From: Andy Lutomirski <luto@kernel.org>
To: Jarkko Sakkinen <kernel.org@kernel.org>
Cc: Dave Hansen <dave.hansen@intel.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
X86 ML <x86@kernel.org>,
linux-sgx@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
Jethro Beekman <jethro@fortanix.com>,
Darren Kenny <darren.kenny@oracle.com>,
Andy Lutomirski <luto@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
asapek@google.com, Borislav Petkov <bp@alien8.de>,
"Xing, Cedric" <cedric.xing@intel.com>,
chenalexchen@google.com, Conrad Parker <conradparker@google.com>,
cyhanish@google.com, "Huang, Haitao" <haitao.huang@intel.com>,
"Huang, Kai" <kai.huang@intel.com>,
"Svahn, Kai" <kai.svahn@intel.com>, Keith Moyer <kmoy@google.com>,
Christian Ludloff <ludloff@google.com>,
Neil Horman <nhorman@redhat.com>,
Nathaniel McCallum <npmccallum@redhat.com>,
Patrick Uiterwijk <puiterwijk@redhat.com>,
David Rientjes <rientjes@google.com>,
"Christopherson, Sean J" <sean.j.christopherson@intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
yaozhangx@google.com, Mikko Ylinen <mikko.ylinen@intel.com>
Subject: Re: [PATCH v39 15/24] x86/sgx: Add SGX_IOC_ENCLAVE_PROVISION
Date: Sat, 24 Oct 2020 08:47:28 -0700 [thread overview]
Message-ID: <CALCETrWxA6AgU8zg=npS=4NaA1_Pu9UwScEnr_Gk0wF-BOmqqQ@mail.gmail.com> (raw)
In-Reply-To: <20201024113403.GA29427@kernel.org>
On Sat, Oct 24, 2020 at 4:34 AM Jarkko Sakkinen <kernel.org@kernel.org> wrote:
>
> On Fri, Oct 23, 2020 at 07:19:05AM -0700, Dave Hansen wrote:
> > On 10/23/20 3:17 AM, Jarkko Sakkinen wrote:
> > > On Tue, Oct 20, 2020 at 02:19:26PM -0700, Dave Hansen wrote:
> > >> On 10/2/20 9:50 PM, Jarkko Sakkinen wrote:
> > >>> + * Failure to explicitly request access to a restricted attribute will cause
> > >>> + * sgx_ioc_enclave_init() to fail. Currently, the only restricted attribute
> > >>> + * is access to the PROVISION_KEY.
> > >> Could we also justify why access is restricted, please? Maybe:
> > >>
> > >> Access is restricted because PROVISION_KEY is burned uniquely
> > >> into each each processor, making it a perfect unique identifier
> > >> with privacy and fingerprinting implications.
> > >>
> > >> Are there any other reasons for doing it this way?
> > > AFAIK, if I interperet the SDM correctl, PROVISION_KEY and
> > > PROVISION_SEALING_KEY also have random salt added, i.e. they change
> > > every boot cycle.
> > >
> > > There is "RAND = yes" on those keys in Table 40-64 of Intel SDM volume
> > > 3D :-)
> >
> > Does that mean there are no privacy implications from access to the
> > provisioning keys? If that's true, why do we need a separate permission
> > framework for creating provisioning enclaves?
>
> As I've understood it, the key material for those keys is not even
> required in the current SGX architecture, it was used in the legacy EPID
> scheme, but the attribute itself is useful.
>
> Let's assume that we have some sort of quoting enclave Q, which guards a
> public key pair, which signs quotes of other enclaves. Let's assume we
> have an attestation server A, which will enable some capabilities [*],
> if it receives a quote signed with that public key pair.
>
> 1. E gets the report key with EGETKEY.
> 2. E constructs REPORTDATA (37.16) and TARGETINFO (37.17) structures.
> The former describes the enclaves contents and attributes and latter
> the target, i.e. Q in this artitificial example.
> 3. E calls EREPORT to generate a structure called REPORT MAC'd with the
> *targets* report key. It knows, which key to usue from REPORTDATA.
> 4. The runtime will then pass this to Q.
> 5. Q will check if ATTRIBUTE.PROVISION_KEY is set. If it is, Q will
> know that the enclave is allowed to get attested. Then it will
> sign the report with the guarded public key pair and send it to
> the attestation server.
I think you have this a little bit off. AIUI E won't have
ATTRIBUTE.PROVISION_KEY set -- Q will. Q uses the provisioning key to
convince an Intel server that it's running on a genuine Intel CPU, and
the Intel server will return a signed certificate that Q can chain off
of to generate attestations for E.
Dave, I would rephrase what you're saying a bit. The PROVISION_KEY
attribute allows enclaves to access keys that are unique to a
processor and unchangeable. Unlike other SGX keys, these keys are not
affected by OWNER_EPOCH changes and therefore cannot be reset.
--Andy
next prev parent reply other threads:[~2020-10-24 15:47 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20201003045059.665934-1-jarkko.sakkinen@linux.intel.com>
2020-10-03 4:50 ` [PATCH v39 11/24] x86/sgx: Add SGX enclave driver Jarkko Sakkinen
2020-10-03 14:39 ` Greg KH
2020-10-04 14:32 ` Jarkko Sakkinen
2020-10-04 15:01 ` Jarkko Sakkinen
2020-10-05 9:42 ` Greg KH
2020-10-05 12:42 ` Jarkko Sakkinen
2020-10-07 18:09 ` Haitao Huang
2020-10-07 19:26 ` Greg KH
2020-10-09 6:44 ` Jarkko Sakkinen
2020-10-14 20:16 ` Dave Hansen
2020-10-05 8:45 ` Christoph Hellwig
2020-10-05 11:42 ` Jarkko Sakkinen
2020-10-05 11:50 ` Greg KH
2020-10-05 14:23 ` Jarkko Sakkinen
2020-10-05 15:02 ` Greg KH
2020-10-05 16:40 ` Dave Hansen
2020-10-05 20:02 ` Jarkko Sakkinen
2020-10-09 7:10 ` Pavel Machek
2020-10-09 7:21 ` Greg KH
2020-10-09 8:21 ` Pavel Machek
2020-10-03 19:54 ` Matthew Wilcox
2020-10-04 21:50 ` Jarkko Sakkinen
2020-10-04 22:02 ` Jarkko Sakkinen
2020-10-04 22:27 ` Matthew Wilcox
2020-10-04 23:41 ` Jarkko Sakkinen
2020-10-05 1:30 ` Matthew Wilcox
2020-10-05 3:06 ` Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 15/24] x86/sgx: Add SGX_IOC_ENCLAVE_PROVISION Jarkko Sakkinen
2020-10-20 15:48 ` Dave Hansen
2020-10-23 10:14 ` Jarkko Sakkinen
2020-10-20 21:19 ` Dave Hansen
2020-10-23 10:17 ` Jarkko Sakkinen
2020-10-23 14:19 ` Dave Hansen
2020-10-24 11:34 ` Jarkko Sakkinen
2020-10-24 15:47 ` Andy Lutomirski [this message]
2020-10-24 20:23 ` Jarkko Sakkinen
2020-10-27 10:38 ` Dr. Greg
2020-10-23 14:23 ` Jethro Beekman
2020-10-24 11:40 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALCETrWxA6AgU8zg=npS=4NaA1_Pu9UwScEnr_Gk0wF-BOmqqQ@mail.gmail.com' \
--to=luto@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=asapek@google.com \
--cc=bp@alien8.de \
--cc=cedric.xing@intel.com \
--cc=chenalexchen@google.com \
--cc=conradparker@google.com \
--cc=cyhanish@google.com \
--cc=darren.kenny@oracle.com \
--cc=dave.hansen@intel.com \
--cc=haitao.huang@intel.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=kai.huang@intel.com \
--cc=kai.svahn@intel.com \
--cc=kernel.org@kernel.org \
--cc=kmoy@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=ludloff@google.com \
--cc=mikko.ylinen@intel.com \
--cc=nhorman@redhat.com \
--cc=npmccallum@redhat.com \
--cc=puiterwijk@redhat.com \
--cc=rientjes@google.com \
--cc=sean.j.christopherson@intel.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=yaozhangx@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).