From: James Morris <jmorris@namei.org>
To: "Dr. Greg" <greg@enjellic.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Sean Christopherson <sean.j.christopherson@intel.com>,
linux-sgx@vger.kernel.org, Dave Hansen <dave.hansen@intel.com>,
Cedric Xing <cedric.xing@intel.com>,
Andy Lutomirski <luto@kernel.org>,
Jethro Beekman <jethro@fortanix.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
casey.schaufler@intel.com, william.c.roberts@intel.com,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [RFC PATCH v3 09/12] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX
Date: Thu, 27 Jun 2019 06:39:05 +1000 (AEST) [thread overview]
Message-ID: <alpine.LRH.2.21.1906270637300.28132@namei.org> (raw)
In-Reply-To: <20190623171626.GA25683@wind.enjellic.com>
On Sun, 23 Jun 2019, Dr. Greg wrote:
> The most relevant and important control with respect to whether or not
> an enclave should be allowed to execute is evaluation of the
> SIGSTRUCT. Given the trajectory that platform security is on, SGX is
> not going to be the last technology of its type nor the only
> technology that makes use of cryptographically based code provenance.
>
> As a result, if we are content with handing an opaque pointer of a
> descriptive struture to an LSM routine, a generic hook that is tasked
> with verifying code or execution environment provenance doesn't seem
> like it would need to be technology specific nor controversial.
>
> That leaves as the last thorny issue the question of dynamic
> allocation of memory for executable content. As we have stated
> before, and at the outset of this note, from a security perspective
> this is only, effectively, a binary question for the platform owner as
> to whether or not the concept should be allowed.
>
> A generic LSM hook, appropriately named, could execute that decision
> without being SGX specific. Arguably, the hook should be named to
> indicate that it is seeking approval for allocating memory to be used
> for anonymous executable content, since that is what it would be
> effectively requesting approval for, in the case of SGX.
>
> For completeness a third generic hook may be useful. The purpose of
> that hook would be to verify a block of memory as being
> measured or signed for consideration as executable content. Arguably
> that will have utility far beyond SGX.
>
> In the case of SGX it would address the issue as to whether or not a
> block of executable content in untrusted space is eligible for
> anonymous execution. That may be a useful security measure in order
> to provide some control over an enclave being used as a random
> execution oracle.
>
> It obviously has no security utility against the enclave author since,
> as we have noted before, it is possible for the enclave author to
> simply pull whatever code is desired over an encrypted network
> connection.
>
> > James Morris
>
> Hopefully these comments are a useful basis for further discussion.
Thanks, this is helpful.
--
James Morris
<jmorris@namei.org>
next prev parent reply other threads:[~2019-06-26 20:39 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20190617222438.2080-1-sean.j.christopherson@intel.com>
[not found] ` <20190617222438.2080-10-sean.j.christopherson@intel.com>
[not found] ` <0c4f75a0ae2fdeee6db07f3a224918f321163d56.camel@linux.intel.com>
[not found] ` <alpine.LRH.2.21.1906200702040.28119@namei.org>
2019-06-23 17:16 ` [RFC PATCH v3 09/12] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX Dr. Greg
2019-06-26 20:39 ` James Morris [this message]
[not found] ` <20190617222438.2080-5-sean.j.christopherson@intel.com>
[not found] ` <dc3d59c2783ea81d85d4d447bd1a4a2d5fe51421.camel@linux.intel.com>
[not found] ` <20190619152018.GC1203@linux.intel.com>
[not found] ` <20190620221702.GE20474@linux.intel.com>
[not found] ` <20190707190809.GE19593@linux.intel.com>
[not found] ` <1b7369a08e98dd08a4f8bb19b16479f12bee130f.camel@linux.intel.com>
[not found] ` <20190708161932.GE20433@linux.intel.com>
[not found] ` <20190709160634.3yupyabf5svnj4ds@linux.intel.com>
[not found] ` <20190710172553.GE4348@linux.intel.com>
2019-07-15 22:29 ` [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits Andy Lutomirski
2019-08-01 16:38 ` Jarkko Sakkinen
2019-08-04 22:20 ` Andy Lutomirski
2019-08-05 20:51 ` Jarkko Sakkinen
2019-08-05 21:30 ` Andy Lutomirski
2019-08-07 18:51 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LRH.2.21.1906270637300.28132@namei.org \
--to=jmorris@namei.org \
--cc=casey.schaufler@intel.com \
--cc=cedric.xing@intel.com \
--cc=dave.hansen@intel.com \
--cc=greg@enjellic.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=sean.j.christopherson@intel.com \
--cc=selinux@vger.kernel.org \
--cc=william.c.roberts@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).