Re: [PATCH 4/5] x86/sgx: Validate TCS permssions in sgx_validate_secinfo()

From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: linux-sgx@vger.kernel.org
Subject: Re: [PATCH 4/5] x86/sgx: Validate TCS permssions in sgx_validate_secinfo()
Date: Thu, 22 Aug 2019 09:34:59 -0700	[thread overview]
Message-ID: <20190822163458.GG25467@linux.intel.com> (raw)
In-Reply-To: <d0e8313b7817a43151b11602ad55b1136f614850.camel@linux.intel.com>

On Thu, Aug 22, 2019 at 07:31:39PM +0300, Jarkko Sakkinen wrote:
> On Wed, 2019-08-21 at 20:55 -0700, Sean Christopherson wrote:
> > Why are we validating the TCS protection bits?  Hardware ignores them, so
> > why do we care?  sgx_ioc_enclave_add_page() sets the internal protection
> > bits so there's no danger of putting the wrong thing in the page tables.
> 
> I think that in this commit I got it wrong but I think this is awkward:
> 
> 	/*
> 	 * TCS pages must always RW set for CPU access while the SECINFO
> 	 * permissions are *always* zero - the CPU ignores the user provided
> 	 * values and silently overwrites with zero permissions.
> 	 */
> 	if ((secinfo.flags & SGX_SECINFO_PAGE_TYPE_MASK) == SGX_SECINFO_TCS)
> 		prot |= PROT_READ | PROT_WRITE;
> 
> In my opinion the right thing to do would be check that SECINFO has *at
> minimum* RW and return -EINVAL if not.

Based on Serge's comment, hardware updates MRENCLAVE with SECINFO *after*
it overwrites the flags for TCS pages.  I.e. requiring RW for the TCS
would result in every enclave failing EINIT due to an invalid measurement.
It'd be fairly easy to verify this if we want to triple check that that is
indeed hardware behavior.