From: Andy Lutomirski <luto@kernel.org>
To: Rich Felker <dalias@libc.org>
Cc: "Christopherson, Sean J" <sean.j.christopherson@intel.com>,
"Andrew Lutomirski" <luto@kernel.org>,
Dave Hansen <dave.hansen@intel.com>, Jann Horn <jannh@google.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
"Dave Hansen" <dave.hansen@linux.intel.com>,
Jethro Beekman <jethro@fortanix.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Florian Weimer <fweimer@redhat.com>,
Linux API <linux-api@vger.kernel.org>, X86 ML <x86@kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Peter Zijlstra <peterz@infradead.org>, <nhorman@redhat.com>,
<npmccallum@redhat.com>, "Ayoun, Serge" <serge.ayoun@intel.com>,
<shay.katz-zamir@intel.com>, <linux-sgx@vger.kernel.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
"Carlos O'Donell" <carlos@redhat.com>,
<adhemerval.zanella@linaro.org>
Subject: Re: RFC: userspace exception fixups
Date: Wed, 7 Nov 2018 13:33:24 -0800 [thread overview]
Message-ID: <CALCETrUh4TkgTPjoaLaT-TjD9JuPhPrLbpGdB8C95R0a+rexww@mail.gmail.com> (raw)
In-Reply-To: <20181107212758.GU5150@brightrain.aerifal.cx>
On Wed, Nov 7, 2018 at 1:28 PM Rich Felker <dalias@libc.org> wrote:
>
> On Tue, Nov 06, 2018 at 03:26:16PM -0800, Sean Christopherson wrote:
> > On Tue, Nov 06, 2018 at 06:17:30PM -0500, Rich Felker wrote:
> > > On Tue, Nov 06, 2018 at 11:02:11AM -0800, Andy Lutomirski wrote:
> > > > On Tue, Nov 6, 2018 at 10:41 AM Dave Hansen <dave.hansen@intel.com> wrote:
> > > > >
> > > > > On 11/6/18 10:20 AM, Andy Lutomirski wrote:
> > > > > > I almost feel like the right solution is to call into SGX on its own
> > > > > > private stack or maybe even its own private address space.
> > > > >
> > > > > Yeah, I had the same gut feeling. Couldn't the debugger even treat the
> > > > > enclave like its own "thread" with its own stack and its own set of
> > > > > registers and context? That seems like a much more workable model than
> > > > > trying to weave it together with the EENTER context.
> > > >
> > > > So maybe the API should be, roughly
> > > >
> > > > sgx_exit_reason_t sgx_enter_enclave(pointer_to_enclave, struct
> > > > host_state *state);
> > > > sgx_exit_reason_t sgx_resume_enclave(same args);
> > > >
> > > > where host_state is something like:
> > > >
> > > > struct host_state {
> > > > unsigned long bp, sp, ax, bx, cx, dx, si, di;
> > > > };
> > > >
> > > > and the values in host_state explicitly have nothing to do with the
> > > > actual host registers. So, if you want to use the outcall mechanism,
> > > > you'd allocate some memory, point sp to that memory, call
> > > > sgx_enter_enclave(), and then read that memory to do the outcall.
> > > >
> > > > Actually implementing this would be distinctly nontrivial, and would
> > > > almost certainly need some degree of kernel help to avoid an explosion
> > > > when a signal gets delivered while we have host_state.sp loaded into
> > > > the actual SP register. Maybe rseq could help with this?
> > > >
> > > > The ISA here is IMO not well thought through.
> > >
> > > Maybe I'm mistaken about some fundamentals here, but my understanding
> > > of SGX is that the whole point is that the host application and the
> > > code running in the enclave are mutually adversarial towards one
> > > another. Do any or all of the proposed protocols here account for this
> > > and fully protect the host application from malicious code in the
> > > enclave? It seems that having control over the register file on exit
> > > from the enclave is fundamentally problematic but I assume there must
> > > be some way I'm missing that this is fixed up.
> >
> > SGX provides protections for the enclave but not the other way around.
> > The kernel has all of its normal non-SGX protections in place, but the
> > enclave can certainly wreak havoc on its userspace process. The basic
> > design idea is that the enclave is a specialized .so that gets extra
> > security protections but is still effectively part of the overall
> > application, e.g. it has full access to its host userspace process'
> > virtual memory.
>
> In that case it seems like the only way to use SGX that's not a gaping
> security hole is to run the SGX enclave in its own fully-seccomp (or
> equivalent) process, with no host application in the same address
> space. Since the host application can't see the contents of the
> enclave to make any determination of whether it's safe to run, running
> it in the same address space only makes sense if the cpu provides
> protection against unwanted accesses to the host's memory from the
> enclave -- and according to you, it doesn't.
>
I think the theory is that the enclave is shipped with the host application.
That being said, a way to run the enclave in an address space that has
basically nothing else (except an ENCLU instruction as a trampoline)
would be quite nice.
WARNING: multiple messages have this Message-ID (diff)
From: Andy Lutomirski <luto@kernel.org>
To: Rich Felker <dalias@libc.org>
Cc: "Christopherson, Sean J" <sean.j.christopherson@intel.com>,
Andrew Lutomirski <luto@kernel.org>,
Dave Hansen <dave.hansen@intel.com>, Jann Horn <jannh@google.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Jethro Beekman <jethro@fortanix.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Florian Weimer <fweimer@redhat.com>,
Linux API <linux-api@vger.kernel.org>, X86 ML <x86@kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
nhorman@redhat.com, npmccallum@redhat.com, "Ayoun,
Serge" <serge.ayoun@intel.com>,
shay.katz-zamir@intel.com, linux-sgx@vger.kernel.org,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
"Carlos O'Donell" <carlos@redhat.com>,
adhemerval.zanella@linaro.org
Subject: Re: RFC: userspace exception fixups
Date: Wed, 7 Nov 2018 13:33:24 -0800 [thread overview]
Message-ID: <CALCETrUh4TkgTPjoaLaT-TjD9JuPhPrLbpGdB8C95R0a+rexww@mail.gmail.com> (raw)
Message-ID: <20181107213324.MXx1x1ot__ADd_9OVXtK6ndSWuIxhdIwU6Lu_kmqjXI@z> (raw)
In-Reply-To: <20181107212758.GU5150@brightrain.aerifal.cx>
On Wed, Nov 7, 2018 at 1:28 PM Rich Felker <dalias@libc.org> wrote:
>
> On Tue, Nov 06, 2018 at 03:26:16PM -0800, Sean Christopherson wrote:
> > On Tue, Nov 06, 2018 at 06:17:30PM -0500, Rich Felker wrote:
> > > On Tue, Nov 06, 2018 at 11:02:11AM -0800, Andy Lutomirski wrote:
> > > > On Tue, Nov 6, 2018 at 10:41 AM Dave Hansen <dave.hansen@intel.com> wrote:
> > > > >
> > > > > On 11/6/18 10:20 AM, Andy Lutomirski wrote:
> > > > > > I almost feel like the right solution is to call into SGX on its own
> > > > > > private stack or maybe even its own private address space.
> > > > >
> > > > > Yeah, I had the same gut feeling. Couldn't the debugger even treat the
> > > > > enclave like its own "thread" with its own stack and its own set of
> > > > > registers and context? That seems like a much more workable model than
> > > > > trying to weave it together with the EENTER context.
> > > >
> > > > So maybe the API should be, roughly
> > > >
> > > > sgx_exit_reason_t sgx_enter_enclave(pointer_to_enclave, struct
> > > > host_state *state);
> > > > sgx_exit_reason_t sgx_resume_enclave(same args);
> > > >
> > > > where host_state is something like:
> > > >
> > > > struct host_state {
> > > > unsigned long bp, sp, ax, bx, cx, dx, si, di;
> > > > };
> > > >
> > > > and the values in host_state explicitly have nothing to do with the
> > > > actual host registers. So, if you want to use the outcall mechanism,
> > > > you'd allocate some memory, point sp to that memory, call
> > > > sgx_enter_enclave(), and then read that memory to do the outcall.
> > > >
> > > > Actually implementing this would be distinctly nontrivial, and would
> > > > almost certainly need some degree of kernel help to avoid an explosion
> > > > when a signal gets delivered while we have host_state.sp loaded into
> > > > the actual SP register. Maybe rseq could help with this?
> > > >
> > > > The ISA here is IMO not well thought through.
> > >
> > > Maybe I'm mistaken about some fundamentals here, but my understanding
> > > of SGX is that the whole point is that the host application and the
> > > code running in the enclave are mutually adversarial towards one
> > > another. Do any or all of the proposed protocols here account for this
> > > and fully protect the host application from malicious code in the
> > > enclave? It seems that having control over the register file on exit
> > > from the enclave is fundamentally problematic but I assume there must
> > > be some way I'm missing that this is fixed up.
> >
> > SGX provides protections for the enclave but not the other way around.
> > The kernel has all of its normal non-SGX protections in place, but the
> > enclave can certainly wreak havoc on its userspace process. The basic
> > design idea is that the enclave is a specialized .so that gets extra
> > security protections but is still effectively part of the overall
> > application, e.g. it has full access to its host userspace process'
> > virtual memory.
>
> In that case it seems like the only way to use SGX that's not a gaping
> security hole is to run the SGX enclave in its own fully-seccomp (or
> equivalent) process, with no host application in the same address
> space. Since the host application can't see the contents of the
> enclave to make any determination of whether it's safe to run, running
> it in the same address space only makes sense if the cpu provides
> protection against unwanted accesses to the host's memory from the
> enclave -- and according to you, it doesn't.
>
I think the theory is that the enclave is shipped with the host application.
That being said, a way to run the enclave in an address space that has
basically nothing else (except an ENCLU instruction as a trampoline)
would be quite nice.
next prev parent reply other threads:[~2018-11-07 21:33 UTC|newest]
Thread overview: 163+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-01 17:53 RFC: userspace exception fixups Andy Lutomirski
2018-11-01 17:53 ` Andy Lutomirski
2018-11-01 18:09 ` Florian Weimer
2018-11-01 18:09 ` Florian Weimer
2018-11-01 18:30 ` Rich Felker
2018-11-01 18:30 ` Rich Felker
2018-11-01 19:00 ` Jarkko Sakkinen
2018-11-01 19:00 ` Jarkko Sakkinen
2018-11-01 18:27 ` Rich Felker
2018-11-01 18:27 ` Rich Felker
2018-11-01 18:33 ` Jann Horn
2018-11-01 18:33 ` Jann Horn
2018-11-01 18:52 ` Rich Felker
2018-11-01 18:52 ` Rich Felker
2018-11-01 19:10 ` Linus Torvalds
2018-11-01 19:10 ` Linus Torvalds
2018-11-01 19:31 ` Rich Felker
2018-11-01 19:31 ` Rich Felker
2018-11-01 21:24 ` Linus Torvalds
2018-11-01 21:24 ` Linus Torvalds
2018-11-01 23:22 ` Andy Lutomirski
2018-11-01 23:22 ` Andy Lutomirski
2018-11-02 16:30 ` Sean Christopherson
2018-11-02 16:30 ` Sean Christopherson
2018-11-02 16:37 ` Jethro Beekman
2018-11-02 16:37 ` Jethro Beekman
2018-11-02 16:52 ` Sean Christopherson
2018-11-02 16:52 ` Sean Christopherson
2018-11-02 16:56 ` Jethro Beekman
2018-11-02 16:56 ` Jethro Beekman
2018-11-02 17:01 ` Andy Lutomirski
2018-11-02 17:01 ` Andy Lutomirski
2018-11-02 17:05 ` Jethro Beekman
2018-11-02 17:05 ` Jethro Beekman
2018-11-02 17:16 ` Andy Lutomirski
2018-11-02 17:16 ` Andy Lutomirski
2018-11-02 17:32 ` Rich Felker
2018-11-02 17:32 ` Rich Felker
2018-11-02 17:12 ` Sean Christopherson
2018-11-02 17:12 ` Sean Christopherson
2018-11-02 22:42 ` Jarkko Sakkinen
2018-11-02 22:42 ` Jarkko Sakkinen
2018-11-02 16:56 ` Dave Hansen
2018-11-02 16:56 ` Dave Hansen
2018-11-02 17:06 ` Sean Christopherson
2018-11-02 17:06 ` Sean Christopherson
2018-11-02 17:13 ` Dave Hansen
2018-11-02 17:13 ` Dave Hansen
2018-11-02 17:33 ` Sean Christopherson
2018-11-02 17:33 ` Sean Christopherson
2018-11-02 17:48 ` Andy Lutomirski
2018-11-02 17:48 ` Andy Lutomirski
2018-11-02 18:27 ` Sean Christopherson
2018-11-02 18:27 ` Sean Christopherson
2018-11-02 19:02 ` Jann Horn
2018-11-02 19:02 ` Jann Horn
2018-11-02 22:04 ` Sean Christopherson
2018-11-02 22:04 ` Sean Christopherson
2018-11-02 23:27 ` Jann Horn
2018-11-02 23:27 ` Jann Horn
2018-11-02 23:32 ` Andy Lutomirski
2018-11-02 23:32 ` Andy Lutomirski
2018-11-02 23:36 ` Jann Horn
2018-11-02 23:36 ` Jann Horn
2018-11-06 15:37 ` Sean Christopherson
2018-11-06 15:37 ` Sean Christopherson
2018-11-06 16:57 ` Andy Lutomirski
2018-11-06 16:57 ` Andy Lutomirski
2018-11-06 17:03 ` Dave Hansen
2018-11-06 17:03 ` Dave Hansen
2018-11-06 17:19 ` Sean Christopherson
2018-11-06 17:19 ` Sean Christopherson
2018-11-06 18:20 ` Andy Lutomirski
2018-11-06 18:20 ` Andy Lutomirski
2018-11-06 18:41 ` Dave Hansen
2018-11-06 18:41 ` Dave Hansen
2018-11-06 19:02 ` Andy Lutomirski
2018-11-06 19:02 ` Andy Lutomirski
2018-11-06 19:22 ` Dave Hansen
2018-11-06 19:22 ` Dave Hansen
2018-11-06 20:12 ` Andy Lutomirski
2018-11-06 20:12 ` Andy Lutomirski
2018-11-06 21:00 ` Dave Hansen
2018-11-06 21:00 ` Dave Hansen
2018-11-06 21:07 ` Andy Lutomirski
2018-11-06 21:07 ` Andy Lutomirski
2018-11-06 21:41 ` Andy Lutomirski
2018-11-06 21:41 ` Andy Lutomirski
2018-11-06 21:59 ` Sean Christopherson
2018-11-06 21:59 ` Sean Christopherson
2018-11-06 23:00 ` Andy Lutomirski
2018-11-06 23:00 ` Andy Lutomirski
2018-11-06 23:35 ` Sean Christopherson
2018-11-06 23:35 ` Sean Christopherson
2018-11-06 23:39 ` Andy Lutomirski
2018-11-06 23:39 ` Andy Lutomirski
2018-11-07 0:02 ` Sean Christopherson
2018-11-07 0:02 ` Sean Christopherson
2018-11-07 1:17 ` Andy Lutomirski
2018-11-07 1:17 ` Andy Lutomirski
2018-11-07 6:47 ` Jethro Beekman
2018-11-07 6:47 ` Jethro Beekman
2018-11-07 15:34 ` Sean Christopherson
2018-11-07 15:34 ` Sean Christopherson
2018-11-07 19:01 ` Sean Christopherson
2018-11-07 19:01 ` Sean Christopherson
2018-11-07 20:56 ` Dave Hansen
2018-11-07 20:56 ` Dave Hansen
2018-11-08 15:04 ` Jarkko Sakkinen
2018-11-08 15:04 ` Jarkko Sakkinen
2018-11-08 19:54 ` Sean Christopherson
2018-11-08 19:54 ` Sean Christopherson
2018-11-08 20:05 ` Andy Lutomirski
2018-11-08 20:05 ` Andy Lutomirski
2018-11-08 20:10 ` Dave Hansen
2018-11-08 20:10 ` Dave Hansen
2018-11-08 21:16 ` Sean Christopherson
2018-11-08 21:16 ` Sean Christopherson
2018-11-08 21:50 ` Dave Hansen
2018-11-08 21:50 ` Dave Hansen
2018-11-08 22:04 ` Sean Christopherson
2018-11-08 22:04 ` Sean Christopherson
2018-11-09 7:12 ` Christoph Hellwig
2018-11-09 7:12 ` Christoph Hellwig
2018-11-06 23:17 ` Rich Felker
2018-11-06 23:17 ` Rich Felker
2018-11-06 23:26 ` Sean Christopherson
2018-11-06 23:26 ` Sean Christopherson
2018-11-07 21:27 ` Rich Felker
2018-11-07 21:27 ` Rich Felker
2018-11-07 21:33 ` Andy Lutomirski [this message]
2018-11-07 21:33 ` Andy Lutomirski
2018-11-07 21:40 ` Sean Christopherson
2018-11-07 21:40 ` Sean Christopherson
2018-11-08 15:11 ` Jarkko Sakkinen
2018-11-08 15:11 ` Jarkko Sakkinen
2018-11-06 17:00 ` Dave Hansen
2018-11-06 17:00 ` Dave Hansen
2018-11-02 22:37 ` Jarkko Sakkinen
2018-11-02 22:37 ` Jarkko Sakkinen
2018-11-01 19:06 ` Linus Torvalds
2018-11-01 19:06 ` Linus Torvalds
2018-11-02 22:07 ` Jarkko Sakkinen
2018-11-02 22:07 ` Jarkko Sakkinen
2018-11-18 7:15 ` Jarkko Sakkinen
2018-11-18 7:18 ` Jarkko Sakkinen
2018-11-18 13:02 ` Jarkko Sakkinen
2018-11-19 5:17 ` Jethro Beekman
2018-11-19 14:05 ` Jarkko Sakkinen
2018-11-19 14:59 ` Jarkko Sakkinen
2018-11-19 15:29 ` Andy Lutomirski
2018-11-19 16:02 ` Jarkko Sakkinen
2018-11-19 17:00 ` Andy Lutomirski
2018-11-20 10:11 ` Jarkko Sakkinen
2018-11-20 15:19 ` Andy Lutomirski
2018-11-20 22:55 ` Jarkko Sakkinen
2018-11-21 5:17 ` Jethro Beekman
2018-11-21 15:17 ` Jarkko Sakkinen
2018-11-24 17:07 ` Jarkko Sakkinen
2018-11-26 14:35 ` Sean Christopherson
2018-11-26 22:06 ` Jarkko Sakkinen
2018-11-20 18:09 ` Sean Christopherson
2018-11-20 22:46 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALCETrUh4TkgTPjoaLaT-TjD9JuPhPrLbpGdB8C95R0a+rexww@mail.gmail.com \
--to=luto@kernel.org \
--cc=adhemerval.zanella@linaro.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=bp@alien8.de \
--cc=carlos@redhat.com \
--cc=dalias@libc.org \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=fweimer@redhat.com \
--cc=jannh@google.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=nhorman@redhat.com \
--cc=npmccallum@redhat.com \
--cc=peterz@infradead.org \
--cc=sean.j.christopherson@intel.com \
--cc=serge.ayoun@intel.com \
--cc=shay.katz-zamir@intel.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).