From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753184AbcDZVAc (ORCPT <rfc822;w@1wt.eu>);
	Tue, 26 Apr 2016 17:00:32 -0400
Received: from lxorguk.ukuu.org.uk ([81.2.110.251]:43540 "EHLO
	lxorguk.ukuu.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752297AbcDZVAa (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 26 Apr 2016 17:00:30 -0400
Date: Tue, 26 Apr 2016 21:59:52 +0100
From: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
To: Pavel Machek <pavel@ucw.cz>
Cc: Andy Lutomirski <luto@amacapital.net>,
        Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
        Greg KH <gregkh@linuxfoundation.org>,
        Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
        Boris Ostrovsky <boris.ostrovsky@oracle.com>,
        "open list:STAGING SUBSYSTEM" <devel@driverdev.osuosl.org>,
        Ingo Molnar <mingo@kernel.org>,
        Kristen Carlson Accardi <kristen@linux.intel.com>,
        "open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
        open list <linux-kernel@vger.kernel.org>,
        Mathias Krause <minipli@googlemail.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Wan Zongshun <Vincent.Wan@amd.com>
Subject: Re: [PATCH 0/6] Intel Secure Guard Extensions
Message-ID: <20160426215952.44ff82a6@lxorguk.ukuu.org.uk>
In-Reply-To: <20160426201154.GC11111@amd>
References: <1461605698-12385-1-git-send-email-jarkko.sakkinen@linux.intel.com>
	<20160426190009.GC8162@amd>
	<CALCETrVVjkppY=pG3CtLWcnP0WMGWJdKVH6CnKxw56gqn0D_1g@mail.gmail.com>
	<20160426194117.GA11111@amd>
	<CALCETrXNW8GiqMwj8rrBOv6cGYDsgQ238m5NrMDFqTA173iyoA@mail.gmail.com>
	<20160426201154.GC11111@amd>
Organization: Intel Corporation
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.30; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

> But... that will mean that my ssh will need to be SGX-aware, and that
> I will not be able to switch to AMD machine in future. ... or to other
> Intel machine for that matter, right?

I'm not privy to AMD's CPU design plans.

However I think for the ssl/ssh case you'd use the same interfaces
currently available for plugging in TPMs and dongles. It's a solved
problem in the crypto libraries.

> What new syscalls would be needed for ssh to get all this support?

I don't see why you'd need new syscalls.

> Ookay... I guess I can get a fake Replay Protected Memory block, which
> will confirm that write happened and not do anything from China, but

It's not quite that simple because there are keys and a counter involved
but I am sure doable.

> And, again, it means that quite complex new kernel-user interface will
> be needed, right?

Why ? For user space we have perfectly good existing system calls, for
kernel space we have existing interfaces to the crypto and key layers for
modules to use.

Alan