[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160427081804.GC16991@gmail.com>
Date: Wed, 27 Apr 2016 10:18:05 +0200
From: Ingo Molnar <mingo@...nel.org>
To: Andy Lutomirski <luto@...capital.net>
Cc: Pavel Machek <pavel@....cz>,
"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Thomas Gleixner <tglx@...utronix.de>,
Greg KH <gregkh@...uxfoundation.org>,
Mathias Krause <minipli@...glemail.com>,
Borislav Petkov <bp@...e.de>,
"open list:STAGING SUBSYSTEM" <devel@...verdev.osuosl.org>,
Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
Wan Zongshun <Vincent.Wan@....com>,
Kristen Carlson Accardi <kristen@...ux.intel.com>,
open list <linux-kernel@...r.kernel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
"H. Peter Anvin" <hpa@...or.com>,
Peter Zijlstra <a.p.zijlstra@...llo.nl>
Subject: Re: [PATCH 0/6] Intel Secure Guard Extensions
* Andy Lutomirski <luto@...capital.net> wrote:
> > What new syscalls would be needed for ssh to get all this support?
>
> This patchset or similar, plus some user code and an enclave to use.
>
> Sadly, on current CPUs, you also need Intel to bless the enclave. It looks like
> new CPUs might relax that requirement.
That looks like a fundamental technical limitation in my book - to an open source
user this is essentially a very similar capability as tboot: it only allows the
execution of externally blessed static binary blobs...
I don't think we can merge any of this upstream until it's clear that the hardware
owner running open-source user-space can also freely define/start his own secure
enclaves without having to sign the enclave with any external party. I.e.
self-signed enclaves should be fundamentally supported as well.
Thanks,
Ingo
Powered by blists - more mailing lists