| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <73b7e4e3712074b73f4ac8211699d24dfdced6bf.camel@linux.intel.com>
Date: Mon, 25 Jun 2018 12:41:08 +0300
From: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
To: Nathaniel McCallum <npmccallum@...hat.com>,
sean.j.christopherson@...el.com
Cc: jethro@...tanix.com, luto@...nel.org,
Neil Horman <nhorman@...hat.com>, x86@...nel.org,
platform-driver-x86@...r.kernel.org, linux-kernel@...r.kernel.org,
mingo@...hat.com, intel-sgx-kernel-dev@...ts.01.org, hpa@...or.com,
dvhart@...radead.org, tglx@...utronix.de, andy@...radead.org,
Peter Jones <pjones@...hat.com>
Subject: Re: [intel-sgx-kernel-dev] [PATCH v11 13/13] intel_sgx: in-kernel
launch enclave
On Thu, 2018-06-21 at 08:32 -0400, Nathaniel McCallum wrote:
> This implies that it should be possible to create MSR activation (and
> an embedded launch enclave?) entirely as a UEFI module. The kernel
> would still get to manage who has access to /dev/sgx and other
> important non-cryptographic policy details. Users would still be able
> to control the cryptographic policy details (via BIOS Secure Boot
> configuration that exists today). Distributions could still control
> cryptographic policy details via signing of the UEFI module with their
> own Secure Boot key (or using something like shim). The UEFI module
> (and possibly the external launch enclave) could be distributed via
> linux-firmware.
>
> Andy/Neil, does this work for you?
Nothing against having UEFI module for MSR activation step.
And we would move the existing in-kernel LE to firmware so that it is
avaible for locked-in-to-non-Intel-values case?
/Jarkko
Powered by blists - more mailing lists