Open Source and information security mailing list archives
Date:   Sat, 20 Apr 2019 07:42:13 +0200 (CEST)
From:   Thomas Gleixner <>
To:     Jethro Beekman <>
cc:     Andy Lutomirski <>,
        Andy Lutomirski <>,
        "Dr. Greg" <>,
        Dave Hansen <>,
        Jarkko Sakkinen <>,
        Linus Torvalds <>,
        LKML <>, X86 ML <>,
        "" <>,
        Andrew Morton <>,
        "Christopherson, Sean J" <>,
        "" <>,
        "" <>,
        "Ayoun, Serge" <>,
        "Katz-zamir, Shay" <>,
        "Huang, Haitao" <>,
        Andy Shevchenko <>,
        "Svahn, Kai" <>, Borislav Petkov <>,
        Josh Triplett <>,
        "Huang, Kai" <>,
        David Rientjes <>
Subject: Re: [PATCH v20 00/28] Intel SGX1 support

On Fri, 19 Apr 2019, Jethro Beekman wrote:
> On 2019-04-19 14:34, Thomas Gleixner wrote:
> > And how so? You create writeable AND executable memory. That's a nono and
> > you can argue in circles, that's not going to change with any of your
> > proposed changes.
> On 2019-04-19 14:38, Thomas Gleixner wrote:
> > You are working around LSM nothing else and that's just not going to fly.
> Based on your comments, I'm still unsure if we're on the same page with
> regards to what I'm proposing.
> Here's a regular non-SGX flow that LSM would likely prevent:
> memcpy()
> mmap(PROT_READ|PROT_EXEC) <-- denied by LSM
> Or just something based on regular PT permissions:
> memcpy() <-- SIGSEGV
> Now, the equivalent for SGX:
> ioctl(EADD)
> mmap(PROT_READ|PROT_EXEC) <-- denied by LSM

This is completely irrelevant, really.

The point is that the SGX driver loads and executes arbitrary data which is
handed in from user space via an ioctl w/o any chance of verifying where
that comes from.

What Andy proposed is to open a file with the SGX payload and hand in the
file descriptor. That way LSM can decide whether this is allowed or denied
based on the file descriptor and whatever the security model/policy is in a
particular setup.

Right now the SGX driver and its proposed API prevent any form of LSM
auditing and whatever permission checks you had in mind won't change that
at all.
