lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 16 May 2019 08:07:05 +0300
From:   Jarkko Sakkinen <>
To:     Andy Lutomirski <>
Cc:     Sean Christopherson <>,
        Andy Lutomirski <>,
        Jethro Beekman <>,
        "Xing, Cedric" <>,
        "Hansen, Dave" <>,
        Thomas Gleixner <>,
        "Dr. Greg" <>,
        Linus Torvalds <>,
        LKML <>, X86 ML <>,
        "" <>,
        Andrew Morton <>,
        "" <>,
        "" <>,
        "Ayoun, Serge" <>,
        "Katz-zamir, Shay" <>,
        "Huang, Haitao" <>,
        Andy Shevchenko <>,
        "Svahn, Kai" <>, Borislav Petkov <>,
        Josh Triplett <>,
        "Huang, Kai" <>,
        David Rientjes <>
Subject: Re: [PATCH v20 00/28] Intel SGX1 support

On Wed, May 15, 2019 at 07:27:02AM -0700, Andy Lutomirski wrote:
> > On May 15, 2019, at 4:00 AM, Jarkko Sakkinen <> wrote:
> > 
> >> On Wed, May 15, 2019 at 01:35:31PM +0300, Jarkko Sakkinen wrote:
> >> This brings me to an open question in Andy's model: lets say that we
> >> change the source for SIGSTRUCT from memory address to fd. How can the
> >> policy prevent the use not creating a file containing a SIGSTRUCT and
> >> passing fd of that to the EINIT ioctl?
> > 
> The policy will presumably check the label on the file that the fd points to.

Right (checked SELinux documentation).

Got one idea from this. Right now creation and initialization does not
require any VMAs to be created (since v20). Requiring to map a VMA for
copying the data would bring in my opinion a glitch to this model that
we have done effort to build up.

What if we similarly change EADD ioctl in a way that it'd take an fd
and an offset? This way we can enforce policy to the source where the
enclave data is loaded from. On the other hand, loading SIGSTRUCT from
fd enforces a legit structure for the enclave.

This would still allow to construct enclaves in VMA independent way.

> > Also wondering if a path would be better than plain fd for defining a
> > reasonable policy i.e. have sigstruct_path as part of the ioctl
> > parameters and not sigstruct_fd.
> > 
> It would save two syscalls at the cost of a decent amount of complexity.

And also using fd gives robustness because it allows SIGSTRUCT
pulled from a file containing it (among other things).


Powered by blists - more mailing lists