lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20190924202210.GC16218@linux.intel.com>
Date:   Tue, 24 Sep 2019 13:22:10 -0700
From:   Sean Christopherson <sean.j.christopherson@...el.com>
To:     Borislav Petkov <bp@...en8.de>
Cc:     Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
        linux-kernel@...r.kernel.org, x86@...nel.org,
        linux-sgx@...r.kernel.org, akpm@...ux-foundation.org,
        dave.hansen@...el.com, nhorman@...hat.com, npmccallum@...hat.com,
        serge.ayoun@...el.com, shay.katz-zamir@...el.com,
        haitao.huang@...el.com, andriy.shevchenko@...ux.intel.com,
        tglx@...utronix.de, kai.svahn@...el.com, josh@...htriplett.org,
        luto@...nel.org, kai.huang@...el.com, rientjes@...gle.com,
        cedric.xing@...el.com, Kai Huang <kai.huang@...ux.intel.com>,
        Haim Cohen <haim.cohen@...el.com>
Subject: Re: [PATCH v22 02/24] x86/cpufeatures: x86/msr: Intel SGX Launch
 Control hardware bits

On Tue, Sep 24, 2019 at 05:52:32PM +0200, Borislav Petkov wrote:
> On Tue, Sep 03, 2019 at 05:26:33PM +0300, Jarkko Sakkinen wrote:
> > From: Kai Huang <kai.huang@...ux.intel.com>
> > 
> > Add X86_FEATURE_SGX_LC, which informs whether or not the CPU supports SGX
> > Launch Control.
> > 
> > Add MSR_IA32_SGXLEPUBKEYHASH{0, 1, 2, 3}, which when combined contain a
> > SHA256 hash of a 3072-bit RSA public key. SGX backed software packages, so
> > called enclaves, are always signed. All enclaves signed with the public key
> > are unconditionally allowed to initialize. [1]
> > 
> > Add FEATURE_CONTROL_SGX_LE_WR bit of the feature control MSR, which informs
> > whether the formentioned MSRs are writable or not. If the bit is off, the
> > public key MSRs are read-only for the OS.
> > 
> > If the MSRs are read-only, the platform must provide a launch enclave (LE).
> > LE can create cryptographic tokens for other enclaves that they can pass
> > together with their signature to the ENCLS(EINIT) opcode, which is used
> > to initialize enclaves.
> > 
> > Linux is unlikely to support the locked configuration because it takes away
> > the control of the launch decisions from the kernel.
> 
> Right, who has control over FEATURE_CONTROL_SGX_LE_WR? Can the
> kernel set it and put another hash in there or there will be locked
> configurations where setting that bit will trap?

Short answer, BIOS controls SGX_LE_WR.

The approach we chose (patch 04, which we were discussing) is to disable
SGX if SGX_LE_WR is not set, i.e. disallow SGX unless the hash MSRs exist
and are fully writable.

WRMSR will #GP if FEATURE_CONTROL is locked (bit 0), e.g. attempting to
set SGX_LE_WR will trap if FEATURE_CONTROL was locked by BIOS.  And
conversely, the various enable bits in FEATURE_CONTROL don't take effect
until FEATURE_CONTROL is locked, e.g. the LE hash MSRs aren't writable if
FEATURE_CONTROL is unlocked, regardless of whether SGX_LE_WR is set.

> I don't want to leave anything in the hands of the BIOS controlling
> whether the platform can set its own key because BIOS is known to f*ck
> it up almost every time. And so I'd like for us to be able to fix up
> things without depending on the mood of some OEM vendor's BIOS fixing
> desire.

Sadly, because FEATURE_CONTROL must be locked to fully enable SGX, the
reality is that any BIOS that supports SGX will lock FEATURE_CONTROL.

That's the status quo today as well since VMX (and SMX/TXT) is also
enabled via FEATURE_CONTROL.  KVM does have logic to enable VMX and lock
FEATURE_CONTROL if the MSR isn't locked, but AIUI that exists only to work
with old BIOSes.

If we want to support setting and locking FEATURE_CONTROL in the extremely
unlikely scenario that BIOS left it unlocked, the proper change would be
to move the existing KVM FEATURE_CONTROL logic into the early-ish boot
flow and try to set all known bits before locking FEATURE_CONTROL.  I
don't have a strong preference either way.  We opted not to try and set
FEATURE_CONTROL as we felt that doing so was more likely to cause breakage
than it was to actually "fix" a broken BIOS.

> > [1] Intel SDM: 38.1.4 Intel SGX Launch Control Configuration

One note on Launch Control that isn't covered in the SDM: the LE hash
MSRs can also be written before SGX is activated.  SGX activation must
occur before FEATURE_CONTROL is locked, meaning BIOS can set the LE
hash MSRs to a non-intel and then lock FEATURE_CONTROL with SGX_LE_WR=0.

There's a blurb on SGX activation in the kernel docs (patch 23).

> > diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> > index c5582e766121..ca82226e25ec 100644
> > --- a/arch/x86/include/asm/cpufeatures.h
> > +++ b/arch/x86/include/asm/cpufeatures.h
> > @@ -355,6 +355,7 @@
> >  #define X86_FEATURE_CLDEMOTE		(16*32+25) /* CLDEMOTE instruction */
> >  #define X86_FEATURE_MOVDIRI		(16*32+27) /* MOVDIRI instruction */
> >  #define X86_FEATURE_MOVDIR64B		(16*32+28) /* MOVDIR64B instruction */
> > +#define X86_FEATURE_SGX_LC		(16*32+30) /* Software Guard Extensions Launch Control */
> 
> Amazing. SGX feature bits are spread around at least three CPUID leafs:
> 
> 7_EBX, 7_ECX, 12_EAX. Maybe there's a 4th somewhere because hey... :-\

Heh, why stop at 4?  12_EBX, 12_1_ECX and 12_1_EDX are effectively feature
leafs as well, although the kernel can ignore them for the most part.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ