lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200317010718.GA2546@wind.enjellic.com>
Date:   Mon, 16 Mar 2020 20:07:18 -0500
From:   "Dr. Greg" <greg@...ellic.com>
To:     Haitao Huang <haitao.huang@...ux.intel.com>
Cc:     Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
        linux-kernel@...r.kernel.org, x86@...nel.org,
        linux-sgx@...r.kernel.org, akpm@...ux-foundation.org,
        dave.hansen@...el.com, sean.j.christopherson@...el.com,
        nhorman@...hat.com, npmccallum@...hat.com, haitao.huang@...el.com,
        andriy.shevchenko@...ux.intel.com, tglx@...utronix.de,
        kai.svahn@...el.com, bp@...en8.de, josh@...htriplett.org,
        luto@...nel.org, kai.huang@...el.com, rientjes@...gle.com,
        cedric.xing@...el.com, puiterwijk@...hat.com,
        linux-kselftest@...r.kernel.org
Subject: Re: [PATCH v28 14/22] selftests/x86: Add a selftest for SGX

On Tue, Mar 10, 2020 at 02:29:41PM -0500, Haitao Huang wrote:

Good evening, I hope the week is going well for everyone.

> >Just as a clarification, are you testing the new driver against
> >signed production class enclaves in .so format that also include
> >metadata layout directives or is the driver just getting tested
> >against the two page toy enclave that copies a word of memory from
> >one memory location to another?

> We (Intel SGX SDK/PSW team) tested this driver for enclaves in .so
> format with metadata. Our 2.8 release supports v24 and 2.9 supports
> v25+. Both production signed and debug signed enclaves worked.
>
> *Note* we did make some code changes in our runtime for v24+, mainly
> dealing with src & EPC page alignment for EADD, open one fd per
> enclave, use -z noexecstack linker option, etc. You can see the
> changes on GitHub.

Lots of knobs getting turned at the same time but we sorted out all
the issues and our runtime is now passing its regression tests with
the new driver, with an exception that we note below.

I suspect that we might have the only complete and architecturally
independent runtime implementation so if the new driver is working
against yours and ours it would seem to be a reasonable test spectrum
for the driver.

> >We see the same behavior from both our unit test enclaves and the
> >Quoting Enclave from the Intel SGX runtime.

> We did not see any issue loading QE in our tests. Please directly
> email me on this test if you have specific questions.

As it turns out the major problem we were running into with respect to
the QE test was the fact that generic use of atexit() handlers was
disabled by changes that went into the 2.8 SDK.  Our runtime and SDK
assume that enclave atexit() handling works.

The enclave UNINIT ECALL is only allowed on runtimes that are
advertising EDMM support.  That seems excessively restrictive since
atexit() handling is generically useful for enclaves that are not
using EDMM.  Our runtime allows EDMM to be disabled and we have
enclaves that gate on that for security purposes.

On a quasi-related note, it appears that the 1.4 compatibility
metadata created by post 2.0 signing tools is leaking layout
descriptors that a version 1.4 runtime doesn't understand.

Do you want to exchange e-mail on this or should we direct
conversations about these issues with others on your SDK team.

Have a good remainder of the week.

Dr. Greg

As always,
Dr. Greg Wettstein, Ph.D, Worker      SGX secured infrastructure and
Enjellic Systems Development, LLC     autonomously self-defensive
4206 N. 19th Ave.                     platforms.
Fargo, ND  58102
PH: 701-281-1686                      EMAIL: greg@...ellic.com
------------------------------------------------------------------------------
"All parts should go together without forcing.  You must remember that
 the parts you are reassembling were disassembled by you.  Therefore,
 if you can't get them together again, there must be a reason.  By all
 means, do not use a hammer."
                                -- IBM maintenance manual, 1925

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ