lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200319182219.GB22995@wind.enjellic.com>
Date:   Thu, 19 Mar 2020 13:22:20 -0500
From:   "Dr. Greg" <greg@...ellic.com>
To:     Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
Cc:     Jethro Beekman <jethro@...tanix.com>,
        Sean Christopherson <sean.j.christopherson@...el.com>,
        linux-kernel@...r.kernel.org, x86@...nel.org,
        linux-sgx@...r.kernel.org, akpm@...ux-foundation.org,
        dave.hansen@...el.com, nhorman@...hat.com, npmccallum@...hat.com,
        haitao.huang@...el.com, andriy.shevchenko@...ux.intel.com,
        tglx@...utronix.de, kai.svahn@...el.com, bp@...en8.de,
        josh@...htriplett.org, luto@...nel.org, kai.huang@...el.com,
        rientjes@...gle.com, cedric.xing@...el.com, puiterwijk@...hat.com,
        linux-security-module@...r.kernel.org,
        Suresh Siddha <suresh.b.siddha@...el.com>,
        Haitao Huang <haitao.huang@...ux.intel.com>,
        Chunyang Hui <sanqian.hcy@...fin.com>
Subject: Re: [PATCH v28 11/22] x86/sgx: Linux Enclave Driver

On Fri, Mar 06, 2020 at 09:00:03PM +0200, Jarkko Sakkinen wrote:

Good afternoon, I hope the day is going well for everyone.

> > >> +/**
> > >> + * struct sgx_enclave_create - parameter structure for the
> > >> + *                             %SGX_IOC_ENCLAVE_CREATE ioctl
> > >> + * @src:	address for the SECS page data
> > >> + */
> > >> +struct sgx_enclave_create  {
> > >> +	__u64	src;
> > > 
> > > Would it make sense to add reserved fields to the structs so that new
> > > features can be added in a backwards compatible way?  E.g. if we want to
> > > allow userspace to control the backing store by passing in a file
> > > descriptor ENCLAVE_CREATE.

> > Reserving space for future fields is not necessary because the
> > size of the struct is encoded in the ioctl number. The kernel can
> > use this to differentiate between different call versions from
> > userspace.

> Sure but I still would never change the signature once a ioctl is
> added.

These reflections cause me to call, once again, what will be an
unpopular question, but if we pride ourselves on intellectual honesty
in our engineering practices we need to address it.

If we are locking ioctl's and ABI's down, then we need to address,
before the driver goes in, how we are going to handle support for
those of us that have engineering needs around launch token
technology.

On an FLC (unlocked) platform, which is the only thing the driver will
initialize on, there is no reason not to preserve the initialization
IOCTL argument structure that accepts a pointer to a launch token or
to disallow an enclave that has the attribute bit/mask set that allows
the enclave to have access to the launch key.  When presented with an
enclave with the launch bit set the driver can simply set the launch
control registers to the MRSIGNER value of that enclave.

It is a straight forward process to provide a root based mechanism
that allows the owner of the platform to control that behavior, if
there are concerns about how the platform is to be used, much like
what is currently being done with access to the provision key.

The ideological purity statement is made by the decision to limit what
hardware the driver will run on.  Once that statement is made, and the
driver firmly implements that decision, the owner of that platform
should be able to decide how they want to use and implement the
technology from there.

Unless someone else chirps up there are essentially only two complete
runtimes that are concerned with this issue.  Intel can enforce
enhanced ideological purity, if they desire, by simply disallowing
anyone to pass a non-null EINIT structure pointer through their
runtime to the driver, which leaves us to implement the behavior we
want without ABI concerns.

There is a fairly fundamental question here regarding 'software
freedom', maybe Jonathan Corbet and company will even pick up on
it.... :-)

> /Jarkko

Hopefully all of this makes sense and is reasonable.

Have a good remainder of the week, wherever you happen to be locked in
at.

We now return you to your regularly scheduled programming on the
register dance surrounding enclave entry.

Dr. Greg

As always,
Dr. Greg Wettstein, Ph.D, Worker      SGX secured infrastructure and
Enjellic Systems Development, LLC     autonomously self-defensive
4206 N. 19th Ave.                     platforms.
Fargo, ND  58102
PH: 701-281-1686                      EMAIL: greg@...ellic.com
------------------------------------------------------------------------------
"More people are killed every year by pigs than by sharks, which shows
 you how good we are at evaluating risk."
                                -- Bruce Schneier
                                   Beyond Fear

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ