[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e25bfeaa-afb4-3928-eb80-50d90815eabb@intel.com>
Date: Thu, 24 Sep 2020 13:54:09 -0700
From: Dave Hansen <dave.hansen@...el.com>
To: Sean Christopherson <sean.j.christopherson@...el.com>
Cc: Haitao Huang <haitao.huang@...ux.intel.com>,
Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
Andy Lutomirski <luto@...nel.org>, X86 ML <x86@...nel.org>,
linux-sgx@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>,
Linux-MM <linux-mm@...ck.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Matthew Wilcox <willy@...radead.org>,
Jethro Beekman <jethro@...tanix.com>,
Darren Kenny <darren.kenny@...cle.com>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
asapek@...gle.com, Borislav Petkov <bp@...en8.de>,
"Xing, Cedric" <cedric.xing@...el.com>, chenalexchen@...gle.com,
Conrad Parker <conradparker@...gle.com>, cyhanish@...gle.com,
"Huang, Haitao" <haitao.huang@...el.com>,
Josh Triplett <josh@...htriplett.org>,
"Huang, Kai" <kai.huang@...el.com>,
"Svahn, Kai" <kai.svahn@...el.com>, Keith Moyer <kmoy@...gle.com>,
Christian Ludloff <ludloff@...gle.com>,
Neil Horman <nhorman@...hat.com>,
Nathaniel McCallum <npmccallum@...hat.com>,
Patrick Uiterwijk <puiterwijk@...hat.com>,
David Rientjes <rientjes@...gle.com>,
Thomas Gleixner <tglx@...utronix.de>, yaozhangx@...gle.com
Subject: Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()
On 9/24/20 1:25 PM, Sean Christopherson wrote:
...
>> Why don't we just declare enclave memory as "out of scope for noexec" in
>> the same way that anonymous memory is, and just discard this patch?
>> That doesn't seem too much of a stretch.
>
> Because we lose line of sight to LSM support. Without enforcing "declare perms
> at load time" in the initial series, we would create an ABI where userspace
> could load an enclave page with only READ permissions and then map the enclave
> with whatever permissions it wants, without any convenient way for SGX to call
> into the LSM.
This argument holds no water for me. LSMs are all about taking what
would otherwise be perfectly acceptable behavior and breaking them in
the name of security. They fundamentally break applications that used
to work just fine and also did totally sane things.
> Retroactively enforcing permissions at load time would break the ABI, or at
> least yield different behavior based on the mere existence of LSMs, e.g. if
> LSMs are supported, suddenly the ADD_PAGES w/ READ -> mmap(RWX) flow breaks,
> even if there is no LSM policy denying that behavior.
I'm a security dummy. All I know is that when I see something like this:
if (security_vm_enough_memory_mm(mm, grow))
...
I know to ignore it because I like my systems to boot and I'm not using
those hooks. :)
How could the mere presence of an LSM change the behavior of one of
these hooks? Don't they have to actually hook into the specific place
and actively go trying to change the behavior at that site?
Powered by blists - more mailing lists