| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200925194304.GE31528@linux.intel.com>
Date: Fri, 25 Sep 2020 12:43:04 -0700
From: Sean Christopherson <sean.j.christopherson@...el.com>
To: Dave Hansen <dave.hansen@...el.com>
Cc: Haitao Huang <haitao.huang@...ux.intel.com>,
Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
Andy Lutomirski <luto@...nel.org>, X86 ML <x86@...nel.org>,
linux-sgx@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>,
Linux-MM <linux-mm@...ck.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Matthew Wilcox <willy@...radead.org>,
Jethro Beekman <jethro@...tanix.com>,
Darren Kenny <darren.kenny@...cle.com>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
asapek@...gle.com, Borislav Petkov <bp@...en8.de>,
"Xing, Cedric" <cedric.xing@...el.com>, chenalexchen@...gle.com,
Conrad Parker <conradparker@...gle.com>, cyhanish@...gle.com,
"Huang, Haitao" <haitao.huang@...el.com>,
Josh Triplett <josh@...htriplett.org>,
"Huang, Kai" <kai.huang@...el.com>,
"Svahn, Kai" <kai.svahn@...el.com>, Keith Moyer <kmoy@...gle.com>,
Christian Ludloff <ludloff@...gle.com>,
Neil Horman <nhorman@...hat.com>,
Nathaniel McCallum <npmccallum@...hat.com>,
Patrick Uiterwijk <puiterwijk@...hat.com>,
David Rientjes <rientjes@...gle.com>,
Thomas Gleixner <tglx@...utronix.de>, yaozhangx@...gle.com
Subject: Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()
On Fri, Sep 25, 2020 at 10:18:28AM -0700, Dave Hansen wrote:
> Thanks for the walkthrough. The thing that clicked for me seeing those
> examples was how the earlier ioctl(ADD_PAGE) is "bound" to later
> enforcement actions at enclave PTE creation time.
>
> On 9/24/20 5:00 PM, Sean Christopherson wrote:
> > My concern is that if we merge this
> >
> > ioctl(sgx_fd, ENCLAVE_ADD_PAGE, SGX_PROT_READ | SGX_PROT_EXEC, ptr, size);
> >
> > without ->mprotect(), we can't actually enforce the declared protections. And
> > if we drop the field altogether:
> >
> > ioctl(sgx_fd, ENCLAVE_ADD_PAGE, ptr, size);
> >
> > then we can't implement security_enclave_load().
>
> To me, it's perfectly OK to have parts of the ABI which are unused. It
> sure makes them harder to test if there are no actual users in the code,
> but if it solves a real problem with the ABI, I'm fine with it.
>
> Let's see if I can put all the pieces together.
>
> Background:
>
> 1. SGX enclave pages are populated with data by copying data to them
> from normal memory via: ioctl(sgx_fd, ENCLAVE_ADD_PAGE, src_ptr...);
> 2. We want to be able to restrict those normal memory data sources. For
> instance, before copying data to an executable enclave page, we might
> ensure that the source is executable.
> 3. Enclave page permissions are dynamic just like normal permissions and
> can be adjusted at runtime with mprotect() (along with a
> corresponding special instruction inside the enclave)
> 4. The original data source may have have long since vanished at the
> time when enclave page permission are established (mmap() or
> mprotect())
>
> Solution:
>
> The solution is to force enclaves creators to declare their intent up
> front to ioctl(ENCLAVE_ADD_PAGE). This intent can me immediately
> compared to the source data mapping (and rejected if necessary). It is
> also stashed off and then later compared with enclave PTEs to ensure
> that any future mmap()/mprotect() operations performed by the enclave
> creator or the enclave itself are consistent with the earlier declared
> permissions.
>
> Essentially, this means that whenever the kernel is asked to change an
> enclave PTE, it needs to ensure the change is consistent with that
> stashed intent. There is an existing vm_ops->mmap() hook which allows
> SGX to do that for mmap(). However, there is no ->mprotect() hook. Add
> a vm_ops->mprotect() hook so that mprotect() operations which are
> inconsistent with any page's stashed intent can be rejected by the driver.
Yes to all of the above.
> Implications:
>
> However, there is currently no implementation of the intent checks at
> the time of ioctl(ENCLAVE_ADD_PAGE).
Correct.
> That means that the intent argument (SGX_PROT_*) is currently unused.
No, the intent argument is used (eventually) by SGX's ->mprotect()
implementation, i.e. sgx_mprotect() enforces that the actual protections are a
subset of the declared/intended protections.
If ->mprotect() is not merged, then it yes, it will be unused. And therein
lies the problem as the kernel can't start using/enforcing the intent without
breaking userspace. E.g. an enclave loaded with SGX_PROT_READ but mprotect()'d
with PROT_READ | PROT_EXEC would break if sgx_mprotect() came along.
One way to avoid introducing ->mprotect() would be to require all enclaves to
declare all pages with READ|WRITE|EXEC. Then we could drop sgx_mprotect()
since the mprotect() permissions are guaranteed to be a subset of the declared
permissions. That would have the added bonus of eliminating the per-page
checks in sgx_mmap()/sgx_mprotect(), though I've no idea if that is a
meaningful optmization or it's lost in the noise.
The big downside of requiring READ|WRITE|EXEC is that it will make life hell
for a LSM policy owner if they ever want to apply EXECMEM or EXECMOD style
restritions on enclaves, i.e. if SELinux folks want to add
security_enclave_load().
I find that I'm more or less ok with that approach, in no small part because
introducing security_enclave_load() might be a pretty big "if", e.g. security
folks may decide that they'd rather allow/deny enclaves based on the
measurement or signer of the enclave and eschew per-page checks entirely.
> --
>
> Is that all correct? Did I miss anything?
Powered by blists - more mailing lists