lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YJAZjP2k6Aff7wgk@kernel.org>
Date:   Mon, 3 May 2021 18:41:00 +0300
From:   Jarkko Sakkinen <jarkko@...nel.org>
To:     Dave Hansen <dave.hansen@...el.com>
Cc:     Tim Gardner <tim.gardner@...onical.com>,
        dave.hansen@...ux.intel.com, shuah@...nel.org,
        linux-sgx@...r.kernel.org, linux-kselftest@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: Subject: [PATCH 0/1] SGX self test fails

On Thu, Apr 29, 2021 at 11:55:23AM -0700, Dave Hansen wrote:
> On 4/29/21 11:39 AM, Tim Gardner wrote:
> > I'm just starting my learning curve on SGX, so I don't know if I've missed
> > some setup for the SGX device entries. After looking at arch/x86/kernel/cpu/sgx/driver.c
> > I see that there is no mode value for either sgx_dev_enclave or sgx_dev_provision.
> > 
> > With this patch I can get the SGX self test to complete:
> > 
> > sudo ./test_sgx
> > Warning: no execute permissions on device file /dev/sgx_enclave
> > 0x0000000000000000 0x0000000000002000 0x03
> > 0x0000000000002000 0x0000000000001000 0x05
> > 0x0000000000003000 0x0000000000003000 0x03
> > SUCCESS
> > 
> > Is the warning even necessary ?
> 
> Dang, I just added that warning.  I thought it was necessary, but I
> guess not:
> 
> $ ls -l /dev/sgx_enclave
> crw------- 1 dave dave 10, 125 Apr 28 11:32 /dev/sgx_enclave
> $ ./test_sgx
> 0x0000000000000000 0x0000000000002000 0x03
> 0x0000000000002000 0x0000000000001000 0x05
> 0x0000000000003000 0x0000000000003000 0x03
> SUCCESS
> 
> *But*, is that OK?  Should we be happily creating a PROT_EXEC mapping on
> a ugo-x file?  Why were we respecting noexec on the filesystem but not
> ugo-x on the file?

Yeah, this supports my earlier response:

"EPERM  The prot argument asks for PROT_EXEC but the mapped area
 belongs to a file on a filesystem that was mounted no-exec."
https://man7.org/linux/man-pages/man2/mmap.2.html

I guess the right model is to think just as "anonymous memory"
with equivalent access control semantics after succesfully
opened for read and write.

BTW, this is good material for the man page :-)

/Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ