Date:   Wed, 11 Aug 2021 03:19:09 +0300
From:   Jarkko Sakkinen <jarkko@...nel.org>
To:     Kai Huang <kai.huang@...el.com>
Cc:     linux-sgx@...r.kernel.org,
        Reinette Chatre <reinette.chatre@...el.com>,
        Borislav Petkov <bp@...en8.de>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, x86@...nel.org,
        "H. Peter Anvin" <hpa@...or.com>,
        Sean Christopherson <seanjc@...gle.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] x86/sgx: Always deregister /dev/sgx_provision on failure

On Wed, Aug 11, 2021 at 11:27:13AM +1200, Kai Huang wrote:
> On Wed, 11 Aug 2021 01:56:27 +0300 Jarkko Sakkinen wrote:
> > When /dev/sgx_vepc for KVM was added, the initialization was relaxed so
> > that this file can be accessed even when the driver is disabled.
> > 
> > Deregister /dev/sgx_provision when the driver is disabled, because it is
> > only useful for the driver.
> 
> Hi Jarkko,
> 
> This is not true.  KVM also uses /dev/sgx_provision to restrict enclaves in guests
> from accessing the provisioning key.  Specifically, in order to allow a guest enclave
> to use the provisioning key, when a VM is created, Qemu must have
> permission to open /dev/sgx_provision, and pass the fd as a parameter to
> KVM_CAP_SGX_ATTRIBUTE.
> 
> Please see the KVM API below:
> 
> 7.25 KVM_CAP_SGX_ATTRIBUTE
> --------------------------
> 
> :Architectures: x86
> :Target: VM
> :Parameters: args[0] is a file handle of a SGX attribute file in securityfs
> :Returns: 0 on success, -EINVAL if the file handle is invalid or if a requested
>           attribute is not supported by KVM.
> 
> KVM_CAP_SGX_ATTRIBUTE enables a userspace VMM to grant a VM access to one or
> more privileged enclave attributes.  args[0] must hold a file handle to a valid
> SGX attribute file corresponding to an attribute that is supported/restricted
> by KVM (currently only PROVISIONKEY).
> 
> The SGX subsystem restricts access to a subset of enclave attributes to provide
> additional security for an uncompromised kernel, e.g. use of the PROVISIONKEY
> is restricted to deter malware from using the PROVISIONKEY to obtain a stable
> system fingerprint.  To prevent userspace from circumventing such restrictions
> by running an enclave in a VM, KVM prevents access to privileged attributes by
> default.

OK, I was not aware of this.

/Jarkko
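
The grant step that the quoted KVM_CAP_SGX_ATTRIBUTE text describes, written out as an added C example (not code from this thread, the kernel or QEMU): the VMM opens /dev/sgx_provision itself and hands the fd to KVM_ENABLE_CAP, so the permissions on that file are what gate PROVISIONKEY for guests. It assumes Linux UAPI headers and a VM fd from KVM_CREATE_VM, which is not created here, so vm_fd is a placeholder.

```c
#include <errno.h>
#include <fcntl.h>
#include <linux/kvm.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

#ifndef KVM_CAP_SGX_ATTRIBUTE
#define KVM_CAP_SGX_ATTRIBUTE 196   /* value from linux/kvm.h, v5.13+ */
#endif

/* KVM_ENABLE_CAP payload: args[0] carries the fd of the attribute file. */
struct kvm_enable_cap sgx_attr_request(int attr_fd)
{
    struct kvm_enable_cap cap;
    memset(&cap, 0, sizeof(cap));
    cap.cap = KVM_CAP_SGX_ATTRIBUTE;
    cap.args[0] = (__u64)attr_fd;
    return cap;
}

/*
 * Grant the VM behind vm_fd the PROVISIONKEY attribute.  The VMM itself must
 * be able to open attr_path (normally /dev/sgx_provision), so the file's
 * permissions are the policy; KVM then checks that the fd really is the
 * attribute file and returns EINVAL otherwise.  Returns 0 or a negative errno.
 */
int sgx_grant_provision_key(int vm_fd, const char *attr_path)
{
    int attr_fd = open(attr_path, O_RDONLY);
    if (attr_fd < 0)
        return -errno;   /* open denied or file absent: no grant is made */

    struct kvm_enable_cap cap = sgx_attr_request(attr_fd);
    int ret = ioctl(vm_fd, KVM_ENABLE_CAP, &cap) < 0 ? -errno : 0;

    /* The check happens inside the ioctl, so the fd need not stay open. */
    close(attr_fd);
    return ret;
}

int main(void)
{
    int vm_fd = -1;   /* placeholder: a real VMM uses its KVM_CREATE_VM fd */
    int ret = sgx_grant_provision_key(vm_fd, "/dev/sgx_provision");
    printf("grant PROVISIONKEY: %s\n", ret ? strerror(-ret) : "ok");
    return ret ? 1 : 0;
}
```

On a host where the VMM's user cannot open /dev/sgx_provision, the function fails before any ioctl is issued, which is exactly the restriction Kai describes.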
