| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YkvqN2eSJJdAuiWE@kernel.org>
Date: Tue, 5 Apr 2022 10:05:27 +0300
From: Jarkko Sakkinen <jarkko@...nel.org>
To: Reinette Chatre <reinette.chatre@...el.com>
Cc: dave.hansen@...ux.intel.com, tglx@...utronix.de, bp@...en8.de,
luto@...nel.org, mingo@...hat.com, linux-sgx@...r.kernel.org,
x86@...nel.org, seanjc@...gle.com, kai.huang@...el.com,
cathy.zhang@...el.com, cedric.xing@...el.com,
haitao.huang@...el.com, mark.shanahan@...el.com, hpa@...or.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH V3 16/30] x86/sgx: Tighten accessible memory range after
enclave initialization
On Mon, Apr 04, 2022 at 09:49:24AM -0700, Reinette Chatre wrote:
> Before an enclave is initialized the enclave's memory range is unknown.
> The enclave's memory range is learned at the time it is created via the
> SGX_IOC_ENCLAVE_CREATE ioctl() where the provided memory range is
> obtained from an earlier mmap() of /dev/sgx_enclave. After an enclave
> is initialized its memory can be mapped into user space (mmap()) from
> where it can be entered at its defined entry points.
>
> With the enclave's memory range known after it is initialized there is
> no reason why it should be possible to map memory outside this range.
>
> Lock down access to the initialized enclave's memory range by denying
> any attempt to map memory outside its memory range.
>
> Locking down the memory range also makes adding pages to an initialized
> enclave more efficient. Pages are added to an initialized enclave by
> accessing memory that belongs to the enclave's memory range but not yet
> backed by an enclave page. If it is possible for user space to map
> memory that does not form part of the enclave then an access to this
> memory would eventually fail. Failures range from a prompt general
> protection fault if the access was an ENCLU[EACCEPT] from within the
> enclave, or a page fault via the vDSO if it was another access from
> within the enclave, or a SIGBUS (also resulting from a page fault) if
> the access was from outside the enclave.
>
> Disallowing invalid memory to be mapped in the first place avoids
> preventable failures.
>
> Signed-off-by: Reinette Chatre <reinette.chatre@...el.com>
> ---
> No changes since V2
>
> Changes since V1:
> - Add comment (Jarkko).
>
> arch/x86/kernel/cpu/sgx/encl.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c
> index fa4f947f8496..7909570736a0 100644
> --- a/arch/x86/kernel/cpu/sgx/encl.c
> +++ b/arch/x86/kernel/cpu/sgx/encl.c
> @@ -409,6 +409,11 @@ int sgx_encl_may_map(struct sgx_encl *encl, unsigned long start,
>
> XA_STATE(xas, &encl->page_array, PFN_DOWN(start));
>
> + /* Disallow mapping outside enclave's address range. */
> + if (test_bit(SGX_ENCL_INITIALIZED, &encl->flags) &&
> + (start < encl->base || end > encl->base + encl->size))
> + return -EACCES;
> +
> /*
> * Disallow READ_IMPLIES_EXEC tasks as their VMA permissions might
> * conflict with the enclave page permissions.
> --
> 2.25.1
>
Reviewed-by: Jarkko Sakkinen <jarkko@...nel.org>
BR, Jarkko
Powered by blists - more mailing lists