| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Jul 2022 05:34:48 +0300
From: Jarkko Sakkinen <jarkko@...nel.org>
To: Dave Hansen <dave.hansen@...ux.intel.com>
Cc: linux-kernel@...r.kernel.org, Andy Lutomirski <luto@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
linux-sgx@...r.kernel.org
Subject: Re: [PATCH] x86/sgx: Allow enclaves to use Asynchrounous Exit
Notification
On Tue, Jul 05, 2022 at 11:36:48AM -0700, Dave Hansen wrote:
> Short Version:
>
> Allow enclaves to use the new Asynchronous EXit (AEX)
> notification mechanism. This mechanism lets enclaves run a
> handler after an AEX event. These handlers can run mitigations
> for things like SGX-Step[1].
>
> AEX Notify will be made available both on upcoming processors and
> on some older processors through microcode updates.
>
> Long Version:
>
> == SGX Attribute Background ==
>
> The SGX architecture includes a list of SGX "attributes". These
> attributes ensure consistency and transparency around specific
> enclave features.
>
> As a simple example, the "DEBUG" attribute allows an enclave to
> be debugged, but also destroys virtually all of SGX security.
> Using attributes, enclaves can know that they are being debugged.
> Attributes also affect enclave attestation so an enclave can, for
> instance, be denied access to secrets while it is being debugged.
>
> The kernel keeps a list of known attributes and will only
> initialize enclaves that use a known set of attributes. This
> kernel policy eliminates the chance that a new SGX attribute
> could cause undesired effects.
>
> For example, imagine a new attribute was added called
> "PROVISIONKEY2" that provided similar functionality to
> "PROVISIIONKEY". A kernel policy that allowed indiscriminate use
> of unknown attributes and thus PROVISIONKEY2 would undermine the
> existing kernel policy which limits use of PROVISIONKEY enclaves.
>
> == AEX Notify Background ==
>
> "Intel Architecture Instruction Set Extensions and Future
> Features - Version 45" is out[2]. There is a new chapter:
>
> Asynchronous Enclave Exit Notify and the EDECCSSA User Leaf Function.
>
> Enclaves exit can be either synchronous and consensual (EEXIT for
> instance) or asynchronous (on an interrupt or fault). The
> asynchronous ones can evidently be exploited to single step
> enclaves[1], on top of which other naughty things can be built.
>
> AEX Notify will be made available both on upcoming processors and
> on some older processors through microcode updates.
>
> == The Problem ==
>
> These attacks are currently entirely opaque to the enclave since
> the hardware does the save/restore under the covers. The
> Asynchronous Enclave Exit Notify (AEX Notify) mechanism provides
> enclaves an ability to detect and mitigate potential exposure to
> these kinds of attacks.
>
> == The Solution ==
>
> Define the new attribute value for AEX Notification. Ensure the
> attribute is cleared from the list reserved attributes which
> allows it to be used in enclaves.
>
> I just built this and ran it to make sure there were no obvious
> regressions since I do not have the hardware to test it handy.
> Tested-by's would be much appreciated.
Is this available on recent ucode updates e.g. for Icelake
or Geminilake?
>
> 1. https://github.com/jovanbulck/sgx-step
> 2. https://cdrdv2.intel.com/v1/dl/getContent/671368?explicitVersion=true
>
> Signed-off-by: Dave Hansen <dave.hansen@...ux.intel.com>
> Cc: Jarkko Sakkinen <jarkko@...nel.org>
> Cc: Andy Lutomirski <luto@...nel.org>
> Cc: Thomas Gleixner <tglx@...utronix.de>
> Cc: Ingo Molnar <mingo@...hat.com>
> Cc: Borislav Petkov <bp@...en8.de>
> Cc: x86@...nel.org
> Cc: "H. Peter Anvin" <hpa@...or.com>
> Cc: linux-sgx@...r.kernel.org
> Cc: linux-kernel@...r.kernel.org
> ---
> arch/x86/include/asm/sgx.h | 25 ++++++++++++++++++-------
> 1 file changed, 18 insertions(+), 7 deletions(-)
>
> diff --git a/arch/x86/include/asm/sgx.h b/arch/x86/include/asm/sgx.h
> index 3f9334ef67cd..f7328d8efd83 100644
> --- a/arch/x86/include/asm/sgx.h
> +++ b/arch/x86/include/asm/sgx.h
> @@ -110,17 +110,28 @@ enum sgx_miscselect {
> * %SGX_ATTR_EINITTOKENKEY: Allow to use token signing key that is used to
> * sign cryptographic tokens that can be passed to
> * EINIT as an authorization to run an enclave.
> + * %SGX_ATTR_ASYNC_EXIT_NOTIFY: Allow enclaves to be notified after an
> + * asynchronous exit has occurred.
> */
> enum sgx_attribute {
> - SGX_ATTR_INIT = BIT(0),
> - SGX_ATTR_DEBUG = BIT(1),
> - SGX_ATTR_MODE64BIT = BIT(2),
> - SGX_ATTR_PROVISIONKEY = BIT(4),
> - SGX_ATTR_EINITTOKENKEY = BIT(5),
> - SGX_ATTR_KSS = BIT(7),
> + SGX_ATTR_INIT = BIT(0),
> + SGX_ATTR_DEBUG = BIT(1),
> + SGX_ATTR_MODE64BIT = BIT(2),
> + /* BIT(3) is reserved */
> + SGX_ATTR_PROVISIONKEY = BIT(4),
> + SGX_ATTR_EINITTOKENKEY = BIT(5),
> + /* BIT(6) is for CET */
> + SGX_ATTR_KSS = BIT(7),
> + /* BIT(8) is reserved */
> + /* BIT(9) is reserved */
> + SGX_ATTR_ASYNC_EXIT_NOTIFY = BIT(10),
> };
>
> -#define SGX_ATTR_RESERVED_MASK (BIT_ULL(3) | BIT_ULL(6) | GENMASK_ULL(63, 8))
> +#define SGX_ATTR_RESERVED_MASK (BIT_ULL(3) | \
> + BIT_ULL(6) | \
> + BIT_ULL(8) | \
> + BIT_ULL(9) | \
> + GENMASK_ULL(63, 11))
>
> /**
> * struct sgx_secs - SGX Enclave Control Structure (SECS)
> --
> 2.34.1
>
BR, Jarkko
Powered by blists - more mailing lists