On Tue, Mar 19, 2019 at 01:09:12PM -0700, Sean Christopherson wrote:
> On Sun, Mar 17, 2019 at 11:14:46PM +0200, Jarkko Sakkinen wrote:
> > In order to provide a mechanism for devilering provisoning rights:
> >
> > 1. Add a new file to the securityfs file called sgx/provision that works
> > as a token for allowing an enclave to have the provisioning privileges.
> > 2. Add a new ioctl called SGX_IOC_ENCLAVE_SET_ATTRIBUTE that accepts the
> > following data structure:
> >
> > struct sgx_enclave_set_attribute {
> > __u64 addr;
> > __u64 token_fd;
> > };
> >
> > A daemon could sit on top of sgx/provision and send a file descriptor of
> > this file to a process that needs to be able to provision enclaves.
> >
> > The way this API is used is more or less straight-forward. Lets assume that
> > dev_fd is a handle to /dev/sgx and prov_fd is a handle to sgx/provision.
> > You would allow SGX_IOC_ENCLAVE_CREATE to initialize an enclave with the
> > PROVISIONKEY attribute by
> >
> > params.addr = <enclave address>;
> > params.token_fd = prov_fd;
> >
> > ioctl(dev_fd, SGX_IOC_ENCLAVE_SET_ATTRIBUTE, ¶ms);
> >
> > Cc: James Morris <jmorris@xxxxxxxxx>
> > Cc: Serge E. Hallyn <serge@xxxxxxxxxx>
> > Cc: linux-security-module@xxxxxxxxxxxxxxx
> > Suggested-by: Andy Lutomirski <luto@xxxxxxxxxx>
> > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>
> > ---
> > arch/x86/include/uapi/asm/sgx.h | 13 +++++++
> > arch/x86/kernel/cpu/sgx/driver/ioctl.c | 43 +++++++++++++++++++++++
> > arch/x86/kernel/cpu/sgx/driver/main.c | 47 ++++++++++++++++++++++++++
> > 3 files changed, 103 insertions(+)
> >
> > diff --git a/arch/x86/include/uapi/asm/sgx.h b/arch/x86/include/uapi/asm/sgx.h
> > index aadf9c76e360..150a784db395 100644
> > --- a/arch/x86/include/uapi/asm/sgx.h
> > +++ b/arch/x86/include/uapi/asm/sgx.h
> > @@ -16,6 +16,8 @@
> > _IOW(SGX_MAGIC, 0x01, struct sgx_enclave_add_page)
> > #define SGX_IOC_ENCLAVE_INIT \
> > _IOW(SGX_MAGIC, 0x02, struct sgx_enclave_init)
> > +#define SGX_IOC_ENCLAVE_SET_ATTRIBUTE \
> > + _IOW(SGX_MAGIC, 0x03, struct sgx_enclave_set_attribute)
> >
> > /* IOCTL return values */
> > #define SGX_POWER_LOST_ENCLAVE 0x40000000
> > @@ -56,4 +58,15 @@ struct sgx_enclave_init {
> > __u64 sigstruct;
> > };
> >
> > +/**
> > + * struct sgx_enclave_set_attribute - parameter structure for the
> > + * %SGX_IOC_ENCLAVE_INIT ioctl
> > + * @addr: address within the ELRANGE
> > + * @attribute_fd: file handle of the attribute file in the securityfs
> > + */
> > +struct sgx_enclave_set_attribute {
> > + __u64 addr;
> > + __u64 attribute_fd;
> > +};
> > +
> > #endif /* _UAPI_ASM_X86_SGX_H */
> > diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > index 4b9a91b53b50..5d85bd3f7876 100644
> > --- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > +++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > @@ -759,6 +759,46 @@ static long sgx_ioc_enclave_init(struct file *filep, unsigned int cmd,
> > return ret;
> > }
> >
> > +/**
> > + * sgx_ioc_enclave_set_attribute - handler for %SGX_IOC_ENCLAVE_SET_ATTRIBUTE
> > + * @filep: open file to /dev/sgx
> > + * @cmd: the command value
> > + * @arg: pointer to a struct sgx_enclave_set_attribute instance
> > + *
> > + * Sets an attribute matching the attribute file that is pointed by the
> > + * parameter structure field attribute_fd.
>
> With the @data change (see below), this becomes something like:
>
> * Allow the enclave to request the attribute managed by the SGX security file
> * pointed at by the parameter structure field attribute_fd.
I see your point but the current implementation is just a tiny bit
simpler and right now we have one single file.
But I would do to fix this patch right now is to rename
sgx_fs_provision_ops as sgx_fs_ops to point out that only single fops
are required.
The current implementation is "good enough" for handling the
provisioning key.
/Jarkko
