On Thu, May 16, 2019 at 05:35:16PM -0700, Andy Lutomirski wrote: > On Thu, May 16, 2019 at 3:23 PM Xing, Cedric <cedric.xing@xxxxxxxxx> wrote: > > And if you are with me on that bigger picture, the next question is: what > > should be the default behavior of security_sgx_mprot() for > > existing/non-SGX-aware LSM modules/policies? I'd say a reasonable default > > is to allow R, RW and RX, but not anything else. It'd suffice to get rid of > > EXECMEM/EXECMOD requirements on enclave applications. For SGX1, EPCM > > permissions are immutable so it really doesn't matter what > > security_sgx_mprot() does. For SGX2 and beyond, there's still time and new > > SGX-aware LSM modules/policies will probably have emerged by then. > > I hadn't thought about the SGX1 vs SGX2 difference. If the driver > initially only wants to support SGX1, then I guess we really could get > away with constraining the EPC flags based on the source page > permission and not restricting mprotect() and mmap() permissions on > /dev/sgx/enclave at all. No, SGX1 vs SGX2 support in the kernel is irrelevant. Well, unless the driver simply refuses to load on SGX2 hardware, but I don't think anyone wants to go that route. There is no enabling or attribute bit required to execute ENCLU[EMODPE], e.g. an enclave can effect RW->RWX in the EPCM on SGX2 hardware regardless of what the kernel is doing. IMO the kernel should ignore the EPCM from an LSM perspective.
