On Tue, Jun 11, 2019 at 03:02:43PM -0700, Sean Christopherson wrote: Good morning, I hope the week is proceeding well for everyone. > On Tue, Jun 11, 2019 at 09:40:25AM -0400, Stephen Smalley wrote: > > I haven't looked at this code closely, but it feels like a lot of > > SGX-specific logic embedded into SELinux that will have to be repeated or > > reused for every security module. Does SGX not track this state itself? > SGX does track equivalent state. > > There are three proposals on the table (I think): > > 1. Require userspace to explicitly specificy (maximal) enclave page > permissions at build time. The enclave page permissions are provided > to, and checked by, LSMs at enclave build time. > > Pros: Low-complexity kernel implementation, straightforward auditing > Cons: Sullies the SGX UAPI to some extent, may increase complexity of > SGX2 enclave loaders. > > 2. Pre-check LSM permissions and dynamically track mappings to enclave > pages, e.g. add an SGX mprotect() hook to restrict W->X and WX > based on the pre-checked permissions. > > Pros: Does not impact SGX UAPI, medium kernel complexity > Cons: Auditing is complex/weird, requires taking enclave-specific > lock during mprotect() to query/update tracking. > > 3. Implement LSM hooks in SGX to allow LSMs to track enclave regions > from cradle to grave, but otherwise defer everything to LSMs. > > Pros: Does not impact SGX UAPI, maximum flexibility, precise auditing > Cons: Most complex and "heaviest" kernel implementation of the three, > pushes more SGX details into LSMs. > > My RFC series[1] implements #1. My understanding is that Andy (Lutomirski) > prefers #2. Cedric's RFC series implements #3. > > Perhaps the easiest way to make forward progress is to rule out the > options we absolutely *don't* want by focusing on the potentially blocking > issue with each option: > > #1 - SGX UAPI funkiness > > #2 - Auditing complexity, potential enclave lock contention > > #3 - Pushing SGX details into LSMs and complexity of kernel implementation At the risk of repeating myself, I believe the issue that has not received full clarity is that, for a security relevant solution, there has to be two separate aspects of LSM coverage for SGX. I believe that a high level review of the requirements may assist in selection of a course of action for the driver. The first aspect of LSM control has been covered extensively and that is the notion of implementing control over the ability of a user identity to request some cohort of page privileges. The cohort of obvious concern is the ability of a page to possess both WRITE and EXECUTE privileges at sometime during its lifetime. Given that SGX2 support is the ultimate and necesary goal for this driver, the selected proposal should be the one that gives the most simplistic application of this policy. As I have noted previously, once SGX2 becomes available, the only relevant security control that can be realized with this type of LSM support is whether or not the platform owner wishes to limit access by a user identity to the ability to dynamically load code in enclave context. With SGX2 we will, by necessity, have to admit the notion that a platform owner will not have any effective visibility into code that is loaded and executed, since it can come in over a secured network connection in an enclave security context. This advocates for the simplest approach possible to providing some type of regulation to any form of WX page access. Current state of the art, and there doesn't appear to be a reason to change this, is to package an enclave in the form of an ELF shared library. It seems straight forward to inherit and act on page privileges from the privileges specified on the ELF sections that are loaded. Loaders will have a file descriptor available so an mmap of the incoming page with the specified privileges should trigger the required LSM interventions and tie them to a specific enclave. The current enclave 'standard' also uses layout metadata, stored in a special .notes section of the shared image, to direct a loader with respect to construction of the enclave stack, heap, TCS and other miscellaneous regions not directly coded by the ELF TEXT sections. It seems straight forward to extend this paradigm to declare region(s) of an enclave that are eligible to be generated at runtime (EAUG'ed) with the RWX protections needed to support dynamically loaded code. If an enclave wishes to support this functionality, it would seem straight forward to require an enclave to provide a single zero page which the loader will mmap with those protections in order to trigger the desired LSM checks against that specific enclave. The simplest driver approach that achieves the desired introspection of permissions in the described framework will implement as much LSM security as is possible with SGX technology and with minimal disruption to the existing SGX software eco-system. This leaves the second aspect of LSM security and that is the ability to inspect and act on the initialized characteristics of the enclave. This is the aspect of SGX LSM functionality that has not been clearly called out. All that is needed here is an LSM hook that gets handed a pointer to the signature structure (SIGSTRUCT) that is passed to the EINIT ioctl. If the SIGSTRUCT does not match the proposed enclave image that the processor has computed secondary to the enclave image creation process the enclave will not initialize, so all that is needed is for an LSM to be allowed to interpret and act on the characteristics defined in that structure before the enclave is actually initialized. As we have now collectively demonstrated, it is easy to get lost in minutia with respect to all of this. I believe if we can focus on a solution that implements what I have discussed above we will achieve as much as can be achieved with respect to platform security for SGX systems. Best wishes for a productive remainder of the week. Dr. Greg As always, Dr. G.W. Wettstein, Ph.D. Enjellic Systems Development, LLC. 4206 N. 19th Ave. Specializing in information infra-structure Fargo, ND 58102 development. PH: 701-281-1686 EMAIL: greg@xxxxxxxxxxxx ------------------------------------------------------------------------------ "Nullum magnum ingenium sine mixtura dementiae fuit." (There is no great genius without some touch of madness.) -- Seneca