On 7/11/2019 10:51 AM, Jarkko Sakkinen wrote:
On Thu, Jul 11, 2019 at 10:32:41AM -0400, Stephen Smalley wrote:
The existing permissions don't map cleanly to SGX but I think Sean and
Cedric were trying to make a best-effort approximation to the underlying
concepts in a manner that permits control over the introduction of
executable content.
Sure, the existing EXECMOD check is only applied today when there is an
attempt to make executable a previously modified (detected based on COW
having occurred) private file mapping. But the general notion of
controlling the ability to execute modified content is still meaningful.
OK to summarize EXECMOD does not connect with SGX in any possible way
but SGX needs something that mimics EXECMOD behaviour?
Stephen may correct me if I'm wrong. EXECMOD is granted to files, to
indicate the bearer contains self-modifying code (or text relocation).
So if it applies the enclaves, there are two aspects of it:
(1) An enclave may be loaded from multiple image files, among which some
may contain self-modifying code and hence would require EXECMOD on each
of them. At runtime, W->X will be allowed/denied for pages loaded from
image files having/not having EXECMOD.
(2) But there are pages not loaded from any files - e.g. pages EAUG'ed
at runtime. We are trying to use the file containing SIGSTRUCT as the
"proxy file" - i.e. EXECMOD on the proxy file indicates the enclave may
load code into EAUG'ed pages at runtime.
(3) Well, this is not an aspect of EXECMOD. Yet there's another category
of pages - pages EADD'ed from anonymous memory. They are different than
EAUG'ed pages in that their contents are supplied by untrusted code. How
to control their accesses is still being debated. My argument was that
the source pages must be executable before they could be loaded
executable in EPC. Andy argued that SIGSTRUCT alone could be considered
sufficient validation on the contents in certain usages, so both Sean
and I had proposed PROCESS2__ENCLAVE_EXECANON as a new permission. But
for the 1st upstream I think we all agree to do just the minimum until
real requirements come up. After all, adding is generally easier than
taking away existing things.