Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Andy Lutomirski <luto@xxxxxxxxxx>
Subject: Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
From: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>
Date: Thu, 1 Aug 2019 19:38:39 +0300
Cc: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>, "Schaufler, Casey" <casey.schaufler@xxxxxxxxx>, James Morris <jmorris@xxxxxxxxx>, linux-sgx@xxxxxxxxxxxxxxx, Dave Hansen <dave.hansen@xxxxxxxxx>, Cedric Xing <cedric.xing@xxxxxxxxx>, Jethro Beekman <jethro@xxxxxxxxxxxx>, "Dr . Greg Wettstein" <greg@xxxxxxxxxxxx>, Stephen Smalley <sds@xxxxxxxxxxxxx>, LSM List <linux-security-module@xxxxxxxxxxxxxxx>
In-reply-to: <CALCETrXMAwHod_KZYPGWjTjg-fxOb1=02=Qj2g1o624wOPfPZQ@mail.gmail.com>
Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo
References: <20190617222438.2080-5-sean.j.christopherson@intel.com> <dc3d59c2783ea81d85d4d447bd1a4a2d5fe51421.camel@linux.intel.com> <20190619152018.GC1203@linux.intel.com> <20190620221702.GE20474@linux.intel.com> <20190707190809.GE19593@linux.intel.com> <1b7369a08e98dd08a4f8bb19b16479f12bee130f.camel@linux.intel.com> <20190708161932.GE20433@linux.intel.com> <20190709160634.3yupyabf5svnj4ds@linux.intel.com> <20190710172553.GE4348@linux.intel.com> <CALCETrXMAwHod_KZYPGWjTjg-fxOb1=02=Qj2g1o624wOPfPZQ@mail.gmail.com>
User-agent: NeoMutt/20180716

On Mon, Jul 15, 2019 at 03:29:23PM -0700, Andy Lutomirski wrote:
> I would say it differently: regardless of exactly how /dev/sgx/enclave
> is wired up under the hood, we want a way that a process can be
> granted permission to usefully run enclaves without being granted
> permission to execute whatever bytes of code it wants.  Preferably
> without requiring LSMs to maintain some form of enclave signature
> whitelist.

Would it be better to have a signer whitelist instead or some
combination? E.g. you could whiteliste either by signer or
enclave signature.

/Jarkko

Follow-Ups:
- Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
  - From: Andy Lutomirski

References:
- [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
  - From: Sean Christopherson
- Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
  - From: Jarkko Sakkinen
- Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
  - From: Sean Christopherson
- Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
  - From: Jarkko Sakkinen
- Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
  - From: Sean Christopherson
- Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
  - From: Jarkko Sakkinen
- Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
  - From: Sean Christopherson
- Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
  - From: Jarkko Sakkinen
- Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
  - From: Sean Christopherson
- Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
  - From: Andy Lutomirski

Prev by Date: Re: [PATCH] x86/sgx: Return 0 when !CONFIG_INTEL_SGX_DRIVER
Next by Date: Re: [PATCH] x86/sgx: Return 0 when !CONFIG_INTEL_SGX_DRIVER
Previous by thread: Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
Next by thread: Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
Index(es):
- Date
- Thread

[Index of Archives] [AMD Graphics] [Linux USB Devel] [Linux Audio Users] [Yosemite News] [Linux Kernel] [Linux SCSI]