Re: [PATCH 05/25] x86/sgx: Introduce runtime protection bits

["Haitao Huang" <haitao.huang@xxxxxxxxxxxxxxx>]

On Fri, 07 Jan 2022 06:16:21 -0600, Jarkko Sakkinen <jarkko@xxxxxxxxxx>  
wrote:

> On Thu, Jan 06, 2022 at 09:46:06AM -0800, Reinette Chatre wrote:
> > Hi Jarkko,
> >
> > On 12/28/2021 6:52 AM, Jarkko Sakkinen wrote:
> > > On Mon, Dec 13, 2021 at 02:10:17PM -0800, Reinette Chatre wrote:
> > >> Hi Jarkko,
> > >>
> > >> On 12/10/2021 11:42 PM, Jarkko Sakkinen wrote:
> > >>> On Mon, 2021-12-06 at 13:20 -0800, Reinette Chatre wrote:
> > >>>>> This is a valid question. Since EMODPE exists why not just make  
> > things for
> > >>>>> EMODPE, and ignore EMODPR altogether?
> > >>>>>
> > >>>>
> > >>>> I believe that we should support the best practice of principle of  
> > least
> > >>>> privilege - once a page no longer needs a particular permission  
> > there
> > >>>> should be a way to remove it (the unneeded permission).
> > >>>
> > >>> What if EMODPR was not used at all, since EMODPE is there anyway?
> > >>
> > >> EMODPR and EMODPE are not equivalent.
> > >>
> > >> EMODPE can only be used to "extend"/relax permissions while EMODPR  
> > can only
> > >> be used to restrict permissions.
> > >>
> > >> Notice in the EMODPE instruction reference of the SDM:
> > >>
> > >> (* Update EPCM permissions *)
> > >> EPCM(DS:RCX).R := EPCM(DS:RCX).R | SCRATCH_SECINFO.FLAGS.R;
> > >> EPCM(DS:RCX).W := EPCM(DS:RCX).W | SCRATCH_SECINFO.FLAGS.W;
> > >> EPCM(DS:RCX).X := EPCM(DS:RCX).X | SCRATCH_SECINFO.FLAGS.X;
> > >>
> > >> So, when using EMODPE it is only possible to add permissions, not  
> > remove
> > >> permissions.
> > >>
> > >> If a user wants to remove permissions from an EPCM page it is only  
> > possible
> > >> when using EMODPR. Notice in its instruction reference found in the  
> > SDM how
> > >> it in turn can only be used to restrict permissions:
> > >>
> > >> (* Update EPCM permissions *)
> > >> EPCM(DS:RCX).R := EPCM(DS:RCX).R & SCRATCH_SECINFO.FLAGS.R;
> > >> EPCM(DS:RCX).W := EPCM(DS:RCX).W & SCRATCH_SECINFO.FLAGS.W;
> > >> EPCM(DS:RCX).X := EPCM(DS:RCX).X & SCRATCH_SECINFO.FLAGS.X;
> > >
> > > OK, so the question is: do we need both or would a mechanism just to  
> > extend
> > > permissions be sufficient?
> >
> > I do believe that we need both in order to support pages having only
> > the permissions required to support their intended use during the time  
> > the
> > particular access is required. While technically it is possible to grant
> > pages all permissions they may need during their lifetime it is safer to
> > remove permissions when no longer required.
>
> So if we imagine a run-time: how EMODPR would be useful, and how using it
> would make things safer?
In scenarios of JIT compilers, once code is generated into RW pages,  
modifying both PTE and EPCM permissions to RX would be a good defensive  
measure. In that case, EMODPR is useful.

Haitao