On Mon, Nov 26, 2018 at 03:04:36PM -0800, Jarkko Sakkinen wrote: Good morning to everyone. > On Mon, Nov 26, 2018 at 01:51:45PM -0800, Jarkko Sakkinen wrote: > > > ioctl(sgx, SGX_IOC_ADD_RIGHT, sgx_provisioning); > > > > > > This requires extra syscalls, but it doesn???t have the combinatorial > > > explosion problem. > > > > I like this design because it is extendable. I'm now also in the same > > page why we need to protect provisioning in the first place. I would > > slight restructure this as > > > > /dev/sgx/control > > /dev/sgx/attributes/provision > I guess it would be OK to upstream only control node first as long > as provision attribute is denied in order to keep the already huge > patch set a tiny bit smaller? At this point in time I believe there is a consensus that the driver needs a policy management framework of some type for an optimum implementation. The PROVISION attribute has privacy implications and unrestricted access to release mode (full security) is problematic. Since the thread has become a bit divergent I wanted to note that we have offered a proposal for a general policy management framework based on MRSIGNER values. This framework is consistent with the SGX security model, ie. cryptographic rather then DAC based policy controls. This framework also allows a much more flexible policy implementation that doesn't result in combinatoric issues. Our framework also allows the preservation of the current ABI which allows an EINITTOKEN to be passed in from userspace. The framework also supports the ability to specify that only a kernel based launch enclave (LE) should be available if the platform owner or distribution should desire to implement such a model. The policy management framework is straight forward. Three linked lists or their equivalent which are populated through /sysfs pseudo-files or equivalent plumbing. Each list is populated with MRSIGNER values for signing keys that are allowed to initialize enclaves under three separate conditions. 1.) General enclaves without special attribute bits. 2.) Enclaves with the SGX_FLAGS_PROVISION_KEY attribute set. - i.e., 'Provisioning Enclaves'. 3.) Enclaves with the SGX_FLAGS_LICENSE_KEY attribute set - i.e., 'Launch Enclaves'. An all-null MRSIGNER value serves as a 'sealing' value that locks a list from any further modifications. This architecture allows platform policies to be specified and then sealed at early boot by the root user. At that point cryptographic policy controls are in place rather then DAC based controls, the latter of which have perpetual security liabilities in addition to the useability constraints inherent in a DAC or device node model. We have developed an independent implementation of the PSW and arguably have as much experience with issues surrounding how to interact with the device driver as anyone. We have spent a lot of time thinking about these issues and the above framework provides the most flexible architecture available. > /Jarkko We would be happy to discuss specific aspects of the implementation. Have a good day. Dr. Greg As always, Dr. G.W. Wettstein, Ph.D. Enjellic Systems Development, LLC. 4206 N. 19th Ave. Specializing in information infra-structure Fargo, ND 58102 development. PH: 701-281-1686 FAX: 701-281-3949 EMAIL: greg@xxxxxxxxxxxx ------------------------------------------------------------------------------ "Remember that when you take down the fishhouse you can't put the minnows back into the lake, so throw them out on the ice. Make sure you stomp on any of the live ones so they don't suffer." -- Fritz Wettstein At the lake