On Tue, Nov 27, 2018 at 02:55:33AM -0600, Dr. Greg wrote: > Since the thread has become a bit divergent I wanted to note that we > have offered a proposal for a general policy management framework > based on MRSIGNER values. This framework is consistent with the SGX > security model, ie. cryptographic rather then DAC based policy > controls. This framework also allows a much more flexible policy > implementation that doesn't result in combinatoric issues. > > Our framework also allows the preservation of the current ABI which > allows an EINITTOKEN to be passed in from userspace. The framework > also supports the ability to specify that only a kernel based launch > enclave (LE) should be available if the platform owner or distribution > should desire to implement such a model. > > The policy management framework is straight forward. Three linked > lists or their equivalent which are populated through /sysfs > pseudo-files or equivalent plumbing. Each list is populated with > MRSIGNER values for signing keys that are allowed to initialize > enclaves under three separate conditions. > > 1.) General enclaves without special attribute bits. > > 2.) Enclaves with the SGX_FLAGS_PROVISION_KEY attribute set. - i.e., > 'Provisioning Enclaves'. > > 3.) Enclaves with the SGX_FLAGS_LICENSE_KEY attribute set - i.e., 'Launch > Enclaves'. > > An all-null MRSIGNER value serves as a 'sealing' value that locks a > list from any further modifications. > > This architecture allows platform policies to be specified and then > sealed at early boot by the root user. At that point cryptographic > policy controls are in place rather then DAC based controls, the > latter of which have perpetual security liabilities in addition to the > useability constraints inherent in a DAC or device node model. > > We have developed an independent implementation of the PSW and > arguably have as much experience with issues surrounding how to > interact with the device driver as anyone. We have spent a lot of > time thinking about these issues and the above framework provides the > most flexible architecture available. Sounds like a lot bloat and policy added to the kernel whereas with Andy's proposal you can implement logic to a daemon and provide only mechanism to do it. /Jarkko
