On Sun, 23 Jun 2019, Dr. Greg wrote: > The most relevant and important control with respect to whether or not > an enclave should be allowed to execute is evaluation of the > SIGSTRUCT. Given the trajectory that platform security is on, SGX is > not going to be the last technology of its type nor the only > technology that makes use of cryptographically based code provenance. > > As a result, if we are content with handing an opaque pointer of a > descriptive struture to an LSM routine, a generic hook that is tasked > with verifying code or execution environment provenance doesn't seem > like it would need to be technology specific nor controversial. > > That leaves as the last thorny issue the question of dynamic > allocation of memory for executable content. As we have stated > before, and at the outset of this note, from a security perspective > this is only, effectively, a binary question for the platform owner as > to whether or not the concept should be allowed. > > A generic LSM hook, appropriately named, could execute that decision > without being SGX specific. Arguably, the hook should be named to > indicate that it is seeking approval for allocating memory to be used > for anonymous executable content, since that is what it would be > effectively requesting approval for, in the case of SGX. > > For completeness a third generic hook may be useful. The purpose of > that hook would be to verify a block of memory as being > measured or signed for consideration as executable content. Arguably > that will have utility far beyond SGX. > > In the case of SGX it would address the issue as to whether or not a > block of executable content in untrusted space is eligible for > anonymous execution. That may be a useful security measure in order > to provide some control over an enclave being used as a random > execution oracle. > > It obviously has no security utility against the enclave author since, > as we have noted before, it is possible for the enclave author to > simply pull whatever code is desired over an encrypted network > connection. > > > James Morris > > Hopefully these comments are a useful basis for further discussion. Thanks, this is helpful. -- James Morris <jmorris@xxxxxxxxx>
