Re: [RFC PATCH v4 00/12] security: x86/sgx: SGX vs. LSM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/11/2019 10:51 AM, Jarkko Sakkinen wrote:
On Thu, Jul 11, 2019 at 10:32:41AM -0400, Stephen Smalley wrote:
The existing permissions don't map cleanly to SGX but I think Sean and
Cedric were trying to make a best-effort approximation to the underlying
concepts in a manner that permits control over the introduction of
executable content.

Sure, the existing EXECMOD check is only applied today when there is an
attempt to make executable a previously modified (detected based on COW
having occurred) private file mapping.  But the general notion of
controlling the ability to execute modified content is still meaningful.

OK to summarize EXECMOD does not connect with SGX in any possible way
but SGX needs something that mimics EXECMOD behaviour?

Stephen may correct me if I'm wrong. EXECMOD is granted to files, to indicate the bearer contains self-modifying code (or text relocation). So if it applies the enclaves, there are two aspects of it:

(1) An enclave may be loaded from multiple image files, among which some may contain self-modifying code and hence would require EXECMOD on each of them. At runtime, W->X will be allowed/denied for pages loaded from image files having/not having EXECMOD.

(2) But there are pages not loaded from any files - e.g. pages EAUG'ed at runtime. We are trying to use the file containing SIGSTRUCT as the "proxy file" - i.e. EXECMOD on the proxy file indicates the enclave may load code into EAUG'ed pages at runtime.

(3) Well, this is not an aspect of EXECMOD. Yet there's another category of pages - pages EADD'ed from anonymous memory. They are different than EAUG'ed pages in that their contents are supplied by untrusted code. How to control their accesses is still being debated. My argument was that the source pages must be executable before they could be loaded executable in EPC. Andy argued that SIGSTRUCT alone could be considered sufficient validation on the contents in certain usages, so both Sean and I had proposed PROCESS2__ENCLAVE_EXECANON as a new permission. But for the 1st upstream I think we all agree to do just the minimum until real requirements come up. After all, adding is generally easier than taking away existing things.



[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux