Re: [PATCH 0/6] Intel Secure Guard Extensions

From: Ingo Molnar
Date: Wed Apr 27 2016 - 04:18:19 EST

Next message: Richard Genoud: "Re: [PATCH] serial: mctrl_gpio: Drop support for out1-gpios and out2-gpios"
Previous message: Dan Streetman: "Re: + mm-zswap-use-workqueue-to-destroy-pool.patch added to -mm tree"
In reply to: Pavel Machek: "Re: [PATCH 0/6] Intel Secure Guard Extensions"
Next in thread: Andy Lutomirski: "Re: [PATCH 0/6] Intel Secure Guard Extensions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:

> > What new syscalls would be needed for ssh to get all this support?
>
> This patchset or similar, plus some user code and an enclave to use.
>
> Sadly, on current CPUs, you also need Intel to bless the enclave. It looks like
> new CPUs might relax that requirement.

That looks like a fundamental technical limitation in my book - to an open source
user this is essentially a very similar capability as tboot: it only allows the
execution of externally blessed static binary blobs...

I don't think we can merge any of this upstream until it's clear that the hardware
owner running open-source user-space can also freely define/start his own secure
enclaves without having to sign the enclave with any external party. I.e.
self-signed enclaves should be fundamentally supported as well.

Thanks,

Ingo

Next message: Richard Genoud: "Re: [PATCH] serial: mctrl_gpio: Drop support for out1-gpios and out2-gpios"
Previous message: Dan Streetman: "Re: + mm-zswap-use-workqueue-to-destroy-pool.patch added to -mm tree"
In reply to: Pavel Machek: "Re: [PATCH 0/6] Intel Secure Guard Extensions"
Next in thread: Andy Lutomirski: "Re: [PATCH 0/6] Intel Secure Guard Extensions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]