Re: [PATCH v20 00/28] Intel SGX1 support

From: Andy Lutomirski
Date: Fri Apr 19 2019 - 17:15:15 EST

> On Apr 19, 2019, at 1:54 PM, Jethro Beekman <jethro@xxxxxxxxxxxx> wrote:
>> On 2019-04-19 13:50, Thomas Gleixner wrote:
>>> On Fri, 19 Apr 2019, Jethro Beekman wrote:
>>>> On 2019-04-19 13:39, Thomas Gleixner wrote:
>>>>> On Fri, 19 Apr 2019, Jethro Beekman wrote:
>>>>>> On 2019-04-19 08:27, Andy Lutomirski wrote:
>>>>>> There are many,
>>>>>> many Linux systems that enforce a policy that *all* executable text
>>>>>> needs to come from a verified source. On these systems, you can't
>>>>>> mmap some writable memory, write to it, and then change it to
>>>>>> executable.
>>>>> How is this implemented on those systems? AFAIK there's no kernel config
>>>>> option that changes the semantics of mmap as you describe.
>>>> That has nothing to do with mmap() semantics. You mmap() writeable memory
>>>> and then you change the permissions via mprotect(). mprotect() calls into
>>>> LSM and depending on policy and security model this will reject the
>>>> request.
>>>> Andy was pointing out that the SGX ioctl bypasses the LSM mechanics which
>>>> is obviously a bad thing.
>>> We could modify the driver such that when you call ioctl EADD, the page
>>> table permissions need to be the PAGEINFO.SECINFO.FLAGS | PROT_WRITE,
>>> otherwise you get EPERM or so. After EADD, if you want, you can restrict
>>> the page table permissions again using mprotect but the page table
>>> permissions don't really matter for SGX.
>> And the point of that is? That you still can cirumvent LSM for feeding
>> executable code into SGX.
> How? LSM would see that you're trying to map a page RWX so you can do
> your ioctl?

With plain mmap() + mprotect(), the LSM will prevent you from making memory that *was* writable executable. This is by design and SELinux supports it. I donât remember the name of the associated SELinux permission off the top of my head.

If we start enforcing equivalent rules on SGX, then the current API will simply not allow enclaves to be loaded â no matter how you slice it, loading an enclave with the current API is indistinguishable from making arbitrary data executable.

Put another way, you can compile your enclave, ship it as a file, and get it appropriately verified (by LSM attribute, IMA, dm-verity, whatever) and run it, but, with the current API, the kernel has no way of knowing that the userspace enclave loader is actually reading it from the file in question.

So I think we need to work on the API.

>> No, we are not making special cases and exceptions for SGX.
> Maybe I didn't express myself clearly? I don't think I was suggesting
> anything like that.
> --
> Jethro Beekman | Fortanix