Re: [PATCH v17 18/23] platform/x86: Intel SGX driver
From: Jarkko Sakkinen
Date: Mon Nov 26 2018 - 16:51:47 EST
On Sun, Nov 25, 2018 at 08:22:35AM -0800, Andy Lutomirski wrote:
> Agreed. What Iâm proposing adds additional security if the kernel is
> *not* compromised.
And even if the kernel is compromised evil use will detected quicker
i.e. compromissed kernel is "better" than a kernel that allows to
use provisioning freely.
> There are other ways to accomplish it that might be better in some
> respects. For example, there could be /dev/sgx and
> /dev/sgx_rights/provision. The former exposes the whole sgx API,
> except that it doesnât allow provisioning by default. The latter does
> nothing by itself. To run a provisioning enclave, you open both nodes,
> then do something like:
>
> ioctl(sgx, SGX_IOC_ADD_RIGHT, sgx_provisioning);
>
> This requires extra syscalls, but it doesnât have the combinatorial
> explosion problem.
I like this design because it is extendable. I'm now also in the same
page why we need to protect provisioning in the first place. I would
slight restructure this as
/dev/sgx/control
/dev/sgx/attributes/provision
Looks cleaner and the root /dev directory is less polluted.
BTW, off-topic from this but should we remove ENCLAVE from IOC names as
they all concern enclaves anyway? Seems kind of redundant. I.e.
SGX_IOC_ENCLAVE_CREATE -> SGX_IOC_CREATE
SGX_IOC_ENCLAVE_ADD_PAGE -> SGX_IOC_ADD_PAGE
SGX_IOC_ENCLAVE_INIT -> SGX_IOC_INIT
/Jarkko