Re: [PATCH v17 18/23] platform/x86: Intel SGX driver

From: Andy Lutomirski
Date: Tue Nov 27 2018 - 12:55:53 EST

> On Nov 27, 2018, at 8:41 AM, Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote:
>> On Tue, Nov 27, 2018 at 02:55:33AM -0600, Dr. Greg wrote:
>> Since the thread has become a bit divergent I wanted to note that we
>> have offered a proposal for a general policy management framework
>> based on MRSIGNER values. This framework is consistent with the SGX
>> security model, ie. cryptographic rather then DAC based policy
>> controls. This framework also allows a much more flexible policy
>> implementation that doesn't result in combinatoric issues.
>> Our framework also allows the preservation of the current ABI which
>> allows an EINITTOKEN to be passed in from userspace. The framework
>> also supports the ability to specify that only a kernel based launch
>> enclave (LE) should be available if the platform owner or distribution
>> should desire to implement such a model.
>> The policy management framework is straight forward. Three linked
>> lists or their equivalent which are populated through /sysfs
>> pseudo-files or equivalent plumbing. Each list is populated with
>> MRSIGNER values for signing keys that are allowed to initialize
>> enclaves under three separate conditions.
>> 1.) General enclaves without special attribute bits.
>> 2.) Enclaves with the SGX_FLAGS_PROVISION_KEY attribute set. - i.e.,
>> 'Provisioning Enclaves'.
>> 3.) Enclaves with the SGX_FLAGS_LICENSE_KEY attribute set - i.e., 'Launch
>> Enclaves'.
>> An all-null MRSIGNER value serves as a 'sealing' value that locks a
>> list from any further modifications.
>> This architecture allows platform policies to be specified and then
>> sealed at early boot by the root user. At that point cryptographic
>> policy controls are in place rather then DAC based controls, the
>> latter of which have perpetual security liabilities in addition to the
>> useability constraints inherent in a DAC or device node model.
>> We have developed an independent implementation of the PSW and
>> arguably have as much experience with issues surrounding how to
>> interact with the device driver as anyone. We have spent a lot of
>> time thinking about these issues and the above framework provides the
>> most flexible architecture available.
> Sounds like a lot bloat and policy added to the kernel whereas with
> Andy's proposal you can implement logic to a daemon and provide only
> mechanism to do it.

Well, almost. Weâd need SGX_IOC_FREEZE_MR{ENCLAVE,SIGNER} or similar. Or maybe the daemon could handle the entire loading process. But this can wait until after the main driver is upstream.

This does lead to a question: enclaves are kind-of-sort-of mapped into a given address space. What happens if you issue the various ioctls in the context of a different mm? For that matter, can two processes mmap the same enclave?