Re: SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support)

From: Sean Christopherson
Date: Fri May 17 2019 - 12:07:14 EST


On Thu, May 16, 2019 at 05:35:16PM -0700, Andy Lutomirski wrote:
> On Thu, May 16, 2019 at 3:23 PM Xing, Cedric <cedric.xing@xxxxxxxxx> wrote:
> > And if you are with me on that bigger picture, the next question is: what
> > should be the default behavior of security_sgx_mprot() for
> > existing/non-SGX-aware LSM modules/policies? I'd say a reasonable default
> > is to allow R, RW and RX, but not anything else. It'd suffice to get rid of
> > EXECMEM/EXECMOD requirements on enclave applications. For SGX1, EPCM
> > permissions are immutable so it really doesn't matter what
> > security_sgx_mprot() does. For SGX2 and beyond, there's still time and new
> > SGX-aware LSM modules/policies will probably have emerged by then.
>
> I hadn't thought about the SGX1 vs SGX2 difference. If the driver
> initially only wants to support SGX1, then I guess we really could get
> away with constraining the EPC flags based on the source page
> permission and not restricting mprotect() and mmap() permissions on
> /dev/sgx/enclave at all.

No, SGX1 vs SGX2 support in the kernel is irrelevant. Well, unless the
driver simply refuses to load on SGX2 hardware, but I don't think anyone
wants to go that route. There is no enabling or attribute bit required
to execute ENCLU[EMODPE], e.g. an enclave can effect RW->RWX in the EPCM
on SGX2 hardware regardless of what the kernel is doing.

IMO the kernel should ignore the EPCM from an LSM perspective.