Re: [PATCH v12 00/18] Enable FSGSBASE instructions

From: Thomas Gleixner
Date: Mon May 18 2020 - 14:29:11 EST


Sasha Levin <sashal@xxxxxxxxxx> writes:
> On Mon, May 18, 2020 at 11:51:07AM +0200, Thomas Gleixner wrote:
>>Sasha Levin <sashal@xxxxxxxxxx> writes:
>>> On Fri, May 15, 2020 at 12:24:14PM +0300, Jarkko Sakkinen wrote:
>>>>
>>>>Can you put me to the CC-loop for this patches. Some SGX-enabled
>>>>frameworks such as Graphene use out-of-tree changes to achieve this.
>>>>That's where the interest to possibly test this comes from.
>>>
>>> Indeed, we've seen a few hacks that basically just enable FSGSBASE:
>>>
>>> - https://github.com/oscarlab/graphene-sgx-driver
>>> - https://github.com/occlum/enable_rdfsbase
>>
>>I'm really amazed by all these security experts enabling a full root
>>hole. It clearly puts the SGX hypocrisy into perspective.
>
> We can bash Intel all we want here, but sadly there are users in the

This is not about bashing Intel.

> "wild" who just enable these root holes thinking they're secure, and
> those users are the ones running very sensitive workloads. Here's an
> example from a book called "Responsible Genomic Data Sharing":
>
> https://books.google.com/books?id=y6zWDwAAQBAJ&pg=PA184#v=onepage&q&f=false
>
> That explains how to use Graphene-SGX which just enables FSGSBASE with
> root holes.

It's about these SGX promoting security experts which try to tell
everyone else that he has no clue about security.

Thanks,

tglx