Re: [PATCH v17 18/23] platform/x86: Intel SGX driver

From: Dr. Greg
Date: Wed Nov 28 2018 - 05:52:44 EST

Next message: Mika Westerberg: "Re: [PATCH v2 1/4] PCI / ACPI: Identify untrusted PCI devices"
Previous message: Thierry Reding: "Re: [PATCH 7/9] dt-bindings: tegra186-gpio: Add wakeup parent support"
In reply to: Andy Lutomirski: "Re: [PATCH v17 18/23] platform/x86: Intel SGX driver"
Next in thread: Jarkko Sakkinen: "Re: [PATCH v17 18/23] platform/x86: Intel SGX driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Nov 27, 2018 at 09:55:45AM -0800, Andy Lutomirski wrote:

> > On Nov 27, 2018, at 8:41 AM, Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote:
> >
> >> On Tue, Nov 27, 2018 at 02:55:33AM -0600, Dr. Greg wrote:
> >> Since the thread has become a bit divergent I wanted to note that we
> >> have offered a proposal for a general policy management framework
> >> based on MRSIGNER values. This framework is consistent with the SGX
> >> security model, ie. cryptographic rather then DAC based policy
> >> controls. This framework also allows a much more flexible policy
> >> implementation that doesn't result in combinatoric issues.
> >>
> >> Our framework also allows the preservation of the current ABI which
> >> allows an EINITTOKEN to be passed in from userspace. The framework
> >> also supports the ability to specify that only a kernel based launch
> >> enclave (LE) should be available if the platform owner or distribution
> >> should desire to implement such a model.
> >>
> >> The policy management framework is straight forward. Three linked
> >> lists or their equivalent which are populated through /sysfs
> >> pseudo-files or equivalent plumbing. Each list is populated with
> >> MRSIGNER values for signing keys that are allowed to initialize
> >> enclaves under three separate conditions.
> >>
> >> 1.) General enclaves without special attribute bits.
> >>
> >> 2.) Enclaves with the SGX_FLAGS_PROVISION_KEY attribute set. - i.e.,
> >> 'Provisioning Enclaves'.
> >>
> >> 3.) Enclaves with the SGX_FLAGS_LICENSE_KEY attribute set - i.e., 'Launch
> >> Enclaves'.
> >>
> >> An all-null MRSIGNER value serves as a 'sealing' value that locks a
> >> list from any further modifications.
> >>
> >> This architecture allows platform policies to be specified and then
> >> sealed at early boot by the root user. At that point cryptographic
> >> policy controls are in place rather then DAC based controls, the
> >> latter of which have perpetual security liabilities in addition to the
> >> useability constraints inherent in a DAC or device node model.
> >>
> >> We have developed an independent implementation of the PSW and
> >> arguably have as much experience with issues surrounding how to
> >> interact with the device driver as anyone. We have spent a lot of
> >> time thinking about these issues and the above framework provides the
> >> most flexible architecture available.
> >
> > Sounds like a lot bloat and policy added to the kernel whereas with
> > Andy's proposal you can implement logic to a daemon and provide only
> > mechanism to do it.

> Well, almost. We'd need SGX_IOC_FREEZE_MR{ENCLAVE,SIGNER} or
> similar. Or maybe the daemon could handle the entire loading process.
> But this can wait until after the main driver is upstream.
>
> This does lead to a question: enclaves are kind-of-sort-of mapped
> into a given address space. What happens if you issue the various
> ioctls in the context of a different mm? For that matter, can two
> processes mmap the same enclave?

Fascinating.

We've been carrying a patch, that drops in on top of the proposed
kernel driver, that implements the needed policy management framework
for DAC fragile (FLC) platforms. After a meeting yesterday with the
client that is funding the work, a decision was made to release the
enhancements when the SGX driver goes mainline. That will at least
give developers the option of creating solutions on Linux that
implement the security guarantees that SGX was designed to deliver.

Most importantly, since it implements a driver consistent with the
design of SGX, it has the added benefit of allowing system
administrators the ability to enable the driver to work on non-FLC
(locked) platforms. Since Jarkko confirmed that FLC is the option of
platform vendors, this would seem to be important as SGX on Linux will
only work in a random fashion dependent on the whims of hardware OEM's
in probably a SKU dependent fashion. Which is why the client has
interest in the work.

Best wishes for a productive remainder of the week.

Dr. Greg

As always,
Dr. G.W. Wettstein, Ph.D. Enjellic Systems Development, LLC.
4206 N. 19th Ave. Specializing in information infra-structure
Fargo, ND 58102 development.
PH: 701-281-1686
FAX: 701-281-3949 EMAIL: greg@xxxxxxxxxxxx
------------------------------------------------------------------------------
"Five year projections, are you kidding me. We don't know what we are
supposed to be doing at the 4 o'clock meeting this afternoon."
-- Terry Wieland
Resurrection

Next message: Mika Westerberg: "Re: [PATCH v2 1/4] PCI / ACPI: Identify untrusted PCI devices"
Previous message: Thierry Reding: "Re: [PATCH 7/9] dt-bindings: tegra186-gpio: Add wakeup parent support"
In reply to: Andy Lutomirski: "Re: [PATCH v17 18/23] platform/x86: Intel SGX driver"
Next in thread: Jarkko Sakkinen: "Re: [PATCH v17 18/23] platform/x86: Intel SGX driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]