SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support)

Jarkko Sakkinen jarkko.sakkinen at linux.intel.com
Mon May 27 13:38:39 UTC 2019


On Mon, May 27, 2019 at 04:34:31PM +0300, Jarkko Sakkinen wrote:
> On Thu, May 23, 2019 at 07:17:52AM -0700, Sean Christopherson wrote:
> >   1. Do nothing.  Userspace would essentially be required to mmap() the
> >      enclave after EINIT, which is ugly but not breaking since userspace
> >      could mmap() the enclave with a placeholder VMA prior to building
> >      the enclave, and then a series of mmap() to establish its "real"
> >      mapping.
> 
> What it'd break to return error if mmap() is done before EINIT?
> 
> >   2. Propagate the permissions from EADD to the VMAs of the current mm
> >      if the entire EADD range is mapped and the mapping is PROT_NONE.
> 
> Right now you can do multiple mmap's. If the mmap's must be done after
> EINIT, the driver could check that permissions match the permissions in
> that range.
> 
> This leaves open how to deal with mprotect() but if the process does not
> have FILE__WRITE I guess you cannot do much.
> 
> >   3. Propagate the permissions from EADD to the VMAs of all mm structs
> >      that have mapped some piece of the enclave, following the matching
> >      rules from #2.
> 
> For me it looks that allowing mmap's only after EINIT would result the
> least confusing implemntation.

Obvious problem is of course the requirement of fixed mapping, which is
of course nasty.

/Jarkko



More information about the Linux-security-module-archive mailing list