SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support)
Stephen Smalley
sds at tycho.nsa.gov
Wed May 22 13:56:30 UTC 2019
On 5/22/19 9:22 AM, Jarkko Sakkinen wrote:
> On Wed, May 22, 2019 at 04:20:22PM +0300, Jarkko Sakkinen wrote:
>> On Tue, May 21, 2019 at 08:51:40AM -0700, Sean Christopherson wrote:
>>> Except that mmap() is more or less required to guarantee that ELRANGE
>>> established by ECREATE is available. And we want to disallow mmap() as
>>> soon as the first EADD is done so that userspace can't remap the enclave's
>>> VMAs via munmap()->mmap() and gain execute permissions to pages that were
>>> EADD'd as NX.
>>
>> We don't want to guarantee such thing and it is not guaranteed. It does
>> not fit at all to the multi process work done. Enclaves are detached
>> from any particular process addresse spaces. It is responsibility of
>> process to open windows to them.
>>
>> That would be completely against work that we've done lately.
>
> Example use case: you have a process that just constructs an enclave
> and sends it to another process or processes for use. The constructor
> process could have basically anything on that range. This was the key
> goal of the fd based enclave work.
What exactly happens in the constructor versus the recipient processes?
Which process performs each of the necessary open(), mmap(), and ioctl()
calls for setting up the enclave? Can you provide a high level overview
of the sequence of userspace calls by the constructor and by the
recipient similar to what Sean showed earlier for just a single process?
More information about the Linux-security-module-archive
mailing list