SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support)
Jarkko Sakkinen
jarkko.sakkinen at linux.intel.com
Mon May 27 13:38:39 UTC 2019
On Mon, May 27, 2019 at 04:34:31PM +0300, Jarkko Sakkinen wrote:
> On Thu, May 23, 2019 at 07:17:52AM -0700, Sean Christopherson wrote:
> > 1. Do nothing. Userspace would essentially be required to mmap() the
> > enclave after EINIT, which is ugly but not breaking since userspace
> > could mmap() the enclave with a placeholder VMA prior to building
> > the enclave, and then a series of mmap() to establish its "real"
> > mapping.
>
> What it'd break to return error if mmap() is done before EINIT?
>
> > 2. Propagate the permissions from EADD to the VMAs of the current mm
> > if the entire EADD range is mapped and the mapping is PROT_NONE.
>
> Right now you can do multiple mmap's. If the mmap's must be done after
> EINIT, the driver could check that permissions match the permissions in
> that range.
>
> This leaves open how to deal with mprotect() but if the process does not
> have FILE__WRITE I guess you cannot do much.
>
> > 3. Propagate the permissions from EADD to the VMAs of all mm structs
> > that have mapped some piece of the enclave, following the matching
> > rules from #2.
>
> For me it looks that allowing mmap's only after EINIT would result the
> least confusing implemntation.
Obvious problem is of course the requirement of fixed mapping, which is
of course nasty.
/Jarkko
More information about the Linux-security-module-archive
mailing list