| Message ID | 20220304011636.327511-1-jarkko@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | x86/sgx: Do not limit EAUG'd pages by pre-initialization policy | expand |
On Fri, Mar 04, 2022 at 03:16:35AM +0200, Jarkko Sakkinen wrote: > Pre-initialization policy is meant for EADD'd pages because they are > part of the enclave identity. It's a good practice to not let touch the > permissions after initialization, and does provide guarantees to e.g. > LSM's about the enclave. > > For EAUG'd pages it should be sufficient to let mmap(), mprotect() and > SGX opcodes to control the permissions. Thus effectively disable > pre-initialization policy by setting vm_max_prot_bit and > vm_run_prot_bits to RWX. > > Cc: Reinette Chatre <reinette.chatre@intel.com> > Cc: Nathaniel McCallum <nathaniel@profian.com> > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > --- > arch/x86/kernel/cpu/sgx/encl.c | 8 +------- > 1 file changed, 1 insertion(+), 7 deletions(-) > > diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c > index 5fe7189eac9d..17feb6fa5578 100644 > --- a/arch/x86/kernel/cpu/sgx/encl.c > +++ b/arch/x86/kernel/cpu/sgx/encl.c > @@ -200,13 +200,7 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, > encl_page->desc = addr; > encl_page->encl = encl; > > - /* > - * Adding a regular page that is architecturally allowed to only > - * be created with RW permissions. > - * TBD: Interface with user space policy to support max permissions > - * of RWX. > - */ > - prot = PROT_READ | PROT_WRITE; > + prot = PROT_READ | PROT_WRITE | PROT_EXEC; > encl_page->vm_run_prot_bits = calc_vm_prot_bits(prot, 0); > encl_page->vm_max_prot_bits = encl_page->vm_run_prot_bits; > > -- > 2.35.1 > This does not break any existing ABI and at least makes the current patch set usable. BR, Jarkko
On Fri, Mar 04, 2022 at 03:25:38AM +0200, Jarkko Sakkinen wrote: > On Fri, Mar 04, 2022 at 03:16:35AM +0200, Jarkko Sakkinen wrote: > > Pre-initialization policy is meant for EADD'd pages because they are > > part of the enclave identity. It's a good practice to not let touch the > > permissions after initialization, and does provide guarantees to e.g. > > LSM's about the enclave. > > > > For EAUG'd pages it should be sufficient to let mmap(), mprotect() and > > SGX opcodes to control the permissions. Thus effectively disable > > pre-initialization policy by setting vm_max_prot_bit and > > vm_run_prot_bits to RWX. > > > > Cc: Reinette Chatre <reinette.chatre@intel.com> > > Cc: Nathaniel McCallum <nathaniel@profian.com> > > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > > --- > > arch/x86/kernel/cpu/sgx/encl.c | 8 +------- > > 1 file changed, 1 insertion(+), 7 deletions(-) > > > > diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c > > index 5fe7189eac9d..17feb6fa5578 100644 > > --- a/arch/x86/kernel/cpu/sgx/encl.c > > +++ b/arch/x86/kernel/cpu/sgx/encl.c > > @@ -200,13 +200,7 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, > > encl_page->desc = addr; > > encl_page->encl = encl; > > > > - /* > > - * Adding a regular page that is architecturally allowed to only > > - * be created with RW permissions. > > - * TBD: Interface with user space policy to support max permissions > > - * of RWX. > > - */ > > - prot = PROT_READ | PROT_WRITE; > > + prot = PROT_READ | PROT_WRITE | PROT_EXEC; > > encl_page->vm_run_prot_bits = calc_vm_prot_bits(prot, 0); > > encl_page->vm_max_prot_bits = encl_page->vm_run_prot_bits; > > > > -- > > 2.35.1 > > > > This does not break any existing ABI and at least makes the current > patch set usable. Also it would be a sane limitation to deny EMODPR and EMODT completely for EADD'd pages. Then, you can discard vm_run_prot_bits. It's not needed for anything anymore. This should make implementation considerably less obfuscated. BR, Jarkko
diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c index 5fe7189eac9d..17feb6fa5578 100644 --- a/arch/x86/kernel/cpu/sgx/encl.c +++ b/arch/x86/kernel/cpu/sgx/encl.c @@ -200,13 +200,7 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, encl_page->desc = addr; encl_page->encl = encl; - /* - * Adding a regular page that is architecturally allowed to only - * be created with RW permissions. - * TBD: Interface with user space policy to support max permissions - * of RWX. - */ - prot = PROT_READ | PROT_WRITE; + prot = PROT_READ | PROT_WRITE | PROT_EXEC; encl_page->vm_run_prot_bits = calc_vm_prot_bits(prot, 0); encl_page->vm_max_prot_bits = encl_page->vm_run_prot_bits;
Pre-initialization policy is meant for EADD'd pages because they are part of the enclave identity. It's a good practice to not let touch the permissions after initialization, and does provide guarantees to e.g. LSM's about the enclave. For EAUG'd pages it should be sufficient to let mmap(), mprotect() and SGX opcodes to control the permissions. Thus effectively disable pre-initialization policy by setting vm_max_prot_bit and vm_run_prot_bits to RWX. Cc: Reinette Chatre <reinette.chatre@intel.com> Cc: Nathaniel McCallum <nathaniel@profian.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> --- arch/x86/kernel/cpu/sgx/encl.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-)