@@ -16,6 +16,8 @@
_IOW(SGX_MAGIC, 0x01, struct sgx_enclave_add_page)
#define SGX_IOC_ENCLAVE_INIT \
_IOW(SGX_MAGIC, 0x02, struct sgx_enclave_init)
+#define SGX_IOC_ENCLAVE_SET_ATTRIBUTE \
+ _IOW(SGX_MAGIC, 0x03, struct sgx_enclave_set_attribute)
/**
* struct sgx_enclave_create - parameter structure for the
@@ -52,4 +54,13 @@ struct sgx_enclave_init {
__u64 sigstruct;
};
+/**
+ * struct sgx_enclave_set_attribute - parameter structure for the
+ * %SGX_IOC_ENCLAVE_SET_ATTRIBUTE ioctl
+ * @attribute_fd: file handle of the attribute file in the securityfs
+ */
+struct sgx_enclave_set_attribute {
+ __u64 attribute_fd;
+};
+
#endif /* _UAPI_ASM_X86_SGX_H */
@@ -28,7 +28,7 @@ extern u64 sgx_attributes_reserved_mask;
extern u64 sgx_xfrm_reserved_mask;
extern u32 sgx_xsave_size_tbl[64];
-extern const struct file_operations sgx_fs_provision_fops;
+extern const struct file_operations sgx_provision_fops;
long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg);
@@ -718,6 +718,49 @@ static long sgx_ioc_enclave_init(struct file *filep, void __user *arg)
return ret;
}
+/**
+ * sgx_ioc_enclave_set_attribute - handler for %SGX_IOC_ENCLAVE_SET_ATTRIBUTE
+ * @filep: open file to /dev/sgx
+ * @arg: userspace pointer to a struct sgx_enclave_set_attribute instance
+ *
+ * Mark the enclave as being allowed to access a restricted attribute bit.
+ * The requested attribute is specified via the attribute_fd field in the
+ * provided struct sgx_enclave_set_attribute. The attribute_fd must be a
+ * handle to an SGX attribute file, e.g. “/dev/sgx/provision".
+ *
+ * Failure to explicitly request access to a restricted attribute will cause
+ * sgx_ioc_enclave_init() to fail. Currently, the only restricted attribute
+ * is access to the PROVISION_KEY.
+ *
+ * Note, access to the EINITTOKEN_KEY is disallowed entirely.
+ *
+ * Return: 0 on success, -errno otherwise
+ */
+static long sgx_ioc_enclave_set_attribute(struct file *filep, void __user *arg)
+{
+ struct sgx_encl *encl = filep->private_data;
+ struct sgx_enclave_set_attribute params;
+ struct file *attribute_file;
+ int ret;
+
+ if (copy_from_user(¶ms, arg, sizeof(params)))
+ return -EFAULT;
+
+ attribute_file = fget(params.attribute_fd);
+ if (!attribute_file->f_op)
+ return -EINVAL;
+
+ if (attribute_file->f_op != &sgx_provision_fops) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ encl->allowed_attributes |= SGX_ATTR_PROVISIONKEY;
+
+out:
+ fput(attribute_file);
+ return ret;
+}
long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
{
@@ -728,6 +771,8 @@ long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
return sgx_ioc_enclave_add_page(filep, (void __user *)arg);
case SGX_IOC_ENCLAVE_INIT:
return sgx_ioc_enclave_init(filep, (void __user *)arg);
+ case SGX_IOC_ENCLAVE_SET_ATTRIBUTE:
+ return sgx_ioc_enclave_set_attribute(filep, (void __user *)arg);
default:
return -ENOIOCTLCMD;
}
@@ -153,12 +153,18 @@ static const struct file_operations sgx_encl_fops = {
.get_unmapped_area = sgx_get_unmapped_area,
};
+const struct file_operations sgx_provision_fops = {
+ .owner = THIS_MODULE,
+};
+
static struct bus_type sgx_bus_type = {
.name = "sgx",
};
static struct device sgx_encl_dev;
static struct cdev sgx_encl_cdev;
+static struct device sgx_provision_dev;
+static struct cdev sgx_provision_cdev;
static dev_t sgx_devt;
static void sgx_dev_release(struct device *dev)
@@ -235,22 +241,37 @@ int __init sgx_drv_init(void)
if (ret)
goto err_chrdev_region;
+ ret = sgx_dev_init("sgx/provision", &sgx_provision_dev,
+ &sgx_provision_cdev, &sgx_provision_fops, 1);
+ if (ret)
+ goto err_encl_dev;
+
sgx_encl_wq = alloc_workqueue("sgx-encl-wq",
WQ_UNBOUND | WQ_FREEZABLE, 1);
if (!sgx_encl_wq) {
ret = -ENOMEM;
- goto err_encl_dev;
+ goto err_provision_dev;
}
ret = cdev_device_add(&sgx_encl_cdev, &sgx_encl_dev);
if (ret)
goto err_encl_wq;
+ ret = cdev_device_add(&sgx_provision_cdev, &sgx_provision_dev);
+ if (ret)
+ goto err_encl_cdev;
+
return 0;
+err_encl_cdev:
+ cdev_device_del(&sgx_encl_cdev, &sgx_encl_dev);
+
err_encl_wq:
destroy_workqueue(sgx_encl_wq);
+err_provision_dev:
+ put_device(&sgx_provision_dev);
+
err_encl_dev:
put_device(&sgx_encl_dev);
In order to provide a mechanism for devilering provisoning rights: 1. Add a new device file /dev/sgx/provision that works as a token for allowing an enclave to have the provisioning privileges. 2. Add a new ioctl called SGX_IOC_ENCLAVE_SET_ATTRIBUTE that accepts the following data structure: struct sgx_enclave_set_attribute { __u64 addr; __u64 attribute_fd; }; A daemon could sit on top of /dev/sgx/provision and send a file descriptor of this file to a process that needs to be able to provision enclaves. The way this API is used is straight-forward. Lets assume that dev_fd is a handle to /dev/sgx/enclave and prov_fd is a handle to /dev/sgx/provision. You would allow SGX_IOC_ENCLAVE_CREATE to initialize an enclave with the PROVISIONKEY attribute by params.addr = <enclave address>; params.token_fd = prov_fd; ioctl(dev_fd, SGX_IOC_ENCLAVE_SET_ATTRIBUTE, ¶ms); Cc: James Morris <jmorris@namei.org> Cc: Serge E. Hallyn <serge@hallyn.com> Cc: linux-security-module@vger.kernel.org Suggested-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> --- arch/x86/include/uapi/asm/sgx.h | 11 ++++++ arch/x86/kernel/cpu/sgx/driver/driver.h | 2 +- arch/x86/kernel/cpu/sgx/driver/ioctl.c | 45 +++++++++++++++++++++++++ arch/x86/kernel/cpu/sgx/driver/main.c | 23 ++++++++++++- 4 files changed, 79 insertions(+), 2 deletions(-)