Re: [PATCH v20 00/28] Intel SGX1 support

[Sean Christopherson]

On Mon, Apr 22, 2019 at 09:55:47AM -0700, Linus Torvalds wrote:
> On Mon, Apr 22, 2019 at 9:48 AM Sean Christopherson
> <sean.j.christopherson@xxxxxxxxx> wrote:
> >
> > Right, and loading a malicious enclave doesn't change those guarantees
> > (for other enclaves).  Ergo, restricting which enclaves can execute is
> > orthogonal to the security provided by SGX.
> 
> But it is absolutely worth noting that TSX made a lot of attacks both
> easier to _do_, and also easier to _hide_.
> 
> All while being basically completely worthless technology to everybody
> except for some silly SAP benchmark.
> 
> So it is definitely worth at least discussing the downsides of SGX. If
> it ends up being another technology that makes it easier to create
> malware, without actually having a lot of _good_ software use it, the
> patches to enable it should make damn sure that the upsides actually
> outweigh the downsides.
> 
> And if the current setup basically is "you have to disable reasonable
> SElinux protections that lots of distros use today", I think it's
> entirely reasonable saying "the downsides are bigger than the
> upsides".

I'm not arguing against SGX playing nice with SELinux/LSMs, actually the
opposite.  I completely agree that enclaves should be subject to LSM
restrictions.

AIUI, Dr. Greg is proposing a framework that uses SGX's launch control
mechanism to restrict what enclaves can run.  My point is that restricting
what enclaves can run is about protecting the kernel and/or platform, not
the enclaves themselves, i.e. using launch control instead of, or in
addition to, LSMs doesn't change the security guarantees of SGX.