Sasha Levin <sas...@kernel.org> writes:
> On Mon, May 18, 2020 at 11:51:07AM +0200, Thomas Gleixner wrote:
>>Sasha Levin <sas...@kernel.org> writes:
>>> On Fri, May 15, 2020 at 12:24:14PM +0300, Jarkko Sakkinen wrote:
>>>>
>>>>Can you put me to the CC-loop for these patches? Some SGX-enabled
>>>>frameworks such as Graphene use out-of-tree changes to achieve this.
>>>>That's where the interest to possibly test this comes from.
>>>
>>> Indeed, we've seen a few hacks that basically just enable FSGSBASE:
>>>
>>>  - https://github.com/oscarlab/graphene-sgx-driver
>>>  - https://github.com/occlum/enable_rdfsbase
>>
>>I'm really amazed by all these security experts enabling a full root
>>hole. It clearly puts the SGX hypocrisy into perspective.
>
> We can bash Intel all we want here, but sadly there are users in the

This is not about bashing Intel.

> "wild" who just enable these root holes thinking they're secure, and
> those users are the ones running very sensitive workloads. Here's an
> example from a book called "Responsible Genomic Data Sharing":
>
> https://books.google.com/books?id=y6zWDwAAQBAJ&pg=PA184#v=onepage&q&f=false
>
> That explains how to use Graphene-SGX which just enables FSGSBASE with
> root holes.

It's about these SGX-promoting security experts who try to tell
everyone else that he has no clue about security.

Thanks,

        tglx

