Provide a way to pass verified argv and environments #508
Comments
We have a fix for this in Graphene-ng, but it requires protected files to make sense (it adds an option to the manifest to load argv from a file, which can be mounted as protected). We could also add a third option: specify argv in the manifest itself, but this would require a lot of changes in manifest parsing to allow providing arbitrary argv and doesn't allow providing the arguments at runtime (instead of build-time). We could merge what we have as is, because it doesn't depend on protected files per se, but it would only start to be useful after also merging filesystem protection. Any thoughts?
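As an added illustration of the two variants discussed in this comment (this is example code, not code from the issue or from Graphene): argv read from a file whose digest is pinned in the measured manifest, which needs no protected files but fixes argv at build time, and argv read from an integrity-protected file checked with a key the untrusted host does not hold, which allows runtime-provided arguments. The manifest key names, the NUL-separated file format, the HMAC tag standing in for protected-file integrity, and all sample values are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample data for the example (not from the issue or Graphene).
ARGV_FILE = b"app\x00--port\x00443\x00"   # NUL-separated, NUL-terminated argv file (assumed format)
ARGV_PATH = "/app/argv"
MANIFEST = {                               # stands in for a measured manifest; key names are hypothetical
    "loader.argv_src_file": ARGV_PATH,
    "sgx.trusted_files": {ARGV_PATH: hashlib.sha256(ARGV_FILE).hexdigest()},
}
SEAL_KEY = b"\x11" * 32                    # stands in for a key only the enclave can derive


def parse_argv_file(data: bytes) -> list:
    """Split a NUL-terminated argv file into a list of strings.

    The trailing NUL is mandatory so a truncated file is rejected instead of
    silently yielding a shorter argv.
    """
    if not data.endswith(b"\x00"):
        raise ValueError("argv file must be non-empty and NUL-terminated")
    return [arg.decode("utf-8") for arg in data[:-1].split(b"\x00")]


def argv_from_measured_file(manifest: dict, storage: dict) -> list:
    """Build-time variant: the argv file's SHA-256 digest is listed in the
    manifest, and the manifest is part of the enclave measurement, so any
    change to argv changes the measurement."""
    path = manifest["loader.argv_src_file"]
    expected = manifest["sgx.trusted_files"][path]
    data = storage[path]                            # read from untrusted storage
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):   # constant-time comparison
        raise PermissionError(f"{path}: digest mismatch, refusing to trust argv")
    return parse_argv_file(data)


def seal_argv(key: bytes, argv: list) -> bytes:
    """What a trusted provisioning side would produce: tag || argv file."""
    data = b"".join(arg.encode("utf-8") + b"\x00" for arg in argv)
    return hmac.new(key, data, "sha256").digest() + data


def argv_from_protected_file(key: bytes, storage: dict, path: str) -> list:
    """Runtime variant: the file carries an integrity tag under a key the
    untrusted host does not hold, so argv can be supplied after the build
    without being baked into the measurement (models the protected-files
    dependency mentioned above; a real implementation would use
    authenticated encryption rather than a bare HMAC)."""
    blob = storage[path]
    tag_len = hashlib.sha256().digest_size
    if len(blob) < tag_len:
        raise PermissionError(f"{path}: too short to carry an integrity tag")
    tag, data = blob[:tag_len], blob[tag_len:]
    if not hmac.compare_digest(hmac.new(key, data, "sha256").digest(), tag):
        raise PermissionError(f"{path}: integrity tag mismatch, refusing to trust argv")
    return parse_argv_file(data)


def rejects(fn, *args) -> bool:
    """True if loading fails closed (used to show tampering is detected)."""
    try:
        fn(*args)
    except (PermissionError, ValueError):
        return True
    return False


if __name__ == "__main__":
    print(argv_from_measured_file(MANIFEST, {ARGV_PATH: ARGV_FILE}))
    tampered = {ARGV_PATH: b"app\x00--port\x00" + b"80\x00"}
    print("tampered argv rejected:", rejects(argv_from_measured_file, MANIFEST, tampered))
    sealed = {"/app/argv.sealed": seal_argv(SEAL_KEY, ["app", "--debug"])}
    print(argv_from_protected_file(SEAL_KEY, sealed, "/app/argv.sealed"))
```

The point both variants share is that the loader never gets to choose argv on its own: the value either has to match a digest that is part of the measurement, or has to carry a tag only the enclave side could have produced, and any mismatch fails closed before the application sees its arguments.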
I suggest you submit a PR with your solution, and the protected-files feature in another PR in the future. At least we'll have a better understanding of how your solution works. Are we talking only about argv, or are envvars also handled by this mechanism? Is it possible to pass argv in a special envvar which will be protected somehow? (To avoid the dependency on protected-files.)
Ok, I'll wait a bit more to give everyone a chance to reply on this and prepare the PR afterwards.
We used this only for argv, but adding the same thing for env sounds trivial, the code should be almost identical (and I plan to include both in the PR).
Isn't protecting envs exactly as hard as protecting argv?
Then ignore my question :)
Currently the process arguments and environment variables are passed from `pal_loader` without any verification. There should be a way to specify those in the manifest such that they are measured and can be trusted. This is particularly useful for running (mostly) unmodified applications inside the enclave.