lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Fri, 4 Dec 2020 03:55:03 +0200
From:   Jarkko Sakkinen <>
To:     "Michael Kerrisk (man-pages)" <>
Cc:     linux-man <>,,
        Dave Hansen <>,
        "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" <>,
Subject: Re: [PATCH] sgx.7: New page with overview of Software Guard
 eXtensions (SGX)

On Wed, Dec 02, 2020 at 07:17:42PM +0200, Jarkko Sakkinen wrote:
> On Wed, Dec 02, 2020 at 11:37:01AM +0100, Michael Kerrisk (man-pages) wrote:
> > Hi Jarkko,
> > 
> > Thanks for the page. I'll have some more comments later, most likely.
> > But to begin with, are there any other manual pages that should be
> > listed in a SEE ALSO section for this manual page, and are there any
> > pages in man-pages that you think should refer to this page in their
> > SEE ALSO sections?
> Thanks for quick response.
> SGX does not declare any syscalls but it does have an ioctl API and
> a vDSO.
> I think one thing that the man page is missing is SIGSEGV handling.
> When user space directly invokes ENCLU[EENTER], then the exceptions
> inside are recognized through SIGSEV. This should be probably added,
> and then "SEE ALSO" should point out to sigaction().

Obviously I need to have references to mmap() and mprotect() too.

Ignoring everything else related to this feature and simplify the
concept, in SGX you build an enclave yet to be mapped memory, then
mmap() it and possibly mprotect() it. When you build an enclave, you
assign permissions to each page, and there's an invariant in the kernel
implementation that mmap/mprotect() permissions are not allowed to
surpass the intended permissions. The implementation is multi-process
by nature, i.e. one process can build an enclave and other process can
just map it (e.g. getting fd through fork or SCM_RIGHTS).

Hmm... that would be a good paragraph for my man page (with editing of
course) before any other details, when describing enclave construction


Powered by blists - more mailing lists