[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHAy0tQr17mhpHskr4Mr+ooGyxjbSqy02Z2UA27U7=Ew6MW2Rg@mail.gmail.com>
Date: Thu, 2 Dec 2021 15:38:55 -0500
From: Nathaniel McCallum <nathaniel@...fian.com>
To: Dave Hansen <dave.hansen@...el.com>
Cc: Reinette Chatre <reinette.chatre@...el.com>,
dave.hansen@...ux.intel.com, jarkko@...nel.org, tglx@...utronix.de,
bp@...en8.de, luto@...nel.org, mingo@...hat.com,
linux-sgx@...r.kernel.org, x86@...nel.org, seanjc@...gle.com,
kai.huang@...el.com, cathy.zhang@...el.com, cedric.xing@...el.com,
haitao.huang@...el.com, mark.shanahan@...el.com, hpa@...or.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 00/25] x86/sgx and selftests/sgx: Support SGX2
On Thu, Dec 2, 2021 at 1:30 PM Dave Hansen <dave.hansen@...el.com> wrote:
>
> On 12/1/21 11:22 AM, Reinette Chatre wrote:
> > * Support modifying permissions of regular enclave pages belonging to an
> > initialized enclave. New permissions are not allowed to exceed the
> > originally vetted permissions. Modifying permissions is accomplished
> > with a new ioctl SGX_IOC_PAGE_MODP.
>
> It's probably also worth noting that this effectively punts on the issue
> of how to allow enclaves to relax the permissions on pages, like taking
> a page from R=>RW, or R=>RX. RX isn't allowed unless the page was
> *added* originally with RX or RWX.
>
> Since dynamically added pages start with initial RW permissions, they
> can *never* be RX or RWX since they did not start with execute
> permissions. That's a limitation, of course, but it's one that can be
> dealt with separately from this set.
>
> Does that sound sane to everyone?
We (Enarx) need arbitrary permission modifications. But for now we can
just use this patch series and patch the original permissions to be
RWX on all new pages. I think that should be sufficient.
Powered by blists - more mailing lists