lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 3 Dec 2021 10:18:17 -0800
From:   Reinette Chatre <reinette.chatre@...el.com>
To:     Dave Hansen <dave.hansen@...el.com>, <dave.hansen@...ux.intel.com>,
        <jarkko@...nel.org>, <tglx@...utronix.de>, <bp@...en8.de>,
        <luto@...nel.org>, <mingo@...hat.com>, <linux-sgx@...r.kernel.org>,
        <x86@...nel.org>
CC:     <seanjc@...gle.com>, <kai.huang@...el.com>,
        <cathy.zhang@...el.com>, <cedric.xing@...el.com>,
        <haitao.huang@...el.com>, <mark.shanahan@...el.com>,
        <hpa@...or.com>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 10/25] x86/sgx: Support enclave page permission changes

Hi Dave,

On 12/2/2021 3:48 PM, Dave Hansen wrote:
> On 12/1/21 11:23 AM, Reinette Chatre wrote:
>> + * EPCM permissions can be extended anytime directly from the enclave with
>> + * no visibility from the OS. This is accomplished with ENCLU[EMODPE]
>> + * run from within enclave. Accessing pages with the new, extended,
>> + * permissions requires the OS to update the PTE to handle the subsequent
>> + * #PF correctly.
> 
> Hi Reinette,
> 
> I really dislike the Intel nomenclature here.  I know the Intel docs are
> all written around permission "extension", but I find it ambiguous.
> 
> I've been looking at these instructions literally for years now and
> permission extension to me can mean either:
>   1. The set of things you can do is extended
>   2. The set of things you can *NOT* do is extended
> 
> I much rather prefer nomenclature like:
> 
> 	EPCM permissions can be relaxed anytime directly from the
> 	enclave with no visibility from the OS. This is accomplished
> 	with ENCLU[EMODPE] run from within enclave. Accessing pages with
> 	the new, relaxed permissions requires the OS to update the PTE
> 	to handle the subsequent correctly.
> 
> "Relax" is less ambiguous.  Relaxing a restriction and relaxing
> permissions both mean doing things less strictly.  Extending
> restrictions and extending what is allowed are opposites.

Very good point.

> Maybe it's just me and I need to get this through my thick skull at some
> point.  But, I do think it's OK to improve on the architecture names for
> things when they go into the kernel.  The XSAVE XSTATE_BV->xfeatures
> rename comes to mind.
> 
> Anyway, I'd appreciate if you could keep this in mind and consider
> changing it if a future revision is needed if you believe it is more clear.
> 

Will do. I see that there is opportunity to use this terminology in my 
reply to your other message in response to this patch. I'll do so and we 
can then further judge how it sounds.

Reinette

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ