[PATCH v20 16/28] x86/sgx: Add provisioning
Jarkko Sakkinen
jarkko.sakkinen at linux.intel.com
Tue Apr 23 14:33:09 UTC 2019
On Fri, Apr 19, 2019 at 03:06:48AM +0000, Huang, Kai wrote:
> On Wed, 2019-04-17 at 13:39 +0300, Jarkko Sakkinen wrote:
> > In order to provide a mechanism for devilering provisoning rights:
> >
> > 1. Add a new device file /dev/sgx/provision that works as a token for
> > allowing an enclave to have the provisioning privileges.
> > 2. Add a new ioctl called SGX_IOC_ENCLAVE_SET_ATTRIBUTE that accepts the
> > following data structure:
> >
> > struct sgx_enclave_set_attribute {
> > __u64 addr;
> > __u64 attribute_fd;
> > };
> >
> > A daemon could sit on top of /dev/sgx/provision and send a file
> > descriptor of this file to a process that needs to be able to provision
> > enclaves.
> >
> > The way this API is used is straight-forward. Lets assume that dev_fd is
> > a handle to /dev/sgx/enclave and prov_fd is a handle to
> > /dev/sgx/provision. You would allow SGX_IOC_ENCLAVE_CREATE to
> > initialize an enclave with the PROVISIONKEY attribute by
> >
> > params.addr = <enclave address>;
> > params.token_fd = prov_fd;
> >
> Should be params.attribute_fd = prov_fd;
>
> Thanks,
> -Kai
Thanks.
/Jarkko
More information about the Linux-security-module-archive
mailing list