SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support)
Jarkko Sakkinen
jarkko.sakkinen at linux.intel.com
Mon Jun 3 20:54:05 UTC 2019
On Thu, May 30, 2019 at 09:14:10AM -0700, Andy Lutomirski wrote:
> > What is the "source file" i.e. the target of the check? Enclave file,
> > sigstruct file, or /dev/sgx/enclave?
>
> Enclave file -- that is, the file backing the vma from which the data
> is loaded.
Wonder why KVM gets away without having this given that enclaves are
lot alike VMs.
> It's provided by userspace based on whether it thinks the data in
> question is enclave code. source->vm_file is the file from which the
> code is being loaded. I'm assuming that the user code will only set
> excute_intent ==true if it actually wants to execute the code, so, if
> there's a denial, it will be fatal. The normal case will be that the
> request will be granted on the basis of EXECUTE.
AFAIK user spaces tells that already with the SECINFO flags. I don't
get why we need a duplicate parameter.
/Jarkko
More information about the Linux-security-module-archive
mailing list