SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support)

Jarkko Sakkinen jarkko.sakkinen at linux.intel.com
Mon Jun 3 20:54:05 UTC 2019


On Thu, May 30, 2019 at 09:14:10AM -0700, Andy Lutomirski wrote:
> > What is the "source file" i.e. the target of the check?  Enclave file,
> > sigstruct file, or /dev/sgx/enclave?
> 
> Enclave file -- that is, the file backing the vma from which the data
> is loaded.

Wonder why KVM gets away without having this given that enclaves are
lot alike VMs.

> It's provided by userspace based on whether it thinks the data in
> question is enclave code.  source->vm_file is the file from which the
> code is being loaded.  I'm assuming that the user code will only set
> excute_intent ==true if it actually wants to execute the code, so, if
> there's a denial, it will be fatal.  The normal case will be that the
> request will be granted on the basis of EXECUTE.

AFAIK user spaces tells that already with the SECINFO flags. I don't
get why we need a duplicate parameter.

/Jarkko



More information about the Linux-security-module-archive mailing list