[RFC PATCH v4 10/12] security/selinux: Add enclave_load() implementation
Xing, Cedric
cedric.xing at intel.com
Fri Jun 21 21:22:13 UTC 2019
> From: Christopherson, Sean J
> Sent: Wednesday, June 19, 2019 3:24 PM
>
> Intended use of each permission:
>
> - SGX_EXECDIRTY: dynamically load code within the enclave itself
> - SGX_EXECUNMR: load unmeasured code into the enclave, e.g. Graphene
Why does it matter whether a code page is measured or not?
> - SGX_EXECANON: load code from anonymous memory (likely Graphene)
Graphene doesn't load code from anonymous memory. It loads code dynamically though, as in SGX_EXECDIRTY case.
> - SGX_EXECUTE: load an enclave from a file, i.e. normal behavior
Why is SGX_EXECUTE needed from security perspective? Or why isn't FILE__EXECUTE sufficient?
More information about the Linux-security-module-archive
mailing list