[RFC PATCH v4 10/12] security/selinux: Add enclave_load() implementation
luto at kernel.org
Sat Jun 29 23:41:32 UTC 2019
On Tue, Jun 25, 2019 at 2:09 PM Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On 6/21/19 5:22 PM, Xing, Cedric wrote:
> >> From: Christopherson, Sean J
> >> Sent: Wednesday, June 19, 2019 3:24 PM
> >> Intended use of each permission:
> >> - SGX_EXECDIRTY: dynamically load code within the enclave itself
> >> - SGX_EXECUNMR: load unmeasured code into the enclave, e.g. Graphene
> > Why does it matter whether a code page is measured or not?
> It won't be incorporated into an attestation?
Also, if there is, in parallel, a policy that limits the set of
enclave SIGSTRUCTs that are accepted, requiring all code be measured
makes it harder to subvert by writing incompetent or maliciously