Re: [intel-sgx-kernel-dev] [PATCH v11 13/13] intel_sgx: in-kernel launch enclave
From: Jarkko Sakkinen
Date: Mon Jun 25 2018 - 05:41:19 EST
On Thu, 2018-06-21 at 08:32 -0400, Nathaniel McCallum wrote:
> This implies that it should be possible to create MSR activation (and
> an embedded launch enclave?) entirely as a UEFI module. The kernel
> would still get to manage who has access to /dev/sgx and other
> important non-cryptographic policy details. Users would still be able
> to control the cryptographic policy details (via BIOS Secure Boot
> configuration that exists today). Distributions could still control
> cryptographic policy details via signing of the UEFI module with their
> own Secure Boot key (or using something like shim). The UEFI module
> (and possibly the external launch enclave) could be distributed via
> linux-firmware.
>
> Andy/Neil, does this work for you?
Nothing against having UEFI module for MSR activation step.
And we would move the existing in-kernel LE to firmware so that it is
avaible for locked-in-to-non-Intel-values case?
/Jarkko