Re: [PATCH v20 00/28] Intel SGX1 support

From: Andy Lutomirski
Date: Fri Apr 19 2019 - 17:32:03 EST




> On Apr 19, 2019, at 2:19 PM, Jethro Beekman <jethro@xxxxxxxxxxxx> wrote:
>
>> .
>>
>> If we start enforcing equivalent rules on SGX, then the current API will simply not allow enclaves to be loaded â no matter how you slice it, loading an enclave with the current API is indistinguishable from making arbitrary data executable.
>
> Yes this is exactly what I intended here: a very simple change that
> stops SGX from confusing LSM. Just by enforcing that everything that
> looks like a memory write (EADD, EAUG, EDBGWR, etc.) actually requires
> write permissions, reality and LSM should be on the same page.
>
> If you want to go further and actually allow this behavior when your LSM
> would otherwise prohibit it, presumably the same workarounds that exist
> for JITs can be used for SGX.
>
>

I do think we need to follow LSM rules. But my bigger point is that there are policies that donât allow JIT at all. I think we should arrange the SGX API so itâs still usable when such a policy is in effect.