Re: SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support)

From: James Morris
Date: Wed May 15 2019 - 18:49:07 EST


On Wed, 15 May 2019, Andy Lutomirski wrote:

> > Why not just use an xattr, like security.sgx ?
>
> Wouldn't this make it so that only someone with CAP_MAC_ADMIN could
> install an enclave? I think that this decision should be left up the
> administrator, and it should be easy to set up a loose policy where
> anyone can load whatever enclave they want. That's what would happen
> in my proposal if there was no LSM loaded or of the LSM policy didn't
> restrict what .sigstruct files were acceptable.
>

You could try user.sigstruct, which does not require any privs.

--
James Morris
<jmorris@xxxxxxxxx>