Re: SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support)

From: Jarkko Sakkinen
Date: Mon Jun 03 2019 - 18:20:40 EST


On Thu, May 30, 2019 at 09:14:10AM -0700, Andy Lutomirski wrote:
> > What is the "source file" i.e. the target of the check? Enclave file,
> > sigstruct file, or /dev/sgx/enclave?
>
> Enclave file -- that is, the file backing the vma from which the data
> is loaded.

Wonder why KVM gets away without having this given that enclaves are
a lot like VMs.

> It's provided by userspace based on whether it thinks the data in
> question is enclave code. source->vm_file is the file from which the
> code is being loaded. I'm assuming that the user code will only set
> execute_intent == true if it actually wants to execute the code, so, if
> there's a denial, it will be fatal. The normal case will be that the
> request will be granted on the basis of EXECUTE.

AFAIK user space tells that already with the SECINFO flags. I don't
get why we need a duplicate parameter.

/Jarkko