Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves

From: Andy Lutomirski
Date: Tue Jun 04 2019 - 16:36:26 EST

Next message: Andy Lutomirski: "Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves"
Previous message: Bjorn Helgaas: "Re: [PATCH v2] PCI: Add PCIe 5.0 data rate (32 GT/s) support"
In reply to: Jarkko Sakkinen: "Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves"
Next in thread: Sean Christopherson: "Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jun 4, 2019 at 9:26 AM Jarkko Sakkinen
<jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote:
>
> On Fri, May 31, 2019 at 04:31:57PM -0700, Sean Christopherson wrote:
> > Do not allow an enclave page to be mapped with PROT_EXEC if the source
> > page is backed by a file on a noexec file system.
> >
> > Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
>
> Why don't you just check in sgx_encl_add_page() that whether the path
> comes from noexec and deny if SECINFO contains X?
>

SECINFO seems almost entirely useless for this kind of thing because
of SGX2. I'm thinking that SECINFO should be completely ignored for
anything other than its required architectural purpose.

Next message: Andy Lutomirski: "Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves"
Previous message: Bjorn Helgaas: "Re: [PATCH v2] PCI: Add PCIe 5.0 data rate (32 GT/s) support"
In reply to: Jarkko Sakkinen: "Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves"
Next in thread: Sean Christopherson: "Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]