Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()

From: Andy Lutomirski
Date: Fri Sep 18 2020 - 11:09:20 EST


On Tue, Sep 15, 2020 at 4:28 AM Jarkko Sakkinen
<jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote:
>
> From: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
>
> Add vm_ops()->mprotect() for additional constraints for a VMA.
>
> Intel Software Guard eXtensions (SGX) will use this callback to add two
> constraints:
>
> 1. Verify that the address range does not have holes: each page address
> must be filled with an enclave page.
> 2. Verify that VMA permissions won't surpass the permissions of any enclave
> page within the address range. Enclave cryptographically sealed
> permissions for each page address that set the upper limit for possible
> VMA permissions. Not respecting this can cause #GP's to be emitted.

It's been a while since I looked at this. Can you remind us: is this
just preventing userspace from shooting itself in the foot or is this
something more important?

--Andy
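
The two constraints listed in the quoted commit message, written out as a userspace model. This is an added example, not code from the patch or the kernel; the structures, the names (`encl_may_map`, `struct encl_page`, the `PROT_*` values) and the sample enclave layout are assumptions made up for illustration.

```c
#include <errno.h>
#include <stddef.h>

#define ENCL_PAGE_SHIFT 12
#define ENCL_PAGE_SIZE  (1UL << ENCL_PAGE_SHIFT)
enum { PROT_R = 1, PROT_W = 2, PROT_X = 4 };

/* Hypothetical model of one enclave page slot. */
struct encl_page {
    int present;            /* 0 = hole: no enclave page at this address */
    unsigned long max_prot; /* permissions fixed when the page was added */
};

struct enclave {
    unsigned long base;
    size_t nr_pages;
    const struct encl_page *pages;
};

/* Constructed sample: R-X page, RW- page, a hole, R-- page. */
static const struct encl_page sample_pages[] = {
    { 1, PROT_R | PROT_X }, { 1, PROT_R | PROT_W }, { 0, 0 }, { 1, PROT_R },
};
static const struct enclave sample = { 0x10000UL, 4, sample_pages };

/* Return 0 if [start, end) may carry VMA permissions prot, else -errno. */
int encl_may_map(const struct enclave *e, unsigned long start,
                 unsigned long end, unsigned long prot)
{
    if (start >= end || ((start | end) & (ENCL_PAGE_SIZE - 1)))
        return -EINVAL;
    if (start < e->base || end > e->base + e->nr_pages * ENCL_PAGE_SIZE)
        return -EACCES;
    for (unsigned long a = start; a < end; a += ENCL_PAGE_SIZE) {
        const struct encl_page *p = &e->pages[(a - e->base) >> ENCL_PAGE_SHIFT];
        if (!p->present)
            return -EACCES;   /* constraint 1: hole in the range */
        if (prot & ~p->max_prot)
            return -EACCES;   /* constraint 2: VMA asks for more than the page allows */
    }
    return 0;
}

int main(void)
{
    /* Read-only over pages 0-1 is within both pages' limits, so this exits 0. */
    return encl_may_map(&sample, 0x10000UL, 0x12000UL, PROT_R) != 0;
}
```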