Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()

From: Andy Lutomirski
Date: Fri Sep 18 2020 - 11:09:20 EST

Next message: Joerg Roedel: "[git pull] IOMMU Fixes for Linux v5.9-rc5"
Previous message: Andrey Konovalov: "Re: [PATCH v2 31/37] kasan, x86, s390: update undef CONFIG_KASAN"
In reply to: Borislav Petkov: "Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()"
Next in thread: Jarkko Sakkinen: "Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Sep 15, 2020 at 4:28 AM Jarkko Sakkinen
<jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote:
>
> From: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
>
> Add vm_ops()->mprotect() for additional constraints for a VMA.
>
> Intel Software Guard eXtensions (SGX) will use this callback to add two
> constraints:
>
> 1. Verify that the address range does not have holes: each page address
> must be filled with an enclave page.
> 2. Verify that VMA permissions won't surpass the permissions of any enclave
> page within the address range. Enclave cryptographically sealed
> permissions for each page address that set the upper limit for possible
> VMA permissions. Not respecting this can cause #GP's to be emitted.

It's been awhile since I looked at this. Can you remind us: is this
just preventing userspace from shooting itself in the foot or is this
something more important?

--Andy

Next message: Joerg Roedel: "[git pull] IOMMU Fixes for Linux v5.9-rc5"
Previous message: Andrey Konovalov: "Re: [PATCH v2 31/37] kasan, x86, s390: update undef CONFIG_KASAN"
In reply to: Borislav Petkov: "Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()"
Next in thread: Jarkko Sakkinen: "Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]