Re: [PATCH v39 15/24] x86/sgx: Add SGX_IOC_ENCLAVE_PROVISION

From: Dave Hansen
Date: Tue Oct 20 2020 - 17:19:31 EST


On 10/2/20 9:50 PM, Jarkko Sakkinen wrote:
> + * Failure to explicitly request access to a restricted attribute will cause
> + * sgx_ioc_enclave_init() to fail. Currently, the only restricted attribute
> + * is access to the PROVISION_KEY.

Could we also justify why access is restricted, please? Maybe:

Access is restricted because PROVISION_KEY is burned uniquely
into each each processor, making it a perfect unique identifier
with privacy and fingerprinting implications.

Are there any other reasons for doing it this way?