Re: [PATCH V3 14/30] x86/sgx: Support restricting of enclave page permissions
From: Reinette Chatre
Date: Wed Apr 06 2022 - 15:41:24 EST
Hi Jarkko,
On 4/6/2022 12:30 AM, Jarkko Sakkinen wrote:
> On Tue, 2022-04-05 at 11:59 -0700, Reinette Chatre wrote:
>> I plan to replace the current "secinfo" field in struct sgx_enclave_restrict_permissions
>> with a new "permissions" field that contain only the permissions. Please let
>> me know if you have concerns with this (I also discuss this more in reply to
>> your other message related to the page type change ioctl()).
>
> I'm cool with it but if it is named as "permissions", then
> it is already software-defined entity, i.e. meaning just that
> have this check in place in the ioctl:
>
> if (addp->permissions & !(PROT_READ | PROT_WRITE | PROT_EXEC))
> return -EINVAL;
>
I assume that we do still want to ensure that
PROT_READ is always set.
I was planning to keep it in the "SGX language" since
this is about changing EPCM permissions with values from
a runtime understanding SGX permissions in secinfo that will
be provided to hardware understanding SGX permissions in
secinfo.
Thus:
if (params.permissions & ~SGX_SECINFO_PERMISSION_MASK)
return -EINVAL;
if (!(params.permissions & SGX_SECINFO_R))
return -EINVAL;
Reinette