On Thu, Apr 29, 2021 at 11:55:23AM -0700, Dave Hansen wrote:
On 4/29/21 11:39 AM, Tim Gardner wrote:
I'm just starting my learning curve on SGX, so I don't know if I've missed some setup for the SGX device entries. After looking at arch/x86/kernel/cpu/sgx/driver.c I see that there is no mode value for either sgx_dev_enclave or sgx_dev_provision.
With this patch I can get the SGX self test to complete:
sudo ./test_sgx Warning: no execute permissions on device file /dev/sgx_enclave 0x0000000000000000 0x0000000000002000 0x03 0x0000000000002000 0x0000000000001000 0x05 0x0000000000003000 0x0000000000003000 0x03 SUCCESS
Is the warning even necessary ?
Dang, I just added that warning. I thought it was necessary, but I guess not:
$ ls -l /dev/sgx_enclave crw------- 1 dave dave 10, 125 Apr 28 11:32 /dev/sgx_enclave $ ./test_sgx 0x0000000000000000 0x0000000000002000 0x03 0x0000000000002000 0x0000000000001000 0x05 0x0000000000003000 0x0000000000003000 0x03 SUCCESS
*But*, is that OK? Should we be happily creating a PROT_EXEC mapping on a ugo-x file? Why were we respecting noexec on the filesystem but not ugo-x on the file?
Yeah, this supports my earlier response:
"EPERM The prot argument asks for PROT_EXEC but the mapped area belongs to a file on a filesystem that was mounted no-exec." https://man7.org/linux/man-pages/man2/mmap.2.html
I guess the right model is to think just as "anonymous memory" with equivalent access control semantics after succesfully opened for read and write.
BTW, this is good material for the man page :-)
/Jarkko