On Nov 18, 2020, at 1:54 PM, Borislav Petkov bp@alien8.de wrote:
On Wed, Nov 18, 2020 at 11:37:55PM +0200, Jarkko Sakkinen wrote:
Just checking that I got this right: you want me to port my anon inode changes from March to be applied on top of tip and send them?
Well, we need to somehow address the issue when some distros map /dev noexec and that is conflicting with SGX due to it needing to mmap with executable permissions but /dev/sgx_enclave is noexec...
I guess the first thing that needs figuring out is why are some distros mounting /dev noexec.
I mean, you can always do the easiest thing: somewhere in the SGX docs say that one of the steps towards running SGX enclaves on such distros is for the admin to map /dev exec. However, does that have other security implications which would make such exec mounting a security hazard?
If so, then the SGX code would need changing...
Questions like those.
HTH.
-- Regards/Gruss, Boris.
I thought we had determined that this was solvable entirely in userspace. Udev can handle this, no?
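An added check for the condition Boris describes above (this is not code from the thread or from the SGX driver): it parses /proc/self/mountinfo, finds the mount that holds /dev/sgx_enclave, and reports whether that mount carries noexec, which is what makes a PROT_EXEC mmap of the device fail. The mountinfo text embedded below is constructed sample data; the real file is read when no text is passed in.

```python
import re

# Constructed sample of /proc/self/mountinfo (not from the thread): /dev is
# mounted noexec here, as on the distros the thread discusses.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:5 / /dev rw,nosuid,noexec,relatime shared:2 - devtmpfs devtmpfs rw,mode=755
24 23 0:20 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw
"""


def parse_mountinfo(text):
    """Return a list of (mount_point, set_of_mount_options) from mountinfo text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        # Field 5 is the mount point, field 6 the per-mount options.
        # Mount points are octal-escaped (e.g. "\040" stands for a space).
        mp = re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), fields[4])
        mounts.append((mp, set(fields[5].split(","))))
    return mounts


def mount_for(path, text=None):
    """Return (mount_point, options) of the mount containing `path`, i.e. the
    longest mount point that is a path prefix of it, or None."""
    if text is None:
        with open("/proc/self/mountinfo") as f:
            text = f.read()
    best = None
    for mp, opts in parse_mountinfo(text):
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return best


def is_noexec(path, text=None):
    """True when the mount holding `path` carries the noexec flag."""
    found = mount_for(path, text)
    return found is not None and "noexec" in found[1]


if __name__ == "__main__":
    dev = "/dev/sgx_enclave"
    if is_noexec(dev, SAMPLE_MOUNTINFO):
        # The admin-side workaround mentioned in the thread is to remount /dev
        # with exec (mount -o remount,exec /dev); whether that is acceptable is
        # exactly the question Boris raises.
        print(f"{dev}: mount is noexec, PROT_EXEC mappings of the device will fail")
    else:
        print(f"{dev}: exec mappings permitted")
```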