On Tue, Feb 16, 2021 at 10:38:42AM -0800, Dave Hansen wrote:
> On 2/13/21 5:28 AM, Kai Huang wrote:
> > SGX driver uses misc device /dev/sgx_enclave to support userspace to
> > create enclave. Each file descriptor from opening /dev/sgx_enclave
> > represents an enclave.
>
> Is this strictly true? Does dup(2) create a new enclave?

No.

> > Unlike SGX driver, KVM doesn't control how guest
> > uses EPC, therefore EPC allocated to KVM guest is not associated to an
> > encalve, and /dev/sgx_enclave is not suitable for allocating EPC for KVM
>
> ^ enclave
>
> > guest.
> >
> > Having separate device nodes for SGX driver and KVM virtual EPC also
> > allows separate permission control for running host SGX enclaves and
> > KVM SGX guests.
>
> Specifically, 'sgx_vepc' is a less restrictive interface. It would make
> a lot of sense to more tightly control access compared to 'sgx_enclave'.
>
> > More specifically, to allocate a virtual EPC instance with particular
> > size, the userspace hypervisor opens /dev/sgx_vepc, and uses mmap()
> > with the intended size to get an address range of virtual EPC. Then
> > it may use the address range to create one KVM memory slot as virtual
> > EPC for guest.
>
> This paragraph doesn't really explain anything important to me. Both
> devices require using mmap().
>
> With typos in the changelog fixed, I'm OK with the rest:
>
> Acked-by: Dave Hansen <dave.hansen@xxxxxxxxx>
>
> BTW... A lot of this patch is just a skeletal device driver. I'm a
> horrible device driver writer, so take this ack as "everything seems
> explained well" versus "I promise this will pass muster with the guys
> who review device drivers all day long."

/Jarkko
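The open/mmap/memory-slot sequence from the quoted changelog, seen from the VMM side, as an added example that is not code from the patch, the kernel or any VMM. O_RDWR, MAP_SHARED, the slot number, the guest-physical address and the 64 MiB size are assumptions, and vm_fd stands in for a descriptor a real VMM would get from KVM_CREATE_VM; access to the vEPC node is gated only by its file permissions, which is the point Dave makes about controlling it more tightly than /dev/sgx_enclave.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>
#include <linux/kvm.h>

#define VEPC_DEV "/dev/sgx_vepc"   /* node added by the patch under discussion */
/* Describe an already-mapped vEPC range as a KVM slot. Kept pure so the
 * descriptor can be checked on a machine without SGX or KVM. */
struct kvm_userspace_memory_region vepc_slot(uint32_t slot, uint64_t guest_phys,
                                             void *host_va, size_t size)
{
    struct kvm_userspace_memory_region r;
    memset(&r, 0, sizeof(r));      /* flags stay 0: plain RW slot, no dirty logging */
    r.slot = slot;
    r.guest_phys_addr = guest_phys;
    r.memory_size = size;
    r.userspace_addr = (uint64_t)(uintptr_t)host_va;
    return r;
}

/* Open the vEPC node and mmap() the intended size (O_RDWR and MAP_SHARED are
 * assumptions). Keep the fd open for as long as the guest uses the mapping. */
void *vepc_map(size_t size, int *fd_out)
{
    int fd = open(VEPC_DEV, O_RDWR);   /* permissions on this node gate vEPC use */
    if (fd < 0) return MAP_FAILED;
    void *va = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (va == MAP_FAILED) { close(fd); return MAP_FAILED; }
    *fd_out = fd;
    return va;
}

int main(void)
{
    size_t size = 64UL << 20;            /* constructed: 64 MiB of vEPC */
    int vepc_fd, vm_fd = -1;             /* placeholder: real VMM gets vm_fd from KVM_CREATE_VM */
    void *va = vepc_map(size, &vepc_fd);
    if (va == MAP_FAILED) { perror(VEPC_DEV); return 1; }
    struct kvm_userspace_memory_region r = vepc_slot(1, 0x80000000ULL, va, size);
    if (ioctl(vm_fd, KVM_SET_USER_MEMORY_REGION, &r) < 0)
        perror("KVM_SET_USER_MEMORY_REGION");
    munmap(va, size); close(vepc_fd);
    return 0;
}
```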