Re: [PATCH v36 23/24] docs: x86/sgx: Document SGX micro architecture and kernel internals

Hi!

> +CPUs starting from Icelake use Total Memory Encryption (TME) in the place of
> +MEE. TME throws away the Merkle tree, which means losing integrity and
> +anti-replay protection but also enables variable size memory pools for EPC.
> +Using this attack for benefit would require an interposer on the system bus.
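
Review bot: the second sentence of this hunk says what dropping the Merkle tree costs (integrity and anti-replay protection) but not what TME still protects, so a reader cannot tell which guarantee EPC memory keeps on these CPUs. Suggest adding one sentence right after "anti-replay protection" that states the remaining protection. Minor wording in the first line: "in the place of" should be "in place of".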

It is not exactly clear what "this attack" means.

(And it would be cool to explain against what SGX is protecting. I
thought it was malicious RAM, but apparently not on Icelake+).

> +Backing storage
> +===============
> +
> +Backing storage is shared and not accounted. It is implemented as a private
> +shmem file. Providing a backing storage in some form from user space is not
> +possible - accounting would go to invalid state as reclaimed pages would get
> +accounted to the processes of which behalf the kernel happened to be acting on.
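
Review bot: the first sentence of the paragraph, "Backing storage is shared and not accounted", does not say who shares the storage or what it is not accounted against, and the rest of the paragraph depends on both to explain why backing storage provided from user space is rejected. Suggest spelling out both: shared between which users of the shmem file, and not charged to which accounting entity. Also "Providing a backing storage" reads better as "Providing backing storage".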

"of which behalf" -- I can't parse that?

> +Access control
> +==============
> +
> +`mmap()` permissions are capped by the enclave permissions. A direct
> +consequence of this is that all the pages for an address range must be added
> +before `mmap()` can be applied. Effectively an enclave page with minimum
> +permission in the address range sets the permission cap for the mapping
   ~~~~~~~~~~
    permissions?
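
Review bot: "an enclave page with minimum permission" in the last sentence of this hunk is ambiguous, because `mmap()` protections are a set of flags rather than an ordered value, so two pages in the range can each lack a different permission and neither is the minimum. Suggest saying that the cap is the set of permissions common to every enclave page in the range, if that is what the code does, and stating what `mmap()` returns when the request exceeds the cap.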

									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
