On Wed, Nov 18, 2020 at 05:16:53PM -0800, Andy Lutomirski wrote: > > > > On Nov 18, 2020, at 1:54 PM, Borislav Petkov <bp@xxxxxxxxx> wrote: > > > > On Wed, Nov 18, 2020 at 11:37:55PM +0200, Jarkko Sakkinen wrote: > >> Just checking that I got this right: you want me to port my anon inode > >> changes from March to be applied on top of tip and send them? > > > > Well, we need to somehow address the issue when some distros map /dev > > noexec and that is conflicting with SGX due to it needing to mmap with > > executable permissions but /dev/sgx_enclave is noexec... > > > > I guess the first thing that needs figuring out is why are some distros > > mounting /dev noexec. > > > > I mean, you can always do the easiest thing: somewhere in the SGX > > docs say that one of the steps towards running SGX enclaves on such > > distros is for the admin to map /dev exec. However, does that have other > > security implications which would make such exec mounting a security > > hazard? > > > > If so, then the SGX code would need changing... > > > > Questions like those. > > I thought we had determined that this was solvable entirely in > userspace. Udev can handle this, no? Check my response to Boris. In that seame thread you said that you would post to udev mailing list about the matter? Did you ever got around? Not sure if it matters though. I think we have reasonable information that this is the right solution. https://lore.kernel.org/linux-sgx/CALCETrVBO8ceeT8qXw2rDQgdzJH8U-YLpYNMDGC0VudD4VgTCQ@xxxxxxxxxxxxxx/ > > > > HTH. > > > > -- > > Regards/Gruss, > > Boris. > > > > https://people.kernel.org/tglx/notes-about-netiquette /Jarkko