On Thu, Apr 29, 2021 at 11:55:23AM -0700, Dave Hansen wrote: > On 4/29/21 11:39 AM, Tim Gardner wrote: > > I'm just starting my learning curve on SGX, so I don't know if I've missed > > some setup for the SGX device entries. After looking at arch/x86/kernel/cpu/sgx/driver.c > > I see that there is no mode value for either sgx_dev_enclave or sgx_dev_provision. > > > > With this patch I can get the SGX self test to complete: > > > > sudo ./test_sgx > > Warning: no execute permissions on device file /dev/sgx_enclave > > 0x0000000000000000 0x0000000000002000 0x03 > > 0x0000000000002000 0x0000000000001000 0x05 > > 0x0000000000003000 0x0000000000003000 0x03 > > SUCCESS > > > > Is the warning even necessary ? > > Dang, I just added that warning. I thought it was necessary, but I > guess not: > > $ ls -l /dev/sgx_enclave > crw------- 1 dave dave 10, 125 Apr 28 11:32 /dev/sgx_enclave > $ ./test_sgx > 0x0000000000000000 0x0000000000002000 0x03 > 0x0000000000002000 0x0000000000001000 0x05 > 0x0000000000003000 0x0000000000003000 0x03 > SUCCESS > > *But*, is that OK? Should we be happily creating a PROT_EXEC mapping on > a ugo-x file? Why were we respecting noexec on the filesystem but not > ugo-x on the file? Yeah, this supports my earlier response: "EPERM The prot argument asks for PROT_EXEC but the mapped area belongs to a file on a filesystem that was mounted no-exec." https://man7.org/linux/man-pages/man2/mmap.2.html I guess the right model is to think just as "anonymous memory" with equivalent access control semantics after succesfully opened for read and write. BTW, this is good material for the man page :-) /Jarkko
