Hi Jarkko, On 5/10/2021 7:52 AM, Jarkko Sakkinen wrote: ...
+There is a hardware constraint that the enclave size must be a power of two, +and the base address must be a multiple of the size. +This can lead to reserving a large region than required by the payload,
a large region than required -> a larger region than required ?
+but the address space can be obviously trimmed after the enclave has been
can be obviously trimmed -> can be trimmed ?
+constructed on,
constructed on -> constructed ?
+with a sequence of +.BR mmap(MAP_FIXED) +calls. +.PP +A process can access enclave by entering into its address space through +a set of entry points, +which must be defined during the construction process. +This requires a complex sequence of CPU instructions, +and kernel assisted exception handling, +encapsulated into +.BR vsgx_enter_enclave +vDSO interface, +provided and documented by +.IR <asm/sgx.h>.
This is not clear to me. This is written as though vsgx_enter_enclave is something very specific that is documented in <asm/sgx.h>. Should it perhaps be vdso_sgx_enter_enclave_t instead? Am I missing where vsgx_enter_enclave is defined? I expect a reader of this man page may want to search for the term "vsgx_enter_enclave" after reading the above.
+.SS Permissions +In order to build an enclave, a process must be able to call +.IR mmap (2) +with +.IR PROT_EXEC +set. +Like for any other type of executable, +the page permissions must be set appropriately. +For this reason, +.I /dev/sgx_enclave +must reside in a partition, +which is not mounted as no-exec, +in order to be usable, +as +.IR mmap(2) +denies +.IR PROT_EXEC +otherwise. +.SH VERSIONS +The SGX feature was added in Linux 5.11. +.SH SEE ALSO +.BR ioctl (2), +.BR mmap() (2),
mmap() (2) -> mmap (2) ?
+.BR mprotect (2)
Reinette
