On Tue, Sep 15, 2020 at 4:28 AM Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote: > > From: Sean Christopherson <sean.j.christopherson@xxxxxxxxx> > > Add vm_ops()->mprotect() for additional constraints for a VMA. > > Intel Software Guard eXtensions (SGX) will use this callback to add two > constraints: > > 1. Verify that the address range does not have holes: each page address > must be filled with an enclave page. > 2. Verify that VMA permissions won't surpass the permissions of any enclave > page within the address range. Enclave cryptographically sealed > permissions for each page address that set the upper limit for possible > VMA permissions. Not respecting this can cause #GP's to be emitted. It's been awhile since I looked at this. Can you remind us: is this just preventing userspace from shooting itself in the foot or is this something more important? --Andy
