On Thu, Sep 24, 2020 at 02:11:37PM -0500, Haitao Huang wrote: > On Wed, 23 Sep 2020 08:50:56 -0500, Jarkko Sakkinen > <jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote: > >I'll categorically deny noexec in the next patch set version. > > > >/Jarkko > > There are use cases supported currently in which enclave binary is received > via IPC/RPC and held in buffers before EADD. Denying noexec altogether would > break those, right? No. noexec only applies to file-backed VMAs, what you're describing is loading an enclave from an anon VMA, which will still have VM_MAYEXEC. I believe you're thinking of SELinux's EXECMEM, which is required to execute from anonymous memory, and which we talked about (more than once) applying to SGX enclaves. That being said, I still dislike the idea of requiring VM_MAYEXEC, it's a hack that doesn't really buy us much, if anything.
