On Thu, Dec 20, 2018 at 12:32:04PM +0200, Jarkko Sakkinen wrote:
> On Wed, Dec 19, 2018 at 06:58:48PM -0800, Andy Lutomirski wrote:
> > Can one of you explain why SGX_ENCLAVE_CREATE is better than just
> > opening a new instance of /dev/sgx for each enclave?
>
> I think that fits better to the SCM_RIGHTS scenario i.e. you could send
> the enclave to a process that does not necessarily have rights to
> /dev/sgx. Gives a more robust environment to configure SGX.
>
> Sean, is this why you wanted enclave fd and anon inode and not just use
> the address space of /dev/sgx? Just taking notes of all observations.
> I'm not sure what your rationale was (maybe it was somewhere).

This was something I made up, and this one is a wrong deduction. You can
easily get the same benefit with /dev/sgx associated fd representing the
enclave.

This all means that for v19 I'm going without enclave fd involved, with
fd to /dev/sgx representing the enclave. No anon inodes will be
involved.

/Jarkko
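The SCM_RIGHTS scenario the thread refers to is ordinary Unix descriptor passing: the kernel duplicates an open file into the receiving process's table, so the receiver ends up holding the descriptor (and whatever access it carries) without ever being allowed to open the underlying device node itself. That property holds equally for an anon-inode fd and for an fd opened on /dev/sgx, which is why the two designs are equivalent on this point. The following is an added example, not code from this thread or from the SGX driver: it sends a descriptor over a socketpair with SCM_RIGHTS and checks that the received descriptor refers to the same open file. A pipe stands in for the enclave fd, since no SGX hardware is assumed.

```c
/* Added example: SCM_RIGHTS descriptor passing over a Unix socket.
 * Not from the thread or the SGX driver; a pipe stands in for the
 * enclave fd. The receiver gets a working descriptor without opening
 * the device node itself, so permission checks done at open() time on
 * /dev/sgx do not apply to it: the passed fd is the capability. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>

/* Send one descriptor over a connected AF_UNIX socket. Returns 0 or -1. */
int send_fd(int sock, int fd_to_send)
{
    char byte = 'E';  /* SCM_RIGHTS must ride along with at least one data byte */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *cmsg;

    memset(&u, 0, sizeof(u));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);

    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd_to_send, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor. Returns the new local fd, or -1 on any
 * malformed or truncated control message. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *cmsg;
    int fd;

    memset(&u, 0, sizeof(u));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    /* MSG_CTRUNC means the kernel could not fit all control data in our
     * buffer; any fds it did install would leak if we ignored this. */
    if (msg.msg_flags & MSG_CTRUNC)
        return -1;
    cmsg = CMSG_FIRSTHDR(&msg);
    if (!cmsg || cmsg->cmsg_level != SOL_SOCKET ||
        cmsg->cmsg_type != SCM_RIGHTS ||
        cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Pass the read end of a pipe across a socketpair and verify the
 * received fd is a distinct descriptor for the same open file that can
 * read data written before it was passed. Returns 0 on success. */
int demo_pass_fd(void)
{
    int sv[2], p[2], got = -1, rc = -1;
    struct stat a, b;
    char buf[8] = { 0 };

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (pipe(p) < 0)
        goto out_sv;
    if (write(p[1], "hello", 5) != 5)
        goto out_pipe;
    if (send_fd(sv[0], p[0]) < 0)
        goto out_pipe;
    got = recv_fd(sv[1]);
    if (got < 0)
        goto out_pipe;

    if (fstat(p[0], &a) == 0 && fstat(got, &b) == 0 &&
        a.st_ino == b.st_ino && a.st_dev == b.st_dev && got != p[0] &&
        read(got, buf, 5) == 5 && memcmp(buf, "hello", 5) == 0)
        rc = 0;
    close(got);
out_pipe:
    close(p[0]);
    close(p[1]);
out_sv:
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    printf("fd passing: %s\n", demo_pass_fd() == 0 ? "ok" : "failed");
    return 0;
}
```

The check in recv_fd on MSG_CTRUNC and on the exact cmsg_len is the part worth keeping in real code: a sender can attach more descriptors than the receiver expects, and descriptors the kernel already installed are lost if the receiver discards the message without inspecting it.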