On Thu, May 16, 2019 at 03:45:50PM -0700, Sean Christopherson wrote: > On Thu, May 16, 2019 at 02:02:58PM -0700, Andy Lutomirski wrote: > > > On May 15, 2019, at 10:16 PM, Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote: > > > There is a problem here though. Usually the enclave itself is just a > > > loader that then loads the application from outside source and creates > > > the executable pages from the content. > > > > > > A great example of this is Graphene that bootstraps unmodified Linux > > > applications to an enclave: > > > > > > https://github.com/oscarlab/graphene > > > > > > > ISTM you should need EXECMEM or similar to run Graphene, then. > > Agreed, Graphene is effectively running arbitrary enclave code. I'm > guessing there is nothing that prevents extending/reworking Graphene to > allow generating the enclave ahead of time so as to avoid populating the > guts of the enclave at runtime, i.e. it's likely possible to run an > unmodified application in an enclave without EXECMEM if that's something > Graphene or its users really care about. I'd guess that also people adding SGX support to containers want somewhat similar framework to work on so that you can just wrap a container with an enclave. /Jarkko
