On Tue, Jul 09, 2019 at 01:41:28PM -0700, Xing, Cedric wrote:
> On 7/9/2019 10:09 AM, Sean Christopherson wrote:
> >Translating those to SGX, with a lot of input from Stephen, I ended up
> >with the following:
> >
> >  - FILE__ENCLAVE_EXECUTE: equivalent to FILE__EXECUTE, required to gain X
> >    on an enclave page loaded from a regular file
> >
> >  - PROCESS2__ENCLAVE_EXECDIRTY: hybrid of EXECMOD and EXECUTE+WRITE,
> >    required to gain W->X on an enclave page
>
> EXECMOD basically indicates a file containing self-modifying code. Your
> ENCLAVE_EXECDIRTY is however a process permission, which is illogical.

How is it illogical? If a PROCESS wants to EXECute a DIRTY ENCLAVE page,
then it needs PROCESS2__ENCLAVE_EXECDIRTY.

FILE__EXECMOD on /dev/sgx/enclave is a process permission masquerading as a
file permission, let's call it what it is.