On 2/20/20 2:16 PM, Jarkko Sakkinen wrote: > On Thu, Feb 20, 2020 at 10:48:42AM -0800, Sean Christopherson wrote: >> My biggest concern for allowing PROT_EXEC if RIE is that it would result >> in #PF(SGX) (#GP on Skylake) due to an EPCM violation if the enclave >> actually tried to execute from such a page. This isn't a problem for the >> kernel as the fault will be reported cleanly through the vDSO (or get >> delivered as a SIGSEGV if the enclave isn't entered through the vDSO), but >> it's a bit weird for userspace as userspace will see the #PF(SGX) and >> likely assume the EPC was lost, e.g. silently restart the enclave instead >> of logging an error that the enclave is broken. > > I think right way to fix the current implementation is to -EACCES mmap() > (and mprotect) when !!(current->personality & READ_IMPLIES_EXEC). > I agree. It still means userspace code with an executable stack can't mmap/mprotect enclave pages and request PROT_READ but the check you've proposed would more consistently enforce this which is easier to understand from userspace perspective. -Jordan
