On Thu, Mar 19, 2020 at 12:50:05PM +0100, Jethro Beekman wrote:
> Hi all,
>
> One of our users discovered that some distros (notably at least Ubuntu 20.04)
> mount /dev noexec. This prevents mmap(PROT_EXEC) on the SGX device. Do we
> have any recourse other than telling distros not to do this if they want to
> support SGX?

Hmm, going the anon inode approach should avoid that issue, but then folks
running SELinux get the short end of the stick due to EXECMEM triggering.
The SELinux issue can be hacked around, e.g. by adding a way to identify that
a file is an enclave. A similar hack would work for noexec, though it'd
likely be an even uglier hack.
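
The condition reported in this thread can be checked on a host by finding the mount that holds the device node and testing it for noexec. This is an added example, not part of the original e-mail or of the SGX patches; the default device path and the sample mount table are assumptions constructed for illustration.

```c
#define _GNU_SOURCE
#include <mntent.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample in /proc/self/mounts format, used by sample_noexec(). */
static const char SAMPLE_MOUNTS[] =
    "udev /dev devtmpfs rw,nosuid,noexec,relatime,mode=755 0 0\n"
    "devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5 0 0\n"
    "/dev/sda1 / ext4 rw,relatime 0 0\n";

/* True if dir is path itself or one of its parent directories. */
static int covers(const char *dir, const char *path)
{
    size_t n = strlen(dir);
    return !strncmp(dir, path, n) && (n == 1 || !path[n] || path[n] == '/');
}

/* 1 if the mount holding path is noexec, 0 if not, -1 if no mount matched. */
int path_on_noexec_mount(FILE *mounts, const char *path)
{
    struct mntent *m;
    size_t best = 0;
    int result = -1;
    while ((m = getmntent(mounts)) != NULL) {
        size_t n = strlen(m->mnt_dir);
        /* Longest mount point wins; on a tie the later entry is on top. */
        if (covers(m->mnt_dir, path) && n >= best) {
            best = n;
            result = hasmntopt(m, "noexec") != NULL;
        }
    }
    return result;
}

int sample_noexec(const char *path)
{
    FILE *f = fmemopen((void *)SAMPLE_MOUNTS, sizeof(SAMPLE_MOUNTS) - 1, "r");
    int r = f ? path_on_noexec_mount(f, path) : -1;
    if (f) fclose(f);
    return r;
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "/dev/sgx_enclave"; /* assumed path */
    FILE *f = fopen("/proc/self/mounts", "r");
    int r = f ? path_on_noexec_mount(f, dev) : -1;
    printf("%s: %s\n", dev, r == 1 ? "noexec" : r == 0 ? "exec ok" : "unknown");
    return r == 1;
}
```

The exit status is 1 when the device node sits on a noexec mount, so the program can serve as a pre-flight check before an SGX runtime is started.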