Re: [PATCH 2/4] x86/sgx: Put enclaves into anonymous files

On Tue, Mar 31, 2020 at 10:39:38AM -0700, Andy Lutomirski wrote:
> On Tue, Mar 31, 2020 at 4:44 AM Jarkko Sakkinen
> <jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote:
> >
> > When creating an enclave attach it to an anonymous file. This prepares the
> > code to have a separate interface at runtime, which can be published to the
> > user space after the enclave has been fully initialized.
> 
> This isn't an objection per se, but I can't shake the feeling that
> this seems ridiculous.  This changes the type of object returned by
> open() because, without this change, the old type was problematic.
> 
> So I have some questions:
> 
>  - Can sgx just ignore the fs noexec option on the chardev inode's fs instead?

It's not SGX that NAKs it. It's an mm-level decision.

>  - Would SELinux users *want* to put a useful label on the inode?  If
> so, can they still accomplish whatever they were trying to accomplish
> with this patch applied?

What this does is that by default SGX is essentially blocked from
anything, which I think is sane. I think, from a security perspective,
the EXECMEM requirement brings more clarity than it does harm.

I'm sure that with this approach it is possible to integrate SGX into
software packages such as Kubernetes, and end users will most likely
take it into use through something like Kubernetes.

/Jarkko
