On Thu, Apr 09, 2020 at 12:15:36AM +0300, Topi Miettinen wrote:
> On 8.4.2020 16.40, Jarkko Sakkinen wrote:
> >What starts to be obvious is that we don't do anything in code level
> >in SGX particular but instead workaround something around /dev.
>
> If you take the /dev/sgx path, perhaps you could use KVM as a reference. It
> uses a similar special device /dev/kvm, works well with noexec /dev but
> still it can be used to do much more complex stuff than SGX.

But userspace doesn't need to mmap() /dev/kvm with PROT_EXEC, that's the rub.
KVM uses anon inodes for VMs, vCPUs, etc..., but doing that on SGX runs afoul
of SELinux's PROCESS_EXECMEM, again due to mmap() PROT_EXEC.
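The distinction the reply draws is between a file-backed PROT_EXEC mapping of a device node (subject to the mount's noexec flag) and an executable mapping of an anonymous or anon-inode object (subject to SELinux's process execmem permission). The following probe, added here as an illustration and not code from this thread or from the SGX or KVM drivers, lets an administrator check which of those two checks a given process is actually hitting: it attempts an anonymous PROT_EXEC mapping and a PROT_EXEC mapping of a memfd, and reports the errno of each. The helper names and the use of memfd_create() as a stand-in for an anon-inode-backed fd are my assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PROBE_LEN 4096

/* Try an anonymous PROT_EXEC mapping. Under SELinux this is gated by the
 * process's execmem permission. Returns 0 if allowed, otherwise errno. */
int probe_anon_exec(void)
{
    void *p = mmap(NULL, PROBE_LEN, PROT_READ | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, PROBE_LEN);
    return 0;
}

/* Try a PROT_EXEC mapping of an existing fd. For a device node on a
 * noexec mount this fails with EPERM before any LSM hook runs.
 * Returns 0 if allowed, otherwise errno. */
int probe_fd_exec(int fd)
{
    void *p = mmap(NULL, PROBE_LEN, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, PROBE_LEN);
    return 0;
}

/* Same probe against a memfd, used here (assumption) as a stand-in for an
 * anon-inode-backed descriptor such as the ones KVM hands out. */
int probe_memfd_exec(void)
{
    int fd = memfd_create("execprobe", 0);
    if (fd < 0)
        return errno;
    if (ftruncate(fd, PROBE_LEN) < 0) {
        int e = errno;
        close(fd);
        return e;
    }
    int rc = probe_fd_exec(fd);
    close(fd);
    return rc;
}

/* Map a probe result onto the check that most plausibly produced it. */
const char *describe(int err)
{
    switch (err) {
    case 0:      return "allowed";
    case EPERM:  return "denied (EPERM: typical of a noexec mount)";
    case EACCES: return "denied (EACCES: typical of an LSM/SELinux denial)";
    default:     return "failed for another reason";
    }
}

int main(void)
{
    int a = probe_anon_exec();
    int m = probe_memfd_exec();
    printf("anonymous PROT_EXEC: %s (%s)\n", describe(a), strerror(a));
    printf("memfd PROT_EXEC:     %s (%s)\n", describe(m), strerror(m));
    return 0;
}
```

Run it once in the unconfined shell and once under the SELinux domain of the SGX-using process; if the anonymous probe is denied while a PROT_EXEC mapping of a regular file succeeds, the process lacks execmem, which is the situation the reply describes for an anon-inode-based /dev/sgx design.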