Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
Subject: Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()
From: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>
Date: Mon, 21 Sep 2020 16:14:43 +0300
Cc: Andy Lutomirski <luto@xxxxxxxxxx>, X86 ML <x86@xxxxxxxxxx>, linux-sgx@xxxxxxxxxxxxxxx, LKML <linux-kernel@xxxxxxxxxxxxxxx>, Linux-MM <linux-mm@xxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, Matthew Wilcox <willy@xxxxxxxxxxxxx>, Jethro Beekman <jethro@xxxxxxxxxxxx>, Darren Kenny <darren.kenny@xxxxxxxxxx>, Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>, asapek@xxxxxxxxxx, Borislav Petkov <bp@xxxxxxxxx>, "Xing, Cedric" <cedric.xing@xxxxxxxxx>, chenalexchen@xxxxxxxxxx, Conrad Parker <conradparker@xxxxxxxxxx>, cyhanish@xxxxxxxxxx, Dave Hansen <dave.hansen@xxxxxxxxx>, "Huang, Haitao" <haitao.huang@xxxxxxxxx>, Josh Triplett <josh@xxxxxxxxxxxxxxxx>, "Huang, Kai" <kai.huang@xxxxxxxxx>, "Svahn, Kai" <kai.svahn@xxxxxxxxx>, Keith Moyer <kmoy@xxxxxxxxxx>, Christian Ludloff <ludloff@xxxxxxxxxx>, Neil Horman <nhorman@xxxxxxxxxx>, Nathaniel McCallum <npmccallum@xxxxxxxxxx>, Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>, David Rientjes <rientjes@xxxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, yaozhangx@xxxxxxxxxx
In-reply-to: <20200921124946.GF6038@linux.intel.com>
Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo
References: <20200915112842.897265-1-jarkko.sakkinen@linux.intel.com> <20200915112842.897265-11-jarkko.sakkinen@linux.intel.com> <CALCETrX9T1ZUug=M5ba9g4H5B7kV=yL5RzuTaeAEdy3uAieN_A@mail.gmail.com> <20200918235337.GA21189@sjchrist-ice> <20200921124946.GF6038@linux.intel.com>

On Mon, Sep 21, 2020 at 03:49:56PM +0300, Jarkko Sakkinen wrote:
> The 2nd part of the answer is the answer to the question: why we want to
> feed LSM hooks enclaves exactly in this state.

The question can be further refined as why: why this is the best
possible set of substates to filter in?

"no holes" part is obvious as the consequence of not surpassing
permissions of any of the pages in range, as you could otherwise
break the state with ioctl(SGX_ENCLAVE_ADD_PAGES) with permssions
that are below the mmap permissions.

/Jarkko

References:
- [PATCH v38 00/24] Intel SGX foundations
  - From: Jarkko Sakkinen
- [PATCH v38 10/24] mm: Add vm_ops->mprotect()
  - From: Jarkko Sakkinen
- Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()
  - From: Andy Lutomirski
- Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()
  - From: Sean Christopherson

Prev by Date: Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()
Next by Date: Re: [PATCH v38 12/24] x86/sgx: Add SGX_IOC_ENCLAVE_CREATE
Previous by thread: Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()
Next by thread: Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()
Index(es):
- Date
- Thread

[Index of Archives] [AMD Graphics] [Linux USB Devel] [Linux Audio Users] [Yosemite News] [Linux Kernel] [Linux SCSI]