On 12/1/21 11:22 AM, Reinette Chatre wrote: > * Support modifying permissions of regular enclave pages belonging to an > initialized enclave. New permissions are not allowed to exceed the > originally vetted permissions. Modifying permissions is accomplished > with a new ioctl SGX_IOC_PAGE_MODP. It's probably also worth noting that this effectively punts on the issue of how to allow enclaves to relax the permissions on pages, like taking a page from R=>RW, or R=>RX. RX isn't allowed unless the page was *added* originally with RX or RWX. Since dynamically added pages start with initial RW permissions, they can *never* be RX or RWX since they did not start with execute permissions. That's a limitation, of course, but it's one that can be dealt with separately from this set. Does that sound sane to everyone?
