On Thu, Dec 2, 2021 at 1:30 PM Dave Hansen <dave.hansen@xxxxxxxxx> wrote: > > On 12/1/21 11:22 AM, Reinette Chatre wrote: > > * Support modifying permissions of regular enclave pages belonging to an > > initialized enclave. New permissions are not allowed to exceed the > > originally vetted permissions. Modifying permissions is accomplished > > with a new ioctl SGX_IOC_PAGE_MODP. > > It's probably also worth noting that this effectively punts on the issue > of how to allow enclaves to relax the permissions on pages, like taking > a page from R=>RW, or R=>RX. RX isn't allowed unless the page was > *added* originally with RX or RWX. > > Since dynamically added pages start with initial RW permissions, they > can *never* be RX or RWX since they did not start with execute > permissions. That's a limitation, of course, but it's one that can be > dealt with separately from this set. > > Does that sound sane to everyone? We (Enarx) need arbitrary permission modifications. But for now we can just use this patch series and patch the original permissions to be RWX on all new pages. I think that should be sufficient.
