On 12/1/21 11:23 AM, Reinette Chatre wrote:
> + * EPCM permissions can be extended anytime directly from the enclave with
> + * no visibility from the OS. This is accomplished with ENCLU[EMODPE]
> + * run from within enclave. Accessing pages with the new, extended,
> + * permissions requires the OS to update the PTE to handle the subsequent
> + * #PF correctly.

Hi Reinette,

I really dislike the Intel nomenclature here. I know the Intel docs are all written around permission "extension", but I find it ambiguous. I've been looking at these instructions literally for years now and permission extension to me can mean either:

 1. The set of things you can do is extended
 2. The set of things you can *NOT* do is extended

I much rather prefer nomenclature like:

	EPCM permissions can be relaxed anytime directly from the enclave
	with no visibility from the OS. This is accomplished with
	ENCLU[EMODPE] run from within enclave. Accessing pages with the new,
	relaxed permissions requires the OS to update the PTE to handle the
	subsequent correctly.

"Relax" is less ambiguous. Relaxing a restriction and relaxing permissions both mean doing things less strictly. Extending restrictions and extending what is allowed are opposites.

Maybe it's just me and I need to get this through my thick skull at some point. But, I do think it's OK to improve on the architecture names for things when they go into the kernel. The XSAVE XSTATE_BV->xfeatures rename comes to mind.

Anyway, I'd appreciate if you could keep this in mind and consider changing it if a future revision is needed if you believe it is more clear.
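
Review bot: the last sentence of the quoted comment ("requires the OS to update the PTE to handle the subsequent #PF correctly") leaves the ordering unclear: it does not say whether the #PF is subsequent to the ENCLU[EMODPE] or to the access, nor whether the PTE update is expected before the fault or as part of handling it. Stating the sequence explicitly in the comment would remove the guesswork. Also, "run from within enclave" is missing an article ("from within the enclave" or "from within an enclave"), and the comma after "extended" in "the new, extended, permissions" can be dropped.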