On Wed, Dec 01, 2021 at 11:23:08AM -0800, Reinette Chatre wrote:
> In the initial (SGX1) version of SGX, pages in an enclave need to be
> created with permissions that support all usages of the pages, from the
> time the enclave is initialized until it is unloaded. For example,
> pages used by a JIT compiler or when code needs to otherwise be
> relocated need to always have RWX permissions.
>
> SGX2 includes two functions that can be used to modify the enclave page
> permissions of regular enclave pages within an initialized enclave.
> ENCLS[EMODPR] is run from the OS and used to restrict enclave page
> permissions while ENCLU[EMODPE] is run from within the enclave to
> extend enclave page permissions.
>
> Enclave page permission changes need to be approached with care and
> for this reason this initial support is to allow enclave page
> permission changes _only_ if the new permissions are the same or
> more restrictive than the permissions originally vetted at the time the
> pages were added to the enclave. Support for extending enclave page
> permissions beyond what was originally vetted is deferred.

This paragraph is out-of-scope for a commit message. You could have this
in the cover letter but not here. I would just remove it.

> Whether enclave page permissions are restricted or extended it
> is necessary to ensure that the page table entries and enclave page
> permissions are in sync. Introduce a new ioctl, SGX_IOC_PAGE_MODP, to

SGX_IOC_PAGE_MODP does not match the naming convention of these:

* SGX_IOC_ENCLAVE_CREATE
* SGX_IOC_ENCLAVE_ADD_PAGES
* SGX_IOC_ENCLAVE_INIT

A better name would be SGX_IOC_ENCLAVE_MOD_PROTECTIONS. It doesn't do
harm to be more verbose.

/Jarkko