On Mon, 2021-12-06 at 13:16 -0800, Reinette Chatre wrote: > Hi Jarkko, > > On 12/4/2021 2:27 PM, Jarkko Sakkinen wrote: > > On Sun, Dec 05, 2021 at 12:25:59AM +0200, Jarkko Sakkinen wrote: > > > On Wed, Dec 01, 2021 at 11:23:01AM -0800, Reinette Chatre wrote: > > > > === Summary === > > > > > > > > An SGX VMA can only be created if its permissions are the same or > > > > weaker than the Enclave Page Cache Map (EPCM) permissions. After VMA > > > > creation this rule continues to be enforced by the page fault handler. > > > > > > > > With SGX2 the EPCM permissions of a page can change after VMA > > > > creation resulting in the VMA exceeding the EPCM permissions and the > > > > page fault handler incorrectly blocking access. > > > > > > > > Enable the VMA's pages to remain accessible while ensuring that > > > > the page table entries are installed to match the EPCM permissions > > > > without exceeding the VMA perms issions. > > > > > > I don't understand what the short summary means in English, and the > > > commit message is way too bloated to make any conclusions. It really > > > needs a rewrite. > > > > > > These were the questions I could not find answer for: > > > > > > 1. Why it would be by any means safe to remove a permission check? > > The permission check is redundant for SGX1 and incorrect for SGX2. > > In the current SGX1 implementation the permission check in > sgx_encl_load_page() is redundant because an SGX VMA can only be created > if its permissions are the same or weaker than the EPCM permissions. > > In SGX2 a user is able to change EPCM permissions during runtime (while > VMA has the memory mapped). A RW VMA may thus originally have mapped an > enclave page with RW EPCM permissions but since then the enclave page > may have its permissions changed to read-only. The VMA should still be > able to read those enclave pages but the check in sgx_encl_load_page() > will prevent that. > > > > 2. Why not re-issuing mmap()'s is unfeasible? I.e. close existing > > > VMA's and mmap() new ones. > > User is not prevented from closing existing VMAs and creating new ones. > > > 3. Isn't this an API/ABI break? > > Could you please elaborate where you see the API/ABI break? The rule > that new VMAs cannot exceed EPCM permissions is untouched. > > Reinette I just don't understand the description. There's a whole bunch of text but It does not discuss what the patch does in low-level detail what the patch does, e.g. the use of vm_insert_pfn_prot(). I honestly do not get the story here... /Jarkko
