On Fri, Jan 07, 2022 at 10:14:29AM -0600, Haitao Huang wrote:
> > > > OK, so the question is: do we need both or would a mechanism just to extend
> > > > permissions be sufficient?
> > >
> > > I do believe that we need both in order to support pages having only
> > > the permissions required to support their intended use during the time the
> > > particular access is required. While technically it is possible to grant
> > > pages all permissions they may need during their lifetime it is safer to
> > > remove permissions when no longer required.
> >
> > So if we imagine a run-time: how EMODPR would be useful, and how using it
> > would make things safer?
> >
> In scenarios of JIT compilers, once code is generated into RW pages,
> modifying both PTE and EPCM permissions to RX would be a good defensive
> measure. In that case, EMODPR is useful.

What is the exact threat we are talking about?

/Jarkko