Hi Jarkko, On 3/19/2022 9:30 AM, Jarkko Sakkinen wrote: > Not allowing to set RW for added TCS pages leads only to a special case > to be handled in the user space run-time. Thus, allow permissions to be > set RW. Originally, it would have probably made more sense to check up > that the permissions are RW. > > Signed-off-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx> > --- > arch/x86/kernel/cpu/sgx/ioctl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c > index 83df20e3e633..f79761ad0400 100644 > --- a/arch/x86/kernel/cpu/sgx/ioctl.c > +++ b/arch/x86/kernel/cpu/sgx/ioctl.c > @@ -215,7 +215,7 @@ static int sgx_validate_secinfo(struct sgx_secinfo *secinfo) > * CPU will silently overwrite the permissions as zero, which means > * that we need to validate it ourselves. > */ > - if (pt == SGX_SECINFO_TCS && perm) > + if (pt == SGX_SECINFO_TCS && (perm != 0 || perm != (PROT_READ | PROT_WRITE))) > return -EINVAL; > > if (secinfo->flags & SGX_SECINFO_RESERVED_MASK) The comments above sgx_ioc_enclave_add_pages() seem to indicate that zero permissions are required: "A SECINFO for a TCS is required to always contain zero permissions because CPU silently zeros them. Allowing anything else would cause a mismatch in the measurement." Reinette
