Re: [PATCH V4 00/31] x86/sgx and selftests/sgx: Support SGX2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2022-04-22 at 12:16 +0300, Jarkko Sakkinen wrote:
> On Thu, Apr 21, 2022 at 08:29:31PM -0700, Reinette Chatre wrote:
> > Hi Vijay and Mark,
> > 
> > On 4/21/2022 4:46 PM, Dhanraj, Vijay wrote:
> > > Hi All,
> > > 
> > > I evaluated V4 patch changes with Gramine and ran into an issue when trying to set EPC page permission to PROT_NONE. It looks like with V3 patch series a change was introduced which requires
> > > kernel to have at least R permission when calling RESTRICT IOCTL. This change was done under the assumption that EPCM requires at least R permission for EMODPE/EACCEPT to succeed. But when
> > > testing with V2 version, EACCEPT worked fine with page permission set to PROT_NONE. 
> > > 
> > > Thanks to @Shanahan, Mark for confirming that EPCM does not need to have R value to allow EACCEPT or EMODPE. Given this, can we please revert this change?
> > > 
> > 
> > Thank you very much for pointing this out. I can revert the change
> > to what was done in V2 where the only check is to ensure that W requires R.
> > This is a requirement of EMODPR. Could you please check if this snippet
> > results in things working for you again?
> > 
> > ---8<---
> > diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c
> > index 83674d054c13..7c7c8a61196e 100644
> > --- a/arch/x86/kernel/cpu/sgx/ioctl.c
> > +++ b/arch/x86/kernel/cpu/sgx/ioctl.c
> > @@ -855,12 +855,8 @@ static long sgx_ioc_enclave_restrict_permissions(struct sgx_encl *encl,
> >         if (params.permissions & ~SGX_SECINFO_PERMISSION_MASK)
> >                 return -EINVAL;
> >  
> > -       /*
> > -        * Read access is required for the enclave to be able to use the page.
> > -        * SGX instructions like ENCLU[EMODPE] and ENCLU[EACCEPT] require
> > -        * read access.
> > -        */
> > -       if (!(params.permissions & SGX_SECINFO_R))
> > +       if ((params.permissions & SGX_SECINFO_W) &&
> > +           !(params.permissions & SGX_SECINFO_R))
> >                 return -EINVAL;
> >  
> >         if (params.result || params.count)
> 
> Just adding that it's fine for me to revert this.

Jethro, I thought it would be also good to get yor view on the current
series. Is this something that your platform can live with?

BR, Jarkko




[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux