On Thu, Oct 12, 2017 at 09:48:15AM -0700, Sean Christopherson wrote: > On Tue, Oct 10, 2017 at 05:32:53PM +0300, Jarkko Sakkinen wrote: > > diff --git a/drivers/platform/x86/intel_sgx/sgx_main.c b/drivers/platform/x86/intel_sgx/sgx_main.c > > new file mode 100644 > > index 000000000000..2ad2dc88edff > > --- /dev/null > > +++ b/drivers/platform/x86/intel_sgx/sgx_main.c > > > > +static dev_t sgx_devt; > > + > > +static void sgx_dev_release(struct device *dev) > > +{ > > + struct sgx_context *ctx = container_of(dev, struct sgx_context, dev); > > + kfree(ctx); > > +} > > + > > +static struct sgx_context *sgx_ctx_alloc(struct device *parent) > > +{ > > + struct sgx_context *ctx; > > + > > + ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); > > + if (!ctx) > > + return ERR_PTR(-ENOMEM); > > + > > + device_initialize(&ctx->dev); > > + > > + ctx->dev.bus = &sgx_subsys; > > + ctx->dev.parent = parent; > > + ctx->dev.devt = MKDEV(MAJOR(sgx_devt), 0); > > + ctx->dev.release = sgx_dev_release; > > + > > + dev_set_name(&ctx->dev, "sgx"); > > /dev/sgx is created with 0600 permissions, does access to SGX really > need to be restricted to root by default? I personally am just a fan of whitelisting. It's only a matter of a udev rule. /Jarkko
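Review bot: the return value of dev_set_name(&ctx->dev, "sgx") in sgx_ctx_alloc() is ignored, although dev_set_name() returns an int and can fail with -ENOMEM when the name cannot be allocated. Check it, and because device_initialize(&ctx->dev) has already run at that point, unwind with put_device(&ctx->dev) so that sgx_dev_release() frees ctx, rather than calling kfree(ctx) directly, then return ERR_PTR() of the error. The same put_device() rule applies to any later failure path in this function, which the quoted portion does not show.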