On Mon, Dec 17, 2018 at 11:25:47AM -0800, Andy Lutomirski wrote:
> On Mon, Dec 17, 2018 at 11:17 AM Dave Hansen <dave.hansen@xxxxxxxxx> wrote:
> >
> > On 12/17/18 11:12 AM, Andy Lutomirski wrote:
> > > So I'm not saying that you shouldn't do it the way you are now, but I
> > > do think that the changelog or at least some emails should explain
> > > *why* the enclave needs to keep a pointer to the creating process's
> > > mm. And, if you do keep the current model, it would be nice to
> > > understand what happens if you do something awful like mremap()ing an
> > > enclave, or calling madvise on it, or otherwise abusing the vma. Or
> > > doing fork(), for that matter.
> >
> > Yeah, the code is built to have one VMA and only one VMA per enclave.
> > You need to go over the origin of this restriction and what enforces this.
>
> There is a sad historical reason that you may regret keeping this
> restriction. There are plenty of pieces of code out there that think
> it's reasonable to spawn a subprocess by calling fork() and then
> execve(). (This is *not* a sensible thing to do. One should use
> posix_spawn() or some CLONE_VM variant.) But even fairly recent
> posix_spawn() implementations will fork(). So the driver has to do
> *something* sensible on fork() or a bunch of things that use SGX
> unsuspectingly via, for example, PKCS #11, are going to be very sad.
> I suppose you could make enclaves just not show up in the fork()ed
> children, but then you have a different problem: creating an enclave
> and then doing daemon() won't work.
>
> Yes, POSIX traditions are rather silly.

ATM enclave VMAs are not copied on fork. Not sure how you would implement
COW semantics with enclaves.

/Jarkko
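The fork() behaviour discussed above (an enclave VMA that is simply not copied into the child) can be observed from userland on an ordinary mapping by marking it VM_DONTCOPY with madvise(MADV_DONTFORK): the child has no such VMA at all, which is why fork()-then-execve() style posix_spawn() or daemon() would lose the enclave. The following is an added C example, not code from the thread or from the SGX driver; it assumes a Linux host and uses an anonymous mapping as a stand-in for the enclave VMA.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the mapping is still present in the child after fork(),
 * 0 if it has vanished, -1 on setup failure.  With dontfork != 0 the VMA
 * is marked VM_DONTCOPY via MADV_DONTFORK, the userland analogue of a
 * driver VMA that is not copied on fork (assumption: a plain anonymous
 * mapping stands in for the enclave VMA). */
int mapping_survives_fork(int dontfork)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    p[0] = 0x42;                      /* fault the page in */
    if (dontfork && madvise(p, len, MADV_DONTFORK) != 0) {
        munmap(p, len);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) {
        munmap(p, len);
        return -1;
    }
    if (pid == 0) {
        /* Child: probe the range without touching it.  mincore() fails
         * with ENOMEM when the range is unmapped, so no SIGSEGV risk. */
        unsigned char vec[1];
        int mapped = (mincore(p, len, vec) == 0 || errno != ENOMEM);
        _exit(mapped ? 0 : 1);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    munmap(p, len);
    if (!WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("plain mapping survives fork:    %d\n", mapping_survives_fork(0));
    printf("DONTFORK mapping survives fork: %d\n", mapping_survives_fork(1));
    return 0;
}
```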