On Thu, May 16, 2019 at 02:02:58PM -0700, Andy Lutomirski wrote: > > On May 15, 2019, at 10:16 PM, Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote: > > There is a problem here though. Usually the enclave itself is just a > > loader that then loads the application from outside source and creates > > the executable pages from the content. > > > > A great example of this is Graphene that bootstraps unmodified Linux > > applications to an enclave: > > > > https://github.com/oscarlab/graphene > > > > ISTM you should need EXECMEM or similar to run Graphene, then. Agreed, Graphene is effectively running arbitrary enclave code. I'm guessing there is nothing that prevents extending/reworking Graphene to allow generating the enclave ahead of time so as to avoid populating the guts of the enclave at runtime, i.e. it's likely possible to run an unmodified application in an enclave without EXECMEM if that's something Graphene or its users really care about.