On Wed, May 22, 2019 at 03:42:45PM -0700, Andy Lutomirski wrote:
> As far as I know from this whole discussion, we still haven't come up
> with any credible way to avoid tracking, per enclave page, whether
> that page came from unmodified PROT_EXEC memory.

So is this in the context that the enclave is read from another VMA and
not through a file descriptor? Is that locked in?

/Jarkko