On Fri, May 24, 2019 at 09:43:27AM -0700, Andy Lutomirski wrote: > On Fri, May 24, 2019 at 12:24 AM Xing, Cedric <cedric.xing@xxxxxxxxx> wrote: > > /** > > * Summary: > > * - The enclave file resembles a shared object that contains RO/RX/RW segments > > * - FILE__* are assigned to /dev/sgx/enclave, to determine acceptable permissions to mmap()/mprotect(), valid combinations are > > * + FILE__READ - Allow SGX1 enclaves only > > * + FILE__READ|FILE__WRITE - Allow SGX2 enclaves to expand data segments (e.g. heaps, stacks, etc.) > > I think this is a non-starter :( FILE__WRITE also means that you can > write to the file, and the admin / policy author will almost never > want to allow that. Why would FILE__WRITE on /dev/sgx/enclave be a problem? An actual write to /dev/sgx/enclave would yield -EINVAL, no?
