On Mon, May 27, 2019 at 04:34:31PM +0300, Jarkko Sakkinen wrote:
> On Thu, May 23, 2019 at 07:17:52AM -0700, Sean Christopherson wrote:
> > 1. Do nothing. Userspace would essentially be required to mmap() the
> >    enclave after EINIT, which is ugly but not breaking since userspace
> >    could mmap() the enclave with a placeholder VMA prior to building
> >    the enclave, and then a series of mmap() to establish its "real"
> >    mapping.
>
> What would it break to return an error if mmap() is done before EINIT?
>
> > 2. Propagate the permissions from EADD to the VMAs of the current mm
> >    if the entire EADD range is mapped and the mapping is PROT_NONE.
>
> Right now you can do multiple mmap's. If the mmap's must be done after
> EINIT, the driver could check that permissions match the permissions in
> that range.
>
> This leaves open how to deal with mprotect() but if the process does not
> have FILE__WRITE I guess you cannot do much.
>
> > 3. Propagate the permissions from EADD to the VMAs of all mm structs
> >    that have mapped some piece of the enclave, following the matching
> >    rules from #2.
>
> For me it looks that allowing mmap's only after EINIT would result in the
> least confusing implementation.

Obvious problem is of course the requirement of fixed mapping, which is
of course nasty.

/Jarkko