On Mon, Jun 3, 2019 at 1:54 PM Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote: > > On Thu, May 30, 2019 at 09:14:10AM -0700, Andy Lutomirski wrote: > > > What is the "source file" i.e. the target of the check? Enclave file, > > > sigstruct file, or /dev/sgx/enclave? > > > > Enclave file -- that is, the file backing the vma from which the data > > is loaded. > > Wonder why KVM gets away without having this given that enclaves are > lot alike VMs. > I would argue it's because access to /dev/kvm means you can execute whatever you code you want in a VM. I don't see how this is avoidable. On the other hand, it would be nice for SGX to not imply this same sort of "execute anything" right, especially since, unlike KVM, SGX is not a sandbox.
