On Thu, May 30, 2019 at 09:14:10AM -0700, Andy Lutomirski wrote:
> > What is the "source file" i.e. the target of the check? Enclave file,
> > sigstruct file, or /dev/sgx/enclave?
>
> Enclave file -- that is, the file backing the vma from which the data
> is loaded.

Wonder why KVM gets away without having this given that enclaves are a
lot like VMs.

> It's provided by userspace based on whether it thinks the data in
> question is enclave code. source->vm_file is the file from which the
> code is being loaded. I'm assuming that the user code will only set
> excute_intent ==true if it actually wants to execute the code, so, if
> there's a denial, it will be fatal. The normal case will be that the
> request will be granted on the basis of EXECUTE.

AFAIK user space tells that already with the SECINFO flags. I don't get
why we need a duplicate parameter.

/Jarkko