Date: Thu, 16 May 2019 15:45:50 -0700
From: Sean Christopherson
To: Andy Lutomirski
Cc: Jarkko Sakkinen, James Morris, "Serge E. Hallyn", LSM List, Paul Moore, Stephen Smalley, Eric Paris, selinux@vger.kernel.org, Jethro Beekman, "Xing, Cedric", "Hansen, Dave", Thomas Gleixner, "Dr. Greg", Linus Torvalds, LKML, X86 ML, linux-sgx@vger.kernel.org, Andrew Morton, nhorman@redhat.com, npmccallum@redhat.com, "Ayoun, Serge", "Katz-zamir, Shay", "Huang, Haitao", Andy Shevchenko, "Svahn, Kai", Borislav Petkov, Josh Triplett, "Huang, Kai", David Rientjes
Subject: Re: SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support)
Message-ID: <20190516224550.GC11204@linux.intel.com>
References: <20190513102926.GD8743@linux.intel.com> <20190514104323.GA7591@linux.intel.com> <20190514204527.GC1977@linux.intel.com> <20190515013031.GF1977@linux.intel.com> <20190516051622.GC6388@linux.intel.com>
List-ID: linux-kernel@vger.kernel.org

On Thu, May 16, 2019 at 02:02:58PM -0700, Andy Lutomirski wrote:
> > On May 15, 2019, at 10:16 PM, Jarkko Sakkinen wrote:
> > There is a problem here though. Usually the enclave itself is just a
> > loader that then loads the application from outside source and creates
> > the executable pages from the content.
> >
> > A great example of this is Graphene that bootstraps unmodified Linux
> > applications to an enclave:
> >
> > https://github.com/oscarlab/graphene
> >
> ISTM you should need EXECMEM or similar to run Graphene, then.

Agreed, Graphene is effectively running arbitrary enclave code. I'm guessing
there is nothing that prevents extending/reworking Graphene to allow
generating the enclave ahead of time so as to avoid populating the guts of
the enclave at runtime, i.e. it's likely possible to run an unmodified
application in an enclave without EXECMEM if that's something Graphene or its
users really care about.
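The distinction argued over above (a loader enclave that creates executable pages from content it receives at runtime, versus an enclave image generated ahead of time and only ever mapped executable) maps onto an ordinary, non-SGX userspace pattern that SELinux's execmem check already gates. The following is an added illustration written for this page; it is not code from the thread, from Graphene, or from the SGX driver, and it does not touch SGX at all. It shows the two loading models side by side: anonymous read/write memory that is later flipped to executable (the mprotect here is what trips EXECMEM), and a prebuilt image (a memfd standing in for the ahead-of-time enclave image) mapped PROT_EXEC without PROT_WRITE, which is subject only to the normal file execute permission. The instruction bytes are constructed for x86-64 and AArch64; on other architectures the functions report that execution was skipped.

```c
/* Added example: userspace illustration of "create executable pages at
 * runtime" (EXECMEM territory under SELinux) versus "map a prebuilt
 * executable image" (plain file execute check). Not SGX code. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

typedef int (*fn_t)(void);

/* Constructed machine code for a function that returns 42. */
#if defined(__x86_64__)
static const uint8_t kCode[] = {0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3}; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t kCode[] = {0x40, 0x05, 0x80, 0x52,               /* mov w0,#42 */
                                0xc0, 0x03, 0x5f, 0xd6};              /* ret        */
#else
static const uint8_t kCode[] = {0};
#endif

int arch_supported(void) {
#if defined(__x86_64__) || defined(__aarch64__)
    return 1;
#else
    return 0;
#endif
}

/* Convert a data pointer to a function pointer without relying on a cast
 * that ISO C leaves undefined. */
static fn_t as_fn(void *p) { fn_t f; memcpy(&f, &p, sizeof f); return f; }

/* Loader model: code arrives at runtime, is written into anonymous RW memory,
 * then the pages are made executable. On an SELinux system this mprotect
 * (like an mmap asking for PROT_WRITE|PROT_EXEC) requires execmem on the
 * process domain, because the process is minting executable content itself. */
fn_t load_at_runtime(const uint8_t *code, size_t len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, code, len);
    __builtin___clear_cache((char *)p, (char *)p + len); /* needed on AArch64 */
    if (mprotect(p, page, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, page);
        return NULL;
    }
    return as_fn(p);
}

/* Ahead-of-time model: the executable image already exists as a file (a memfd
 * here, standing in for a prebuilt image). It is mapped PROT_EXEC and never
 * PROT_WRITE, so the process never holds writable+executable memory and only
 * the ordinary file execute permission is consulted. */
fn_t load_prebuilt(const uint8_t *code, size_t len) {
    int fd = memfd_create("prebuilt-image", 0);
    if (fd < 0) return NULL;
    if (write(fd, code, len) != (ssize_t)len) { close(fd); return NULL; }
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    close(fd); /* the mapping keeps the file alive */
    if (p == MAP_FAILED) return NULL;
    return as_fn(p);
}

/* Returns 42 on success, -1 if loading failed or the arch is unsupported. */
int run_runtime_loaded(void) {
    if (!arch_supported()) return -1;
    fn_t f = load_at_runtime(kCode, sizeof kCode);
    return f ? f() : -1;
}

int run_prebuilt(void) {
    if (!arch_supported()) return -1;
    fn_t f = load_prebuilt(kCode, sizeof kCode);
    return f ? f() : -1;
}

int main(void) {
    printf("runtime-loaded: %d\n", run_runtime_loaded());
    printf("prebuilt:       %d\n", run_prebuilt());
    return 0;
}
```

On a permissive or non-SELinux host both paths return 42; with an SELinux policy that denies execmem for the domain, only load_at_runtime fails (at the mprotect), which is the property the "generate the enclave ahead of time" suggestion relies on.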