From: Jarkko Sakkinen <jarkko@kernel.org>
To: Reinette Chatre <reinette.chatre@intel.com>
Cc: mtk.manpages@gmail.com, linux-man@vger.kernel.org,
linux-sgx@vger.kernel.org, dave.hansen@linux.intel.com
Subject: Re: [PATCH v5] sgx.7: New page with overview of Software Guard eXtensions (SGX)
Date: Wed, 12 May 2021 04:16:27 +0300 [thread overview]
Message-ID: <YJssa9DyboM8nWXL@kernel.org> (raw)
In-Reply-To: <7ea35a75-a75d-4071-cbf7-f43c672a5a45@intel.com>
On Tue, May 11, 2021 at 01:22:10PM -0700, Reinette Chatre wrote:
> Hi Jarkko,
>
> On 5/10/2021 7:52 AM, Jarkko Sakkinen wrote:
>
> ...
>
> > +There is a hardware constraint that the enclave size must be a power of two,
> > +and the base address must be a multiple of the size.
> > +This can lead to reserving a large region than required by the payload,
>
> a large region than required -> a larger region than required ?
>
> > +but the address space can be obviously trimmed after the enclave has been
>
> can be obviously trimmed -> can be trimmed ?
>
> > +constructed on,
>
> constructed on -> constructed ?
>
> > +with a sequence of
> > +.BR mmap(MAP_FIXED)
> > +calls.
> > +.PP
> > +A process can access enclave by entering into its address space through
> > +a set of entry points,
> > +which must be defined during the construction process.
> > +This requires a complex sequence of CPU instructions,
> > +and kernel assisted exception handling,
> > +encapsulated into
> > +.BR vsgx_enter_enclave
> > +vDSO interface,
> > +provided and documented by
> > +.IR <asm/sgx.h>.
>
> This is not clear to me. This is written as though vsgx_enter_enclave is
> something very specific that is documented in <asm/sgx.h>. Should it perhaps
> be vdso_sgx_enter_enclave_t instead? Am I missing where vsgx_enter_enclave
> is defined? I expect a reader of this man page may want to search for the
> term "vsgx_enter_enclave" after reading the above.
Yeah, it's now incorrect. I'll fix this. Thanks for pointing out.
>
> > +.SS Permissions
> > +In order to build an enclave, a process must be able to call
> > +.IR mmap (2)
> > +with
> > +.IR PROT_EXEC
> > +set.
> > +Like for any other type of executable,
> > +the page permissions must be set appropriately.
> > +For this reason,
> > +.I /dev/sgx_enclave
> > +must reside in a partition,
> > +which is not mounted as no-exec,
> > +in order to be usable,
> > +as
> > +.IR mmap(2)
> > +denies
> > +.IR PROT_EXEC
> > +otherwise.
> > +.SH VERSIONS
> > +The SGX feature was added in Linux 5.11.
> > +.SH SEE ALSO
> > +.BR ioctl (2),
> > +.BR mmap() (2),
>
> mmap() (2) -> mmap (2) ?
>
> > +.BR mprotect (2)
> >
>
> Reinette
Also, other remarks make sense to me, thanks.
/Jarkko
prev parent reply other threads:[~2021-05-12 1:16 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-10 14:52 [PATCH v5] sgx.7: New page with overview of Software Guard eXtensions (SGX) Jarkko Sakkinen
2021-05-10 14:58 ` Dave Hansen
2021-05-10 17:33 ` Jarkko Sakkinen
2021-05-11 20:22 ` Reinette Chatre
2021-05-12 1:16 ` Jarkko Sakkinen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YJssa9DyboM8nWXL@kernel.org \
--to=jarkko@kernel.org \
--cc=dave.hansen@linux.intel.com \
--cc=linux-man@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=reinette.chatre@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.