SGX device & noexec /dev

SGX device & noexec /dev

[Jethro Beekman]

[-- Attachment #1: Type: text/plain, Size: 289 bytes --]

Hi all,

One of our users discovered that some distros (notably at least Ubuntu 20.04) mount /dev noexec. This prevents mmap(PROT_EXEC) on the SGX device. Do we have any recourse other than telling distros not to do this if they want to support SGX?

-- 
Jethro Beekman | Fortanix


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4054 bytes --]

Re: SGX device & noexec /dev

[Sean Christopherson]

On Thu, Mar 19, 2020 at 12:50:05PM +0100, Jethro Beekman wrote:
> Hi all,
> 
> One of our users discovered that some distros (notably at least Ubuntu 20.04)
> mount /dev noexec. This prevents mmap(PROT_EXEC) on the SGX device. Do we
> have any recourse other than telling distros not to do this if they want to
> support SGX?

Hmm, going the anon inode approach should avoid that issue, but then folks
running SELinux get the short end of the stick due to EXECMEM triggering.
The SELinux issue can be hacked around, e.g. by adding a way to identify
that a file is an enclave.  A similar hack would work for noexec, though
it'd likely be an even uglier hack.