From: Reinette Chatre <reinette.chatre@intel.com>
To: Jarkko Sakkinen <jarkko@kernel.org>, mtk.manpages@gmail.com
Cc: linux-man@vger.kernel.org, linux-sgx@vger.kernel.org,
dave.hansen@linux.intel.com
Subject: Re: [PATCH v5] sgx.7: New page with overview of Software Guard eXtensions (SGX)
Date: Tue, 11 May 2021 13:22:10 -0700 [thread overview]
Message-ID: <7ea35a75-a75d-4071-cbf7-f43c672a5a45@intel.com> (raw)
In-Reply-To: <20210510145235.8056-1-jarkko@kernel.org>
Hi Jarkko,
On 5/10/2021 7:52 AM, Jarkko Sakkinen wrote:
...
> +There is a hardware constraint that the enclave size must be a power of two,
> +and the base address must be a multiple of the size.
> +This can lead to reserving a large region than required by the payload,
a large region than required -> a larger region than required ?
> +but the address space can be obviously trimmed after the enclave has been
can be obviously trimmed -> can be trimmed ?
> +constructed on,
constructed on -> constructed ?
> +with a sequence of
> +.BR mmap(MAP_FIXED)
> +calls.
> +.PP
> +A process can access enclave by entering into its address space through
> +a set of entry points,
> +which must be defined during the construction process.
> +This requires a complex sequence of CPU instructions,
> +and kernel assisted exception handling,
> +encapsulated into
> +.BR vsgx_enter_enclave
> +vDSO interface,
> +provided and documented by
> +.IR <asm/sgx.h>.
This is not clear to me. This is written as though vsgx_enter_enclave is
something very specific that is documented in <asm/sgx.h>. Should it
perhaps be vdso_sgx_enter_enclave_t instead? Am I missing where
vsgx_enter_enclave is defined? I expect a reader of this man page may
want to search for the term "vsgx_enter_enclave" after reading the above.
> +.SS Permissions
> +In order to build an enclave, a process must be able to call
> +.IR mmap (2)
> +with
> +.IR PROT_EXEC
> +set.
> +Like for any other type of executable,
> +the page permissions must be set appropriately.
> +For this reason,
> +.I /dev/sgx_enclave
> +must reside in a partition,
> +which is not mounted as no-exec,
> +in order to be usable,
> +as
> +.IR mmap(2)
> +denies
> +.IR PROT_EXEC
> +otherwise.
> +.SH VERSIONS
> +The SGX feature was added in Linux 5.11.
> +.SH SEE ALSO
> +.BR ioctl (2),
> +.BR mmap() (2),
mmap() (2) -> mmap (2) ?
> +.BR mprotect (2)
>
Reinette
next prev parent reply other threads:[~2021-05-11 20:22 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-10 14:52 [PATCH v5] sgx.7: New page with overview of Software Guard eXtensions (SGX) Jarkko Sakkinen
2021-05-10 14:58 ` Dave Hansen
2021-05-10 17:33 ` Jarkko Sakkinen
2021-05-11 20:22 ` Reinette Chatre [this message]
2021-05-12 1:16 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7ea35a75-a75d-4071-cbf7-f43c672a5a45@intel.com \
--to=reinette.chatre@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=jarkko@kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.