Re: [PATCH 10/25] x86/sgx: Support enclave page permission changes
From: Reinette Chatre
Date: Fri Dec 03 2021 - 13:18:29 EST
Hi Dave,
On 12/2/2021 3:48 PM, Dave Hansen wrote:
On 12/1/21 11:23 AM, Reinette Chatre wrote:
+ * EPCM permissions can be extended anytime directly from the enclave with
+ * no visibility from the OS. This is accomplished with ENCLU[EMODPE]
+ * run from within enclave. Accessing pages with the new, extended,
+ * permissions requires the OS to update the PTE to handle the subsequent
+ * #PF correctly.
Hi Reinette,
I really dislike the Intel nomenclature here. I know the Intel docs are
all written around permission "extension", but I find it ambiguous.
I've been looking at these instructions literally for years now and
permission extension to me can mean either:
1. The set of things you can do is extended
2. The set of things you can *NOT* do is extended
I much rather prefer nomenclature like:
EPCM permissions can be relaxed anytime directly from the
enclave with no visibility from the OS. This is accomplished
with ENCLU[EMODPE] run from within enclave. Accessing pages with
the new, relaxed permissions requires the OS to update the PTE
to handle the subsequent correctly.
"Relax" is less ambiguous. Relaxing a restriction and relaxing
permissions both mean doing things less strictly. Extending
restrictions and extending what is allowed are opposites.
Very good point.
Maybe it's just me and I need to get this through my thick skull at some
point. But, I do think it's OK to improve on the architecture names for
things when they go into the kernel. The XSAVE XSTATE_BV->xfeatures
rename comes to mind.
Anyway, I'd appreciate if you could keep this in mind and consider
changing it if a future revision is needed if you believe it is more clear.
Will do. I see that there is opportunity to use this terminology in my
reply to your other message in response to this patch. I'll do so and we
can then further judge how it sounds.
Reinette