|
|
Пишет LWN.net (![[info]](http://lj.rossia.org/img/syndicated.gif){kind=small} syn_lwnheadline)@ 2019-09-11 15:25:00 |
 |
|
 |
|
|
|
|
|
|
 |
|
 |
[$] SGX and security modules
Software Guard Extensions (SGX) is a set of security-related
instructions for Intel processors; it allows the creation of private
regions of memory, called "enclaves". The aim of this feature is to work
like an inverted sandbox: instead of protecting the system from malicious
code, it protects an application from a compromised kernel hypervisor,
or other application. Linux support for SGX has existed out-of-tree
for years, and the effort of upstreaming it has reached an
impressive version
22 of the patch set. During the upstreaming discussion, the kernel
developers discovered
that the proposed SGX API did not play nicely with existing security
mechanisms, including Linux security modules
(LSMs).
Software Guard Extensions (SGX) is a set of security-related
instructions for Intel processors; it allows the creation of private
regions of memory, called "enclaves". The aim of this feature is to work
like an inverted sandbox: instead of protecting the system from malicious
code, it protects an application from a compromised kernel hypervisor,
or other application. Linux support for SGX has existed out-of-tree
for years, and the effort of upstreaming it has reached an
impressive version
22 of the patch set. During the upstreaming discussion, the kernel
developers discovered
that the proposed SGX API did not play nicely with existing security
mechanisms, including Linux security modules
(LSMs).
