Is it possible to run a device driver inside an Intel SGX enclave? Or is it impossible for an enclave to access DMA memory and perform memory-mapped I/O?
I already have a device driver that has all the necessary memory mapped, but I don't know whether it is possible to create an enclave that shares those mappings. I'm basically confused about whether enclaves can only access their own private memory, or whether they can also access arbitrary physical memory that I would map into them.
The documentation seems to say that enclaves can't access code at arbitrary locations, but I'm wondering what the rules are for data and MMIO.
Enclaves are statically linked libraries, and so they share the process with the application they get loaded into. Multiple enclaves can be loaded into one process.
An enclave owns one or more page tables; these pages are encrypted and protected from outside access. This is better explained in: https://software.intel.com/sites/default/files/332680-002.pdf, page 28.
Enclaves can access memory from the process they run in, but their memory can only be accessed by themselves. DMA access attempts are rejected/aborted; it is not possible to map to an enclave's memory. However, you can map to the memory of the process and access it from within the enclave.
Enclaves are by concept isolated from the outside world; they don't have I/O capabilities apart from the Protected File System Library. So, I don't think it's possible to run a driver inside SGX.
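An added example (not part of the question or the answer) of the consequence of that memory model: an enclave may read a buffer the host process mapped, such as a DMA page, but the pointer arrives from untrusted code, so the enclave must confirm the whole range lies outside its own pages before touching it, which is what the Intel SGX SDK's `sgx_is_outside_enclave()` does for `[user_check]` pointers. The enclave base/size, the function names and the sample page below are constructed stand-ins, not SDK code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed enclave placement; the real SDK derives this from the
 * enclave's own layout.  Stand-in values, not Intel's implementation. */
#define ENCLAVE_BASE ((uintptr_t)0x600000000000ULL)
#define ENCLAVE_SIZE ((size_t)0x200000)            /* 2 MiB */
/* True only if [start, start+len) is non-empty, does not wrap around the
 * address space, and lies entirely outside [base, base+size). */
bool range_is_outside(uintptr_t start, size_t len, uintptr_t base, size_t size)
{
    if (len == 0 || size == 0) return false;
    if (len > UINTPTR_MAX - start) return false;   /* start+len would wrap */
    uintptr_t end   = start + len;                 /* exclusive */
    uintptr_t e_end = base + size;                 /* exclusive */
    return end <= base || start >= e_end;
}

/* Same contract as the SDK's sgx_is_outside_enclave(), checked against
 * the constructed enclave range above. */
bool buffer_is_outside_enclave(const void *addr, size_t len)
{
    return range_is_outside((uintptr_t)addr, len, ENCLAVE_BASE, ENCLAVE_SIZE);
}

/* Stand-in for an ECALL receiving a [user_check] pointer to a buffer the
 * host process mapped (e.g. a DMA page).  Copies into enclave-private
 * storage only after the range check; returns bytes copied, 0 if rejected. */
size_t ecall_copy_in(const void *host_buf, size_t len,
                     uint8_t *priv, size_t priv_cap)
{
    if (len > priv_cap) return 0;                      /* would overrun priv */
    if (!buffer_is_outside_enclave(host_buf, len)) return 0;
    memcpy(priv, host_buf, len);
    return len;
}

/* Constructed sample input: a page standing in for host-mapped DMA memory. */
static const uint8_t host_dma_page[8] = {0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4};
static uint8_t enclave_private[8];

/* Copies the sample page into enclave-private storage; returns 8 on success. */
size_t demo_copy_from_host(void)
{
    return ecall_copy_in(host_dma_page, sizeof host_dma_page,
                         enclave_private, sizeof enclave_private);
}
```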