Closed NikhilBansal1999 closed 5 years ago
Hi, currently syscall emulation or proxying isn't supported by the eyrie runtime. However, we're actively working on supporting most basic I/O and memory syscalls (either via implementation in eyrie or proxying to the host automatically for I/O). I expect that we'll have support for a number of them landed this week.
Current plans don't include mprotect support yet (it's planned, just not soon), though once the scaffolding and examples are in place we'd happily take pull requests.
Proxying syscalls like mprotect/mmap/etc is not possible in Keystone since the host and host OS have no access to the page tables of the enclave. You are getting errors back because the kernel: 1) doesn't know what virtual pages you are referring to, since the host and enclave have their own page tables, and 2) can't access the enclave page tables to modify them for your mprotect call.
This is related to the syscall implementation in the runtime. Please re-open the issue in keystone-runtime if you still need mprotect support. We won't be able to handle this issue by ourselves at this moment.
Hi, I was trying to write a Keystone enclave application. As part of my application, I need to use mprotect inside the enclave. However, since mprotect is not available inside the enclave, I wrote an ocall which takes an address, size, and permissions as arguments and executes the mprotect call from outside the enclave. However, the call to mprotect in the ocall is failing with the error code ENOMEM. Please suggest a correction. I am on the dev branch of Keystone.
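The ENOMEM reported in this issue can be reproduced on a plain Linux host without Keystone. The following is an added example, not code from the thread or from the Keystone project: `host_mprotect_ocall` is a hypothetical stand-in for the host-side ocall handler, and an unmapped host address models an enclave virtual address that the host's page tables know nothing about.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for MAP_ANONYMOUS under strict -std modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical host-side ocall handler: takes a raw address, size and
 * permissions from the enclave and calls mprotect in the HOST process.
 * Returns 0 on success, otherwise the errno value. */
static int host_mprotect_ocall(void *addr, size_t len, int prot)
{
    return mprotect(addr, len, prot) == 0 ? 0 : errno;
}

/* Case 1: the address is mapped in the host's own page tables. */
int try_host_mapped(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int rc = host_mprotect_ocall(p, len, PROT_READ);
    munmap(p, len);
    return rc;
}

/* Case 2: a page-aligned address with no mapping in the host process.
 * This is what an enclave virtual address looks like to the host kernel. */
int try_foreign_address(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    munmap(p, len);                 /* address is now unknown to the kernel */
    return host_mprotect_ocall(p, len, PROT_READ);
}

int main(void)
{
    printf("host-mapped page : %s\n", strerror(try_host_mapped()));
    printf("foreign address  : %s\n", strerror(try_foreign_address()));
    return 0;
}
```

Even if the address happened to be mapped in the host, the call would change the host's page tables, not the enclave's, so the enclave's permissions would be unaffected.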