I have two questions related to the EMODPE and EACCEPTCOPY SGXv2 instructions. (I'm using the NUC 7CJYH and working on porting large databases inside the enclave efficiently.)
Is there a formal process to request making changes to the instruction set so that SGX/SGXv2 can actually work for real-world applications? Unfortunately, the 128Kb physical memory limit and poorly designed instruction sets (which I thought would be fixed in SGXv2) make it impossible to build secure and performant server applications running inside SGX.
Because this permission is at the process level, you really cannot change the permission to read-only for the thread that has the exception. This is because there may be other threads running, so the architecture will not allow it to be changed.
Hoang Nguyen, you have misunderstood my question. I'm not asking to change the permission of a given thread. I want to turn a R/W page into a read-only page without making an ocall or OS involvement.
If the SGX threat model is that it doesn't trust the OS, it seems like a massive oversight that an enclave cannot restrict its own page permissions and has to ask the OS to restrict its permissions. That's like building a super secure house, but to close a door inside your house, you have to go outside and ask criminals on the street to come in and close a door for you. This threat model doesn't make sense to me. (And yes, I know the enclave needs to EACCEPT, etc., but that whole machinery is full of its own problems.)