[$] SGX and security modules
Software Guard Extensions (SGX) is a set of security-related instructions for Intel processors; it allows the creation of private regions of memory, called "enclaves". The aim of this feature is to work like an inverted sandbox: instead of protecting the system from malicious code, it protects an application from a compromised kernel, hypervisor, or other application. Linux support for SGX has existed out-of-tree for years, and the effort of upstreaming it has reached an impressive version 22 of the patch set. During the upstreaming discussion, the kernel developers discovered that the proposed SGX API did not play nicely with existing security mechanisms, including Linux security modules (LSMs).