Yeah I 100% trust you :)

Correct me if I'm wrong: [`SGX_QUEUE`](https://github.com/dmlc/tvm/blob/7cd986db0e67583bc347ed208c25be4c0d0c32a0/rust/runtime/src/threading.rs#L198) relies on the implementation of `Mutex` inside SGX. In Fortanix's solution, it relies on [`WaitQueue`](https://github.com/rust-lang/rust/blob/53f2165c544cceeafb308b80ace656ed328c1dc2/src/libstd/sys/sgx/mutex.rs#L25), which depends on [`usercall`](https://github.com/rust-lang/rust/blob/53f2165c544cceeafb308b80ace656ed328c1dc2/src/libstd/sys/sgx/waitqueue.rs#L154) to provide its atomicity. An attacker could easily hijack the enclave-runner, thus modifying the behavior of `WaitQueue`, then gain access to the behavior of that `SGX_QUEUE` and further ruin the SGX environment.

A short gif to show how an attacker cheats on Fortanix's SGX app:

![gif](https://dingelish.com/record.gif)

https://github.com/dmlc/tvm/issues/2887#issuecomment-480147860