From 3c903bdac4e503dd27b9b1f761c4abfc55f2464c Mon Sep 17 00:00:00 2001 From: volcano Date: Tue, 25 Jul 2023 18:17:46 +0800 Subject: [PATCH] Support intel-sdk-2.20 and dcap-1.17 --- dockerfile/02_binutils.sh | 2 +- dockerfile/03_sdk.sh | 4 +- dockerfile/Dockerfile.1804.nightly | 6 +- dockerfile/Dockerfile.2004.nightly | 12 +-- dockerfile/Dockerfile.centos8.nightly | 9 +- .../unit-test/enclave/src/test_exception.rs | 7 +- samplecode/unit-test/enclave/src/test_fp.rs | 68 ++++++------ sgx_signal/src/exception.rs | 78 +++++++++++--- sgx_signal/src/manager.rs | 4 +- sgx_trts/src/aex.rs | 101 ++++++++++++++++++ sgx_trts/src/enclave.rs | 9 ++ sgx_trts/src/lib.rs | 1 + sgx_tseal/src/internal.rs | 1 - sgx_types/src/error.rs | 15 ++- sgx_types/src/function.rs | 38 +++++-- sgx_types/src/marker.rs | 1 + sgx_types/src/types.rs | 66 ++++++++++-- 17 files changed, 330 insertions(+), 92 deletions(-) create mode 100644 sgx_trts/src/aex.rs diff --git a/dockerfile/02_binutils.sh b/dockerfile/02_binutils.sh index bf52603c3..cf3477ef8 100644 --- a/dockerfile/02_binutils.sh +++ b/dockerfile/02_binutils.sh @@ -1,7 +1,7 @@ if [ $BINUTILS_DIST != "SELF_BUILT" ] then cd /root && \ - wget https://download.01.org/intel-sgx/sgx-linux/2.17/as.ld.objdump.r4.tar.gz && \ + wget https://download.01.org/intel-sgx/sgx-linux/2.20/as.ld.objdump.r4.tar.gz && \ tar xzf as.ld.objdump.r4.tar.gz && \ cp -r external/toolset/$BINUTILS_DIST/* /usr/bin/ && \ rm -rf ./external ./as.ld.objdump.r4.tar.gz diff --git a/dockerfile/03_sdk.sh b/dockerfile/03_sdk.sh index eb5d0152a..99dd24b0f 100644 --- a/dockerfile/03_sdk.sh +++ b/dockerfile/03_sdk.sh 
@@ -10,10 +10,10 @@ else cd /root && \ git clone --recursive https://github.com/intel/linux-sgx && \ cd linux-sgx && \ - git checkout sgx_2.17.1 && \ + git checkout sgx_2.20 && \ ./download_prebuilt.sh && \ make -j "$(nproc)" sdk_install_pkg && \ - echo -e 'no\n/opt' | ./linux/installer/bin/sgx_linux_x64_sdk_2.17.101.1.bin && \ + echo -e 'no\n/opt' | ./linux/installer/bin/sgx_linux_x64_sdk_2.20.100.4.bin && \ echo 'source /opt/sgxsdk/environment' >> /root/.bashrc && \ cd /root && \ rm -rf /root/linux-sgx diff --git a/dockerfile/Dockerfile.1804.nightly b/dockerfile/Dockerfile.1804.nightly index 0c2f163bc..b6f761a61 100644 --- a/dockerfile/Dockerfile.1804.nightly +++ b/dockerfile/Dockerfile.1804.nightly @@ -23,15 +23,15 @@ RUN bash /root/03_sdk.sh # Sixth, PSW ENV CODENAME bionic -ENV VERSION 2.17.100.3-bionic1 -ENV DCAP_VERSION 1.14.100.3-bionic1 +ENV VERSION 2.20.100.4-bionic1 +ENV DCAP_VERSION 1.17.100.4-bionic1 COPY 04_psw.sh /root RUN bash /root/04_psw.sh # Seventh, Rust -ENV rust_toolchain nightly-2022-02-23 +ENV rust_toolchain nightly-2022-10-22 COPY 05_rust.sh /root RUN bash /root/05_rust.sh diff --git a/dockerfile/Dockerfile.2004.nightly b/dockerfile/Dockerfile.2004.nightly index ab393aa6d..319310da8 100644 --- a/dockerfile/Dockerfile.2004.nightly +++ b/dockerfile/Dockerfile.2004.nightly 
@@ -5,10 +5,6 @@ ENV DEBIAN_FRONTEND=noninteractive RUN apt update && apt install -y unzip lsb-release debhelper cmake reprepro autoconf automake bison build-essential curl dpkg-dev expect flex gcc-8 gdb git git-core gnupg kmod libboost-system-dev libboost-thread-dev libcurl4-openssl-dev libiptcdata0-dev libjsoncpp-dev liblog4cpp5-dev libprotobuf-dev libssl-dev libtool libxml2-dev ocaml ocamlbuild pkg-config protobuf-compiler python texinfo uuid-dev vim wget software-properties-common && \ rm -rf /var/lib/apt/lists/* -#20.04 does have gcc-9 -#ADD 01_gcc_8.sh /root -#RUN bash /root/01_gcc_8.sh - ENV BINUTILS_DIST="ubuntu20.04" #ENV BINUTILS_DIST="SELF_BUILT" ENV LD_LIBRARY_PATH=/usr/lib:/usr/local/lib @@ -19,22 +15,22 @@ RUN bash /root/02_binutils.sh #ENV SDK_DIST="SELF_BUILT" ENV SDK_DIST="INTEL_BUILT" -ENV SDK_URL="https://download.01.org/intel-sgx/sgx-linux/2.17.1/distro/ubuntu20.04-server/sgx_linux_x64_sdk_2.17.101.1.bin" +ENV SDK_URL="https://download.01.org/intel-sgx/sgx-linux/2.20/distro/ubuntu20.04-server/sgx_linux_x64_sdk_2.20.100.4.bin" ADD 03_sdk.sh /root RUN bash /root/03_sdk.sh # Sixth, PSW ENV CODENAME focal -ENV VERSION 2.17.100.3-focal1 -ENV DCAP_VERSION 1.14.100.3-focal1 +ENV VERSION 2.20.100.4-focal1 +ENV DCAP_VERSION 1.17.100.4-focal1 ADD 04_psw.sh /root RUN bash /root/04_psw.sh # Seventh, Rust -ENV rust_toolchain nightly-2022-02-23 +ENV rust_toolchain nightly-2022-10-22 ADD 05_rust.sh /root RUN bash /root/05_rust.sh diff --git a/dockerfile/Dockerfile.centos8.nightly b/dockerfile/Dockerfile.centos8.nightly index aeada9249..9ebd366c8 100644 --- a/dockerfile/Dockerfile.centos8.nightly +++ b/dockerfile/Dockerfile.centos8.nightly 
@@ -4,25 +4,22 @@ RUN dnf group install -y 'Development Tools' && \ dnf --enablerepo=powertools install -y ocaml ocaml-ocamlbuild redhat-rpm-config openssl-devel wget rpm-build git cmake perl python2 libcurl-devel protobuf-devel && \ alternatives --set python /usr/bin/python2 -#ADD 01_gcc_8.sh /root -#RUN bash /root/01_gcc_8.sh - ENV BINUTILS_DIST="centos8" ADD 02_binutils.sh /root RUN bash /root/02_binutils.sh ENV SDK_DIST="INTEL_BUILT" -ENV SDK_URL="https://download.01.org/intel-sgx/sgx-linux/2.17.1/distro/centos-stream/sgx_linux_x64_sdk_2.17.101.1.bin" +ENV SDK_URL="https://download.01.org/intel-sgx/sgx-linux/2.20/distro/centos-stream/sgx_linux_x64_sdk_2.20.100.4.bin" #ENV SDK_DIST="SELF_BUILT" ADD 03_sdk.sh /root RUN bash /root/03_sdk.sh -ENV PSW_REPO="https://download.01.org/intel-sgx/sgx-linux/2.17/distro/centos-stream/sgx_rpm_local_repo.tgz" +ENV PSW_REPO="https://download.01.org/intel-sgx/sgx-linux/2.20/distro/centos-stream/sgx_rpm_local_repo.tgz" ADD 04_psw_rpm.sh /root RUN bash /root/04_psw_rpm.sh -ENV rust_toolchain nightly-2022-02-23 +ENV rust_toolchain nightly-2022-10-22 ADD 05_rust.sh /root RUN bash /root/05_rust.sh diff --git a/samplecode/unit-test/enclave/src/test_exception.rs b/samplecode/unit-test/enclave/src/test_exception.rs index ae2d05783..88a832b7f 100644 --- a/samplecode/unit-test/enclave/src/test_exception.rs +++ b/samplecode/unit-test/enclave/src/test_exception.rs @@ -16,9 +16,8 @@ // under the License.. use sgx_signal::exception::{register_exception, unregister}; -use sgx_signal::ContinueType; +use sgx_signal::{ContinueType, ExceptionInfo}; use sgx_trts::enclave; -use sgx_types::sgx_exception_info_t; use std::backtrace::{self, PrintFormat}; use std::panic; use std::sync::atomic::{AtomicUsize, Ordering}; 
@@ -49,7 +48,7 @@ pub fn test_exception_handler() { let status = Arc::new(AtomicUsize::new(2)); let handler1 = { let status = Arc::clone(&status); - move |_info: &mut sgx_exception_info_t| { + move |_info: &mut ExceptionInfo| { status.fetch_add(2, Ordering::Relaxed); ContinueType::Search } @@ -57,7 +56,7 @@ pub fn test_exception_handler() { let handler2 = { let status = Arc::clone(&status); - move |_info: &mut sgx_exception_info_t| { + move |_info: &mut ExceptionInfo| { status.store(1, Ordering::Relaxed); ContinueType::Search } diff --git a/samplecode/unit-test/enclave/src/test_fp.rs b/samplecode/unit-test/enclave/src/test_fp.rs index 85f7aac7a..51f0ed379 100644 --- a/samplecode/unit-test/enclave/src/test_fp.rs +++ b/samplecode/unit-test/enclave/src/test_fp.rs @@ -19,7 +19,7 @@ pub fn test_fp64() { let f = 3.7_f64; let g = 3.0_f64; let h = -3.7_f64; - + assert_eq!(f.floor(), 3.0); assert_eq!(g.floor(), 3.0); assert_eq!(h.floor(), -4.0); @@ -28,26 +28,26 @@ pub fn test_fp64() { let g = 4.0_f64; assert_eq!(f.ceil(), 4.0); assert_eq!(g.ceil(), 4.0); - + let f = 3.3_f64; let g = -3.3_f64; assert_eq!(f.round(), 3.0); assert_eq!(g.round(), -3.0); - + let f = 3.7_f64; let g = 3.0_f64; let h = -3.7_f64; assert_eq!(f.trunc(), 3.0); assert_eq!(g.trunc(), 3.0); assert_eq!(h.trunc(), -3.0); - + let x = 3.6_f64; let y = -3.6_f64; let abs_difference_x = (x.fract() - 0.6).abs(); let abs_difference_y = (y.fract() - (-0.6)).abs(); assert!(abs_difference_x < 1e-10); assert!(abs_difference_y < 1e-10); - + let x = 3.5_f64; let y = -3.5_f64; let abs_difference_x = (x.abs() - x).abs(); 
@@ -60,28 +60,28 @@ pub fn test_fp64() { assert_eq!(f.signum(), 1.0); assert_eq!(f64::NEG_INFINITY.signum(), -1.0); assert!(f64::NAN.signum().is_nan()); - + let f = 3.5_f64; assert_eq!(f.copysign(0.42), 3.5_f64); assert_eq!(f.copysign(-0.42), -3.5_f64); assert_eq!((-f).copysign(0.42), 3.5_f64); assert_eq!((-f).copysign(-0.42), -3.5_f64); assert!(f64::NAN.copysign(1.0).is_nan()); - + let m = 10.0_f64; let x = 4.0_f64; let b = 60.0_f64; // 100.0 let abs_difference = (m.mul_add(x, b) - ((m * x) + b)).abs(); assert!(abs_difference < 1e-10); - + let a: f64 = 7.0; let b = 4.0; assert_eq!(a.div_euclid(b), 1.0); // 7.0 > 4.0 * 1.0 assert_eq!((-a).div_euclid(b), -2.0); // -7.0 >= 4.0 * -2.0 assert_eq!(a.div_euclid(-b), -1.0); // 7.0 >= -4.0 * -1.0 assert_eq!((-a).div_euclid(-b), 2.0); // -7.0 >= -4.0 * 2.0 - + let a: f64 = 7.0; let b = 4.0; assert_eq!(a.rem_euclid(b), 3.0); @@ -90,11 +90,11 @@ pub fn test_fp64() { assert_eq!((-a).rem_euclid(-b), 1.0); // limitation due to round-off error assert!((-f64::EPSILON).rem_euclid(3.0) != 0.0); - + let x = 2.0_f64; let abs_difference = (x.powi(2) - (x * x)).abs(); assert!(abs_difference < 1e-10); - + let x = 2.0_f64; let abs_difference = (x.powf(2.0) - (x * x)).abs(); assert!(abs_difference < 1e-10); 
@@ -104,77 +104,77 @@ pub fn test_fp64() { let abs_difference = (positive.sqrt() - 2.0).abs(); assert!(abs_difference < 1e-10); assert!(negative.sqrt().is_nan()); - + let one = 1.0_f64; // e^1 let e = one.exp(); // ln(e) - 1 == 0 let abs_difference = (e.ln() - 1.0).abs(); assert!(abs_difference < 1e-10); - + let f = 2.0_f64; // 2^2 - 4 == 0 let abs_difference = (f.exp2() - 4.0).abs(); assert!(abs_difference < 1e-10); - + let one = 1.0_f64; // e^1 let e = one.exp(); // ln(e) - 1 == 0 let abs_difference = (e.ln() - 1.0).abs(); assert!(abs_difference < 1e-10); - + let twenty_five = 25.0_f64; // log5(25) - 2 == 0 let abs_difference = (twenty_five.log(5.0) - 2.0).abs(); assert!(abs_difference < 1e-10); - + let four = 4.0_f64; // log2(4) - 2 == 0 let abs_difference = (four.log2() - 2.0).abs(); assert!(abs_difference < 1e-10); - + let hundred = 100.0_f64; // log10(100) - 2 == 0 let abs_difference = (hundred.log10() - 2.0).abs(); assert!(abs_difference < 1e-10); - + let x = 3.0_f64; let y = -3.0_f64; let abs_difference_x = (x.abs_sub(1.0) - 2.0).abs(); let abs_difference_y = (y.abs_sub(1.0) - 0.0).abs(); assert!(abs_difference_x < 1e-10); assert!(abs_difference_y < 1e-10); - + let x = 8.0_f64; // x^(1/3) - 2 == 0 let abs_difference = (x.cbrt() - 2.0).abs(); assert!(abs_difference < 1e-10); - + let x = 2.0_f64; let y = 3.0_f64; // sqrt(x^2 + y^2) let abs_difference = (x.hypot(y) - (x.powi(2) + y.powi(2)).sqrt()).abs(); assert!(abs_difference < 1e-10); - + let x = std::f64::consts::FRAC_PI_2; let abs_difference = (x.sin() - 1.0).abs(); assert!(abs_difference < 1e-10); - + let x = 2.0 * std::f64::consts::PI; let abs_difference = (x.cos() - 1.0).abs(); assert!(abs_difference < 1e-10); - + let f = std::f64::consts::FRAC_PI_2; // asin(sin(pi/2)) let abs_difference = (f.sin().asin() - std::f64::consts::FRAC_PI_2).abs(); assert!(abs_difference < 1e-10); - + let f = std::f64::consts::FRAC_PI_4; // acos(cos(pi/4)) let abs_difference = (f.cos().acos() - 
std::f64::consts::FRAC_PI_4).abs(); assert!(abs_difference < 1e-10); - + let f = 1.0_f64; // atan(tan(1)) let abs_difference = (f.tan().atan() - 1.0).abs(); @@ -192,26 +192,26 @@ pub fn test_fp64() { let abs_difference_2 = (y2.atan2(x2) - (3.0 * std::f64::consts::FRAC_PI_4)).abs(); assert!(abs_difference_1 < 1e-10); assert!(abs_difference_2 < 1e-10); - + let x = std::f64::consts::FRAC_PI_4; let f = x.sin_cos(); let abs_difference_0 = (f.0 - x.sin()).abs(); let abs_difference_1 = (f.1 - x.cos()).abs(); assert!(abs_difference_0 < 1e-10); assert!(abs_difference_1 < 1e-10); - + let x = 1e-16_f64; // for very small x, e^x is approximately 1 + x + x^2 / 2 let approx = x + x * x / 2.0; let abs_difference = (x.exp_m1() - approx).abs(); assert!(abs_difference < 1e-20); - + let x = 1e-16_f64; // for very small x, ln(1 + x) is approximately x - x^2 / 2 let approx = x - x * x / 2.0; let abs_difference = (x.ln_1p() - approx).abs(); assert!(abs_difference < 1e-20); - + let e = std::f64::consts::E; let x = 1.0_f64; let f = x.sinh(); @@ -219,7 +219,7 @@ pub fn test_fp64() { let g = ((e * e) - 1.0) / (2.0 * e); let abs_difference = (f - g).abs(); assert!(abs_difference < 1e-10); - + let e = std::f64::consts::E; let x = 1.0_f64; let f = x.cosh(); @@ -228,7 +228,7 @@ pub fn test_fp64() { let abs_difference = (f - g).abs(); // Same result assert!(abs_difference < 1.0e-10); - + let e = std::f64::consts::E; let x = 1.0_f64; let f = x.tanh(); @@ -236,17 +236,17 @@ pub fn test_fp64() { let g = (1.0 - e.powi(-2)) / (1.0 + e.powi(-2)); let abs_difference = (f - g).abs(); assert!(abs_difference < 1.0e-10); - + let x = 1.0_f64; let f = x.sinh().asinh(); let abs_difference = (f - x).abs(); assert!(abs_difference < 1.0e-10); - + let x = 1.0_f64; let f = x.cosh().acosh(); let abs_difference = (f - x).abs(); assert!(abs_difference < 1.0e-10); - + let e = std::f64::consts::E; let f = e.tanh().atanh(); let abs_difference = (f - e).abs(); 
diff --git a/sgx_signal/src/exception.rs b/sgx_signal/src/exception.rs index dfeb0627c..5ca83d26d 100644 --- a/sgx_signal/src/exception.rs +++ b/sgx_signal/src/exception.rs @@ -20,13 +20,16 @@ use sgx_trts::veh::{ exception_handle, rsgx_register_exception_handler, rsgx_unregister_exception_handler, }; use sgx_types::SE_WORDSIZE; -use sgx_types::{sgx_exception_info_t, sgx_exception_vector_t}; +use sgx_types::{ + sgx_cpu_context_t, sgx_exception_info_t, sgx_exception_type_t, sgx_exception_vector_t, +}; use sgx_types::{EXCEPTION_CONTINUE_EXECUTION, EXCEPTION_CONTINUE_SEARCH}; use std::collections::LinkedList; use std::convert::From; use std::num::NonZeroU64; use std::ops::Drop; -use std::sync::{Arc, Once, SgxRwLock, SgxMutex, PoisonError, ONCE_INIT}; +use std::slice; +use std::sync::{Arc, Once, PoisonError, SgxMutex, SgxRwLock, ONCE_INIT}; use std::u64; #[repr(u32)] @@ -46,7 +49,7 @@ impl From for i32 { } #[allow(unknown_lints, bare_trait_objects)] -type ExceptionHandler = dyn Fn(&mut sgx_exception_info_t) -> ContinueType + Send + Sync; +type ExceptionHandler = dyn Fn(&mut ExceptionInfo) -> ContinueType + Send + Sync; #[derive(Copy, Clone, Debug, Eq, PartialEq, Ord, PartialOrd, Hash)] pub struct HandlerId(NonZeroU64); 
@@ -71,6 +74,45 @@ impl HandlerId { } } +pub struct ExceptionInfo<'a>(&'a mut sgx_exception_info_t); + +impl<'a> ExceptionInfo<'a> { + #[inline] + fn new(exception_info: &'a mut sgx_exception_info_t) -> ExceptionInfo { + ExceptionInfo(exception_info) + } + + #[inline] + pub fn cpu_context(&mut self) -> &mut sgx_cpu_context_t { + &mut self.0.cpu_context + } + + #[inline] + pub fn faulting_address(&self) -> u64 { + self.0.exinfo.faulting_address + } + + #[inline] + pub fn error_code(&self) -> u32 { + self.0.exinfo.error_code + } + + #[inline] + pub fn exception_vector(&self) -> sgx_exception_vector_t { + self.0.exception_vector + } + + #[inline] + pub fn exception_type(&self) -> sgx_exception_type_t { + self.0.exception_type + } + + #[inline] + pub fn xsave_area(&self) -> &[u8] { + unsafe { slice::from_raw_parts(&self.0.xsave_area as *const _, self.0.xsave_size as usize) } + } +} + struct HandlerNode { id: HandlerId, handler: Arc, 
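Review bot: `ExceptionInfo::xsave_area` is a safe public method that builds a slice whose length comes straight from the `xsave_size` field, with no upper bound and no `// SAFETY:` comment saying who guarantees that many bytes follow the header. Since `xsave_area` is declared as a zero-length tail, the slice always extends past the struct itself, so its soundness rests entirely on the runtime having filled `xsave_size` correctly. I would state that contract above the `unsafe` block, e.g. `// SAFETY: the trusted runtime stores xsave_size bytes of XSAVE state directly after this header, and the borrow of self keeps that memory alive`, after confirming it is what the runtime guarantees. `self.0.xsave_size as usize` also truncates silently on the 32-bit layout that types.rs still defines; `usize::try_from(self.0.xsave_size)` would make that explicit. The pointer is derived from a reference to the empty array field, so deriving it from the struct pointer (for example with `core::ptr::addr_of!`) is the more defensible form.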
@@ -114,32 +156,34 @@ impl GlobalData { } extern "C" fn native_exception_handler(info: *mut sgx_exception_info_t) -> int32_t { + let mut exception_info = ExceptionInfo::new(unsafe { info.as_mut().unwrap() }); if let Ok(handlers) = GlobalData::get().manager.exception_handler.read() { - let info = unsafe { info.as_mut().unwrap() }; for h in handlers.iter() { - match (h.handler)(info) { + match (h.handler)(&mut exception_info) { ContinueType::Search => {} ContinueType::Execution => return EXCEPTION_CONTINUE_EXECUTION, } } } - unsafe { panic_handler(info).into() } + unsafe { panic_handler(&mut exception_info).into() } } -unsafe extern "C" fn panic_handler(info: *mut sgx_exception_info_t) -> ContinueType { - let exception_info = info.as_mut().unwrap(); - let mut rsp = exception_info.cpu_context.rsp; +unsafe extern "C" fn panic_handler(info: &mut ExceptionInfo) -> ContinueType { + let vector = info.exception_vector() as u32 as u64; + let cpu_context = info.cpu_context(); + + let mut rsp = cpu_context.rsp; if rsp & 0xF == 0 { rsp -= SE_WORDSIZE as u64; - exception_info.cpu_context.rsp = rsp; + cpu_context.rsp = rsp; let addr = rsp as *mut u64; - *addr = exception_info.cpu_context.rip; + *addr = cpu_context.rip; } else { } - exception_info.cpu_context.rdi = exception_info.exception_vector as u32 as u64; - exception_info.cpu_context.rsi = exception_info.cpu_context.rip; - exception_info.cpu_context.rip = exception_panic as usize as u64; + cpu_context.rdi = vector; + cpu_context.rsi = cpu_context.rip; + cpu_context.rip = exception_panic as usize as u64; ContinueType::Execution } @@ -188,7 +232,7 @@ impl Drop for ExceptionManager { fn register_exception_impl(first: bool, handler: F) -> Option where - F: Fn(&mut sgx_exception_info_t) -> ContinueType + Sync + Send + 'static, + F: Fn(&mut ExceptionInfo) -> ContinueType + Sync + Send + 'static, { let globals = GlobalData::ensure(); 
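Review bot: In `native_exception_handler` the new first line still does `info.as_mut().unwrap()`, so a null `info` panics inside an `extern "C"` callback entered from the runtime's exception dispatcher instead of declining the exception. I would handle the null case explicitly: `let raw = match unsafe { info.as_mut() } { Some(r) => r, None => return EXCEPTION_CONTINUE_SEARCH };` and then wrap `raw`. `panic_handler` keeps `unsafe extern "C"` although it now takes `&mut ExceptionInfo`, a Rust-only wrapper without `#[repr(transparent)]`, and is called only from Rust in this hunk; a plain `unsafe fn` would describe it better. The `*addr = cpu_context.rip` store writes through an address taken from the saved `rsp`, so it deserves a `// SAFETY:` comment naming why that stack slot is known to be writable enclave memory.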
@@ -222,7 +266,7 @@ where /// pub fn register_exception(is_first: bool, handler: F) -> Option where - F: Fn(&mut sgx_exception_info_t) -> ContinueType + Sync + Send + 'static, + F: Fn(&mut ExceptionInfo) -> ContinueType + Sync + Send + 'static, { register_exception_impl(is_first, handler) } @@ -243,7 +287,7 @@ where /// pub fn register(handler: F) -> Option where - F: Fn(&mut sgx_exception_info_t) -> ContinueType + Sync + Send + 'static, + F: Fn(&mut ExceptionInfo) -> ContinueType + Sync + Send + 'static, { register_exception_impl(true, handler) } diff --git a/sgx_signal/src/manager.rs b/sgx_signal/src/manager.rs index bbf67991c..449c5d9e2 100644 --- a/sgx_signal/src/manager.rs +++ b/sgx_signal/src/manager.rs @@ -25,7 +25,7 @@ use std::mem; use std::num::NonZeroU64; use std::sync::Arc; #[allow(deprecated)] -use std::sync::{SgxMutex, PoisonError}; +use std::sync::{PoisonError, SgxMutex}; use std::u64; thread_local! { static SIGNAL_MASK: Cell = Cell::new(SigSet::new()) } @@ -162,8 +162,6 @@ impl ActionId { drop(counter); ActionId(NonZeroU64::new(id).unwrap()) } - - } pub type Action = dyn Fn(&siginfo_t) + Send + Sync; diff --git a/sgx_trts/src/aex.rs b/sgx_trts/src/aex.rs new file mode 100644 index 000000000..5b0a1ff55 --- /dev/null +++ b/sgx_trts/src/aex.rs 
@@ -0,0 +1,101 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License.. + +use alloc::boxed::Box; +use core::mem::{self, ManuallyDrop}; +use core::ptr; +use sgx_types::*; + +pub type aex_handle = *const sgx_aex_mitigation_node_t; + +/// +/// rsgx_set_ssa_aexnotify allows developers to enable the AEX-Notify feature +/// upon a piece of enclave code. +/// +/// # Description +/// +/// You can enable or disable AEX-Notify in the enclave code using this function. +/// To enable AEX-Notify for critical code that you want to mitigate for single-step +/// attacks, call this function. The following execution will be executed with +/// AEX-Notify enabled until you call this function to disable it. +/// +pub fn rsgx_set_ssa_aexnotify(is_enable: bool) -> SgxError { + let mut flags = 0_i32; + if is_enable { + flags = 1; + } + let ret = unsafe { sgx_set_ssa_aexnotify(flags) }; + + match ret { + sgx_status_t::SGX_SUCCESS => Ok(()), + _ => Err(ret), + } +} + +/// +/// rsgx_register_aex_handler allows developers to register an AEX- Notify handler. +/// +/// # Description +/// +/// The Rust SDK allows you to register custom AEX-Notify functions. 
You can write your +/// own code to provide an AEX-Notify handler that detects single-step attacks. For instance, +/// you can provide a handler that counts the Async Exit. If the count is abnormal which +/// means single-step attacks occur, you can take proper actions. +/// +pub fn rsgx_register_aex_handler( + handler: sgx_aex_mitigation_fn_t, + args: usize, +) -> SgxResult { + let mut node: Box = Box::new(sgx_aex_mitigation_node_t { + handler, + args: args as *const c_void, + next: ptr::null_mut(), + }); + let node_ptr = &mut *node as *mut sgx_aex_mitigation_node_t; + let ret = unsafe { sgx_register_aex_handler(node_ptr, handler, args as *const _) }; + + match ret { + sgx_status_t::SGX_SUCCESS => { + mem::forget(node); + Ok(node_ptr) + } + _ => Err(ret), + } +} + +/// +/// rsgx_unregister_aex_handler is used to unregister an AEX-Notify handler. +/// +/// # Description +/// +/// The Rust SDK allows you to register custom AEX-Notify functions. You can write your own code to +/// provide an AEX-Notify handler that detects single-step attacks. +/// +pub fn rsgx_unregister_aex_handler(handle: aex_handle) -> SgxError { + unsafe { + let node: ManuallyDrop> = + ManuallyDrop::new(Box::from_raw(handle as *mut sgx_aex_mitigation_node_t)); + let ret = sgx_unregister_aex_handler(node.handler); + match ret { + sgx_status_t::SGX_SUCCESS => { + let _ = ManuallyDrop::into_inner(node); + Ok(()) + } + _ => Err(ret), + } + } +} diff --git a/sgx_trts/src/enclave.rs b/sgx_trts/src/enclave.rs index 4db1b0e32..a0c6c0c0b 100644 --- a/sgx_trts/src/enclave.rs +++ b/sgx_trts/src/enclave.rs @@ -61,6 +61,7 @@ pub struct global_data_t { pub enclave_image_address: u64, pub elrange_start_address: u64, pub elrange_size: u64, + pub edmm_bk_overhead: usize, } #[repr(C)] 
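Review bot: `rsgx_unregister_aex_handler` in the new sgx_trts/src/aex.rs is a safe `pub fn` that calls `Box::from_raw` on a caller-supplied `aex_handle`. Because `aex_handle` is a copyable `*const` alias, a null, stale or already-unregistered handle frees or re-frees the node from safe code. Either declare it `pub unsafe fn rsgx_unregister_aex_handler(handle: aex_handle) -> SgxError` with a `# Safety` section requiring a handle returned by `rsgx_register_aex_handler` and not yet unregistered, or return an opaque non-`Copy` handle type that unregistering consumes. The node is also freed after `sgx_unregister_aex_handler(node.handler)` succeeds, which identifies the registration by handler function rather than by node. If the same function is registered twice, the freed node may not be the one the SDK unlinked, so confirm the SDK's behaviour and document or reject duplicate registrations. The doc comment on the unregister function repeats the register text, and "AEX- Notify" has a stray space.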
@@ -74,12 +75,17 @@ pub struct thread_data_t { pub flags: usize, pub xsave_size: usize, pub last_error: usize, + pub aex_mitigation_list: usize, + pub aex_notify_flag: usize, + pub first_ssa_xsave: usize, pub m_next: usize, pub tls_addr: usize, pub tls_array: usize, pub exception_flag: usize, pub cxx_thread_info: [usize; 6], pub stack_commit_addr: usize, + pub aex_notify_entropy_cache: u32, + pub aex_notify_entropy_remaining: i32, } #[derive(Copy, Clone)] @@ -286,6 +292,7 @@ pub struct SgxThreadData { stack_guard: usize, xsave_size: usize, last_error: usize, + first_ssa_xsave: usize, tls_addr: usize, tls_array: usize, exception_flag: usize, @@ -315,6 +322,7 @@ impl SgxThreadData { stack_guard: td.stack_guard, xsave_size: td.xsave_size, last_error: td.last_error, + first_ssa_xsave: td.first_ssa_xsave, tls_addr: td.tls_addr, tls_array: td.tls_array, exception_flag: td.exception_flag, @@ -334,6 +342,7 @@ impl SgxThreadData { stack_guard: td.stack_guard, xsave_size: td.xsave_size, last_error: td.last_error, + first_ssa_xsave: td.first_ssa_xsave, tls_addr: td.tls_addr, tls_array: td.tls_array, exception_flag: td.exception_flag, diff --git a/sgx_trts/src/lib.rs b/sgx_trts/src/lib.rs index 491fa3d0a..0d9df2388 100644 --- a/sgx_trts/src/lib.rs +++ b/sgx_trts/src/lib.rs @@ -86,6 +86,7 @@ extern crate alloc; #[macro_use] mod macros; +pub mod aex; pub mod ascii; pub mod c_str; pub mod cpu_feature; diff --git a/sgx_tseal/src/internal.rs b/sgx_tseal/src/internal.rs index cdf17a65d..4413a0110 100644 --- a/sgx_tseal/src/internal.rs +++ b/sgx_tseal/src/internal.rs @@ -264,7 +264,6 @@ impl SgxInternalSealedData { } pub fn seal_data(additional_text: &[u8], encrypt_text: &[u8]) -> SgxResult { - //let attribute_mask = sgx_attributes_t{flags: SGX_FLAGS_RESERVED | SGX_FLAGS_INITTED | SGX_FLAGS_DEBUG, xfrm: 0}; /* intel sgx sdk 1.8 */ let attribute_mask = sgx_attributes_t { flags: TSEAL_DEFAULT_FLAGSMASK, 
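Review bot: The three fields inserted between `last_error` and `m_next` in `thread_data_t` shift the offset of every later field, and nothing in the hunk records which SDK header this `#[repr(C)]` layout mirrors or checks that it still matches. The same applies to `edmm_bk_overhead` appended to `global_data_t` in the previous enclave.rs hunk. If these structs are read through pointers handed over by the prebuilt runtime, as their names suggest, a mismatch would silently read the wrong words inside the enclave. I would add a comment above each struct such as `// Layout must match thread_data_t in Intel SGX SDK 2.20; update both together`, plus a compile-time size assertion against the value taken from the SDK header. Both struct definitions start outside the hunks shown.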
diff --git a/sgx_types/src/error.rs b/sgx_types/src/error.rs index 812b50cf8..c644331d6 100644 --- a/sgx_types/src/error.rs +++ b/sgx_types/src/error.rs @@ -483,6 +483,7 @@ impl_enum! { SGX_QL_SUPPLEMENTAL_DATA_VERSION_NOT_SUPPORTED = 0x0000_E064, SGX_QL_ROOT_CA_UNTRUSTED = 0x0000_E065, SGX_QL_TCB_NOT_SUPPORTED = 0x0000_E066, + SGX_QL_CONFIG_INVALID_JSON = 0x0000_E067, SGX_QL_ERROR_MAX = 0x0000_E0FF, } } @@ -518,7 +519,7 @@ impl sgx_quote3_error_t { sgx_quote3_error_t::SGX_QL_UNSUPPORTED_LOADING_POLICY => { "Unsupported enclave loading policy." } - sgx_quote3_error_t::SGX_QL_INTERFACE_UNAVAILABLE => "Unable to load the QE enclave.", + sgx_quote3_error_t::SGX_QL_INTERFACE_UNAVAILABLE => "Unable to load the PCE enclave.", sgx_quote3_error_t::SGX_QL_PLATFORM_LIB_UNAVAILABLE => { "Unable to find the platform library with the dependent APIs." } @@ -645,6 +646,9 @@ impl sgx_quote3_error_t { sgx_quote3_error_t::SGX_QL_TCB_NOT_SUPPORTED => { "Current TCB level cannot be found in platform/enclave TCB info" } + sgx_quote3_error_t::SGX_QL_CONFIG_INVALID_JSON => { + "The QPL's config file is in JSON format but has a format error" + } sgx_quote3_error_t::SGX_QL_ERROR_MAX => { "Indicate max error to allow better translation." } @@ -798,6 +802,7 @@ impl sgx_quote3_error_t { } sgx_quote3_error_t::SGX_QL_ROOT_CA_UNTRUSTED => "SGX_QL_ROOT_CA_UNTRUSTED", sgx_quote3_error_t::SGX_QL_TCB_NOT_SUPPORTED => "SGX_QL_TCB_NOT_SUPPORTED", + sgx_quote3_error_t::SGX_QL_CONFIG_INVALID_JSON => "SGX_QL_CONFIG_INVALID_JSON", sgx_quote3_error_t::SGX_QL_ERROR_MAX => "SGX_QL_ERROR_MAX", } } @@ -837,6 +842,8 @@ impl_enum! { SGX_QCNL_CACHE_MISSING = 0x0000_B031, SGX_QCNL_CACHE_EXPIRED = 0x0000_B032, SGX_QCNL_ROOT_CA_UNTRUSTED = 0x0000_B033, + SGX_QCNL_CONFIG_INVALID_JSON = 0x0000_B035, + SGX_QCNL_CONFIG_NOT_JSON = 0x0000_B036, } } 
@@ -887,6 +894,10 @@ impl sgx_qcnl_error_t { sgx_qcnl_error_t::SGX_QCNL_ROOT_CA_UNTRUSTED => { "The certificate used to establish SSL session is untrusted" } + sgx_qcnl_error_t::SGX_QCNL_CONFIG_INVALID_JSON => { + "The config file is in JSON format but has a format error" + } + sgx_qcnl_error_t::SGX_QCNL_CONFIG_NOT_JSON => "The config file is not in JSON format", } } @@ -930,6 +941,8 @@ impl sgx_qcnl_error_t { sgx_qcnl_error_t::SGX_QCNL_CACHE_MISSING => "SGX_QCNL_CACHE_MISSING", sgx_qcnl_error_t::SGX_QCNL_CACHE_EXPIRED => "SGX_QCNL_CACHE_EXPIRED", sgx_qcnl_error_t::SGX_QCNL_ROOT_CA_UNTRUSTED => "SGX_QCNL_ROOT_CA_UNTRUSTED", + sgx_qcnl_error_t::SGX_QCNL_CONFIG_INVALID_JSON => "SGX_QCNL_CONFIG_INVALID_JSON", + sgx_qcnl_error_t::SGX_QCNL_CONFIG_NOT_JSON => "SGX_QCNL_CONFIG_NOT_JSON", } } } diff --git a/sgx_types/src/function.rs b/sgx_types/src/function.rs index db6c77c2a..3cf6a9b0f 100644 --- a/sgx_types/src/function.rs +++ b/sgx_types/src/function.rs @@ -688,6 +688,15 @@ extern "C" { page_properties_from: int32_t, page_properties_to: int32_t, ) -> int32_t; + + /* intel sgx sdk 2.20 */ + pub fn sgx_set_ssa_aexnotify(flags: int32_t) -> sgx_status_t; + pub fn sgx_register_aex_handler( + aex_node: *mut sgx_aex_mitigation_node_t, + handler: sgx_aex_mitigation_fn_t, + args: *const c_void, + ) -> sgx_status_t; + pub fn sgx_unregister_aex_handler(handler: sgx_aex_mitigation_fn_t) -> sgx_status_t; } /* intel sgx sdk 2.18 */ 
@@ -1089,10 +1098,19 @@ extern "C" { fmspc: *const uint8_t, fmspc_size: uint16_t, pck_ra: *const c_char, - pp_quote_collateral: *mut *mut tdx_ql_qve_collateral_t, + pp_quote_collateral: *mut *mut tdx_ql_qv_collateral_t, + ) -> sgx_quote3_error_t; + /* intel DCAP 1.17 */ + pub fn tdx_ql_get_quote_verification_collateral_with_params( + fmspc: *const uint8_t, + fmspc_size: uint16_t, + pck_ra: *const c_char, + custom_param: *const c_void, + custom_param_length: uint16_t, + pp_quote_collateral: *mut *mut tdx_ql_qv_collateral_t, ) -> sgx_quote3_error_t; pub fn tdx_ql_free_quote_verification_collateral( - p_quote_collateral: *const sgx_ql_qve_collateral_t, + p_quote_collateral: *const tdx_ql_qv_collateral_t, ) -> sgx_quote3_error_t; pub fn sgx_ql_get_qve_identity( pp_qve_identity: *mut *mut c_char, @@ -1104,18 +1122,21 @@ extern "C" { p_qve_identity: *const c_char, p_qve_identity_issuer_chain: *const c_char, ) -> sgx_quote3_error_t; - - /* intel DCAP 1.4 */ + /* intel DCAP 1.14 */ pub fn sgx_ql_get_root_ca_crl( pp_root_ca_crl: *mut *mut uint8_t, p_root_ca_crl_size: *mut uint16_t, ) -> sgx_quote3_error_t; pub fn sgx_ql_free_root_ca_crl(p_root_ca_crl: *const uint8_t) -> sgx_quote3_error_t; - /* intel DCAP 2.14 */ + /* intel DCAP 1.14 */ pub fn sgx_ql_set_logging_callback( logger: sgx_ql_logging_callback_t, loglevel: sgx_ql_log_level_t, ) -> sgx_quote3_error_t; + /* intel DCAP 1.17 */ + pub fn sgx_qpl_clear_cache(cache_type: sgx_qpl_cache_type_t) -> sgx_quote3_error_t; + pub fn sgx_qpl_global_init() -> sgx_quote3_error_t; + pub fn sgx_qpl_global_cleanup() -> sgx_quote3_error_t; } //#[link(name = "sgx_default_qcnl_wrapper")] 
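Review bot: `sgx_qpl_clear_cache(cache_type: sgx_qpl_cache_type_t)` takes the new Rust enum by value, but the variants in types.rs are 1, 2 and 4, which looks like a bit mask, and the sibling `sgx_qcnl_clear_cache` is declared with a plain `uint32_t`. If the C API accepts OR-ed values, callers of this binding cannot express a combination without transmuting into an invalid enum value. Declaring the parameter as `uint32_t` and exposing the three values as constants would avoid that; otherwise a comment on the declaration should state that only a single cache type is supported per call. The comment corrections from "DCAP 1.4" and "DCAP 2.14" to "1.14" in the same hunk look right.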
@@ -1194,6 +1215,11 @@ extern "C" { // user_token: *const uint8_t, // user_token_size: uint16_t, // ) -> sgx_qcnl_error_t; + + /* intel DCAP 1.17 */ + pub fn sgx_qcnl_clear_cache(cache_type: uint32_t) -> sgx_qcnl_error_t; + pub fn sgx_qcnl_global_init() -> sgx_qcnl_error_t; + pub fn sgx_qcnl_global_cleanup() -> sgx_qcnl_error_t; } //#[link(name = "dcap_quoteverify")] @@ -1246,7 +1272,7 @@ extern "C" { pub fn tdx_qv_verify_quote( p_quote: *const uint8_t, quote_size: uint32_t, - p_quote_collateral: *const tdx_ql_qve_collateral_t, + p_quote_collateral: *const tdx_ql_qv_collateral_t, expiration_check_date: time_t, p_collateral_expiration_status: *mut uint32_t, p_quote_verification_result: *mut sgx_ql_qv_result_t, diff --git a/sgx_types/src/marker.rs b/sgx_types/src/marker.rs index 118b09c73..b736b4673 100644 --- a/sgx_types/src/marker.rs +++ b/sgx_types/src/marker.rs @@ -73,6 +73,7 @@ impl_marker_for_array! {BytewiseEquality, /// a contiguous area of memory inside the enclave. Developer needs to /// implement this trait as a marker for the data structure he/she wants /// to feed into SGX apis. +#[allow(clippy::missing_safety_doc)] pub unsafe trait ContiguousMemory {} impl_unsafe_marker_for!(ContiguousMemory, diff --git a/sgx_types/src/types.rs b/sgx_types/src/types.rs index decd4a059..b432fb41b 100644 --- a/sgx_types/src/types.rs +++ b/sgx_types/src/types.rs 
@@ -32,6 +32,7 @@ pub const SGX_FLAGS_MODE64BIT: uint64_t = 0x0000_0000_0000_0004; //If set, then pub const SGX_FLAGS_PROVISION_KEY: uint64_t = 0x0000_0000_0000_0010; //If set, then the enclave has access to provision key pub const SGX_FLAGS_EINITTOKEN_KEY: uint64_t = 0x0000_0000_0000_0020; //If set, then the enclave has access to EINITTOKEN key pub const SGX_FLAGS_KSS: uint64_t = 0x0000_0000_0000_0080; //If set enclave uses KSS +pub const SGX_FLAGS_AEX_NOTIFY: uint64_t = 0x0000_0000_0000_0400; //If set, then the enclave enables AEX Notify pub const SGX_FLAGS_RESERVED: uint64_t = !(SGX_FLAGS_INITTED | SGX_FLAGS_DEBUG | SGX_FLAGS_MODE64BIT 
@@ -1057,17 +1058,56 @@ impl_struct! { } } -impl_struct! { - pub struct sgx_exception_info_t { - pub cpu_context: sgx_cpu_context_t, - pub exception_vector: sgx_exception_vector_t, - pub exception_type: sgx_exception_type_t, - pub exinfo: sgx_misc_exinfo_t, +cfg_if! { + if #[cfg(target_arch = "x86")] { + #[repr(C, align(64))] + pub struct sgx_exception_info_t { + pub cpu_context: sgx_cpu_context_t, + pub exception_vector: sgx_exception_vector_t, + pub exception_type: sgx_exception_type_t, + pub exinfo: sgx_misc_exinfo_t, + pub exception_valid: uint32_t, + pub do_aex_mitigation: uint32_t, + pub xsave_size: uint64_t, + pub reserved: [uint64_t; 6], + pub xsave_area: [uint8_t; 0], + } + } else { + #[repr(C, align(64))] + pub struct sgx_exception_info_t { + pub cpu_context: sgx_cpu_context_t, + pub exception_vector: sgx_exception_vector_t, + pub exception_type: sgx_exception_type_t, + pub exinfo: sgx_misc_exinfo_t, + pub exception_valid: uint32_t, + pub do_aex_mitigation: uint32_t, + pub xsave_size: uint64_t, + pub reserved: [uint64_t; 1], + pub xsave_area: [uint8_t; 0], + } } } +impl_struct_ContiguousMemory! { + sgx_exception_info_t; +} + pub type sgx_exception_handler_t = extern "C" fn(info: *mut sgx_exception_info_t) -> int32_t; +/* intel sgx sdk 2.20 */ +// +// sgx_trts_aex.h +// +#[repr(C)] +pub struct sgx_aex_mitigation_node_t { + pub handler: sgx_aex_mitigation_fn_t, + pub args: *const c_void, + pub next: *mut sgx_aex_mitigation_node_t, +} + +pub type sgx_aex_mitigation_fn_t = + extern "C" fn(info: *mut sgx_exception_info_t, args: *const c_void) -> c_void; + // // sgx_tseal.h // @@ -1398,7 +1438,10 @@ pub struct sgx_ql_qve_collateral_t { pub qe_identity_size: uint32_t, } +/* intel DCAP 1.17 */ +// Deprecate structure name tdx_ql_qve_collateral_t pub type tdx_ql_qve_collateral_t = sgx_ql_qve_collateral_t; +pub type tdx_ql_qv_collateral_t = sgx_ql_qve_collateral_t; impl_enum! { #[repr(u8)] 
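Review bot: `sgx_aex_mitigation_fn_t` is declared as returning `c_void`, which is a placeholder type meant only to sit behind a pointer; a C callback returning `void` should have no return type in Rust. As written, every handler has to produce a `c_void` value that cannot be constructed safely. I would declare it as `pub type sgx_aex_mitigation_fn_t = extern "C" fn(info: *mut sgx_exception_info_t, args: *const c_void);`. Separately, `sgx_exception_info_t` now ends in `xsave_area: [uint8_t; 0]` and is still marked with `impl_struct_ContiguousMemory!`, so any check keyed on `size_of::<sgx_exception_info_t>()` would cover only the header and not the XSAVE bytes that follow. A comment on the struct saying so would help callers.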
@@ -1409,6 +1452,17 @@ impl_enum! { } } +/* intel DCAP 1.17 */ +impl_enum! { + #[repr(u32)] + #[derive(Copy, Clone, PartialEq, Eq, Debug)] + pub enum sgx_qpl_cache_type_t { + SGX_QPL_CACHE_CERTIFICATE = 1, + SGX_QPL_CACHE_QV_COLLATERAL = 2, + SGX_QPL_CACHE_MULTICERTS = 4, + } +} + /* intel DCAP 1.11 */ impl_enum! { #[repr(u32)]