diff --git a/CI-Examples/bash/manifest.template b/CI-Examples/bash/manifest.template index 88547f0bee..5075015047 100644 --- a/CI-Examples/bash/manifest.template +++ b/CI-Examples/bash/manifest.template @@ -20,7 +20,6 @@ fs.mounts = [ sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} -sgx.nonpie_binary = true sgx.enclave_size = "512M" sgx.max_threads = 4 diff --git a/CI-Examples/blender/blender.manifest.template b/CI-Examples/blender/blender.manifest.template index 429359f159..14c8bb0575 100644 --- a/CI-Examples/blender/blender.manifest.template +++ b/CI-Examples/blender/blender.manifest.template @@ -22,7 +22,6 @@ fs.mounts = [ sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} -sgx.nonpie_binary = true sys.stack.size = "8M" sgx.enclave_size = "2048M" sgx.max_threads = 64 diff --git a/CI-Examples/helloworld/helloworld.manifest.template b/CI-Examples/helloworld/helloworld.manifest.template index 694c574e50..e15f0d2b9d 100644 --- a/CI-Examples/helloworld/helloworld.manifest.template +++ b/CI-Examples/helloworld/helloworld.manifest.template @@ -13,7 +13,6 @@ fs.mounts = [ sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} -sgx.nonpie_binary = true sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/CI-Examples/lighttpd/lighttpd.manifest.template b/CI-Examples/lighttpd/lighttpd.manifest.template index c276136ac6..66547bfc94 100644 --- a/CI-Examples/lighttpd/lighttpd.manifest.template +++ b/CI-Examples/lighttpd/lighttpd.manifest.template @@ -21,7 +21,6 @@ fs.mounts = [ sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} -sgx.nonpie_binary = true sgx.enclave_size = "256M" sgx.max_threads = 3 diff --git a/CI-Examples/memcached/memcached.manifest.template b/CI-Examples/memcached/memcached.manifest.template index e0436f4a4b..0e061c250a 100644 --- a/CI-Examples/memcached/memcached.manifest.template 
+++ b/CI-Examples/memcached/memcached.manifest.template @@ -25,7 +25,6 @@ fs.mounts = [ sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} -sgx.nonpie_binary = true sgx.max_threads = 16 # Memcached does not fail explicitly when enclave memory is exhausted. Instead, Memcached goes into diff --git a/CI-Examples/nginx/nginx.manifest.template b/CI-Examples/nginx/nginx.manifest.template index 3f8e190918..726189acd9 100644 --- a/CI-Examples/nginx/nginx.manifest.template +++ b/CI-Examples/nginx/nginx.manifest.template @@ -27,7 +27,6 @@ fs.mounts = [ sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} -sgx.nonpie_binary = true sgx.enclave_size = "512M" sgx.max_threads = 4 diff --git a/CI-Examples/python/python.manifest.template b/CI-Examples/python/python.manifest.template index da1a904e32..b26898b17c 100644 --- a/CI-Examples/python/python.manifest.template +++ b/CI-Examples/python/python.manifest.template @@ -34,7 +34,6 @@ sys.enable_extra_runtime_domain_names_conf = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} -sgx.nonpie_binary = true sgx.enclave_size = "1G" sgx.max_threads = 32 diff --git a/CI-Examples/redis/redis-server.manifest.template b/CI-Examples/redis/redis-server.manifest.template index b05bfc3792..58c9dddcfe 100644 --- a/CI-Examples/redis/redis-server.manifest.template +++ b/CI-Examples/redis/redis-server.manifest.template 
@@ -87,15 +87,6 @@ sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} # specifying '8' allows to run a maximum of 6 Redis threads which is enough. sgx.max_threads = 8 -# Redis executable is typically a PIE (Position Independent Executable) on most -# modern OS distros (e.g., Ubuntu 18.04). However, on some OS distros (notably, -# CentOS), Redis executable is built as non-PIE. We mark Redis as a non-PIE -# binary unconditionally -- this makes it work on CentOS and doesn't hurt on -# Ubuntu. (Note that non-SGX Gramine correctly distinguishes between PIE and -# non-PIE binaries, but for SGX we need to prearrange enclave memory layout, -# hence the below option.) -sgx.nonpie_binary = true - ############################# SGX: TRUSTED FILES ############################### # Specify all files used by Redis and its dependencies (including all libraries diff --git a/CI-Examples/rust/rust-hyper-http-server.manifest.template b/CI-Examples/rust/rust-hyper-http-server.manifest.template index d7fb3a2eb6..d396061093 100644 --- a/CI-Examples/rust/rust-hyper-http-server.manifest.template +++ b/CI-Examples/rust/rust-hyper-http-server.manifest.template @@ -19,7 +19,6 @@ fs.mounts = [ sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} -sgx.nonpie_binary = true sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/Documentation/devel/onboarding.rst b/Documentation/devel/onboarding.rst index 9938100ca0..1f65810d86 100644 --- a/Documentation/devel/onboarding.rst +++ b/Documentation/devel/onboarding.rst 
@@ -261,13 +261,11 @@ fine on native Linux but fails under Gramine:: Try to identify the system call in Gramine that goes wrong (e.g., returns an error code whereas it was supposed to finish successfully). - - Analyze the manifest file carefully. If at least one of the binaries - spawned during app execution is non-PIE, then set ``sgx.nonpie_binary = - true``. If you suspect problems with environment variables, see if it works - with ``loader.insecure__use_host_env = true``. If you observe that memory - addresses change constantly and hinder your debugging, set - ``loader.insecure__disable_aslr = true``. But don't use the last two - options in production; use them only for debugging and analysis! + - Analyze the manifest file carefully. If you suspect problems with + environment variables, see if it works with ``loader.insecure__use_host_env + = true``. If you observe that memory addresses change constantly and hinder + your debugging, set ``loader.insecure__disable_aslr = true``. But don't use + these two options in production; use them only for debugging and analysis! - Analyze FS mount points (``fs.mounts``) in the manifest file carefully. Check for duplicate mount points -- remember that a duplicate mount point's diff --git a/Documentation/manifest-syntax.rst b/Documentation/manifest-syntax.rst index f14ae3ab9f..b768e0ffa7 100644 --- a/Documentation/manifest-syntax.rst +++ b/Documentation/manifest-syntax.rst @@ -529,17 +529,6 @@ your system, such ``bash -c ls`` SGX workload will fail. Note this does not apply to the enclaves with :term:`EDMM` enabled, where memory is not reserved upfront and is allocated on demand. -Non-PIE binaries -^^^^^^^^^^^^^^^^ - -:: - - sgx.nonpie_binary = [true|false] - (Default: false) - -This setting tells Gramine whether to use a specially crafted memory layout, -which is required to support non-relocatable binaries (non-PIE). - Number of threads ^^^^^^^^^^^^^^^^^ 
diff --git a/libos/src/libos_rtld.c b/libos/src/libos_rtld.c index 52c4d1952b..1787c1ba22 100644 --- a/libos/src/libos_rtld.c +++ b/libos/src/libos_rtld.c @@ -849,10 +849,7 @@ int load_elf_object(struct libos_handle* file, struct link_map** out_map) { struct link_map* map = map_elf_object(file, &ehdr); if (!map) { - log_error("Failed to map %s. This may be caused by the binary being non-PIE, in which " - "case Gramine requires a specially-crafted memory layout. You can enable it " - "by adding 'sgx.nonpie_binary = true' to the manifest.", - fname); + log_error("Failed to map %s.", fname); return -EINVAL; } diff --git a/libos/test/abi/x86_64/manifest.template b/libos/test/abi/x86_64/manifest.template index 3ecbe34467..d19e5eaa6d 100644 --- a/libos/test/abi/x86_64/manifest.template +++ b/libos/test/abi/x86_64/manifest.template @@ -6,7 +6,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.max_threads = 4 diff --git a/libos/test/abi/x86_64/stack_arg.manifest.template b/libos/test/abi/x86_64/stack_arg.manifest.template index c7c6edde1f..f350067c42 100644 --- a/libos/test/abi/x86_64/stack_arg.manifest.template +++ b/libos/test/abi/x86_64/stack_arg.manifest.template @@ -11,7 +11,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.max_threads = 4 diff --git a/libos/test/abi/x86_64/stack_env.manifest.template b/libos/test/abi/x86_64/stack_env.manifest.template index 368fd19fd3..900ec5b5e8 100644 --- a/libos/test/abi/x86_64/stack_env.manifest.template +++ b/libos/test/abi/x86_64/stack_env.manifest.template 
@@ -11,7 +11,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.max_threads = 4 diff --git a/libos/test/fs/manifest.template b/libos/test/fs/manifest.template index ec30856bfe..ba9e343658 100644 --- a/libos/test/fs/manifest.template +++ b/libos/test/fs/manifest.template @@ -20,7 +20,6 @@ fs.mounts = [ fs.insecure__keys.default = "ffeeddccbbaa99887766554433221100" -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.max_threads = 16 diff --git a/libos/test/ltp/manifest.template b/libos/test/ltp/manifest.template index 20bbe4d5ec..0da313ca50 100644 --- a/libos/test/ltp/manifest.template +++ b/libos/test/ltp/manifest.template @@ -19,7 +19,6 @@ fs.mounts = [ sys.brk.max_size = "32M" sys.stack.size = "4M" -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/argv_from_file.manifest.template b/libos/test/regression/argv_from_file.manifest.template index 7f95168633..94717bfaf9 100644 --- a/libos/test/regression/argv_from_file.manifest.template +++ b/libos/test/regression/argv_from_file.manifest.template @@ -11,7 +11,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/argv_from_manifest.manifest.template b/libos/test/regression/argv_from_manifest.manifest.template index ee0f893ff0..802e675626 100644 --- a/libos/test/regression/argv_from_manifest.manifest.template +++ b/libos/test/regression/argv_from_manifest.manifest.template 
@@ -18,7 +18,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/attestation.manifest.template b/libos/test/regression/attestation.manifest.template index 56f7df223a..f28802309c 100644 --- a/libos/test/regression/attestation.manifest.template +++ b/libos/test/regression/attestation.manifest.template @@ -11,7 +11,6 @@ fs.mounts = [ fs.insecure__keys.default = "ffeeddccbbaa99887766554433221100" -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/attestation_deprecated_syntax.manifest.template b/libos/test/regression/attestation_deprecated_syntax.manifest.template index 81bc2e06bb..8dcdd7b14b 100644 --- a/libos/test/regression/attestation_deprecated_syntax.manifest.template +++ b/libos/test/regression/attestation_deprecated_syntax.manifest.template @@ -13,7 +13,6 @@ fs.mounts = [ sgx.insecure__protected_files_key = "ffeeddccbbaa99887766554433221100" -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/bootstrap_cpp.manifest.template b/libos/test/regression/bootstrap_cpp.manifest.template index ed91b7063e..95ae1d9a3b 100644 --- a/libos/test/regression/bootstrap_cpp.manifest.template +++ b/libos/test/regression/bootstrap_cpp.manifest.template @@ -14,7 +14,6 @@ fs.mounts = [ ] sgx.max_threads = 8 -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/debug_log_file.manifest.template b/libos/test/regression/debug_log_file.manifest.template index 66b70b6b49..c30f7e580b 100644 --- a/libos/test/regression/debug_log_file.manifest.template 
+++ b/libos/test/regression/debug_log_file.manifest.template @@ -13,7 +13,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/debug_log_inline.manifest.template b/libos/test/regression/debug_log_inline.manifest.template index fc6426681e..2754dad310 100644 --- a/libos/test/regression/debug_log_inline.manifest.template +++ b/libos/test/regression/debug_log_inline.manifest.template @@ -12,7 +12,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/device_passthrough.manifest.template b/libos/test/regression/device_passthrough.manifest.template index 0ba57ead61..5594acc229 100644 --- a/libos/test/regression/device_passthrough.manifest.template +++ b/libos/test/regression/device_passthrough.manifest.template @@ -9,7 +9,6 @@ fs.mounts = [ { path = "/dev/host-zero", uri = "dev:/dev/zero" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/env_from_file.manifest.template b/libos/test/regression/env_from_file.manifest.template index 01d39ddef0..6e57b078ce 100644 --- a/libos/test/regression/env_from_file.manifest.template +++ b/libos/test/regression/env_from_file.manifest.template @@ -11,7 +11,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/env_from_host.manifest.template b/libos/test/regression/env_from_host.manifest.template index 7dd428f1be..f432887b3e 100644 
--- a/libos/test/regression/env_from_host.manifest.template +++ b/libos/test/regression/env_from_host.manifest.template @@ -11,7 +11,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/env_passthrough.manifest.template b/libos/test/regression/env_passthrough.manifest.template index 45c3e28a72..d0169497b8 100644 --- a/libos/test/regression/env_passthrough.manifest.template +++ b/libos/test/regression/env_passthrough.manifest.template @@ -16,7 +16,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template b/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template index ade4202dc2..0511ee365a 100644 --- a/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template +++ b/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template @@ -13,7 +13,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/file_check_policy_strict.manifest.template b/libos/test/regression/file_check_policy_strict.manifest.template index 93177d9fb1..68e1b0cc42 100644 --- a/libos/test/regression/file_check_policy_strict.manifest.template +++ b/libos/test/regression/file_check_policy_strict.manifest.template 
@@ -13,7 +13,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/host_root_fs.manifest.template b/libos/test/regression/host_root_fs.manifest.template index a372baabc8..19eaf42ae3 100644 --- a/libos/test/regression/host_root_fs.manifest.template +++ b/libos/test/regression/host_root_fs.manifest.template @@ -11,7 +11,6 @@ fs.mounts = [ { type = "tmpfs", path = "/etc" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/hostname_extra_runtime_conf.manifest.template b/libos/test/regression/hostname_extra_runtime_conf.manifest.template index 0a99f03a91..5a4384d421 100644 --- a/libos/test/regression/hostname_extra_runtime_conf.manifest.template +++ b/libos/test/regression/hostname_extra_runtime_conf.manifest.template @@ -12,7 +12,6 @@ fs.mounts = [ sys.enable_extra_runtime_domain_names_conf = true sgx.debug = true -sgx.nonpie_binary = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.trusted_files = [ diff --git a/libos/test/regression/init_fail.manifest.template b/libos/test/regression/init_fail.manifest.template index 13837d5aff..0b7ac58e4a 100644 --- a/libos/test/regression/init_fail.manifest.template +++ b/libos/test/regression/init_fail.manifest.template @@ -10,7 +10,6 @@ fs.mounts = [ { path = "/test", uri = "file:I_DONT_EXIST" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/init_fail2.manifest.template b/libos/test/regression/init_fail2.manifest.template index da56d8b661..9b93b59cbb 100644 --- a/libos/test/regression/init_fail2.manifest.template +++ b/libos/test/regression/init_fail2.manifest.template 
@@ -10,7 +10,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/large_mmap.manifest.template b/libos/test/regression/large_mmap.manifest.template index 36316f96d9..ffb425392e 100644 --- a/libos/test/regression/large_mmap.manifest.template +++ b/libos/test/regression/large_mmap.manifest.template @@ -13,7 +13,6 @@ fs.mounts = [ ] sgx.enclave_size = "8G" -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/manifest.template b/libos/test/regression/manifest.template index e93a4ff519..42731d6606 100644 --- a/libos/test/regression/manifest.template +++ b/libos/test/regression/manifest.template @@ -22,7 +22,6 @@ fs.mounts = [ ] sgx.max_threads = 16 -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/multi_pthread.manifest.template b/libos/test/regression/multi_pthread.manifest.template index 47f2faaf6c..43c55e4fe9 100644 --- a/libos/test/regression/multi_pthread.manifest.template +++ b/libos/test/regression/multi_pthread.manifest.template @@ -11,7 +11,6 @@ fs.mounts = [ # app runs with 4 parallel threads + Gramine has couple internal threads sgx.max_threads = 8 -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.enable_stats = true diff --git a/libos/test/regression/multi_pthread_exitless.manifest.template b/libos/test/regression/multi_pthread_exitless.manifest.template index 01e2796de0..8e8c8cc99b 100644 --- a/libos/test/regression/multi_pthread_exitless.manifest.template +++ b/libos/test/regression/multi_pthread_exitless.manifest.template 
@@ -13,7 +13,6 @@ fs.mounts = [ sgx.thread_num = 8 sgx.insecure__rpc_thread_num = 8 -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.enable_stats = true diff --git a/libos/test/regression/openmp.manifest.template b/libos/test/regression/openmp.manifest.template index 3342c977c5..e99abfdfa0 100644 --- a/libos/test/regression/openmp.manifest.template +++ b/libos/test/regression/openmp.manifest.template @@ -23,7 +23,6 @@ fs.mounts = [ ] sgx.max_threads = 32 -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/shebang_test_script.manifest.template b/libos/test/regression/shebang_test_script.manifest.template index 487d7e9195..af0129fa08 100644 --- a/libos/test/regression/shebang_test_script.manifest.template +++ b/libos/test/regression/shebang_test_script.manifest.template @@ -11,7 +11,6 @@ fs.mounts = [ ] sgx.max_threads = 16 -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/sysfs_common.manifest.template b/libos/test/regression/sysfs_common.manifest.template index eb2c68ba3a..cb20bb103d 100644 --- a/libos/test/regression/sysfs_common.manifest.template +++ b/libos/test/regression/sysfs_common.manifest.template @@ -8,7 +8,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/toml_parsing.manifest.template b/libos/test/regression/toml_parsing.manifest.template index de83e30efb..774ac3b384 100644 --- a/libos/test/regression/toml_parsing.manifest.template +++ b/libos/test/regression/toml_parsing.manifest.template 
@@ -21,7 +21,6 @@ fs.mount.entrypoint.uri = "file:{{ binary_dir }}/{{ entrypoint }}" # the manifest option below added only so that this feature has any test coverage libos.check_invalid_pointers = false -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/uid_gid.manifest.template b/libos/test/regression/uid_gid.manifest.template index cfc6f76b8a..3323c3beda 100644 --- a/libos/test/regression/uid_gid.manifest.template +++ b/libos/test/regression/uid_gid.manifest.template @@ -11,7 +11,6 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/pal/regression/Bootstrap6.manifest.template b/pal/regression/Bootstrap6.manifest.template index eb68fa0015..08a415c275 100644 --- a/pal/regression/Bootstrap6.manifest.template +++ b/pal/regression/Bootstrap6.manifest.template @@ -4,7 +4,6 @@ loader.entrypoint = "file:{{ binary_dir }}/{{ entrypoint }}" loader.log_level = "debug" sgx.enclave_size = "8192M" -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/pal/regression/Bootstrap7.manifest.template b/pal/regression/Bootstrap7.manifest.template index 02fb7c28ca..486e7ba779 100644 --- a/pal/regression/Bootstrap7.manifest.template +++ b/pal/regression/Bootstrap7.manifest.template @@ -1,7 +1,6 @@ loader.entrypoint = "file:{{ binary_dir }}/{{ entrypoint }}" sgx.trusted_files = [ "file:{{ binary_dir }}/{{ entrypoint }}" ] -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/pal/regression/File.manifest.template b/pal/regression/File.manifest.template index 65c6e05112..4c600efcdb 100644 --- a/pal/regression/File.manifest.template 
+++ b/pal/regression/File.manifest.template @@ -1,7 +1,6 @@ loader.entrypoint = "file:{{ binary_dir }}/{{ entrypoint }}" loader.log_level = "debug" -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/pal/regression/Thread2.manifest.template b/pal/regression/Thread2.manifest.template index 1561880f42..5310cbbb94 100644 --- a/pal/regression/Thread2.manifest.template +++ b/pal/regression/Thread2.manifest.template @@ -2,7 +2,6 @@ loader.entrypoint = "file:{{ binary_dir }}/{{ entrypoint }}" sgx.max_threads = 2 sgx.enable_stats = true -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/pal/regression/Thread2_exitless.manifest.template b/pal/regression/Thread2_exitless.manifest.template index 1fd0a122d5..85e30a15ca 100644 --- a/pal/regression/Thread2_exitless.manifest.template +++ b/pal/regression/Thread2_exitless.manifest.template @@ -5,7 +5,6 @@ loader.entrypoint = "file:{{ binary_dir }}/{{ entrypoint }}" sgx.max_threads = 2 sgx.insecure__rpc_thread_num = 2 sgx.enable_stats = true -sgx.nonpie_binary = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/pal/regression/manifest.template b/pal/regression/manifest.template index 630890faa1..4bb581053f 100644 --- a/pal/regression/manifest.template +++ b/pal/regression/manifest.template @@ -5,8 +5,6 @@ loader.insecure__use_cmdline_argv = true sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} -sgx.nonpie_binary = true # all tests are currently non-PIE unless overridden - sgx.allowed_files = [ "file:test.txt", # for File2 test "file:to_send.tmp", # for PalSendHandle test diff --git a/pal/src/host/linux-sgx/host_internal.h b/pal/src/host/linux-sgx/host_internal.h index 3578858b6a..a963d329e9 100644 --- a/pal/src/host/linux-sgx/host_internal.h 
+++ b/pal/src/host/linux-sgx/host_internal.h @@ -46,7 +46,6 @@ struct pal_enclave { unsigned long thread_num; unsigned long rpc_thread_num; unsigned long ssa_frame_size; - bool nonpie_binary; bool edmm_enabled; enum sgx_attestation_type attestation_type; char* libpal_uri; /* Path to the PAL binary */ diff --git a/pal/src/host/linux-sgx/host_main.c b/pal/src/host/linux-sgx/host_main.c index 0d3a794a9f..36be34c7e5 100644 --- a/pal/src/host/linux-sgx/host_main.c +++ b/pal/src/host/linux-sgx/host_main.c @@ -267,18 +267,11 @@ static int initialize_enclave(struct pal_enclave* enclave, const char* manifest_ goto out; } - if (enclave->nonpie_binary) { - /* executable is non-PIE: enclave base address must cover code segment loaded at some - * hardcoded address (usually 0x400000), and heap cannot start at zero (modern OSes do not - * allow this) */ - enclave->baseaddr = DEFAULT_ENCLAVE_BASE; - enclave_heap_min = MMAP_MIN_ADDR; - } else { - /* executable is PIE: enclave base address can be arbitrary (we choose it same as - * enclave_size), and heap can start immediately at this base address */ - enclave->baseaddr = enclave->size; - enclave_heap_min = enclave->baseaddr; - } + /* set up enclave address space so that it works also for non-PIE binaries: enclave base address + * must cover code segment loaded at some hardcoded address (usually 0x400000), and heap cannot + * start at zero (modern OSes do not allow this) */ + enclave->baseaddr = DEFAULT_ENCLAVE_BASE; + enclave_heap_min = MMAP_MIN_ADDR; sig_path = alloc_concat(g_pal_enclave.application_path, -1, ".sig", -1); if (!sig_path) { 
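Review bot: The unconditional `enclave->baseaddr = DEFAULT_ENCLAVE_BASE; enclave_heap_min = MMAP_MIN_ADDR;` in `initialize_enclave` also changes the layout of enclaves that relied on the `sgx.nonpie_binary` default of false and were previously based at `enclave->size`; the `sgx_sign.py` hunk makes the matching change on the signing side. If these two values feed the measured layout, as the signer's `get_mrenclave_and_manifest` suggests, such enclaves will likely get a different MRENCLAVE after the upgrade. They would then need re-signing and any measurement pinned in an attestation policy would need updating, which the commit does not mention. I would extend the new comment with `must stay identical to enclave_base/enclave_heap_min in python/graminelibos/sgx_sign.py so the layout built at load time matches the one that was signed`. The body of `initialize_enclave` starts and ends outside the hunk.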
@@ -769,15 +762,6 @@ static int parse_loader_config(char* manifest, struct pal_enclave* enclave_info, goto out; } - bool nonpie_binary; - ret = toml_bool_in(manifest_root, "sgx.nonpie_binary", /*defaultval=*/false, &nonpie_binary); - if (ret < 0) { - log_error("Cannot parse 'sgx.nonpie_binary' (the value must be `true` or `false`)"); - ret = -EINVAL; - goto out; - } - enclave_info->nonpie_binary = nonpie_binary; - ret = toml_bool_in(manifest_root, "sgx.enable_stats", /*defaultval=*/false, &g_sgx_enable_stats); if (ret < 0) { diff --git a/python/graminelibos/manifest.py b/python/graminelibos/manifest.py index a4f8d7c2ee..9ced5a062d 100644 --- a/python/graminelibos/manifest.py +++ b/python/graminelibos/manifest.py @@ -103,7 +103,6 @@ def __init__(self, manifest_str): sgx.setdefault('require_pkru', False) sgx.setdefault('require_amx', False) sgx.setdefault('require_exinfo', False) - sgx.setdefault('nonpie_binary', False) sgx.setdefault('enable_stats', False) if not isinstance(sgx['trusted_files'], list): diff --git a/python/graminelibos/sgx_sign.py b/python/graminelibos/sgx_sign.py index d9fb245b98..54d68370c9 100644 --- a/python/graminelibos/sgx_sign.py +++ b/python/graminelibos/sgx_sign.py @@ -480,12 +480,8 @@ def get_mrenclave_and_manifest(manifest_path, libpal, verbose=False): # Populate memory areas memory_areas = get_memory_areas(attr, libpal) - if manifest_sgx['nonpie_binary']: - enclave_base = offs.DEFAULT_ENCLAVE_BASE - enclave_heap_min = offs.MMAP_MIN_ADDR - else: - enclave_base = attr['enclave_size'] - enclave_heap_min = enclave_base + enclave_base = offs.DEFAULT_ENCLAVE_BASE + enclave_heap_min = offs.MMAP_MIN_ADDR manifest_data += b'\0' # in-memory manifest needs NULL-termination
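Review bot: After this hunk nothing in `get_mrenclave_and_manifest` reads `manifest_sgx['nonpie_binary']`, and the `parse_loader_config` and `manifest.py` hunks drop the other readers, so a manifest that still sets `sgx.nonpie_binary = false` is signed and loaded with the fixed layout without any notice. Unless unknown keys are already rejected or reported elsewhere, a deprecation warning here would make the ignored setting visible, e.g. `if 'nonpie_binary' in manifest_sgx: print('warning: sgx.nonpie_binary is deprecated and ignored')`. A short comment above the two assignments, `# one layout for PIE and non-PIE; keep in sync with initialize_enclave() in host_main.c`, would also record why the branch is gone. The function starts and ends outside the hunk.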