diff --git a/.ci/lib/stage-build-sgx-vm.jenkinsfile b/.ci/lib/stage-build-sgx-vm.jenkinsfile index d328690bc9..b4819fed05 100644 --- a/.ci/lib/stage-build-sgx-vm.jenkinsfile +++ b/.ci/lib/stage-build-sgx-vm.jenkinsfile @@ -57,7 +57,6 @@ stage('build') { -Ddirect=disabled \ -Dsgx=enabled \ -Dtests=enabled \ - -Dsgx_driver=upstream \ $MESON_OPTIONS ninja -vC build/ ''' diff --git a/.ci/lib/stage-build-sgx.jenkinsfile b/.ci/lib/stage-build-sgx.jenkinsfile index 381748e8ff..98579bed44 100644 --- a/.ci/lib/stage-build-sgx.jenkinsfile +++ b/.ci/lib/stage-build-sgx.jenkinsfile @@ -15,19 +15,6 @@ stage('build') { env.MESON_OPTIONS += ' -Ddcap=enabled' } - if (env.SGX_DRIVER == null) { - env.SGX_DRIVER = 'upstream' - } - if (env.SGX_DRIVER == 'oot') { - sh ''' - git clone https://github.com/intel/linux-sgx-driver.git - cd linux-sgx-driver - git checkout 276c5c6a064d22358542f5e0aa96b1c0ace5d695 - ''' - - env.MESON_OPTIONS += ' -Dsgx_driver_include_path=' + env.WORKSPACE + '/linux-sgx-driver' - } - try { sh ''' meson setup build/ \ @@ -37,7 +24,6 @@ stage('build') { -Ddirect=disabled \ -Dsgx=enabled \ -Dtests=enabled \ - -Dsgx_driver="$SGX_DRIVER" \ $MESON_OPTIONS ninja -vC build/ ''' diff --git a/.ci/lib/stage-clean-check.jenkinsfile b/.ci/lib/stage-clean-check.jenkinsfile index 87bf9913c8..29bd1a47f5 100644 --- a/.ci/lib/stage-clean-check.jenkinsfile +++ b/.ci/lib/stage-clean-check.jenkinsfile @@ -20,9 +20,6 @@ stage('clean-check') { # root, and keeps cache there rm -rf .pytest_cache - # We downloaded the OOT SGX driver during build stage - rm -rf linux-sgx-driver - make -C libos/test/regression clean make -C libos/test/fs clean @@ -67,7 +64,6 @@ stage('clean-check') { * Gramine source tree. */ sh 'rm -rf "$PREFIX"' - sh 'rm -rf linux-sgx-driver' sh ''' ./scripts/gitignore-test ''' diff --git a/.gitignore b/.gitignore index 0846b3c4a7..a4cb8f6fec 100644 --- a/.gitignore +++ b/.gitignore @@ -30,9 +30,7 @@ __pycache__ # sgx *.manifest.sgx *.sig -*.token *.cached -.output.sgx_get_token.* .output.sgx_sign.* # gnu global diff --git a/.pylintrc b/.pylintrc index f5c4ec2f29..38cfb46b28 100644 --- a/.pylintrc +++ b/.pylintrc @@ -168,7 +168,6 @@ ignored-classes= # and thus existing member attributes cannot be deduced by static analysis. It # supports qualified module names, as well as Unix pattern matching. ignored-modules= - aesm_pb2, # Show a hint with possible names when a member name was not found. The aspect # of finding the hint is based on edit distance. diff --git a/CI-Examples/.gitignore b/CI-Examples/.gitignore index cd12240b6d..d686185a52 100644 --- a/CI-Examples/.gitignore +++ b/CI-Examples/.gitignore @@ -1,7 +1,6 @@ *.manifest *.manifest.sgx *.sig -*.token *.o *~ *.swp diff --git a/CI-Examples/README.md b/CI-Examples/README.md index 1997f1a6be..46d486dabe 100644 --- a/CI-Examples/README.md +++ b/CI-Examples/README.md @@ -45,8 +45,8 @@ addition, your application sample should have the following elements: command. If your application needs extra building steps, please document them in the `README.md`. In addition, we ask you to provide sufficient comments in the `Makefile` to help users understand the build process. If your application - also runs on Gramine-SGX, please include the commands for signing and - retrieving the token in the `Makefile`. + also runs on Gramine-SGX, please include the command for signing in the + `Makefile`. - Manifest: Please provide the manifest needed for running your application sample. Do not diff --git a/CI-Examples/bash/Makefile b/CI-Examples/bash/Makefile index be9949de80..dc8b8cdd5a 100644 --- a/CI-Examples/bash/Makefile +++ b/CI-Examples/bash/Makefile @@ -63,7 +63,7 @@ regression: all .PHONY: clean clean: - $(RM) *.manifest *.manifest.sgx *.token *.sig OUTPUT scripts/testdir/* + $(RM) *.manifest *.manifest.sgx *.sig OUTPUT scripts/testdir/* .PHONY: distclean distclean: clean diff --git a/CI-Examples/blender/Makefile b/CI-Examples/blender/Makefile index 7562769d05..6c1f741046 100644 --- a/CI-Examples/blender/Makefile +++ b/CI-Examples/blender/Makefile @@ -65,8 +65,7 @@ check: all .PHONY: clean clean: $(RM) -r \ - $(RUN_DIR) $(DATA_DIR)/images blender.manifest blender.manifest.sgx blender.sig \ - blender.token + $(RUN_DIR) $(DATA_DIR)/images blender.manifest blender.manifest.sgx blender.sig .PHONY: distclean distclean: clean diff --git a/CI-Examples/busybox/Makefile b/CI-Examples/busybox/Makefile index 9e7b9e907a..bac0cab563 100644 --- a/CI-Examples/busybox/Makefile +++ b/CI-Examples/busybox/Makefile @@ -47,7 +47,7 @@ check: all .PHONY: clean clean: - $(RM) *.token *.sig *.manifest.sgx *.manifest OUTPUT + $(RM) *.sig *.manifest.sgx *.manifest OUTPUT .PHONY: distclean distclean: clean diff --git a/CI-Examples/helloworld/Makefile b/CI-Examples/helloworld/Makefile index 9ff129c28a..cb143a5057 100644 --- a/CI-Examples/helloworld/Makefile +++ b/CI-Examples/helloworld/Makefile @@ -47,7 +47,7 @@ check: all .PHONY: clean clean: - $(RM) *.token *.sig *.manifest.sgx *.manifest helloworld.o helloworld OUTPUT + $(RM) *.sig *.manifest.sgx *.manifest helloworld.o helloworld OUTPUT .PHONY: distclean distclean: clean diff --git a/CI-Examples/lighttpd/Makefile b/CI-Examples/lighttpd/Makefile index a0f2a9b87f..c6ee3f8c14 100644 --- a/CI-Examples/lighttpd/Makefile +++ b/CI-Examples/lighttpd/Makefile @@ -108,7 +108,7 @@ start-gramine-server: all .PHONY: clean clean: $(RM) \ - *.manifest *.manifest.sgx *.token *.sig OUTPUT result-* $(CONF_FILES) + *.manifest *.manifest.sgx *.sig OUTPUT result-* $(CONF_FILES) .PHONY: distclean distclean: clean diff --git a/CI-Examples/memcached/Makefile b/CI-Examples/memcached/Makefile index 01cdab602f..15ce55ead6 100644 --- a/CI-Examples/memcached/Makefile +++ b/CI-Examples/memcached/Makefile @@ -64,7 +64,7 @@ start-gramine-server: all .PHONY: clean clean: - $(RM) *.token *.sig *.manifest.sgx *.manifest memcached .lck + $(RM) *.sig *.manifest.sgx *.manifest memcached .lck .PHONY: distclean distclean: clean diff --git a/CI-Examples/nginx/Makefile b/CI-Examples/nginx/Makefile index 6c7de7a0b2..8654447af2 100644 --- a/CI-Examples/nginx/Makefile +++ b/CI-Examples/nginx/Makefile @@ -128,7 +128,7 @@ start-gramine-server: all .PHONY: clean clean: - $(RM) *.manifest *.manifest.sgx *.token *.sig OUTPUT result-* tmp nginx_args + $(RM) *.manifest *.manifest.sgx *.sig OUTPUT result-* tmp nginx_args .PHONY: distclean distclean: clean diff --git a/CI-Examples/python/Makefile b/CI-Examples/python/Makefile index 788096d1ff..3cabdae2bf 100644 --- a/CI-Examples/python/Makefile +++ b/CI-Examples/python/Makefile @@ -48,7 +48,7 @@ endif .PHONY: clean clean: - $(RM) *.manifest *.manifest.sgx *.token *.sig OUTPUT* *.PID TEST_STDOUT TEST_STDERR + $(RM) *.manifest *.manifest.sgx *.sig OUTPUT* *.PID TEST_STDOUT TEST_STDERR $(RM) -r scripts/__pycache__ .PHONY: distclean diff --git a/CI-Examples/ra-tls-mbedtls/Makefile b/CI-Examples/ra-tls-mbedtls/Makefile index 520861a34c..ff52285cdd 100644 --- a/CI-Examples/ra-tls-mbedtls/Makefile +++ b/CI-Examples/ra-tls-mbedtls/Makefile @@ -151,7 +151,7 @@ check_dcap_fail: app dcap .PHONY: clean clean: $(RM) -r \ - *.token *.sig *.manifest.sgx *.manifest server client *.so *.so.* OUTPUT + *.sig *.manifest.sgx *.manifest server client *.so *.so.* OUTPUT .PHONY: distclean distclean: clean diff --git a/CI-Examples/ra-tls-nginx/Makefile b/CI-Examples/ra-tls-nginx/Makefile index 394eab4389..5eb9b6d46b 100644 --- a/CI-Examples/ra-tls-nginx/Makefile +++ b/CI-Examples/ra-tls-nginx/Makefile @@ -41,5 +41,4 @@ clean: $(RM) -r \ *.manifest \ *.manifest.sgx \ - *.sig \ - *.token + *.sig diff --git a/CI-Examples/ra-tls-secret-prov/Makefile b/CI-Examples/ra-tls-secret-prov/Makefile index 61852f4705..4dd2998f67 100644 --- a/CI-Examples/ra-tls-secret-prov/Makefile +++ b/CI-Examples/ra-tls-secret-prov/Makefile @@ -216,9 +216,9 @@ check_dcap: app dcap .PHONY: clean clean: $(RM) OUTPUT - cd secret_prov_minimal; $(RM) client server_* *.token *.sig *.manifest.sgx *.manifest - cd secret_prov; $(RM) client server_* *.token *.sig *.manifest.sgx *.manifest - cd secret_prov_pf; $(RM) client server_* *.token *.sig *.manifest.sgx *.manifest + cd secret_prov_minimal; $(RM) client server_* *.sig *.manifest.sgx *.manifest + cd secret_prov; $(RM) client server_* *.sig *.manifest.sgx *.manifest + cd secret_prov_pf; $(RM) client server_* *.sig *.manifest.sgx *.manifest .PHONY: distclean distclean: clean diff --git a/CI-Examples/redis/Makefile b/CI-Examples/redis/Makefile index 35db4363b1..39e0122346 100644 --- a/CI-Examples/redis/Makefile +++ b/CI-Examples/redis/Makefile @@ -116,7 +116,7 @@ start-gramine-server: all .PHONY: clean clean: - $(RM) *.token *.sig *.manifest.sgx *.manifest redis-server *.rdb + $(RM) *.sig *.manifest.sgx *.manifest redis-server *.rdb .PHONY: distclean distclean: clean diff --git a/CI-Examples/rust/Makefile b/CI-Examples/rust/Makefile index ca7c2f5d0d..2988ea7f2b 100644 --- a/CI-Examples/rust/Makefile +++ b/CI-Examples/rust/Makefile @@ -49,7 +49,7 @@ start-gramine-server: all .PHONY: clean clean: - $(RM) -rf *.token *.sig *.manifest.sgx *.manifest result-* OUTPUT + $(RM) -rf *.sig *.manifest.sgx *.manifest result-* OUTPUT .PHONY: distclean distclean: clean diff --git a/CI-Examples/sqlite/Makefile b/CI-Examples/sqlite/Makefile index 981c3ef5ae..3b531c1c02 100644 --- a/CI-Examples/sqlite/Makefile +++ b/CI-Examples/sqlite/Makefile @@ -50,7 +50,7 @@ regression: all .PHONY: clean clean: - $(RM) *.manifest *.manifest.sgx *.token *.sig OUTPUT db/* + $(RM) *.manifest *.manifest.sgx *.sig OUTPUT db/* .PHONY: distclean distclean: clean diff --git a/Documentation/conf.py b/Documentation/conf.py index d7dd257725..8356a00e47 100644 --- a/Documentation/conf.py +++ b/Documentation/conf.py @@ -189,7 +189,6 @@ ('manpages/gramine-manifest-check', 'gramine-manifest-check', 'Gramine manifest schema validator', [author], 1), ('manpages/gramine-ratls', 'gramine-ratls', 'RA-TLS wrapper', [author], 1), ('manpages/gramine-sgx-gen-private-key', 'gramine-sgx-gen-private-key', 'Gramine SGX key generator', [author], 1), - ('manpages/gramine-sgx-get-token', 'gramine-sgx-get-token', 'Gramine SGX Token generator', [author], 1), ('manpages/gramine-sgx-ias-request', 'gramine-sgx-ias-request', 'Submit Intel Attestation Service request', [author], 1), ('manpages/gramine-sgx-ias-verify-report', 'gramine-sgx-ias-verify-report', 'Verify Intel Attestation Service report', [author], 1), ('manpages/gramine-sgx-quote-view', 'gramine-sgx-quote-view', 'Display SGX quote', [author], 1), diff --git a/Documentation/devel/building.rst b/Documentation/devel/building.rst index dcb8467010..87af5ce0bd 100644 --- a/Documentation/devel/building.rst +++ b/Documentation/devel/building.rst @@ -73,8 +73,8 @@ Kernel version can be checked using the following command:: uname -r If your current kernel version is 5.11 or higher, you have a built-in SGX -support. The driver is accessible through /dev/sgx_enclave -and /dev/sgx_provision. +support. The driver is accessible through :file:`/dev/sgx_enclave` +and :file:`/dev/sgx_provision`. If your current kernel version is lower than 5.11, then you have two options: @@ -132,8 +132,7 @@ To build Gramine, you need to first set up the build directory. In the root directory of Gramine repo, run the following command (recall that "direct" means non-SGX version):: - meson setup build/ --buildtype=release -Ddirect=enabled -Dsgx=enabled \ - -Dsgx_driver=(upstream|oot) -Dsgx_driver_include_path= + meson setup build/ --buildtype=release -Ddirect=enabled -Dsgx=enabled .. note:: @@ -152,25 +151,9 @@ Set ``-Ddirect=`` and ``-Dsgx=`` options to ``enabled`` or ``disabled`` according to whether you built the corresponding PAL (the snippet assumes you built both). -The ``-Dsgx_driver`` parameter controls which SGX driver to use: - -* ``upstream`` (default) for upstreamed in-kernel driver (mainline Linux kernel - 5.11+), -* ``oot`` for non-DCAP, out-of-tree version of the driver. - -The ``-Dsgx_driver_include_path`` parameter must point to the absolute path -where the SGX driver was downloaded or installed in the previous step. For -example, for the OOT driver installed at the default path, you can specify -``-Dsgx_driver_include_path="/opt/intel/linux-sgx-driver"``. If this parameter -is omitted, Gramine's build system will try to determine the right path, so, -it's usually not needed. - -.. note:: - - If you have a DCAP driver installed on the system (e.g. on 18.04 Azure), - then you can still use the upstream driver and specify the `upstream header - file `__. - This is because the DCAP and the upstream drivers have compatible APIs. +Since Gramine 1.9, we only support upstream, in-kernel driver and the +``-Dsgx_driver`` option, as well as associated ``-Dsgx_driver_include_path`` and +``-Dsgx_driver_device`` options, are gone. Set ``-Dlibc`` option to ``musl`` if you wish to build musl instead of glibc (which is built by default), or to ``none`` if you do not want to build any @@ -303,8 +286,8 @@ Protect this key and do not disclose it to anyone:: After signing the application's manifest, users may ship the application and Gramine binaries, along with an SGX-specific manifest (``.manifest.sgx`` -extension), the SIGSTRUCT signature file (``.sig`` extension), and the -EINITTOKEN file (``.token`` extension) to execute on another SGX-enabled host. +extension), the SIGSTRUCT signature file (``.sig`` extension) to execute on +another SGX-enabled host. Advanced: building without network access ----------------------------------------- @@ -352,7 +335,7 @@ Proceed with compiling and installing as usual. :: meson setup build/ --prefix=/usr --wrap-mode=nodownload \ - -Ddirect=enabled -Dsgx=enabled -Dsgx_driver=upstream + -Ddirect=enabled -Dsgx=enabled meson compile -C build/ meson install -C build/ diff --git a/Documentation/manpages/gramine-sgx-get-token.rst b/Documentation/manpages/gramine-sgx-get-token.rst deleted file mode 100644 index 584c4dca52..0000000000 --- a/Documentation/manpages/gramine-sgx-get-token.rst +++ /dev/null @@ -1,43 +0,0 @@ -.. program:: gramine-sgx-get-token -.. _gramine-sgx-get-token: - -=============================================================== -:program:`gramine-sgx-get-token` -- Gramine SGX token generator -=============================================================== - -Synopsis -======== - -:command:`gramine-sgx-get-token` [*OPTION*]... --sig sigstruct_file ---output token_file - -Description -=========== - -:program:`gramine-sgx-get-token` is used to generate the SGX token file for -given SIGSTRUCT (".sig" file). - -Using this command is not necessary (it was previously), since the token is -fetched automatically if needed during the first enclave start. - -On upstream/DCAP driver this command does nothing and is deprecated. In -the future, it will be removed altogether. - -Command line arguments -====================== - -.. option:: --sig sigstruct_file, -s sigstruct_file - - Path to the input file containing SIGSTRUCT. - -.. option:: --output token_file, -o token_file - - Path to the output token file. - -.. option:: --verbose, -v - - Print details to standard output. This is the default. - -.. option:: --quiet, -q - - Don't print details to standard output. diff --git a/Documentation/manpages/gramine.rst b/Documentation/manpages/gramine.rst index 49772224bd..e720b52aa7 100644 --- a/Documentation/manpages/gramine.rst +++ b/Documentation/manpages/gramine.rst @@ -26,14 +26,3 @@ Options .. option:: --version Show version and exit. - -Environment variables -===================== - -.. envvar:: GRAMINE_NO_AUTO_GET_TOKEN - - If not empty, for out-of-tree EPID driver :command:`gramine-sgx` will not - automatically generate EINITTOKEN. - - On upstream/DCAP driver the token is never generated and this variable has no - effect. diff --git a/Documentation/python/api.rst b/Documentation/python/api.rst index 22cc8fcb50..dc579bbac2 100644 --- a/Documentation/python/api.rst +++ b/Documentation/python/api.rst @@ -7,7 +7,7 @@ Python API Introduction ------------ -We expose a Python API for manifest, SIGSTRUCT and SGX token management. +We expose a Python API for manifest and SIGSTRUCT management. Examples -------- @@ -37,18 +37,6 @@ To create a |~| signed SIGSTRUCT file from a manifest:: with open('path_to_sigstruct', 'wb') as f: f.write(sigstruct.to_bytes()) -To create a |~| SGX token file from a |~| signed SIGSTRUCT file:: - - from graminelibos import Sigstruct, get_token - - with open('path_to_sigstruct', 'rb') as f: - sigstruct = Sigstruct.from_bytes(f.read()) - - token = get_token(sigstruct) - - with open('path_to_token_file', 'wb') as f: - f.write(token) - API Reference ------------- @@ -65,4 +53,3 @@ API Reference :members: .. autofunction:: graminelibos.get_tbssigstruct .. autofunction:: graminelibos.sign_with_local_key - .. autofunction:: graminelibos.get_token diff --git a/debian/control b/debian/control index 484085bf1c..e96907b242 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,7 @@ Build-Depends: debhelper-compat (= 13), libcurl4-openssl-dev (>= 7.58), libprotobuf-c-dev, libsgx-dcap-quote-verify-dev, - linux-libc-dev (>= 5.11) | linux-headers-amd64 (>= 5.11), + linux-libc-dev (>= 5.11), meson (>= 0.56), nasm, ninja-build (>= 1.8), diff --git a/debian/get-linux-src-path.sh b/debian/get-linux-src-path.sh deleted file mode 100755 index 4ccef12ac0..0000000000 --- a/debian/get-linux-src-path.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh - -set -e - -dir=$(dpkg-query -W linux-headers-\*-common | while read name version -do - test -n "$version" || continue - dpkg --compare-versions "$version" '>=' '5.11' || continue - - # sanity check: if directory does not exist, break here and not in meson - dir=/usr/src/"$name" - test -d "$dir" || exit 2 - - printf %s\\n "$dir" - break -done) - -test -n "$dir" || exit 1 -printf %s\\n "$dir" diff --git a/debian/gramine.manpages b/debian/gramine.manpages index 51a33ea33f..4bc14afbc1 100644 --- a/debian/gramine.manpages +++ b/debian/gramine.manpages @@ -1,7 +1,6 @@ Documentation/_build/man/gramine-direct.1 Documentation/_build/man/gramine-manifest.1 Documentation/_build/man/gramine-ratls.1 -Documentation/_build/man/gramine-sgx-get-token.1 Documentation/_build/man/gramine-sgx-ias-request.1 Documentation/_build/man/gramine-sgx-ias-verify-report.1 Documentation/_build/man/gramine-sgx-quote-view.1 diff --git a/debian/rules b/debian/rules index bbfa0d26af..b748a177a9 100755 --- a/debian/rules +++ b/debian/rules @@ -27,10 +27,6 @@ override_dh_clean: rm -rf \ python/graminelibos/__pycache__ -SGX_DRIVER_INCLUDE_PATH = \ - $(if $(wildcard /usr/include/$(DEB_BUILD_MULTIARCH)/asm/sgx.h),,\ - -Dsgx_driver_include_path=$(shell debian/get-linux-src-path.sh)/arch/x86/include/uapi) - override_dh_auto_configure: dpkg-buildflags --status @@ -38,8 +34,7 @@ override_dh_auto_configure: --buildtype=release \ -Ddirect=enabled \ -Dsgx=enabled \ - -Ddcap=enabled \ - $(SGX_DRIVER_INCLUDE_PATH) + -Ddcap=enabled # assert correct version if ! dpkg --compare-versions "$$(meson introspect --projectinfo obj-$(DEB_HOST_MULTIARCH) | jq -r .version)" = "$(DEB_VERSION)"; \ diff --git a/gramine.spec b/gramine.spec index dec68c7742..23ce53cda7 100644 --- a/gramine.spec +++ b/gramine.spec @@ -63,8 +63,7 @@ unset PKG_CONFIG_PATH %meson \ --buildtype=release \ -Ddirect=enabled \ - -Dsgx=enabled \ - -Dsgx_driver=upstream + -Dsgx=enabled # assert correct version if ! test "$(meson introspect --projectinfo "%{_vpath_builddir}" | jq -r .version)" = %{version} diff --git a/meson.build b/meson.build index 9ab4eb042d..92ddb88121 100644 --- a/meson.build +++ b/meson.build @@ -105,60 +105,12 @@ if debug endif if sgx - conf_sgx = configuration_data() - - # SGX driver options - sgx_driver = get_option('sgx_driver') - sgx_driver_include_path = get_option('sgx_driver_include_path') - sgx_driver_device = get_option('sgx_driver_device') - - if sgx_driver == 'upstream' - # upstream in-kernel driver (Linux 5.11+) - conf_sgx.set('CONFIG_SGX_DRIVER_UPSTREAM', true) - sgx_driver_header = 'asm/sgx.h' - sgx_driver_include_path_defaults = [ - # standard /usr/include[/x86_64-linux-gnu] from linux-libc-dev - '', - # Ubuntu `linux-headers` package - '/usr/src/linux-headers-@0@/arch/x86/include/uapi'.format( - run_command('uname', '-r').stdout().strip()), - ] - elif sgx_driver == 'oot' - # old non-DCAP driver (https://github.com/intel/linux-sgx-driver) - conf_sgx.set('CONFIG_SGX_DRIVER_OOT', true) - sgx_driver_header = 'sgx_user.h' - sgx_driver_include_path_defaults = ['/opt/intel/linux-sgx-driver'] - else - error('Unknown sgx_driver value') - endif - - if sgx_driver_device != '' - conf_sgx.set_quoted('CONFIG_SGX_DRIVER_DEVICE', sgx_driver_device) - endif - - if sgx_driver_include_path == '' - foreach path : sgx_driver_include_path_defaults - if cc.has_header(path / sgx_driver_header) - sgx_driver_include_path = path - break - endif - endforeach - endif - - sgx_driver_include = sgx_driver_include_path / sgx_driver_header - - if not cc.has_header(sgx_driver_include) - error('Invalid SGX driver configuration (-Dsgx_driver and/or -Dsgx_driver_include_path); ' + - 'expected "@0@" to exist under "@1@"'.format( - sgx_driver_header, sgx_driver_include_path)) - endif + cc.has_header('asm/sgx.h', required: true) if vtune add_project_arguments('-DSGX_VTUNE_PROFILE', language: 'c') vtune_sdk_path = get_option('vtune_sdk_path') endif - - conf_sgx.set('CONFIG_SGX_DRIVER_INCLUDE', sgx_driver_include) endif gen_symbol_map_cmd = [ @@ -254,10 +206,6 @@ if sgx protoc_c_prog = find_program('protoc-c') - if sgx_driver == 'oot' - protoc_prog = find_program('protoc') - endif - threads_dep = dependency('threads') libcurl_dep = curl_proj.get_variable('curl_minimal_dep') diff --git a/meson_options.txt b/meson_options.txt index e29929f6d7..71dd832061 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -21,14 +21,6 @@ option('asan', type: 'combo', choices: ['disabled', 'enabled'], option('libgomp', type: 'combo', choices: ['disabled', 'enabled'], description: 'Build patched libgomp (takes long time)') -option('sgx_driver', type: 'combo', - choices: ['upstream', 'oot'], - description: 'Flavour of the SGX driver') -option('sgx_driver_include_path', type: 'string', - description: 'Path to SGX driver headers (default value depends on sgx_driver)') -option('sgx_driver_device', type: 'string', - description: 'Path to "enclave" device in /dev (default value depends on sgx_driver)') - option('syslibdir', type: 'string', description: 'Path to the system library directory') diff --git a/pal/src/host/linux-sgx/generated_offsets.c b/pal/src/host/linux-sgx/generated_offsets.c index bbd8d3a161..ef9459744c 100644 --- a/pal/src/host/linux-sgx/generated_offsets.c +++ b/pal/src/host/linux-sgx/generated_offsets.c @@ -183,13 +183,5 @@ const struct generated_offset generated_offsets[] = { DEFINE(PAL_XSTATE_ALIGN, PAL_XSTATE_ALIGN), DEFINE(PAL_FP_XSTATE_MAGIC2_SIZE, PAL_FP_XSTATE_MAGIC2_SIZE), - /* driver type */ -#ifdef CONFIG_SGX_DRIVER_OOT - DEFINE(CONFIG_SGX_DRIVER_OOT, 1), -#endif -#ifdef CONFIG_SGX_DRIVER_UPSTREAM - DEFINE(CONFIG_SGX_DRIVER_UPSTREAM, 1), -#endif - OFFSET_END, }; diff --git a/pal/src/host/linux-sgx/host_framework.c b/pal/src/host/linux-sgx/host_framework.c index c77f9bfb94..a178d74010 100644 --- a/pal/src/host/linux-sgx/host_framework.c +++ b/pal/src/host/linux-sgx/host_framework.c @@ -14,19 +14,9 @@ static size_t g_zero_pages_size = 0; int open_sgx_driver(void) { const char* paths_to_try[] = { -#ifdef CONFIG_SGX_DRIVER_DEVICE - /* Always try to use the device path specified in the build config first. */ - CONFIG_SGX_DRIVER_DEVICE, -#endif -#if defined(CONFIG_SGX_DRIVER_OOT) - "/dev/isgx", -#elif defined(CONFIG_SGX_DRIVER_UPSTREAM) - /* DCAP and upstreamed version used different paths in the past. */ - "/dev/sgx_enclave", - "/dev/sgx/enclave", -#else - #error This config should be unreachable. -#endif + /* DCAP and upstreamed version used different paths in the past. */ + "/dev/sgx_enclave", + "/dev/sgx/enclave", }; int ret; for (size_t i = 0; i < ARRAY_SIZE(paths_to_try); i++) { @@ -192,14 +182,12 @@ int create_enclave(sgx_arch_secs_t* secs, sgx_arch_token_t* token) { uint64_t request_mmap_addr = secs->base; uint64_t request_mmap_size = secs->size; -#ifndef CONFIG_SGX_DRIVER_OOT /* newer DCAP/in-kernel SGX drivers allow starting enclave address space with non-zero; * the below trick to start from MMAP_MIN_ADDR is to avoid vm.mmap_min_addr==0 issue */ if (request_mmap_addr < MMAP_MIN_ADDR) { request_mmap_size -= MMAP_MIN_ADDR - request_mmap_addr; request_mmap_addr = MMAP_MIN_ADDR; } -#endif uint64_t addr = DO_SYSCALL(mmap, request_mmap_addr, request_mmap_size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED_NOREPLACE | MAP_SHARED, @@ -323,38 +311,6 @@ int add_pages_to_enclave(sgx_arch_secs_t* secs, void* addr, void* user_addr, uns log_debug("Adding pages to enclave: %p-%p [%s:%s] (%s)%s", addr, addr + size, t, p, comment, m); -#ifdef CONFIG_SGX_DRIVER_OOT - /* legacy out-of-tree driver only supports adding one page at a time */ - struct sgx_enclave_add_page param = { - .addr = (uint64_t)addr, - .src = (uint64_t)(user_addr ?: g_zero_pages), - .secinfo = (uint64_t)&secinfo, - .mrmask = skip_eextend ? 0 : (uint16_t)-1, - }; - - uint64_t added_size = 0; - while (added_size < size) { - ret = DO_SYSCALL(ioctl, g_isgx_device, SGX_IOC_ENCLAVE_ADD_PAGE, ¶m); - if (ret < 0) { - if (ret == -EINTR) - continue; - log_error("Enclave add-pages IOCTL failed: %s", unix_strerror(ret)); - return ret; - } - - param.addr += g_page_size; - if (param.src != (uint64_t)g_zero_pages) - param.src += g_page_size; - added_size += g_page_size; - } - - /* need to change permissions for EADDed pages since the initial mmap was with PROT_NONE */ - ret = DO_SYSCALL(mprotect, addr, size, prot); - if (ret < 0) { - log_error("Changing protections of EADDed pages failed: %s", unix_strerror(ret)); - return ret; - } -#else if (!user_addr && g_zero_pages_size < size) { /* not enough contigious zero pages to back up enclave pages, allocate more */ /* TODO: this logic can be removed if we introduce a size cap in ENCLAVE_ADD_PAGES ioctl */ @@ -425,7 +381,6 @@ int add_pages_to_enclave(sgx_arch_secs_t* secs, void* addr, void* user_addr, uns log_error("Cannot map enclave pages: %s", unix_strerror(ret)); return ret; } -#endif /* CONFIG_SGX_DRIVER_OOT */ return 0; } @@ -547,9 +502,7 @@ int edmm_supported_by_driver(bool* out_supported) { } int init_enclave(sgx_arch_secs_t* secs, sgx_sigstruct_t* sigstruct, sgx_arch_token_t* token) { -#ifndef CONFIG_SGX_DRIVER_OOT __UNUSED(token); -#endif unsigned long enclave_valid_addr = secs->base + secs->size - g_page_size; char hex[sizeof(sigstruct->enclave_hash.m) * 2 + 1]; @@ -562,13 +515,7 @@ int init_enclave(sgx_arch_secs_t* secs, sgx_sigstruct_t* sigstruct, sgx_arch_tok log_debug(" isv_svn: %d", sigstruct->isv_svn); struct sgx_enclave_init param = { -#ifdef CONFIG_SGX_DRIVER_OOT - .addr = enclave_valid_addr, -#endif .sigstruct = (uint64_t)sigstruct, -#ifdef CONFIG_SGX_DRIVER_OOT - .einittoken = (uint64_t)token, -#endif }; int ret = DO_SYSCALL(ioctl, g_isgx_device, SGX_IOC_ENCLAVE_INIT, ¶m); if (ret < 0) { diff --git a/pal/src/host/linux-sgx/host_main.c b/pal/src/host/linux-sgx/host_main.c index 33b29878c4..cc5f69dc0d 100644 --- a/pal/src/host/linux-sgx/host_main.c +++ b/pal/src/host/linux-sgx/host_main.c @@ -199,48 +199,9 @@ static int load_enclave_binary(sgx_arch_secs_t* secs, int fd, unsigned long base return ret; } -#if defined(CONFIG_SGX_DRIVER_OOT) -static int get_enclave_token(sgx_arch_token_t* enclave_token, sgx_sigstruct_t* enclave_sigstruct) { - __UNUSED(enclave_sigstruct); - char* token_path = NULL; - int token_fd = -1; - int ret; - - token_path = alloc_concat(g_pal_enclave.application_path, -1, ".token", -1); - if (!token_path) { - ret = -ENOMEM; - goto out; - } - - token_fd = DO_SYSCALL(open, token_path, O_RDONLY | O_CLOEXEC, 0); - if (token_fd < 0) { - log_error("Cannot open token %s. Use gramine-sgx-get-token on the runtime host to create " - "the token file.", token_path); - ret = -EINVAL; - goto out; - } - log_debug("Token file: %s", token_path); - - ret = read_enclave_token(token_fd, enclave_token); - if (ret < 0) { - log_error("Reading enclave token failed: %s", unix_strerror(ret)); - goto out; - } - - ret = 0; -out: - if (token_fd >= 0) - DO_SYSCALL(close, token_fd); - free(token_path); - return ret; -} -#elif defined(CONFIG_SGX_DRIVER_UPSTREAM) static int get_enclave_token(sgx_arch_token_t* enclave_token, sgx_sigstruct_t* enclave_sigstruct) { return create_dummy_enclave_token(enclave_sigstruct, enclave_token); } -#else - #error This config should be unreachable. -#endif static int initialize_enclave(struct pal_enclave* enclave, const char* manifest_to_measure) { int ret = 0; diff --git a/pal/src/host/linux-sgx/host_sgx_driver.h.in b/pal/src/host/linux-sgx/host_sgx_driver.h similarity index 91% rename from pal/src/host/linux-sgx/host_sgx_driver.h.in rename to pal/src/host/linux-sgx/host_sgx_driver.h index eaa4895d37..6855d2008a 100644 --- a/pal/src/host/linux-sgx/host_sgx_driver.h.in +++ b/pal/src/host/linux-sgx/host_sgx_driver.h @@ -10,16 +10,10 @@ #endif #include +#include #include #include -#include <@CONFIG_SGX_DRIVER_INCLUDE@> - -#mesondefine CONFIG_SGX_DRIVER_UPSTREAM -#mesondefine CONFIG_SGX_DRIVER_OOT - -#mesondefine CONFIG_SGX_DRIVER_DEVICE - /* Gramine needs the below subset of SGX instructions' return values */ #ifndef SGX_INVALID_SIG_STRUCT #define SGX_INVALID_SIG_STRUCT 1 diff --git a/pal/src/host/linux-sgx/meson.build b/pal/src/host/linux-sgx/meson.build index e10defc768..2ca861789d 100644 --- a/pal/src/host/linux-sgx/meson.build +++ b/pal/src/host/linux-sgx/meson.build @@ -1,9 +1,3 @@ -host_sgx_driver_h = configure_file( - input: 'host_sgx_driver.h.in', - output: 'host_sgx_driver.h', - configuration: conf_sgx, -) - pal_sgx_inc = [ include_directories( '.', @@ -89,7 +83,6 @@ libpal_sgx = shared_library('pal', pal_sgx_asm_offsets_h, pal_common_sources, pal_linux_common_sources_enclave, - host_sgx_driver_h, include_directories: sgx_inc, @@ -153,7 +146,6 @@ libpal_sgx_host = executable('loader', pal_linux_common_sources_host, pal_sgx_asm_offsets_h, aesm_proto_ch, - host_sgx_driver_h, include_directories: sgx_inc, c_args: [ diff --git a/python/gramine-sgx-get-token b/python/gramine-sgx-get-token deleted file mode 100755 index 11a1b2a0b0..0000000000 --- a/python/gramine-sgx-get-token +++ /dev/null @@ -1,28 +0,0 @@ -#!/usr/bin/python3 -# SPDX-License-Identifier: LGPL-3.0-or-later -# Copyright (C) 2021 Intel Corporation -# Borys PopÅ‚awski - -import click - -from graminelibos import Sigstruct, get_token, is_oot - -@click.command() -@click.option('--sig', '-s', type=click.File('rb'), required=True, help='sigstruct file') -@click.option('--output', '-o', type=click.File('wb'), required=True, help='Output token file') -@click.option('--verbose/--quiet', '-v/-q', default=True, help='Display details (on by default)') -def main(sig, output, verbose): - if not is_oot(): - import warnings # pylint: disable=import-outside-toplevel - warnings.warn( - 'gramine-sgx-get-token is deprecated on upstream SGX driver, ' - 'and calling it will be a hard error in the future', - DeprecationWarning) - return - - sig = Sigstruct.from_bytes(sig.read()) - token = get_token(sig, verbose=verbose) - output.write(token) - -if __name__ == '__main__': - main() # pylint: disable=no-value-for-parameter diff --git a/python/graminelibos/__init__.py b/python/graminelibos/__init__.py index a96d57e768..79d0b78ad1 100644 --- a/python/graminelibos/__init__.py +++ b/python/graminelibos/__init__.py @@ -21,6 +21,5 @@ from .manifest import Manifest, ManifestError if _CONFIG_SGX_ENABLED: - from .sgx_get_token import get_token, is_oot from .sgx_sign import get_tbssigstruct, sign_with_local_key, SGX_LIBPAL, SGX_RSA_KEY_PATH from .sigstruct import Sigstruct diff --git a/python/graminelibos/aesm.proto b/python/graminelibos/aesm.proto deleted file mode 100644 index 134281aeb2..0000000000 --- a/python/graminelibos/aesm.proto +++ /dev/null @@ -1,21 +0,0 @@ -syntax = "proto2"; - -message GetTokenReqRaw { - required bytes signature = 1; - required bytes key = 2; - required bytes attributes = 3; - required uint32 timeout = 9; -} - -message GetTokenReq { - required GetTokenReqRaw req = 3; -} - -message GetTokenRetRaw { - required int32 error = 1; - optional bytes token = 2; -} - -message GetTokenRet { - required GetTokenRetRaw ret = 3; -} diff --git a/python/graminelibos/meson.build b/python/graminelibos/meson.build index 1722104526..c2a857b436 100644 --- a/python/graminelibos/meson.build +++ b/python/graminelibos/meson.build @@ -27,18 +27,7 @@ if enable_tests endif if sgx - if sgx_driver == 'oot' - aesm_pb2 = custom_target('aesm_pb2.py', - input: 'aesm.proto', - output: 'aesm_pb2.py', - command: [protoc_prog, '@INPUT@', '--python_out=@OUTDIR@', '--proto_path=@CURRENT_SOURCE_DIR@'], - install: true, - install_dir: python3_pkgdir, - ) - endif - python_src += [ - 'sgx_get_token.py', 'sgx_sign.py', 'sigstruct.py', ] diff --git a/python/graminelibos/sgx_get_token.py b/python/graminelibos/sgx_get_token.py deleted file mode 100644 index 1e71c9d0a0..0000000000 --- a/python/graminelibos/sgx_get_token.py +++ /dev/null @@ -1,138 +0,0 @@ -# SPDX-License-Identifier: LGPL-3.0-or-later -# Copyright (C) 2021 Intel Corporation -# Borys PopÅ‚awski - -import hashlib -import socket -import struct - -import _graminelibos_offsets as offs # pylint: disable=import-error - -def get_optional_sgx_features(sig): - '''Set optional SGX features if they are available on this machine.''' - optional_sgx_features = { - offs.SGX_XFRM_AVX: 'avx', - offs.SGX_XFRM_AVX512: 'avx512f', - offs.SGX_XFRM_MPX: 'mpx', - offs.SGX_XFRM_PKRU: 'pku', # "pku" is not a typo, that's how cpuinfo reports it - offs.SGX_XFRM_AMX: 'amx_tile', - } - - cpu_features = '' - with open('/proc/cpuinfo', 'r') as file: - for line in file: - if line.startswith('flags'): - cpu_features = line.split(':')[1].strip().split() - break - else: - raise Exception('Failed to parse CPU flags') - - xfrms = sig['attribute_xfrms'] - xfrmmask = sig['attribute_xfrm_mask'] - - new_xfrms = xfrms - for (bits, feature) in optional_sgx_features.items(): - # check if SIGSTRUCT.ATTRIBUTEMASK.XFRM doesn't care whether an optional CPU feature is - # enabled or not (XFRM mask should completely unset these bits); set these CPU features as - # enabled if so and if the current system supports these features (for performance) - if bits & xfrmmask == 0 and feature in cpu_features: - new_xfrms |= bits - - return new_xfrms - -def is_oot(): - '''Check if we're dealing with OOT driver.''' - return hasattr(offs, 'CONFIG_SGX_DRIVER_OOT') - -def p64(x): - return x.to_bytes(8, byteorder='little') - -def connect_aesmd(mrenclave, modulus, flags, xfrms): - '''Connect with AESMD.''' - - from . import aesm_pb2 # pylint: disable=import-error,no-name-in-module,import-outside-toplevel - - req_msg = aesm_pb2.GetTokenReq() - req_msg.req.signature = mrenclave - req_msg.req.key = modulus - req_msg.req.attributes = p64(flags) + p64(xfrms) - req_msg.req.timeout = 10000 - - req_msg_raw = req_msg.SerializeToString() - - aesm_service = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) - - # Try to connect to all possible interfaces exposed by aesm service - connections = ( - '/var/run/aesmd/aesm.socket', # named socket (for PSW 1.8+) - '\0sgx_aesm_socket_base' + '\0' * 87 # unnamed socket (for PSW 1.6/1.7) - ) - - for conn in connections: - try: - aesm_service.connect(conn) - except socket.error: - continue - break - else: - raise socket.error('Cannot connect to the AESMD service') - - aesm_service.send(struct.pack('&2 -fi - CMD=("${ENVS[@]}") CMD+=("${PREFIX[@]}") diff --git a/tools/meson.build b/tools/meson.build index 902a949e13..70e573cc38 100644 --- a/tools/meson.build +++ b/tools/meson.build @@ -21,7 +21,6 @@ if direct '-D', 'HOST_PAL_PATH=@0@'.format(hostpalpath_direct), '-D', 'LIBPAL_PATH=@0@'.format(hostpalpath_direct / 'libpal.so'), '-D', 'PAL_CMD=@0@'.format(hostpalpath_direct / 'loader'), - '-D', 'CONFIG_SGX_DRIVER=', '@INPUT@', '@OUTPUT@', ], @@ -45,7 +44,6 @@ if sgx '-D', 'HOST_PAL_PATH=@0@'.format(hostpalpath_linux_sgx), '-D', 'LIBPAL_PATH=@0@'.format(hostpalpath_linux_sgx / 'libpal.so'), '-D', 'PAL_CMD=@0@'.format(get_option('prefix') / pkglibdir / 'sgx' / 'loader'), - '-D', 'CONFIG_SGX_DRIVER=@0@'.format(sgx_driver), '@INPUT@', '@OUTPUT@', ], diff --git a/tools/sgx/is-sgx-available/is_sgx_available.cpp b/tools/sgx/is-sgx-available/is_sgx_available.cpp index da95dc4068..52f0a5a734 100644 --- a/tools/sgx/is-sgx-available/is_sgx_available.cpp +++ b/tools/sgx/is-sgx-available/is_sgx_available.cpp @@ -178,9 +178,7 @@ class SgxCpuChecker { }; bool sgx_driver_loaded() { - return file_exists("/dev/isgx") // LKM version - || file_exists("/dev/sgx") // old in-kernel patchset (<= 5.10) or DCAP drivers - || file_exists("/dev/sgx_enclave"); // upstreamed drivers (>= 5.11) + return file_exists("/dev/sgx_enclave"); // upstreamed drivers (>= 5.11) } bool psw_installed() {