diff --git a/.ci/lib/stage-build-sgx.jenkinsfile b/.ci/lib/stage-build-sgx.jenkinsfile index 3f2d9c2600..b4c3d99c6b 100644 --- a/.ci/lib/stage-build-sgx.jenkinsfile +++ b/.ci/lib/stage-build-sgx.jenkinsfile @@ -18,19 +18,12 @@ stage('build') { # test the build with the DCAP driver v1.6 and clean up afterwards cd "$WORKSPACE" - - ISGX_DRIVER_PATH=/opt/intel/SGXDataCenterAttestationPrimitives/driver/linux \ - make ${MAKEOPTS} -C Pal/src/host/Linux-SGX/sgx-driver - make ${MAKEOPTS} - + make ${MAKEOPTS} ISGX_DRIVER_PATH=/opt/intel/SGXDataCenterAttestationPrimitives/driver/linux make ${MAKEOPTS} clean - make ${MAKEOPTS} -C Pal/src/host/Linux-SGX/sgx-driver distclean ''' sh ''' - ISGX_DRIVER_PATH=/opt/intel/linux-sgx-driver \ - make ${MAKEOPTS} -C Pal/src/host/Linux-SGX/sgx-driver - make ${MAKEOPTS} + make ${MAKEOPTS} ISGX_DRIVER_PATH=/opt/intel/linux-sgx-driver ''' try { diff --git a/.ci/run-pylint b/.ci/run-pylint index 5c4679bcdd..7699963555 100755 --- a/.ci/run-pylint +++ b/.ci/run-pylint @@ -18,7 +18,6 @@ find . -name \*.py \ -and -not -path ./LibOS/shim/test/ltp/build/\* \ -and -not -path ./LibOS/shim/test/ltp/install/\* \ -and -not -path ./Examples/pytorch/\* \ - -and -not -path ./Pal/src/host/Linux-SGX/sgx-driver/\* \ | sed 's/./\\&/g' \ | xargs "${PYLINT}" "$@" \ Pal/src/host/Linux-SGX/signer/pal-sgx-get-token \ diff --git a/.gitmodules b/.gitmodules index 6a395bee04..27e6d54987 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,6 +1,3 @@ -[submodule "Pal/src/host/Linux-SGX/sgx-driver"] - path = Pal/src/host/Linux-SGX/sgx-driver - url = https://github.com/oscarlab/graphene-sgx-driver.git [submodule "LibOS/shim/test/ltp/src"] path = LibOS/shim/test/ltp/src url = https://github.com/linux-test-project/ltp.git diff --git a/Documentation/building.rst b/Documentation/building.rst index 12f63e5d7d..d5a3f065f7 100644 --- a/Documentation/building.rst +++ b/Documentation/building.rst 
@@ -72,23 +72,24 @@ Run the following commands on Ubuntu to install SGX-related dependencies:: sudo apt install -y python3-pip sudo /usr/bin/pip3 install protobuf -2. Install the Linux kernel patched with FSGSBASE -""""""""""""""""""""""""""""""""""""""""""""""""" +2a. Install the Linux kernel patched with FSGSBASE +"""""""""""""""""""""""""""""""""""""""""""""""""" FSGSBASE is a feature in recent processors which allows direct access to the FS and GS segment base addresses. For more information about FSGSBASE and its benefits, see `this discussion `__. +FSGSBASE patchset was merged in 5.9. For older kernels it is available as +`separate patches `__. -Work is being done to include FSGSBASE enabling in the upstream Linux kernel. -Currently, the FSGSBASE enabling code is out-of-tree, requiring some patches to -the kernel. +The following instructions to patch and compile a Linux kernel with FSGSBASE +support below are written around Ubuntu 18.04 LTS (Bionic Beaver) with a Linux +5.4 LTS stable kernel but can be adapted for other distros as necessary. These +instructions ensure that the resulting kernel has FSGSBASE support and up to +date security mitigations. -Enabling FSGSBASE support requires building and installing a custom kernel with -backported patches. The instructions to patch and compile a Linux kernel with -FSGSBASE support below are written around Ubuntu 18.04 LTS (Bionic Beaver) with -a Linux 5.4 LTS stable kernel but can be adapted for other distros as necessary. -These instructions ensure that the resulting kernel has FSGSBASE support and up -to date security mitigations. +#. Clone the repository with patches:: + + git clone https://github.com/oscarlab/graphene-sgx-driver #. Setup a build environment for kernel development following `the instructions in the Ubuntu wiki `__. 
@@ -100,7 +101,7 @@ to date security mitigations. #. Apply the provided FSGSBASE patches to the kernel source tree:: - git am /Pal/src/host/Linux-SGX/sgx-driver/fsgsbase_patches/*.patch + git am /fsgsbase_patches/*.patch The conversation regarding this patchset can be found in the kernel mailing list archives `here @@ -126,6 +127,27 @@ these software packages may not work with recent Linux kernels like 5.4. We recommend to use commit ``b7ccf6f`` of the Intel SGX Linux Driver for Intel SGX DCAP and commit ``0e71c22`` of the Intel SGX SDK/PSW. +2b. Install the Graphene FSGSBASE driver (not for production) +""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" + +If you followed step 2a and installed the patched Linux kernel, skip this step. +Otherwise, you will need a Graphene-specific Linux driver that enables the +FSGSBASE feature available in recent processors. + +.. warning:: + + This module is a |~| quick-and-dirty hack with dangerous security hole + (allows unauthorized local privilege escalation). "Do not use for production" + is not a |~| joke. We use it only for testing on very old kernels where the + patchset does not apply cleanly. + +To install the Graphene FSGSBASE driver, run the following commands:: + + git clone https://github.com/oscarlab/graphene-sgx-driver + cd graphene-sgx-driver + make + sudo insmod gsgx.ko + 3. Generate signing keys """""""""""""""""""""""" 
@@ -158,22 +180,6 @@ download and install it from: - https://github.com/intel/SGXDataCenterAttestationPrimitives -5. Install the Graphene SGX driver (not for production) -""""""""""""""""""""""""""""""""""""""""""""""""""""""" - -If you followed step 1 and installed the patched Linux kernel, skip this step. -Otherwise, you will need a Graphene-specific Linux driver that enables the -FSGSBASE feature available in recent processors. - -To install the Graphene SGX driver, run the following commands:: - - git submodule update --init -- Pal/src/host/Linux-SGX/sgx-driver - cd Pal/src/host/Linux-SGX/sgx-driver - make - # the console will prompt you for the path to the Intel SGX driver code - # (simply press ENTER if you use the in-kernel Intel SGX driver) - sudo insmod gsgx.ko - Building ^^^^^^^^ diff --git a/Documentation/cloud-deployment.rst b/Documentation/cloud-deployment.rst index e9ab4bbec0..76f575dc68 100644 --- a/Documentation/cloud-deployment.rst +++ b/Documentation/cloud-deployment.rst @@ -40,7 +40,6 @@ Building git clone https://github.com/oscarlab/graphene.git cd graphene - git submodule update --init -- Pal/src/host/Linux-SGX/sgx-driver/ #. Prepare the signing keys:: diff --git a/Documentation/quickstart.rst b/Documentation/quickstart.rst index 33672d944d..393b98c5f3 100644 --- a/Documentation/quickstart.rst +++ b/Documentation/quickstart.rst @@ -55,7 +55,6 @@ second command should list the process status of :command:`aesm_service`. git clone https://github.com/oscarlab/graphene.git cd graphene - git submodule update --init -- Pal/src/host/Linux-SGX/sgx-driver/ export GRAPHENE_DIR=$PWD #. Prepare a signing key:: diff --git a/LICENSE.addendum.txt b/LICENSE.addendum.txt index c07efef9e1..d261fddcc1 100644 --- a/LICENSE.addendum.txt +++ b/LICENSE.addendum.txt 
@@ -1,9 +1,5 @@ Graphene itself is licensed under the LGPL-3.0-or-later. -Graphene on an SGX host requires a kernel driver (in -Pal/src/host/Linux-SGX/sgx-driver), which is separately licensed under -the GPL. - Graphene also includes the following third party sources (and licenses): mbedtls crypto libraries - Apache 2.0 diff --git a/Pal/Makefile b/Pal/Makefile index 7391ebab14..6c224ba75d 100644 --- a/Pal/Makefile +++ b/Pal/Makefile @@ -33,7 +33,6 @@ format: -path ./src/host/Linux-SGX/tools/common/cJSON.h -prune -o \ -path ./src/host/Linux-SGX/tools/common/cJSON-*/cJSON.c -prune -o \ -path ./src/host/Linux-SGX/tools/common/cJSON-*/cJSON.h -prune -o \ - -path ./src/host/Linux-SGX/sgx-driver -prune -o \ \( -name '*.h' -o -name '*.c' \) -print) .PHONY: distclean diff --git a/Pal/src/host/Linux-SGX/.gitignore b/Pal/src/host/Linux-SGX/.gitignore index 46d88ca1e6..089e45bd5b 100644 --- a/Pal/src/host/Linux-SGX/.gitignore +++ b/Pal/src/host/Linux-SGX/.gitignore @@ -1,6 +1,7 @@ /asm-offsets.h /generated-offsets.s /generated_offsets.py +/gsgx.h /pal-sgx /quote/aesm.pb-c.c /quote/aesm.pb-c.h diff --git a/Pal/src/host/Linux-SGX/Makefile b/Pal/src/host/Linux-SGX/Makefile index ef8007c1b9..24cdedb251 100644 --- a/Pal/src/host/Linux-SGX/Makefile +++ b/Pal/src/host/Linux-SGX/Makefile @@ -14,8 +14,7 @@ CFLAGS += \ -I../../../include/lib \ -I../../../lib/crypto/mbedtls/include \ -I../../../lib/crypto/mbedtls/crypto/include \ - -Iprotected-files \ - -Isgx-driver + -Iprotected-files # Some of the code uses alignof on expressions, which is a GNU extension. # Silence Clang - it complains but does support it. @@ -89,7 +88,7 @@ urts-asm-objs = sgx_entry.o graphene_lib = .lib/graphene-lib.a .PHONY: all -all: sgx-driver/sgx.h $(host_files) tools +all: gsgx.h $(host_files) tools libpal-Linux-SGX.a: $(enclave-objs) $(enclave-asm-objs) $(call cmd,ar_a_o) 
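Review bot: On the `all: gsgx.h $(host_files) tools` line, gsgx.h is ordered only as a sibling prerequisite of `all`, so under `make -j` an object whose source includes it can start compiling before the header has been generated. db_misc.c and generated-offsets.c both gain `#include "gsgx.h"` in this commit. Unless a rule outside these hunks already orders this, those objects should name the header as a prerequisite themselves, in the style of the existing `enclave_entry.o sgx_entry.o: asm-offsets.h` line. The Dockerfiles touched by this commit build with `make -s -j4`, and a first build has no .d files to supply the dependency.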
@@ -138,8 +137,8 @@ gdb_integration/sgx_gdb.so: gdb_integration/sgx_gdb.c enclave_entry.o sgx_entry.o: asm-offsets.h -sgx-driver/sgx.h: - $(MAKE) -C sgx-driver $(notdir $@) +gsgx.h: gsgx.h.in + ./link-intel-driver.py < $< > $@ ifeq ($(filter %clean,$(MAKECMDGOALS)),) include $(wildcard *.d) $(wildcard gdb_integration/*.d) @@ -154,6 +153,7 @@ tools: CLEAN_FILES += $(notdir $(pal_static) $(pal_lib) $(pal_loader)) CLEAN_FILES += gdb_integration/sgx_gdb.so CLEAN_FILES += quote/aesm.pb-c.c quote/aesm.pb-c.h quote/aesm.pb-c.d quote/aesm.pb-c.o +CLEAN_FILES += gsgx.h .PHONY: clean_ clean_: @@ -163,12 +163,10 @@ clean_: .PHONY: clean clean: clean_ - $(MAKE) -C sgx-driver $@ $(MAKE) -C tools $@ .PHONY: distclean distclean: clean_ - $(MAKE) -C sgx-driver $@ $(MAKE) -C tools $@ .PHONY: test diff --git a/Pal/src/host/Linux-SGX/db_misc.c b/Pal/src/host/Linux-SGX/db_misc.c index 0a3f6bc300..2d079b21ba 100644 --- a/Pal/src/host/Linux-SGX/db_misc.c +++ b/Pal/src/host/Linux-SGX/db_misc.c @@ -18,12 +18,7 @@ #include "pal_linux.h" #include "pal_linux_defs.h" #include "pal_security.h" -/* sgx.h is required to define SGX_DCAP, - * and doesn't have a definition for __packed */ -#ifndef __packed -#define __packed __attribute__((packed)) -#endif -#include "sgx.h" +#include "gsgx.h" #include "sgx_api.h" #include "sgx_attest.h" #include "toml.h" diff --git a/Pal/src/host/Linux-SGX/generated-offsets.c b/Pal/src/host/Linux-SGX/generated-offsets.c index 50c74940ca..92566243c7 100644 --- a/Pal/src/host/Linux-SGX/generated-offsets.c +++ b/Pal/src/host/Linux-SGX/generated-offsets.c @@ -11,12 +11,7 @@ #include "sgx_arch.h" #include "sgx_tls.h" -/* sgx.h header from the Intel SGX driver assumes that `__packed` macro was defined */ -#ifndef __packed -#define __packed __attribute__((packed)) -#endif -#include "sgx.h" -#undef __packed +#include "gsgx.h" __attribute__((__used__)) static void dummy(void) { /* defines in sgx_arch.h */ 
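Review bot: In the new `gsgx.h: gsgx.h.in` rule, the recipe `./link-intel-driver.py < $< > $@` lets the shell create gsgx.h before the script runs, so a failed run leaves an empty header behind. The script exits with status 1 when ISGX_DRIVER_PATH is unset or no driver header is found, and the empty file is then newer than gsgx.h.in and counts as up to date on the next run, unless `.DELETE_ON_ERROR:` is set outside this hunk. Writing to a temporary name avoids that: `./link-intel-driver.py < $< > $@.tmp && mv -f $@.tmp $@`. The generated header also fixes the driver header path, the device node and `SGX_DCAP`, which together select the ioctl structures Graphene is compiled against, yet the rule depends only on gsgx.h.in. Adding `link-intel-driver.py` as a prerequisite, and a comment that changing ISGX_DRIVER_PATH needs a `make clean` first (as the Jenkins stage does), would prevent a build against a stale driver choice.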
@@ -180,7 +175,4 @@ __attribute__((__used__)) static void dummy(void) { #ifdef SGX_DCAP DEFINE(SGX_DCAP, SGX_DCAP); #endif -#ifdef SGX_DCAP_16_OR_LATER - DEFINE(SGX_DCAP_16_OR_LATER, SGX_DCAP_16_OR_LATER); -#endif } diff --git a/Pal/src/host/Linux-SGX/gsgx.h.in b/Pal/src/host/Linux-SGX/gsgx.h.in new file mode 100644 index 0000000000..7c3beac183 --- /dev/null +++ b/Pal/src/host/Linux-SGX/gsgx.h.in @@ -0,0 +1,55 @@ +/* SPDX-License-Identifier: LGPL-3.0-or-later */ +/* (C) Copyright 2020 Intel Corporation + * Dmitrii Kuvaiskii + */ + +#ifndef __ARCH_GSGX_H__ +#define __ARCH_GSGX_H__ + +#ifndef __packed +#define __packed __attribute__((packed)) +#endif + +#include +#include + +#include "@DRIVER_SGX_H@" + +#define GSGX_FILE "/dev/gsgx" + +/* Graphene needs the below subset of SGX instructions' return values */ +#ifndef SGX_INVALID_SIG_STRUCT +#define SGX_INVALID_SIG_STRUCT 1 +#endif + +#ifndef SGX_INVALID_ATTRIBUTE +#define SGX_INVALID_ATTRIBUTE 2 +#endif + +#ifndef SGX_INVALID_MEASUREMENT +#define SGX_INVALID_MEASUREMENT 4 +#endif + +#ifndef SGX_INVALID_SIGNATURE +#define SGX_INVALID_SIGNATURE 8 +#endif + +#ifndef SGX_INVALID_EINITTOKEN +#define SGX_INVALID_EINITTOKEN 16 +#endif + +#ifndef SGX_INVALID_CPUSVN +#define SGX_INVALID_CPUSVN 32 +#endif + +/* SGX_INVALID_LICENSE was renamed to SGX_INVALID_EINITTOKEN in SGX driver 2.1: + * https://github.com/intel/linux-sgx-driver/commit/a7997dafe184d7d527683d8d46c4066db205758d */ +#ifndef SGX_INVALID_LICENSE +#define SGX_INVALID_LICENSE SGX_INVALID_EINITTOKEN +#endif + +#define ISGX_FILE "@ISGX_FILE@" + +@DEFINE_DCAP@ + +#endif /* __ARCH_GSGX_H__ */ diff --git a/Pal/src/host/Linux-SGX/link-intel-driver.py b/Pal/src/host/Linux-SGX/link-intel-driver.py new file mode 100755 index 0000000000..3f30b6690e --- /dev/null +++ b/Pal/src/host/Linux-SGX/link-intel-driver.py 
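Review bot: gsgx.h.in has no comment saying that it is a template expanded by link-intel-driver.py, or what `@DRIVER_SGX_H@`, `@ISGX_FILE@` and `@DEFINE_DCAP@` are replaced with. A short header comment should name the script and the three placeholders, and note that the generated gsgx.h embeds an absolute, machine-specific include path and is build output only. The `__packed` fallback defined before the driver include is also never undefined, so it is now visible in every file that includes gsgx.h, whereas the code removed from generated-offsets.c did `#undef __packed` after the include. If leaving it defined is deliberate, a one-line comment should say so.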
@@ -0,0 +1,74 @@ +#!/usr/bin/env python3 + +import os +import string +import sys + +DRIVER_VERSIONS = { + 'sgx_user.h': '/dev/isgx', + 'include/uapi/asm/sgx_oot.h': '/dev/sgx/enclave', + 'sgx_in_kernel.h': '/dev/sgx/enclave', +} + +def find_intel_sgx_driver(isgx_driver_path): + ''' + Graphene only needs one header from the Intel SGX Driver: + - sgx_user.h for non-DCAP, older version of the driver + (https://github.com/intel/linux-sgx-driver) + - include/uapi/asm/sgx_oot.h for DCAP 1.6+ version of the driver + (https://github.com/intel/SGXDataCenterAttestationPrimitives) + - default sgx_in_kernel.h for in-kernel 32+ version of the driver + (https://lore.kernel.org/linux-sgx/20200716135303.276442-1-jarkko.sakkinen@linux.intel.com) + + This function returns the required header from the SGX driver. + ''' + for header_path, dev_path in DRIVER_VERSIONS.items(): + abs_header_path = os.path.abspath(os.path.join(isgx_driver_path, header_path)) + if os.path.exists(abs_header_path): + return abs_header_path, dev_path + + print('Could not find the header from the Intel SGX Driver (ISGX_DRIVER_PATH={!r})'.format( + isgx_driver_path), file=sys.stderr) + sys.exit(1) + +class MesonTemplate(string.Template): + pattern = ''' + @(?: + (?P@) | + (?P[A-Za-z0-9_]+)@ | + (?P[A-Za-z0-9_]+)@ | + (?P) + ) + ''' + +def main(): + ''' + Find and copy header/device paths from Intel SGX Driver + ''' + try: + isgx_driver_path = os.environ['ISGX_DRIVER_PATH'] + except KeyError: + print( + 'ISGX_DRIVER_PATH environment variable is undefined. 
You can define\n' + 'ISGX_DRIVER_PATH="" to use the default in-kernel driver\'s C header.', + file=sys.stderr) + sys.exit(1) + + if not isgx_driver_path: + # user did not specify any driver path, use default in-kernel driver's C header + isgx_driver_path = os.path.dirname(os.path.abspath(__file__)) + + header_path, dev_path = find_intel_sgx_driver(isgx_driver_path) + + with sys.stdin: + template = MesonTemplate(sys.stdin.read()) + + sys.stdout.write(template.safe_substitute( + DRIVER_SGX_H=header_path, + ISGX_FILE=dev_path, + DEFINE_DCAP=('#define SGX_DCAP 1' if dev_path == '/dev/sgx/enclave' else '') + )) + + +if __name__ == '__main__': + main() diff --git a/Pal/src/host/Linux-SGX/sgx-driver b/Pal/src/host/Linux-SGX/sgx-driver deleted file mode 160000 index 4386dbeb12..0000000000 --- a/Pal/src/host/Linux-SGX/sgx-driver +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 4386dbeb1260d8743ea3a5fbe4fc5fd61322008c diff --git a/Pal/src/host/Linux-SGX/sgx_framework.c b/Pal/src/host/Linux-SGX/sgx_framework.c index dd18191651..47ec24a754 100644 --- a/Pal/src/host/Linux-SGX/sgx_framework.c +++ b/Pal/src/host/Linux-SGX/sgx_framework.c @@ -146,7 +146,7 @@ int create_enclave(sgx_arch_secs_t* secs, sgx_arch_token_t* token) { uint64_t request_mmap_addr = secs->base; uint64_t request_mmap_size = secs->size; -#ifdef SGX_DCAP_16_OR_LATER +#ifdef SGX_DCAP /* newer DCAP/in-kernel SGX drivers allow starting enclave address space with non-zero; * the below trick to start from DEFAULT_HEAP_MIN is to avoid vm.mmap_min_addr==0 issue */ if (request_mmap_addr < DEFAULT_HEAP_MIN) { @@ -157,7 +157,7 @@ int create_enclave(sgx_arch_secs_t* secs, sgx_arch_token_t* token) { uint64_t addr = INLINE_SYSCALL(mmap, 6, request_mmap_addr, request_mmap_size, PROT_NONE, /* newer DCAP driver requires such initial mmap */ -#ifdef SGX_DCAP_16_OR_LATER +#ifdef SGX_DCAP MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); #else MAP_FIXED | MAP_SHARED, g_isgx_device, 0); 
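Review bot: In `main()`, `header_path` is substituted into `#include "@DRIVER_SGX_H@"` exactly as derived from ISGX_DRIVER_PATH, so a path containing a double quote or a newline yields a malformed gsgx.h or extra preprocessor lines in it. The script should reject such characters before substituting and exit with the same kind of stderr message it already uses. `safe_substitute` also leaves an unknown or misspelled `@NAME@` placeholder in the output untouched, where `template.substitute(...)` would fail at generation time rather than later in the C compile. In `find_intel_sgx_driver`, the result depends on the insertion order of `DRIVER_VERSIONS` and on `os.path.exists`, so a tree holding more than one of the listed names, or a directory with one of those names, silently takes the first match. Using `os.path.isfile` and adding a comment on the intended precedence would make the choice explicit.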
@@ -260,7 +260,7 @@ int add_pages_to_enclave(sgx_arch_secs_t* secs, void* addr, void* user_addr, uns SGX_DBG(DBG_I, "adding pages to enclave: %p-%p [%s:%s] (%s)%s\n", addr, addr + size, t, p, comment, m); -#ifdef SGX_DCAP_16_OR_LATER +#ifdef SGX_DCAP if (!user_addr && g_zero_pages_size < size) { /* not enough contigious zero pages to back up enclave pages, allocate more */ /* TODO: this logic can be removed if we introduce a size cap in ENCLAVE_ADD_PAGES ioctl */ @@ -355,7 +355,7 @@ int add_pages_to_enclave(sgx_arch_secs_t* secs, void* addr, void* user_addr, uns SGX_DBG(DBG_I, "Changing protections of EADDed pages returned %d\n", ret); return -ERRNO(ret); } -#endif /* SGX_DCAP_16_OR_LATER */ +#endif /* SGX_DCAP */ return 0; } @@ -372,7 +372,7 @@ int init_enclave(sgx_arch_secs_t* secs, sgx_arch_enclave_css_t* sigstruct, SGX_DBG(DBG_I, " mr_enclave: %s\n", ALLOCA_BYTES2HEXSTR(sigstruct->body.enclave_hash.m)); struct sgx_enclave_init param = { -#ifndef SGX_DCAP_16_OR_LATER +#ifndef SGX_DCAP .addr = enclave_valid_addr, #endif .sigstruct = (uint64_t)sigstruct, diff --git a/Pal/src/host/Linux-SGX/sgx_in_kernel.h b/Pal/src/host/Linux-SGX/sgx_in_kernel.h new file mode 100644 index 0000000000..f14c2a03cf --- /dev/null +++ b/Pal/src/host/Linux-SGX/sgx_in_kernel.h 
@@ -0,0 +1,121 @@ +/* SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause) WITH Linux-syscall-note */ +/* + * Copyright(c) 2016-19 Intel Corporation. + */ + +/* TODO: Graphene must remove this file after Intel SGX driver is upstreamed + * and this header is distributed with the system. This header was tested + * with driver versions 32 and 36, it *may* be out of sync with newer + * versions. If possible, use the header found on the system instead of + * this one. */ + +#ifndef _UAPI_ASM_X86_SGX_H +#define _UAPI_ASM_X86_SGX_H + +#include +#include + +/** + * enum sgx_epage_flags - page control flags + * %SGX_PAGE_MEASURE: Measure the page contents with a sequence of + * ENCLS[EEXTEND] operations. + */ +enum sgx_page_flags { + SGX_PAGE_MEASURE = 0x01, +}; + +#define SGX_MAGIC 0xA4 + +#define SGX_IOC_ENCLAVE_CREATE \ + _IOW(SGX_MAGIC, 0x00, struct sgx_enclave_create) +#define SGX_IOC_ENCLAVE_ADD_PAGES \ + _IOWR(SGX_MAGIC, 0x01, struct sgx_enclave_add_pages) +#define SGX_IOC_ENCLAVE_INIT \ + _IOW(SGX_MAGIC, 0x02, struct sgx_enclave_init) +#define SGX_IOC_ENCLAVE_SET_ATTRIBUTE \ + _IOW(SGX_MAGIC, 0x03, struct sgx_enclave_set_attribute) + +/** + * struct sgx_enclave_create - parameter structure for the + * %SGX_IOC_ENCLAVE_CREATE ioctl + * @src: address for the SECS page data + */ +struct sgx_enclave_create { + __u64 src; +}; + +/** + * struct sgx_enclave_add_pages - parameter structure for the + * %SGX_IOC_ENCLAVE_ADD_PAGE ioctl + * @src: start address for the page data + * @offset: starting page offset + * @length: length of the data (multiple of the page size) + * @secinfo: address for the SECINFO data + * @flags: page control flags + * @count: number of bytes added (multiple of the page size) + */ +struct sgx_enclave_add_pages { + __u64 src; + __u64 offset; + __u64 length; + __u64 secinfo; + __u64 flags; + __u64 count; +}; + +/** + * struct sgx_enclave_init - parameter structure for the + * %SGX_IOC_ENCLAVE_INIT ioctl + * @sigstruct: address for the SIGSTRUCT data + */ 
+struct sgx_enclave_init { + __u64 sigstruct; +}; + +/** + * struct sgx_enclave_set_attribute - parameter structure for the + * %SGX_IOC_ENCLAVE_SET_ATTRIBUTE ioctl + * @attribute_fd: file handle of the attribute file in the securityfs + */ +struct sgx_enclave_set_attribute { + __u64 attribute_fd; +}; + +/** + * struct sgx_enclave_exception - structure to report exceptions encountered in + * __vdso_sgx_enter_enclave() + * + * @leaf: ENCLU leaf from \%eax at time of exception + * @trapnr: exception trap number, a.k.a. fault vector + * @error_code: exception error code + * @address: exception address, e.g. CR2 on a #PF + * @reserved: reserved for future use + */ +struct sgx_enclave_exception { + __u32 leaf; + __u16 trapnr; + __u16 error_code; + __u64 address; + __u64 reserved[2]; +}; + +/** + * typedef sgx_enclave_exit_handler_t - Exit handler function accepted by + * __vdso_sgx_enter_enclave() + * + * @rdi: RDI at the time of enclave exit + * @rsi: RSI at the time of enclave exit + * @rdx: RDX at the time of enclave exit + * @ursp: RSP at the time of enclave exit (untrusted stack) + * @r8: R8 at the time of enclave exit + * @r9: R9 at the time of enclave exit + * @tcs: Thread Control Structure used to enter enclave + * @ret: 0 on success (EEXIT), -EFAULT on an exception + * @e: Pointer to struct sgx_enclave_exception (as provided by caller) + */ +typedef int (*sgx_enclave_exit_handler_t)(long rdi, long rsi, long rdx, + long ursp, long r8, long r9, + void *tcs, int ret, + struct sgx_enclave_exception *e); + +#endif /* _UAPI_ASM_X86_SGX_H */ diff --git a/Tools/gsc/images/graphene_aks.latest.dockerfile b/Tools/gsc/images/graphene_aks.latest.dockerfile index 96903623d7..4dcb3afac6 100644 --- a/Tools/gsc/images/graphene_aks.latest.dockerfile +++ b/Tools/gsc/images/graphene_aks.latest.dockerfile 
@@ -21,19 +21,18 @@ RUN git clone https://github.com/oscarlab/graphene.git /graphene # Init submodules RUN cd /graphene \ && git fetch origin master \ - && git checkout master \ - && git submodule update --init -- Pal/src/host/Linux-SGX/sgx-driver/ + && git checkout master # Create SGX driver for header files -RUN cd /graphene/Pal/src/host/Linux-SGX/sgx-driver \ +RUN cd /graphene/Pal/src/host/Linux-SGX \ && git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git linux-sgx-driver \ && cd linux-sgx-driver \ && git checkout DCAP_1.7 && cp -r driver/linux/* . # Build Graphene-SGX -RUN cd /graphene && ISGX_DRIVER_PATH=/graphene/Pal/src/host/Linux-SGX/sgx-driver/linux-sgx-driver \ +RUN cd /graphene && ISGX_DRIVER_PATH=/graphene/Pal/src/host/Linux-SGX/linux-sgx-driver \ make -s -j4 SGX=1 WERROR=1 \ - && true + && true # Translate runtime symlinks to files RUN for f in $(find /graphene/Runtime -type l); do cp --remove-destination $(realpath $f) $f; done diff --git a/Tools/gsc/templates/Dockerfile.ubuntu18.04.compile.template b/Tools/gsc/templates/Dockerfile.ubuntu18.04.compile.template index 2fa0848290..115d6ffb1a 100644 --- a/Tools/gsc/templates/Dockerfile.ubuntu18.04.compile.template +++ b/Tools/gsc/templates/Dockerfile.ubuntu18.04.compile.template 
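Review bot: The `# Init submodules` comment above the first RUN is stale now that the `git submodule update` step has been removed, because the step only fetches and checks out a branch. Something like `# Check out the branch to build` describes it, and the same applies to the identical comment in Tools/gsc/templates/Dockerfile.ubuntu18.04.compile.template. The `# Create SGX driver for header files` comment could also say that the driver tree is now cloned directly under Pal/src/host/Linux-SGX, since ISGX_DRIVER_PATH in the build step has to match that location. As a separate hardening point, `git checkout master` and `git checkout DCAP_1.7` both follow movable refs, so the image contents are not reproducible; pinning each to a commit hash would fix what gets built.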
@@ -21,20 +21,18 @@ RUN git clone {{Graphene.Repository}} /graphene # Init submodules RUN cd /graphene \ && git fetch origin {{Graphene.Branch}} \ - && git checkout {{Graphene.Branch}} \ - && git submodule update --init -- Pal/src/host/Linux-SGX/sgx-driver/ + && git checkout {{Graphene.Branch}} # Create SGX driver for header files -RUN cd /graphene/Pal/src/host/Linux-SGX/sgx-driver \ +RUN cd /graphene/Pal/src/host/Linux-SGX \ && git clone {{SGXDriver.Repository}} linux-sgx-driver \ && cd linux-sgx-driver \ && git checkout {{SGXDriver.Branch}} # Build Graphene-SGX -RUN cd /graphene && ISGX_DRIVER_PATH=/graphene/Pal/src/host/Linux-SGX/sgx-driver/linux-sgx-driver \ +RUN cd /graphene && ISGX_DRIVER_PATH=/graphene/Pal/src/host/Linux-SGX/linux-sgx-driver \ make -s -j4 SGX=1 {% if debug %} DEBUG=1 {% endif %}WERROR=1 \ {% if linux %} && make -s -j4 WERROR=1{% if debug %} DEBUG=1{% endif %}{% else %} && true{%endif %} # Translate runtime symlinks to files RUN for f in $(find /graphene/Runtime -type l); do cp --remove-destination $(realpath $f) $f; done -