Merge branch 'feature/consolidate-shared-headers' into feature/structs

.github/workflows/main.yml

@@ -195,33 +195,7 @@ jobs:
         run: |
           sudo apt-get -y update && sudo apt-get -y install ccache
 
-      # First, fetch the caches themselves. We need both the base cache that
-      # was used as well as the overlay caches. Note that the base caches may
-      # fail, which is okay.
-      - name: Restore buildroot packages
-        uses: actions/cache/restore@v3
-        with:
-          path: dl.tar
-          key: ${{ needs.build.outputs.buildroot-dl-matched-key }}
-
-      - name: Restore ccache
-        uses: actions/cache/restore@v3
-        with:
-          path: ccache.tar.xz
-          key: ${{ needs.build.outputs.ccache-matched-key }}
-
-      - name: Prepare output directories
-        run: |
-          rm -rf buildroot/dl buildroot-ccache
-          mkdir -p buildroot/dl/ buildroot-ccache/
-          if [[ -f dl.tar ]]; then
-            tar -xf dl.tar -C buildroot
-          fi
-
-          if [[ -f ccache.tar.xz ]]; then
-            tar -xf ccache.tar.xz
-          fi
-
+      # Fetch new cache changes from this workflow run, if any
       - name: Fetch updated buildroot packages
         uses: actions/download-artifact@v4
         with:
@@ -232,7 +206,6 @@ jobs:
         with:
           pattern: keystone-*-ccache
 
-      # Then, combine the caches
       - name: Check which caches to update
         id: check-caches
         run: |
@@ -256,6 +229,32 @@ jobs:
             touch .update-ccache
           fi
 
+      - name: Restore buildroot packages
+        uses: actions/cache/restore@v3
+        if: ${{ steps.check-caches.outputs.BUILDROOT_DL_UPDATE == 'true' }}
+        with:
+          path: dl.tar
+          key: ${{ needs.build.outputs.buildroot-dl-matched-key }}
+
+      - name: Restore ccache
+        uses: actions/cache/restore@v3
+        if: ${{ steps.check-caches.outputs.BUILDROOT_CCACHE_UPDATE == 'true' }}
+        with:
+          path: ccache.tar.xz
+          key: ${{ needs.build.outputs.ccache-matched-key }}
+
+      - name: Prepare output directories
+        run: |
+          rm -rf buildroot/dl buildroot-ccache
+          mkdir -p buildroot/dl/ buildroot-ccache/
+          if [[ -f dl.tar ]]; then
+            tar -xf dl.tar -C buildroot
+          fi
+
+          if [[ -f ccache.tar.xz ]]; then
+            tar -xf ccache.tar.xz
+          fi
+
       - name: Merge caches
         run: |
           if [[ -f .update-buildroot-dl ]]; then
@@ -327,7 +326,7 @@ jobs:
     - name: Checkout Keystone
       uses: actions/checkout@v3
       with:
-        submodules: 'recursive'
+        submodules: 'true'
 
     - name: Run ctest
       run: |

.github/workflows/test-system.yml

@@ -38,7 +38,7 @@ jobs:
         screen -L -dmS qemu bash -c "make run 2>&1 | tee run.log"
 
         # TODO: check for connectivity instead of sleeping
-        sleep 20
+        sleep 60
 
         export CALL_LOGFILE=cmd.log
         echo "" > $CALL_LOGFILE

linux-keystone-driver/Makefile

@@ -8,6 +8,12 @@ ifneq ($(KERNELRELEASE),)
 		keystone-enclave.o \
 	  keystone-sbi.o
 	obj-m += keystone-driver.o
+
+ifeq ($(KEYSTONE_SDK_DIR),)
+    $(error KEYSTONE_SDK_DIR not defined)
+endif
+
+	ccflags-y := -I$(KEYSTONE_SDK_DIR)/include/shared
 else
 
 PWD := $(shell pwd)

linux-keystone-driver/keystone-sbi.c

@@ -1,25 +1,25 @@
 #include "keystone-sbi.h"
 
 struct sbiret sbi_sm_create_enclave(struct keystone_sbi_create_t* args) {
-  return sbi_ecall(KEYSTONE_SBI_EXT_ID,
+  return sbi_ecall(SBI_EXT_EXPERIMENTAL_KEYSTONE_ENCLAVE,
       SBI_SM_CREATE_ENCLAVE,
       (unsigned long) args, 0, 0, 0, 0, 0);
 }
 
 struct sbiret sbi_sm_run_enclave(unsigned long eid) {
-  return sbi_ecall(KEYSTONE_SBI_EXT_ID,
+  return sbi_ecall(SBI_EXT_EXPERIMENTAL_KEYSTONE_ENCLAVE,
       SBI_SM_RUN_ENCLAVE,
       eid, 0, 0, 0, 0, 0);
 }
 
 struct sbiret sbi_sm_destroy_enclave(unsigned long eid) {
-  return sbi_ecall(KEYSTONE_SBI_EXT_ID,
+  return sbi_ecall(SBI_EXT_EXPERIMENTAL_KEYSTONE_ENCLAVE,
       SBI_SM_DESTROY_ENCLAVE,
       eid, 0, 0, 0, 0, 0);
 }
 
 struct sbiret sbi_sm_resume_enclave(unsigned long eid) {
-  return sbi_ecall(KEYSTONE_SBI_EXT_ID,
+  return sbi_ecall(SBI_EXT_EXPERIMENTAL_KEYSTONE_ENCLAVE,
       SBI_SM_RESUME_ENCLAVE,
       eid, 0, 0, 0, 0, 0);
 }

linux-keystone-driver/keystone-sbi.h

@@ -6,33 +6,9 @@
 #define _KEYSTONE_SBI_
 
 #include "keystone_user.h"
-#include <asm/sbi.h>
-
-#define KEYSTONE_SBI_EXT_ID     0x08424b45
-#define SBI_SM_CREATE_ENCLAVE   2001
-#define SBI_SM_DESTROY_ENCLAVE  2002
-#define SBI_SM_RUN_ENCLAVE      2003
-#define SBI_SM_RESUME_ENCLAVE   2005
-
+#include "sm_call.h"
 
-struct keystone_sbi_pregion_t
-{
-  uintptr_t paddr;
-  size_t size;
-};
-
-struct keystone_sbi_create_t
-{
-  // Memory regions for the enclave
-  struct keystone_sbi_pregion_t epm_region;
-  struct keystone_sbi_pregion_t utm_region;
-
-  // physical addresses
-  uintptr_t runtime_paddr;
-  uintptr_t user_paddr;
-  uintptr_t free_paddr;
-  uintptr_t free_requested;
-};
+#include <asm/sbi.h>
 
 struct sbiret sbi_sm_create_enclave(struct keystone_sbi_create_t* args);
 struct sbiret sbi_sm_destroy_enclave(unsigned long eid);

overlays/keystone/boot/keystone-sm/Config.in

@@ -1,6 +1,7 @@
 config BR2_TARGET_KEYSTONE_SM
         bool "Keystone security monitor"
-	select BR2_TARGET_OPENSBI
+        select BR2_TARGET_OPENSBI
+        depends on BR2_PACKAGE_HOST_KEYSTONE_SDK
         help
           Keystone security monitor augmentations
           to OpenSBI

overlays/keystone/boot/keystone-sm/keystone-sm.mk

@@ -10,9 +10,12 @@ else
 include $(KEYSTONE)/mkutils/pkg-keystone.mk
 endif
 
-# Make OpenSBI depend on this build
-OPENSBI_DEPENDENCIES += keystone-sm
-$(OPENSBI_TARGET_CONFIGURE): keystone-sm-install
+# Make OpenSBI depend on this build, which depends on the SDK since it contains
+# the shared headers which specify the communication protocol between the host
+# <> kernel <> sm <> runtime <> eapp
+
+OPENSBI_DEPENDENCIES += keystone-sm host-keystone-sdk
+$(OPENSBI_TARGET_CONFIGURE): keystone-sm-install host-keystone-sdk-install
 
 # Point OpenSBI at the correct location of the SM sources
 OPENSBI_MAKE_ENV += PLATFORM_DIR=$(KEYSTONE_SM_BUILDDIR)/plat/

overlays/keystone/package/keystone-driver/Config.in

@@ -1,4 +1,5 @@
 config BR2_PACKAGE_KEYSTONE_DRIVER
         bool "Keystone driver"
+        depends on BR2_PACKAGE_HOST_KEYSTONE_SDK
         help
           Linux driver for the Keystone TEE system

overlays/keystone/package/keystone-driver/keystone-driver.mk

@@ -10,6 +10,8 @@ else
 include $(KEYSTONE)/mkutils/pkg-keystone.mk
 endif
 
+KEYSTONE_DRIVER_DEPENDENCIES += host-keystone-sdk
+
 $(eval $(keystone-package))
 $(eval $(kernel-module))
 $(eval $(generic-package))

overlays/keystone/package/keystone-runtime/Config.in

@@ -1,4 +1,5 @@
 config BR2_PACKAGE_KEYSTONE_RUNTIME
         bool "Keystone Eyrie runtime"
+        depends on BR2_PACKAGE_HOST_KEYSTONE_SDK
         help
           Eyrie runtime

overlays/keystone/package/keystone-sdk/keystone-sdk.mk

@@ -10,13 +10,17 @@ else
 include $(KEYSTONE)/mkutils/pkg-keystone.mk
 endif
 
-HOST_KEYSTONE_SDK_CONF_OPTS += -DKEYSTONE_SDK_DIR=$(HOST_DIR)/usr/share/keystone/sdk \
-                                 -DKEYSTONE_BITS=${KEYSTONE_BITS}
+# Export the variable below for any other keystone packages to use
+export KEYSTONE_SDK_DIR=$(HOST_DIR)/usr/share/keystone/sdk
 
+HOST_KEYSTONE_SDK_CONF_OPTS += -DKEYSTONE_SDK_DIR=$(KEYSTONE_SDK_DIR) \
+                                 -DKEYSTONE_BITS=${KEYSTONE_BITS}
 HOST_KEYSTONE_SDK_DEPENDENCIES += toolchain
 
-# Clean the examples too if we clean this package
-host-keystone-sdk-dirclean: keystone-examples-dirclean
+# Clean dependant packages if we clean this one
+host-keystone-sdk-dirclean: keystone-examples-dirclean \
+                                keystone-sm-dirclean \
+                                keystone-driver-dirclean
 
 $(eval $(host-keystone-package))
 $(eval $(host-cmake-package))

runtime/CMakeLists.txt

@@ -46,6 +46,7 @@ if(DEFINED EYRIE_SRCDIR)
 endif()
 
 include_directories(${KEYSTONE_SDK_DIR}/include/edge)
+include_directories(${KEYSTONE_SDK_DIR}/include/shared)
 include_directories(tmplib)
 include_directories(include)
 

runtime/call/sbi.c

@@ -2,8 +2,6 @@
 
 #include "mm/vm_defs.h"
 
-#define SBI_EXT_EXPERIMENTAL_KEYSTONE_ENCLAVE 0x08424b45
-
 #define SBI_CALL(___ext, ___which, ___arg0, ___arg1, ___arg2)    \
   ({                                                             \
     register uintptr_t a0 __asm__("a0") = (uintptr_t)(___arg0);  \

runtime/call/syscall.c

@@ -43,7 +43,7 @@ uintptr_t dispatch_edgecall_syscall(struct edge_syscall* syscall_data_ptr, size_
     return -1;
   }
 
-  ret = sbi_stop_enclave(1);
+  ret = sbi_stop_enclave(STOP_EDGE_CALL_HOST);
 
   if (ret != 0) {
     return -1;
@@ -92,7 +92,7 @@ uintptr_t dispatch_edgecall_ocall( unsigned long call_id,
     goto ocall_error;
   }
 
-  ret = sbi_stop_enclave(1);
+  ret = sbi_stop_enclave(STOP_EDGE_CALL_HOST);
 
   if (ret != 0) {
     goto ocall_error;

runtime/include/call/sbi.h

@@ -8,25 +8,7 @@
 #include <stdint.h>
 #include <stddef.h>
 
-#define SBI_SET_TIMER 0
-#define SBI_CONSOLE_PUTCHAR 1
-#define SBI_CONSOLE_GETCHAR 2
-
-#define SBI_SM_CREATE_ENCLAVE    2001
-#define SBI_SM_DESTROY_ENCLAVE   2002
-#define SBI_SM_RUN_ENCLAVE       2003
-#define SBI_SM_RESUME_ENCLAVE    2005
-#define SBI_SM_RANDOM            3001
-#define SBI_SM_ATTEST_ENCLAVE    3002
-#define SBI_SM_GET_SEALING_KEY   3003
-#define SBI_SM_STOP_ENCLAVE      3004
-#define SBI_SM_EXIT_ENCLAVE      3006
-#define SBI_SM_CALL_PLUGIN       4000
-
-/* Plugin IDs and Call IDs */
-#define SM_MULTIMEM_PLUGIN_ID   0x01
-#define SM_MULTIMEM_CALL_GET_SIZE 0x01
-#define SM_MULTIMEM_CALL_GET_ADDR 0x02
+#include "sm_call.h"
 
 void
 sbi_putchar(char c);

runtime/include/call/syscall.h

@@ -10,12 +10,7 @@
 #include "edge_syscall.h"
 #include "mm/vm.h"
 
-#define RUNTIME_SYSCALL_UNKNOWN             1000
-#define RUNTIME_SYSCALL_OCALL               1001
-#define RUNTIME_SYSCALL_SHAREDCOPY          1002
-#define RUNTIME_SYSCALL_ATTEST_ENCLAVE      1003
-#define RUNTIME_SYSCALL_GET_SEALING_KEY     1004
-#define RUNTIME_SYSCALL_EXIT                1101
+#include "eyrie_call.h"
 
 void handle_syscall(struct encl_ctx* ctx);
 void init_edge_internals(void);

runtime/test/CMakeLists.txt

@@ -9,6 +9,7 @@ include(AddCMockaTest)
 enable_testing()
 
 include_directories(../include)
+include_directories(../../sdk/include/shared/)
 
 add_cmocka_test(test_string SOURCES string.c COMPILE_OPTIONS -I${CMAKE_BINARY_DIR}/cmocka/include LINK_LIBRARIES cmocka)
 add_cmocka_test(test_merkle

scripts/ci/build-keystone.sh

@@ -42,7 +42,7 @@ mount -t overlay overlay \
 	-o lowerdir="$CCACHE_LOWER",upperdir="$CCACHE_UPPER",workdir="$CCACHE_WORK" \
 	"$PWD/buildroot-ccache"
 
-BUILDROOT_CCACHE="$PWD/buildroot-ccache" make -j$(nproc)
+BUILDROOT_CCACHE="$PWD/buildroot-ccache" make -j$(( 2 * $(nproc) ))
 
 EOF
 

scripts/ci/build-runtime.sh

@@ -33,4 +33,4 @@ cmake "$@" \
 	../runtime
 
 # Build
-make -j$(nproc)
+make -j$(( 2 * $(nproc) ))

sdk/include/app/syscall.h

@@ -8,13 +8,8 @@
 #include <stddef.h>
 #include <stdint.h>
 #include "sealing.h"
-/* TODO We should be syncing these more explictly with the runtime
-   defs */
-#define SYSCALL_OCALL 1001
-#define SYSCALL_SHAREDCOPY 1002
-#define SYSCALL_ATTEST_ENCLAVE 1003
-#define SYSCALL_GET_SEALING_KEY 1004
-#define SYSCALL_EXIT 1101
+
+#include "shared/eyrie_call.h"
 
 #define SYSCALL(which, arg0, arg1, arg2, arg3, arg4)           \
   ({                                                           \

sdk/include/host/ElfFile.hpp

@@ -6,10 +6,12 @@
 
 #include <fcntl.h>
 #include <unistd.h>
+
 #include <iostream>
 #include <string>
+
 #include "./common.h"
-#include "./keystone_user.h"
+#include "shared/keystone_user.h"
 
 extern "C" {
 #include "./elf.h"

sdk/include/host/KeystoneDevice.hpp

@@ -11,13 +11,15 @@
 #include <sys/ioctl.h>
 #include <sys/types.h>
 #include <unistd.h>
+
 #include <cerrno>
 #include <cstring>
 #include <iostream>
+
 #include "./common.h"
-#include "./keystone_user.h"
 #include "Error.hpp"
 #include "Params.hpp"
+#include "shared/keystone_user.h"
 
 namespace Keystone {