[Pal/Linux-SGX] Drop support for old SGX drivers

Signed-off-by: Michał Kowalczyk <[email protected]>
amicrity · Oct 28, 2022 · 13994b2 · 13994b2
1 parent e0ee629
commit 13994b2
Show file tree

Hide file tree

Showing 13 changed files with 32 additions and 106 deletions.
diff --git a/.ci/lib/config-docker.jenkinsfile b/.ci/lib/config-docker.jenkinsfile
@@ -16,9 +16,6 @@ if (fileExists('/dev/sgx_enclave')) {
 if (fileExists('/dev/isgx')) {
     env.DOCKER_ARGS_SGX += ' --device=/dev/isgx:/dev/isgx'
 }
-if (fileExists('/dev/gsgx')) {
-    env.DOCKER_ARGS_SGX += ' --device=/dev/gsgx:/dev/gsgx'
-}
 if (fileExists('/var/run/aesmd/aesm.socket')) {
     env.DOCKER_ARGS_SGX += ' --volume=/var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket'
 }
diff --git a/.ci/lib/stage-build-sgx.jenkinsfile b/.ci/lib/stage-build-sgx.jenkinsfile
@@ -6,14 +6,6 @@ stage('build') {
         git checkout 276c5c6a064d22358542f5e0aa96b1c0ace5d695
     '''
 
-    sh '''
-        cd /opt/intel
-        git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git
-        cd SGXDataCenterAttestationPrimitives
-        git checkout DCAP_1.6
-        # no need to build, we only need the SGX header file (sgx_oot.h)
-    '''
-
     env.MESON_OPTIONS = ''
     if (env.UBSAN == '1') {
         env.MESON_OPTIONS += ' -Dubsan=enabled'
@@ -25,24 +17,6 @@ stage('build') {
         env.MESON_OPTIONS += ' -Dmusl=disabled'
     }
 
-    try {
-        sh '''
-            meson setup build-dcap/ \
-                --werror \
-                --prefix="$PREFIX" \
-                --buildtype="$BUILDTYPE" \
-                -Ddirect=disabled \
-                -Dsgx=enabled \
-                -Dtests=enabled \
-                -Dsgx_driver=dcap1.6 \
-                $MESON_OPTIONS
-            ninja -vC build-dcap
-        '''
-    } finally {
-        archiveArtifacts 'build-dcap/meson-logs/**/*'
-        sh 'rm -rf build-dcap'
-    }
-
     try {
         sh '''
             meson setup build/ \

diff --git a/Documentation/devel/building.rst b/Documentation/devel/building.rst
@@ -187,15 +187,14 @@ The ``-Dsgx_driver`` parameter controls which SGX driver to use:
 
 * ``upstream`` (default) for upstreamed in-kernel driver (mainline Linux kernel
   5.11+),
-* ``dcap1.6`` for Intel DCAP version 1.6 or higher,  but below 1.10,
-* ``dcap1.10`` for Intel DCAP version 1.10 or higher,
 * ``oot`` for non-DCAP, out-of-tree version of the driver.
 
 The ``-Dsgx_driver_include_path`` parameter must point to the absolute path
 where the SGX driver was downloaded or installed in the previous step. For
-example, for the DCAP version 1.41 of the SGX driver, you must specify
-``-Dsgx_driver_include_path="/usr/src/sgx-1.41/include/"``. If this parameter is
-omitted, Gramine's build system will try to determine the right path.
+example, for the OOT driver installed at the default path, you can specify
+``-Dsgx_driver_include_path="/opt/intel/linux-sgx-driver"``. If this parameter
+is omitted, Gramine's build system will try to determine the right path, so,
+it's usually not needed.
 
 .. note::
 

diff --git a/Documentation/sgx-intro.rst b/Documentation/sgx-intro.rst
@@ -90,9 +90,10 @@ For historical reasons, there are three SGX drivers currently (January 2021):
   deprecated
 
 - https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/driver
-  -- new one, out-of-tree, supports both non-DCAP software infrastructure (with
-  old EPID remote-attestation technique) and the new DCAP (with new ECDSA and
-  more "normal" PKI infrastructure).
+  -- out-of-tree, supports both non-DCAP software infrastructure (with old EPID
+  remote-attestation technique) and the new DCAP (with new ECDSA and
+  more "normal" PKI infrastructure). Deprecated in favor of the upstreamed
+  driver (see below).
 
 - SGX support was upstreamed to the Linux mainline starting from 5.11.
   It currently supports only DCAP attestation. The driver is accessible through

diff --git a/meson.build b/meson.build
@@ -119,22 +119,6 @@ if sgx
         sgx_driver_header = 'sgx_user.h'
         sgx_driver_device_default = '/dev/isgx'
         sgx_driver_include_path_defaults = ['/opt/intel/linux-sgx-driver']
-    elif sgx_driver == 'dcap1.6'
-        # DCAP 1.6+ but below 1.10 (https://github.com/intel/SGXDataCenterAttestationPrimitives)
-        conf_sgx.set('CONFIG_SGX_DRIVER_DCAP_1_6', true)
-        sgx_driver_header = 'uapi/asm/sgx_oot.h'
-        sgx_driver_device_default = '/dev/sgx/enclave'
-        sgx_driver_include_path_defaults = [
-            '/opt/intel/SGXDataCenterAttestationPrimitives/driver/linux/include',
-        ]
-    elif sgx_driver == 'dcap1.10'
-        # DCAP 1.10+ (https://github.com/intel/SGXDataCenterAttestationPrimitives)
-        conf_sgx.set('CONFIG_SGX_DRIVER_DCAP_1_10', true)
-        sgx_driver_header = 'sgx_user.h'
-        sgx_driver_device_default = '/dev/sgx/enclave'
-        sgx_driver_include_path_defaults = [
-            '/opt/intel/SGXDataCenterAttestationPrimitives/driver/linux/include',
-        ]
     else
         error('Unknown sgx_driver value')
     endif

diff --git a/meson_options.txt b/meson_options.txt
@@ -24,7 +24,7 @@ option('libgomp', type: 'combo', choices: ['disabled', 'enabled'],
     description: 'Build patched libgomp (takes long time)')
 
 option('sgx_driver', type: 'combo',
-    choices: ['upstream', 'dcap1.6', 'dcap1.10', 'oot'],
+    choices: ['upstream', 'oot'],
     description: 'Flavour of the SGX driver')
 option('sgx_driver_include_path', type: 'string',
     description: 'Path to SGX driver headers (default value depends on sgx_driver)')

diff --git a/pal/src/host/linux-sgx/generated_offsets.c b/pal/src/host/linux-sgx/generated_offsets.c
@@ -1,7 +1,7 @@
 #include <asm/errno.h>
 
 #include "generated_offsets_build.h"
-#include "host_gsgx.h"
+#include "host_sgx_driver.h"
 #include "pal.h"
 #include "pal_ecall_types.h"
 #include "pal_linux_defs.h"

diff --git a/pal/src/host/linux-sgx/host_framework.c b/pal/src/host/linux-sgx/host_framework.c
@@ -1,42 +1,24 @@
 #include <asm/errno.h>
 
 #include "hex.h"
-#include "host_gsgx.h"
+#include "host_sgx_driver.h"
 #include "host_internal.h"
 #include "linux_utils.h"
 #include "sgx_arch.h"
 
-static int g_gsgx_device = -1;
 static int g_isgx_device = -1;
 
-static void* g_zero_pages       = NULL;
+static void*  g_zero_pages      = NULL;
 static size_t g_zero_pages_size = 0;
 
-int open_sgx_driver(bool need_gsgx) {
-    if (need_gsgx) {
-        g_gsgx_device = DO_SYSCALL(open, GSGX_FILE, O_RDWR | O_CLOEXEC, 0);
-        if (g_gsgx_device < 0) {
-            log_error(
-                "\n\tSystem does not support FSGSBASE instructions, which Gramine requires on SGX.\n\n"
-                "\tThe best option is to move to a newer Linux kernel with FSGSBASE support (5.9+), or\n"
-                "\ta kernel with a back-ported patch to support FSGSBASE.\n"
-                "\tOne may also load the Gramine SGX module, although this is insecure.\n"
-                "\tIf the Gramine SGX module is loaded, check permissions on the device "
-                GSGX_FILE ",\n\tas we cannot open this file.");
-            return g_gsgx_device;
-        }
-    }
-
-    g_isgx_device = DO_SYSCALL(open, ISGX_FILE, O_RDWR | O_CLOEXEC, 0);
-    if (g_isgx_device < 0) {
+int open_sgx_driver(void) {
+    int ret = DO_SYSCALL(open, ISGX_FILE, O_RDWR | O_CLOEXEC, 0);
+    if (ret < 0) {
         log_error("Cannot open device " ISGX_FILE ". "
                   "Please make sure the Intel SGX kernel module is loaded.");
-        if (need_gsgx) {
-            DO_SYSCALL(close, g_gsgx_device);
-            g_gsgx_device = -1;
-        }
-        return g_isgx_device;
+        return ret;
     }
+    g_isgx_device = ret;
 
     return 0;
 }
@@ -410,7 +392,6 @@ int init_enclave(sgx_arch_secs_t* secs, sgx_arch_enclave_css_t* sigstruct,
 
     if (ret) {
         const char* error;
-        /* DEP 3/22/17: Try to improve error messages */
         switch (ret) {
             case SGX_INVALID_SIG_STRUCT:
                 error = "Invalid SIGSTRUCT";
@@ -424,7 +405,7 @@ int init_enclave(sgx_arch_secs_t* secs, sgx_arch_enclave_css_t* sigstruct,
             case SGX_INVALID_SIGNATURE:
                 error = "Invalid signature";
                 break;
-            case SGX_INVALID_LICENSE:
+            case SGX_INVALID_EINITTOKEN:
                 error = "Invalid EINIT token";
                 break;
             case SGX_INVALID_CPUSVN:

diff --git a/pal/src/host/linux-sgx/host_internal.h b/pal/src/host/linux-sgx/host_internal.h
@@ -61,7 +61,7 @@ struct pal_enclave {
 
 extern struct pal_enclave g_pal_enclave;
 
-int open_sgx_driver(bool need_gsgx);
+int open_sgx_driver(void);
 bool is_wrfsbase_supported(void);
 
 int read_enclave_token(int token_file, sgx_arch_token_t* token);

diff --git a/pal/src/host/linux-sgx/host_main.c b/pal/src/host/linux-sgx/host_main.c
@@ -930,7 +930,7 @@ static int parse_loader_config(char* manifest, struct pal_enclave* enclave_info,
 /* Warning: This function does not free up resources on failure - it assumes that the whole process
  * exits after this function's failure. */
 static int load_enclave(struct pal_enclave* enclave, char* args, size_t args_size, char* env,
-                        size_t env_size, int parent_stream_fd, bool need_gsgx,
+                        size_t env_size, int parent_stream_fd,
                         void* reserved_mem_ranges, size_t reserved_mem_ranges_size) {
     int ret;
     struct timeval tv;
@@ -952,7 +952,7 @@ static int load_enclave(struct pal_enclave* enclave, char* args, size_t args_siz
     }
     log_debug("Gramine parsed TOML manifest file successfully");
 
-    ret = open_sgx_driver(need_gsgx);
+    ret = open_sgx_driver();
     if (ret < 0)
         return ret;
 
@@ -1101,7 +1101,6 @@ __attribute_no_sanitize_address
 int main(int argc, char* argv[], char* envp[]) {
     char* manifest_path = NULL;
     int ret = 0;
-    bool need_gsgx = true;
     char* manifest = NULL;
     void* reserved_mem_ranges = NULL;
     size_t reserved_mem_ranges_size = 0;
@@ -1132,10 +1131,11 @@ int main(int argc, char* argv[], char* envp[]) {
         return -ENOMEM;
     }
 
-    /* check whether host kernel supports FSGSBASE feature, otherwise we need the GSGX driver */
     uint64_t at_hwcap2;
-    if (get_aux_value(envp, AT_HWCAP2, &at_hwcap2) == 0 && (at_hwcap2 & 0x2)) {
-        need_gsgx = false;
+    if (get_aux_value(envp, AT_HWCAP2, &at_hwcap2) != 0 || !(at_hwcap2 & 0x2)) {
+        log_error("Gramine with Linux-SGX backend requires support for FSGSBASE CPU instructions "
+                  "in the host kernel. Please update your system.");
+        return -EINVAL;
     }
 
     g_libpal_path = strdup(argv[1]);
@@ -1208,7 +1208,7 @@ int main(int argc, char* argv[], char* envp[]) {
     char* env = envp[0];
     size_t env_size = envc > 0 ? (envp[envc - 1] - envp[0]) + strlen(envp[envc - 1]) + 1 : 0;
 
-    ret = load_enclave(&g_pal_enclave, args, args_size, env, env_size, parent_stream_fd, need_gsgx,
+    ret = load_enclave(&g_pal_enclave, args, args_size, env, env_size, parent_stream_fd,
                        reserved_mem_ranges, reserved_mem_ranges_size);
     if (ret < 0) {
         log_error("load_enclave() failed with error %d", ret);

diff --git a/pal/src/host/linux-sgx/host_platform.c b/pal/src/host/linux-sgx/host_platform.c
@@ -8,7 +8,7 @@
 #include <stdbool.h>
 
 #include "aesm.pb-c.h"
-#include "host_gsgx.h"
+#include "host_sgx_driver.h"
 #include "host_internal.h"
 #include "host_log.h"
 #include "linux_utils.h"

diff --git a/pal/src/host/linux-sgx/host_gsgx.h.in → pal/src/host/linux-sgx/host_sgx_driver.h.in b/pal/src/host/linux-sgx/host_gsgx.h.in → pal/src/host/linux-sgx/host_sgx_driver.h.in
@@ -15,8 +15,6 @@
 #include <@CONFIG_SGX_DRIVER_HEADER_ABSPATH@>
 
 #mesondefine CONFIG_SGX_DRIVER_UPSTREAM
-#mesondefine CONFIG_SGX_DRIVER_DCAP_1_6
-#mesondefine CONFIG_SGX_DRIVER_DCAP_1_10
 #mesondefine CONFIG_SGX_DRIVER_OOT
 
 #mesondefine CONFIG_SGX_DRIVER_DEVICE
@@ -27,8 +25,6 @@
 
 #define ISGX_FILE CONFIG_SGX_DRIVER_DEVICE
 
-#define GSGX_FILE  "/dev/gsgx"
-
 /* Gramine needs the below subset of SGX instructions' return values */
 #ifndef SGX_INVALID_SIG_STRUCT
 #define SGX_INVALID_SIG_STRUCT  1
@@ -53,9 +49,3 @@
 #ifndef SGX_INVALID_CPUSVN
 #define SGX_INVALID_CPUSVN      32
 #endif
-
-/* SGX_INVALID_LICENSE was renamed to SGX_INVALID_EINITTOKEN in SGX driver 2.1:
- *   https://github.com/intel/linux-sgx-driver/commit/a7997dafe184d7d527683d8d46c4066db205758d */
-#ifndef SGX_INVALID_LICENSE
-#define SGX_INVALID_LICENSE     SGX_INVALID_EINITTOKEN
-#endif
diff --git a/pal/src/host/linux-sgx/meson.build b/pal/src/host/linux-sgx/meson.build
@@ -1,6 +1,6 @@
-gsgx_h = configure_file(
-    input: 'host_gsgx.h.in',
-    output: 'host_gsgx.h',
+host_sgx_driver_h = configure_file(
+    input: 'host_sgx_driver.h.in',
+    output: 'host_sgx_driver.h',
     configuration: conf_sgx,
 )
 
@@ -84,7 +84,7 @@ libpal_sgx = shared_library('pal',
     pal_sgx_asm_offsets_h,
     pal_common_sources,
     pal_linux_common_sources_enclave,
-    gsgx_h,
+    host_sgx_driver_h,
 
     include_directories: sgx_inc,
 
@@ -147,7 +147,7 @@ libpal_sgx_host = executable('loader',
     pal_linux_common_sources_host,
     pal_sgx_asm_offsets_h,
     aesm_proto_ch,
-    gsgx_h,
+    host_sgx_driver_h,
 
     include_directories: sgx_inc,
     c_args: [