From 13994b2c96b25d614f91088cafc400e78ef7875d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Kowalczyk?=
Date: Thu, 20 Oct 2022 15:56:48 +0200
Subject: [PATCH] [Pal/Linux-SGX] Drop support for old SGX drivers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: MichaƂ Kowalczyk
---
 .ci/lib/config-docker.jenkinsfile | 3 --
 .ci/lib/stage-build-sgx.jenkinsfile | 26 --------------
 Documentation/devel/building.rst | 9 +++--
 Documentation/sgx-intro.rst | 7 ++--
 meson.build | 16 ---------
 meson_options.txt | 2 +-
 pal/src/host/linux-sgx/generated_offsets.c | 2 +-
 pal/src/host/linux-sgx/host_framework.c | 35 +++++----------------
 pal/src/host/linux-sgx/host_internal.h | 2 +-
 pal/src/host/linux-sgx/host_main.c | 14 ++++----
 pal/src/host/linux-sgx/host_platform.c | 2 +-
 .../{host_gsgx.h.in => host_sgx_driver.h.in} | 10 ------
 pal/src/host/linux-sgx/meson.build | 10 +++---
 13 files changed, 32 insertions(+), 106 deletions(-)
 rename pal/src/host/linux-sgx/{host_gsgx.h.in => host_sgx_driver.h.in} (73%)
diff --git a/.ci/lib/config-docker.jenkinsfile b/.ci/lib/config-docker.jenkinsfile
index 9c2d09d72c..5af07a6f08 100644
--- a/.ci/lib/config-docker.jenkinsfile
+++ b/.ci/lib/config-docker.jenkinsfile
@@ -16,9 +16,6 @@ if (fileExists('/dev/sgx_enclave')) {
 if (fileExists('/dev/isgx')) {
 env.DOCKER_ARGS_SGX += ' --device=/dev/isgx:/dev/isgx'
 }
-if (fileExists('/dev/gsgx')) {
- env.DOCKER_ARGS_SGX += ' --device=/dev/gsgx:/dev/gsgx'
-}
 if (fileExists('/var/run/aesmd/aesm.socket')) {
 env.DOCKER_ARGS_SGX += ' --volume=/var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket'
 }
diff --git a/.ci/lib/stage-build-sgx.jenkinsfile b/.ci/lib/stage-build-sgx.jenkinsfile
index 93a69bc714..01fb8ab159 100644
--- a/.ci/lib/stage-build-sgx.jenkinsfile
+++ b/.ci/lib/stage-build-sgx.jenkinsfile
@@ -6,14 +6,6 @@ stage('build') {
 git checkout 276c5c6a064d22358542f5e0aa96b1c0ace5d695
 '''
- sh '''
- cd /opt/intel
- git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git
- cd SGXDataCenterAttestationPrimitives
- git checkout DCAP_1.6
- # no need to build, we only need the SGX header file (sgx_oot.h)
- '''
-
 env.MESON_OPTIONS = ''
 if (env.UBSAN == '1') {
 env.MESON_OPTIONS += ' -Dubsan=enabled'
@@ -25,24 +17,6 @@ stage('build') {
 env.MESON_OPTIONS += ' -Dmusl=disabled'
 }
- try {
- sh '''
- meson setup build-dcap/ \
- --werror \
- --prefix="$PREFIX" \
- --buildtype="$BUILDTYPE" \
- -Ddirect=disabled \
- -Dsgx=enabled \
- -Dtests=enabled \
- -Dsgx_driver=dcap1.6 \
- $MESON_OPTIONS
- ninja -vC build-dcap
- '''
- } finally {
- archiveArtifacts 'build-dcap/meson-logs/**/*'
- sh 'rm -rf build-dcap'
- }
-
 try {
 sh '''
 meson setup build/ \
diff --git a/Documentation/devel/building.rst b/Documentation/devel/building.rst
index 261d090be5..6d157dd39a 100644
--- a/Documentation/devel/building.rst
+++ b/Documentation/devel/building.rst
@@ -187,15 +187,14 @@ The ``-Dsgx_driver`` parameter controls which SGX driver to use: * ``upstream`` (default) for upstreamed in-kernel driver (mainline Linux kernel 5.11+), -* ``dcap1.6`` for Intel DCAP version 1.6 or higher, but below 1.10, -* ``dcap1.10`` for Intel DCAP version 1.10 or higher, * ``oot`` for non-DCAP, out-of-tree version of the driver. The ``-Dsgx_driver_include_path`` parameter must point to the absolute path where the SGX driver was downloaded or installed in the previous step. For -example, for the DCAP version 1.41 of the SGX driver, you must specify -``-Dsgx_driver_include_path="/usr/src/sgx-1.41/include/"``. If this parameter is -omitted, Gramine's build system will try to determine the right path. +example, for the OOT driver installed at the default path, you can specify +``-Dsgx_driver_include_path="/opt/intel/linux-sgx-driver"``. If this parameter +is omitted, Gramine's build system will try to determine the right path, so, +it's usually not needed. .. note:: diff --git a/Documentation/sgx-intro.rst b/Documentation/sgx-intro.rst index 9f00c337ba..68423de06c 100644 --- a/Documentation/sgx-intro.rst +++ b/Documentation/sgx-intro.rst @@ -90,9 +90,10 @@ For historical reasons, there are three SGX drivers currently (January 2021): deprecated - https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/driver - -- new one, out-of-tree, supports both non-DCAP software infrastructure (with - old EPID remote-attestation technique) and the new DCAP (with new ECDSA and - more "normal" PKI infrastructure). + -- out-of-tree, supports both non-DCAP software infrastructure (with old EPID + remote-attestation technique) and the new DCAP (with new ECDSA and + more "normal" PKI infrastructure). Deprecated in favor of the upstreamed + driver (see below). - SGX support was upstreamed to the Linux mainline starting from 5.11. It currently supports only DCAP attestation. The driver is accessible through 
diff --git a/meson.build b/meson.build
index 5cdb1c5c8f..6c2cbc5f28 100644
--- a/meson.build
+++ b/meson.build
@@ -119,22 +119,6 @@ if sgx
 sgx_driver_header = 'sgx_user.h'
 sgx_driver_device_default = '/dev/isgx'
 sgx_driver_include_path_defaults = ['/opt/intel/linux-sgx-driver']
- elif sgx_driver == 'dcap1.6'
- # DCAP 1.6+ but below 1.10 (https://github.com/intel/SGXDataCenterAttestationPrimitives)
- conf_sgx.set('CONFIG_SGX_DRIVER_DCAP_1_6', true)
- sgx_driver_header = 'uapi/asm/sgx_oot.h'
- sgx_driver_device_default = '/dev/sgx/enclave'
- sgx_driver_include_path_defaults = [
- '/opt/intel/SGXDataCenterAttestationPrimitives/driver/linux/include',
- ]
- elif sgx_driver == 'dcap1.10'
- # DCAP 1.10+ (https://github.com/intel/SGXDataCenterAttestationPrimitives)
- conf_sgx.set('CONFIG_SGX_DRIVER_DCAP_1_10', true)
- sgx_driver_header = 'sgx_user.h'
- sgx_driver_device_default = '/dev/sgx/enclave'
- sgx_driver_include_path_defaults = [
- '/opt/intel/SGXDataCenterAttestationPrimitives/driver/linux/include',
- ]
 else
 error('Unknown sgx_driver value')
 endif
diff --git a/meson_options.txt b/meson_options.txt
index d551beab07..ddb2166cf0 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -24,7 +24,7 @@ option('libgomp', type: 'combo', choices: ['disabled', 'enabled'],
 description: 'Build patched libgomp (takes long time)')
 option('sgx_driver', type: 'combo',
- choices: ['upstream', 'dcap1.6', 'dcap1.10', 'oot'],
+ choices: ['upstream', 'oot'],
 description: 'Flavour of the SGX driver')
 option('sgx_driver_include_path', type: 'string',
 description: 'Path to SGX driver headers (default value depends on sgx_driver)')
diff --git a/pal/src/host/linux-sgx/generated_offsets.c b/pal/src/host/linux-sgx/generated_offsets.c
index 0390d53430..8382bd936e 100644
--- a/pal/src/host/linux-sgx/generated_offsets.c
+++ b/pal/src/host/linux-sgx/generated_offsets.c
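Review bot: The `description` of the `sgx_driver` option still reads only `Flavour of the SGX driver`, although the two remaining choices are no longer peers: `building.rst` in this same patch documents `upstream` as the in-kernel driver (mainline 5.11+) and `sgx-intro.rst` marks the out-of-tree driver as deprecated. Users who previously passed `dcap1.6` or `dcap1.10` will presumably now only see meson's generic invalid-choice error, so carrying that context in the option text is the cheapest place to explain the new situation. Suggest `description: 'Flavour of the SGX driver: upstream (in-kernel, Linux 5.11+, default) or oot (deprecated out-of-tree driver)'`. The `meson.build` hunk above is a pure deletion and needs nothing further.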
@@ -1,7 +1,7 @@
 #include
 #include "generated_offsets_build.h"
-#include "host_gsgx.h"
+#include "host_sgx_driver.h"
 #include "pal.h"
 #include "pal_ecall_types.h"
 #include "pal_linux_defs.h"
diff --git a/pal/src/host/linux-sgx/host_framework.c b/pal/src/host/linux-sgx/host_framework.c
index 1a604e973c..5d919672f9 100644
--- a/pal/src/host/linux-sgx/host_framework.c
+++ b/pal/src/host/linux-sgx/host_framework.c
@@ -1,42 +1,24 @@
 #include
 #include "hex.h"
-#include "host_gsgx.h"
+#include "host_sgx_driver.h"
 #include "host_internal.h"
 #include "linux_utils.h"
 #include "sgx_arch.h"
-static int g_gsgx_device = -1;
 static int g_isgx_device = -1;
-static void* g_zero_pages = NULL;
+static void* g_zero_pages = NULL;
 static size_t g_zero_pages_size = 0;
-int open_sgx_driver(bool need_gsgx) {
- if (need_gsgx) {
- g_gsgx_device = DO_SYSCALL(open, GSGX_FILE, O_RDWR | O_CLOEXEC, 0);
- if (g_gsgx_device < 0) {
- log_error(
- "\n\tSystem does not support FSGSBASE instructions, which Gramine requires on SGX.\n\n"
- "\tThe best option is to move to a newer Linux kernel with FSGSBASE support (5.9+), or\n"
- "\ta kernel with a back-ported patch to support FSGSBASE.\n"
- "\tOne may also load the Gramine SGX module, although this is insecure.\n"
- "\tIf the Gramine SGX module is loaded, check permissions on the device " GSGX_FILE ",\n\tas we cannot open this file.");
- return g_gsgx_device;
- }
- }
-
- g_isgx_device = DO_SYSCALL(open, ISGX_FILE, O_RDWR | O_CLOEXEC, 0);
- if (g_isgx_device < 0) {
+int open_sgx_driver(void) {
+ int ret = DO_SYSCALL(open, ISGX_FILE, O_RDWR | O_CLOEXEC, 0);
+ if (ret < 0) {
 log_error("Cannot open device " ISGX_FILE ". "
 "Please make sure the Intel SGX kernel module is loaded.");
- if (need_gsgx) {
- DO_SYSCALL(close, g_gsgx_device);
- g_gsgx_device = -1;
- }
- return g_isgx_device;
+ return ret;
 }
+ g_isgx_device = ret;
 return 0;
 }
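Review bot: The rewritten `open_sgx_driver()` keeps the hint `Please make sure the Intel SGX kernel module is loaded`, but with the `dcap*` flavours gone the default build is `CONFIG_SGX_DRIVER_UPSTREAM`, where SGX support is compiled into the kernel and there is no module to load; the hint now fits only the `oot` flavour. Suggest covering both: `log_error("Cannot open device " ISGX_FILE ". Please make sure SGX is enabled in the kernel (upstream driver) or the Intel SGX out-of-tree module is loaded.");`. Since `ret` holds the device descriptor until it is stored in `g_isgx_device`, naming it `fd` would read better than reusing the error-code name. A one-line comment on the definition stating that the descriptor is kept in `g_isgx_device` and that the function returns 0 or the negative value from `DO_SYSCALL(open)` would also help, as the function has no documentation in either header or source.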
@@ -410,7 +392,6 @@ int init_enclave(sgx_arch_secs_t* secs, sgx_arch_enclave_css_t* sigstruct,
 if (ret) {
 const char* error;
- /* DEP 3/22/17: Try to improve error messages */
 switch (ret) {
 case SGX_INVALID_SIG_STRUCT:
 error = "Invalid SIGSTRUCT";
@@ -424,7 +405,7 @@ int init_enclave(sgx_arch_secs_t* secs, sgx_arch_enclave_css_t* sigstruct,
 case SGX_INVALID_SIGNATURE:
 error = "Invalid signature";
 break;
- case SGX_INVALID_LICENSE:
+ case SGX_INVALID_EINITTOKEN:
 error = "Invalid EINIT token";
 break;
 case SGX_INVALID_CPUSVN:
diff --git a/pal/src/host/linux-sgx/host_internal.h b/pal/src/host/linux-sgx/host_internal.h
index 50fdaabaf8..156b8edd1d 100644
--- a/pal/src/host/linux-sgx/host_internal.h
+++ b/pal/src/host/linux-sgx/host_internal.h
@@ -61,7 +61,7 @@ struct pal_enclave {
 extern struct pal_enclave g_pal_enclave;
-int open_sgx_driver(bool need_gsgx);
+int open_sgx_driver(void);
 bool is_wrfsbase_supported(void);
 int read_enclave_token(int token_file, sgx_arch_token_t* token);
diff --git a/pal/src/host/linux-sgx/host_main.c b/pal/src/host/linux-sgx/host_main.c
index 819ddb3291..36c4f0cc0e 100644
--- a/pal/src/host/linux-sgx/host_main.c
+++ b/pal/src/host/linux-sgx/host_main.c
@@ -930,7 +930,7 @@ static int parse_loader_config(char* manifest, struct pal_enclave* enclave_info,
 /* Warning: This function does not free up resources on failure - it assumes that the whole process
 * exits after this function's failure. */
 static int load_enclave(struct pal_enclave* enclave, char* args, size_t args_size, char* env,
- size_t env_size, int parent_stream_fd, bool need_gsgx,
+ size_t env_size, int parent_stream_fd,
 void* reserved_mem_ranges, size_t reserved_mem_ranges_size) {
 int ret;
 struct timeval tv;
@@ -952,7 +952,7 @@ static int load_enclave(struct pal_enclave* enclave, char* args, size_t args_siz
 }
 log_debug("Gramine parsed TOML manifest file successfully");
- ret = open_sgx_driver(need_gsgx);
+ ret = open_sgx_driver();
 if (ret < 0)
 return ret;
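Review bot: The new prototype `int open_sgx_driver(void);` in `host_internal.h` carries no comment, so a reader of the header cannot tell that the call has a side effect on file-scope state in `host_framework.c` rather than returning the descriptor. Suggest documenting it at the declaration: `/* Opens the SGX driver device (ISGX_FILE) and keeps the descriptor in host_framework.c's g_isgx_device; returns 0 on success or the negative value from DO_SYSCALL(open) on failure. */`. The `init_enclave` hunks (renaming `SGX_INVALID_LICENSE` to `SGX_INVALID_EINITTOKEN`) and the two `load_enclave` hunks are direct consequences of dropping `need_gsgx` and need nothing further.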
@@ -1101,7 +1101,6 @@ __attribute_no_sanitize_address
 int main(int argc, char* argv[], char* envp[]) {
 char* manifest_path = NULL;
 int ret = 0;
- bool need_gsgx = true;
 char* manifest = NULL;
 void* reserved_mem_ranges = NULL;
 size_t reserved_mem_ranges_size = 0;
@@ -1132,10 +1131,11 @@ int main(int argc, char* argv[], char* envp[]) {
 return -ENOMEM;
 }
- /* check whether host kernel supports FSGSBASE feature, otherwise we need the GSGX driver */
 uint64_t at_hwcap2;
- if (get_aux_value(envp, AT_HWCAP2, &at_hwcap2) == 0 && (at_hwcap2 & 0x2)) {
- need_gsgx = false;
+ if (get_aux_value(envp, AT_HWCAP2, &at_hwcap2) != 0 || !(at_hwcap2 & 0x2)) {
+ log_error("Gramine with Linux-SGX backend requires support for FSGSBASE CPU instructions "
+ "in the host kernel. Please update your system.");
+ return -EINVAL;
 }
 g_libpal_path = strdup(argv[1]);
@@ -1208,7 +1208,7 @@ int main(int argc, char* argv[], char* envp[]) {
 char* env = envp[0];
 size_t env_size = envc > 0 ? (envp[envc - 1] - envp[0]) + strlen(envp[envc - 1]) + 1 : 0;
- ret = load_enclave(&g_pal_enclave, args, args_size, env, env_size, parent_stream_fd, need_gsgx,
+ ret = load_enclave(&g_pal_enclave, args, args_size, env, env_size, parent_stream_fd,
 reserved_mem_ranges, reserved_mem_ranges_size);
 if (ret < 0) {
 log_error("load_enclave() failed with error %d", ret);
diff --git a/pal/src/host/linux-sgx/host_platform.c b/pal/src/host/linux-sgx/host_platform.c
index ee15202662..8f16230c98 100644
--- a/pal/src/host/linux-sgx/host_platform.c
+++ b/pal/src/host/linux-sgx/host_platform.c
@@ -8,7 +8,7 @@
 #include
 #include "aesm.pb-c.h"
-#include "host_gsgx.h"
+#include "host_sgx_driver.h"
 #include "host_internal.h"
 #include "host_log.h"
 #include "linux_utils.h"
diff --git a/pal/src/host/linux-sgx/host_gsgx.h.in b/pal/src/host/linux-sgx/host_sgx_driver.h.in
similarity index 73%
rename from pal/src/host/linux-sgx/host_gsgx.h.in
rename to pal/src/host/linux-sgx/host_sgx_driver.h.in
index 6e13c41458..707aa4e457 100644
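Review bot: The FSGSBASE check in `main()` now hard-fails on `!(at_hwcap2 & 0x2)`, but the removed comment that explained the test has no replacement, so `0x2` is left as a bare magic number in security-critical startup code. That bit is `HWCAP2_FSGSBASE` from the kernel's `asm/hwcap2.h`; if that header is not already in the loader's include set, a local `#define HWCAP2_FSGSBASE (1 << 1)` plus a comment such as `/* Gramine requires FSGSBASE (AT_HWCAP2 bit 1); the insecure gsgx-module fallback is gone, so refuse to start without it */` would keep the intent readable. Note also that a failed `get_aux_value()` (no AT_HWCAP2 entry in the auxv at all) now yields the same "update your system" message as a kernel that lacks the feature, which seems acceptable but deserves a word in that comment. The `need_gsgx` removal in the first hunk and the shortened `load_enclave` call in the third follow from the same change and need nothing further.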
--- a/pal/src/host/linux-sgx/host_gsgx.h.in
+++ b/pal/src/host/linux-sgx/host_sgx_driver.h.in
@@ -15,8 +15,6 @@
 #include <@CONFIG_SGX_DRIVER_HEADER_ABSPATH@>
 #mesondefine CONFIG_SGX_DRIVER_UPSTREAM
-#mesondefine CONFIG_SGX_DRIVER_DCAP_1_6
-#mesondefine CONFIG_SGX_DRIVER_DCAP_1_10
 #mesondefine CONFIG_SGX_DRIVER_OOT
 #mesondefine CONFIG_SGX_DRIVER_DEVICE
@@ -27,8 +25,6 @@
 #define ISGX_FILE CONFIG_SGX_DRIVER_DEVICE
-#define GSGX_FILE "/dev/gsgx"
-
 /* Gramine needs the below subset of SGX instructions' return values */
 #ifndef SGX_INVALID_SIG_STRUCT
 #define SGX_INVALID_SIG_STRUCT 1
@@ -53,9 +49,3 @@
 #ifndef SGX_INVALID_CPUSVN
 #define SGX_INVALID_CPUSVN 32
 #endif
-
-/* SGX_INVALID_LICENSE was renamed to SGX_INVALID_EINITTOKEN in SGX driver 2.1:
- * https://github.com/intel/linux-sgx-driver/commit/a7997dafe184d7d527683d8d46c4066db205758d */
-#ifndef SGX_INVALID_LICENSE
-#define SGX_INVALID_LICENSE SGX_INVALID_EINITTOKEN
-#endif
diff --git a/pal/src/host/linux-sgx/meson.build b/pal/src/host/linux-sgx/meson.build
index 54e61ac0fa..3444d9b4b3 100644
--- a/pal/src/host/linux-sgx/meson.build
+++ b/pal/src/host/linux-sgx/meson.build
@@ -1,6 +1,6 @@
-gsgx_h = configure_file(
- input: 'host_gsgx.h.in',
- output: 'host_gsgx.h',
+host_sgx_driver_h = configure_file(
+ input: 'host_sgx_driver.h.in',
+ output: 'host_sgx_driver.h',
 configuration: conf_sgx,
 )
@@ -84,7 +84,7 @@ libpal_sgx = shared_library('pal',
 pal_sgx_asm_offsets_h,
 pal_common_sources,
 pal_linux_common_sources_enclave,
- gsgx_h,
+ host_sgx_driver_h,
 include_directories: sgx_inc,
@@ -147,7 +147,7 @@ libpal_sgx_host = executable('loader',
 pal_linux_common_sources_host,
 pal_sgx_asm_offsets_h,
 aesm_proto_ch,
- gsgx_h,
+ host_sgx_driver_h,
 include_directories: sgx_inc,
 c_args: [
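Review bot: The header is renamed to `host_sgx_driver.h.in` so that it no longer implies the gsgx module, yet the device-path macro it still defines keeps the out-of-tree-specific name `ISGX_FILE`, while the default flavour is now `CONFIG_SGX_DRIVER_UPSTREAM`, whose in-kernel driver exposes `/dev/sgx_enclave` (the node the CI config in this patch passes through) rather than `/dev/isgx`. Either rename the macro (e.g. `SGX_DRIVER_DEVICE`) at its users, or at least annotate it: `/* Path of the SGX driver device node, chosen by -Dsgx_driver; "isgx" is a legacy name kept from the out-of-tree driver. */`. A comment above the `#ifndef SGX_INVALID_*` fallback block (header lines 27–53, only partly inside these hunks) saying which of the two remaining driver headers lacks these EINIT return codes would also help, since with only `upstream`/`oot` left a reader will wonder whether the block is still needed. The `meson.build` hunks are a plain variable rename and need nothing further.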