Remove redundant sgx.nonpie_binary manifest option

It is now unclear why we needed this manifest option in the first place (probably to work around a bug in very old SGX drivers that prohibited mmapping the enclave space from address 0x0). As a side effect, Gramine enclave base address is always 0x0. Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
jkr0103 · Feb 27, 2023 · 38aa937 · 38aa937
1 parent b741bd1
commit 38aa937
Showing 53 changed files with 13 additions and 106 deletions.
diff --git a/CI-Examples/bash/manifest.template b/CI-Examples/bash/manifest.template
@@ -20,7 +20,6 @@ fs.mounts = [
 
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
-sgx.nonpie_binary = true
 sgx.enclave_size = "512M"
 sgx.max_threads = 4
 

diff --git a/CI-Examples/blender/blender.manifest.template b/CI-Examples/blender/blender.manifest.template
@@ -22,7 +22,6 @@ fs.mounts = [
 
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
-sgx.nonpie_binary = true
 sys.stack.size = "8M"
 sgx.enclave_size = "2048M"
 sgx.max_threads = 64

diff --git a/CI-Examples/helloworld/helloworld.manifest.template b/CI-Examples/helloworld/helloworld.manifest.template
@@ -13,7 +13,6 @@ fs.mounts = [
 
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
-sgx.nonpie_binary = true
 
 sgx.trusted_files = [
   "file:{{ gramine.libos }}",

diff --git a/CI-Examples/lighttpd/lighttpd.manifest.template b/CI-Examples/lighttpd/lighttpd.manifest.template
@@ -21,7 +21,6 @@ fs.mounts = [
 
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
-sgx.nonpie_binary = true
 sgx.enclave_size = "256M"
 sgx.max_threads = 3
 

diff --git a/CI-Examples/memcached/memcached.manifest.template b/CI-Examples/memcached/memcached.manifest.template
@@ -25,7 +25,6 @@ fs.mounts = [
 
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
-sgx.nonpie_binary = true
 sgx.max_threads = 16
 
 # Memcached does not fail explicitly when enclave memory is exhausted. Instead, Memcached goes into

diff --git a/CI-Examples/nginx/nginx.manifest.template b/CI-Examples/nginx/nginx.manifest.template
@@ -27,7 +27,6 @@ fs.mounts = [
 
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
-sgx.nonpie_binary = true
 sgx.enclave_size = "512M"
 sgx.max_threads = 4
 

diff --git a/CI-Examples/python/python.manifest.template b/CI-Examples/python/python.manifest.template
@@ -34,7 +34,6 @@ sys.enable_extra_runtime_domain_names_conf = true
 
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
-sgx.nonpie_binary = true
 sgx.enclave_size = "1G"
 sgx.max_threads = 32
 

diff --git a/CI-Examples/redis/redis-server.manifest.template b/CI-Examples/redis/redis-server.manifest.template
@@ -87,15 +87,6 @@ sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 # specifying '8' allows to run a maximum of 6 Redis threads which is enough.
 sgx.max_threads = 8
 
-# Redis executable is typically a PIE (Position Independent Executable) on most
-# modern OS distros (e.g., Ubuntu 18.04). However, on some OS distros (notably,
-# CentOS), Redis executable is built as non-PIE. We mark Redis as a non-PIE
-# binary unconditionally -- this makes it work on CentOS and doesn't hurt on
-# Ubuntu. (Note that non-SGX Gramine correctly distinguishes between PIE and
-# non-PIE binaries, but for SGX we need to prearrange enclave memory layout,
-# hence the below option.)
-sgx.nonpie_binary = true
-
 ############################# SGX: TRUSTED FILES ###############################
 
 # Specify all files used by Redis and its dependencies (including all libraries

diff --git a/CI-Examples/rust/rust-hyper-http-server.manifest.template b/CI-Examples/rust/rust-hyper-http-server.manifest.template
@@ -19,7 +19,6 @@ fs.mounts = [
 
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
-sgx.nonpie_binary = true
 
 sgx.trusted_files = [
   "file:{{ gramine.libos }}",

diff --git a/Documentation/devel/onboarding.rst b/Documentation/devel/onboarding.rst
@@ -261,13 +261,11 @@ fine on native Linux but fails under Gramine::
      Try to identify the system call in Gramine that goes wrong (e.g., returns
      an error code whereas it was supposed to finish successfully).
 
-   - Analyze the manifest file carefully. If at least one of the binaries
-     spawned during app execution is non-PIE, then set ``sgx.nonpie_binary =
-     true``. If you suspect problems with environment variables, see if it works
-     with ``loader.insecure__use_host_env = true``. If you observe that memory
-     addresses change constantly and hinder your debugging, set
-     ``loader.insecure__disable_aslr = true``. But don't use the last two
-     options in production; use them only for debugging and analysis!
+   - Analyze the manifest file carefully. If you suspect problems with
+     environment variables, see if it works with ``loader.insecure__use_host_env
+     = true``. If you observe that memory addresses change constantly and hinder
+     your debugging, set ``loader.insecure__disable_aslr = true``. But don't use
+     these two options in production; use them only for debugging and analysis!
 
    - Analyze FS mount points (``fs.mounts``) in the manifest file carefully.
      Check for duplicate mount points -- remember that a duplicate mount point's

diff --git a/Documentation/manifest-syntax.rst b/Documentation/manifest-syntax.rst
@@ -529,17 +529,6 @@ your system, such ``bash -c ls`` SGX workload will fail. Note this does not
 apply to the enclaves with :term:`EDMM` enabled, where memory is not reserved
 upfront and is allocated on demand.
 
-Non-PIE binaries
-^^^^^^^^^^^^^^^^
-
-::
-
-    sgx.nonpie_binary = [true|false]
-    (Default: false)
-
-This setting tells Gramine whether to use a specially crafted memory layout,
-which is required to support non-relocatable binaries (non-PIE).
-
 Number of threads
 ^^^^^^^^^^^^^^^^^
 

diff --git a/libos/src/libos_rtld.c b/libos/src/libos_rtld.c
@@ -849,10 +849,7 @@ int load_elf_object(struct libos_handle* file, struct link_map** out_map) {
 
     struct link_map* map = map_elf_object(file, &ehdr);
     if (!map) {
-        log_error("Failed to map %s. This may be caused by the binary being non-PIE, in which "
-                  "case Gramine requires a specially-crafted memory layout. You can enable it "
-                  "by adding 'sgx.nonpie_binary = true' to the manifest.",
-                  fname);
+        log_error("Failed to map %s.", fname);
         return -EINVAL;
     }
 

diff --git a/libos/test/abi/x86_64/manifest.template b/libos/test/abi/x86_64/manifest.template
@@ -6,7 +6,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 sgx.max_threads = 4

diff --git a/libos/test/abi/x86_64/stack_arg.manifest.template b/libos/test/abi/x86_64/stack_arg.manifest.template
@@ -11,7 +11,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 sgx.max_threads = 4

diff --git a/libos/test/abi/x86_64/stack_env.manifest.template b/libos/test/abi/x86_64/stack_env.manifest.template
@@ -11,7 +11,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 sgx.max_threads = 4

diff --git a/libos/test/fs/manifest.template b/libos/test/fs/manifest.template
@@ -20,7 +20,6 @@ fs.mounts = [
 
 fs.insecure__keys.default = "ffeeddccbbaa99887766554433221100"
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 sgx.max_threads = 16

diff --git a/libos/test/ltp/manifest.template b/libos/test/ltp/manifest.template
@@ -19,7 +19,6 @@ fs.mounts = [
 
 sys.brk.max_size = "32M"
 sys.stack.size = "4M"
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/argv_from_file.manifest.template b/libos/test/regression/argv_from_file.manifest.template
@@ -11,7 +11,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/argv_from_manifest.manifest.template b/libos/test/regression/argv_from_manifest.manifest.template
@@ -18,7 +18,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/attestation.manifest.template b/libos/test/regression/attestation.manifest.template
@@ -11,7 +11,6 @@ fs.mounts = [
 
 fs.insecure__keys.default = "ffeeddccbbaa99887766554433221100"
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/attestation_deprecated_syntax.manifest.template b/libos/test/regression/attestation_deprecated_syntax.manifest.template
@@ -13,7 +13,6 @@ fs.mounts = [
 
 sgx.insecure__protected_files_key = "ffeeddccbbaa99887766554433221100"
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/bootstrap_cpp.manifest.template b/libos/test/regression/bootstrap_cpp.manifest.template
@@ -14,7 +14,6 @@ fs.mounts = [
 ]
 
 sgx.max_threads = 8
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/debug_log_file.manifest.template b/libos/test/regression/debug_log_file.manifest.template
@@ -13,7 +13,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/debug_log_inline.manifest.template b/libos/test/regression/debug_log_inline.manifest.template
@@ -12,7 +12,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/device_passthrough.manifest.template b/libos/test/regression/device_passthrough.manifest.template
@@ -9,7 +9,6 @@ fs.mounts = [
   { path = "/dev/host-zero", uri = "dev:/dev/zero" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/env_from_file.manifest.template b/libos/test/regression/env_from_file.manifest.template
@@ -11,7 +11,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/env_from_host.manifest.template b/libos/test/regression/env_from_host.manifest.template
@@ -11,7 +11,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/env_passthrough.manifest.template b/libos/test/regression/env_passthrough.manifest.template
@@ -16,7 +16,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template b/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template
@@ -13,7 +13,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/file_check_policy_strict.manifest.template b/libos/test/regression/file_check_policy_strict.manifest.template
@@ -13,7 +13,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/host_root_fs.manifest.template b/libos/test/regression/host_root_fs.manifest.template
@@ -11,7 +11,6 @@ fs.mounts = [
   { type = "tmpfs", path = "/etc" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/hostname_extra_runtime_conf.manifest.template b/libos/test/regression/hostname_extra_runtime_conf.manifest.template
@@ -12,7 +12,6 @@ fs.mounts = [
 sys.enable_extra_runtime_domain_names_conf = true
 
 sgx.debug = true
-sgx.nonpie_binary = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [

diff --git a/libos/test/regression/init_fail.manifest.template b/libos/test/regression/init_fail.manifest.template
@@ -10,7 +10,6 @@ fs.mounts = [
   { path = "/test", uri = "file:I_DONT_EXIST" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/init_fail2.manifest.template b/libos/test/regression/init_fail2.manifest.template
@@ -10,7 +10,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/large_mmap.manifest.template b/libos/test/regression/large_mmap.manifest.template
@@ -13,7 +13,6 @@ fs.mounts = [
 ]
 
 sgx.enclave_size = "8G"
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/manifest.template b/libos/test/regression/manifest.template
@@ -22,7 +22,6 @@ fs.mounts = [
 ]
 
 sgx.max_threads = 16
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/multi_pthread.manifest.template b/libos/test/regression/multi_pthread.manifest.template
@@ -11,7 +11,6 @@ fs.mounts = [
 # app runs with 4 parallel threads + Gramine has couple internal threads
 sgx.max_threads = 8
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 sgx.enable_stats = true

diff --git a/libos/test/regression/multi_pthread_exitless.manifest.template b/libos/test/regression/multi_pthread_exitless.manifest.template
@@ -13,7 +13,6 @@ fs.mounts = [
 sgx.thread_num = 8
 sgx.insecure__rpc_thread_num = 8
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 sgx.enable_stats = true

diff --git a/libos/test/regression/openmp.manifest.template b/libos/test/regression/openmp.manifest.template
@@ -23,7 +23,6 @@ fs.mounts = [
 ]
 
 sgx.max_threads = 32
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/shebang_test_script.manifest.template b/libos/test/regression/shebang_test_script.manifest.template
@@ -11,7 +11,6 @@ fs.mounts = [
 ]
 
 sgx.max_threads = 16
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/sysfs_common.manifest.template b/libos/test/regression/sysfs_common.manifest.template
@@ -8,7 +8,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/toml_parsing.manifest.template b/libos/test/regression/toml_parsing.manifest.template
@@ -21,7 +21,6 @@ fs.mount.entrypoint.uri = "file:{{ binary_dir }}/{{ entrypoint }}"
 # the manifest option below added only so that this feature has any test coverage
 libos.check_invalid_pointers = false
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/libos/test/regression/uid_gid.manifest.template b/libos/test/regression/uid_gid.manifest.template
@@ -11,7 +11,6 @@ fs.mounts = [
   { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" },
 ]
 
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/pal/regression/Bootstrap6.manifest.template b/pal/regression/Bootstrap6.manifest.template
@@ -4,7 +4,6 @@ loader.entrypoint = "file:{{ binary_dir }}/{{ entrypoint }}"
 loader.log_level = "debug"
 
 sgx.enclave_size = "8192M"
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 

diff --git a/pal/regression/Bootstrap7.manifest.template b/pal/regression/Bootstrap7.manifest.template
@@ -1,7 +1,6 @@
 loader.entrypoint = "file:{{ binary_dir }}/{{ entrypoint }}"
 
 sgx.trusted_files = [ "file:{{ binary_dir }}/{{ entrypoint }}" ]
-sgx.nonpie_binary = true
 sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}