diff --git a/common/inc/internal/enclave_creator.h b/common/inc/internal/enclave_creator.h index 67d41a7ae2..c7f25088de 100644 --- a/common/inc/internal/enclave_creator.h +++ b/common/inc/internal/enclave_creator.h @@ -65,7 +65,7 @@ public: */ virtual int add_enclave_page(sgx_enclave_id_t enclave_id, void *source, uint64_t offset, const sec_info_t &sinfo, uint32_t attr) = 0; virtual int init_enclave(sgx_enclave_id_t enclave_id, enclave_css_t *enclave_css, SGXLaunchToken *lc, le_prd_css_file_t *prd_css_file = NULL) = 0; - virtual int destroy_enclave(sgx_enclave_id_t enclave_id) = 0; + virtual int destroy_enclave(sgx_enclave_id_t enclave_id, uint64_t enclave_size = 0) = 0; virtual int initialize(sgx_enclave_id_t enclave_id) = 0; virtual bool use_se_hw() const = 0; diff --git a/psw/urts/enclave.cpp b/psw/urts/enclave.cpp index 7586b1e87f..8890077b7e 100644 --- a/psw/urts/enclave.cpp +++ b/psw/urts/enclave.cpp @@ -240,7 +240,7 @@ void CEnclave::destroy() debug_enclave_info_t *debug_info = const_cast(get_debug_info()); generate_enclave_debug_event(URTS_EXCEPTION_PREREMOVEENCLAVE, debug_info); - get_enclave_creator()->destroy_enclave(ENCLAVE_ID_IOCTL); + get_enclave_creator()->destroy_enclave(ENCLAVE_ID_IOCTL, m_size); m_destroyed = true; //We are going to destory m_rwlock. At this point, maybe an ecall is in progress, and try to get m_rwlock. diff --git a/psw/urts/enclave_creator_hw.h b/psw/urts/enclave_creator_hw.h index db176d976d..c60b400008 100644 --- a/psw/urts/enclave_creator_hw.h +++ b/psw/urts/enclave_creator_hw.h 
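Review bot: The `enclave_size = 0` default added to the pure virtual `destroy_enclave` in enclave_creator.h is a trap for callers: the overrides in this commit declare no default, and the Linux hardware override passes the value straight to `munmap`, where a length of 0 fails with EINVAL. A call site that omits the size through the base interface would still compile, get SGX_ERROR_UNEXPECTED back, and leave the enclave range mapped. Dropping the default, `virtual int destroy_enclave(sgx_enclave_id_t enclave_id, uint64_t enclave_size) = 0;`, forces every caller to supply the size; the call sites visible in this commit (enclave.cpp, loader.cpp) already do.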
@@ -52,7 +52,7 @@ public:
 int create_enclave(secs_t *secs, sgx_enclave_id_t *enclave_id, void **start_addr, bool ae);
 int add_enclave_page(sgx_enclave_id_t enclave_id, void *source, uint64_t offset, const sec_info_t &sinfo, uint32_t attr);
 int init_enclave(sgx_enclave_id_t enclave_id, enclave_css_t *enclave_css, SGXLaunchToken *lc, le_prd_css_file_t *prd_css_file);
- int destroy_enclave(sgx_enclave_id_t enclave_id);
+ int destroy_enclave(sgx_enclave_id_t enclave_id, uint64_t enclave_size);
 int initialize(sgx_enclave_id_t enclave_id);
 bool use_se_hw() const;
 int get_misc_attr(sgx_misc_attribute_t *sgx_misc_attr, metadata_t *metadata, SGXLaunchToken * const lc, uint32_t flag);
diff --git a/psw/urts/linux/enclave_creator_hw.cpp b/psw/urts/linux/enclave_creator_hw.cpp
index 10c80a94a2..feeb72ecf1 100644
--- a/psw/urts/linux/enclave_creator_hw.cpp
+++ b/psw/urts/linux/enclave_creator_hw.cpp
@@ -72,39 +72,38 @@ int EnclaveCreatorHW::error_driver2urts(int driver_error) switch(driver_error) { - case ISGX_ERROR: +#if 0 + case SGX_ERROR: if(ENOMEM == errno) ret = SGX_ERROR_OUT_OF_MEMORY; else ret = SGX_ERROR_NO_DEVICE; break; - case ISGX_INVALID_ATTRIBUTE: +#endif + case SGX_INVALID_ATTRIBUTE: ret = SGX_ERROR_INVALID_ATTRIBUTE; break; - case ISGX_INVALID_MEASUREMENT: + case SGX_INVALID_MEASUREMENT: ret = SE_ERROR_INVALID_MEASUREMENT; break; - case ISGX_INVALID_SIG_STRUCT: - case ISGX_INVALID_SIGNATIRE: + case SGX_INVALID_SIG_STRUCT: + case SGX_INVALID_SIGNATURE: ret = SGX_ERROR_INVALID_SIGNATURE; break; - case ISGX_INVALID_LAUNCH_TOKEN: - ret = SE_ERROR_INVALID_LAUNCH_TOKEN; - break; - case ISGX_INVALID_CPUSVN: + case SGX_INVALID_CPUSVN: ret = SGX_ERROR_INVALID_CPUSVN; break; - case ISGX_INVALID_ISVSVN: + case SGX_INVALID_ISVSVN: ret = SGX_ERROR_INVALID_ISVSVN; break; - case ISGX_UNMASKED_EVENT: + case SGX_UNMASKED_EVENT: ret = SGX_ERROR_DEVICE_BUSY; break; - case (int)ISGX_POWER_LOST_ENCLAVE: // [-Wc++11-narrowing] + case (int)SGX_POWER_LOST_ENCLAVE: // [-Wc++11-narrowing] ret = SGX_ERROR_ENCLAVE_LOST; break; default: - SE_TRACE(SE_TRACE_WARNING, "unexpected error %#x from driver, should be uRTS/driver bug\n", ret); + SE_TRACE(SE_TRACE_WARNING, "unexpected error %#X from driver, should be uRTS/driver bug\n", driver_error); ret = SGX_ERROR_UNEXPECTED; break; } 
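Review bot: With the old `-1` case wrapped in `#if 0`, an ioctl that fails the usual way (returns -1 and sets errno) now falls into `default` and is reported as SGX_ERROR_UNEXPECTED, so callers can no longer tell out-of-memory or a missing device from a driver bug. The call sites in this file pass the raw ioctl return to error_driver2urts, so that path is reachable; rather than leaving a dead block, keep it live with a literal, `case -1: ret = (ENOMEM == errno) ? SGX_ERROR_OUT_OF_MEMORY : SGX_ERROR_NO_DEVICE; break;`. The launch-token case is also dropped without a replacement: the new header defines `SGX_INVALID_LICENSE` as 16, the same value as the old ISGX_INVALID_LAUNCH_TOKEN, so if the driver still reports a rejected token that way it should map to `SE_ERROR_INVALID_LAUNCH_TOKEN` instead of the default. The function starts and ends outside this hunk.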
@@ -116,15 +115,35 @@ int EnclaveCreatorHW::create_enclave(secs_t *secs, sgx_enclave_id_t *enclave_id, { assert(secs != NULL && enclave_id != NULL && start_addr != NULL); UNUSED(ae); + int ret = 0; if (false == open_se_device()) return SGX_ERROR_NO_DEVICE; SE_TRACE(SE_TRACE_DEBUG, "\n secs.attibutes.flags = %llx, secs.attributes.xfrm = %llx \n" , secs->attributes.flags, secs->attributes.xfrm); + //SECS:BASEADDR must be naturally aligned on an SECS.SIZE boundary + void* enclave_base = mmap(NULL, (size_t)secs->size *2, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED, m_hdevice, 0); - struct isgx_create_param param = { secs, 0 }; - int ret = ioctl(m_hdevice, ISGX_IOCTL_ENCLAVE_CREATE, ¶m); + if(enclave_base == NULL) + { + SE_TRACE(SE_TRACE_WARNING, "\nISGX_IOCTL_ENCLAVE_CREATE fails: mmap fail\n"); + return SGX_ERROR_OUT_OF_MEMORY; + } + //find a suitable base for enclave + uint64_t base = (uint64_t)enclave_base + (secs->size - ((uint64_t)enclave_base % secs->size)) ; + secs->base = (void*)base; + //remove unneed page + munmap(enclave_base, (size_t)(secs->base) - (size_t)(enclave_base)); + + if(((uint64_t)(enclave_base) + secs->size *2) != ((uint64_t)secs->base + secs->size)) + { + munmap((void*)((size_t)secs->base + secs->size), (size_t)(enclave_base) + (size_t)secs->size - (size_t)(secs->base)); + } + + struct sgx_enclave_create param = {0}; + param.src = (__u64)(secs); + ret = ioctl(m_hdevice, SGX_IOC_ENCLAVE_CREATE, ¶m); if(ret) { SE_TRACE(SE_TRACE_WARNING, "\nISGX_IOCTL_ENCLAVE_CREATE fails: errno = %x\n", errno); return error_driver2urts(ret); 
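Review bot: The failure check after the new `mmap` call in create_enclave compares against `NULL`, but mmap reports failure as `MAP_FAILED` (`(void*)-1`), so a failed reservation falls through into the alignment arithmetic and the `munmap` calls with a bogus base; it should read `if(enclave_base == MAP_FAILED)`. `secs->size` is used as a divisor and doubled before any validation, so a zero or very large size needs to be rejected ahead of the mmap. The reserved range also stays mapped when `SGX_IOC_ENCLAVE_CREATE` fails; unless the caller's failure path is guaranteed to release it, add `munmap(secs->base, (size_t)secs->size);` before `return error_driver2urts(ret);`. The return values of the two trimming `munmap` calls are ignored, which hides a partially trimmed reservation. The function body starts before and continues after this hunk.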
@@ -134,11 +153,12 @@ int EnclaveCreatorHW::create_enclave(secs_t *secs, sgx_enclave_id_t *enclave_id, if(0 == tmp) g_eid_high++; *enclave_id = ((uint64_t)g_eid_high << 32) | g_eid_low; - *start_addr = secs->base = (void *)param.addr; + *start_addr = secs->base; return SGX_SUCCESS; } + int EnclaveCreatorHW::add_enclave_page(sgx_enclave_id_t enclave_id, void *src, uint64_t rva, const sec_info_t &sinfo, uint32_t attr) { assert((rva & ((1<(source); - addp.secinfo = (void *)const_cast(&sinfo); - if(!((1<(source); + addp.secinfo = reinterpret_cast<__u64>(const_cast(&sinfo)); + if(((1<(enclave_css); + struct sgx_enclave_init initp = { 0, 0, 0 }; + initp.addr = (__u64)enclave_id; + initp.sigstruct = reinterpret_cast<__u64>(enclave_css); //launch should NOT be NULL, because it has been checked in urts_com.h::_create_enclave(...) assert(launch != NULL); - initp.einittoken = reinterpret_cast(launch); - ret = ioctl(m_hdevice, ISGX_IOCTL_ENCLAVE_INIT, &initp); + initp.einittoken = reinterpret_cast<__u64>(launch); + ret = ioctl(m_hdevice, SGX_IOC_ENCLAVE_INIT, &initp); if (ret) { SE_TRACE(SE_TRACE_WARNING, "\nISGX_IOCTL_ENCLAVE_INIT fails error = %x\n", ret); return error_driver2urts(ret); @@ -195,14 +216,14 @@ int EnclaveCreatorHW::try_init_enclave(sgx_enclave_id_t enclave_id, enclave_css_ return SGX_SUCCESS; } -int EnclaveCreatorHW::destroy_enclave(sgx_enclave_id_t enclave_id) +//for linux hw mode, enclave_id is actually start address here +int EnclaveCreatorHW::destroy_enclave(sgx_enclave_id_t enclave_id, uint64_t enclave_size) { int ret = 0; - isgx_destroy_param param = { (unsigned long)enclave_id }; - ret = ioctl(m_hdevice, ISGX_IOCTL_ENCLAVE_DESTROY, ¶m); + ret = munmap((void*)enclave_id, (size_t)enclave_size); - if (-1 == ret) { + if (0 != ret) { SE_TRACE(SE_TRACE_WARNING, "destroy SGX enclave failed, error = %d\n", errno); ret = SGX_ERROR_UNEXPECTED; } diff --git a/psw/urts/linux/isgx_user.h b/psw/urts/linux/isgx_user.h index bee8016bcd..e2cd4b35d6 100644 
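Review bot: `EnclaveCreatorHW::destroy_enclave` now casts `enclave_id` to a pointer and unmaps `enclave_size` bytes from it with no validation, while create_enclave in this same file hands out a counter-based value in `*enclave_id` and the mapping address separately in `*start_addr`. The one-line comment is the only thing telling callers to pass the address; a caller that passes the real id, or a size different from the one used at creation (enclave.cpp passes `m_size`, loader.cpp passes `m_secs.size`), would unmap an unrelated range and munmap would still return 0. I would expand the comment into a stated contract (the arguments must be the `secs->base` / `secs->size` pair produced by create_enclave) and reject obviously bad input first, `if (enclave_id == 0 || enclave_size == 0) return SGX_ERROR_INVALID_PARAMETER;`. The end of the function lies outside the hunk.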
--- a/psw/urts/linux/isgx_user.h +++ b/psw/urts/linux/isgx_user.h 
@@ -28,75 +28,66 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * */ -#ifndef _X86_ISGX_USER_H -#define _X86_ISGX_USER_H - -#include -#include +#ifndef _UAPI_ASM_X86_SGX_H +#define _UAPI_ASM_X86_SGX_H + #include +#include + +#define SGX_MAGIC 0xA4 + +#define SGX_IOC_ENCLAVE_CREATE \ + _IOW(SGX_MAGIC, 0x00, struct sgx_enclave_create) +#define SGX_IOC_ENCLAVE_ADD_PAGE \ + _IOW(SGX_MAGIC, 0x01, struct sgx_enclave_add_page) +#define SGX_IOC_ENCLAVE_INIT \ + _IOW(SGX_MAGIC, 0x02, struct sgx_enclave_init) + + /* SGX leaf instruction return values */ +#define SGX_SUCCESS 0 +#define SGX_INVALID_SIG_STRUCT 1 +#define SGX_INVALID_ATTRIBUTE 2 +#define SGX_BLKSTATE 3 +#define SGX_INVALID_MEASUREMENT 4 +#define SGX_NOTBLOCKABLE 5 +#define SGX_PG_INVLD 6 +#define SGX_LOCKFAIL 7 +#define SGX_INVALID_SIGNATURE 8 +#define SGX_MAC_COMPARE_FAIL 9 +#define SGX_PAGE_NOT_BLOCKED 10 +#define SGX_NOT_TRACKED 11 +#define SGX_VA_SLOT_OCCUPIED 12 +#define SGX_CHILD_PRESENT 13 +#define SGX_ENCLAVE_ACT 14 +#define SGX_ENTRYEPOCH_LOCKED 15 +#define SGX_INVALID_LICENSE 16 +#define SGX_PREV_TRK_INCMPL 17 +#define SGX_PG_IS_SECS 18 +#define SGX_INVALID_CPUSVN 32 +#define SGX_INVALID_ISVSVN 64 +#define SGX_UNMASKED_EVENT 128 +#define SGX_INVALID_KEYNAME 256 + + /* IOCTL return values */ +#define SGX_POWER_LOST_ENCLAVE 0x40000000 +#define SGX_LE_ROLLBACK 0x40000001 + + struct sgx_enclave_create { + __u64 src; + } __attribute__((packed)); + + struct sgx_enclave_add_page { + __u64 addr; + __u64 src; + __u64 secinfo; + __u16 mrmask; + } __attribute__((packed)); + + struct sgx_enclave_init { + __u64 addr; + __u64 sigstruct; + __u64 einittoken; + } __attribute__((packed)); + +#endif /* _UAPI_ASM_X86_SGX_H */ -#define ISGX_IOCTL_ENCLAVE_CREATE _IOWR('p', 0x02, struct isgx_create_param) -#define ISGX_IOCTL_ENCLAVE_ADD_PAGE _IOW('p', 0x03, struct isgx_add_param) -#define ISGX_IOCTL_ENCLAVE_INIT _IOW('p', 0x04, struct isgx_init_param) -#define ISGX_IOCTL_ENCLAVE_DESTROY _IOW('p', 
0x06, struct isgx_destroy_param) - -#define SECS_SIZE_OFFSET 0 -#define SECS_BASE_OFFSET (SECS_SIZE_OFFSET + 8) -#define SECS_FLAGS_OFFSET (SECS_BASE_OFFSET + 8) -#define SECS_SSAFRAMESIZE_OFFSET (SECS_SIZE_OFFSET + 164) - -/* SGX leaf instruction return values */ -#define ISGX_SUCCESS 0 -#define ISGX_ERROR -1 -#define ISGX_INVALID_SIG_STRUCT 0x1 -#define ISGX_INVALID_ATTRIBUTE 0x2 -#define ISGX_INVALID_MEASUREMENT 0x4 -#define ISGX_INVALID_SIGNATIRE 0x8 -#define ISGX_INVALID_LAUNCH_TOKEN 0x10 -#define ISGX_INVALID_CPUSVN 0x20 -#define ISGX_INVALID_ISVSVN 0x40 -#define ISGX_UNMASKED_EVENT 0x80 -#define ISGX_INVALID_KEYNAME 0x100 - -/* IOCTL return values */ -#define ISGX_OUT_OF_EPC_PAGES 0xc0000001 -#define ISGX_POWER_LOST_ENCLAVE 0xc0000002 - -/* SECINFO flags */ -#define ISGX_SECINFO_R 0x1 /* Read Access */ -#define ISGX_SECINFO_W 0x2 /* Write Access */ -#define ISGX_SECINFO_X 0x4 /* Execute Access */ -#define ISGX_SECINFO_SECS 0x000 /* SECS */ -#define ISGX_SECINFO_TCS 0x100 /* TCS */ -#define ISGX_SECINFO_REG 0x200 /* Regular Page */ - -struct isgx_secinfo { - __u64 flags; - __u64 reserved[7]; -}; - -struct isgx_create_param { - void *secs; - unsigned long addr; -}; - -#define ISGX_ADD_SKIP_EEXTEND 0x1 - -struct isgx_add_param { - unsigned long addr; - unsigned long user_addr; - void *secinfo; - unsigned int flags; -}; - -struct isgx_init_param { - unsigned long addr; - void *sigstruct; - void *einittoken; -}; - -struct isgx_destroy_param { - unsigned long addr; -}; - -#endif /* _X86_ISGX_USER_H */ diff --git a/psw/urts/loader.cpp b/psw/urts/loader.cpp index 6821d7210d..a1fd16f61e 100644 --- a/psw/urts/loader.cpp +++ b/psw/urts/loader.cpp @@ -438,7 +438,7 @@ int CLoader::build_image(SGXLaunchToken * const lc, sgx_attributes_t * const sec return SGX_SUCCESS; fail: - get_enclave_creator()->destroy_enclave(ENCLAVE_ID_IOCTL); + get_enclave_creator()->destroy_enclave(ENCLAVE_ID_IOCTL, m_secs.size); return ret; } 
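Review bot: The rewritten isgx_user.h defines `SGX_SUCCESS` as a plain macro, while enclave_creator_hw.cpp in this commit returns `SGX_SUCCESS` as an SDK status code. If the SDK declares that name as an enumerator (it appears to), the result depends on include order: the macro either breaks the enum declaration or silently rewrites later uses to `0`. The guard `_UAPI_ASM_X86_SGX_H` is also the name a kernel UAPI header would use, so a translation unit that includes both would silently drop one of them. Assuming this file is maintained here rather than copied verbatim from the driver, a file-specific guard and removing or renaming the `SGX_SUCCESS` macro would avoid both collisions.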
@@ -689,7 +689,7 @@ int CLoader::load_enclave_ex(SGXLaunchToken *lc, bool debug, const metadata_t *m int CLoader::destroy_enclave() { - return get_enclave_creator()->destroy_enclave(ENCLAVE_ID_IOCTL); + return get_enclave_creator()->destroy_enclave(ENCLAVE_ID_IOCTL, m_secs.size); } int CLoader::set_memory_protection() diff --git a/sdk/sign_tool/SignTool/enclave_creator_sign.cpp b/sdk/sign_tool/SignTool/enclave_creator_sign.cpp index ebd6ac3fb7..a92130db86 100644 --- a/sdk/sign_tool/SignTool/enclave_creator_sign.cpp +++ b/sdk/sign_tool/SignTool/enclave_creator_sign.cpp @@ -236,9 +236,10 @@ int EnclaveCreatorST::get_misc_attr(sgx_misc_attribute_t *sgx_misc_attr, metadat return SGX_SUCCESS; } -int EnclaveCreatorST::destroy_enclave(sgx_enclave_id_t enclave_id) +int EnclaveCreatorST::destroy_enclave(sgx_enclave_id_t enclave_id, uint64_t enclave_size) { UNUSED(enclave_id); + UNUSED(enclave_size); SAFE_FREE_MM(m_ctx); return SGX_SUCCESS; } diff --git a/sdk/sign_tool/SignTool/enclave_creator_sign.h b/sdk/sign_tool/SignTool/enclave_creator_sign.h index 64fe6ea589..d4612a0994 100644 --- a/sdk/sign_tool/SignTool/enclave_creator_sign.h +++ b/sdk/sign_tool/SignTool/enclave_creator_sign.h @@ -49,7 +49,7 @@ public: int init_enclave(sgx_enclave_id_t enclave_id, enclave_css_t *enclave_css, SGXLaunchToken *lc, le_prd_css_file_t *prd_css_file); int get_misc_attr(sgx_misc_attribute_t *sgx_misc_attr, metadata_t *metadata, SGXLaunchToken * const lc, uint32_t flag); bool get_plat_cap(sgx_misc_attribute_t *se_attr); - int destroy_enclave(sgx_enclave_id_t enclave_id); + int destroy_enclave(sgx_enclave_id_t enclave_id, uint64_t enclave_size); int initialize(sgx_enclave_id_t enclave_id); bool use_se_hw() const; diff --git a/sdk/simulation/urtssim/enclave_creator_sim.cpp b/sdk/simulation/urtssim/enclave_creator_sim.cpp index 3f92291f24..852db2be4e 100644 --- a/sdk/simulation/urtssim/enclave_creator_sim.cpp +++ b/sdk/simulation/urtssim/enclave_creator_sim.cpp 
@@ -167,8 +167,9 @@ int EnclaveCreatorSim::get_misc_attr(sgx_misc_attribute_t *sgx_misc_attr, metada return SGX_SUCCESS; } -int EnclaveCreatorSim::destroy_enclave(sgx_enclave_id_t enclave_id) +int EnclaveCreatorSim::destroy_enclave(sgx_enclave_id_t enclave_id, uint64_t enclave_size) { + UNUSED(enclave_size); CEnclave *enclave = CEnclavePool::instance()->get_enclave(enclave_id); if(enclave == NULL) diff --git a/sdk/simulation/urtssim/enclave_creator_sim.h b/sdk/simulation/urtssim/enclave_creator_sim.h index 4732183dda..23d7c88e7d 100644 --- a/sdk/simulation/urtssim/enclave_creator_sim.h +++ b/sdk/simulation/urtssim/enclave_creator_sim.h @@ -43,7 +43,7 @@ public: int create_enclave(secs_t *secs, sgx_enclave_id_t *enclave_id, void **start_addr, bool ae); int add_enclave_page(sgx_enclave_id_t enclave_id, void *source, uint64_t offset, const sec_info_t &sinfo, uint32_t attr); int init_enclave(sgx_enclave_id_t enclave_id, enclave_css_t *enclave_css, SGXLaunchToken *launch, le_prd_css_file_t *prd_css_file); - virtual int destroy_enclave(sgx_enclave_id_t enclave_id); + virtual int destroy_enclave(sgx_enclave_id_t enclave_id, uint64_t enclave_size); int get_misc_attr(sgx_misc_attribute_t *sgx_misc_attr, metadata_t *metadata, SGXLaunchToken * const lc, uint32_t flag); bool get_plat_cap(sgx_misc_attribute_t *se_attr); int initialize(sgx_enclave_id_t enclave_id);