sync code from openEuler-21.03

Signed-off-by: chenmaodong <chenmaodong@huawei.com>
chenmaodong 2021-04-12 10:07:32 +08:00
parent 57ef6a11b9
commit c033d9bc77
17 changed files with 2819 additions and 18 deletions

132
0001-add-README.cn.md.patch Normal file

@ -0,0 +1,132 @@
From f42f4dd1b90309648077c3616587881004270019 Mon Sep 17 00:00:00 2001
From: whzhe <wanghongzhe@huawei.com>
Date: Thu, 4 Feb 2021 11:29:59 +0800
Subject: [PATCH 1/7] =?UTF-8?q?add=20README.cn.md.=20=E6=B7=BB=E5=8A=A0?=
=?UTF-8?q?=E4=B8=AD=E6=96=87=E5=A3=B0=E6=98=8E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
README.cn.md | 109 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 109 insertions(+)
create mode 100644 README.cn.md
diff --git a/README.cn.md b/README.cn.md
new file mode 100644
index 0000000..360632a
--- /dev/null
+++ b/README.cn.md
@@ -0,0 +1,109 @@
+<img src="docs/logo.png" alt="secGear" style="zoom:100%;" />
+
+secGear
+============================
+
+介绍
+-----------
+
+SecGear则是面向计算产业的机密计算安全应用开发套件。旨在方便开发者在不同的硬件设备上提供统一开发框架。目前secGear支持intel SGX硬件和Trustzone itrustee。
+
+构建、安装
+----------------
+
+- [详见 构建、安装](./docs/build_install.md)
+
+开发应用和编译
+------------------------------
+
+开发目录 .../secGear/examples/test/
+
+### 1 编写edl接口文件
+
+ enclave {
+ include "secgear_urts.h"
+ from "secgear_tstdc.edl" import *;
+ trusted {
+ public int get_string([out, size=32]char *buf);
+ };
+ };
+'include "secgear_urts.h" from "secgear_tstdc.edl" import *'是为了屏蔽SGX和iTrustee在调用libc库之间的差异。所以为了开发代码的一致性默认导入这两个文件。
+有关edl语法的详细信息请参阅SGX开发文档定义的EDL(Enclave Definition Language)语法部分。
+目前SGX和iTrustee在基本类型、指针类型和深拷贝方面是相互兼容的。对于user_check、private ecalls、switchless特性仅支持sgx硬件。
+
+保存文件名为test.edl
+
+### 2 编写最外层CMakeLists.txt文件
+
+ cmake_minimum_required(VERSION 3.12 FATAL_ERROR)
+ project(TEST C)
+ set(CMAKE_C_STANDARD 99)
+ set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
+ set(EDL_FILE test.edl)
+ set(LOCAL_ROOT_PATH "$ENV{CC_SDK}")
+ set(SECGEAR_INSTALL_PATH /lib64/)
+ if(CC_GP)
+ set(CODETYPE trustzone)
+ set(CODEGEN codegen_arm64)
+ execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID)
+ string(REPLACE "\n" "" UUID ${UUID})
+ add_definitions(-DPATH="/data/${UUID}.sec")
+ endif()
+ if(CC_SGX)
+ set(CODETYPE sgx)
+ set(CODEGEN codegen_x86_64)
+ add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so")
+ endif()
+ add_subdirectory(${CURRENT_ROOT_PATH}/enclave)
+ add_subdirectory(${CURRENT_ROOT_PATH}/host)
+
+EDL_FILE、CODETYPE稍后自动构建的时候会用到这些属性。
+UUID在iTrustee中构建安全enclave动态库需要使用UUID命名这里由uuidgen命令自动生成。
+DPATH用于定义非安全侧使用安全侧动态库的绝对路径
+
+### 3 编写非安全侧代码和CMakeLists.txt文件
+
+#### 3.1 创建host目录和main.c文件
+
+ #include <stdio.h>
+ #include "enclave.h"
+ #include "test_u.h"
+
+ #define BUF_LEN 32
+
+ int main()
+ {
+ int retval = 0;
+ char *path = PATH;
+ char buf[BUF_LEN];
+ cc_enclave_t *context = NULL;
+ cc_enclave_result_t res;
+
+ res = cc_enclave_create(path, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context);
+ ...
+
+ res = get_string(context, &retval, buf);
+ if (res != CC_SUCCESS || retval != (int)CC_SUCCESS) {
+ printf("Ecall enclave error\n");
+ } else {
+ printf("%s\n", buf);
+ }
+
+ if (context != NULL) {
+ res = cc_enclave_destroy(context);
+ ...
+ }
+ return res;
+ }
+
+enclave.h: secGear库头文件
+test_u.h: 根据edl文件自动生成的非安全侧头文件。
+cc_enclave_create: 用于创建enclave安全上下文。
+get_string: 根据edl中trusted定义的安全侧代理函数该代理函数用于进入到安全侧执行安全代码。
+cc_enclave_destroy: 用于销毁enclave安全上下文。
+
+注意这里调用的get_string函数与在edl中定义的get_string函数有些不同这里的参数比edl中定义的多了前两个参数分别是enclave安全上下文
+和retval参数。这是因为codegen自动生成代码工具通过edl生成的非安全侧代理函数其声明在test_u.h中。
+如果在edl中定义的函数无返回值时例如"public void get_string([out,size=32] char *buf);"则非安全侧代理函数为
+"res=get_string(context, buf)"(这里就不在有retval参数)
+
--
2.27.0


@ -0,0 +1,76 @@
From c7464e2f6a492a84dd0c7c808ba43750961d5143 Mon Sep 17 00:00:00 2001
From: chenmaodong <chenmaodong@huawei.com>
Date: Thu, 4 Feb 2021 16:42:46 +0800
Subject: [PATCH 2/7] it is better to define enum from 0 rather than 1
Signed-off-by: chenmaodong <chenmaodong@huawei.com>
---
inc/enclave_inc/gp/gp.h | 2 +-
inc/host_inc/enclave.h | 4 ++--
inc/host_inc/status.h | 1 -
src/host_src/gp/gp_enclave.h | 2 +-
4 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/inc/enclave_inc/gp/gp.h b/inc/enclave_inc/gp/gp.h
index 0662110..bed6afd 100644
--- a/inc/enclave_inc/gp/gp.h
+++ b/inc/enclave_inc/gp/gp.h
@@ -25,7 +25,7 @@
#define COUNT(ARR) (sizeof(ARR) / sizeof((ARR)[0]))
enum
{
- SECGEAR_ECALL_FUNCTION = 1,
+ SECGEAR_ECALL_FUNCTION = 0,
};
typedef cc_enclave_result_t (*cc_ecall_func_t)(
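Review bot: `SECGEAR_ECALL_FUNCTION` is defined independently here and in src/host_src/gp/gp_enclave.h (last hunk of this patch), so the two copies can drift apart. The value looks like an identifier shared between the host and the enclave side, though its use is outside the hunks, so that is an inference. If so, a host library and an enclave built from different revisions of these headers would disagree on it after this renumbering. A single shared header would remove the duplication; at minimum add a comment at both definitions, e.g. `/* must match SECGEAR_ECALL_FUNCTION in src/host_src/gp/gp_enclave.h; rebuild host and enclave together */`.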
diff --git a/inc/host_inc/enclave.h b/inc/host_inc/enclave.h
index 9722ca3..b063ce9 100644
--- a/inc/host_inc/enclave.h
+++ b/inc/host_inc/enclave.h
@@ -34,7 +34,7 @@ extern "C" {
/*the enclave types supported by cloud enclave*/
typedef enum _enclave_type {
- SGX_ENCLAVE_TYPE = 1,
+ SGX_ENCLAVE_TYPE = 0,
GP_ENCLAVE_TYPE,
AUTO_ENCLAVE_TYPE,
ENCLAVE_TYPE_MAX
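Review bot: With `SGX_ENCLAVE_TYPE = 0`, a zero-initialised or memset `enclave_type_t` now names a real engine instead of an out-of-range value, so a caller that forgets to set the type silently selects SGX. The renumbering also shifts `GP_ENCLAVE_TYPE` and `AUTO_ENCLAVE_TYPE` by one, and the next hunk does the same to `enclave_type_version_t`. Because this is a public host header, a program compiled against the old values would pass a different engine than it intended to a library built with the new ones. Whether the engine selection code rejects the stale values is not visible here; the header should at least carry a comment such as `/* values are part of the host ABI; renumbered to start at 0, rebuild all callers */`.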
@@ -42,7 +42,7 @@ typedef enum _enclave_type {
/*the enclave types and version supported by cloud enclave*/
typedef enum _enclave_type_version {
- SGX_ENCLAVE_TYPE_0 = 1,
+ SGX_ENCLAVE_TYPE_0 = 0,
SGX_ENCLAVE_TYPE_MAX,
GP_ENCLAVE_TYPE_0,
GP_ENCLAVE_TYPE_MAX,
diff --git a/inc/host_inc/status.h b/inc/host_inc/status.h
index 30f62d0..90f14a6 100644
--- a/inc/host_inc/status.h
+++ b/inc/host_inc/status.h
@@ -21,7 +21,6 @@ extern "C" {
#define NULL ((void *)0)
#endif
#define SECGEAR_ENUM_MAX 0xffffffff
-#define SGX_MK_ERROR(x) (0x00000000|(x))
typedef enum _enclave_result_t
{
diff --git a/src/host_src/gp/gp_enclave.h b/src/host_src/gp/gp_enclave.h
index 1764b99..52dc911 100644
--- a/src/host_src/gp/gp_enclave.h
+++ b/src/host_src/gp/gp_enclave.h
@@ -17,7 +17,7 @@
enum
{
- SECGEAR_ECALL_FUNCTION = 1,
+ SECGEAR_ECALL_FUNCTION = 0,
};
typedef struct _gp_context{
--
2.27.0


@ -0,0 +1,366 @@
From 2d59a27c4e2ca674ab976a793ea15de6183f8b13 Mon Sep 17 00:00:00 2001
From: whzhe <wanghongzhe@huawei.com>
Date: Thu, 4 Feb 2021 17:04:16 +0800
Subject: [PATCH 3/7] update README.cn.md.
---
README.cn.md | 345 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 345 insertions(+)
diff --git a/README.cn.md b/README.cn.md
index 360632a..274c70d 100644
--- a/README.cn.md
+++ b/README.cn.md
@@ -107,3 +107,348 @@ cc_enclave_destroy: 用于销毁enclave安全上下文。
如果在edl中定义的函数无返回值时例如"public void get_string([out,size=32] char *buf);"则非安全侧代理函数为
"res=get_string(context, buf)"(这里就不在有retval参数)
+#### 3.2 编写非安全侧CMakeLists.txt
+
+ #set auto code prefix
+ set(PREFIX test)
+ #set host exec name
+ set(OUTPUT secgear_test)
+ #set host src code
+ set(SOURCE_FILE ${CMAKE_CURRENT_SOURCE_DIR}/main.c)
+
+设置预备的基础变量
+
+ #set auto code
+ if(CC_GP)
+ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h)
+ add_custom_command(OUTPUT ${AUTO_FILES}
+ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE}
+ COMMAND ${CODEGEN} --${CODETYPE} --untrusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/gp)
+ endif()
+
+ if(CC_SGX)
+ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.c)
+ add_custom_command(OUTPUT ${AUTO_FILES}
+ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE}
+ COMMAND ${CODEGEN} --${CODETYPE} --untrusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include)
+ endif()
+
+设置使用代码辅助生成工具根据edl文件生成辅助代码。CODEGEN和CODETYPE等变量定义在CMakeList.txt文件.--search-path用于搜索在edl文件中导入依赖的其他edl文件。
+当使用SGX时需要导入sgx提供的基础edl因此这里指定了SGXSDK的patch "--search-path ${SGXSDK}/include)"。
+
+ set(CMAKE_C_FLAGS "-fstack-protector-all -W -Wall -Werror -Wextra -Werror=array-bounds -D_FORTIFY_SOURCE=2 -O2 -ftrapv -fPIE")
+ set(CMAKE_EXE_LINKER_FLAGS "-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack")
+
+设置编译选项和链接选项
+
+ if(CC_GP)
+ if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${SECGEAR_INSTALL_PATH})
+ endif()
+ add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES})
+ target_include_directories(${OUTPUT} PRIVATE
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/gp
+ ${CMAKE_CURRENT_BINARY_DIR})
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${OUTPUT} PRIVATE ${SECGEAR_INSTALL_PATH})
+ endif()
+ endif()
+
+在iTrustee硬件环境上设置头文件的搜索路径及编译生成非安全侧二进制文件。
+
+ if(CC_SGX)
+ if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${SECGEAR_INSTALL_PATH})
+ endif()
+ add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES})
+ target_include_directories(${OUTPUT} PRIVATE
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/sgx
+ ${CMAKE_CURRENT_BINARY_DIR})
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${OUTPUT} PRIVATE ${SECGEAR_INSTALL_PATH})
+ endif()
+ endif()
+
+在SGX硬件环境上设置头文件的搜索路径及编译生成非安全侧二进制文件。
+
+ if(CC_SIM)
+ target_link_libraries(${OUTPUT} secgearsim)
+ else()
+ target_link_libraries(${OUTPUT} secgear)
+ endif()
+ set_target_properties(${OUTPUT} PROPERTIES SKIP_BUILD_RPATH TRUE)
+ if(CC_GP)
+ install(TARGETS ${OUTPUT}
+ RUNTIME
+ DESTINATION /vendor/bin/
+ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ)
+ endif()
+ if(CC_SGX)
+ install(TARGETS ${OUTPUT}
+ RUNTIME
+ DESTINATION ${CMAKE_BINARY_DIR}/bin/
+ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ)
+ endif()
+
+
+设置secGear链接库当指定模拟模式CC_SIM时链接libsecgearsim.so否则链接libsecgear.so。
+在iTrustee硬件环境上需指定安装固定的安全白名单。
+
+### 4 编写安全侧代码、CMakeList.txt及基础配置文件
+
+#### 4.1 创建enclave目录 编写hello.c
+
+ #include <stdio.h>
+ #include <string.h>
+ #include "test_t.h"
+
+ #define TA_HELLO_WORLD "secGear hello world!"
+ #define BUF_MAX 32
+ int get_string(char *buf)
+ {
+ strncpy(buf, TA_HELLO_WORLD, strlen(TA_HELLO_WORLD) + 1);
+ return 0;
+ }
+
+test_t.h该头文件为自动生成代码工具codegen通过edl文件生成的头文件。该头文件命名为edl文件名加"_t"。
+
+#### 4.2 编写CMakeList.txt文件
+
+ #set auto code prefix
+ set(PREFIX test)
+ #set sign key
+ set(PEM Enclave_private.pem)
+
+设置enclave签名私钥
+
+ #set sign tool
+ set(SIGN_TOOL ${LOCAL_ROOT_PATH}/tools/sign_tool/sign_tool.sh)
+ #set enclave src code
+ set(SOURCE_FILES ${CMAKE_CURRENT_SOURCE_DIR}/hello.c)
+ #set log level
+ set(PRINT_LEVEL 3)
+ add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL})
+
+设置签名工具已经安全侧打印日志level
+
+ if(CC_GP)
+ #set signed output
+ set(OUTPUT ${UUID}.sec)
+ #set itrustee device key
+ set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem)
+
+ set(WHITE_LIST_0 /vendor/bin/helloworld)
+ set(WHITE_LIST_1 /vendor/bin/secgear_test)
+ set(WHITE_LIST_OWNER root)
+ set(WHITELIST WHITE_LIST_0 WHITE_LIST_1)
+
+ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h)
+ add_custom_command(OUTPUT ${AUTO_FILES}
+ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE}
+ COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/gp)
+ endif()
+
+WHITE_LIST_x为设置iTrustee的二进制白名单只有这里定义的白名单在非安全侧的二进制才可以调用安全侧的动态库。上限为8个。
+WHITE_LIST_OWNER为设置运行二进制的用户只有该用户才可以调用安全侧动态库。
+DEVICEPEM该公钥用来动态生成aes秘钥
+AUTO_FILES由edl文件生成的安全侧二进制文件
+
+ if(CC_SGX)
+ set(OUTPUT enclave.signed.so)
+ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c)
+ add_custom_command(OUTPUT ${AUTO_FILES}
+ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE}
+ COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include)
+ endif()
+
+设置自动生成代码及签名动态库。
+
+ set(COMMON_C_FLAGS "-W -Wall -Werror -fno-short-enums -fno-omit-frame-pointer -fstack-protector \
+ -Wstack-protector --param ssp-buffer-size=4 -frecord-gcc-switches -Wextra -nostdinc -nodefaultlibs \
+ -fno-peephole -fno-peephole2 -Wno-main -Wno-error=unused-parameter \
+ -Wno-error=unused-but-set-variable -Wno-error=format-truncation=")
+
+ set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs -nostartfiles")
+
+设置安全侧便编译选项和链接选项。由于安全侧和非安全侧不同,非安全侧的标准动态库不能被安全侧链接。例如:"-nostdlib -nodefaultlibs -nostartfiles"
+
+
+ if(CC_GP)
+ configure_file("${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt.in" "${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt")
+
+ set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -march=armv8-a ")
+ set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s -fPIC")
+ set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-s")
+
+ set(ITRUSTEE_TEEDIR ${iTrusteeSDK}/)
+ set(ITRUSTEE_LIBC ${iTrusteeSDK}/thirdparty/open_source/musl/libc)
+
+ if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${SECGEAR_INSTALL_PATH})
+ endif()
+
+ add_library(${PREFIX} SHARED ${SOURCE_FILES} ${AUTO_FILES})
+
+ target_include_directories( ${PREFIX} PRIVATE
+ ${CMAKE_CURRENT_BINARY_DIR}
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/gp
+ ${LOCAL_ROOT_PATH}/inc/enclave_inc
+ ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp
+ ${ITRUSTEE_TEEDIR}/include/TA
+ ${ITRUSTEE_TEEDIR}/include/TA/huawei_ext
+ ${ITRUSTEE_LIBC}/arch/aarch64
+ ${ITRUSTEE_LIBC}/
+ ${ITRUSTEE_LIBC}/arch/arm/bits
+ ${ITRUSTEE_LIBC}/arch/generic
+ ${ITRUSTEE_LIBC}/arch/arm
+ ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp/itrustee)
+
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${PREFIX} PRIVATE ${SECGEAR_INSTALL_PATH})
+ endif()
+
+ foreach(WHITE_LIST ${WHITELIST})
+ add_definitions(-D${WHITE_LIST}="${${WHITE_LIST}}")
+ endforeach(WHITE_LIST)
+ add_definitions(-DWHITE_LIST_OWNER="${WHITE_LIST_OWNER}")
+
+ target_link_libraries(${PREFIX} -lsecgear_tee)
+
+ add_custom_command(TARGET ${PREFIX}
+ POST_BUILD
+ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
+ -e ${DEVICEPEM} -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT})
+
+ install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT}
+ DESTINATION /data
+ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+
+ endif()
+
+manifest.txtitrustee安全侧配置文件后面对该文件进行详解
+指定itrustee特性编译选项设置引用头文件和动态库的路径。
+前面声明的白名单在这里定义。
+itrustee需要链接secgear_tee动态库提供seal接口等。
+
+ if(CC_SGX)
+ set(SGX_DIR ${SGXSDK})
+ set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -m64 -fvisibility=hidden")
+ set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s")
+ set(LINK_LIBRARY_PATH ${SGX_DIR}/lib64)
+
+ if(CC_SIM)
+ set(Trts_Library_Name sgx_trts_sim)
+ set(Service_Library_Name sgx_tservice_sim)
+ else()
+ set(Trts_Library_Name sgx_trts)
+ set(Service_Library_Name sgx_tservice)
+ endif()
+
+ set(Crypto_Library_Name sgx_tcrypto)
+
+ set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-z,defs -Wl,-pie -Bstatic -Bsymbolic -eenclave_entry \
+ -Wl,--export-dynamic -Wl,--defsym,__ImageBase=0 -Wl,--gc-sections -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/Enclave.lds")
+
+ if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${LINK_LIBRARY_PATH})
+ endif()
+
+ add_library(${PREFIX} SHARED ${SOURCE_FILES} ${AUTO_FILES})
+
+ target_include_directories(${PREFIX} PRIVATE
+ ${CMAKE_CURRENT_BINARY_DIR}
+ ${SGX_DIR}/include/tlibc
+ ${SGX_DIR}/include/libcxx
+ ${SGX_DIR}/include
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/sgx)
+
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${PREFIX} PRIVATE
+ ${LINK_LIBRARY_PATH})
+ endif()
+
+ target_link_libraries(${PREFIX} -Wl,--whole-archive ${Trts_Library_Name} -Wl,--no-whole-archive
+ -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -l${Crypto_Library_Name} -l${Service_Library_Name} -Wl,--end-group)
+ add_custom_command(TARGET ${PREFIX}
+ POST_BUILD
+ COMMAND openssl genrsa -3 -out ${PEM} 3072
+ COMMAND bash ${SIGN_TOOL} -d sign -x sgx -i lib${PREFIX}.so -k ${PEM} -o ${OUTPUT} -c ${CMAKE_CURRENT_SOURCE_DIR}/Enclave.config.xml)
+ endif()
+
+
+在SGX硬件环境上指定一些与sgx相关的编译选项、链接选项。链接动态库时有所不同因为itrustee是一个具有更多功能的安全操作系统。提供如muslibc和openssl。在编译和链接itrustee时不用链接一些基本库但是sgx没有OS概念。所以要在安全侧调用这些基本库的接口都要以静态的形式在sgxsdk中给出。例如"sgx_trts"
+
+有关更多详细信息请参阅sgx示例的Makefile。最后用enclave配置文件完成签名稍后将进行介绍。secGear尚不支持远程身份验证。
+
+#### 4.3 编写安全侧配置文件
+
+编写与sgx enclave相关的配置文件中Enclave.config.xml文件及enclave.lds文件与官方sgx配置相同。详情参阅官方开发文档。
+
+编写itrustee enclave相关配置文件
+mainfest.txt.in:其中gpd.ta.appID 为动态生成uuid。其他配置参见itrustee开发文档。
+
+rsa_public_key_cloud.pem文件请将其他examples的中的拷贝过来这里的设备公钥用于使用临时生成的aes密钥用于对enclave动态库进行加密。
+
+#### 5 构建 安装
+
+进入开发目录cd .../secGear/example/test/
+创建debug目录mkdir debug && cd debug
+cmake构建cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=ON -DSGXSDK=sgx_sdk path .. && make && sudo make install sgx硬件环境
+ cmake -DCMAKE_BUILD_TYPE=Debug -DCC_GP=ON -DiTrusteeSDK=gp_sdk path .. && make && sudo make install itrustee硬件环境
+
+Log
+---
+非安全侧日志记录:
+
+非安全侧是开发与普通开发环境一样,可使用通用打印日志接口。
+
+安全侧日志记录:
+
+由于各架构安全能力不同的限制为了像非安全侧一样开发使用日志打印功能因为我们提供了PrintInfo接口将安全端日志记录到syslog系统中。
+相关配置文件为 conf/logrotate.d/secgear和conf/rsyslog.d/secgear.conf文件安装时将安装在系统目录/etc/中。
+
+注意在itrustee上需要include secgear_log.h头文件但是sgx不需要sgx通过ocall功能实现的所以相关代码生成在辅助代码中。
+当文件安装成功后需要运行"systemctl restart rsyslog"使日志功能生效。
+
+日志等级:
+
+ PRINT_ERROR 0
+ PRINT_WARNING 1
+ PRINT_STRACE 2
+ PRINT_DEBUG 3
+
+使用ocall
+---------
+
+目前ocall仅在sgx平台支持itrustee尚不支持。
+
+seal, generate_random接口
+--------------------------------------
+
+接口定义在secgear_dataseal.h、secgear_random.h中。
+注意由于itrustee派生密钥的功能仍然不完善因此目前还没有与密封相关的接口在itrustee平台上支持。
+
+远程证明(尚不支持)
+--------------------------------------
+
+了解更多关于codegener
+--------------------------------------
+
+secGear引入EDL(Enclave Description Language)和中间代码辅助生成工具codegener。edl与intel sgx定义兼容。
+
+
+- [了解更多关于codegener](./docs/codegener.md)
+
+了解更多关于sign_tool
+-----------------------------
+
+
+- [了解更多关于签名工具](./docs/sign_tool.md)
+
+Milestone
+---------
+<img src="docs/milestone.png" alt="secGear" style="zoom:80%;" />
\ No newline at end of file
--
2.27.0


@ -0,0 +1,25 @@
From 87dfa76438300aa21a7a28cd794c4d7912c40425 Mon Sep 17 00:00:00 2001
From: whzhe <wanghongzhe@huawei.com>
Date: Thu, 4 Feb 2021 17:05:14 +0800
Subject: [PATCH 4/7] update README.cn.md.
---
README.cn.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.cn.md b/README.cn.md
index 274c70d..54c32e3 100644
--- a/README.cn.md
+++ b/README.cn.md
@@ -449,6 +449,6 @@ secGear引入EDL(Enclave Description Language)和中间代码辅助生成工具c
- [了解更多关于签名工具](./docs/sign_tool.md)
-Milestone
+里程碑
---------
<img src="docs/milestone.png" alt="secGear" style="zoom:80%;" />
\ No newline at end of file
--
2.27.0

File diff suppressed because it is too large Load Diff


@ -0,0 +1,82 @@
From f1361d482b30dc651485b3ae0665a33148602786 Mon Sep 17 00:00:00 2001
From: liwei3013 <liwei3013@126.com>
Date: Wed, 24 Feb 2021 14:00:10 +0800
Subject: [PATCH 6/7] fix issues about double create/destory
Signed-off-by: liwei3013 <liwei3013@126.com>
---
src/host_src/enclave.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
index 14f6aae..e3020d3 100644
--- a/src/host_src/enclave.c
+++ b/src/host_src/enclave.c
@@ -67,7 +67,6 @@ static void error_handle(cc_enclave_t **l_context, void *handle, p_tee_registere
if (path) {
free(path);
}
- path = NULL;
if (*l_context) {
free(*l_context);
@@ -110,8 +109,14 @@ done:
static bool check_flag(cc_enclave_result_t *res, const char *path, uint32_t flags, const enclave_features_t *features,
const uint32_t features_count, cc_enclave_t **enclave)
{
- if (!path || !enclave || (features_count > 0 && features == NULL)
- || (features_count == 0 && features != NULL) || (flags & SECGEAR_RESERVED_FLAG)) {
+ if (enclave == NULL || *enclave != NULL) {
+ *res = CC_ERROR_BAD_PARAMETERS;
+ print_error_term("Input context should not be NULL or context pointer should be set to NULL\n");
+ return false;
+ }
+
+ if (!path || (features_count > 0 && features == NULL) || (features_count == 0 && features != NULL)
+ || (flags & SECGEAR_RESERVED_FLAG)) {
*res = CC_ERROR_BAD_PARAMETERS;
print_error_term("Parameter error\n");
return false;
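Review bot: The new `*enclave != NULL` test in check_flag can only tell a fresh handle from a live one if every caller initialises its handle variable to NULL, and nothing visible documents that requirement. A caller that declares `cc_enclave_t *ctx;` without an initialiser passes an indeterminate value, so create may be rejected or accepted unpredictably. The contract belongs on the declaration of cc_enclave_create in inc/host_inc/enclave.h, for example `/* *enclave must be NULL on entry; a non-NULL value is rejected as an already-created context */`. check_flag continues past the end of this hunk.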
@@ -194,8 +199,12 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
}
SECGEAR_CHECK_RES_NO_LOG(res);
- if (!check_flag(&res, path, flags, features, features_count, enclave) || !check_transform_path(&res, path, &l_path)
- || !chose_engine_type(&res, type, version, &type_version)|| !allocate_context_memory(&res, &l_context)) {
+ if (!check_flag(&res, path, flags, features, features_count, enclave)) {
+ return res;
+ }
+
+ if (!check_transform_path(&res, path, &l_path) || !chose_engine_type(&res, type, version, &type_version)
+ || !allocate_context_memory(&res, &l_context)) {
goto done;
}
@@ -267,7 +276,8 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
/* check context and enclave engine context */
if (!context || !context->list_ops_node) {
- print_error_goto("Function context parameter error\n");
+ print_error_term("Function context parameter error\n");
+ return CC_ERROR_BAD_PARAMETERS;
}
if (context->list_ops_node->ops_desc->ops->cc_destroy_enclave != NULL) {
@@ -294,6 +304,7 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
pthread_mutex_unlock(&(g_list_ops.mutex_work));
print_error_goto("Close engine failure\n");
}
+ context->list_ops_node = NULL;
}
/* free enclave number resources */
g_list_ops.enclaveState.enclave_count--;
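Review bot: Clearing `context->list_ops_node` here does not make a repeated cc_enclave_destroy() safe, because the `done:` path in the last hunk of this patch still runs `free(context)`. A second call with the same pointer then evaluates `!context->list_ops_node` on freed memory, and what it reads depends on the allocator. The assignment also appears to sit inside the `count == 0` branch, so it is not reached on every successful destroy. Since the function receives the pointer by value it cannot clear the caller's copy, so the contract should be stated on the declaration, e.g. `/* context is freed on return; the caller must set its pointer to NULL and must not pass it again */`.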
@@ -308,6 +319,5 @@ done:
if (context) {
free(context);
}
- context = NULL;
return res;
}
--
2.27.0


@ -0,0 +1,173 @@
From 956328150ae4a07b2f95cb2d4993b767c14b9e9b Mon Sep 17 00:00:00 2001
From: chenmaodong <chenmaodong@huawei.com>
Date: Fri, 26 Feb 2021 10:06:50 +0800
Subject: [PATCH 7/7] to make secGear log more clear
Signed-off-by: chenmaodong <chenmaodong@huawei.com>
---
inc/host_inc/status.h | 23 ++++++++++++++++-------
src/host_src/enclave.c | 33 +++++++++++++++++++--------------
src/host_src/enclave_internal.c | 6 +++---
3 files changed, 38 insertions(+), 24 deletions(-)
diff --git a/inc/host_inc/status.h b/inc/host_inc/status.h
index 90f14a6..84c092a 100644
--- a/inc/host_inc/status.h
+++ b/inc/host_inc/status.h
@@ -180,7 +180,7 @@ __attribute__((visibility("default"))) const char *cc_enclave_res2_str(cc_enclav
int32_t _res = (RES); \
if (_res != 0) { \
CCRES = CC_FAIL; \
- print_error_goto("Mutex acquisition or release error \n"); \
+ print_error_goto("%s Mutex acquisition or release error\n", cc_enclave_res2_str(CCRES)); \
} \
} while(0)
@@ -195,12 +195,21 @@ __attribute__((visibility("default"))) const char *cc_enclave_res2_str(cc_enclav
} while(0)
/* jump to done and log according to the type of res */
-#define SECGEAR_CHECK_RES(RES) \
- do { \
- cc_enclave_result_t _res = (RES); \
- if (_res != CC_SUCCESS) { \
- print_error_goto(":%s \n", cc_enclave_res2_str(_res)); \
- } \
+#define SECGEAR_CHECK_RES(RES) \
+ do { \
+ cc_enclave_result_t _res = (RES); \
+ if (_res != CC_SUCCESS) { \
+ print_error_goto("%s \n", cc_enclave_res2_str(_res)); \
+ } \
+ } while(0)
+
+#define SECGEAR_CHECK_RES_UNLOCK(RES) \
+ do { \
+ cc_enclave_result_t _res = (RES); \
+ if (_res != CC_SUCCESS) { \
+ pthread_mutex_unlock(&(g_list_ops.mutex_work)); \
+ print_error_goto("%s \n", cc_enclave_res2_str(_res)); \
+ } \
} while(0)
/* jump done, error log already printed in the previous error function */
diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
index e3020d3..dc8c5ed 100644
--- a/src/host_src/enclave.c
+++ b/src/host_src/enclave.c
@@ -110,15 +110,19 @@ static bool check_flag(cc_enclave_result_t *res, const char *path, uint32_t flag
const uint32_t features_count, cc_enclave_t **enclave)
{
if (enclave == NULL || *enclave != NULL) {
- *res = CC_ERROR_BAD_PARAMETERS;
- print_error_term("Input context should not be NULL or context pointer should be set to NULL\n");
+ *res = CC_ERROR_INVALID_ENCLAVE_ID;
return false;
}
-
- if (!path || (features_count > 0 && features == NULL) || (features_count == 0 && features != NULL)
- || (flags & SECGEAR_RESERVED_FLAG)) {
+ if (!path) {
+ *res = CC_ERROR_INVALID_PATH;
+ return false;
+ }
+ if ((features_count > 0 && features == NULL) || (features_count == 0 && features != NULL)) {
*res = CC_ERROR_BAD_PARAMETERS;
- print_error_term("Parameter error\n");
+ return false;
+ }
+ if (flags & SECGEAR_RESERVED_FLAG) {
+ *res = CC_ERROR_NOT_SUPPORTED;
return false;
}
return true;
@@ -197,9 +201,10 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
if (res == CC_ERROR_UNEXPECTED) {
check = false;
}
- SECGEAR_CHECK_RES_NO_LOG(res);
+ SECGEAR_CHECK_RES(res);
if (!check_flag(&res, path, flags, features, features_count, enclave)) {
+ print_error_term("%s\n", cc_enclave_res2_str(res));
return res;
}
@@ -239,13 +244,13 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
res = find_engine_open(type_version, &handle);
- SECGEAR_CHECK_RES_NO_LOG_UNLOCK(res);
+ SECGEAR_CHECK_RES_UNLOCK(res);
res = find_engine_registered(handle, &registered_func, &unregistered_func);
- SECGEAR_CHECK_RES_NO_LOG_UNLOCK(res);
+ SECGEAR_CHECK_RES_UNLOCK(res);
res = (*registered_func)(&l_context, handle);
- SECGEAR_CHECK_RES_NO_LOG_UNLOCK(res);
+ SECGEAR_CHECK_RES_UNLOCK(res);
ires = pthread_mutex_unlock(&(g_list_ops.mutex_work));
SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
@@ -256,7 +261,7 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
if (l_context->list_ops_node != NULL && l_context->list_ops_node->ops_desc->ops->cc_create_enclave != NULL) {
/* failure of this function will not bring out additional memory that needs to be managed */
res = l_context->list_ops_node->ops_desc->ops->cc_create_enclave(enclave, features, features_count);
- SECGEAR_CHECK_RES_NO_LOG(res);
+ SECGEAR_CHECK_RES(res);
} else {
print_error_goto("Enclave type version %d no valid ops function", type_version);
}
@@ -282,21 +287,21 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
if (context->list_ops_node->ops_desc->ops->cc_destroy_enclave != NULL) {
res = context->list_ops_node->ops_desc->ops->cc_destroy_enclave(context);
- SECGEAR_CHECK_RES_NO_LOG(res);
+ SECGEAR_CHECK_RES(res);
} else {
print_error_goto("Enclave context no valid ops function\n");
}
/* look up enclave engine unregistered */
res = find_engine_registered(context->list_ops_node->ops_desc->handle, NULL, &unregistered_funcc);
- SECGEAR_CHECK_RES_NO_LOG(res);
+ SECGEAR_CHECK_RES(res);
/* lock call unregistered func */
pthread_mutex_lock(&(g_list_ops.mutex_work));
SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
/* call enclave engine free node */
res = (*unregistered_funcc)(context, context->list_ops_node->ops_desc->type_version);
- SECGEAR_CHECK_RES_NO_LOG_UNLOCK(res);
+ SECGEAR_CHECK_RES_UNLOCK(res);
if (context->list_ops_node->ops_desc->count == 0) {
ires = dlclose(context->list_ops_node->ops_desc->handle);
if (ires != 0) {
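Review bot: In cc_enclave_destroy the return value of `pthread_mutex_lock(&(g_list_ops.mutex_work));` is discarded, so the `SECGEAR_CHECK_MUTEX_RES_CC(ires, res);` on the next line tests whatever `ires` held before; its earlier assignments are outside the hunk. If the lock fails, the unregister call and the `dlclose` below run without the mutex held and the failure is never reported. The create path assigns the result (`ires = pthread_mutex_unlock(...)`), and the same is needed here: `ires = pthread_mutex_lock(&(g_list_ops.mutex_work));`. These are context lines that this commit leaves unchanged, and the function body extends beyond the hunk on both sides.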
diff --git a/src/host_src/enclave_internal.c b/src/host_src/enclave_internal.c
index de51f2d..9a172bd 100644
--- a/src/host_src/enclave_internal.c
+++ b/src/host_src/enclave_internal.c
@@ -117,8 +117,8 @@ static err2str g_secgearerror [] =
{CC_ERROR_BAD_PARAMETERS, "Invalid parameter."},
{CC_ERROR_BAD_STATE, "Bad state."},
{CC_ERROR_ITEM_NOT_FOUND, "The requested item is not found."},
- {CC_ERROR_NOT_IMPLEMENTED, "opration is not implemented."},
- {CC_ERROR_NOT_SUPPORTED, "operation is not support."},
+ {CC_ERROR_NOT_IMPLEMENTED, "operation is not implemented."},
+ {CC_ERROR_NOT_SUPPORTED, "feature or type is not support."},
{CC_ERROR_NO_DATA, "There is no data."},
{CC_ERROR_OUT_OF_MEMORY, "Out of memory."},
{CC_ERROR_BUSY, "Busy system."},
@@ -231,7 +231,7 @@ cc_enclave_result_t find_engine_open(enclave_type_version_t type, void **handle)
}
if (!*handle) {
res = CC_ERROR_INVALID_HANDLE;
- print_error_goto("The dlopen failure: reason is %s\n", dlerror());
+ print_error_goto("%s\n", dlerror());
} else {
res = CC_SUCCESS;
}
--
2.27.0


@ -0,0 +1,25 @@
From 4ad45c9dfd22eb5e4193e5769227ad9ecedc8812 Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Thu, 4 Mar 2021 11:10:06 +0800
Subject: [PATCH] modify path error
---
tools/codegener/Genheader.ml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/codegener/Genheader.ml b/tools/codegener/Genheader.ml
index 8c7391d..e683670 100644
--- a/tools/codegener/Genheader.ml
+++ b/tools/codegener/Genheader.ml
@@ -316,7 +316,7 @@ let generate_untrusted_header (ec: enclave_content) =
in
let hfile_end = "#endif\n" in
let hfile_include =
- sprintf "#include \"%s_args.h\"\n#include \"enclave_internal.h\"\n" ec.file_shortnm
+ sprintf "#include \"%s_args.h\"\n#include \"secGear/enclave_internal.h\"\n" ec.file_shortnm
in
let agent_id = "#ifndef TEE_SECE_AGENT_ID\n#define TEE_SECE_AGENT_ID 0x53656345\n#endif\n"
in
--
2.27.0

23
0009-fix-sgxssl-edl.patch Normal file

@ -0,0 +1,23 @@
From 171ab61244c87058ab7b4a9f5ea0fbb1d5a84bbc Mon Sep 17 00:00:00 2001
From: liwei3013 <liwei3013@126.com>
Date: Sat, 27 Feb 2021 11:32:50 +0800
Subject: [PATCH 1/6] fix sgxssl edl
Signed-off-by: liwei3013 <liwei3013@126.com>
---
inc/host_inc/sgx/secgear_tssl.edl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inc/host_inc/sgx/secgear_tssl.edl b/inc/host_inc/sgx/secgear_tssl.edl
index 707c344..2ae7d85 100644
--- a/inc/host_inc/sgx/secgear_tssl.edl
+++ b/inc/host_inc/sgx/secgear_tssl.edl
@@ -1,4 +1,4 @@
// To do: develop key libraries of secGear version, to be compatible with SGX and GP.
enclave {
- from "sgx_tstdc.edl" import *;
+ from "sgx_tsgxssl.edl" import *;
};
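Review bot: Swapping the import removes the direct `from "sgx_tstdc.edl" import *;`, so any enclave that imports secgear_tssl.edl now gets the standard tstdc interface only if `sgx_tsgxssl.edl` re-imports it; that file is not part of this page and should be checked. The wildcard also adds every untrusted function declared by the SGX SSL EDL to the enclave's OCALL surface. Each of those returns host-controlled data into the enclave. A comment above the import would record the intent, e.g. `// imports all SGX SSL ocalls; relies on sgx_tsgxssl.edl to pull in sgx_tstdc.edl`.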
--
2.27.0


@ -0,0 +1,25 @@
From a960391b449cdc9dc081dbab28e9fbc0aa093cf0 Mon Sep 17 00:00:00 2001
From: liwei3013 <liwei3013@126.com>
Date: Mon, 8 Mar 2021 10:19:54 +0800
Subject: [PATCH 2/6] update docs/build_install.md.
---
docs/build_install.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/build_install.md b/docs/build_install.md
index 9ba1adb..482e8c2 100644
--- a/docs/build_install.md
+++ b/docs/build_install.md
@@ -3,7 +3,7 @@ Install secGear
openEuler x86
1. Refer to https://01.org/intel-software-guard-extensions/downloads download and install the 2.11
- sgx driver, sgx psw, sgx sdx. In the directory of sgx sdk, source environment(for use sgx-sign)
+ sgx driver, sgx psw, sgx sdk. In the directory of sgx sdk, source environment(for use sgx-sign)
2. Refer to https://github.com/ocaml/opam/releases download and install the opam-2.0.7-x86_64-linux.
Run "./opam-2.0.7-x86_64-linux init"
--
2.27.0


@ -0,0 +1,25 @@
From 4fc7411abfeef1d80b1ff97ef674322e7391e55d Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Wed, 10 Mar 2021 09:37:54 +0800
Subject: [PATCH 3/6] modify the prompt information
---
tools/codegener/intel/Util.ml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/codegener/intel/Util.ml b/tools/codegener/intel/Util.ml
index 9629e54..f5f9afc 100644
--- a/tools/codegener/intel/Util.ml
+++ b/tools/codegener/intel/Util.ml
@@ -62,7 +62,7 @@ let dedup_list lst =
let usage (progname: string) =
eprintf "usage: %s [options] <file> ...\n" progname;
eprintf "\n[options]\n\
---search-path <path> Specify the search path of EDL files\n\
+--search-path <path> Specify the search path of the dependent files of the EDL files\n\
--use-prefix Prefix untrusted proxy with Enclave name\n\
--header-only Only generate header files\n\
--untrusted Generate untrusted proxy and bridge\n\
--
2.27.0


@ -0,0 +1,62 @@
From c11313e25c077743ec9fb88d4463a18370dcb881 Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Thu, 11 Mar 2021 10:46:05 +0800
Subject: [PATCH 4/6] parse new error code and del redundant print
---
inc/host_inc/status.h | 2 +-
src/host_src/enclave_internal.c | 2 +-
src/host_src/sgx/sgx_enclave.c | 4 +++-
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/inc/host_inc/status.h b/inc/host_inc/status.h
index 84c092a..1d18d2e 100644
--- a/inc/host_inc/status.h
+++ b/inc/host_inc/status.h
@@ -56,7 +56,7 @@ typedef enum _enclave_result_t
CC_ERROR_INVALID_ISVSVN, /* The isv svn is greater than the enclave's isv svn */
CC_ERROR_INVALID_KEYNAME, /* The key name is an unsupported value */
CC_ERROR_AE_INVALID_EPIDBLOB, /* Indicates epid blob verification error */
- CC_ERROR_SERVICE_INVALID_PRIVILEGE, /* Enclave has no privilege to get launch token */
+ CC_ERROR_SERVICE_INVALID_PRIVILEGE, /* Enclave not authorized to run */
CC_ERROR_EPID_MEMBER_REVOKED, /* The EPID group membership is revoked */
CC_ERROR_UPDATE_NEEDED, /* SDK need to be update*/
CC_ERROR_MC_NOT_FOUND, /* The Monotonic Counter doesn't exist or has been invalided */
diff --git a/src/host_src/enclave_internal.c b/src/host_src/enclave_internal.c
index 9a172bd..962fc07 100644
--- a/src/host_src/enclave_internal.c
+++ b/src/host_src/enclave_internal.c
@@ -64,7 +64,7 @@ static err2str g_secgearerror [] =
{CC_ERROR_INVALID_ISVSVN, "The isv svn is greater than the enclave's isv svn."},
{CC_ERROR_INVALID_KEYNAME, "The key name is an unsupported value."},
{CC_ERROR_AE_INVALID_EPIDBLOB, "Indicates epid blob verification error."},
- {CC_ERROR_SERVICE_INVALID_PRIVILEGE, "Enclave has no privilege to get launch token."},
+ {CC_ERROR_SERVICE_INVALID_PRIVILEGE, "Enclave not authorized to run."},
{CC_ERROR_EPID_MEMBER_REVOKED, "The EPID group membership is revoked."},
{CC_ERROR_UPDATE_NEEDED, "SDK need to be update."},
{CC_ERROR_MC_NOT_FOUND, "The Monotonic Counter doesn't exist or has been invalided."},
diff --git a/src/host_src/sgx/sgx_enclave.c b/src/host_src/sgx/sgx_enclave.c
index b37c748..a40c408 100644
--- a/src/host_src/sgx/sgx_enclave.c
+++ b/src/host_src/sgx/sgx_enclave.c
@@ -59,6 +59,8 @@ cc_enclave_result_t conversion_res_status(uint32_t enclave_res, enclave_type_ver
return CC_ERROR_OUT_OF_TCS;
case SGX_ERROR_ENCLAVE_CRASHED:
return CC_ERROR_ENCLAVE_DEAD;
+ case SGX_ERROR_SERVICE_INVALID_PRIVILEGE:
+ return CC_ERROR_SERVICE_INVALID_PRIVILEGE;
default:
return CC_ERROR_UNEXPECTED;
}
@@ -131,7 +133,7 @@ cc_enclave_result_t _sgx_create(cc_enclave_t **enclave, const enclave_features_t
NULL, &(l_context->edi), NULL);
if (sgx_res != SGX_SUCCESS) {
res = conversion_res_status(sgx_res, (*enclave)->type);
- print_error_goto("Failed to create sgx enclave %s\n",cc_enclave_res2_str(res));
+ print_error_goto("Failed to create sgx enclave\n");
}
break;
case 1:
--
2.27.0


@ -0,0 +1,25 @@
From c9938ba0cf6b79b341efb18501827daea67c96ad Mon Sep 17 00:00:00 2001
From: whzhe <wanghongzhe@huawei.com>
Date: Thu, 11 Mar 2021 16:45:20 +0800
Subject: [PATCH 5/6] fix error print
---
tools/codegener/intel/Util.ml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/codegener/intel/Util.ml b/tools/codegener/intel/Util.ml
index f5f9afc..a77637e 100644
--- a/tools/codegener/intel/Util.ml
+++ b/tools/codegener/intel/Util.ml
@@ -187,7 +187,7 @@ let get_file_path (fname: string) =
try
List.find Sys.file_exists fn_list
with
- Not_found -> failwithf "File not found within search paths: %s\n" fname
+ Not_found -> failwithf "File not found within search paths or search paths is permisson denied: %s\n" fname
(* Get the short name of the given file name.
* ------------------------------------------
--
2.27.0


@ -0,0 +1,24 @@
From c5b813e96262f2af0596d8c5e164aafcd64fb60c Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Fri, 12 Mar 2021 11:42:11 +0800
Subject: [PATCH 6/6] set umask in sign_tool.sh
---
tools/sign_tool/sign_tool.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh
index 9aaf663..8f2189c 100755
--- a/tools/sign_tool/sign_tool.sh
+++ b/tools/sign_tool/sign_tool.sh
@@ -265,6 +265,7 @@ if [ -z $OUT_FILE ]; then
echo "Error: missing out file"
exit -1
fi
+umask 0077
check_results=`uname -m`
if [ "${ENCLAVE_TYPE}"x == "sgx"x ]; then
if [ "${check_results}"x != "x86_64"x ]; then
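Review bot: `umask 0077` is applied only at this point in `sign_tool.sh`, after the option checks, and carries no comment saying what it protects. The script above the hunk is not visible, so anything it creates before this line would still get the inherited umask; setting it with the top-level setup would cover the whole run. If it stays here, document it, e.g. `# files created from here on (signed output, temporaries) must be owner-only`. A umask also only affects newly created files, so a pre-existing `$OUT_FILE` keeps its old mode unless the script sets it explicitly, e.g. `chmod 600 "$OUT_FILE"` after signing.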
--
2.27.0


@ -0,0 +1,133 @@
From 1680c15af6226a8a205f37162e54dc85a3dfc2b0 Mon Sep 17 00:00:00 2001
From: chenmaodong <chenmaodong@huawei.com>
Date: Wed, 17 Mar 2021 12:34:24 +0800
Subject: 1.fix the race of ecall and enclave destroy 2.add a used flag for
context in case of double destroy or double create
Signed-off-by: chenmaodong <chenmaodong@huawei.com>
---
environment | 3 ++-
inc/host_inc/enclave.h | 4 +++-
src/host_src/CMakeLists.txt | 4 ++--
src/host_src/enclave.c | 14 +++++++++++---
src/host_src/sgx/sgx_enclave.c | 2 ++
5 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/environment b/environment
index a45ff9e..c438449 100644
--- a/environment
+++ b/environment
@@ -1,2 +1,3 @@
-export CC_SDK=$(pwd)
+file_dir=`readlink -f ${BASH_SOURCE[0]}`
+export CC_SDK=`dirname $file_dir`
export PATH=$PATH:$CC_SDK/bin/
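Review bot: Both command substitutions in the new `environment` lines are unquoted, so an SDK checked out under a path with spaces or glob characters produces a wrong `CC_SDK`, and that value is then appended to `PATH` as `$CC_SDK/bin/`. The file appears to be meant for sourcing, in which case the helper variable `file_dir` is also left behind in the caller's shell. A single quoted assignment avoids both: `export CC_SDK="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"`. `BASH_SOURCE` is bash-specific, so a one-line comment stating that the file must be sourced from bash would help users of other shells.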
diff --git a/inc/host_inc/enclave.h b/inc/host_inc/enclave.h
index b063ce9..ca9e8da 100644
--- a/inc/host_inc/enclave.h
+++ b/inc/host_inc/enclave.h
@@ -16,7 +16,7 @@
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
-
+#include <pthread.h>
#include "status.h"
@@ -62,6 +62,8 @@ typedef struct _enclave {
enclave_type_version_t type;
char *path;
uint32_t flags;
+ pthread_rwlock_t rwlock;
+ bool used_flag;
void *private_data;
/*enclave engine context manage, only one pointer*/
struct list_ops_desc *list_ops_node;
diff --git a/src/host_src/CMakeLists.txt b/src/host_src/CMakeLists.txt
index df4d3bf..25d245f 100644
--- a/src/host_src/CMakeLists.txt
+++ b/src/host_src/CMakeLists.txt
@@ -25,8 +25,8 @@ endif()
add_library(secgear SHARED enclave.c enclave_internal.c ocall_log.c enclave_ocall.c)
add_library(secgearsim SHARED enclave.c enclave_internal.c ocall_log.c enclave_ocall.c)
-target_link_libraries(secgear dl)
-target_link_libraries(secgearsim dl)
+target_link_libraries(secgear dl pthread)
+target_link_libraries(secgearsim dl pthread)
set_target_properties(secgear PROPERTIES
SKIP_BUILD_RPATH TRUE)
diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
index dc8c5ed..204c808 100644
--- a/src/host_src/enclave.c
+++ b/src/host_src/enclave.c
@@ -109,7 +109,7 @@ done:
static bool check_flag(cc_enclave_result_t *res, const char *path, uint32_t flags, const enclave_features_t *features,
const uint32_t features_count, cc_enclave_t **enclave)
{
- if (enclave == NULL || *enclave != NULL) {
+ if (enclave == NULL || (*enclave != NULL && (*enclave)->used_flag == true)) {
*res = CC_ERROR_INVALID_ENCLAVE_ID;
return false;
}
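Review bot: The relaxed test in `check_flag` now reads `(*enclave)->used_flag` through whatever non-NULL pointer the caller supplies, where the old condition rejected any non-NULL `*enclave` without dereferencing it. `cc_enclave_destroy` in this same patch frees the context, so a caller that reuses its handle after destroy makes this line read freed memory, and an uninitialised handle is dereferenced as well. If accepting a caller-owned, zeroed context is the intent, state that contract above the check, e.g. `/* *enclave must be NULL or point to a zero-initialised cc_enclave_t owned by the caller */`; otherwise keep rejecting non-NULL handles. The rest of `check_flag` lies outside the hunk, so what is done with an accepted non-NULL `*enclave` cannot be seen here.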
@@ -217,11 +217,14 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
if (((GP_ENCLAVE_TYPE_0 <= type_version) && (type_version < GP_ENCLAVE_TYPE_MAX)) && (flags & SECGEAR_DEBUG_FLAG)) {
print_warning("This enclave scheme does not support enter enclave debugging\n");
}
-
+
/* initialize the context */
+
+ pthread_rwlock_init(&(l_context->rwlock), NULL);
l_context->path = l_path;
l_context->flags = flags;
l_context->type = type_version;
+ l_context->used_flag = true;
/* if an enclave is created multiple times, first find it in the global list,
* maybe the information about this engine has been filled in the list
@@ -280,11 +283,13 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
p_tee_unregistered unregistered_funcc;
/* check context and enclave engine context */
- if (!context || !context->list_ops_node) {
+ if (!context || !context->list_ops_node || !context->list_ops_node->ops_desc ||
+ !context->list_ops_node->ops_desc->ops || context->used_flag == false) {
print_error_term("Function context parameter error\n");
return CC_ERROR_BAD_PARAMETERS;
}
+ pthread_rwlock_wrlock(&(context->rwlock));
if (context->list_ops_node->ops_desc->ops->cc_destroy_enclave != NULL) {
res = context->list_ops_node->ops_desc->ops->cc_destroy_enclave(context);
SECGEAR_CHECK_RES(res);
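Review bot: `context->used_flag` is tested before `pthread_rwlock_wrlock` is taken, so two threads calling `cc_enclave_destroy` on the same live context can both pass the check; the second then waits on a lock that the first unlocks, destroys and frees at `done:`. The flag is also never cleared in the visible lines, and the `pthread_rwlock_wrlock` return value is ignored. An atomic test-and-clear would at least make concurrent destroys of a live context mutually exclusive, e.g. `if (!__atomic_exchange_n(&context->used_flag, false, __ATOMIC_ACQ_REL)) return CC_ERROR_BAD_PARAMETERS;` placed after the pointer checks. It cannot help once the context has already been freed, which should be said in the function's header comment. The function body continues outside this hunk.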
@@ -322,6 +327,9 @@ done:
free(context->path);
}
if (context) {
+ pthread_rwlock_unlock(&context->rwlock);
+ pthread_rwlock_destroy(&context->rwlock);
+ explicit_bzero(context, sizeof(cc_enclave_t));
free(context);
}
return res;
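Review bot: The rwlock unlocked and destroyed here lives inside the `cc_enclave_t` that the next two lines zero and free, so it cannot order an ecall that arrives late. A thread blocked in, or about to enter, `pthread_rwlock_rdlock(&(enclave->rwlock))` in `cc_enclave_sgx_call_function` (the `@@ -200,8 +200,10 @@` hunk of sgx_enclave.c) ends up using a destroyed lock in freed memory, which POSIX leaves undefined. That ecall hunk also ignores the `rdlock` return value and does not recheck `used_flag` once the lock is held. I would document the limit on the struct field, `/* serialises ecalls against an in-progress destroy only; the handle must not be used after cc_enclave_destroy() returns */`, and add `if (!enclave->used_flag) { pthread_rwlock_unlock(&enclave->rwlock); return CC_ERROR_BAD_PARAMETERS; }` after the read lock. Whether `done:` can be reached without the write lock held is not visible from this hunk; if it can, the unconditional unlock is wrong too.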
diff --git a/src/host_src/sgx/sgx_enclave.c b/src/host_src/sgx/sgx_enclave.c
index a40c408..258c58a 100644
--- a/src/host_src/sgx/sgx_enclave.c
+++ b/src/host_src/sgx/sgx_enclave.c
@@ -200,8 +200,10 @@ cc_enclave_result_t cc_enclave_sgx_call_function(
(void)output_buffer_size;
sgx_status_t status;
cc_enclave_result_t cc_status;
+ pthread_rwlock_rdlock(&(enclave->rwlock));
status = sgx_ecall(((sgx_context_t *)(enclave->private_data))->edi, (int)function_id, ocall_table, ms);
cc_status = conversion_res_status(status, enclave->type);
+ pthread_rwlock_unlock(&(enclave->rwlock));
return cc_status;
}
--
1.8.3.1


@ -0,0 +1,52 @@
From 9d0ff75bf869574b5f96079cf5494fe11d20f160 Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Sat, 20 Mar 2021 17:27:36 +0800
Subject: [PATCH] fix wrong spelling and null pointer dereference issue
diff --git a/tools/codegener/intel/CodeGen.ml b/tools/codegener/intel/CodeGen.ml
index dc43942..d9ccf7c 100644
--- a/tools/codegener/intel/CodeGen.ml
+++ b/tools/codegener/intel/CodeGen.ml
@@ -872,7 +872,11 @@ let gen_func_uproxy (tf: Ast.trusted_func) (idx: int) (ec: enclave_content) =
let sgx_ecall_fn = get_sgx_fname SGX_ECALL tf.Ast.tf_is_switchless in
(* Normal case - do ECALL with marshaling structure*)
- let ecall_with_ms = sprintf "result = enclave->list_ops_node->ops_desc->ops->cc_ecall_enclave( \n\
+ let ecall_with_ms = sprintf "if(!enclave || !enclave->list_ops_node || !enclave->list_ops_node->ops_desc ||\n\
+ \t\t!enclave->list_ops_node->ops_desc->ops || \n\
+ \t\t!enclave->list_ops_node->ops_desc->ops->cc_ecall_enclave)\n\
+ \t\treturn CC_ERROR_BAD_PARAMETERS;
+ result = enclave->list_ops_node->ops_desc->ops->cc_ecall_enclave( \n\
\t\tenclave,\n\
\t\t%d,\n\
\t\tNULL,\n\
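Review bot: The NULL guard is pasted verbatim into both `ecall_with_ms` and `ecall_null` (this hunk and the `@@ -885,7 +889,11 @@` one), so the two generated proxies can drift apart. Binding it once, `let ops_null_guard = "if(!enclave || … )\n\t\treturn CC_ERROR_BAD_PARAMETERS;\n" in`, and passing it to both `sprintf` calls through a leading `%s` keeps them in step. The `return CC_ERROR_BAD_PARAMETERS;` line also ends without the `\n\` continuation its neighbours use, so the raw newline and the next line's indentation go into the generated C as typed. The guard checks pointers only: it neither tests `used_flag` nor takes the rwlock added by the ecall/destroy race patch, so a destroyed context still reaches `cc_ecall_enclave` unless the engine rejects it. `gen_func_uproxy` starts and ends outside the hunk, so whether the early return skips cleanup of anything set up earlier in the generated proxy cannot be checked here.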
@@ -885,7 +889,11 @@ let gen_func_uproxy (tf: Ast.trusted_func) (idx: int) (ec: enclave_content) =
(* Rare case - the trusted function doesn't have parameter nor return value.
* In this situation, no marshaling structure is required - passing in NULL.
*)
- let ecall_null = sprintf "result = enclave->list_ops_node->ops_desc->ops->cc_ecall_enclave( \n\
+ let ecall_null = sprintf "if(!enclave || !enclave->list_ops_node || !enclave->list_ops_node->ops_desc ||\n\
+ \t\t!enclave->list_ops_node->ops_desc->ops || \n\
+ \t\t!enclave->list_ops_node->ops_desc->ops->cc_ecall_enclave)\n\
+ \t\treturn CC_ERROR_BAD_PARAMETERS;
+ result = enclave->list_ops_node->ops_desc->ops->cc_ecall_enclave( \n\
\t\tenclave,\n\
\t\t%d,\n\
\t\tNULL,\n\
diff --git a/tools/codegener/intel/Util.ml b/tools/codegener/intel/Util.ml
index a77637e..9dd22bd 100644
--- a/tools/codegener/intel/Util.ml
+++ b/tools/codegener/intel/Util.ml
@@ -187,7 +187,7 @@ let get_file_path (fname: string) =
try
List.find Sys.file_exists fn_list
with
- Not_found -> failwithf "File not found within search paths or search paths is permisson denied: %s\n" fname
+ Not_found -> failwithf "File not found within search paths or search paths is permission denied: %s\n" fname
(* Get the short name of the given file name.
* ------------------------------------------
--
2.27.0


@ -1,6 +1,6 @@
Name: secGear
Version: 0.1.0
Release: 6%{?dist}
Release: 10%{?dist}
Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features
ExclusiveArch: x86_64
@ -9,6 +9,23 @@ License: Mulan PSL v2
URL: https://gitee.com/openeuler/secGear
Source0: https://gitee.com/openeuler/secGear/repository/archive/v%{version}.tar.gz
Patch0: 0001-add-README.cn.md.patch
Patch1: 0002-it-is-better-to-define-enum-from-0-rather-than-1.patch
Patch2: 0003-update-README.cn.md.patch
Patch3: 0004-update-README.cn.md.patch
Patch4: 0005-delete-unnecessary-README.cn.md.patch
Patch5: 0006-fix-issues-about-double-create-destory.patch
Patch6: 0007-to-make-secGear-log-more-clear.patch
Patch7: 0008-modify-path-error.patch
Patch8: 0009-fix-sgxssl-edl.patch
Patch9: 0010-update-docs-build_install.md.patch
Patch10: 0011-modify-the-prompt-information.patch
Patch11: 0012-parse-new-error-code-and-del-redundant-print.patch
Patch12: 0013-fix-error-print.patch
Patch13: 0014-set-umask-in-sign_tool.sh.patch
Patch14: 0015-1.fix-the-race-of-ecall-and-enclave-destroy.patch
Patch15: 0016-fix-wrong-spelling-and-null-pointer-dereference-issu.patch
BuildRequires: gcc python3 automake autoconf libtool
BUildRequires: glibc glibc-devel
%ifarch x86_64
@ -37,7 +54,7 @@ Requires: %{name}%{?isa} = %{version}-%{release}
The %{name}-sim is package contains simulation libraries for developing applications
%prep
%setup -q -n secGear
%autosetup -n %{name} -p1
%build
@ -54,26 +71,27 @@ make
%install
make install DESTDIR=%{buildroot}
install -d %{buildroot}/%{_includedir}/secGear
install -d %{buildroot}/%{_includedir}/secGear/host_inc
install -d %{buildroot}/%{_includedir}/secGear/enclave_inc
#install -pm 644 inc/host_inc/* %{buildroot}/%{_includedir}/secGear/host_inc
%ifarch x86_64
install -d %{buildroot}/%{_includedir}/secGear/host_inc/sgx
install -d %{buildroot}/%{_includedir}/secGear/enclave_inc/sgx
install -pm 644 inc/host_inc/*.h %{buildroot}/%{_includedir}/secGear/host_inc
install -pm 644 inc/host_inc/sgx/*.h %{buildroot}/%{_includedir}/secGear/host_inc/sgx
install -pm 644 inc/enclave_inc/*.h %{buildroot}/%{_includedir}/secGear/enclave_inc
install -pm 644 inc/enclave_inc/sgx/*.h %{buildroot}/%{_includedir}/secGear/enclave_inc/sgx
install -d %{buildroot}/%{_bindir}
install -pm 644 inc/host_inc/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/host_inc/sgx/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/host_inc/sgx/*.edl %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/enclave_inc/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/enclave_inc/sgx/*.h %{buildroot}/%{_includedir}/secGear
install -pm 751 bin/codegen_x86_64 %{buildroot}/%{_bindir}
install -pm 751 tools/sign_tool/sign_tool.sh %{buildroot}/%{_bindir}
%else
install -d %{buildroot}/%{_includedir}/secGear/host_inc/gp
install -d %{buildroot}/%{_includedir}/secGear/enclave_inc/gp
install -pm 644 inc/host_inc/*.h %{buildroot}/%{_includedir}/secGear/host_inc
install -pm 644 inc/host_inc/gp/*.h %{buildroot}/%{_includedir}/secGear/host_inc/gp
install -pm 644 inc/enclave_inc/*.h %{buildroot}/%{_includedir}/secGear/enclave_inc
install -pm 644 inc/enclave_inc/gp/*.h %{buildroot}/%{_includedir}/secGear/enclave_inc/gp
install -d %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/host_inc/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/host_inc/gp/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/enclave_inc/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/enclave_inc/gp/*.h %{buildroot}/%{_includedir}/secGear
%endif
rm %{buildroot}/home* -rf
pushd %{buildroot}
rm `find . -name secgear_helloworld` -rf
rm `find . -name secgear_seal_data` -rf
popd
%files
%defattr(-,root,root)
@ -86,7 +104,9 @@ rm %{buildroot}/home* -rf
%endif
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/rsyslog.d/secgear.conf
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/logrotate.d/secgear
%files devel
%{_bindir}/*
%{_includedir}/secGear/*
%files sim
@ -99,6 +119,18 @@ rm %{buildroot}/home* -rf
%endif
%changelog
* Sat Mar 20 2021 zhangguangzhi<zhangguangzhi3@huawei.com> - 0.1.0-10
- DESC: backport patch
* Thu Mar 19 2021 wanghongzhe<wanghongzhe@huawei.com> - 0.1.0-9
- DESC: fix local compile error
* Thu Mar 18 2021 gaoyusong<gaoyusong1@huawei.com> - 0.1.0-8
- DESC: backport patch
* Mon Mar 15 2021 zhangguangzhi<zhangguangzhi3@huawei.com> - 0.1.0-7
- DESC: backport patch
* Wed Mar 10 2021 chenmaodong<chenmaodong@huawei.com> - 0.1.0-6
- DESC: change requires from linux-sgx-sdk to sgxsdk