@@ -10,6 +10,7 @@
#define PAGE_SIZE 4096
#define PAGE_MASK (~(PAGE_SIZE - 1))
+#define SGX_EEXTEND_BLOCK_SIZE 256
#define __aligned(x) __attribute__((__aligned__(x)))
#define __packed __attribute__((packed))
@@ -102,28 +102,69 @@ static bool encl_ioc_create(struct encl *encl)
static bool encl_ioc_add_pages(struct encl *encl, struct encl_segment *seg)
{
struct sgx_enclave_add_pages ioc;
+ struct sgx_enclave_extend ioc_extend;
struct sgx_secinfo secinfo;
+ uint64_t size_full_pages;
+ uint64_t size;
+ uint64_t chunk_offset;
int rc;
+ size_full_pages = size_fit(seg->size, SGX_EEXTEND_BLOCK_SIZE) & PAGE_MASK;
+ size = size_fit(seg->size, SGX_EEXTEND_BLOCK_SIZE);
+
memset(&secinfo, 0, sizeof(secinfo));
secinfo.flags = seg->flags;
+ // Add and extend full pages
ioc.src = (uint64_t)encl->src + seg->offset;
ioc.offset = seg->offset;
- ioc.length = seg->size;
ioc.secinfo = (unsigned long)&secinfo;
+ ioc.length = size_full_pages;
ioc.flags = SGX_PAGE_MEASURE;
- rc = ioctl(encl->fd, SGX_IOC_ENCLAVE_ADD_PAGES, &ioc);
- if (rc < 0) {
- fprintf(stderr, "SGX_IOC_ENCLAVE_ADD_PAGES failed: errno=%d.\n",
- errno);
- return false;
+ if (ioc.length > 0) {
+ rc = ioctl(encl->fd, SGX_IOC_ENCLAVE_ADD_PAGES, &ioc);
+ if (rc < 0) {
+ fprintf(stderr, "SGX_IOC_ENCLAVE_ADD_PAGES failed: errno=%d.\n",
+ errno);
+ return false;
+ }
+ }
+
+ if (size_full_pages < size) {
+ // Add last, partly measured page
+ ioc.offset = seg->offset + size_full_pages;
+ ioc.length = 0x1000;
+ ioc.flags = 0;
+
+ rc = ioctl(encl->fd, SGX_IOC_ENCLAVE_ADD_PAGES, &ioc);
+ if (rc < 0) {
+ fprintf(stderr, "SGX_IOC_ENCLAVE_ADD_PAGES failed: errno=%d.\n",
+ errno);
+ return false;
+ }
+
+ // extend chunks
+ for (chunk_offset = 0; chunk_offset < size - size_full_pages;
+ chunk_offset += SGX_EEXTEND_BLOCK_SIZE) {
+ ioc_extend.offset = seg->offset + size_full_pages + chunk_offset;
+ rc = ioctl(encl->fd, SGX_IOC_ENCLAVE_EXTEND, &ioc_extend);
+ if (rc < 0) {
+ fprintf(stderr, "SGX_IOC_ENCLAVE_EXTEND failed: errno=%d.\n",
+ errno);
+ return false;
+ }
+ }
}
return true;
}
+uint64_t size_fit(uint64_t size_in_bytes, uint64_t block_size)
+{
+ return (size_in_bytes + block_size - 1) & (~(block_size - 1));
+}
+
bool encl_load(const char *path, struct encl *encl)
{
Elf64_Phdr *phdr_tbl;
@@ -197,7 +238,7 @@ bool encl_load(const char *path, struct encl *encl)
}
seg->offset = (phdr->p_offset & PAGE_MASK) - src_offset;
- seg->size = (phdr->p_filesz + PAGE_SIZE - 1) & PAGE_MASK;
+ seg->size = phdr->p_filesz;
printf("0x%016lx 0x%016lx 0x%02x\n", seg->offset, seg->size,
seg->prot);
@@ -209,7 +250,7 @@ bool encl_load(const char *path, struct encl *encl)
encl->src = encl->bin + src_offset;
encl->src_size = encl->segment_tbl[j - 1].offset +
- encl->segment_tbl[j - 1].size;
+ size_fit(encl->segment_tbl[j - 1].size, PAGE_SIZE);
for (encl->encl_size = 4096; encl->encl_size < encl->src_size; )
encl->encl_size <<= 1;
@@ -34,6 +34,7 @@ void encl_delete(struct encl *ctx);
bool encl_load(const char *path, struct encl *encl);
bool encl_measure(struct encl *encl);
bool encl_build(struct encl *encl);
+uint64_t size_fit(uint64_t size_in_bytes, uint64_t block_size);
int sgx_call_vdso(void *rdi, void *rsi, long rdx, u32 function, void *r8, void *r9,
struct sgx_enclave_run *run);
@@ -260,28 +260,25 @@ static bool mrenclave_eextend(EVP_MD_CTX *ctx, uint64_t offset,
const uint8_t *data)
{
struct mreextend mreextend;
- int i;
- for (i = 0; i < 0x1000; i += 0x100) {
- memset(&mreextend, 0, sizeof(mreextend));
- mreextend.tag = MREEXTEND;
- mreextend.offset = offset + i;
+ memset(&mreextend, 0, sizeof(mreextend));
+ mreextend.tag = MREEXTEND;
+ mreextend.offset = offset;
- if (!mrenclave_update(ctx, &mreextend))
- return false;
+ if (!mrenclave_update(ctx, &mreextend))
+ return false;
- if (!mrenclave_update(ctx, &data[i + 0x00]))
- return false;
+ if (!mrenclave_update(ctx, &data[0x00]))
+ return false;
- if (!mrenclave_update(ctx, &data[i + 0x40]))
- return false;
+ if (!mrenclave_update(ctx, &data[0x40]))
+ return false;
- if (!mrenclave_update(ctx, &data[i + 0x80]))
- return false;
+ if (!mrenclave_update(ctx, &data[0x80]))
+ return false;
- if (!mrenclave_update(ctx, &data[i + 0xC0]))
- return false;
- }
+ if (!mrenclave_update(ctx, &data[0xC0]))
+ return false;
return true;
}
@@ -289,12 +286,13 @@ static bool mrenclave_eextend(EVP_MD_CTX *ctx, uint64_t offset,
static bool mrenclave_segment(EVP_MD_CTX *ctx, struct encl *encl,
struct encl_segment *seg)
{
- uint64_t end = seg->offset + seg->size;
+ uint64_t end = seg->offset + size_fit(seg->size, SGX_EEXTEND_BLOCK_SIZE);
uint64_t offset;
- for (offset = seg->offset; offset < end; offset += PAGE_SIZE) {
- if (!mrenclave_eadd(ctx, offset, seg->flags))
- return false;
+ for (offset = seg->offset; offset < end; offset += SGX_EEXTEND_BLOCK_SIZE) {
+ if (offset % PAGE_SIZE == 0)
+ if (!mrenclave_eadd(ctx, offset, seg->flags))
+ return false;
if (!mrenclave_eextend(ctx, offset, encl->src + offset))
return false;
In order to test the new eextend ioctl, the SGX selftest is modified to only partially measure the last page of segments. Most segments are larger than 4k, so the MEASURE flag for SGX_IOC_ENCLAVE_ADD_PAGE is still being tested. Signed-off-by: Raoul Strackx <raoul.strackx@fortanix.com> --- tools/testing/selftests/sgx/defines.h | 1 + tools/testing/selftests/sgx/load.c | 57 ++++++++++++++++++++++++++++----- tools/testing/selftests/sgx/main.h | 1 + tools/testing/selftests/sgx/sigstruct.c | 38 +++++++++++----------- 4 files changed, 69 insertions(+), 28 deletions(-)