This is an automated email from the ASF dual-hosted git repository.
rduan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-sgx-sdk.git
The following commit(s) were added to refs/heads/master by this push:
new 3c903bda Support intel-sdk-2.20 and dcap-1.17
3c903bda is described below
commit 3c903bdac4e503dd27b9b1f761c4abfc55f2464c
Author: volcano <[email protected]>
AuthorDate: Tue Jul 25 18:17:46 2023 +0800
Support intel-sdk-2.20 and dcap-1.17
---
dockerfile/02_binutils.sh | 2 +-
dockerfile/03_sdk.sh | 4 +-
dockerfile/Dockerfile.1804.nightly | 6 +-
dockerfile/Dockerfile.2004.nightly | 12 +--
dockerfile/Dockerfile.centos8.nightly | 9 +-
samplecode/unit-test/enclave/src/test_exception.rs | 7 +-
samplecode/unit-test/enclave/src/test_fp.rs | 68 +++++++-------
sgx_signal/src/exception.rs | 78 ++++++++++++----
sgx_signal/src/manager.rs | 4 +-
sgx_trts/src/aex.rs | 101 +++++++++++++++++++++
sgx_trts/src/enclave.rs | 9 ++
sgx_trts/src/lib.rs | 1 +
sgx_tseal/src/internal.rs | 1 -
sgx_types/src/error.rs | 15 ++-
sgx_types/src/function.rs | 38 ++++++--
sgx_types/src/marker.rs | 1 +
sgx_types/src/types.rs | 66 ++++++++++++--
17 files changed, 330 insertions(+), 92 deletions(-)
diff --git a/dockerfile/02_binutils.sh b/dockerfile/02_binutils.sh
index bf52603c..cf3477ef 100644
--- a/dockerfile/02_binutils.sh
+++ b/dockerfile/02_binutils.sh
@@ -1,7 +1,7 @@
if [ $BINUTILS_DIST != "SELF_BUILT" ]
then
cd /root && \
- wget
https://download.01.org/intel-sgx/sgx-linux/2.17/as.ld.objdump.r4.tar.gz && \
+ wget
https://download.01.org/intel-sgx/sgx-linux/2.20/as.ld.objdump.r4.tar.gz && \
tar xzf as.ld.objdump.r4.tar.gz && \
cp -r external/toolset/$BINUTILS_DIST/* /usr/bin/ && \
rm -rf ./external ./as.ld.objdump.r4.tar.gz
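Review bot: The tarball fetched from the new 2.20 URL is unpacked and copied into /usr/bin with no integrity check, so the image trusts whatever the download host serves at build time. Pin the expected digest next to the URL and verify it before `tar`, e.g. `echo "<SHA256_OF_2.20_TARBALL>  as.ld.objdump.r4.tar.gz" | sha256sum -c - && \` (placeholder digest, to be taken from a trusted release record). The same applies to the `SDK_URL` installers in Dockerfile.2004.nightly and Dockerfile.centos8.nightly and to the `PSW_REPO` archive, which this commit also repoints. The surrounding `if` block closes outside the hunk.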
diff --git a/dockerfile/03_sdk.sh b/dockerfile/03_sdk.sh
index eb5d0152..99dd24b0 100644
--- a/dockerfile/03_sdk.sh
+++ b/dockerfile/03_sdk.sh
@@ -10,10 +10,10 @@ else
cd /root && \
git clone --recursive https://github.com/intel/linux-sgx && \
cd linux-sgx && \
- git checkout sgx_2.17.1 && \
+ git checkout sgx_2.20 && \
./download_prebuilt.sh && \
make -j "$(nproc)" sdk_install_pkg && \
- echo -e 'no\n/opt' |
./linux/installer/bin/sgx_linux_x64_sdk_2.17.101.1.bin && \
+ echo -e 'no\n/opt' |
./linux/installer/bin/sgx_linux_x64_sdk_2.20.100.4.bin && \
echo 'source /opt/sgxsdk/environment' >> /root/.bashrc && \
cd /root && \
rm -rf /root/linux-sgx
diff --git a/dockerfile/Dockerfile.1804.nightly
b/dockerfile/Dockerfile.1804.nightly
index 0c2f163b..b6f761a6 100644
--- a/dockerfile/Dockerfile.1804.nightly
+++ b/dockerfile/Dockerfile.1804.nightly
@@ -23,15 +23,15 @@ RUN bash /root/03_sdk.sh
# Sixth, PSW
ENV CODENAME bionic
-ENV VERSION 2.17.100.3-bionic1
-ENV DCAP_VERSION 1.14.100.3-bionic1
+ENV VERSION 2.20.100.4-bionic1
+ENV DCAP_VERSION 1.17.100.4-bionic1
COPY 04_psw.sh /root
RUN bash /root/04_psw.sh
# Seventh, Rust
-ENV rust_toolchain nightly-2022-02-23
+ENV rust_toolchain nightly-2022-10-22
COPY 05_rust.sh /root
RUN bash /root/05_rust.sh
diff --git a/dockerfile/Dockerfile.2004.nightly
b/dockerfile/Dockerfile.2004.nightly
index ab393aa6..319310da 100644
--- a/dockerfile/Dockerfile.2004.nightly
+++ b/dockerfile/Dockerfile.2004.nightly
@@ -5,10 +5,6 @@ ENV DEBIAN_FRONTEND=noninteractive
RUN apt update && apt install -y unzip lsb-release debhelper cmake reprepro
autoconf automake bison build-essential curl dpkg-dev expect flex gcc-8 gdb git
git-core gnupg kmod libboost-system-dev libboost-thread-dev
libcurl4-openssl-dev libiptcdata0-dev libjsoncpp-dev liblog4cpp5-dev
libprotobuf-dev libssl-dev libtool libxml2-dev ocaml ocamlbuild pkg-config
protobuf-compiler python texinfo uuid-dev vim wget software-properties-common
&& \
rm -rf /var/lib/apt/lists/*
-#20.04 does have gcc-9
-#ADD 01_gcc_8.sh /root
-#RUN bash /root/01_gcc_8.sh
-
ENV BINUTILS_DIST="ubuntu20.04"
#ENV BINUTILS_DIST="SELF_BUILT"
ENV LD_LIBRARY_PATH=/usr/lib:/usr/local/lib
@@ -19,22 +15,22 @@ RUN bash /root/02_binutils.sh
#ENV SDK_DIST="SELF_BUILT"
ENV SDK_DIST="INTEL_BUILT"
-ENV
SDK_URL="https://download.01.org/intel-sgx/sgx-linux/2.17.1/distro/ubuntu20.04-server/sgx_linux_x64_sdk_2.17.101.1.bin"
+ENV
SDK_URL="https://download.01.org/intel-sgx/sgx-linux/2.20/distro/ubuntu20.04-server/sgx_linux_x64_sdk_2.20.100.4.bin"
ADD 03_sdk.sh /root
RUN bash /root/03_sdk.sh
# Sixth, PSW
ENV CODENAME focal
-ENV VERSION 2.17.100.3-focal1
-ENV DCAP_VERSION 1.14.100.3-focal1
+ENV VERSION 2.20.100.4-focal1
+ENV DCAP_VERSION 1.17.100.4-focal1
ADD 04_psw.sh /root
RUN bash /root/04_psw.sh
# Seventh, Rust
-ENV rust_toolchain nightly-2022-02-23
+ENV rust_toolchain nightly-2022-10-22
ADD 05_rust.sh /root
RUN bash /root/05_rust.sh
diff --git a/dockerfile/Dockerfile.centos8.nightly
b/dockerfile/Dockerfile.centos8.nightly
index aeada924..9ebd366c 100644
--- a/dockerfile/Dockerfile.centos8.nightly
+++ b/dockerfile/Dockerfile.centos8.nightly
@@ -4,25 +4,22 @@ RUN dnf group install -y 'Development Tools' && \
dnf --enablerepo=powertools install -y ocaml ocaml-ocamlbuild
redhat-rpm-config openssl-devel wget rpm-build git cmake perl python2
libcurl-devel protobuf-devel && \
alternatives --set python /usr/bin/python2
-#ADD 01_gcc_8.sh /root
-#RUN bash /root/01_gcc_8.sh
-
ENV BINUTILS_DIST="centos8"
ADD 02_binutils.sh /root
RUN bash /root/02_binutils.sh
ENV SDK_DIST="INTEL_BUILT"
-ENV
SDK_URL="https://download.01.org/intel-sgx/sgx-linux/2.17.1/distro/centos-stream/sgx_linux_x64_sdk_2.17.101.1.bin"
+ENV
SDK_URL="https://download.01.org/intel-sgx/sgx-linux/2.20/distro/centos-stream/sgx_linux_x64_sdk_2.20.100.4.bin"
#ENV SDK_DIST="SELF_BUILT"
ADD 03_sdk.sh /root
RUN bash /root/03_sdk.sh
-ENV
PSW_REPO="https://download.01.org/intel-sgx/sgx-linux/2.17/distro/centos-stream/sgx_rpm_local_repo.tgz"
+ENV
PSW_REPO="https://download.01.org/intel-sgx/sgx-linux/2.20/distro/centos-stream/sgx_rpm_local_repo.tgz"
ADD 04_psw_rpm.sh /root
RUN bash /root/04_psw_rpm.sh
-ENV rust_toolchain nightly-2022-02-23
+ENV rust_toolchain nightly-2022-10-22
ADD 05_rust.sh /root
RUN bash /root/05_rust.sh
diff --git a/samplecode/unit-test/enclave/src/test_exception.rs
b/samplecode/unit-test/enclave/src/test_exception.rs
index ae2d0578..88a832b7 100644
--- a/samplecode/unit-test/enclave/src/test_exception.rs
+++ b/samplecode/unit-test/enclave/src/test_exception.rs
@@ -16,9 +16,8 @@
// under the License..
use sgx_signal::exception::{register_exception, unregister};
-use sgx_signal::ContinueType;
+use sgx_signal::{ContinueType, ExceptionInfo};
use sgx_trts::enclave;
-use sgx_types::sgx_exception_info_t;
use std::backtrace::{self, PrintFormat};
use std::panic;
use std::sync::atomic::{AtomicUsize, Ordering};
@@ -49,7 +48,7 @@ pub fn test_exception_handler() {
let status = Arc::new(AtomicUsize::new(2));
let handler1 = {
let status = Arc::clone(&status);
- move |_info: &mut sgx_exception_info_t| {
+ move |_info: &mut ExceptionInfo| {
status.fetch_add(2, Ordering::Relaxed);
ContinueType::Search
}
@@ -57,7 +56,7 @@ pub fn test_exception_handler() {
let handler2 = {
let status = Arc::clone(&status);
- move |_info: &mut sgx_exception_info_t| {
+ move |_info: &mut ExceptionInfo| {
status.store(1, Ordering::Relaxed);
ContinueType::Search
}
diff --git a/samplecode/unit-test/enclave/src/test_fp.rs
b/samplecode/unit-test/enclave/src/test_fp.rs
index 85f7aac7..51f0ed37 100644
--- a/samplecode/unit-test/enclave/src/test_fp.rs
+++ b/samplecode/unit-test/enclave/src/test_fp.rs
@@ -19,7 +19,7 @@ pub fn test_fp64() {
let f = 3.7_f64;
let g = 3.0_f64;
let h = -3.7_f64;
-
+
assert_eq!(f.floor(), 3.0);
assert_eq!(g.floor(), 3.0);
assert_eq!(h.floor(), -4.0);
@@ -28,26 +28,26 @@ pub fn test_fp64() {
let g = 4.0_f64;
assert_eq!(f.ceil(), 4.0);
assert_eq!(g.ceil(), 4.0);
-
+
let f = 3.3_f64;
let g = -3.3_f64;
assert_eq!(f.round(), 3.0);
assert_eq!(g.round(), -3.0);
-
+
let f = 3.7_f64;
let g = 3.0_f64;
let h = -3.7_f64;
assert_eq!(f.trunc(), 3.0);
assert_eq!(g.trunc(), 3.0);
assert_eq!(h.trunc(), -3.0);
-
+
let x = 3.6_f64;
let y = -3.6_f64;
let abs_difference_x = (x.fract() - 0.6).abs();
let abs_difference_y = (y.fract() - (-0.6)).abs();
assert!(abs_difference_x < 1e-10);
assert!(abs_difference_y < 1e-10);
-
+
let x = 3.5_f64;
let y = -3.5_f64;
let abs_difference_x = (x.abs() - x).abs();
@@ -60,28 +60,28 @@ pub fn test_fp64() {
assert_eq!(f.signum(), 1.0);
assert_eq!(f64::NEG_INFINITY.signum(), -1.0);
assert!(f64::NAN.signum().is_nan());
-
+
let f = 3.5_f64;
assert_eq!(f.copysign(0.42), 3.5_f64);
assert_eq!(f.copysign(-0.42), -3.5_f64);
assert_eq!((-f).copysign(0.42), 3.5_f64);
assert_eq!((-f).copysign(-0.42), -3.5_f64);
assert!(f64::NAN.copysign(1.0).is_nan());
-
+
let m = 10.0_f64;
let x = 4.0_f64;
let b = 60.0_f64;
// 100.0
let abs_difference = (m.mul_add(x, b) - ((m * x) + b)).abs();
assert!(abs_difference < 1e-10);
-
+
let a: f64 = 7.0;
let b = 4.0;
assert_eq!(a.div_euclid(b), 1.0); // 7.0 > 4.0 * 1.0
assert_eq!((-a).div_euclid(b), -2.0); // -7.0 >= 4.0 * -2.0
assert_eq!(a.div_euclid(-b), -1.0); // 7.0 >= -4.0 * -1.0
assert_eq!((-a).div_euclid(-b), 2.0); // -7.0 >= -4.0 * 2.0
-
+
let a: f64 = 7.0;
let b = 4.0;
assert_eq!(a.rem_euclid(b), 3.0);
@@ -90,11 +90,11 @@ pub fn test_fp64() {
assert_eq!((-a).rem_euclid(-b), 1.0);
// limitation due to round-off error
assert!((-f64::EPSILON).rem_euclid(3.0) != 0.0);
-
+
let x = 2.0_f64;
let abs_difference = (x.powi(2) - (x * x)).abs();
assert!(abs_difference < 1e-10);
-
+
let x = 2.0_f64;
let abs_difference = (x.powf(2.0) - (x * x)).abs();
assert!(abs_difference < 1e-10);
@@ -104,77 +104,77 @@ pub fn test_fp64() {
let abs_difference = (positive.sqrt() - 2.0).abs();
assert!(abs_difference < 1e-10);
assert!(negative.sqrt().is_nan());
-
+
let one = 1.0_f64;
// e^1
let e = one.exp();
// ln(e) - 1 == 0
let abs_difference = (e.ln() - 1.0).abs();
assert!(abs_difference < 1e-10);
-
+
let f = 2.0_f64;
// 2^2 - 4 == 0
let abs_difference = (f.exp2() - 4.0).abs();
assert!(abs_difference < 1e-10);
-
+
let one = 1.0_f64;
// e^1
let e = one.exp();
// ln(e) - 1 == 0
let abs_difference = (e.ln() - 1.0).abs();
assert!(abs_difference < 1e-10);
-
+
let twenty_five = 25.0_f64;
// log5(25) - 2 == 0
let abs_difference = (twenty_five.log(5.0) - 2.0).abs();
assert!(abs_difference < 1e-10);
-
+
let four = 4.0_f64;
// log2(4) - 2 == 0
let abs_difference = (four.log2() - 2.0).abs();
assert!(abs_difference < 1e-10);
-
+
let hundred = 100.0_f64;
// log10(100) - 2 == 0
let abs_difference = (hundred.log10() - 2.0).abs();
assert!(abs_difference < 1e-10);
-
+
let x = 3.0_f64;
let y = -3.0_f64;
let abs_difference_x = (x.abs_sub(1.0) - 2.0).abs();
let abs_difference_y = (y.abs_sub(1.0) - 0.0).abs();
assert!(abs_difference_x < 1e-10);
assert!(abs_difference_y < 1e-10);
-
+
let x = 8.0_f64;
// x^(1/3) - 2 == 0
let abs_difference = (x.cbrt() - 2.0).abs();
assert!(abs_difference < 1e-10);
-
+
let x = 2.0_f64;
let y = 3.0_f64;
// sqrt(x^2 + y^2)
let abs_difference = (x.hypot(y) - (x.powi(2) + y.powi(2)).sqrt()).abs();
assert!(abs_difference < 1e-10);
-
+
let x = std::f64::consts::FRAC_PI_2;
let abs_difference = (x.sin() - 1.0).abs();
assert!(abs_difference < 1e-10);
-
+
let x = 2.0 * std::f64::consts::PI;
let abs_difference = (x.cos() - 1.0).abs();
assert!(abs_difference < 1e-10);
-
+
let f = std::f64::consts::FRAC_PI_2;
// asin(sin(pi/2))
let abs_difference = (f.sin().asin() - std::f64::consts::FRAC_PI_2).abs();
assert!(abs_difference < 1e-10);
-
+
let f = std::f64::consts::FRAC_PI_4;
// acos(cos(pi/4))
let abs_difference = (f.cos().acos() - std::f64::consts::FRAC_PI_4).abs();
assert!(abs_difference < 1e-10);
-
+
let f = 1.0_f64;
// atan(tan(1))
let abs_difference = (f.tan().atan() - 1.0).abs();
@@ -192,26 +192,26 @@ pub fn test_fp64() {
let abs_difference_2 = (y2.atan2(x2) - (3.0 *
std::f64::consts::FRAC_PI_4)).abs();
assert!(abs_difference_1 < 1e-10);
assert!(abs_difference_2 < 1e-10);
-
+
let x = std::f64::consts::FRAC_PI_4;
let f = x.sin_cos();
let abs_difference_0 = (f.0 - x.sin()).abs();
let abs_difference_1 = (f.1 - x.cos()).abs();
assert!(abs_difference_0 < 1e-10);
assert!(abs_difference_1 < 1e-10);
-
+
let x = 1e-16_f64;
// for very small x, e^x is approximately 1 + x + x^2 / 2
let approx = x + x * x / 2.0;
let abs_difference = (x.exp_m1() - approx).abs();
assert!(abs_difference < 1e-20);
-
+
let x = 1e-16_f64;
// for very small x, ln(1 + x) is approximately x - x^2 / 2
let approx = x - x * x / 2.0;
let abs_difference = (x.ln_1p() - approx).abs();
assert!(abs_difference < 1e-20);
-
+
let e = std::f64::consts::E;
let x = 1.0_f64;
let f = x.sinh();
@@ -219,7 +219,7 @@ pub fn test_fp64() {
let g = ((e * e) - 1.0) / (2.0 * e);
let abs_difference = (f - g).abs();
assert!(abs_difference < 1e-10);
-
+
let e = std::f64::consts::E;
let x = 1.0_f64;
let f = x.cosh();
@@ -228,7 +228,7 @@ pub fn test_fp64() {
let abs_difference = (f - g).abs();
// Same result
assert!(abs_difference < 1.0e-10);
-
+
let e = std::f64::consts::E;
let x = 1.0_f64;
let f = x.tanh();
@@ -236,17 +236,17 @@ pub fn test_fp64() {
let g = (1.0 - e.powi(-2)) / (1.0 + e.powi(-2));
let abs_difference = (f - g).abs();
assert!(abs_difference < 1.0e-10);
-
+
let x = 1.0_f64;
let f = x.sinh().asinh();
let abs_difference = (f - x).abs();
assert!(abs_difference < 1.0e-10);
-
+
let x = 1.0_f64;
let f = x.cosh().acosh();
let abs_difference = (f - x).abs();
assert!(abs_difference < 1.0e-10);
-
+
let e = std::f64::consts::E;
let f = e.tanh().atanh();
let abs_difference = (f - e).abs();
diff --git a/sgx_signal/src/exception.rs b/sgx_signal/src/exception.rs
index dfeb0627..5ca83d26 100644
--- a/sgx_signal/src/exception.rs
+++ b/sgx_signal/src/exception.rs
@@ -20,13 +20,16 @@ use sgx_trts::veh::{
exception_handle, rsgx_register_exception_handler,
rsgx_unregister_exception_handler,
};
use sgx_types::SE_WORDSIZE;
-use sgx_types::{sgx_exception_info_t, sgx_exception_vector_t};
+use sgx_types::{
+ sgx_cpu_context_t, sgx_exception_info_t, sgx_exception_type_t,
sgx_exception_vector_t,
+};
use sgx_types::{EXCEPTION_CONTINUE_EXECUTION, EXCEPTION_CONTINUE_SEARCH};
use std::collections::LinkedList;
use std::convert::From;
use std::num::NonZeroU64;
use std::ops::Drop;
-use std::sync::{Arc, Once, SgxRwLock, SgxMutex, PoisonError, ONCE_INIT};
+use std::slice;
+use std::sync::{Arc, Once, PoisonError, SgxMutex, SgxRwLock, ONCE_INIT};
use std::u64;
#[repr(u32)]
@@ -46,7 +49,7 @@ impl From<ContinueType> for i32 {
}
#[allow(unknown_lints, bare_trait_objects)]
-type ExceptionHandler = dyn Fn(&mut sgx_exception_info_t) -> ContinueType +
Send + Sync;
+type ExceptionHandler = dyn Fn(&mut ExceptionInfo) -> ContinueType + Send +
Sync;
#[derive(Copy, Clone, Debug, Eq, PartialEq, Ord, PartialOrd, Hash)]
pub struct HandlerId(NonZeroU64);
@@ -71,6 +74,45 @@ impl HandlerId {
}
}
+pub struct ExceptionInfo<'a>(&'a mut sgx_exception_info_t);
+
+impl<'a> ExceptionInfo<'a> {
+ #[inline]
+ fn new(exception_info: &'a mut sgx_exception_info_t) -> ExceptionInfo {
+ ExceptionInfo(exception_info)
+ }
+
+ #[inline]
+ pub fn cpu_context(&mut self) -> &mut sgx_cpu_context_t {
+ &mut self.0.cpu_context
+ }
+
+ #[inline]
+ pub fn faulting_address(&self) -> u64 {
+ self.0.exinfo.faulting_address
+ }
+
+ #[inline]
+ pub fn error_code(&self) -> u32 {
+ self.0.exinfo.error_code
+ }
+
+ #[inline]
+ pub fn exception_vector(&self) -> sgx_exception_vector_t {
+ self.0.exception_vector
+ }
+
+ #[inline]
+ pub fn exception_type(&self) -> sgx_exception_type_t {
+ self.0.exception_type
+ }
+
+ #[inline]
+ pub fn xsave_area(&self) -> &[u8] {
+ unsafe { slice::from_raw_parts(&self.0.xsave_area as *const _,
self.0.xsave_size as usize) }
+ }
+}
+
struct HandlerNode {
id: HandlerId,
handler: Arc<ExceptionHandler>,
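Review bot: `xsave_area()` is a safe method that builds a slice of `xsave_size` bytes starting at a zero-length array field, with no `// SAFETY:` comment and no bound on the length. Its soundness rests entirely on the runtime having stored at least `xsave_size` valid bytes directly after the header, and the wrapper holds a `&mut sgx_exception_info_t`, which only covers the header itself. I would state the invariant above the `unsafe` block, e.g. `// SAFETY: the SGX runtime sets xsave_size and places that many bytes of XSAVE state immediately after this header` (to be confirmed against the SDK), and consider keeping the original raw pointer in `ExceptionInfo` so that access to the trailing bytes is derived from it. `cpu_context()` also lets any registered handler rewrite the saved `rip`/`rsp` from safe code; a doc comment saying so would help people reviewing handlers.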
@@ -114,32 +156,34 @@ impl GlobalData {
}
extern "C" fn native_exception_handler(info: *mut sgx_exception_info_t) ->
int32_t {
+ let mut exception_info = ExceptionInfo::new(unsafe {
info.as_mut().unwrap() });
if let Ok(handlers) = GlobalData::get().manager.exception_handler.read() {
- let info = unsafe { info.as_mut().unwrap() };
for h in handlers.iter() {
- match (h.handler)(info) {
+ match (h.handler)(&mut exception_info) {
ContinueType::Search => {}
ContinueType::Execution => return EXCEPTION_CONTINUE_EXECUTION,
}
}
}
- unsafe { panic_handler(info).into() }
+ unsafe { panic_handler(&mut exception_info).into() }
}
-unsafe extern "C" fn panic_handler(info: *mut sgx_exception_info_t) ->
ContinueType {
- let exception_info = info.as_mut().unwrap();
- let mut rsp = exception_info.cpu_context.rsp;
+unsafe extern "C" fn panic_handler(info: &mut ExceptionInfo) -> ContinueType {
+ let vector = info.exception_vector() as u32 as u64;
+ let cpu_context = info.cpu_context();
+
+ let mut rsp = cpu_context.rsp;
if rsp & 0xF == 0 {
rsp -= SE_WORDSIZE as u64;
- exception_info.cpu_context.rsp = rsp;
+ cpu_context.rsp = rsp;
let addr = rsp as *mut u64;
- *addr = exception_info.cpu_context.rip;
+ *addr = cpu_context.rip;
} else {
}
- exception_info.cpu_context.rdi = exception_info.exception_vector as u32 as
u64;
- exception_info.cpu_context.rsi = exception_info.cpu_context.rip;
- exception_info.cpu_context.rip = exception_panic as usize as u64;
+ cpu_context.rdi = vector;
+ cpu_context.rsi = cpu_context.rip;
+ cpu_context.rip = exception_panic as usize as u64;
ContinueType::Execution
}
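Review bot: `info.as_mut().unwrap()` now runs unconditionally at the top of `native_exception_handler`, so a null `info` panics inside an `extern "C"` callback before the handler list is even consulted. A panic that tries to unwind out of an `extern "C"` frame is at best an abort, and this is the enclave's exception path; returning early is safer: `let info = match unsafe { info.as_mut() } { Some(i) => i, None => return EXCEPTION_CONTINUE_SEARCH };`. Separately, `panic_handler` now takes `&mut ExceptionInfo` and is only called from Rust in this hunk, so its `extern "C"` qualifier no longer describes a C-callable signature and could be dropped. It also stores the saved `rip` through an `rsp` taken from the interrupted context without checking that the address lies on the enclave stack; a `// SAFETY:` comment naming who guarantees that would be worth adding.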
@@ -188,7 +232,7 @@ impl Drop for ExceptionManager {
fn register_exception_impl<F>(first: bool, handler: F) -> Option<HandlerId>
where
- F: Fn(&mut sgx_exception_info_t) -> ContinueType + Sync + Send + 'static,
+ F: Fn(&mut ExceptionInfo) -> ContinueType + Sync + Send + 'static,
{
let globals = GlobalData::ensure();
@@ -222,7 +266,7 @@ where
///
pub fn register_exception<F>(is_first: bool, handler: F) -> Option<HandlerId>
where
- F: Fn(&mut sgx_exception_info_t) -> ContinueType + Sync + Send + 'static,
+ F: Fn(&mut ExceptionInfo) -> ContinueType + Sync + Send + 'static,
{
register_exception_impl(is_first, handler)
}
@@ -243,7 +287,7 @@ where
///
pub fn register<F>(handler: F) -> Option<HandlerId>
where
- F: Fn(&mut sgx_exception_info_t) -> ContinueType + Sync + Send + 'static,
+ F: Fn(&mut ExceptionInfo) -> ContinueType + Sync + Send + 'static,
{
register_exception_impl(true, handler)
}
diff --git a/sgx_signal/src/manager.rs b/sgx_signal/src/manager.rs
index bbf67991..449c5d9e 100644
--- a/sgx_signal/src/manager.rs
+++ b/sgx_signal/src/manager.rs
@@ -25,7 +25,7 @@ use std::mem;
use std::num::NonZeroU64;
use std::sync::Arc;
#[allow(deprecated)]
-use std::sync::{SgxMutex, PoisonError};
+use std::sync::{PoisonError, SgxMutex};
use std::u64;
thread_local! { static SIGNAL_MASK: Cell<SigSet> = Cell::new(SigSet::new()) }
@@ -162,8 +162,6 @@ impl ActionId {
drop(counter);
ActionId(NonZeroU64::new(id).unwrap())
}
-
-
}
pub type Action = dyn Fn(&siginfo_t) + Send + Sync;
diff --git a/sgx_trts/src/aex.rs b/sgx_trts/src/aex.rs
new file mode 100644
index 00000000..5b0a1ff5
--- /dev/null
+++ b/sgx_trts/src/aex.rs
@@ -0,0 +1,101 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License..
+
+use alloc::boxed::Box;
+use core::mem::{self, ManuallyDrop};
+use core::ptr;
+use sgx_types::*;
+
+pub type aex_handle = *const sgx_aex_mitigation_node_t;
+
+///
+/// rsgx_set_ssa_aexnotify allows developers to enable the AEX-Notify feature
+/// upon a piece of enclave code.
+///
+/// # Description
+///
+/// You can enable or disable AEX-Notify in the enclave code using this
function.
+/// To enable AEX-Notify for critical code that you want to mitigate for
single-step
+/// attacks, call this function. The following execution will be executed with
+/// AEX-Notify enabled until you call this function to disable it.
+///
+pub fn rsgx_set_ssa_aexnotify(is_enable: bool) -> SgxError {
+ let mut flags = 0_i32;
+ if is_enable {
+ flags = 1;
+ }
+ let ret = unsafe { sgx_set_ssa_aexnotify(flags) };
+
+ match ret {
+ sgx_status_t::SGX_SUCCESS => Ok(()),
+ _ => Err(ret),
+ }
+}
+
+///
+/// rsgx_register_aex_handler allows developers to register an AEX- Notify
handler.
+///
+/// # Description
+///
+/// The Rust SDK allows you to register custom AEX-Notify functions. You can
write your
+/// own code to provide an AEX-Notify handler that detects single-step
attacks. For instance,
+/// you can provide a handler that counts the Async Exit. If the count is
abnormal which
+/// means single-step attacks occur, you can take proper actions.
+///
+pub fn rsgx_register_aex_handler(
+ handler: sgx_aex_mitigation_fn_t,
+ args: usize,
+) -> SgxResult<aex_handle> {
+ let mut node: Box<sgx_aex_mitigation_node_t> =
Box::new(sgx_aex_mitigation_node_t {
+ handler,
+ args: args as *const c_void,
+ next: ptr::null_mut(),
+ });
+ let node_ptr = &mut *node as *mut sgx_aex_mitigation_node_t;
+ let ret = unsafe { sgx_register_aex_handler(node_ptr, handler, args as
*const _) };
+
+ match ret {
+ sgx_status_t::SGX_SUCCESS => {
+ mem::forget(node);
+ Ok(node_ptr)
+ }
+ _ => Err(ret),
+ }
+}
+
+///
+/// rsgx_unregister_aex_handler is used to unregister an AEX-Notify handler.
+///
+/// # Description
+///
+/// The Rust SDK allows you to register custom AEX-Notify functions. You can
write your own code to
+/// provide an AEX-Notify handler that detects single-step attacks.
+///
+pub fn rsgx_unregister_aex_handler(handle: aex_handle) -> SgxError {
+ unsafe {
+ let node: ManuallyDrop<Box<sgx_aex_mitigation_node_t>> =
+ ManuallyDrop::new(Box::from_raw(handle as *mut
sgx_aex_mitigation_node_t));
+ let ret = sgx_unregister_aex_handler(node.handler);
+ match ret {
+ sgx_status_t::SGX_SUCCESS => {
+ let _ = ManuallyDrop::into_inner(node);
+ Ok(())
+ }
+ _ => Err(ret),
+ }
+ }
+}
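Review bot: `rsgx_unregister_aex_handler` is a safe `pub fn` that calls `Box::from_raw` on a caller-supplied `*const` pointer, so safe code can pass a null, forged or already-unregistered `aex_handle` and trigger a wild read or a double free inside the enclave. Either declare it `pub unsafe fn rsgx_unregister_aex_handler(handle: aex_handle) -> SgxError` with a `# Safety` section (the handle must come from `rsgx_register_aex_handler` and be unregistered at most once), or make the handle an opaque non-`Copy` newtype with a private field that this function consumes. The call also unregisters by `node.handler` rather than by node; if the native list can hold the same function twice (two registrations with different `args`), the node freed here may not be the one that was unlinked, which is worth confirming against the SDK. The doc comment on the unregister function repeats the register text and says nothing about the handle's lifetime.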
diff --git a/sgx_trts/src/enclave.rs b/sgx_trts/src/enclave.rs
index 4db1b0e3..a0c6c0c0 100644
--- a/sgx_trts/src/enclave.rs
+++ b/sgx_trts/src/enclave.rs
@@ -61,6 +61,7 @@ pub struct global_data_t {
pub enclave_image_address: u64,
pub elrange_start_address: u64,
pub elrange_size: u64,
+ pub edmm_bk_overhead: usize,
}
#[repr(C)]
@@ -74,12 +75,17 @@ pub struct thread_data_t {
pub flags: usize,
pub xsave_size: usize,
pub last_error: usize,
+ pub aex_mitigation_list: usize,
+ pub aex_notify_flag: usize,
+ pub first_ssa_xsave: usize,
pub m_next: usize,
pub tls_addr: usize,
pub tls_array: usize,
pub exception_flag: usize,
pub cxx_thread_info: [usize; 6],
pub stack_commit_addr: usize,
+ pub aex_notify_entropy_cache: u32,
+ pub aex_notify_entropy_remaining: i32,
}
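Review bot: The fields added to `thread_data_t` sit in the middle and at the end of a `#[repr(C)]` struct that, as far as the hunk shows, mirrors a layout owned by the Intel runtime, yet nothing records which SDK version that layout matches. An offset mismatch here would make every later field (`tls_addr`, `exception_flag`, `stack_commit_addr`) read the wrong word without any compile error. I would add a comment above the struct such as `// Layout mirrors thread_data_t in Intel SGX SDK 2.20; update together with the SDK version in dockerfile/03_sdk.sh`, and the same for `global_data_t` in the first hunk of this file. The struct begins outside the hunk.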
#[derive(Copy, Clone)]
@@ -286,6 +292,7 @@ pub struct SgxThreadData {
stack_guard: usize,
xsave_size: usize,
last_error: usize,
+ first_ssa_xsave: usize,
tls_addr: usize,
tls_array: usize,
exception_flag: usize,
@@ -315,6 +322,7 @@ impl SgxThreadData {
stack_guard: td.stack_guard,
xsave_size: td.xsave_size,
last_error: td.last_error,
+ first_ssa_xsave: td.first_ssa_xsave,
tls_addr: td.tls_addr,
tls_array: td.tls_array,
exception_flag: td.exception_flag,
@@ -334,6 +342,7 @@ impl SgxThreadData {
stack_guard: td.stack_guard,
xsave_size: td.xsave_size,
last_error: td.last_error,
+ first_ssa_xsave: td.first_ssa_xsave,
tls_addr: td.tls_addr,
tls_array: td.tls_array,
exception_flag: td.exception_flag,
diff --git a/sgx_trts/src/lib.rs b/sgx_trts/src/lib.rs
index 491fa3d0..0d9df238 100644
--- a/sgx_trts/src/lib.rs
+++ b/sgx_trts/src/lib.rs
@@ -86,6 +86,7 @@ extern crate alloc;
#[macro_use]
mod macros;
+pub mod aex;
pub mod ascii;
pub mod c_str;
pub mod cpu_feature;
diff --git a/sgx_tseal/src/internal.rs b/sgx_tseal/src/internal.rs
index cdf17a65..4413a011 100644
--- a/sgx_tseal/src/internal.rs
+++ b/sgx_tseal/src/internal.rs
@@ -264,7 +264,6 @@ impl SgxInternalSealedData {
}
pub fn seal_data(additional_text: &[u8], encrypt_text: &[u8]) ->
SgxResult<Self> {
- //let attribute_mask = sgx_attributes_t{flags: SGX_FLAGS_RESERVED |
SGX_FLAGS_INITTED | SGX_FLAGS_DEBUG, xfrm: 0};
/* intel sgx sdk 1.8 */
let attribute_mask = sgx_attributes_t {
flags: TSEAL_DEFAULT_FLAGSMASK,
diff --git a/sgx_types/src/error.rs b/sgx_types/src/error.rs
index 812b50cf..c644331d 100644
--- a/sgx_types/src/error.rs
+++ b/sgx_types/src/error.rs
@@ -483,6 +483,7 @@ impl_enum! {
SGX_QL_SUPPLEMENTAL_DATA_VERSION_NOT_SUPPORTED = 0x0000_E064,
SGX_QL_ROOT_CA_UNTRUSTED = 0x0000_E065,
SGX_QL_TCB_NOT_SUPPORTED = 0x0000_E066,
+ SGX_QL_CONFIG_INVALID_JSON = 0x0000_E067,
SGX_QL_ERROR_MAX = 0x0000_E0FF,
}
}
@@ -518,7 +519,7 @@ impl sgx_quote3_error_t {
sgx_quote3_error_t::SGX_QL_UNSUPPORTED_LOADING_POLICY => {
"Unsupported enclave loading policy."
}
- sgx_quote3_error_t::SGX_QL_INTERFACE_UNAVAILABLE => "Unable to
load the QE enclave.",
+ sgx_quote3_error_t::SGX_QL_INTERFACE_UNAVAILABLE => "Unable to
load the PCE enclave.",
sgx_quote3_error_t::SGX_QL_PLATFORM_LIB_UNAVAILABLE => {
"Unable to find the platform library with the dependent APIs."
}
@@ -645,6 +646,9 @@ impl sgx_quote3_error_t {
sgx_quote3_error_t::SGX_QL_TCB_NOT_SUPPORTED => {
"Current TCB level cannot be found in platform/enclave TCB
info"
}
+ sgx_quote3_error_t::SGX_QL_CONFIG_INVALID_JSON => {
+ "The QPL's config file is in JSON format but has a format
error"
+ }
sgx_quote3_error_t::SGX_QL_ERROR_MAX => {
"Indicate max error to allow better translation."
}
@@ -798,6 +802,7 @@ impl sgx_quote3_error_t {
}
sgx_quote3_error_t::SGX_QL_ROOT_CA_UNTRUSTED =>
"SGX_QL_ROOT_CA_UNTRUSTED",
sgx_quote3_error_t::SGX_QL_TCB_NOT_SUPPORTED =>
"SGX_QL_TCB_NOT_SUPPORTED",
+ sgx_quote3_error_t::SGX_QL_CONFIG_INVALID_JSON =>
"SGX_QL_CONFIG_INVALID_JSON",
sgx_quote3_error_t::SGX_QL_ERROR_MAX => "SGX_QL_ERROR_MAX",
}
}
@@ -837,6 +842,8 @@ impl_enum! {
SGX_QCNL_CACHE_MISSING = 0x0000_B031,
SGX_QCNL_CACHE_EXPIRED = 0x0000_B032,
SGX_QCNL_ROOT_CA_UNTRUSTED = 0x0000_B033,
+ SGX_QCNL_CONFIG_INVALID_JSON = 0x0000_B035,
+ SGX_QCNL_CONFIG_NOT_JSON = 0x0000_B036,
}
}
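Review bot: The new `sgx_qcnl_error_t` values jump from `0x0000_B033` to `0x0000_B035`, and this enum is used directly as the return type of the `extern "C"` declarations added in sgx_types/src/function.rs (`sgx_qcnl_clear_cache`, `sgx_qcnl_global_init`, `sgx_qcnl_global_cleanup`). If the native library returns a code that has no variant, whether `0x0000_B034` or one added in a later DCAP release, Rust has already materialised an invalid enum value, which is undefined behaviour and not a recoverable error. Please confirm against the DCAP 1.17 header whether `0x0000_B034` is assigned and add it if so; a comment such as `// must list every code the QCNL library can return (DCAP 1.17)` above the enum would record the invariant. The same consideration applies to `SGX_QL_CONFIG_INVALID_JSON` in the `sgx_quote3_error_t` hunk earlier in this file.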
@@ -887,6 +894,10 @@ impl sgx_qcnl_error_t {
sgx_qcnl_error_t::SGX_QCNL_ROOT_CA_UNTRUSTED => {
"The certificate used to establish SSL session is untrusted"
}
+ sgx_qcnl_error_t::SGX_QCNL_CONFIG_INVALID_JSON => {
+ "The config file is in JSON format but has a format error"
+ }
+ sgx_qcnl_error_t::SGX_QCNL_CONFIG_NOT_JSON => "The config file is
not in JSON format",
}
}
@@ -930,6 +941,8 @@ impl sgx_qcnl_error_t {
sgx_qcnl_error_t::SGX_QCNL_CACHE_MISSING =>
"SGX_QCNL_CACHE_MISSING",
sgx_qcnl_error_t::SGX_QCNL_CACHE_EXPIRED =>
"SGX_QCNL_CACHE_EXPIRED",
sgx_qcnl_error_t::SGX_QCNL_ROOT_CA_UNTRUSTED =>
"SGX_QCNL_ROOT_CA_UNTRUSTED",
+ sgx_qcnl_error_t::SGX_QCNL_CONFIG_INVALID_JSON =>
"SGX_QCNL_CONFIG_INVALID_JSON",
+ sgx_qcnl_error_t::SGX_QCNL_CONFIG_NOT_JSON =>
"SGX_QCNL_CONFIG_NOT_JSON",
}
}
}
diff --git a/sgx_types/src/function.rs b/sgx_types/src/function.rs
index db6c77c2..3cf6a9b0 100644
--- a/sgx_types/src/function.rs
+++ b/sgx_types/src/function.rs
@@ -688,6 +688,15 @@ extern "C" {
page_properties_from: int32_t,
page_properties_to: int32_t,
) -> int32_t;
+
+ /* intel sgx sdk 2.20 */
+ pub fn sgx_set_ssa_aexnotify(flags: int32_t) -> sgx_status_t;
+ pub fn sgx_register_aex_handler(
+ aex_node: *mut sgx_aex_mitigation_node_t,
+ handler: sgx_aex_mitigation_fn_t,
+ args: *const c_void,
+ ) -> sgx_status_t;
+ pub fn sgx_unregister_aex_handler(handler: sgx_aex_mitigation_fn_t) ->
sgx_status_t;
}
/* intel sgx sdk 2.18 */
@@ -1089,10 +1098,19 @@ extern "C" {
fmspc: *const uint8_t,
fmspc_size: uint16_t,
pck_ra: *const c_char,
- pp_quote_collateral: *mut *mut tdx_ql_qve_collateral_t,
+ pp_quote_collateral: *mut *mut tdx_ql_qv_collateral_t,
+ ) -> sgx_quote3_error_t;
+ /* intel DCAP 1.17 */
+ pub fn tdx_ql_get_quote_verification_collateral_with_params(
+ fmspc: *const uint8_t,
+ fmspc_size: uint16_t,
+ pck_ra: *const c_char,
+ custom_param: *const c_void,
+ custom_param_length: uint16_t,
+ pp_quote_collateral: *mut *mut tdx_ql_qv_collateral_t,
) -> sgx_quote3_error_t;
pub fn tdx_ql_free_quote_verification_collateral(
- p_quote_collateral: *const sgx_ql_qve_collateral_t,
+ p_quote_collateral: *const tdx_ql_qv_collateral_t,
) -> sgx_quote3_error_t;
pub fn sgx_ql_get_qve_identity(
pp_qve_identity: *mut *mut c_char,
@@ -1104,18 +1122,21 @@ extern "C" {
p_qve_identity: *const c_char,
p_qve_identity_issuer_chain: *const c_char,
) -> sgx_quote3_error_t;
-
- /* intel DCAP 1.4 */
+ /* intel DCAP 1.14 */
pub fn sgx_ql_get_root_ca_crl(
pp_root_ca_crl: *mut *mut uint8_t,
p_root_ca_crl_size: *mut uint16_t,
) -> sgx_quote3_error_t;
pub fn sgx_ql_free_root_ca_crl(p_root_ca_crl: *const uint8_t) ->
sgx_quote3_error_t;
- /* intel DCAP 2.14 */
+ /* intel DCAP 1.14 */
pub fn sgx_ql_set_logging_callback(
logger: sgx_ql_logging_callback_t,
loglevel: sgx_ql_log_level_t,
) -> sgx_quote3_error_t;
+ /* intel DCAP 1.17 */
+ pub fn sgx_qpl_clear_cache(cache_type: sgx_qpl_cache_type_t) ->
sgx_quote3_error_t;
+ pub fn sgx_qpl_global_init() -> sgx_quote3_error_t;
+ pub fn sgx_qpl_global_cleanup() -> sgx_quote3_error_t;
}
//#[link(name = "sgx_default_qcnl_wrapper")]
@@ -1194,6 +1215,11 @@ extern "C" {
// user_token: *const uint8_t,
// user_token_size: uint16_t,
// ) -> sgx_qcnl_error_t;
+
+ /* intel DCAP 1.17 */
+ pub fn sgx_qcnl_clear_cache(cache_type: uint32_t) -> sgx_qcnl_error_t;
+ pub fn sgx_qcnl_global_init() -> sgx_qcnl_error_t;
+ pub fn sgx_qcnl_global_cleanup() -> sgx_qcnl_error_t;
}
//#[link(name = "dcap_quoteverify")]
@@ -1246,7 +1272,7 @@ extern "C" {
pub fn tdx_qv_verify_quote(
p_quote: *const uint8_t,
quote_size: uint32_t,
- p_quote_collateral: *const tdx_ql_qve_collateral_t,
+ p_quote_collateral: *const tdx_ql_qv_collateral_t,
expiration_check_date: time_t,
p_collateral_expiration_status: *mut uint32_t,
p_quote_verification_result: *mut sgx_ql_qv_result_t,
diff --git a/sgx_types/src/marker.rs b/sgx_types/src/marker.rs
index 118b09c7..b736b467 100644
--- a/sgx_types/src/marker.rs
+++ b/sgx_types/src/marker.rs
@@ -73,6 +73,7 @@ impl_marker_for_array! {BytewiseEquality,
/// a contiguous area of memory inside the enclave. Developer needs to
/// implement this trait as a marker for the data structure he/she wants
/// to feed into SGX apis.
+#[allow(clippy::missing_safety_doc)]
pub unsafe trait ContiguousMemory {}
impl_unsafe_marker_for!(ContiguousMemory,
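Review bot: `#[allow(clippy::missing_safety_doc)]` silences the lint on `pub unsafe trait ContiguousMemory` instead of writing down what an implementer must guarantee. The existing doc says this marker decides which structures may be fed into SGX APIs, so a `# Safety` section is the more useful fix, for example `/// # Safety` followed by `/// Implementors must occupy one contiguous region of enclave memory, with no data reached through pointers or references.` The exact wording should be checked against how the wrappers that use this bound compute lengths. The trait's doc comment starts outside the hunk.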
diff --git a/sgx_types/src/types.rs b/sgx_types/src/types.rs
index decd4a05..b432fb41 100644
--- a/sgx_types/src/types.rs
+++ b/sgx_types/src/types.rs
@@ -32,6 +32,7 @@ pub const SGX_FLAGS_MODE64BIT: uint64_t =
0x0000_0000_0000_0004; //If set, then
pub const SGX_FLAGS_PROVISION_KEY: uint64_t = 0x0000_0000_0000_0010; //If set,
then the enclave has access to provision key
pub const SGX_FLAGS_EINITTOKEN_KEY: uint64_t = 0x0000_0000_0000_0020; //If
set, then the enclave has access to EINITTOKEN key
pub const SGX_FLAGS_KSS: uint64_t = 0x0000_0000_0000_0080; //If set enclave
uses KSS
+pub const SGX_FLAGS_AEX_NOTIFY: uint64_t = 0x0000_0000_0000_0400; //If set,
then the enclave enables AEX Notify
pub const SGX_FLAGS_RESERVED: uint64_t = !(SGX_FLAGS_INITTED
| SGX_FLAGS_DEBUG
| SGX_FLAGS_MODE64BIT
@@ -1057,17 +1058,56 @@ impl_struct! {
}
}
-impl_struct! {
- pub struct sgx_exception_info_t {
- pub cpu_context: sgx_cpu_context_t,
- pub exception_vector: sgx_exception_vector_t,
- pub exception_type: sgx_exception_type_t,
- pub exinfo: sgx_misc_exinfo_t,
+cfg_if! {
+ if #[cfg(target_arch = "x86")] {
+ #[repr(C, align(64))]
+ pub struct sgx_exception_info_t {
+ pub cpu_context: sgx_cpu_context_t,
+ pub exception_vector: sgx_exception_vector_t,
+ pub exception_type: sgx_exception_type_t,
+ pub exinfo: sgx_misc_exinfo_t,
+ pub exception_valid: uint32_t,
+ pub do_aex_mitigation: uint32_t,
+ pub xsave_size: uint64_t,
+ pub reserved: [uint64_t; 6],
+ pub xsave_area: [uint8_t; 0],
+ }
+ } else {
+ #[repr(C, align(64))]
+ pub struct sgx_exception_info_t {
+ pub cpu_context: sgx_cpu_context_t,
+ pub exception_vector: sgx_exception_vector_t,
+ pub exception_type: sgx_exception_type_t,
+ pub exinfo: sgx_misc_exinfo_t,
+ pub exception_valid: uint32_t,
+ pub do_aex_mitigation: uint32_t,
+ pub xsave_size: uint64_t,
+ pub reserved: [uint64_t; 1],
+ pub xsave_area: [uint8_t; 0],
+ }
}
}
+impl_struct_ContiguousMemory! {
+ sgx_exception_info_t;
+}
+
pub type sgx_exception_handler_t = extern "C" fn(info: *mut
sgx_exception_info_t) -> int32_t;
+/* intel sgx sdk 2.20 */
+//
+// sgx_trts_aex.h
+//
+#[repr(C)]
+pub struct sgx_aex_mitigation_node_t {
+ pub handler: sgx_aex_mitigation_fn_t,
+ pub args: *const c_void,
+ pub next: *mut sgx_aex_mitigation_node_t,
+}
+
+pub type sgx_aex_mitigation_fn_t =
+ extern "C" fn(info: *mut sgx_exception_info_t, args: *const c_void) ->
c_void;
+
//
// sgx_tseal.h
//
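Review bot: `sgx_aex_mitigation_fn_t` is declared as returning `c_void`, which is not how a C `void` return is written in Rust; `c_void` is meant to appear only behind a pointer, and a handler written in Rust has no sound way to produce a value of it. The alias should omit the return type: `pub type sgx_aex_mitigation_fn_t = extern "C" fn(info: *mut sgx_exception_info_t, args: *const c_void);`. Also, `sgx_exception_info_t` now ends in a zero-length `xsave_area` and is marked `ContiguousMemory`, although `size_of` no longer covers the XSAVE bytes that follow it; a comment on the struct saying that its real extent is the header plus `xsave_size` would stop callers from copying or range-checking it by `size_of`. The two `cfg_if!` arms differ only in the length of `reserved`, which a one-line comment could make obvious.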
@@ -1398,7 +1438,10 @@ pub struct sgx_ql_qve_collateral_t {
pub qe_identity_size: uint32_t,
}
+/* intel DCAP 1.17 */
+// Deprecate structure name tdx_ql_qve_collateral_t
pub type tdx_ql_qve_collateral_t = sgx_ql_qve_collateral_t;
+pub type tdx_ql_qv_collateral_t = sgx_ql_qve_collateral_t;
impl_enum! {
#[repr(u8)]
@@ -1409,6 +1452,17 @@ impl_enum! {
}
}
+/* intel DCAP 1.17 */
+impl_enum! {
+ #[repr(u32)]
+ #[derive(Copy, Clone, PartialEq, Eq, Debug)]
+ pub enum sgx_qpl_cache_type_t {
+ SGX_QPL_CACHE_CERTIFICATE = 1,
+ SGX_QPL_CACHE_QV_COLLATERAL = 2,
+ SGX_QPL_CACHE_MULTICERTS = 4,
+ }
+}
+
/* intel DCAP 1.11 */
impl_enum! {
#[repr(u32)]
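Review bot: The discriminants `1`, `2`, `4` of `sgx_qpl_cache_type_t` look like bit flags, but a Rust `enum` parameter can carry only one of the three, so `sgx_qpl_clear_cache` cannot be asked to clear a combination, and callers may be tempted to `transmute` an OR-ed value, which is undefined behaviour. `sgx_qcnl_clear_cache` in function.rs already takes a plain `uint32_t` for the same argument. If the native API accepts a mask (to be confirmed in the DCAP 1.17 header), I would expose the values as constants, e.g. `pub const SGX_QPL_CACHE_CERTIFICATE: uint32_t = 1;`, and take `uint32_t` in the FFI signature. The hunk ends inside the next `impl_enum!` block.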