Enclave Common API for EDMM
Adjust Enclave Common API to be compatible with existing style and definitions:
1) split flags in enclave_alloc to page type and alloc flags
2) return non-OS specific error code
3) add new API enclave_get_features

Update EMM ocall definition:
1) Return EFAULT for all ocall failures
2) align sgx_mm_alloc with enclave_alloc to use separate parameters for page
type and alloc_flags

Signed-off-by: Haitao Huang <4699115+haitaohuang@users.noreply.github.com>
haitaohuang committed Jul 14, 2022
commit a2a4b4856da941a183a496982f8424e9611c0e87
5 changes: 5 additions & 0 deletions psw/enclave_common/sgx_enclave_common.cpp
Expand Up @@ -1311,4 +1311,9 @@ extern "C" bool COMM_API enclave_set_information(

return false;
}
uint32_t COMM_API enclave_get_features()
{
//!TODO
return 0;
}
#include "sgx_mm_ocalls.cpp"
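Review bot: enclave_get_features() is merged as a stub that always returns 0, which sgx_enclave_common.h in this same commit defines as ENCLAVE_FEATURE_NONE, so a caller that gates EDMM use on ENCLAVE_FEATURE_SGX2 will treat every platform as unsupported, and a caller that ignores the result gets no protection from the check at all. Either implement the detection before exposing the symbol or have the comment in the header state that the value is not yet meaningful. The definition also uses an empty parameter list; since the declaration sits in an extern "C" header, write it as enclave_get_features(void) in both places.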
137 changes: 101 additions & 36 deletions psw/enclave_common/sgx_enclave_common.h
Expand Up @@ -86,9 +86,28 @@ typedef enum {
ENCLAVE_PAGE_WRITE = 1 << 1, /* Enables write access to the committed region of pages. */
ENCLAVE_PAGE_EXECUTE = 1 << 2, /* Enables execute access to the committed region of pages. */
ENCLAVE_PAGE_THREAD_CONTROL = 1 << 8, /* The page contains a thread control structure. */
ENCLAVE_PAGE_REG = 2 << 8, /* The page contains a PT_REG page. */
ENCLAVE_PAGE_SS_FIRST = 5 << 8, /* The page contains the first page of a Shadow Stack (future). */
ENCLAVE_PAGE_SS_REST = 6 << 8, /* The page contains a non-first page of a Shadow Stack (future). */
ENCLAVE_PAGE_UNVALIDATED = 1 << 12, /* The page contents that you supply are excluded from measurement and content validation. */
} enclave_page_properties_t;

/*
* Hints to OS on how application may use the pages allocated with enclave_alloc.
*/
typedef enum {
ENCLAVE_EMA_NONE = 0, /* No suggestions provided. */
ENCLAVE_EMA_RESERVE = 1, /* Suggest that the kernel should reserve the memory range and not immediately EAUG pages. */
ENCLAVE_EMA_COMMIT_NOW = 2, /* Gives a hint that the kernel should EAUG pages immediately. */
ENCLAVE_EMA_COMMIT_ON_DEMAND = 4, /* Gives a hint that the kernel can EAUG pages later. */
ENCLAVE_EMA_GROWSDOWN = 16, /* Gives a hint to the kernel that the application will access pages above the
last accessed page. The kernel may want to EAUG pages from higher to lower addresses
with no gaps in addresses above the last committed page. */
ENCLAVE_EMA_GROWSUP = 32, /* Gives a hint to the kernel that the application will access pages below the
last accessed page. The kernel may want to EAUG pages from lower to higher addresses
with no gaps in addresses below the last committed page. */
} enclave_alloc_flags;

typedef enum {
ENCLAVE_LAUNCH_TOKEN = 0x1
} enclave_info_type_t;
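Review bot: In the new enclave_alloc_flags enum, the ENCLAVE_EMA_GROWSDOWN comment says the application "will access pages above the last accessed page" but then describes EAUG from higher to lower addresses, and ENCLAVE_EMA_GROWSUP has the mirror-image wording; "above" and "below" in the two first sentences look swapped and should be corrected so the hint is unambiguous. Separately, ENCLAVE_PAGE_REG (2 << 8), ENCLAVE_PAGE_SS_FIRST (5 << 8) and ENCLAVE_PAGE_SS_REST (6 << 8) form an enumerated field rather than independent bits: 5 << 8 contains the bit used by ENCLAVE_PAGE_THREAD_CONTROL (1 << 8), so a single-bit AND test for a TCS page would also match a shadow-stack first page. A comment stating that the page type must be masked out and compared for equality would help callers avoid that. The enum name also lacks the _t suffix used by enclave_page_properties_t and enclave_info_type_t.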
Expand All @@ -100,7 +119,7 @@ typedef enum {
#define ENCLAVE_CREATE_EX_EL_RANGE (1 << ENCLAVE_CREATE_EX_EL_RANGE_BIT_IDX) // Reserve Bit 0 for the el_range config

//update the following when adding new extended feature
#define _ENCLAVE_CREATE_LAST_EX_FEATURE_IDX_ ENCLAVE_CREATE_EX_EL_RANGE_BIT_IDX
#define _ENCLAVE_CREATE_LAST_EX_FEATURE_IDX_ ENCLAVE_CREATE_EX_EL_RANGE_BIT_IDX

#define _ENCLAVE_CREATE_EX_FEATURES_MASK_ (((uint32_t)-1) >> (ENCLAVE_CREATE_MAX_EX_FEATURES_COUNT - 1 - _ENCLAVE_CREATE_LAST_EX_FEATURE_IDX_))

Expand Down Expand Up @@ -148,7 +167,7 @@ void* COMM_API enclave_create_ex(
COMM_IN const uint32_t ex_features,
COMM_IN const void* ex_features_p[32],
COMM_OUT_OPT uint32_t* enclave_error);


/* enclave_create()
* Parameters:
Expand All @@ -175,7 +194,7 @@ void* COMM_API enclave_create(
/* enclave_load_data()
* Parameters:
* target_address [in] - The address in the enclave where you want to load the data.
* target_size [in] - The size of the range that you want to load in the enclave, in bytes.
* target_size [in] - The size of the range that you want to load in the enclave, in bytes.
* source_buffer [in, optional] - An optional pointer to the data you want to load into the enclave.
* data_properties [in] - The properties of the pages you want to add to the enclave.
* enclave_error [out, optional] - An optional pointer to a variable that receives an enclave error code.
Expand All @@ -193,7 +212,7 @@ size_t COMM_API enclave_load_data(
/* enclave_initialize()
* Parameters:
* base_address [in] - The enclave base address as returned from the enclave_create API.
* info [in] - A pointer to the architecture-specific information to use to initialize the enclave.
* info [in] - A pointer to the architecture-specific information to use to initialize the enclave.
* info_size [in] - The length of the structure that the info parameter points to, in bytes.
* enclave_error [out, optional] - An optional pointer to a variable that receives an enclave error code.
* Return Value:
Expand Down Expand Up @@ -224,7 +243,7 @@ bool COMM_API enclave_delete(
* info_type[in] - Identifies the type of information requested. initialized.
* output_info[out] - Pointer to information returned by the API
* output_info_size[in, out] - Size of the output_info buffer, in bytes. If the API succeeds, then this will return the number of bytes returned in output_info. If the API fails with, ENCLAVE_INVALID_SIZE, then this will return the required size
* enclave_error [out, optional] - An optional pointer to a variable that receives an enclave error code.
* enclave_error [out, optional] - An optional pointer to a variable that receives an enclave error code.
*/
bool COMM_API enclave_get_information(
COMM_IN void* base_address,
Expand All @@ -239,7 +258,7 @@ bool COMM_API enclave_get_information(
* info_type[in] - Identifies the type of information requested. not been initialized.
* input_info[in] - Pointer to information provided to the API
* input_info_size[in] - Size of the information, in bytes, provided in input_info from the API.
* enclave_error [out, optional] - An optional pointer to a variable that receives an enclave error code.
* enclave_error [out, optional] - An optional pointer to a variable that receives an enclave error code.
*/
bool COMM_API enclave_set_information(
COMM_IN void* base_address,
Expand All @@ -253,56 +272,102 @@ bool COMM_API enclave_set_information(
*
* @param[in] addr Desired page aligned start address.
* @param[in] length Size of the region in bytes of multiples of page size.
* @param[in] flags A bitwise OR of flags describing committing mode, committing
* @param[in] page_properties Page types to be allocated, must be one of these:
* - ENCLAVE_PAGE_REG: regular page type. This is the default if not specified.
* - ENCLAVE_PAGE_SS_FIRST: the first page in shadow stack.
* - ENCLAVE_PAGE_SS_REST: the rest page in shadow stack.
* @param[in] alloc_flags A bitwise OR of flags describing committing mode, committing
* order, address preference, page type. The untrusted side.
* implementation should always invoke mmap syscall with MAP_SHARED|MAP_FIXED_NOREPLACE, and
* translate following additional bits to proper parameters invoking mmap or other SGX specific
* syscall(s) provided by the kernel.
* The flags param of this interface should include exactly one of following for committing mode:
* - SGX_EMA_COMMIT_NOW: reserves memory range with SGX_EMA_PROT_READ|SGX_EMA_PROT_WRITE, if supported,
* The alloc_flags param of this interface should include exactly one of following for committing mode:
* - ENCLAVE_EMA_COMMIT_NOW: reserves memory range with ENCLAVE_PAGE_READ|SGX_EMA_PROT_WRITE, if supported,
* kernel is given a hint to EAUG EPC pages for the area as soon as possible.
* - SGX_EMA_COMMIT_ON_DEMAND: reserves memory range, EPC pages can be EAUGed upon #PF.
* - ENCLAVE_EMA_COMMIT_ON_DEMAND: reserves memory range, EPC pages can be EAUGed upon #PF.
* ORed with zero or one of the committing order flags:
* - SGX_EMA_GROWSDOWN: if supported, a hint given for the kernel to EAUG pages from higher
* - ENCLAVE_EMA_GROWSDOWN: if supported, a hint given for the kernel to EAUG pages from higher
* to lower addresses, no gaps in addresses above the last committed.
* - SGX_EMA_GROWSUP: if supported, a hint given for the kernel to EAUG pages from lower
* - ENCLAVE_EMA_GROWSUP: if supported, a hint given for the kernel to EAUG pages from lower
* to higher addresses, no gaps in addresses below the last committed.
* Optionally ORed with one of following page types:
* - SGX_EMA_PAGE_TYPE_REG: regular page type. This is the default if not specified.
* - SGX_EMA_PAGE_TYPE_SS_FIRST: the first page in shadow stack.
* - SGX_EMA_PAGE_TYPE_SS_REST: the rest page in shadow stack.
* @retval 0 The operation was successful.
* @retval EINVAL Any parameter passed in is not valid.
* @retval errno Error as reported by dependent syscalls, e.g., mmap().
* @retval ENCLAVE_ERROR_SUCCESS(0) The operation was successful.
* @retval ENCLAVE_NOT_SUPPORTED: Enavle feature is not supported by the system
* @retval ENCLAVE_LOST: may be returned if the enclave has been removed or if it has not been initialized (via EINIT)
* @retval ENCLAVE_INVALID_ADDRESS: the start address does not point to an enclave.
* @retval ENCLAVE_INVALID_PARAMETER: an invalid combination of flags was provided.
* @retval ENCLAVE_OUT_OF_MEMORY: No EPC left (some OSes like Linux), or system is out of memory for internal allocation by OS or this function.
* @retval ENCLAVE_DEVICE_NO_MEMORY: NO EPC left (some OSes like Windows)
* @retval ENCLAVE_INVALID_ADDRESS: address does not point to an enclave or valid memory within the enclave
* @retval ENCLAVE_NOT_INITIALIZED: may be returned if the enclave has not been initialized (via EINIT).
* Some configurations may give ENCLAVE_LOST if the enclave has not been initialized.
* @retval ENCLAVE_UNEXPECTED, unexpected error.
*/
int COMM_API enclave_alloc(uint64_t addr, size_t length, int flags);

uint32_t COMM_API enclave_alloc(
COMM_IN uint64_t addr,
COMM_IN size_t length,
COMM_IN uint32_t page_properties,
COMM_IN uint32_t alloc_flags);

/*
* Call OS to change permissions, type, or notify EACCEPT done after TRIM.
*
* @param[in] addr Start address of the memory to change protections.
* @param[in] length Length of the area. This must be a multiple of the page size.
* @param[in] flags_from The original EPCM flags of the EPC pages to be modified.
* @param[in] page_properties_from The original EPCM flags of the EPC pages to be modified.
* Must be bitwise OR of following:
* SGX_EMA_PROT_READ
* SGX_EMA_PROT_WRITE
* SGX_EMA_PROT_EXEC
* SGX_EMA_PAGE_TYPE_REG: regular page, changeable to TRIM or TCS
* SGX_EMA_PAGE_TYPE_TRIM: signal to the kernel EACCEPT is done for TRIM pages.
* @param[in] flags_to The target EPCM flags. This must be bitwise OR of following:
* SGX_EMA_PROT_READ
* SGX_EMA_PROT_WRITE
* SGX_EMA_PROT_EXEC
* SGX_EMA_PAGE_TYPE_TRIM: change the page type to PT_TRIM. Note the address
* ENCLAVE_PAGE_READ
* ENCLAVE_PAGE_WRITE
* ENCLAVE_PAGE_EXEC
* ENCLAVE_PAGE_REG: regular page, changeable to TRIM or TCS
* ENCLAVE_PAGE_TRIM: signal to the kernel EACCEPT is done for TRIM pages.
* @param[in] page_properties_to The target EPCM flags. This must be bitwise OR of following:
* ENCLAVE_PAGE_READ
* ENCLAVE_PAGE_WRITE
* ENCLAVE_PAGE_EXEC
* ENCLAVE_PAGE_TRIM: change the page type to PT_TRIM. Note the address
* range for trimmed pages may still be reserved by enclave with
* proper permissions.
* SGX_EMA_PAGE_TYPE_TCS: change the page type to PT_TCS
* @retval 0 The operation was successful.
* @retval EINVAL A parameter passed in is not valid.
* @retval errno Error as reported by dependent syscalls, e.g., mprotect().
* ENCLAVE_PAGE_TCS: change the page type to PT_TCS
* @retval ENCLAVE_ERROR_SUCCESS(0) The operation was successful.
* @retval ENCLAVE_NOT_SUPPORTED: Enclave feature is not supported by the system
* @retval ENCLAVE_LOST: may be returned if the enclave has been removed or if it has not been initialized (via EINIT)
* @retval ENCLAVE_INVALID_PARAMETER: an invalid combination of flags was provided.
* @retval ENCLAVE_OUT_OF_MEMORY: No EPC left (some OSes like Linux), or system is out of memory for internal allocation by OS or this function.
* @retval ENCLAVE_DEVICE_NO_MEMORY: NO EPC left (some OSes like Windows)
* @retval ENCLAVE_INVALID_ADDRESS: address does not point to an enclave or valid memory within the enclave
* @retval ENCLAVE_NOT_INITIALIZED: may be returned if the enclave has not been initialized (via EINIT).
* Some configurations may give ENCLAVE_LOST if the enclave has not been initialized.
* @retval ENCLAVE_UNEXPECTED, unexpected error.
*/

uint32_t COMM_API enclave_modify(
COMM_IN uint64_t addr,
COMM_IN size_t length,
COMM_IN uint32_t page_properties_from,
COMM_IN uint32_t page_properties_to);




/**
* The enclave features flags describe additional enclave features
* which are supported by the platform. A value of 0 indicates not features are supported.
*/
typedef enum
{
ENCLAVE_FEATURE_NONE = 0,
ENCLAVE_FEATURE_SGX1 = 0x00000001, /* The platform (HW and OS) supports SGX1 */
ENCLAVE_FEATURE_SGX2 = 0x00000002, /* The platform (HW and OS) supports SGX2 */
}enclave_features;

/*
* Get enclave features which are supported by the platform.
* @return an enclave_features enum indicating enclave features which are supported on the platform
*
*/
uint32_t COMM_API enclave_get_features();

int COMM_API enclave_modify(uint64_t addr, size_t length, int flags_from, int flags_to);

#ifdef __cplusplus
}
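Review bot: The rewritten doc comments for enclave_alloc and enclave_modify name constants that do not match the enum in this header: the ENCLAVE_EMA_COMMIT_NOW line still says ENCLAVE_PAGE_READ|SGX_EMA_PROT_WRITE, and the enclave_modify lists use ENCLAVE_PAGE_EXEC, ENCLAVE_PAGE_TCS and ENCLAVE_PAGE_TRIM, while the enum lines visible in this commit define ENCLAVE_PAGE_EXECUTE and ENCLAVE_PAGE_THREAD_CONTROL and show no TRIM value. Please use the real enumerator names (or add the missing ones) so callers cannot pass a value the implementation does not recognise. The alloc_flags description still lists "page type" even though that moved to page_properties, ENCLAVE_EMA_RESERVE is defined but not mentioned among the committing modes of which "exactly one" is required, ENCLAVE_INVALID_ADDRESS appears twice in the enclave_alloc return list, and there are typos ("Enavle feature", "indicates not features"). Since both functions now return uint32_t ENCLAVE_* codes instead of int errno values, existing callers that compare against EINVAL or errno need to be updated in the same change. Finally, declare enclave_get_features(void) rather than with an empty parameter list, because this header is also consumed as C.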