diff --git a/.gitmodules b/.gitmodules
index 51bbaf0..0885ebe 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -10,3 +10,6 @@
 [submodule "sdk/bare-sgx"]
 path = sdk/bare-sgx
 url = https://github.com/jovanbulck/bare-sgx.git
+[submodule "sdk/oe/openenclave"]
+ path = sdk/oe/openenclave
+ url = https://github.com/openenclave/openenclave.git
diff --git a/app/oe/.gitignore b/app/oe/.gitignore
new file mode 100644
index 0000000..48344a5
--- /dev/null
+++ b/app/oe/.gitignore
@@ -0,0 +1,7 @@
+*_t.*
+*_u.*
+*.pem
+*_args.h
+*.signed
+enclave/enclave
+host/helloworld_host
diff --git a/app/oe/Makefile b/app/oe/Makefile
new file mode 100644
index 0000000..7ca8209
--- /dev/null
+++ b/app/oe/Makefile
@@ -0,0 +1,24 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+.PHONY: all build clean run simulate
+
+OE_CRYPTO_LIB := mbedtls
+export OE_CRYPTO_LIB
+
+all: build
+
+build:
+ $(MAKE) -C enclave
+ $(MAKE) -C host
+
+clean:
+ $(MAKE) -C enclave clean
+ $(MAKE) -C host clean
+
+run:
+ host/helloworld_host ./enclave/enclave.signed
+
+simulate:
+ host/helloworld_host ./enclave/enclave.signed --simulate
+
diff --git a/app/oe/enclave/Makefile b/app/oe/enclave/Makefile
new file mode 100644
index 0000000..27defd8
--- /dev/null
+++ b/app/oe/enclave/Makefile
@@ -0,0 +1,50 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+include ../config.mk
+
+CRYPTO_LDFLAGS := $(shell pkg-config oeenclave-$(COMPILER) --variable=${OE_CRYPTO_LIB}libs)
+
+ifeq ($(LVI_MITIGATION), ControlFlow)
+ ifeq ($(LVI_MITIGATION_BINDIR),)
+ $(error LVI_MITIGATION_BINDIR is not set)
+ endif
+ # Only run once.
+ ifeq (,$(findstring $(LVI_MITIGATION_BINDIR),$(CC)))
+ CC := $(LVI_MITIGATION_BINDIR)/$(CC)
+ endif
+ COMPILER := $(COMPILER)-lvi-cfg
+ CRYPTO_LDFLAGS := $(shell pkg-config oeenclave-$(COMPILER) --variable=${OE_CRYPTO_LIB}libslvicfg)
+endif
+
+ifeq ($(OE_CRYPTO_LIB),openssl_3)
+ CFLAGS=$(shell pkg-config oeenclave-$(COMPILER) --variable=${OE_CRYPTO_LIB}flags)
+else
+ CFLAGS=$(shell pkg-config oeenclave-$(COMPILER) --cflags)
+endif
+LDFLAGS=$(shell pkg-config oeenclave-$(COMPILER) --libs)
+INCDIR=$(shell pkg-config oeenclave-$(COMPILER) --variable=includedir)
+
+all:
+ $(MAKE) build
+ $(MAKE) keys
+ $(MAKE) sign
+
+build:
+ @ echo "Compilers used: $(CC), $(CXX)"
+ oeedger8r ../helloworld.edl --trusted \
+ --search-path $(INCDIR) \
+ --search-path $(INCDIR)/openenclave/edl/sgx
+ $(CC) -g -c $(CFLAGS) -DOE_API_VERSION=2 enc.c -o enc.o
+ $(CC) -g -c $(CFLAGS) -DOE_API_VERSION=2 helloworld_t.c -o helloworld_t.o
+ $(CC) -o enclave helloworld_t.o enc.o $(LDFLAGS) $(CRYPTO_LDFLAGS)
+
+sign:
+ oesign sign -e enclave -c helloworld.conf -k private.pem
+
+clean:
+ rm -f enc.o enclave enclave.signed private.pem public.pem helloworld_t.o helloworld_t.h helloworld_t.c helloworld_args.h
+
+keys:
+ openssl genrsa -out private.pem -3 3072
+ openssl rsa -in private.pem -pubout -out public.pem
diff --git a/app/oe/enclave/enc.c b/app/oe/enclave/enc.c
new file mode 100644
index 0000000..f6e42c7
--- /dev/null
+++ b/app/oe/enclave/enc.c
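Review bot: In app/oe/enclave/Makefile the `all` target runs `$(MAKE) keys` unconditionally, so every build overwrites private.pem with a fresh signing key and the enclave's signer identity changes from build to build. Making the key a real file target, `private.pem:` with the recipe `openssl genrsa -out $@ -3 3072`, and letting `sign` depend on it would generate it only once. The `-3` also deserves a one-line comment: SGX enclave signing expects a 3072-bit RSA key with public exponent 3, and without that note the flag reads like a weak-parameter mistake. The key is written unencrypted next to the sources, so the `*.pem` entry in the new .gitignore has to stay in sync if the key file is ever renamed.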
@@ -0,0 +1,33 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include
+
+// Include the trusted helloworld header that is generated
+// during the build. This file is generated by calling the
+// sdk tool oeedger8r against the helloworld.edl file.
+#include "helloworld_t.h"
+
+// This is the function that the host calls. It prints
+// a message in the enclave before calling back out to
+// the host to print a message from there too.
+void enclave_helloworld()
+{
+ // Print a message from the enclave. Note that this
+ // does not directly call fprintf, but calls into the
+ // host and calls fprintf from there. This is because
+ // the fprintf function is not part of the enclave
+ // as it requires support from the kernel.
+ fprintf(stdout, "Hello world from the enclave\n");
+
+ // Call back into the host
+ oe_result_t result = host_helloworld();
+ if (result != OE_OK)
+ {
+ fprintf(
+ stderr,
+ "Call to host_helloworld failed: result=%u (%s)\n",
+ result,
+ oe_result_str(result));
+ }
+}
diff --git a/app/oe/enclave/helloworld.conf b/app/oe/enclave/helloworld.conf
new file mode 100644
index 0000000..ca997aa
--- /dev/null
+++ b/app/oe/enclave/helloworld.conf
@@ -0,0 +1,10 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+# Enclave settings:
+Debug=1
+NumHeapPages=1024
+NumStackPages=1024
+NumTCS=1
+ProductID=1
+SecurityVersion=1
diff --git a/app/oe/helloworld.edl b/app/oe/helloworld.edl
new file mode 100644
index 0000000..7296d98
--- /dev/null
+++ b/app/oe/helloworld.edl
@@ -0,0 +1,17 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+enclave {
+ from "openenclave/edl/syscall.edl" import *;
+ from "platform.edl" import *;
+
+ trusted {
+ public void enclave_helloworld();
+ };
+
+ untrusted {
+ void host_helloworld();
+ };
+};
+
+
diff --git a/app/oe/host/Makefile b/app/oe/host/Makefile
new file mode 100644
index 0000000..72f533f
--- /dev/null
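Review bot: `Debug=1` in app/oe/enclave/helloworld.conf is undocumented, and a debug enclave lets the host inspect enclave state, so it offers no confidentiality. The host added in this commit appears to depend on it (it creates the enclave with `OE_ENCLAVE_FLAG_DEBUG` and calls `edbgrd_erip()`), so the setting is presumably intentional for this sample. I would put `# Debug=1 is needed so the SGX-Step host can read the enclave RIP; do not reuse this config for a production enclave.` directly above the line.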
+++ b/app/oe/host/Makefile
@@ -0,0 +1,23 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+include ../config.mk
+
+LIBSGXSTEP_DIR=/home/jo/sgx-step/
+LIBSGXSTEP=$(LIBSGXSTEP_DIR)/libsgxstep
+
+CFLAGS=$(shell pkg-config oehost-$(COMPILER) --cflags) -I$(LIBSGXSTEP_DIR)
+LDFLAGS=$(shell pkg-config oehost-$(COMPILER) --libs) -lsgx-step -pthread -L$(LIBSGXSTEP) -lelf
+INCDIR=$(shell pkg-config oehost-$(COMPILER) --variable=includedir)
+
+build:
+ @ echo "Compilers used: $(CC), $(CXX)"
+ oeedger8r ../helloworld.edl --untrusted \
+ --search-path $(INCDIR) \
+ --search-path $(INCDIR)/openenclave/edl/sgx
+ $(CC) -g -c $(CFLAGS) host.c
+ $(CC) -g -c $(CFLAGS) helloworld_u.c
+ $(CC) -o helloworld_host helloworld_u.o host.o $(LDFLAGS)
+
+clean:
+ rm -f helloworld_host host.o helloworld_u.o helloworld_u.c helloworld_u.h helloworld_args.h
diff --git a/app/oe/host/host.c b/app/oe/host/host.c
new file mode 100644
index 0000000..7724c7c
--- /dev/null
+++ b/app/oe/host/host.c
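Review bot: `LIBSGXSTEP_DIR=/home/jo/sgx-step/` in app/oe/host/Makefile hard-codes one developer's home directory, so the build breaks on any other machine, or, where such a path happens to exist, compiles against headers and links `-lsgx-step` from a directory owned by a different account. Deriving the path from the checkout and allowing an override avoids both, for example `LIBSGXSTEP_DIR ?= $(abspath ../../..)`; that assumes libsgxstep sits at the repository root, which this page does not show. The trailing slash also produces `//libsgxstep` in `LIBSGXSTEP`, harmless but easy to drop in the same change.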
@@ -0,0 +1,99 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include
+#include
+
+// Include the untrusted helloworld header that is generated
+// during the build. This file is generated by calling the
+// sdk tool oeedger8r against the helloworld.edl file.
+#include "helloworld_u.h"
+
+#include "libsgxstep/debug.h"
+#include "libsgxstep/enclave.h"
+
+void aep_cb_func(void)
+{
+ uint64_t erip = edbgrd_erip() - (uint64_t)get_enclave_base();
+ info("^^ enclave RIP=%#lx", erip);
+}
+
+bool check_simulate_opt(int* argc, const char* argv[])
+{
+ for (int i = 0; i < *argc; i++)
+ {
+ if (strcmp(argv[i], "--simulate") == 0)
+ {
+ fprintf(stdout, "Running in simulation mode\n");
+ memmove(&argv[i], &argv[i + 1], (*argc - i) * sizeof(char*));
+ (*argc)--;
+ return true;
+ }
+ }
+ return false;
+}
+
+// This is the function that the enclave will call back into to
+// print a message.
+void host_helloworld()
+{
+ fprintf(stdout, "Enclave called into host to print: Hello World!\n");
+}
+
+int main(int argc, const char* argv[])
+{
+ oe_result_t result;
+ int ret = 1;
+ oe_enclave_t* enclave = NULL;
+
+ uint32_t flags = OE_ENCLAVE_FLAG_DEBUG;
+ if (check_simulate_opt(&argc, argv))
+ {
+ flags |= OE_ENCLAVE_FLAG_SIMULATE;
+ }
+
+ if (argc != 2)
+ {
+ fprintf(
+ stderr, "Usage: %s enclave_image_path [ --simulate ]\n", argv[0]);
+ goto exit;
+ }
+
+ // Create the enclave
+ result = oe_create_helloworld_enclave(
+ argv[1], OE_ENCLAVE_TYPE_AUTO, flags, NULL, 0, &enclave);
+ if (result != OE_OK)
+ {
+ fprintf(
+ stderr,
+ "oe_create_helloworld_enclave(): result=%u (%s)\n",
+ result,
+ oe_result_str(result));
+ goto exit;
+ }
+
+ // SGX-Step stuff
+ register_aep_cb(aep_cb_func);
+ print_enclave_info();
+
+ // Call into the enclave
+ result = enclave_helloworld(enclave);
+ if (result != OE_OK)
+ {
+ fprintf(
+ stderr,
+ "calling into enclave_helloworld failed: result=%u (%s)\n",
+ result,
+ oe_result_str(result));
+ goto exit;
+ }
+
+ ret = 
0;
+
+exit:
+ // Clean up the enclave if we created one
+ if (enclave)
+ oe_terminate_enclave(enclave);
+
+ return ret;
+}
diff --git a/sdk/oe/0001-Minimal-SGX-Step-bindings.patch b/sdk/oe/0001-Minimal-SGX-Step-bindings.patch
new file mode 100644
index 0000000..57f6fb6
--- /dev/null
+++ b/sdk/oe/0001-Minimal-SGX-Step-bindings.patch
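Review bot: In app/oe/host/host.c, `register_aep_cb(aep_cb_func)` and `print_enclave_info()` run even when `--simulate` was passed, although simulation mode presumably has no hardware enclave for `edbgrd_erip()` and `get_enclave_base()` to inspect; the top-level Makefile's `simulate` target reaches exactly this path. I would guard the SGX-Step block with `if (!(flags & OE_ENCLAVE_FLAG_SIMULATE))`, or reject `--simulate` in this sample with a clear message. `aep_cb_func` also lacks a comment; one line saying when SGX-Step invokes it and that it logs the enclave RIP as an offset from the enclave base would help the next reader.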
@@ -0,0 +1,83 @@
+From 2cacff71c210c469a424110510a0c3a5f3561ef2 Mon Sep 17 00:00:00 2001
+From: Jo Van Bulck
+Date: Wed, 15 Jan 2025 13:40:17 +0000
+Subject: [PATCH] Minimal SGX-Step bindings
+
+Signed-off-by: Jo Van Bulck
+---
+ host/sgx/asmdefs.h | 2 +-
+ host/sgx/calls.c | 20 ++++++++++++++++++++
+ include/openenclave/host.h | 6 ++++++
+ 3 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/host/sgx/asmdefs.h b/host/sgx/asmdefs.h
+index 4b78e1989..9332f9c2b 100644
+--- a/host/sgx/asmdefs.h
++++ b/host/sgx/asmdefs.h
+@@ -35,7 +35,7 @@ oe_result_t oe_enter(
+ uint64_t* arg4,
+ oe_enclave_t* enclave);
+
+-extern const uint64_t OE_AEP_ADDRESS;
++extern uint64_t OE_AEP_ADDRESS;
+ #endif
+
+ #if !defined(__ASSEMBLER__) && (_WIN32)
+diff --git a/host/sgx/calls.c b/host/sgx/calls.c
+index eed0c4dcf..66bfb3cc5 100644
+--- a/host/sgx/calls.c
++++ b/host/sgx/calls.c
+@@ -578,6 +578,25 @@ static void _release_tcs(oe_enclave_t* enclave, void* tcs)
+ oe_mutex_unlock(&enclave->lock);
+ }
+
++/* minimal SGX-Step bindings */
++
++void* __oe_last_tcs;
++
++void* sgx_get_aep(void)
++{
++ return (void*) OE_AEP_ADDRESS;
++}
++
++void sgx_set_aep(void* aep)
++{
++ OE_AEP_ADDRESS = (uint64_t) aep;
++}
++
++void *sgx_get_tcs(void)
++{
++ return __oe_last_tcs;
++}
++
+ /*
+ **==============================================================================
+ **
+@@ -608,6 +627,7 @@ oe_result_t oe_ecall(
+ /* Assign a oe_sgx_td_t for this operation */
+ if (!(tcs = _assign_tcs(enclave)))
+ OE_RAISE(OE_OUT_OF_THREADS);
++ __oe_last_tcs = tcs;
+
+ oe_log(
+ OE_LOG_LEVEL_VERBOSE,
+diff --git a/include/openenclave/host.h b/include/openenclave/host.h
+index d0f279ec5..864b4b7f5 100644
+--- a/include/openenclave/host.h
++++ b/include/openenclave/host.h
+@@ -231,6 +231,12 @@ oe_result_t oe_create_enclave(
+ uint32_t ecall_count,
+ oe_enclave_t** enclave);
+
++
++/* minimal SGX-Step bindings */
++void* sgx_get_aep(void);
++void sgx_set_aep(void* aep);
++void *sgx_get_tcs(void);
++
+ /**
+ * Terminate an enclave and reclaims its resources.
+ *
+--
+2.43.0
+
diff --git a/sdk/oe/install_llvm11.sh b/sdk/oe/install_llvm11.sh
new file mode 100755
index 0000000..df909ad
--- /dev/null
+++ b/sdk/oe/install_llvm11.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+#set -x
+
+# NOTE: 20.04 tarball also works on 24.04
+TAR_BASE="clang+llvm-11.0.0-x86_64-linux-gnu-ubuntu-20.04"
+TAR_FILE="$TAR_BASE.tar.xz"
+TAR_URL="https://github.com/llvm/llvm-project/releases/download/llvmorg-11.0.0/$TAR_FILE"
+TMP_DIR="/tmp/llvm-temp"
+TARGET_BASE="/usr"
+
+mkdir -p "$TMP_DIR"
+cd $TMP_DIR
+if [ ! -e $TAR_FILE ]; then
+ wget $TAR_URL
+ tar xvf $TAR_FILE
+fi
+
+sudo mkdir -p /usr/lib/llvm-11/
+sudo cp -r $TMP_DIR/$TAR_BASE/* /usr/lib/llvm-11/
+
+echo "Extraction and moving completed."
diff --git a/sdk/oe/install_oe_sdk.sh b/sdk/oe/install_oe_sdk.sh
new file mode 100755
index 0000000..323b181
--- /dev/null
+++ b/sdk/oe/install_oe_sdk.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -e
+
+git submodule init
+git submodule update --recursive --init
+
+# ----------------------------------------------------------------------
+echo "[ patching SDK ]"
+if ! grep -Rq "sgx_set_aep" openenclave
+then
+ ./patch_sdk.sh
+fi
+echo "OE SDK successfully patched!"
+
+# ----------------------------------------------------------------------
+echo "[ installing prerequisites ]"
+./install_llvm11.sh
+
+# ----------------------------------------------------------------------
+echo "[ building OE SDK ]"
+cd openenclave
+mkdir -p build
+cd build
+cmake -DCMAKE_C_COMPILER=/usr/lib/llvm-11/bin/clang -DCMAKE_CXX_COMPILER=/usr/lib/llvm-11/bin/clang++ -DENABLE_REFMAN=OFF ..
+make
+sudo make install
+source /opt/openenclave/share/openenclave/openenclaverc
+
+echo "OE SDK succesfully installed!"
diff --git a/sdk/oe/openenclave b/sdk/oe/openenclave
new file mode 160000
index 0000000..6b2e19b
--- /dev/null
+++ b/sdk/oe/openenclave
@@ -0,0 +1 @@
+Subproject commit 6b2e19b2b2d1f533cdc58d853d185c1ef5b1666e
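Review bot: `__oe_last_tcs` in the host/sgx/calls.c part of sdk/oe/0001-Minimal-SGX-Step-bindings.patch is a single non-static global that `oe_ecall` overwrites on every call without taking a lock, so with more than one enclave thread, or more than one enclave, `sgx_get_tcs()` returns whichever ecall ran last. The sample's `NumTCS=1` hides this; I would document the single-thread assumption next to the variable and, if nothing outside calls.c references it, make it file-local with a non-reserved name, e.g. `static void* oe_last_tcs;`. The patch also drops `const` from `OE_AEP_ADDRESS` and declares `sgx_set_aep()` in the public `include/openenclave/host.h`, so every program built against the patched SDK gets a writable AEP. A comment marking these bindings as research-only would make it clear the patched SDK is not meant for production hosts.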
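Review bot: sdk/oe/install_llvm11.sh downloads the tarball and copies its contents into /usr/lib/llvm-11 with sudo without any integrity check, and it stages everything in the fixed directory /tmp/llvm-temp, where the `if [ ! -e $TAR_FILE ]` test accepts whatever file is already there. On a shared machine another local user can pre-create that directory, and an interrupted earlier run leaves a partial tarball that is never fetched or extracted again. The script has no `set -e`, so a failed `cd` or `wget` still reaches the sudo copy; sdk/oe/patch_sdk.sh likewise runs `patch` after an unchecked `cd openenclave`. I would stage in a `mktemp -d` directory, verify a pinned SHA-256 before extracting and fail fast, as sketched below; the digest shown is a placeholder to be filled in from a verified download.

```shell
set -euo pipefail
# … unchanged: TAR_BASE, TAR_FILE, TAR_URL …
TAR_SHA256="<sha256-of-verified-tarball>"  # placeholder, not a real digest
TMP_DIR="$(mktemp -d)"
trap 'rm -rf "$TMP_DIR"' EXIT

cd "$TMP_DIR"
wget "$TAR_URL"
echo "$TAR_SHA256  $TAR_FILE" | sha256sum --check -
tar xf "$TAR_FILE"

# … unchanged: sudo mkdir -p /usr/lib/llvm-11/ …
sudo cp -r "$TMP_DIR/$TAR_BASE"/* /usr/lib/llvm-11/
```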
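Review bot: The final `source /opt/openenclave/share/openenclave/openenclaverc` in sdk/oe/install_oe_sdk.sh has no lasting effect when the script is executed rather than sourced, because the environment it sets ends with the script's own shell, so a later `make` in app/oe will presumably not find the SDK's pkg-config files. Replacing it with a message such as `echo "Run: source /opt/openenclave/share/openenclave/openenclaverc"` states what the user still has to do. The script also uses cwd-relative paths (`./patch_sdk.sh`, `openenclave`), so it only works when started from sdk/oe; a leading `cd "$(dirname "$0")"` would remove that dependency.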
diff --git a/sdk/oe/patch_sdk.sh b/sdk/oe/patch_sdk.sh
new file mode 100755
index 0000000..9fbdc7d
--- /dev/null
+++ b/sdk/oe/patch_sdk.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+cd openenclave
+
+echo "=== patching AEP/TCS/EBASE ==="
+patch -p1 < ../0001-Minimal-SGX-Step-bindings.patch