app/cpl: demonstrate ring0 user space call gates.

README.md

@@ -97,13 +97,14 @@ below.
 | `nox2apic`                       | Configure local APIC device in memory-mapped I/O mode (to make use of SGX-Step's precise single-stepping features).             |
 | `iomem=relaxed, no_timer_check`  | Suppress unneeded warning messages in the kernel logs.                                                                          |
 | `isolcpus=1`                     | Affinitize the victim process to an isolated CPU core.                                                                          |
+| `nosmap, nosmep`                 | Disable Supervisor Mode Access/Execution Prevention (only when using SGX-Step's ring0 call gates) |
 | `dis_ucode_ldr`                  | Disable CPU microcode updates ([Foreshadow](https://foreshadowattack.eu)/L1TF mitigations may affect single-stepping interval). |
 
 Pass the desired boot parameters to the kernel as follows:
 
 ```bash
 $ sudo vim /etc/default/grub
-  # GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nox2apic iomem=relaxed no_timer_check isolcpus=1"
+  # GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nox2apic iomem=relaxed no_timer_check nosmep nosmap isolcpus=1 dis_ucode_ldr"
 $ sudo update-grub && sudo reboot
 ```
 

app/cpl/.gitignore

@@ -0,0 +1,13 @@
+app
+measurements.txt
+measurements_raw.txt
+outlier_idx.txt
+plot.pdf
+xlabels.gp
+
+*.swp
+
+out.txt
+parsed.txt
+parsed_zz.txt
+parsed_strlen.txt

app/cpl/Makefile

@@ -0,0 +1,63 @@
+LIBSGXSTEP_DIR       = ../..
+LIBSGXSTEP           = $(LIBSGXSTEP_DIR)/libsgxstep
+-include $(LIBSGXSTEP)/Makefile.config
+
+URTS_LIB_PATH        = $(LIBSGXSTEP_DIR)/linux-sgx/psw/urts/linux
+
+ifeq ($(SGX_SDK),)
+    SGX_SDK          = /opt/intel/sgxsdk
+endif
+export SGX_SDK
+ifneq ($(SGX_SDK), /opt/intel/sgxsdk)
+    URTS_LD_LIBRARY_PATH = LD_LIBRARY_PATH=$(LIBSGXSTEP_DIR)/linux-sgx/psw/urts/linux
+endif
+
+SUBDIRS              = $(LIBSGXSTEP)
+
+CC                   = gcc
+AS                   = gcc
+LD                   = gcc
+
+CFLAGS              += -fPIC -fno-stack-protector -fno-builtin -fno-jump-tables \
+                       -fno-common -Wno-attributes -g -D_GNU_SOURCE -O0
+INCLUDE              = -I$(SGX_SDK)/include/ -I$(LIBSGXSTEP_DIR) 
+LDFLAGS             += -lsgx-step -lsgx_urts \
+                       -lsgx_uae_service -pthread $(SUBDIRS:%=-L %) -L$(SGX_SDK)/lib64/
+
+SOURCES              = $(shell ls *.c)
+OBJECTS              = $(SOURCES:.c=.o) asm.o
+OUTPUT               = app
+
+BUILDDIRS            = $(SUBDIRS:%=build-%)
+CLEANDIRS            = $(SUBDIRS:%=clean-%)
+
+
+.SILENT:
+all: $(OUTPUT)
+
+run: clean all
+	sudo $(URTS_LD_LIBRARY_PATH) ./app
+
+$(OUTPUT): $(BUILDDIRS) $(OBJECTS)
+	echo "$(INDENT)[LD]" $(OBJECTS) $(LIBS) -o $(OUTPUT) 
+	$(LD) $(OBJECTS) $(LDFLAGS) -o $(OUTPUT) 
+
+%.o : %.c
+	echo "$(INDENT)[CC] " $<
+	$(CC) $(CFLAGS) $(INCLUDE) -c $<
+
+%.o : %.S
+	echo "$(INDENT)[AS] " $<
+	$(AS) $(INCLUDE) -c $< -o $@
+
+clean: $(CLEANDIRS)
+	echo "$(INDENT)[RM]" $(OBJECTS) $(OUTPUT)
+	rm -f $(OBJECTS) $(OUTPUT)
+
+$(BUILDDIRS):
+	echo "$(INDENT)[===] $(@:build-%=%) [===]"
+	$(MAKE) -C $(@:build-%=%) INDENT+="$(INDENT_STEP)" curr-dir=$(curr-dir)/$(@:build-%=%)
+
+$(CLEANDIRS):
+	echo "$(INDENT)[===] $(@:clean-%=%) [===]"
+	$(MAKE) clean -C $(@:clean-%=%) INDENT+="$(INDENT_STEP)" curr-dir=$(curr-dir)/$(@:build-%=%)

app/cpl/README.md

@@ -0,0 +1,39 @@
+Sample output:
+
+```
+[sched.c] continuing on CPU 1
+
+--------------------------------------------------------------------------------
+[main.c] Establishing user space GDT mapping
+--------------------------------------------------------------------------------
+
+[gdt.c] DTR.base=0xfffffe000002d000/size=127 (16 entries)
+[pt.c] /dev/sgx-step opened!
+[pt.c] /dev/mem opened!
+[gdt.c] established user space GDT mapping at 0x7fe3a282c000
+[gdt.c] --------------------------------------------------------------------------------
+[gdt.c] GDT[  0] @0x7fe3a282c000=0x00000000 / 0x00000 (seg sel 0x00); p=0; dpl=0; type= 0; g=0
+[gdt.c] GDT[  1] @0x7fe3a282c008=0x00000000 / 0xfffff (seg sel 0x08); p=1; dpl=0; type=11; g=1
+[gdt.c] GDT[  2] @0x7fe3a282c010=0x00000000 / 0xfffff (seg sel 0x10); p=1; dpl=0; type=11; g=1
+[gdt.c] GDT[  3] @0x7fe3a282c018=0x00000000 / 0xfffff (seg sel 0x18); p=1; dpl=0; type= 3; g=1
+[gdt.c] GDT[  4] @0x7fe3a282c020=0x00000000 / 0xfffff (seg sel 0x23); p=1; dpl=3; type=11; g=1
+[gdt.c] GDT[  5] @0x7fe3a282c028=0x00000000 / 0xfffff (seg sel 0x2b); p=1; dpl=3; type= 3; g=1
+[gdt.c] GDT[  6] @0x7fe3a282c030=0x00000000 / 0xfffff (seg sel 0x33); p=1; dpl=3; type=11; g=1
+[gdt.c] GDT[  7] @0x7fe3a282c038=0x00000000 / 0x00000 (seg sel 0x38); p=0; dpl=0; type= 0; g=0
+[gdt.c] GDT[  8] @0x7fe3a282c040=0x0002f000 / 0x0206f (seg sel 0x40); p=1; dpl=0; type=11; g=0
+[gdt.c] GDT[  9] @0x7fe3a282c048=0x0000ffff / 0x0fe00 (seg sel 0x48); p=0; dpl=0; type= 0; g=0
+[gdt.c] GDT[ 10] @0x7fe3a282c050=0x00000000 / 0x00000 (seg sel 0x50); p=0; dpl=0; type= 0; g=0
+[gdt.c] GDT[ 11] @0x7fe3a282c058=0x00000000 / 0x00000 (seg sel 0x58); p=0; dpl=0; type= 0; g=0
+[gdt.c] GDT[ 12] @0x7fe3a282c060=0x00000000 / 0x00000 (seg sel 0x60); p=0; dpl=0; type= 0; g=0
+[gdt.c] GDT[ 13] @0x7fe3a282c068=0x00000000 / 0x00000 (seg sel 0x68); p=0; dpl=0; type= 0; g=0
+[gdt.c] GDT[ 14] @0x7fe3a282c070=0x00000000 / 0x00000 (seg sel 0x70); p=0; dpl=0; type= 0; g=0
+[gdt.c] GDT[ 15] @0x7fe3a282c078=0x00000000 / 0x00001 (seg sel 0x7b); p=1; dpl=3; type= 5; g=0
+[gdt.c] --------------------------------------------------------------------------------
+
+--------------------------------------------------------------------------------
+[main.c] Installing ring0 call gate
+--------------------------------------------------------------------------------
+
+[idt.c] IDT[ 13] @0x7fe3a282c068 = 0x40111d (seg sel 0x10); p=1; dpl=3; type=12; ist=0
+[main.c] back from call gate w CPL prev/cur=0/3; RDMSR=0xfee00800
+```

app/cpl/asm.S

@@ -0,0 +1,17 @@
+#define IA32_TIME_STAMP_COUNTER 0x10
+#define IA32_APIC_BASE          0x1b
+
+    .text
+    .global call_gate_func
+call_gate_func:
+    # store CPL (i.e., ring 0)
+    call get_cpl
+    mov %rax, gate_cpl(%rip)
+
+    # store privileged RDMSR result
+    mov $IA32_APIC_BASE, %rdi
+    call rdmsr
+    mov %rax, gate_msr(%rip)
+
+    # return to user space caller
+    lretq

app/cpl/main.c

@@ -0,0 +1,49 @@
+/*
+ *  This file is part of the SGX-Step enclave execution control framework.
+ *
+ *  Copyright (C) 2017 Jo Van Bulck <jo.vanbulck@cs.kuleuven.be>,
+ *                     Raoul Strackx <raoul.strackx@cs.kuleuven.be>
+ *
+ *  SGX-Step is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  SGX-Step is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with SGX-Step. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "libsgxstep/gdt.h"
+#include "libsgxstep/idt.h"
+#include "libsgxstep/cpu.h"
+#include "libsgxstep/sched.h"
+#include "libsgxstep/config.h"
+
+int gate_cpl = -1;
+uint64_t gate_msr = -1;
+void call_gate_func(void);
+
+int main( int argc, char **argv )
+{
+    gdt_t gdt = {0};
+
+    ASSERT( !claim_cpu(VICTIM_CPU) );
+
+    info_event("Establishing user space GDT mapping");
+    map_gdt(&gdt);
+    dump_gdt(&gdt);
+
+    info_event("Installing ring0 call gate");
+    install_call_gate(&gdt, GDT_VECTOR, KERNEL_CS, call_gate_func);
+    dump_gate(get_gate_desc(&gdt, GDT_VECTOR), GDT_VECTOR);
+    do_far_call(GDT_VECTOR);
+
+    info("back from call gate w CPL prev/cur=%d/%d; RDMSR=%p",
+        gate_cpl, get_cpl(), gate_msr);
+    return 0;
+}

app/idt/Makefile

@@ -25,7 +25,7 @@ LDFLAGS             += -lsgx-step -lsgx_urts \
                        -lsgx_uae_service -pthread $(SUBDIRS:%=-L %) -L$(SGX_SDK)/lib64/
 
 SOURCES              = $(shell ls *.c)
-OBJECTS              = $(SOURCES:.c=.o) asm.o
+OBJECTS              = $(SOURCES:.c=.o)
 OUTPUT               = app
 
 BUILDDIRS            = $(SUBDIRS:%=build-%)