general/occlum
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Build in the MAC of the occlum configuration file with objcopy

Browse Source 
1. Objcopy the MAC of Occlum.json to libocclum-libos.so before signature
during occlum build.
2. Remove the files and codes no longer used.
This commit is contained in:
He Sun 2020-06-03 17:38:59 +08:00 committed by Tate, Hongliang Tian
parent f020fed2ae
commit 28440b0d69
8 changed files with 27 additions and 173 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Makefile
View File

@ -73,12 +73,6 @@ install:
install -t $(OCCLUM_PREFIX)/build_sim/bin/ -D build_sim/bin/* install -t $(OCCLUM_PREFIX)/build_sim/bin/ -D build_sim/bin/*
install -d $(OCCLUM_PREFIX)/build_sim/lib/ install -d $(OCCLUM_PREFIX)/build_sim/lib/
install -t $(OCCLUM_PREFIX)/build_sim/lib/ -D build_sim/lib/* install -t $(OCCLUM_PREFIX)/build_sim/lib/ -D build_sim/lib/*
install -d $(OCCLUM_PREFIX)/src/
install -t $(OCCLUM_PREFIX)/src/ -m 444 src/sgxenv.mk
install -d $(OCCLUM_PREFIX)/src/libos/
install -t $(OCCLUM_PREFIX)/src/libos/ -m 444 src/libos/Makefile src/libos/Enclave.lds
install -d $(OCCLUM_PREFIX)/src/libos/src/builtin/
install -t $(OCCLUM_PREFIX)/src/libos/src/builtin/ -m 444 src/libos/src/builtin/*
install -d $(OCCLUM_PREFIX)/include/ install -d $(OCCLUM_PREFIX)/include/
install -t $(OCCLUM_PREFIX)/include/ -m 444 src/pal/include/*.h install -t $(OCCLUM_PREFIX)/include/ -m 444 src/pal/include/*.h
install -d $(OCCLUM_PREFIX)/etc/template/ install -d $(OCCLUM_PREFIX)/etc/template/

35
src/libos/Makefile
View File

@ -23,10 +23,6 @@ include ../sgxenv.mk
# | | |Assembly | | | # | | |Assembly | | |
# | | +----------+ | | # | | +----------+ | |
# | +---------------+ | # | +---------------+ |
# | |LibOS Builtins<-------+ Configurable by Occlum.json
# | +---------------+ |
# | |
# | +---------------+ |
# | |Rust SGX SDK <-----+ # | |Rust SGX SDK <-----+
# | +---------------| | +--+ Dependencies # | +---------------| | +--+ Dependencies
# | |Intel SGX SDK<-----+ # | |Intel SGX SDK<-----+
@ -47,8 +43,6 @@ include ../sgxenv.mk
# be printed. # be printed.
LIBOS_LOG ?= error LIBOS_LOG ?= error
ONLY_REBUILD_BUILTIN ?= 0
LIBOS_SO := $(BUILD_DIR)/lib/libocclum-libos.so LIBOS_SO := $(BUILD_DIR)/lib/libocclum-libos.so
LIBOS_CORE_A := $(BUILD_DIR)/lib/libocclum-libos-core.a LIBOS_CORE_A := $(BUILD_DIR)/lib/libocclum-libos-core.a
LIBOS_CORE_RS_A := $(BUILD_DIR)/lib/libocclum_libos_core_rs.a LIBOS_CORE_RS_A := $(BUILD_DIR)/lib/libocclum_libos_core_rs.a
@ -59,16 +53,14 @@ RUST_TARGET_DIR := $(BUILD_DIR)/src/libos/cargo-target
RUST_OUT_DIR := $(BUILD_DIR)/lib RUST_OUT_DIR := $(BUILD_DIR)/lib
EDL_C_SRCS := $(addprefix $(BUILD_DIR)/src/libos/,src/Enclave_t.c src/Enclave_t.h) EDL_C_SRCS := $(addprefix $(BUILD_DIR)/src/libos/,src/Enclave_t.c src/Enclave_t.h)
EDL_C_OBJS := $(addprefix $(BUILD_DIR)/src/libos/,src/Enclave_t.o) EDL_C_OBJS := $(addprefix $(BUILD_DIR)/src/libos/,src/Enclave_t.o)
BUILTIN_C_SRCS := $(sort $(wildcard src/builtin/*.c)) C_SRCS := $(sort $(wildcard src/*.c src/*/*.c src/*/*/*.c))
BUILTIN_C_OBJS := $(addprefix $(BUILD_DIR)/src/libos/,$(BUILTIN_C_SRCS:.c=.o))
C_SRCS := $(filter-out $(BUILTIN_C_SRCS),$(sort $(wildcard src/*.c src/*/*.c src/*/*/*.c)))
C_OBJS := $(addprefix $(BUILD_DIR)/src/libos/,$(C_SRCS:.c=.o)) C_OBJS := $(addprefix $(BUILD_DIR)/src/libos/,$(C_SRCS:.c=.o))
CXX_SRCS := $(sort $(wildcard src/*.cpp src/*/*.cpp)) CXX_SRCS := $(sort $(wildcard src/*.cpp src/*/*.cpp))
CXX_OBJS := $(addprefix $(BUILD_DIR)/src/libos/,$(CXX_SRCS:.cpp=.o)) CXX_OBJS := $(addprefix $(BUILD_DIR)/src/libos/,$(CXX_SRCS:.cpp=.o))
S_SRCS := $(sort $(wildcard src/*.S src/*/*.S src/*/*/*.S)) S_SRCS := $(sort $(wildcard src/*.S src/*/*.S src/*/*/*.S))
S_OBJS := $(addprefix $(BUILD_DIR)/src/libos/,$(S_SRCS:.S=.o)) S_OBJS := $(addprefix $(BUILD_DIR)/src/libos/,$(S_SRCS:.S=.o))
ALL_BUILD_SUBDIRS := $(sort $(patsubst %/,%,$(dir $(LIBOS_SO) $(EDL_C_OBJS) $(BUILTIN_C_OBJS) $(C_OBJS) $(CXX_OBJS) $(S_OBJS)) $(RUST_TARGET_DIR) $(RUST_OUT_DIR))) ALL_BUILD_SUBDIRS := $(sort $(patsubst %/,%,$(dir $(LIBOS_SO) $(EDL_C_OBJS) $(C_OBJS) $(CXX_OBJS) $(S_OBJS)) $(RUST_TARGET_DIR) $(RUST_OUT_DIR)))
C_COMMON_FLAGS := -fno-stack-protector -I./include/ C_COMMON_FLAGS := -fno-stack-protector -I./include/
# SGX GDB support # SGX GDB support
@ -76,13 +68,6 @@ C_COMMON_FLAGS += -g
C_FLAGS := $(SGX_CFLAGS_T) $(C_COMMON_FLAGS) C_FLAGS := $(SGX_CFLAGS_T) $(C_COMMON_FLAGS)
CXX_FLAGS := $(SGX_CXXFLAGS_T) $(C_COMMON_FLAGS) CXX_FLAGS := $(SGX_CXXFLAGS_T) $(C_COMMON_FLAGS)
# Pass builtin values by defining macros
#
# The MAC of Occlum config file must be builtin into the binary
ifdef OCCLUM_BUILTIN_CONF_FILE_MAC
C_FLAGS += -DOCCLUM_BUILTIN_CONF_FILE_MAC='"$(OCCLUM_BUILTIN_CONF_FILE_MAC)"'
endif
_Other_Link_Flags := -L$(RUST_SGX_SDK_DIR)/compiler-rt/ -L$(BUILD_DIR)/lib _Other_Link_Flags := -L$(RUST_SGX_SDK_DIR)/compiler-rt/ -L$(BUILD_DIR)/lib
_Other_Enclave_Libs := -locclum-libos-core -lsgx_tprotected_fs _Other_Enclave_Libs := -locclum-libos-core -lsgx_tprotected_fs
LINK_FLAGS := $(SGX_LFLAGS_T) LINK_FLAGS := $(SGX_LFLAGS_T)
@ -94,16 +79,11 @@ all: $(ALL_BUILD_SUBDIRS) $(LIBOS_SO)
$(ALL_BUILD_SUBDIRS): $(ALL_BUILD_SUBDIRS):
@mkdir -p $@ @mkdir -p $@
LIBOS_SO_DEPS := $(BUILTIN_C_OBJS) $(LIBOS_CORE_A) $(LIBCOMPILER_RT_PATCH_A) LIBOS_SO_DEPS := $(LIBOS_CORE_A) $(LIBCOMPILER_RT_PATCH_A)
ifeq ($(ONLY_REBUILD_BUILTIN), 0)
$(LIBOS_SO): $(BUILTIN_C_OBJS) $(LIBOS_CORE_A) $(LIBCOMPILER_RT_PATCH_A) $(LIBOS_SO): $(LIBOS_CORE_A) $(LIBCOMPILER_RT_PATCH_A)
@$(CC) $(LIBOS_SO_DEPS) -o $@ $(LINK_FLAGS) @$(CC) $(LIBOS_SO_DEPS) -o $@ $(LINK_FLAGS)
@echo "LINK => $@" @echo "LINK => $@"
else
$(LIBOS_SO): $(BUILTIN_C_OBJS)
@$(CC) $(LIBOS_SO_DEPS) -o $@ $(LINK_FLAGS)
@echo "LINK => $@"
endif
$(LIBOS_CORE_A): $(LIBOS_CORE_RS_A) $(C_OBJS) $(CXX_OBJS) $(S_OBJS) $(EDL_C_OBJS) $(LIBOS_CORE_A): $(LIBOS_CORE_RS_A) $(C_OBJS) $(CXX_OBJS) $(S_OBJS) $(EDL_C_OBJS)
@cp $(LIBOS_CORE_RS_A) $(LIBOS_CORE_A) @cp $(LIBOS_CORE_RS_A) $(LIBOS_CORE_A)
@ -140,10 +120,7 @@ $(BUILD_DIR)/src/libos/%.o: %.S
@$(CC) $(C_FLAGS) -c $< -o $@ @$(CC) $(C_FLAGS) -c $< -o $@
@echo "AS <= $@" @echo "AS <= $@"
clean-builtin: clean:
@-$(RM) -f $(BUILTIN_C_OBJS)
clean: clean-builtin
@-$(RM) -f $(LIBOS_SO) $(LIBOS_CORE_A) $(LIBOS_CORE_RS_A) \ @-$(RM) -f $(LIBOS_SO) $(LIBOS_CORE_A) $(LIBOS_CORE_RS_A) \
$(EDL_C_OBJS) $(EDL_C_SRCS) $(C_OBJS) $(CXX_OBJS) $(S_OBJS) $(EDL_C_OBJS) $(EDL_C_SRCS) $(C_OBJS) $(CXX_OBJS) $(S_OBJS)
@-$(RM) -rf $(RUST_TARGET_DIR) @-$(RM) -rf $(RUST_TARGET_DIR)

14
src/libos/src/builtin/conf_get_hardcoded_file_mac.c
View File

@ -1,14 +0,0 @@
#include <stddef.h>
// The 128-bit MAC of Occlum.json
// Should be provided by Makefile; Set it to all zeros by default.
#ifndef OCCLUM_BUILTIN_CONF_FILE_MAC
#define ALL_ZEROS_32BIT "00-00-00-00"
#define ALL_ZEROS_128BIT (ALL_ZEROS_32BIT"-"ALL_ZEROS_32BIT"-"\
ALL_ZEROS_32BIT"-"ALL_ZEROS_32BIT)
#define OCCLUM_BUILTIN_CONF_FILE_MAC ALL_ZEROS_128BIT
#endif
const char* conf_get_hardcoded_file_mac(void) {
return OCCLUM_BUILTIN_CONF_FILE_MAC;
}

21
src/libos/src/config.rs
View File

@ -45,18 +45,24 @@ lazy_static! {
}; };
} }
// This value will be modified during occlum build
#[no_mangle]
#[link_section = ".builtin_config"]
static OCCLUM_JSON_MAC: [i8; 48] = [0; 48];
fn conf_get_hardcoded_file_mac() -> sgx_aes_gcm_128bit_tag_t { fn conf_get_hardcoded_file_mac() -> sgx_aes_gcm_128bit_tag_t {
// Wrap the unsafe C version to get the safe Rust version assert!(
extern "C" { *OCCLUM_JSON_MAC.last().unwrap() == 0,
fn conf_get_hardcoded_file_mac() -> *const c_char; "must be a null-terminated C string"
} );
let mac_str = unsafe { let mac_str = unsafe {
CStr::from_ptr(conf_get_hardcoded_file_mac()) CStr::from_ptr(&OCCLUM_JSON_MAC as *const i8)
.to_str() .to_str()
.expect("Invalid MAC") .expect("MAC contains non UTF-8 characters")
}; };
let mac = parse_mac(mac_str).expect("Invalid MAC");
let mac = parse_mac(mac_str).expect("MAC string cannot be converted to numbers");
mac mac
} }
@ -68,6 +74,7 @@ fn parse_mac(mac_str: &str) -> Result<sgx_aes_gcm_128bit_tag_t> {
} }
bytes_str_vec bytes_str_vec
}; };
let mut mac: sgx_aes_gcm_128bit_tag_t = Default::default(); let mut mac: sgx_aes_gcm_128bit_tag_t = Default::default();
for (byte_i, byte_str) in bytes_str_vec.iter().enumerate() { for (byte_i, byte_str) in bytes_str_vec.iter().enumerate() {
mac[byte_i] = u8::from_str_radix(byte_str, 16).map_err(|e| errno!(e))?; mac[byte_i] = u8::from_str_radix(byte_str, 16).map_err(|e| errno!(e))?;

6
src/sgxenv.mk
View File

@ -15,11 +15,6 @@ else
BUILD_DIR := $(PROJECT_DIR)/build BUILD_DIR := $(PROJECT_DIR)/build
endif endif
# for sgxenv.mk in .occlum
ifeq ($(CONTEXT), 1)
BUILD_DIR := $(PROJECT_DIR)/build
endif
# If OCCLUM_RELEASE_BUILD equals to 1, y, or yes, then build in release mode # If OCCLUM_RELEASE_BUILD equals to 1, y, or yes, then build in release mode
OCCLUM_RELEASE_BUILD ?= 0 OCCLUM_RELEASE_BUILD ?= 0
ifeq ($(OCCLUM_RELEASE_BUILD), yes) ifeq ($(OCCLUM_RELEASE_BUILD), yes)
@ -75,7 +70,6 @@ Crypto_Library_Name := sgx_tcrypto
KeyExchange_Library_Name := sgx_tkey_exchange KeyExchange_Library_Name := sgx_tkey_exchange
ProtectedFs_Library_Name := sgx_tprotected_fs ProtectedFs_Library_Name := sgx_tprotected_fs
# #
# Export flags used to compile or link untrusted modules # Export flags used to compile or link untrusted modules
# #

1
tools/Makefile
View File

@ -11,7 +11,6 @@ endif
all: all:
@mkdir -p ../$(BUILD_DIR)/bin/ @mkdir -p ../$(BUILD_DIR)/bin/
@ln -s -f ../../tools/occlum ../$(BUILD_DIR)/bin/occlum @ln -s -f ../../tools/occlum ../$(BUILD_DIR)/bin/occlum
@ln -s -f ../../tools/occlum-build-enclave ../$(BUILD_DIR)/bin/occlum-build-enclave
@ln -s -f ../../tools/occlum-gen-default-occlum-json ../$(BUILD_DIR)/bin/occlum-gen-default-occlum-json @ln -s -f ../../tools/occlum-gen-default-occlum-json ../$(BUILD_DIR)/bin/occlum-gen-default-occlum-json
@$(MAKE) --no-print-directory -C protect-integrity @$(MAKE) --no-print-directory -C protect-integrity
@$(MAKE) --no-print-directory -C gen_enclave_conf @$(MAKE) --no-print-directory -C gen_enclave_conf

19
tools/occlum
View File

@ -169,9 +169,7 @@ cmd_build() {
mkdir -p build/bin mkdir -p build/bin
cp "$occlum_dir/$build_dir/bin/occlum-run" build/bin/ cp "$occlum_dir/$build_dir/bin/occlum-run" build/bin/
mkdir -p build/lib mkdir -p build/lib
cp "$occlum_dir/$build_dir/lib/libocclum-libos-core.a" build/lib/
cp "$occlum_dir/$build_dir/lib/libocclum-pal.so" build/lib/ cp "$occlum_dir/$build_dir/lib/libocclum-pal.so" build/lib/
mkdir -p build/src/libos/src/builtin
chmod 531 -R $working_dir/image/bin chmod 531 -R $working_dir/image/bin
chmod 531 -R $working_dir/image/lib chmod 531 -R $working_dir/image/lib
@ -200,17 +198,14 @@ cmd_build() {
export OCCLUM_BUILTIN_VM_USER_SPACE_SIZE=`parse_occlum_user_space_size` export OCCLUM_BUILTIN_VM_USER_SPACE_SIZE=`parse_occlum_user_space_size`
echo "EXPORT => OCCLUM_BUILTIN_VM_USER_SPACE_SIZE = $OCCLUM_BUILTIN_VM_USER_SPACE_SIZE" echo "EXPORT => OCCLUM_BUILTIN_VM_USER_SPACE_SIZE = $OCCLUM_BUILTIN_VM_USER_SPACE_SIZE"
cd "$context_dir" cd $context_dir/build/lib && \
mkdir -p src/libos/src/ cp "$occlum_dir/$build_dir/lib/libocclum-libos.so" .
cp "$occlum_dir/src/sgxenv.mk" src/ echo -e "$OCCLUM_BUILTIN_CONF_FILE_MAC\c" > temp_mac_file && \
cp "$occlum_dir/src/libos/Makefile" src/libos/ objcopy --update-section .builtin_config=temp_mac_file libocclum-libos.so && \
cp "$occlum_dir/src/libos/Enclave.lds" src/libos/ rm temp_mac_file
cp -r "$occlum_dir/src/libos/src/builtin" src/libos/src/builtin
cd src/libos && \
make clean-builtin && \
make "$context_dir/build/lib/libocclum-libos.so" ONLY_REBUILD_BUILTIN=1 CONTEXT=1
$occlum_dir/$build_dir/bin/gen_enclave_conf -i "$working_dir/Occlum.json" -o "$context_dir/build/Enclave.xml" $occlum_dir/$build_dir/bin/gen_enclave_conf -i "$working_dir/Occlum.json" -o "$context_dir/build/Enclave.xml"
$ENCLAVE_SIGN_TOOL sign \ $ENCLAVE_SIGN_TOOL sign \
-key $ENCLAVE_SIGN_KEY \ -key $ENCLAVE_SIGN_KEY \
-config "$context_dir/build/Enclave.xml" \ -config "$context_dir/build/Enclave.xml" \

98
tools/occlum-build-enclave
View File

@ -1,98 +0,0 @@
#!/bin/bash
working_dir=`pwd`
this_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
project_dir="$( cd "$( dirname "$this_dir/../../../" )" >/dev/null 2>&1 && pwd )"
SGX_SDK="${SGX_SDK:-/opt/intel/sgxsdk}"
occlum_conf_json_path=$1
enclave_key_pem_path=$2
protected_occlum_conf_json_path=`basename $occlum_conf_json_path`".protected"
occlum_conf_file_mac=
occlum_user_space_size=
report_arg_error() {
echo $1
echo ""
echo "Usage: occlum-build-enclave Occlum.json Enclave.pem"
}
protect_occlum_json() {
cd $working_dir
"$project_dir/tools/bin/protect-integrity" protect $occlum_conf_json_path
}
print_occlum_conf_file_mac() {
cd $working_dir
"$project_dir/tools/bin/protect-integrity" show-mac $protected_occlum_conf_json_path
}
print_occlum_user_space_size() {
cd $working_dir
local size_with_unit=`cat $occlum_conf_json_path | \
python -c "import sys, json; print json.load(sys.stdin)['vm']['user_space_size']"`
numfmt --from=iec ${size_with_unit::-1}
}
build_enclave_so() {
cd $project_dir/src/libos/
make clean-builtin
make
}
generate_enclave_config() {
cd $working_dir
"$project_dir/tools/bin/gen_enclave_conf" -i $occlum_conf_json_path -o "enclave.config.xml"
}
sign_enclave_so() {
cd $working_dir
rm -f libocclum-libos.signed.so
local enclave_so_path="$project_dir/src/libos/libocclum-libos.so"
$SGX_SDK/bin/x64/sgx_sign sign \
-key $enclave_key_pem_path \
-enclave $enclave_so_path \
-out "libocclum-libos.signed.so" \
-config enclave.config.xml
rm -f enclave.config.xml
}
# ===========================================================================
# Parse input arguments
# ===========================================================================
if [[ $occlum_conf_json_path != *.json ]] ; then
report_arg_error "Error: Expect a JSON file as the first argument!"
exit -1
fi
if [[ $enclave_conf_xml_path != *.xml ]] ; then
report_arg_error "Error: Expect a XML file as the second argument!"
exit -1
fi
if [[ $enclave_key_pem_path != *.pem ]] ; then
report_arg_error "Error: Expect a PEM file as the third argument!"
exit -1
fi
# ===========================================================================
# Build Occlum.json.protected and libocclum-libos.signed.so
# ===========================================================================
set -e
protect_occlum_json
echo "GEN => $protected_occlum_conf_json_path"
export OCCLUM_BUILTIN_CONF_FILE_MAC=`print_occlum_conf_file_mac`
echo "EXPORT => OCCLUM_BUILTIN_CONF_FILE_MAC = $OCCLUM_BUILTIN_CONF_FILE_MAC"
export OCCLUM_BUILTIN_VM_USER_SPACE_SIZE=`print_occlum_user_space_size`
echo "EXPORT => OCCLUM_BUILTIN_VM_USER_SPACE_SIZE = $OCCLUM_BUILTIN_VM_USER_SPACE_SIZE"
build_enclave_so
generate_enclave_config
sign_enclave_so
echo "SIGN => libocclum-libos.signed.so"