Build in the MAC of the occlum configuration file with objcopy

1. Objcopy the MAC of Occlum.json to libocclum-libos.so before signature during occlum build. 2. Remove the files and codes no longer used.
2020-06-03 17:38:59 +08:00 · 2020-06-03 17:38:59 +08:00 · 28440b0d69
commit 28440b0d69
parent f020fed2ae
8 changed files with 27 additions and 173 deletions
--- a/6
+++ b/6
@ -73,12 +73,6 @@ install:
 	install -t $(OCCLUM_PREFIX)/build_sim/bin/ -D build_sim/bin/*
 	install -d $(OCCLUM_PREFIX)/build_sim/lib/
 	install -t $(OCCLUM_PREFIX)/build_sim/lib/ -D build_sim/lib/*
-	install -d $(OCCLUM_PREFIX)/src/
-	install -t $(OCCLUM_PREFIX)/src/ -m 444 src/sgxenv.mk
-	install -d $(OCCLUM_PREFIX)/src/libos/
-	install -t $(OCCLUM_PREFIX)/src/libos/ -m 444 src/libos/Makefile src/libos/Enclave.lds
-	install -d $(OCCLUM_PREFIX)/src/libos/src/builtin/
-	install -t $(OCCLUM_PREFIX)/src/libos/src/builtin/ -m 444 src/libos/src/builtin/*
 	install -d $(OCCLUM_PREFIX)/include/
 	install -t $(OCCLUM_PREFIX)/include/ -m 444 src/pal/include/*.h
 	install -d $(OCCLUM_PREFIX)/etc/template/
--- a/src/libos/Makefile
+++ b/src/libos/Makefile
@ -23,10 +23,6 @@ include ../sgxenv.mk
 # | |  |Assembly  | | |
 # | |  +----------+ | |
 # | +---------------+ |
-# | |LibOS Builtins<-------+ Configurable by Occlum.json
-# | +---------------+ |
-# |                   |
-# | +---------------+ |
 # | |Rust SGX SDK <-----+
 # | +---------------| | +--+ Dependencies
 # | |Intel SGX SDK<-----+
@ -47,8 +43,6 @@ include ../sgxenv.mk
 # be printed.
 LIBOS_LOG ?= error

-ONLY_REBUILD_BUILTIN ?= 0
-
 LIBOS_SO := $(BUILD_DIR)/lib/libocclum-libos.so
 LIBOS_CORE_A := $(BUILD_DIR)/lib/libocclum-libos-core.a
 LIBOS_CORE_RS_A := $(BUILD_DIR)/lib/libocclum_libos_core_rs.a
@ -59,16 +53,14 @@ RUST_TARGET_DIR := $(BUILD_DIR)/src/libos/cargo-target
 RUST_OUT_DIR := $(BUILD_DIR)/lib
 EDL_C_SRCS := $(addprefix $(BUILD_DIR)/src/libos/,src/Enclave_t.c src/Enclave_t.h)
 EDL_C_OBJS := $(addprefix $(BUILD_DIR)/src/libos/,src/Enclave_t.o)
-BUILTIN_C_SRCS := $(sort $(wildcard src/builtin/*.c))
-BUILTIN_C_OBJS := $(addprefix $(BUILD_DIR)/src/libos/,$(BUILTIN_C_SRCS:.c=.o))
-C_SRCS := $(filter-out $(BUILTIN_C_SRCS),$(sort $(wildcard src/*.c src/*/*.c src/*/*/*.c)))
+C_SRCS := $(sort $(wildcard src/*.c src/*/*.c src/*/*/*.c))
 C_OBJS := $(addprefix $(BUILD_DIR)/src/libos/,$(C_SRCS:.c=.o))
 CXX_SRCS := $(sort $(wildcard src/*.cpp src/*/*.cpp))
 CXX_OBJS := $(addprefix $(BUILD_DIR)/src/libos/,$(CXX_SRCS:.cpp=.o))
 S_SRCS := $(sort $(wildcard src/*.S src/*/*.S src/*/*/*.S))
 S_OBJS := $(addprefix $(BUILD_DIR)/src/libos/,$(S_SRCS:.S=.o))

-ALL_BUILD_SUBDIRS := $(sort $(patsubst %/,%,$(dir $(LIBOS_SO) $(EDL_C_OBJS) $(BUILTIN_C_OBJS) $(C_OBJS) $(CXX_OBJS) $(S_OBJS)) $(RUST_TARGET_DIR) $(RUST_OUT_DIR)))
+ALL_BUILD_SUBDIRS := $(sort $(patsubst %/,%,$(dir $(LIBOS_SO) $(EDL_C_OBJS) $(C_OBJS) $(CXX_OBJS) $(S_OBJS)) $(RUST_TARGET_DIR) $(RUST_OUT_DIR)))

 C_COMMON_FLAGS := -fno-stack-protector -I./include/
 # SGX GDB support
@ -76,13 +68,6 @@ C_COMMON_FLAGS += -g
 C_FLAGS := $(SGX_CFLAGS_T) $(C_COMMON_FLAGS)
 CXX_FLAGS := $(SGX_CXXFLAGS_T) $(C_COMMON_FLAGS)

-# Pass builtin values by defining macros
-#
-# The MAC of Occlum config file must be builtin into the binary
-ifdef OCCLUM_BUILTIN_CONF_FILE_MAC
-C_FLAGS += -DOCCLUM_BUILTIN_CONF_FILE_MAC='"$(OCCLUM_BUILTIN_CONF_FILE_MAC)"'
-endif
-
 _Other_Link_Flags := -L$(RUST_SGX_SDK_DIR)/compiler-rt/ -L$(BUILD_DIR)/lib
 _Other_Enclave_Libs := -locclum-libos-core -lsgx_tprotected_fs
 LINK_FLAGS := $(SGX_LFLAGS_T)
@ -94,16 +79,11 @@ all: $(ALL_BUILD_SUBDIRS) $(LIBOS_SO)
 $(ALL_BUILD_SUBDIRS):
 	@mkdir -p $@

-LIBOS_SO_DEPS := $(BUILTIN_C_OBJS) $(LIBOS_CORE_A) $(LIBCOMPILER_RT_PATCH_A)
-ifeq ($(ONLY_REBUILD_BUILTIN), 0)
-$(LIBOS_SO): $(BUILTIN_C_OBJS) $(LIBOS_CORE_A) $(LIBCOMPILER_RT_PATCH_A)
+LIBOS_SO_DEPS := $(LIBOS_CORE_A) $(LIBCOMPILER_RT_PATCH_A)
+
+$(LIBOS_SO): $(LIBOS_CORE_A) $(LIBCOMPILER_RT_PATCH_A)
 	@$(CC) $(LIBOS_SO_DEPS) -o $@ $(LINK_FLAGS)
 	@echo "LINK => $@"
-else
-$(LIBOS_SO): $(BUILTIN_C_OBJS)
-	@$(CC) $(LIBOS_SO_DEPS) -o $@ $(LINK_FLAGS)
-	@echo "LINK => $@"
-endif

 $(LIBOS_CORE_A): $(LIBOS_CORE_RS_A) $(C_OBJS) $(CXX_OBJS) $(S_OBJS) $(EDL_C_OBJS)
 	@cp $(LIBOS_CORE_RS_A) $(LIBOS_CORE_A)
@ -140,10 +120,7 @@ $(BUILD_DIR)/src/libos/%.o: %.S
 	@$(CC) $(C_FLAGS) -c $< -o $@
 	@echo "AS <= $@"

-clean-builtin:
-	@-$(RM) -f $(BUILTIN_C_OBJS)
-
-clean: clean-builtin
+clean:
 	@-$(RM) -f $(LIBOS_SO) $(LIBOS_CORE_A) $(LIBOS_CORE_RS_A) \
 		$(EDL_C_OBJS) $(EDL_C_SRCS) $(C_OBJS) $(CXX_OBJS) $(S_OBJS)
 	@-$(RM) -rf $(RUST_TARGET_DIR)
--- a/src/libos/src/builtin/conf_get_hardcoded_file_mac.c
+++ b/src/libos/src/builtin/conf_get_hardcoded_file_mac.c
@ -1,14 +0,0 @@
-#include <stddef.h>
-
-// The 128-bit MAC of Occlum.json
-// Should be provided by Makefile; Set it to all zeros by default.
-#ifndef OCCLUM_BUILTIN_CONF_FILE_MAC
-#define ALL_ZEROS_32BIT                 "00-00-00-00"
-#define ALL_ZEROS_128BIT                (ALL_ZEROS_32BIT"-"ALL_ZEROS_32BIT"-"\
-                                         ALL_ZEROS_32BIT"-"ALL_ZEROS_32BIT)
-#define OCCLUM_BUILTIN_CONF_FILE_MAC    ALL_ZEROS_128BIT
-#endif
-
-const char* conf_get_hardcoded_file_mac(void) {
-    return OCCLUM_BUILTIN_CONF_FILE_MAC;
-}
--- a/src/libos/src/config.rs
+++ b/src/libos/src/config.rs
@ -45,18 +45,24 @@ lazy_static! {
    };
 }

+// This value will be modified during occlum build
+#[no_mangle]
+#[link_section = ".builtin_config"]
+static OCCLUM_JSON_MAC: [i8; 48] = [0; 48];
+
 fn conf_get_hardcoded_file_mac() -> sgx_aes_gcm_128bit_tag_t {
-    // Wrap the unsafe C version to get the safe Rust version
-    extern "C" {
-        fn conf_get_hardcoded_file_mac() -> *const c_char;
-    }
+    assert!(
+        *OCCLUM_JSON_MAC.last().unwrap() == 0,
+        "must be a null-terminated C string"
+    );

    let mac_str = unsafe {
-        CStr::from_ptr(conf_get_hardcoded_file_mac())
+        CStr::from_ptr(&OCCLUM_JSON_MAC as *const i8)
            .to_str()
-            .expect("Invalid MAC")
+            .expect("MAC contains non UTF-8 characters")
    };
-    let mac = parse_mac(mac_str).expect("Invalid MAC");
+
+    let mac = parse_mac(mac_str).expect("MAC string cannot be converted to numbers");
    mac
 }

@ -68,6 +74,7 @@ fn parse_mac(mac_str: &str) -> Result<sgx_aes_gcm_128bit_tag_t> {
        }
        bytes_str_vec
    };
+
    let mut mac: sgx_aes_gcm_128bit_tag_t = Default::default();
    for (byte_i, byte_str) in bytes_str_vec.iter().enumerate() {
        mac[byte_i] = u8::from_str_radix(byte_str, 16).map_err(|e| errno!(e))?;
--- a/src/sgxenv.mk
+++ b/src/sgxenv.mk
@ -15,11 +15,6 @@ else
 	BUILD_DIR := $(PROJECT_DIR)/build
 endif

-# for sgxenv.mk in .occlum
-ifeq ($(CONTEXT), 1)
-	BUILD_DIR := $(PROJECT_DIR)/build
-endif
-
 # If OCCLUM_RELEASE_BUILD equals to 1, y, or yes, then build in release mode
 OCCLUM_RELEASE_BUILD ?= 0
 ifeq ($(OCCLUM_RELEASE_BUILD), yes)
@ -75,7 +70,6 @@ Crypto_Library_Name := sgx_tcrypto
 KeyExchange_Library_Name := sgx_tkey_exchange
 ProtectedFs_Library_Name := sgx_tprotected_fs

-
 #
 # Export flags used to compile or link untrusted modules
 #
--- a/tools/Makefile
+++ b/tools/Makefile
@ -11,7 +11,6 @@ endif
 all:
 	@mkdir -p ../$(BUILD_DIR)/bin/
 	@ln -s -f ../../tools/occlum ../$(BUILD_DIR)/bin/occlum
-	@ln -s -f ../../tools/occlum-build-enclave ../$(BUILD_DIR)/bin/occlum-build-enclave
 	@ln -s -f ../../tools/occlum-gen-default-occlum-json ../$(BUILD_DIR)/bin/occlum-gen-default-occlum-json
 	@$(MAKE) --no-print-directory -C protect-integrity
 	@$(MAKE) --no-print-directory -C gen_enclave_conf
--- a/tools/occlum
+++ b/tools/occlum
@ -169,9 +169,7 @@ cmd_build() {
    mkdir -p build/bin
    cp "$occlum_dir/$build_dir/bin/occlum-run" build/bin/
    mkdir -p build/lib
-    cp "$occlum_dir/$build_dir/lib/libocclum-libos-core.a" build/lib/
    cp "$occlum_dir/$build_dir/lib/libocclum-pal.so" build/lib/
-    mkdir -p build/src/libos/src/builtin

    chmod 531 -R $working_dir/image/bin
    chmod 531 -R $working_dir/image/lib
@ -200,17 +198,14 @@ cmd_build() {
    export OCCLUM_BUILTIN_VM_USER_SPACE_SIZE=`parse_occlum_user_space_size`
    echo "EXPORT => OCCLUM_BUILTIN_VM_USER_SPACE_SIZE = $OCCLUM_BUILTIN_VM_USER_SPACE_SIZE"

-    cd "$context_dir"
-    mkdir -p src/libos/src/
-    cp "$occlum_dir/src/sgxenv.mk" src/
-    cp "$occlum_dir/src/libos/Makefile" src/libos/
-    cp "$occlum_dir/src/libos/Enclave.lds" src/libos/
-    cp -r "$occlum_dir/src/libos/src/builtin" src/libos/src/builtin
-    cd src/libos && \
-        make clean-builtin && \
-        make "$context_dir/build/lib/libocclum-libos.so" ONLY_REBUILD_BUILTIN=1 CONTEXT=1
+    cd $context_dir/build/lib && \
+    cp "$occlum_dir/$build_dir/lib/libocclum-libos.so" .
+    echo -e "$OCCLUM_BUILTIN_CONF_FILE_MAC\c" > temp_mac_file && \
+    objcopy --update-section .builtin_config=temp_mac_file libocclum-libos.so && \
+    rm temp_mac_file

    $occlum_dir/$build_dir/bin/gen_enclave_conf -i "$working_dir/Occlum.json" -o "$context_dir/build/Enclave.xml"
+
    $ENCLAVE_SIGN_TOOL sign \
        -key $ENCLAVE_SIGN_KEY \
        -config "$context_dir/build/Enclave.xml" \
--- a/tools/occlum-build-enclave
+++ b/tools/occlum-build-enclave
@ -1,98 +0,0 @@
-#!/bin/bash
-
-working_dir=`pwd`
-this_dir="$( cd "$( dirname "${BASH_SOURCE[0]}"  )" >/dev/null 2>&1 && pwd )"
-project_dir="$( cd "$( dirname "$this_dir/../../../"  )" >/dev/null 2>&1 && pwd )"
-
-SGX_SDK="${SGX_SDK:-/opt/intel/sgxsdk}"
-
-occlum_conf_json_path=$1
-enclave_key_pem_path=$2
-protected_occlum_conf_json_path=`basename $occlum_conf_json_path`".protected"
-
-occlum_conf_file_mac=
-occlum_user_space_size=
-
-
-report_arg_error() {
-    echo $1
-    echo ""
-    echo "Usage: occlum-build-enclave Occlum.json Enclave.pem"
-}
-
-protect_occlum_json() {
-    cd $working_dir
-    "$project_dir/tools/bin/protect-integrity" protect $occlum_conf_json_path
-}
-
-print_occlum_conf_file_mac() {
-    cd $working_dir
-    "$project_dir/tools/bin/protect-integrity" show-mac $protected_occlum_conf_json_path
-}
-
-print_occlum_user_space_size() {
-    cd $working_dir
-    local size_with_unit=`cat $occlum_conf_json_path | \
-        python -c "import sys, json; print json.load(sys.stdin)['vm']['user_space_size']"`
-    numfmt --from=iec ${size_with_unit::-1}
-}
-
-build_enclave_so() {
-    cd $project_dir/src/libos/
-    make clean-builtin
-    make
-}
-
-generate_enclave_config() {
-    cd $working_dir
-    "$project_dir/tools/bin/gen_enclave_conf" -i $occlum_conf_json_path -o "enclave.config.xml"
-}
-
-sign_enclave_so() {
-    cd $working_dir
-    rm -f libocclum-libos.signed.so
-    local enclave_so_path="$project_dir/src/libos/libocclum-libos.so"
-    $SGX_SDK/bin/x64/sgx_sign sign \
-        -key $enclave_key_pem_path \
-        -enclave $enclave_so_path \
-        -out "libocclum-libos.signed.so" \
-        -config enclave.config.xml
-    rm -f enclave.config.xml
-}
-
-# ===========================================================================
-# Parse input arguments
-# ===========================================================================
-
-if [[ $occlum_conf_json_path != *.json ]] ; then
-    report_arg_error "Error: Expect a JSON file as the first argument!"
-    exit -1
-fi
-if [[ $enclave_conf_xml_path != *.xml ]] ; then
-    report_arg_error "Error: Expect a XML file as the second argument!"
-    exit -1
-fi
-if [[ $enclave_key_pem_path != *.pem ]] ; then
-    report_arg_error "Error: Expect a PEM file as the third argument!"
-    exit -1
-fi
-
-# ===========================================================================
-# Build Occlum.json.protected and libocclum-libos.signed.so
-# ===========================================================================
-
-set -e
-
-protect_occlum_json
-echo "GEN => $protected_occlum_conf_json_path"
-
-export OCCLUM_BUILTIN_CONF_FILE_MAC=`print_occlum_conf_file_mac`
-echo "EXPORT => OCCLUM_BUILTIN_CONF_FILE_MAC = $OCCLUM_BUILTIN_CONF_FILE_MAC"
-
-export OCCLUM_BUILTIN_VM_USER_SPACE_SIZE=`print_occlum_user_space_size`
-echo "EXPORT => OCCLUM_BUILTIN_VM_USER_SPACE_SIZE = $OCCLUM_BUILTIN_VM_USER_SPACE_SIZE"
-
-build_enclave_so
-generate_enclave_config
-sign_enclave_so
-echo "SIGN => libocclum-libos.signed.so"