[tools] Support configuring PKU in Occlum.json

2022-06-01 12:22:46 +08:00 · 2022-06-01 12:22:46 +08:00 · b65cb4e017
commit b65cb4e017
parent 338dda643b
4 changed files with 16 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -124,7 +124,15 @@ Occlum can be configured easily via a configuration file named `Occlum.json`, wh
        "version_number": 0,
        // Whether the enclave is debuggable through special SGX instructions.
        // For production enclave, it is IMPORTANT to set this value to false.
-        "debuggable": true
+        "debuggable": true,
+        // Whether to turn on PKU feature in Occlum
+        // Occlum uses PKU for isolation between LibOS and userspace program,
+        // It is useful for developers to detect potential bugs.
+        //
+        // "pkru" = 0: PKU feature must be disabled
+        // "pkru" = 1: PKU feature must be enabled
+        // "pkru" = 2: PKU feature is enabled if the platform supports it
+        "pkru": 0
    },
    // Mount points and their file systems
    //
--- a/etc/template/Occlum.json
+++ b/etc/template/Occlum.json
@ -33,7 +33,8 @@
        "ext_prod_id": {
            "high": "0x0",
            "low": "0x0"
-        }
+        },
+        "pkru": 0
    },
    "mount": [
        {
--- a/test/Occlum.json
+++ b/test/Occlum.json
@ -36,7 +36,8 @@
        "ext_prod_id": {
            "high": "0x0",
            "low": "0x0"
-        }
+        },
+        "pkru": 0
    },
    "mount": [
        {
--- a/tools/gen_internal_conf/src/main.rs
+++ b/tools/gen_internal_conf/src/main.rs
@ -204,6 +204,7 @@ fn main() {
            ISVEXTPRODID_L: kss_tuple.2,
            ISVFAMILYID_H: kss_tuple.3,
            ISVFAMILYID_L: kss_tuple.4,
+            PKRU: occlum_config.metadata.pkru,
        };
        let enclave_config = serde_xml_rs::to_string(&sgx_enclave_configuration).unwrap();
        debug!("The enclave config:{:?}", enclave_config);
@ -452,6 +453,7 @@ struct OcclumMetadata {
    enable_kss: bool,
    family_id: OcclumMetaID,
    ext_prod_id: OcclumMetaID,
+    pkru: u32,
 }

 #[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
@ -512,6 +514,7 @@ struct EnclaveConfiguration {
    ISVEXTPRODID_L: u64,
    ISVFAMILYID_H: u64,
    ISVFAMILYID_L: u64,
+    PKRU: u32,
 }

 #[derive(Debug, PartialEq, Clone, Serialize)]