76f91a1aa3
1. Add Occlum.json as Occlum's config file 2. Add tools/bin/build_enclave 3. Add tools/bin/protect_integrity 4. Validate Occlum.json.protected on LibOS startup 5. Parse Occlum.json.protected on LibOS startup 6. Config enclave size using Occlum.json 7. Config process memory sizes using Occlum.json
164 lines
4.1 KiB
C++
164 lines
4.1 KiB
C++
#include "Enclave_t.h"
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <sgx_trts.h>
|
|
#include <sgx_tprotected_fs.h>
|
|
|
|
// ==========================================================================
|
|
// Helper functions
|
|
// ==========================================================================
|
|
|
|
#define PRINTF_BUFSIZE 512
|
|
|
|
static int printf(const char* fmt, ...) {
|
|
char buf[PRINTF_BUFSIZE] = {0};
|
|
va_list args;
|
|
va_start(args, fmt);
|
|
vsnprintf(buf, PRINTF_BUFSIZE, fmt, args);
|
|
va_end(args);
|
|
ocall_print(buf);
|
|
return 0;
|
|
}
|
|
|
|
static int eprintf(const char* fmt, ...) {
|
|
char buf[PRINTF_BUFSIZE] = {0};
|
|
va_list args;
|
|
va_start(args, fmt);
|
|
vsnprintf(buf, PRINTF_BUFSIZE, fmt, args);
|
|
va_end(args);
|
|
ocall_eprint(buf);
|
|
return 0;
|
|
}
|
|
|
|
static void print_mac(sgx_aes_gcm_128bit_tag_t* mac) {
|
|
unsigned char* bytes = (unsigned char*) mac;
|
|
for (size_t bi = 0; bi < sizeof(*mac); bi++) {
|
|
if (bi != 0) printf("-");
|
|
printf("%02x", bytes[bi] & 0xFF);
|
|
}
|
|
printf("\n");
|
|
}
|
|
|
|
|
|
static int open(const char* path) {
|
|
int fd = 0;
|
|
ocall_open(&fd, path);
|
|
return fd;
|
|
}
|
|
|
|
static ssize_t read(int fd, void* buf, size_t size) {
|
|
ssize_t ret = 0;
|
|
ocall_read(&ret, fd, buf, size);
|
|
return ret;
|
|
}
|
|
|
|
static ssize_t write(int fd, const void* buf, size_t size) {
|
|
ssize_t ret = 0;
|
|
ocall_write(&ret, fd, buf, size);
|
|
return ret;
|
|
}
|
|
|
|
static int close(int fd) {
|
|
int ret = 0;
|
|
ocall_close(&ret, fd);
|
|
return ret;
|
|
}
|
|
|
|
// ==========================================================================
|
|
// ECalls
|
|
// ==========================================================================
|
|
|
|
int ecall_protect(const char* input_path, const char* output_path) {
|
|
int input_file = -1;
|
|
SGX_FILE* output_file = NULL;
|
|
size_t len;
|
|
char buf[4 * 1024];
|
|
|
|
input_file = open(input_path);
|
|
if (input_file < 0) {
|
|
eprintf("Error: cannot open the input file at %s\n", input_path);
|
|
goto on_error;
|
|
}
|
|
|
|
output_file = sgx_fopen_integrity_only(output_path, "w");
|
|
if (output_file == NULL) {
|
|
eprintf("Error: cannot create the output file %s\n", output_path);
|
|
goto on_error;
|
|
}
|
|
|
|
while ((len = read(input_file, buf, sizeof(buf))) > 0) {
|
|
if (sgx_fwrite(buf, 1, len, output_file) != len) {
|
|
eprintf("Error: failed to write to the output file %s\n", output_path);
|
|
goto on_error;
|
|
}
|
|
}
|
|
|
|
close(input_file);
|
|
sgx_fclose(output_file);
|
|
return 0;
|
|
on_error:
|
|
if (input_file >= 0) {
|
|
close(input_file);
|
|
}
|
|
if (output_file != NULL) {
|
|
sgx_fclose(output_file);
|
|
sgx_remove(output_path);
|
|
}
|
|
return -1;
|
|
}
|
|
|
|
int ecall_show(const char* protected_file_path) {
|
|
SGX_FILE* protected_file = NULL;
|
|
ssize_t len;
|
|
char buf[4 * 1024];
|
|
|
|
protected_file = sgx_fopen_integrity_only(protected_file_path, "r");
|
|
if (protected_file == NULL) {
|
|
eprintf("Error: failed to open the given protected file %s\n", protected_file_path);
|
|
goto on_error;
|
|
}
|
|
|
|
while ((len = sgx_fread(buf, 1, sizeof(buf), protected_file)) > 0) {
|
|
write(1/* stdout */, buf, len);
|
|
}
|
|
|
|
if (sgx_ferror(protected_file)) {
|
|
eprintf("Error: failed to read the given protected file %s\n", protected_file_path);
|
|
goto on_error;
|
|
}
|
|
|
|
sgx_fclose(protected_file);
|
|
return 0;
|
|
on_error:
|
|
if (protected_file != NULL) {
|
|
sgx_fclose(protected_file);
|
|
}
|
|
return -1;
|
|
}
|
|
|
|
int ecall_show_mac(const char* protected_file_path) {
|
|
SGX_FILE* protected_file = NULL;
|
|
sgx_aes_gcm_128bit_tag_t mac = { 0 };
|
|
|
|
protected_file = sgx_fopen_integrity_only(protected_file_path, "r");
|
|
if (protected_file == NULL) {
|
|
eprintf("Error: failed to open the given protected file %s\n", protected_file_path);
|
|
goto on_error;
|
|
}
|
|
|
|
if (sgx_fget_mac(protected_file, &mac)) {
|
|
eprintf("Error: failed to get the MAC of the protected file %s\n", protected_file_path);
|
|
goto on_error;
|
|
}
|
|
|
|
print_mac(&mac);
|
|
|
|
sgx_fclose(protected_file);
|
|
return 0;
|
|
on_error:
|
|
if (protected_file != NULL) {
|
|
sgx_fclose(protected_file);
|
|
}
|
|
return -1;
|
|
}
|