|
@@ -1,92 +1,122 @@
|
|
-#!$(PAL)
|
|
|
|
-
|
|
|
|
-loader.preload = file:$(SHIMPATH)
|
|
|
|
-loader.exec = file:obj/bin/httpd
|
|
|
|
|
|
+# Apache manifest example
|
|
|
|
+#
|
|
|
|
+# This manifest was prepared and tested on Ubuntu 16.04.
|
|
|
|
+#
|
|
|
|
+# Apache must be run with the pal_loader:
|
|
|
|
+#
|
|
|
|
+# ./pal_loader httpd.manifest <script>
|
|
|
|
+
|
|
|
|
+# The executable to load in Graphene.
|
|
|
|
+loader.exec = file:$(INSTALL_DIR)/bin/httpd
|
|
loader.execname = httpd
|
|
loader.execname = httpd
|
|
|
|
+
|
|
|
|
+# Graphene environment, including the path to the library OS and the debug
|
|
|
|
+# option (inline/none).
|
|
|
|
+loader.preload = file:$(GRAPHENEDIR)/Runtime/libsysdb.so
|
|
|
|
+loader.debug_type = $(GRAPHENEDEBUG)
|
|
|
|
+
|
|
|
|
+# Environment variables
|
|
loader.env.LD_LIBRARY_PATH = /lib:/lib/x86_64-linux-gnu:/usr/lib:/usr/lib/x86_64-linux-gnu
|
|
loader.env.LD_LIBRARY_PATH = /lib:/lib/x86_64-linux-gnu:/usr/lib:/usr/lib/x86_64-linux-gnu
|
|
-loader.debug_type = none
|
|
|
|
|
|
|
|
-fs.mount.lib1.type = chroot
|
|
|
|
-fs.mount.lib1.path = /lib
|
|
|
|
-fs.mount.lib1.uri = file:$(LIBCDIR)
|
|
|
|
|
|
+# Mounted FSes. The following "chroot" FSes mount a part of the host FS into the
|
|
|
|
+# guest. Other parts of the host FS will not be available in the guest.
|
|
|
|
|
|
|
|
+# Default glibc files, mounted from the Runtime directory in GRAPHENEDIR.
|
|
|
|
+fs.mount.lib.type = chroot
|
|
|
|
+fs.mount.lib.path = /lib
|
|
|
|
+fs.mount.lib.uri = file:$(GRAPHENEDIR)/Runtime
|
|
|
|
+
|
|
|
|
+# Host-level libraries (/lib/x86_64-linux-gnu) required by Apache
|
|
fs.mount.lib2.type = chroot
|
|
fs.mount.lib2.type = chroot
|
|
fs.mount.lib2.path = /lib/x86_64-linux-gnu
|
|
fs.mount.lib2.path = /lib/x86_64-linux-gnu
|
|
fs.mount.lib2.uri = file:/lib/x86_64-linux-gnu
|
|
fs.mount.lib2.uri = file:/lib/x86_64-linux-gnu
|
|
|
|
|
|
|
|
+# Host-level directory (/usr) required by Apache (needed for libaprutil-1.so)
|
|
fs.mount.usr.type = chroot
|
|
fs.mount.usr.type = chroot
|
|
fs.mount.usr.path = /usr
|
|
fs.mount.usr.path = /usr
|
|
fs.mount.usr.uri = file:/usr
|
|
fs.mount.usr.uri = file:/usr
|
|
|
|
|
|
|
|
+# Host-level directory (/etc) required by Apache (needed mostly for SSL/TLS)
|
|
|
|
+fs.mount.etc.type = chroot
|
|
|
|
+fs.mount.etc.path = /etc
|
|
|
|
+fs.mount.etc.uri = file:/etc
|
|
|
|
+
|
|
|
|
+# Mount the current working directory
|
|
fs.mount.cwd.type = chroot
|
|
fs.mount.cwd.type = chroot
|
|
-fs.mount.cwd.path = $(PWD)
|
|
|
|
-fs.mount.cwd.uri = file:
|
|
|
|
-
|
|
|
|
-sgx.enclave_size=4G
|
|
|
|
-sgx.allow_file_creation = 1
|
|
|
|
-net.allow_peer.1=:
|
|
|
|
-
|
|
|
|
-# allow to bind on port for listening
|
|
|
|
-net.allow_bind.1 =:
|
|
|
|
-
|
|
|
|
-sgx.trusted_files.ld = file:$(LIBCDIR)/ld-linux-x86-64.so.2
|
|
|
|
-sgx.trusted_files.libc = file:$(LIBCDIR)/libc.so.6
|
|
|
|
-sgx.trusted_files.libdl = file:$(LIBCDIR)/libdl.so.2
|
|
|
|
-sgx.trusted_files.libm = file:$(LIBCDIR)/libm.so.6
|
|
|
|
-sgx.trusted_files.libpthread = file:$(LIBCDIR)/libpthread.so.0
|
|
|
|
-sgx.trusted_files.libresolv = file:$(LIBCDIR)/libresolv.so.2
|
|
|
|
-sgx.trusted_files.libnssdns = file:/lib/x86_64-linux-gnu/libnss_dns.so.2
|
|
|
|
-sgx.trusted_files.libnssfiles = file:/lib/x86_64-linux-gnu/libnss_files.so.2
|
|
|
|
-sgx.trusted_files.libnsscompact = file:/lib/x86_64-linux-gnu/libnss_compat.so.2
|
|
|
|
-sgx.trusted_files.libnssnis = file:/lib/x86_64-linux-gnu/libnss_nis.so.2
|
|
|
|
-sgx.trusted_files.libpcre = file:/lib/x86_64-linux-gnu/libpcre.so.3
|
|
|
|
-sgx.trusted_files.libapr = file:obj/lib/libapr-1.so.0
|
|
|
|
-sgx.trusted_files.libaprutil = file:obj/lib/libaprutil-1.so.0
|
|
|
|
-sgx.trusted_files.libexpat = file:/lib/x86_64-linux-gnu/libexpat.so.1
|
|
|
|
-sgx.trusted_files.libcrypt = file:/lib/x86_64-linux-gnu/libcrypt.so.1
|
|
|
|
-sgx.trusted_files.libxml2 = file:/usr/lib/x86_64-linux-gnu/libxml2.so.2
|
|
|
|
-sgx.trusted_files.libz = file:/lib/x86_64-linux-gnu/libz.so.1
|
|
|
|
-sgx.trusted_files.liblzma = file:/lib/x86_64-linux-gnu/liblzma.so.5
|
|
|
|
|
|
+fs.mount.cwd.path = $(INSTALL_DIR_ABSPATH)
|
|
|
|
+fs.mount.cwd.uri = file:$(INSTALL_DIR)
|
|
|
|
+
|
|
|
|
+# SGX general options
|
|
|
|
+
|
|
|
|
+# Set the virtual memory size of the SGX enclave. For SGX v1, the enclave
|
|
|
|
+# size must be specified during signing. If Apache needs more virtual memory
|
|
|
|
+# than the enclave size, Graphene will not be able to allocate it.
|
|
|
|
+sgx.enclave_size = 512M
|
|
|
|
+
|
|
|
|
+# Set the maximum number of enclave threads. For SGX v1, the number of enclave
|
|
|
|
+# TCSes must be specified during signing, so the application cannot use more
|
|
|
|
+# threads than the number of TCSes. Note that Graphene also creates an internal
|
|
|
|
+# thread for handling inter-process communication (IPC), and potentially another
|
|
|
|
+# thread for asynchronous events. Therefore, the actual number of threads that
|
|
|
|
+# the application can create is (sgx.thread_num - 2).
|
|
|
|
+#
|
|
|
|
+# We (somewhat arbitrarily) specify 32 threads since mpm_worker_module can create
|
|
|
|
+# up to 25 threads/process.
|
|
|
|
+sgx.thread_num = 32
|
|
|
|
+
|
|
|
|
+# SGX trusted libraries
|
|
|
|
+
|
|
|
|
+# Glibc libraries
|
|
|
|
+sgx.trusted_files.ld = file:$(GRAPHENEDIR)/Runtime/ld-linux-x86-64.so.2
|
|
|
|
+sgx.trusted_files.libc = file:$(GRAPHENEDIR)/Runtime/libc.so.6
|
|
|
|
+sgx.trusted_files.libm = file:$(GRAPHENEDIR)/Runtime/libm.so.6
|
|
|
|
+sgx.trusted_files.libdl = file:$(GRAPHENEDIR)/Runtime/libdl.so.2
|
|
|
|
+sgx.trusted_files.librt = file:$(GRAPHENEDIR)/Runtime/librt.so.1
|
|
|
|
+sgx.trusted_files.libutil = file:$(GRAPHENEDIR)/Runtime/libutil.so.1
|
|
|
|
+sgx.trusted_files.libpthread = file:$(GRAPHENEDIR)/Runtime/libpthread.so.0
|
|
|
|
+sgx.trusted_files.libresolvOrig = file:$(GRAPHENEDIR)/Runtime/libresolv.so.2 #This library is needed for libphp7.so. If the original library (in /lib/x...) is loaded, then it relies on a different libc version and throws a runtime linker error, so we add this library before and by the first FS mapping rule, it will find the correct library at runtime.
|
|
|
|
+
|
|
|
|
+# Other libraries required by Apache - it looks like the underscores in the next two libs gave nasty errors at runtime?
|
|
|
|
+sgx.trusted_files.libgccs = file:/lib/x86_64-linux-gnu/libgcc_s.so.1
|
|
|
|
+sgx.trusted_files.nssfiles = file:/lib/x86_64-linux-gnu/libnss_files.so.2
|
|
|
|
+sgx.trusted_files.libnsscompat = file:/lib/x86_64-linux-gnu/libnss_compat.so.2
|
|
|
|
+sgx.trusted_files.libnssnis = file:/lib/x86_64-linux-gnu/libnss_nis.so.2
|
|
sgx.trusted_files.libnsl = file:/lib/x86_64-linux-gnu/libnsl.so.1
|
|
sgx.trusted_files.libnsl = file:/lib/x86_64-linux-gnu/libnsl.so.1
|
|
-sgx.trusted_files.libicuuc = file:/usr/lib/x86_64-linux-gnu/libicuuc.so.55
|
|
|
|
-sgx.trusted_files.libicudata = file:/usr/lib/x86_64-linux-gnu/libicudata.so.55
|
|
|
|
-sgx.trusted_files.libstdcpp = file:/usr/lib/x86_64-linux-gnu/libstdc++.so.6
|
|
|
|
-sgx.trusted_files.libgcc_c = file:/lib/x86_64-linux-gnu/libgcc_s.so.1
|
|
|
|
-
|
|
|
|
-sgx.allowed_files.modules = file:obj/modules
|
|
|
|
-sgx.allowed_files.conf = file:obj/conf
|
|
|
|
-sgx.allowed_files.htdocs = file:obj/htdocs
|
|
|
|
-sgx.allowed_files.logs = file:obj/logs
|
|
|
|
-
|
|
|
|
-sgx.trusted_files.conf = file:obj/conf/httpd.conf
|
|
|
|
-sgx.trusted_files.confmime = file:obj/conf/mime.types
|
|
|
|
-
|
|
|
|
-#Source code files
|
|
|
|
-sgx.trusted_files.indexphp = file:obj/htdocs/index.php
|
|
|
|
-sgx.trusted_files.actionphp = file:obj/htdocs/action.php
|
|
|
|
-
|
|
|
|
-sgx.allowed_files.timeop=file:target_time.txt
|
|
|
|
-sgx.allowed_files.phptimeop=file:obj/htdocs/mitigator_phptime.txt
|
|
|
|
-
|
|
|
|
-#Extension and its dependencies (that are not already included above)
|
|
|
|
-sgx.trusted_files.phpini=file:obj/lib/php.ini
|
|
|
|
-sgx.trusted_files.mainextension=file:obj/modules/localattestation_decryption.so
|
|
|
|
-sgx.trusted_files.libphpcpp=file:/usr/lib/libphpcpp.so
|
|
|
|
-sgx.trusted_files.libprotobuf=file:/usr/lib/x86_64-linux-gnu/libprotobuf.so.9
|
|
|
|
-sgx.trusted_files.libuuid=file:/lib/x86_64-linux-gnu/libuuid.so.1
|
|
|
|
-sgx.trusted_files.libcrypto = file:/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
|
|
|
|
-
|
|
|
|
-
|
|
|
|
-## Apache PHP modules (LoadModule command in httpd.conf)
|
|
|
|
-
|
|
|
|
-sgx.trusted_files.mod_authz_core=file:obj/modules/mod_authz_core.so
|
|
|
|
-sgx.trusted_files.mod_access_compat=file:obj/modules/mod_access_compat.so
|
|
|
|
-sgx.trusted_files.mod_filter=file:obj/modules/mod_filter.so
|
|
|
|
-sgx.trusted_files.mod_mime=file:obj/modules/mod_mime.so
|
|
|
|
-sgx.trusted_files.mod_log_config=file:obj/modules/mod_log_config.so
|
|
|
|
-sgx.trusted_files.mod_log_debug=file:obj/modules/mod_log_debug.so
|
|
|
|
-sgx.trusted_files.mod_unixd=file:obj/modules/mod_unixd.so
|
|
|
|
-sgx.trusted_files.mod_status=file:obj/modules/mod_status.so
|
|
|
|
-sgx.trusted_files.mod_dir=file:obj/modules/mod_dir.so
|
|
|
|
-sgx.trusted_files.libphp7=file:obj/modules/libphp7.so
|
|
|
|
|
|
|
|
|
|
+# Apache modules and dependencies
|
|
|
|
+$(HTTPD_TRUSTED_MODS)
|
|
|
|
+$(HTTPD_TRUSTED_LIBS)
|
|
|
|
+
|
|
|
|
+# Apache configuration (trusted)
|
|
|
|
+sgx.trusted_files.conf1 = file:$(INSTALL_DIR)/conf/httpd-graphene.conf
|
|
|
|
+sgx.trusted_files.conf2 = file:$(INSTALL_DIR)/conf/extra/httpd-ssl-graphene.conf
|
|
|
|
+sgx.trusted_files.conf3 = file:$(INSTALL_DIR)/conf/mime.types
|
|
|
|
+
|
|
|
|
+# Apache SSL/TLS files (trusted)
|
|
|
|
+sgx.trusted_files.server_cert = file:$(INSTALL_DIR)/conf/server.crt
|
|
|
|
+sgx.trusted_files.server_key = file:$(INSTALL_DIR)/conf/server.key
|
|
|
|
+
|
|
|
|
+# Apache HTTP documents (trusted)
|
|
|
|
+# We only specify those documents used in our tests/benchmarks.
|
|
|
|
+sgx.trusted_files.htdocs1 = file:$(INSTALL_DIR)/htdocs/index.html
|
|
|
|
+sgx.trusted_files.htdocs2 = file:$(INSTALL_DIR)/htdocs/random/10K.1.html
|
|
|
|
+
|
|
|
|
+# Apache logs directory (untrusted and allowed, since log files are not security-critical)
|
|
|
|
+sgx.allowed_files.logs = file:$(INSTALL_DIR)/logs
|
|
|
|
+
|
|
|
|
+# Name Service Switch (NSS) files, see 'man nsswitch.conf'
|
|
|
|
+sgx.allowed_files.nsswitch = file:/etc/nsswitch.conf
|
|
|
|
+sgx.allowed_files.ethers = file:/etc/ethers
|
|
|
|
+sgx.allowed_files.hosts = file:/etc/hosts
|
|
|
|
+sgx.allowed_files.group = file:/etc/group
|
|
|
|
+sgx.allowed_files.passwd = file:/etc/passwd
|
|
|
|
+
|
|
|
|
+# getaddrinfo(3) configuration file, see 'man gai.conf'
|
|
|
|
+sgx.allowed_files.gaiconf = file:/etc/gai.conf
|
|
|
|
+
|
|
|
|
+sgx.trusted_files.indexphp = file:$(INSTALL_DIR)/htdocs/index.php
|
|
|
|
+sgx.trusted_files.actionphp = file:$(INSTALL_DIR)/htdocs/action.php
|
|
|
|
+sgx.trusted_files.phpini = file:$(INSTALL_DIR)/lib/php.ini
|
|
|
|
+sgx.trusted_files.mainextension=file:$(INSTALL_DIR)/modules/localattestation_decryption.so
|
|
|
|
+sgx.trusted_files.libphpcpp=file:/usr/lib/libphpcpp.so.2.1
|
|
|
|
+sgx.trusted_files.libprotobuf=file:/usr/lib/x86_64-linux-gnu/libprotobuf.so.9
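Review bot: The new `sgx.trusted_files.server_key = file:$(INSTALL_DIR)/conf/server.key` entry gives the TLS private key integrity protection only. A trusted file is checked against a hash recorded in the signed manifest, but it is stored and read as plaintext on the host, so the host that the enclave is meant to exclude can still read the key. The heading "Apache SSL/TLS files (trusted)" reads as if the key were protected, so I would add a comment above that line such as `# NOTE: trusted_files are integrity-checked, not encrypted; server.key is readable on the host. Test/benchmark setup only.` A similar caveat belongs on the `sgx.allowed_files.*` entries for `/etc/nsswitch.conf`, `/etc/ethers`, `/etc/hosts`, `/etc/group`, `/etc/passwd` and `/etc/gai.conf`: these are not verified at all, so name resolution and user lookup inside the enclave follow whatever the host supplies.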
|