
Catching up with the Intel SGX driver and SDK

The latest Intel SGX driver allows creating enclave at lower addresses.
Thus, we can deprecate most functionality of the Graphene-SGX driver,
except setting the CR4 register to enable WRFSGSBASE.

The new driver is backward-compatible to SGX driver 1.6 and 1.7, but
requires driver version to be specified at compilation.

The new driver will interrupt the compilation of the whole Graphene-SGX PAL
at the first time, to ask for the SGX driver path and version.

Also changed the interaction with AESMD through a new UNIX socket path
(but old domain name is still tried).
Chia-Che Tsai 6 years ago
commit
70bf28d2e2

+ 6 - 2
Pal/src/host/Linux-SGX/Makefile

@@ -1,6 +1,6 @@
 include Makefile.am
 
-CFLAGS	+= -I. -Iinclude -I../.. -I../../../include -I../../../lib
+CFLAGS	+= -I. -Iinclude -I../.. -I../../../include -I../../../lib -Isgx-driver
 ASFLAGS += -I. -I../.. -I../../../include
 
 host_files = libpal-Linux-SGX.a pal-sgx debugger/sgx_gdb.so
@@ -15,7 +15,8 @@ enclave-asm-objs = enclave_entry $(patsubst %.S,%,$(wildcard crypto/*.S))
 urts-objs = $(addprefix sgx_,enclave framework main rtld thread process exception graphene)
 urts-asm-objs = sgx_entry
 graphene_lib = ../../.lib/graphene-lib.a
-headers	= $(wildcard *.h) $(wildcard ../../*.h) $(wildcard ../../../lib/*.h)
+headers	= $(wildcard *.h) $(wildcard ../../*.h) $(wildcard ../../../lib/*.h) \
+	  $(addprefix sgx-driver/,graphene-sgx.h isgx_version.h)
 
 all: $(host_files)
 
@@ -65,6 +66,9 @@ debugger/sgx_gdb.so: debugger/sgx_gdb.c debugger/sgx_gdb.h sgx_arch.h
 	$(CC) -Wall -fPIC -O2 -std=gnu99 -fgnu89-inline -c debugger/sgx_gdb.c -o debugger/sgx_gdb.o
 	$(LD) -shared debugger/sgx_gdb.o -o debugger/sgx_gdb.so -lc
 
+sgx-driver/isgx_version.h:
+	cd sgx-driver && make isgx_version.h
+
 ../../libpal.so: ../../libpal-enclave.so
 	ln -s libpal-enclave.so $@
 

+ 1 - 0
Pal/src/host/Linux-SGX/sgx-driver/.gitignore

@@ -7,3 +7,4 @@ Module.symvers
 modules.order
 .tmp_versions
 linux-sgx-driver
+isgx_version.h

+ 10 - 3
Pal/src/host/Linux-SGX/sgx-driver/Makefile

@@ -1,18 +1,25 @@
 ifneq ($(KERNELRELEASE),)
-	ccflags-y += -I$(PWD)/linux-sgx-driver
 	graphene-sgx-y := \
+		gsgx_ioctl_1_6.o \
+		gsgx_ioctl_1_7.o \
+		gsgx_fsgsbase.o \
 		gsgx_main.o
 	obj-m += graphene-sgx.o
 else
 KDIR := /lib/modules/$(shell uname -r)/build
 PWD  := $(shell pwd)
 
-default: linux-sgx-driver/isgx.h
+default: isgx_version.h linux-sgx-driver
 	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) CFLAGS_MODULE="-DDEBUG -g -O0" modules
 
-linux-sgx-driver/isgx.h:
+.INTERMEDIATE: link-sgx-driver
+link-sgx-driver:
 	@./link-intel-driver.py
+
+isgx_version.h linux-sgx-driver: link-sgx-driver
+
 endif
 
 clean:
+	rm -vrf linux-sgx-driver isgx_version.h
 	rm -vrf *.o *.ko *.order *.symvers *.mod.c .tmp_versions .*o.cmd

+ 46 - 0
Pal/src/host/Linux-SGX/sgx-driver/graphene-sgx.h

@@ -5,9 +5,25 @@
 #include <linux/stddef.h>
 #include <linux/types.h>
 
+#include "isgx_version.h"
+
 #define GSGX_FILE	"/dev/gsgx"
 #define GSGX_MINOR	MISC_DYNAMIC_MINOR
 
+#if SDK_DRIVER_VERSION >= KERNEL_VERSION(1, 8, 0)
+
+#ifndef __packed
+#define __packed __attribute__((packed))
+#endif
+
+#include "linux-sgx-driver/sgx_user.h"
+
+#endif
+
+#if SDK_DRIVER_VERSION < KERNEL_VERSION(1, 8, 0)
+
+#include "linux-sgx-driver/isgx_user.h"
+
 #define GSGX_IOCTL_ENCLAVE_CREATE	_IOWR('p', 0x01, struct gsgx_enclave_create)
 #define GSGX_IOCTL_ENCLAVE_ADD_PAGES	_IOW('p',  0x02, struct gsgx_enclave_add_pages)
 #define GSGX_IOCTL_ENCLAVE_INIT		_IOW('p',  0x03, struct gsgx_enclave_init)
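Review bot: Both `#if SDK_DRIVER_VERSION ...` tests fall through to the pre-1.8 branch without any diagnostic when `KERNEL_VERSION` is available but `SDK_DRIVER_VERSION` is not, because an undefined identifier evaluates to 0 in `#if`. Since `isgx_version.h` is generated from a value typed in at build time, a guard directly after the include would turn a missing or truncated header into a build error: `#ifndef SDK_DRIVER_VERSION` / `#error "isgx_version.h did not define SDK_DRIVER_VERSION"` / `#endif`. The `#define __packed` fallback is also seen by user-space code that includes this header (sgx_framework.c does), so a one-line comment saying it exists only for `sgx_user.h` would help.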
@@ -35,4 +51,34 @@ struct gsgx_enclave_init {
 	uint64_t einittoken;
 };
 
+#endif /* SDK_DRIVER_VERSION < KERNEL_VERSION(1, 8, 0) */
+
+#if SDK_DRIVER_VERSION == KERNEL_VERSION(1, 6, 0)
+#define SGX_SUCCESS			ISGX_SUCCESS
+#define SGX_INVALID_SIG_STRUCT		ISGX_INVALID_SIG_STRUCT
+#define SGX_INVALID_ATTRIBUTE		ISGX_INVALID_ATTRIBUTE
+#define SGX_BLKSTATE			ISGX_BLKSTATE
+#define SGX_INVALID_MEASUREMENT		ISGX_INVALID_MEASUREMENT
+#define SGX_NOTBLOCKABLE		ISGX_NOTBLOCKABLE
+#define SGX_PG_INVLD			ISGX_PG_INVLD
+#define SGX_LOCKFAIL			ISGX_LOCKFAIL
+#define SGX_INVALID_SIGNATURE		ISGX_INVALID_SIGNATURE
+#define SGX_MAC_COMPARE_FAIL		ISGX_MAC_COMPARE_FAIL
+#define SGX_PAGE_NOT_BLOCKED		ISGX_PAGE_NOT_BLOCKED
+#define SGX_NOT_TRACKED			ISGX_NOT_TRACKED
+#define SGX_VA_SLOT_OCCUPIED		ISGX_VA_SLOT_OCCUPIED
+#define SGX_CHILD_PRESENT		ISGX_CHILD_PRESENT
+#define SGX_ENCLAVE_ACT			ISGX_ENCLAVE_ACT
+#define SGX_ENTRYEPOCH_LOCKED		ISGX_ENTRYEPOCH_LOCKED
+#define SGX_INVALID_LICENSE		ISGX_INVALID_LICENSE
+#define SGX_PREV_TRK_INCMPL 		ISGX_PREV_TRK_INCMPL
+#define SGX_PG_IS_SECS 			ISGX_PG_IS_SECS
+#define SGX_INVALID_CPUSVN		ISGX_INVALID_CPUSVN
+#define SGX_INVALID_ISVSVN		ISGX_INVALID_ISVSVN
+#define SGX_UNMASKED_EVENT		ISGX_UNMASKED_EVENT
+#define SGX_INVALID_KEYNAME		ISGX_INVALID_KEYNAME
+#define SGX_POWER_LOST_ENCLAVE		ISGX_POWER_LOST_ENCLAVE
+#define SGX_LE_ROLLBACK			ISGX_LE_ROLLBACK
+#endif
+
 #endif /* _X86_GSGX_USER_H */

+ 35 - 25
Pal/src/host/Linux-SGX/sgx-driver/gsgx.h

@@ -1,25 +1,35 @@
-/*
- * (C) Copyright 2013 Intel Corporation
- * Author: Jarkko Sakkinen <jarkko.sakkinen@intel.com>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; version 2
- * of the License.
- */
-
-#ifndef __ARCH_GSGX_H__
-#define __ARCH_GSGX_H__
-
-#include <isgx.h>
-#include <isgx_arch.h>
-#include <isgx_user.h>
-
-#include "graphene-sgx.h"
-#include "isgx_ksyms.h"
-
-extern struct vm_operations_struct gsgx_vm_ops;
-
-long gsgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg);
-
-#endif /* __ARCH_X86_GSGX_H__ */
+/*
+ * (C) Copyright 2013 Intel Corporation
+ * Author: Jarkko Sakkinen <jarkko.sakkinen@intel.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; version 2
+ * of the License.
+ */
+
+#ifndef __ARCH_GSGX_H__
+#define __ARCH_GSGX_H__
+
+#include "isgx_version.h"
+#include "graphene-sgx.h"
+
+#if SDK_DRIVER_VERSION < KERNEL_VERSION(1, 8, 0)
+
+#include "isgx_ksyms.h"
+
+extern struct file *isgx_dev;
+
+extern long gsgx_ioctl(struct file *, unsigned int, unsigned long);
+extern int gsgx_mmap(struct file *, struct vm_area_struct *);
+extern unsigned long gsgx_get_unmapped_area(struct file *, unsigned long,
+					    unsigned long, unsigned long,
+					    unsigned long);
+
+extern int gsgx_lookup_ksyms(void);
+
+#endif
+
+extern int gsgx_open(struct inode *, struct file *);
+
+#endif /* __ARCH_GSGX_H__ */

+ 21 - 208
Pal/src/host/Linux-SGX/sgx-driver/gsgx_main.c

@@ -1,6 +1,6 @@
 /*
- * (C) Copyright 2013 Intel Corporation
- * Author: Jarkko Sakkinen <jarkko.sakkinen@intel.com>
+ * (C) Copyright 2015 Intel Corporation
+ * Author: Chia-Che Tsai <chiache-che.tsai@intel.com>
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
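Review bot: The new author line gives `chiache-che.tsai@intel.com`, which does not match the `chia-che.tsai@intel.com` in `MODULE_AUTHOR` further down the same file, so one of the two is presumably a typo. The hunk also replaces the 2013 copyright and author line instead of adding to it, which is worth confirming given that parts of the original file are kept.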
@@ -11,178 +11,30 @@
 #include <linux/module.h>
 #include <linux/kernel.h>
 #include <linux/version.h>
-#include <linux/highmem.h>
+#include <linux/fs.h>
 #include <linux/miscdevice.h>
-#include <linux/module.h>
-#include <linux/vmalloc.h>
-#include <linux/security.h>
-#include <asm/tlbflush.h>
+
 #include "gsgx.h"
 
 #define DRV_DESCRIPTION "Graphene SGX Driver"
-#define DRV_VERSION "0.10"
+#define DRV_VERSION "0.10-" SDK_DRIVER_VERSION_STRING
 
 MODULE_DESCRIPTION(DRV_DESCRIPTION);
 MODULE_AUTHOR("Chia-Che Tsai <chia-che.tsai@intel.com>");
 MODULE_VERSION(DRV_VERSION);
 
-IMPORT_KSYM(dac_mmap_min_addr);
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
-static void __enable_fsgsbase(void *v)
-{
-	write_cr4(read_cr4() | X86_CR4_FSGSBASE);
-}
-#endif
-
-static long gsgx_ioctl_enclave_create(struct file *filep, unsigned int cmd,
-				      unsigned long arg)
-{
-	struct gsgx_enclave_create *createp = (struct gsgx_enclave_create *) arg;
-	struct sgx_enclave_create isgx_create;
-	unsigned long old_mmap_min_addr = *KSYM(dac_mmap_min_addr);
-	int ret;
-
-	if (createp->src != GSGX_ENCLAVE_CREATE_NO_ADDR &&
-	    createp->src < old_mmap_min_addr) {
-		*KSYM(dac_mmap_min_addr) = createp->src;
-		old_mmap_min_addr = 0;
-	}
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
-	__enable_fsgsbase(NULL);
-	smp_call_function(__enable_fsgsbase, NULL, 1);
-#endif
-
-	isgx_create.src = createp->src;
-	filep->private_data = (void *) createp->src;
-
-	ret = KSYM(isgx_ioctl_enclave_create)(filep, SGX_IOC_ENCLAVE_CREATE,
-					      (unsigned long) &isgx_create);
-
-	if (old_mmap_min_addr)
-		*KSYM(dac_mmap_min_addr) = old_mmap_min_addr;
-	return ret;
-}
-
-static long gsgx_ioctl_enclave_add_pages(struct file *filep, unsigned int cmd,
-					 unsigned long arg)
-{
-	struct gsgx_enclave_add_pages *addp = (struct gsgx_enclave_add_pages *) arg;
-	struct sgx_enclave_add_page isgx_add;
-	uint64_t off;
-	int ret = 0;
-
-	if (!addp->addr || (addp->addr & (PAGE_SIZE - 1)))
-		return -EINVAL;
-	if (!addp->size || (addp->size & (PAGE_SIZE - 1)))
-		return -EINVAL;
-	if (!addp->secinfo)
-		return -EINVAL;
-
-	isgx_add.secinfo = addp->secinfo;
-
-	for (off = 0 ; off < addp->size ; off += PAGE_SIZE) {
-		isgx_add.addr = addp->addr + off;
-		isgx_add.src =
-			addp->flags & GSGX_ENCLAVE_ADD_PAGES_REPEAT_SRC ?
-			addp->user_addr : addp->user_addr + off;
-		isgx_add.mrmask =
-			addp->flags & GSGX_ENCLAVE_ADD_PAGES_SKIP_EEXTEND ?
- 		        0 : ~0;
-		ret = KSYM(isgx_ioctl_enclave_add_page)(filep,
-			SGX_IOC_ENCLAVE_ADD_PAGE, (unsigned long) &isgx_add);
-		if (ret < 0)
-			break;
-	}
-
-	return ret;
-}
-
-static long gsgx_ioctl_enclave_init(struct file *filep, unsigned int cmd,
-				    unsigned long arg)
-{
-	struct gsgx_enclave_init *initp = (struct gsgx_enclave_init *) arg;
-	struct sgx_enclave_init isgx_init;
-
-	isgx_init.addr = initp->addr;
-	isgx_init.sigstruct = initp->sigstruct;
-	isgx_init.einittoken = initp->einittoken;
-
-	return KSYM(isgx_ioctl_enclave_init)(filep, SGX_IOC_ENCLAVE_INIT,
-					     (unsigned long) &isgx_init);
-}
-
-typedef long (*ioctl_t)(struct file *filep, unsigned int cmd, unsigned long arg);
-
-long gsgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
-{
-	char data[256];
-	ioctl_t handler = NULL;
-	long ret;
-
-	switch (cmd) {
-		case GSGX_IOCTL_ENCLAVE_CREATE:
-			handler = gsgx_ioctl_enclave_create;
-			break;
-		case GSGX_IOCTL_ENCLAVE_ADD_PAGES:
-			handler = gsgx_ioctl_enclave_add_pages;
-			break;
-		case GSGX_IOCTL_ENCLAVE_INIT:
-			handler = gsgx_ioctl_enclave_init;
-			break;
-		default:
-			return -EINVAL;
-	}
-
-	if (copy_from_user(data, (void __user *) arg, _IOC_SIZE(cmd)))
-		return -EFAULT;
-
-	ret = handler(filep, cmd, (unsigned long) ((void *) data));
-
-	if (!ret && (cmd & IOC_OUT)) {
-		if (copy_to_user((void __user *) arg, data, _IOC_SIZE(cmd)))
-			return -EFAULT;
-	}
-
-	return ret;
-}
-
-static int gsgx_mmap(struct file *file, struct vm_area_struct *vma)
-{
-	return KSYM(isgx_mmap)(file, vma);
-}
-
-static unsigned long gsgx_get_unmapped_area(struct file *file,
-					    unsigned long addr,
-					    unsigned long len,
-					    unsigned long pgoff,
-					    unsigned long flags)
-{
-	if (file->private_data == (void *) GSGX_ENCLAVE_CREATE_NO_ADDR) {
-		unsigned long unmapped_addr =
-			KSYM(isgx_get_unmapped_area)(file, addr, len,
-						     pgoff, flags);
-		file->private_data = (void *) unmapped_addr;
-		return unmapped_addr;
-	} else {
-		unsigned long unmapped_addr = (unsigned long) file->private_data;
-		struct mm_struct *mm = current->mm;
-		struct vm_area_struct *vma = find_vma(mm, unmapped_addr);
-		if (vma && vma->vm_start <= len)
-			return -EINVAL;
-		return unmapped_addr;
-	}
-}
-
 static const struct file_operations gsgx_fops = {
 	.owner		= THIS_MODULE,
+	.open		= gsgx_open,
+
+#if SDK_DRIVER_VERSION < KERNEL_VERSION(1, 8, 0)
 	.unlocked_ioctl	= gsgx_ioctl,
 #ifdef CONFIG_COMPAT
 	.compat_ioctl	= gsgx_ioctl,
 #endif
 	.mmap		= gsgx_mmap,
 	.get_unmapped_area = gsgx_get_unmapped_area,
+#endif
 };
 
 static struct miscdevice gsgx_dev = {
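Review bot: `.open = gsgx_open` is the only file operation left when the module is built for a 1.8+ driver, yet nothing here says what opening the device does, and `gsgx_open` is defined outside the visible hunks. Going by the commit message, the module's remaining job is setting CR4 to enable WRFSGSBASE, and the node is still registered with `.mode = S_IRUGO | S_IWUGO` (context of the next hunk), so any local user can open it. A comment above `.open` that states the side effect and the intended callers is suggested, for example `/* open() enables FSGSBASE in CR4; confirm against the handler */`, and it is worth checking whether the node needs to be world-accessible at all.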
@@ -192,51 +44,10 @@ static struct miscdevice gsgx_dev = {
 	.mode	= S_IRUGO | S_IWUGO,
 };
 
-IMPORT_KSYM_PROTO(isgx_ioctl_enclave_create, long,
-	struct file *filep, unsigned int cmd, unsigned long arg);
-IMPORT_KSYM_PROTO(isgx_ioctl_enclave_init, long,
-	struct file *filep, unsigned int cmd, unsigned long arg);
-IMPORT_KSYM_PROTO(isgx_ioctl_enclave_add_page, long,
-	struct file *filep, unsigned int cmd, unsigned long arg);
-
-IMPORT_KSYM(isgx_enclave_release);
-IMPORT_KSYM_PROTO(isgx_mmap, int, struct file *, struct vm_area_struct *);
-IMPORT_KSYM_PROTO(isgx_get_unmapped_area, unsigned long,
-	struct file *, unsigned long, unsigned long,
-	unsigned long, unsigned long);
-
-static int gsgx_lookup_ksyms(void)
-{
-	int ret;
-	if ((ret = LOOKUP_KSYM(dac_mmap_min_addr)))
-		return ret;
-	if ((ret = LOOKUP_KSYM(isgx_ioctl_enclave_create)))
-		return ret;
-	if ((ret = LOOKUP_KSYM(isgx_ioctl_enclave_init)))
-		return ret;
-	if ((ret = LOOKUP_KSYM(isgx_ioctl_enclave_add_page)))
-		return ret;
-	if ((ret = LOOKUP_KSYM(isgx_enclave_release)))
-		return ret;
-	if ((ret = LOOKUP_KSYM(isgx_mmap)))
-		return ret;
-	if ((ret = LOOKUP_KSYM(isgx_get_unmapped_area)))
-		return ret;
-	return 0;
-}
-
-struct file *isgx_dev;
-
 static int gsgx_setup(void)
 {
-	unsigned cpu;
 	int ret;
 
-	isgx_dev = filp_open("/dev/isgx", O_RDONLY, 0);
-	if (!isgx_dev) {
-		return PTR_ERR(isgx_dev);
-	}
-
 	ret = misc_register(&gsgx_dev);
 	if (ret) {
 		pr_err("gsgx: misc_register() failed\n");
@@ -244,9 +55,16 @@ static int gsgx_setup(void)
 		return ret;
 	}
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 0, 0)
-	for_each_online_cpu(cpu) {
-		per_cpu(cpu_tlbstate.cr4, cpu) |= X86_CR4_FSGSBASE;
+#if SDK_DRIVER_VERSION < KERNEL_VERSION(1, 8, 0)
+	isgx_dev = filp_open("/dev/isgx", O_RDONLY, 0);
+	if (!isgx_dev) {
+		return PTR_ERR(isgx_dev);
+	}
+
+	ret = gsgx_lookup_ksyms();
+	if (ret) {
+		pr_err("gsgx: lookup kernel symbols failed\n");
+		return ret;
 	}
 #endif
 
@@ -258,8 +76,10 @@ static void gsgx_teardown(void)
 	if (gsgx_dev.this_device)
 		misc_deregister(&gsgx_dev);
 
+#if SDK_DRIVER_VERSION < KERNEL_VERSION(1, 8, 0)
 	if (isgx_dev)
 		filp_close(isgx_dev, NULL);
+#endif
 }
 
 static int __init gsgx_init(void)
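Review bot: `filp_close(isgx_dev, NULL)` can be reached with an error pointer, because the setup code added in the previous hunk tests `if (!isgx_dev)` after `filp_open()`, and filp_open() reports failure with an ERR_PTR value rather than NULL. As written, gsgx_setup does not notice the failure and the `if (isgx_dev)` test here passes for that value. Suggested check in gsgx_setup: `if (IS_ERR(isgx_dev)) { ret = PTR_ERR(isgx_dev); isgx_dev = NULL; return ret; }`. That hunk also calls `misc_register()` before `gsgx_lookup_ksyms()`, so the node may be usable before the symbols are resolved; registering the device last would close that window. gsgx_teardown starts outside this hunk.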
@@ -268,15 +88,8 @@ static int __init gsgx_init(void)
 
 	pr_info("gsgx: " DRV_DESCRIPTION " v" DRV_VERSION "\n");
 
-	ret = gsgx_lookup_ksyms();
-	if (ret) {
-		pr_err("Likely module \"isgx\" is not loaded\n");
-		return ret;
-	}
-
 	ret = gsgx_setup();
 	if (ret) {
-		pr_err("Likely module \"isgx\" is not loaded\n");
 		gsgx_teardown();
 		return ret;
 	}

+ 7 - 0
Pal/src/host/Linux-SGX/sgx-driver/isgx_ksyms.h

@@ -1,6 +1,11 @@
 #ifndef _ISGX_KSYMS_H
 #define _ISGX_KSYMS_H
 
+#include "isgx_version.h"
+
+#if SDK_DRIVER_VERSION < KERNEL_VERSION(1, 8, 0)
+
+#include "linux-sgx-driver/isgx.h"
 #include "ksyms.h"
 
 extern IMPORT_KSYM_PROTO(isgx_ioctl_enclave_create, long,
@@ -18,3 +23,5 @@ extern IMPORT_KSYM_PROTO(isgx_get_unmapped_area, unsigned long,
 	unsigned long, unsigned long);
 
 #endif
+
+#endif

+ 46 - 13
Pal/src/host/Linux-SGX/sgx-driver/link-intel-driver.py

@@ -1,27 +1,60 @@
 #!/usr/bin/python
 
-
-import sys, os, string, subprocess, shutil, fileinput, multiprocessing, re, resource
+import sys, os, re
 
 try:
-    #########################################
-    #### get the locations of directories ###
-    #########################################
+    # get the locations of directories
+    print "\n" + \
+          "*****************************************************************\n" + \
+          "Make sure you have downloaded and installed the Intel sgx driver \n" + \
+          "from https://github.com/01org/linux-sgx-driver.\n" + \
+          "*****************************************************************\n" + \
+          "\n"
+
+    while True:
+        isgx_path = raw_input('Enter the Intel SGX driver derctory: ')
+        if os.path.exists(isgx_path + '/sgx.h'):
+            break
+        if os.path.exists(isgx_path + '/isgx.h'):
+            break
+        print '{0} is not a directory for the Intel SGX driver'.format(isgx_path)
 
-    print "Make sure you have downloaded and installed the Intel sgx driver " + \
-          "from https://github.com/01org/linux-sgx-driver."
+
+    # get the driver version
     while True:
-        isgx = raw_input('Enter the Intel sgx driver derctory: ')
-        if os.path.exists(isgx + '/isgx.h'):
+        isgx_version = raw_input('Enter the driver version (default: 1.8): ')
+        if not isgx_version:
+            isgx_version_major = 1
+            isgx_version_minor = 8
+            break
+        m = re.match('([1-9])\.([0-9]+)', isgx_version)
+        if m:
+            isgx_version_major = m.group(1)
+            isgx_version_minor = m.group(2)
             break
-        print '{0} is not a directory for the Intel sgx driver'.format(isgx)
+        print '{0} is not a valid version (x.xx)'.format(isgx_version)
+
 
+    # create a symbolic link called 'linux-sgx-driver'
     isgx_link = 'linux-sgx-driver'
-    isgx = os.path.abspath(isgx)
-    print isgx_link + ' -> ' + isgx
+    isgx_path = os.path.abspath(isgx_path)
+    print isgx_link + ' -> ' + isgx_path
     if os.path.exists(isgx_link):
         os.unlink(isgx_link)
-    os.symlink(isgx, isgx_link)
+    os.symlink(isgx_path, isgx_link)
+
+
+    # create isgx_version.h
+    with open('isgx_version.h', 'w') as versionfile:
+        print 'create isgx_version.h'
+        print >> versionfile, '#include <linux/version.h>'
+        print >> versionfile
+        print >> versionfile, '#define SDK_DRIVER_VERSION KERNEL_VERSION(' + \
+                              str(isgx_version_major) + ',' + \
+                              str(isgx_version_minor) + ',0)'
+        print >> versionfile, '#define SDK_DRIVER_VERSION_STRING "' + \
+                              str(isgx_version_major) + '.' + \
+                              str(isgx_version_minor) + '"'
 
 except:
     print 'uh-oh: {0}'.format(sys.exc_info()[0])
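Review bot: The version check accepts trailing garbage, since `re.match('([1-9])\.([0-9]+)', isgx_version)` is anchored only at the start, so an answer such as `1.8x` is taken as 1.8; `re.match(r'([1-9])\.([0-9]+)$', isgx_version)` rejects it. Nothing compares the answer with the tree that was just probed for `sgx.h` or `isgx.h`, so a mistyped version builds against the wrong ioctl definitions; a warning when the two disagree would help, assuming the header name does identify the driver generation. `os.path.exists(isgx_link)` is false for a dangling link, in which case `os.symlink` fails and the bare `except:` reports only the exception type; `os.path.lexists(isgx_link)` covers that case. The `except` handler may continue past the end of the hunk.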

+ 0 - 2
Pal/src/host/Linux-SGX/sgx_arch.h

@@ -243,8 +243,6 @@ typedef struct {
 
 typedef uint8_t sgx_arch_key128_t[16] __attribute__((aligned(16)));
 
-#include "sgx-driver/graphene-sgx.h"
-
 #else /* !__ASSEMBLER__ */
 
 /* microcode to call ENCLU */

+ 96 - 54
Pal/src/host/Linux-SGX/sgx_framework.c

@@ -6,7 +6,7 @@
 #include "sgx_internal.h"
 #include "sgx_arch.h"
 #include "sgx_enclave.h"
-#include "sgx-driver/graphene-sgx.h"
+#include "graphene-sgx.h"
 
 #include <asm/errno.h>
 
@@ -18,18 +18,12 @@ void * zero_page;
 
 int open_gsgx(void)
 {
-    int fd = INLINE_SYSCALL(open, 3, GSGX_FILE, O_RDWR, 0);
-    if (IS_ERR(fd))
-        return -ERRNO(fd);
-
-    gsgx_device = fd;
-
-    fd = INLINE_SYSCALL(open, 3, ISGX_FILE, O_RDWR, 0);
-    if (IS_ERR(fd))
-        return -ERRNO(fd);
-
-    isgx_device = fd;
-    
+    gsgx_device = INLINE_SYSCALL(open, 3, GSGX_FILE, O_RDWR, 0);
+    if (IS_ERR(gsgx_device))
+        return -ERRNO(gsgx_device);
+    isgx_device = INLINE_SYSCALL(open, 3, ISGX_FILE, O_RDWR, 0);
+    if (IS_ERR(isgx_device))
+        return -ERRNO(isgx_device);
     return 0;
 }
 
@@ -125,8 +119,6 @@ int create_enclave(sgx_arch_secs_t * secs,
                    sgx_arch_token_t * token)
 {
     int flags = MAP_SHARED;
-    if (gsgx_device == -1)
-        return -EACCES;
 
     if (!zero_page) {
         zero_page = (void *)
@@ -148,7 +140,6 @@ int create_enclave(sgx_arch_secs_t * secs,
     memcpy(&secs->mrenclave, &token->mrenclave, sizeof(sgx_arch_hash_t));
     memcpy(&secs->mrsigner,  &token->mrsigner,  sizeof(sgx_arch_hash_t));
 
-    struct gsgx_enclave_create param;
     if (baseaddr) {
         secs->baseaddr = (uint64_t) baseaddr & ~(secs->size - 1);
         flags |= MAP_FIXED;
@@ -156,7 +147,7 @@ int create_enclave(sgx_arch_secs_t * secs,
         secs->baseaddr = 0ULL;
     }
 
-    uint64_t addr = INLINE_SYSCALL(mmap, 6, secs->baseaddr, size,
+    uint64_t addr = INLINE_SYSCALL(mmap, 6, secs->baseaddr, secs->size,
                                    PROT_READ|PROT_WRITE|PROT_EXEC, flags,
                                    isgx_device, 0);
 
@@ -171,13 +162,22 @@ int create_enclave(sgx_arch_secs_t * secs,
     }
 
     secs->baseaddr = addr;
-    param.src = (uint64_t) secs;
+
+#if SDK_DRIVER_VERSION >= KERNEL_VERSION(1, 8, 0)
+    struct sgx_enclave_create param = {
+        .src = (uint64_t) secs,
+    };
+    int ret = INLINE_SYSCALL(ioctl, 3, isgx_device, SGX_IOC_ENCLAVE_CREATE,
+                         &param);
+#else
+    struct gsgx_enclave_create param = {
+        .src = (uint64_t) secs,
+    };
     int ret = INLINE_SYSCALL(ioctl, 3, gsgx_device, GSGX_IOCTL_ENCLAVE_CREATE,
                          &param);
-    
+#endif
+
     if (IS_ERR(ret)) {
-        if (ERRNO(ret) == EBADF)
-            gsgx_device = -1;
         SGX_DBG(DBG_I, "enclave ECREATE failed in enclave creation ioctl - %d\n", ERRNO(ret));
         return -ERRNO(ret);
     }
@@ -208,11 +208,8 @@ int add_pages_to_enclave(sgx_arch_secs_t * secs,
                          bool skip_eextend,
                          const char * comment)
 {
-    if (gsgx_device == -1)
-        return -EACCES;
-
-    struct gsgx_enclave_add_pages param;
     sgx_arch_secinfo_t secinfo;
+    int ret;
 
     memset(&secinfo, 0, sizeof(sgx_arch_secinfo_t));
 
@@ -233,17 +230,6 @@ int add_pages_to_enclave(sgx_arch_secs_t * secs,
             break;
     }
 
-    param.addr = secs->baseaddr + (uint64_t) addr;
-    param.user_addr = (uint64_t) user_addr;
-    param.size = size;
-    param.secinfo = (uint64_t) &secinfo;
-    param.flags = skip_eextend ? GSGX_ENCLAVE_ADD_PAGES_SKIP_EEXTEND : 0;
-
-    if (!param.user_addr) {
-        param.user_addr = (unsigned long) zero_page;
-        param.flags |= GSGX_ENCLAVE_ADD_PAGES_REPEAT_SRC;
-    }
-
     char p[4] = "---";
     const char * t = (type == SGX_PAGE_TCS) ? "TCS" : "REG";
     const char * m = skip_eextend ? "" : " measured";
@@ -265,15 +251,49 @@ int add_pages_to_enclave(sgx_arch_secs_t * secs,
                 addr, addr + size, t, p, comment, m);
 
 
-    int ret = INLINE_SYSCALL(ioctl, 3, gsgx_device,
-                             GSGX_IOCTL_ENCLAVE_ADD_PAGES,
-                             &param);
+#if SDK_DRIVER_VERSION >= KERNEL_VERSION(1, 8, 0)
+    struct sgx_enclave_add_page param = {
+        .addr       = secs->baseaddr + (uint64_t) addr,
+        .src        = (uint64_t) (user_addr ? : zero_page),
+        .secinfo    = (uint64_t) &secinfo,
+        .mrmask     = skip_eextend ? 0 : (uint16_t) -1,
+    };
+
+    uint64_t added_size = 0;
+    while (added_size < size) {
+        ret = INLINE_SYSCALL(ioctl, 3, isgx_device,
+                             SGX_IOC_ENCLAVE_ADD_PAGE, &param);
+        if (IS_ERR(ret)) {
+            SGX_DBG(DBG_I, "Enclave add page returned %d\n", ret);
+            return -ERRNO(ret);
+        }
+
+        param.addr += pagesize;
+        if (param.src != (uint64_t) zero_page) param.src += pagesize;
+        added_size += pagesize;
+    }
+#else
+    struct gsgx_enclave_add_pages param = {
+        .addr       = secs->baseaddr + (uint64_t) addr,
+        .user_addr  = (uint64_t) user_addr,
+        .size       = size,
+        .secinfo    = (uint64_t) &secinfo,
+        .flags      = skip_eextend ? GSGX_ENCLAVE_ADD_PAGES_SKIP_EEXTEND : 0,
+    };
+
+    if (!user_addr) {
+        param.user_addr = (unsigned long) zero_page;
+        param.flags |= GSGX_ENCLAVE_ADD_PAGES_REPEAT_SRC;
+    }
+
+    ret = INLINE_SYSCALL(ioctl, 3, gsgx_device,
+                         GSGX_IOCTL_ENCLAVE_ADD_PAGES,
+                         &param);
     if (IS_ERR(ret)) {
         SGX_DBG(DBG_I, "Enclave add page returned %d\n", ret);
-        if (ERRNO(ret) == EBADF)
-            gsgx_device = -1;
         return -ERRNO(ret);
     }
+#endif
 
     return 0;
 }
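Review bot: The 1.8+ branch of add_pages_to_enclave no longer has the argument checks that the removed kernel handler gsgx_ioctl_enclave_add_pages performed: there a zero or non-page-aligned size returned -EINVAL, whereas the new `while (added_size < size)` loop rounds an unaligned `size` up and adds one more full page, read from beyond the caller's buffer. Because these pages are measured unless `skip_eextend` is set, the size is worth rejecting before the loop, e.g. `if (!size || (size & (pagesize - 1))) return -EINVAL;`. Whether the Intel driver validates `param.addr` itself is not visible on this page. The function starts outside the hunk.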
@@ -282,9 +302,6 @@ int init_enclave(sgx_arch_secs_t * secs,
                  sgx_arch_sigstruct_t * sigstruct,
                  sgx_arch_token_t * token)
 {
-    if (gsgx_device == -1)
-        return -EACCES;
-
     unsigned long enclave_valid_addr =
                 secs->baseaddr + secs->size - pagesize;
 
@@ -295,23 +312,48 @@ int init_enclave(sgx_arch_secs_t * secs,
         SGX_DBG(DBG_I, " %02x", sigstruct->enclave_hash[i]);
     SGX_DBG(DBG_I, "\n");
 
-    struct gsgx_enclave_init param;
-    param.addr = enclave_valid_addr;
-    // DEP 11/6/16: I think sigstruct and token are supposed to
-    //              be pointers in the new driver
-    param.sigstruct = (uint64_t) sigstruct;
-    param.einittoken = (uint64_t) token;
-
+#if SDK_DRIVER_VERSION >= KERNEL_VERSION(1, 8, 0)
+    struct sgx_enclave_init param = {
+        .addr           = enclave_valid_addr,
+        .sigstruct      = (uint64_t) sigstruct,
+        .einittoken     = (uint64_t) token,
+    };
+    int ret = INLINE_SYSCALL(ioctl, 3, isgx_device, SGX_IOC_ENCLAVE_INIT,
+                             &param);
+#else
+    struct gsgx_enclave_init param = {
+        .addr           = enclave_valid_addr,
+        .sigstruct      = (uint64_t) sigstruct,
+        .einittoken     = (uint64_t) token,
+    };
     int ret = INLINE_SYSCALL(ioctl, 3, gsgx_device, GSGX_IOCTL_ENCLAVE_INIT,
                              &param);
+#endif
+
     if (IS_ERR(ret)) {
-        if (ERRNO(ret) == EBADF)
-            gsgx_device = -1;
         return -ERRNO(ret);
     }
 
     if (ret) {
-        SGX_DBG(DBG_I, "enclave EINIT failed\n");
+        const char * error;
+        /* DEP 3/22/17: Try to improve error messages */
+        switch(ret) {
+        case SGX_INVALID_SIG_STRUCT:
+            error = "Invalid SIGSTRUCT";          break;
+        case SGX_INVALID_ATTRIBUTE:
+            error = "Invalid enclave attribute";  break;
+        case SGX_INVALID_MEASUREMENT:
+            error = "Invalid measurement";        break;
+        case SGX_INVALID_SIGNATURE:
+            error = "Invalid signature";          break;
+        case SGX_INVALID_LICENSE:
+            error = "Invalid EINIT token";        break;
+        case SGX_INVALID_CPUSVN:
+            error = "Invalid CPU SVN";            break;
+        default:
+            error = "Unknown reason";             break;
+        }
+        SGX_DBG(DBG_I, "enclave EINIT failed - %s\n", error);
         return -EPERM;
     }
 

+ 20 - 1
Pal/src/host/Linux-SGX/signer/pal-sgx-get-token

@@ -67,7 +67,26 @@ def connect_aesmd(attr):
     req_msg_raw = req_msg.SerializeToString()
 
     aesm_service = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
-    aesm_service.connect("\0sgx_aesm_socket_base" + "\0" * 87)
+    connected = False
+
+    # try to connect to the unnamed socket (for PSW 1.6 and 1.7)
+    if not connected:
+        try:
+            aesm_service.connect("\0sgx_aesm_socket_base" + "\0" * 87)
+            connected = True
+        except socket.error:
+            pass
+
+    # try to connect to the named socket (for PSW 1.8+)
+    if not connected:
+        try:
+            aesm_service.connect("/var/run/aesmd/aesm.socket")
+            connected = True
+        except socket.error:
+            pass
+
+    if not connected:
+        raise socket.error("Cannot connect to the AESMD service")
 
     aesm_service.send(struct.pack("<I", len(req_msg_raw)))
     aesm_service.send(req_msg_raw)
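Review bot: The abstract-namespace name is tried first, and abstract UNIX sockets carry no file permissions, so on a PSW 1.8+ host where AESMD listens only on `/var/run/aesmd/aesm.socket`, the request goes to whichever local process has bound `\0sgx_aesm_socket_base…`. Trying the filesystem path first and falling back to the abstract name only when that fails keeps the lookup tied to a path protected by directory permissions. Both `except socket.error: pass` blocks discard the reason, so the final `Cannot connect to the AESMD service` error cannot say which attempt failed or why; keeping the last exception and including it in the message would help. connect_aesmd continues outside the hunk.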