
Port PAL to work on latest SGX driver (Issue #12). Fix a few other SGX-related bugs.

Don Porter 7 years ago
parent
commit
d0ca9ada03

+ 4 - 4
LibOS/shim/test/regression/large-mmap.c

@@ -17,16 +17,16 @@ int main() {
     else 
         printf("large-mmap: ftruncate OK\n");
 
-    void* a=mmap(NULL, TEST_LENGTH2, PROT_READ|PROT_WRITE, MAP_SHARED, fileno(fp), 0);
-    if (!a) { perror("mmap"); return 1; }
+    void* a=mmap(NULL, TEST_LENGTH2, PROT_READ|PROT_WRITE, MAP_PRIVATE, fileno(fp), 0);
+    if (a==MAP_FAILED) { perror("mmap 1"); return 1; }
     ((char*)a)[0x80000000]=0xff;
     printf("large-mmap: mmap 1 completed OK\n");
 
     rv = munmap(a, TEST_LENGTH2);
     if (rv) { perror("mumap"); return 1; }
 
-    a=mmap(NULL, TEST_LENGTH, PROT_READ|PROT_WRITE, MAP_SHARED, fileno(fp), 0);
-    if (!a) { perror("mmap"); return 1; }
+    a=mmap(NULL, TEST_LENGTH, PROT_READ|PROT_WRITE, MAP_PRIVATE, fileno(fp), 0);
+    if (a==MAP_FAILED) { perror("mmap 2"); return 1; }
     ((char*)a)[0x100000000]=0xff;
     printf("large-mmap: mmap 2 completed OK\n");
 

+ 23 - 0
LibOS/shim/test/regression/large-mmap.manifest.template

@@ -0,0 +1,23 @@
+loader.preload = file:../../src/libsysdb.so
+loader.env.LD_LIBRARY_PATH = /lib
+loader.debug_type = none
+loader.syscall_symbol = syscalldb
+
+fs.mount.lib.type = chroot
+fs.mount.lib.path = /lib
+fs.mount.lib.uri = file:../../../../Runtime
+
+fs.mount.bin.type = chroot
+fs.mount.bin.path = /bin
+fs.mount.bin.uri = file:/bin
+
+# allow to bind on port 8000
+net.rules.1 = 127.0.0.1:8000:0.0.0.0:0-65535
+# allow to connect to port 8000
+net.rules.2 = 0.0.0.0:0-65535:127.0.0.1:8000
+
+sgx.trusted_files.ld = file:../../../../Runtime/ld-linux-x86-64.so.2
+sgx.trusted_files.libc = file:../../../../Runtime/libc.so.6
+sgx.trusted_files.testfil = file:testfil
+
+sgx.enclave_size = 5G
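Review bot: The two `net.rules` entries look carried over from the shared regression manifest, and nothing in large-mmap.c as shown in this commit opens a socket, so this manifest allows bind/connect on port 8000 that the test does not appear to need; dropping both lines keeps the enclave's permitted surface to the file it maps. Separately, `sgx.enclave_size = 5G` is not a power of two, while create_enclave in sgx_framework.c aligns the base with `~(secs->size - 1)`, which is only correct for power-of-two sizes. Unless the loader rounds the value up (not visible here), `sgx.enclave_size = 8G` would be the safer spelling, with a comment such as `# must be a power of two and large enough for the mappings the test creates`.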

+ 3 - 0
LibOS/shim/test/regression/manifest.template

@@ -15,3 +15,6 @@ fs.mount.bin.uri = file:/bin
 net.rules.1 = 127.0.0.1:8000:0.0.0.0:0-65535
 # allow to connect to port 8000
 net.rules.2 = 0.0.0.0:0-65535:127.0.0.1:8000
+
+sgx.trusted_files.ld = file:../../../../Runtime/ld-linux-x86-64.so.2
+sgx.trusted_files.libc = file:../../../../Runtime/libc.so.6

+ 1 - 1
Pal/regression/Exception.c

@@ -54,7 +54,7 @@ int main (void)
     asm volatile("nop");
 
     DkSetExceptionHandler(handler3, PAL_EVENT_MEMFAULT, 0);
-    *(volatile long *) 0x10000 = 0;
+    *(volatile long *) 0x1000 = 0;
     asm volatile("nop");
 
     return 0;
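Review bot: The store target `0x1000` is an unexplained magic address, and the test only passes if that page is unmapped in every configuration the PAL runs in. A one-line comment above the store would record the assumption, for example `/* 0x1000 is expected to be unmapped, so this store must raise PAL_EVENT_MEMFAULT */`. It would also help to say why `0x10000` stopped being suitable; from the rest of this commit it looks related to where the enclave is now mapped, but that is an inference. main starts above the hunk.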

+ 10 - 5
Pal/src/host/Linux-SGX/db_files.c

@@ -66,11 +66,11 @@ static int file_open (PAL_HANDLE * handle, const char * type, const char * uri,
     hdl->file.realpath = (PAL_STR) path;
 
     sgx_checksum_t * stubs;
-    unsigned int total;
+    uint64_t total;
     int ret = load_trusted_file(hdl, &stubs, &total);
     if (ret < 0) {
-        SGX_DBG(DBG_E, "Accessing file:%s is denied. "
-                "This file is not trusted or allowed.\n", hdl->file.realpath);
+        SGX_DBG(DBG_E, "Accessing file:%s is denied. (%d)"
+                "This file is not trusted or allowed.\n", hdl->file.realpath, ret);
         free(hdl);
         return -PAL_ERROR_DENIED;
     }
@@ -184,8 +184,10 @@ static int file_map (PAL_HANDLE handle, void ** addr, int prot,
     void * umem;
     int ret;
 
-    if (!(prot & PAL_PROT_WRITECOPY) && (prot & PAL_PROT_WRITE))
+    if (!(prot & PAL_PROT_WRITECOPY) && (prot & PAL_PROT_WRITE)) {
+        SGX_DBG(DBG_E, "file_map does not currently support writeable pass-through mappings on SGX.  You may add the PAL_PROT_WRITECOPY (MAP_PRIVATE) flag to your file mapping to keep the writes inside the enclave but they won't be reflected outside of the enclave.\n");
         return -PAL_ERROR_DENIED;
+    }
 
     unsigned long end = (offset + size > total) ? total : offset + size;
     unsigned long map_start, map_end;
@@ -200,8 +202,10 @@ static int file_map (PAL_HANDLE handle, void ** addr, int prot,
 
     ret = ocall_map_untrusted(handle->file.fd, map_start,
                               map_end - map_start, PROT_READ, &umem);
-    if (ret < 0)
+    if (ret < 0) {
+        SGX_DBG(DBG_E, "file_map - ocall returned %d\n", ret);
         return ret;
+    }
 
     if (stubs) {
         ret = verify_trusted_file(handle->file.realpath, umem,
@@ -209,6 +213,7 @@ static int file_map (PAL_HANDLE handle, void ** addr, int prot,
                                   stubs, total);
 
         if (ret < 0) {
+            SGX_DBG(DBG_E, "file_map - verify trusted returned %d\n", ret);
             ocall_unmap_untrusted(umem, map_start - map_end);
             return ret;
         }
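Review bot: The cleanup call on the verification-failure path passes `map_start - map_end`, the reverse of the `map_end - map_start` length used for ocall_map_untrusted a few lines earlier, and this commit widens the size parameter to `uint64_t`, so the negative difference now converts to a near-2^64 length. The unmap will most likely be rejected, leaving the untrusted mapping in place whenever a trusted file fails its hash check. The line should read `ocall_unmap_untrusted(umem, map_end - map_start);`. file_map starts and ends outside the hunk, so other exits from it could not be checked here.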

+ 1 - 1
Pal/src/host/Linux-SGX/db_main.c

@@ -126,7 +126,7 @@ void pal_linux_main(const char ** arguments, const char ** environments,
     unsigned long start_time = _DkSystemTimeQuery();
 
     /* relocate PAL itself */
-    pal_map.l_addr = sec_info->enclave_addr;
+    pal_map.l_addr = (ElfW(Addr)) sec_info->enclave_addr;
     pal_map.l_name = sec_info->enclave_image;
     elf_get_dynamic_info((void *) pal_map.l_addr + elf_machine_dynamic(),
                          pal_map.l_info, pal_map.l_addr);

+ 8 - 0
Pal/src/host/Linux-SGX/debugger/sgx_gdb.c

@@ -89,6 +89,9 @@ int host_peekdata (pid_t pid, void * addr, void * data, int size)
     return 0;
 }
 
+// DEP 11/6/16: Can't figure out where this is used, but reluctant to delete
+// just yet
+#if 0
 static
 int host_pokedata (pid_t pid, void * addr, void * data, int size)
 {
@@ -102,6 +105,7 @@ int host_pokedata (pid_t pid, void * addr, void * data, int size)
 
     return 0;
 }
+#endif
 
 static inline
 int host_peektids (int memdev, struct enclave_dbginfo * ei)
@@ -234,6 +238,9 @@ int host_peekregs (int memdev, pid_t pid, struct enclave_dbginfo * ei,
     return 0;
 }
 
+// DEP 11/6/16: Can't figure out where this is used, but reluctant to delete
+// just yet
+#if 0
 static
 int host_peekfpregs (int memdev,pid_t pid, struct enclave_dbginfo * ei,
                      struct user_fpregs_struct * fpregdata)
@@ -247,6 +254,7 @@ int host_peekfpregs (int memdev,pid_t pid, struct enclave_dbginfo * ei,
 
     return 0;
 }
+#endif
 
 
 static struct { pid_t pid; int memdev; struct enclave_dbginfo ei; } memdevs[32];

+ 9 - 9
Pal/src/host/Linux-SGX/enclave_framework.c

@@ -95,8 +95,8 @@ int sgx_verify_report (sgx_arch_report_t * report)
 
 struct trusted_file {
     struct list_head list;
-    int index;
-    unsigned int size;
+    int64_t index;
+    uint64_t size;
     int uri_len;
     char uri[URI_MAX];
     sgx_checksum_t checksum, * stubs;
@@ -109,13 +109,13 @@ static int trusted_file_indexes = 0;
 #include <crypto/sha256.h>
 
 int load_trusted_file (PAL_HANDLE file, sgx_checksum_t ** stubptr,
-                       unsigned int * sizeptr)
+                       uint64_t * sizeptr)
 {
     struct trusted_file * tf = NULL, * tmp;
     char uri[URI_MAX];
     int ret, fd = HANDLE_HDR(file)->fds[0], uri_len;
 
-    if (!(HANDLE_HDR(file)->flags & RFD(0)))
+    if (!(HANDLE_HDR(file)->flags & RFD(0))) 
         return -PAL_ERROR_DENIED;
 
     uri_len = _DkStreamGetName(file, uri, URI_MAX);
@@ -143,10 +143,10 @@ int load_trusted_file (PAL_HANDLE file, sgx_checksum_t ** stubptr,
 
     _DkSpinUnlock(&trusted_file_lock);
 
-    if (!tf)
+    if (!tf) 
         return -PAL_ERROR_DENIED;
 
-    if (tf->index < 0)
+    if (tf->index < 0) 
         return tf->index;
 
     if (tf->index && tf->stubs) {
@@ -170,10 +170,10 @@ int load_trusted_file (PAL_HANDLE file, sgx_checksum_t ** stubptr,
                 (tf->size % TRUSTED_STUB_SIZE ? 1 : 0);
 
     sgx_checksum_t * stubs = malloc(sizeof(sgx_checksum_t) * nstubs);
-    if (!tf)
+    if (!tf) 
         return -PAL_ERROR_NOMEM;
 
-    unsigned long offset = 0;
+    uint64_t offset = 0;
     SHA256 sha;
     void * umem;
 
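Review bot: The check after `malloc(sizeof(sgx_checksum_t) * nstubs)` still tests `tf`, which was already proven non-NULL earlier in load_trusted_file, so a failed allocation is never caught and `stubs` is used as NULL afterwards. The commit only touched this line's whitespace; it should be `if (!stubs) return -PAL_ERROR_NOMEM;`. Because `tf->size` is now 64-bit, `nstubs` can grow large enough for the allocation to fail on big trusted files, so this path becomes reachable in practice. The function starts and ends outside the hunk.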
@@ -182,7 +182,7 @@ int load_trusted_file (PAL_HANDLE file, sgx_checksum_t ** stubptr,
         goto failed;
 
     for (; offset < tf->size ; offset += TRUSTED_STUB_SIZE) {
-        unsigned long mapping_size = tf->size - offset;
+        uint64_t mapping_size = tf->size - offset;
         if (mapping_size > TRUSTED_STUB_SIZE)
             mapping_size = TRUSTED_STUB_SIZE;
 

+ 3 - 3
Pal/src/host/Linux-SGX/enclave_ocalls.c

@@ -115,8 +115,8 @@ int ocall_alloc_untrusted (unsigned int size, void ** mem)
     return retval;
 }
 
-int ocall_map_untrusted (int fd, unsigned int offset,
-                         unsigned int size, unsigned short prot,
+int ocall_map_untrusted (int fd, uint64_t offset,
+                         uint64_t size, unsigned short prot,
                          void ** mem)
 {
     int retval = 0;
@@ -141,7 +141,7 @@ int ocall_map_untrusted (int fd, unsigned int offset,
     return retval;
 }
 
-int ocall_unmap_untrusted (const void * mem, unsigned int size)
+int ocall_unmap_untrusted (const void * mem, uint64_t size)
 {
     int retval = 0;
 

+ 3 - 3
Pal/src/host/Linux-SGX/enclave_ocalls.h

@@ -17,11 +17,11 @@ int ocall_print_string (const char * str, unsigned int length);
 
 int ocall_alloc_untrusted (unsigned int size, void ** mem);
 
-int ocall_map_untrusted (int fd, unsigned int offset,
-                         unsigned int size, unsigned short prot,
+int ocall_map_untrusted (int fd, uint64_t offset,
+                         uint64_t size, unsigned short prot,
                          void ** mem);
 
-int ocall_unmap_untrusted (const void * mem, unsigned int size);
+int ocall_unmap_untrusted (const void * mem, uint64_t size);
 
 int ocall_cpuid (unsigned int leaf, unsigned int subleaf,
                  unsigned int values[4]);

+ 4 - 4
Pal/src/host/Linux-SGX/enclave_pages.c

@@ -11,7 +11,7 @@
 
 static unsigned long pgsz = PRESET_PAGESIZE;
 void * heap_base;
-static unsigned long heap_size;
+static uint64_t heap_size;
 
 struct heap_vma {
     struct list_head list;
@@ -64,7 +64,7 @@ static void assert_vma_list (void)
 #endif
 }
 
-void * get_reserved_pages(void * addr, unsigned int size)
+void * get_reserved_pages(void * addr, uint64_t size)
 {
     if (!size)
         return NULL;
@@ -121,7 +121,7 @@ void * get_reserved_pages(void * addr, unsigned int size)
     _DkInternalUnlock(&heap_vma_lock);
 
     asm volatile("int $3");
-    SGX_DBG(DBG_E, "*** Not enough space on the heap (requested = %d) ***\n", size);
+    SGX_DBG(DBG_E, "*** Not enough space on the heap (requested = %llu) ***\n", size);
     return NULL;
 
 allocated:
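Review bot: `%llu` is paired with a `uint64_t` argument in the new SGX_DBG call, which matches only where `uint64_t` is `unsigned long long`; on x86-64 Linux it is normally `unsigned long`. Either cast the argument, `(unsigned long long) size`, or use `PRIu64` if the PAL's formatter and headers support it (not visible here). The same class of mismatch is sharper in the add_pages_to_enclave hunk of sgx_framework.c in this commit, where the added "User addr %x, addr %x (%x, %x)" message passes 64-bit addresses to `%x` and would print truncated values. get_reserved_pages starts and ends outside the hunk.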
@@ -213,7 +213,7 @@ allocated:
     return addr;
 }
 
-void free_pages(void * addr, unsigned int size)
+void free_pages(void * addr, uint64_t size)
 {
     void * addr_top = addr + size;
 

+ 2 - 2
Pal/src/host/Linux-SGX/enclave_pages.h

@@ -3,5 +3,5 @@
 
 extern void * heap_base;
 void init_pages (void);
-void * get_reserved_pages (void * addr, unsigned int size);
-void free_pages (void * addr, unsigned int size);
+void * get_reserved_pages (void * addr, uint64_t size);
+void free_pages (void * addr, uint64_t size);

+ 1 - 0
Pal/src/host/Linux-SGX/linux_types.h

@@ -14,6 +14,7 @@
 #include <asm/stat.h>
 #include <asm/fcntl.h>
 #include <sigset.h>
+#include <stdint.h>
 
 #ifndef size_t
 typedef __kernel_size_t size_t;

+ 3 - 3
Pal/src/host/Linux-SGX/ocall_types.h

@@ -62,15 +62,15 @@ typedef struct {
 
 typedef struct {
     int ms_fd;
-    unsigned int ms_offset;
-    unsigned int ms_size;
+    uint64_t ms_offset;
+    uint64_t ms_size;
     unsigned short ms_prot;
     void * ms_mem;
 } ms_ocall_map_untrusted_t;
 
 typedef struct {
     const void * ms_mem;
-    int ms_size;
+    uint64_t ms_size;
 } ms_ocall_unmap_untrusted_t;
 
 typedef struct {

+ 1 - 1
Pal/src/host/Linux-SGX/pal_linux.h

@@ -97,7 +97,7 @@ typedef struct { unsigned char bytes[32]; } sgx_checksum_t;
 
 int init_trusted_files (void);
 int load_trusted_file
-    (PAL_HANDLE file, sgx_checksum_t ** stubptr, unsigned int * sizeptr);
+    (PAL_HANDLE file, sgx_checksum_t ** stubptr, uint64_t * sizeptr);
 int verify_trusted_file
     (const char * uri, void * mem, unsigned int offset, unsigned int size,
      sgx_checksum_t * stubs, unsigned int total_size);
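Review bot: verify_trusted_file keeps `unsigned int offset`, `unsigned int size` and `unsigned int total_size` while load_trusted_file now reports a `uint64_t` size, and file_map in db_files.c passes that 64-bit `total` and its map offsets straight into it. For a trusted file of 4 GiB or more, which the new large-mmap test and its `sgx.trusted_files.testfil` entry appear to exercise, the values are truncated before the per-stub hashes are compared, so the integrity check may cover the wrong range. The prototype should be widened to match, `(const char * uri, void * mem, uint64_t offset, uint64_t size, sgx_checksum_t * stubs, uint64_t total_size);`, together with the definition, which is not shown in this commit.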

+ 9 - 15
Pal/src/host/Linux-SGX/sgx-driver/graphene-sgx.h

@@ -11,34 +11,28 @@
 #define GSGX_IOCTL_ENCLAVE_CREATE	_IOWR('p', 0x01, struct gsgx_enclave_create)
 #define GSGX_IOCTL_ENCLAVE_ADD_PAGES	_IOW('p',  0x02, struct gsgx_enclave_add_pages)
 #define GSGX_IOCTL_ENCLAVE_INIT		_IOW('p',  0x03, struct gsgx_enclave_init)
-#define GSGX_IOCTL_ENCLAVE_DESTROY	_IOW('p',  0x04, struct gsgx_enclave_destroy)
 
 #define GSGX_ENCLAVE_CREATE_NO_ADDR	((unsigned long) -1)
 
 struct gsgx_enclave_create {
-	void *secs;
-	unsigned long addr;
+	uint64_t src;
 };
 
 #define GSGX_ENCLAVE_ADD_PAGES_SKIP_EEXTEND	0x1
 #define GSGX_ENCLAVE_ADD_PAGES_REPEAT_SRC	0x2
 
 struct gsgx_enclave_add_pages {
-	unsigned int flags;
-	unsigned long addr;
-	unsigned long user_addr;
-	unsigned long size;
-	void *secinfo;
+	uint64_t flags;
+	uint64_t addr;
+	uint64_t user_addr;
+	uint64_t size;
+	uint64_t secinfo;
 };
 
 struct gsgx_enclave_init {
-	unsigned long addr;
-	void *sigstruct;
-	void *einittoken;
-};
-
-struct gsgx_enclave_destroy {
-	unsigned long addr;
+	uint64_t addr;
+	uint64_t sigstruct;
+	uint64_t einittoken;
 };
 
 #endif /* _X86_GSGX_USER_H */

+ 15 - 37
Pal/src/host/Linux-SGX/sgx-driver/gsgx_main.c

@@ -32,13 +32,13 @@ static long gsgx_ioctl_enclave_create(struct file *filep, unsigned int cmd,
 				      unsigned long arg)
 {
 	struct gsgx_enclave_create *createp = (struct gsgx_enclave_create *) arg;
-	struct isgx_create_param isgx_create;
+	struct sgx_enclave_create isgx_create;
 	unsigned long old_mmap_min_addr = *KSYM(dac_mmap_min_addr);
 	int ret;
 
-	if (createp->addr != GSGX_ENCLAVE_CREATE_NO_ADDR &&
-	    createp->addr < old_mmap_min_addr) {
-		*KSYM(dac_mmap_min_addr) = createp->addr;
+	if (createp->src != GSGX_ENCLAVE_CREATE_NO_ADDR &&
+	    createp->src < old_mmap_min_addr) {
+		*KSYM(dac_mmap_min_addr) = createp->src;
 		old_mmap_min_addr = 0;
 	}
 
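Review bot: After the rename, `createp->src` is the user-space address of the SECS (sgx_framework.c now sets `param.src = (unsigned long) secs`), yet this block still treats it as the requested enclave base: it compares it with `GSGX_ENCLAVE_CREATE_NO_ADDR` and `old_mmap_min_addr` and can write it into the global `dac_mmap_min_addr`. The enclave range is now mapped by an mmap in user space before the ioctl runs, so lowering the limit here no longer covers that mapping, and the comparison is made against an unrelated pointer. A caller-supplied value written into a host-wide hardening setting should not remain as leftover code; the block and the `old_mmap_min_addr` restore in the next hunk look removable. The next hunk also stores the same pointer with `filep->private_data = (void *) createp->src;`, so whatever reads private_data (not visible here) needs checking against the new meaning.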
@@ -46,15 +46,12 @@ static long gsgx_ioctl_enclave_create(struct file *filep, unsigned int cmd,
 	write_cr4(read_cr4() | X86_CR4_FSGSBASE);
 #endif
 
-	isgx_create.secs = createp->secs;
-	filep->private_data = (void *) createp->addr;
+	isgx_create.src = createp->src;
+	filep->private_data = (void *) createp->src;
 
-	ret = KSYM(isgx_ioctl_enclave_create)(filep, ISGX_IOCTL_ENCLAVE_CREATE,
+	ret = KSYM(isgx_ioctl_enclave_create)(filep, SGX_IOC_ENCLAVE_CREATE,
 					      (unsigned long) &isgx_create);
 
-	if (!ret)
-		createp->addr = isgx_create.addr;
-
 	if (old_mmap_min_addr)
 		*KSYM(dac_mmap_min_addr) = old_mmap_min_addr;
 	return ret;
@@ -64,8 +61,8 @@ static long gsgx_ioctl_enclave_add_pages(struct file *filep, unsigned int cmd,
 					 unsigned long arg)
 {
 	struct gsgx_enclave_add_pages *addp = (struct gsgx_enclave_add_pages *) arg;
-	struct isgx_add_param isgx_add;
-	unsigned long off;
+	struct sgx_enclave_add_page isgx_add;
+	uint64_t off;
 	int ret = 0;
 
 	if (!addp->addr || (addp->addr & (PAGE_SIZE - 1)))
@@ -79,14 +76,14 @@ static long gsgx_ioctl_enclave_add_pages(struct file *filep, unsigned int cmd,
 
 	for (off = 0 ; off < addp->size ; off += PAGE_SIZE) {
 		isgx_add.addr = addp->addr + off;
-		isgx_add.user_addr =
+		isgx_add.src =
 			addp->flags & GSGX_ENCLAVE_ADD_PAGES_REPEAT_SRC ?
 			addp->user_addr : addp->user_addr + off;
-		isgx_add.flags =
+		isgx_add.mrmask =
 			addp->flags & GSGX_ENCLAVE_ADD_PAGES_SKIP_EEXTEND ?
-			ISGX_ADD_SKIP_EEXTEND : 0;
+ 		        0 : ~0;
 		ret = KSYM(isgx_ioctl_enclave_add_page)(filep,
-			ISGX_IOCTL_ENCLAVE_ADD_PAGE, (unsigned long) &isgx_add);
+			SGX_IOC_ENCLAVE_ADD_PAGE, (unsigned long) &isgx_add);
 		if (ret < 0)
 			break;
 	}
@@ -98,28 +95,16 @@ static long gsgx_ioctl_enclave_init(struct file *filep, unsigned int cmd,
 				    unsigned long arg)
 {
 	struct gsgx_enclave_init *initp = (struct gsgx_enclave_init *) arg;
-	struct isgx_init_param isgx_init;
+	struct sgx_enclave_init isgx_init;
 
 	isgx_init.addr = initp->addr;
 	isgx_init.sigstruct = initp->sigstruct;
 	isgx_init.einittoken = initp->einittoken;
 
-	return KSYM(isgx_ioctl_enclave_init)(filep, ISGX_IOCTL_ENCLAVE_INIT,
+	return KSYM(isgx_ioctl_enclave_init)(filep, SGX_IOC_ENCLAVE_INIT,
 					     (unsigned long) &isgx_init);
 }
 
-static long gsgx_ioctl_enclave_destroy(struct file *filep, unsigned int cmd,
-				       unsigned long arg)
-{
-	struct gsgx_enclave_destroy *destroyp = (struct gsgx_enclave_destroy *) arg;
-	struct isgx_destroy_param isgx_destroy;
-
-	isgx_destroy.addr = destroyp->addr;
-
-	return KSYM(isgx_ioctl_enclave_destroy)(filep, ISGX_IOCTL_ENCLAVE_DESTROY,
-						(unsigned long) &isgx_destroy);
-}
-
 typedef long (*ioctl_t)(struct file *filep, unsigned int cmd, unsigned long arg);
 
 long gsgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
@@ -138,9 +123,6 @@ long gsgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
 		case GSGX_IOCTL_ENCLAVE_INIT:
 			handler = gsgx_ioctl_enclave_init;
 			break;
-		case GSGX_IOCTL_ENCLAVE_DESTROY:
-			handler = gsgx_ioctl_enclave_destroy;
-			break;
 		default:
 			return -EINVAL;
 	}
@@ -208,8 +190,6 @@ IMPORT_KSYM_PROTO(isgx_ioctl_enclave_init, long,
 	struct file *filep, unsigned int cmd, unsigned long arg);
 IMPORT_KSYM_PROTO(isgx_ioctl_enclave_add_page, long,
 	struct file *filep, unsigned int cmd, unsigned long arg);
-IMPORT_KSYM_PROTO(isgx_ioctl_enclave_destroy, long,
-	struct file *filep, unsigned int cmd, unsigned long arg);
 
 IMPORT_KSYM(isgx_enclave_release);
 IMPORT_KSYM_PROTO(isgx_mmap, int, struct file *, struct vm_area_struct *);
@@ -228,8 +208,6 @@ static int gsgx_lookup_ksyms(void)
 		return ret;
 	if ((ret = LOOKUP_KSYM(isgx_ioctl_enclave_add_page)))
 		return ret;
-	if ((ret = LOOKUP_KSYM(isgx_ioctl_enclave_destroy)))
-		return ret;
 	if ((ret = LOOKUP_KSYM(isgx_enclave_release)))
 		return ret;
 	if ((ret = LOOKUP_KSYM(isgx_mmap)))

+ 0 - 2
Pal/src/host/Linux-SGX/sgx-driver/isgx_ksyms.h

@@ -9,8 +9,6 @@ extern IMPORT_KSYM_PROTO(isgx_ioctl_enclave_init, long,
 	struct file *filep, unsigned int cmd, unsigned long arg);
 extern IMPORT_KSYM_PROTO(isgx_ioctl_enclave_add_page, long,
 	struct file *filep, unsigned int cmd, unsigned long arg);
-extern IMPORT_KSYM_PROTO(isgx_ioctl_enclave_destroy, long,
-	struct file *filep, unsigned int cmd, unsigned long arg);
 
 extern IMPORT_KSYM(isgx_enclave_release);
 extern IMPORT_KSYM_PROTO(isgx_mmap, int,

+ 43 - 26
Pal/src/host/Linux-SGX/sgx_framework.c

@@ -11,6 +11,8 @@
 #include <asm/errno.h>
 
 int gsgx_device = -1;
+int isgx_device = -1;
+#define ISGX_FILE "/dev/isgx"
 
 void * zero_page;
 
@@ -21,6 +23,13 @@ int open_gsgx(void)
         return -ERRNO(fd);
 
     gsgx_device = fd;
+
+    fd = INLINE_SYSCALL(open, 3, ISGX_FILE, O_RDWR, 0);
+    if (IS_ERR(fd))
+        return -ERRNO(fd);
+
+    isgx_device = fd;
+    
     return 0;
 }
 
@@ -115,6 +124,7 @@ int create_enclave(sgx_arch_secs_t * secs,
                    unsigned long size,
                    sgx_arch_token_t * token)
 {
+    int flags = MAP_SHARED;
     if (gsgx_device == -1)
         return -EACCES;
 
@@ -139,29 +149,43 @@ int create_enclave(sgx_arch_secs_t * secs,
     memcpy(&secs->mrsigner,  &token->mrsigner,  sizeof(sgx_arch_hash_t));
 
     struct gsgx_enclave_create param;
-    param.secs = secs;
-    if (baseaddr)
-        param.addr = (unsigned long) baseaddr & ~(secs->size - 1);
-    else
-        param.addr = GSGX_ENCLAVE_CREATE_NO_ADDR;
+    if (baseaddr) {
+        secs->baseaddr = (unsigned long) baseaddr & ~(secs->size - 1);
+        flags |= MAP_FIXED;
+    } else 
+        secs->baseaddr = 0ULL;
+
+    secs->baseaddr = INLINE_SYSCALL(mmap, 6, secs->baseaddr, size,
+                                    PROT_READ|PROT_WRITE|PROT_EXEC, flags,
+                                    isgx_device, 0);
+
+    if (IS_ERR_P(secs->baseaddr)) {
+        if (ERRNO_P(secs->baseaddr) == 1 && (flags | MAP_FIXED))
+            pal_printf("Permission denied on mapping enclave.  You may need to set sysctl vm.mmap_min_addr to zero\n");
+        SGX_DBG(DBG_I, "enclave ECREATE failed in allocating EPC memory - %d\n", ERRNO_P(secs->baseaddr));
+        return -ENOMEM;
+    }
 
+    param.src = (unsigned long) secs;
     int ret = INLINE_SYSCALL(ioctl, 3, gsgx_device, GSGX_IOCTL_ENCLAVE_CREATE,
                          &param);
+    
     if (IS_ERR(ret)) {
         if (ERRNO(ret) == EBADF)
             gsgx_device = -1;
+        SGX_DBG(DBG_I, "enclave ECREATE failed in enclave creation ioctl - %d\n", ERRNO(ret));
         return -ERRNO(ret);
     }
 
     if (ret) {
-        SGX_DBG(DBG_I, "enclave ECREATE failed\n");
+        SGX_DBG(DBG_I, "enclave ECREATE failed - %d\n", ret);
         return -EPERM;
     }
 
     secs->attributes.flags |= SGX_FLAGS_INITIALIZED;
 
     SGX_DBG(DBG_I, "enclave created:\n");
-    SGX_DBG(DBG_I, "    base:         0x%016lx\n", param.addr);
+    SGX_DBG(DBG_I, "    base:         0x%016lx\n", secs->baseaddr);
     SGX_DBG(DBG_I, "    size:         0x%x\n",     secs->size);
     SGX_DBG(DBG_I, "    attr:         0x%016lx\n", secs->attributes.flags);
     SGX_DBG(DBG_I, "    xfrm:         0x%016lx\n", secs->attributes.xfrm);
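Review bot: The new permission hint tests `(flags | MAP_FIXED)`, which is always non-zero, and compares the errno with a bare `1`; it should read `if (ERRNO_P(secs->baseaddr) == EPERM && (flags & MAP_FIXED))`. The branch then returns `-ENOMEM` whatever the errno was, which hides a permission failure from the caller. Once the mmap has succeeded, both failure returns after the GSGX_IOCTL_ENCLAVE_CREATE ioctl leave the `size`-byte read/write/execute mapping in place; an `INLINE_SYSCALL(munmap, 2, secs->baseaddr, size);` before each return would release it. The printed advice to set `vm.mmap_min_addr` to zero also lowers a host-wide protection against low-address mappings, and the message should say so. create_enclave starts and ends outside the hunk.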
@@ -169,7 +193,6 @@ int create_enclave(sgx_arch_secs_t * secs,
     SGX_DBG(DBG_I, "    isvprodid:    0x%08x\n",   secs->isvprodid);
     SGX_DBG(DBG_I, "    isvsvn:       0x%08x\n",   secs->isvsvn);
 
-    secs->baseaddr = param.addr;
     return 0;
 }
 
@@ -208,9 +231,11 @@ int add_pages_to_enclave(sgx_arch_secs_t * secs,
     param.addr = secs->baseaddr + (uint64_t) addr;
     param.user_addr = (uint64_t) user_addr;
     param.size = size;
-    param.secinfo = &secinfo;
+    param.secinfo = (uint64_t) &secinfo;
     param.flags = skip_eextend ? GSGX_ENCLAVE_ADD_PAGES_SKIP_EEXTEND : 0;
 
+    SGX_DBG(DBG_I, "User addr %x, addr %x (%x, %x), skip_eexten %d\n", param.user_addr, param.addr, secs->baseaddr, addr, skip_eextend);
+    
     if (!param.user_addr) {
         param.user_addr = (unsigned long) zero_page;
         param.flags |= GSGX_ENCLAVE_ADD_PAGES_REPEAT_SRC;
@@ -241,6 +266,7 @@ int add_pages_to_enclave(sgx_arch_secs_t * secs,
                              GSGX_IOCTL_ENCLAVE_ADD_PAGES,
                              &param);
     if (IS_ERR(ret)) {
+        SGX_DBG(DBG_I, "Enclave add page returned %d\n", ret);
         if (ERRNO(ret) == EBADF)
             gsgx_device = -1;
         return -ERRNO(ret);
@@ -268,8 +294,10 @@ int init_enclave(sgx_arch_secs_t * secs,
 
     struct gsgx_enclave_init param;
     param.addr = enclave_valid_addr;
-    param.sigstruct = sigstruct;
-    param.einittoken = token;
+    // DEP 11/6/16: I think sigstruct and token are supposed to
+    //              be pointers in the new driver
+    param.sigstruct = (uint64_t) sigstruct;
+    param.einittoken = (uint64_t) token;
 
     int ret = INLINE_SYSCALL(ioctl, 3, gsgx_device, GSGX_IOCTL_ENCLAVE_INIT,
                              &param);
@@ -287,27 +315,16 @@ int init_enclave(sgx_arch_secs_t * secs,
     return 0;
 }
 
-int destroy_enclave(void * base_addr)
+int destroy_enclave(void * base_addr, size_t length)
 {
-    if (gsgx_device == -1)
-        return -EACCES;
-
-    struct gsgx_enclave_destroy param;
-    param.addr = (unsigned long) base_addr;
 
     SGX_DBG(DBG_I, "destroying enclave...\n");
 
-    int ret = INLINE_SYSCALL(ioctl, 3, gsgx_device, GSGX_IOCTL_ENCLAVE_DESTROY,
-                             &param);
-    if (IS_ERR(ret)) {
-        if (ERRNO(ret) == EBADF)
-            gsgx_device = -1;
-        return -ERRNO(ret);
-    }
+    int ret = INLINE_SYSCALL(munmap, 2, base_addr, length);
 
-    if (ret) {
+    if (IS_ERR(ret)) {
         SGX_DBG(DBG_I, "enclave EDESTROY failed\n");
-        return -EPERM;
+        return -ERRNO(ret);
     }
 
     return 0;

+ 1 - 1
Pal/src/host/Linux-SGX/sgx_internal.h

@@ -105,7 +105,7 @@ int init_enclave(sgx_arch_secs_t * secs,
                  sgx_arch_sigstruct_t * sigstruct,
                  sgx_arch_token_t * token);
 
-int destroy_enclave(void * base_addr);
+int destroy_enclave(void * base_addr, size_t length);
 void exit_process (int status);
 
 int sgx_ecall (long ecall_no, void * ms);

+ 1 - 1
Pal/src/host/Linux-SGX/sgx_main.c

@@ -959,7 +959,7 @@ int pal_init_enclave (const char * manifest_uri,
 void exit_process (int status)
 {
     struct pal_enclave * enclave = current_enclave;
-    destroy_enclave((void *) enclave->baseaddr);
+    destroy_enclave((void *) enclave->baseaddr, enclave->size);
     free(enclave->config);
     free(enclave);
 

+ 4 - 0
README

@@ -54,6 +54,10 @@ with 'apt-get install')
    - python-protobuf (for SGX signing tool)
    - python-crypto (for SGX signing tool)
 
+The following packages are also required for building Graphene for SGX (can
+be installed with 'apt-get install'):
+   - python-protobuf
+
 To build the system, simply run the following commands in the root of the
 source tree:
 

+ 1 - 1
Scripts/regression.py

@@ -14,7 +14,7 @@ class Regression:
         self.executable = executable
         self.prepare = prepare
         self.runs = dict()
-        default_timeout = int(os.getenv('TIMEOUT', '1000'))
+        default_timeout = int(os.getenv('TIMEOUT', '10000'))
         if default_timeout > timeout:
             self.timeout = default_timeout
         else: