db_process.c 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459
  1. /* -*- mode:c; c-file-style:"k&r"; c-basic-offset: 4; tab-width:4; indent-tabs-mode:nil; mode:auto-fill; fill-column:78; -*- */
  2. /* vim: set ts=4 sw=4 et tw=78 fo=cqt wm=0: */
  3. /* Copyright (C) 2014 Stony Brook University
  4. This file is part of Graphene Library OS.
  5. Graphene Library OS is free software: you can redistribute it and/or
  6. modify it under the terms of the GNU Lesser General Public License
  7. as published by the Free Software Foundation, either version 3 of the
  8. License, or (at your option) any later version.
  9. Graphene Library OS is distributed in the hope that it will be useful,
  10. but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  12. GNU Lesser General Public License for more details.
  13. You should have received a copy of the GNU Lesser General Public License
  14. along with this program. If not, see <http://www.gnu.org/licenses/>. */
  15. /*
  16. * db_process.c
  17. *
  18. * This source file contains functions to create a child process and terminate
  19. * the running process. Child does not inherit any objects or memory from its
  20. * parent pricess. A Parent process may not modify the execution of its
  21. * children. It can wait for a child to exit using its handle. Also, parent and
  22. * child may communicate through I/O streams provided by the parent to the child
  23. * at creation.
  24. */
  25. #include "pal_defs.h"
  26. #include "pal_linux_defs.h"
  27. #include "pal.h"
  28. #include "pal_internal.h"
  29. #include "pal_linux.h"
  30. #include "pal_debug.h"
  31. #include "pal_error.h"
  32. #include "pal_security.h"
  33. #include "pal_crypto.h"
  34. #include "api.h"
  35. #include <linux/sched.h>
  36. #include <linux/types.h>
  37. #include <linux/fs.h>
  38. typedef __kernel_pid_t pid_t;
  39. #include <asm/fcntl.h>
  40. DEFINE_LIST(trusted_child);
  41. struct trusted_child {
  42. LIST_TYPE(trusted_child) list;
  43. sgx_arch_hash_t mrenclave;
  44. char uri[];
  45. };
  46. DEFINE_LISTP(trusted_child);
  47. static LISTP_TYPE(trusted_child) trusted_children = LISTP_INIT;
  48. static struct spinlock trusted_children_lock = LOCK_INIT;
  49. int register_trusted_child(const char * uri, const char * mrenclave_str)
  50. {
  51. struct trusted_child * tc = NULL, * new;
  52. int uri_len = strlen(uri);
  53. _DkSpinLock(&trusted_children_lock);
  54. listp_for_each_entry(tc, &trusted_children, list) {
  55. if (!memcmp(tc->uri, uri, uri_len + 1)) {
  56. _DkSpinUnlock(&trusted_children_lock);
  57. return 0;
  58. }
  59. }
  60. _DkSpinUnlock(&trusted_children_lock);
  61. new = malloc(sizeof(struct trusted_child) + uri_len);
  62. if (!new)
  63. return -PAL_ERROR_NOMEM;
  64. INIT_LIST_HEAD(new, list);
  65. memcpy(new->uri, uri, uri_len + 1);
  66. char mrenclave_text[sizeof(sgx_arch_hash_t) * 2 + 1] = "\0";
  67. int nbytes = 0;
  68. for (; nbytes < sizeof(sgx_arch_hash_t) ; nbytes++) {
  69. char byte1 = mrenclave_str[nbytes * 2];
  70. char byte2 = mrenclave_str[nbytes * 2 + 1];
  71. unsigned char val = 0;
  72. if (byte1 == 0 || byte2 == 0) {
  73. break;
  74. }
  75. if (!(byte1 >= '0' && byte1 <= '9') &&
  76. !(byte1 >= 'a' && byte1 <= 'f')) {
  77. break;
  78. }
  79. if (!(byte2 >= '0' && byte2 <= '9') &&
  80. !(byte2 >= 'a' && byte2 <= 'f')) {
  81. break;
  82. }
  83. if (byte1 >= '0' && byte1 <= '9')
  84. val = byte1 - '0';
  85. if (byte1 >= 'a' && byte1 <= 'f')
  86. val = byte1 - 'a' + 10;
  87. val *= 16;
  88. if (byte2 >= '0' && byte2 <= '9')
  89. val += byte2 - '0';
  90. if (byte2 >= 'a' && byte2 <= 'f')
  91. val += byte2 - 'a' + 10;
  92. new->mrenclave[nbytes] = val;
  93. snprintf(mrenclave_text + nbytes * 2, 3, "%02x", val);
  94. }
  95. if (nbytes < sizeof(sgx_arch_hash_t)) {
  96. free(new);
  97. return -PAL_ERROR_INVAL;
  98. }
  99. SGX_DBG(DBG_S, "trusted: %s %s\n", mrenclave_text, new->uri);
  100. _DkSpinLock(&trusted_children_lock);
  101. listp_for_each_entry(tc, &trusted_children, list) {
  102. if (!memcmp(tc->uri, uri, uri_len + 1)) {
  103. _DkSpinUnlock(&trusted_children_lock);
  104. free(new);
  105. return 0;
  106. }
  107. }
  108. listp_add_tail(new, &trusted_children, list);
  109. _DkSpinUnlock(&trusted_children_lock);
  110. return 0;
  111. }
  112. struct proc_attestation_data {
  113. sgx_arch_mac_t keyhash_mac;
  114. uint8_t reserved[PAL_ATTESTATION_DATA_SIZE - sizeof(sgx_arch_mac_t)];
  115. } __attribute__((packed));
  116. struct check_child_param {
  117. PAL_MAC_KEY mac_key;
  118. const char * uri;
  119. };
  120. static int check_child_mrenclave (sgx_arch_hash_t * mrenclave,
  121. void * signed_data, void * check_param)
  122. {
  123. struct pal_enclave_state * remote_state = signed_data;
  124. struct proc_attestation_data * data = (void *) &remote_state->data;
  125. /* the process must be a clean process */
  126. if (remote_state->enclave_flags & PAL_ENCLAVE_INITIALIZED)
  127. return 1;
  128. struct check_child_param * param = check_param;
  129. /* must make sure the signer of the report is also the owner of the key,
  130. in order to prevent man-in-the-middle attack */
  131. struct proc_attestation_data check_data;
  132. memset(&check_data, 0, sizeof(struct proc_attestation_data));
  133. lib_AESCMAC((void *) &param->mac_key, AES_CMAC_KEY_LEN,
  134. remote_state->enclave_keyhash,
  135. sizeof(remote_state->enclave_keyhash),
  136. check_data.keyhash_mac, sizeof check_data.keyhash_mac);
  137. if (memcmp(data, &check_data, sizeof(struct proc_attestation_data)))
  138. return 1;
  139. /* always accept our own as child */
  140. if (!memcmp(mrenclave, pal_sec.mrenclave, sizeof(sgx_arch_hash_t))) {
  141. SGX_DBG(DBG_S, "trusted child: <forked>\n");
  142. return 0;
  143. }
  144. struct trusted_child * tc;
  145. _DkSpinLock(&trusted_children_lock);
  146. listp_for_each_entry(tc, &trusted_children, list) {
  147. if (!memcmp(mrenclave, tc->mrenclave, sizeof(sgx_arch_hash_t))) {
  148. _DkSpinUnlock(&trusted_children_lock);
  149. SGX_DBG(DBG_S, "trusted child: %s\n", tc->uri);
  150. return 0;
  151. }
  152. }
  153. _DkSpinUnlock(&trusted_children_lock);
  154. return 1;
  155. }
  156. int _DkProcessCreate (PAL_HANDLE * handle, const char * uri,
  157. int flags, const char ** args)
  158. {
  159. /* only access creating process with regular file */
  160. if (!strpartcmp_static(uri, "file:"))
  161. return -PAL_ERROR_INVAL;
  162. unsigned int child_pid;
  163. int proc_fds[3];
  164. int nargs = 0, ret;
  165. if (args)
  166. for (const char ** a = args ; *a ; a++)
  167. nargs++;
  168. ret = ocall_create_process(uri, nargs, args,
  169. proc_fds,
  170. &child_pid);
  171. if (ret < 0)
  172. return ret;
  173. PAL_HANDLE proc = malloc(HANDLE_SIZE(process));
  174. SET_HANDLE_TYPE(proc, process);
  175. HANDLE_HDR(proc)->flags |= RFD(0)|WFD(1)|RFD(2)|WFD(2)|WRITEABLE(1)|WRITEABLE(2);
  176. proc->process.stream_in = proc_fds[0];
  177. proc->process.stream_out = proc_fds[1];
  178. proc->process.cargo = proc_fds[2];
  179. proc->process.pid = child_pid;
  180. proc->process.nonblocking = PAL_FALSE;
  181. PAL_SESSION_KEY session_key;
  182. ret = _DkStreamKeyExchange(proc, &session_key);
  183. if (ret < 0)
  184. return ret;
  185. struct check_child_param param;
  186. session_key_to_mac_key(&session_key, &param.mac_key);
  187. param.uri = uri;
  188. struct proc_attestation_data data;
  189. memset(&data, 0, sizeof(struct proc_attestation_data));
  190. lib_AESCMAC((void *) &param.mac_key, AES_CMAC_KEY_LEN,
  191. pal_enclave_state.enclave_keyhash,
  192. sizeof(pal_enclave_state.enclave_keyhash),
  193. data.keyhash_mac, sizeof data.keyhash_mac);
  194. SGX_DBG(DBG_P|DBG_S, "Attestation data: %s\n", hex2str(data.keyhash_mac));
  195. ret = _DkStreamAttestationRequest(proc, &data,
  196. &check_child_mrenclave, &param);
  197. if (ret < 0)
  198. return ret;
  199. *handle = proc;
  200. return 0;
  201. }
  202. struct check_parent_param {
  203. PAL_MAC_KEY mac_key;
  204. };
  205. static int check_parent_mrenclave (sgx_arch_hash_t * mrenclave,
  206. void * signed_data, void * check_param)
  207. {
  208. struct pal_enclave_state * remote_state = signed_data;
  209. struct proc_attestation_param * data = (void *) &remote_state->data;
  210. struct check_parent_param * param = check_param;
  211. /* must make sure the signer of the report is also the owner of the key,
  212. in order to prevent man-in-the-middle attack */
  213. struct proc_attestation_data check_data;
  214. memset(&check_data, 0, sizeof(struct proc_attestation_data));
  215. lib_AESCMAC((void *) &param->mac_key, AES_CMAC_KEY_LEN,
  216. remote_state->enclave_keyhash,
  217. sizeof(remote_state->enclave_keyhash),
  218. check_data.keyhash_mac, sizeof check_data.keyhash_mac);
  219. if (memcmp(data, &check_data, sizeof(struct proc_attestation_data)))
  220. return 1;
  221. /* for now, we will accept any enclave as a parent, but eventually
  222. we should check parent, maybe using crypto challenge */
  223. return 0;
  224. }
  225. int init_child_process (PAL_HANDLE * parent_handle)
  226. {
  227. PAL_HANDLE parent = malloc(HANDLE_SIZE(process));
  228. SET_HANDLE_TYPE(parent, process);
  229. HANDLE_HDR(parent)->flags |= RFD(0)|WFD(1)|RFD(2)|WFD(2)|WRITEABLE(1)|WRITEABLE(2);
  230. parent->process.stream_in = pal_sec.proc_fds[0];
  231. parent->process.stream_out = pal_sec.proc_fds[1];
  232. parent->process.cargo = pal_sec.proc_fds[2];
  233. parent->process.pid = pal_sec.ppid;
  234. parent->process.nonblocking = PAL_FALSE;
  235. PAL_SESSION_KEY session_key;
  236. int ret = _DkStreamKeyExchange(parent, &session_key);
  237. if (ret < 0)
  238. return ret;
  239. struct check_parent_param param;
  240. session_key_to_mac_key(&session_key, &param.mac_key);
  241. struct proc_attestation_data data;
  242. memset(&data, 0, sizeof(struct proc_attestation_data));
  243. lib_AESCMAC((void *) &param.mac_key, AES_CMAC_KEY_LEN,
  244. pal_enclave_state.enclave_keyhash,
  245. sizeof(pal_enclave_state.enclave_keyhash),
  246. data.keyhash_mac, sizeof data.keyhash_mac);
  247. SGX_DBG(DBG_P|DBG_S, "Attestation data: %s\n", hex2str(data.keyhash_mac));
  248. ret = _DkStreamAttestationRespond(parent, &data,
  249. &check_parent_mrenclave,
  250. &param);
  251. if (ret < 0)
  252. return ret;
  253. *parent_handle = parent;
  254. return 0;
  255. }
  256. void print_alloced_pages (void);
  257. void _DkProcessExit (int exitcode)
  258. {
  259. #if PRINT_ENCLAVE_STAT
  260. print_alloced_pages();
  261. #endif
  262. ocall_exit();
  263. }
  264. int _DkProcessSandboxCreate (const char * manifest, int flags)
  265. {
  266. return -PAL_ERROR_NOTIMPLEMENTED;
  267. }
  268. static int proc_read (PAL_HANDLE handle, int offset, int count,
  269. void * buffer)
  270. {
  271. return ocall_read(handle->process.stream_in, buffer, count);
  272. }
  273. static int proc_write (PAL_HANDLE handle, int offset, int count,
  274. const void * buffer)
  275. {
  276. int bytes = ocall_write(handle->process.stream_out, buffer, count);
  277. if (bytes == -PAL_ERROR_TRYAGAIN)
  278. HANDLE_HDR(handle)->flags &= ~WRITEABLE(1);
  279. if (bytes < 0)
  280. return bytes;
  281. if (bytes == count)
  282. HANDLE_HDR(handle)->flags |= WRITEABLE(1);
  283. else
  284. HANDLE_HDR(handle)->flags &= ~WRITEABLE(1);
  285. return bytes;
  286. }
  287. static int proc_close (PAL_HANDLE handle)
  288. {
  289. if (handle->process.stream_in != PAL_IDX_POISON) {
  290. ocall_close(handle->process.stream_in);
  291. handle->process.stream_in = PAL_IDX_POISON;
  292. }
  293. if (handle->process.stream_out != PAL_IDX_POISON) {
  294. ocall_close(handle->process.stream_out);
  295. handle->process.stream_out = PAL_IDX_POISON;
  296. }
  297. if (handle->process.cargo != PAL_IDX_POISON) {
  298. ocall_close(handle->process.cargo);
  299. handle->process.cargo = PAL_IDX_POISON;
  300. }
  301. return 0;
  302. }
  303. static int proc_delete (PAL_HANDLE handle, int access)
  304. {
  305. int shutdown;
  306. switch (access) {
  307. case 0:
  308. shutdown = SHUT_RDWR;
  309. break;
  310. case PAL_DELETE_RD:
  311. shutdown = SHUT_RD;
  312. break;
  313. case PAL_DELETE_WR:
  314. shutdown = SHUT_WR;
  315. break;
  316. default:
  317. return -PAL_ERROR_INVAL;
  318. }
  319. if (access != PAL_DELETE_WR &&
  320. handle->process.stream_in != PAL_IDX_POISON) {
  321. ocall_close(handle->process.stream_in);
  322. handle->process.stream_in = PAL_IDX_POISON;
  323. }
  324. if (access != PAL_DELETE_RD &&
  325. handle->process.stream_out != PAL_IDX_POISON) {
  326. ocall_close(handle->process.stream_out);
  327. handle->process.stream_out = PAL_IDX_POISON;
  328. }
  329. if (handle->process.cargo != PAL_IDX_POISON)
  330. ocall_sock_shutdown(handle->process.cargo, shutdown);
  331. return 0;
  332. }
  333. static int proc_attrquerybyhdl (PAL_HANDLE handle, PAL_STREAM_ATTR * attr)
  334. {
  335. if (handle->process.stream_in == PAL_IDX_POISON)
  336. return -PAL_ERROR_BADHANDLE;
  337. int ret = ocall_fionread(handle->process.stream_in);
  338. if (ret < 0)
  339. return -ret;
  340. memset(attr, 0, sizeof(PAL_STREAM_ATTR));
  341. attr->pending_size = ret;
  342. attr->disconnected = HANDLE_HDR(handle)->flags & (ERROR(0)|ERROR(1));
  343. attr->readable = (attr->pending_size > 0);
  344. attr->writeable = HANDLE_HDR(handle)->flags & WRITEABLE(1);
  345. attr->nonblocking = handle->process.nonblocking;
  346. return 0;
  347. }
  348. static int proc_attrsetbyhdl (PAL_HANDLE handle, PAL_STREAM_ATTR * attr)
  349. {
  350. if (handle->process.stream_in == PAL_IDX_POISON)
  351. return -PAL_ERROR_BADHANDLE;
  352. if (attr->nonblocking != handle->process.nonblocking) {
  353. int ret = ocall_fsetnonblock(handle->process.stream_in,
  354. handle->process.nonblocking);
  355. if (ret < 0)
  356. return ret;
  357. handle->process.nonblocking = attr->nonblocking;
  358. }
  359. return 0;
  360. }
  361. struct handle_ops proc_ops = {
  362. .read = &proc_read,
  363. .write = &proc_write,
  364. .close = &proc_close,
  365. .delete = &proc_delete,
  366. .attrquerybyhdl = &proc_attrquerybyhdl,
  367. .attrsetbyhdl = &proc_attrsetbyhdl,
  368. };