
Linux 2.1.1 Open Source Gold Release

Signed-off-by: Andy Zhao <yebin.andy.zhao@intel.com>
Andy Zhao 6 years ago
parent
commit
1bcdf2ed21

+ 3 - 0
SampleCode/SampleEnclave/Enclave/Edger8rSyntax/Pointers.cpp

@@ -69,6 +69,9 @@ size_t ecall_pointer_user_check(void *val, size_t sz)
     if (sgx_is_outside_enclave(val, sz) != 1)
         abort();
 
+    /*fence after sgx_is_outside_enclave check*/
+    __builtin_ia32_lfence();
+
     char tmp[100] = {0};
     size_t len = sz>100?100:sz;
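Review bot: The comment on the new fence only says that it follows the check; since this is sample code meant to teach the pattern, it should say why the fence is there, e.g. `/* Serialize after the sgx_is_outside_enclave() check so the bounded copy below cannot run speculatively on a pointer the check would have rejected (bounds-check-bypass mitigation). */`. `__builtin_ia32_lfence()` also ties the sample to GCC/Clang; if the samples are meant to build with other compilers, `_mm_lfence()` from `<emmintrin.h>` expresses the same fence portably. ecall_pointer_user_check continues outside the hunk.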
     

+ 2 - 2
common/inc/internal/se_version.h

@@ -28,6 +28,6 @@
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
  */
-#define STRFILEVER      "2.1.42002"
-#define COPYRIGHT      "Copyright (C) 2017 Intel Corporation"
+#define STRFILEVER      "2.1.101.42529"
+#define COPYRIGHT      "Copyright (C) 2018 Intel Corporation"
 

+ 0 - 1
download_prebuilt.sh

@@ -66,4 +66,3 @@ if [ $? -ne 0 ]; then
 fi
 
 pushd $out_dir;tar -xf $optlib_name;tar -xf $ae_file_name;rm -f $optlib_name;rm -f $ae_file_name;popd
-

BIN
psw/ae/data/prebuilt/le_prod_css.bin


+ 1 - 1
psw/ae/pce/config.xml

@@ -3,7 +3,7 @@
   <ProvisionKey>1</ProvisionKey>
   <LaunchKey>0</LaunchKey>
   <ProdID>0x1</ProdID>
-  <ISVSVN>4</ISVSVN>
+  <ISVSVN>5</ISVSVN>
   <TCSNum>1</TCSNum>
   <TCSMinPool>0</TCSMinPool>
   <TCSPolicy>1</TCSPolicy>

+ 1 - 1
psw/ae/pse/pse_op/config.xml

@@ -3,7 +3,7 @@
     <ProvisionKey>0</ProvisionKey>
     <LaunchKey>0</LaunchKey>
     <ProdID>0x2</ProdID>
-    <ISVSVN>4</ISVSVN>
+    <ISVSVN>6</ISVSVN>
     <TCSNum>1</TCSNum>
     <TCSMinPool>0</TCSMinPool>
     <TCSPolicy>1</TCSPolicy>

+ 1 - 1
psw/ae/pse/pse_pr/config.xml

@@ -3,7 +3,7 @@
     <ProvisionKey>0</ProvisionKey>
     <LaunchKey>0</LaunchKey>
     <ProdID>0x2</ProdID>
-    <ISVSVN>4</ISVSVN>
+    <ISVSVN>6</ISVSVN>
     <TCSNum>1</TCSNum>
     <TCSMinPool>0</TCSMinPool>
     <TCSPolicy>1</TCSPolicy>

+ 1 - 1
psw/ae/pve/config.xml

@@ -3,7 +3,7 @@
   <ProvisionKey>1</ProvisionKey>
   <LaunchKey>0</LaunchKey>
   <ProdID>0x1</ProdID>
-  <ISVSVN>5</ISVSVN>
+  <ISVSVN>6</ISVSVN>
   <TCSNum>1</TCSNum>
   <TCSMinPool>0</TCSMinPool>
   <TCSPolicy>1</TCSPolicy>

+ 6 - 0
psw/ae/pve/provision_enclave.cpp

@@ -137,6 +137,12 @@ uint32_t proc_prov_msg2_data_wrapper(
         goto ret_point;
     }
 
+    //
+    // for user_check SigRL input
+    // based on sigrl_size input parameter
+    //
+    __builtin_ia32_lfence();
+
     if((sigrl==NULL&&sigrl_size!=0)||
         (sigrl!=NULL&&sigrl_size==0)){
         status = PVEC_PARAMETER_ERROR;
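Review bot: The new fence sits before the `sigrl`/`sigrl_size` consistency check rather than after it, so that check is not covered; if the intent is to serialize after the validation above the hunk (the block ending in `goto ret_point`), the comment should name that check, and if SigRL memory is accessed after the consistency check a fence is needed below it as well. The same before-the-check placement appears in provision_msg2.cpp, where the fence precedes `if( PVEC_SUCCESS!=ret ) goto ret_point;`, so code after that check can still execute speculatively on the error path unless the validation being fenced is the one inside prov_msg2_proc_sigrl_header. The comment `// for user_check SigRL input // based on sigrl_size input parameter` would be clearer as `// Serialize after the sigrl_size validation above so later SigRL accesses cannot run speculatively on a rejected size (bounds-check-bypass mitigation)`. proc_prov_msg2_data_wrapper starts and ends outside the hunk.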

+ 7 - 0
psw/ae/pve/provision_msg2.cpp

@@ -243,6 +243,13 @@ pve_status_t proc_prov_msg2_data(const proc_prov_msg2_blob_input_t *msg2_blob_in
         if(NULL!=emp_sigrl){
             //process sigrl_header for hash value generation (used by ECDSA signature)
             ret = prov_msg2_proc_sigrl_header( emp_sigrl, sigrl_size, &msg3_parm);
+
+            //
+            // for user_check SigRL input
+            // based on n2 field in SigRL
+            //
+            __builtin_ia32_lfence();
+
             if( PVEC_SUCCESS!=ret )
                 goto ret_point;
         }

+ 1 - 1
psw/ae/qe/config.xml

@@ -3,7 +3,7 @@
     <ProvisionKey>0</ProvisionKey>
     <LaunchKey>0</LaunchKey>
     <ProdID>0x1</ProdID>
-    <ISVSVN>5</ISVSVN>
+    <ISVSVN>6</ISVSVN>
     <TCSNum>1</TCSNum>
     <TCSMinPool>0</TCSMinPool>
     <TCSPolicy>1</TCSPolicy>

+ 13 - 0
psw/ae/qe/quoting_enclave.cpp

@@ -943,6 +943,13 @@ uint32_t get_quote(
        quote buffer outside enclave. */
     if(!sgx_is_outside_enclave(emp_sig_rl, sig_rl_size))
         return QE_PARAMETER_ERROR;
+
+    //
+    // for user_check SigRL input
+    // based on quote_size input parameter
+    //
+    __builtin_ia32_lfence();
+
     if(!sgx_is_outside_enclave(emp_quote, quote_size))
         return QE_PARAMETER_ERROR;
 
@@ -1073,6 +1080,12 @@ uint32_t get_quote(
         goto CLEANUP;
     }
 
+    //
+    // for user_check SigRL input
+    // based on n2 field in SigRL
+    //
+    __builtin_ia32_lfence();
+
     /* Copy the data in the report into quote body. */
     memset(emp_quote, 0, quote_size);
     quote_body.version = QE_QUOTE_VERSION;
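Review bot: The comment on the first fence says it is `based on quote_size input parameter`, but the fence is placed after the `emp_sig_rl`/`sig_rl_size` check and before the `emp_quote`/`quote_size` check, so the text and the placement disagree; either reword it to `// Serialize after the sig_rl_size check above (bounds-check-bypass mitigation)` or move the fence below the `emp_quote` check. The second hunk's fence, which precedes `memset(emp_quote, 0, quote_size)`, is the one that actually separates the quote_size check from the first use of emp_quote, so the first comment should not claim quote_size. get_quote starts and ends outside the hunks.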

+ 0 - 1
psw/urts/parser/elfparser.cpp

@@ -946,7 +946,6 @@ bool ElfParser::set_memory_protection(uint64_t enclave_base_addr, bool is_after_
     for (int idx = 0; idx < elf_hdr->e_phnum; idx++, prg_hdr++)
     {
        if(prg_hdr->p_type == PT_DYNAMIC ||
-          prg_hdr->p_type == PT_GNU_EH_FRAME || 
           prg_hdr->p_type == PT_GNU_RELRO)
        {
            rva = TRIM_TO_PAGE(enclave_base_addr + prg_hdr->p_vaddr);
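Review bot: Dropping PT_GNU_EH_FRAME from the segment types whose protection is set here changes which enclave pages receive their final permissions, and neither the hunk nor the commit message says why; a one-line comment on the condition, e.g. `// PT_GNU_EH_FRAME is intentionally not handled here: <reason, e.g. it lies inside a segment already covered above>`, would keep the next reader from re-adding it. If the reason is that the EH frame header overlaps a segment processed elsewhere, say so explicitly, since a missing read-only protection on the unwind tables would otherwise read as a regression. set_memory_protection starts and ends outside the hunk.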

+ 39 - 8
sdk/edger8r/linux/CodeGen.ml

@@ -934,7 +934,8 @@ let gen_parm_ptr_direction_pre (plist: Ast.pdecl list) =
 \t\tif (%s%s(%s) != %s) {\n\
 \t\t\tstatus = SGX_ERROR_INVALID_PARAMETER;\n\
 \t\t\tgoto err;\n\
-\t\t}" (mk_len_count v) fn in_ptr_name len_var
+\t\t}\n\n\
+\t\t//\n\t\t// fence after final sizefunc check\n\t\t//\n\t\t__builtin_ia32_lfence();\n\n" (mk_len_count v) fn in_ptr_name len_var
     in
     let malloc_and_copy pre_indent =
       match attr.Ast.pa_direction with
@@ -1148,13 +1149,14 @@ let gen_func_tbridge (fd: Ast.func_decl) (dummy_var: string) =
       in
         sprintf "%s%s%s\t%s\n\t%s\n%s" func_open local_vars dummy_var check_pms invoke_func func_close
     else
-      sprintf "%s%s\t%s\n%s\n%s%s\n%s\t%s\n%s\n%s\n%s"
+      sprintf "%s%s\t%s\n%s\n%s%s\n%s\n%s\n\t%s\n%s\n%s\n%s"
         func_open
         (mk_check_pms fd.Ast.fname)
         declare_ms_ptr
         local_vars
         (gen_check_tbridge_length_overflow fd.Ast.plist)
         (gen_check_tbridge_ptr_parms fd.Ast.plist)
+        "\n\t//\n\t// fence after pointer checks\n\t//\n\t__builtin_ia32_lfence();\n"
         (gen_parm_ptr_direction_pre fd.Ast.plist)
         (if fd.Ast.rtype <> Ast.Void then update_retval else invoke_func)
         (gen_err_mark fd.Ast.plist)
@@ -1175,7 +1177,6 @@ let tproxy_fill_ms_field (pd: Ast.pdecl) =
             sprintf "\n#pragma message(\"Pointer array `%s' in trusted proxy `\"\
                __FUNCTION__ \"' is dangerous. No code generated.\")\n" name
           else
-            let in_ptr_dst_name = mk_in_ptr_dst_name attr.Ast.pa_rdonly parm_accessor in
               if not attr.Ast.pa_chkptr (* [user_check] specified *)
               then sprintf "%s = SGX_CAST(%s, %s);" parm_accessor tystr name
               else
@@ -1184,8 +1185,24 @@ let tproxy_fill_ms_field (pd: Ast.pdecl) =
                     let code_template =
                       [sprintf "if (%s != NULL && sgx_is_within_enclave(%s, %s)) {" name name len_var;
                        sprintf "\t%s = (%s)__tmp;" parm_accessor tystr;
+                       sprintf "\t__tmp_%s = __tmp;" name;
+                       sprintf "\tmemset(__tmp_%s, 0, %s);" name len_var;
+                       sprintf "\t__tmp = (void *)((size_t)__tmp + %s);" len_var;
+                       sprintf "} else if (%s == NULL) {" name;
+                       sprintf "\t%s = NULL;" parm_accessor;
+                       "} else {";
+                       "\tsgx_ocfree();";
+                       "\treturn SGX_ERROR_INVALID_PARAMETER;";
+                       "}"
+                      ]
+                    in List.fold_left (fun acc s -> acc ^ s ^ "\n\t") "" code_template
+                | Ast.PtrInOut ->
+                    let code_template =
+                      [sprintf "if (%s != NULL && sgx_is_within_enclave(%s, %s)) {" name name len_var;
+                       sprintf "\t%s = (%s)__tmp;" parm_accessor tystr;
+                       sprintf "\t__tmp_%s = __tmp;" name;
+                       sprintf "\tmemcpy(__tmp_%s, %s, %s);" name name len_var;
                        sprintf "\t__tmp = (void *)((size_t)__tmp + %s);" len_var;
-                       sprintf "\tmemset(%s, 0, %s);" in_ptr_dst_name len_var;
                        sprintf "} else if (%s == NULL) {" name;
                        sprintf "\t%s = NULL;" parm_accessor;
                        "} else {";
@@ -1198,8 +1215,8 @@ let tproxy_fill_ms_field (pd: Ast.pdecl) =
                     let code_template =
               [sprintf "if (%s != NULL && sgx_is_within_enclave(%s, %s)) {" name name len_var;
                sprintf "\t%s = (%s)__tmp;" parm_accessor tystr;
+               sprintf "\tmemcpy(__tmp, %s, %s);" name len_var;
                sprintf "\t__tmp = (void *)((size_t)__tmp + %s);" len_var;
-               sprintf "\tmemcpy(%s, %s, %s);" in_ptr_dst_name name len_var;
                sprintf "} else if (%s == NULL) {" name;
                sprintf "\t%s = NULL;" parm_accessor;
                "} else {";
@@ -1230,6 +1247,19 @@ let gen_tproxy_local_vars (plist: Ast.pdecl list) =
 let gen_ocalloc_block (fname: string) (plist: Ast.pdecl list) =
   let ms_struct_name = mk_ms_struct_name fname in
   let local_vars_block = sprintf "%s* %s = NULL;\n\tsize_t ocalloc_size = sizeof(%s);\n\tvoid *__tmp = NULL;\n\n" ms_struct_name ms_struct_val ms_struct_name in
+  let local_var (attr: Ast.ptr_attr) (name: string) =
+    if not attr.Ast.pa_chkptr then ""
+    else
+      match attr.Ast.pa_direction with
+        Ast.PtrOut | Ast.PtrInOut -> sprintf "\tvoid *__tmp_%s = NULL;\n" name
+      | _ -> ""
+  in
+  let do_local_var (pd: Ast.pdecl) =
+    let (pty, declr) = pd in
+      match pty with
+        Ast.PTVal _         -> ""
+      | Ast.PTPtr (_, attr) -> local_var attr declr.Ast.identifier
+  in
   let count_ocalloc_size (ty: Ast.atype) (attr: Ast.ptr_attr) (name: string) =
     if not attr.Ast.pa_chkptr then ""
     else sprintf "\tocalloc_size += (%s != NULL && sgx_is_within_enclave(%s, %s)) ? %s : 0;\n" name name (mk_len_var name) (mk_len_var name)
@@ -1252,8 +1282,9 @@ let gen_ocalloc_block (fname: string) (plist: Ast.pdecl list) =
   in
   let new_param_list = List.map conv_array_to_ptr plist
   in
-  let s1 = List.fold_left (fun acc pd -> acc ^ do_count_ocalloc_size pd) local_vars_block new_param_list in
-     List.fold_left (fun acc s -> acc ^ s) s1 do_gen_ocalloc_block
+  let s1 = List.fold_left (fun acc pd -> acc ^ do_local_var pd) local_vars_block new_param_list in
+  let s2 = List.fold_left (fun acc pd -> acc ^ do_count_ocalloc_size pd) s1 new_param_list in
+     List.fold_left (fun acc s -> acc ^ s) s2 do_gen_ocalloc_block
   
 (* Generate trusted proxy code for a given untrusted function. *)
 let gen_func_tproxy (ufunc: Ast.untrusted_func) (idx: int) =
@@ -1270,7 +1301,7 @@ let gen_func_tproxy (ufunc: Ast.untrusted_func) (idx: int) =
       let name = declr.Ast.identifier in
         match attr.Ast.pa_direction with
             Ast.PtrInOut | Ast.PtrOut ->
-              sprintf "\tif (%s) memcpy((void*)%s, %s, %s);\n" name name (mk_parm_accessor name) (mk_len_var name)
+              sprintf "\tif (%s) memcpy((void*)%s, __tmp_%s, %s);\n" name name name (mk_len_var name)
           | _ -> ""
     in List.fold_left (fun acc (pty, declr) ->
              match pty with
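Review bot: The copy-back generated in the last hunk now reads the outside buffer through the proxy's own `__tmp_<name>` pointer instead of re-reading the marshalling struct field after the OCALL, which is the security-relevant part of this change, but neither the generator nor the emitted C says so; a comment in gen_func_tproxy such as `(* copy back through the pointer saved before the OCALL: the marshalling struct lives in untrusted memory and its pointer field could have been changed meanwhile *)` would document the invariant. In tproxy_fill_ms_field the PtrOut and PtrInOut templates are now identical except for the `memset`/`memcpy` line, so a small helper taking that one line would remove the duplication. The fences emitted by gen_parm_ptr_direction_pre and gen_func_tbridge hard-code `__builtin_ia32_lfence()` into generated edge code, which ties every consumer's build to GCC/Clang; if other compilers are supported, emitting a macro that resolves to `_mm_lfence()` would be safer. gen_parm_ptr_direction_pre, tproxy_fill_ms_field and gen_func_tproxy each start or end outside their hunks.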

+ 1 - 1
sdk/protected_fs/sgx_tprotected_fs/Makefile

@@ -54,7 +54,7 @@ LIBNAME := libsgx_tprotected_fs.a
 all: $(LIBNAME) | $(BUILD_DIR)
 	@$(CP) $< $|
 
-$(LIBNAME): sgx_tprotected_fs_t.h $(OBJ)
+$(LIBNAME): $(OBJ)
 	$(AR) rcsD $@ $(OBJ)
 	
 sgx_tprotected_fs_t.h: $(EDGER8R)

+ 4 - 3
sdk/protected_fs/sgx_uprotected_fs/Makefile

@@ -50,17 +50,18 @@ LIBNAME := libsgx_uprotected_fs.a
 all: $(LIBNAME) | $(BUILD_DIR)
 	$(CP) $< $|
 
-$(LIBNAME): sgx_tprotected_fs_u.h $(OBJ)
+$(LIBNAME): $(OBJ)
 	$(AR) rcsD $@ $(OBJ)
 	
 sgx_tprotected_fs_u.h: $(EDGER8R)
 	$(EDGER8R) --header-only --untrusted $(COMMON_DIR)/inc/sgx_tprotected_fs.edl --search-path $(COMMON_DIR)/inc
 
-$(OBJ): %.o :%.cpp sgx_tprotected_fs_u.h
-	$(CXX) $(CXXFLAGS) $(INCLUDE)  -c $< -o $@
 $(EDGER8R):
 	$(MAKE) -C $(EDGER8R_DIR)
 
+$(OBJ): %.o :%.cpp sgx_tprotected_fs_u.h
+	$(CXX) $(CXXFLAGS) $(INCLUDE)  -c $< -o $@
+
 $(BUILD_DIR):
 	@$(MKDIR) $@
 

+ 4 - 0
sdk/tkey_exchange/simple_vector.cpp

@@ -101,6 +101,10 @@ errno_t vector_get(const simple_vector* v, uint32_t index, void** data)
 {
     if (!v || index >= v->size || !data)
         return 1;
+        
+    //fence after boundary check 
+    __builtin_ia32_lfence();
+
     *data = v->data[index];
     return 0;
 }
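Review bot: The added line before the fence comment is whitespace-only with trailing spaces, and `//fence after boundary check ` also ends in a trailing space; the blank line should be empty and the comment should say what is being prevented, e.g. `// Serialize after the index bounds check so v->data[index] cannot be read speculatively out of bounds`. If the sibling accessors in this file (not visible here) also index `v->data` after a bounds check, they presumably need the same fence.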

+ 2 - 0
sdk/tkey_exchange/tkey_exchange.cpp

@@ -395,6 +395,8 @@ extern "C" sgx_status_t sgx_ra_get_msg3_trusted(
 
     if (!sgx_is_outside_enclave(emp_msg3, msg3_size))
         return SGX_ERROR_INVALID_PARAMETER;
+    //fence after boundary check
+    __builtin_ia32_lfence();
 
     sgx_status_t se_ret = SGX_ERROR_UNEXPECTED;
 

+ 1 - 0
sdk/trts/init_enclave.cpp

@@ -95,6 +95,7 @@ extern "C" int init_enclave(void *enclave_base, void *ms)
     {
         return -1;
     }
+    __builtin_ia32_lfence();
 
     const system_features_t sys_features = *info;
     g_sdk_version = sys_features.version;
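Review bot: This fence is added without a comment, and the check it follows (the block returning -1) is outside the hunk, so a reader cannot tell which validation it serializes; add something like `// Serialize after the validation above so the copy of *info below cannot run speculatively on rejected input (bounds-check-bypass mitigation)`, adjusting the wording to whatever the preceding check actually validates. init_enclave starts and ends outside the hunk.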

+ 6 - 0
sdk/trts/trts_ecall.cpp

@@ -55,6 +55,9 @@ static sgx_status_t is_ecall_allowed(uint32_t ordinal)
         return SGX_ERROR_INVALID_FUNCTION;
     }
     thread_data_t *thread_data = get_thread_data();
+
+    __builtin_ia32_lfence();
+
     if(thread_data->last_sp == thread_data->stack_base_addr)
     {
         // root ECALL, check the priv bits.
@@ -241,6 +244,9 @@ static sgx_status_t trts_ecall(uint32_t ordinal, void *ms)
     if(status == SGX_SUCCESS)
     {
         ecall_func_t func = (ecall_func_t)addr;
+
+        __builtin_ia32_lfence();
+
         status = func(ms);
     }
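Review bot: Both fences in this file are added without a comment, unlike most of the commit, and the one before `status = func(ms);` needs one in particular: an lfence serializes the loads that produced `addr` from the ordinal validated above, but it does not constrain prediction of the indirect call itself, which is a separate mitigation. A comment such as `// Serialize after the ordinal validation/table lookup above so func is not called through a speculatively out-of-range addr (does not cover indirect-branch prediction)` would state the scope honestly. The first fence, in is_ecall_allowed, sits after `get_thread_data()` and before the `last_sp` comparison, so its comment should name the check it closes (the ordinal check returning SGX_ERROR_INVALID_FUNCTION, if that is the intent). Both functions start and end outside the hunks.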
     

+ 9 - 0
sdk/tseal/tSeal_internal.cpp

@@ -137,6 +137,15 @@ sgx_status_t sgx_unseal_data_helper(const sgx_sealed_data_t *p_sealed_data, uint
         // Return error indicating the blob is corrupted
         return SGX_ERROR_MAC_MISMATCH;
     }
+
+    //
+    // code that calls sgx_unseal_data commonly does some sanity checks
+    // related to plain_text_offset.  We add fence here since we don't 
+    // know what crypto code does and if plain_text_offset-related 
+    // checks mispredict the crypto code could operate on unintended data
+    //
+    __builtin_ia32_lfence();
+
     err = sgx_rijndael128GCM_decrypt(&seal_key, const_cast<uint8_t *>(p_sealed_data->aes_data.payload),
         decrypted_text_length, p_decrypted_text, &payload_iv[0], SGX_SEAL_IV_SIZE,
         const_cast<uint8_t *>(&(p_sealed_data->aes_data.payload[decrypted_text_length])), additional_MACtext_length,
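Review bot: The new comment explains the fence in terms of what callers of sgx_unseal_data do with plain_text_offset, but the branch the fence actually closes in this function is the `return SGX_ERROR_MAC_MISMATCH;` just above it; the comment should lead with that, e.g. `// Serialize after the checks above so the decrypt below cannot run speculatively on a rejected blob; callers also key sanity checks off plain_text_offset, which this fence covers`. The comment lines also carry trailing whitespace. sgx_unseal_data_helper starts and ends outside the hunk.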