
  1. /*
  2. * Copyright (C) 2011-2016 Intel Corporation. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * * Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. * * Redistributions in binary form must reproduce the above copyright
  11. * notice, this list of conditions and the following disclaimer in
  12. * the documentation and/or other materials provided with the
  13. * distribution.
  14. * * Neither the name of Intel Corporation nor the names of its
  15. * contributors may be used to endorse or promote products derived
  16. * from this software without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  22. * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  23. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  24. * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28. * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. *
  30. */
  31. // t_instructions.cpp -- It simulates Enclave instructions.
  32. #include <string.h>
  33. #include <stdlib.h>
  34. #include "arch.h"
  35. #include "util.h"
  36. #include "lowlib.h"
  37. #include "sgx_trts.h"
  38. #include "trts_inst.h"
  39. #include "deriv.h"
  40. #include "t_instructions.h"
  41. #include "td_mngr.h"
  42. ////////////////////////////////////////////////////////////////////////
// Simulator-wide state shared by the instruction emulations in this file.
// _EGETKEY and _EREPORT read secs_ptr (the current enclave's SECS) and
// cpusvn_sim (the simulated platform CPUSVN). The first initializer is NULL,
// presumably secs_ptr -- confirm against global_data_sim_t; both emulations
// dereference secs_ptr without a NULL check, so it must be installed before
// they run.
global_data_sim_t g_global_data_sim = {NULL, {{0}}, 0};
// Simulated general-protection fault. Where hardware raises #GP on a failed
// operand check, the simulator terminates the process.
#define GP() abort()
// Fault when `cond` holds. `cond` is evaluated exactly once.
#define GP_ON(cond) do { if (unlikely(cond)) GP(); } while (0)
  46. ////////////////////////////////////////////////////////////////////////
  47. // Simulation for EGETKEY
  48. ////////////////////////////////////////////////////////////////////////
  49. // The hard-coded OwnerEpoch.
// The hard-coded OwnerEpoch; the bytes spell "THISISOWNEREPOCH". It stands in
// for the per-platform owner epoch that real hardware mixes into key
// derivation. Being a public constant, it contributes no secret to the
// simulated keys.
static const se_owner_epoch_t SIMU_OWNER_EPOCH_MSR = {
    0x54, 0x48, 0x49, 0x53, 0x49, 0x53, 0x4f, 0x57,
    0x4e, 0x45, 0x52, 0x45, 0x50, 0x4f, 0x43, 0x48,
};
// Validate the CPUSVN in KEYREQUEST `kr` against the three SVN values the
// simulator knows (UPGRADED/DEFAULT/DOWNGRADED) and against the simulated
// platform CPUSVN (g_global_data_sim.cpusvn_sim).
//
// Rejected: an SVN that is none of the three; an UPGRADED request while the
// platform is at DEFAULT; anything other than DOWNGRADED while the platform
// is DOWNGRADED. With the platform at UPGRADED all three values pass.
//
// Hidden control flow: expands to `return EGETKEY_INVALID_CPUSVN;` on
// failure, so it may only be used in a function returning an EGETKEY status
// (_EGETKEY). memcmp is fine here: CPUSVN is not secret material.
#define check_cpu_svn(kr) do { \
    if(memcmp(&kr->cpu_svn, &UPGRADED_CPUSVN, sizeof(UPGRADED_CPUSVN)) && \
       memcmp(&kr->cpu_svn, &DEFAULT_CPUSVN, sizeof(DEFAULT_CPUSVN)) && \
       memcmp(&kr->cpu_svn, &DOWNGRADED_CPUSVN, sizeof(DOWNGRADED_CPUSVN))){ \
        return EGETKEY_INVALID_CPUSVN; \
    } \
    if ( (!memcmp(&g_global_data_sim.cpusvn_sim, &DEFAULT_CPUSVN, sizeof(DEFAULT_CPUSVN)) && \
          !memcmp(&kr->cpu_svn, &UPGRADED_CPUSVN, sizeof(UPGRADED_CPUSVN))) || \
         (!memcmp(&g_global_data_sim.cpusvn_sim, &DOWNGRADED_CPUSVN, sizeof(DOWNGRADED_CPUSVN)) && \
          memcmp(&kr->cpu_svn, &DOWNGRADED_CPUSVN, sizeof(DOWNGRADED_CPUSVN)))){ \
        return EGETKEY_INVALID_CPUSVN; \
    } \
} while(0)
// A request may only derive keys for an ISVSVN no newer than the enclave's
// own (SECS) ISVSVN. Hidden control flow: returns EGETKEY_INVALID_ISVSVN from
// the enclosing function on failure.
#define check_isv_svn(kr, secs) do { \
    if (kr->isv_svn > secs->isv_svn) { \
        return EGETKEY_INVALID_ISVSVN; \
    } \
} while(0)
// Require attribute bit `flag` to be set in the SECS. Used to gate the key
// types that need a privilege attribute (EINITTOKEN_KEY, PROVISION_KEY).
// Hidden control flow: returns EGETKEY_INVALID_ATTRIBUTE from the enclosing
// function on failure.
#define check_attr_flag(secs, flag) do { \
    if ((secs->attributes.flags & flag) == 0) { \
        return EGETKEY_INVALID_ATTRIBUTE; \
    } \
} while(0)
  77. // The hardware EGETKEY instruction will set ZF on failure.
  78. //
  79. // In simulation mode, we cannot guarantee that the ZF is always set
  80. // between _EGETKEY returning and tRTS testing ZF, since there
  81. // is additional assembly code in between.
  82. //
  83. // In simulation mode, we check return code instead of ZF.
  84. // c.f. do_egetkey() in trts/linux/trts_pic.S
// Simulated EGETKEY: derive the 128-bit key described by KEYREQUEST `kr`
// into `okey`.
//
// Returns 0 on success, or EGETKEY_INVALID_{CPUSVN,ISVSVN,ATTRIBUTE,KEYNAME}
// (the check_* macros return the first three directly from this function).
// Conditions that hardware reports with #GP -- misaligned or out-of-enclave
// operands, reserved bits or bytes set -- abort the process via GP_ON.
//
// Side effect: when kr->cpu_svn is all zero it is overwritten with
// DEFAULT_CPUSVN in the caller's KEYREQUEST (see below); callers must not
// assume the request is left untouched.
// Reads g_global_data_sim.secs_ptr and .cpusvn_sim.
static int _EGETKEY(sgx_key_request_t* kr, sgx_key_128bit_t okey)
{
    // check alignment of KEYREQUEST
    GP_ON(((size_t)kr & (KEY_REQUEST_ALIGN_SIZE - 1)) != 0);
    // check to see if KEYREQUEST is inside the current enclave
    GP_ON(!sgx_is_within_enclave(kr, sizeof(sgx_key_request_t)));
    // check alignment of OUTPUTDATA
    GP_ON(((size_t)okey & (KEY_ALIGN_SIZE - 1)) != 0);
    // check to see if OUTPUTDATA is inside the current enclave
    GP_ON(!sgx_is_within_enclave(okey, sizeof(sgx_key_128bit_t)));
    // check reserved bits are not set: only the MRENCLAVE/MRSIGNER policy bits are accepted
    GP_ON((kr->key_policy & ~(SGX_KEYPOLICY_MRENCLAVE | SGX_KEYPOLICY_MRSIGNER)) != 0);
    // check to see if reserved space in KEYREQUEST is valid (every byte must be zero)
    const uint8_t* u8ptr = (uint8_t *)(&(kr->reserved1));
    for (unsigned i = 0; i < sizeof(kr->reserved1); ++i)
        GP_ON(u8ptr[i] != (uint8_t)0);
    u8ptr = (uint8_t *)(&(kr->reserved2));
    for (unsigned i = 0; i < sizeof(kr->reserved2); ++i)
        GP_ON(u8ptr[i] != (uint8_t)0);
    // NOTE(review): secs_ptr starts out NULL (file-scope initializer) and is
    // not checked here; a call before the SECS is installed faults on the
    // dereference below instead of through GP().
    secs_t* cur_secs = g_global_data_sim.secs_ptr;
    sgx_attributes_t tmp_attr;
    derivation_data_t dd;
    memset(&dd, 0, sizeof(dd));
    dd.key_name = kr->key_name;
    // Determine which enclave attributes must be included in the key.
    // Attributes that must always be included: INIT & DEBUG.
    // The mask is forced to contain INITTED|DEBUG and then intersected with
    // the attributes the SECS actually carries, so a request cannot bind a
    // key to attributes the enclave does not have, and the enclave's real
    // DEBUG bit always feeds the key.
    memset(&tmp_attr, 0, sizeof(tmp_attr));
    tmp_attr.flags = kr->attribute_mask.flags | SGX_FLAGS_INITTED | SGX_FLAGS_DEBUG;
    tmp_attr.flags &= cur_secs->attributes.flags;
    tmp_attr.xfrm = kr->attribute_mask.xfrm & cur_secs->attributes.xfrm;
    // HW supports CPUSVN to be set as 0.
    // To be consistent with HW behaviour, we replace the cpusvn as DEFAULT_CPUSVN if the input cpusvn is 0.
    // dd was just zeroed, so dd.ddpk.cpu_svn serves as the all-zero reference.
    // NOTE: the replacement is written into the caller's KEYREQUEST, not a local copy.
    if(!memcmp(&kr->cpu_svn, &dd.ddpk.cpu_svn, sizeof(sgx_cpu_svn_t)))
    {
        memcpy(&kr->cpu_svn, &DEFAULT_CPUSVN, sizeof(sgx_cpu_svn_t));
    }
    switch (kr->key_name) {
    case SGX_KEYSELECT_SEAL:
        // Seal key: bound to MRENCLAVE and/or MRSIGNER as selected by
        // key_policy, the masked attributes, the requested (validated)
        // CPUSVN/ISVSVN, the owner epoch and the caller's key_id.
        check_isv_svn(kr, cur_secs);
        check_cpu_svn(kr);
        // assemble derivation data
        dd.size = sizeof(dd_seal_key_t);
        if (kr->key_policy & SGX_KEYPOLICY_MRENCLAVE) {
            memcpy(&dd.ddsk.mrenclave, &cur_secs->mr_enclave, sizeof(sgx_measurement_t));
        }
        if (kr->key_policy & SGX_KEYPOLICY_MRSIGNER) {
            memcpy(&dd.ddsk.mrsigner, &cur_secs->mr_signer, sizeof(sgx_measurement_t));
        }
        memcpy(&dd.ddsk.tmp_attr, &tmp_attr, sizeof(sgx_attributes_t));
        memcpy(&dd.ddsk.attribute_mask, &kr->attribute_mask, sizeof(sgx_attributes_t));
        memcpy(dd.ddsk.csr_owner_epoch, SIMU_OWNER_EPOCH_MSR, sizeof(se_owner_epoch_t));
        memcpy(&dd.ddsk.cpu_svn,&kr->cpu_svn,sizeof(sgx_cpu_svn_t));
        dd.ddsk.isv_svn = kr->isv_svn;
        dd.ddsk.isv_prod_id = cur_secs->isv_prod_id;
        memcpy(&dd.ddsk.key_id, &kr->key_id, sizeof(sgx_key_id_t));
        break;
    case SGX_KEYSELECT_REPORT:
        // Report key: no SVN or attribute checks. Bound to the enclave's full
        // (unmasked) attributes and MRENCLAVE, the *platform* CPUSVN
        // (cpusvn_sim, not the request's) and the caller's key_id. This is the
        // layout _EREPORT derives with, so a target enclave can recompute the
        // key used to MAC a report addressed to it.
        // assemble derivation data
        dd.size = sizeof(dd_report_key_t);
        memcpy(&dd.ddrk.attributes, &cur_secs->attributes, sizeof(sgx_attributes_t));
        memcpy(dd.ddrk.csr_owner_epoch, SIMU_OWNER_EPOCH_MSR, sizeof(se_owner_epoch_t));
        memcpy(&dd.ddrk.cpu_svn,&(g_global_data_sim.cpusvn_sim),sizeof(sgx_cpu_svn_t));
        memcpy(&dd.ddrk.mrenclave, &cur_secs->mr_enclave, sizeof(sgx_measurement_t));
        memcpy(&dd.ddrk.key_id, &kr->key_id, sizeof(sgx_key_id_t));
        break;
    case SGX_KEYSELECT_EINITOKEN:
        // EINIT-token (license) key: only for enclaves carrying the
        // EINITTOKEN_KEY attribute. Uses the full SECS attributes rather than
        // the masked ones.
        check_attr_flag(cur_secs, SGX_FLAGS_EINITTOKEN_KEY);
        check_isv_svn(kr, cur_secs);
        check_cpu_svn(kr);
        // assemble derivation data
        dd.size = sizeof(dd_license_key_t);
        memcpy(&dd.ddlk.attributes, &cur_secs->attributes, sizeof(sgx_attributes_t));
        memcpy(dd.ddlk.csr_owner_epoch, SIMU_OWNER_EPOCH_MSR, sizeof(se_owner_epoch_t));
        memcpy(&dd.ddlk.cpu_svn,&kr->cpu_svn,sizeof(sgx_cpu_svn_t));
        dd.ddlk.isv_svn = kr->isv_svn;
        dd.ddlk.isv_prod_id = cur_secs->isv_prod_id;
        memcpy(&dd.ddlk.key_id, &kr->key_id, sizeof(sgx_key_id_t));
        break;
    case SGX_KEYSELECT_PROVISION: // Pass through. Only key_name differs.
    case SGX_KEYSELECT_PROVISION_SEAL:
        // Provisioning keys: only for enclaves carrying PROVISION_KEY. Bound
        // to MRSIGNER, the masked attributes and the SVNs; unlike the other
        // key types no owner epoch or key_id is mixed in. The two names share
        // this layout and are told apart by dd.key_name, set above.
        check_attr_flag(cur_secs, SGX_FLAGS_PROVISION_KEY);
        check_isv_svn(kr, cur_secs);
        check_cpu_svn(kr);
        // assemble derivation data
        dd.size = sizeof(dd_provision_key_t);
        memcpy(&dd.ddpk.tmp_attr, &tmp_attr, sizeof(sgx_attributes_t));
        memcpy(&dd.ddpk.attribute_mask, &kr->attribute_mask, sizeof(sgx_attributes_t));
        memcpy(&dd.ddpk.cpu_svn,&kr->cpu_svn,sizeof(sgx_cpu_svn_t));
        dd.ddpk.isv_svn = kr->isv_svn;
        dd.ddpk.isv_prod_id = cur_secs->isv_prod_id;
        memcpy(&dd.ddpk.mrsigner, &cur_secs->mr_signer, sizeof(sgx_measurement_t));
        break;
    default:
        return EGETKEY_INVALID_KEYNAME;
    }
    // derive_key writes the 128-bit result straight into the caller's okey.
    derive_key(&dd, okey);
    return 0;
}
  183. ////////////////////////////////////////////////////////////////////////
  184. // Simulation for EREPORT
  185. ////////////////////////////////////////////////////////////////////////
// Simulated EREPORT: build a report describing the current enclave, MACed
// with the report key of the enclave named by TARGETINFO `ti`, and store it
// in `report`. `rd` is the 64-byte caller-supplied REPORTDATA.
//
// Never fails: every operand check (alignment, inside-enclave) aborts via
// GP_ON, mirroring the #GP hardware would raise. Reads the current SECS and
// the simulated platform CPUSVN from g_global_data_sim; secs_ptr is not
// NULL-checked.
static void _EREPORT(const sgx_target_info_t* ti, const sgx_report_data_t* rd, sgx_report_t* report)
{
    // check alignment of TARGETINFO
    GP_ON(((size_t)ti & (TARGET_INFO_ALIGN_SIZE - 1)) != 0);
    // check to see if TARGETINFO is inside the current enclave
    GP_ON(!sgx_is_within_enclave(ti, sizeof(sgx_target_info_t)));
    // check alignment of REPORTDATA
    GP_ON(((size_t)rd & (REPORT_DATA_ALIGN_SIZE - 1)) != 0);
    // check to see if REPORTDATA is inside the current enclave
    GP_ON(!sgx_is_within_enclave(rd, sizeof(sgx_report_data_t)));
    // check alignment of OUTPUTDATA
    GP_ON(((size_t)report & (REPORT_ALIGN_SIZE - 1)) != 0);
    // check to see if OUTPUTDATA is inside the current enclave
    GP_ON(!sgx_is_within_enclave(report, sizeof(sgx_report_t)));
    secs_t* cur_secs = g_global_data_sim.secs_ptr;
    // Built on the stack at REPORT_ALIGN_SIZE and copied out in one step at
    // the end, so the caller's buffer never holds a half-assembled report.
    SE_DECLSPEC_ALIGN(REPORT_ALIGN_SIZE) sgx_report_t tmp_report;
    // assemble REPORT Data: the body describes *this* enclave (SECS fields
    // plus the platform CPUSVN and the caller's report data).
    memset(&tmp_report, 0, sizeof(tmp_report));
    memcpy(&tmp_report.body.cpu_svn,&(g_global_data_sim.cpusvn_sim),sizeof(sgx_cpu_svn_t));
    tmp_report.body.isv_prod_id = cur_secs->isv_prod_id;
    tmp_report.body.isv_svn = cur_secs->isv_svn;
    memcpy(&tmp_report.body.attributes, &cur_secs->attributes, sizeof(sgx_attributes_t));
    memcpy(&tmp_report.body.report_data, rd, sizeof(sgx_report_data_t));
    memcpy(&tmp_report.body.mr_enclave, &cur_secs->mr_enclave, sizeof(sgx_measurement_t));
    memcpy(&tmp_report.body.mr_signer, &cur_secs->mr_signer, sizeof(sgx_measurement_t));
    // Only the first half of KEYID is filled from the base key; the rest
    // stays zero from the memset above. NOTE(review): hardware uses a random
    // key id here, so simulated reports are deterministic in a way real ones
    // are not -- acceptable for simulation, but do not rely on it.
    memcpy(&tmp_report.key_id, get_base_key(SGX_KEYSELECT_REPORT), sizeof(sgx_key_id_t)/2);
    // derive the report key. The derivation data mirrors the
    // SGX_KEYSELECT_REPORT branch of _EGETKEY, but with the *target's*
    // MRENCLAVE and ATTRIBUTES from TARGETINFO in place of the current SECS,
    // so only the target enclave can recompute this key and verify the MAC.
    derivation_data_t dd;
    memset(&dd, 0, sizeof(dd));
    dd.size = sizeof(dd_report_key_t);
    dd.key_name = SGX_KEYSELECT_REPORT;
    memcpy(&dd.ddrk.mrenclave, &ti->mr_enclave, sizeof(sgx_measurement_t));
    memcpy(&dd.ddrk.attributes, &ti->attributes, sizeof(sgx_attributes_t));
    memcpy(dd.ddrk.csr_owner_epoch, SIMU_OWNER_EPOCH_MSR, sizeof(se_owner_epoch_t));
    memcpy(&dd.ddrk.cpu_svn,&(g_global_data_sim.cpusvn_sim),sizeof(sgx_cpu_svn_t));
    memcpy(&dd.ddrk.key_id, &tmp_report.key_id, sizeof(sgx_key_id_t));
    // calculate the derived key
    sgx_key_128bit_t tmp_report_key;
    memset(tmp_report_key, 0, sizeof(tmp_report_key));
    derive_key(&dd, tmp_report_key);
    // call cryptographic CMAC function
    // CMAC data are *NOT* including MAC and KEYID
    cmac(&tmp_report_key, reinterpret_cast<uint8_t*>(&tmp_report.body),
         sizeof(tmp_report.body), &tmp_report.mac);
    // NOTE(review): tmp_report_key is left on the stack after use. Hardware
    // never exposes the report key; an explicit clear that the optimizer
    // cannot drop (plain memset may be removed) would be prudent here.
    memcpy(report, &tmp_report, sizeof(sgx_report_t));
}
  232. ////////////////////////////////////////////////////////////////////////
// Simulated EEXIT: leave the enclave and resume untrusted code at `dest`.
//
// Register conventions are the simulator's, not hardware's: xcx carries the
// untrusted XSP and xdx the untrusted XBP, which is also how the TCS is
// located (GET_TCS_PTR(xdx)). xsi and xdi are passed through unchanged.
// Marks the TCS inactive and hands control to load_regs(); never returns.
// Faults (GP_ON) if the TCS cannot be found, the thread data cannot be
// restored, or the TCS is not currently active.
static void
_EEXIT(uintptr_t dest, uintptr_t xcx, uintptr_t xdx, uintptr_t xsi, uintptr_t xdi)
{
    // By simulator convention, XDX contains XBP and XCX contains XSP.
    enclu_regs_t regs;
    // when the code jumps back to the ip after EENTER, the simulation code unwinds the stack
    // by adding 6*sizeof(uintptr_t), so we subtract it in advance.
    regs.xsp = xcx - 6 * sizeof(uintptr_t);
    regs.xbp = xdx;
    regs.xip = dest;
    tcs_t *tcs = GET_TCS_PTR(xdx);
    GP_ON(tcs == NULL);
    // restore the used _tls_array (must happen before the TCS state is touched)
    GP_ON(td_mngr_restore_td(tcs) == false);
    // check thread is in use or not; the simulator keeps its per-thread
    // bookkeeping (tcs_sim_t) in the TCS's reserved area.
    tcs_sim_t *tcs_sim = reinterpret_cast<tcs_sim_t *>(tcs->reserved);
    GP_ON(tcs_sim->tcs_state != TCS_STATE_ACTIVE);
    tcs_sim->tcs_state = TCS_STATE_INACTIVE;
    // Outgoing register image: XAX cleared, XBX = exit target, XCX = the AEP
    // recorded at entry (saved_aep). NOTE(review): xsi/xdi leave the enclave
    // verbatim; any scrubbing of registers on exit has to happen before this
    // call -- none is done here.
    regs.xax = 0;
    regs.xbx = dest;
    regs.xcx = tcs_sim->saved_aep;
    regs.xsi = xsi;
    regs.xdi = xdi;
    load_regs(&regs);
    // Never returns.....
}
  259. // Master entry functions
  260. #pragma GCC push_options
  261. #pragma GCC optimize ("O0")
// Master entry for the simulated ENCLU leaf functions.
//
// xax selects the leaf (SE_EEXIT, SE_EGETKEY or SE_EREPORT); xbx, xcx and
// xdx carry that leaf's operands, and xsi/xdi are consumed only by EEXIT.
// Returns EGETKEY's status code, 0 after EREPORT, and does not return for
// EEXIT because _EEXIT hands control to load_regs(). Any other leaf value
// faults via GP(). Compiled at -O0 (see the surrounding pragmas); this
// dispatch deliberately introduces no locals of its own.
uintptr_t _SE3(uintptr_t xax, uintptr_t xbx, uintptr_t xcx,
               uintptr_t xdx, uintptr_t xsi, uintptr_t xdi)
{
    if (xax == SE_EEXIT) {
        _EEXIT(xbx, xcx, xdx, xsi, xdi);
        return 0; // not reached: _EEXIT never returns
    }

    if (xax == SE_EGETKEY) {
        return _EGETKEY(reinterpret_cast<sgx_key_request_t *>(xbx),
                        reinterpret_cast<uint8_t *>(xcx));
    }

    if (xax == SE_EREPORT) {
        _EREPORT(reinterpret_cast<sgx_target_info_t *>(xbx),
                 reinterpret_cast<sgx_report_data_t *>(xcx),
                 reinterpret_cast<sgx_report_t *>(xdx));
        return 0;
    }

    // Unknown leaf: fault, like hardware would on an unsupported ENCLU leaf.
    GP();
    return (uintptr_t)-1;
}
  283. #pragma GCC pop_options