trts.cpp 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323
  1. /*
  2. * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * * Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. * * Redistributions in binary form must reproduce the above copyright
  11. * notice, this list of conditions and the following disclaimer in
  12. * the documentation and/or other materials provided with the
  13. * distribution.
  14. * * Neither the name of Intel Corporation nor the names of its
  15. * contributors may be used to endorse or promote products derived
  16. * from this software without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  22. * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  23. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  24. * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28. * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. *
  30. */
  31. #include "sgx_trts.h"
  32. #include "sgx_edger8r.h"
  33. #include "trts_inst.h"
  34. #include <stdlib.h>
  35. #include <string.h>
  36. #include "util.h"
  37. #include "thread_data.h"
  38. #include "global_data.h"
  39. #include "internal/rts.h"
  40. #ifdef SE_SIM
  41. #include "t_instructions.h" /* for `g_global_data_sim' */
  42. #include "sgx_spinlock.h"
  43. #endif
  44. #ifndef SE_SIM
  45. #include "se_cdefs.h"
  46. // add a version to trts
  47. SGX_ACCESS_VERSION(trts, 1);
  48. #endif
  49. // sgx_is_within_enclave()
  50. // Parameters:
  51. // addr - the start address of the buffer
  52. // size - the size of the buffer
  53. // Return Value:
  54. // 1 - the buffer is strictly within the enclave
  55. // 0 - the whole buffer or part of the buffer is not within the enclave,
  56. // or the buffer is wrap around
  57. //
  58. int sgx_is_within_enclave(const void *addr, size_t size)
  59. {
  60. size_t start = reinterpret_cast<size_t>(addr);
  61. size_t end = 0;
  62. size_t enclave_start = (size_t)&__ImageBase;
  63. size_t enclave_end = enclave_start + g_global_data.enclave_size - 1;
  64. // g_global_data.enclave_end = enclave_base + enclave_size - 1;
  65. // so the enclave range is [enclave_start, enclave_end] inclusively
  66. if(size > 0)
  67. {
  68. end = start + size - 1;
  69. }
  70. else
  71. {
  72. end = start;
  73. }
  74. if( (start <= end) && (start >= enclave_start) && (end <= enclave_end) )
  75. {
  76. return 1;
  77. }
  78. return 0;
  79. }
  80. // sgx_is_outside_enclave()
  81. // Parameters:
  82. // addr - the start address of the buffer
  83. // size - the size of the buffer
  84. // Return Value:
  85. // 1 - the buffer is strictly outside the enclave
  86. // 0 - the whole buffer or part of the buffer is not outside the enclave,
  87. // or the buffer is wrap around
  88. //
  89. int sgx_is_outside_enclave(const void *addr, size_t size)
  90. {
  91. size_t start = reinterpret_cast<size_t>(addr);
  92. size_t end = 0;
  93. size_t enclave_start = (size_t)&__ImageBase;
  94. size_t enclave_end = enclave_start + g_global_data.enclave_size - 1;
  95. // g_global_data.enclave_end = enclave_base + enclave_size - 1;
  96. // so the enclave range is [enclave_start, enclave_end] inclusively
  97. if(size > 0)
  98. {
  99. end = start + size - 1;
  100. }
  101. else
  102. {
  103. end = start;
  104. }
  105. if( (start <= end) && ((end < enclave_start) || (start > enclave_end)) )
  106. {
  107. return 1;
  108. }
  109. return 0;
  110. }
  111. // sgx_ocalloc()
  112. // Parameters:
  113. // size - bytes to allocate on the outside stack
  114. // Return Value:
  115. // the pointer to the allocated space on the outside stack
  116. // NULL - fail to allocate
  117. //
  118. // sgx_ocalloc allocates memory on the outside stack. It is only used for OCALL, and will be auto freed when ECALL returns.
  119. // To achieve this, the outside stack pointer in SSA is updated when the stack memory is allocated,
  120. // but the outside stack pointer saved in the ECALL stack frame is not changed accordingly.
  121. // When doing an OCALL, the stack pointer is set as the value in SSA and EEXIT.
  122. // When ECALL or exception handling returns, the stack pointer is set as the value in the ECALL stack frame and then EEXIT,
  123. // so the outside stack is automatically unwind.
  124. // In addition, sgx_ocalloc needs perform outside stack probe to make sure it is not allocating beyond the end of the stack.
  125. #define OC_ROUND 16
  126. void * sgx_ocalloc(size_t size)
  127. {
  128. // read the outside stack address from current SSA
  129. thread_data_t *thread_data = get_thread_data();
  130. ssa_gpr_t *ssa_gpr = reinterpret_cast<ssa_gpr_t *>(thread_data->first_ssa_gpr);
  131. size_t addr = ssa_gpr->REG(sp_u);
  132. // check u_rsp points to the untrusted address.
  133. // if the check fails, it should be hacked. call abort directly
  134. if(!sgx_is_outside_enclave(reinterpret_cast<void *>(addr), sizeof(size_t)))
  135. {
  136. abort();
  137. }
  138. // size is too large to allocate. call abort() directly.
  139. if(addr < size)
  140. {
  141. abort();
  142. }
  143. // calculate the start address for the allocated memory
  144. addr -= size;
  145. addr &= ~(static_cast<size_t>(OC_ROUND - 1)); // for stack alignment
  146. // the allocated memory has overlap with enclave, abort the enclave
  147. if(!sgx_is_outside_enclave(reinterpret_cast<void *>(addr), size))
  148. {
  149. abort();
  150. }
  151. // probe the outside stack to ensure that we do not skip over the stack3 guard page
  152. // we need to probe all the pages including the first page and the last page
  153. // the first page need to be probed in case uRTS didnot touch that page before EENTER enclave
  154. // the last page need to be probed in case the enclave didnot touch that page before another OCALLOC
  155. size_t first_page = TRIM_TO_PAGE(ssa_gpr->REG(sp_u) - 1);
  156. size_t last_page = TRIM_TO_PAGE(addr);
  157. // To avoid the dead-loop in the following for(...) loop.
  158. // Attacker might fake a stack address that is within address 0x4095.
  159. if (last_page == 0)
  160. {
  161. abort();
  162. }
  163. // the compiler may optimize the following code to probe the pages in any order
  164. // while we only expect the probe order should be from higher addr to lower addr
  165. // so use volatile to avoid optimization by the compiler
  166. for(volatile size_t page = first_page; page >= last_page; page -= SE_PAGE_SIZE)
  167. {
  168. *reinterpret_cast<uint8_t *>(page) = 0;
  169. }
  170. // update the outside stack address in the SSA
  171. ssa_gpr->REG(sp_u) = addr;
  172. return reinterpret_cast<void *>(addr);
  173. }
  174. // sgx_ocfree()
  175. // Parameters:
  176. // N/A
  177. // Return Value:
  178. // N/A
  179. // sgx_ocfree restores the original outside stack pointer in the SSA.
  180. // Do not call this function if you still need the buffer allocated by sgx_ocalloc within the ECALL.
  181. void sgx_ocfree()
  182. {
  183. // ECALL stack frame
  184. // last_sp -> | |
  185. // -------------
  186. // | ret_addr |
  187. // | xbp_u |
  188. // | xsp_u |
  189. thread_data_t *thread_data = get_thread_data();
  190. ssa_gpr_t *ssa_gpr = reinterpret_cast<ssa_gpr_t *>(thread_data->first_ssa_gpr);
  191. uintptr_t *addr = reinterpret_cast<uintptr_t *>(thread_data->last_sp);
  192. uintptr_t usp = *(addr - 3);
  193. if(!sgx_is_outside_enclave(reinterpret_cast<void *>(usp), sizeof(uintptr_t)))
  194. {
  195. abort();
  196. }
  197. ssa_gpr->REG(sp_u) = usp;
  198. }
  199. #ifdef SE_SIM
  200. static sgx_spinlock_t g_seed_lock = SGX_SPINLOCK_INITIALIZER;
  201. static uint32_t get_rand_lcg()
  202. {
  203. sgx_spin_lock(&g_seed_lock);
  204. uint64_t& seed = g_global_data_sim.seed;
  205. seed = (uint64_t)(6364136223846793005ULL * seed + 1);
  206. uint32_t n = (uint32_t)(seed >> 32);
  207. sgx_spin_unlock(&g_seed_lock);
  208. return n;
  209. }
  210. #endif
  211. static sgx_status_t __do_get_rand32(uint32_t* rand_num)
  212. {
  213. #ifndef SE_SIM
  214. /* We expect the CPU has RDRAND support for HW mode. Otherwise, an exception will be thrown
  215. * do_rdrand() will try to call RDRAND for 10 times
  216. */
  217. if(0 == do_rdrand(rand_num))
  218. return SGX_ERROR_UNEXPECTED;
  219. #else
  220. /* use LCG in simulation mode */
  221. *rand_num = get_rand_lcg();
  222. #endif
  223. return SGX_SUCCESS;
  224. }
  225. sgx_status_t sgx_read_rand(unsigned char *rand, size_t length_in_bytes)
  226. {
  227. // check parameters
  228. //
  229. // rand can be within or outside the enclave
  230. if(!rand || !length_in_bytes)
  231. {
  232. return SGX_ERROR_INVALID_PARAMETER;
  233. }
  234. if(!sgx_is_within_enclave(rand, length_in_bytes) && !sgx_is_outside_enclave(rand, length_in_bytes))
  235. {
  236. return SGX_ERROR_INVALID_PARAMETER;
  237. }
  238. // loop to rdrand
  239. uint32_t rand_num = 0;
  240. while(length_in_bytes > 0)
  241. {
  242. sgx_status_t status = __do_get_rand32(&rand_num);
  243. if(status != SGX_SUCCESS)
  244. {
  245. return status;
  246. }
  247. size_t size = (length_in_bytes < sizeof(rand_num)) ? length_in_bytes : sizeof(rand_num);
  248. memcpy(rand, &rand_num, size);
  249. rand += size;
  250. length_in_bytes -= size;
  251. }
  252. memset_s(&rand_num, sizeof(rand_num), 0, sizeof(rand_num));
  253. return SGX_SUCCESS;
  254. }
  255. #include "trts_internal.h"
  256. extern "C" int enter_enclave(int index, void *ms, void *tcs, int cssa)
  257. {
  258. if(get_enclave_state() == ENCLAVE_CRASHED)
  259. {
  260. return SGX_ERROR_ENCLAVE_CRASHED;
  261. }
  262. sgx_status_t error = SGX_ERROR_UNEXPECTED;
  263. if(cssa == 0)
  264. {
  265. if(index >= 0)
  266. {
  267. error = do_ecall(index, ms, tcs);
  268. }
  269. else if(index == ECMD_INIT_ENCLAVE)
  270. {
  271. error = do_init_enclave(ms);
  272. }
  273. else if(index == ECMD_ORET)
  274. {
  275. error = do_oret(ms);
  276. }
  277. }
  278. else if((cssa == 1) && (index == ECMD_EXCEPT))
  279. {
  280. error = trts_handle_exception(tcs);
  281. }
  282. if(error == SGX_ERROR_UNEXPECTED)
  283. {
  284. set_enclave_state(ENCLAVE_CRASHED);
  285. }
  286. return error;
  287. }