load.c (6954B)
1// SPDX-License-Identifier: GPL-2.0 2/* Copyright(c) 2016-20 Intel Corporation. */ 3 4#include <assert.h> 5#include <elf.h> 6#include <errno.h> 7#include <fcntl.h> 8#include <stdbool.h> 9#include <stdio.h> 10#include <stdint.h> 11#include <stdlib.h> 12#include <string.h> 13#include <unistd.h> 14#include <sys/ioctl.h> 15#include <sys/mman.h> 16#include <sys/stat.h> 17#include <sys/time.h> 18#include <sys/types.h> 19#include "defines.h" 20#include "main.h" 21 22void encl_delete(struct encl *encl) 23{ 24 struct encl_segment *heap_seg; 25 26 if (encl->encl_base) 27 munmap((void *)encl->encl_base, encl->encl_size); 28 29 if (encl->bin) 30 munmap(encl->bin, encl->bin_size); 31 32 if (encl->fd) 33 close(encl->fd); 34 35 if (encl->segment_tbl) { 36 heap_seg = &encl->segment_tbl[encl->nr_segments - 1]; 37 munmap(heap_seg->src, heap_seg->size); 38 free(encl->segment_tbl); 39 } 40 41 memset(encl, 0, sizeof(*encl)); 42} 43 44static bool encl_map_bin(const char *path, struct encl *encl) 45{ 46 struct stat sb; 47 void *bin; 48 int ret; 49 int fd; 50 51 fd = open(path, O_RDONLY); 52 if (fd == -1) { 53 perror("enclave executable open()"); 54 return false; 55 } 56 57 ret = stat(path, &sb); 58 if (ret) { 59 perror("enclave executable stat()"); 60 goto err; 61 } 62 63 bin = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); 64 if (bin == MAP_FAILED) { 65 perror("enclave executable mmap()"); 66 goto err; 67 } 68 69 encl->bin = bin; 70 encl->bin_size = sb.st_size; 71 72 close(fd); 73 return true; 74 75err: 76 close(fd); 77 return false; 78} 79 80static bool encl_ioc_create(struct encl *encl) 81{ 82 struct sgx_secs *secs = &encl->secs; 83 struct sgx_enclave_create ioc; 84 int rc; 85 86 assert(encl->encl_base != 0); 87 88 memset(secs, 0, sizeof(*secs)); 89 secs->ssa_frame_size = 1; 90 secs->attributes = SGX_ATTR_MODE64BIT; 91 secs->xfrm = 3; 92 secs->base = encl->encl_base; 93 secs->size = encl->encl_size; 94 95 ioc.src = (unsigned long)secs; 96 rc = ioctl(encl->fd, SGX_IOC_ENCLAVE_CREATE, &ioc); 97 if (rc) { 98 perror("SGX_IOC_ENCLAVE_CREATE failed"); 99 munmap((void *)secs->base, encl->encl_size); 100 return false; 101 } 102 103 return true; 104} 105 106static bool encl_ioc_add_pages(struct encl *encl, struct encl_segment *seg) 107{ 108 struct sgx_enclave_add_pages ioc; 109 struct sgx_secinfo secinfo; 110 int rc; 111 112 memset(&secinfo, 0, sizeof(secinfo)); 113 secinfo.flags = seg->flags; 114 115 ioc.src = (uint64_t)seg->src; 116 ioc.offset = seg->offset; 117 ioc.length = seg->size; 118 ioc.secinfo = (unsigned long)&secinfo; 119 if (seg->measure) 120 ioc.flags = SGX_PAGE_MEASURE; 121 else 122 ioc.flags = 0; 123 124 rc = ioctl(encl->fd, SGX_IOC_ENCLAVE_ADD_PAGES, &ioc); 125 if (rc < 0) { 126 perror("SGX_IOC_ENCLAVE_ADD_PAGES failed"); 127 return false; 128 } 129 130 return true; 131} 132 133bool encl_load(const char *path, struct encl *encl, unsigned long heap_size) 134{ 135 const char device_path[] = "/dev/sgx_enclave"; 136 struct encl_segment *seg; 137 Elf64_Phdr *phdr_tbl; 138 off_t src_offset; 139 Elf64_Ehdr *ehdr; 140 struct stat sb; 141 void *ptr; 142 int i, j; 143 int ret; 144 int fd = -1; 145 146 memset(encl, 0, sizeof(*encl)); 147 148 fd = open(device_path, O_RDWR); 149 if (fd < 0) { 150 perror("Unable to open /dev/sgx_enclave"); 151 goto err; 152 } 153 154 ret = stat(device_path, &sb); 155 if (ret) { 156 perror("device file stat()"); 157 goto err; 158 } 159 160 ptr = mmap(NULL, PAGE_SIZE, PROT_READ, MAP_SHARED, fd, 0); 161 if (ptr == (void *)-1) { 162 perror("mmap for read"); 163 goto err; 164 } 165 munmap(ptr, PAGE_SIZE); 166 167#define ERR_MSG \ 168"mmap() succeeded for PROT_READ, but failed for PROT_EXEC.\n" \ 169" Check that /dev does not have noexec set:\n" \ 170" \tmount | grep \"/dev .*noexec\"\n" \ 171" If so, remount it executable: mount -o remount,exec /dev\n\n" 172 173 ptr = mmap(NULL, PAGE_SIZE, PROT_EXEC, MAP_SHARED, fd, 0); 174 if (ptr == (void *)-1) { 175 fprintf(stderr, ERR_MSG); 176 goto err; 177 } 178 munmap(ptr, PAGE_SIZE); 179 180 encl->fd = fd; 181 182 if (!encl_map_bin(path, encl)) 183 goto err; 184 185 ehdr = encl->bin; 186 phdr_tbl = encl->bin + ehdr->e_phoff; 187 188 encl->nr_segments = 1; /* one for the heap */ 189 190 for (i = 0; i < ehdr->e_phnum; i++) { 191 Elf64_Phdr *phdr = &phdr_tbl[i]; 192 193 if (phdr->p_type == PT_LOAD) 194 encl->nr_segments++; 195 } 196 197 encl->segment_tbl = calloc(encl->nr_segments, 198 sizeof(struct encl_segment)); 199 if (!encl->segment_tbl) 200 goto err; 201 202 for (i = 0, j = 0; i < ehdr->e_phnum; i++) { 203 Elf64_Phdr *phdr = &phdr_tbl[i]; 204 unsigned int flags = phdr->p_flags; 205 206 if (phdr->p_type != PT_LOAD) 207 continue; 208 209 seg = &encl->segment_tbl[j]; 210 211 if (!!(flags & ~(PF_R | PF_W | PF_X))) { 212 fprintf(stderr, 213 "%d has invalid segment flags 0x%02x.\n", i, 214 phdr->p_flags); 215 goto err; 216 } 217 218 if (j == 0 && flags != (PF_R | PF_W)) { 219 fprintf(stderr, 220 "TCS has invalid segment flags 0x%02x.\n", 221 phdr->p_flags); 222 goto err; 223 } 224 225 if (j == 0) { 226 src_offset = phdr->p_offset & PAGE_MASK; 227 encl->src = encl->bin + src_offset; 228 229 seg->prot = PROT_READ | PROT_WRITE; 230 seg->flags = SGX_PAGE_TYPE_TCS << 8; 231 } else { 232 seg->prot = (phdr->p_flags & PF_R) ? PROT_READ : 0; 233 seg->prot |= (phdr->p_flags & PF_W) ? PROT_WRITE : 0; 234 seg->prot |= (phdr->p_flags & PF_X) ? PROT_EXEC : 0; 235 seg->flags = (SGX_PAGE_TYPE_REG << 8) | seg->prot; 236 } 237 238 seg->offset = (phdr->p_offset & PAGE_MASK) - src_offset; 239 seg->size = (phdr->p_filesz + PAGE_SIZE - 1) & PAGE_MASK; 240 seg->src = encl->src + seg->offset; 241 seg->measure = true; 242 243 j++; 244 } 245 246 assert(j == encl->nr_segments - 1); 247 248 seg = &encl->segment_tbl[j]; 249 seg->offset = encl->segment_tbl[j - 1].offset + encl->segment_tbl[j - 1].size; 250 seg->size = heap_size; 251 seg->src = mmap(NULL, heap_size, PROT_READ | PROT_WRITE, 252 MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); 253 seg->prot = PROT_READ | PROT_WRITE; 254 seg->flags = (SGX_PAGE_TYPE_REG << 8) | seg->prot; 255 seg->measure = false; 256 257 if (seg->src == MAP_FAILED) 258 goto err; 259 260 encl->src_size = encl->segment_tbl[j].offset + encl->segment_tbl[j].size; 261 262 for (encl->encl_size = 4096; encl->encl_size < encl->src_size; ) 263 encl->encl_size <<= 1; 264 265 return true; 266 267err: 268 if (fd != -1) 269 close(fd); 270 encl_delete(encl); 271 return false; 272} 273 274static bool encl_map_area(struct encl *encl) 275{ 276 size_t encl_size = encl->encl_size; 277 void *area; 278 279 area = mmap(NULL, encl_size * 2, PROT_NONE, 280 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 281 if (area == MAP_FAILED) { 282 perror("reservation mmap()"); 283 return false; 284 } 285 286 encl->encl_base = ((uint64_t)area + encl_size - 1) & ~(encl_size - 1); 287 288 munmap(area, encl->encl_base - (uint64_t)area); 289 munmap((void *)(encl->encl_base + encl_size), 290 (uint64_t)area + encl_size - encl->encl_base); 291 292 return true; 293} 294 295bool encl_build(struct encl *encl) 296{ 297 struct sgx_enclave_init ioc; 298 int ret; 299 int i; 300 301 if (!encl_map_area(encl)) 302 return false; 303 304 if (!encl_ioc_create(encl)) 305 return false; 306 307 /* 308 * Pages must be added before mapping VMAs because their permissions 309 * cap the VMA permissions. 310 */ 311 for (i = 0; i < encl->nr_segments; i++) { 312 struct encl_segment *seg = &encl->segment_tbl[i]; 313 314 if (!encl_ioc_add_pages(encl, seg)) 315 return false; 316 } 317 318 ioc.sigstruct = (uint64_t)&encl->sigstruct; 319 ret = ioctl(encl->fd, SGX_IOC_ENCLAVE_INIT, &ioc); 320 if (ret) { 321 perror("SGX_IOC_ENCLAVE_INIT failed"); 322 return false; 323 } 324 325 return true; 326}