Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable support for enclave-based time tracking by default #661

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 5 additions & 1 deletion intel-sgx/enclave-runner/src/loader.rs
Original file line number Diff line number Diff line change
Expand Up @@ -146,7 +146,7 @@ impl<'a> EnclaveBuilder<'a> {
load_and_sign: None,
hash_enclave: None,
forward_panics: false,
force_time_usercalls: true, // By default, keep the old behavior of always doing a usercall on an insecure_time call
force_time_usercalls: false,
cmd_args: None,
};

Expand Down Expand Up @@ -278,6 +278,10 @@ impl<'a> EnclaveBuilder<'a> {
self
}

pub fn forced_insecure_time_usercalls(&self) -> bool {
self.force_time_usercalls
}

fn initialized_args_mut(&mut self) -> &mut Vec<Vec<u8>> {
self.cmd_args.get_or_insert_with(|| vec![b"enclave".to_vec()])
}
Expand Down
1 change: 1 addition & 0 deletions intel-sgx/fortanix-sgx-tools/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ edition = "2018"
[dependencies]
# Project dependencies
aesm-client = { version = "0.6.0", path = "../aesm-client", features = ["sgxs"] }
insecure-time = { version = "0.1.0", path = "../insecure-time" }
sgxs-loaders = { version = "0.4.0", path = "../sgxs-loaders" }
enclave-runner = { version = "0.6.0", path = "../enclave-runner" }
sgxs = { version = "0.8.0", path = "../sgxs" }
Expand Down
8 changes: 8 additions & 0 deletions intel-sgx/fortanix-sgx-tools/src/bin/ftxsgx-runner.rs
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ use std::io::{stderr, Write};
use aesm_client::AesmClient;
use enclave_runner::EnclaveBuilder;
use anyhow::Context;
use insecure_time::Rdtscp;
#[cfg(unix)]
use libc::{c_int, c_void, siginfo_t};
#[cfg(unix)]
Expand Down Expand Up @@ -77,6 +78,7 @@ fn main() -> Result<(), anyhow::Error> {
.build();

let mut enclave_builder = EnclaveBuilder::new(file.as_ref());
let forced_insecure_time_usercalls = enclave_builder.forced_insecure_time_usercalls();

match args.value_of("signature").map(|v| v.parse().expect("validated")) {
Some(Signature::coresident) => { enclave_builder.coresident_signature().context("While loading coresident signature")?; }
Expand All @@ -94,6 +96,12 @@ fn main() -> Result<(), anyhow::Error> {

enclave.run().map_err(|e| {
eprintln!("Error while executing SGX enclave.\n{}", e);
if !forced_insecure_time_usercalls && Rdtscp::is_supported() && e.to_string() == "Enclave panicked: fatal runtime error: assertion failed: usercall_retval.1 == 0\n" {
eprintln!("This might be due to an ABI change related to insecure time in the enclave. If so, this can be resolved by:");
eprintln!(" - recompiling the enclave with a newer toolchain, or");
eprintln!(" - downgrading the enclave runner, or");
eprintln!(" - using a custom enclave runner can calling `EnclaveBuilder::force_insecure_time_usercalls(true)` when building the enclave");
}
std::process::exit(-1)
})
}