diff --git a/core/iwasm/common/wasm_runtime_common.c b/core/iwasm/common/wasm_runtime_common.c index a6e552e9..fbcdfcd0 100644 --- a/core/iwasm/common/wasm_runtime_common.c +++ b/core/iwasm/common/wasm_runtime_common.c @@ -1160,6 +1160,12 @@ wasm_runtime_deinstantiate(WASMModuleInstanceCommon *module_inst) wasm_runtime_deinstantiate_internal(module_inst, false); } +WASMModuleCommon * +wasm_runtime_get_module(WASMModuleInstanceCommon *module_inst) +{ + return (WASMModuleCommon *)((WASMModuleInstance *)module_inst)->module; +} + WASMExecEnv * wasm_runtime_create_exec_env(WASMModuleInstanceCommon *module_inst, uint32 stack_size) diff --git a/core/iwasm/common/wasm_runtime_common.h b/core/iwasm/common/wasm_runtime_common.h index bcfa05cb..cc311ba7 100644 --- a/core/iwasm/common/wasm_runtime_common.h +++ b/core/iwasm/common/wasm_runtime_common.h @@ -488,6 +488,10 @@ wasm_runtime_instantiate(WASMModuleCommon *module, uint32 stack_size, WASM_RUNTIME_API_EXTERN void wasm_runtime_deinstantiate(WASMModuleInstanceCommon *module_inst); +/* See wasm_export.h for description */ +WASM_RUNTIME_API_EXTERN WASMModuleCommon * +wasm_runtime_get_module(WASMModuleInstanceCommon *module_inst); + /* See wasm_export.h for description */ WASM_RUNTIME_API_EXTERN WASMFunctionInstanceCommon * wasm_runtime_lookup_function(WASMModuleInstanceCommon *const module_inst, diff --git a/core/iwasm/include/wasm_export.h b/core/iwasm/include/wasm_export.h index 182c5753..cc173af9 100644 --- a/core/iwasm/include/wasm_export.h +++ b/core/iwasm/include/wasm_export.h @@ -357,6 +357,17 @@ wasm_runtime_load_from_sections(wasm_section_list_t section_list, bool is_aot, WASM_RUNTIME_API_EXTERN void wasm_runtime_unload(wasm_module_t module); +/** + * Get the module hash of a WASM module, currently only available on + * linux-sgx platform when the remote attestation feature is enabled + * + * @param module the WASM module to retrieve + * + * @return the module hash of the WASM module + */ +char * +wasm_runtime_get_module_hash(wasm_module_t module); + /** * Set WASI parameters. * @@ -444,6 +455,16 @@ wasm_runtime_instantiate(const wasm_module_t module, WASM_RUNTIME_API_EXTERN void wasm_runtime_deinstantiate(wasm_module_inst_t module_inst); +/** + * Get WASM module from WASM module instance + * + * @param module_inst the WASM module instance to retrieve + * + * @return the WASM module + */ +WASM_RUNTIME_API_EXTERN wasm_module_t +wasm_runtime_get_module(wasm_module_inst_t module_inst); + WASM_RUNTIME_API_EXTERN bool wasm_runtime_is_wasi_mode(wasm_module_inst_t module_inst); diff --git a/core/iwasm/libraries/lib-rats/lib_rats_common.h b/core/iwasm/libraries/lib-rats/lib_rats_common.h index 223f2fc3..929e105f 100644 --- a/core/iwasm/libraries/lib-rats/lib_rats_common.h +++ b/core/iwasm/libraries/lib-rats/lib_rats_common.h @@ -11,9 +11,14 @@ #include #include +#ifdef __cplusplus +extern "C" { +#endif + #define SGX_QUOTE_MAX_SIZE 8192 #define SGX_USER_DATA_SIZE 64 #define SGX_MEASUREMENT_SIZE 32 + /* clang-format off */ typedef struct rats_sgx_evidence { uint8_t quote[SGX_QUOTE_MAX_SIZE]; /* The quote of the Enclave */ @@ -28,4 +33,8 @@ typedef struct rats_sgx_evidence { } rats_sgx_evidence_t; /* clang-format on */ -#endif \ No newline at end of file +#ifdef __cplusplus +} +#endif + +#endif diff --git a/core/iwasm/libraries/lib-rats/lib_rats_wrapper.c b/core/iwasm/libraries/lib-rats/lib_rats_wrapper.c index 81250d95..59d61f4c 100644 --- a/core/iwasm/libraries/lib-rats/lib_rats_wrapper.c +++ b/core/iwasm/libraries/lib-rats/lib_rats_wrapper.c @@ -16,13 +16,13 @@ #include "bh_common.h" #include "lib_rats_common.h" -extern char wasm_module_hash[SHA256_DIGEST_LENGTH]; - static int librats_collect_wrapper(wasm_exec_env_t exec_env, char **evidence_json, const char *buffer, uint32_t buffer_size) { wasm_module_inst_t module_inst = get_module_inst(exec_env); + wasm_module_t module = wasm_runtime_get_module(module_inst); + char *wasm_module_hash = wasm_runtime_get_module_hash(module); char *json, *str_ret; uint32_t str_ret_offset; @@ -112,4 +112,4 @@ get_lib_rats_export_apis(NativeSymbol **p_lib_rats_apis) { *p_lib_rats_apis = native_symbols_lib_rats; return sizeof(native_symbols_lib_rats) / sizeof(NativeSymbol); -} \ No newline at end of file +} diff --git a/core/iwasm/libraries/lib-rats/lib_rats_wrapper.h b/core/iwasm/libraries/lib-rats/lib_rats_wrapper.h index 294dca77..e334983e 100644 --- a/core/iwasm/libraries/lib-rats/lib_rats_wrapper.h +++ b/core/iwasm/libraries/lib-rats/lib_rats_wrapper.h @@ -10,6 +10,7 @@ #include #include + #include "lib_rats_common.h" #ifdef __cplusplus @@ -44,4 +45,4 @@ librats_parse_evidence(const char *evidence_json, uint32_t json_size, } #endif -#endif \ No newline at end of file +#endif diff --git a/product-mini/platforms/linux-sgx/CMakeLists.txt b/product-mini/platforms/linux-sgx/CMakeLists.txt index cfd3f4b6..306f634e 100644 --- a/product-mini/platforms/linux-sgx/CMakeLists.txt +++ b/product-mini/platforms/linux-sgx/CMakeLists.txt @@ -140,14 +140,14 @@ endif() if (WAMR_BUILD_SGX_IPFS EQUAL 1) execute_process( - COMMAND bash -c "sed -i -E 's/^#define SGX_IPFS 0/#define SGX_IPFS 1/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Enclave/Enclave.edl" - COMMAND bash -c "sed -i -E 's/^SGX_IPFS = 0/SGX_IPFS = 1/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Makefile" + COMMAND bash -c "sed -i -E 's/^#define WASM_ENABLE_SGX_IPFS 0/#define WASM_ENABLE_SGX_IPFS 1/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Enclave/Enclave.edl" + COMMAND bash -c "sed -i -E 's/^WAMR_BUILD_SGX_IPFS = 0/WAMR_BUILD_SGX_IPFS = 1/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Makefile" OUTPUT_VARIABLE cmdOutput ) else() execute_process( - COMMAND bash -c "sed -i -E 's/^#define SGX_IPFS 1/#define SGX_IPFS 0/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Enclave/Enclave.edl" - COMMAND bash -c "sed -i -E 's/^SGX_IPFS = 1/SGX_IPFS = 0/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Makefile" + COMMAND bash -c "sed -i -E 's/^#define WASM_ENABLE_SGX_IPFS 1/#define WASM_ENABLE_SGX_IPFS 0/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Enclave/Enclave.edl" + COMMAND bash -c "sed -i -E 's/^WAMR_BUILD_SGX_IPFS = 1/WAMR_BUILD_SGX_IPFS = 0/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Makefile" OUTPUT_VARIABLE cmdOutput ) endif() diff --git a/product-mini/platforms/linux-sgx/enclave-sample/App/App.cpp b/product-mini/platforms/linux-sgx/enclave-sample/App/App.cpp index 95a6869c..0a6f24a9 100644 --- a/product-mini/platforms/linux-sgx/enclave-sample/App/App.cpp +++ b/product-mini/platforms/linux-sgx/enclave-sample/App/App.cpp @@ -103,7 +103,7 @@ enclave_init(sgx_enclave_id_t *p_eid) <= MAX_PATH - 1 - sizeof(TOKEN_FILENAME) - strlen("/")) { /* compose the token path */ strncpy(token_path, home_dir, MAX_PATH); - strncat(token_path, "/", strlen("/")); + strncat(token_path, "/", strlen("/") + 1); strncat(token_path, TOKEN_FILENAME, sizeof(TOKEN_FILENAME) + 1); } else { diff --git a/product-mini/platforms/linux-sgx/enclave-sample/Enclave/Enclave.cpp b/product-mini/platforms/linux-sgx/enclave-sample/Enclave/Enclave.cpp index 51d03417..7cb9c3f4 100644 --- a/product-mini/platforms/linux-sgx/enclave-sample/Enclave/Enclave.cpp +++ b/product-mini/platforms/linux-sgx/enclave-sample/Enclave/Enclave.cpp @@ -14,8 +14,6 @@ #if WASM_ENABLE_LIB_RATS != 0 #include - -char wasm_module_hash[SHA256_DIGEST_LENGTH]; #endif extern "C" { @@ -68,8 +66,17 @@ typedef struct EnclaveModule { uint32 wasi_argc; bool is_xip_file; uint32 total_size_mapped; +#if WASM_ENABLE_LIB_RATS != 0 + char module_hash[SHA256_DIGEST_LENGTH]; + struct EnclaveModule *next; +#endif } EnclaveModule; +#if WASM_ENABLE_LIB_RATS != 0 +static EnclaveModule *enclave_module_list = NULL; +static korp_mutex enclave_module_list_lock = OS_THREAD_MUTEX_INITIALIZER; +#endif + #if WASM_ENABLE_GLOBAL_HEAP_POOL != 0 static char global_heap_buf[WASM_GLOBAL_HEAP_SIZE] = { 0 }; #endif @@ -250,10 +257,17 @@ handle_cmd_load_module(uint64 *args, uint32 argc) *(EnclaveModule **)args_org = enclave_module; #if WASM_ENABLE_LIB_RATS != 0 + /* Calculate the module hash */ SHA256_CTX sha256; SHA256_Init(&sha256); SHA256_Update(&sha256, wasm_file, wasm_file_size); - SHA256_Final((unsigned char *)wasm_module_hash, &sha256); + SHA256_Final((unsigned char *)enclave_module->module_hash, &sha256); + + /* Insert enclave module to enclave module list */ + os_mutex_lock(&enclave_module_list_lock); + enclave_module->next = enclave_module_list; + enclave_module_list = enclave_module; + os_mutex_unlock(&enclave_module_list_lock); #endif LOG_VERBOSE("Load module success.\n"); @@ -267,6 +281,28 @@ handle_cmd_unload_module(uint64 *args, uint32 argc) bh_assert(argc == 1); +#if WASM_ENABLE_LIB_RATS != 0 + /* Remove enclave module from enclave module list */ + os_mutex_lock(&enclave_module_list_lock); + + EnclaveModule *node_prev = NULL; + EnclaveModule *node = enclave_module_list; + + while (node && node != enclave_module) { + node_prev = node; + node = node->next; + } + bh_assert(node == enclave_module); + + if (!node_prev) + enclave_module_list = node->next; + else + node_prev->next = node->next; + + os_mutex_unlock(&enclave_module_list_lock); +#endif + + /* Destroy enclave module resources */ if (enclave_module->wasi_arg_buf) wasm_runtime_free(enclave_module->wasi_arg_buf); @@ -279,6 +315,29 @@ handle_cmd_unload_module(uint64 *args, uint32 argc) LOG_VERBOSE("Unload module success.\n"); } +#if WASM_ENABLE_LIB_RATS != 0 +char * +wasm_runtime_get_module_hash(wasm_module_t module) +{ + EnclaveModule *enclave_module; + char *module_hash = NULL; + + os_mutex_lock(&enclave_module_list_lock); + + enclave_module = enclave_module_list; + while (enclave_module) { + if (enclave_module->module == module) { + module_hash = enclave_module->module_hash; + break; + } + enclave_module = enclave_module->next; + } + os_mutex_unlock(&enclave_module_list_lock); + + return module_hash; +} +#endif + static void handle_cmd_instantiate_module(uint64 *args, uint32 argc) { diff --git a/product-mini/platforms/linux-sgx/enclave-sample/Enclave/Enclave.edl b/product-mini/platforms/linux-sgx/enclave-sample/Enclave/Enclave.edl index a0de1696..0de4c640 100644 --- a/product-mini/platforms/linux-sgx/enclave-sample/Enclave/Enclave.edl +++ b/product-mini/platforms/linux-sgx/enclave-sample/Enclave/Enclave.edl @@ -3,8 +3,8 @@ * SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception */ +#define WASM_ENABLE_SGX_IPFS 0 #define WASM_ENABLE_LIB_RATS 0 -#define SGX_IPFS 0 enclave { from "sgx_tstdc.edl" import *; @@ -14,7 +14,7 @@ enclave { from "rats.edl" import *; from "sgx_tsgxssl.edl" import *; #endif -#if SGX_IPFS != 0 +#if WASM_ENABLE_SGX_IPFS != 0 from "sgx_tprotected_fs.edl" import *; #endif diff --git a/product-mini/platforms/linux-sgx/enclave-sample/Makefile b/product-mini/platforms/linux-sgx/enclave-sample/Makefile index 87bf1f80..b598aad5 100644 --- a/product-mini/platforms/linux-sgx/enclave-sample/Makefile +++ b/product-mini/platforms/linux-sgx/enclave-sample/Makefile @@ -11,7 +11,7 @@ SGX_DEBUG ?= 0 SPEC_TEST ?= 0 # These variables are automatically set by CMakeLists.txt -SGX_IPFS = 0 +WAMR_BUILD_SGX_IPFS = 0 WAMR_BUILD_LIB_RATS = 0 WAMR_BUILD_GLOBAL_HEAP_POOL = 0 WAMR_BUILD_GLOBAL_HEAP_SIZE = 10485760 @@ -112,7 +112,7 @@ else Service_Library_Name := sgx_tservice endif -ifeq ($(SGX_IPFS), 1) +ifeq ($(WAMR_BUILD_SGX_IPFS), 1) Intel_Ipfs_Trusted_Flag = -lsgx_tprotected_fs App_Link_Flags += -lsgx_uprotected_fs endif diff --git a/samples/sgx-ra/README.md b/samples/sgx-ra/README.md index a374d113..39a2f2d9 100644 --- a/samples/sgx-ra/README.md +++ b/samples/sgx-ra/README.md @@ -15,33 +15,38 @@ Before starting, we need to download and install [SGX SDK](https://download.01.o The following commands are an example of the SGX environment installation on Ubuntu 18.04. ``` shell +# Set your platform, you can get the platforms list on +# https://download.01.org/intel-sgx/latest/linux-latest/distro $ cd $HOME -$ # Set your platform, you can get the platforms list on -$ # https://download.01.org/intel-sgx/latest/linux-latest/distro $ SGX_PLATFORM=ubuntu18.04-server $ SGX_SDK_VERSION=2.17.100.3 $ SGX_DRIVER_VERSION=1.41 -$ # install the dependencies + +# install the dependencies $ sudo apt-get update $ sudo apt-get install -y dkms -$ # install SGX Driver + +# install SGX Driver $ wget https://download.01.org/intel-sgx/latest/linux-latest/distro/$SGX_PLATFORM/sgx_linux_x64_driver_$SGX_DRIVER_VERSION.bin $ chmod +x sgx_linux_x64_driver_$SGX_DRIVER_VERSION.bin $ sudo ./sgx_linux_x64_driver_$SGX_DRIVER_VERSION.bin -$ # install SGX SDK + +# install SGX SDK $ wget https://download.01.org/intel-sgx/latest/linux-latest/distro/$SGX_PLATFORM/sgx_linux_x64_sdk_$SGX_SDK_VERSION.bin $ chmod +x sgx_linux_x64_sdk_$SGX_SDK_VERSION.bin $ sudo ./sgx_linux_x64_sdk_$SGX_SDK_VERSION.bin -$ # install SGX DCAP Library + +# install SGX DCAP Library $ echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list > /dev/null $ wget -O - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add - $ sudo apt-get update $ sudo apt-get install -y libsgx-uae-service libsgx-dcap-default-qpl-dev libsgx-dcap-ql-dev libsgx-dcap-quote-verify-dev -$ # install SGX SSL Library + +# install SGX SSL Library $ git clone https://github.com/intel/linux-sgx.git $ cd linux-sgx && make preparation $ sudo cp external/toolset/{current_distr}/* /usr/local/bin -$ # Verify that the paths are correctly set +$ # Verify that the paths are correctly set $ which ar as ld objcopy objdump ranlib $ cd ../ $ git clone https://github.com/intel/intel-sgx-ssl.git @@ -195,4 +200,4 @@ The sample will print the evidence in JSON and the message: *Evidence is trusted - [Intel SGX Software Installation Guide For Linux OS](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_SW_Installation_Guide_for_Linux.pdf) - [Intel Software Guard Extensions (IntelĀ® SGX) Data Center Attestation Primitives: Library API ](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf) -- [Remote Attestation for Multi-Package Platforms using Intel SGX Datacenter Attestation Primitives (DCAP)](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_DCAP_Multipackage_SW.pdf) \ No newline at end of file +- [Remote Attestation for Multi-Package Platforms using Intel SGX Datacenter Attestation Primitives (DCAP)](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_DCAP_Multipackage_SW.pdf)