christoph/wamr
1
Fork 0
Code Releases Activity

Create module hash for each module in SGX lib-rats (#1745)

Browse Source 
Current SGX lib-rats wasm module hash is stored in a global buffer,
which may be overwritten if there are multiple wasm module loadings.
We move the module hash into the enclave module to resolve the issue.

And rename the SGX_IPFS macro/variable in Makefile and Enclave.edl to
make the code more consistent.

And refine the sgx-ra sample document.
This commit is contained in:
Wenyong Huang
2022-11-24 21:48:50 +08:00
committed by GitHub
parent 1032aac60b
commit 29b76dd275
12 changed files with 131 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
product-mini/platforms/linux-sgx/CMakeLists.txt
View File

@ -140,14 +140,14 @@ endif()
if (WAMR_BUILD_SGX_IPFS EQUAL 1)
execute_process(
COMMAND bash -c "sed -i -E 's/^#define SGX_IPFS 0/#define SGX_IPFS 1/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Enclave/Enclave.edl"
COMMAND bash -c "sed -i -E 's/^SGX_IPFS = 0/SGX_IPFS = 1/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Makefile"
COMMAND bash -c "sed -i -E 's/^#define WASM_ENABLE_SGX_IPFS 0/#define WASM_ENABLE_SGX_IPFS 1/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Enclave/Enclave.edl"
COMMAND bash -c "sed -i -E 's/^WAMR_BUILD_SGX_IPFS = 0/WAMR_BUILD_SGX_IPFS = 1/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Makefile"
OUTPUT_VARIABLE cmdOutput
)
else()
execute_process(
COMMAND bash -c "sed -i -E 's/^#define SGX_IPFS 1/#define SGX_IPFS 0/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Enclave/Enclave.edl"
COMMAND bash -c "sed -i -E 's/^SGX_IPFS = 1/SGX_IPFS = 0/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Makefile"
COMMAND bash -c "sed -i -E 's/^#define WASM_ENABLE_SGX_IPFS 1/#define WASM_ENABLE_SGX_IPFS 0/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Enclave/Enclave.edl"
COMMAND bash -c "sed -i -E 's/^WAMR_BUILD_SGX_IPFS = 1/WAMR_BUILD_SGX_IPFS = 0/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Makefile"
OUTPUT_VARIABLE cmdOutput
)
endif()

2
product-mini/platforms/linux-sgx/enclave-sample/App/App.cpp
View File

@ -103,7 +103,7 @@ enclave_init(sgx_enclave_id_t *p_eid)
<= MAX_PATH - 1 - sizeof(TOKEN_FILENAME) - strlen("/")) {
/* compose the token path */
strncpy(token_path, home_dir, MAX_PATH);
strncat(token_path, "/", strlen("/"));
strncat(token_path, "/", strlen("/") + 1);
strncat(token_path, TOKEN_FILENAME, sizeof(TOKEN_FILENAME) + 1);
}
else {

65
product-mini/platforms/linux-sgx/enclave-sample/Enclave/Enclave.cpp
View File

@ -14,8 +14,6 @@
#if WASM_ENABLE_LIB_RATS != 0
#include <openssl/sha.h>
char wasm_module_hash[SHA256_DIGEST_LENGTH];
#endif
extern "C" {
@ -68,8 +66,17 @@ typedef struct EnclaveModule {
uint32 wasi_argc;
bool is_xip_file;
uint32 total_size_mapped;
#if WASM_ENABLE_LIB_RATS != 0
char module_hash[SHA256_DIGEST_LENGTH];
struct EnclaveModule *next;
#endif
} EnclaveModule;
#if WASM_ENABLE_LIB_RATS != 0
static EnclaveModule *enclave_module_list = NULL;
static korp_mutex enclave_module_list_lock = OS_THREAD_MUTEX_INITIALIZER;
#endif
#if WASM_ENABLE_GLOBAL_HEAP_POOL != 0
static char global_heap_buf[WASM_GLOBAL_HEAP_SIZE] = { 0 };
#endif
@ -250,10 +257,17 @@ handle_cmd_load_module(uint64 *args, uint32 argc)
*(EnclaveModule **)args_org = enclave_module;
#if WASM_ENABLE_LIB_RATS != 0
/* Calculate the module hash */
SHA256_CTX sha256;
SHA256_Init(&sha256);
SHA256_Update(&sha256, wasm_file, wasm_file_size);
SHA256_Final((unsigned char *)wasm_module_hash, &sha256);
SHA256_Final((unsigned char *)enclave_module->module_hash, &sha256);
/* Insert enclave module to enclave module list */
os_mutex_lock(&enclave_module_list_lock);
enclave_module->next = enclave_module_list;
enclave_module_list = enclave_module;
os_mutex_unlock(&enclave_module_list_lock);
#endif
LOG_VERBOSE("Load module success.\n");
@ -267,6 +281,28 @@ handle_cmd_unload_module(uint64 *args, uint32 argc)
bh_assert(argc == 1);
#if WASM_ENABLE_LIB_RATS != 0
/* Remove enclave module from enclave module list */
os_mutex_lock(&enclave_module_list_lock);
EnclaveModule *node_prev = NULL;
EnclaveModule *node = enclave_module_list;
while (node && node != enclave_module) {
node_prev = node;
node = node->next;
}
bh_assert(node == enclave_module);
if (!node_prev)
enclave_module_list = node->next;
else
node_prev->next = node->next;
os_mutex_unlock(&enclave_module_list_lock);
#endif
/* Destroy enclave module resources */
if (enclave_module->wasi_arg_buf)
wasm_runtime_free(enclave_module->wasi_arg_buf);
@ -279,6 +315,29 @@ handle_cmd_unload_module(uint64 *args, uint32 argc)
LOG_VERBOSE("Unload module success.\n");
}
#if WASM_ENABLE_LIB_RATS != 0
char *
wasm_runtime_get_module_hash(wasm_module_t module)
{
EnclaveModule *enclave_module;
char *module_hash = NULL;
os_mutex_lock(&enclave_module_list_lock);
enclave_module = enclave_module_list;
while (enclave_module) {
if (enclave_module->module == module) {
module_hash = enclave_module->module_hash;
break;
}
enclave_module = enclave_module->next;
}
os_mutex_unlock(&enclave_module_list_lock);
return module_hash;
}
#endif
static void
handle_cmd_instantiate_module(uint64 *args, uint32 argc)
{

4
product-mini/platforms/linux-sgx/enclave-sample/Enclave/Enclave.edl
View File

@ -3,8 +3,8 @@
* SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
*/
#define WASM_ENABLE_SGX_IPFS 0
#define WASM_ENABLE_LIB_RATS 0
#define SGX_IPFS 0
enclave {
from "sgx_tstdc.edl" import *;
@ -14,7 +14,7 @@ enclave {
from "rats.edl" import *;
from "sgx_tsgxssl.edl" import *;
#endif
#if SGX_IPFS != 0
#if WASM_ENABLE_SGX_IPFS != 0
from "sgx_tprotected_fs.edl" import *;
#endif

4
product-mini/platforms/linux-sgx/enclave-sample/Makefile
View File

@ -11,7 +11,7 @@ SGX_DEBUG ?= 0
SPEC_TEST ?= 0
# These variables are automatically set by CMakeLists.txt
SGX_IPFS = 0
WAMR_BUILD_SGX_IPFS = 0
WAMR_BUILD_LIB_RATS = 0
WAMR_BUILD_GLOBAL_HEAP_POOL = 0
WAMR_BUILD_GLOBAL_HEAP_SIZE = 10485760
@ -112,7 +112,7 @@ else
Service_Library_Name := sgx_tservice
endif
ifeq ($(SGX_IPFS), 1)
ifeq ($(WAMR_BUILD_SGX_IPFS), 1)
Intel_Ipfs_Trusted_Flag = -lsgx_tprotected_fs
App_Link_Flags += -lsgx_uprotected_fs
endif