packages/secGear
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

override with 22.03

Browse Source 
(cherry picked from commit 45653919dada0b9efb74eda9bdbc5040bc3257d1)
This commit is contained in:
zhengxiaoxiao 2022-08-03 09:40:37 +08:00 committed by openeuler-sync-bot
parent 4a982b9a1c
commit 9d6079f4c9
13 changed files with 438 additions and 937 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

166
0040-fix-context-without-free-error.patch
View File

@ -1,166 +0,0 @@
From 4c4ec07217a59ff96d975a7091116dcd149ce1e5 Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Mon, 21 Jun 2021 15:57:26 +0800
Subject: [PATCH] fix context without free error
---
examples/helloworld/host/main.c | 24 +++++++++++++-----------
examples/lrt/host/main.c | 18 ++++++------------
examples/tls_enclave/host/main.c | 20 +++++++++-----------
3 files changed, 28 insertions(+), 34 deletions(-)
diff --git a/examples/helloworld/host/main.c b/examples/helloworld/host/main.c
index a26fb6f..0d61c62 100644
--- a/examples/helloworld/host/main.c
+++ b/examples/helloworld/host/main.c
@@ -29,28 +29,28 @@ int main()
if (!context) {
return CC_ERROR_OUT_OF_MEMORY;
}
- cc_enclave_result_t res;
+ cc_enclave_result_t res = CC_FAIL;
printf("Create secgear enclave\n");
char real_p[PATH_MAX];
/* check file exists, if not exist then use absolute path */
if (realpath(path, real_p) == NULL) {
- if (getcwd(real_p, sizeof(real_p)) == NULL) {
- printf("Cannot find enclave.sign.so");
- return -1;
- }
- if (PATH_MAX - strlen(real_p) <= strlen("/enclave.signed.so")) {
- printf("Failed to strcat enclave.sign.so path");
- return -1;
- }
- (void)strcat(real_p, "/enclave.signed.so");
+ if (getcwd(real_p, sizeof(real_p)) == NULL) {
+ printf("Cannot find enclave.sign.so");
+ goto end;
+ }
+ if (PATH_MAX - strlen(real_p) <= strlen("/enclave.signed.so")) {
+ printf("Failed to strcat enclave.sign.so path");
+ goto end;
+ }
+ (void)strcat(real_p, "/enclave.signed.so");
}
res = cc_enclave_create(real_p, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, context);
if (res != CC_SUCCESS) {
printf("Create enclave error\n");
- return res;
+ goto end;
}
res = get_string(context, &retval, buf);
@@ -64,5 +64,7 @@ int main()
if(res != CC_SUCCESS) {
printf("Destroy enclave error\n");
}
+end:
+ free(context);
return res;
}
diff --git a/examples/lrt/host/main.c b/examples/lrt/host/main.c
index 5108f67..ab3079f 100644
--- a/examples/lrt/host/main.c
+++ b/examples/lrt/host/main.c
@@ -24,11 +24,7 @@ int main()
int retval = 0;
char *path = PATH;
char buf[BUF_LEN];
- cc_enclave_t *context = NULL;
- context = (cc_enclave_t*)malloc(sizeof(cc_enclave_t));
- if (!context) {
- return CC_ERROR_OUT_OF_MEMORY;
- }
+ cc_enclave_t context = {0};
cc_enclave_result_t res;
printf("Create secgear enclave\n");
@@ -47,14 +43,14 @@ int main()
(void)strcat(real_p, "/enclave.signed.so");
}
- res = cc_enclave_create(real_p, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, context);
+ res = cc_enclave_create(real_p, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context);
if (res != CC_SUCCESS) {
printf("Create enclave error\n");
return res;
}
while(true) {
- res = get_string(context, &retval, buf);
+ res = get_string(&context, &retval, buf);
if (res != CC_SUCCESS || retval != (int)CC_SUCCESS) {
printf("Ecall enclave error\n");
goto out;
@@ -65,11 +61,9 @@ int main()
}
out:
- if (context != NULL) {
- res = cc_enclave_destroy(context);
- if(res != CC_SUCCESS) {
- printf("Destroy enclave error\n");
- }
+ res = cc_enclave_destroy(&context);
+ if(res != CC_SUCCESS) {
+ printf("Destroy enclave error\n");
}
return res;
}
diff --git a/examples/tls_enclave/host/main.c b/examples/tls_enclave/host/main.c
index c801558..56d1563 100644
--- a/examples/tls_enclave/host/main.c
+++ b/examples/tls_enclave/host/main.c
@@ -125,11 +125,8 @@ int start_server(int port)
int main(int argc, const char *argv[])
{
char *path = PATH;
- cc_enclave_t *context = NULL;
- context = (cc_enclave_t*)malloc(sizeof(cc_enclave_t));
- if (!context) {
- return CC_ERROR_OUT_OF_MEMORY;
- }
+ cc_enclave_t context_data = {0};
+ cc_enclave_t *context = &context_data;
struct sockaddr_in client_addr;
socklen_t client_len;
int server_fd = -1;
@@ -148,13 +145,16 @@ int main(int argc, const char *argv[])
}
tlsc_fd = accept(server_fd, (struct sockaddr *)&client_addr, &client_len);
if (tlsc_fd < 0) {
+ close(server_fd);
return CC_FAIL;
}
printf("Create secgear enclave\n");
res = cc_enclave_create(path, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, context);
if (res != CC_SUCCESS) {
printf("Create enclave error\n");
- goto end;
+ close(tlsc_fd);
+ close(server_fd);
+ return CC_FAIL;
}
res = get_password_and_seal_key(context, argv[3], ENC_KEY_FILE_NAME);
if (res != CC_SUCCESS) {
@@ -171,11 +171,9 @@ int main(int argc, const char *argv[])
printf("enclve tls finish\n");
end:
- if (context != NULL) {
- res = cc_enclave_destroy(context);
- if(res != CC_SUCCESS) {
- printf("Destroy enclave error\n");
- }
+ res = cc_enclave_destroy(context);
+ if(res != CC_SUCCESS) {
+ printf("Destroy enclave error\n");
}
close(tlsc_fd);
close(server_fd);
--
1.8.3.1

36
0040-fix-double-free.patch Normal file
View File

@ -0,0 +1,36 @@
From 297bce40545793d545747e25f614b09a185ef489 Mon Sep 17 00:00:00 2001
From: houmingyong <houmingyong@huawei.com>
Date: Wed, 23 Feb 2022 20:33:32 +0800
Subject: [PATCH] fix double free
---
src/host_src/gp/gp_enclave.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/host_src/gp/gp_enclave.c b/src/host_src/gp/gp_enclave.c
index c7554de..9bc9514 100644
--- a/src/host_src/gp/gp_enclave.c
+++ b/src/host_src/gp/gp_enclave.c
@@ -255,10 +255,15 @@ static bool handle_ocall(uint32_t agent_id, int dev_fd, void *buffer, cc_ocall_f
}
ret = true;
done:
- free(tmp_input_buffer);
- free(tmp_output_buffer);
- tmp_input_buffer = NULL;
- tmp_output_buffer = NULL;
+ if (tmp_input_buffer != NULL) {
+ free(tmp_input_buffer);
+ tmp_input_buffer = NULL;
+ }
+ if (tmp_output_buffer != NULL) {
+ free(tmp_output_buffer);
+ tmp_output_buffer = NULL;
+ }
+
return ret;
}
--
2.27.0

325
0042-Fix-format-and-non-standard-coding-of-sigh_tool.sh-s.patch
View File

@ -1,325 +0,0 @@
From f8264a32459ca98b5607f1841b6a3d0876d709f0 Mon Sep 17 00:00:00 2001
From: blue <jingood@yeah.net>
Date: Thu, 14 Oct 2021 03:59:23 +0000
Subject: [PATCH] Fix format and non-standard coding of sigh_tool.sh script
---
tools/sign_tool/sign_tool.sh | 205 ++++++++++++++++++++++---------------------
1 file changed, 103 insertions(+), 102 deletions(-)
diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh
index 0435a67..8f50ff5 100755
--- a/tools/sign_tool/sign_tool.sh
+++ b/tools/sign_tool/sign_tool.sh
@@ -9,19 +9,21 @@
# See the Mulan PSL v2 for more details.
#!/bin/bash
-VERSION=3
API_LEVEL=2
ONE_STEP_MODE=1
-localpath="$(cd "$(dirname "$0")"; pwd)"
+localpath="$(
+ cd "$(dirname "$0")" || exit -1
+ pwd
+)"
pypath="/lib/secGear"
-if [ -f ${localpath}/signtool_v3.py ]; then
+if [ -f "${localpath}/signtool_v3.py" ]; then
signtoolpath=${localpath}
else
signtoolpath=${pypath}
fi
-print_help(){
+print_help() {
echo "sign tool usage: ./sign_tool.sh [options] ..."
echo "[options]"
echo "-c <file> basic config file."
@@ -44,81 +46,81 @@ print_help(){
}
-while getopts "c:d:i:k:m:o:p:s:x:h" opt
-do
+while getopts "c:d:i:k:m:o:p:s:x:h" opt; do
case $opt in
c)
- if [[ $OPTARG == -* ]]; then
- echo "Error: parameter for -c is missing or incorrect"
- exit -1
- fi
- CONFIG_FILE=$OPTARG
- ;;
+ if [[ $OPTARG == -* ]]; then
+ echo "Error: parameter for -c is missing or incorrect"
+ exit -1
+ fi
+ CONFIG_FILE=$OPTARG
+ ;;
d)
- if [[ $OPTARG == -* ]]; then
- echo "Error: parameter for -d is missing or incorrect"
- exit -1
- fi
- typeset -l CMD
- CMD=$OPTARG
- ;;
+ if [[ $OPTARG == -* ]]; then
+ echo "Error: parameter for -d is missing or incorrect"
+ exit -1
+ fi
+ typeset -l CMD
+ CMD=$OPTARG
+ ;;
i)
- if [[ $OPTARG == -* ]]; then
- echo "Error: parameter for -i is missing or incorrect"
- exit -1
- fi
- IN_ENCLAVE=$OPTARG
- ;;
+ if [[ $OPTARG == -* ]]; then
+ echo "Error: parameter for -i is missing or incorrect"
+ exit -1
+ fi
+ IN_ENCLAVE=$OPTARG
+ ;;
k)
- if [[ $OPTARG == -* ]]; then
- echo "Error: parameter for -k is missing or incorrect"
- exit -1
- fi
- SIG_KEY=$OPTARG
- ;;
+ if [[ $OPTARG == -* ]]; then
+ echo "Error: parameter for -k is missing or incorrect"
+ exit -1
+ fi
+ SIG_KEY=$OPTARG
+ ;;
m)
- if [[ $OPTARG == -* ]]; then
- echo "Error: parameter for -m is missing or incorrect"
- exit -1
- fi
- A_CONFIG_FILE=$OPTARG
- ;;
+ if [[ $OPTARG == -* ]]; then
+ echo "Error: parameter for -m is missing or incorrect"
+ exit -1
+ fi
+ A_CONFIG_FILE=$OPTARG
+ ;;
o)
- if [[ $OPTARG == -* ]]; then
- echo "Error: parameter for -o is missing or incorrect"
- exit -1
- fi
- OUT_FILE=$OPTARG
- ;;
+ if [[ $OPTARG == -* ]]; then
+ echo "Error: parameter for -o is missing or incorrect"
+ exit -1
+ fi
+ OUT_FILE=$OPTARG
+ ;;
p)
- if [[ $OPTARG == -* ]]; then
- echo "Error: parameter for -p is missing or incorrect"
- exit -1
- fi
- SERVER_PUBKEY=$OPTARG
- ;;
+ if [[ $OPTARG == -* ]]; then
+ echo "Error: parameter for -p is missing or incorrect"
+ exit -1
+ fi
+ SERVER_PUBKEY=$OPTARG
+ ;;
s)
- if [[ $OPTARG == -* ]]; then
- echo "Error: parameter for -s is missing or incorrect"
- exit -1
- fi
- SIGNATURE=$OPTARG
- ;;
+ if [[ $OPTARG == -* ]]; then
+ echo "Error: parameter for -s is missing or incorrect"
+ exit -1
+ fi
+ SIGNATURE=$OPTARG
+ ;;
x)
- if [[ $OPTARG == -* ]]; then
- echo "Error: parameter for -x is missing or incorrect"
- exit -1
- fi
- typeset -l ENCLAVE_TYPE
- ENCLAVE_TYPE=$OPTARG
- ;;
+ if [[ $OPTARG == -* ]]; then
+ echo "Error: parameter for -x is missing or incorrect"
+ exit -1
+ fi
+ typeset -l ENCLAVE_TYPE
+ ENCLAVE_TYPE=$OPTARG
+ ;;
h)
- print_help
- exit 0
- ;;
+ print_help
+ exit 0
+ ;;
?)
- print_help
- exit -1
+ print_help
+ exit -1
+ ;;
esac
done
if [ ${OPTIND} == 1 ]; then
@@ -126,103 +128,102 @@ if [ ${OPTIND} == 1 ]; then
exit 0
fi
-itrustee_start_sign(){
-# check_native_sign
- if [ -z $A_CONFIG_FILE ]; then
+itrustee_start_sign() {
+ # check_native_sign
+ if [ -z "$A_CONFIG_FILE" ]; then
echo "Error: missing additional config_cloud.ini file for signing iTrustee enclave"
exit -1
fi
if [ "${CMD}"x == "sign"x ]; then
- if [ -z $SIGNATURE ]; then
+ if [ -z "$SIGNATURE" ]; then
ONE_STEP_MODE=1
- if [ -z $CONFIG_FILE ]; then
+ if [ -z "$CONFIG_FILE" ]; then
echo "Error: missing basic config file for signing iTrustee enclave"
exit -1
fi
- if [ -z $IN_ENCLAVE ]; then
+ if [ -z "$IN_ENCLAVE" ]; then
echo "Error: missing enclave file"
exit -1
fi
- python ${signtoolpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}"
+ python ${signtoolpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}"
else
ONE_STEP_MODE=0
python ${signtoolpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "NULL" "${OUT_FILE}" "NULL" "${A_CONFIG_FILE}" "${API_LEVEL}" "${SIGNATURE}"
fi
elif [ "${CMD}"x == "digest"x ]; then
ONE_STEP_MODE=0
- if [ -z $CONFIG_FILE ]; then
+ if [ -z "$CONFIG_FILE" ]; then
echo "Error: missing config file for signing iTrustee enclave"
exit -1
fi
- if [ -z $IN_ENCLAVE ]; then
+ if [ -z "$IN_ENCLAVE" ]; then
echo "Error: missing enclave file"
exit -1
fi
- python ${signtoolpath}/signtool_v3.py "digest" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}"
+ python ${signtoolpath}/signtool_v3.py "digest" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}"
else
echo "Error: illegal command"
fi
}
-sgx_start_sign(){
- if [ -z $IN_ENCLAVE ]; then
+sgx_start_sign() {
+ if [ -z "$IN_ENCLAVE" ]; then
echo "Error: missing enclave file"
exit -1
fi
SIGDATA_FILE="signdata"
if [ "${CMD}"x == "sign"x ]; then
- if [ -z $SIGNATURE ]; then
- if [ -z $SIG_KEY ]; then
- echo "Error: missing sign key"
- exit -1
- fi
- if [ -z $CONFIG_FILE ]; then
- sgx_sign sign -enclave ${IN_ENCLAVE} -key ${SIG_KEY} -out ${OUT_FILE}
+ if [ -z "$SIGNATURE" ]; then
+ if [ -z "$SIG_KEY" ]; then
+ echo "Error: missing sign key"
+ exit -1
+ fi
+ if [ -z "$CONFIG_FILE" ]; then
+ sgx_sign sign -enclave "${IN_ENCLAVE}" -key "${SIG_KEY}" -out "${OUT_FILE}"
else
- sgx_sign sign -enclave ${IN_ENCLAVE} -key ${SIG_KEY} -out ${OUT_FILE} -config ${CONFIG_FILE}
+ sgx_sign sign -enclave "${IN_ENCLAVE}" -key "${SIG_KEY}" -out "${OUT_FILE}" -config "${CONFIG_FILE}"
fi
else
- if [ -z $SERVER_PUBKEY ]; then
+ if [ -z "$SERVER_PUBKEY" ]; then
echo "Error: missing server public key"
exit -1
- fi
- if [ -z $CONFIG_FILE ]; then
- sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsigned ${SIGDATA_FILE} -out ${OUT_FILE}
+ fi
+ if [ -z "$CONFIG_FILE" ]; then
+ sgx_sign catsig -enclave "${IN_ENCLAVE}" -key "${SERVER_PUBKEY}" -sig "${SIGNATURE}" -unsigned "${SIGDATA_FILE}" -out "${OUT_FILE}"
else
- sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsigned ${SIGDATA_FILE} -out ${OUT_FILE} -config ${CONFIG_FILE}
+ sgx_sign catsig -enclave "${IN_ENCLAVE}" -key "${SERVER_PUBKEY}" -sig "${SIGNATURE}" -unsigned "${SIGDATA_FILE}" -out "${OUT_FILE}" -config "${CONFIG_FILE}"
fi
rm -rf ${SIGDATA_FILE}
fi
elif [ "${CMD}"x == "digest"x ]; then
- if [ -z $CONFIG_FILE ]; then
- sgx_sign gendata -enclave ${IN_ENCLAVE} -out ${SIGDATA_FILE}
+ if [ -z "$CONFIG_FILE" ]; then
+ sgx_sign gendata -enclave "${IN_ENCLAVE}" -out "${SIGDATA_FILE}"
else
- sgx_sign gendata -enclave ${IN_ENCLAVE} -out ${SIGDATA_FILE} -config ${CONFIG_FILE}
+ sgx_sign gendata -enclave "${IN_ENCLAVE}" -out "${SIGDATA_FILE}" -config "${CONFIG_FILE}"
fi
- cp ${SIGDATA_FILE} ${OUT_FILE}
+ cp "${SIGDATA_FILE}" "${OUT_FILE}"
elif [ "${CMD}"x == "dump"x ]; then
- sgx_sign dump -enclave ${IN_ENCLAVE} -dumpfile ${OUT_FILE}
+ sgx_sign dump -enclave "${IN_ENCLAVE}" -dumpfile "${OUT_FILE}"
else
echo "Error: illegal command"
fi
}
-
-if [ -z $CMD ]; then
+if [ -z "$CMD" ]; then
echo "Error: missing command"
exit -1
fi
-if [ -z $ENCLAVE_TYPE ]; then
+if [ -z "$ENCLAVE_TYPE" ]; then
echo "Error: missing enclave type"
exit -1
fi
-if [ -z $OUT_FILE ]; then
+if [ -z "$OUT_FILE" ]; then
echo "Error: missing out file"
exit -1
fi
umask 0077
-check_results=`uname -m`
+check_results=$(uname -m)
if [ "${ENCLAVE_TYPE}"x == "sgx"x ]; then
if [ "${check_results}"x != "x86_64"x ]; then
echo "Warning: the enclave type does not comply with current architecture"
--
1.8.3.1

39
0042-destroy-rwlock-when-create-enclave-failed.patch Executable file
View File

@ -0,0 +1,39 @@
From e716ff141b967986d35fc65c59ab0e03015dce48 Mon Sep 17 00:00:00 2001
From: houmingyong<houmingyong@huawei.com>
Date: Thu, 13 Jan 2022 10:24:23 +0800
Subject: [PATCH] destroy rwlock when create enclave failed
Conflict:NA
Reference:https://gitee.com/openeuler/secGear/commit/cb80972c3a60261786d76a2a50ab5ce29b312ebd
---
src/host_src/enclave.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
index 8d6c8a6..e163b58 100644
--- a/src/host_src/enclave.c
+++ b/src/host_src/enclave.c
@@ -68,6 +68,7 @@ static void error_handle(cc_enclave_t *enclave, void *handle, p_tee_registered r
}
if (enclave) {
+ pthread_rwlock_destroy(&enclave->rwlock);
explicit_bzero(enclave, sizeof(cc_enclave_t));
}
}
@@ -192,7 +193,10 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
memset(enclave, 0, sizeof(cc_enclave_t));
if (!check_transform_path(&res, path, &l_path) || !chose_engine_type(&res, type, version, &type_version)) {
- goto done;
+ if (l_path) {
+ free(l_path);
+ }
+ return CC_FAIL;
}
/* to do: gp support enter enclave debugging */
--
2.27.0

253
0043-Optimize-README-in-English.patch
View File

@ -1,253 +0,0 @@
From e1be05934ae4ac8df1cc9e97e826ef47539a487c Mon Sep 17 00:00:00 2001
From: blue <jingood@yeah.net>
Date: Thu, 17 Jun 2021 20:41:18 +0800
Subject: [PATCH] Optimize README in English
---
README.en.md | 85 ++++++++++++++++++++++++++++++------------------------------
1 file changed, 42 insertions(+), 43 deletions(-)
diff --git a/README.en.md b/README.en.md
index ec7ada0..8d5f80a 100644
--- a/README.en.md
+++ b/README.en.md
@@ -7,7 +7,7 @@ Introduction
-----------
secGear is an SDK to develop confidential computing apps based on hardware enclave features. The target is to use
-single source code for developers to develop apps running on different hardware. Currently secGear support Intel SGX
+single source code for developers to develop apps running on different hardware. Currently secGear supports Intel SGX
and iTrustee running in ARM Trustzone.
Build and Install
@@ -32,11 +32,11 @@ Assuming the development directory is .../secGear/examples/test/
include "secgear_urts.h", from "secgear_tstdc.edl" import *, to shield the difference between sgx and iTrustee when
calling the C library. So as long as you use the c library functions, for the consistency of your development code,
-the default is to import these two files.
+the two files need be imported.
For details about edl syntax, please refer to the sgx development document Enclave Definition Language Syntax section.
At present, sgx and iTrustee are compatible with each other in basic types, pointer buffers, and deep copy of
-structures, but currently only sgx supports such things as user_check, Granting Access to ECALLs, Using Switchless
+structures, but currently only sgx supports features like user_check, Granting Access to ECALLs, Using Switchless
Calls and so on.
Then save as test.edl
@@ -64,8 +64,8 @@ Then save as test.edl
add_subdirectory(${CURRENT_ROOT_PATH}/enclave)
add_subdirectory(${CURRENT_ROOT_PATH}/host)
-Set the CODETYPE EDL_FILE and CODETYPE attributes, which will be used when automatically generated later.
-On the arm platform, the build enclave image needs to be named with a unique UUID, so it is dynamically uniquely
+Set the CODETYPE EDL_FILE and CODETYPE attributes, which will be used when automatically generating code later.
+On ARM platform, the enclave image needs be named with a unique UUID, so it is dynamically uniquely
generated using the uuidgen command. The defined DPATH macro is used when loading the enclave image.
@@ -104,19 +104,19 @@ generated using the uuidgen command. The defined DPATH macro is used when loadin
return res;
}
-#include "enclave.h", import the secGear header file, #include "test_u.h" import the automatically generated code
+#include "enclave.h", to import the secGear header file, #include "test_u.h" to import the automatically generated code
header file. Next, call cc_enclave_create(...) to create the enclave context, and then call the wrapper of the
interface described in the edl file to enter the enclave to execute confidential code.
Finally, call cc_enclave_destroy(...) to destroy the enclave context.
Note that the interface called here has more context and retval parameters than defined in edl file before.
-This is because this function, generated by the automatic code generation tool according to edl, is a wrapper about
-the real enclave code, and its declaration is in the test_u.h header file. Where the context parameter it is the
+This is because this function, generated by the automatic code generation tool according to edl, is a wrapper of
+the real enclave code, and its declaration is in the test_u.h header file. Where the context parameter is the
cc_enclave_t * context created before, and retval is the return value of the function defined in edl, and the res
parameter is the return value of the wrapped function. The prefix of test_u.h is consistent with the prefix of test.edl.
If the function defined in edl does not return a value, such as "public void get_string([out, size=32]char *buf);",
-then the prototype called by the user will be "res = get_string(context, buf);".
+the prototype called by the user will be "res = get_string(context, buf);".
According to these rules, you can write code when the wrapper function is not generated by code generation tool and
place the wrapper function generation in the compilation phase, which simplifies the development and compilation steps.
@@ -187,7 +187,7 @@ In the case of iTrustee, set the search paths of the header file and compile the
endif()
endif()
-In the case of sgx, set the search paths of the header file and compile the final non-secure binary.
+In the case of SGX, set the search paths of the header file and compile the final non-secure binary.
if(CC_SIM)
target_link_libraries(${OUTPUT} secgearsim)
@@ -238,7 +238,7 @@ interface description in test.edl.
#set sign key
set(PEM Enclave_private.pem)
-Set the name used to sign the enclave private key
+Set the private key file name used to sign the enclave binary
#set sign tool
set(SIGN_TOOL ${LOCAL_ROOT_PATH}/tools/sign_tool/sign_tool.sh)
@@ -265,10 +265,9 @@ Set sign tool and the security side log printing level
COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/gp)
endif()
-WHITE_LIS_X sets the whitelist of itrustee, only the host binary of these paths can call this secure image,
+WHITE_LIS_X sets the whitelist of iTrustee, only the host binaries in these paths can call this secure image,
and up to 8 list paths can be configured. WHITE_LIST_OWNER set user, this user will be applied to all whitelist paths.
-Finally, set the name of the security side image after the final signature, and
-generate auxiliary code.
+Finally, set the name of the security image after the final signing, and generate auxiliary code.
if(CC_SGX)
set(OUTPUT enclave.signed.so)
@@ -278,7 +277,7 @@ generate auxiliary code.
COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include)
endif()
-In the case of sgx, set the name of the security side image after the final signature, and generate auxiliary code.
+In the case of SGX, set the name of the security image after the final signing, and generate auxiliary code.
set(COMMON_C_FLAGS "-W -Wall -Werror -fno-short-enums -fno-omit-frame-pointer -fstack-protector \
-Wstack-protector --param ssp-buffer-size=4 -frecord-gcc-switches -Wextra -nostdinc -nodefaultlibs \
@@ -287,9 +286,9 @@ In the case of sgx, set the name of the security side image after the final sign
set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs -nostartfiles")
-Set the security side, no matter whether it is sgx or itrustee will use some compilation and link options, for
+Set the security side, no matter whether it is SGX or iTrustee will use some compilation and link options, for
example, because the security side is different from the non-secure side, the default library of host OS cannot be used,
-so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options was introduced.
+so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options is introduced.
if(CC_GP)
configure_file("${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt.in" "${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt")
@@ -344,11 +343,11 @@ so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options was in
endif()
-In the case of iTrustee, generate the configuration file manifest.txt, which details of the configuration file will
-be explained later, specify some compilation options related to itrustee, set the search paths of the header file and
-the link file, and compile the enclave binary.
+In the case of iTrustee, generate the configuration file manifest.txt, and details of the configuration file will
+be explained later, specify some compilation options related to iTrustee, set the search paths of the header file and
+the link file, and build the enclave binary.
-Regarding the use of itrustee ocall, there are some other notes, which will be introduced later. Then define the
+Regarding the use of iTrustee ocall, there are some other notes, which will be introduced later. Then define the
whitelist macro. Next, you need to link to the secgear_tee library, in which there are interfaces for generating
random numbers, seal, unseal, etc. The last step is to sign and install.
@@ -398,14 +397,14 @@ random numbers, seal, unseal, etc. The last step is to sign and install.
COMMAND bash ${SIGN_TOOL} -d sign -x sgx -i lib${PREFIX}.so -k ${PEM} -o ${OUTPUT} -c ${CMAKE_CURRENT_SOURCE_DIR}/Enclave.config.xml)
endif()
-In the case of sgx, specify some compilation, link options related to sgx. When linking libraries, sgx and itrustee
-are quite different. This is because itrustee is a secure OS with more capabilities, such as musl libc and openssl.
-When compiling and link itrustee's enclave, there is no need to link some basic libraries. But sgx has no OS concept.
-The basic library interfaces to be called on the security side are all given in the sgx sdk in the form of static
-libraries, so this requires us to link these static libraries, and in order to be able to use these static libraries
+In the case of SGX, specify some compilation and link options related to SGX. When linking libraries, SGX and iTrustee
+are quite different. This is because iTrustee is a secure OS with more capabilities, such as musl libc and openssl.
+When compiling and link itrustee's enclave, there is no need to link some basic libraries. But SGX has no OS concept.
+The basic library interfaces to be called on the security side are all given in the SGX sdk in form of static
+libraries, so it requires us to link these static libraries, and in order to be able to use these static libraries
correctly, some libraries must be linked between specified options, such as sgx_trts.
-For more detailed information, please refer to the Makefile of sgx examples. Finally, sign the enclave with the
+For more detailed information, please refer to the Makefile of SGX examples. Finally, sign the enclave with the
configuration file, which will be introduced later. Note that secGear does not currently support remote authentication.
set_target_properties(${PREFIX} PROPERTIES SKIP_BUILD_RPATH TRUE)
@@ -414,13 +413,13 @@ Set some safe compilation options.
#### 4.3 Enclave image configuration file
-Write sgx enclave related configuration files
-The configuration content in the Enclave.config.xml and Enclave.lds files is the same as the official sgx
+Write SGX enclave related configuration files
+The configuration content in the Enclave.config.xml and Enclave.lds files is the same as the official SGX
configuration file. For details, please refer to the official development document.
-Write itrustee related configuration files
+Write iTrustee related configuration files
The gpd.ta.appID in the manifest.txt.in file is the uuid configuration item, which is dynamically generated,
-and the other configuration items can refer to the itrustee development document.
+and the other configuration items can refer to the iTrustee development document.
### 5 build and install test
@@ -443,12 +442,12 @@ impossible to directly develop the log function like the non-secure side, Theref
interface to record the security side log to the Syslog system. The related configuration files secgear and secgear.conf
have been installed in the system directory during the build and install secGear phase.
-Note that when using on itrustee, you need to import the secgear_log.h header file, but sgx does not need it.
-Because sgx implements the log function through ocall, the relevant code is in the auxiliary code. And when the
+Note that when using on iTrustee, you need to import the secgear_log.h header file, but SGX does not need it.
+Because SGX implements the log function through ocall, the relevant code is in the auxiliary code. And when the
configuration file is installed, you need to run "systemctl restart rsyslog" to make the log effective.
-Finally, in order to enable itrustee logs to be dumped to the place specified in the configuration file, you also
-need to run /vendor/bin/tlogcat -f. The tlogcat tool is a part of the itrustee sdk.
+Finally, in order to enable iTrustee logs to be dumped to the place specified in the configuration file, you also
+need to run /vendor/bin/tlogcat -f. The tlogcat tool is a part of the iTrustee sdk.
The meaning of log level (set(PRINT_LEVEL 3)).
@@ -457,38 +456,38 @@ The meaning of log level (set(PRINT_LEVEL 3)).
PRINT_STRACE 2
PRINT_DEBUG 3
-At present, there are some differences in the usage of the log function. After the itrustee ocall function is stable,
+At present, there are some differences in the usage of the log function. After the iTrustee ocall function is stablized,
the usage will be unified.
Use ocall
---------
-The secGear ocall function can be used normally on the sgx platform. There are currently restrictions on itrustee:
+The secGear ocall function can be used normally on the SGX platform. There are currently restrictions with iTrustee:
only the specified a3d88d2a-ae2a-4ea5-a37d-35fc5f607e9e uuid can be used,
and two programs that enable ocall cannot be run at the same time,
and config cannot be enabled. ta.instanceKeepAlive.
-Moreover, if the underlying itrustee does not enable ocall, the SDK will only report an error registration ocall failure,
+Moreover, if the underlying iTrustee does not enable ocall, the SDK will only report an error registration ocall failure,
and the ecall function can be used normally.
Seal, generate random number interface
--------------------------------------
The related interface is defined in secgear_dataseal.h, secgear_random.h. For usage, please refer to examples/seal_data.
-Note: Since the feature for itrustee to derive keys is still not perfect, seal related interfaces are not currently
-supported on the itrustee platform.
+Note: Since the feature for iTrustee to derive keys is still not perfect, seal related interfaces are not currently
+supported on the iTrustee platform.
Remote authentication capability is currently not supported.
------------------------------------------------------------
-secGear does not currently support plc, switchless and other about sgx features.
+secGear does not currently support plc, switchless and other about SGX features.
--------------------------------------------------------------------------------
Learning More About codegener
----------------------------
-secGear Introduce EDL (Enclave Description Languate) and intermediate code generation tool codegener. EDL is
+secGear introduces EDL (Enclave Description Languate) and intermediate code generation tool codegener. EDL is
compatible with Intel SGX's definition.
- [Learn how to use codegener](./docs/codegener.md)
@@ -496,7 +495,7 @@ compatible with Intel SGX's definition.
Learning More About sign_tool
-----------------------------
-secGear introduce the signing tool to sign the enclave.
+secGear introduces the signing tool to sign the enclave.
- [Learn how to use signing tool](./docs/sign_tool.md)
--
1.8.3.1

99
0043-fix-partial-resource-leak.patch Executable file
View File

@ -0,0 +1,99 @@
From c64400a742d292585f06590741ceb5b37837e4bc Mon Sep 17 00:00:00 2001
From: houmingyong <houmingyong@huawei.com>
Date: Mon, 17 Jan 2022 19:21:12 +0800
Subject: [PATCH] fix partial resource leak
Conflict:NA
Reference:https://gitee.com/openeuler/secGear/pulls/79
---
src/host_src/enclave.c | 49 ++++++++++++++++++------------------------
1 file changed, 21 insertions(+), 28 deletions(-)
diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
index e163b58..36a50b9 100644
--- a/src/host_src/enclave.c
+++ b/src/host_src/enclave.c
@@ -264,7 +264,7 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
{
int32_t ires = 0;
cc_enclave_result_t res = CC_FAIL;
- p_tee_unregistered unregistered_funcc;
+ p_tee_unregistered unregistered_funcc = NULL;
/* check context and enclave engine context */
if (!context || !context->list_ops_node || !context->list_ops_node->ops_desc ||
@@ -273,50 +273,43 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
return CC_ERROR_BAD_PARAMETERS;
}
- ires = pthread_rwlock_wrlock(&(context->rwlock));
- if (ires) {
- return CC_ERROR_BUSY;
- }
+ (void)pthread_rwlock_wrlock(&(context->rwlock));
if (context->list_ops_node->ops_desc->ops->cc_destroy_enclave != NULL) {
res = context->list_ops_node->ops_desc->ops->cc_destroy_enclave(context);
- SECGEAR_CHECK_RES(res);
- } else {
- print_error_goto("Enclave context no valid ops function\n");
+ if (res != CC_SUCCESS) {
+ print_warning("destory enclave error\n");
+ }
}
/* look up enclave engine unregistered */
- res = find_engine_registered(context->list_ops_node->ops_desc->handle, NULL, &unregistered_funcc);
- SECGEAR_CHECK_RES(res);
+ (void)find_engine_registered(context->list_ops_node->ops_desc->handle, NULL, &unregistered_funcc);
/* lock call unregistered func */
- ires = pthread_mutex_lock(&(g_list_ops.mutex_work));
- SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
+ (void)pthread_mutex_lock(&(g_list_ops.mutex_work));
/* call enclave engine free node */
- res = (*unregistered_funcc)(context, context->list_ops_node->ops_desc->type_version);
- SECGEAR_CHECK_RES_UNLOCK(res);
+ if (unregistered_funcc) {
+ res = (*unregistered_funcc)(context, context->list_ops_node->ops_desc->type_version);
+ if (res != CC_SUCCESS) {
+ print_warning("unregister func error\n");
+ }
+ }
if (context->list_ops_node->ops_desc->count == 0) {
ires = dlclose(context->list_ops_node->ops_desc->handle);
if (ires != 0) {
- res = CC_FAIL;
- pthread_mutex_unlock(&(g_list_ops.mutex_work));
- print_error_goto("Close engine failure\n");
+ print_warning("close engine error\n");
}
context->list_ops_node = NULL;
}
/* free enclave number resources */
g_list_ops.enclaveState.enclave_count--;
- ires = pthread_mutex_unlock(&(g_list_ops.mutex_work));
- SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
+ (void)pthread_mutex_unlock(&(g_list_ops.mutex_work));
- res = CC_SUCCESS;
-done:
- if (context && context->path) {
+ if (context->path) {
free(context->path);
}
- if (context) {
- pthread_rwlock_unlock(&context->rwlock);
- pthread_rwlock_destroy(&context->rwlock);
- explicit_bzero(context, sizeof(cc_enclave_t));
- }
- return res;
+ pthread_rwlock_unlock(&context->rwlock);
+ pthread_rwlock_destroy(&context->rwlock);
+ explicit_bzero(context, sizeof(cc_enclave_t));
+
+ return CC_SUCCESS;
}
--
2.23.0

95
0044-Optimize-Engilish-version-readme-file.patch
View File

@ -1,95 +0,0 @@
From e436bc4efa36a1d83e4059d71e85311cada9b528 Mon Sep 17 00:00:00 2001
From: blue <jingood@yeah.net>
Date: Mon, 28 Jun 2021 08:44:03 +0000
Subject: [PATCH] Optimize Engilish version readme file
---
README.en.md | 43 ++++++++++++++++++++++---------------------
1 file changed, 22 insertions(+), 21 deletions(-)
diff --git a/README.en.md b/README.en.md
index 8d5f80a..617ccac 100644
--- a/README.en.md
+++ b/README.en.md
@@ -6,9 +6,9 @@ secGear
Introduction
-----------
-secGear is an SDK to develop confidential computing apps based on hardware enclave features. The target is to use
-single source code for developers to develop apps running on different hardware. Currently secGear supports Intel SGX
-and iTrustee running in ARM Trustzone.
+secGear is an SDK to develop confidential computing apps based on hardware enclave features. The target is to write
+single source code for apps running on different hardware. Currently secGear supports Intel SGX and iTrustee running
+in ARM Trustzone.
Build and Install
----------------
@@ -30,13 +30,13 @@ Assuming the development directory is .../secGear/examples/test/
};
};
-include "secgear_urts.h", from "secgear_tstdc.edl" import *, to shield the difference between sgx and iTrustee when
-calling the C library. So as long as you use the c library functions, for the consistency of your development code,
-the two files need be imported.
+include "secgear_urts.h", from "secgear_tstdc.edl" import *, to shield the difference between SGX and iTrustee when
+calling the C library. So as long as the C library functions are used, for the consistency of the source code, the two
+files need be imported.
-For details about edl syntax, please refer to the sgx development document Enclave Definition Language Syntax section.
-At present, sgx and iTrustee are compatible with each other in basic types, pointer buffers, and deep copy of
-structures, but currently only sgx supports features like user_check, Granting Access to ECALLs, Using Switchless
+For details about edl syntax, please refer to the SGX development document Enclave Definition Language Syntax section.
+At present, SGX and iTrustee are compatible with each other in basic types, pointer buffers, and deep copy of
+structures, but currently only SGX supports features like user_check, Granting Access to ECALLs, Using Switchless
Calls and so on.
Then save as test.edl
@@ -64,9 +64,9 @@ Then save as test.edl
add_subdirectory(${CURRENT_ROOT_PATH}/enclave)
add_subdirectory(${CURRENT_ROOT_PATH}/host)
-Set the CODETYPE EDL_FILE and CODETYPE attributes, which will be used when automatically generating code later.
-On ARM platform, the enclave image needs be named with a unique UUID, so it is dynamically uniquely
-generated using the uuidgen command. The defined DPATH macro is used when loading the enclave image.
+Set the CODETYPE EDL_FILE and CODETYPE attributes, which are used when automatically generating code at later phase.
+On ARM platform, the enclave image needs be named with a unique UUID, so it is dynamically uniquely generated using
+the uuidgen command. The defined DPATH macro is used when loading the enclave image.
### 3 Write the non-secure side code and CMakeLists.txt
@@ -104,22 +104,23 @@ generated using the uuidgen command. The defined DPATH macro is used when loadin
return res;
}
-#include "enclave.h", to import the secGear header file, #include "test_u.h" to import the automatically generated code
+include "enclave.h", to import the secGear header file, include "test_u.h" to import the automatically generated code
header file. Next, call cc_enclave_create(...) to create the enclave context, and then call the wrapper of the
interface described in the edl file to enter the enclave to execute confidential code.
Finally, call cc_enclave_destroy(...) to destroy the enclave context.
-Note that the interface called here has more context and retval parameters than defined in edl file before.
-This is because this function, generated by the automatic code generation tool according to edl, is a wrapper of
-the real enclave code, and its declaration is in the test_u.h header file. Where the context parameter is the
-cc_enclave_t * context created before, and retval is the return value of the function defined in edl, and the res
-parameter is the return value of the wrapped function. The prefix of test_u.h is consistent with the prefix of test.edl.
+Note that comparing to arguments defined in edl file, the interface called here has two more arguments, context and retval.
+This is because the function, generated by the automatic code generation tool according to edl, is a wrapper ofthe real
+enclave function, and its declaration is in the test_u.h header file. Where the context parameter is the
+cc_enclave_t * context created before calling the funciton, and retval is the return value of the function defined in edl,
+and the res argument is the return value of the wrapped function. The prefix of test_u.h is consistent with the prefix of
+test.edl.
If the function defined in edl does not return a value, such as "public void get_string([out, size=32]char *buf);",
-the prototype called by the user will be "res = get_string(context, buf);".
+the interface called by the user would be "res = get_string(context, buf);".
-According to these rules, you can write code when the wrapper function is not generated by code generation tool and
-place the wrapper function generation in the compilation phase, which simplifies the development and compilation steps.
+According to these rules, code can be written before the wrapper function is generated by code generation tool in the
+compilation phase, which simplifies the development and compilation steps.
#### 3.2 Write the CMakeLists.txt file of the host.
--
1.8.3.1

97
0044-fix-pointer-without-init-or-check-NULL.patch Executable file
View File

@ -0,0 +1,97 @@
From d550148b0c79e1d544d7edd0eef52750d6422e40 Mon Sep 17 00:00:00 2001
From: houmingyong<houmingyong@huawei.com>
Date: Sat, 8 Jan 2022 17:01:27 +0800
Subject: [PATCH] modify codex
Conflict:NA
Reference:https://gitee.com/openeuler/secGear/pulls/77
---
src/enclave_src/gp/itrustee/error_conversion.c | 14 +++++++-------
src/host_src/gp/gp_enclave.c | 2 +-
tools/codegener/Gentrust.ml | 14 ++++++++------
3 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/src/enclave_src/gp/itrustee/error_conversion.c b/src/enclave_src/gp/itrustee/error_conversion.c
index 5177322..f30bc81 100644
--- a/src/enclave_src/gp/itrustee/error_conversion.c
+++ b/src/enclave_src/gp/itrustee/error_conversion.c
@@ -28,13 +28,13 @@ cc_enclave_result_t conversion_res_status(uint32_t enclave_res)
CC_ERROR_READ_DATA, CC_ERROR_WRITE_DATA, CC_ERROR_TRUNCATE_OBJECT, CC_ERROR_SEEK_DATA, CC_ERROR_SYNC_DATA,
CC_ERROR_RENAME_OBJECT, CC_ERROR_INVALID_ENCLAVE,
};
- const int res_table2_begin = 0x80000100U;
- const int res_table3_begin = 0x80001001U;
- const int res_table4_begin = 0xFFFF7000U;
- const int res_table5_begin = 0xFFFF7110U;
- const int res_table6_begin = 0xFFFF7118U;
- const int res_table7_begin = 0xFFFF9110U;
- const int shift = 7;
+ const uint32_t res_table2_begin = 0x80000100U;
+ const uint32_t res_table3_begin = 0x80001001U;
+ const uint32_t res_table4_begin = 0xFFFF7000U;
+ const uint32_t res_table5_begin = 0xFFFF7110U;
+ const uint32_t res_table6_begin = 0xFFFF7118U;
+ const uint32_t res_table7_begin = 0xFFFF9110U;
+ const uint32_t shift = 7;
if (enclave_res < res_table2_begin) {
if (enclave_res < sizeof(result_table1) / sizeof(cc_enclave_result_t)) {
diff --git a/src/host_src/gp/gp_enclave.c b/src/host_src/gp/gp_enclave.c
index c7554de..0bedb71 100644
--- a/src/host_src/gp/gp_enclave.c
+++ b/src/host_src/gp/gp_enclave.c
@@ -79,7 +79,7 @@ static cc_enclave_result_t ta_path_to_uuid(const char *path, TEEC_UUID *uuid)
const int clock_end = 7;
const int unit = 8;
const int uuid_base = 16;
- char uuid_str[UUID_LEN];
+ char uuid_str[UUID_LEN + 1] = {0};
uint64_t uuid_split[gp_token_nums];
const char *uuid_pos = NULL;
diff --git a/tools/codegener/Gentrust.ml b/tools/codegener/Gentrust.ml
index 18af7f2..b62624e 100644
--- a/tools/codegener/Gentrust.ml
+++ b/tools/codegener/Gentrust.ml
@@ -27,23 +27,23 @@ let set_parameters_point (fd : func_decl) =
let pre (_: parameter_type) = "" in
let post = "" in
let generator_in (_ : parameter_type) (_ : parameter_type) (decl : declarator) (mem_decl : declarator) =
- sprintf "uint8_t *%s_%s_p;\n " decl.identifier mem_decl.identifier in
+ sprintf "uint8_t *%s_%s_p = NULL;\n " decl.identifier mem_decl.identifier in
let generator_inout (_ : parameter_type) (_ : parameter_type) (decl : declarator) (mem_decl : declarator) =
- (sprintf "uint8_t *%s_%s_in_p;\n " decl.identifier mem_decl.identifier) ^ (sprintf "uint8_t *%s_%s_out_p;\n " decl.identifier mem_decl.identifier) in
+ (sprintf "uint8_t *%s_%s_in_p = NULL;\n " decl.identifier mem_decl.identifier) ^ (sprintf "uint8_t *%s_%s_out_p = NULL;\n " decl.identifier mem_decl.identifier) in
[
- (match fd.rtype with Void -> "" | _ -> "uint8_t *retval_p;");
+ (match fd.rtype with Void -> "" | _ -> "uint8_t *retval_p = NULL;");
concat "\n "
(List.map
(fun (_, decl) ->
- sprintf "uint8_t *%s_p;" decl.identifier)
+ sprintf "uint8_t *%s_p = NULL;" decl.identifier)
params);
concat "\n "
(List.map (deep_copy_func pre generator_in post) deep_copy_in);
concat "\n "
(List.map
(fun (_, decl) ->
- sprintf "uint8_t *%s_out_p;\n " decl.identifier ^
- sprintf "uint8_t *%s_in_p;" decl.identifier)
+ sprintf "uint8_t *%s_out_p = NULL;\n " decl.identifier ^
+ sprintf "uint8_t *%s_in_p = NULL;" decl.identifier)
params_inout);
concat "\n "
(List.map (deep_copy_func pre generator_inout post) deep_copy_inout);
@@ -156,6 +156,8 @@ let set_ecall_func (tf : trusted_func) =
else
" /* There is no parameters point */";
"";
+ " if (in_buf == NULL || out_buf == NULL)";
+ " goto done;";
sprintf " %s_size_t *args_size = (%s_size_t *)in_buf;" tfd.fname tfd.fname;
" in_buf_offset += size_to_aligned_size(sizeof(*args_size));";
"";
--
2.27.0

83
0045-Corrected-some-spelling-and-grammar-mistakes.patch
View File

@ -1,83 +0,0 @@
From 5539ad4ee098358f594f4dbfb73b2a0d9ed975cb Mon Sep 17 00:00:00 2001
From: lshelen23 <ls19950203@163.com>
Date: Fri, 22 Oct 2021 08:17:15 +0000
Subject: [PATCH] Corrected some spelling and grammar mistakes
---
README.en.md | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/README.en.md b/README.en.md
index 617ccac..0fddd9f 100644
--- a/README.en.md
+++ b/README.en.md
@@ -110,9 +110,9 @@ interface described in the edl file to enter the enclave to execute confidential
Finally, call cc_enclave_destroy(...) to destroy the enclave context.
Note that comparing to arguments defined in edl file, the interface called here has two more arguments, context and retval.
-This is because the function, generated by the automatic code generation tool according to edl, is a wrapper ofthe real
+This is because the function, generated by the automatic code generation tool according to edl, is a wrapper of the real
enclave function, and its declaration is in the test_u.h header file. Where the context parameter is the
-cc_enclave_t * context created before calling the funciton, and retval is the return value of the function defined in edl,
+cc_enclave_t * context created before calling the function, and retval is the return value of the function defined in edl,
and the res argument is the return value of the wrapped function. The prefix of test_u.h is consistent with the prefix of
test.edl.
@@ -268,7 +268,7 @@ Set sign tool and the security side log printing level
WHITE_LIS_X sets the whitelist of iTrustee, only the host binaries in these paths can call this secure image,
and up to 8 list paths can be configured. WHITE_LIST_OWNER set user, this user will be applied to all whitelist paths.
-Finally, set the name of the security image after the final signing, and generate auxiliary code.
+Finally, set the name of the security image after the final signing, and generate auxiliary code.
if(CC_SGX)
set(OUTPUT enclave.signed.so)
@@ -345,8 +345,7 @@ so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options is int
endif()
In the case of iTrustee, generate the configuration file manifest.txt, and details of the configuration file will
-be explained later, specify some compilation options related to iTrustee, set the search paths of the header file and
-the link file, and build the enclave binary.
+be explained later, specify some compilation options related to iTrustee, set the search paths of the header file and the link file, and build the enclave binary.
Regarding the use of iTrustee ocall, there are some other notes, which will be introduced later. Then define the
whitelist macro. Next, you need to link to the secgear_tee library, in which there are interfaces for generating
@@ -398,7 +397,7 @@ random numbers, seal, unseal, etc. The last step is to sign and install.
COMMAND bash ${SIGN_TOOL} -d sign -x sgx -i lib${PREFIX}.so -k ${PEM} -o ${OUTPUT} -c ${CMAKE_CURRENT_SOURCE_DIR}/Enclave.config.xml)
endif()
-In the case of SGX, specify some compilation and link options related to SGX. When linking libraries, SGX and iTrustee
+In the case of SGX, specify some compilation and link options related to SGX. When linking libraries, SGX and iTrustee
are quite different. This is because iTrustee is a secure OS with more capabilities, such as musl libc and openssl.
When compiling and link itrustee's enclave, there is no need to link some basic libraries. But SGX has no OS concept.
The basic library interfaces to be called on the security side are all given in the SGX sdk in form of static
@@ -416,7 +415,7 @@ Set some safe compilation options.
Write SGX enclave related configuration files
The configuration content in the Enclave.config.xml and Enclave.lds files is the same as the official SGX
-configuration file. For details, please refer to the official development document.
+configuration file. For details, please refer to the official development document.
Write iTrustee related configuration files
The gpd.ta.appID in the manifest.txt.in file is the uuid configuration item, which is dynamically generated,
@@ -457,7 +456,7 @@ The meaning of log level (set(PRINT_LEVEL 3)).
PRINT_STRACE 2
PRINT_DEBUG 3
-At present, there are some differences in the usage of the log function. After the iTrustee ocall function is stablized,
+At present, there are some differences in the usage of the log function. After the iTrustee ocall function is stabilized,
the usage will be unified.
Use ocall
@@ -488,7 +487,7 @@ secGear does not currently support plc, switchless and other about SGX features.
Learning More About codegener
----------------------------
-secGear introduces EDL (Enclave Description Languate) and intermediate code generation tool codegener. EDL is
+secGear introduces EDL (Enclave Description Language) and intermediate code generation tool codegener. EDL is
compatible with Intel SGX's definition.
- [Learn how to use codegener](./docs/codegener.md)
--
1.8.3.1

69
0045-optimize-the-private-key-usage-of-the-single-step-si.patch Executable file
View File

@ -0,0 +1,69 @@
From 4320c1816627fbeff32c4388c36b31eeea24d629 Mon Sep 17 00:00:00 2001
From: gaoyusong <gaoyusong1@huawei.com>
Date: Mon, 15 Nov 2021 12:39:39 +0800
Subject: [PATCH] optimize the private key usage of the single-step signature
method
Signed-off-by: gaoyusong <gaoyusong1@huawei.com>
---
docs/sign_tool.md | 3 ++-
examples/helloworld/enclave/config_cloud.ini | 1 +
examples/seal_data/enclave/config_cloud.ini | 1 +
tools/sign_tool/sign_tool.sh | 3 ++-
4 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/docs/sign_tool.md b/docs/sign_tool.md
index a092f19..1da6d06 100644
--- a/docs/sign_tool.md
+++ b/docs/sign_tool.md
@@ -47,7 +47,8 @@ The tool supports the following two modes:
The dump command is used to generate metadata for sgx signed enclave.
-i <file> input parameter, which is enclave to be signed for digest/sign command, and signed enclave for
dump command.
- -k <file> private key required for single-step method.
+ -k <file> private key required for single-step method. NOTE: single-step method is only for the dubug mode,
+ plaintext private key does exist in the production environment.
-m <file> additional config_cloud.ini for trustzone.
-o <file> output parameter, the sign command outputs signed enclave, the digest command outputs signing
material, the dump command outputs data containing the SIGStruct metadata for the SGX signed
diff --git a/examples/helloworld/enclave/config_cloud.ini b/examples/helloworld/enclave/config_cloud.ini
index 552f59c..0960436 100644
--- a/examples/helloworld/enclave/config_cloud.ini
+++ b/examples/helloworld/enclave/config_cloud.ini
@@ -27,6 +27,7 @@ encryptKeyLen = 3072
signType = 1
;;;
;private key for signing TA
+;this private key is only for the dubug mode so plaintext private key does exist in the production environment
;[private key owned by yourself]
signKey = ../../examples/helloworld/enclave/cert/private_key.pem
;;;
diff --git a/examples/seal_data/enclave/config_cloud.ini b/examples/seal_data/enclave/config_cloud.ini
index f0c0e39..2b8a79c 100644
--- a/examples/seal_data/enclave/config_cloud.ini
+++ b/examples/seal_data/enclave/config_cloud.ini
@@ -27,6 +27,7 @@ encryptKeyLen = 3072
signType = 1
;;;
;private key for signing TA
+;this private key is only for the dubug mode so plaintext private key does exist in the production environment
;[private key owned by yourself]
signKey = ../../examples/seal_data/enclave/cert/private_key.pem
;;;
diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh
index 0435a67..daca711 100755
--- a/tools/sign_tool/sign_tool.sh
+++ b/tools/sign_tool/sign_tool.sh
@@ -31,7 +31,8 @@ print_help(){
echo " The dump command is used to generate metadata for sgx signed enclave."
echo "-i <file> input parameter, which is enclave to be signed for digest/sign command, and signed enclave for"
echo " dump command."
- echo "-k <file> private key required for single-step method."
+ echo "-k <file> private key required for single-step method. NOTE: single-step method is only for the dubug mode,"
+ echo " plaintext private key does exist in the production environment."
echo "-m <file> additional config_cloud.ini for trustzone."
echo "-o <file> output parameter, the sign command outputs signed enclave, the digest command outputs signing"
echo " material, the dump command outputs data containing the SIGStruct metadata for the SGX signed"
--
2.23.0

25
0046-fix-return-value.patch Normal file
View File

@ -0,0 +1,25 @@
From 1f6f2ff01317c6f04de7cab7c3a126e7ce485df7 Mon Sep 17 00:00:00 2001
From: zhengxiaoxiao <zhengxiaoxiao2@huawei.com>
Date: Sun, 15 May 2022 22:00:33 +0800
Subject: [PATCH] fix return value
---
src/host_src/enclave.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
index 36a50b9..87a984f 100644
--- a/src/host_src/enclave.c
+++ b/src/host_src/enclave.c
@@ -196,7 +196,7 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
if (l_path) {
free(l_path);
}
- return CC_FAIL;
+ return res;
}
/* to do: gp support enter enclave debugging */
--
2.36.0.windows.1

33
0047-del-print-uncontrol-form-string.patch Normal file
View File

@ -0,0 +1,33 @@
From 8877dd937ccb482ab830b9a9d4ca02f6a31045b7 Mon Sep 17 00:00:00 2001
From: zhengxiaoxiao <zhengxiaoxiao2@huawei.com>
Date: Sun, 5 Jun 2022 21:29:41 +0800
Subject: [PATCH] del print uncontrol form string
---
src/host_src/enclave.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
index 8d6c8a6..6fd7510 100644
--- a/src/host_src/enclave.c
+++ b/src/host_src/enclave.c
@@ -142,14 +142,14 @@ static bool check_transform_path(cc_enclave_result_t *res, const char *path, cha
/* check file exists and get absolute pathname */
if (realpath(path, real_p) == NULL) {
*res = CC_ERROR_INVALID_PATH;
- print_error_term("Path %s error %s\n", path, strerror(errno));
+ print_error_term("Path error %s\n", strerror(errno));
return false;
}
/* check file permission */
if (access(real_p, R_OK) != 0) {
*res = CC_ERROR_ACCESS_DENIED;
- print_error_term("Path %s error %s\n", path, strerror(errno));
+ print_error_term("Path error %s\n", strerror(errno));
return false;
}
size_t len = strlen(real_p) + 1;
--
2.33.0

55
secGear.spec
View File

@ -1,6 +1,6 @@
Name: secGear
Version: 0.1.0
Release: 23
Release: 29
Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features
@ -48,19 +48,21 @@ Patch35: 0036-enclave-use-the-can-pull-image-from-hub.oepkgs.net.patch
Patch36: 0037-add-description-about-file-parameter-path-for-sign_t.patch
Patch37: 0038-fix-use-after-free-in-cc_enclave_create.patch
Patch38: 0039-clean-memory-when-it-come-to-error_handle.patch
Patch39: 0040-fix-context-without-free-error.patch
Patch39: 0040-fix-double-free.patch
Patch40: 0041-fix-logs-redirection-error-and-delete-rsa_public_key.patch
Patch41: 0042-Fix-format-and-non-standard-coding-of-sigh_tool.sh-s.patch
Patch42: 0043-Optimize-README-in-English.patch
Patch43: 0044-Optimize-Engilish-version-readme-file.patch
Patch44: 0045-Corrected-some-spelling-and-grammar-mistakes.patch
Patch41: 0042-destroy-rwlock-when-create-enclave-failed.patch
Patch42: 0043-fix-partial-resource-leak.patch
Patch43: 0044-fix-pointer-without-init-or-check-NULL.patch
Patch44: 0045-optimize-the-private-key-usage-of-the-single-step-si.patch
Patch45: 0046-fix-return-value.patch
Patch46: 0047-del-print-uncontrol-form-string.patch
BuildRequires: gcc python automake autoconf libtool
BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++
%ifarch x86_64
BUildRequires: linux-sgx-driver sgxsdk libsgx-launch libsgx-urts openssl
BUildRequires: sgxsdk libsgx-launch libsgx-urts openssl
%else
BUildRequires: itrustee_sdk
BUildRequires: itrustee_sdk itrustee_sdk-devel
%endif
Requires: rsyslog
@ -75,7 +77,12 @@ secGear is an SDK to develop confidential computing apps based on hardware encla
%package devel
Summary: Development files for %{name}
Requires: %{name}%{?isa} = %{version}-%{release} cmake ocaml-dune
Requires: %{name}%{?isa} = %{version}-%{release} cmake
%ifarch x86_64
Requires: sgxsdk
%else
Requires: itrustee_sdk-devel
%endif
%description devel
The %{name}-devel is package contains Header file for developing applications that
us %{name}
@ -166,15 +173,33 @@ popd
systemctl restart rsyslog
%changelog
* Tue Mar 15 2022 duyiwei<duyiwei@kylinos.cn> - 0.1.0-23
- DESC: delete %{?dist}
* Wed Aug 3 2022 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 0.1.0-29
* DESC: override with 22.03
* Tue Jan 11 2022 houmingyong<houmingyong@huawei.com> - 0.1.0-22
* Mon Jun 6 2022 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 0.1.0-28
* DESC: del print uncontrol form string
* Sun May 15 2022 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 0.1.0-27
* DESC: fix return value
* Thu Mar 24 2022 baizhonggui <baizhonggui@huawei.com> - 0.1.0-26
* DESC: delete %{dist}
* Tue Mar 15 2022 wangcheng <wangcheng156@huawei.com> - 0.1.0-25
* DESC: fix the building failure in arm
* Thu Mar 10 2022 wangcheng <wangcheng156@huawei.com> - 0.1.0-24
* DESC: fix some bugs
* Fri Mar 4 2022 gaoyusong <gaoyusong1@huawei.com> - 0.1.0-23
- DESC: fix logs redirection error and del rsa_public_key_cloud.pem
* Wed Feb 23 2022 houmingyong<houmingyong@huawei.com> - 0.1.0-22
- DESC: fix double free bug
* Tue Jan 11 2022 houmingyong<houmingyong@huawei.com> - 0.1.0-21
- DESC: fix no secgear.log after install secGear-devel
* Mon Oct 25 2021 gaoyusong<gaoyusong1@huawei.com> - 0.1.0-21
- DESC: backport some patches from openeuler secGear
* Mon Jul 19 2021 chenmaodong<chenmaodong@huawei.com> - 0.1.0-20
- DESC: add requires for secGear: libsgx-aesm-launch-plugin ocaml-dune