diff --git a/backport-memset-no-optimize.patch b/backport-memset-no-optimize.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3bb78f2f29b801718c897262e7073f0dc44c5ca1
--- /dev/null
+++ b/backport-memset-no-optimize.patch
@@ -0,0 +1,58 @@
+From c15207d44281663b32ad4a8ede998dd4c7bda6fd Mon Sep 17 00:00:00 2001
+From: zhengxiaoxiao
+Date: Thu, 14 Mar 2024 20:20:34 +0800
+Subject: [PATCH] memset no optimize
+
+Reference:https://gitee.com/openeuler/secGear/commit/c0997efc6a69d465b286347285cb1508a9d9c24b
+Conflict:NA
+---
+ src/enclave_src/gp/itrustee/itrustee_seal_data.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/src/enclave_src/gp/itrustee/itrustee_seal_data.c b/src/enclave_src/gp/itrustee/itrustee_seal_data.c
+index b074d6f..e23cb1e 100644
+--- a/src/enclave_src/gp/itrustee/itrustee_seal_data.c
++++ b/src/enclave_src/gp/itrustee/itrustee_seal_data.c
+@@ -15,6 +15,13 @@
+ #include "tee_crypto_api.h"
+ #include "dataseal_internal.h"
+ #include "tee_trusted_storage.h"
++
++#define CC_OPTIMIZE_OFF __attribute__((optimize("O0")))
++CC_OPTIMIZE_OFF static void *memset_no_optimize(void *ptr, int value, size_t num)
++{
++ memset(ptr, 0, num);
++}
++
+ uint32_t get_sealed_data_size_ex(uint32_t seal_data_len, uint32_t aad_len)
+ {
+ if (UINT32_MAX - aad_len <= seal_data_len) {
+@@ -139,13 +146,13 @@ TEE_Result itrustee_seal_data(uint8_t *seal_data, uint32_t seal_data_len, void *
+ result = data_copy(tmp_sealed_data, salt, nonce, mac_data, mac_data_len);
+
+ error0:
+- memset(nonce, 0, SEAL_DATA_NONCE_LEN);
++ memset_no_optimize(nonce, 0, SEAL_DATA_NONCE_LEN);
+ TEE_Free(nonce);
+ error1:
+- memset(salt, 0, SEAL_KEY_SALT_LEN);
++ memset_no_optimize(salt, 0, SEAL_KEY_SALT_LEN);
+ TEE_Free(salt);
+ error2:
+- memset(key_buf, 0, SEAL_KEY_LEN);
++ memset_no_optimize(key_buf, 0, SEAL_KEY_LEN);
+ TEE_Free(key_buf);
+ return result;
+ }
+@@ -249,7 +256,7 @@ TEE_Result itrustee_unseal_data(void *sealed_data, uint8_t *decrypted_data, uint
+ }
+
+ done:
+- memset(key_buf, 0, SEAL_KEY_LEN);
++ memset_no_optimize(key_buf, 0, SEAL_KEY_LEN);
+ TEE_Free(key_buf);
+ return result;
+ }
+--
+2.33.0
+
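Review bot: `memset_no_optimize`, added in the first itrustee_seal_data.c hunk of this patch, is declared to return `void *` but has no `return`, and it ignores `value` and always writes 0. The call sites shown discard the result and pass 0, so nothing breaks today, but the signature promises more than the body delivers. The guarantee that the key, salt and nonce are cleared before `TEE_Free` also rests entirely on `__attribute__((optimize("O0")))`, which is GCC-specific and which GCC's own documentation describes as intended for debugging rather than production code. Writing through a `volatile` pointer keeps the same signature, honours `value`, and does not depend on the optimisation level or compiler; the `CC_OPTIMIZE_OFF` macro can then be dropped. A one-line comment stating that the helper exists so secret buffers are scrubbed before being freed would help the next maintainer.

```c
static void *memset_no_optimize(void *ptr, int value, size_t num)
{
    /* volatile stores cannot be discarded as dead writes before TEE_Free() */
    volatile unsigned char *p = ptr;

    while (num-- > 0) {
        *p++ = (unsigned char)value;
    }
    return ptr;
}
```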
diff --git a/backport-use-memset-instead-of-explicit_bzero.patch b/backport-use-memset-instead-of-explicit_bzero.patch
new file mode 100644
index 0000000000000000000000000000000000000000..94ebc29abdbbeff617f91434b78dd88baee94280
--- /dev/null
+++ b/backport-use-memset-instead-of-explicit_bzero.patch
@@ -0,0 +1,67 @@
+From 248f56df792c14421074a6049ac668464070a574 Mon Sep 17 00:00:00 2001
+From: zhengxiaoxiao
+Date: Tue, 12 Mar 2024 16:53:22 +0800
+Subject: [PATCH] use memset instead of explicit_bzero
+
+Reference: https://gitee.com/openeuler/secGear/commit/248f56df792c14421074a6049ac668464070a574
+Conflict: NA
+---
+ src/enclave_src/gp/itrustee/itrustee_seal_data.c | 8 ++++----
+ src/host_src/enclave.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/enclave_src/gp/itrustee/itrustee_seal_data.c b/src/enclave_src/gp/itrustee/itrustee_seal_data.c
+index cae1734..b074d6f 100644
+--- a/src/enclave_src/gp/itrustee/itrustee_seal_data.c
++++ b/src/enclave_src/gp/itrustee/itrustee_seal_data.c
+@@ -139,13 +139,13 @@ TEE_Result itrustee_seal_data(uint8_t *seal_data, uint32_t seal_data_len, void *
+ result = data_copy(tmp_sealed_data, salt, nonce, mac_data, mac_data_len);
+
+ error0:
+- explicit_bzero(nonce, SEAL_DATA_NONCE_LEN);
++ memset(nonce, 0, SEAL_DATA_NONCE_LEN);
+ TEE_Free(nonce);
+ error1:
+- explicit_bzero(salt, SEAL_KEY_SALT_LEN);
++ memset(salt, 0, SEAL_KEY_SALT_LEN);
+ TEE_Free(salt);
+ error2:
+- explicit_bzero(key_buf, SEAL_KEY_LEN);
++ memset(key_buf, 0, SEAL_KEY_LEN);
+ TEE_Free(key_buf);
+ return result;
+ }
+@@ -251,7 +251,7 @@ TEE_Result itrustee_unseal_data(void *sealed_data, uint8_t *decrypted_data, uint
+ }
+
+ done:
+- explicit_bzero(key_buf, SEAL_KEY_LEN);
++ memset(key_buf, 0, SEAL_KEY_LEN);
+ TEE_Free(key_buf);
+ return result;
+ }
+diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
+index d8b7d35..f13feec 100644
+--- a/src/host_src/enclave.c
++++ b/src/host_src/enclave.c
+@@ -70,7 +70,7 @@ static void error_handle(cc_enclave_t *enclave, void *handle, p_tee_registered r
+
+ if (enclave) {
+ pthread_rwlock_destroy(&enclave->rwlock);
+- explicit_bzero(enclave, sizeof(cc_enclave_t));
++ memset(enclave, 0, sizeof(cc_enclave_t));
+ }
+ }
+
+@@ -310,7 +310,7 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
+ }
+ pthread_rwlock_unlock(&context->rwlock);
+ pthread_rwlock_destroy(&context->rwlock);
+- explicit_bzero(context, sizeof(cc_enclave_t));
++ memset(context, 0, sizeof(cc_enclave_t));
+
+ return CC_SUCCESS;
+ }
+--
+2.33.0
+
diff --git a/secGear.spec b/secGear.spec
index 6930488507d2f7ad2f8f4b291eadd5a14340265b..bf7b51ad9ea2ed55ab56cdae6cd083736a4709ce 100644
--- a/secGear.spec
+++ b/secGear.spec
@@ -1,6 +1,6 @@
 Name: secGear
 Version: 0.1.0
-Release: 38
+Release: 39
 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features
@@ -80,6 +80,8 @@ Patch67: 0068-bugfix-when-input-empty-hash.patch
 Patch68: 0069-adapt-sign-tool-to-pass-API_LEVEL.patch
 Patch69: 0070-sign-tool-add-invalid-param-verify.patch
 Patch70: 0071-adapt-report-with-request-key.patch
+Patch71: backport-use-memset-instead-of-explicit_bzero.patch
+Patch72: backport-memset-no-optimize.patch
 BuildRequires: gcc python automake autoconf libtool
 BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel
@@ -211,6 +213,9 @@ popd
 systemctl restart rsyslog
 %changelog
+* Wed Mar 27 2024 zhengxiaoxiao - 0.1.0-39
+- use memset instead of explicit_bzero
+
 * Wed Sep 13 2023 wangqingsan - 0.1.0-38
 - synchronous features
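Review bot: The two src/host_src/enclave.c hunks in backport-use-memset-instead-of-explicit_bzero.patch (`error_handle` and `cc_enclave_destroy`) are left on plain `memset`, because the companion patch in this commit only moves the itrustee_seal_data.c call sites to `memset_no_optimize`. The host-side wipe of `cc_enclave_t` therefore loses the non-elidable guarantee that `explicit_bzero` gave it. The object is caller-owned at both sites, so the compiler is probably less free to drop the store than in the clear-then-free case, but that is an inference, not something the code enforces. If `cc_enclave_t` can hold sensitive state, keep `explicit_bzero(context, sizeof(cc_enclave_t));` and `explicit_bzero(enclave, sizeof(cc_enclave_t));` on the host side, where glibc is presumably available given the spec's BuildRequires, or route both through one shared scrub helper. Both functions continue outside the hunks shown.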