From 9b1b526c93880d44affb067ddbb88f757cfa6eb5 Mon Sep 17 00:00:00 2001 From: zhengxiaoxiao Date: Wed, 27 Mar 2024 10:50:55 +0800 Subject: [PATCH 1/2] use memset instead of explicit_bzero (cherry picked from commit 946b0a1584acded3ad19b716481fff654826fdf3) --- backport-memset-no-optimize.patch | 58 ++++++++++++++++ ...use-memset-instead-of-explicit_bzero.patch | 67 +++++++++++++++++++ secGear.spec | 7 +- 3 files changed, 131 insertions(+), 1 deletion(-) create mode 100644 backport-memset-no-optimize.patch create mode 100644 backport-use-memset-instead-of-explicit_bzero.patch diff --git a/backport-memset-no-optimize.patch b/backport-memset-no-optimize.patch new file mode 100644 index 0000000..3bb78f2 --- /dev/null +++ b/backport-memset-no-optimize.patch @@ -0,0 +1,58 @@ +From c15207d44281663b32ad4a8ede998dd4c7bda6fd Mon Sep 17 00:00:00 2001 +From: zhengxiaoxiao +Date: Thu, 14 Mar 2024 20:20:34 +0800 +Subject: [PATCH] memset no optimize + +Reference:https://gitee.com/openeuler/secGear/commit/c0997efc6a69d465b286347285cb1508a9d9c24b +Conflict:NA +--- + src/enclave_src/gp/itrustee/itrustee_seal_data.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/src/enclave_src/gp/itrustee/itrustee_seal_data.c b/src/enclave_src/gp/itrustee/itrustee_seal_data.c +index b074d6f..e23cb1e 100644 +--- a/src/enclave_src/gp/itrustee/itrustee_seal_data.c ++++ b/src/enclave_src/gp/itrustee/itrustee_seal_data.c +@@ -15,6 +15,13 @@ + #include "tee_crypto_api.h" + #include "dataseal_internal.h" + #include "tee_trusted_storage.h" ++ ++#define CC_OPTIMIZE_OFF __attribute__((optimize("O0"))) ++CC_OPTIMIZE_OFF static void *memset_no_optimize(void *ptr, int value, size_t num) ++{ ++ memset(ptr, 0, num); ++} ++ + uint32_t get_sealed_data_size_ex(uint32_t seal_data_len, uint32_t aad_len) + { + if (UINT32_MAX - aad_len <= seal_data_len) { +@@ -139,13 +146,13 @@ TEE_Result itrustee_seal_data(uint8_t *seal_data, uint32_t seal_data_len, void * + result = data_copy(tmp_sealed_data, salt, nonce, mac_data, mac_data_len); + + error0: +- memset(nonce, 0, SEAL_DATA_NONCE_LEN); ++ memset_no_optimize(nonce, 0, SEAL_DATA_NONCE_LEN); + TEE_Free(nonce); + error1: +- memset(salt, 0, SEAL_KEY_SALT_LEN); ++ memset_no_optimize(salt, 0, SEAL_KEY_SALT_LEN); + TEE_Free(salt); + error2: +- memset(key_buf, 0, SEAL_KEY_LEN); ++ memset_no_optimize(key_buf, 0, SEAL_KEY_LEN); + TEE_Free(key_buf); + return result; + } +@@ -249,7 +256,7 @@ TEE_Result itrustee_unseal_data(void *sealed_data, uint8_t *decrypted_data, uint + } + + done: +- memset(key_buf, 0, SEAL_KEY_LEN); ++ memset_no_optimize(key_buf, 0, SEAL_KEY_LEN); + TEE_Free(key_buf); + return result; + } +-- +2.33.0 + diff --git a/backport-use-memset-instead-of-explicit_bzero.patch b/backport-use-memset-instead-of-explicit_bzero.patch new file mode 100644 index 0000000..94ebc29 --- /dev/null +++ b/backport-use-memset-instead-of-explicit_bzero.patch @@ -0,0 +1,67 @@ +From 248f56df792c14421074a6049ac668464070a574 Mon Sep 17 00:00:00 2001 +From: zhengxiaoxiao +Date: Tue, 12 Mar 2024 16:53:22 +0800 +Subject: [PATCH] use memset instead of explicit_bzero + +Reference: https://gitee.com/openeuler/secGear/commit/248f56df792c14421074a6049ac668464070a574 +Conflict: NA +--- + src/enclave_src/gp/itrustee/itrustee_seal_data.c | 8 ++++---- + src/host_src/enclave.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/enclave_src/gp/itrustee/itrustee_seal_data.c b/src/enclave_src/gp/itrustee/itrustee_seal_data.c +index cae1734..b074d6f 100644 +--- a/src/enclave_src/gp/itrustee/itrustee_seal_data.c ++++ b/src/enclave_src/gp/itrustee/itrustee_seal_data.c +@@ -139,13 +139,13 @@ TEE_Result itrustee_seal_data(uint8_t *seal_data, uint32_t seal_data_len, void * + result = data_copy(tmp_sealed_data, salt, nonce, mac_data, mac_data_len); + + error0: +- explicit_bzero(nonce, SEAL_DATA_NONCE_LEN); ++ memset(nonce, 0, SEAL_DATA_NONCE_LEN); + TEE_Free(nonce); + error1: +- explicit_bzero(salt, SEAL_KEY_SALT_LEN); ++ memset(salt, 0, SEAL_KEY_SALT_LEN); + TEE_Free(salt); + error2: +- explicit_bzero(key_buf, SEAL_KEY_LEN); ++ memset(key_buf, 0, SEAL_KEY_LEN); + TEE_Free(key_buf); + return result; + } +@@ -251,7 +251,7 @@ TEE_Result itrustee_unseal_data(void *sealed_data, uint8_t *decrypted_data, uint + } + + done: +- explicit_bzero(key_buf, SEAL_KEY_LEN); ++ memset(key_buf, 0, SEAL_KEY_LEN); + TEE_Free(key_buf); + return result; + } +diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c +index d8b7d35..f13feec 100644 +--- a/src/host_src/enclave.c ++++ b/src/host_src/enclave.c +@@ -70,7 +70,7 @@ static void error_handle(cc_enclave_t *enclave, void *handle, p_tee_registered r + + if (enclave) { + pthread_rwlock_destroy(&enclave->rwlock); +- explicit_bzero(enclave, sizeof(cc_enclave_t)); ++ memset(enclave, 0, sizeof(cc_enclave_t)); + } + } + +@@ -310,7 +310,7 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context) + } + pthread_rwlock_unlock(&context->rwlock); + pthread_rwlock_destroy(&context->rwlock); +- explicit_bzero(context, sizeof(cc_enclave_t)); ++ memset(context, 0, sizeof(cc_enclave_t)); + + return CC_SUCCESS; + } +-- +2.33.0 + diff --git a/secGear.spec b/secGear.spec index 6930488..bf7b51a 100644 --- a/secGear.spec +++ b/secGear.spec @@ -1,6 +1,6 @@ Name: secGear Version: 0.1.0 -Release: 38 +Release: 39 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features @@ -80,6 +80,8 @@ Patch67: 0068-bugfix-when-input-empty-hash.patch Patch68: 0069-adapt-sign-tool-to-pass-API_LEVEL.patch Patch69: 0070-sign-tool-add-invalid-param-verify.patch Patch70: 0071-adapt-report-with-request-key.patch +Patch71: backport-use-memset-instead-of-explicit_bzero.patch +Patch72: backport-memset-no-optimize.patch BuildRequires: gcc python automake autoconf libtool BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel @@ -211,6 +213,9 @@ popd systemctl restart rsyslog %changelog +* Wed Mar 27 2024 zhengxiaoxiao - 0.1.0-39 +- use memset instead of explicit_bzero + * Wed Sep 13 2023 wangqingsan - 0.1.0-38 - synchronous features -- Gitee From f4bb5ea1fd2c3f8313529bb5b296941fa228c835 Mon Sep 17 00:00:00 2001 From: houmingyong Date: Thu, 20 Jun 2024 19:42:52 +0800 Subject: [PATCH 2/2] synchoronous features --- ...use-memset-instead-of-explicit_bzero.patch | 0 ...ize.patch => 0073-memset-no-optimize.patch | 0 0074-add-codegen-compile-marco.patch | 29 +++++++++++++++++++ 0075-Correct-the-error-in-the-comment.patch | 26 +++++++++++++++++ 0076-change-log-file-permission-0400.patch | 24 +++++++++++++++ secGear.spec | 13 +++++++-- 6 files changed, 89 insertions(+), 3 deletions(-) rename backport-use-memset-instead-of-explicit_bzero.patch => 0072-use-memset-instead-of-explicit_bzero.patch (100%) rename backport-memset-no-optimize.patch => 0073-memset-no-optimize.patch (100%) create mode 100644 0074-add-codegen-compile-marco.patch create mode 100644 0075-Correct-the-error-in-the-comment.patch create mode 100644 0076-change-log-file-permission-0400.patch diff --git a/backport-use-memset-instead-of-explicit_bzero.patch b/0072-use-memset-instead-of-explicit_bzero.patch similarity index 100% rename from backport-use-memset-instead-of-explicit_bzero.patch rename to 0072-use-memset-instead-of-explicit_bzero.patch diff --git a/backport-memset-no-optimize.patch b/0073-memset-no-optimize.patch similarity index 100% rename from backport-memset-no-optimize.patch rename to 0073-memset-no-optimize.patch diff --git a/0074-add-codegen-compile-marco.patch b/0074-add-codegen-compile-marco.patch new file mode 100644 index 0000000..97af32f --- /dev/null +++ b/0074-add-codegen-compile-marco.patch @@ -0,0 +1,29 @@ +From 088eca103708b2d54c4fe46f6dc2da7a21f4f0da Mon Sep 17 00:00:00 2001 +From: houmingyong +Date: Thu, 7 Dec 2023 14:08:36 +0800 +Subject: [PATCH] add codegen compile marco + +Reference:https://gitee.com/openeuler/secGear/commit/088eca103708b2d54c4fe46f6dc2da7a21f4f0da +Conflict:Deleted the PL part from the patch. +--- + CMakeLists.txt | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 25e6381..8a6f22b 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -74,7 +74,10 @@ if(${ENCLAVE} STREQUAL "SGX") + set(CC_SGX ON) + endif() + +-add_subdirectory(tools/codegener) ++option(CODEGEN "default off" ON) ++if(CODEGEN) ++ add_subdirectory(tools/codegener) ++endif() + + add_subdirectory(src) + add_subdirectory(component) +-- +2.33.0 diff --git a/0075-Correct-the-error-in-the-comment.patch b/0075-Correct-the-error-in-the-comment.patch new file mode 100644 index 0000000..4af968d --- /dev/null +++ b/0075-Correct-the-error-in-the-comment.patch @@ -0,0 +1,26 @@ +From 985be3c3b4947d1a304ff9171c74ca3fe77a86bf Mon Sep 17 00:00:00 2001 +From: zhengxiaoxiaoGitee +Date: Mon, 1 Apr 2024 17:05:10 +0800 +Subject: [PATCH] Correct the error in the comment. + +Reference:https://gitee.com/openeuler/secGear/commit/985be3c3b4947d1a304ff9171c74ca3fe77a86bf +Conflict:NA +--- + inc/host_inc/status.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/inc/host_inc/status.h b/inc/host_inc/status.h +index 7a7920b..c0ff6c7 100644 +--- a/inc/host_inc/status.h ++++ b/inc/host_inc/status.h +@@ -179,7 +179,7 @@ typedef enum _enclave_result_t + CC_CLIENT_INTR = 0xFFFF4000, /* Interrupted by CFC. Broken control flow is detected. */ + CC_ERROR_TIME_NOT_SET = 0xFFFF5000, /* *< 时间未设置 */ + CC_ERROR_TIME_NEEDS_RESET = 0xFFFF5001, /* *< 时间需要重置 */ +- CC_FAIL = 0xFFFF5002, /* *< 时间需要重置 */ ++ CC_FAIL = 0xFFFF5002, /* *< 操作失败 */ + CC_ERROR_TIMER = 0xFFFF6000, + CC_ERROR_TIMER_CREATE_FAILED, + CC_ERROR_TIMER_DESTORY_FAILED, +-- +2.33.0 diff --git a/0076-change-log-file-permission-0400.patch b/0076-change-log-file-permission-0400.patch new file mode 100644 index 0000000..ebdd183 --- /dev/null +++ b/0076-change-log-file-permission-0400.patch @@ -0,0 +1,24 @@ +From 1b2de0be8912fb1b705454011ed6190f52199f60 Mon Sep 17 00:00:00 2001 +From: zhengxiaoxiao +Date: Sat, 11 Jun 2022 12:17:18 +0800 +Subject: [PATCH] change log file permission 0400 + +--- + conf/logrotate.d/secgear | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/conf/logrotate.d/secgear b/conf/logrotate.d/secgear +index 92da41e..f88bb59 100644 +--- a/conf/logrotate.d/secgear ++++ b/conf/logrotate.d/secgear +@@ -5,4 +5,7 @@ + nocompress + copytruncate + size 2048k ++ lastaction ++ chmod 0400 /var/log/secgear/secgear.log.* ++ endscript + } +-- +2.27.0 + diff --git a/secGear.spec b/secGear.spec index bf7b51a..cc8cea2 100644 --- a/secGear.spec +++ b/secGear.spec @@ -1,6 +1,6 @@ Name: secGear Version: 0.1.0 -Release: 39 +Release: 40 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features @@ -80,8 +80,12 @@ Patch67: 0068-bugfix-when-input-empty-hash.patch Patch68: 0069-adapt-sign-tool-to-pass-API_LEVEL.patch Patch69: 0070-sign-tool-add-invalid-param-verify.patch Patch70: 0071-adapt-report-with-request-key.patch -Patch71: backport-use-memset-instead-of-explicit_bzero.patch -Patch72: backport-memset-no-optimize.patch +Patch71: 0072-use-memset-instead-of-explicit_bzero.patch +Patch72: 0073-memset-no-optimize.patch +Patch73: 0074-add-codegen-compile-marco.patch +Patch74: 0075-Correct-the-error-in-the-comment.patch +Patch75: 0076-change-log-file-permission-0400.patch + BuildRequires: gcc python automake autoconf libtool BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel @@ -213,6 +217,9 @@ popd systemctl restart rsyslog %changelog +* Thu Jun 20 2024 houmingyong - 0.1.0-40 +- synchoronous features + * Wed Mar 27 2024 zhengxiaoxiao - 0.1.0-39 - use memset instead of explicit_bzero -- Gitee