diff --git a/0033-modify-the-error-information-when-missing-c-and-m.patch b/0033-modify-the-error-information-when-missing-c-and-m.patch new file mode 100644 index 0000000000000000000000000000000000000000..7ccc725f9d8dc767178730c7b21845557aa9990a --- /dev/null +++ b/0033-modify-the-error-information-when-missing-c-and-m.patch @@ -0,0 +1,34 @@ +From 909a866a5023c8f23b504ce1307283df834d2b55 Mon Sep 17 00:00:00 2001 +From: yanlu +Date: Wed, 26 May 2021 11:49:49 +0800 +Subject: [PATCH 1/6] modify the error information when missing -c and -m + +--- + tools/sign_tool/sign_tool.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh +index 5469f80..0435a67 100755 +--- a/tools/sign_tool/sign_tool.sh ++++ b/tools/sign_tool/sign_tool.sh +@@ -129,7 +129,7 @@ fi + itrustee_start_sign(){ + # check_native_sign + if [ -z $A_CONFIG_FILE ]; then +- echo "Error: missing config file for signing iTrustee enclave" ++ echo "Error: missing additional config_cloud.ini file for signing iTrustee enclave" + exit -1 + fi + +@@ -137,7 +137,7 @@ itrustee_start_sign(){ + if [ -z $SIGNATURE ]; then + ONE_STEP_MODE=1 + if [ -z $CONFIG_FILE ]; then +- echo "Error: missing config file for signing iTrustee enclave" ++ echo "Error: missing basic config file for signing iTrustee enclave" + exit -1 + fi + if [ -z $IN_ENCLAVE ]; then +-- +2.27.0 + diff --git a/0034-normalize-the-log-printed-by-PrintInfo.patch b/0034-normalize-the-log-printed-by-PrintInfo.patch new file mode 100644 index 0000000000000000000000000000000000000000..a4662e0686e3b46c5b8d3ba576eb30259f54de85 --- /dev/null +++ b/0034-normalize-the-log-printed-by-PrintInfo.patch @@ -0,0 +1,55 @@ +From 5a34d5f560f1b35b4ae8892e07ff852af1a7a38a Mon Sep 17 00:00:00 2001 +From: chenmaodong +Date: Mon, 31 May 2021 14:26:34 +0800 +Subject: [PATCH 2/6] normalize the log printed by PrintInfo + +Signed-off-by: chenmaodong +--- + inc/enclave_inc/gp/itrustee/secgear_log.h | 31 +++++++++++------------ + 1 file changed, 15 insertions(+), 16 deletions(-) + +diff --git a/inc/enclave_inc/gp/itrustee/secgear_log.h b/inc/enclave_inc/gp/itrustee/secgear_log.h +index 2e27b05..819fa86 100644 +--- a/inc/enclave_inc/gp/itrustee/secgear_log.h ++++ b/inc/enclave_inc/gp/itrustee/secgear_log.h +@@ -24,22 +24,21 @@ + #define PRINT_STRACE 2 + #define PRINT_DEBUG 3 + +-#define PrintInfo(level, fmt, args...) \ +- if (level <= PRINT_LEVEL) { \ +- switch (level) { \ +- case 0: \ +- SLog("%s %s: " fmt "\n", "[secGear][ERROR]", __FUNCTION__, ## args); \ +- break; \ +- case 1: \ +- SLog("%s %s: " fmt "\n", "[secGear][WARNING]", __FUNCTION__, ## args); \ +- break; \ +- case 2: \ +- SLog("%s %s: " fmt "\n", "[secGear][STRACE]", __FUNCTION__, ## args); \ +- break; \ +- default: \ +- SLog("%s %s: " fmt "\n", "[secGear][DEBUG]", __FUNCTION__, ## args); \ +- } \ ++#define PrintInfo(level, fmt, args...) \ ++ if (level <= PRINT_LEVEL) { \ ++ switch (level) { \ ++ case 0: \ ++ SLog("%s " fmt "\n", "[secGear][ERROR]", ## args); \ ++ break; \ ++ case 1: \ ++ SLog("%s " fmt "\n", "[secGear][WARNING]", ## args); \ ++ break; \ ++ case 2: \ ++ SLog("%s " fmt "\n", "[secGear][STRACE]", ## args); \ ++ break; \ ++ default: \ ++ SLog("%s " fmt "\n", "[secGear][DEBUG]", ## args); \ ++ } \ + } + +- + #endif +-- +2.27.0 + diff --git a/0035-itrustee-add-lrt-support-itrustee.patch b/0035-itrustee-add-lrt-support-itrustee.patch new file mode 100644 index 0000000000000000000000000000000000000000..dad75a4198d9c8bbe54a8620b05143d5aca488f4 --- /dev/null +++ b/0035-itrustee-add-lrt-support-itrustee.patch @@ -0,0 +1,99 @@ +From 7fceb33ffd6e4f09faa6ba717f80ba6a51591f36 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Tue, 1 Jun 2021 16:38:18 +0800 +Subject: [PATCH 3/6] itrustee: add lrt support itrustee + +Signed-off-by: LiFeng +--- + examples/CMakeLists.txt | 1 + + examples/lrt/CMakeLists.txt | 5 +++-- + examples/lrt/enclave/CMakeLists.txt | 17 ++++++++++++----- + examples/lrt/host/main.c | 1 + + 4 files changed, 17 insertions(+), 7 deletions(-) + +diff --git a/examples/CMakeLists.txt b/examples/CMakeLists.txt +index cfd0171..07fc0fb 100644 +--- a/examples/CMakeLists.txt ++++ b/examples/CMakeLists.txt +@@ -12,6 +12,7 @@ if(CC_GP) + COMMAND cp ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp/itrustee/*.h ${CMAKE_BINARY_DIR}/inc/secGear/) + add_subdirectory(seal_data) + add_subdirectory(helloworld) ++ #add_subdirectory(lrt) + endif() + + if(CC_SGX) +diff --git a/examples/lrt/CMakeLists.txt b/examples/lrt/CMakeLists.txt +index 9059590..45283a3 100644 +--- a/examples/lrt/CMakeLists.txt ++++ b/examples/lrt/CMakeLists.txt +@@ -20,8 +20,9 @@ set(CODEGEN codegen) + + if(CC_GP) + set(CODETYPE trustzone) +- execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID) +- string(REPLACE "\n" "" UUID ${UUID}) ++ # execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID) ++ #string(REPLACE "\n" "" UUID ${UUID}) ++ set(UUID f68fd704-6eb1-4d14-b218-722850eb3ef0) + add_definitions(-DPATH="/data/${UUID}.sec") + endif() + +diff --git a/examples/lrt/enclave/CMakeLists.txt b/examples/lrt/enclave/CMakeLists.txt +index 64494cc..acd1607 100644 +--- a/examples/lrt/enclave/CMakeLists.txt ++++ b/examples/lrt/enclave/CMakeLists.txt +@@ -28,9 +28,9 @@ if(CC_GP) + #set signed output + set(OUTPUT ${UUID}.sec) + #set whilelist. default: /vendor/bin/teec_hello +- set(WHITE_LIST_0 /vendor/bin/helloworld) ++ set(WHITE_LIST_0 /vendor/bin/lrt) + set(WHITE_LIST_OWNER root) +- set(WHITE_LIST_1 /vendor/bin/secgear_helloworld) ++ set(WHITE_LIST_1 /vendor/bin/secgear_lrt) + set(WHITELIST WHITE_LIST_0 WHITE_LIST_1) + + set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h) +@@ -55,7 +55,7 @@ set(COMMON_C_FLAGS "-W -Wall -Werror -fno-short-enums -fno-omit-frame-pointer + set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs -nostartfiles") + + if(CC_GP) +- configure_file("${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt.in" "${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt") ++ # configure_file("${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt.in" "${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt") + + set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -march=armv8-a ") + set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s -fPIC") +@@ -99,8 +99,15 @@ if(CC_GP) + + add_custom_command(TARGET ${PREFIX} + POST_BUILD +- COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt +- -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}) ++ # COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt -m ${CMAKE_CURRENT_SOURCE_DIR}/config_cloud.ini -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT} ++ COMMAND bash ${SIGN_TOOL} -d digest -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt ++ -m ${CMAKE_CURRENT_SOURCE_DIR}/config_cloud.ini -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/temp_hash ++ COMMAND openssl rsautl -sign -inkey ${CMAKE_CURRENT_SOURCE_DIR}/cert/private_key.pem -in ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/temp_hash -out ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/temp_signature ++ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -s ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/temp_signature -m ${CMAKE_CURRENT_SOURCE_DIR}/config_cloud.ini -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT} ++ # COMMAND rm -rf ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/temp_hash ++ #COMMAND rm -rf ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/temp_signature ++ ) ++ + + install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT} + DESTINATION /data +diff --git a/examples/lrt/host/main.c b/examples/lrt/host/main.c +index ba078c7..92ff47a 100644 +--- a/examples/lrt/host/main.c ++++ b/examples/lrt/host/main.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include "enclave.h" + #include "lrt_u.h" + +-- +2.27.0 + diff --git a/0036-enclave-use-the-can-pull-image-from-hub.oepkgs.net.patch b/0036-enclave-use-the-can-pull-image-from-hub.oepkgs.net.patch new file mode 100644 index 0000000000000000000000000000000000000000..6cba74bd21ab0f577b844bcf5e55902b79127700 --- /dev/null +++ b/0036-enclave-use-the-can-pull-image-from-hub.oepkgs.net.patch @@ -0,0 +1,26 @@ +From 764886f9baa739d9688cb1875692b4687434153b Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Tue, 1 Jun 2021 18:48:30 +0800 +Subject: [PATCH 4/6] enclave: use the can-pull image from hub.oepkgs.net + +Signed-off-by: LiFeng +--- + examples/lrt/enclave.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/examples/lrt/enclave.yaml b/examples/lrt/enclave.yaml +index b1bc19b..7734a24 100644 +--- a/examples/lrt/enclave.yaml ++++ b/examples/lrt/enclave.yaml +@@ -28,7 +28,7 @@ spec: + spec: + containers: + - name: hell_lifeng +- image: secgear_hello ++ image: hub.oepkgs.net/lifeng2221dd1/hello_secgear:v1.0 + imagePullPolicy: IfNotPresent + name: helloworld + resources: +-- +2.27.0 + diff --git a/0037-add-description-about-file-parameter-path-for-sign_t.patch b/0037-add-description-about-file-parameter-path-for-sign_t.patch new file mode 100644 index 0000000000000000000000000000000000000000..823daa87057600dc94f6d8f89c932a377b8dd26f --- /dev/null +++ b/0037-add-description-about-file-parameter-path-for-sign_t.patch @@ -0,0 +1,26 @@ +From ac2ccfb69c60dba6eb472d2d62da53f5890a07ce Mon Sep 17 00:00:00 2001 +From: yanlu +Date: Wed, 2 Jun 2021 15:04:34 +0800 +Subject: [PATCH 5/6] add description about file parameter path for + sign_tool.sh + +--- + docs/sign_tool.md | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs/sign_tool.md b/docs/sign_tool.md +index e6c6e3b..a092f19 100644 +--- a/docs/sign_tool.md ++++ b/docs/sign_tool.md +@@ -4,7 +4,7 @@ The sign_tool.sh helps to sign the enclave. + + ## The sign_tool.sh + +-The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'signtool_v3.py' for signing the trustzone enclave. ++The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'signtool_v3.py' for signing the trustzone enclave. When signing the trustzone enclave, it is recommended that use the absolute path to specify the file parameters, if provide a relative path, is should be a path relative to 'signtool_v3.py'. + + The tool supports the following two modes: + +-- +2.27.0 + diff --git a/0033-fix-use-after-free-in-cc_enclave_create.patch b/0038-fix-use-after-free-in-cc_enclave_create.patch similarity index 99% rename from 0033-fix-use-after-free-in-cc_enclave_create.patch rename to 0038-fix-use-after-free-in-cc_enclave_create.patch index 19380f1ec3b11880fa214ffee371a1417f9438e8..e306e0b2650dcee791fb0355a6993fa14c7e5857 100644 --- a/0033-fix-use-after-free-in-cc_enclave_create.patch +++ b/0038-fix-use-after-free-in-cc_enclave_create.patch @@ -1,10 +1,10 @@ From f82ae0a78901c62644a53257d72fbc932d350ed7 Mon Sep 17 00:00:00 2001 From: chenmaodong Date: Wed, 2 Jun 2021 17:16:56 +0800 -Subject: [PATCH] fix use-after-free in cc_enclave_create The last parameter - 'enclave' of cc_enclave_create will not be a double pointer, it'll be a - single pointer now. Besides, the memory of parameter 'enclave' will malloc - and free by users, you can check the example to find how to use it. +Subject: [PATCH 6/6] fix use-after-free in cc_enclave_create The last + parameter 'enclave' of cc_enclave_create will not be a double pointer, it'll + be a single pointer now. Besides, the memory of parameter 'enclave' will + malloc and free by users, you can check the example to find how to use it. Signed-off-by: chenmaodong --- diff --git a/secGear.spec b/secGear.spec index 1832f81f4b9675ad3d0e220dd0b782dcb1da405b..ba782af8f8a8e0bf3de38b5e41cf4bd8db45c9e5 100644 --- a/secGear.spec +++ b/secGear.spec @@ -1,6 +1,6 @@ Name: secGear Version: 0.1.0 -Release: 15%{?dist} +Release: 16%{?dist} Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features @@ -41,7 +41,12 @@ Patch28: 0029-some-adaptations-for-trustzone.patch Patch29: 0030-fix-sgx-two-step-mode-bug-add-dump-command.patch Patch30: 0031-set-signtool_v3.py-path.patch Patch31: 0032-del-size_to_aligned_size.patch -Patch32: 0033-fix-use-after-free-in-cc_enclave_create.patch +Patch32: 0033-modify-the-error-information-when-missing-c-and-m.patch +Patch33: 0034-normalize-the-log-printed-by-PrintInfo.patch +Patch34: 0035-itrustee-add-lrt-support-itrustee.patch +Patch35: 0036-enclave-use-the-can-pull-image-from-hub.oepkgs.net.patch +Patch36: 0037-add-description-about-file-parameter-path-for-sign_t.patch +Patch37: 0038-fix-use-after-free-in-cc_enclave_create.patch BuildRequires: gcc python automake autoconf libtool BUildRequires: glibc glibc-devel cmake ocaml-dune @@ -154,6 +159,9 @@ popd %endif %changelog +* Thu June 3 2021 chenmaodong - 0.1.0-16 +- DESC: backport some patches from openeuler secGear + * Wed June 2 2021 chenmaodong - 0.1.0-15 - DESC: fix uaf in cc_enclave_create