diff --git a/0040-fix-double-free.patch b/0040-fix-double-free.patch
new file mode 100644
index 0000000000000000000000000000000000000000..807856443f68a94027cde57ba747aeb69a74c954
--- /dev/null
+++ b/0040-fix-double-free.patch
@@ -0,0 +1,36 @@
+From 297bce40545793d545747e25f614b09a185ef489 Mon Sep 17 00:00:00 2001
+From: houmingyong
+Date: Wed, 23 Feb 2022 20:33:32 +0800
+Subject: [PATCH] fix double free
+
+---
+ src/host_src/gp/gp_enclave.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/host_src/gp/gp_enclave.c b/src/host_src/gp/gp_enclave.c
+index c7554de..9bc9514 100644
+--- a/src/host_src/gp/gp_enclave.c
++++ b/src/host_src/gp/gp_enclave.c
+@@ -255,10 +255,15 @@ static bool handle_ocall(uint32_t agent_id, int dev_fd, void *buffer, cc_ocall_f
+ }
+ ret = true;
+ done:
+- free(tmp_input_buffer);
+- free(tmp_output_buffer);
+- tmp_input_buffer = NULL;
+- tmp_output_buffer = NULL;
++ if (tmp_input_buffer != NULL) {
++ free(tmp_input_buffer);
++ tmp_input_buffer = NULL;
++ }
++ if (tmp_output_buffer != NULL) {
++ free(tmp_output_buffer);
++ tmp_output_buffer = NULL;
++ }
++
+ return ret;
+ }
+
+--
+2.27.0
+
diff --git a/0041-fix-logs-redirection-error-and-delete-rsa_public_key.patch b/0041-fix-logs-redirection-error-and-delete-rsa_public_key.patch
new file mode 100644
index 0000000000000000000000000000000000000000..486269fdf9e6b7bda2f6837db14378664a9d5f17
--- /dev/null
+++ b/0041-fix-logs-redirection-error-and-delete-rsa_public_key.patch
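Review bot: The NULL guards added around the two `free()` calls in handle_ocall's `done:` path do not change behaviour: `free(NULL)` is a no-op, and the lines they replace already reset both pointers to NULL immediately after freeing, so a second pass over `done:` inside this function was already safe. If a double free was actually observed, its cause is not visible in this hunk — for instance the same allocation being released on another path, or one of the buffers pointing at memory this function does not own — and that is where the fix belongs. I would add a comment at `done:` stating the ownership rule, e.g. `/* tmp_input_buffer/tmp_output_buffer are owned by this function and released only here */`, so a later reader does not assume the guards are what prevents the double free. handle_ocall's body starts before the hunk.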
@@ -0,0 +1,50 @@
+From a3a3a1e9e19f5595cb66fdc7928da70ca9f250a5 Mon Sep 17 00:00:00 2001
+From: chenmaodong
+Date: Wed, 8 Sep 2021 16:48:05 +0800
+Subject: [PATCH] fix logs redirection error and delete
+ rsa_public_key_cloud.pem
+
+PrintInfo will send the message from enclave to host with a program
+name "[secGear]", however it'll print the wrong program name while
+there are multi threads, so we delete this rule. On the same time, we
+delete rsa_public_key_cloud.pem, because itrustee_sdk will provide it
+
+Signed-off-by: chenmaodong
+---
+ conf/rsyslog.d/secgear.conf | 3 +--
+ tools/sign_tool/cloud/rsa_public_key_cloud.pem | 11 -----------
+ 2 files changed, 1 insertion(+), 13 deletions(-)
+ delete mode 100644 tools/sign_tool/cloud/rsa_public_key_cloud.pem
+
+diff --git a/conf/rsyslog.d/secgear.conf b/conf/rsyslog.d/secgear.conf
+index b835a94..7f1d898 100644
+--- a/conf/rsyslog.d/secgear.conf
++++ b/conf/rsyslog.d/secgear.conf
+@@ -1,6 +1,5 @@
+ #Do not modify this file
+-if (($programname == 'teeos') or ($programname == 'secGear')) and \
+- ($msg contains '[secGear]') then {
++if ($msg contains '[secGear]') then {
+ action(type="omfile" fileCreateMode="0600" file="/var/log/secgear/secgear.log")
+ stop
+ }
+diff --git a/tools/sign_tool/cloud/rsa_public_key_cloud.pem b/tools/sign_tool/cloud/rsa_public_key_cloud.pem
+deleted file mode 100644
+index a321f63..0000000
+--- a/tools/sign_tool/cloud/rsa_public_key_cloud.pem
++++ /dev/null
+@@ -1,11 +0,0 @@
+------BEGIN PUBLIC KEY-----
+-MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAzAPwbnbgBg7JgXERA9Bx
+-p7GLI1S3e1zL83RMd2+GXb6kO4yMKUL3NUCE2HhA2BtQYmLyGovx59UUcKnU58is
+-Xux++kH+A2shmOPjYvEFuX0Kt8tc19b8M9b/iHsY8ZmKykqia2a5U+IrECRFJo5p
+-DWUnl7jrHVtq78BSR1c7iXG1frrEC0AYCuqKJo/fxfmOKL0Y9mENCB3nAwjn9unD
+-BsO/OhkqvvB3nkeuMfNKPh4wCqtQPve13eTojbuxjX/3ePijplTI5X2Gr+n6Ximn
+-fYRlytQmMgMl/db0ARSKNApq9bmwzVNrnGWWZWJksdRvf6iL7t17Gs4L9AApOuC9
+-WkzxPvwp5ZUqjsGd4oJGWeC6ZE6BTw2vxE+xMFI9uAKHxq9pBKkcGMa0g4fANNNV
+-+W+8JZGanxEXKB3y/M7BCyQAPCWOHC/RNjmRA1gczLYCPzC4pWu935UZdF1RR6zY
+-CD3t+FoOGGET/g4CwWgyhb5qkp65Hs6ayYt/DUAqo+yBAgMBAAE=
+------END PUBLIC KEY-----
+--
+1.8.3.1
+
diff --git a/0042-destroy-rwlock-when-create-enclave-failed.patch b/0042-destroy-rwlock-when-create-enclave-failed.patch
new file mode 100755
index 0000000000000000000000000000000000000000..a6ecb5a31a9efcdff65760cfe2d7263205ab0de0
--- /dev/null
+++ b/0042-destroy-rwlock-when-create-enclave-failed.patch
@@ -0,0 +1,39 @@
+From e716ff141b967986d35fc65c59ab0e03015dce48 Mon Sep 17 00:00:00 2001
+From: houmingyong
+Date: Thu, 13 Jan 2022 10:24:23 +0800
+Subject: [PATCH] destroy rwlock when create enclave failed
+
+Conflict:NA
+Reference:https://gitee.com/openeuler/secGear/commit/cb80972c3a60261786d76a2a50ab5ce29b312ebd
+
+---
+ src/host_src/enclave.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
+index 8d6c8a6..e163b58 100644
+--- a/src/host_src/enclave.c
++++ b/src/host_src/enclave.c
+@@ -68,6 +68,7 @@ static void error_handle(cc_enclave_t *enclave, void *handle, p_tee_registered r
+ }
+
+ if (enclave) {
++ pthread_rwlock_destroy(&enclave->rwlock);
+ explicit_bzero(enclave, sizeof(cc_enclave_t));
+ }
+ }
+@@ -192,7 +193,10 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
+
+ memset(enclave, 0, sizeof(cc_enclave_t));
+ if (!check_transform_path(&res, path, &l_path) || !chose_engine_type(&res, type, version, &type_version)) {
+- goto done;
++ if (l_path) {
++ free(l_path);
++ }
++ return CC_FAIL;
+ }
+
+ /* to do: gp support enter enclave debugging */
+--
+2.27.0
+
diff --git a/0043-fix-partial-resource-leak.patch b/0043-fix-partial-resource-leak.patch
new file mode 100755
index 0000000000000000000000000000000000000000..9b091c42ba180a0131ea7ed9a308879dc49a4774
--- /dev/null
+++ b/0043-fix-partial-resource-leak.patch
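Review bot: Removing the `$programname` condition from conf/rsyslog.d/secgear.conf makes the rule match on message text alone, so any local process that can reach syslog and emits a line containing `[secGear]` will have it written to /var/log/secgear/secgear.log and, because of the `stop` that follows, withheld from the default log files. That lets an unrelated process inject entries into the secGear log and keep such messages out of the other logs, which matters if this file is relied on for auditing or incident review. If `$programname` is unreliable for multi-threaded senders as the commit message says, constrain the rule on some other sender-side property rather than none at all, for example `if ($syslogfacility-text == '<facility secGear logs under>') and ($msg contains '[secGear]') then {`, or at least record the decision with `# matches on message text only: any local syslog sender can write to this file`.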
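Review bot: The early return added to cc_enclave_create after the `check_transform_path`/`chose_engine_type` check returns the generic `CC_FAIL`, even though both helpers are handed `&res` and, judging by that signature, write a more specific error code into it; the `goto done` it replaces presumably returned `res`. If so, `return res;` preserves the caller's ability to tell a bad path from an unsupported engine type. The `if (l_path)` guard around the `free` is redundant since `free(NULL)` is a no-op, so `free(l_path);` alone reads cleaner. In error_handle, destroying the rwlock before `explicit_bzero` is the right order, but it is worth confirming that every caller reaches error_handle only after `enclave->rwlock` has been initialised, because `pthread_rwlock_destroy` on an uninitialised lock is undefined behaviour; a one-line comment there, e.g. `/* rwlock must already be initialised by the caller */`, would make that precondition explicit. Both enclosing functions extend beyond the hunk.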
@@ -0,0 +1,99 @@
+From c64400a742d292585f06590741ceb5b37837e4bc Mon Sep 17 00:00:00 2001
+From: houmingyong
+Date: Mon, 17 Jan 2022 19:21:12 +0800
+Subject: [PATCH] fix partial resource leak
+
+Conflict:NA
+Reference:https://gitee.com/openeuler/secGear/pulls/79
+
+---
+ src/host_src/enclave.c | 49 ++++++++++++++++++------------------------
+ 1 file changed, 21 insertions(+), 28 deletions(-)
+
+diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
+index e163b58..36a50b9 100644
+--- a/src/host_src/enclave.c
++++ b/src/host_src/enclave.c
+@@ -264,7 +264,7 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
+ {
+ int32_t ires = 0;
+ cc_enclave_result_t res = CC_FAIL;
+- p_tee_unregistered unregistered_funcc;
++ p_tee_unregistered unregistered_funcc = NULL;
+
+ /* check context and enclave engine context */
+ if (!context || !context->list_ops_node || !context->list_ops_node->ops_desc ||
+@@ -273,50 +273,43 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
+ return CC_ERROR_BAD_PARAMETERS;
+ }
+
+- ires = pthread_rwlock_wrlock(&(context->rwlock));
+- if (ires) {
+- return CC_ERROR_BUSY;
+- }
++ (void)pthread_rwlock_wrlock(&(context->rwlock));
+ if (context->list_ops_node->ops_desc->ops->cc_destroy_enclave != NULL) {
+ res = context->list_ops_node->ops_desc->ops->cc_destroy_enclave(context);
+- SECGEAR_CHECK_RES(res);
+- } else {
+- print_error_goto("Enclave context no valid ops function\n");
++ if (res != CC_SUCCESS) {
++ print_warning("destory enclave error\n");
++ }
+ }
+
+ /* look up enclave engine unregistered */
+- res = find_engine_registered(context->list_ops_node->ops_desc->handle, NULL, &unregistered_funcc);
+- SECGEAR_CHECK_RES(res);
++ (void)find_engine_registered(context->list_ops_node->ops_desc->handle, NULL, &unregistered_funcc);
+
+ /* lock call unregistered func */
+- ires = pthread_mutex_lock(&(g_list_ops.mutex_work));
+- SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
++ (void)pthread_mutex_lock(&(g_list_ops.mutex_work));
+ /* call enclave engine free node */
+- res = (*unregistered_funcc)(context, context->list_ops_node->ops_desc->type_version);
+- SECGEAR_CHECK_RES_UNLOCK(res);
++ if (unregistered_funcc) {
++ res = (*unregistered_funcc)(context, context->list_ops_node->ops_desc->type_version);
++ if (res != CC_SUCCESS) {
++ print_warning("unregister func error\n");
++ }
++ }
+ if (context->list_ops_node->ops_desc->count == 0) {
+ ires = dlclose(context->list_ops_node->ops_desc->handle);
+ if (ires != 0) {
+- res = CC_FAIL;
+- pthread_mutex_unlock(&(g_list_ops.mutex_work));
+- print_error_goto("Close engine failure\n");
++ print_warning("close engine error\n");
+ }
+ context->list_ops_node = NULL;
+ }
+ /* free enclave number resources */
+ g_list_ops.enclaveState.enclave_count--;
+- ires = pthread_mutex_unlock(&(g_list_ops.mutex_work));
+- SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
++ (void)pthread_mutex_unlock(&(g_list_ops.mutex_work));
+
+- res = CC_SUCCESS;
+-done:
+- if (context && context->path) {
++ if (context->path) {
+ free(context->path);
+ }
+- if (context) {
+- pthread_rwlock_unlock(&context->rwlock);
+- pthread_rwlock_destroy(&context->rwlock);
+- explicit_bzero(context, sizeof(cc_enclave_t));
+- }
+- return res;
++ pthread_rwlock_unlock(&context->rwlock);
++ pthread_rwlock_destroy(&context->rwlock);
++ explicit_bzero(context, sizeof(cc_enclave_t));
++
++ return CC_SUCCESS;
+ }
+--
+2.23.0
+
diff --git a/0044-fix-pointer-without-init-or-check-NULL.patch b/0044-fix-pointer-without-init-or-check-NULL.patch
new file mode 100755
index 0000000000000000000000000000000000000000..c1f491b3fa8436ee58d7f24ff56e460ec0fe2db1
--- /dev/null
+++ b/0044-fix-pointer-without-init-or-check-NULL.patch
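Review bot: cc_enclave_destroy now ends with an unconditional `return CC_SUCCESS;`, so a failing `cc_destroy_enclave`, unregister callback or `dlclose` is only reported through `print_warning` and the caller can no longer tell that the engine-side teardown did not happen; `res` is assigned in the new code but never returned. Completing the local teardown (free the path, unlock and destroy the rwlock, zero the context) regardless of engine errors is reasonable and is what closes the leak the commit targets, but the first failure should still be returned so a caller can log it or refuse to continue, as sketched below. The change to `(void)pthread_rwlock_wrlock(&(context->rwlock));` also means a failed lock attempt proceeds straight to `explicit_bzero` on a context another thread may still hold; the old `CC_ERROR_BUSY` return was the safer outcome, and at minimum the return value should be checked and logged. The log text `"destory enclave error\n"` misspells "destroy". The function's signature appears in the hunk header and its body is covered by the two hunks.
```c
    cc_enclave_result_t first_err = CC_SUCCESS; /* first failure seen; local teardown still completes */

    /* … unchanged: wrlock, cc_destroy_enclave call … */
        if (res != CC_SUCCESS) {
            print_warning("destroy enclave error\n");
            if (first_err == CC_SUCCESS) {
                first_err = res;
            }
        }
    /* … unchanged: find_engine_registered, mutex_work lock, unregister callback … */
            if (res != CC_SUCCESS) {
                print_warning("unregister func error\n");
                if (first_err == CC_SUCCESS) {
                    first_err = res;
                }
            }
    /* … unchanged: dlclose when count reaches zero … */
            if (ires != 0) {
                print_warning("close engine error\n");
                if (first_err == CC_SUCCESS) {
                    first_err = CC_FAIL;
                }
            }
    /* … unchanged: enclave_count--, mutex unlock, free path, rwlock unlock/destroy, explicit_bzero … */

    return first_err;
```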
@@ -0,0 +1,97 @@
+From d550148b0c79e1d544d7edd0eef52750d6422e40 Mon Sep 17 00:00:00 2001
+From: houmingyong
+Date: Sat, 8 Jan 2022 17:01:27 +0800
+Subject: [PATCH] modify codex
+
+Conflict:NA
+Reference:https://gitee.com/openeuler/secGear/pulls/77
+---
+ src/enclave_src/gp/itrustee/error_conversion.c | 14 +++++++-------
+ src/host_src/gp/gp_enclave.c | 2 +-
+ tools/codegener/Gentrust.ml | 14 ++++++++------
+ 3 files changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/src/enclave_src/gp/itrustee/error_conversion.c b/src/enclave_src/gp/itrustee/error_conversion.c
+index 5177322..f30bc81 100644
+--- a/src/enclave_src/gp/itrustee/error_conversion.c
++++ b/src/enclave_src/gp/itrustee/error_conversion.c
+@@ -28,13 +28,13 @@ cc_enclave_result_t conversion_res_status(uint32_t enclave_res)
+ CC_ERROR_READ_DATA, CC_ERROR_WRITE_DATA, CC_ERROR_TRUNCATE_OBJECT, CC_ERROR_SEEK_DATA, CC_ERROR_SYNC_DATA,
+ CC_ERROR_RENAME_OBJECT, CC_ERROR_INVALID_ENCLAVE,
+ };
+- const int res_table2_begin = 0x80000100U;
+- const int res_table3_begin = 0x80001001U;
+- const int res_table4_begin = 0xFFFF7000U;
+- const int res_table5_begin = 0xFFFF7110U;
+- const int res_table6_begin = 0xFFFF7118U;
+- const int res_table7_begin = 0xFFFF9110U;
+- const int shift = 7;
++ const uint32_t res_table2_begin = 0x80000100U;
++ const uint32_t res_table3_begin = 0x80001001U;
++ const uint32_t res_table4_begin = 0xFFFF7000U;
++ const uint32_t res_table5_begin = 0xFFFF7110U;
++ const uint32_t res_table6_begin = 0xFFFF7118U;
++ const uint32_t res_table7_begin = 0xFFFF9110U;
++ const uint32_t shift = 7;
+
+ if (enclave_res < res_table2_begin) {
+ if (enclave_res < sizeof(result_table1) / sizeof(cc_enclave_result_t)) {
+diff --git a/src/host_src/gp/gp_enclave.c b/src/host_src/gp/gp_enclave.c
+index c7554de..0bedb71 100644
+--- a/src/host_src/gp/gp_enclave.c
++++ b/src/host_src/gp/gp_enclave.c
+@@ -79,7 +79,7 @@ static cc_enclave_result_t ta_path_to_uuid(const char *path, TEEC_UUID *uuid)
+ const int clock_end = 7;
+ const int unit = 8;
+ const int uuid_base = 16;
+- char uuid_str[UUID_LEN];
++ char uuid_str[UUID_LEN + 1] = {0};
+ uint64_t uuid_split[gp_token_nums];
+
+ const char *uuid_pos = NULL;
+diff --git a/tools/codegener/Gentrust.ml b/tools/codegener/Gentrust.ml
+index 18af7f2..b62624e 100644
+--- a/tools/codegener/Gentrust.ml
++++ b/tools/codegener/Gentrust.ml
+@@ -27,23 +27,23 @@ let set_parameters_point (fd : func_decl) =
+ let pre (_: parameter_type) = "" in
+ let post = "" in
+ let generator_in (_ : parameter_type) (_ : parameter_type) (decl : declarator) (mem_decl : declarator) =
+- sprintf "uint8_t *%s_%s_p;\n " decl.identifier mem_decl.identifier in
++ sprintf "uint8_t *%s_%s_p = NULL;\n " decl.identifier mem_decl.identifier in
+ let generator_inout (_ : parameter_type) (_ : parameter_type) (decl : declarator) (mem_decl : declarator) =
+- (sprintf "uint8_t *%s_%s_in_p;\n " decl.identifier mem_decl.identifier) ^ (sprintf "uint8_t *%s_%s_out_p;\n " decl.identifier mem_decl.identifier) in
++ (sprintf "uint8_t *%s_%s_in_p = NULL;\n " decl.identifier mem_decl.identifier) ^ (sprintf "uint8_t *%s_%s_out_p = NULL;\n " decl.identifier mem_decl.identifier) in
+ [
+- (match fd.rtype with Void -> "" | _ -> "uint8_t *retval_p;");
++ (match fd.rtype with Void -> "" | _ -> "uint8_t *retval_p = NULL;");
+ concat "\n "
+ (List.map
+ (fun (_, decl) ->
+- sprintf "uint8_t *%s_p;" decl.identifier)
++ sprintf "uint8_t *%s_p = NULL;" decl.identifier)
+ params);
+ concat "\n "
+ (List.map (deep_copy_func pre generator_in post) deep_copy_in);
+ concat "\n "
+ (List.map
+ (fun (_, decl) ->
+- sprintf "uint8_t *%s_out_p;\n " decl.identifier ^
+- sprintf "uint8_t *%s_in_p;" decl.identifier)
++ sprintf "uint8_t *%s_out_p = NULL;\n " decl.identifier ^
++ sprintf "uint8_t *%s_in_p = NULL;" decl.identifier)
+ params_inout);
+ concat "\n "
+ (List.map (deep_copy_func pre generator_inout post) deep_copy_inout);
+@@ -156,6 +156,8 @@ let set_ecall_func (tf : trusted_func) =
+ else
+ " /* There is no parameters point */";
+ "";
++ " if (in_buf == NULL || out_buf == NULL)";
++ " goto done;";
+ sprintf " %s_size_t *args_size = (%s_size_t *)in_buf;" tfd.fname tfd.fname;
+ " in_buf_offset += size_to_aligned_size(sizeof(*args_size));";
+ "";
+--
+2.27.0
+
diff --git a/0045-optimize-the-private-key-usage-of-the-single-step-si.patch b/0045-optimize-the-private-key-usage-of-the-single-step-si.patch
new file mode 100755
index 0000000000000000000000000000000000000000..e6012267c4dca581b83bd35fddb12c55ba80f0a7
--- /dev/null
+++ b/0045-optimize-the-private-key-usage-of-the-single-step-si.patch
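Review bot: The generated `if (in_buf == NULL || out_buf == NULL)` / `goto done;` added in set_ecall_func guards against missing buffers but still lets the line that follows cast `in_buf` to `%s_size_t *` with no visible check that the buffer holds at least `sizeof(*args_size)` bytes; if the caller-supplied length is validated elsewhere in the generated prologue, a comment next to this check should say so, otherwise the size check belongs beside it. The `goto done` also assumes every generated ecall has a `done:` label and that the function's result variable already holds an error value at this point, neither of which is visible in the hunk; a generator comment such as `(* every generated ecall ends with a done: label; the result must be set to an error before this jump *)` would record that contract. As a point of style, brace the generated single-statement `if` — `" if (in_buf == NULL || out_buf == NULL) {"; " goto done;"; " }";` — so a later addition to the guard cannot fall outside it. set_ecall_func starts before the hunk and continues after it.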
@@ -0,0 +1,69 @@
+From 4320c1816627fbeff32c4388c36b31eeea24d629 Mon Sep 17 00:00:00 2001
+From: gaoyusong
+Date: Mon, 15 Nov 2021 12:39:39 +0800
+Subject: [PATCH] optimize the private key usage of the single-step signature
+ method
+
+Signed-off-by: gaoyusong
+---
+ docs/sign_tool.md | 3 ++-
+ examples/helloworld/enclave/config_cloud.ini | 1 +
+ examples/seal_data/enclave/config_cloud.ini | 1 +
+ tools/sign_tool/sign_tool.sh | 3 ++-
+ 4 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/docs/sign_tool.md b/docs/sign_tool.md
+index a092f19..1da6d06 100644
+--- a/docs/sign_tool.md
++++ b/docs/sign_tool.md
+@@ -47,7 +47,8 @@ The tool supports the following two modes:
+ The dump command is used to generate metadata for sgx signed enclave.
+ -i input parameter, which is enclave to be signed for digest/sign command, and signed enclave for
+ dump command.
+- -k private key required for single-step method.
++ -k private key required for single-step method. NOTE: single-step method is only for the dubug mode,
++ plaintext private key does exist in the production environment.
+ -m additional config_cloud.ini for trustzone.
+ -o output parameter, the sign command outputs signed enclave, the digest command outputs signing
+ material, the dump command outputs data containing the SIGStruct metadata for the SGX signed
+diff --git a/examples/helloworld/enclave/config_cloud.ini b/examples/helloworld/enclave/config_cloud.ini
+index 552f59c..0960436 100644
+--- a/examples/helloworld/enclave/config_cloud.ini
++++ b/examples/helloworld/enclave/config_cloud.ini
+@@ -27,6 +27,7 @@ encryptKeyLen = 3072
+ signType = 1
+ ;;;
+ ;private key for signing TA
++;this private key is only for the dubug mode so plaintext private key does exist in the production environment
+ ;[private key owned by yourself]
+ signKey = ../../examples/helloworld/enclave/cert/private_key.pem
+ ;;;
+diff --git a/examples/seal_data/enclave/config_cloud.ini b/examples/seal_data/enclave/config_cloud.ini
+index f0c0e39..2b8a79c 100644
+--- a/examples/seal_data/enclave/config_cloud.ini
++++ b/examples/seal_data/enclave/config_cloud.ini
+@@ -27,6 +27,7 @@ encryptKeyLen = 3072
+ signType = 1
+ ;;;
+ ;private key for signing TA
++;this private key is only for the dubug mode so plaintext private key does exist in the production environment
+ ;[private key owned by yourself]
+ signKey = ../../examples/seal_data/enclave/cert/private_key.pem
+ ;;;
+diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh
+index 0435a67..daca711 100755
+--- a/tools/sign_tool/sign_tool.sh
++++ b/tools/sign_tool/sign_tool.sh
+@@ -31,7 +31,8 @@ print_help(){
+ echo " The dump command is used to generate metadata for sgx signed enclave."
+ echo "-i input parameter, which is enclave to be signed for digest/sign command, and signed enclave for"
+ echo " dump command."
+- echo "-k private key required for single-step method."
++ echo "-k private key required for single-step method. NOTE: single-step method is only for the dubug mode,"
++ echo " plaintext private key does exist in the production environment."
+ echo "-m additional config_cloud.ini for trustzone."
+ echo "-o output parameter, the sign command outputs signed enclave, the digest command outputs signing"
+ echo " material, the dump command outputs data containing the SIGStruct metadata for the SGX signed"
+--
+2.23.0
+
diff --git a/secGear.spec b/secGear.spec
index 30da8577f9844daa25c950b4a331f52f013b0246..60da95daad81e696d7e008ca25152427c4ab0a81 100644
--- a/secGear.spec
+++ b/secGear.spec
@@ -1,6 +1,6 @@
 Name: secGear
 Version: 0.1.0
-Release: 22%{?dist}
+Release: 25%{?dist}
 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features
@@ -48,19 +48,24 @@ Patch35: 0036-enclave-use-the-can-pull-image-from-hub.oepkgs.net.patch
 Patch36: 0037-add-description-about-file-parameter-path-for-sign_t.patch
 Patch37: 0038-fix-use-after-free-in-cc_enclave_create.patch
 Patch38: 0039-clean-memory-when-it-come-to-error_handle.patch
-Patch39: 0040-fix-logs-redirection-error-and-delete-rsa_public_key.patch
+Patch39: 0040-fix-double-free.patch
+Patch40: 0041-fix-logs-redirection-error-and-delete-rsa_public_key.patch
+Patch41: 0042-destroy-rwlock-when-create-enclave-failed.patch
+Patch42: 0043-fix-partial-resource-leak.patch
+Patch43: 0044-fix-pointer-without-init-or-check-NULL.patch
+Patch44: 0045-optimize-the-private-key-usage-of-the-single-step-si.patch
 BuildRequires: gcc python automake autoconf libtool
 BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++
 %ifarch x86_64
 BUildRequires: linux-sgx-driver sgxsdk libsgx-launch libsgx-urts openssl
 %else
-BUildRequires: itrustee_sdk
+BUildRequires: itrustee_sdk itrustee_sdk-devel
 %endif
 Requires: rsyslog
 %ifarch x86_64
-Requires: linux-sgx-driver sgxsdk libsgx-launch libsgx-urts libsgx-aesm-launch-plugin
+Requires: sgxsdk libsgx-launch libsgx-urts libsgx-aesm-launch-plugin
 %else
 Requires: itrustee_sdk
 %endif
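Review bot: The new help text in sign_tool.sh (`echo "-k private key required for single-step method. NOTE: single-step method is only for the dubug mode,"` followed by `echo " plaintext private key does exist in the production environment."`) reads as the opposite of what the note appears to intend: taken literally it asserts that a plaintext private key does exist in production, while the surrounding sentence is a warning that the single-step mode is for debugging only. The same wording is repeated in docs/sign_tool.md and in both config_cloud.ini comments, and "dubug" is misspelt in all four places. I would change the two echo lines to `echo "-k private key required for single-step method. NOTE: single-step method is for debug use only;"` and `echo " a plaintext private key must not be present in the production environment."`, and mirror that wording in the markdown and ini comments.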
@@ -70,7 +75,12 @@ secGear is an SDK to develop confidential computing apps based on hardware encla
 %package devel
 Summary: Development files for %{name}
-Requires: %{name}%{?isa} = %{version}-%{release} cmake ocaml-dune
+Requires: %{name}%{?isa} = %{version}-%{release} cmake
+%ifarch x86_64
+Requires: sgxsdk
+%else
+Requires: itrustee_sdk-devel
+%endif
 %description devel
 The %{name}-devel is package contains Header file for developing applications that us %{name}
@@ -161,8 +171,17 @@ popd
 systemctl restart rsyslog
 %changelog
-* Mon Mar 14 2022 gaoyusong - 0.1.0-22
-- DESC: fix logs redirection error and del rsa_pub.key
+* Tue Mar 15 2022 wangcheng - 0.1.0-25
+* DESC: fix the building failure in arm
+
+* Thu Mar 10 2022 wangcheng - 0.1.0-24
+* DESC: fix some bugs
+
+* Fri Mar 4 2022 gaoyusong - 0.1.0-23
+- DESC: fix logs redirection error and del rsa_public_key_cloud.pem
+
+* Wed Feb 23 2022 houmingyong - 0.1.0-22
+- DESC: fix double free bug
 * Tue Jan 11 2022 houmingyong - 0.1.0-21
 - DESC: fix no secgear.log after install secGear-devel
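Review bot: The two new %changelog entries for 0.1.0-25 and 0.1.0-24 put their description on a line beginning with `*` (`* DESC: fix the building failure in arm`, `* DESC: fix some bugs`) instead of the `-` every other entry uses; rpmbuild treats a %changelog line that starts with `*` as a new entry header and expects a date after it, so these two lines are likely to fail the changelog parse or at best yield a malformed changelog. Change them to `- DESC: fix the building failure in arm` and `- DESC: fix some bugs`. Separately, the existing 0.1.0-22 entry has been rewritten from the log-redirection fix to the double-free fix while a new 0.1.0-23 entry now carries the log-redirection text; rewriting the description of an already-built release makes the changelog disagree with whatever shipped as 0.1.0-22, so the old entry is better left as it was and the double-free fix recorded under a new release.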