From 9d6079f4c97e4accd7074364e4447aa01d4c8124 Mon Sep 17 00:00:00 2001
From: zhengxiaoxiao
Date: Wed, 3 Aug 2022 09:40:37 +0800
Subject: [PATCH] override with 22.03

(cherry picked from commit 45653919dada0b9efb74eda9bdbc5040bc3257d1)

---
 0040-fix-context-without-free-error.patch | 166 ---------
 0040-fix-double-free.patch | 36 ++
 ...on-standard-coding-of-sigh_tool.sh-s.patch | 325 ------------------
 ...oy-rwlock-when-create-enclave-failed.patch | 39 +++
 0043-Optimize-README-in-English.patch | 253 --------------
 0043-fix-partial-resource-leak.patch | 99 ++++++
 ...ptimize-Engilish-version-readme-file.patch | 95 -----
 ...x-pointer-without-init-or-check-NULL.patch | 97 ++++++
 ...d-some-spelling-and-grammar-mistakes.patch | 83 -----
 ...vate-key-usage-of-the-single-step-si.patch | 69 ++++
 0046-fix-return-value.patch | 25 ++
 0047-del-print-uncontrol-form-string.patch | 33 ++
 secGear.spec | 55 ++-
 13 files changed, 438 insertions(+), 937 deletions(-)
 delete mode 100644 0040-fix-context-without-free-error.patch
 create mode 100644 0040-fix-double-free.patch
 delete mode 100644 0042-Fix-format-and-non-standard-coding-of-sigh_tool.sh-s.patch
 create mode 100755 0042-destroy-rwlock-when-create-enclave-failed.patch
 delete mode 100644 0043-Optimize-README-in-English.patch
 create mode 100755 0043-fix-partial-resource-leak.patch
 delete mode 100644 0044-Optimize-Engilish-version-readme-file.patch
 create mode 100755 0044-fix-pointer-without-init-or-check-NULL.patch
 delete mode 100644 0045-Corrected-some-spelling-and-grammar-mistakes.patch
 create mode 100755 0045-optimize-the-private-key-usage-of-the-single-step-si.patch
 create mode 100644 0046-fix-return-value.patch
 create mode 100644 0047-del-print-uncontrol-form-string.patch

diff --git a/0040-fix-context-without-free-error.patch b/0040-fix-context-without-free-error.patch
deleted file mode 100644
index 6592fdc..0000000
--- a/0040-fix-context-without-free-error.patch
+++ /dev/null
@@ -1,166 +0,0 @@ -From 4c4ec07217a59ff96d975a7091116dcd149ce1e5 Mon Sep 17 00:00:00 2001 -From: yanlu -Date: Mon, 21 Jun 2021 15:57:26 +0800 -Subject: [PATCH] fix context without free error - ---- - examples/helloworld/host/main.c | 24 +++++++++++++----------- - examples/lrt/host/main.c | 18 ++++++------------ - examples/tls_enclave/host/main.c | 20 +++++++++----------- - 3 files changed, 28 insertions(+), 34 deletions(-) - -diff --git a/examples/helloworld/host/main.c b/examples/helloworld/host/main.c -index a26fb6f..0d61c62 100644 ---- a/examples/helloworld/host/main.c -+++ b/examples/helloworld/host/main.c -@@ -29,28 +29,28 @@ int main() - if (!context) { - return CC_ERROR_OUT_OF_MEMORY; - } -- cc_enclave_result_t res; -+ cc_enclave_result_t res = CC_FAIL; - - printf("Create secgear enclave\n"); - - char real_p[PATH_MAX]; - /* check file exists, if not exist then use absolute path */ - if (realpath(path, real_p) == NULL) { -- if (getcwd(real_p, sizeof(real_p)) == NULL) { -- printf("Cannot find enclave.sign.so"); -- return -1; -- } -- if (PATH_MAX - strlen(real_p) <= strlen("/enclave.signed.so")) { -- printf("Failed to strcat enclave.sign.so path"); -- return -1; -- } -- (void)strcat(real_p, "/enclave.signed.so"); -+ if (getcwd(real_p, sizeof(real_p)) == NULL) { -+ printf("Cannot find enclave.sign.so"); -+ goto end; -+ } -+ if (PATH_MAX - strlen(real_p) <= strlen("/enclave.signed.so")) { -+ printf("Failed to strcat enclave.sign.so path"); -+ goto end; -+ } -+ (void)strcat(real_p, "/enclave.signed.so"); - } - - res = cc_enclave_create(real_p, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, context); - if (res != CC_SUCCESS) { - printf("Create enclave error\n"); -- return res; -+ goto end; - } - - res = get_string(context, &retval, buf); -@@ -64,5 +64,7 @@ int main() - if(res != CC_SUCCESS) { - printf("Destroy enclave error\n"); - } -+end: -+ free(context); - return res; - } -diff --git a/examples/lrt/host/main.c b/examples/lrt/host/main.c -index 
5108f67..ab3079f 100644 ---- a/examples/lrt/host/main.c -+++ b/examples/lrt/host/main.c -@@ -24,11 +24,7 @@ int main() - int retval = 0; - char *path = PATH; - char buf[BUF_LEN]; -- cc_enclave_t *context = NULL; -- context = (cc_enclave_t*)malloc(sizeof(cc_enclave_t)); -- if (!context) { -- return CC_ERROR_OUT_OF_MEMORY; -- } -+ cc_enclave_t context = {0}; - cc_enclave_result_t res; - - printf("Create secgear enclave\n"); -@@ -47,14 +43,14 @@ int main() - (void)strcat(real_p, "/enclave.signed.so"); - } - -- res = cc_enclave_create(real_p, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, context); -+ res = cc_enclave_create(real_p, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context); - if (res != CC_SUCCESS) { - printf("Create enclave error\n"); - return res; - } - - while(true) { -- res = get_string(context, &retval, buf); -+ res = get_string(&context, &retval, buf); - if (res != CC_SUCCESS || retval != (int)CC_SUCCESS) { - printf("Ecall enclave error\n"); - goto out; -@@ -65,11 +61,9 @@ int main() - } - - out: -- if (context != NULL) { -- res = cc_enclave_destroy(context); -- if(res != CC_SUCCESS) { -- printf("Destroy enclave error\n"); -- } -+ res = cc_enclave_destroy(&context); -+ if(res != CC_SUCCESS) { -+ printf("Destroy enclave error\n"); - } - return res; - } -diff --git a/examples/tls_enclave/host/main.c b/examples/tls_enclave/host/main.c -index c801558..56d1563 100644 ---- a/examples/tls_enclave/host/main.c -+++ b/examples/tls_enclave/host/main.c -@@ -125,11 +125,8 @@ int start_server(int port) - int main(int argc, const char *argv[]) - { - char *path = PATH; -- cc_enclave_t *context = NULL; -- context = (cc_enclave_t*)malloc(sizeof(cc_enclave_t)); -- if (!context) { -- return CC_ERROR_OUT_OF_MEMORY; -- } -+ cc_enclave_t context_data = {0}; -+ cc_enclave_t *context = &context_data; - struct sockaddr_in client_addr; - socklen_t client_len; - int server_fd = -1; -@@ -148,13 +145,16 @@ int main(int argc, const char *argv[]) - } - tlsc_fd = 
accept(server_fd, (struct sockaddr *)&client_addr, &client_len); - if (tlsc_fd < 0) { -+ close(server_fd); - return CC_FAIL; - } - printf("Create secgear enclave\n"); - res = cc_enclave_create(path, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, context); - if (res != CC_SUCCESS) { - printf("Create enclave error\n"); -- goto end; -+ close(tlsc_fd); -+ close(server_fd); -+ return CC_FAIL; - } - res = get_password_and_seal_key(context, argv[3], ENC_KEY_FILE_NAME); - if (res != CC_SUCCESS) { -@@ -171,11 +171,9 @@ int main(int argc, const char *argv[]) - printf("enclve tls finish\n"); - - end: -- if (context != NULL) { -- res = cc_enclave_destroy(context); -- if(res != CC_SUCCESS) { -- printf("Destroy enclave error\n"); -- } -+ res = cc_enclave_destroy(context); -+ if(res != CC_SUCCESS) { -+ printf("Destroy enclave error\n"); - } - close(tlsc_fd); - close(server_fd); --- -1.8.3.1 - diff --git a/0040-fix-double-free.patch b/0040-fix-double-free.patch new file mode 100644 index 0000000..8078564 --- /dev/null +++ b/0040-fix-double-free.patch @@ -0,0 +1,36 @@ +From 297bce40545793d545747e25f614b09a185ef489 Mon Sep 17 00:00:00 2001 +From: houmingyong +Date: Wed, 23 Feb 2022 20:33:32 +0800 +Subject: [PATCH] fix double free + +--- + src/host_src/gp/gp_enclave.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/host_src/gp/gp_enclave.c b/src/host_src/gp/gp_enclave.c +index c7554de..9bc9514 100644 +--- a/src/host_src/gp/gp_enclave.c ++++ b/src/host_src/gp/gp_enclave.c +@@ -255,10 +255,15 @@ static bool handle_ocall(uint32_t agent_id, int dev_fd, void *buffer, cc_ocall_f + } + ret = true; + done: +- free(tmp_input_buffer); +- free(tmp_output_buffer); +- tmp_input_buffer = NULL; +- tmp_output_buffer = NULL; ++ if (tmp_input_buffer != NULL) { ++ free(tmp_input_buffer); ++ tmp_input_buffer = NULL; ++ } ++ if (tmp_output_buffer != NULL) { ++ free(tmp_output_buffer); ++ tmp_output_buffer = NULL; ++ } ++ + return ret; + } + +-- +2.27.0 + 
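Review bot: The NULL checks added around the two `free()` calls in handle_ocall's `done:` block are no-ops, because `free(NULL)` is already defined to do nothing and the removed code also reset both pointers right after freeing, so this hunk on its own cannot eliminate a double free. If one was observed, the second release must come from a path outside this hunk that frees `tmp_input_buffer` or `tmp_output_buffer` without clearing it, and that path is what needs the fix. I would keep the pointer resets and add a comment stating the invariant, e.g. `/* every earlier exit path must leave these two pointers NULL after freeing them */`. handle_ocall's body starts before the hunk, so the other free sites are not visible here.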
diff --git a/0042-Fix-format-and-non-standard-coding-of-sigh_tool.sh-s.patch b/0042-Fix-format-and-non-standard-coding-of-sigh_tool.sh-s.patch
deleted file mode 100644
index fc6425e..0000000
--- a/0042-Fix-format-and-non-standard-coding-of-sigh_tool.sh-s.patch
+++ /dev/null
@@ -1,325 +0,0 @@ -From f8264a32459ca98b5607f1841b6a3d0876d709f0 Mon Sep 17 00:00:00 2001 -From: blue -Date: Thu, 14 Oct 2021 03:59:23 +0000 -Subject: [PATCH] Fix format and non-standard coding of sigh_tool.sh script - ---- - tools/sign_tool/sign_tool.sh | 205 ++++++++++++++++++++++--------------------- - 1 file changed, 103 insertions(+), 102 deletions(-) - -diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh -index 0435a67..8f50ff5 100755 ---- a/tools/sign_tool/sign_tool.sh -+++ b/tools/sign_tool/sign_tool.sh -@@ -9,19 +9,21 @@ - # See the Mulan PSL v2 for more details. - - #!/bin/bash --VERSION=3 - API_LEVEL=2 - ONE_STEP_MODE=1 - --localpath="$(cd "$(dirname "$0")"; pwd)" -+localpath="$( -+ cd "$(dirname "$0")" || exit -1 -+ pwd -+)" - pypath="/lib/secGear" --if [ -f ${localpath}/signtool_v3.py ]; then -+if [ -f "${localpath}/signtool_v3.py" ]; then - signtoolpath=${localpath} - else - signtoolpath=${pypath} - fi - --print_help(){ -+print_help() { - echo "sign tool usage: ./sign_tool.sh [options] ..." - echo "[options]" - echo "-c basic config file." 
-@@ -44,81 +46,81 @@ print_help(){ - - } - --while getopts "c:d:i:k:m:o:p:s:x:h" opt --do -+while getopts "c:d:i:k:m:o:p:s:x:h" opt; do - case $opt in - c) -- if [[ $OPTARG == -* ]]; then -- echo "Error: parameter for -c is missing or incorrect" -- exit -1 -- fi -- CONFIG_FILE=$OPTARG -- ;; -+ if [[ $OPTARG == -* ]]; then -+ echo "Error: parameter for -c is missing or incorrect" -+ exit -1 -+ fi -+ CONFIG_FILE=$OPTARG -+ ;; - d) -- if [[ $OPTARG == -* ]]; then -- echo "Error: parameter for -d is missing or incorrect" -- exit -1 -- fi -- typeset -l CMD -- CMD=$OPTARG -- ;; -+ if [[ $OPTARG == -* ]]; then -+ echo "Error: parameter for -d is missing or incorrect" -+ exit -1 -+ fi -+ typeset -l CMD -+ CMD=$OPTARG -+ ;; - i) -- if [[ $OPTARG == -* ]]; then -- echo "Error: parameter for -i is missing or incorrect" -- exit -1 -- fi -- IN_ENCLAVE=$OPTARG -- ;; -+ if [[ $OPTARG == -* ]]; then -+ echo "Error: parameter for -i is missing or incorrect" -+ exit -1 -+ fi -+ IN_ENCLAVE=$OPTARG -+ ;; - k) -- if [[ $OPTARG == -* ]]; then -- echo "Error: parameter for -k is missing or incorrect" -- exit -1 -- fi -- SIG_KEY=$OPTARG -- ;; -+ if [[ $OPTARG == -* ]]; then -+ echo "Error: parameter for -k is missing or incorrect" -+ exit -1 -+ fi -+ SIG_KEY=$OPTARG -+ ;; - m) -- if [[ $OPTARG == -* ]]; then -- echo "Error: parameter for -m is missing or incorrect" -- exit -1 -- fi -- A_CONFIG_FILE=$OPTARG -- ;; -+ if [[ $OPTARG == -* ]]; then -+ echo "Error: parameter for -m is missing or incorrect" -+ exit -1 -+ fi -+ A_CONFIG_FILE=$OPTARG -+ ;; - o) -- if [[ $OPTARG == -* ]]; then -- echo "Error: parameter for -o is missing or incorrect" -- exit -1 -- fi -- OUT_FILE=$OPTARG -- ;; -+ if [[ $OPTARG == -* ]]; then -+ echo "Error: parameter for -o is missing or incorrect" -+ exit -1 -+ fi -+ OUT_FILE=$OPTARG -+ ;; - p) -- if [[ $OPTARG == -* ]]; then -- echo "Error: parameter for -p is missing or incorrect" -- exit -1 -- fi -- SERVER_PUBKEY=$OPTARG -- ;; -+ if [[ $OPTARG == -* ]]; then -+ 
echo "Error: parameter for -p is missing or incorrect" -+ exit -1 -+ fi -+ SERVER_PUBKEY=$OPTARG -+ ;; - s) -- if [[ $OPTARG == -* ]]; then -- echo "Error: parameter for -s is missing or incorrect" -- exit -1 -- fi -- SIGNATURE=$OPTARG -- ;; -+ if [[ $OPTARG == -* ]]; then -+ echo "Error: parameter for -s is missing or incorrect" -+ exit -1 -+ fi -+ SIGNATURE=$OPTARG -+ ;; - x) -- if [[ $OPTARG == -* ]]; then -- echo "Error: parameter for -x is missing or incorrect" -- exit -1 -- fi -- typeset -l ENCLAVE_TYPE -- ENCLAVE_TYPE=$OPTARG -- ;; -+ if [[ $OPTARG == -* ]]; then -+ echo "Error: parameter for -x is missing or incorrect" -+ exit -1 -+ fi -+ typeset -l ENCLAVE_TYPE -+ ENCLAVE_TYPE=$OPTARG -+ ;; - h) -- print_help -- exit 0 -- ;; -+ print_help -+ exit 0 -+ ;; - ?) -- print_help -- exit -1 -+ print_help -+ exit -1 -+ ;; - esac - done - if [ ${OPTIND} == 1 ]; then -@@ -126,103 +128,102 @@ if [ ${OPTIND} == 1 ]; then - exit 0 - fi - --itrustee_start_sign(){ --# check_native_sign -- if [ -z $A_CONFIG_FILE ]; then -+itrustee_start_sign() { -+ # check_native_sign -+ if [ -z "$A_CONFIG_FILE" ]; then - echo "Error: missing additional config_cloud.ini file for signing iTrustee enclave" - exit -1 - fi - - if [ "${CMD}"x == "sign"x ]; then -- if [ -z $SIGNATURE ]; then -+ if [ -z "$SIGNATURE" ]; then - ONE_STEP_MODE=1 -- if [ -z $CONFIG_FILE ]; then -+ if [ -z "$CONFIG_FILE" ]; then - echo "Error: missing basic config file for signing iTrustee enclave" - exit -1 - fi -- if [ -z $IN_ENCLAVE ]; then -+ if [ -z "$IN_ENCLAVE" ]; then - echo "Error: missing enclave file" - exit -1 - fi -- python ${signtoolpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}" -+ python ${signtoolpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}" - else - ONE_STEP_MODE=0 - python ${signtoolpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "NULL" 
"${OUT_FILE}" "NULL" "${A_CONFIG_FILE}" "${API_LEVEL}" "${SIGNATURE}" - fi - elif [ "${CMD}"x == "digest"x ]; then - ONE_STEP_MODE=0 -- if [ -z $CONFIG_FILE ]; then -+ if [ -z "$CONFIG_FILE" ]; then - echo "Error: missing config file for signing iTrustee enclave" - exit -1 - fi -- if [ -z $IN_ENCLAVE ]; then -+ if [ -z "$IN_ENCLAVE" ]; then - echo "Error: missing enclave file" - exit -1 - fi -- python ${signtoolpath}/signtool_v3.py "digest" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}" -+ python ${signtoolpath}/signtool_v3.py "digest" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}" - else - echo "Error: illegal command" - fi - } - --sgx_start_sign(){ -- if [ -z $IN_ENCLAVE ]; then -+sgx_start_sign() { -+ if [ -z "$IN_ENCLAVE" ]; then - echo "Error: missing enclave file" - exit -1 - fi - SIGDATA_FILE="signdata" - if [ "${CMD}"x == "sign"x ]; then -- if [ -z $SIGNATURE ]; then -- if [ -z $SIG_KEY ]; then -- echo "Error: missing sign key" -- exit -1 -- fi -- if [ -z $CONFIG_FILE ]; then -- sgx_sign sign -enclave ${IN_ENCLAVE} -key ${SIG_KEY} -out ${OUT_FILE} -+ if [ -z "$SIGNATURE" ]; then -+ if [ -z "$SIG_KEY" ]; then -+ echo "Error: missing sign key" -+ exit -1 -+ fi -+ if [ -z "$CONFIG_FILE" ]; then -+ sgx_sign sign -enclave "${IN_ENCLAVE}" -key "${SIG_KEY}" -out "${OUT_FILE}" - else -- sgx_sign sign -enclave ${IN_ENCLAVE} -key ${SIG_KEY} -out ${OUT_FILE} -config ${CONFIG_FILE} -+ sgx_sign sign -enclave "${IN_ENCLAVE}" -key "${SIG_KEY}" -out "${OUT_FILE}" -config "${CONFIG_FILE}" - fi - else -- if [ -z $SERVER_PUBKEY ]; then -+ if [ -z "$SERVER_PUBKEY" ]; then - echo "Error: missing server public key" - exit -1 -- fi -- if [ -z $CONFIG_FILE ]; then -- sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsigned ${SIGDATA_FILE} -out ${OUT_FILE} -+ fi -+ if [ -z "$CONFIG_FILE" ]; then -+ sgx_sign catsig -enclave "${IN_ENCLAVE}" -key 
"${SERVER_PUBKEY}" -sig "${SIGNATURE}" -unsigned "${SIGDATA_FILE}" -out "${OUT_FILE}" - else -- sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsigned ${SIGDATA_FILE} -out ${OUT_FILE} -config ${CONFIG_FILE} -+ sgx_sign catsig -enclave "${IN_ENCLAVE}" -key "${SERVER_PUBKEY}" -sig "${SIGNATURE}" -unsigned "${SIGDATA_FILE}" -out "${OUT_FILE}" -config "${CONFIG_FILE}" - fi - rm -rf ${SIGDATA_FILE} - fi - elif [ "${CMD}"x == "digest"x ]; then -- if [ -z $CONFIG_FILE ]; then -- sgx_sign gendata -enclave ${IN_ENCLAVE} -out ${SIGDATA_FILE} -+ if [ -z "$CONFIG_FILE" ]; then -+ sgx_sign gendata -enclave "${IN_ENCLAVE}" -out "${SIGDATA_FILE}" - else -- sgx_sign gendata -enclave ${IN_ENCLAVE} -out ${SIGDATA_FILE} -config ${CONFIG_FILE} -+ sgx_sign gendata -enclave "${IN_ENCLAVE}" -out "${SIGDATA_FILE}" -config "${CONFIG_FILE}" - fi -- cp ${SIGDATA_FILE} ${OUT_FILE} -+ cp "${SIGDATA_FILE}" "${OUT_FILE}" - elif [ "${CMD}"x == "dump"x ]; then -- sgx_sign dump -enclave ${IN_ENCLAVE} -dumpfile ${OUT_FILE} -+ sgx_sign dump -enclave "${IN_ENCLAVE}" -dumpfile "${OUT_FILE}" - else - echo "Error: illegal command" - fi - } - -- --if [ -z $CMD ]; then -+if [ -z "$CMD" ]; then - echo "Error: missing command" - exit -1 - fi --if [ -z $ENCLAVE_TYPE ]; then -+if [ -z "$ENCLAVE_TYPE" ]; then - echo "Error: missing enclave type" - exit -1 - fi --if [ -z $OUT_FILE ]; then -+if [ -z "$OUT_FILE" ]; then - echo "Error: missing out file" - exit -1 - fi - umask 0077 --check_results=`uname -m` -+check_results=$(uname -m) - if [ "${ENCLAVE_TYPE}"x == "sgx"x ]; then - if [ "${check_results}"x != "x86_64"x ]; then - echo "Warning: the enclave type does not comply with current architecture" --- -1.8.3.1 - diff --git a/0042-destroy-rwlock-when-create-enclave-failed.patch b/0042-destroy-rwlock-when-create-enclave-failed.patch new file mode 100755 index 0000000..a6ecb5a --- /dev/null +++ b/0042-destroy-rwlock-when-create-enclave-failed.patch 
@@ -0,0 +1,39 @@ +From e716ff141b967986d35fc65c59ab0e03015dce48 Mon Sep 17 00:00:00 2001 +From: houmingyong +Date: Thu, 13 Jan 2022 10:24:23 +0800 +Subject: [PATCH] destroy rwlock when create enclave failed + +Conflict:NA +Reference:https://gitee.com/openeuler/secGear/commit/cb80972c3a60261786d76a2a50ab5ce29b312ebd + +--- + src/host_src/enclave.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c +index 8d6c8a6..e163b58 100644 +--- a/src/host_src/enclave.c ++++ b/src/host_src/enclave.c +@@ -68,6 +68,7 @@ static void error_handle(cc_enclave_t *enclave, void *handle, p_tee_registered r + } + + if (enclave) { ++ pthread_rwlock_destroy(&enclave->rwlock); + explicit_bzero(enclave, sizeof(cc_enclave_t)); + } + } +@@ -192,7 +193,10 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin + + memset(enclave, 0, sizeof(cc_enclave_t)); + if (!check_transform_path(&res, path, &l_path) || !chose_engine_type(&res, type, version, &type_version)) { +- goto done; ++ if (l_path) { ++ free(l_path); ++ } ++ return CC_FAIL; + } + + /* to do: gp support enter enclave debugging */ +-- +2.27.0 + diff --git a/0043-Optimize-README-in-English.patch b/0043-Optimize-README-in-English.patch deleted file mode 100644 index 05009d8..0000000 --- a/0043-Optimize-README-in-English.patch +++ /dev/null 
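Review bot: In cc_enclave_create, the replacement early exit `return CC_FAIL;` throws away `res`, which both `check_transform_path` and `chose_engine_type` receive by pointer and presumably fill with a specific error code on failure; if they do, `free(l_path); return res;` keeps that detail for callers and also drops the redundant `if (l_path)` guard, since `free(NULL)` is a no-op. Returning directly instead of `goto done` also skips whatever the `done:` label released, which is outside this hunk; the `enclave` buffer that was just cleared with `memset` is one candidate, so please confirm nothing else is owned at that point. In error_handle, the added `pthread_rwlock_destroy(&enclave->rwlock)` is only valid if every caller reaches it after the lock was initialised — a short comment naming that precondition would help, e.g. `/* rwlock must already be initialised by the caller */`. Both functions extend beyond the hunks shown.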
@@ -1,253 +0,0 @@ -From e1be05934ae4ac8df1cc9e97e826ef47539a487c Mon Sep 17 00:00:00 2001 -From: blue -Date: Thu, 17 Jun 2021 20:41:18 +0800 -Subject: [PATCH] Optimize README in English - ---- - README.en.md | 85 ++++++++++++++++++++++++++++++------------------------------ - 1 file changed, 42 insertions(+), 43 deletions(-) - -diff --git a/README.en.md b/README.en.md -index ec7ada0..8d5f80a 100644 ---- a/README.en.md -+++ b/README.en.md -@@ -7,7 +7,7 @@ Introduction - ----------- - - secGear is an SDK to develop confidential computing apps based on hardware enclave features. The target is to use --single source code for developers to develop apps running on different hardware. Currently secGear support Intel SGX -+single source code for developers to develop apps running on different hardware. Currently secGear supports Intel SGX - and iTrustee running in ARM Trustzone. - - Build and Install -@@ -32,11 +32,11 @@ Assuming the development directory is .../secGear/examples/test/ - - include "secgear_urts.h", from "secgear_tstdc.edl" import *, to shield the difference between sgx and iTrustee when - calling the C library. So as long as you use the c library functions, for the consistency of your development code, --the default is to import these two files. -+the two files need be imported. - - For details about edl syntax, please refer to the sgx development document Enclave Definition Language Syntax section. - At present, sgx and iTrustee are compatible with each other in basic types, pointer buffers, and deep copy of --structures, but currently only sgx supports such things as user_check, Granting Access to ECALLs, Using Switchless -+structures, but currently only sgx supports features like user_check, Granting Access to ECALLs, Using Switchless - Calls and so on. 
- - Then save as test.edl -@@ -64,8 +64,8 @@ Then save as test.edl - add_subdirectory(${CURRENT_ROOT_PATH}/enclave) - add_subdirectory(${CURRENT_ROOT_PATH}/host) - --Set the CODETYPE EDL_FILE and CODETYPE attributes, which will be used when automatically generated later. --On the arm platform, the build enclave image needs to be named with a unique UUID, so it is dynamically uniquely -+Set the CODETYPE EDL_FILE and CODETYPE attributes, which will be used when automatically generating code later. -+On ARM platform, the enclave image needs be named with a unique UUID, so it is dynamically uniquely - generated using the uuidgen command. The defined DPATH macro is used when loading the enclave image. - - -@@ -104,19 +104,19 @@ generated using the uuidgen command. The defined DPATH macro is used when loadin - return res; - } - --#include "enclave.h", import the secGear header file, #include "test_u.h" import the automatically generated code -+#include "enclave.h", to import the secGear header file, #include "test_u.h" to import the automatically generated code - header file. Next, call cc_enclave_create(...) to create the enclave context, and then call the wrapper of the - interface described in the edl file to enter the enclave to execute confidential code. - Finally, call cc_enclave_destroy(...) to destroy the enclave context. - - Note that the interface called here has more context and retval parameters than defined in edl file before. --This is because this function, generated by the automatic code generation tool according to edl, is a wrapper about --the real enclave code, and its declaration is in the test_u.h header file. Where the context parameter it is the -+This is because this function, generated by the automatic code generation tool according to edl, is a wrapper of -+the real enclave code, and its declaration is in the test_u.h header file. 
Where the context parameter is the - cc_enclave_t * context created before, and retval is the return value of the function defined in edl, and the res - parameter is the return value of the wrapped function. The prefix of test_u.h is consistent with the prefix of test.edl. - - If the function defined in edl does not return a value, such as "public void get_string([out, size=32]char *buf);", --then the prototype called by the user will be "res = get_string(context, buf);". -+the prototype called by the user will be "res = get_string(context, buf);". - - According to these rules, you can write code when the wrapper function is not generated by code generation tool and - place the wrapper function generation in the compilation phase, which simplifies the development and compilation steps. -@@ -187,7 +187,7 @@ In the case of iTrustee, set the search paths of the header file and compile the - endif() - endif() - --In the case of sgx, set the search paths of the header file and compile the final non-secure binary. -+In the case of SGX, set the search paths of the header file and compile the final non-secure binary. - - if(CC_SIM) - target_link_libraries(${OUTPUT} secgearsim) -@@ -238,7 +238,7 @@ interface description in test.edl. - #set sign key - set(PEM Enclave_private.pem) - --Set the name used to sign the enclave private key -+Set the private key file name used to sign the enclave binary - - #set sign tool - set(SIGN_TOOL ${LOCAL_ROOT_PATH}/tools/sign_tool/sign_tool.sh) -@@ -265,10 +265,9 @@ Set sign tool and the security side log printing level - COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/gp) - endif() - --WHITE_LIS_X sets the whitelist of itrustee, only the host binary of these paths can call this secure image, -+WHITE_LIS_X sets the whitelist of iTrustee, only the host binaries in these paths can call this secure image, - and up to 8 list paths can be configured. 
WHITE_LIST_OWNER set user, this user will be applied to all whitelist paths. --Finally, set the name of the security side image after the final signature, and --generate auxiliary code. -+Finally, set the name of the security image after the final signing, and generate auxiliary code. - - if(CC_SGX) - set(OUTPUT enclave.signed.so) -@@ -278,7 +277,7 @@ generate auxiliary code. - COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include) - endif() - --In the case of sgx, set the name of the security side image after the final signature, and generate auxiliary code. -+In the case of SGX, set the name of the security image after the final signing, and generate auxiliary code. - - set(COMMON_C_FLAGS "-W -Wall -Werror -fno-short-enums -fno-omit-frame-pointer -fstack-protector \ - -Wstack-protector --param ssp-buffer-size=4 -frecord-gcc-switches -Wextra -nostdinc -nodefaultlibs \ -@@ -287,9 +286,9 @@ In the case of sgx, set the name of the security side image after the final sign - - set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs -nostartfiles") - --Set the security side, no matter whether it is sgx or itrustee will use some compilation and link options, for -+Set the security side, no matter whether it is SGX or iTrustee will use some compilation and link options, for - example, because the security side is different from the non-secure side, the default library of host OS cannot be used, --so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options was introduced. -+so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options is introduced. 
- - if(CC_GP) - configure_file("${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt.in" "${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt") -@@ -344,11 +343,11 @@ so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options was in - - endif() - --In the case of iTrustee, generate the configuration file manifest.txt, which details of the configuration file will --be explained later, specify some compilation options related to itrustee, set the search paths of the header file and --the link file, and compile the enclave binary. -+In the case of iTrustee, generate the configuration file manifest.txt, and details of the configuration file will -+be explained later, specify some compilation options related to iTrustee, set the search paths of the header file and -+the link file, and build the enclave binary. - --Regarding the use of itrustee ocall, there are some other notes, which will be introduced later. Then define the -+Regarding the use of iTrustee ocall, there are some other notes, which will be introduced later. Then define the - whitelist macro. Next, you need to link to the secgear_tee library, in which there are interfaces for generating - random numbers, seal, unseal, etc. The last step is to sign and install. - -@@ -398,14 +397,14 @@ random numbers, seal, unseal, etc. The last step is to sign and install. - COMMAND bash ${SIGN_TOOL} -d sign -x sgx -i lib${PREFIX}.so -k ${PEM} -o ${OUTPUT} -c ${CMAKE_CURRENT_SOURCE_DIR}/Enclave.config.xml) - endif() - --In the case of sgx, specify some compilation, link options related to sgx. When linking libraries, sgx and itrustee --are quite different. This is because itrustee is a secure OS with more capabilities, such as musl libc and openssl. --When compiling and link itrustee's enclave, there is no need to link some basic libraries. But sgx has no OS concept. 
--The basic library interfaces to be called on the security side are all given in the sgx sdk in the form of static --libraries, so this requires us to link these static libraries, and in order to be able to use these static libraries -+In the case of SGX, specify some compilation and link options related to SGX. When linking libraries, SGX and iTrustee -+are quite different. This is because iTrustee is a secure OS with more capabilities, such as musl libc and openssl. -+When compiling and link itrustee's enclave, there is no need to link some basic libraries. But SGX has no OS concept. -+The basic library interfaces to be called on the security side are all given in the SGX sdk in form of static -+libraries, so it requires us to link these static libraries, and in order to be able to use these static libraries - correctly, some libraries must be linked between specified options, such as sgx_trts. - --For more detailed information, please refer to the Makefile of sgx examples. Finally, sign the enclave with the -+For more detailed information, please refer to the Makefile of SGX examples. Finally, sign the enclave with the - configuration file, which will be introduced later. Note that secGear does not currently support remote authentication. - - set_target_properties(${PREFIX} PROPERTIES SKIP_BUILD_RPATH TRUE) -@@ -414,13 +413,13 @@ Set some safe compilation options. - - #### 4.3 Enclave image configuration file - --Write sgx enclave related configuration files --The configuration content in the Enclave.config.xml and Enclave.lds files is the same as the official sgx -+Write SGX enclave related configuration files -+The configuration content in the Enclave.config.xml and Enclave.lds files is the same as the official SGX - configuration file. For details, please refer to the official development document. 
- --Write itrustee related configuration files -+Write iTrustee related configuration files - The gpd.ta.appID in the manifest.txt.in file is the uuid configuration item, which is dynamically generated, --and the other configuration items can refer to the itrustee development document. -+and the other configuration items can refer to the iTrustee development document. - - ### 5 build and install test - -@@ -443,12 +442,12 @@ impossible to directly develop the log function like the non-secure side, Theref - interface to record the security side log to the Syslog system. The related configuration files secgear and secgear.conf - have been installed in the system directory during the build and install secGear phase. - --Note that when using on itrustee, you need to import the secgear_log.h header file, but sgx does not need it. --Because sgx implements the log function through ocall, the relevant code is in the auxiliary code. And when the -+Note that when using on iTrustee, you need to import the secgear_log.h header file, but SGX does not need it. -+Because SGX implements the log function through ocall, the relevant code is in the auxiliary code. And when the - configuration file is installed, you need to run "systemctl restart rsyslog" to make the log effective. - --Finally, in order to enable itrustee logs to be dumped to the place specified in the configuration file, you also --need to run /vendor/bin/tlogcat -f. The tlogcat tool is a part of the itrustee sdk. -+Finally, in order to enable iTrustee logs to be dumped to the place specified in the configuration file, you also -+need to run /vendor/bin/tlogcat -f. The tlogcat tool is a part of the iTrustee sdk. - - The meaning of log level (set(PRINT_LEVEL 3)). - -@@ -457,38 +456,38 @@ The meaning of log level (set(PRINT_LEVEL 3)). - PRINT_STRACE 2 - PRINT_DEBUG 3 - --At present, there are some differences in the usage of the log function. 
After the itrustee ocall function is stable, -+At present, there are some differences in the usage of the log function. After the iTrustee ocall function is stablized, - the usage will be unified. - - Use ocall - --------- - --The secGear ocall function can be used normally on the sgx platform. There are currently restrictions on itrustee: -+The secGear ocall function can be used normally on the SGX platform. There are currently restrictions with iTrustee: - - only the specified a3d88d2a-ae2a-4ea5-a37d-35fc5f607e9e uuid can be used, - and two programs that enable ocall cannot be run at the same time, - and config cannot be enabled. ta.instanceKeepAlive. - --Moreover, if the underlying itrustee does not enable ocall, the SDK will only report an error registration ocall failure, -+Moreover, if the underlying iTrustee does not enable ocall, the SDK will only report an error registration ocall failure, - and the ecall function can be used normally. - - Seal, generate random number interface - -------------------------------------- - - The related interface is defined in secgear_dataseal.h, secgear_random.h. For usage, please refer to examples/seal_data. --Note: Since the feature for itrustee to derive keys is still not perfect, seal related interfaces are not currently --supported on the itrustee platform. -+Note: Since the feature for iTrustee to derive keys is still not perfect, seal related interfaces are not currently -+supported on the iTrustee platform. - - Remote authentication capability is currently not supported. - ------------------------------------------------------------ - --secGear does not currently support plc, switchless and other about sgx features. -+secGear does not currently support plc, switchless and other about SGX features. 
- -------------------------------------------------------------------------------- - - Learning More About codegener - ---------------------------- - --secGear Introduce EDL (Enclave Description Languate) and intermediate code generation tool codegener. EDL is -+secGear introduces EDL (Enclave Description Languate) and intermediate code generation tool codegener. EDL is - compatible with Intel SGX's definition. - - - [Learn how to use codegener](./docs/codegener.md) -@@ -496,7 +495,7 @@ compatible with Intel SGX's definition. - Learning More About sign_tool - ----------------------------- - --secGear introduce the signing tool to sign the enclave. -+secGear introduces the signing tool to sign the enclave. - - - [Learn how to use signing tool](./docs/sign_tool.md) - --- -1.8.3.1 - diff --git a/0043-fix-partial-resource-leak.patch b/0043-fix-partial-resource-leak.patch new file mode 100755 index 0000000..9b091c4 --- /dev/null +++ b/0043-fix-partial-resource-leak.patch 
@@ -0,0 +1,99 @@
+From c64400a742d292585f06590741ceb5b37837e4bc Mon Sep 17 00:00:00 2001
+From: houmingyong
+Date: Mon, 17 Jan 2022 19:21:12 +0800
+Subject: [PATCH] fix partial resource leak
+
+Conflict:NA
+Reference:https://gitee.com/openeuler/secGear/pulls/79
+
+---
+ src/host_src/enclave.c | 49 ++++++++++++++++++------------------
+ 1 file changed, 21 insertions(+), 28 deletions(-)
+
+diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
+index e163b58..36a50b9 100644
+--- a/src/host_src/enclave.c
++++ b/src/host_src/enclave.c
+@@ -264,7 +264,7 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
+ {
+ int32_t ires = 0;
+ cc_enclave_result_t res = CC_FAIL;
+- p_tee_unregistered unregistered_funcc;
++ p_tee_unregistered unregistered_funcc = NULL;
+
+ /* check context and enclave engine context */
+ if (!context || !context->list_ops_node || !context->list_ops_node->ops_desc ||
+@@ -273,50 +273,43 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
+ return CC_ERROR_BAD_PARAMETERS;
+ }
+
+- ires = pthread_rwlock_wrlock(&(context->rwlock));
+- if (ires) {
+- return CC_ERROR_BUSY;
+- }
++ (void)pthread_rwlock_wrlock(&(context->rwlock));
+ if (context->list_ops_node->ops_desc->ops->cc_destroy_enclave != NULL) {
+ res = context->list_ops_node->ops_desc->ops->cc_destroy_enclave(context);
+- SECGEAR_CHECK_RES(res);
+- } else {
+- print_error_goto("Enclave context no valid ops function\n");
++ if (res != CC_SUCCESS) {
++ print_warning("destory enclave error\n");
++ }
+ }
+
+ /* look up enclave engine unregistered */
+- res = find_engine_registered(context->list_ops_node->ops_desc->handle, NULL, &unregistered_funcc);
+- SECGEAR_CHECK_RES(res);
++ (void)find_engine_registered(context->list_ops_node->ops_desc->handle, NULL, &unregistered_funcc);
+
+ /* lock call unregistered func */
+- ires = pthread_mutex_lock(&(g_list_ops.mutex_work));
+- SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
++ (void)pthread_mutex_lock(&(g_list_ops.mutex_work));
+
+ /* call enclave engine free node */
+- res = (*unregistered_funcc)(context, context->list_ops_node->ops_desc->type_version);
+- SECGEAR_CHECK_RES_UNLOCK(res);
++ if (unregistered_funcc) {
++ res = (*unregistered_funcc)(context, context->list_ops_node->ops_desc->type_version);
++ if (res != CC_SUCCESS) {
++ print_warning("unregister func error\n");
++ }
++ }
+ if (context->list_ops_node->ops_desc->count == 0) {
+ ires = dlclose(context->list_ops_node->ops_desc->handle);
+ if (ires != 0) {
+- res = CC_FAIL;
+- pthread_mutex_unlock(&(g_list_ops.mutex_work));
+- print_error_goto("Close engine failure\n");
++ print_warning("close engine error\n");
+ }
+ context->list_ops_node = NULL;
+ }
+ /* free enclave number resources */
+ g_list_ops.enclaveState.enclave_count--;
+- ires = pthread_mutex_unlock(&(g_list_ops.mutex_work));
+- SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
++ (void)pthread_mutex_unlock(&(g_list_ops.mutex_work));
+
+- res = CC_SUCCESS;
+-done:
+- if (context && context->path) {
++ if (context->path) {
+ free(context->path);
+ }
+- if (context) {
+- pthread_rwlock_unlock(&context->rwlock);
+- pthread_rwlock_destroy(&context->rwlock);
+- explicit_bzero(context, sizeof(cc_enclave_t));
+- }
++ pthread_rwlock_unlock(&context->rwlock);
++ pthread_rwlock_destroy(&context->rwlock);
++ explicit_bzero(context, sizeof(cc_enclave_t));
++
++ return CC_SUCCESS;
+ }
+--
+2.23.0
+
diff --git a/0044-Optimize-Engilish-version-readme-file.patch b/0044-Optimize-Engilish-version-readme-file.patch
deleted file mode 100644
index d4490d7..0000000
--- a/0044-Optimize-Engilish-version-readme-file.patch
+++ /dev/null
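Review bot: In the rewritten cc_enclave_destroy the result of pthread_rwlock_wrlock is discarded, yet the function goes on to unlock, destroy and explicit_bzero the rwlock unconditionally, so a lock failure (EDEADLK when the calling thread already holds it, EINVAL on a bad lock) now ends in pthread_rwlock_destroy on a lock this thread does not own, which POSIX leaves undefined, where the removed code returned CC_ERROR_BUSY. The same (void) pattern on pthread_mutex_lock(&g_list_ops.mutex_work) means enclave_count is decremented and the engine node handled without the mutex being held if that lock failed. Keep the leak fix but retain the early bail-out: `if (pthread_rwlock_wrlock(&(context->rwlock)) != 0) { return CC_ERROR_BUSY; }`. Separately, the function now returns CC_SUCCESS even when cc_destroy_enclave, the unregister callback or dlclose reported failure, so a caller can no longer learn that teardown was partial; if that is deliberate, a comment stating that failures are downgraded to warnings because the context is unconditionally torn down would make the contract explicit.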
@@ -1,95 +0,0 @@ -From e436bc4efa36a1d83e4059d71e85311cada9b528 Mon Sep 17 00:00:00 2001 -From: blue -Date: Mon, 28 Jun 2021 08:44:03 +0000 -Subject: [PATCH] Optimize Engilish version readme file - ---- - README.en.md | 43 ++++++++++++++++++++++--------------------- - 1 file changed, 22 insertions(+), 21 deletions(-) - -diff --git a/README.en.md b/README.en.md -index 8d5f80a..617ccac 100644 ---- a/README.en.md -+++ b/README.en.md -@@ -6,9 +6,9 @@ secGear - Introduction - ----------- - --secGear is an SDK to develop confidential computing apps based on hardware enclave features. The target is to use --single source code for developers to develop apps running on different hardware. Currently secGear supports Intel SGX --and iTrustee running in ARM Trustzone. -+secGear is an SDK to develop confidential computing apps based on hardware enclave features. The target is to write -+single source code for apps running on different hardware. Currently secGear supports Intel SGX and iTrustee running -+in ARM Trustzone. - - Build and Install - ---------------- -@@ -30,13 +30,13 @@ Assuming the development directory is .../secGear/examples/test/ - }; - }; - --include "secgear_urts.h", from "secgear_tstdc.edl" import *, to shield the difference between sgx and iTrustee when --calling the C library. So as long as you use the c library functions, for the consistency of your development code, --the two files need be imported. -+include "secgear_urts.h", from "secgear_tstdc.edl" import *, to shield the difference between SGX and iTrustee when -+calling the C library. So as long as the C library functions are used, for the consistency of the source code, the two -+files need be imported. - --For details about edl syntax, please refer to the sgx development document Enclave Definition Language Syntax section. 
--At present, sgx and iTrustee are compatible with each other in basic types, pointer buffers, and deep copy of --structures, but currently only sgx supports features like user_check, Granting Access to ECALLs, Using Switchless -+For details about edl syntax, please refer to the SGX development document Enclave Definition Language Syntax section. -+At present, SGX and iTrustee are compatible with each other in basic types, pointer buffers, and deep copy of -+structures, but currently only SGX supports features like user_check, Granting Access to ECALLs, Using Switchless - Calls and so on. - - Then save as test.edl -@@ -64,9 +64,9 @@ Then save as test.edl - add_subdirectory(${CURRENT_ROOT_PATH}/enclave) - add_subdirectory(${CURRENT_ROOT_PATH}/host) - --Set the CODETYPE EDL_FILE and CODETYPE attributes, which will be used when automatically generating code later. --On ARM platform, the enclave image needs be named with a unique UUID, so it is dynamically uniquely --generated using the uuidgen command. The defined DPATH macro is used when loading the enclave image. -+Set the CODETYPE EDL_FILE and CODETYPE attributes, which are used when automatically generating code at later phase. -+On ARM platform, the enclave image needs be named with a unique UUID, so it is dynamically uniquely generated using -+the uuidgen command. The defined DPATH macro is used when loading the enclave image. - - - ### 3 Write the non-secure side code and CMakeLists.txt -@@ -104,22 +104,23 @@ generated using the uuidgen command. The defined DPATH macro is used when loadin - return res; - } - --#include "enclave.h", to import the secGear header file, #include "test_u.h" to import the automatically generated code -+include "enclave.h", to import the secGear header file, include "test_u.h" to import the automatically generated code - header file. Next, call cc_enclave_create(...) 
to create the enclave context, and then call the wrapper of the - interface described in the edl file to enter the enclave to execute confidential code. - Finally, call cc_enclave_destroy(...) to destroy the enclave context. - --Note that the interface called here has more context and retval parameters than defined in edl file before. --This is because this function, generated by the automatic code generation tool according to edl, is a wrapper of --the real enclave code, and its declaration is in the test_u.h header file. Where the context parameter is the --cc_enclave_t * context created before, and retval is the return value of the function defined in edl, and the res --parameter is the return value of the wrapped function. The prefix of test_u.h is consistent with the prefix of test.edl. -+Note that comparing to arguments defined in edl file, the interface called here has two more arguments, context and retval. -+This is because the function, generated by the automatic code generation tool according to edl, is a wrapper ofthe real -+enclave function, and its declaration is in the test_u.h header file. Where the context parameter is the -+cc_enclave_t * context created before calling the funciton, and retval is the return value of the function defined in edl, -+and the res argument is the return value of the wrapped function. The prefix of test_u.h is consistent with the prefix of -+test.edl. - - If the function defined in edl does not return a value, such as "public void get_string([out, size=32]char *buf);", --the prototype called by the user will be "res = get_string(context, buf);". -+the interface called by the user would be "res = get_string(context, buf);". - --According to these rules, you can write code when the wrapper function is not generated by code generation tool and --place the wrapper function generation in the compilation phase, which simplifies the development and compilation steps. 
-+According to these rules, code can be written before the wrapper function is generated by code generation tool in the -+compilation phase, which simplifies the development and compilation steps. - - #### 3.2 Write the CMakeLists.txt file of the host. - --- -1.8.3.1 - diff --git a/0044-fix-pointer-without-init-or-check-NULL.patch b/0044-fix-pointer-without-init-or-check-NULL.patch new file mode 100755 index 0000000..c1f491b --- /dev/null +++ b/0044-fix-pointer-without-init-or-check-NULL.patch 
@@ -0,0 +1,97 @@
+From d550148b0c79e1d544d7edd0eef52750d6422e40 Mon Sep 17 00:00:00 2001
+From: houmingyong
+Date: Sat, 8 Jan 2022 17:01:27 +0800
+Subject: [PATCH] modify codex
+
+Conflict:NA
+Reference:https://gitee.com/openeuler/secGear/pulls/77
+---
+ src/enclave_src/gp/itrustee/error_conversion.c | 14 +++++++-------
+ src/host_src/gp/gp_enclave.c | 2 +-
+ tools/codegener/Gentrust.ml | 14 ++++++++------
+ 3 files changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/src/enclave_src/gp/itrustee/error_conversion.c b/src/enclave_src/gp/itrustee/error_conversion.c
+index 5177322..f30bc81 100644
+--- a/src/enclave_src/gp/itrustee/error_conversion.c
++++ b/src/enclave_src/gp/itrustee/error_conversion.c
+@@ -28,13 +28,13 @@ cc_enclave_result_t conversion_res_status(uint32_t enclave_res)
+ CC_ERROR_READ_DATA, CC_ERROR_WRITE_DATA, CC_ERROR_TRUNCATE_OBJECT, CC_ERROR_SEEK_DATA, CC_ERROR_SYNC_DATA,
+ CC_ERROR_RENAME_OBJECT, CC_ERROR_INVALID_ENCLAVE,
+ };
+- const int res_table2_begin = 0x80000100U;
+- const int res_table3_begin = 0x80001001U;
+- const int res_table4_begin = 0xFFFF7000U;
+- const int res_table5_begin = 0xFFFF7110U;
+- const int res_table6_begin = 0xFFFF7118U;
+- const int res_table7_begin = 0xFFFF9110U;
+- const int shift = 7;
++ const uint32_t res_table2_begin = 0x80000100U;
++ const uint32_t res_table3_begin = 0x80001001U;
++ const uint32_t res_table4_begin = 0xFFFF7000U;
++ const uint32_t res_table5_begin = 0xFFFF7110U;
++ const uint32_t res_table6_begin = 0xFFFF7118U;
++ const uint32_t res_table7_begin = 0xFFFF9110U;
++ const uint32_t shift = 7;
+
+ if (enclave_res < res_table2_begin) {
+ if (enclave_res < sizeof(result_table1) / sizeof(cc_enclave_result_t)) {
+diff --git a/src/host_src/gp/gp_enclave.c b/src/host_src/gp/gp_enclave.c
+index c7554de..0bedb71 100644
+--- a/src/host_src/gp/gp_enclave.c
++++ b/src/host_src/gp/gp_enclave.c
+@@ -79,7 +79,7 @@ static cc_enclave_result_t ta_path_to_uuid(const char *path, TEEC_UUID *uuid)
+ const int clock_end = 7;
+ const int unit = 8;
+ const int uuid_base = 16;
+- char uuid_str[UUID_LEN];
++ char uuid_str[UUID_LEN + 1] = {0};
+ uint64_t uuid_split[gp_token_nums];
+
+ const char *uuid_pos = NULL;
+diff --git a/tools/codegener/Gentrust.ml b/tools/codegener/Gentrust.ml
+index 18af7f2..b62624e 100644
+--- a/tools/codegener/Gentrust.ml
++++ b/tools/codegener/Gentrust.ml
+@@ -27,23 +27,23 @@ let set_parameters_point (fd : func_decl) =
+ let pre (_: parameter_type) = "" in
+ let post = "" in
+ let generator_in (_ : parameter_type) (_ : parameter_type) (decl : declarator) (mem_decl : declarator) =
+- sprintf "uint8_t *%s_%s_p;\n " decl.identifier mem_decl.identifier in
++ sprintf "uint8_t *%s_%s_p = NULL;\n " decl.identifier mem_decl.identifier in
+ let generator_inout (_ : parameter_type) (_ : parameter_type) (decl : declarator) (mem_decl : declarator) =
+- (sprintf "uint8_t *%s_%s_in_p;\n " decl.identifier mem_decl.identifier) ^ (sprintf "uint8_t *%s_%s_out_p;\n " decl.identifier mem_decl.identifier) in
++ (sprintf "uint8_t *%s_%s_in_p = NULL;\n " decl.identifier mem_decl.identifier) ^ (sprintf "uint8_t *%s_%s_out_p = NULL;\n " decl.identifier mem_decl.identifier) in
+ [
+- (match fd.rtype with Void -> "" | _ -> "uint8_t *retval_p;");
++ (match fd.rtype with Void -> "" | _ -> "uint8_t *retval_p = NULL;");
+ concat "\n "
+ (List.map
+ (fun (_, decl) ->
+- sprintf "uint8_t *%s_p;" decl.identifier)
++ sprintf "uint8_t *%s_p = NULL;" decl.identifier)
+ params);
+ concat "\n "
+ (List.map (deep_copy_func pre generator_in post) deep_copy_in);
+ concat "\n "
+ (List.map
+ (fun (_, decl) ->
+- sprintf "uint8_t *%s_out_p;\n " decl.identifier ^
+- sprintf "uint8_t *%s_in_p;" decl.identifier)
++ sprintf "uint8_t *%s_out_p = NULL;\n " decl.identifier ^
++ sprintf "uint8_t *%s_in_p = NULL;" decl.identifier)
+ params_inout);
+ concat "\n "
+ (List.map (deep_copy_func pre generator_inout post) deep_copy_inout);
+@@ -156,6 +156,8 @@ let set_ecall_func (tf : trusted_func) =
+ else
+ " /* There is no parameters point */"; "";
++ " if (in_buf == NULL || out_buf == NULL)";
++ " goto done;";
+ sprintf " %s_size_t *args_size = (%s_size_t *)in_buf;" tfd.fname tfd.fname;
+ " in_buf_offset += size_to_aligned_size(sizeof(*args_size));";
+ "";
+--
+2.27.0
+
diff --git a/0045-Corrected-some-spelling-and-grammar-mistakes.patch b/0045-Corrected-some-spelling-and-grammar-mistakes.patch
deleted file mode 100644
index bee02cb..0000000
--- a/0045-Corrected-some-spelling-and-grammar-mistakes.patch
+++ /dev/null
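Review bot: The NULL guard that set_ecall_func now emits (`if (in_buf == NULL || out_buf == NULL) goto done;`) jumps to `done` without first assigning an error status, so whether the generated ecall reports the rejected buffers to its caller depends on what the `done:` path returns, which lies outside this hunk; if the result variable is initialised to a success value before this point, an ecall invoked with NULL buffers would return success with its out parameters untouched. Please confirm the generated cleanup returns a failure code here, or emit an explicit error assignment before the `goto`. The error_conversion.c change from `const int` to `const uint32_t` is correct, since table bases such as `0xFFFF7000U` do not fit a signed int; a one-line comment naming the iTrustee result range each `res_tableN_begin` marks would help the next reader, as the literals are otherwise unexplained.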
@@ -1,83 +0,0 @@ -From 5539ad4ee098358f594f4dbfb73b2a0d9ed975cb Mon Sep 17 00:00:00 2001 -From: lshelen23 -Date: Fri, 22 Oct 2021 08:17:15 +0000 -Subject: [PATCH] Corrected some spelling and grammar mistakes - ---- - README.en.md | 17 ++++++++--------- - 1 file changed, 8 insertions(+), 9 deletions(-) - -diff --git a/README.en.md b/README.en.md -index 617ccac..0fddd9f 100644 ---- a/README.en.md -+++ b/README.en.md -@@ -110,9 +110,9 @@ interface described in the edl file to enter the enclave to execute confidential - Finally, call cc_enclave_destroy(...) to destroy the enclave context. - - Note that comparing to arguments defined in edl file, the interface called here has two more arguments, context and retval. --This is because the function, generated by the automatic code generation tool according to edl, is a wrapper ofthe real -+This is because the function, generated by the automatic code generation tool according to edl, is a wrapper of the real - enclave function, and its declaration is in the test_u.h header file. Where the context parameter is the --cc_enclave_t * context created before calling the funciton, and retval is the return value of the function defined in edl, -+cc_enclave_t * context created before calling the function, and retval is the return value of the function defined in edl, - and the res argument is the return value of the wrapped function. The prefix of test_u.h is consistent with the prefix of - test.edl. - -@@ -268,7 +268,7 @@ Set sign tool and the security side log printing level - - WHITE_LIS_X sets the whitelist of iTrustee, only the host binaries in these paths can call this secure image, - and up to 8 list paths can be configured. WHITE_LIST_OWNER set user, this user will be applied to all whitelist paths. --Finally, set the name of the security image after the final signing, and generate auxiliary code. -+Finally, set the name of the security image after the final signing, and generate auxiliary code. 
- - if(CC_SGX) - set(OUTPUT enclave.signed.so) -@@ -345,8 +345,7 @@ so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options is int - endif() - - In the case of iTrustee, generate the configuration file manifest.txt, and details of the configuration file will --be explained later, specify some compilation options related to iTrustee, set the search paths of the header file and --the link file, and build the enclave binary. -+be explained later, specify some compilation options related to iTrustee, set the search paths of the header file and the link file, and build the enclave binary. - - Regarding the use of iTrustee ocall, there are some other notes, which will be introduced later. Then define the - whitelist macro. Next, you need to link to the secgear_tee library, in which there are interfaces for generating -@@ -398,7 +397,7 @@ random numbers, seal, unseal, etc. The last step is to sign and install. - COMMAND bash ${SIGN_TOOL} -d sign -x sgx -i lib${PREFIX}.so -k ${PEM} -o ${OUTPUT} -c ${CMAKE_CURRENT_SOURCE_DIR}/Enclave.config.xml) - endif() - --In the case of SGX, specify some compilation and link options related to SGX. When linking libraries, SGX and iTrustee -+In the case of SGX, specify some compilation and link options related to SGX. When linking libraries, SGX and iTrustee - are quite different. This is because iTrustee is a secure OS with more capabilities, such as musl libc and openssl. - When compiling and link itrustee's enclave, there is no need to link some basic libraries. But SGX has no OS concept. - The basic library interfaces to be called on the security side are all given in the SGX sdk in form of static -@@ -416,7 +415,7 @@ Set some safe compilation options. - - Write SGX enclave related configuration files - The configuration content in the Enclave.config.xml and Enclave.lds files is the same as the official SGX --configuration file. For details, please refer to the official development document. -+configuration file. 
For details, please refer to the official development document. - - Write iTrustee related configuration files - The gpd.ta.appID in the manifest.txt.in file is the uuid configuration item, which is dynamically generated, -@@ -457,7 +456,7 @@ The meaning of log level (set(PRINT_LEVEL 3)). - PRINT_STRACE 2 - PRINT_DEBUG 3 - --At present, there are some differences in the usage of the log function. After the iTrustee ocall function is stablized, -+At present, there are some differences in the usage of the log function. After the iTrustee ocall function is stabilized, - the usage will be unified. - - Use ocall -@@ -488,7 +487,7 @@ secGear does not currently support plc, switchless and other about SGX features. - Learning More About codegener - ---------------------------- - --secGear introduces EDL (Enclave Description Languate) and intermediate code generation tool codegener. EDL is -+secGear introduces EDL (Enclave Description Language) and intermediate code generation tool codegener. EDL is - compatible with Intel SGX's definition. - - - [Learn how to use codegener](./docs/codegener.md) --- -1.8.3.1 - diff --git a/0045-optimize-the-private-key-usage-of-the-single-step-si.patch b/0045-optimize-the-private-key-usage-of-the-single-step-si.patch new file mode 100755 index 0000000..e601226 --- /dev/null +++ b/0045-optimize-the-private-key-usage-of-the-single-step-si.patch 
@@ -0,0 +1,69 @@
+From 4320c1816627fbeff32c4388c36b31eeea24d629 Mon Sep 17 00:00:00 2001
+From: gaoyusong
+Date: Mon, 15 Nov 2021 12:39:39 +0800
+Subject: [PATCH] optimize the private key usage of the single-step signature
+ method
+
+Signed-off-by: gaoyusong
+---
+ docs/sign_tool.md | 3 ++-
+ examples/helloworld/enclave/config_cloud.ini | 1 +
+ examples/seal_data/enclave/config_cloud.ini | 1 +
+ tools/sign_tool/sign_tool.sh | 3 ++-
+ 4 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/docs/sign_tool.md b/docs/sign_tool.md
+index a092f19..1da6d06 100644
+--- a/docs/sign_tool.md
++++ b/docs/sign_tool.md
+@@ -47,7 +47,8 @@ The tool supports the following two modes:
+ The dump command is used to generate metadata for sgx signed enclave.
+ -i input parameter, which is enclave to be signed for digest/sign command, and signed enclave for
+ dump command.
+- -k private key required for single-step method.
++ -k private key required for single-step method. NOTE: single-step method is only for the dubug mode,
++ plaintext private key does exist in the production environment.
+ -m additional config_cloud.ini for trustzone.
+ -o output parameter, the sign command outputs signed enclave, the digest command outputs signing
+ material, the dump command outputs data containing the SIGStruct metadata for the SGX signed
+diff --git a/examples/helloworld/enclave/config_cloud.ini b/examples/helloworld/enclave/config_cloud.ini
+index 552f59c..0960436 100644
+--- a/examples/helloworld/enclave/config_cloud.ini
++++ b/examples/helloworld/enclave/config_cloud.ini
+@@ -27,6 +27,7 @@ encryptKeyLen = 3072
+ signType = 1
+ ;;;
+ ;private key for signing TA
++;this private key is only for the dubug mode so plaintext private key does exist in the production environment
+ ;[private key owned by yourself]
+ signKey = ../../examples/helloworld/enclave/cert/private_key.pem
+ ;;;
+diff --git a/examples/seal_data/enclave/config_cloud.ini b/examples/seal_data/enclave/config_cloud.ini
+index f0c0e39..2b8a79c 100644
+--- a/examples/seal_data/enclave/config_cloud.ini
++++ b/examples/seal_data/enclave/config_cloud.ini
+@@ -27,6 +27,7 @@ encryptKeyLen = 3072
+ signType = 1
+ ;;;
+ ;private key for signing TA
++;this private key is only for the dubug mode so plaintext private key does exist in the production environment
+ ;[private key owned by yourself]
+ signKey = ../../examples/seal_data/enclave/cert/private_key.pem
+ ;;;
+diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh
+index 0435a67..daca711 100755
+--- a/tools/sign_tool/sign_tool.sh
++++ b/tools/sign_tool/sign_tool.sh
+@@ -31,7 +31,8 @@ print_help(){
+ echo " The dump command is used to generate metadata for sgx signed enclave."
+ echo "-i input parameter, which is enclave to be signed for digest/sign command, and signed enclave for"
+ echo " dump command."
+- echo "-k private key required for single-step method."
++ echo "-k private key required for single-step method. NOTE: single-step method is only for the dubug mode,"
++ echo " plaintext private key does exist in the production environment."
+ echo "-m additional config_cloud.ini for trustzone."
+ echo "-o output parameter, the sign command outputs signed enclave, the digest command outputs signing"
+ echo " material, the dump command outputs data containing the SIGStruct metadata for the SGX signed"
+--
+2.23.0
+
diff --git a/0046-fix-return-value.patch b/0046-fix-return-value.patch
new file mode 100644
index 0000000..ab65aec
--- /dev/null
+++ b/0046-fix-return-value.patch
@@ -0,0 +1,25 @@
+From 1f6f2ff01317c6f04de7cab7c3a126e7ce485df7 Mon Sep 17 00:00:00 2001
+From: zhengxiaoxiao
+Date: Sun, 15 May 2022 22:00:33 +0800
+Subject: [PATCH] fix return value
+
+---
+ src/host_src/enclave.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
+index 36a50b9..87a984f 100644
+--- a/src/host_src/enclave.c
++++ b/src/host_src/enclave.c
+@@ -196,7 +196,7 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
+ if (l_path) {
+ free(l_path);
+ }
+- return CC_FAIL;
++ return res;
+ }
+
+ /* to do: gp support enter enclave debugging */
+--
+2.36.0.windows.1
+
diff --git a/0047-del-print-uncontrol-form-string.patch b/0047-del-print-uncontrol-form-string.patch
new file mode 100644
index 0000000..91150d1
--- /dev/null
+++ b/0047-del-print-uncontrol-form-string.patch
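Review bot: The added help text and .ini comments read "plaintext private key does exist in the production environment", which states the opposite of what the note is evidently warning about; the sentence should say the plaintext key must not be present or used in production, e.g. `NOTE: single-step method is only for the debug mode; a plaintext private key must not be used in the production environment.` The same inverted wording is repeated in docs/sign_tool.md, both config_cloud.ini files and the sign_tool.sh help output, and "dubug" is misspelled in each. Since this is the one place operators are told how to handle the signing key, getting the polarity right matters more than the rest of the wording.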
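Review bot: Returning `res` instead of `CC_FAIL` from this cleanup path is only correct if every jump into it leaves `res` holding a failure code; the assignments to `res` and the label this cleanup belongs to are outside the hunk (cc_enclave_create starts and continues beyond it), so please confirm no path reaches it with `res` still `CC_SUCCESS` or uninitialised, otherwise cc_enclave_create would report success after freeing `l_path` and without an enclave. A short comment on the return, `/* res carries the failure reason set before the jump here */`, would document that invariant for future edits.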
@@ -0,0 +1,33 @@
+From 8877dd937ccb482ab830b9a9d4ca02f6a31045b7 Mon Sep 17 00:00:00 2001
+From: zhengxiaoxiao
+Date: Sun, 5 Jun 2022 21:29:41 +0800
+Subject: [PATCH] del print uncontrol form string
+
+---
+ src/host_src/enclave.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
+index 8d6c8a6..6fd7510 100644
+--- a/src/host_src/enclave.c
++++ b/src/host_src/enclave.c
+@@ -142,14 +142,14 @@ static bool check_transform_path(cc_enclave_result_t *res, const char *path, cha
+ /* check file exists and get absolute pathname */
+ if (realpath(path, real_p) == NULL) {
+ *res = CC_ERROR_INVALID_PATH;
+- print_error_term("Path %s error %s\n", path, strerror(errno));
++ print_error_term("Path error %s\n", strerror(errno));
+ return false;
+ }
+
+ /* check file permission */
+ if (access(real_p, R_OK) != 0) {
+ *res = CC_ERROR_ACCESS_DENIED;
+- print_error_term("Path %s error %s\n", path, strerror(errno));
++ print_error_term("Path error %s\n", strerror(errno));
+ return false;
+ }
+ size_t len = strlen(real_p) + 1;
+--
+2.33.0
+
diff --git a/secGear.spec b/secGear.spec
index 8447322..8c81430 100644
--- a/secGear.spec
+++ b/secGear.spec
@@ -1,6 +1,6 @@
 Name: secGear
 Version: 0.1.0
-Release: 23
+Release: 29
 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features
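Review bot: As far as the hunk shows, both print_error_term calls pass `path` as a `%s` argument to a literal format string, so they were not an uncontrolled-format-string bug as the subject suggests; what the change actually does is drop the caller-supplied path from the error message. That can still be a reasonable hardening step (a path containing newlines or control characters would otherwise reach the log unescaped), but the operator now cannot tell which file failed and the reason for the change is recorded nowhere. Please state the motivation in the commit message or above the calls, e.g. `/* path is caller-controlled; keep it out of the log to avoid log injection */`, and consider logging a sanitized or truncated form rather than omitting it. check_transform_path continues beyond the end of the hunk.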
@@ -48,19 +48,21 @@ Patch35: 0036-enclave-use-the-can-pull-image-from-hub.oepkgs.net.patch
 Patch36: 0037-add-description-about-file-parameter-path-for-sign_t.patch
 Patch37: 0038-fix-use-after-free-in-cc_enclave_create.patch
 Patch38: 0039-clean-memory-when-it-come-to-error_handle.patch
-Patch39: 0040-fix-context-without-free-error.patch
+Patch39: 0040-fix-double-free.patch
 Patch40: 0041-fix-logs-redirection-error-and-delete-rsa_public_key.patch
-Patch41: 0042-Fix-format-and-non-standard-coding-of-sigh_tool.sh-s.patch
-Patch42: 0043-Optimize-README-in-English.patch
-Patch43: 0044-Optimize-Engilish-version-readme-file.patch
-Patch44: 0045-Corrected-some-spelling-and-grammar-mistakes.patch
+Patch41: 0042-destroy-rwlock-when-create-enclave-failed.patch
+Patch42: 0043-fix-partial-resource-leak.patch
+Patch43: 0044-fix-pointer-without-init-or-check-NULL.patch
+Patch44: 0045-optimize-the-private-key-usage-of-the-single-step-si.patch
+Patch45: 0046-fix-return-value.patch
+Patch46: 0047-del-print-uncontrol-form-string.patch
 BuildRequires: gcc python automake autoconf libtool
 BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++
 %ifarch x86_64
-BUildRequires: linux-sgx-driver sgxsdk libsgx-launch libsgx-urts openssl
+BUildRequires: sgxsdk libsgx-launch libsgx-urts openssl
 %else
-BUildRequires: itrustee_sdk
+BUildRequires: itrustee_sdk itrustee_sdk-devel
 %endif
 Requires: rsyslog
@@ -75,7 +77,12 @@ secGear is an SDK to develop confidential computing apps based on hardware encla
 %package devel
 Summary: Development files for %{name}
-Requires: %{name}%{?isa} = %{version}-%{release} cmake ocaml-dune
+Requires: %{name}%{?isa} = %{version}-%{release} cmake
+%ifarch x86_64
+Requires: sgxsdk
+%else
+Requires: itrustee_sdk-devel
+%endif
 %description devel
 The %{name}-devel is package contains Header file for developing applications that us %{name}
@@ -166,14 +173,32 @@ popd
 systemctl restart rsyslog
 
 %changelog
-* Tue Mar 15 2022 duyiwei - 0.1.0-23
-- DESC: delete %{?dist}
+* Wed Aug 3 2022 zhengxiaoxiao - 0.1.0-29
+* DESC: override with 22.03
 
-* Tue Jan 11 2022 houmingyong - 0.1.0-22
-- DESC: fix no secgear.log after install secGear-devel
+* Mon Jun 6 2022 zhengxiaoxiao - 0.1.0-28
+* DESC: del print uncontrol form string
 
-* Mon Oct 25 2021 gaoyusong - 0.1.0-21
-- DESC: backport some patches from openeuler secGear
+* Sun May 15 2022 zhengxiaoxiao - 0.1.0-27
+* DESC: fix return value
+
+* Thu Mar 24 2022 baizhonggui - 0.1.0-26
+* DESC: delete %{dist}
+
+* Tue Mar 15 2022 wangcheng - 0.1.0-25
+* DESC: fix the building failure in arm
+
+* Thu Mar 10 2022 wangcheng - 0.1.0-24
+* DESC: fix some bugs
+
+* Fri Mar 4 2022 gaoyusong - 0.1.0-23
+- DESC: fix logs redirection error and del rsa_public_key_cloud.pem
+
+* Wed Feb 23 2022 houmingyong - 0.1.0-22
+- DESC: fix double free bug
+
+* Tue Jan 11 2022 houmingyong - 0.1.0-21
+- DESC: fix no secgear.log after install secGear-devel
 
 * Mon Jul 19 2021 chenmaodong - 0.1.0-20
 - DESC: add requires for secGear: libsgx-aesm-launch-plugin ocaml-dune
-- Gitee
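Review bot: The new %changelog entries for 0.1.0-24 through 0.1.0-29 write their description lines as `* DESC: …`, while the entries kept from before (0.1.0-23 down to 0.1.0-20 in this same hunk) use `- DESC: …`; rpmbuild treats every line inside %changelog that begins with `*` as an entry header and validates its date, so `* DESC: override with 22.03` and the five lines like it are likely to abort the build with a bad-date error, or at best be recorded as malformed headers. Change them to `- DESC: override with 22.03` (and likewise for the other five) so the section parses consistently.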