oscarlab / graphene-sgx-driver Goto Github PK

Just a heads up 👍
https://github.com/sirlucjan/kernel-patches/blob/master/5.8/fsgsbase-patches-v3/0001-fsgsbase-patches.patch

I checked out the tag DCAP 1.6 from the DCAP repo and tried building the Graphene SGX driver on Ubuntu 18.04.

In DCAP 1.6 the sgx.h file in driver/linux/include/uapi/asm/ has been renamed to sgx_oot.h.

Fixing this in link-intel-driver.py by

diff --git a/link-intel-driver.py b/link-intel-driver.py
index cfd6867..166a8ed 100755
--- a/link-intel-driver.py
+++ b/link-intel-driver.py
@@ -4,7 +4,8 @@ import sys, os, shutil

 DRIVER_VERSIONS = {
         'sgx_user.h':             '/dev/isgx',
-        'include/uapi/asm/sgx.h': '/dev/sgx',
+        'include/uapi/asm/sgx.h': '/dev/sgx', # DCAP < 1.6
+        'include/uapi/asm/sgx_oot.h': '/dev/sgx', # DCAP >= 1.6
 }

 def find_intel_sgx_driver():

causes the copying of DCAP sgx_oot.h to sgx.h to succeed but now the following occurs when building the driver:

Enter the Intel SGX driver dir with C headers: /home/e/SGXDataCenterAttestationPrimitives/driver/linux
make -C /lib/modules/4.15.0-96-generic/build M=/home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver CFLAGS_MODULE="-DDEBUG -g -O0" modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-96-generic'
  CC [M]  /home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver/gsgx.o
In file included from /home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver/gsgx.c:23:0:
/home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver/gsgx.h:29:2: error: #error "Cannot find SGX_INVALID_LICENSE nor SGX_INVALID_EINITTOKEN in Linux SGX Driver headers"
 #error "Cannot find SGX_INVALID_LICENSE nor SGX_INVALID_EINITTOKEN in Linux SGX Driver headers"
  ^~~~~
scripts/Makefile.build:337: recipe for target '/home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver/gsgx.o' failed
make[2]: *** [/home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver/gsgx.o] Error 1
Makefile:1577: recipe for target '_module_/home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver' failed
make[1]: *** [_module_/home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-96-generic'
Makefile:9: recipe for target 'default' failed
make: *** [default] Error 2

This repository is not updated for 2 years, and not planned to be updated. In the meantime, the FSGSBASE patch was merged into Linux 5.9 and back-ported to Linux 5.4, and there is little reason to recommend the insecure workarounds/patches from this repository. Moreover, "Graphene" was renamed to "Gramine", and does not mention this repository.

Could the admin of this repo archive it? @donporter @chiache I'm not sure if you're the owners of this repo still.

I'm using an Intel NUC and running Ubuntu 16.04.

When I suspend and then resume the NUC, and then run Graphene-SGX's (commit 80030b1157da371251f632e325df71e9454b4e55) helloworld test, the application crashes. GDB indicates that the crash occurs from the illegal WRFSBASE instruction that occurs in the inline assembly of Graphene-SGX's (Pal/src/host/Linux-SGX/sgx_api.h) wrfsbase wrapper function.

To reproduce:

# suspend and resume machine

cd ~/src/graphene/LibOS/shim/test/native/
SGX=1 ./pal_loader ./helloworld`

The debug output is: helloworld-debug-log.txt

Are all patches now upstream in mainline kernel?

error

when I Install the Linux kernel patched with FSGSBASE, During buid the Build the linux-image and linux-header .deb files（make -j $(getconf _NPROCESSORS_ONLN) deb-pkg LOCALVERSION=-custom），it cames a error:

debian/rules:6:recipe for target 'build' failed
make[2]: *** [deb-pkg] Error 2
dpkg-buildpackage:Error: debian/rules build subprocess returned exit status 2
script/Makefile.package:73: recipe for target 'deb-pkg' failed
make[1]: *** [deb-pkg] Error 2
Makefile:1469: recipe for target 'deb-pkg' failed
make: *** [deb-pkg] Error 2

Does this error related to this patch?

Description:

I flow the Building with SGX support,and tried to build a Linux kernel with FSGSBASE patch.when I run this command:

make -j $(getconf _NPROCESSORS_ONLN) deb-pkg LOCALVERSION=-custom

$(getconf _NPROCESSORS_ONLN) in my computer's value is 16.

I am very new to this and wasn't able to find a solution.

infos:

• os : Ubuntu 18.04
• current kernel: 5.4.0-72-generic
• arch:x86_64
• cpu:Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz

Would anyone be able to help me?

Please let me know if you need any more information.

Thanks a lot !

Starting from kernel v5.4.50 (see changelog) the FSGSBASE bit in CR4 is pinned -- roughly meaning that the kernel undoes any attempt to flip the bit.

This is visible in the native_write_cr4 function, which is called by the __write_cr4 function used in the driver.

As a result, although the driver loads successfully, FSGSBASE is not persistently enabled. In particular, it is disabled by the time __enable_fsgsbase returns.