packages/secGear
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport some patches from openeuler secGear

Browse Source 
Signed-off-by: whzhe <wanghongzhe@huawei.com>
This commit is contained in:
whzhe 2021-06-03 10:16:22 +08:00
parent 6a34c7beba
commit 87b6486674
7 changed files with 254 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
0033-modify-the-error-information-when-missing-c-and-m.patch Normal file
View File

@ -0,0 +1,34 @@
From 909a866a5023c8f23b504ce1307283df834d2b55 Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Wed, 26 May 2021 11:49:49 +0800
Subject: [PATCH 1/6] modify the error information when missing -c and -m
---
tools/sign_tool/sign_tool.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh
index 5469f80..0435a67 100755
--- a/tools/sign_tool/sign_tool.sh
+++ b/tools/sign_tool/sign_tool.sh
@@ -129,7 +129,7 @@ fi
itrustee_start_sign(){
# check_native_sign
if [ -z $A_CONFIG_FILE ]; then
- echo "Error: missing config file for signing iTrustee enclave"
+ echo "Error: missing additional config_cloud.ini file for signing iTrustee enclave"
exit -1
fi
@@ -137,7 +137,7 @@ itrustee_start_sign(){
if [ -z $SIGNATURE ]; then
ONE_STEP_MODE=1
if [ -z $CONFIG_FILE ]; then
- echo "Error: missing config file for signing iTrustee enclave"
+ echo "Error: missing basic config file for signing iTrustee enclave"
exit -1
fi
if [ -z $IN_ENCLAVE ]; then
--
2.27.0

55
0034-normalize-the-log-printed-by-PrintInfo.patch Normal file
View File

@ -0,0 +1,55 @@
From 5a34d5f560f1b35b4ae8892e07ff852af1a7a38a Mon Sep 17 00:00:00 2001
From: chenmaodong <chenmaodong@huawei.com>
Date: Mon, 31 May 2021 14:26:34 +0800
Subject: [PATCH 2/6] normalize the log printed by PrintInfo
Signed-off-by: chenmaodong <chenmaodong@huawei.com>
---
inc/enclave_inc/gp/itrustee/secgear_log.h | 31 +++++++++++------------
1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/inc/enclave_inc/gp/itrustee/secgear_log.h b/inc/enclave_inc/gp/itrustee/secgear_log.h
index 2e27b05..819fa86 100644
--- a/inc/enclave_inc/gp/itrustee/secgear_log.h
+++ b/inc/enclave_inc/gp/itrustee/secgear_log.h
@@ -24,22 +24,21 @@
#define PRINT_STRACE 2
#define PRINT_DEBUG 3
-#define PrintInfo(level, fmt, args...) \
- if (level <= PRINT_LEVEL) { \
- switch (level) { \
- case 0: \
- SLog("%s %s: " fmt "\n", "[secGear][ERROR]", __FUNCTION__, ## args); \
- break; \
- case 1: \
- SLog("%s %s: " fmt "\n", "[secGear][WARNING]", __FUNCTION__, ## args); \
- break; \
- case 2: \
- SLog("%s %s: " fmt "\n", "[secGear][STRACE]", __FUNCTION__, ## args); \
- break; \
- default: \
- SLog("%s %s: " fmt "\n", "[secGear][DEBUG]", __FUNCTION__, ## args); \
- } \
+#define PrintInfo(level, fmt, args...) \
+ if (level <= PRINT_LEVEL) { \
+ switch (level) { \
+ case 0: \
+ SLog("%s " fmt "\n", "[secGear][ERROR]", ## args); \
+ break; \
+ case 1: \
+ SLog("%s " fmt "\n", "[secGear][WARNING]", ## args); \
+ break; \
+ case 2: \
+ SLog("%s " fmt "\n", "[secGear][STRACE]", ## args); \
+ break; \
+ default: \
+ SLog("%s " fmt "\n", "[secGear][DEBUG]", ## args); \
+ } \
}
-
#endif
--
2.27.0

99
0035-itrustee-add-lrt-support-itrustee.patch Normal file
View File

@ -0,0 +1,99 @@
From 7fceb33ffd6e4f09faa6ba717f80ba6a51591f36 Mon Sep 17 00:00:00 2001
From: LiFeng <lifeng68@huawei.com>
Date: Tue, 1 Jun 2021 16:38:18 +0800
Subject: [PATCH 3/6] itrustee: add lrt support itrustee
Signed-off-by: LiFeng <lifeng68@huawei.com>
---
examples/CMakeLists.txt | 1 +
examples/lrt/CMakeLists.txt | 5 +++--
examples/lrt/enclave/CMakeLists.txt | 17 ++++++++++++-----
examples/lrt/host/main.c | 1 +
4 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/examples/CMakeLists.txt b/examples/CMakeLists.txt
index cfd0171..07fc0fb 100644
--- a/examples/CMakeLists.txt
+++ b/examples/CMakeLists.txt
@@ -12,6 +12,7 @@ if(CC_GP)
COMMAND cp ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp/itrustee/*.h ${CMAKE_BINARY_DIR}/inc/secGear/)
add_subdirectory(seal_data)
add_subdirectory(helloworld)
+ #add_subdirectory(lrt)
endif()
if(CC_SGX)
diff --git a/examples/lrt/CMakeLists.txt b/examples/lrt/CMakeLists.txt
index 9059590..45283a3 100644
--- a/examples/lrt/CMakeLists.txt
+++ b/examples/lrt/CMakeLists.txt
@@ -20,8 +20,9 @@ set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
- execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID)
- string(REPLACE "\n" "" UUID ${UUID})
+ # execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID)
+ #string(REPLACE "\n" "" UUID ${UUID})
+ set(UUID f68fd704-6eb1-4d14-b218-722850eb3ef0)
add_definitions(-DPATH="/data/${UUID}.sec")
endif()
diff --git a/examples/lrt/enclave/CMakeLists.txt b/examples/lrt/enclave/CMakeLists.txt
index 64494cc..acd1607 100644
--- a/examples/lrt/enclave/CMakeLists.txt
+++ b/examples/lrt/enclave/CMakeLists.txt
@@ -28,9 +28,9 @@ if(CC_GP)
#set signed output
set(OUTPUT ${UUID}.sec)
#set whilelist. default: /vendor/bin/teec_hello
- set(WHITE_LIST_0 /vendor/bin/helloworld)
+ set(WHITE_LIST_0 /vendor/bin/lrt)
set(WHITE_LIST_OWNER root)
- set(WHITE_LIST_1 /vendor/bin/secgear_helloworld)
+ set(WHITE_LIST_1 /vendor/bin/secgear_lrt)
set(WHITELIST WHITE_LIST_0 WHITE_LIST_1)
set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h)
@@ -55,7 +55,7 @@ set(COMMON_C_FLAGS "-W -Wall -Werror -fno-short-enums -fno-omit-frame-pointer
set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs -nostartfiles")
if(CC_GP)
- configure_file("${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt.in" "${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt")
+ # configure_file("${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt.in" "${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt")
set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -march=armv8-a ")
set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s -fPIC")
@@ -99,8 +99,15 @@ if(CC_GP)
add_custom_command(TARGET ${PREFIX}
POST_BUILD
- COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
- -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT})
+ # COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt -m ${CMAKE_CURRENT_SOURCE_DIR}/config_cloud.ini -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}
+ COMMAND bash ${SIGN_TOOL} -d digest -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
+ -m ${CMAKE_CURRENT_SOURCE_DIR}/config_cloud.ini -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/temp_hash
+ COMMAND openssl rsautl -sign -inkey ${CMAKE_CURRENT_SOURCE_DIR}/cert/private_key.pem -in ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/temp_hash -out ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/temp_signature
+ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -s ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/temp_signature -m ${CMAKE_CURRENT_SOURCE_DIR}/config_cloud.ini -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}
+ # COMMAND rm -rf ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/temp_hash
+ #COMMAND rm -rf ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/temp_signature
+ )
+
install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}
DESTINATION /data
diff --git a/examples/lrt/host/main.c b/examples/lrt/host/main.c
index ba078c7..92ff47a 100644
--- a/examples/lrt/host/main.c
+++ b/examples/lrt/host/main.c
@@ -13,6 +13,7 @@
#include <stdio.h>
#include <unistd.h>
#include <linux/limits.h>
+#include <string.h>
#include "enclave.h"
#include "lrt_u.h"
--
2.27.0

26
0036-enclave-use-the-can-pull-image-from-hub.oepkgs.net.patch Normal file
View File

@ -0,0 +1,26 @@
From 764886f9baa739d9688cb1875692b4687434153b Mon Sep 17 00:00:00 2001
From: LiFeng <lifeng68@huawei.com>
Date: Tue, 1 Jun 2021 18:48:30 +0800
Subject: [PATCH 4/6] enclave: use the can-pull image from hub.oepkgs.net
Signed-off-by: LiFeng <lifeng68@huawei.com>
---
examples/lrt/enclave.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/lrt/enclave.yaml b/examples/lrt/enclave.yaml
index b1bc19b..7734a24 100644
--- a/examples/lrt/enclave.yaml
+++ b/examples/lrt/enclave.yaml
@@ -28,7 +28,7 @@ spec:
spec:
containers:
- name: hell_lifeng
- image: secgear_hello
+ image: hub.oepkgs.net/lifeng2221dd1/hello_secgear:v1.0
imagePullPolicy: IfNotPresent
name: helloworld
resources:
--
2.27.0

26
0037-add-description-about-file-parameter-path-for-sign_t.patch Normal file
View File

@ -0,0 +1,26 @@
From ac2ccfb69c60dba6eb472d2d62da53f5890a07ce Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Wed, 2 Jun 2021 15:04:34 +0800
Subject: [PATCH 5/6] add description about file parameter path for
sign_tool.sh
---
docs/sign_tool.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/sign_tool.md b/docs/sign_tool.md
index e6c6e3b..a092f19 100644
--- a/docs/sign_tool.md
+++ b/docs/sign_tool.md
@@ -4,7 +4,7 @@ The sign_tool.sh helps to sign the enclave.
## The sign_tool.sh
-The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'signtool_v3.py' for signing the trustzone enclave.
+The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'signtool_v3.py' for signing the trustzone enclave. When signing the trustzone enclave, it is recommended that use the absolute path to specify the file parameters, if provide a relative path, is should be a path relative to 'signtool_v3.py'.
The tool supports the following two modes:
--
2.27.0

8
0033-fix-use-after-free-in-cc_enclave_create.patch → 0038-fix-use-after-free-in-cc_enclave_create.patch
View File

@ -1,10 +1,10 @@
From f82ae0a78901c62644a53257d72fbc932d350ed7 Mon Sep 17 00:00:00 2001
From: chenmaodong <chenmaodong@huawei.com>
Date: Wed, 2 Jun 2021 17:16:56 +0800
Subject: [PATCH] fix use-after-free in cc_enclave_create The last parameter
'enclave' of cc_enclave_create will not be a double pointer, it'll be a
single pointer now. Besides, the memory of parameter 'enclave' will malloc
and free by users, you can check the example to find how to use it.
Subject: [PATCH 6/6] fix use-after-free in cc_enclave_create The last
parameter 'enclave' of cc_enclave_create will not be a double pointer, it'll
be a single pointer now. Besides, the memory of parameter 'enclave' will
malloc and free by users, you can check the example to find how to use it.
Signed-off-by: chenmaodong <chenmaodong@huawei.com>
---

12
secGear.spec
View File

@ -1,6 +1,6 @@
Name: secGear
Version: 0.1.0
Release: 15%{?dist}
Release: 16%{?dist}
Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features
@ -41,7 +41,12 @@ Patch28: 0029-some-adaptations-for-trustzone.patch
Patch29: 0030-fix-sgx-two-step-mode-bug-add-dump-command.patch
Patch30: 0031-set-signtool_v3.py-path.patch
Patch31: 0032-del-size_to_aligned_size.patch
Patch32: 0033-fix-use-after-free-in-cc_enclave_create.patch
Patch32: 0033-modify-the-error-information-when-missing-c-and-m.patch
Patch33: 0034-normalize-the-log-printed-by-PrintInfo.patch
Patch34: 0035-itrustee-add-lrt-support-itrustee.patch
Patch35: 0036-enclave-use-the-can-pull-image-from-hub.oepkgs.net.patch
Patch36: 0037-add-description-about-file-parameter-path-for-sign_t.patch
Patch37: 0038-fix-use-after-free-in-cc_enclave_create.patch
BuildRequires: gcc python automake autoconf libtool
BUildRequires: glibc glibc-devel cmake ocaml-dune
@ -154,6 +159,9 @@ popd
%endif
%changelog
* Thu June 3 2021 chenmaodong<chenmaodong@huawei.com> - 0.1.0-16
- DESC: backport some patches from openeuler secGear
* Wed June 2 2021 chenmaodong<chenmaodong@huawei.com> - 0.1.0-15
- DESC: fix uaf in cc_enclave_create