[PAL] Validate entrypoint ELF file separately

Previously, the entrypoint ELF file (`loader.entrypoint` in manifest)
contents were validated during file read and file mmap, just like with
all other files. In particular, Linux-SGX PAL expects the entrypoint to
be marked as `sgx.trusted_files` and validates its SHA256 hash during
file read/mmap.

However, future commits will move handling of `sgx.trusted_files` to the
LibOS layer. Thus, file read/mmap at the PAL layer will lose validation
guarantees. This commit introduces a separate `loader.entrypoint.sha256`
manifest option and a corresponding logic to validate the (only
required) entrypoint file. A new assumption is made now, that the only
file to be loaded by PAL (and not by LibOS) is this entrypoint file;
this assumption can be made because the entrypoint has no dependencies.

As a side effect, `loader.entrypoint` (which was previously a URI of the
entrypoint file) is renamed to `loader.entrypoint.uri`. Additionally,
all Gramine tests either remove `loader.entrypoint` (and corresponding
`sgx.trusted_files`) or rename it to explicit `loader.entrypoint.uri`.

Signed-off-by: Dmitrii Kuvaiskii <[email protected]>

Documentation/manifest-syntax.rst

@@ -69,19 +69,30 @@ Loader entrypoint
 
 ::
 
-   loader.entrypoint = "[URI]"
+   loader.entrypoint.uri = "[URI]"
    (Default: "<path to libsysdb.so>")
 
-This specifies the LibOS component that Gramine will load and run before loading
-the first executable of the user application. **Note**: currently, there is only
-one LibOS implementation: ``libsysdb.so``, and there is no need to specify this
-option explicitly.
+   loader.entrypoint.sha256 = "[HASH]"
+
+``loader.entrypoint.uri`` specifies the LibOS component that Gramine will load
+and run before loading the first executable of the user application. **Note**:
+currently, there is only one LibOS implementation: ``libsysdb.so``, and there is
+no need to specify this option explicitly.
+
+Additionally, the loader entrypoint is cryptographically hashed at build time.
+At startup, Gramine verifies that the entrypoint's hash matches what is stored
+in the manifest in ``loader.entrypoint.sha256``. The signer tool will
+automatically generate the hash of this file and add it to the SGX-specific
+manifest (``.manifest.sgx``). The manifest writer may also explicitly specify
+the hash; in this case, hashing of the file will be skipped by the signer tool
+and the value in ``loader.entrypoint.sha256`` will be used instead.
 
 Note that the loader (the PAL binary) loads the LibOS binary specified in
 ``loader.entrypoint`` and passes control to this binary. Next, the LibOS binary
 loads the actual executable (the user application) specified in
 ``libos.entrypoint``. Also note that, in contrast to ``libos.entrypoint``, the
-``loader.entrypoint`` option specifies a PAL URI (with the ``file:`` prefix).
+``loader.entrypoint.uri`` option specifies a PAL URI (with the ``file:``
+prefix).
 
 .. _libos-entrypoint:
 
@@ -1359,3 +1370,15 @@ In addition, the application manifest must also contain ``sgx.debug = true``.
    independently.
 
 See :ref:`vtune-sgx-profiling` for more information.
+
+Deprecated options
+------------------
+
+Loader entrypoint (deprecated syntax)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+::
+
+   loader.entrypoint = "[URI]"
+
+This syntax was renamed to ``loader.entrypoint.uri``.

libos/test/abi/x86_64/manifest.template

@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 fs.mounts = [
@@ -10,6 +9,5 @@ sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '4' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/abi/x86_64/stack_arg.manifest.template

@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 # The argv source file must set argv[0] as the basename of the entrypoint. This is crucial for
@@ -15,7 +14,6 @@ sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '4' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
 

libos/test/abi/x86_64/stack_env.manifest.template

@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.foo = "bar"
@@ -15,6 +14,5 @@ sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '4' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/fs/manifest.template

@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/{{ arch_libdir }}"
@@ -29,7 +28,6 @@ sgx.allowed_files = [
 ]
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ binary_dir }}/{{ entrypoint }}",
   "file:{{ gramine.runtimedir() }}/",
   "file:{{ arch_libdir }}/libgcc_s.so.1",

libos/test/ltp/manifest.template

@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/lib:/usr/lib64"
@@ -36,7 +35,6 @@ sgx.allowed_files = [
 ]
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ binary_dir }}/{{ entrypoint }}",
   "file:{{ gramine.runtimedir() }}/ld-linux-x86-64.so.2",
   "file:{{ gramine.runtimedir() }}/libc.so.6",

libos/test/regression/argv_from_file.manifest.template

@@ -1,6 +1,5 @@
 {% set entrypoint = "bootstrap" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -19,7 +18,6 @@ sgx.allowed_files = [
 ]
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/argv_from_manifest.manifest.template

@@ -1,6 +1,5 @@
 {% set entrypoint = "bootstrap" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -22,7 +21,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/attestation.manifest.template

@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -19,7 +18,6 @@ sgx.ra_client_spid = "{{ env.get('RA_CLIENT_SPID', '') }}"
 sgx.ra_client_linkable = {{ 'true' if env.get('RA_CLIENT_LINKABLE', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/bootstrap_cpp.manifest.template

@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/{{ arch_libdir }}"
@@ -18,7 +17,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ arch_libdir }}/libgcc_s.so.1",
   "file:/usr{{ arch_libdir }}/libstdc++.so.6",

libos/test/regression/debug_log_file.manifest.template

@@ -1,6 +1,5 @@
 {% set entrypoint = "bootstrap" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -17,7 +16,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/debug_log_inline.manifest.template

@@ -1,6 +1,5 @@
 {% set entrypoint = "bootstrap" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -16,7 +15,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/device_ioctl.manifest.template

@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -12,7 +11,6 @@ fs.mounts = [
 sgx.debug = true
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/device_ioctl_fail.manifest.template

@@ -1,6 +1,5 @@
 {% set entrypoint = "device_ioctl" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -14,7 +13,6 @@ fs.mounts = [
 sgx.debug = true
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/device_ioctl_parse_fail.manifest.template

@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -12,7 +11,6 @@ fs.mounts = [
 sgx.debug = true
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/device_passthrough.manifest.template

@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -13,7 +12,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/env_from_file.manifest.template

@@ -1,6 +1,5 @@
 {% set entrypoint = "bootstrap" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -19,7 +18,6 @@ sgx.allowed_files = [
 ]
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/env_from_host.manifest.template

@@ -1,6 +1,5 @@
 {% set entrypoint = "bootstrap" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -15,7 +14,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/env_passthrough.manifest.template

@@ -1,6 +1,5 @@
 {% set entrypoint = "bootstrap" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -20,7 +19,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/eventfd_fork.manifest.template

@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -14,7 +13,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/eventfd_fork_allowed_failing.manifest.template

@@ -1,6 +1,5 @@
 {% set entrypoint = "eventfd_fork" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.log_level = "warning"  # to print the warning about eventfd usage in child process
@@ -20,7 +19,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/fcntl_lock_child_only.manifest.template

@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -16,7 +15,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

libos/test/regression/file_check_policy_allow_all_but_log.manifest.template

@@ -1,6 +1,5 @@
 {% set entrypoint = "file_check_policy" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -18,9 +17,9 @@ sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.file_check_policy = "allow_all_but_log"
 
-# there are no "file:{{ gramine.libos }}" and "file:{{ gramine.runtimedir() }}/"
-# entries in `sgx.trusted_files` -- this is on purpose; we want to test that
-# `allow_all_but_log` also applies to Gramine-runtime files (e.g., LibOS binary)
+# there is no "file:{{ gramine.runtimedir() }}/" entry in `sgx.trusted_files` -- this is on purpose;
+# we want to test that `allow_all_but_log` also applies to Gramine-runtime files (e.g., libc
+# binaries)
 
 sgx.trusted_files = [
   "file:{{ binary_dir }}/{{ entrypoint }}",

libos/test/regression/file_check_policy_strict.manifest.template

@@ -1,6 +1,5 @@
 {% set entrypoint = "file_check_policy" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -19,7 +18,6 @@ sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 sgx.file_check_policy = "strict"
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
 
   # test TOML inline table syntax without `sha256`

libos/test/regression/fork_and_access_file.manifest.template

@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -13,7 +12,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
-  "file:{{ gramine.libos }}",
   "file:{{ gramine.runtimedir(libc) }}/",
   "file:{{ binary_dir }}/{{ entrypoint }}",
   "file:fork_and_access_file_testfile",