[LibOS] Move trusted and allowed files logic to LibOS

Now `gramine-direct` behaves similarly to `gramine-sgx`: it reads `sgx.allowed_files` and `sgx.trusted_files` arrays, as well as `sgx.file_check_policy`, and applies the corresponding file-access rules. Note that the names of the manifest options are kept the same for backward compatibility; a future commit will introduce new, more appropriate aliases. Several tests that were previously SGX PAL-specific only are now enabled on `gramine-direct` as well. All LTP tests, even though they are run under `gramine-direct` only, check the allowed/trusted files logic now. As the primary effect of this commit, the SGX PAL code is significantly simplified and is closer to the native Linux (`direct`) PAL code. Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
gramineproject · Sep 26, 2024 · fe3f3f9 · fe3f3f9
1 parent ceb2863
commit fe3f3f9
Show file tree

Hide file tree

Showing 42 changed files with 1,257 additions and 1,027 deletions.
diff --git a/CI-Examples/blender/Makefile b/CI-Examples/blender/Makefile
@@ -41,7 +41,7 @@ $(BLENDER_DIR)/blender:
 $(RUN_DIR):
 	mkdir -p $@
 
-blender.manifest: blender.manifest.template | $(RUN_DIR)
+blender.manifest: blender.manifest.template $(BLENDER_DIR)/blender | $(RUN_DIR)
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
 		-Darch_libdir=$(ARCH_LIBDIR) \
@@ -56,7 +56,7 @@ blender.sig blender.manifest.sgx: sgx_outputs
 	@:
 
 .INTERMEDIATE: sgx_outputs
-sgx_outputs: $(BLENDER_DIR)/blender blender.manifest | $(RUN_DIR)
+sgx_outputs: blender.manifest | $(RUN_DIR)
 	gramine-sgx-sign \
 		--output blender.manifest.sgx \
 		--manifest blender.manifest

diff --git a/CI-Examples/busybox/Makefile b/CI-Examples/busybox/Makefile
@@ -42,7 +42,7 @@ $(SRCDIR)/.config: $(SRCDIR)/Makefile
 $(SRCDIR)/busybox: $(SRCDIR)/.config
 	$(MAKE) -C $(SRCDIR)
 
-busybox.manifest: busybox.manifest.template
+busybox.manifest: busybox.manifest.template busybox
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
 		-Darch_libdir=$(ARCH_LIBDIR) \
@@ -57,7 +57,7 @@ busybox.manifest.sgx busybox.sig: sgx_sign
 	@:
 
 .INTERMEDIATE: sgx_sign
-sgx_sign: busybox.manifest busybox
+sgx_sign: busybox.manifest
 	gramine-sgx-sign \
 		--manifest $< \
 		--output $<.sgx

diff --git a/CI-Examples/helloworld/Makefile b/CI-Examples/helloworld/Makefile
@@ -21,7 +21,7 @@ helloworld: helloworld.o
 
 helloworld.o: helloworld.c
 
-helloworld.manifest: helloworld.manifest.template
+helloworld.manifest: helloworld.manifest.template helloworld
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
 		$< $@
@@ -44,7 +44,7 @@ helloworld.sig helloworld.manifest.sgx: sgx_sign
 	@:
 
 .INTERMEDIATE: sgx_sign
-sgx_sign: helloworld.manifest helloworld
+sgx_sign: helloworld.manifest
 	gramine-sgx-sign \
 		--manifest $< \
 		--output $<.sgx

diff --git a/CI-Examples/lighttpd/Makefile b/CI-Examples/lighttpd/Makefile
@@ -47,7 +47,7 @@ $(LIGHTTPD_SRC).tar.gz:
 	../common_tools/download --output $@ --sha256 $(LIGHTTPD_HASH) \
 		$(foreach mirror,$(LIGHTTPD_MIRRORS),--url $(mirror)/$(LIGHTTPD_SRC).tar.gz)
 
-lighttpd.manifest: lighttpd.manifest.template
+lighttpd.manifest: lighttpd.manifest.template $(INSTALL_DIR)/sbin/lighttpd
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
 		-Darch_libdir=$(ARCH_LIBDIR) \
@@ -60,7 +60,7 @@ lighttpd.manifest.sgx lighttpd.sig: sgx_sign
 	@:
 
 .INTERMEDIATE: sgx_sign
-sgx_sign: lighttpd.manifest $(INSTALL_DIR)/sbin/lighttpd
+sgx_sign: lighttpd.manifest
 	gramine-sgx-sign \
 		--manifest $< \
 		--output $<.sgx

diff --git a/CI-Examples/memcached/Makefile b/CI-Examples/memcached/Makefile
@@ -33,7 +33,7 @@ $(SRCDIR)/memcached: $(SRCDIR)/configure
 	cd $(SRCDIR) && ./configure
 	$(MAKE) -C $(SRCDIR)
 
-memcached.manifest: memcached.manifest.template
+memcached.manifest: memcached.manifest.template memcached
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
 		-Darch_libdir=$(ARCH_LIBDIR) \
@@ -45,7 +45,7 @@ memcached.manifest.sgx memcached.sig: sgx_sign
 	@:
 
 .INTERMEDIATE: sgx_sign
-sgx_sign: memcached.manifest memcached
+sgx_sign: memcached.manifest
 	gramine-sgx-sign \
 		--manifest $< \
 		--output $<.sgx

diff --git a/CI-Examples/nginx/Makefile b/CI-Examples/nginx/Makefile
@@ -50,7 +50,10 @@ $(NGINX_SRC).tar.gz:
 	../common_tools/download --output $@ --sha256 $(NGINX_SHA256) \
 		$(foreach mirror,$(NGINX_MIRRORS),--url $(mirror)/$(NGINX_SRC).tar.gz)
 
-nginx.manifest: nginx.manifest.template
+nginx.manifest: nginx.manifest.template $(INSTALL_DIR)/sbin/nginx \
+                $(INSTALL_DIR)/conf/nginx-gramine.conf \
+                $(TEST_DATA) nginx_args \
+                $(INSTALL_DIR)/conf/server.crt
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
 		-Darch_libdir=$(ARCH_LIBDIR) \
@@ -64,10 +67,7 @@ nginx.manifest.sgx nginx.sig: sgx_sign
 	@:
 
 .INTERMEDIATE: sgx_sign
-sgx_sign: nginx.manifest $(INSTALL_DIR)/sbin/nginx \
-		$(INSTALL_DIR)/conf/nginx-gramine.conf \
-		$(TEST_DATA) \
-		$(INSTALL_DIR)/conf/server.crt
+sgx_sign: nginx.manifest
 	gramine-sgx-sign \
 		--manifest $< \
 		--output $<.sgx

diff --git a/CI-Examples/ra-tls-mbedtls/Makefile b/CI-Examples/ra-tls-mbedtls/Makefile
@@ -56,7 +56,7 @@ client: src/client.c
 
 ############################### SERVER MANIFEST ###############################
 
-server.manifest: server.manifest.template
+server.manifest: server.manifest.template server
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
 		-Darch_libdir=$(ARCH_LIBDIR) \
@@ -71,14 +71,14 @@ server.manifest.sgx server.sig: sgx_sign_server
 	@:
 
 .INTERMEDIATE: sgx_sign_server
-sgx_sign_server: server.manifest server
+sgx_sign_server: server.manifest
 	gramine-sgx-sign \
 		--manifest $< \
 		--output $<.sgx
 
 ########################### CLIENT (DCAP) MANIFEST ############################
 
-client_dcap.manifest: client.manifest.template
+client_dcap.manifest: client.manifest.template client
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
 		-Darch_libdir=$(ARCH_LIBDIR) \
@@ -88,14 +88,14 @@ client_dcap.manifest.sgx client_dcap.sig: sgx_sign_client_dcap
 	@:
 
 .INTERMEDIATE: sgx_sign_client_dcap
-sgx_sign_client_dcap: client_dcap.manifest client
+sgx_sign_client_dcap: client_dcap.manifest
 	gramine-sgx-sign \
 		--manifest $< \
 		--output $<.sgx
 
 ########################### CLIENT (EPID) MANIFEST ############################
 
-client_epid.manifest: client.manifest.template
+client_epid.manifest: client.manifest.template client
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
 		-Darch_libdir=$(ARCH_LIBDIR) \
@@ -105,7 +105,7 @@ client_epid.manifest.sgx client_epid.sig: sgx_sign_client_epid
 	@:
 
 .INTERMEDIATE: sgx_sign_client_epid
-sgx_sign_client_epid: client_epid.manifest client
+sgx_sign_client_epid: client_epid.manifest
 	gramine-sgx-sign \
 		--manifest $< \
 		--output $<.sgx

diff --git a/CI-Examples/ra-tls-secret-prov/Makefile b/CI-Examples/ra-tls-secret-prov/Makefile
@@ -76,7 +76,8 @@ secret_prov_pf/client: secret_prov_pf/client.c
 
 # TODO: Simplify after https://github.com/gramineproject/gramine/issues/878 is fixed (manifest paths
 #       should be relative to the manifest, not to current dir) - drop `cd` and `notdir`.
-secret_prov_minimal/client.manifest: secret_prov_minimal/client.manifest.template
+secret_prov_minimal/client.manifest: secret_prov_minimal/client.manifest.template \
+                                     secret_prov_minimal/client
 	cd secret_prov_minimal && \
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
@@ -92,15 +93,15 @@ secret_prov_minimal/client.manifest.sgx secret_prov_minimal/client.sig: sgx_sign
 	@:
 
 .INTERMEDIATE: sgx_sign_secret_prov_minimal_client
-sgx_sign_secret_prov_minimal_client: secret_prov_minimal/client.manifest secret_prov_minimal/client
+sgx_sign_secret_prov_minimal_client: secret_prov_minimal/client.manifest
 	cd secret_prov_minimal && \
 	gramine-sgx-sign \
 		--manifest $(notdir $<) \
 		--output $(notdir $<.sgx)
 
 ############################### CLIENT MANIFEST ###############################
 
-secret_prov/client.manifest: secret_prov/client.manifest.template
+secret_prov/client.manifest: secret_prov/client.manifest.template secret_prov/client
 	cd secret_prov && \
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
@@ -114,15 +115,15 @@ secret_prov/client.manifest.sgx secret_prov/client.sig: sgx_sign_secret_prov_cli
 	@:
 
 .INTERMEDIATE: sgx_sign_secret_prov_client
-sgx_sign_secret_prov_client: secret_prov/client.manifest secret_prov/client
+sgx_sign_secret_prov_client: secret_prov/client.manifest
 	cd secret_prov && \
 	gramine-sgx-sign \
 		--manifest $(notdir $<) \
 		--output $(notdir $<.sgx)
 
 ############################## PF CLIENT MANIFEST #############################
 
-secret_prov_pf/client.manifest: secret_prov_pf/client.manifest.template
+secret_prov_pf/client.manifest: secret_prov_pf/client.manifest.template secret_prov_pf/client
 	cd secret_prov_pf && \
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
@@ -136,7 +137,7 @@ secret_prov_pf/client.manifest.sgx secret_prov_pf/client.sig: sgx_sign_secret_pr
 	@:
 
 .INTERMEDIATE: sgx_sign_secret_prov_pf_client
-sgx_sign_secret_prov_pf_client: secret_prov_pf/client.manifest secret_prov_pf/client
+sgx_sign_secret_prov_pf_client: secret_prov_pf/client.manifest
 	cd secret_prov_pf && \
 	gramine-sgx-sign \
 		--manifest $(notdir $<) \

diff --git a/CI-Examples/redis/Makefile b/CI-Examples/redis/Makefile
@@ -70,25 +70,25 @@ endif
 # information to run Redis under Gramine / Gramine-SGX. We create
 # redis-server.manifest (to be run under non-SGX Gramine) by replacing variables
 # in the template file using the "gramine-manifest" script.
-
-redis-server.manifest: redis-server.manifest.template
+#
+# "gramine-manifest" also measures all Redis trusted files and adds the
+# measurements to the resulting manifest file.
+redis-server.manifest: redis-server.manifest.template $(SRCDIR)/src/redis-server
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
 		-Darch_libdir=$(ARCH_LIBDIR) \
 		$< > $@
 
-# Manifest for Gramine-SGX requires special "gramine-sgx-sign" procedure. This
-# procedure measures all Redis trusted files, adds the measurement to the
-# resulting manifest.sgx file (among other, less important SGX options) and
-# creates redis-server.sig (SIGSTRUCT object).
-
 # Make on Ubuntu <= 20.04 doesn't support "Rules with Grouped Targets" (`&:`),
 # see the helloworld example for details on this workaround.
 redis-server.sig redis-server.manifest.sgx: sgx_outputs
 	@:
 
+# Manifest for Gramine-SGX requires special "gramine-sgx-sign" procedure. This
+# procedure creates the final manifest.sgx file and an SGX-specific
+# redis-server.sig file (SIGSTRUCT object).
 .INTERMEDIATE: sgx_outputs
-sgx_outputs: redis-server.manifest $(SRCDIR)/src/redis-server
+sgx_outputs: redis-server.manifest
 	gramine-sgx-sign \
 		--manifest redis-server.manifest \
 		--output redis-server.manifest.sgx

diff --git a/CI-Examples/rust/Makefile b/CI-Examples/rust/Makefile
@@ -25,7 +25,7 @@ endif
 $(SELF_EXE): Cargo.toml
 	cargo build --release
 
-rust-hyper-http-server.manifest: rust-hyper-http-server.manifest.template
+rust-hyper-http-server.manifest: rust-hyper-http-server.manifest.template $(SELF_EXE)
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
 		-Darch_libdir=$(ARCH_LIBDIR) \
@@ -38,7 +38,7 @@ rust-hyper-http-server.manifest.sgx rust-hyper-http-server.sig: sgx_sign
 	@:
 
 .INTERMEDIATE: sgx_sign
-sgx_sign: rust-hyper-http-server.manifest $(SELF_EXE)
+sgx_sign: rust-hyper-http-server.manifest
 	gramine-sgx-sign \
 		--manifest $< \
 		--output $<.sgx

diff --git a/Documentation/manpages/gramine-manifest.rst b/Documentation/manpages/gramine-manifest.rst
@@ -36,6 +36,17 @@ Command line arguments
 
    Disable schema validation, as described above in :option:`--check`.
 
+.. option:: --chroot <path>
+
+    When calculating cryptographic hashes of trusted files, measure files inside
+    a |~| chroot instead of paths in root of the file system. Requires that all
+    paths in manifest are absolute, and those will be interpreted as relative to
+    the directory specified as the value of the option.
+
+    Note you need to be very careful that the Gramine runtime binaries are
+    exactly the same inside chroot as the ones used to execute
+    :program:`gramine-manifest`.
+
 Functions and constants available in templates
 ==============================================
 

diff --git a/libos/include/libos_fs.h b/libos/include/libos_fs.h
@@ -20,6 +20,33 @@
 #include "list.h"
 #include "pal.h"
 
+enum file_check_policy {
+    FILE_CHECK_POLICY_STRICT = 0,
+    FILE_CHECK_POLICY_ALLOW_ALL_BUT_LOG,
+};
+extern enum file_check_policy g_file_check_policy;
+
+struct trusted_file_hash {
+    uint8_t bytes[32];
+};
+struct trusted_chunk_hash {
+    uint8_t bytes[16];
+};
+struct trusted_file;
+struct allowed_file;
+
+struct trusted_file* get_trusted_file(const char* path);
+struct allowed_file* get_allowed_file(const char* path);
+size_t get_chunk_hashes_size(size_t file_size);
+int load_trusted_file(struct trusted_file* tf, size_t file_size,
+                      struct trusted_chunk_hash** out_chunk_hashes);
+int read_and_verify_trusted_file(PAL_HANDLE handle, uint64_t offset, size_t count, uint8_t* buf,
+                                 size_t file_size, struct trusted_chunk_hash* chunk_hashes);
+int register_allowed_file(const char* path);
+int init_trusted_files(void);
+int init_allowed_files(void);
+int init_file_check_policy(void);
+
 struct libos_handle;
 
 /* Describes mount parameters. Passed to `mount_fs`, and to the `mount` callback. */
@@ -532,6 +559,7 @@ extern struct libos_dentry* g_dentry_root;
 
 /* initialization for fs and mounts */
 int init_fs(void);
+int init_trusted_allowed_files(void);
 int init_mount_root(void);
 int init_mount(void);
 int mount_etcfs(void);