sort resources, minor fixes

keystone-enclave · Mar 27, 2024 · 997be31 · 997be31
1 parent 2a5afeb
commit 997be31
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 18 deletions.
diff --git a/sdk/include/host/Enclave.hpp b/sdk/include/host/Enclave.hpp
@@ -49,7 +49,6 @@ class Enclave {
   std::vector<resource_hash_t> absent;
   std::vector<ElfFile*> allElfFiles;
 
-  Error addStandard(const char* eapppath, const char* runtimepath, const char* loaderpath);
   static uint64_t calculateEpmPages(std::vector<ElfFile*> allElfFiles, size_t freeMemSize);
   // linearly advances as we write to epm
   uintptr_t epmFreeOffset;
@@ -61,6 +60,9 @@ class Enclave {
   Error materializeResourceInfo(resource_ptr_t residentResPtrs[],
     ElfFile* allElfFiles[], std::vector<resource_info_t> resInfos);
   static Error measureResidentArr(hash_ctx_t& hash_ctx, std::vector<resource_info_t> resident);
+  static bool resourceInfoCompare(const resource_info_t& a, const resource_info_t& b);
+  static bool resourceHashCompare(const resource_hash_t& a, const resource_hash_t& b);
+  void sortAllResources();
 
  public:
   Enclave();
@@ -72,14 +74,15 @@ class Enclave {
   void* getSharedBuffer();
   size_t getSharedBufferSize();
   Error registerOcallDispatch(OcallFunc func);
-  Error finalize(const char* filepath, const char* runtime, const char* loaderpath, Params _params);
   Error destroy();
   Error run(uintptr_t* ret = nullptr);
 
   Error addResidentResource(const char* name, uintptr_t type, const char* filepath, bool identity);
   Error addAbsentResource(const char* name, uintptr_t type, const char* hash, bool identity);
+  Error addStandard(const char* eapppath, const char* runtimepath, const char* loaderpath);
   // Call after adding all needed resources to fully create the enclave.
   Error finalize();
+  Error finalize(const char* filepath, const char* runtime, const char* loaderpath, Params _params);
 };
 
 }  // namespace Keystone
diff --git a/sdk/include/shared/sm_call.h b/sdk/include/shared/sm_call.h
@@ -63,7 +63,7 @@ struct keystone_sbi_create_t {
 
 // TODO(Evgeny): how do we ensure no compiler re-ordering?
 #define MSR_NAME_LEN 64
-// #include "../common/sha3.h" // TODO(Evgeny): fix the include
+// #include "common/sha3.h" // TODO(Evgeny): fix the include
 #define MDSIZE 64
 #define MSR_START_FILENAME "__0start"
 #define MSR_RUNTIME_FILENAME "__1runtime"
@@ -88,7 +88,7 @@ typedef struct {
   uintptr_t val;
 } runtime_val_t;
 
-// TODO(Evgeny): a way to make this more convenient? should I make the pointers typed?
+// TODO(Evgeny): a way to make this more convenient?
 typedef struct {
   uintptr_t runtime_arr, id_res_arr,
     id_abs_arr, res_arr, abs_arr, pad_start;
@@ -97,7 +97,7 @@ typedef struct {
   // resource_hash_t identity_absent[];
   // resource_ptr_t resident[];
   // resource_hash_t absent[];
-  // byte data[];
+  // byte pad_start[];
 } enclave_bundle_header_t;
 
 #endif  // __SM_CALL_H__
diff --git a/sdk/src/host/Enclave.cpp b/sdk/src/host/Enclave.cpp
@@ -76,6 +76,8 @@ Enclave::measureResidentArr(hash_ctx_t& hash_ctx, std::vector<resource_info_t> r
 
 Error
 Enclave::measureSelf(char* hash) {
+  sortAllResources();
+
   hash_ctx_t hash_ctx;
   hash_init(&hash_ctx);
 
@@ -203,12 +205,40 @@ Enclave::materializeResourceInfo(resource_ptr_t residentResPtrs[], ElfFile* elfF
   return Error::Success;
 }
 
+bool
+Enclave::resourceInfoCompare(const resource_info_t& a, const resource_info_t& b) {
+  return strcmp(a.name, b.name) < 0;
+}
+
+bool
+Enclave::resourceHashCompare(const resource_hash_t& a, const resource_hash_t& b) {
+  return strcmp(a.name, b.name) < 0;
+}
+
+void
+Enclave::sortAllResources() {
+  // sort by filename
+  std::sort(identityResident.begin(), identityResident.end(), resourceInfoCompare);
+  std::sort(identityAbsent.begin(), identityAbsent.end(), resourceHashCompare);
+  std::sort(resident.begin(), resident.end(), resourceInfoCompare);
+  std::sort(absent.begin(), absent.end(), resourceHashCompare);
+}
+
 Error
 Enclave::finalize() {
-  // TODO(Evgeny): ensure this is not called twice, no adds after, etc.
-  // TODO(Evgeny): improve error messages
-  // TODO(Evgeny): add comments to functions
-  // TODO(Evgeny): sort by filename
+  sortAllResources();
+
+  // confirm start executable is present
+  bool startExecutablePresent = false;
+  for (const resource_info_t& resInfo : identityResident) {
+    if (strcmp(resInfo.name, MSR_START_FILENAME) == 0) {
+      startExecutablePresent = true;
+      break;
+    }
+  }
+  if (!startExecutablePresent) {
+    return Error::BadArgument;
+  }
 
   Error err = Error::Success;
   pDevice = KeystoneDevice();
@@ -221,11 +251,11 @@ Enclave::finalize() {
   }
 
   // allocate enclave memory
-  for (const resource_info_t& res_info : identityResident) {
-    allElfFiles.push_back(new ElfFile(res_info.filepath));
+  for (const resource_info_t& resInfo : identityResident) {
+    allElfFiles.push_back(new ElfFile(resInfo.filepath));
   }
-  for (const resource_info_t& res_info : resident) {
-    allElfFiles.push_back(new ElfFile(res_info.filepath));
+  for (const resource_info_t& resInfo : resident) {
+    allElfFiles.push_back(new ElfFile(resInfo.filepath));
   }
   uint64_t requiredPages = calculateEpmPages(allElfFiles, params.getFreeMemSize());
   err = pDevice.create(requiredPages);
@@ -257,7 +287,7 @@ Enclave::finalize() {
     + (uintptr_t) (sizeof(resource_hash_t) * absent.size());
   useEpm(0, ebundle_h->pad_start); // contiguous ebundle_h and arrays, then page padding
 
-  // fill in the arrays & data
+  // fill in the arrays and copy files
   runtime_val_t* runtime_arr = (runtime_val_t*) (ebase + ebundle_h->runtime_arr);
   runtime_arr[0] = {.name = MSR_FREE_MEM, .val = params.getFreeMemSize()};
   runtime_arr[1] = {.name = MSR_UT_MEM, .val = params.getUntrustedSize()};
@@ -275,13 +305,12 @@ Enclave::finalize() {
   err = pDevice.mapUtm();
   if (err != Error::Success) {
     ERROR(
-        "failed to finalize enclave - cannot obtain the untrusted buffer "
+        "failed to finalize enclave - cannot map the untrusted buffer "
         "pointer \n");
     destroy();
     return err;
   }
 
-  // TODO(Evgeny): validate that loader is present
   return Error::Success;
 }
 

diff --git a/sm/src/attest.c b/sm/src/attest.c
@@ -132,7 +132,7 @@ unsigned long validate_and_hash_enclave(struct enclave* enclave){
     return SBI_ERR_SM_ENCLAVE_ILLEGAL_ARGUMENT;
   }
 
-  hash_finalize(enclave->identity, &ctx_copy); // TODO(Evgeny): use identity for sealing key derivation
+  hash_finalize(enclave->identity, &ctx_copy);
   hash_finalize(enclave->hash, &ctx);
 
   return SBI_ERR_SM_ENCLAVE_SUCCESS;

diff --git a/sm/src/enclave.c b/sm/src/enclave.c
@@ -650,7 +650,7 @@ unsigned long get_sealing_key(uintptr_t sealing_key, uintptr_t key_ident,
   /* derive key */
   ret = sm_derive_sealing_key((unsigned char *)key_struct->key,
                               (const unsigned char *)key_ident, key_ident_size,
-                              (const unsigned char *)enclaves[eid].hash);
+                              (const unsigned char *)enclaves[eid].identity);
   if (ret)
     return SBI_ERR_SM_ENCLAVE_UNKNOWN_ERROR;