diff --git a/Pal/src/host/Linux-SGX/sgx_framework.c b/Pal/src/host/Linux-SGX/sgx_framework.c
index 7627bca89b..46afa73894 100644
--- a/Pal/src/host/Linux-SGX/sgx_framework.c
+++ b/Pal/src/host/Linux-SGX/sgx_framework.c
@@ -110,13 +110,13 @@ bool is_wrfsbase_supported(void) {
 return true;
 }
-int create_enclave(sgx_arch_secs_t* secs, sgx_arch_token_t* token) {
+int create_enclave(sgx_arch_secs_t* secs, sgx_arch_enclave_css_t* sigstruct) {
 assert(secs->size && IS_POWER_OF_2(secs->size));
 assert(IS_ALIGNED(secs->base, secs->size));
 secs->ssa_frame_size = SSA_FRAME_SIZE / g_page_size; /* SECS expects SSA frame size in pages */
- secs->misc_select = token->masked_misc_select_le;
- memcpy(&secs->attributes, &token->body.attributes, sizeof(sgx_attributes_t));
+ secs->misc_select = sigstruct->body.misc_select;
+ memcpy(&secs->attributes, &sigstruct->body.attributes, sizeof(sgx_attributes_t));
 /* Do not initialize secs->mr_signer and secs->mr_enclave here as they are
 * not used by ECREATE to populate the internal SECS. SECS's mr_enclave is
diff --git a/Pal/src/host/Linux-SGX/sgx_internal.h b/Pal/src/host/Linux-SGX/sgx_internal.h
index 7e52b54ea2..ad6f72fc84 100644
--- a/Pal/src/host/Linux-SGX/sgx_internal.h
+++ b/Pal/src/host/Linux-SGX/sgx_internal.h
@@ -72,7 +72,7 @@ bool is_wrfsbase_supported(void);
 int read_enclave_token(int token_file, sgx_arch_token_t* token);
 int read_enclave_sigstruct(int sigfile, sgx_arch_enclave_css_t* sig);
-int create_enclave(sgx_arch_secs_t* secs, sgx_arch_token_t* token);
+int create_enclave(sgx_arch_secs_t* secs, sgx_arch_enclave_css_t* sigstruct);
 enum sgx_page_type { SGX_PAGE_SECS, SGX_PAGE_TCS, SGX_PAGE_REG };
 int add_pages_to_enclave(sgx_arch_secs_t* secs, void* addr, void* user_addr, unsigned long size,
diff --git a/Pal/src/host/Linux-SGX/sgx_main.c b/Pal/src/host/Linux-SGX/sgx_main.c
index 351082fbc5..a5ef92a17f 100644
--- a/Pal/src/host/Linux-SGX/sgx_main.c
+++ b/Pal/src/host/Linux-SGX/sgx_main.c
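Review bot: In `create_enclave()` in sgx_framework.c, `secs->misc_select` and `secs->attributes` are now copied verbatim from the SIGSTRUCT body, and nothing in the visible lines records why the signer's values are the right source or what validates them. A short comment above the two assignments would help, e.g. `/* SECS fields are taken from SIGSTRUCT so that enclave creation does not depend on the launch token, which is not used on DCAP/FLC platforms */`. The old code read `token->masked_misc_select_le`, a masked value, so the comment should also say whether skipping the SIGSTRUCT masks here is deliberate; a mismatch would presumably only surface later as an ECREATE or EINIT failure. The function body continues outside the hunk.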
@@ -14,6 +14,7 @@
 #include "asan.h"
 #include "debug_map.h"
 #include "gdb_integration/sgx_gdb.h"
+#include "gsgx.h"
 #include "linux_utils.h"
 #include "pal_internal-arch.h"
 #include "pal_linux_defs.h"
@@ -200,15 +201,20 @@ static int load_enclave_binary(sgx_arch_secs_t* secs, int fd, unsigned long base
 static int initialize_enclave(struct pal_enclave* enclave, const char* manifest_to_measure) {
 int ret = 0;
 int enclave_image = -1;
- sgx_arch_token_t enclave_token;
- sgx_arch_enclave_css_t enclave_sigstruct;
+ int enclave_mem = -1;
 sgx_arch_secs_t enclave_secs;
 unsigned long enclave_entry_addr;
 unsigned long enclave_heap_min;
+
+ sgx_arch_enclave_css_t enclave_sigstruct;
 char* sig_path = NULL;
+ int sigfile_fd = -1;
+
+ /* Launch Token (aka EINITTOKEN) is used only on EPID (non-FLC-based) platforms and completely
+ * ignored on DCAP (FLC-based) platforms */
+ sgx_arch_token_t enclave_token;
 char* token_path = NULL;
- int sigfile_fd = -1, token_fd = -1;
- int enclave_mem = -1;
+ int token_fd = -1;
 /* this array may overflow the stack, so we allocate it in BSS */
 static void* tcs_addrs[MAX_DBG_THREADS];
@@ -246,6 +252,13 @@ static int initialize_enclave(struct pal_enclave* enclave, const char* manifest_
 goto out;
 }
+ ret = read_enclave_sigstruct(sigfile_fd, &enclave_sigstruct);
+ if (ret < 0) {
+ log_error("Reading enclave sigstruct failed: %d", ret);
+ goto out;
+ }
+
+#ifndef SGX_DCAP
 token_path = alloc_concat(g_pal_enclave.application_path, -1, ".token", -1);
 if (!token_path) {
 ret = -ENOMEM;
@@ -266,10 +279,11 @@ static int initialize_enclave(struct pal_enclave* enclave, const char* manifest_
 log_error("Reading enclave token failed: %d", ret);
 goto out;
 }
+#endif
 #ifdef DEBUG
 if (enclave->profile_enable) {
- if (!(enclave_token.body.attributes.flags & SGX_FLAGS_DEBUG)) {
+ if (!(enclave_sigstruct.body.attributes.flags & SGX_FLAGS_DEBUG)) {
 log_error("Cannot use 'sgx.profile' with a production enclave");
 ret = -EINVAL;
 goto out;
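Review bot: In the declarations hunk of `initialize_enclave()` (sgx_main.c, `@@ -200,15 +201,20 @@`), `sgx_arch_token_t enclave_token;` is left uninitialized, and with the `#ifndef SGX_DCAP` guard added in the next hunk it is never filled on DCAP builds. If code outside these hunks still passes `&enclave_token` onward (for example to the enclave-init step), it would hand indeterminate stack bytes to that call; declaring it as `sgx_arch_token_t enclave_token = {0};` makes the "ignored on DCAP" case deterministic. The guard is a build-time switch that appears to rely on the newly included `gsgx.h` defining `SGX_DCAP`, so a one-line comment next to `#include "gsgx.h"` saying so would keep the include from being dropped as unused. The function starts and ends outside the hunk.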
@@ -288,16 +302,10 @@ static int initialize_enclave(struct pal_enclave* enclave, const char* manifest_
 }
 #endif
- ret = read_enclave_sigstruct(sigfile_fd, &enclave_sigstruct);
- if (ret < 0) {
- log_error("Reading enclave sigstruct failed: %d", ret);
- goto out;
- }
-
 memset(&enclave_secs, 0, sizeof(enclave_secs));
 enclave_secs.base = enclave->baseaddr;
 enclave_secs.size = enclave->size;
- ret = create_enclave(&enclave_secs, &enclave_token);
+ ret = create_enclave(&enclave_secs, &enclave_sigstruct);
 if (ret < 0) {
 log_error("Creating enclave failed: %d", ret);
 goto out;
diff --git a/python/graminelibos/sgx_get_token.py b/python/graminelibos/sgx_get_token.py
index 900aee3ecb..21b713c2b2 100644
--- a/python/graminelibos/sgx_get_token.py
+++ b/python/graminelibos/sgx_get_token.py
@@ -89,20 +89,6 @@ def connect_aesmd(mrenclave, modulus, flags, xfrms):
 return ret_msg.ret.token
-def create_dummy_token(flags, xfrms, misc_select):
- '''
- Create dummy token with a few fields initialized with real values and others
- with a placeholder ('\\0')
- '''
- token = bytearray(304)
-
- # fields read by create_enclave() in sgx_framework.c
- struct.pack_into('