oscarlab / graphene-sgx-driver Goto Github PK

View Code? Open in Web Editor NEW

11.0 18.0 17.0 114 KB

Linux kernel SGX driver for Graphene

License: GNU General Public License v3.0

Makefile 4.29% C 72.26% Python 23.45%

graphene-sgx-driver's Introduction

Graphene SGX Driver

Graphene SGX Driver for use with the Graphene Library OS

This helper repository serves two purposes:

It contains the sources of the Graphene SGX driver (the GSGX driver).
It extracts the required C header from the Intel SGX driver (copied as sgx.h).

The Graphene SGX Driver is a Linux kernel module installed under /dev/gsgx. Its sole purpose is to enable the FSGSBASE instruction in user space. Current Linux versions do not allow enabling this instruction from user land, thus the need for this driver. In the future, when support for it will be added to Linux, this driver won't be needed.

Warning: This module shouldn't be used on production as it introduces a local privilege escalation vulnerability. Enabling FSGSBASE properly is a much more complex task and most likely can't be achieved in an out-of-tree driver. If you're interested in having this feature in production, you should test the kernel patchset which is currently being upstreamed (the most recent version at the time of writing: https://lore.kernel.org/linux-doc/[email protected]/). Alternatively, you should use the patchset provided in this repository, which is the backport for Linux kernel 5.4 LTS (based on the upstream patchset v13 from 28 May 2020).

Additionally, this repository contains the script link-intel-driver.py to find and copy the required C header from the Intel SGX driver installed on the system. The supported versions of the Intel SGX driver are:

In-kernel SGX driver, only versions 32+ (https://lore.kernel.org/linux-sgx/[email protected])
DCAP driver, only versions 1.6+ (https://github.com/intel/SGXDataCenterAttestationPrimitives)
Older out-of-tree non-DCAP driver, only versions 1.9+ (https://github.com/intel/linux-sgx-driver)

To install the Graphene SGX driver, please run:

sudo rmmod graphene_sgx || true  # for legacy driver (was previously named `graphene_sgx`)
sudo rmmod gsgx || true
make
sudo insmod gsgx.ko

graphene-sgx-driver's People

Contributors

Stargazers

Watchers

Forkers

rainfld mkow sgx-java chiache asu-es-courses yamahata points-org thomasknauth hw42 ian0371 jiazhang0 specio puneetse sruffell johnvenn gausk

graphene-sgx-driver's Issues

DCAP 1.6 support

I checked out the tag DCAP 1.6 from the DCAP repo and tried building the Graphene SGX driver on Ubuntu 18.04.

In DCAP 1.6 the sgx.h file in driver/linux/include/uapi/asm/ has been renamed to sgx_oot.h.

Fixing this in link-intel-driver.py by

diff --git a/link-intel-driver.py b/link-intel-driver.py
index cfd6867..166a8ed 100755
--- a/link-intel-driver.py
+++ b/link-intel-driver.py
@@ -4,7 +4,8 @@ import sys, os, shutil

 DRIVER_VERSIONS = {
         'sgx_user.h':             '/dev/isgx',
-        'include/uapi/asm/sgx.h': '/dev/sgx',
+        'include/uapi/asm/sgx.h': '/dev/sgx', # DCAP < 1.6
+        'include/uapi/asm/sgx_oot.h': '/dev/sgx', # DCAP >= 1.6
 }

 def find_intel_sgx_driver():

causes the copying of DCAP sgx_oot.h to sgx.h to succeed but now the following occurs when building the driver:

Enter the Intel SGX driver dir with C headers: /home/e/SGXDataCenterAttestationPrimitives/driver/linux
make -C /lib/modules/4.15.0-96-generic/build M=/home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver CFLAGS_MODULE="-DDEBUG -g -O0" modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-96-generic'
  CC [M]  /home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver/gsgx.o
In file included from /home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver/gsgx.c:23:0:
/home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver/gsgx.h:29:2: error: #error "Cannot find SGX_INVALID_LICENSE nor SGX_INVALID_EINITTOKEN in Linux SGX Driver headers"
 #error "Cannot find SGX_INVALID_LICENSE nor SGX_INVALID_EINITTOKEN in Linux SGX Driver headers"
  ^~~~~
scripts/Makefile.build:337: recipe for target '/home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver/gsgx.o' failed
make[2]: *** [/home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver/gsgx.o] Error 1
Makefile:1577: recipe for target '_module_/home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver' failed
make[1]: *** [_module_/home/e/graphene/Pal/src/host/Linux-SGX/sgx-driver] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-96-generic'
Makefile:9: recipe for target 'default' failed
make: *** [default] Error 2

Patches still required?

Are all patches now upstream in mainline kernel?

Driver unable to set FSGSBASE bit in kernel v5.4.50 and later versions

Starting from kernel v5.4.50 (see changelog) the FSGSBASE bit in CR4 is pinned -- roughly meaning that the kernel undoes any attempt to flip the bit.

This is visible in the native_write_cr4 function, which is called by the __write_cr4 function used in the driver.

As a result, although the driver loads successfully, FSGSBASE is not persistently enabled. In particular, it is disabled by the time __enable_fsgsbase returns.

Build Linux kernel patch error

error

when I Install the Linux kernel patched with FSGSBASE, During buid the Build the linux-image and linux-header .deb files（make -j $(getconf _NPROCESSORS_ONLN) deb-pkg LOCALVERSION=-custom），it cames a error:

debian/rules:6:recipe for target 'build' failed
make[2]: *** [deb-pkg] Error 2
dpkg-buildpackage:Error: debian/rules build subprocess returned exit status 2
script/Makefile.package:73: recipe for target 'deb-pkg' failed
make[1]: *** [deb-pkg] Error 2
Makefile:1469: recipe for target 'deb-pkg' failed
make: *** [deb-pkg] Error 2

Does this error related to this patch?

Description:

I flow the Building with SGX support,and tried to build a Linux kernel with FSGSBASE patch.when I run this command:

make -j $(getconf _NPROCESSORS_ONLN) deb-pkg LOCALVERSION=-custom

$(getconf _NPROCESSORS_ONLN) in my computer's value is 16.

I am very new to this and wasn't able to find a solution.

infos:

os : Ubuntu 18.04
current kernel: 5.4.0-72-generic
arch:x86_64
cpu:Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz

Would anyone be able to help me?

Please let me know if you need any more information.

Thanks a lot !

fsgsbase not properly re-enabled on wakeup

I'm using an Intel NUC and running Ubuntu 16.04.

When I suspend and then resume the NUC, and then run Graphene-SGX's (commit 80030b1157da371251f632e325df71e9454b4e55) helloworld test, the application crashes. GDB indicates that the crash occurs from the illegal WRFSBASE instruction that occurs in the inline assembly of Graphene-SGX's (Pal/src/host/Linux-SGX/sgx_api.h) wrfsbase wrapper function.

To reproduce:

# suspend and resume machine

cd ~/src/graphene/LibOS/shim/test/native/
SGX=1 ./pal_loader ./helloworld`

The debug output is: helloworld-debug-log.txt

Request to archive this repository

This repository is not updated for 2 years, and not planned to be updated. In the meantime, the FSGSBASE patch was merged into Linux 5.9 and back-ported to Linux 5.4, and there is little reason to recommend the insecure workarounds/patches from this repository. Moreover, "Graphene" was renamed to "Gramine", and does not mention this repository.

Could the admin of this repo archive it? @donporter @chiache I'm not sure if you're the owners of this repo still.

Missing 4 recent patches

Just a heads up 👍
https://github.com/sirlucjan/kernel-patches/blob/master/5.8/fsgsbase-patches-v3/0001-fsgsbase-patches.patch