From 0ea84c18d5ce0fa6227e33de64dca7fc9525909e Mon Sep 17 00:00:00 2001
From: haosanzi <shirong@linux.alibaba.com>
Date: Wed, 9 Sep 2020 12:45:09 +0800
Subject: [PATCH] rune/libenclave/skeleton && sgx-tools: Resolve the launch
 token adaptation problem on sgx2 + in-tree

- sgx-tools gen-token command reports an error when running on machine with FLC
- Operations related to lanunch token are not supported on machine with FLC

Signed-off-by: Shirong Hao shirong@linux.alibaba.com
---
 .../internal/runtime/pal/skeleton/Makefile    | 22 ++++++++++---------
 .../runtime/pal/skeleton/liberpal-skeleton.c  |  6 +++--
 .../internal/runtime/pal/skeleton/sgx.h       |  5 +++++
 .../internal/runtime/pal/skeleton/sgxutils.c  |  9 ++++++++
 sgx-tools/gen-token.go                        |  5 +++++
 5 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/rune/libenclave/internal/runtime/pal/skeleton/Makefile b/rune/libenclave/internal/runtime/pal/skeleton/Makefile
index 0720acd..9b0809b 100644
--- a/rune/libenclave/internal/runtime/pal/skeleton/Makefile
+++ b/rune/libenclave/internal/runtime/pal/skeleton/Makefile
@@ -9,17 +9,14 @@ ENCL_CFLAGS := -Wall -Werror -static -nostdlib -nostartfiles -fPIC \
 	       -fno-stack-protector -mrdrnd -std=gnu11
 HOST_LDFLAGS := -fPIC -shared -Wl,-Bsymbolic
 
-IS_OOT_DRIVER := $(shell [ ! -e /dev/isgx ])
-IS_SGX_FLC := $(shell lscpu | grep -q sgx_lc)
+IS_SGX_FLC ?= $(shell if lscpu | grep -q sgx_lc; then echo "1"; else echo "0"; fi;)
 
 PRODUCT_ENCLAVE ?=
 
 TEST_CUSTOM_PROGS := $(OUTPUT)/encl.bin $(OUTPUT)/encl.ss $(OUTPUT)/liberpal-skeleton-v1.so $(OUTPUT)/liberpal-skeleton-v2.so $(OUTPUT)/liberpal-skeleton-v3.so $(OUTPUT)/signing_key.pem
 
-ifeq ($(IS_OOT_DRIVER),1)
-    TEST_CUSTOM_PROGS += $(OUTPUT)/encl.token
-else ifeq ($(IS_SGX_FLC),)
-    TEST_CUSTOM_PROGS += $(OUTPUT)/encl.token
+ifeq ($(IS_SGX_FLC),0)
+        TEST_CUSTOM_PROGS += $(OUTPUT)/encl.token
 endif
 
 all: $(TEST_CUSTOM_PROGS)
@@ -62,16 +59,18 @@ $(OUTPUT)/signing_key.pem:
 	openssl genrsa -3 -out $@ 3072
 
 ifeq ($(PRODUCT_ENCLAVE),1)
-    PRODUCT_OPT := -p
+        PRODUCT_OPT := -p
 else
-    PRODUCT_OPT :=
+        PRODUCT_OPT :=
 endif
 
 $(OUTPUT)/encl.ss: $(OUTPUT)/encl.bin $(OUTPUT)/signing_key.pem
 	$(OUTPUT)/sgxsign $(PRODUCT_OPT) signing_key.pem $(OUTPUT)/encl.bin $(OUTPUT)/encl.ss
 
+ifeq ($(IS_SGX_FLC),0)
 $(OUTPUT)/encl.token: $(OUTPUT)/encl.ss
 	sgx-tools gen-token --signature encl.ss --token $@
+endif
 
 $(OUTPUT)/sgxsign: sgxsign.c sgxutils.c
 	$(CC) -I../include -o $@ $^ -lcrypto
@@ -85,8 +84,11 @@ EXTRA_CLEAN := \
 	$(OUTPUT)/sgxsign \
 	$(OUTPUT)/liberpal-skeleton*.o \
 	$(OUTPUT)/liberpal-skeleton*.so \
-	$(OUTPUT)/signing_key.pem \
-	$(OUTPUT)/encl.token
+	$(OUTPUT)/signing_key.pem
+
+ifeq ($(IS_SGX_FLC),0)
+        EXTRA_CLEAN += $(OUTPUT)/encl.token
+endif
 
 clean:
 	rm -f ${EXTRA_CLEAN}
diff --git a/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.c b/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.c
index ea66367..7935a89 100644
--- a/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.c
+++ b/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.c
@@ -433,8 +433,10 @@ int __pal_init(pal_attr_t *attr)
 	if (!load_sigstruct(SIGSTRUCT, &sigstruct))
 		return -ENOENT;
 
-	if (!load_token(TOKEN, &token))
-		return -ENOENT;
+	if (!is_launch_control_supported()) {
+		if (!load_token(TOKEN, &token))
+			return -ENOENT;
+	}
 
 	if (!encl_build(&secs, bin, bin_size, &sigstruct, &token))
 		return -EINVAL;
diff --git a/rune/libenclave/internal/runtime/pal/skeleton/sgx.h b/rune/libenclave/internal/runtime/pal/skeleton/sgx.h
index af5eea6..23272be 100644
--- a/rune/libenclave/internal/runtime/pal/skeleton/sgx.h
+++ b/rune/libenclave/internal/runtime/pal/skeleton/sgx.h
@@ -7,6 +7,7 @@
 
 #include <linux/types.h>
 #include <linux/ioctl.h>
+#include <stdbool.h>
 
 /**
  * enum sgx_epage_flags - page control flags
@@ -19,6 +20,9 @@ enum sgx_page_flags {
 
 #define	SGX_LEAF	0x12
 
+// CPUID leafs
+#define	CPUIID_EXTENDED_FEATURE_FLAGS	0x7
+
 /**
  *CPUID function 1
  *ECX[26] enums general support for XSAVE
@@ -163,4 +167,5 @@ typedef int (*sgx_enclave_exit_handler_t)(long rdi, long rsi, long rdx,
 					  struct sgx_enclave_exception *e);
 
 void get_sgx_xfrm_by_cpuid(uint64_t *xfrm);
+bool is_launch_control_supported(void);
 #endif /* _UAPI_ASM_X86_SGX_H */
diff --git a/rune/libenclave/internal/runtime/pal/skeleton/sgxutils.c b/rune/libenclave/internal/runtime/pal/skeleton/sgxutils.c
index 001ce55..6dd352a 100644
--- a/rune/libenclave/internal/runtime/pal/skeleton/sgxutils.c
+++ b/rune/libenclave/internal/runtime/pal/skeleton/sgxutils.c
@@ -88,3 +88,12 @@ void get_sgx_xfrm_by_cpuid(uint64_t *xfrm)
 		*xfrm &= (((uint64_t)cpu_info[3] << 32) | cpu_info[2]);
 	}
 }
+
+bool is_launch_control_supported(void)
+{
+	int cpu_info[4] = {0, 0, 0, 0};
+
+	__cpuidex(cpu_info, CPUIID_EXTENDED_FEATURE_FLAGS, 0);
+
+	return !!(cpu_info[2] & 0x40000000);
+}
diff --git a/sgx-tools/gen-token.go b/sgx-tools/gen-token.go
index 6fe368f..26d600a 100644
--- a/sgx-tools/gen-token.go
+++ b/sgx-tools/gen-token.go
@@ -32,6 +32,11 @@ For example, generate the token file according to the given signature file:
 		},
 	},
 	Action: func(context *cli.Context) error {
+
+		if intelsgx.IsSGXLaunchControlSupported() {
+			return fmt.Errorf("gen-token command is unable to run without SGX launch control feature")
+		}
+
 		sigPath := context.String("signature")
 		if sigPath == "" {
 			return fmt.Errorf("signature argument cannot be empty")
-- 
GitLab