rune/libenclave/skeleton && sgx-tools: Resolve the launch token adaptation...

rune/libenclave/skeleton && sgx-tools: Resolve the launch token adaptation problem on sgx2 + in-tree

- sgx-tools gen-token command reports an error when running on machine with FLC
- Operations related to lanunch token are not supported on machine with FLC

Signed-off-by: Shirong Hao shirong@linux.alibaba.com

rune/libenclave/internal/runtime/pal/skeleton/Makefile

@@ -9,16 +9,13 @@ ENCL_CFLAGS := -Wall -Werror -static -nostdlib -nostartfiles -fPIC \
 	       -fno-stack-protector -mrdrnd -std=gnu11
 HOST_LDFLAGS := -fPIC -shared -Wl,-Bsymbolic
 
-IS_OOT_DRIVER := $(shell [ ! -e /dev/isgx ])
-IS_SGX_FLC := $(shell lscpu | grep -q sgx_lc)
+IS_SGX_FLC ?= $(shell if lscpu | grep -q sgx_lc; then echo "1"; else echo "0"; fi;)
 
 PRODUCT_ENCLAVE ?=
 
 TEST_CUSTOM_PROGS := $(OUTPUT)/encl.bin $(OUTPUT)/encl.ss $(OUTPUT)/liberpal-skeleton-v1.so $(OUTPUT)/liberpal-skeleton-v2.so $(OUTPUT)/liberpal-skeleton-v3.so $(OUTPUT)/signing_key.pem
 
-ifeq ($(IS_OOT_DRIVER),1)
-    TEST_CUSTOM_PROGS += $(OUTPUT)/encl.token
-else ifeq ($(IS_SGX_FLC),)
+ifeq ($(IS_SGX_FLC),0)
         TEST_CUSTOM_PROGS += $(OUTPUT)/encl.token
 endif
 
@@ -70,8 +67,10 @@ endif
 $(OUTPUT)/encl.ss: $(OUTPUT)/encl.bin $(OUTPUT)/signing_key.pem
 	$(OUTPUT)/sgxsign $(PRODUCT_OPT) signing_key.pem $(OUTPUT)/encl.bin $(OUTPUT)/encl.ss
 
+ifeq ($(IS_SGX_FLC),0)
 $(OUTPUT)/encl.token: $(OUTPUT)/encl.ss
 	sgx-tools gen-token --signature encl.ss --token $@
+endif
 
 $(OUTPUT)/sgxsign: sgxsign.c sgxutils.c
 	$(CC) -I../include -o $@ $^ -lcrypto
@@ -85,8 +84,11 @@ EXTRA_CLEAN := \
 	$(OUTPUT)/sgxsign \
 	$(OUTPUT)/liberpal-skeleton*.o \
 	$(OUTPUT)/liberpal-skeleton*.so \
-	$(OUTPUT)/signing_key.pem \
-	$(OUTPUT)/encl.token
+	$(OUTPUT)/signing_key.pem
+
+ifeq ($(IS_SGX_FLC),0)
+        EXTRA_CLEAN += $(OUTPUT)/encl.token
+endif
 
 clean:
 	rm -f ${EXTRA_CLEAN}

rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.c

@@ -433,8 +433,10 @@ int __pal_init(pal_attr_t *attr)
 	if (!load_sigstruct(SIGSTRUCT, &sigstruct))
 		return -ENOENT;
 
+	if (!is_launch_control_supported()) {
 		if (!load_token(TOKEN, &token))
 			return -ENOENT;
+	}
 
 	if (!encl_build(&secs, bin, bin_size, &sigstruct, &token))
 		return -EINVAL;

rune/libenclave/internal/runtime/pal/skeleton/sgx.h

@@ -7,6 +7,7 @@
 
 #include <linux/types.h>
 #include <linux/ioctl.h>
+#include <stdbool.h>
 
 /**
  * enum sgx_epage_flags - page control flags
@@ -19,6 +20,9 @@ enum sgx_page_flags {
 
 #define	SGX_LEAF	0x12
 
+// CPUID leafs
+#define	CPUIID_EXTENDED_FEATURE_FLAGS	0x7
+
 /**
  *CPUID function 1
  *ECX[26] enums general support for XSAVE
@@ -163,4 +167,5 @@ typedef int (*sgx_enclave_exit_handler_t)(long rdi, long rsi, long rdx,
 					  struct sgx_enclave_exception *e);
 
 void get_sgx_xfrm_by_cpuid(uint64_t *xfrm);
+bool is_launch_control_supported(void);
 #endif /* _UAPI_ASM_X86_SGX_H */

rune/libenclave/internal/runtime/pal/skeleton/sgxutils.c

@@ -88,3 +88,12 @@ void get_sgx_xfrm_by_cpuid(uint64_t *xfrm)
 		*xfrm &= (((uint64_t)cpu_info[3] << 32) | cpu_info[2]);
 	}
 }
+
+bool is_launch_control_supported(void)
+{
+	int cpu_info[4] = {0, 0, 0, 0};
+
+	__cpuidex(cpu_info, CPUIID_EXTENDED_FEATURE_FLAGS, 0);
+
+	return !!(cpu_info[2] & 0x40000000);
+}

sgx-tools/gen-token.go

@@ -32,6 +32,11 @@ For example, generate the token file according to the given signature file:
 		},
 	},
 	Action: func(context *cli.Context) error {
+
+		if intelsgx.IsSGXLaunchControlSupported() {
+			return fmt.Errorf("gen-token command is unable to run without SGX launch control feature")
+		}
+
 		sigPath := context.String("signature")
 		if sigPath == "" {
 			return fmt.Errorf("signature argument cannot be empty")