├── LibOS ├── shim │ ├── test │ │ ├── .gitignore │ │ ├── regression │ │ │ ├── tmp │ │ │ │ └── .dummy │ │ │ ├── trusted_testfile │ │ │ ├── unknown_testfile │ │ │ ├── init_fail.c │ │ │ ├── exit.c │ │ │ ├── helloworld.c │ │ │ ├── bootstrap_cpp.cpp │ │ │ ├── shared_object.c │ │ │ ├── bootstrap_static.c │ │ │ ├── syscall.c │ │ │ ├── abort.c │ │ │ ├── debug.c │ │ │ ├── bootstrap_pie.c │ │ │ ├── str_close_leak.c │ │ │ ├── exec.c │ │ │ ├── debug_log_inline.manifest │ │ │ ├── debug_regs-x86_64.c │ │ │ ├── env_from_host.manifest │ │ │ ├── openmp.c │ │ │ ├── abort_multithread.c │ │ │ ├── debug_log_file.manifest │ │ │ ├── env_from_file.manifest │ │ │ ├── file_check_policy.c │ │ │ ├── argv_from_file.manifest │ │ │ ├── proc_path.c │ │ │ ├── init_fail2.manifest │ │ │ ├── host_root_fs.c │ │ │ ├── init_fail.manifest │ │ │ ├── file_check_policy_strict.manifest │ │ │ ├── host_root_fs.manifest │ │ │ ├── file_check_policy_allow_all_but_log.manifest │ │ │ ├── fdleak.c │ │ │ ├── multi_pthread.manifest │ │ │ ├── fstat_cwd.c │ │ │ ├── debug.gdb │ │ │ ├── multi_pthread_exitless.manifest │ │ │ ├── debug_regs-x86_64.gdb │ │ │ ├── large_mmap.manifest │ │ │ ├── multi_pthread.c │ │ │ ├── attestation.manifest.template │ │ │ ├── pipe_nonblocking.c │ │ │ ├── stat_invalid_args.c │ │ │ ├── poll.c │ │ │ ├── bootstrap.c │ │ │ ├── sighandler_reset.c │ │ │ ├── pipe.c │ │ │ ├── large_mmap.c │ │ │ └── ppoll.c │ │ ├── ltp │ │ │ ├── .gitignore │ │ │ ├── ltp-all.cfg │ │ │ ├── makevars.mk │ │ │ ├── Makefile.testcases │ │ │ └── contrib │ │ │ │ └── conf_missing.py │ │ ├── Makefile │ │ └── fs │ │ │ ├── copy_sendfile.c │ │ │ ├── .gitignore │ │ │ ├── copy_whole.c │ │ │ ├── copy_seq.c │ │ │ ├── README.md │ │ │ ├── copy_rev.c │ │ │ ├── copy_mmap_whole.c │ │ │ ├── truncate.c │ │ │ └── stat.c │ ├── src │ │ ├── shim.map │ │ ├── .gitignore │ │ ├── vdso │ │ │ ├── .gitignore │ │ │ ├── vdso-data.S │ │ │ ├── arch │ │ │ │ └── x86_64 │ │ │ │ │ ├── vdso.h │ │ │ │ │ └── vdso_syscall.h │ │ │ └── vdso-note.S │ │ ├── shim_object.c │ │ ├── sys │ │ │ ├── shim_fork.c │ │ │ └── shim_getrandom.c │ │ ├── generated-offsets.c │ │ ├── shim_arch_prctl-x86_64.c │ │ └── utils │ │ │ └── strobjs.c │ ├── include │ │ ├── arch │ │ │ └── x86_64 │ │ │ │ ├── shim_vdso-arch.h │ │ │ │ └── shim_types-arch.h │ │ ├── shim_context.h │ │ ├── shim_vdso.h │ │ ├── shim_entry.h │ │ └── shim_defs.h │ └── Makefile ├── .gitignore ├── glibc-checksums └── glibc-patches │ └── hp-timing-2.27.patch ├── tests ├── .gitignore └── benchmarks │ ├── .gitignore │ ├── helloworld.c │ ├── http-root │ └── Makefile │ ├── Makefile │ ├── nginx.conf │ ├── basic.manifest.template │ └── basic.py ├── Documentation ├── .gitignore ├── _templates │ └── .gitignore ├── devel │ ├── DCO │ │ └── index.rst │ ├── contributing.rst │ ├── benchmarks.rst │ └── setup.rst ├── requirements.txt ├── Doxyfile-pal-linux ├── Doxyfile-pal-linux-sgx ├── _static │ └── css │ │ └── graphene.css ├── Doxyfile-libos ├── Doxyfile-pal ├── libos │ └── shim-init.rst ├── Doxyfile ├── manpages │ ├── quote_dump.rst │ ├── pal_loader.rst │ └── is_sgx_available.rst ├── Makefile └── glossary.rst ├── Examples ├── curl │ ├── .gitignore │ ├── test-docroot │ │ └── index.html │ └── README.md ├── nodejs │ ├── .gitignore │ ├── helloworld.js │ └── README.md ├── bash │ ├── scripts │ │ ├── somefile │ │ └── bash_test.sh │ ├── .gitignore │ └── README.md ├── blender │ ├── data │ │ ├── .gitignore │ │ └── scenes │ │ │ └── simple_scene.blend │ ├── .gitignore │ └── test_all_scenes.sh ├── pytorch │ ├── .gitignore │ ├── input.jpg │ └── download-pretrained-model.py ├── ra-tls-secret-prov │ ├── files │ │ ├── plain.txt │ │ ├── wrap-key │ │ └── README │ ├── .gitignore │ ├── src │ │ └── secret_prov_min_client.c │ └── certs │ │ ├── README │ │ ├── server2-sha256.crt │ │ └── test-ca-sha256.crt ├── capnproto │ ├── .gitignore │ └── README ├── nodejs-express-server │ ├── .gitignore │ ├── package.json │ ├── helloworld.js │ └── README.md ├── openvino │ ├── .gitignore │ └── images │ │ └── horses.jpg ├── busybox │ ├── .gitignore │ └── README.md ├── redis │ └── .gitignore ├── memcached │ └── .gitignore ├── gcc │ ├── ld-gcc-5-trusted-files │ ├── test_files │ │ ├── gzip.patch │ │ ├── .gitignore │ │ └── helloworld.c │ ├── ld-gcc-7-trusted-files │ └── README.md ├── python-simple │ ├── scripts │ │ ├── helloworld.py │ │ └── test-http.py │ └── run-tests.sh ├── .gitignore ├── nginx │ ├── .gitignore │ └── ssl │ │ └── ca_config.conf ├── apache │ ├── .gitignore │ └── ssl │ │ └── ca_config.conf ├── lighttpd │ └── .gitignore ├── ra-tls-mbedtls │ └── .gitignore ├── tensorflow-lite │ ├── .gitignore │ └── README.md ├── r │ └── scripts │ │ └── sample.r ├── python-scipy-insecure │ └── scripts │ │ ├── test-numpy.py │ │ └── test-scipy.py └── common_tools │ └── get_deps.sh ├── Tools ├── .gitignore ├── gsc │ ├── test │ │ ├── .gitignore │ │ ├── bash.manifest │ │ ├── ubuntu18.04-nodejs.manifest │ │ ├── ubuntu18.04-python3.manifest │ │ ├── ubuntu18.04-bash.dockerfile │ │ ├── ubuntu18.04-numpy.manifest │ │ ├── ubuntu18.04-pytorch.manifest │ │ ├── ubuntu18.04-hello-world.dockerfile │ │ ├── ubuntu18.04-python3-trusted-args.dockerfile │ │ ├── ubuntu18.04-python3.dockerfile │ │ ├── ubuntu18.04-nodejs.dockerfile │ │ ├── ubuntu18.04-numpy.dockerfile │ │ └── ubuntu18.04-pytorch.dockerfile │ ├── .gitignore │ ├── config.yaml.template │ ├── gsc │ ├── templates │ │ ├── apploader.template │ │ ├── Dockerfile.ubuntu18.04.sign.template │ │ └── entrypoint.manifest.template │ └── images │ │ └── graphene_aks.latest.dockerfile ├── Makefile └── argv_serializer.c ├── .ci ├── lib │ ├── config-debug.jenkinsfile │ ├── config-release.jenkinsfile │ ├── config-ubuntu16.04.jenkinsfile │ ├── config-ubuntu18.04.jenkinsfile │ ├── stage-clean-check-prepare.jenkinsfile │ ├── stage-lint.jenkinsfile │ ├── config.jenkinsfile │ └── stage-build-nosgx.jenkinsfile ├── isdistro ├── docs.jenkinsfile ├── run-shellcheck ├── linux-direct-ubuntu18.04-gcc-glibc227.jenkinsfile ├── linux-sgx-ubuntu16.04-gcc-release.jenkinsfile ├── linux-sgx-ubuntu18.04-gcc-release.jenkinsfile ├── linux-direct-ubuntu16.04-gcc-debug.jenkinsfile ├── linux-direct-ubuntu18.04-gcc-debug.jenkinsfile ├── linux-sgx-ubuntu16.04-gcc-release-apps.jenkinsfile ├── linux-sgx-ubuntu18.04-gcc-release-apps.jenkinsfile ├── linux-direct-ubuntu16.04-gcc-release.jenkinsfile ├── linux-direct-ubuntu18.04-gcc-release.jenkinsfile └── run-pylint ├── Pal ├── include │ ├── lib │ │ ├── .gitignore │ │ ├── debug_map.h │ │ └── perm.h │ ├── arch │ │ └── x86_64 │ │ │ ├── Skeleton │ │ │ ├── pal_host-arch.h │ │ │ ├── sigcontext.h │ │ │ └── ucontext.h │ │ │ ├── Linux-SGX │ │ │ ├── ucontext.h │ │ │ ├── sigcontext.h │ │ │ └── pal_host-arch.h │ │ │ ├── rng-arch.h │ │ │ ├── Linux │ │ │ └── pal_host-arch.h │ │ │ └── pal_internal-arch.h │ ├── pal │ │ ├── generated-offsets-build.h │ │ └── pal_debug.h │ └── host │ │ └── Linux-common │ │ ├── linux_utils.h │ │ └── topo_info.h ├── lib │ ├── crypto │ │ ├── .gitignore │ │ ├── adapters │ │ │ └── mbedtls_adapter.h │ │ └── udivmodti4.h │ ├── .gitignore │ └── string │ │ ├── memcmp.c │ │ ├── ctype.c │ │ ├── strcmp.c │ │ ├── strspn.c │ │ ├── strstr.c │ │ └── memset.c ├── src │ ├── host │ │ ├── Linux-SGX │ │ │ ├── tools │ │ │ │ ├── pf_crypt │ │ │ │ │ ├── .gitignore │ │ │ │ │ └── Makefile │ │ │ │ ├── common │ │ │ │ │ └── .gitignore │ │ │ │ ├── ias-request │ │ │ │ │ ├── .gitignore │ │ │ │ │ └── Makefile │ │ │ │ ├── pf_tamper │ │ │ │ │ ├── .gitignore │ │ │ │ │ └── Makefile │ │ │ │ ├── quote-dump │ │ │ │ │ ├── .gitignore │ │ │ │ │ └── Makefile │ │ │ │ ├── is-sgx-available │ │ │ │ │ ├── .gitignore │ │ │ │ │ └── Makefile │ │ │ │ ├── verify-ias-report │ │ │ │ │ ├── .gitignore │ │ │ │ │ └── Makefile │ │ │ │ ├── Makefile │ │ │ │ └── ra-tls │ │ │ │ │ └── ra_tls_verify_dcap_urts.c │ │ │ ├── gdb_integration │ │ │ │ ├── common │ │ │ │ ├── graphene_sgx_gdb.py │ │ │ │ └── sgx_gdb.h │ │ │ ├── pal.map.template │ │ │ ├── .gitignore │ │ │ ├── sgx_enclave.h │ │ │ ├── enclave_pages.h │ │ │ ├── enclave_ecalls.h │ │ │ ├── sgx_gdb_info.c │ │ │ ├── signer │ │ │ │ ├── pal-sgx-sign │ │ │ │ └── pal-sgx-get-token │ │ │ ├── ecall_types.h │ │ │ ├── Makefile.am │ │ │ ├── sgx_log.c │ │ │ ├── enclave_platform.c │ │ │ └── sgx_log.h │ │ ├── Linux │ │ │ ├── gdb_integration │ │ │ │ ├── common │ │ │ │ └── graphene_linux_gdb.py │ │ │ ├── pal.map.template │ │ │ ├── pal_linux_defs.h │ │ │ ├── pal_security.h │ │ │ ├── pal_start-x86_64.S │ │ │ └── Makefile.am │ │ ├── Skeleton │ │ │ ├── pal.map.template │ │ │ ├── db_rtld.c │ │ │ ├── Makefile.am │ │ │ ├── db_exception.c │ │ │ ├── db_main.c │ │ │ ├── db_memory.c │ │ │ ├── db_object.c │ │ │ ├── db_mutex.c │ │ │ ├── Makefile │ │ │ └── db_events.c │ │ └── Linux-common │ │ │ ├── stack_protector.c │ │ │ └── main_exec_path.c │ ├── pal_defs.h │ ├── db_mutex.c │ ├── pal-symbols │ └── db_process.c ├── regression │ ├── Exit.c │ ├── Thread2.manifest │ ├── Bootstrap3.manifest │ ├── Process3.manifest │ ├── Thread2_exitless.manifest │ ├── Process2.c │ ├── Bootstrap6.manifest │ ├── Sleep.c │ ├── Preload1.c │ ├── Preload2.c │ ├── ..Bootstrap.c │ ├── manifest.template │ ├── File.manifest │ ├── Process3.c │ ├── Bootstrap7.c │ ├── Bootstrap3.c │ ├── Segment.c │ ├── Pie.c │ ├── HelloWorld.c │ ├── Hex.c │ ├── Failure.c │ ├── Exception2.c │ ├── .gitignore │ ├── Yield.c │ └── Event2.c ├── crt_init │ └── Makefile └── Makefile ├── Runtime ├── .gitignore └── Makefile ├── python ├── graphenelibos │ ├── __init__.py │ ├── aesm.proto │ └── meson.build ├── graphene-sgx-sign ├── graphene-sgx-get-token └── meson.build ├── .gitmodules ├── Scripts ├── Makefile ├── clean-check-prepare ├── manifest.mk ├── clean-check-test-copy ├── Makefile.python ├── Makefile.Host ├── gitignore-test └── run-pytest ├── .clang-format ├── meson_options.txt ├── Makefile ├── .dir-locals.el ├── .github ├── PULL_REQUEST_TEMPLATE.md └── ISSUE_TEMPLATE.md ├── .gitignore ├── meson.build └── LICENSE.addendum.txt /LibOS/shim/test/.gitignore: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tests/.gitignore: -------------------------------------------------------------------------------- 1 | .asv/ 2 | -------------------------------------------------------------------------------- /Documentation/.gitignore: -------------------------------------------------------------------------------- 1 | _build 2 | -------------------------------------------------------------------------------- /Documentation/_templates/.gitignore: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Examples/curl/.gitignore: -------------------------------------------------------------------------------- 1 | /OUTPUT 2 | -------------------------------------------------------------------------------- /Examples/nodejs/.gitignore: -------------------------------------------------------------------------------- 1 | /OUTPUT 2 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/tmp/.dummy: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Tools/.gitignore: -------------------------------------------------------------------------------- 1 | /argv_serializer 2 | -------------------------------------------------------------------------------- /Tools/gsc/test/.gitignore: -------------------------------------------------------------------------------- 1 | *.yaml 2 | -------------------------------------------------------------------------------- /Examples/bash/scripts/somefile: -------------------------------------------------------------------------------- 1 | dummy 2 | -------------------------------------------------------------------------------- /Examples/blender/data/.gitignore: -------------------------------------------------------------------------------- 1 | images/ 2 | -------------------------------------------------------------------------------- /.ci/lib/config-debug.jenkinsfile: -------------------------------------------------------------------------------- 1 | env.DEBUG = '1' 2 | -------------------------------------------------------------------------------- /Examples/pytorch/.gitignore: -------------------------------------------------------------------------------- 1 | /*.pt 2 | /pal_loader 3 | -------------------------------------------------------------------------------- /Examples/ra-tls-secret-prov/files/plain.txt: -------------------------------------------------------------------------------- 1 | helloworld -------------------------------------------------------------------------------- /Pal/include/lib/.gitignore: -------------------------------------------------------------------------------- 1 | /uthash.h 2 | /toml.h 3 | -------------------------------------------------------------------------------- /Runtime/.gitignore: -------------------------------------------------------------------------------- 1 | /pal-Linux 2 | /pal-Linux-SGX 3 | -------------------------------------------------------------------------------- /Examples/capnproto/.gitignore: -------------------------------------------------------------------------------- 1 | /src 2 | /addressbook 3 | -------------------------------------------------------------------------------- /Pal/lib/crypto/.gitignore: -------------------------------------------------------------------------------- 1 | /mbedtls/* 2 | /*.tar.gz 3 | -------------------------------------------------------------------------------- /Tools/gsc/test/bash.manifest: -------------------------------------------------------------------------------- 1 | sgx.enclave_size = "4G" 2 | -------------------------------------------------------------------------------- /.ci/lib/config-release.jenkinsfile: -------------------------------------------------------------------------------- 1 | // env.DEBUG is not set 2 | -------------------------------------------------------------------------------- /Documentation/devel/DCO/index.rst: -------------------------------------------------------------------------------- 1 | .. include:: ../../../DCO 2 | -------------------------------------------------------------------------------- /Examples/bash/.gitignore: -------------------------------------------------------------------------------- 1 | /OUTPUT 2 | /scripts/testdir/* 3 | -------------------------------------------------------------------------------- /Examples/nodejs-express-server/.gitignore: -------------------------------------------------------------------------------- 1 | /node_modules/ 2 | -------------------------------------------------------------------------------- /Examples/nodejs/helloworld.js: -------------------------------------------------------------------------------- 1 | console.log("Hello World"); 2 | -------------------------------------------------------------------------------- /LibOS/shim/src/shim.map: -------------------------------------------------------------------------------- 1 | SHIM { 2 | local: *; 3 | }; 4 | -------------------------------------------------------------------------------- /Pal/lib/.gitignore: -------------------------------------------------------------------------------- 1 | /toml.c 2 | /toml.h 3 | /toml.patched 4 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/pf_crypt/.gitignore: -------------------------------------------------------------------------------- 1 | /pf_crypt 2 | -------------------------------------------------------------------------------- /tests/benchmarks/.gitignore: -------------------------------------------------------------------------------- 1 | /helloworld 2 | /write_pages 3 | -------------------------------------------------------------------------------- /Examples/openvino/.gitignore: -------------------------------------------------------------------------------- 1 | *.bmp 2 | /model/ 3 | /openvino/ 4 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/trusted_testfile: -------------------------------------------------------------------------------- 1 | trusted_testfile 2 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/unknown_testfile: -------------------------------------------------------------------------------- 1 | unknown_testfile 2 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/common/.gitignore: -------------------------------------------------------------------------------- 1 | /cJSON* 2 | /*.gz 3 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/ias-request/.gitignore: -------------------------------------------------------------------------------- 1 | /ias_request 2 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/pf_tamper/.gitignore: -------------------------------------------------------------------------------- 1 | /pf_tamper 2 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/quote-dump/.gitignore: -------------------------------------------------------------------------------- 1 | /quote_dump 2 | -------------------------------------------------------------------------------- /Examples/busybox/.gitignore: -------------------------------------------------------------------------------- 1 | /src 2 | /busybox 3 | /busybox.tar.bz2 4 | -------------------------------------------------------------------------------- /Examples/redis/.gitignore: -------------------------------------------------------------------------------- 1 | /redis.tar.gz 2 | /redis-server 3 | /src 4 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/gdb_integration/common: -------------------------------------------------------------------------------- 1 | ../../../../gdb_integration/ -------------------------------------------------------------------------------- /Pal/src/host/Linux/gdb_integration/common: -------------------------------------------------------------------------------- 1 | ../../../../gdb_integration/ -------------------------------------------------------------------------------- /tests/benchmarks/helloworld.c: -------------------------------------------------------------------------------- 1 | int main() { 2 | return 0; 3 | } 4 | -------------------------------------------------------------------------------- /Documentation/devel/contributing.rst: -------------------------------------------------------------------------------- 1 | .. include:: ../../CONTRIBUTING.rst 2 | -------------------------------------------------------------------------------- /Examples/curl/test-docroot/index.html: -------------------------------------------------------------------------------- 1 | 2 | Hello World! 3 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/is-sgx-available/.gitignore: -------------------------------------------------------------------------------- 1 | /is_sgx_available 2 | -------------------------------------------------------------------------------- /Examples/blender/.gitignore: -------------------------------------------------------------------------------- 1 | /blender.tar.xz 2 | /blender_dir/ 3 | /run_dir/ 4 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/verify-ias-report/.gitignore: -------------------------------------------------------------------------------- 1 | /verify_ias_report 2 | -------------------------------------------------------------------------------- /Tools/gsc/.gitignore: -------------------------------------------------------------------------------- 1 | /build 2 | config.yaml 3 | config.aks.*.yaml 4 | *.pem 5 | -------------------------------------------------------------------------------- /Examples/memcached/.gitignore: -------------------------------------------------------------------------------- 1 | /.lck 2 | /memcached 3 | /memcached.tar.gz 4 | /src 5 | -------------------------------------------------------------------------------- /LibOS/shim/test/ltp/.gitignore: -------------------------------------------------------------------------------- 1 | /build/ 2 | /install/ 3 | /ltp*.xml 4 | /pal_loader 5 | -------------------------------------------------------------------------------- /Examples/gcc/ld-gcc-5-trusted-files: -------------------------------------------------------------------------------- 1 | # No additional gcc-5 specific trusted files required. -------------------------------------------------------------------------------- /Examples/gcc/test_files/gzip.patch: -------------------------------------------------------------------------------- 1 | 2020c2020 2 | < static char * 3 | --- 4 | > char * 5 | -------------------------------------------------------------------------------- /LibOS/shim/src/.gitignore: -------------------------------------------------------------------------------- 1 | /libsysdb.so.cached 2 | /asm-offsets.h 3 | /generated-offsets.s 4 | -------------------------------------------------------------------------------- /Tools/gsc/test/ubuntu18.04-nodejs.manifest: -------------------------------------------------------------------------------- 1 | sgx.enclave_size = "2G" 2 | sgx.thread_num = 16 3 | -------------------------------------------------------------------------------- /Tools/gsc/test/ubuntu18.04-python3.manifest: -------------------------------------------------------------------------------- 1 | sgx.enclave_size = "4G" 2 | sgx.thread_num = 8 3 | -------------------------------------------------------------------------------- /Examples/python-simple/scripts/helloworld.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | print("Hello World") 4 | -------------------------------------------------------------------------------- /Pal/src/host/Linux/pal.map.template: -------------------------------------------------------------------------------- 1 | PAL { 2 | global: $(PAL_SYMBOLS) 3 | local: *; 4 | }; 5 | -------------------------------------------------------------------------------- /.ci/lib/config-ubuntu16.04.jenkinsfile: -------------------------------------------------------------------------------- 1 | env.GLIBC_VERSION = '2.27' 2 | env.PYTHONVERSION = 'python3.5' 3 | -------------------------------------------------------------------------------- /.ci/lib/config-ubuntu18.04.jenkinsfile: -------------------------------------------------------------------------------- 1 | env.GLIBC_VERSION = '2.31' 2 | env.PYTHONVERSION = 'python3.6' 3 | -------------------------------------------------------------------------------- /Documentation/requirements.txt: -------------------------------------------------------------------------------- 1 | sphinx==1.8.0 2 | breathe<4.13.0 3 | recommonmark 4 | sphinx_rtd_theme 5 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/pal.map.template: -------------------------------------------------------------------------------- 1 | PAL { 2 | global: $(PAL_SYMBOLS) 3 | local: *; 4 | }; 5 | -------------------------------------------------------------------------------- /Pal/src/host/Skeleton/pal.map.template: -------------------------------------------------------------------------------- 1 | PAL { 2 | global: $(PAL_SYMBOLS) 3 | local: *; 4 | }; 5 | -------------------------------------------------------------------------------- /python/graphenelibos/__init__.py: -------------------------------------------------------------------------------- 1 | '''Python support for Graphene''' 2 | 3 | __version__ = '@VERSION@' 4 | -------------------------------------------------------------------------------- /Examples/pytorch/input.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/clearlinux/graphene/master/Examples/pytorch/input.jpg -------------------------------------------------------------------------------- /Examples/.gitignore: -------------------------------------------------------------------------------- 1 | *.manifest 2 | *.manifest.sgx 3 | *.sig 4 | *.token 5 | pal_loader 6 | *.o 7 | *~ 8 | *.swp 9 | -------------------------------------------------------------------------------- /Tools/gsc/test/ubuntu18.04-bash.dockerfile: -------------------------------------------------------------------------------- 1 | From ubuntu:18.04 2 | 3 | RUN apt-get update 4 | 5 | CMD ["bash"] 6 | -------------------------------------------------------------------------------- /Tools/gsc/test/ubuntu18.04-numpy.manifest: -------------------------------------------------------------------------------- 1 | sgx.enclave_size = "2G" 2 | sgx.thread_num = 32 3 | sys.stack.size = "2M" 4 | -------------------------------------------------------------------------------- /Tools/gsc/test/ubuntu18.04-pytorch.manifest: -------------------------------------------------------------------------------- 1 | sgx.enclave_size = "4G" 2 | sgx.thread_num = 32 3 | sys.stack.size = "2M" 4 | -------------------------------------------------------------------------------- /Examples/gcc/test_files/.gitignore: -------------------------------------------------------------------------------- 1 | /bzip2 2 | /bzip2.c 3 | /bzip2.copy 4 | /gzip 5 | /gzip.c 6 | /gzip_broken.c 7 | /hello 8 | -------------------------------------------------------------------------------- /Examples/nginx/.gitignore: -------------------------------------------------------------------------------- 1 | *.tar.gz 2 | /install/* 3 | /nginx-*/* 4 | /OUTPUT 5 | /result-* 6 | /ssl/ca.* 7 | /ssl/server.* 8 | -------------------------------------------------------------------------------- /Examples/openvino/images/horses.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/clearlinux/graphene/master/Examples/openvino/images/horses.jpg -------------------------------------------------------------------------------- /.ci/lib/stage-clean-check-prepare.jenkinsfile: -------------------------------------------------------------------------------- 1 | stage('clean-check-prepare') { 2 | sh './Scripts/clean-check-prepare' 3 | } 4 | -------------------------------------------------------------------------------- /LibOS/shim/src/vdso/.gitignore: -------------------------------------------------------------------------------- 1 | /.vdso-linked-for-reloc-check.so 2 | /.vdso-no-reloc-checked 3 | /vdso-data.c 4 | /vdso.so.dbg 5 | -------------------------------------------------------------------------------- /python/graphene-sgx-sign: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import sys 4 | from graphenelibos.sgx_sign import main 5 | sys.exit(main()) 6 | -------------------------------------------------------------------------------- /Examples/ra-tls-secret-prov/files/wrap-key: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/clearlinux/graphene/master/Examples/ra-tls-secret-prov/files/wrap-key -------------------------------------------------------------------------------- /Tools/gsc/test/ubuntu18.04-hello-world.dockerfile: -------------------------------------------------------------------------------- 1 | From ubuntu:18.04 2 | 3 | RUN apt-get update 4 | 5 | CMD ["echo", "\"Hello World!\""] 6 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "LibOS/shim/test/ltp/src"] 2 | path = LibOS/shim/test/ltp/src 3 | url = https://github.com/linux-test-project/ltp.git 4 | -------------------------------------------------------------------------------- /Examples/apache/.gitignore: -------------------------------------------------------------------------------- 1 | /*.tar.gz 2 | /httpd-*/* 3 | /install/* 4 | /OUTPUT 5 | /pal_loader 6 | /result-* 7 | /ssl/ca.* 8 | /ssl/server.* 9 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/init_fail.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(void) { 4 | printf("Hello world\n"); 5 | return 42; 6 | } 7 | -------------------------------------------------------------------------------- /python/graphene-sgx-get-token: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import sys 4 | from graphenelibos.sgx_get_token import main 5 | sys.exit(main()) 6 | -------------------------------------------------------------------------------- /Examples/blender/data/scenes/simple_scene.blend: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/clearlinux/graphene/master/Examples/blender/data/scenes/simple_scene.blend -------------------------------------------------------------------------------- /LibOS/shim/test/regression/exit.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, const char** argv, const char** envp) { 4 | return 113; 5 | } 6 | -------------------------------------------------------------------------------- /Examples/lighttpd/.gitignore: -------------------------------------------------------------------------------- 1 | !/lighttpd-generic.conf 2 | /*.conf 3 | /*.tar.gz 4 | /install/ 5 | /lighttpd-*/ 6 | /lighttpd.conf 7 | /OUTPUT 8 | /result-* 9 | -------------------------------------------------------------------------------- /Examples/ra-tls-mbedtls/.gitignore: -------------------------------------------------------------------------------- 1 | /*.tar.gz 2 | /OUTPUT 3 | /client 4 | /client-dcap-trusted-libs 5 | /client-epid-trusted-libs 6 | /mbedtls 7 | /server 8 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/helloworld.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char** argv) { 4 | printf("Hello world!\n"); 5 | return 0; 6 | } 7 | -------------------------------------------------------------------------------- /Pal/lib/crypto/adapters/mbedtls_adapter.h: -------------------------------------------------------------------------------- 1 | #ifndef MBEDTLS_ADAPTER_H 2 | #define MBEDTLS_ADAPTER_H 3 | 4 | int mbedtls_to_pal_error(int error); 5 | 6 | #endif 7 | -------------------------------------------------------------------------------- /Documentation/Doxyfile-pal-linux: -------------------------------------------------------------------------------- 1 | @INCLUDE = Doxyfile 2 | PROJECT_NAME = "PAL Linux" 3 | OUTPUT_DIRECTORY = _build/doxygen-pal-linux 4 | INPUT = ../Pal/src/host/Linux 5 | -------------------------------------------------------------------------------- /LibOS/.gitignore: -------------------------------------------------------------------------------- 1 | /glibc-*.tar.gz 2 | /glibc-*.*/ 3 | /glibc-build/ 4 | /build.log 5 | 6 | /gcc-*.tar.gz 7 | /gcc-*.*.*/ 8 | /gcc-build/ 9 | /gcc-build.log 10 | -------------------------------------------------------------------------------- /.ci/isdistro: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | test "$#" -eq 1 || exit 2 4 | . /etc/os-release || exit 3 5 | test "$1" = "$VERSION_CODENAME" || test "$1" = "$ID"-"$VERSION_ID" || exit 1 6 | -------------------------------------------------------------------------------- /Examples/gcc/test_files/helloworld.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char* argv[]) { 4 | printf("Hello world (%s)!\n", argv[0]); 5 | return 0; 6 | } 7 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/bootstrap_cpp.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() 4 | { 5 | std::cout << "User Program Started" << std::endl; 6 | return 0; 7 | } 8 | -------------------------------------------------------------------------------- /Pal/regression/Exit.c: -------------------------------------------------------------------------------- 1 | #include "api.h" 2 | #include "pal.h" 3 | #include "pal_debug.h" 4 | 5 | int main(int argc, char** argv, char** envp) { 6 | DkProcessExit(112); 7 | } 8 | -------------------------------------------------------------------------------- /Documentation/Doxyfile-pal-linux-sgx: -------------------------------------------------------------------------------- 1 | @INCLUDE = Doxyfile 2 | PROJECT_NAME = "PAL Linux-SGX" 3 | OUTPUT_DIRECTORY = _build/doxygen-pal-linux-sgx 4 | INPUT = ../Pal/src/host/Linux-SGX 5 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/shared_object.c: -------------------------------------------------------------------------------- 1 | /* a simple helloworld test */ 2 | 3 | #include 4 | 5 | int main(void) { 6 | printf("Hello world\n"); 7 | return 0; 8 | } 9 | -------------------------------------------------------------------------------- /Documentation/_static/css/graphene.css: -------------------------------------------------------------------------------- 1 | .rst-content dl:not(.docutils)>dt { 2 | font-family: SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",Courier,monospace; 3 | } 4 | -------------------------------------------------------------------------------- /Documentation/Doxyfile-libos: -------------------------------------------------------------------------------- 1 | @INCLUDE = Doxyfile 2 | PROJECT_NAME = "LibOS" 3 | OUTPUT_DIRECTORY = _build/doxygen-libos 4 | INPUT = \ 5 | ../LibOS/shim/include \ 6 | ../LibOS/shim/src 7 | -------------------------------------------------------------------------------- /LibOS/glibc-checksums: -------------------------------------------------------------------------------- 1 | 881ca905e6b5eec724de7948f14d66a07d97bdee8013e1b2a7d021ff5d540522 glibc-2.27.tar.gz 2 | cb2d64fb808affff30d8a99a85de9d2aa67dc2cbac4ae99af4500d6cfea2bda7 glibc-2.31.tar.gz 3 | -------------------------------------------------------------------------------- /Pal/include/arch/x86_64/Skeleton/pal_host-arch.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | /* 4 | * This file contains Skeleton-specific functions related to the PAL. 5 | */ 6 | -------------------------------------------------------------------------------- /Tools/gsc/test/ubuntu18.04-python3-trusted-args.dockerfile: -------------------------------------------------------------------------------- 1 | From ubuntu:18.04 2 | 3 | RUN apt-get update \ 4 | && apt-get install -y python3 5 | 6 | CMD ["python3", "-c", "print('HelloWorld!')"] 7 | -------------------------------------------------------------------------------- /tests/benchmarks/http-root/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: all 2 | all: 10K.1.html 3 | 4 | 10K.1.html: 5 | dd if=/dev/urandom of=$@ bs=1000 count=10 6 | 7 | .PHONY: clean 8 | clean: 9 | $(RM) *.html 10 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/.gitignore: -------------------------------------------------------------------------------- 1 | /asm-offsets.h 2 | /generated-offsets.s 3 | /generated_offsets.py 4 | /gsgx.h 5 | /pal-sgx 6 | /quote/aesm.pb-c.c 7 | /quote/aesm.pb-c.h 8 | 9 | *.pem 10 | *.pub 11 | -------------------------------------------------------------------------------- /python/meson.build: -------------------------------------------------------------------------------- 1 | subdir('graphenelibos') 2 | 3 | if sgx 4 | install_data([ 5 | 'graphene-sgx-get-token', 6 | 'graphene-sgx-sign', 7 | ], install_dir: get_option('bindir')) 8 | endif 9 | -------------------------------------------------------------------------------- /Examples/tensorflow-lite/.gitignore: -------------------------------------------------------------------------------- 1 | /bazel-*-installer-linux-*.sh 2 | /image.bmp 3 | /inception_v3.pb 4 | /inception_v3.tflite 5 | /inception_v3_2018_04_27.tgz 6 | /labels.txt 7 | /tensorflow 8 | /tensorflow.tar.gz 9 | -------------------------------------------------------------------------------- /Pal/include/arch/x86_64/Skeleton/sigcontext.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #ifndef _SKELETON_SIGCONTEXT_H 4 | #define _SKELETON_SIGCONTEXT_H 5 | 6 | #endif /* _SKELETON_SIGCONTEXT_H */ 7 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/bootstrap_static.c: -------------------------------------------------------------------------------- 1 | /* a simple helloworld test */ 2 | 3 | #include 4 | 5 | int main(int argc, char** argv) { 6 | printf("Hello world (%s)!\n", argv[0]); 7 | return 0; 8 | } 9 | -------------------------------------------------------------------------------- /.ci/lib/stage-lint.jenkinsfile: -------------------------------------------------------------------------------- 1 | stage('lint') { 2 | sh ''' 3 | if .ci/isdistro bionic 4 | then 5 | ./.ci/run-pylint -f text 6 | fi 7 | ./.ci/run-shellcheck 8 | ''' 9 | } 10 | -------------------------------------------------------------------------------- /Pal/regression/Thread2.manifest: -------------------------------------------------------------------------------- 1 | pal.entrypoint = "file:Thread2" 2 | loader.argv0_override = "Thread2" 3 | 4 | sgx.thread_num = 2 5 | sgx.enable_stats = 1 6 | sgx.nonpie_binary = 1 7 | 8 | sgx.trusted_files.entrypoint = "file:Thread2" 9 | -------------------------------------------------------------------------------- /Pal/src/pal_defs.h: -------------------------------------------------------------------------------- 1 | #ifndef PAL_DEFS_H 2 | #define PAL_DEFS_H 3 | 4 | /* statically allocate slab manager */ 5 | #define STATIC_SLAB 1 6 | 7 | /* maximum length of URIs */ 8 | #define URI_MAX 4096 9 | 10 | #endif /* PAL_DEFS_H */ 11 | -------------------------------------------------------------------------------- /Examples/r/scripts/sample.r: -------------------------------------------------------------------------------- 1 | print(sample(1:3)) 2 | print(sample(1:3, size=3, replace=FALSE)) # same as previous line 3 | print(sample(c(2,5,3), size=4, replace=TRUE)) 4 | print(sample(1:2, size=10, prob=c(1,3), replace=TRUE)) 5 | print("success") 6 | -------------------------------------------------------------------------------- /tests/benchmarks/Makefile: -------------------------------------------------------------------------------- 1 | BENCHMARKS = \ 2 | helloworld \ 3 | write_pages 4 | 5 | .PHONY: all 6 | all: $(BENCHMARKS) 7 | $(MAKE) -C http-root $@ 8 | 9 | .PHONY: clean 10 | clean: 11 | $(MAKE) -C http-root $@ 12 | $(RM) $(BENCHMARKS) 13 | -------------------------------------------------------------------------------- /Examples/ra-tls-secret-prov/.gitignore: -------------------------------------------------------------------------------- 1 | /*.tar.gz 2 | /OUTPUT 3 | /files/input.txt 4 | /mbedtls 5 | /pf_crypt 6 | /secret_prov_client 7 | /secret_prov_min_client 8 | /secret_prov_pf_client 9 | /secret_prov_server_dcap 10 | /secret_prov_server_epid 11 | -------------------------------------------------------------------------------- /LibOS/shim/include/arch/x86_64/shim_vdso-arch.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #ifndef _SHIM_VDSO_ARCH_H_ 4 | #define _SHIM_VDSO_ARCH_H_ 5 | 6 | #define LINUX_VDSO_FILENAME "linux-vdso.so.1" 7 | 8 | #endif /* _SHIM_VDSO_ARCH_H_ */ 9 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/syscall.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc, char** argv) { 5 | const char buf[] = "Hello world\n"; 6 | INLINE_SYSCALL(write, 3, 1, buf, sizeof(buf) - 1); 7 | return 0; 8 | } 9 | -------------------------------------------------------------------------------- /LibOS/shim/test/Makefile: -------------------------------------------------------------------------------- 1 | include ../../../Scripts/Makefile.configs 2 | 3 | SUBDIRS = regression fs 4 | 5 | .PHONY: all clean sgx-tokens distclean 6 | all clean sgx-tokens distclean: 7 | for d in $(SUBDIRS); do \ 8 | $(MAKE) -C $$d $@ || exit 255; \ 9 | done 10 | -------------------------------------------------------------------------------- /LibOS/shim/test/fs/copy_sendfile.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | void copy_data(int fi, int fo, const char* input_path, const char* output_path, size_t size) { 4 | sendfile_fd(input_path, output_path, fi, fo, size); 5 | printf("sendfile_fd(%zu) OK\n", size); 6 | } 7 | -------------------------------------------------------------------------------- /Tools/gsc/config.yaml.template: -------------------------------------------------------------------------------- 1 | Distro: "ubuntu18.04" 2 | Graphene: 3 | Repository: "https://github.com/oscarlab/graphene.git" 4 | Branch: "master" 5 | SGXDriver: 6 | Repository: "https://github.com/01org/linux-sgx-driver.git" 7 | Branch: "sgx_driver_1.9" 8 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/sgx_enclave.h: -------------------------------------------------------------------------------- 1 | #include "pal_linux.h" 2 | #include "pal_security.h" 3 | 4 | int ecall_enclave_start(char* libpal_uri, char* args, size_t args_size, char* env, size_t env_size); 5 | 6 | int ecall_thread_start(void); 7 | 8 | int ecall_thread_reset(void); 9 | -------------------------------------------------------------------------------- /Pal/regression/Bootstrap3.manifest: -------------------------------------------------------------------------------- 1 | pal.entrypoint = "file:Bootstrap3" 2 | loader.log_level = "debug" 3 | loader.preload = "file:Preload1.so,file:Preload2.so" 4 | loader.argv0_override = "Bootstrap3" 5 | 6 | sgx.trusted_files.entrypoint = "file:Bootstrap3" 7 | sgx.nonpie_binary = 1 8 | -------------------------------------------------------------------------------- /Pal/regression/Process3.manifest: -------------------------------------------------------------------------------- 1 | pal.entrypoint = "file:Process3" 2 | loader.log_level = "debug" 3 | loader.preload = "file:Preload1.so,file:Preload2.so" 4 | loader.insecure__use_cmdline_argv = 1 5 | 6 | sgx.nonpie_binary = 1 7 | 8 | sgx.trusted_files.entrypoint = "file:Process3" 9 | -------------------------------------------------------------------------------- /Pal/regression/Thread2_exitless.manifest: -------------------------------------------------------------------------------- 1 | pal.entrypoint = "file:Thread2" 2 | loader.argv0_override = "Thread2" 3 | 4 | sgx.thread_num = 2 5 | sgx.rpc_thread_num = 2 6 | sgx.enable_stats = 1 7 | sgx.nonpie_binary = 1 8 | 9 | sgx.trusted_files.entrypoint = "file:Thread2" 10 | -------------------------------------------------------------------------------- /Scripts/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: all 2 | all: ; 3 | 4 | .PHONY: clean 5 | clean: 6 | $(RM) -r __pycache__ 7 | 8 | .PHONY: distclean 9 | distclean: clean 10 | 11 | .PHONY: format 12 | format: ; 13 | 14 | .PHONY: test 15 | test: ; 16 | 17 | .PHONY: sgx-tokens 18 | sgx-tokens: ; 19 | -------------------------------------------------------------------------------- /Examples/gcc/ld-gcc-7-trusted-files: -------------------------------------------------------------------------------- 1 | sgx.trusted_files.crtbeginSo = \"file:/usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o\"\nsgx.trusted_files.libgccsso = \"file:/usr/lib/gcc/x86_64-linux-gnu/7/libgcc_s.so.1\"\nsgx.trusted_files.crtendSo = \"file:/usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o\" 2 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/abort.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | /* Test if the correct error code is propagated on a signal-induced exit. This should report 134 4 | * (128 + 6 where 6 is SIGABRT) as its return code. */ 5 | 6 | int main(int argc, char* arvg[]) { 7 | abort(); 8 | } 9 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/enclave_pages.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int init_enclave_pages(void); 5 | void* get_enclave_heap_top(void); 6 | void* get_enclave_pages(void* addr, size_t size, bool is_pal_internal); 7 | int free_enclave_pages(void* addr, size_t size); 8 | -------------------------------------------------------------------------------- /Runtime/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: all 2 | all: 3 | 4 | .PHONY: clean 5 | clean: 6 | $(RM) *.a *.o *.so *.so.* pal-* 7 | 8 | .PHONY: distclean 9 | distclean: clean 10 | 11 | .PHONY: format 12 | format: 13 | 14 | .PHONY: test 15 | test: 16 | 17 | .PHONY: sgx-tokens 18 | sgx-tokens: 19 | -------------------------------------------------------------------------------- /Pal/regression/Process2.c: -------------------------------------------------------------------------------- 1 | #include "api.h" 2 | #include "pal.h" 3 | #include "pal_debug.h" 4 | 5 | int main(int argc, char** argv, char** envp) { 6 | PAL_STR args[1] = {0}; 7 | if (DkProcessCreate("file:Bootstrap", args) == NULL) 8 | return 1; 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/enclave_ecalls.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #ifndef _ENCLAVE_ECALLS_H_ 4 | #define _ENCLAVE_ECALLS_H_ 5 | 6 | void handle_ecall(long ecall_index, void* ecall_args, void* exit_target, void* enclave_base_addr); 7 | 8 | #endif /* _ENCLAVE_ECALLS_H_ */ 9 | -------------------------------------------------------------------------------- /Documentation/Doxyfile-pal: -------------------------------------------------------------------------------- 1 | @INCLUDE = Doxyfile 2 | PROJECT_NAME = "PAL" 3 | OUTPUT_DIRECTORY = _build/doxygen-pal 4 | INPUT = ../Pal/include/arch/x86_64 ../Pal/include/pal ../Pal/src 5 | EXCLUDE = ../Pal/src/host 6 | MACRO_EXPANSION = YES 7 | EXPAND_ONLY_PREDEF = YES 8 | PREDEFINED = noreturn= __x86_64__=1 9 | -------------------------------------------------------------------------------- /Documentation/libos/shim-init.rst: -------------------------------------------------------------------------------- 1 | LibOS documentation 2 | =================== 3 | 4 | .. note:: 5 | 6 | This file is more like a |~| stub, not yet a |~| real documentation. 7 | 8 | There is a |~| random function: 9 | 10 | .. doxygenfunction:: object_wait_with_retry 11 | :project: libos 12 | -------------------------------------------------------------------------------- /Examples/pytorch/download-pretrained-model.py: -------------------------------------------------------------------------------- 1 | from torchvision import models 2 | import torch 3 | 4 | output_filename = "alexnet-pretrained.pt" 5 | alexnet = models.alexnet(pretrained=True) 6 | torch.save(alexnet, output_filename) 7 | 8 | print("Pre-trained model was saved in \"%s\"" % output_filename) 9 | -------------------------------------------------------------------------------- /Examples/ra-tls-secret-prov/files/README: -------------------------------------------------------------------------------- 1 | This directory contains auto-generated Protected Files, encrypted via pf_crypt. 2 | In particular, it contains: 3 | 4 | - `plain.txt` -- file to encrypt 5 | - `wrap-key` -- pre-generated wrap key 6 | 7 | Also, `input.txt` is generated by encoding `plain.txt` using `wrap-key`. 8 | -------------------------------------------------------------------------------- /.ci/docs.jenkinsfile: -------------------------------------------------------------------------------- 1 | pipeline { 2 | agent { 3 | dockerfile { filename '.ci/ubuntu18.04.dockerfile' } 4 | } 5 | stages { 6 | stage('build') { 7 | steps { 8 | sh 'make -C Documentation html SPHINXOPTS="-W"' 9 | } 10 | } 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /Pal/include/arch/x86_64/Linux-SGX/ucontext.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | /* 4 | * Linux-SGX PAL uses Linux's ucontext.h 5 | */ 6 | 7 | #ifndef _LINUX_SGX_UCONTEXT_H 8 | #define _LINUX_SGX_UCONTEXT_H 9 | 10 | #include "Linux/ucontext.h" 11 | 12 | #endif /* _LINUX_SGX_UCONTEXT_H */ 13 | -------------------------------------------------------------------------------- /Pal/include/arch/x86_64/Skeleton/ucontext.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | /* 4 | * Skeleton uses Linux's ucontext.h (for now) 5 | */ 6 | 7 | #ifndef _SKELETON_UCONTEXT_H 8 | #define _SKELETON_UCONTEXT_H 9 | 10 | #include "Linux/ucontext.h" 11 | 12 | #endif /* _SKELETON_UCONTEXT_H */ 13 | -------------------------------------------------------------------------------- /Pal/include/arch/x86_64/Linux-SGX/sigcontext.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | /* 4 | * Linux-SGX PAL uses Linux's sigcontext.h 5 | */ 6 | 7 | #ifndef _LINUX_SGX_SIGCONTEXT_H 8 | #define _LINUX_SGX_SIGCONTEXT_H 9 | 10 | #include "Linux/sigcontext.h" 11 | 12 | #endif /* _LINUX_SGX_SIGCONTEXT_H */ 13 | -------------------------------------------------------------------------------- /LibOS/shim/test/ltp/ltp-all.cfg: -------------------------------------------------------------------------------- 1 | # KEEP THIS FILE SORTED 2 | # in case of trouble, use ./contrib/conf_lint.py < FILENAME 3 | 4 | [DEFAULT] 5 | timeout = 30 6 | 7 | # Uses inline assembly to run tkill syscall directly, which can actually abort the whole Docker 8 | # container by sending SIGHUP to PID 1. 9 | [signal06] 10 | skip = yes 11 | -------------------------------------------------------------------------------- /Tools/gsc/test/ubuntu18.04-python3.dockerfile: -------------------------------------------------------------------------------- 1 | From ubuntu:18.04 2 | 3 | RUN apt-get update \ 4 | && apt-get install -y python3 \ 5 | && mkdir -p /graphene/Examples 6 | 7 | # Build environment of this Dockerfile should point to the root of Graphene's Examples/ 8 | COPY python-simple/ /graphene/Examples 9 | 10 | CMD ["python3"] 11 | -------------------------------------------------------------------------------- /tests/benchmarks/nginx.conf: -------------------------------------------------------------------------------- 1 | error_log nginx-error.log; 2 | pid nginx.pid; 3 | 4 | events {} 5 | 6 | http { 7 | access_log nginx-access.log; 8 | 9 | server { 10 | listen 8002 default_server; 11 | listen [::]:8002 default_server; 12 | server_name _; 13 | 14 | root http-root; 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /.clang-format: -------------------------------------------------------------------------------- 1 | BasedOnStyle: Google 2 | AlignConsecutiveAssignments: true 3 | AlignConsecutiveMacros: true 4 | AllowShortFunctionsOnASingleLine: Empty 5 | AllowShortIfStatementsOnASingleLine: false 6 | ColumnLimit: 100 7 | DerivePointerAlignment: false 8 | IndentWidth: 4 9 | ObjCBlockIndentWidth: 4 10 | PointerAlignment: Left 11 | TabWidth: 4 12 | -------------------------------------------------------------------------------- /LibOS/shim/test/fs/.gitignore: -------------------------------------------------------------------------------- 1 | /*.manifest 2 | /*.xml 3 | 4 | /pal_loader 5 | 6 | /copy_mmap_rev 7 | /copy_mmap_seq 8 | /copy_mmap_whole 9 | /copy_rev 10 | /copy_sendfile 11 | /copy_seq 12 | /copy_whole 13 | /delete 14 | /open_close 15 | /open_flags 16 | /read_write 17 | /seek_tell 18 | /stat 19 | /truncate 20 | /.cache 21 | 22 | /bin 23 | /lib 24 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/debug.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | __attribute__((noinline)) static void func(void) { 4 | printf("hello\n"); 5 | fflush(stdout); 6 | /* Prevent tail call, so that we get a stack trace including func(). */ 7 | __asm__ volatile(""); 8 | } 9 | 10 | int main(void) { 11 | func(); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /Pal/regression/Bootstrap6.manifest: -------------------------------------------------------------------------------- 1 | pal.entrypoint = "file:Bootstrap" 2 | loader.log_level = "debug" 3 | loader.preload = "file:Preload1.so,file:Preload2.so" 4 | loader.argv0_override = "Bootstrap" 5 | 6 | fs.mount.root.uri = "file:" 7 | 8 | sgx.enclave_size = "8192M" 9 | sgx.nonpie_binary = 1 10 | 11 | sgx.trusted_files.entrypoint = "file:Bootstrap" 12 | -------------------------------------------------------------------------------- /Tools/gsc/test/ubuntu18.04-nodejs.dockerfile: -------------------------------------------------------------------------------- 1 | From ubuntu:18.04 2 | 3 | WORKDIR /app 4 | 5 | RUN apt-get update \ 6 | && apt-get -y install nodejs \ 7 | && mkdir -p /graphene/Examples 8 | 9 | # Build environment of this Dockerfile should point to the root of Graphene's Examples/ 10 | COPY nodejs/ /graphene/Examples 11 | 12 | CMD ["node"] 13 | -------------------------------------------------------------------------------- /Pal/include/arch/x86_64/Linux-SGX/pal_host-arch.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | /* 4 | * This file contains Linux-SGX-specific functions related to the PAL. 5 | */ 6 | 7 | #ifndef __LINUX_SGX_X86_64_PAL_HOST_ARCH_H__ 8 | #define __LINUX_SGX_X86_64_PAL_HOST_ARCH_H__ 9 | 10 | #endif /* __LINUX_SGX_X86_64_PAL_HOST_ARCH_H__ */ 11 | -------------------------------------------------------------------------------- /meson_options.txt: -------------------------------------------------------------------------------- 1 | # TODO: after deprecating 18.04/bionic, change these to type: 'feature' 2 | option('direct', type: 'combo', choices: ['disabled', 'enabled'], 3 | description: 'Build and install graphene (aka Linux aka nonsgx)') 4 | option('sgx', type: 'combo', choices: ['disabled', 'enabled'], 5 | description: 'Build and install graphene-sgx (aka Linux-SGX)') 6 | -------------------------------------------------------------------------------- /Examples/bash/scripts/bash_test.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | times=$1 4 | [ "$times" -gt 0 ] 2>/dev/null || times=300 5 | 6 | for (( c=1; c<=times; c++ )) 7 | do 8 | echo "hello $c" 9 | cp somefile testdir/somefile 10 | cat somefile > testdir/createdfile 11 | ls testdir/ 12 | rm -rf testdir/somefile testdir/createdfile 13 | date +"current date is %D" 14 | done 15 | -------------------------------------------------------------------------------- /LibOS/shim/test/ltp/makevars.mk: -------------------------------------------------------------------------------- 1 | # Everything here must be absolute because other Makefiles assume this. 2 | ROOTDIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST)))) 3 | 4 | SRCDIR = $(ROOTDIR)/src 5 | BUILDDIR = $(ROOTDIR)/build 6 | INSTALLDIR = $(ROOTDIR)/install 7 | TESTCASEDIR = $(INSTALLDIR)/testcases/bin 8 | LTPSCENARIO = $(INSTALLDIR)/runtest/syscalls 9 | RUNLTPOPTS = 10 | -------------------------------------------------------------------------------- /Scripts/clean-check-prepare: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eu -o pipefail 4 | 5 | top_dir="$(readlink -m "${BASH_SOURCE[0]}/../..")" 6 | clean_dir="$top_dir.clean-check.clean" 7 | 8 | if [ -n "${JENKINS_HOME:-}" ] || [ -n "${HUDSON_HOME:-}" ]; then 9 | clean_dir="/tmp/$(basename "$clean_dir")" 10 | fi 11 | 12 | rm -rf "$clean_dir" 13 | cp -a "$top_dir" "$clean_dir" 14 | -------------------------------------------------------------------------------- /Examples/blender/test_all_scenes.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | for i in `ls "$DATA_DIR"/scenes/`; 6 | do 7 | rm -f "$DATA_DIR"/images/"$i"0001.png 8 | ./pal_loader "../blender" -b /data/scenes/$i -t 4 -F PNG -o /data/images/$i -f 1 9 | # TODO add a better test, probably some diff with a precomputed image 10 | [ -f "$DATA_DIR"/images/"$i"0001.png ] 11 | done 12 | -------------------------------------------------------------------------------- /Examples/nodejs-express-server/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "nodejs-express-server", 3 | "version": "1.0.0", 4 | "description": "Node.js express server hello world sample app.", 5 | "main": "helloworld.js", 6 | "dependencies": { 7 | "express": "^4.17.1" 8 | }, 9 | "author": "Eduardo Rodriguez", 10 | "email": "erodrig@us.ibm.com", 11 | "license": "ISC" 12 | } 13 | -------------------------------------------------------------------------------- /Pal/regression/Sleep.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_debug.h" 3 | 4 | int main(int argc, char** argv, char** envp) { 5 | long sleeping = 3000000; 6 | 7 | pal_printf("Enter Main Thread\n"); 8 | pal_printf("Sleeping %ld microsecond...\n", sleeping); 9 | DkThreadDelayExecution(sleeping); 10 | pal_printf("Leave Main Thread\n"); 11 | 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /Pal/regression/Preload1.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_debug.h" 3 | 4 | /* prototype required due to -Wmissing-prototypes */ 5 | void preload_func1(void); 6 | 7 | void preload_func1(void) { 8 | pal_printf("Preloaded Function 1 Called\n"); 9 | } 10 | 11 | int main(int argc, char** argv, char** envp) { 12 | pal_printf("Binary 1 Preloaded\n"); 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /Pal/regression/Preload2.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_debug.h" 3 | 4 | /* prototype required due to -Wmissing-prototypes */ 5 | void preload_func2(void); 6 | 7 | void preload_func2(void) { 8 | pal_printf("Preloaded Function 2 Called\n"); 9 | } 10 | 11 | int main(int argc, char** argv, char** envp) { 12 | pal_printf("Binary 2 Preloaded\n"); 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /Pal/src/host/Skeleton/db_rtld.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This file contains host-specific code related to linking and reporting ELFs to debugger. 6 | */ 7 | 8 | #include "pal_rtld.h" 9 | 10 | void _DkDebugMapAdd(const char* name, void* addr) {} 11 | 12 | void _DkDebugMapRemove(void* addr) {} 13 | -------------------------------------------------------------------------------- /Tools/gsc/test/ubuntu18.04-numpy.dockerfile: -------------------------------------------------------------------------------- 1 | From ubuntu:18.04 2 | 3 | RUN apt-get update \ 4 | && apt-get install -y python3 python3-pip git \ 5 | && pip3 install numpy \ 6 | && mkdir -p /graphene/Examples 7 | 8 | # Build environment of this Dockerfile should point to the root of Graphene's Examples/ 9 | COPY python-scipy-insecure/ /graphene/Examples 10 | 11 | CMD ["python3"] 12 | -------------------------------------------------------------------------------- /LibOS/shim/include/shim_context.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | /* 4 | * This file contains definitions for CPU context. 5 | */ 6 | 7 | #ifndef _SHIM_CONTEXT_H_ 8 | #define _SHIM_CONTEXT_H_ 9 | 10 | void shim_xstate_init(void); 11 | uint64_t shim_xstate_size(void); 12 | void shim_xstate_restore(const void* xstate_extended); 13 | 14 | #endif /* _SHIM_CONTEXT_H_ */ 15 | -------------------------------------------------------------------------------- /Pal/regression/..Bootstrap.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_debug.h" 3 | 4 | int main(int argc, char** argv, char** envp) { 5 | /* check if the program is loaded */ 6 | pal_printf("User Program Started\n"); 7 | 8 | /* check control block */ 9 | /* check executable name */ 10 | pal_printf("Loaded Executable: %s\n", pal_control.executable); 11 | 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /Pal/regression/manifest.template: -------------------------------------------------------------------------------- 1 | pal.entrypoint = "file:$(ENTRYPOINT)" 2 | loader.log_level = "debug" 3 | loader.insecure__use_cmdline_argv = 1 4 | 5 | fs.mount.root.uri = "file:" 6 | sgx.trusted_files.entrypoint = "file:$(ENTRYPOINT)" 7 | sgx.nonpie_binary = 1 # all tests are currently non-PIE unless overridden 8 | 9 | sgx.allowed_files.to_send_tmp = "file:to_send.tmp" # for SendHandle test 10 | -------------------------------------------------------------------------------- /Pal/regression/File.manifest: -------------------------------------------------------------------------------- 1 | pal.entrypoint = "file:File" 2 | loader.argv0_override = "File" 3 | loader.log_level = "debug" 4 | 5 | fs.mount.root.uri = "file:" 6 | 7 | sgx.nonpie_binary = 1 8 | 9 | sgx.trusted_files.tmp1 = "file:File" 10 | sgx.trusted_files.tmp2 = "file:../regression/File" 11 | sgx.allowed_files.tmp3 = "file:file_nonexist.tmp" 12 | sgx.allowed_files.tmp4 = "file:file_delete.tmp" 13 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/bootstrap_pie.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | static void* ptr = NULL; 4 | 5 | int main(int argc, const char** argv, const char** envp) { 6 | printf("User program started\n"); 7 | printf("Local Address in Executable: %p\n", &ptr); 8 | 9 | for (int i = 0; i < argc; i++) { 10 | printf("argv[%d] = %s\n", i, argv[i]); 11 | } 12 | 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /Pal/src/host/Linux/pal_linux_defs.h: -------------------------------------------------------------------------------- 1 | #ifndef PAL_LINUX_DEFS_H 2 | #define PAL_LINUX_DEFS_H 3 | 4 | /* mmap minimum address cannot start at zero (modern OSes do not allow this) */ 5 | #define MMAP_MIN_ADDR 0x10000 6 | 7 | #define THREAD_STACK_SIZE (PRESET_PAGESIZE * 16) /* 64KB user stack */ 8 | #define ALT_STACK_SIZE (PRESET_PAGESIZE * 16) /* 64KB signal stack */ 9 | 10 | #endif /* PAL_LINUX_DEFS_H */ 11 | -------------------------------------------------------------------------------- /.ci/lib/config.jenkinsfile: -------------------------------------------------------------------------------- 1 | env.DOCKER_ARGS_COMMON = ''' 2 | --device=/dev/kmsg:/dev/kmsg 3 | ''' 4 | env.DOCKER_ARGS_SGX = ''' 5 | --volume=/lib/modules:/lib/modules:ro 6 | --volume=/usr/src:/usr/src:ro 7 | --volume=/var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket 8 | --device=/dev/gsgx:/dev/gsgx 9 | --device=/dev/isgx:/dev/isgx 10 | ''' 11 | env.WERROR = '1' 12 | env.MAKEOPTS = '-j8' 13 | -------------------------------------------------------------------------------- /LibOS/shim/src/vdso/vdso-data.S: -------------------------------------------------------------------------------- 1 | .section .rodata 2 | 3 | .global vdso_so 4 | .type vdso_so, @object 5 | .align 4 6 | vdso_so: 7 | .incbin "vdso/vdso.so" 8 | 9 | .global vdso_so_end 10 | .type vdso_so_end, @object 11 | .align 4 12 | vdso_so_end: 13 | 14 | .global vdso_so_size 15 | .type vdso_so_size, @object 16 | .size vdso_so_size, 8 17 | .align 8 18 | vdso_so_size: 19 | .quad vdso_so_end - vdso_so 20 | -------------------------------------------------------------------------------- /LibOS/shim/test/fs/copy_whole.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | void copy_data(int fi, int fo, const char* input_path, const char* output_path, size_t size) { 4 | void* data = alloc_buffer(size); 5 | read_fd(input_path, fi, data, size); 6 | printf("read_fd(%zu) input OK\n", size); 7 | write_fd(output_path, fo, data, size); 8 | printf("write_fd(%zu) output OK\n", size); 9 | free(data); 10 | } 11 | -------------------------------------------------------------------------------- /Tools/gsc/gsc: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # SPDX-License-Identifier: LGPL-3.0-or-later 3 | # Copyright (C) 2020 Intel Corp. 4 | # Anjo Vahldiek-Oberwagner 5 | 6 | import sys 7 | import os 8 | 9 | sys.path.insert(0, os.path.dirname(__file__)) 10 | from gsc import main # pylint: disable=import-error,wrong-import-position 11 | 12 | sys.exit(main(sys.argv)) 13 | -------------------------------------------------------------------------------- /Pal/lib/string/memcmp.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #include 4 | 5 | #include "api.h" 6 | 7 | int memcmp(const void* lhs, const void* rhs, size_t count) { 8 | const unsigned char* l = lhs; 9 | const unsigned char* r = rhs; 10 | while (count && *l == *r) { 11 | count--; 12 | l++; 13 | r++; 14 | } 15 | return count ? *l - *r : 0; 16 | } 17 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/str_close_leak.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int main(int argc, char** argv) { 7 | for (int i = 0; i < 1000000; i++) { 8 | int fd = open("/proc/meminfo", O_RDONLY); 9 | if (fd == -1) 10 | abort(); 11 | close(fd); 12 | } 13 | 14 | printf("Success\n"); 15 | 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | include Scripts/Makefile.configs 2 | 3 | targets = all clean format test sgx-tokens distclean 4 | 5 | ifneq ($(filter sgx-tokens,$(MAKECMDGOALS)),) 6 | ifneq ($(SGX),1) 7 | $(error "The 'sgx-tokens' target requires SGX=1") 8 | endif 9 | endif 10 | 11 | .PHONY: $(targets) 12 | $(targets): 13 | $(MAKE) -C Scripts $@ 14 | $(MAKE) -C Pal $@ 15 | $(MAKE) -C LibOS $@ 16 | $(MAKE) -C Runtime $@ 17 | $(MAKE) -C Tools $@ 18 | -------------------------------------------------------------------------------- /Pal/include/arch/x86_64/rng-arch.h: -------------------------------------------------------------------------------- 1 | #ifndef _X86_64_RNG_ARCH_H 2 | #define _X86_64_RNG_ARCH_H 3 | 4 | #include 5 | 6 | /* get a 64 bit random number; compile with -mrdrnd */ 7 | static inline unsigned long long get_rand64(void) { 8 | unsigned long long rand64; 9 | while (__builtin_ia32_rdrand64_step(&rand64) == 0) 10 | /*nop*/; 11 | return rand64; 12 | } 13 | 14 | #endif /* _X86_64_RNG_ARCH_H */ 15 | -------------------------------------------------------------------------------- /Documentation/Doxyfile: -------------------------------------------------------------------------------- 1 | # This is a common Doxyfile, actual listings are built from Doxyfile-* 2 | 3 | GENERATE_XML = YES 4 | XML_PROGRAMLISTING = NO 5 | XML_OUTPUT = xml 6 | 7 | GENERATE_HTML = NO 8 | GENERATE_LATEX = NO 9 | 10 | WARN_NO_PARAMDOC = YES 11 | WARN_AS_ERROR = NO 12 | OPTIMIZE_OUTPUT_FOR_C = YES 13 | EXTRACT_STATIC = YES 14 | 15 | ALIASES = "rst=\verbatim embed:rst:leading-asterisk" 16 | ALIASES += "endrst=\endverbatim" 17 | -------------------------------------------------------------------------------- /Examples/python-simple/scripts/test-http.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import sys 4 | import urllib.request 5 | 6 | request = urllib.request.Request("http://" + sys.argv[1] + ":" + sys.argv[2] + "/index.html") 7 | opener = urllib.request.build_opener() 8 | response = opener.open(request, timeout=10) 9 | while True: 10 | data = response.read(1024) 11 | if data: 12 | print(data.decode()) 13 | else: 14 | break 15 | -------------------------------------------------------------------------------- /LibOS/shim/include/arch/x86_64/shim_types-arch.h: -------------------------------------------------------------------------------- 1 | #ifndef _SHIM_TYPES_ARCH_H_ 2 | #define _SHIM_TYPES_ARCH_H_ 3 | 4 | #include 5 | 6 | #include "shim_tcb-arch.h" 7 | 8 | /* asm/signal.h */ 9 | #define NUM_SIGS 64 10 | #define SIGRTMIN 32 11 | 12 | typedef struct { 13 | unsigned long __val[NUM_SIGS / (8 * sizeof(unsigned long))]; 14 | } __sigset_t; 15 | 16 | #define RED_ZONE_SIZE 128 17 | 18 | #endif /* _SHIM_TYPES_ARCH_H_ */ 19 | -------------------------------------------------------------------------------- /LibOS/shim/include/shim_vdso.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* 3 | * Copyright 2018 Intel Corporation. 4 | * Copyright 2018 Isaku Yamahata 5 | * 6 | */ 7 | 8 | #ifndef _SHIM_VDSO_H_ 9 | #define _SHIM_VDSO_H_ 10 | 11 | extern const uint8_t vdso_so[]; 12 | extern const size_t vdso_so_size; 13 | 14 | #endif /* _SHIM_VDSO_H_ */ 15 | -------------------------------------------------------------------------------- /Scripts/manifest.mk: -------------------------------------------------------------------------------- 1 | ifeq ($(PAL_HOST),) 2 | $(error include Makefile.configs before including manifest.mk) 3 | endif 4 | 5 | MAKEFILE_MANIFEST_DIR := $(dir $(lastword $(MAKEFILE_LIST))) 6 | 7 | %.manifest: %.manifest.template 8 | $(call cmd,manifest,$*,$(manifest_rules)) 9 | 10 | %.manifest: manifest.template 11 | $(call cmd,manifest,$*,$(manifest_rules)) 12 | 13 | -include $(MAKEFILE_MANIFEST_DIR)/../Pal/src/host/$(PAL_HOST)/manifest.mk 14 | -------------------------------------------------------------------------------- /Pal/include/pal/generated-offsets-build.h: -------------------------------------------------------------------------------- 1 | #ifndef GENERATED_OFFSETS_BUILD_H 2 | #define GENERATED_OFFSETS_BUILD_H 3 | 4 | #define DEFINE(name, value) \ 5 | __asm__ volatile(".ascii \"GENERATED_INTEGER " #name " %0 \"\n" ::"i"(value)) 6 | 7 | #define OFFSET(name, str, member) DEFINE(name, offsetof(struct str, member)) 8 | #define OFFSET_T(name, str_t, member) DEFINE(name, offsetof(str_t, member)) 9 | 10 | #endif /* GENERATED_OFFSETS_BUILD_H */ 11 | -------------------------------------------------------------------------------- /Pal/regression/Process3.c: -------------------------------------------------------------------------------- 1 | #include "api.h" 2 | #include "pal.h" 3 | #include "pal_debug.h" 4 | 5 | int main(int argc, char** argv, char** envp) { 6 | PAL_STR args[1] = {0}; 7 | 8 | // Hack to differentiate parent from child 9 | if (argc == 1) { 10 | PAL_HANDLE child = DkProcessCreate(pal_control.executable, args); 11 | 12 | if (child) 13 | pal_printf("Creating child OK\n"); 14 | } 15 | 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/is-sgx-available/Makefile: -------------------------------------------------------------------------------- 1 | PREFIX ?= /usr/local 2 | 3 | .PHONY: all 4 | all: is_sgx_available 5 | 6 | .PHONY: install 7 | install: 8 | install -D is_sgx_available -t ${PREFIX}/bin 9 | 10 | .PHONY: clean 11 | clean: 12 | $(RM) is_sgx_available 13 | 14 | .PHONY: distclean 15 | distclean: clean 16 | 17 | is_sgx_available: is_sgx_available.cpp 18 | g++ -O2 -std=c++14 -DNDEBUG -Wall -Wextra -Wno-multichar -masm=intel $< -o $@ 19 | -------------------------------------------------------------------------------- /Tools/Makefile: -------------------------------------------------------------------------------- 1 | include ../Scripts/Makefile.configs 2 | include ../Scripts/Makefile.rules 3 | 4 | .PHONY: all 5 | all: argv_serializer 6 | 7 | .PHONY: test sgx-tokens 8 | test sgx-tokens: 9 | 10 | .PHONY: format 11 | format: 12 | clang-format -i $(shell find . \( -name '*.h' -o -name '*.c' \) -print) 13 | 14 | %: %.c 15 | $(call cmd,csingle) 16 | 17 | .PHONY: clean 18 | clean: 19 | $(RM) argv_serializer *.d 20 | 21 | .PHONY: distclean 22 | distclean: clean 23 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/Makefile: -------------------------------------------------------------------------------- 1 | include ../../../../../Scripts/Makefile.configs 2 | include ../../../../../Scripts/Makefile.rules 3 | 4 | targets = all clean distclean install 5 | 6 | .PHONY: $(targets) 7 | $(targets): 8 | $(MAKE) -C common $@ 9 | $(MAKE) -C is-sgx-available $@ 10 | $(MAKE) -C quote-dump $@ 11 | $(MAKE) -C ias-request $@ 12 | $(MAKE) -C verify-ias-report $@ 13 | $(MAKE) -C ra-tls $@ 14 | $(MAKE) -C pf_crypt $@ 15 | $(MAKE) -C pf_tamper $@ 16 | -------------------------------------------------------------------------------- /Tools/gsc/test/ubuntu18.04-pytorch.dockerfile: -------------------------------------------------------------------------------- 1 | From ubuntu:18.04 2 | 3 | RUN apt-get update \ 4 | && apt-get install -y python3 python3-pip \ 5 | && pip3 install torch torchvision \ 6 | && mkdir -p /graphene/Examples 7 | 8 | # Build environment of this Dockerfile should point to the root of Graphene's Examples/ 9 | COPY pytorch/ /graphene/Examples 10 | 11 | WORKDIR /graphene/Examples 12 | 13 | RUN python3 download-pretrained-model.py 14 | 15 | CMD ["python3"] 16 | -------------------------------------------------------------------------------- /LibOS/shim/src/vdso/arch/x86_64/vdso.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #ifndef _SHIM_VDSO_X86_64_H_ 4 | #define _SHIM_VDSO_X86_64_H_ 5 | 6 | #include "shim_types.h" 7 | 8 | int __vdso_clock_gettime(clockid_t clock, struct timespec* t); 9 | int __vdso_gettimeofday(struct timeval* tv, struct timezone* tz); 10 | time_t __vdso_time(time_t* t); 11 | long __vdso_getcpu(unsigned* cpu, struct getcpu_cache* unused); 12 | 13 | #endif /* _SHIM_VDSO_X86_64_H_ */ 14 | -------------------------------------------------------------------------------- /Examples/ra-tls-secret-prov/src/secret_prov_min_client.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Intel Labs */ 3 | 4 | #include 5 | #include 6 | 7 | int main(int argc, char** argv) { 8 | char* secret = getenv("SECRET_PROVISION_SECRET_STRING"); 9 | if (secret) 10 | printf("--- Received secret = '%s' ---\n", secret); 11 | else 12 | printf("--- Did not receive any secret! ---\n"); 13 | 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-common/stack_protector.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Intel Corporation */ 3 | 4 | #include "api.h" 5 | #include "linux_utils.h" 6 | #include "pal_internal.h" 7 | 8 | /* we use GCC's stack protector; when it detects corrupted stack, it calls __stack_chk_fail() */ 9 | noreturn void __stack_chk_fail(void) { 10 | printf("Stack protector: Graphene PAL internal stack corruption detected\n"); 11 | _DkProcessExit(1); 12 | } 13 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/exec.c: -------------------------------------------------------------------------------- 1 | #define _XOPEN_SOURCE 700 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main(int argc, const char** argv, const char** envp) { 8 | int newfd = dup(1); 9 | char fd_argv[4]; 10 | snprintf(fd_argv, 4, "%d", newfd); 11 | char* const new_argv[] = {"./exec_victim", fd_argv, NULL}; 12 | 13 | setenv("IN_EXECVE", "1", 1); 14 | 15 | execv(new_argv[0], new_argv); 16 | return 1; 17 | } 18 | -------------------------------------------------------------------------------- /Pal/include/host/Linux-common/linux_utils.h: -------------------------------------------------------------------------------- 1 | #ifndef _LINUX_UTILS_H 2 | #define _LINUX_UTILS_H 3 | 4 | double get_bogomips_from_cpuinfo_buf(const char* buf); 5 | double sanitize_bogomips_value(double); 6 | 7 | char* get_main_exec_path(void); 8 | 9 | int read_text_file_to_cstr(const char* path, char** out); 10 | 11 | /* called only from GCC-emitted code; declare here to suppress GCC warn "no previous prototype" */ 12 | noreturn void __stack_chk_fail(void); 13 | 14 | #endif // _LINUX_UTILS_H 15 | 16 | -------------------------------------------------------------------------------- /Scripts/clean-check-test-copy: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eu -o pipefail 4 | 5 | # Creates a test copy where you can check `make clean` without messing with 6 | # your main dir. 7 | 8 | top_dir="$(readlink -m "${BASH_SOURCE[0]}/../..")" 9 | test_dir="$top_dir.clean-check.test" 10 | 11 | if [ -n "${JENKINS_HOME:-}" ] || [ -n "${HUDSON_HOME:-}" ]; then 12 | test_dir="/tmp/$(basename "$test_dir")" 13 | fi 14 | 15 | rm -rf "$test_dir" 16 | cp -a "$top_dir" "$test_dir" 17 | echo "$test_dir" 18 | -------------------------------------------------------------------------------- /Pal/regression/Bootstrap7.c: -------------------------------------------------------------------------------- 1 | #include "pal_debug.h" 2 | 3 | int main(int argc, char** argv, char** envp) { 4 | /* check if the programriables in the manifest should appear is loaded */ 5 | pal_printf("User Program Started\n"); 6 | 7 | /* check control block */ 8 | /* print all environmental variables */ 9 | /* environmental variables in Manifest should appear */ 10 | for (int i = 0; envp[i]; i++) { 11 | pal_printf("%s\n", envp[i]); 12 | } 13 | 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /Pal/regression/Bootstrap3.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_debug.h" 3 | 4 | void preload_func1(void); 5 | void preload_func2(void); 6 | 7 | int main(int argc, char** argv, char** envp) { 8 | /* check if the program is loaded */ 9 | pal_printf("User Program Started\n"); 10 | 11 | /* check control block */ 12 | /* check executable name */ 13 | pal_printf("Loaded Executable: %s\n", pal_control.executable); 14 | 15 | preload_func1(); 16 | preload_func2(); 17 | 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /Examples/python-scipy-insecure/scripts/test-numpy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import timeit 4 | 5 | import numpy 6 | 7 | try: 8 | import numpy.core._dotblas 9 | except ImportError: 10 | pass 11 | 12 | print("numpy version: " + numpy.__version__) 13 | 14 | x = numpy.random.random((1000, 1000)) 15 | 16 | setup = "import numpy; x = numpy.random.random((1000, 1000))" 17 | count = 5 18 | 19 | t = timeit.Timer("numpy.dot(x, x.T)", setup=setup) 20 | print("numpy.dot: " + str(t.timeit(count)/count) + " sec") 21 | -------------------------------------------------------------------------------- /Pal/src/host/Linux/pal_security.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | #ifndef PAL_SECURITY_H 5 | #define PAL_SECURITY_H 6 | 7 | #include 8 | 9 | #include "pal.h" 10 | #include "sysdeps/generic/ldsodefs.h" 11 | 12 | extern struct pal_sec { 13 | /* system variables */ 14 | unsigned int process_id; 15 | int random_device; 16 | } g_pal_sec; 17 | 18 | #define RANDGEN_DEVICE "/dev/urandom" 19 | 20 | #endif /* PAL_SECURITY_H */ 21 | -------------------------------------------------------------------------------- /python/graphenelibos/aesm.proto: -------------------------------------------------------------------------------- 1 | message GetTokenReqRaw { 2 | required bytes signature = 1; 3 | required bytes key = 2; 4 | required bytes attributes = 3; 5 | required uint32 timeout = 9; 6 | } 7 | 8 | message GetTokenReq { 9 | required GetTokenReqRaw req = 3; 10 | } 11 | 12 | message GetTokenRetRaw { 13 | required int32 error = 1; 14 | optional bytes token = 2; 15 | } 16 | 17 | message GetTokenRet { 18 | required GetTokenRetRaw ret = 3; 19 | } 20 | -------------------------------------------------------------------------------- /.dir-locals.el: -------------------------------------------------------------------------------- 1 | ((nil . ((indent-tabs-mode . nil) 2 | (tab-width . 4) 3 | (fill-column . 100))) 4 | (c-mode . ((c-file-style . "k&r") 5 | (c-basic-offset . 4))) 6 | (makefile-mode . ((indent-tabs-mode . t))) 7 | (asm-mode . ((indent-tabs-mode . t))) 8 | (shell-script-mode . ((indent-tabs-mode . t))) 9 | ("\.git/COMMIT_EDITMSG" . ((nil . ((fill-column . 80))))) 10 | (rst-mode . ((fill-column . 80))) 11 | ((nil . ((truncate-lines . t))) 12 | (text-mode . ((eval . ((turn-on-auto-fill))))))) 13 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 5 | 6 | ## Description of the changes 7 | 8 | 11 | 12 | ## How to test this PR? 13 | 14 | -------------------------------------------------------------------------------- /Examples/python-scipy-insecure/scripts/test-scipy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import timeit 4 | 5 | setup = "import numpy;\ 6 | import scipy.linalg as linalg;\ 7 | x = numpy.random.random((1000,1000));\ 8 | z = numpy.dot(x, x.T)" 9 | count = 5 10 | 11 | t = timeit.Timer("linalg.cholesky(z, lower=True)", setup=setup) 12 | print("linalg.cholesky: " + str(t.timeit(count)/count) + "sec") 13 | 14 | t = timeit.Timer("linalg.svd(z)", setup=setup) 15 | print("linalg.svd: " + str(t.timeit(count)/count) + "sec") 16 | -------------------------------------------------------------------------------- /Pal/src/host/Linux/pal_start-x86_64.S: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | /* 4 | * pal_start-x86_64.S 5 | * 6 | * This file contains architecture-specific implementation of pal_start. 7 | */ 8 | 9 | #include "sysdep-arch.h" 10 | 11 | .text 12 | ENTRY(pal_start) 13 | movq %rsp, %rdi /* 1st arg for pal_linux_main: initial RSP */ 14 | movq %rdx, %rsi /* 2nd arg: fini callback */ 15 | xorq %rbp, %rbp /* mark the last stack frame with RBP == 0 (for debuggers) */ 16 | andq $~15, %rsp 17 | call pal_linux_main 18 | -------------------------------------------------------------------------------- /.ci/run-shellcheck: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | cd "$(git rev-parse --show-toplevel)" 6 | 7 | LC_ALL=C.UTF-8 shellcheck "$@" \ 8 | Examples/bash/scripts/bash_test.sh \ 9 | Examples/common_tools/benchmark-http.sh \ 10 | Examples/python-simple/run-tests.sh \ 11 | Runtime/pal_loader \ 12 | Scripts/clean-check \ 13 | Scripts/clean-check-prepare \ 14 | Scripts/clean-check-test-copy \ 15 | Scripts/download \ 16 | Scripts/gitignore-test \ 17 | Scripts/run-pytest \ 18 | .ci/run-pylint \ 19 | .ci/run-shellcheck 20 | -------------------------------------------------------------------------------- /Examples/nodejs/README.md: -------------------------------------------------------------------------------- 1 | # Node.js 2 | 3 | This directory contains a Makefile and template manifest to run Node.js on Graphene. We tested it 4 | with Node.js 8.10.0 on Ubuntu 18.04. This example uses Node.js installed on the system instead of 5 | compiling from source as some of the other examples do. 6 | 7 | The Makefile and the template manifest contain comments to hopefully make them easier to understand. 8 | 9 | # Quick Start 10 | 11 | To run the regression test execute ```make check```. To do the same for SGX, execute ```make SGX=1 12 | check```. 13 | -------------------------------------------------------------------------------- /Documentation/devel/benchmarks.rst: -------------------------------------------------------------------------------- 1 | Benchmarking 2 | ============ 3 | 4 | We have some `Airspeed Velocity `__ benchmarks 5 | available. 6 | 7 | After :doc:`building graphene <../building>`: 8 | 9 | .. code-block:: sh 10 | 11 | cd tests 12 | make -C benchmarks 13 | ISGX_DRIVER_PATH=/opt/intel/SGXDataCenterAttestationPrimitives/driver/linux asv run -ve $SOME_OLD_COMMIT^..HEAD 14 | 15 | The first time you run the benchmark, you will be asked some questions about 16 | your current machine. See ASV documentation for more info. 17 | -------------------------------------------------------------------------------- /LibOS/shim/Makefile: -------------------------------------------------------------------------------- 1 | include ../../Scripts/Makefile.configs 2 | 3 | MAKEFLAGS += --check-symlink-times 4 | 5 | .PHONY: all 6 | all: 7 | $(MAKE) -C src 8 | 9 | .PHONY: test 10 | test: 11 | $(MAKE) -C test 12 | 13 | .PHONY: sgx-tokens 14 | sgx-tokens: 15 | $(MAKE) -C test sgx-tokens 16 | 17 | clean_targets = clean distclean 18 | .PHONY: $(clean_targets) 19 | $(clean_targets): 20 | $(MAKE) -C src $@ 21 | $(MAKE) -C test $@ 22 | 23 | .PHONY: format 24 | format: 25 | clang-format -i $(shell find . -path ./test/ltp -prune -o \( -name '*.h' -o -name '*.c' \) -print) 26 | -------------------------------------------------------------------------------- /Pal/crt_init/Makefile: -------------------------------------------------------------------------------- 1 | include ../../Scripts/Makefile.configs 2 | include ../../Scripts/Makefile.rules 3 | 4 | files_to_build += user_start.o user_shared_start.o 5 | 6 | .PHONY: all test 7 | all: $(files_to_build) 8 | test: 9 | 10 | user_start.o: user_start-$(ARCH).S 11 | $(call cmd,as_o_S) 12 | 13 | ASFLAGS-user_shared_start.o = -DSHARED -fPIC 14 | user_shared_start.o: user_start-$(ARCH).S 15 | $(call cmd,as_o_S) 16 | 17 | include $(wildcard *.d) 18 | 19 | .PHONY: clean 20 | clean: 21 | $(RM) $(files_to_build) *.d 22 | 23 | .PHONY: distclean 24 | distclean: clean 25 | -------------------------------------------------------------------------------- /Pal/regression/Segment.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_debug.h" 3 | 4 | void* dummy = &dummy; 5 | 6 | int main(int argc, char** argv, char** envp) { 7 | if (!DkSegmentRegisterSet(PAL_SEGMENT_FS, dummy)) { 8 | pal_printf("Error setting FS\n"); 9 | return 1; 10 | } 11 | 12 | void** ptr; 13 | __asm__ volatile("mov %%fs:0, %0" : "=r"(ptr)::"memory"); 14 | 15 | if (ptr != &dummy) { 16 | pal_printf("Wrong FS set: %p\n", ptr); 17 | return 1; 18 | } 19 | 20 | pal_printf("Test OK\n"); 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /Examples/ra-tls-secret-prov/certs/README: -------------------------------------------------------------------------------- 1 | This directory contains pre-generated example certificates, copied from mbedTLS 2 | for simplicity. In particular: 3 | 4 | - `test-ca-sha256.crt` -- RSA SHA256 root CA certificate in PEM format. Loaded 5 | in client (attester) so that client can verify the server's certificate. 6 | - `server2-sha256.crt` -- RSA SHA256 leaf server certificate in PEM format. 7 | Loaded in server (verifier), so it will send it to the client during TLS 8 | handshake. 9 | - `server2.key` -- RSA private key in PEM format. Loaded in server (verifier). 10 | -------------------------------------------------------------------------------- /LibOS/shim/src/shim_object.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "shim_internal.h" 3 | 4 | int object_wait_with_retry(PAL_HANDLE handle) { 5 | PAL_BOL ret; 6 | do { 7 | ret = DkSynchronizationObjectWait(handle, NO_TIMEOUT); 8 | } while (!ret && (PAL_NATIVE_ERRNO() == PAL_ERROR_INTERRUPTED || 9 | PAL_NATIVE_ERRNO() == PAL_ERROR_TRYAGAIN)); 10 | 11 | if (!ret) { 12 | debug("waiting on %p resulted in error %s", handle, pal_strerror(PAL_NATIVE_ERRNO())); 13 | return -PAL_NATIVE_ERRNO(); 14 | } 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /.ci/lib/stage-build-nosgx.jenkinsfile: -------------------------------------------------------------------------------- 1 | stage('build') { 2 | sh ''' 3 | make ${MAKEOPTS} 4 | make ${MAKEOPTS} test 5 | make ${MAKEOPTS} -C Pal/src PAL_HOST=Skeleton 6 | ''' 7 | 8 | try { 9 | sh ''' 10 | meson build \ 11 | -Ddirect=enabled \ 12 | -Dsgx=disabled 13 | ninja -C build 14 | DESTDIR=$PWD/install ninja -C build install 15 | ''' 16 | } finally { 17 | archiveArtifacts 'build/meson-logs/**/*' 18 | } 19 | sh 'rm -rf build install' 20 | } 21 | -------------------------------------------------------------------------------- /Examples/nodejs-express-server/helloworld.js: -------------------------------------------------------------------------------- 1 | const express = require('express') 2 | const app = express() 3 | const args = process.argv; 4 | 5 | if (args == null || args.length != 3) { 6 | console.log('Error: The only argument required is the port number.') 7 | return; 8 | } 9 | 10 | const port = process.argv[2]; 11 | 12 | if (isNaN(port)) { 13 | console.log('Error: Port argument is not a number.') 14 | return; 15 | } 16 | 17 | app.get('/', (req, res) => res.send('Hello World!')) 18 | 19 | app.listen(port, () => console.log(`Example app listening on port ${port}!`)) 20 | -------------------------------------------------------------------------------- /Pal/lib/string/ctype.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: MIT */ 2 | /* Adapted from musl v1.2.1. Copyright © 2005-2020 Rich Felker, et al. */ 3 | 4 | #include "api.h" 5 | 6 | int islower(int c) { 7 | return (unsigned)c - 'a' < 26; 8 | } 9 | 10 | int toupper(int c) { 11 | if (islower(c)) 12 | return c & 0x5f; 13 | return c; 14 | } 15 | 16 | int isalpha(int c) { 17 | return ((unsigned)c | 32) - 'a' < 26; 18 | } 19 | 20 | int isdigit(int c) { 21 | return (unsigned)c - '0' < 10; 22 | } 23 | 24 | int isalnum(int c) { 25 | return isalpha(c) || isdigit(c); 26 | } 27 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/sgx_gdb_info.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Intel Corporation 3 | * Michał Kowalczyk 4 | */ 5 | 6 | #include "pal_debug.h" 7 | #include "sgx_internal.h" 8 | 9 | /* This function is hooked by our gdb integration script and should be left as is. */ 10 | __attribute__((__noinline__)) void update_debugger(void) { 11 | __asm__ volatile(""); // Required in addition to __noinline__ to prevent deleting this function. 12 | // See GCC docs. 13 | } 14 | -------------------------------------------------------------------------------- /Tools/gsc/templates/apploader.template: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -ex 4 | 5 | # Set default PAL to Linux-SGX 6 | if [ -z "$GSC_PAL" ] || [ "$GSC_PAL" == "Linux-SGX" ] 7 | then 8 | GSC_PAL=Linux-SGX 9 | /graphene/python/graphene-sgx-get-token -output /entrypoint.token -sig /entrypoint.sig 10 | /graphene/Runtime/pal-$GSC_PAL /graphene/Runtime/libpal-$GSC_PAL.so init /entrypoint {% if insecure_args %}{{binary_arguments}} "${@}"{% endif %} 11 | else 12 | /graphene/Runtime/pal-$GSC_PAL /graphene/Runtime/libpal-$GSC_PAL.so init /entrypoint {{binary_arguments}} "${@}" 13 | fi 14 | -------------------------------------------------------------------------------- /Tools/argv_serializer.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Invisible Things Lab 3 | * Michał Kowalczyk 4 | */ 5 | 6 | /* Helper tool for protected argv ("loader.argv_src_file" manifest option). See Graphene 7 | * documentation for usage. 8 | */ 9 | 10 | #include 11 | #include 12 | 13 | int main(int argc, char* argv[]) { 14 | for (int i = 1; i < argc; i++) 15 | if (fwrite(argv[i], strlen(argv[i]) + 1, 1, stdout) != 1) 16 | return 1; 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /Examples/apache/ssl/ca_config.conf: -------------------------------------------------------------------------------- 1 | [ req ] 2 | default_bits = 4096 3 | default_md = sha512 4 | default_keyfile = example.com.key 5 | prompt = no 6 | encrypt_key = no 7 | distinguished_name = req_distinguished_name 8 | 9 | [ req_distinguished_name ] 10 | countryName = "XX" # C= 11 | localityName = "XXXXX" # L= 12 | organizationName = "My Company" # O= 13 | organizationalUnitName = "Department" # OU= 14 | commonName = "*.example.com" # CN= 15 | emailAddress = "me@example.com" # email 16 | 17 | -------------------------------------------------------------------------------- /Examples/nginx/ssl/ca_config.conf: -------------------------------------------------------------------------------- 1 | [ req ] 2 | default_bits = 4096 3 | default_md = sha512 4 | default_keyfile = example.com.key 5 | prompt = no 6 | encrypt_key = no 7 | distinguished_name = req_distinguished_name 8 | 9 | [ req_distinguished_name ] 10 | countryName = "XX" # C= 11 | localityName = "XXXXX" # L= 12 | organizationName = "My Company" # O= 13 | organizationalUnitName = "Department" # OU= 14 | commonName = "*.example.com" # CN= 15 | emailAddress = "me@example.com" # email 16 | 17 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/debug_log_inline.manifest: -------------------------------------------------------------------------------- 1 | loader.preload = "file:../../src/libsysdb.so" 2 | libos.entrypoint = "file:bootstrap" 3 | loader.argv0_override = "bootstrap" 4 | 5 | loader.env.LD_LIBRARY_PATH = "/lib" 6 | loader.log_level = "debug" 7 | 8 | fs.mount.lib.type = "chroot" 9 | fs.mount.lib.path = "/lib" 10 | fs.mount.lib.uri = "file:../../../../Runtime" 11 | 12 | sgx.trusted_files.ld = "file:../../../../Runtime/ld-linux-x86-64.so.2" 13 | sgx.trusted_files.libc = "file:../../../../Runtime/libc.so.6" 14 | sgx.trusted_files.bootstrap = "file:bootstrap" 15 | 16 | sgx.nonpie_binary = 1 17 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /build 2 | /install 3 | 4 | # No editor backup files. 5 | *.sw* 6 | *.backup 7 | *.orig 8 | \#*# 9 | *~ 10 | 11 | .lib 12 | *.i 13 | *.s 14 | *.e 15 | *.d 16 | pal.map 17 | 18 | # object file/libraries 19 | *.a 20 | *.o 21 | *.so 22 | *.so.* 23 | 24 | # python 25 | *.py[co] 26 | __pycache__ 27 | 28 | # sgx 29 | *.manifest.sgx 30 | *.sig 31 | *.token 32 | *.cached 33 | .output.sgx_get_token.* 34 | .output.sgx_sign.* 35 | 36 | # gnu global 37 | GPATH 38 | GTAGS 39 | GSYMS 40 | GRTAGS 41 | 42 | # tags/etags 43 | tags 44 | TAGS 45 | 46 | # cscope 47 | cscope.* 48 | ncscope.* 49 | *cscope* 50 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/debug_regs-x86_64.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(void) { 4 | volatile uint64_t val = 0; 5 | 6 | __asm__ volatile("int3"); 7 | 8 | __asm__ volatile( 9 | "movq %1, %%rdx\n" 10 | "int3\n" 11 | "movq %%rdx, %0\n" 12 | : "=m"(val) 13 | : "m"(val) 14 | : "rdx"); 15 | 16 | __asm__ volatile( 17 | "movhps %1, %%xmm0\n" 18 | "movlps %1, %%xmm0\n" 19 | "int3\n" 20 | "movlps %%xmm0, %0\n" 21 | : "=m"(val) 22 | : "m"(val) 23 | : "xmm0"); 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/env_from_host.manifest: -------------------------------------------------------------------------------- 1 | loader.preload = "file:../../src/libsysdb.so" 2 | loader.argv0_override = "bootstrap" 3 | libos.entrypoint = "file:bootstrap" 4 | 5 | loader.env.LD_LIBRARY_PATH = "/lib" 6 | loader.insecure__use_host_env = 1 7 | 8 | fs.mount.lib.type = "chroot" 9 | fs.mount.lib.path = "/lib" 10 | fs.mount.lib.uri = "file:../../../../Runtime" 11 | 12 | sgx.trusted_files.ld = "file:../../../../Runtime/ld-linux-x86-64.so.2" 13 | sgx.trusted_files.libc = "file:../../../../Runtime/libc.so.6" 14 | sgx.trusted_files.bootstrap = "file:bootstrap" 15 | 16 | sgx.nonpie_binary = 1 17 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/signer/pal-sgx-sign: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # pylint: disable=invalid-name,import-error,wrong-import-position 3 | 4 | import sys 5 | import os 6 | import pathlib 7 | 8 | try: 9 | fspath = os.fspath 10 | except AttributeError: 11 | fspath = str 12 | 13 | # this is needed, so import generated_offsets works as backup from main python package 14 | sys.path.insert(0, fspath(pathlib.Path(__file__).parent.parent)) 15 | 16 | sys.path.insert(0, fspath((pathlib.Path(__file__) / '../../../../../../python').resolve())) 17 | from graphenelibos.sgx_sign import main 18 | 19 | sys.exit(main()) 20 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/openmp.c: -------------------------------------------------------------------------------- 1 | /* build with: gcc -fopenmp openmp-test.c -o openmp-test */ 2 | #include 3 | #include 4 | #include 5 | 6 | int v[10]; 7 | 8 | int main(void) { 9 | /* We need to limit the number of threads, otherwise OpenMP spawns as many threads as available 10 | * logical cores on the machine, which may exceed the TCS count specified in the manifest. 11 | */ 12 | #pragma omp parallel for num_threads(10) 13 | for (int i = 0; i < 10; i++) { 14 | v[i] = i; 15 | } 16 | 17 | printf("first: %d, last: %d\n", v[0], v[9]); 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/signer/pal-sgx-get-token: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # pylint: disable=invalid-name,import-error,wrong-import-position 3 | 4 | import sys 5 | import os 6 | import pathlib 7 | 8 | try: 9 | fspath = os.fspath 10 | except AttributeError: 11 | fspath = str 12 | 13 | # this is needed, so import generated_offsets works as backup from main python package 14 | sys.path.insert(0, fspath(pathlib.Path(__file__).parent.parent)) 15 | 16 | sys.path.insert(0, fspath((pathlib.Path(__file__) / '../../../../../../python').resolve())) 17 | from graphenelibos.sgx_get_token import main 18 | 19 | sys.exit(main()) 20 | -------------------------------------------------------------------------------- /LibOS/shim/src/vdso/vdso-note.S: -------------------------------------------------------------------------------- 1 | /* This .note section informs dynamic linker about vDSO */ 2 | .section .note.Linux, "a", @note 3 | 4 | .balign 4 5 | .long 6 /* namesz */ 6 | .long 4 /* descsz */ 7 | .long 0 /* type */ 8 | .string "Linux" /* name */ 9 | .zero 2 /* padding for 4-byte alignment */ 10 | .long 267008 /* LINUX_VERSION_CODE */ 11 | 12 | .balign 4 13 | .long 6 /* namesz */ 14 | .long 4 /* descsz */ 15 | .long 0x100 /* type */ 16 | .string "Linux" /* name */ 17 | .zero 2 /* padding for 4-byte alignment */ 18 | .long 0 /* CONFIG_BUILD_SALT. 0 for now. 19 | TODO: make it compile-time configurable */ 20 | -------------------------------------------------------------------------------- /Pal/lib/string/strcmp.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #include "api.h" 4 | 5 | int strcmp(const char* lhs, const char* rhs) { 6 | while (*lhs == *rhs && *lhs) { 7 | lhs++; 8 | rhs++; 9 | } 10 | return *(unsigned char*)lhs - *(unsigned char*)rhs; 11 | } 12 | 13 | int strncmp(const char* lhs, const char* rhs, size_t maxlen) { 14 | if (!maxlen) 15 | return 0; 16 | 17 | maxlen--; 18 | while (*lhs == *rhs && *lhs && maxlen) { 19 | lhs++; 20 | rhs++; 21 | maxlen--; 22 | } 23 | return *(unsigned char*)lhs - *(unsigned char*)rhs; 24 | } 25 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/abort_multithread.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | /* Test if abort() in a child thread kills the whole process. This should report 134 (128 + 6 where 6 | * 6 is SIGABRT) as its return code. */ 7 | 8 | static void* thread_abort(void* arg) { 9 | abort(); 10 | return NULL; /* not reached */ 11 | } 12 | 13 | int main(int argc, char* arvg[]) { 14 | pthread_t thread; 15 | pthread_create(&thread, NULL, thread_abort, NULL); 16 | pthread_join(thread, NULL); 17 | 18 | printf("Main thread returns successfully (must not happen)\n"); 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/debug_log_file.manifest: -------------------------------------------------------------------------------- 1 | loader.preload = "file:../../src/libsysdb.so" 2 | libos.entrypoint = "file:bootstrap" 3 | loader.argv0_override = "bootstrap" 4 | 5 | loader.env.LD_LIBRARY_PATH = "/lib" 6 | loader.log_level = "debug" 7 | loader.log_file = "tmp/debug_log_file.log" 8 | 9 | fs.mount.lib.type = "chroot" 10 | fs.mount.lib.path = "/lib" 11 | fs.mount.lib.uri = "file:../../../../Runtime" 12 | 13 | sgx.trusted_files.ld = "file:../../../../Runtime/ld-linux-x86-64.so.2" 14 | sgx.trusted_files.libc = "file:../../../../Runtime/libc.so.6" 15 | sgx.trusted_files.bootstrap = "file:bootstrap" 16 | 17 | sgx.nonpie_binary = 1 18 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/ecall_types.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | enum { 4 | ECALL_ENCLAVE_START = 0, 5 | ECALL_THREAD_START, 6 | ECALL_THREAD_RESET, 7 | ECALL_NR, 8 | }; 9 | 10 | struct pal_sec; 11 | struct rpc_queue; 12 | 13 | typedef struct { 14 | char* ms_libpal_uri; 15 | size_t ms_libpal_uri_len; 16 | char* ms_args; 17 | size_t ms_args_size; 18 | char* ms_env; 19 | size_t ms_env_size; 20 | struct pal_sec* ms_sec_info; 21 | struct rpc_queue* rpc_queue; /* pointer to RPC queue in untrusted mem */ 22 | } ms_ecall_enclave_start_t; 23 | -------------------------------------------------------------------------------- /LibOS/shim/src/sys/shim_fork.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Intel Corporation 3 | * Borys Popławski 4 | */ 5 | 6 | #include // without this header we are missing `size_t` definition in "signal.h" ... 7 | #include 8 | #include 9 | 10 | #include "shim_internal.h" 11 | #include "shim_table.h" 12 | 13 | long shim_do_fork(void) { 14 | return shim_do_clone(SIGCHLD, 0, NULL, NULL, 0); 15 | } 16 | 17 | long shim_do_vfork(void) { 18 | return shim_do_clone(CLONE_VFORK | CLONE_VM | SIGCHLD, 0, NULL, NULL, 0); 19 | } 20 | -------------------------------------------------------------------------------- /Pal/include/pal/pal_debug.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This file contains definitions of APIs used for debug purposes. 6 | */ 7 | 8 | #ifndef PAL_DEBUG_H 9 | #define PAL_DEBUG_H 10 | 11 | #include "pal.h" 12 | 13 | int pal_printf(const char* fmt, ...) __attribute__((format(printf, 1, 2))); 14 | int pal_fdprintf(int fd, const char* fmt, ...) __attribute__((format(printf, 2, 3))); 15 | void warn(const char* format, ...); 16 | 17 | void DkDebugMapAdd(PAL_STR uri, PAL_PTR start_addr); 18 | void DkDebugMapRemove(PAL_PTR start_addr); 19 | 20 | #endif /* PAL_DEBUG_H */ 21 | -------------------------------------------------------------------------------- /Documentation/manpages/quote_dump.rst: -------------------------------------------------------------------------------- 1 | .. program:: quote_dump 2 | 3 | ==================================================== 4 | :program:`quote_dump` -- Display SGX quote structure 5 | ==================================================== 6 | 7 | Synopsis 8 | ======== 9 | 10 | :command:`quote_dump` [*OPTION*]... *FILE* 11 | 12 | Description 13 | =========== 14 | 15 | `quote_dump` displays internal structure of an :term:`SGX` quote contained 16 | in *FILE*. 17 | 18 | Command line arguments 19 | ====================== 20 | 21 | .. option:: -h, --help 22 | 23 | Display usage. 24 | 25 | .. option:: -m, --msb 26 | 27 | Print hex strings in big-endian order. 28 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/env_from_file.manifest: -------------------------------------------------------------------------------- 1 | loader.preload = "file:../../src/libsysdb.so" 2 | libos.entrypoint = "file:bootstrap" 3 | loader.argv0_override = "bootstrap" 4 | loader.env.LD_LIBRARY_PATH = "/lib" 5 | loader.env_src_file = "file:env_test_input" 6 | 7 | fs.mount.lib.type = "chroot" 8 | fs.mount.lib.path = "/lib" 9 | fs.mount.lib.uri = "file:../../../../Runtime" 10 | 11 | sgx.allowed_files.env = "file:env_test_input" 12 | 13 | sgx.trusted_files.ld = "file:../../../../Runtime/ld-linux-x86-64.so.2" 14 | sgx.trusted_files.libc = "file:../../../../Runtime/libc.so.6" 15 | sgx.trusted_files.bootstrap = "file:bootstrap" 16 | 17 | sgx.nonpie_binary = 1 18 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/file_check_policy.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int main(int argc, char** argv) { 7 | if (argc != 2) { 8 | fprintf(stderr, "Usage: %s file_check_policy_testfile\n", argv[0]); 9 | return 1; 10 | } 11 | 12 | FILE* fp = fopen(argv[1], "r"); 13 | if (!fp) { 14 | perror("fopen failed"); 15 | return 2; 16 | } 17 | 18 | int reti = fclose(fp); 19 | if (reti) { 20 | perror("fclose failed"); 21 | return 3; 22 | } 23 | 24 | printf("file_check_policy succeeded\n"); 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-common/main_exec_path.c: -------------------------------------------------------------------------------- 1 | #include "api.h" 2 | #include "linux_utils.h" 3 | #include "sysdep-arch.h" 4 | 5 | /* In theory we could get symlink length using `lstat`, but that does not work on `/proc/self/exe` 6 | * (because it's not really a symlink). */ 7 | #define BUF_SIZE 1023u 8 | 9 | char* get_main_exec_path(void) { 10 | char* buf = malloc(BUF_SIZE + 1); 11 | if (!buf) { 12 | return NULL; 13 | } 14 | 15 | ssize_t len = INLINE_SYSCALL(readlink, 3, "/proc/self/exe", buf, BUF_SIZE); 16 | if (len < 0) { 17 | free(buf); 18 | return NULL; 19 | } 20 | buf[len] = '\0'; 21 | 22 | return buf; 23 | } 24 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/argv_from_file.manifest: -------------------------------------------------------------------------------- 1 | loader.preload = "file:../../src/libsysdb.so" 2 | libos.entrypoint = "file:bootstrap" 3 | loader.argv0_override = "bootstrap" 4 | 5 | loader.env.LD_LIBRARY_PATH = "/lib" 6 | loader.argv_src_file = "file:argv_test_input" 7 | 8 | fs.mount.lib.type = "chroot" 9 | fs.mount.lib.path = "/lib" 10 | fs.mount.lib.uri = "file:../../../../Runtime" 11 | 12 | sgx.allowed_files.argv = "file:argv_test_input" 13 | 14 | sgx.trusted_files.ld = "file:../../../../Runtime/ld-linux-x86-64.so.2" 15 | sgx.trusted_files.libc = "file:../../../../Runtime/libc.so.6" 16 | sgx.trusted_files.bootstrap = "file:bootstrap" 17 | 18 | sgx.nonpie_binary = 1 19 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/proc_path.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int main(int argc, char** argv) { 7 | struct stat root, proc_root; 8 | 9 | if (stat("/", &root) == -1) { 10 | perror("stat"); 11 | exit(1); 12 | } 13 | 14 | if (stat("/proc/1/root", &proc_root) == -1) { 15 | perror("stat"); 16 | exit(1); 17 | } 18 | 19 | if (root.st_dev == proc_root.st_dev && root.st_ino == proc_root.st_ino) { 20 | printf("proc path test success\n"); 21 | } else { 22 | printf("proc path test failure\n"); 23 | } 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /LibOS/shim/test/fs/copy_seq.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | void copy_data(int fi, int fo, const char* input_path, const char* output_path, size_t size) { 4 | size_t max_step = 16; 5 | if (size > 65536) 6 | max_step = 256; 7 | 8 | void* data = alloc_buffer(max_step); 9 | ssize_t offset = 0; 10 | ssize_t step; 11 | while (offset < size) { 12 | if (offset + max_step <= size) 13 | step = rand() % max_step + 1; 14 | else 15 | step = size - offset; 16 | read_fd(input_path, fi, data, step); 17 | write_fd(output_path, fo, data, step); 18 | offset += step; 19 | } 20 | free(data); 21 | } 22 | -------------------------------------------------------------------------------- /Pal/regression/Pie.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_debug.h" 3 | 4 | char str[13] = "Hello World\n"; 5 | 6 | int main(int argc, char** argv, char** envp) { 7 | pal_printf("start program: %s\n", pal_control.executable); 8 | 9 | PAL_HANDLE out = DkStreamOpen("dev:tty", PAL_ACCESS_WRONLY, 0, 0, 0); 10 | 11 | if (out == NULL) { 12 | pal_printf("DkStreamOpen failed\n"); 13 | return -1; 14 | } 15 | 16 | int bytes = DkStreamWrite(out, 0, sizeof(str) - 1, str, NULL); 17 | 18 | if (bytes < 0) { 19 | pal_printf("DkStreamWrite failed\n"); 20 | return -1; 21 | } 22 | 23 | DkObjectClose(out); 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /Pal/regression/HelloWorld.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_debug.h" 3 | 4 | char str[13] = "Hello World\n"; 5 | 6 | int main(int argc, char** argv, char** envp) { 7 | pal_printf("start program: %s\n", pal_control.executable); 8 | 9 | PAL_HANDLE out = DkStreamOpen("dev:tty", PAL_ACCESS_WRONLY, 0, 0, 0); 10 | 11 | if (out == NULL) { 12 | pal_printf("DkStreamOpen failed\n"); 13 | return -1; 14 | } 15 | 16 | int bytes = DkStreamWrite(out, 0, sizeof(str) - 1, str, NULL); 17 | 18 | if (bytes < 0) { 19 | pal_printf("DkStreamWrite failed\n"); 20 | return -1; 21 | } 22 | 23 | DkObjectClose(out); 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /.ci/linux-direct-ubuntu18.04-gcc-glibc227.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('nonsgx_slave') { 2 | checkout scm 3 | 4 | load '.ci/lib/config.jenkinsfile' 5 | load '.ci/lib/config-ubuntu18.04.jenkinsfile' 6 | load '.ci/lib/config-release.jenkinsfile' 7 | env.GLIBC_VERSION = '2.27' 8 | 9 | docker.build( 10 | "local:${env.BUILD_TAG}", 11 | '-f .ci/ubuntu18.04.dockerfile .' 12 | ).inside("${env.DOCKER_ARGS_COMMON}") { 13 | load '.ci/lib/stage-lint.jenkinsfile' 14 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 15 | load '.ci/lib/stage-build-nosgx.jenkinsfile' 16 | load '.ci/lib/stage-clean-check.jenkinsfile' 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /Pal/regression/Hex.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "api.h" 4 | #include "hex.h" 5 | #include "pal.h" 6 | #include "pal_debug.h" 7 | 8 | char x[] = {0xde, 0xad, 0xbe, 0xef}; 9 | char y[] = {0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd}; 10 | 11 | static_assert(sizeof(x) <= sizeof(y), "array x is longer than array y"); 12 | char hex_buf[sizeof(y) * 2 + 1]; 13 | 14 | noreturn void __abort(void) { 15 | // ENOTRECOVERABLE = 131 16 | DkProcessExit(131); 17 | } 18 | 19 | int main(void) { 20 | pal_printf("Hex test 1 is %s\n", BYTES2HEXSTR(x, hex_buf, sizeof(hex_buf))); 21 | pal_printf("Hex test 2 is %s\n", BYTES2HEXSTR(y, hex_buf, sizeof(hex_buf))); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/quote-dump/Makefile: -------------------------------------------------------------------------------- 1 | include ../../../../../../Scripts/Makefile.configs 2 | include ../../../../../../Scripts/Makefile.rules 3 | 4 | CFLAGS += -I../.. \ 5 | -I../common \ 6 | -D_GNU_SOURCE 7 | 8 | LDLIBS += -L../common \ 9 | -L../../../../../lib/crypto/mbedtls/install/lib \ 10 | -lsgx_util -lmbedcrypto 11 | 12 | PREFIX ?= /usr/local 13 | 14 | .PHONY: all 15 | all: quote_dump 16 | 17 | quote_dump: quote_dump.o 18 | $(call cmd,csingle) 19 | 20 | .PHONY: install 21 | install: 22 | install -D quote_dump -t ${PREFIX}/bin 23 | 24 | .PHONY: clean 25 | clean: 26 | $(RM) *.o quote_dump 27 | 28 | .PHONY: distclean 29 | distclean: clean 30 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/ias-request/Makefile: -------------------------------------------------------------------------------- 1 | include ../../../../../../Scripts/Makefile.configs 2 | include ../../../../../../Scripts/Makefile.rules 3 | 4 | CFLAGS += -I../.. \ 5 | -I../common \ 6 | -D_GNU_SOURCE 7 | 8 | LDLIBS += -L../common \ 9 | -L../../../../../lib/crypto/mbedtls/install/lib \ 10 | -lsgx_util -lmbedcrypto 11 | 12 | PREFIX ?= /usr/local 13 | 14 | .PHONY: all 15 | all: ias_request 16 | 17 | ias_request: ias_request.o 18 | $(call cmd,csingle) 19 | 20 | .PHONY: install 21 | install: 22 | install -D ias_request -t ${PREFIX}/bin 23 | 24 | .PHONY: clean 25 | clean: 26 | $(RM) *.o ias_request 27 | 28 | .PHONY: distclean 29 | distclean: clean 30 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/init_fail2.manifest: -------------------------------------------------------------------------------- 1 | loader.preload = "file:../../src/libsysdb.so" 2 | libos.entrypoint = "file:init_fail" 3 | loader.argv0_override = "init_fail" 4 | 5 | loader.env.LD_LIBRARY_PATH = "/lib" 6 | 7 | fs.mount.lib.type = "chroot" 8 | fs.mount.lib.path = "/lib" 9 | fs.mount.lib.uri = "file:../../../../Runtime" 10 | 11 | sgx.trusted_files.ld = "file:../../../../Runtime/ld-linux-x86-64.so.2" 12 | sgx.trusted_files.libc = "file:../../../../Runtime/libc.so.6" 13 | sgx.trusted_files.init_fail = "file:init_fail" 14 | 15 | sgx.nonpie_binary = 1 16 | 17 | # this is an impossible combination of options, LibOS must fail very early in init process 18 | sgx.enclave_size = "256M" 19 | sys.brk.max_size = "512M" 20 | -------------------------------------------------------------------------------- /Pal/lib/string/strspn.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: MIT */ 2 | /* Adapted from musl v1.2.1. Copyright © 2005-2020 Rich Felker, et al. */ 3 | 4 | #include "api.h" 5 | 6 | #define BITOP(a,b,op) \ 7 | ((a)[(size_t)(b)/(8*sizeof *(a))] op (size_t)1<<((size_t)(b)%(8*sizeof *(a)))) 8 | 9 | size_t strspn(const char* s, const char* c) { 10 | const char* a = s; 11 | size_t byteset[32/sizeof(size_t)] = { 0 }; 12 | 13 | if (!c[0]) 14 | return 0; 15 | 16 | if (!c[1]) { 17 | for (; *s == *c; s++); 18 | return s - a; 19 | } 20 | 21 | for (; *c && BITOP(byteset, *(unsigned char*)c, |=); c++); 22 | for (; *s && BITOP(byteset, *(unsigned char*)s, &); s++); 23 | return s - a; 24 | } 25 | -------------------------------------------------------------------------------- /Pal/src/host/Skeleton/Makefile.am: -------------------------------------------------------------------------------- 1 | # Add host-specific compilation rules here 2 | 3 | CFLAGS += -fPIC -Wp,-U_FORTIFY_SOURCE \ 4 | -fno-stack-protector -fno-builtin 5 | 6 | CFLAGS += -Wextra -Wno-unused-parameter -Wno-sign-compare $(call cc-option,-Wnull-dereference) 7 | 8 | ASFLAGS += -DPIC -DSHARED -fPIC -DASSEMBLER -Wa,--noexecstack \ 9 | -x assembler-with-cpp 10 | LDFLAGS += -shared -nostdlib -z combreloc -z defs \ 11 | --version-script $(HOST_DIR)/pal.map -T $(HOST_DIR)/pal-$(ARCH).lds \ 12 | --eh-frame-hdr 13 | 14 | pal_loader = 15 | pal_sec = 16 | pal_lib = $(HOST_DIR)/libpal.so 17 | pal_lib_deps = pal-symbols $(HOST_DIR)/pal.map.template $(HOST_DIR)/pal-$(ARCH).lds 18 | pal_lib_post = 19 | pal_static = 20 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 9 | 10 | ## Description of the problem 11 | 12 | ## Steps to reproduce 13 | 18 | 19 | ## Expected results 20 | 21 | ## Actual results 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/pf_crypt/Makefile: -------------------------------------------------------------------------------- 1 | include ../../../../../../Scripts/Makefile.configs 2 | include ../../../../../../Scripts/Makefile.rules 3 | 4 | CFLAGS += -I../.. \ 5 | -I../common \ 6 | -I../../protected-files \ 7 | -D_GNU_SOURCE 8 | 9 | LDLIBS += -L../common \ 10 | -L../../../../../lib/crypto/mbedtls/install/lib \ 11 | -lsgx_util -lmbedcrypto 12 | 13 | PREFIX ?= /usr/local 14 | 15 | pf_crypt: pf_crypt.o 16 | $(call cmd,csingle) 17 | 18 | .PHONY: all 19 | all: pf_crypt 20 | 21 | .PHONY: install 22 | install: 23 | install -D pf_crypt -t ${PREFIX}/bin 24 | 25 | .PHONY: clean 26 | clean: 27 | $(RM) *.o pf_crypt 28 | 29 | .PHONY: distclean 30 | distclean: clean 31 | -------------------------------------------------------------------------------- /Documentation/Makefile: -------------------------------------------------------------------------------- 1 | # Minimal makefile for Sphinx documentation 2 | # 3 | 4 | # You can set these variables from the command line. 5 | SPHINXOPTS = 6 | SPHINXBUILD = sphinx-build 7 | SOURCEDIR = . 8 | BUILDDIR = _build 9 | 10 | # Put it first so that "make" without argument is like "make help". 11 | help: 12 | @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) 13 | 14 | clean: 15 | $(RM) -r "$(BUILDDIR)" 16 | 17 | .PHONY: help Makefile Doxyfile clean 18 | 19 | # Catch-all target: route all unknown targets to Sphinx using the new 20 | # "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). 21 | %: Makefile 22 | @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) 23 | -------------------------------------------------------------------------------- /.ci/linux-sgx-ubuntu16.04-gcc-release.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('sgx_slave_2.6') { 2 | checkout scm 3 | 4 | load '.ci/lib/config.jenkinsfile' 5 | load '.ci/lib/config-ubuntu16.04.jenkinsfile' 6 | load '.ci/lib/config-release.jenkinsfile' 7 | env.SGX = '1' 8 | 9 | docker.build( 10 | "local:${env.BUILD_TAG}", 11 | '-f .ci/ubuntu16.04.dockerfile .' 12 | ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") { 13 | load '.ci/lib/stage-lint.jenkinsfile' 14 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 15 | load '.ci/lib/stage-build-sgx.jenkinsfile' 16 | load '.ci/lib/stage-test.jenkinsfile' 17 | load '.ci/lib/stage-clean-check.jenkinsfile' 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /.ci/linux-sgx-ubuntu18.04-gcc-release.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('sgx_slave_2.6') { 2 | checkout scm 3 | 4 | load '.ci/lib/config.jenkinsfile' 5 | load '.ci/lib/config-ubuntu18.04.jenkinsfile' 6 | load '.ci/lib/config-release.jenkinsfile' 7 | env.SGX = '1' 8 | 9 | docker.build( 10 | "local:${env.BUILD_TAG}", 11 | '-f .ci/ubuntu18.04.dockerfile .' 12 | ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") { 13 | load '.ci/lib/stage-lint.jenkinsfile' 14 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 15 | load '.ci/lib/stage-build-sgx.jenkinsfile' 16 | load '.ci/lib/stage-test.jenkinsfile' 17 | load '.ci/lib/stage-clean-check.jenkinsfile' 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /LibOS/shim/test/fs/README.md: -------------------------------------------------------------------------------- 1 | Test purpose 2 | ------------ 3 | 4 | These tests perform common FS operations in various ways to exercise the Graphene FS subsystem: 5 | 6 | - open/close 7 | - read/write 8 | - create/delete 9 | - read/change size 10 | - seek/tell 11 | - memory-mapped read/write 12 | - sendfile 13 | - copy directory in different ways 14 | 15 | How to execute 16 | -------------- 17 | 18 | Run `make test` (tests both regular files and protected files). 19 | Run `make fs-test` to only test regular files. 20 | 21 | (SGX only) Protected file tests assume that the SGX tools were installed in this directory: 22 | 23 | ``` 24 | cd $graphene/Pal/src/host/Linux-SGX/tools 25 | make install PREFIX=$graphene/LibOS/shim/test/fs 26 | ``` 27 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/host_root_fs.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | static int showdir(char* path) { 5 | struct dirent* de; 6 | 7 | DIR* dir = opendir(path); 8 | if (!dir) { 9 | printf("Could not open directory `%s`\n", path); 10 | return 1; 11 | } 12 | 13 | printf("Contents of directory `%s`:\n", path); 14 | while ((de = readdir(dir))) 15 | printf(" %s\n", de->d_name); 16 | printf("\n"); 17 | 18 | closedir(dir); 19 | return 0; 20 | } 21 | 22 | int main(int argc, char** argv) { 23 | if (showdir("/")) 24 | return 1; 25 | 26 | if (showdir("/var/")) 27 | return 1; 28 | 29 | puts("Test was successful"); 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/verify-ias-report/Makefile: -------------------------------------------------------------------------------- 1 | include ../../../../../../Scripts/Makefile.configs 2 | include ../../../../../../Scripts/Makefile.rules 3 | 4 | CFLAGS += -I../.. \ 5 | -I../common \ 6 | -D_GNU_SOURCE 7 | 8 | LDLIBS += -L../common \ 9 | -L../../../../../lib/crypto/mbedtls/install/lib \ 10 | -lsgx_util -lmbedcrypto 11 | 12 | PREFIX ?= /usr/local 13 | 14 | .PHONY: all 15 | all: verify_ias_report 16 | 17 | verify_ias_report: verify_ias_report.o 18 | $(call cmd,csingle) 19 | 20 | .PHONY: install 21 | install: 22 | install -D verify_ias_report -t ${PREFIX}/bin 23 | 24 | .PHONY: clean 25 | clean: 26 | $(RM) *.o verify_ias_report 27 | 28 | .PHONY: distclean 29 | distclean: clean 30 | -------------------------------------------------------------------------------- /Pal/src/host/Linux/gdb_integration/graphene_linux_gdb.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # SPDX-License-Identifier: LGPL-3.0-or-later */ 3 | # Copyright (C) 2020 Intel Corporation 4 | # Michał Kowalczyk 5 | 6 | import os 7 | import gdb # pylint: disable=import-error 8 | 9 | def main(): 10 | for filename in [ 11 | 'common/pagination_gdb.py', 12 | 'common/debug_map_gdb.py', 13 | 'common/graphene.gdb', 14 | ]: 15 | print("[%s] Loading %s..." % (os.path.basename(__file__), filename)) 16 | path = os.path.join(os.path.dirname(__file__), filename) 17 | gdb.execute("source " + path) 18 | 19 | if __name__ == '__main__': 20 | main() 21 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/init_fail.manifest: -------------------------------------------------------------------------------- 1 | loader.preload = "file:../../src/libsysdb.so" 2 | libos.entrypoint = "file:init_fail" 3 | loader.argv0_override = "init_fail" 4 | 5 | loader.env.LD_LIBRARY_PATH = "/lib" 6 | 7 | fs.mount.lib.type = "chroot" 8 | fs.mount.lib.path = "/lib" 9 | fs.mount.lib.uri = "file:../../../../Runtime" 10 | 11 | # purposefully force mount failure to cause early shim abort 12 | fs.mount.test.type = "chroot" 13 | fs.mount.test.path = "/test" 14 | fs.mount.test.uri = "file:I_DONT_EXIST" 15 | 16 | sgx.trusted_files.ld = "file:../../../../Runtime/ld-linux-x86-64.so.2" 17 | sgx.trusted_files.libc = "file:../../../../Runtime/libc.so.6" 18 | sgx.trusted_files.init_fail = "file:init_fail" 19 | 20 | sgx.nonpie_binary = 1 21 | -------------------------------------------------------------------------------- /.ci/linux-direct-ubuntu16.04-gcc-debug.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('nonsgx_slave') { 2 | checkout scm 3 | 4 | load '.ci/lib/config.jenkinsfile' 5 | load '.ci/lib/config-ubuntu16.04.jenkinsfile' 6 | load '.ci/lib/config-debug.jenkinsfile' 7 | 8 | docker.build( 9 | "local:${env.BUILD_TAG}", 10 | '-f .ci/ubuntu16.04.dockerfile .' 11 | ).inside("${env.DOCKER_ARGS_COMMON}") { 12 | load '.ci/lib/stage-lint.jenkinsfile' 13 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 14 | load '.ci/lib/stage-build-nosgx.jenkinsfile' 15 | load '.ci/lib/stage-test.jenkinsfile' 16 | load '.ci/lib/stage-test-direct.jenkinsfile' 17 | load '.ci/lib/stage-clean-check.jenkinsfile' 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /.ci/linux-direct-ubuntu18.04-gcc-debug.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('nonsgx_slave') { 2 | checkout scm 3 | 4 | load '.ci/lib/config.jenkinsfile' 5 | load '.ci/lib/config-ubuntu18.04.jenkinsfile' 6 | load '.ci/lib/config-debug.jenkinsfile' 7 | 8 | docker.build( 9 | "local:${env.BUILD_TAG}", 10 | '-f .ci/ubuntu18.04.dockerfile .' 11 | ).inside("${env.DOCKER_ARGS_COMMON}") { 12 | load '.ci/lib/stage-lint.jenkinsfile' 13 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 14 | load '.ci/lib/stage-build-nosgx.jenkinsfile' 15 | load '.ci/lib/stage-test.jenkinsfile' 16 | load '.ci/lib/stage-test-direct.jenkinsfile' 17 | load '.ci/lib/stage-clean-check.jenkinsfile' 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /.ci/linux-sgx-ubuntu16.04-gcc-release-apps.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('sgx_slave_2.6') { 2 | checkout scm 3 | 4 | load '.ci/lib/config.jenkinsfile' 5 | load '.ci/lib/config-ubuntu16.04.jenkinsfile' 6 | load '.ci/lib/config-release.jenkinsfile' 7 | env.SGX = '1' 8 | 9 | docker.build( 10 | "local:${env.BUILD_TAG}", 11 | '-f .ci/ubuntu16.04.dockerfile .' 12 | ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") { 13 | load '.ci/lib/stage-lint.jenkinsfile' 14 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 15 | load '.ci/lib/stage-build-sgx.jenkinsfile' 16 | load '.ci/lib/stage-test-sgx.jenkinsfile' 17 | load '.ci/lib/stage-clean-check.jenkinsfile' 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /.ci/linux-sgx-ubuntu18.04-gcc-release-apps.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('sgx_slave_2.6') { 2 | checkout scm 3 | 4 | load '.ci/lib/config.jenkinsfile' 5 | load '.ci/lib/config-ubuntu18.04.jenkinsfile' 6 | load '.ci/lib/config-release.jenkinsfile' 7 | env.SGX = '1' 8 | 9 | docker.build( 10 | "local:${env.BUILD_TAG}", 11 | '-f .ci/ubuntu18.04.dockerfile .' 12 | ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") { 13 | load '.ci/lib/stage-lint.jenkinsfile' 14 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 15 | load '.ci/lib/stage-build-sgx.jenkinsfile' 16 | load '.ci/lib/stage-test-sgx.jenkinsfile' 17 | load '.ci/lib/stage-clean-check.jenkinsfile' 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/file_check_policy_strict.manifest: -------------------------------------------------------------------------------- 1 | loader.preload = "file:../../src/libsysdb.so" 2 | libos.entrypoint = "file:file_check_policy" 3 | loader.argv0_override = "file_check_policy" 4 | 5 | loader.env.LD_LIBRARY_PATH = "/lib" 6 | loader.insecure__use_cmdline_argv = 1 7 | 8 | fs.mount.lib.type = "chroot" 9 | fs.mount.lib.path = "/lib" 10 | fs.mount.lib.uri = "file:../../../../Runtime" 11 | 12 | sgx.file_check_policy = "strict" 13 | 14 | sgx.trusted_files.ld = "file:../../../../Runtime/ld-linux-x86-64.so.2" 15 | sgx.trusted_files.libc = "file:../../../../Runtime/libc.so.6" 16 | sgx.trusted_files.file_check_policy = "file:file_check_policy" 17 | 18 | sgx.trusted_files.test = "file:trusted_testfile" 19 | 20 | sgx.nonpie_binary = 1 21 | -------------------------------------------------------------------------------- /.ci/linux-direct-ubuntu16.04-gcc-release.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('nonsgx_slave') { 2 | checkout scm 3 | 4 | load '.ci/lib/config.jenkinsfile' 5 | load '.ci/lib/config-ubuntu16.04.jenkinsfile' 6 | load '.ci/lib/config-release.jenkinsfile' 7 | 8 | docker.build( 9 | "local:${env.BUILD_TAG}", 10 | '-f .ci/ubuntu16.04.dockerfile .' 11 | ).inside("${env.DOCKER_ARGS_COMMON}") { 12 | load '.ci/lib/stage-lint.jenkinsfile' 13 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 14 | load '.ci/lib/stage-build-nosgx.jenkinsfile' 15 | load '.ci/lib/stage-test.jenkinsfile' 16 | load '.ci/lib/stage-test-direct.jenkinsfile' 17 | load '.ci/lib/stage-clean-check.jenkinsfile' 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /.ci/linux-direct-ubuntu18.04-gcc-release.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('nonsgx_slave') { 2 | checkout scm 3 | 4 | load '.ci/lib/config.jenkinsfile' 5 | load '.ci/lib/config-ubuntu18.04.jenkinsfile' 6 | load '.ci/lib/config-release.jenkinsfile' 7 | 8 | docker.build( 9 | "local:${env.BUILD_TAG}", 10 | '-f .ci/ubuntu18.04.dockerfile .' 11 | ).inside("${env.DOCKER_ARGS_COMMON}") { 12 | load '.ci/lib/stage-lint.jenkinsfile' 13 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 14 | load '.ci/lib/stage-build-nosgx.jenkinsfile' 15 | load '.ci/lib/stage-test.jenkinsfile' 16 | load '.ci/lib/stage-test-direct.jenkinsfile' 17 | load '.ci/lib/stage-clean-check.jenkinsfile' 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/host_root_fs.manifest: -------------------------------------------------------------------------------- 1 | loader.preload = "file:../../src/libsysdb.so" 2 | libos.entrypoint = "file:host_root_fs" 3 | loader.argv0_override = "host_root_fs" 4 | 5 | loader.env.LD_LIBRARY_PATH = "/lib" 6 | 7 | fs.root.type = "chroot" 8 | fs.root.path = "/" 9 | fs.root.uri = "file:/" 10 | 11 | fs.mount.graphene_lib.type = "chroot" 12 | fs.mount.graphene_lib.path = "/lib" 13 | fs.mount.graphene_lib.uri = "file:../../../../Runtime" 14 | 15 | sgx.trusted_files.ld = "file:../../../../Runtime/ld-linux-x86-64.so.2" 16 | sgx.trusted_files.libc = "file:../../../../Runtime/libc.so.6" 17 | sgx.trusted_files.libdl = "file:../../../../Runtime/libdl.so.2" 18 | sgx.trusted_files.host_root_fs = "file:host_root_fs" 19 | 20 | sgx.nonpie_binary = 1 21 | -------------------------------------------------------------------------------- /LibOS/shim/test/ltp/Makefile.testcases: -------------------------------------------------------------------------------- 1 | include ../../../makevars.mk 2 | 3 | testcases = $(shell cd $(ROOTDIR); \ 4 | ./runltp_xml.py $(RUNLTPOPTS) -c ltp.cfg --list-executables $(LTPSCENARIO)) 5 | 6 | exec_target = $(testcases) 7 | manifests = $(addsuffix .manifest,$(testcases)) 8 | target = $(manifests) $(testcases) etc/nsswitch.conf etc/passwd 9 | 10 | include $(ROOTDIR)/Makefile.Test 11 | 12 | etc/nsswitch.conf: 13 | mkdir -p etc 14 | printf "passwd: compat\ngroup: compat\nshadow: compat\nhosts: files\n" > $@ 15 | 16 | etc/passwd: 17 | mkdir -p etc 18 | printf "root:x:0:0:root:/root:/bin/bash\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n" > $@ 19 | 20 | .PHONY: sgx-tokens 21 | sgx-tokens: $(call expand_target_to_token,$(testcases)) 22 | -------------------------------------------------------------------------------- /LibOS/shim/src/vdso/arch/x86_64/vdso_syscall.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Intel Corporation 3 | * Borys Popławski 4 | */ 5 | #ifndef VDSO_SYSCALL_H_ 6 | #define VDSO_SYSCALL_H_ 7 | 8 | #include "shim_entry_api.h" 9 | 10 | static inline long vdso_arch_syscall(long nr, long arg1, long arg2) { 11 | long ret; 12 | __asm__ volatile( 13 | "lea .Lret%=(%%rip), %%rcx\n" 14 | "jmp *%%gs:%c[syscalldb]\n" 15 | ".Lret%=:\n" 16 | : "=a" (ret) 17 | : "0" (nr), "D"(arg1), "S"(arg2), [syscalldb] "i"(SHIM_SYSCALLDB_OFFSET) 18 | : "memory", "rcx", "r11" 19 | ); 20 | return ret; 21 | } 22 | 23 | #endif // VDSO_SYSCALL_H_ 24 | -------------------------------------------------------------------------------- /Pal/lib/string/strstr.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #include "api.h" 4 | 5 | char* strstr(const char* haystack, const char* needle) { 6 | size_t h_len = strlen(haystack); 7 | size_t n_len = strlen(needle); 8 | unsigned int o = 0; 9 | 10 | if (n_len == 0) 11 | /* this is pretty bad, but it's done to mimic strstr's signature from libc */ 12 | return (char*)haystack; 13 | 14 | if (h_len < n_len) 15 | return NULL; 16 | 17 | while (o <= h_len - n_len) { 18 | size_t i = 0; 19 | while (i < n_len && haystack[o + i] == needle[i]) 20 | i++; 21 | if (i == n_len) 22 | return (char*)&haystack[o]; 23 | o++; 24 | } 25 | return NULL; 26 | } 27 | -------------------------------------------------------------------------------- /Pal/src/host/Linux/Makefile.am: -------------------------------------------------------------------------------- 1 | # Add host-specific compilation rules here 2 | SEC_DIR = security/$(PAL_HOST) 3 | 4 | CFLAGS += -fPIC -Wp,-U_FORTIFY_SOURCE -fno-builtin $(call cc-option,-Wtrampolines) 5 | 6 | CFLAGS += -Wextra $(call cc-option,-Wnull-dereference) 7 | 8 | ASFLAGS += -DPIC -DSHARED -fPIC -DASSEMBLER -Wa,--noexecstack \ 9 | -x assembler-with-cpp 10 | LDFLAGS += -shared -nostdlib -z combreloc -z defs \ 11 | --version-script $(HOST_DIR)/pal.map -T $(HOST_DIR)/pal-$(ARCH).lds \ 12 | --eh-frame-hdr \ 13 | -z relro -z now 14 | 15 | pal_loader = $(HOST_DIR)/libpal.so 16 | pal_lib = $(HOST_DIR)/libpal.so 17 | pal_lib_deps = pal-symbols $(HOST_DIR)/pal.map.template $(HOST_DIR)/pal-$(ARCH).lds 18 | pal_lib_post = 19 | pal_static = $(HOST_DIR)/libpal.a 20 | -------------------------------------------------------------------------------- /LibOS/shim/test/fs/copy_rev.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | void copy_data(int fi, int fo, const char* input_path, const char* output_path, size_t size) { 4 | size_t max_step = 16; 5 | if (size > 65536) 6 | max_step = 256; 7 | 8 | void* data = alloc_buffer(max_step); 9 | ssize_t offset = size; 10 | ssize_t step; 11 | while (offset > 0) { 12 | if (offset > max_step) 13 | step = rand() % max_step + 1; 14 | else 15 | step = offset; 16 | offset -= step; 17 | seek_fd(input_path, fi, offset, SEEK_SET); 18 | seek_fd(output_path, fo, offset, SEEK_SET); 19 | read_fd(input_path, fi, data, step); 20 | write_fd(output_path, fo, data, step); 21 | } 22 | free(data); 23 | } 24 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/file_check_policy_allow_all_but_log.manifest: -------------------------------------------------------------------------------- 1 | loader.preload = "file:../../src/libsysdb.so" 2 | libos.entrypoint = "file:file_check_policy" 3 | loader.argv0_override = "file_check_policy" 4 | 5 | loader.env.LD_LIBRARY_PATH = "/lib" 6 | loader.insecure__use_cmdline_argv = 1 7 | 8 | fs.mount.lib.type = "chroot" 9 | fs.mount.lib.path = "/lib" 10 | fs.mount.lib.uri = "file:../../../../Runtime" 11 | 12 | sgx.file_check_policy = "allow_all_but_log" 13 | 14 | sgx.trusted_files.ld = "file:../../../../Runtime/ld-linux-x86-64.so.2" 15 | sgx.trusted_files.libc = "file:../../../../Runtime/libc.so.6" 16 | sgx.trusted_files.file_check_policy = "file:file_check_policy" 17 | 18 | sgx.trusted_files.test = "file:trusted_testfile" 19 | 20 | sgx.nonpie_binary = 1 21 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/fdleak.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | /* This is supposed to expose resource leaks where close()d files are not properly cleaned up. */ 9 | 10 | int main(int argc, char** argv) { 11 | for (int i = 0; i < 10000; i++) { 12 | int fd = open(argv[0], O_RDONLY); 13 | if (fd == -1) 14 | abort(); 15 | char buf[1024]; 16 | ssize_t read_ret = read(fd, buf, sizeof(buf)); 17 | if (read_ret == -1) 18 | abort(); 19 | int ret = close(fd); 20 | if (ret == -1) 21 | abort(); 22 | } 23 | 24 | puts("Test succeeded."); 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/pf_tamper/Makefile: -------------------------------------------------------------------------------- 1 | include ../../../../../../Scripts/Makefile.configs 2 | include ../../../../../../Scripts/Makefile.rules 3 | 4 | CFLAGS += -I../.. \ 5 | -I../common \ 6 | -I../../protected-files \ 7 | -I../../../../../include/lib \ 8 | -D_GNU_SOURCE 9 | 10 | LDLIBS += -L../common \ 11 | -L../../../../../lib/crypto/mbedtls/install/lib \ 12 | -lsgx_util -lmbedcrypto 13 | 14 | PREFIX ?= /usr/local 15 | 16 | pf_tamper: pf_tamper.o 17 | $(call cmd,csingle) 18 | 19 | .PHONY: all 20 | all: pf_tamper 21 | 22 | .PHONY: install 23 | install: 24 | install -D pf_tamper -t ${PREFIX}/bin 25 | 26 | .PHONY: clean 27 | clean: 28 | $(RM) *.o pf_tamper 29 | 30 | .PHONY: distclean 31 | distclean: clean 32 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/multi_pthread.manifest: -------------------------------------------------------------------------------- 1 | loader.preload = "file:../../src/libsysdb.so" 2 | loader.env.LD_LIBRARY_PATH = "/lib" 3 | loader.argv0_override = "multi_pthread" 4 | libos.entrypoint = "file:multi_pthread" 5 | 6 | fs.mount.lib.type = "chroot" 7 | fs.mount.lib.path = "/lib" 8 | fs.mount.lib.uri = "file:../../../../Runtime" 9 | 10 | sgx.trusted_files.ld = "file:../../../../Runtime/ld-linux-x86-64.so.2" 11 | sgx.trusted_files.libc = "file:../../../../Runtime/libc.so.6" 12 | sgx.trusted_files.libpthread = "file:../../../../Runtime/libpthread.so.0" 13 | sgx.trusted_files.multi_pthread = "file:multi_pthread" 14 | 15 | # app runs with 4 parallel threads + Graphene has couple internal threads 16 | sgx.thread_num = 8 17 | 18 | sgx.nonpie_binary = 1 19 | sgx.enable_stats = 1 20 | -------------------------------------------------------------------------------- /tests/benchmarks/basic.manifest.template: -------------------------------------------------------------------------------- 1 | #sgx.enable_stats = 1 2 | 3 | loader.preload = file:@GRAPHENEDIR@/Runtime/libsysdb.so 4 | loader.env.LD_LIBRARY_PATH = /lib 5 | loader.syscall_symbol = syscalldb 6 | loader.insecure__use_cmdline_argv = 1 7 | 8 | fs.mount.graphene_lib.type = chroot 9 | fs.mount.graphene_lib.path = /lib 10 | fs.mount.graphene_lib.uri = file:@GRAPHENEDIR@/Runtime 11 | 12 | sgx.trusted_files.ld = file:@GRAPHENEDIR@/Runtime/ld-linux-x86-64.so.2 13 | sgx.trusted_files.libc = file:@GRAPHENEDIR@/Runtime/libc.so.6 14 | sgx.trusted_files.libdl = file:@GRAPHENEDIR@/Runtime/libdl.so.2 15 | sgx.trusted_files.libm = file:@GRAPHENEDIR@/Runtime/libm.so.6 16 | sgx.trusted_files.libpthread = file:@GRAPHENEDIR@/Runtime/libpthread.so.0 17 | 18 | sgx.thread_num = 3 19 | 20 | #sgx.nonpie_binary = 1 21 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/fstat_cwd.c: -------------------------------------------------------------------------------- 1 | #define _XOPEN_SOURCE 700 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | int main(int argc, char** argv) { 11 | int r, fd; 12 | struct stat buf; 13 | 14 | fd = open(".", O_DIRECTORY); 15 | if (fd == -1) { 16 | printf("Opening CWD returned error %d\n", errno); 17 | return -1; 18 | } 19 | 20 | r = fstat(fd, &buf); 21 | if (r == -1) { 22 | printf("fstat on directory fd returned error %d\n", errno); 23 | return -1; 24 | } 25 | 26 | close(fd); 27 | 28 | if (S_ISDIR(buf.st_mode)) 29 | printf("fstat returned the fd type as S_IFDIR\n"); 30 | 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/debug.gdb: -------------------------------------------------------------------------------- 1 | set breakpoint pending on 2 | set pagination off 3 | 4 | # Check if debug sources are loaded in our program, and we can break inside. 5 | 6 | tbreak func 7 | commands 8 | echo \n\n 9 | backtrace 10 | echo \n\n 11 | 12 | # Check if we can break inside PAL and get a full backtrace (across glibc). 13 | 14 | tbreak dev_write 15 | commands 16 | echo \n\n 17 | backtrace 18 | echo \n\n 19 | continue 20 | end 21 | 22 | # Check if we can break inside OCALL (SGX only). 23 | 24 | tbreak sgx_ocall_write 25 | commands 26 | echo \n\n 27 | backtrace 28 | echo \n\n 29 | continue 30 | end 31 | 32 | continue 33 | end 34 | 35 | run 36 | -------------------------------------------------------------------------------- /LibOS/shim/src/generated-offsets.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "generated-offsets-build.h" 4 | #include "shim_internal.h" 5 | #include "shim_tcb.h" 6 | 7 | __attribute__((__used__)) static void dummy(void) { 8 | OFFSET_T(SHIM_TCB_OFF, PAL_TCB, libos_tcb); 9 | OFFSET_T(SHIM_TCB_LIBOS_STACK_OFF, shim_tcb_t, libos_stack_bottom); 10 | OFFSET_T(SHIM_TCB_SCRATCH_PC_OFF, shim_tcb_t, syscall_scratch_pc); 11 | 12 | OFFSET_T(PAL_CONTEXT_FPREGS_OFF, struct PAL_CONTEXT, fpregs); 13 | OFFSET_T(PAL_CONTEXT_MXCSR_OFF, struct PAL_CONTEXT, mxcsr); 14 | OFFSET_T(PAL_CONTEXT_FPCW_OFF, struct PAL_CONTEXT, fpcw); 15 | OFFSET_T(PAL_CONTEXT_FPREGS_USED_OFF, struct PAL_CONTEXT, is_fpregs_used); 16 | 17 | DEFINE(SHIM_XSTATE_ALIGN, SHIM_XSTATE_ALIGN); 18 | DEFINE(RED_ZONE_SIZE, RED_ZONE_SIZE); 19 | } 20 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/multi_pthread_exitless.manifest: -------------------------------------------------------------------------------- 1 | loader.preload = "file:../../src/libsysdb.so" 2 | loader.env.LD_LIBRARY_PATH = "/lib" 3 | libos.entrypoint = "file:multi_pthread" 4 | loader.argv0_override = "multi_pthread" 5 | 6 | fs.mount.lib.type = "chroot" 7 | fs.mount.lib.path = "/lib" 8 | fs.mount.lib.uri = "file:../../../../Runtime" 9 | 10 | sgx.trusted_files.ld = "file:../../../../Runtime/ld-linux-x86-64.so.2" 11 | sgx.trusted_files.libc = "file:../../../../Runtime/libc.so.6" 12 | sgx.trusted_files.libpthread = "file:../../../../Runtime/libpthread.so.0" 13 | sgx.trusted_files.multi_pthread = "file:multi_pthread" 14 | 15 | # app runs with 4 parallel threads + Graphene has couple internal threads 16 | sgx.thread_num = 8 17 | sgx.rpc_thread_num = 8 18 | 19 | sgx.nonpie_binary = 1 20 | sgx.enable_stats = 1 21 | -------------------------------------------------------------------------------- /python/graphenelibos/meson.build: -------------------------------------------------------------------------------- 1 | conf = configuration_data() 2 | conf.set('VERSION', meson.project_version()) 3 | 4 | init_py = configure_file( 5 | input: '__init__.py', 6 | output: '__init__.py', 7 | configuration: conf, 8 | ) 9 | 10 | python3_pkgdir = join_paths(python3mod.sysconfig_path('platlib'), 'graphenelibos') 11 | 12 | install_data([ 13 | init_py, 14 | ], install_dir: python3_pkgdir) 15 | 16 | if sgx 17 | offsets_py = configure_file( 18 | input: '../../Pal/src/host/Linux-SGX/generated_offsets.py', 19 | output: '_offsets.py', 20 | configuration: configuration_data(), 21 | ) 22 | 23 | install_data([ 24 | offsets_py, 25 | '_aesm_pb2.py', 26 | 'sgx_get_token.py', 27 | 'sgx_sign.py', 28 | ], install_dir: python3_pkgdir) 29 | endif 30 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/gdb_integration/graphene_sgx_gdb.py: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | # Copyright (C) 2020 Intel Corporation 3 | # Michał Kowalczyk 4 | # Paweł Marczewski 5 | 6 | import os 7 | 8 | import gdb # pylint: disable=import-error 9 | 10 | def main(): 11 | for filename in [ 12 | 'common/pagination_gdb.py', 13 | 'common/debug_map_gdb.py', 14 | 'common/graphene.gdb', 15 | 'graphene_sgx.gdb', 16 | ]: 17 | print("[%s] Loading %s..." % (os.path.basename(__file__), filename)) 18 | path = os.path.join(os.path.dirname(__file__), filename) 19 | gdb.execute("source " + path) 20 | 21 | 22 | if __name__ == "__main__": 23 | main() 24 | -------------------------------------------------------------------------------- /Documentation/manpages/pal_loader.rst: -------------------------------------------------------------------------------- 1 | .. program:: pal_loader 2 | 3 | ====================================== 4 | :program:`pal_loader` -- Run something 5 | ====================================== 6 | 7 | .. note:: 8 | 9 | This page is a stub. 10 | 11 | Synopsis 12 | ======== 13 | 14 | :command:`pal_loader` [SGX] [GDB] {<*APPLICATION*>} [<*ARGS*> ...] 15 | 16 | Description 17 | =========== 18 | 19 | Command line arguments 20 | ====================== 21 | 22 | .. option:: SGX 23 | 24 | Enable :term:`SGX`. 25 | 26 | .. seealso:: 27 | 28 | :envvar:`SGX environment variable ` 29 | For an equivalent. 30 | 31 | Environment variables 32 | ===================== 33 | 34 | .. envvar:: SGX 35 | 36 | If not empty and not ``0``, enable :term:`SGX`. Could be used instead of 37 | :option:`SGX option `. 38 | -------------------------------------------------------------------------------- /Examples/tensorflow-lite/README.md: -------------------------------------------------------------------------------- 1 | This example demonstrates how to run TensorFlow Lite v1.9. In particular, the 2 | example runs `label_image` program on Graphene. It reads an input image 3 | `image.bmp` from the current directory and uses TensorFlow Lite and the 4 | Inception v3 model to label the image. 5 | 6 | To install build dependencies on Ubuntu there is a convenience target invoked 7 | with `make install-dependencies-ubuntu`. This also serves as a starting point to 8 | figure out which packages to install on newer releases of Ubuntu. 9 | 10 | To build TensorFlow Lite and Graphene artifacts: 11 | - without SGX do `make` 12 | - with SGX do `make SGX=1 ` 13 | 14 | To run the image labeling example: 15 | - without Graphene do `make run-native` 16 | - with Graphene do `make run-graphene` 17 | - with Graphene-SGX do `make SGX=1 run-graphene` 18 | -------------------------------------------------------------------------------- /Pal/regression/Failure.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "pal.h" 4 | #include "pal_debug.h" 5 | #include "pal_error.h" 6 | 7 | int handled = 0; 8 | 9 | static void FailureHandler(bool is_in_pal, PAL_NUM arg, PAL_CONTEXT* context) { 10 | __UNUSED(is_in_pal); 11 | 12 | pal_printf("Failure notified: %s\n", pal_strerror((unsigned long)arg)); 13 | 14 | handled = 1; 15 | } 16 | 17 | int main(int argc, char** argv, char** envp) { 18 | pal_printf("Enter Main Thread\n"); 19 | 20 | DkSetExceptionHandler(FailureHandler, PAL_EVENT_FAILURE); 21 | 22 | PAL_HANDLE out = DkStreamOpen("foo:unknown", PAL_ACCESS_WRONLY, 0, 0, 0); 23 | 24 | if (!out && !handled) { 25 | pal_printf("DkStreamOpen failed\n"); 26 | return -1; 27 | } 28 | 29 | pal_printf("Leave Main Thread\n"); 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /Examples/curl/README.md: -------------------------------------------------------------------------------- 1 | # Curl 2 | 3 | This directory contains a Makefile and template manifest to run curl on Graphene. We tested it with 4 | curl 7.47.0 on Ubuntu 16.04 and with curl 7.58.0 on Ubuntu 18.04. This example uses curl installed 5 | on the system instead of compiling from source as some of the other examples do. On Ubuntu 16.04, 6 | please make sure that `libnss-mdns` is installed and if not, run the following command: 7 | 8 | ```sh 9 | sudo apt-get install libnss-mdns 10 | ``` 11 | 12 | The Makefile and the template manifest contain comments to hopefully make them easier to understand. 13 | 14 | # Quick Start 15 | 16 | To run the regression test execute ```make check```. To do the same for SGX, execute ```make SGX=1 17 | check```. The regression test downloads the index page of `example.com`, thus it requires Internet 18 | connection. 19 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/debug_regs-x86_64.gdb: -------------------------------------------------------------------------------- 1 | set breakpoint pending on 2 | set pagination off 3 | 4 | # Run until trap #1 5 | run 6 | 7 | # Run until trap #2, check RDX register read 8 | set val = 0x1000100010001000 9 | continue 10 | echo \n\n 11 | print/x $rdx 12 | echo \n\n 13 | 14 | # Check RDX register write 15 | set $rdx = 0x2000200020002000 16 | next 17 | echo \n\n 18 | print/x val 19 | echo \n\n 20 | 21 | # Run until trap #3, check XMM0 register read 22 | set val = 0x3000300030003000 23 | continue 24 | echo \n\n 25 | print/x $xmm0.uint128 26 | echo \n\n 27 | 28 | # Check XMM0 register write 29 | set $xmm0.uint128 = 0x4000400040004000 30 | next 31 | echo \n\n 32 | print/x val 33 | echo \n\n 34 | 35 | # Run until end 36 | continue 37 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/large_mmap.manifest: -------------------------------------------------------------------------------- 1 | loader.preload = "file:../../src/libsysdb.so" 2 | libos.entrypoint = "file:large_mmap" 3 | loader.argv0_override = "large_mmap" 4 | 5 | loader.env.LD_LIBRARY_PATH = "/lib" 6 | 7 | # application allocates 2GB and 4GB memory regions which may occasionally fail 8 | # in an SGX enclave restricted to 8GB of virtual space if ASLR is enabled 9 | loader.insecure__disable_aslr = 1 10 | 11 | fs.mount.lib.type = "chroot" 12 | fs.mount.lib.path = "/lib" 13 | fs.mount.lib.uri = "file:../../../../Runtime" 14 | 15 | sgx.trusted_files.ld = "file:../../../../Runtime/ld-linux-x86-64.so.2" 16 | sgx.trusted_files.libc = "file:../../../../Runtime/libc.so.6" 17 | sgx.trusted_files.large_mmap = "file:large_mmap" 18 | 19 | sgx.allowed_files.testfile = "file:testfile" 20 | 21 | sgx.enclave_size = "8G" 22 | 23 | sgx.nonpie_binary = 1 24 | -------------------------------------------------------------------------------- /Pal/regression/Exception2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "pal.h" 4 | #include "pal_debug.h" 5 | 6 | int count = 0; 7 | int i = 0; 8 | 9 | static void handler(bool is_in_pal, PAL_NUM arg, PAL_CONTEXT* context) { 10 | __UNUSED(is_in_pal); 11 | 12 | pal_printf("failure in the handler: 0x%08lx\n", arg); 13 | count++; 14 | 15 | if (count == 30) 16 | DkProcessExit(0); 17 | } 18 | 19 | int main(void) { 20 | pal_printf("Enter Main Thread\n"); 21 | 22 | DkSetExceptionHandler(handler, PAL_EVENT_ARITHMETIC_ERROR); 23 | 24 | __asm__ volatile ( 25 | "movq $1, %%rax\n" 26 | "cqo\n" 27 | "movq $0, %%rbx\n" 28 | "divq %%rbx\n" 29 | "nop\n" 30 | ::: "rax", "rbx", "rdx", "cc"); 31 | 32 | pal_printf("Leave Main Thread\n"); 33 | return 0; 34 | } 35 | -------------------------------------------------------------------------------- /Pal/src/db_mutex.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This file contains APIs that provides operations of mutexes. 6 | */ 7 | 8 | #include "api.h" 9 | #include "pal.h" 10 | #include "pal_defs.h" 11 | #include "pal_error.h" 12 | #include "pal_internal.h" 13 | 14 | PAL_HANDLE 15 | DkMutexCreate(PAL_NUM initialCount) { 16 | PAL_HANDLE handle = NULL; 17 | int ret = _DkMutexCreate(&handle, initialCount); 18 | 19 | if (ret < 0) { 20 | _DkRaiseFailure(-ret); 21 | handle = NULL; 22 | } 23 | 24 | return handle; 25 | } 26 | 27 | void DkMutexRelease(PAL_HANDLE handle) { 28 | if (!handle || !IS_HANDLE_TYPE(handle, mutex)) { 29 | _DkRaiseFailure(PAL_ERROR_INVAL); 30 | return; 31 | } 32 | 33 | _DkMutexRelease(handle); 34 | } 35 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/Makefile.am: -------------------------------------------------------------------------------- 1 | # Add host-specific compilation rules here 2 | 3 | CFLAGS += -fPIC -maes -Wp,-U_FORTIFY_SOURCE -fno-builtin $(call cc-option,-Wtrampolines) 4 | 5 | CFLAGS += -Wextra $(call cc-option,-Wnull-dereference) 6 | 7 | ASFLAGS += -DPIC -DSHARED -fPIC -DASSEMBLER -Wa,--noexecstack \ 8 | -x assembler-with-cpp 9 | LDFLAGS += -shared -nostdlib -z combreloc -z defs \ 10 | --version-script $(HOST_DIR)/pal.map -T $(HOST_DIR)/enclave.lds \ 11 | --eh-frame-hdr \ 12 | --hash-style=gnu -z relro -z now 13 | 14 | CRYPTO_PROVIDER = mbedtls 15 | CFLAGS += -DCRYPTO_USE_MBEDTLS 16 | 17 | pal_loader = $(HOST_DIR)/pal-sgx 18 | pal_lib = $(HOST_DIR)/libpal.so 19 | pal_lib_deps = pal-symbols $(HOST_DIR)/pal.map.template $(HOST_DIR)/enclave.lds 20 | pal_static = $(HOST_DIR)/libpal.a 21 | pal_signer = pal-sgx-get-token pal-sgx-sign aesm_pb2.py 22 | -------------------------------------------------------------------------------- /Scripts/Makefile.python: -------------------------------------------------------------------------------- 1 | # By default, Graphene runs the system Python 3.5 executable. 2 | PYTHONVERSION ?= python3.5 3 | PYTHONPATH ?= /usr 4 | 5 | # Fedora/RedHat use /usr/lib64, Ubuntu /usr/lib 6 | ifneq ($(wildcard $(PYTHONPATH)/lib64/*),) 7 | PYTHONLIBDIR = lib64 8 | else 9 | PYTHONLIBDIR = lib 10 | endif 11 | PYTHONHOME := $(PYTHONPATH)/$(PYTHONLIBDIR)/$(PYTHONVERSION) 12 | 13 | PYTHONDISTHOME := $(PYTHONPATH)/$(PYTHONLIBDIR)/python3/dist-packages 14 | ifeq ($(wildcard $(PYTHONDISTHOME)/*),) 15 | # Fedora/RedHat case 16 | PYTHONDISTHOME := $(PYTHONPATH)/$(PYTHONLIBDIR)/$(PYTHONVERSION)/site-packages 17 | endif 18 | 19 | PYTHONEXEC := $(PYTHONPATH)/bin/$(PYTHONVERSION) 20 | PYTHONSHORTVERSION := $(subst python,,$(subst .,,$(PYTHONVERSION))) 21 | 22 | # Fedora/Redhat and Ubuntu use for example x86_64-linux-gnu 23 | PYTHON_ARCH_LONG := $(ARCH)-linux-gnu 24 | -------------------------------------------------------------------------------- /Scripts/Makefile.Host: -------------------------------------------------------------------------------- 1 | all_hosts = Skeleton Linux Linux-SGX 2 | 3 | ifneq ($(MAKEFILE_CONFIGS_INCLUDED),y) 4 | $(error do not include Makefile.Host directly. include Makefile.configs) 5 | endif 6 | 7 | ifeq ($(PAL_HOST),) 8 | ifeq ($(findstring linux,$(SYS)),linux) 9 | PAL_HOST := Linux 10 | else 11 | $(error Unsupported platform: $(SYS)) 12 | endif 13 | endif 14 | 15 | ifeq ($(SGX_RUN),1) 16 | $(error "SGX_RUN has been removed. Always set SGX=1 if building for SGX and use the 'sgx-tokens' make target to build launch/EINIT tokens") 17 | endif 18 | 19 | ifeq ($(SGX),1) 20 | PAL_HOST := $(patsubst %-SGX,%,$(PAL_HOST))-SGX 21 | endif 22 | 23 | ifeq ($(findstring $(PAL_HOST),$(all_hosts)),) 24 | $(error Unsupported platform: $(PAL_HOST)) 25 | endif 26 | 27 | export PAL_HOST 28 | 29 | .DEFAULT_GOAL := all 30 | .PHONY: print_host 31 | print_host: 32 | @echo $(PAL_HOST) 33 | -------------------------------------------------------------------------------- /LibOS/shim/include/shim_entry.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2021 Intel Corporation 3 | * Paweł Marczewski 4 | */ 5 | 6 | /* 7 | * This file describes Graphene's entrypoints from userspace (mostly from patched glibc). 8 | */ 9 | 10 | #ifndef SHIM_ENTRY_H_ 11 | #define SHIM_ENTRY_H_ 12 | 13 | /*! 14 | * \brief LibOS syscall emulation entrypoint. 15 | * 16 | * Actual implementation and ABI are architecture-specific, but generally should dump the CPU 17 | * context and call `shim_emulate_syscall`. 18 | */ 19 | void syscalldb(void); 20 | 21 | /*! 22 | * \brief Register a new library after loading by dynamic linker. 23 | * 24 | * Used mostly for debugger integration. 25 | */ 26 | int register_library(const char* name, unsigned long load_address); 27 | 28 | #endif /* SHIM_ENTRY_H_ */ 29 | -------------------------------------------------------------------------------- /Examples/busybox/README.md: -------------------------------------------------------------------------------- 1 | # Busybox 2 | 3 | This directory contains the Makefile and the template manifest for the most 4 | recent version of Busybox (as of this writing, commit ac78f2ac96). This was 5 | tested on a machine with SGX v1 and Ubuntu 16.04. 6 | 7 | The Makefile and the template manifest contain extensive comments and are made 8 | self-explanatory. Please review them to gain understanding in Graphene-SGX 9 | and requirements for applications running under Graphene-SGX. 10 | 11 | # Quick Start 12 | 13 | ```sh 14 | # build Busybox and the final manifest 15 | make SGX=1 16 | 17 | # run Busybox shell in non-SGX Graphene 18 | ./pal_loader busybox sh 19 | 20 | # run Busybox shell in Graphene-SGX 21 | SGX=1 ./pal_loader busybox sh 22 | 23 | # now a shell session should be running e.g. typing: 24 | ls 25 | # should run program `ls` which lists current working directory 26 | ``` 27 | -------------------------------------------------------------------------------- /Pal/src/host/Skeleton/db_exception.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This file contains APIs to set up handlers of exceptions issued by the host, and the methods to 6 | * pass the exceptions to the upcalls. 7 | */ 8 | 9 | #include "api.h" 10 | #include "pal.h" 11 | #include "pal_defs.h" 12 | #include "pal_error.h" 13 | #include "pal_internal.h" 14 | 15 | typedef void (*PAL_UPCALL)(PAL_PTR, PAL_NUM, PAL_CONTEXT*); 16 | 17 | int (*_DkExceptionHandlers[PAL_EVENT_NUM_BOUND])(int, PAL_UPCALL, int) = { 18 | /* reserved */ NULL, 19 | /* DivZero */ NULL, 20 | /* MemFault */ NULL, 21 | /* Illegal */ NULL, 22 | /* Quit */ NULL, 23 | /* Interrupt */ NULL, 24 | /* Failure */ NULL, 25 | }; 26 | 27 | void _DkRaiseFailure(int error) { 28 | /* needs to be implemented */ 29 | } 30 | -------------------------------------------------------------------------------- /Scripts/gitignore-test: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eu -o pipefail 4 | 5 | # Intended to be run after a build. Returns 1 (i.e. failure) if there's at 6 | # least one modified or untracked file which is not gitignored. 7 | 8 | # Don't inline it in the if, since we want to exit on error return codes (set -e). 9 | status="$(git status --porcelain)" 10 | 11 | if [ -z "$status" ]; then 12 | echo "No not-gitignored changes :]" 13 | exit 0 14 | fi 15 | 16 | echo "================================================================================" 17 | echo " ERROR: Files modified by build, but not gitignored:" 18 | echo "--------------------------------------------------------------------------------" 19 | echo "$status" 20 | git submodule foreach --recursive git status --porcelain 21 | echo "================================================================================" 22 | exit 1 23 | -------------------------------------------------------------------------------- /.ci/run-pylint: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | cd "$(git rev-parse --show-toplevel)" 6 | 7 | # pylint3 was replaced with pylint from Ubuntu 19.10 8 | PYLINT=$(command -v pylint3) || true 9 | if [ -z "$PYLINT" ]; then 10 | PYLINT=$(command -v pylint) 11 | fi 12 | 13 | find . -name \*.py \ 14 | -and -not -path ./Pal/lib/crypto/mbedtls/\* \ 15 | -and -not -path ./LibOS/glibc-build/\* \ 16 | -and -not -path ./LibOS/glibc-\?.\?\?/\* \ 17 | -and -not -path ./LibOS/shim/test/ltp/src/\* \ 18 | -and -not -path ./LibOS/shim/test/ltp/build/\* \ 19 | -and -not -path ./LibOS/shim/test/ltp/install/\* \ 20 | -and -not -path ./Examples/pytorch/\* \ 21 | | sed 's/./\\&/g' \ 22 | | xargs "${PYLINT}" "$@" \ 23 | Pal/src/host/Linux-SGX/signer/pal-sgx-get-token \ 24 | Pal/src/host/Linux-SGX/signer/pal-sgx-sign \ 25 | python/graphene-sgx-get-token \ 26 | python/graphene-sgx-sign 27 | -------------------------------------------------------------------------------- /Tools/gsc/templates/Dockerfile.ubuntu18.04.sign.template: -------------------------------------------------------------------------------- 1 | # Sign image in a separate stage to ensure that signing key is never part of the final image 2 | 3 | FROM {{image}} as unsigned_image 4 | 5 | RUN locale-gen en_US.UTF-8 6 | ENV LC_ALL en_US.UTF-8 7 | ENV LANG en_US.UTF-8 8 | ENV LANGUAGE en_US.UTF-8 9 | 10 | COPY gsc-signer-key.pem /gsc-signer-key.pem 11 | 12 | RUN /graphene/python/graphene-sgx-sign \ 13 | -libpal /graphene/Runtime/libpal-Linux-SGX.so \ 14 | -key /gsc-signer-key.pem \ 15 | -manifest /entrypoint.manifest \ 16 | -output /entrypoint.manifest.sgx 17 | 18 | # This trick removes all temporary files from the previous commands (including gsc-signer-key.pem) 19 | FROM {{image}} 20 | 21 | COPY --from=unsigned_image /*.sig / 22 | COPY --from=unsigned_image /*.sgx / 23 | 24 | RUN rm /graphene/python/graphene-sgx-sign /graphene/python/graphenelibos/sgx_sign.py 25 | -------------------------------------------------------------------------------- /Examples/bash/README.md: -------------------------------------------------------------------------------- 1 | # Bash example 2 | 3 | This directory contains an example for running Bash in Graphene, including 4 | the Makefile and a template for generating the manifest. The application is 5 | tested on Ubuntu 16.04, with both normal Linux and SGX platforms. 6 | 7 | # Generating the manifest 8 | 9 | ## Building for Linux 10 | 11 | Run `make` (non-debug) or `make DEBUG=1` (debug) in the directory. 12 | 13 | ## Building for SGX 14 | 15 | Run `make SGX=1` (non-debug) or `make SGX=1 DEBUG=1` (debug) in the directory. 16 | 17 | # Running Bash with Graphene 18 | 19 | Here's an example of running Bash scripts under Graphene: 20 | 21 | Without SGX: 22 | ``` 23 | ./pal_loader ./bash -c "ls" 24 | ./pal_loader ./bash -c "cd scripts && bash bash_test.sh 2" 25 | ``` 26 | 27 | With SGX: 28 | ``` 29 | SGX=1 ./pal_loader ./bash -c "ls" 30 | SGX=1 ./pal_loader ./bash -c "cd scripts && bash bash_test.sh 2" 31 | ``` 32 | -------------------------------------------------------------------------------- /Pal/include/arch/x86_64/Linux/pal_host-arch.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | /* 4 | * This file contains Linux on x86_64 specific functions related to the PAL. 5 | */ 6 | 7 | #ifndef __LINUX_X86_64_PAL_HOST_ARCH_H__ 8 | #define __LINUX_X86_64_PAL_HOST_ARCH_H__ 9 | 10 | #ifdef IN_PAL 11 | 12 | #if defined(__i386__) 13 | #include 14 | #else 15 | #include 16 | #endif 17 | 18 | #include "sysdep-arch.h" 19 | 20 | /* Graphene uses GCC's stack protector that looks for canary at gs:[0x8], but this function changes 21 | * the GS register value, so we disable stack protector here (even though it is mostly inlined) */ 22 | __attribute__((__optimize__("-fno-stack-protector"))) static inline int pal_set_tcb(PAL_TCB* tcb) { 23 | return INLINE_SYSCALL(arch_prctl, 2, ARCH_SET_GS, tcb); 24 | } 25 | 26 | #endif /* IN_PAL */ 27 | 28 | #endif /* __LINUX_X86_64_PAL_HOST_ARCH_H__ */ 29 | -------------------------------------------------------------------------------- /Pal/lib/string/memset.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Invisible Things Lab 3 | * Michał Kowalczyk 4 | */ 5 | 6 | #include 7 | 8 | #include "api.h" 9 | 10 | void* memset(void* dest, int ch, size_t count) { 11 | char* d = dest; 12 | #if defined(__x86_64__) 13 | /* "Beginning with processors based on Intel microarchitecture code name Ivy Bridge, REP string 14 | * operation using MOVSB and STOSB can provide both flexible and high-performance REP string 15 | * operations for software in common situations like memory copy and set operations" 16 | * Intel 64 and IA-32 Architectures Optimization Reference Manual 17 | */ 18 | __asm__ volatile("rep stosb" : "+D"(d), "+c"(count) : "a"((uint8_t)ch) : "cc", "memory"); 19 | #else 20 | while (count--) 21 | *d++ = ch; 22 | #endif 23 | return dest; 24 | } 25 | -------------------------------------------------------------------------------- /LibOS/shim/src/shim_arch_prctl-x86_64.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University 3 | * Copyright (C) 2020 Intel Corporation 4 | * Michał Kowalczyk 5 | * Borys Popławski 6 | */ 7 | 8 | #include 9 | 10 | #include "pal.h" 11 | #include "shim_internal.h" 12 | #include "shim_table.h" 13 | #include "shim_tcb.h" 14 | 15 | long shim_do_arch_prctl(int code, void* addr) { 16 | switch (code) { 17 | case ARCH_SET_FS: 18 | set_tls((unsigned long)addr); 19 | return 0; 20 | 21 | case ARCH_GET_FS: 22 | return DkSegmentRegisterGet(PAL_SEGMENT_FS, addr) ? 0 : -PAL_ERRNO(); 23 | 24 | default: 25 | log_warning("Not supported flag (0x%x) passed to arch_prctl\n", code); 26 | return -ENOSYS; 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /Pal/regression/.gitignore: -------------------------------------------------------------------------------- 1 | /*.tmp 2 | /*.xml 3 | /*.manifest 4 | 5 | !Bootstrap3.manifest 6 | !Bootstrap6.manifest 7 | !Bootstrap7.manifest 8 | !File.manifest 9 | !Process3.manifest 10 | !Thread2.manifest 11 | !Thread2_exitless.manifest 12 | 13 | /pal_loader 14 | 15 | /.cache 16 | /..Bootstrap 17 | /AttestationReport 18 | /avl_tree_test 19 | /Bootstrap 20 | /Bootstrap3 21 | /Bootstrap6 22 | /Bootstrap7 23 | /Directory 24 | /Event 25 | /Event2 26 | /Exception 27 | /Exception2 28 | /Exit 29 | /Failure 30 | /File 31 | /File2 32 | /HelloWorld 33 | /Hex 34 | /Memory 35 | /Misc 36 | /Pie 37 | /Pipe 38 | /Preload1.so 39 | /Preload2.so 40 | /Process 41 | /Process2 42 | /Process3 43 | /Process4 44 | /Segment 45 | /Select 46 | /Semaphore 47 | /SendHandle 48 | /Sleep 49 | /Socket 50 | /Symbols 51 | /Tcp 52 | /Thread 53 | /Thread2 54 | /Thread2_exitless 55 | /Udp 56 | /Wait 57 | /Yield 58 | /normalize_path 59 | 60 | /test_file_0 61 | /test_file_1 62 | /test_file_2 63 | -------------------------------------------------------------------------------- /Pal/include/lib/debug_map.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Intel Corporation 3 | * Paweł Marczewski 4 | */ 5 | 6 | /* 7 | * Internal debug maps, used to communicate with GDB. 8 | * 9 | * Note that this is part of a common library, and not part of libpal, to support setups in which 10 | * the debug maps are maintained in an "outer" binary instead of the main PAL binary. 11 | */ 12 | 13 | #ifndef PAL_DEBUG_MAP_H 14 | #define PAL_DEBUG_MAP_H 15 | 16 | struct debug_map { 17 | char* name; 18 | void* addr; 19 | 20 | struct debug_map* _Atomic next; 21 | }; 22 | 23 | extern struct debug_map* _Atomic g_debug_map; 24 | 25 | /* GDB will set a breakpoint on this function. */ 26 | void debug_map_update_debugger(void); 27 | 28 | int debug_map_add(const char* name, void* addr); 29 | int debug_map_remove(void* addr); 30 | 31 | #endif /* PAL_DEBUG_MAP_H */ 32 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/multi_pthread.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #define THREAD_NUM 32 8 | #define CONC_THREAD_NUM 4 9 | 10 | atomic_int counter = 0; 11 | 12 | static void* inc(void* arg) { 13 | counter++; 14 | return NULL; 15 | } 16 | 17 | int main(int argc, char** argv) { 18 | for (int i = 0; i < THREAD_NUM; i++) { 19 | pthread_t thread[CONC_THREAD_NUM]; 20 | 21 | /* create several threads running in parallel */ 22 | for (int j = 0; j < CONC_THREAD_NUM; j++) { 23 | pthread_create(&thread[j], NULL, inc, NULL); 24 | } 25 | 26 | /* join threads and continue with the next batch */ 27 | for (int j = 0; j < CONC_THREAD_NUM; j++) { 28 | pthread_join(thread[j], NULL); 29 | } 30 | } 31 | 32 | printf("%d Threads Created\n", counter); 33 | return 0; 34 | } 35 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/sgx_log.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Intel Corporation 3 | * Paweł Marczewski 4 | */ 5 | 6 | #include 7 | 8 | #include "pal_debug.h" 9 | #include "pal_internal.h" 10 | #include "pal_linux.h" 11 | #include "perm.h" 12 | #include "sgx_log.h" 13 | 14 | int g_urts_log_level = PAL_LOG_DEFAULT_LEVEL; 15 | int g_urts_log_fd = PAL_LOG_DEFAULT_FD; 16 | 17 | int urts_log_init(const char* path) { 18 | int ret; 19 | 20 | if (g_urts_log_fd != PAL_LOG_DEFAULT_FD) { 21 | ret = INLINE_SYSCALL(close, 1, g_urts_log_fd); 22 | g_urts_log_fd = PAL_LOG_DEFAULT_FD; 23 | if (ret < 0) 24 | return ret; 25 | } 26 | 27 | ret = INLINE_SYSCALL(open, 3, path, O_WRONLY | O_APPEND | O_CREAT, PERM_rw_______); 28 | if (ret < 0) 29 | return ret; 30 | g_urts_log_fd = ret; 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /LibOS/shim/test/fs/copy_mmap_whole.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | void copy_data(int fi, int fo, const char* input_path, const char* output_path, size_t size) { 4 | if (size > 0) { 5 | // map whole input/output file 6 | void* in = mmap_fd(input_path, fi, PROT_READ, 0, size); 7 | printf("mmap_fd(%zu) input OK\n", size); 8 | void* out = mmap_fd(output_path, fo, PROT_WRITE, 0, size); 9 | printf("mmap_fd(%zu) output OK\n", size); 10 | // copy data 11 | if (ftruncate(fo, size) != 0) 12 | fatal_error("ftruncate(%s, %zu) failed: %s\n", output_path, size, strerror(errno)); 13 | printf("ftruncate(%zu) output OK\n", size); 14 | memcpy(out, in, size); 15 | // unmap 16 | munmap_fd(input_path, in, size); 17 | printf("munmap_fd(%zu) input OK\n", size); 18 | munmap_fd(output_path, out, size); 19 | printf("munmap_fd(%zu) output OK\n", size); 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /Pal/include/lib/perm.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Intel Corporation 3 | * Paweł Marczewski 4 | */ 5 | 6 | /* 7 | * Human-readable macros for common file permissions. 8 | * Inspired by Linux patch by Ingo Molnar (https://lwn.net/Articles/696231/). 9 | */ 10 | 11 | #ifndef PERM_H 12 | #define PERM_H 13 | 14 | #define PERM_r________ 0400 15 | #define PERM_r__r_____ 0440 16 | #define PERM_r__r__r__ 0444 17 | 18 | #define PERM_rw_______ 0600 19 | #define PERM_rw_r_____ 0640 20 | #define PERM_rw_r__r__ 0644 21 | #define PERM_rw_rw_r__ 0664 22 | #define PERM_rw_rw_rw_ 0666 23 | 24 | #define PERM_r_x______ 0500 25 | #define PERM_r_xr_x___ 0550 26 | #define PERM_r_xr_xr_x 0555 27 | 28 | #define PERM_rwx______ 0700 29 | #define PERM_rwxr_x___ 0750 30 | #define PERM_rwxr_xr_x 0755 31 | #define PERM_rwxrwxr_x 0775 32 | #define PERM_rwxrwxrwx 0777 33 | 34 | #endif /* PERM_H */ 35 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/gdb_integration/sgx_gdb.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define MAX_DBG_THREADS 1024 4 | 5 | /* This address is shared between our GDB and Graphene-SGX and must 6 | * reside in non-enclave memory. Graphene-SGX puts an enclave_dbginfo 7 | * object at this address and periodically updates it. Our GDB 8 | * reads the object from this address to update its internal structs 9 | * and learn about enclave layout, active threads, etc. */ 10 | #define DBGINFO_ADDR 0x100000000000 11 | 12 | /* This struct is read using PTRACE_PEEKDATA in 8B increments 13 | * therefore it is aligned as uint64_t. */ 14 | struct __attribute__((aligned(__alignof__(uint64_t)))) enclave_dbginfo { 15 | int pid; 16 | uint64_t base; 17 | uint64_t size; 18 | uint64_t ssa_frame_size; 19 | void* aep; 20 | void* eresume; 21 | int thread_tids[MAX_DBG_THREADS]; 22 | void* tcs_addrs[MAX_DBG_THREADS]; 23 | uint64_t thread_stepping[MAX_DBG_THREADS / 64]; /* bit vector */ 24 | }; 25 | -------------------------------------------------------------------------------- /Pal/lib/crypto/udivmodti4.h: -------------------------------------------------------------------------------- 1 | /* ===-- udivmodti4.c - Implement __udivmodti4 -----------------------------=== 2 | * 3 | * The LLVM Compiler Infrastructure 4 | * 5 | * This file is dual licensed under the MIT and the University of Illinois Open 6 | * Source Licenses. See LICENSE.TXT for details. 7 | * 8 | * ===----------------------------------------------------------------------=== 9 | * 10 | * This file implements __udivmodti4 for the compiler_rt library. 11 | * 12 | * ===----------------------------------------------------------------------=== 13 | */ 14 | 15 | #ifndef _UDIVMODTI4_ 16 | #define _UDIVMODTI4_ 17 | 18 | typedef long long di_int; 19 | typedef unsigned long long du_int; 20 | 21 | typedef int si_int; 22 | typedef unsigned int su_int; 23 | 24 | typedef int ti_int __attribute__((mode (TI))); 25 | typedef unsigned int tu_int __attribute__((mode (TI))); 26 | 27 | tu_int __udivti3(tu_int a, tu_int b); 28 | 29 | #endif /* _UDIVMODTI4_ */ 30 | -------------------------------------------------------------------------------- /Pal/src/host/Skeleton/db_main.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This file contains the main function of the PAL loader, which loads and processes environment, 6 | * arguments and manifest. 7 | */ 8 | 9 | #include "api.h" 10 | #include "pal.h" 11 | #include "pal_debug.h" 12 | #include "pal_defs.h" 13 | #include "pal_error.h" 14 | #include "pal_internal.h" 15 | 16 | /* must implement "pal_start", and call "pal_main" inside */ 17 | void pal_start(void); 18 | 19 | unsigned long _DkGetAllocationAlignment(void) { 20 | return 0; 21 | } 22 | 23 | void _DkGetAvailableUserAddressRange(PAL_PTR* start, PAL_PTR* end) { 24 | /* needs to be implemented */ 25 | } 26 | 27 | PAL_NUM _DkGetProcessId(void) { 28 | return 0; 29 | } 30 | 31 | int _DkGetCPUInfo(PAL_CPU_INFO* ci) { 32 | /* needs to be implemented */ 33 | return 0; 34 | } 35 | 36 | int _DkGetTopologyInfo(PAL_TOPO_INFO* topo_info) { 37 | return 0; 38 | } 39 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/attestation.manifest.template: -------------------------------------------------------------------------------- 1 | loader.preload = "file:../../src/libsysdb.so" 2 | libos.entrypoint = "file:attestation" 3 | loader.argv0_override = "attestation" 4 | 5 | loader.env.LD_LIBRARY_PATH = "/lib" 6 | loader.insecure__use_cmdline_argv = 1 7 | 8 | fs.mount.lib.type = "chroot" 9 | fs.mount.lib.path = "/lib" 10 | fs.mount.lib.uri = "file:../../../../Runtime" 11 | 12 | fs.mount.bin.type = "chroot" 13 | fs.mount.bin.path = "/bin" 14 | fs.mount.bin.uri = "file:/bin" 15 | 16 | # sgx-related 17 | sgx.trusted_files.ld = "file:../../../../Runtime/ld-linux-x86-64.so.2" 18 | sgx.trusted_files.libc = "file:../../../../Runtime/libc.so.6" 19 | sgx.trusted_files.libdl = "file:../../../../Runtime/libdl.so.2" 20 | sgx.trusted_files.libm = "file:../../../../Runtime/libm.so.6" 21 | sgx.trusted_files.attestation = "file:attestation" 22 | 23 | sgx.nonpie_binary = 1 24 | 25 | sgx.remote_attestation = 1 26 | sgx.ra_client_spid = "$(RA_CLIENT_SPID)" 27 | sgx.ra_client_linkable = $(RA_CLIENT_LINKABLE) 28 | -------------------------------------------------------------------------------- /Pal/src/host/Skeleton/db_memory.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This file contains APIs that allocate, free or protect virtual memory. 6 | */ 7 | 8 | #include "api.h" 9 | #include "pal.h" 10 | #include "pal_debug.h" 11 | #include "pal_defs.h" 12 | #include "pal_error.h" 13 | #include "pal_internal.h" 14 | 15 | bool _DkCheckMemoryMappable(const void* addr, size_t size) { 16 | return true; 17 | } 18 | 19 | int _DkVirtualMemoryAlloc(void** paddr, uint64_t size, int alloc_type, int prot) { 20 | return -PAL_ERROR_NOTIMPLEMENTED; 21 | } 22 | 23 | int _DkVirtualMemoryFree(void* addr, uint64_t size) { 24 | return -PAL_ERROR_NOTIMPLEMENTED; 25 | } 26 | 27 | int _DkVirtualMemoryProtect(void* addr, uint64_t size, int prot) { 28 | return -PAL_ERROR_NOTIMPLEMENTED; 29 | } 30 | 31 | unsigned long _DkMemoryQuota(void) { 32 | return 0; 33 | } 34 | 35 | unsigned long _DkMemoryAvailableQuota(void) { 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /Scripts/run-pytest: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | # A wrapper for running pytest, either manually or through a Makefile. 6 | # Usage: 7 | # PAL_HOST=Linux .../run-pytest 8 | # PAL_HOST=Linux-SGX .../run-pytest 9 | # SGX=1 .../run-pytest 10 | 11 | PROJECT_ROOT=$(realpath "$(dirname "$0")/..") 12 | 13 | # Determine PAL_HOST if we're not being run from inside Makefile. 14 | if [[ "$PAL_HOST" == "" ]]; then 15 | if [[ "$SGX" == "1" ]]; then 16 | export PAL_HOST="Linux-SGX" 17 | else 18 | export PAL_HOST="Linux" 19 | fi 20 | echo "Running pytest for PAL_HOST = $PAL_HOST" 21 | fi 22 | 23 | # Add path to regression.py common library. 24 | export PYTHONPATH="$PROJECT_ROOT/Scripts:$PYTHONPATH" 25 | 26 | # Environment variables needed by regression.py 27 | export PAL_LOADER="$PROJECT_ROOT/Runtime/pal-$PAL_HOST" 28 | export LIBPAL_PATH="$PROJECT_ROOT/Runtime/libpal-$PAL_HOST.so" 29 | export HOST_PAL_PATH="$PROJECT_ROOT/Pal/src/host/$PAL_HOST" 30 | 31 | exec python3 -m pytest "$@" 32 | -------------------------------------------------------------------------------- /Documentation/devel/setup.rst: -------------------------------------------------------------------------------- 1 | Development setup 2 | ================= 3 | 4 | For contributors, we strongly suggest using the following configuration 5 | according to your editors. 6 | 7 | Emacs configuration 8 | ------------------- 9 | 10 | No change needed. See :file:`.dir-locals.el`. 11 | 12 | Vim configuration 13 | ----------------- 14 | 15 | Please add the following script to the end of your :file:`~/.vimrc`, 16 | or place in :file:`~/.vim/after/ftplugin/c.vim` if you have other plugins. 17 | 18 | .. code-block:: vim 19 | 20 | let dirname = expand('%:p:h') 21 | let giturl = system('cd '.dirname.'; git config --get remote.origin.url 2>/dev/null') 22 | if giturl =~ 'oscarlab/graphene' 23 | set textwidth=100 tabstop=4 softtabstop=4 shiftwidth=4 expandtab 24 | endif 25 | 26 | au BufRead,BufNewFile *.rst imap \|~\| 27 | au BufRead,BufNewFile *.rst set textwidth=80 28 | 29 | .. warning:: 30 | 31 | Due to security concerns, we do not suggest using Vim modelines or 32 | :file:`.exrc`. 33 | -------------------------------------------------------------------------------- /Examples/capnproto/README: -------------------------------------------------------------------------------- 1 | # Cap'n Proto and Addressbook example 2 | 3 | This directory contains the Makefile and the template manifest for the Addressbook example of the 4 | Cap'n Proto protocol. Addressbook is the sample application that uses Cap'n Proto from the official 5 | documentation (copied from the official GitHub repo, v0.7.0). We use the preinstalled libcapnp 6 | library on the host OS instead of downloading the sources, building, and linking Addressbook against 7 | the built library (which is possible but would require more effort). This was tested on machines 8 | with SGX v1 and Ubuntu 16.04/18.04. 9 | 10 | Please install the following prerequisites: `sudo apt install -y libcapnp-dev capnproto`. 11 | 12 | # Quick Start 13 | 14 | ```sh 15 | # build Addressbook and the final manifest 16 | make SGX=1 17 | 18 | # run original Addressbook 19 | ./addressbook write 20 | 21 | # run Addressbook in non-SGX Graphene 22 | ./pal_loader addressbook write 23 | 24 | # run Addressbook in Graphene-SGX 25 | SGX=1 ./pal_loader addressbook write 26 | ``` 27 | -------------------------------------------------------------------------------- /Pal/regression/Yield.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_debug.h" 3 | 4 | PAL_HANDLE parent_thread, child_thread; 5 | 6 | static int child(void* args) { 7 | int i; 8 | pal_printf("Enter Child Thread\n"); 9 | 10 | for (i = 0; i < 100; i++) { 11 | DkThreadDelayExecution(3000); 12 | DkThreadResume(parent_thread); 13 | pal_printf("parent yielded\n"); 14 | } 15 | 16 | pal_printf("Leave Child Thread\n"); 17 | return 0; 18 | } 19 | 20 | int main(void) { 21 | int i; 22 | pal_printf("Enter Parent Thread\n"); 23 | 24 | parent_thread = pal_control.first_thread; 25 | child_thread = DkThreadCreate(&child, NULL); 26 | 27 | if (child_thread == NULL) { 28 | pal_printf("DkThreadCreate failed\n"); 29 | return -1; 30 | } 31 | 32 | for (i = 0; i < 100; i++) { 33 | DkThreadDelayExecution(3000); 34 | DkThreadResume(child_thread); 35 | pal_printf("child yielded\n"); 36 | } 37 | 38 | pal_printf("Leave Parent Thread\n"); 39 | return 0; 40 | } 41 | -------------------------------------------------------------------------------- /Pal/src/host/Skeleton/db_object.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This file contains APIs for closing or polling PAL handles. 6 | */ 7 | 8 | #include "api.h" 9 | #include "pal.h" 10 | #include "pal_debug.h" 11 | #include "pal_defs.h" 12 | #include "pal_error.h" 13 | #include "pal_internal.h" 14 | 15 | /* Wait on a synchronization handle and return 0 if this handle's event was triggered 16 | * or error code otherwise (e.g., due to timeout). */ 17 | int _DkSynchronizationObjectWait(PAL_HANDLE handle, int64_t timeout_us) { 18 | return -PAL_ERROR_NOTIMPLEMENTED; 19 | } 20 | 21 | /* Wait for specific events on all handles in the handle array and return multiple events 22 | * (including errors) reported by the host. Return 0 on success, PAL error on failure. */ 23 | int _DkStreamsWaitEvents(size_t count, PAL_HANDLE* handle_array, PAL_FLG* events, 24 | PAL_FLG* ret_events, int64_t timeout_us) { 25 | return -PAL_ERROR_NOTIMPLEMENTED; 26 | } 27 | -------------------------------------------------------------------------------- /Examples/common_tools/get_deps.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # SPDX-License-Identifier: LGPL-3.0-or-later */ 3 | # Copyright (C) 2020 Intel Corporation 4 | # Michał Kowalczyk 5 | 6 | set -eu -o pipefail 7 | 8 | # Arguments: binaries for which to generate manifest trusted files list. 9 | 10 | # Be careful: We have to skip vdso, which doesn't have a corresponding file on the disk (we assume 11 | # that such files have paths starting with '/', seems ldd aways prints absolute paths). Also, old 12 | # ldd (from Ubuntu 16.04) prints vdso differently than newer ones: 13 | # old: 14 | # linux-vdso.so.1 => (0x00007ffd31fee000) 15 | # new: 16 | # linux-vdso.so.1 (0x00007ffd31fee000) 17 | DEPS=$(ldd "$@" \ 18 | | awk '{ 19 | if ($2 == "=>" && $3 ~ /^\/.*$/) { 20 | print $3 21 | } else if ($1 ~ /^\/.*$/ && $2 ~ /^\(.+\)$/) { 22 | print $1 23 | } 24 | }' \ 25 | | sort | uniq) 26 | 27 | for DEP in $DEPS; do 28 | # generate Graphene manifest line 29 | echo "sgx.trusted_files.\"$DEP\" = \"file:$DEP\"" 30 | done 31 | -------------------------------------------------------------------------------- /Pal/include/arch/x86_64/pal_internal-arch.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Intel Corporation 3 | * Borys Popławski 4 | */ 5 | 6 | #ifndef PAL_INTERNAL_ARCH_H_ 7 | #define PAL_INTERNAL_ARCH_H_ 8 | 9 | #include "assert.h" 10 | 11 | #define ARCH_PROBE_STACK(size, page_size) \ 12 | assert(size / page_size > 0); \ 13 | __asm__ volatile( \ 14 | "mov %%rsp, %%rdx\n" \ 15 | "1:\n" \ 16 | "sub %0, %%rsp\n" \ 17 | "orq $0, (%%rsp)\n" \ 18 | "loop 1b\n" \ 19 | "mov %%rdx, %%rsp\n" \ 20 | : \ 21 | : "ri"(page_size), "c"(size / page_size) \ 22 | : "memory", "cc", "rdx" \ 23 | ) 24 | 25 | #endif // PAL_INTERNAL_ARCH_H_ 26 | -------------------------------------------------------------------------------- /Documentation/manpages/is_sgx_available.rst: -------------------------------------------------------------------------------- 1 | .. program:: is_sgx_available 2 | 3 | ====================================================================== 4 | :program:`is_sgx_available` -- Check environment for SGX compatibility 5 | ====================================================================== 6 | 7 | Synopsis 8 | ======== 9 | 10 | :command:`is_sgx_available` [--quiet] 11 | 12 | Description 13 | =========== 14 | 15 | `is_sgx_available` checks the CPU and operating system for :term:`SGX` 16 | compatibility. A detailed report is printed unless suppressed by the 17 | :option:`--quiet` option. 18 | 19 | Command line arguments 20 | ====================== 21 | 22 | .. option:: --quiet 23 | 24 | Suppress displaying detailed report. See exit status for the result. 25 | 26 | Exit status 27 | =========== 28 | 29 | 0 30 | SGX version 1 is available and ready 31 | 32 | 1 33 | No CPU cupport 34 | 35 | 2 36 | No BIOS support 37 | 38 | 3 39 | SGX Platform Software (:term:`PSW`) is not installed 40 | 41 | 4 42 | The ``aesmd`` :term:`PSW` daemon is not running 43 | -------------------------------------------------------------------------------- /meson.build: -------------------------------------------------------------------------------- 1 | project( 2 | 'graphene', 'c', 3 | version: '1.0', 4 | license: 'LGPLv3+', 5 | 6 | # DISTRO EOL meson_version 7 | # xenial 2021.04 0.29 8 | # xenial-backports 2021.04 0.40 9 | # bionic 2023.04 0.45 10 | # buster 2022 0.49 11 | # buster-backports 2022 0.52 12 | # focal 2025.04 0.53 13 | # 14 | # https://wiki.ubuntu.com/Releases 15 | # https://wiki.debian.org/DebianReleases#Production_Releases 16 | meson_version: '>=0.45', 17 | ) 18 | 19 | prefix = get_option('prefix') 20 | pkglibexecdir = join_paths(get_option('libexecdir'), meson.project_name()) 21 | pkgdatadir = join_paths(get_option('datadir'), meson.project_name()) 22 | 23 | direct = get_option('direct') == 'enabled' 24 | sgx = get_option('sgx') == 'enabled' 25 | 26 | # TODO: after deprecating 18.04/bionic, update this to import('python') 27 | python3mod = import('python3') 28 | python3 = python3mod.find_python() 29 | 30 | subdir('Runtime') 31 | subdir('python') 32 | -------------------------------------------------------------------------------- /LibOS/shim/test/fs/truncate.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | static void file_truncate(const char* file_path_1, const char* file_path_2, size_t size) { 4 | if (truncate(file_path_1, size) != 0) 5 | fatal_error("Failed to truncate file %s to %zu: %s\n", file_path_1, size, strerror(errno)); 6 | printf("truncate(%s) to %zu OK\n", file_path_1, size); 7 | 8 | int fd = open_output_fd(file_path_2, /*rdwr=*/false); 9 | printf("open(%s) output OK\n", file_path_2); 10 | 11 | if (ftruncate(fd, size) != 0) 12 | fatal_error("Failed to ftruncate file %s to %zu: %s\n", file_path_2, size, strerror(errno)); 13 | printf("ftruncate(%s) to %zu OK\n", file_path_2, size); 14 | 15 | close_fd(file_path_2, fd); 16 | printf("close(%s) output OK\n", file_path_2); 17 | } 18 | 19 | int main(int argc, char* argv[]) { 20 | if (argc < 4) 21 | fatal_error("Usage: %s \n", argv[0]); 22 | 23 | setup(); 24 | size_t size = strtoul(argv[3], NULL, 10); 25 | file_truncate(argv[1], argv[2], size); 26 | 27 | return 0; 28 | } 29 | -------------------------------------------------------------------------------- /Documentation/glossary.rst: -------------------------------------------------------------------------------- 1 | Glossary 2 | ======== 3 | 4 | .. keep this file sorted lexicographically 5 | 6 | .. glossary:: 7 | 8 | PAL 9 | Platform Adaptation Layer 10 | 11 | PAL is the layer of Graphene that implements a narrow Drawbridge-like ABI 12 | interface (with function names starting with the `Dk` prefix) 13 | 14 | .. seealso:: 15 | 16 | https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/asplos2011-drawbridge.pdf 17 | 18 | Whenever Graphene requires a service from the host platform (memory 19 | allocation, thread management and synchronization, file system and network 20 | stacks, etc.), it calls the corresponding PAL functionality. The PAL ABI 21 | is host-platform agnostic and is backed by the host-platform specific PAL, 22 | for example, the Linux-SGX PAL. 23 | 24 | SGX 25 | Software Guard Extensions is a set of instructions on Intel processors for 26 | creating Trusted Execution Environments (:term:`TEE`). See 27 | :doc:`/sgx-intro`. 28 | 29 | Thread Control Block 30 | 31 | .. todo:: TBD 32 | -------------------------------------------------------------------------------- /LibOS/shim/include/shim_defs.h: -------------------------------------------------------------------------------- 1 | #ifndef _SHIM_DEFS_H_ 2 | #define _SHIM_DEFS_H_ 3 | 4 | #include "shim_syscalls.h" 5 | 6 | /* Names and values are taken from the Linux kernel. */ 7 | #define ERESTARTSYS 512 /* Usual case - restart if SA_RESTART is set. */ 8 | #define ERESTARTNOINTR 513 /* Always restart. */ 9 | #define ERESTARTNOHAND 514 /* Restart if no signal handler. */ 10 | 11 | /* Internal LibOS stack size: 3 pages + one guard page. */ 12 | #define SHIM_THREAD_LIBOS_STACK_SIZE (3 * PAGE_SIZE + PAGE_SIZE) 13 | 14 | #define DEFAULT_BRK_MAX_SIZE (256 * 1024) /* 256KB */ 15 | #define DEFAULT_SYS_STACK_SIZE (256 * 1024) /* 256KB */ 16 | 17 | #define CP_INIT_VMA_SIZE (64 * 1024 * 1024) /* 64MB */ 18 | 19 | /* debug message printout */ 20 | #define DEBUGBUF_SIZE 256 21 | #define DEBUGBUF_BREAK 0 22 | 23 | #define DEFAULT_VMA_COUNT 64 24 | 25 | /* ELF aux vectors */ 26 | #define REQUIRED_ELF_AUXV 8 /* number of LibOS-supported vectors */ 27 | #define REQUIRED_ELF_AUXV_SPACE 16 /* extra memory space (in bytes) */ 28 | #define LIBOS_SYSCALL_BOUND __NR_syscalls 29 | 30 | #endif /* _SHIM_DEFS_H_ */ 31 | -------------------------------------------------------------------------------- /Pal/src/host/Skeleton/db_mutex.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | #include "api.h" 5 | #include "pal.h" 6 | #include "pal_defs.h" 7 | #include "pal_error.h" 8 | #include "pal_internal.h" 9 | 10 | int _DkMutexCreate(PAL_HANDLE* handle, int initialCount) { 11 | return -PAL_ERROR_NOTIMPLEMENTED; 12 | } 13 | 14 | int _DkMutexLockTimeout(struct mutex_handle* m, int64_t timeout_us) { 15 | return -PAL_ERROR_NOTIMPLEMENTED; 16 | } 17 | 18 | int _DkMutexLock(struct mutex_handle* m) { 19 | return -PAL_ERROR_NOTIMPLEMENTED; 20 | } 21 | 22 | int _DkMutexAcquireTimeout(PAL_HANDLE handle, int64_t timeout_us) { 23 | return -PAL_ERROR_NOTIMPLEMENTED; 24 | } 25 | 26 | int _DkMutexUnlock(struct mutex_handle* m) { 27 | return -PAL_ERROR_NOTIMPLEMENTED; 28 | } 29 | 30 | void _DkMutexRelease(PAL_HANDLE handle) { 31 | /* Not implemented yet */ 32 | } 33 | 34 | static int mutex_wait(PAL_HANDLE handle, int64_t timeout_us) { 35 | return -PAL_ERROR_NOTIMPLEMENTED; 36 | } 37 | 38 | struct handle_ops g_mutex_ops = { 39 | .wait = &mutex_wait, 40 | }; 41 | -------------------------------------------------------------------------------- /LibOS/glibc-patches/hp-timing-2.27.patch: -------------------------------------------------------------------------------- 1 | diff --git a/sysdeps/x86_64/hp-timing.h b/sysdeps/x86_64/hp-timing.h 2 | index ec543bef03b6c2d138c28c2ffd813c6649f7b9e8..1b84ecfe9540f4d3ff1f6c62928ecb64ed71c4be 100644 3 | --- a/sysdeps/x86_64/hp-timing.h 4 | +++ b/sysdeps/x86_64/hp-timing.h 5 | @@ -17,24 +17,7 @@ 6 | . */ 7 | 8 | #ifndef _HP_TIMING_H 9 | -#define _HP_TIMING_H 1 10 | 11 | -/* We always assume having the timestamp register. */ 12 | -#define HP_TIMING_AVAIL (1) 13 | -#define HP_SMALL_TIMING_AVAIL (1) 14 | - 15 | -/* We indeed have inlined functions. */ 16 | -#define HP_TIMING_INLINE (1) 17 | - 18 | -/* We use 64bit values for the times. */ 19 | -typedef unsigned long long int hp_timing_t; 20 | - 21 | -/* The "=A" constraint used in 32-bit mode does not work in 64-bit mode. */ 22 | -#define HP_TIMING_NOW(Var) \ 23 | - ({ unsigned int _hi, _lo; \ 24 | - asm volatile ("rdtsc" : "=a" (_lo), "=d" (_hi)); \ 25 | - (Var) = ((unsigned long long int) _hi << 32) | _lo; }) 26 | - 27 | -#include 28 | +#include 29 | 30 | #endif /* hp-timing.h */ 31 | -------------------------------------------------------------------------------- /LibOS/shim/test/ltp/contrib/conf_missing.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # SPDX-License-Identifier: LGPL-3.0-or-later 3 | # Copyright (C) 2019 Wojtek Porczyk 4 | 5 | import argparse 6 | import configparser 7 | 8 | argparser = argparse.ArgumentParser() 9 | argparser.add_argument('--config', '-c', metavar='FILENAME', 10 | type=argparse.FileType('r'), 11 | help='location of ltp.cfg file') 12 | argparser.add_argument('file', metavar='FILENAME', 13 | type=argparse.FileType('r'), nargs='?', default='-', 14 | help='LTP scenario file') 15 | 16 | def main(args=None): 17 | args = argparser.parse_args(args) 18 | config = configparser.ConfigParser() 19 | config.read_file(args.config) 20 | 21 | with args.file: 22 | for line in args.file: 23 | line = line.strip() 24 | if not line or line[0] == '#': 25 | continue 26 | 27 | tag, cmd = line.split(maxsplit=1) 28 | if not tag in config and not any(c in cmd for c in '|;&'): 29 | print(f'[{tag}]\nmust-pass =\n') 30 | 31 | if __name__ == '__main__': 32 | main() 33 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/pipe_nonblocking.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | int main(void) { 9 | int p[2]; 10 | 11 | if (pipe2(p, O_NONBLOCK | O_CLOEXEC) < 0) { 12 | err(1, "pipe2"); 13 | } 14 | 15 | ssize_t ret = write(p[1], "a", 1); 16 | if (ret < 0) { 17 | err(1, "write"); 18 | } else if (ret != 1) { 19 | errx(1, "invalid return value from write: %zd\n", ret); 20 | } 21 | 22 | char c; 23 | ret = read(p[0], &c, 1); 24 | if (ret < 0) { 25 | err(1, "read"); 26 | } else if (ret != 1) { 27 | errx(1, "invalid return value from read: %zd\n", ret); 28 | } 29 | 30 | ret = read(p[0], &c, 1); 31 | if (ret > 0) { 32 | errx(1, "read returned unexpected data: %zd\n", ret); 33 | } else if (ret == 0) { 34 | errx(1, "read returned 0 instead of EAGAIN\n"); 35 | } else if (errno != EAGAIN && errno != EWOULDBLOCK) { 36 | err(1, "unexpected read failure"); 37 | } 38 | 39 | puts("TEST OK"); 40 | return 0; 41 | } 42 | -------------------------------------------------------------------------------- /Pal/src/host/Skeleton/Makefile: -------------------------------------------------------------------------------- 1 | include ../../../../Scripts/Makefile.configs 2 | include Makefile.am 3 | 4 | CFLAGS += \ 5 | -I. \ 6 | -I../.. \ 7 | -I../../../include \ 8 | -I../../../include/arch/$(ARCH) \ 9 | -I../../../include/arch/$(ARCH)/$(PAL_HOST) \ 10 | -I../../../include/host/Skeleton \ 11 | -I../../../include/lib \ 12 | -I../../../include/pal 13 | 14 | ASFLAGS += \ 15 | -I. \ 16 | -I../.. \ 17 | -I../../../include 18 | 19 | host_files = libpal-Skeleton.a pal.map 20 | 21 | defs = -DIN_PAL 22 | CFLAGS += $(defs) 23 | ASFLAGS += $(defs) 24 | objs = $(addprefix db_,files devices pipes eventfd sockets streams memory threading \ 25 | mutex events process object main rtld misc exception) 26 | 27 | .PHONY: all 28 | all: $(host_files) 29 | 30 | libpal-Skeleton.a: $(addsuffix .o,$(objs)) 31 | $(call cmd,ar_a_o) 32 | 33 | %.o: %.c 34 | $(call cmd,cc_o_c) 35 | 36 | %.o: %.S 37 | $(call cmd,as_o_S) 38 | 39 | include ../../../../Scripts/Makefile.rules 40 | 41 | .PHONY: clean 42 | clean: 43 | $(RM) $(addsuffix .o,$(objs)) $(addsuffix .d,$(objs)) $(host_files) $(pal_lib) 44 | 45 | .PHONY: distclean 46 | distclean: clean 47 | -------------------------------------------------------------------------------- /LibOS/shim/src/sys/shim_getrandom.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Intel Corporation 3 | * Michał Kowalczyk 4 | */ 5 | 6 | #include 7 | #include 8 | 9 | #include "shim_internal.h" 10 | #include "shim_table.h" 11 | 12 | long shim_do_getrandom(char* buf, size_t count, unsigned int flags) { 13 | if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE)) 14 | return -EINVAL; 15 | 16 | if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM)) 17 | return -EINVAL; 18 | 19 | /* Weird, but that's what kernel does */ 20 | if (count > INT_MAX) 21 | count = INT_MAX; 22 | 23 | if (test_user_memory(buf, count, /*write=*/true)) 24 | return -EFAULT; 25 | 26 | /* In theory, DkRandomBitsRead may block on some PALs (which conflicts with GRND_NONBLOCK flag), 27 | * but this shouldn't be possible in practice, so we don't care. 28 | */ 29 | int ret = DkRandomBitsRead(buf, count); 30 | if (ret < 0) 31 | return -EINVAL; 32 | 33 | return count; 34 | } 35 | -------------------------------------------------------------------------------- /Pal/src/host/Skeleton/db_events.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This file contains implementation of Drawbridge event synchronization APIs. 6 | */ 7 | 8 | #include "api.h" 9 | #include "pal.h" 10 | #include "pal_defs.h" 11 | #include "pal_error.h" 12 | #include "pal_internal.h" 13 | 14 | int _DkEventCreate(PAL_HANDLE* event, bool initialState, bool isnotification) { 15 | return -PAL_ERROR_NOTIMPLEMENTED; 16 | } 17 | 18 | int _DkEventSet(PAL_HANDLE event, int wakeup) { 19 | return -PAL_ERROR_NOTIMPLEMENTED; 20 | } 21 | 22 | int _DkEventWaitTimeout(PAL_HANDLE event, int64_t timeout_us) { 23 | return -PAL_ERROR_NOTIMPLEMENTED; 24 | } 25 | 26 | int _DkEventClear(PAL_HANDLE event) { 27 | return -PAL_ERROR_NOTIMPLEMENTED; 28 | } 29 | 30 | static int event_close(PAL_HANDLE handle) { 31 | return -PAL_ERROR_NOTIMPLEMENTED; 32 | } 33 | 34 | static int event_wait(PAL_HANDLE handle, int64_t timeout_us) { 35 | return -PAL_ERROR_NOTIMPLEMENTED; 36 | } 37 | 38 | struct handle_ops g_event_ops = { 39 | .close = &event_close, 40 | .wait = &event_wait, 41 | }; 42 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/stat_invalid_args.c: -------------------------------------------------------------------------------- 1 | #define _XOPEN_SOURCE 700 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | int main(int argc, char** argv) { 10 | int r; 11 | struct stat buf; 12 | 13 | char* goodpath = argv[0]; 14 | char* badpath = (void*)-1; 15 | 16 | struct stat* goodbuf = &buf; 17 | struct stat* badbuf = (void*)-1; 18 | 19 | /* check stat() */ 20 | r = stat(badpath, goodbuf); 21 | if (r == -1 && errno == EFAULT) 22 | printf("stat(invalid-path-ptr) correctly returned error\n"); 23 | 24 | r = stat(goodpath, badbuf); 25 | if (r == -1 && errno == EFAULT) 26 | printf("stat(invalid-buf-ptr) correctly returned error\n"); 27 | 28 | /* check lstat() */ 29 | r = lstat(badpath, goodbuf); 30 | if (r == -1 && errno == EFAULT) 31 | printf("lstat(invalid-path-ptr) correctly returned error\n"); 32 | 33 | r = lstat(goodpath, badbuf); 34 | if (r == -1 && errno == EFAULT) 35 | printf("lstat(invalid-buf-ptr) correctly returned error\n"); 36 | 37 | return 0; 38 | } 39 | -------------------------------------------------------------------------------- /Examples/nodejs-express-server/README.md: -------------------------------------------------------------------------------- 1 | # Running Node.js express server with Graphene SGX 2 | 3 | This is a Node.js application, runs an express server, listening on a given port. 4 | 5 | ## Environment 6 | 7 | This application was tested with Node.js version 8. 8 | 9 | ## Prerequisites 10 | 11 | This project requires Node.js to be installed. 12 | See https://nodejs.org/ for more details on how to install Node.js. 13 | 14 | Run `npm install`, which installs all dependencies and modules needed for this application. See 15 | `package.json` for more details on Node.js dependencies needed for this project. At this point, the 16 | application itself can be executed without Graphene by running `node helloworld.js`. 17 | 18 | ## Steps to run without SGX 19 | 20 | 1. Run `make`. 21 | 2. Run `./pal_loader nodejs helloworld.js 3000`. 22 | 3. The expected output should be the following: `Example app listening on port 3000!` 23 | 24 | ## Steps to run with SGX 25 | 26 | 1. Run `make SGX=1` in order to build the application using SGX. 27 | 2. Run `./pal_loader SGX nodejs helloworld.js 3000` 28 | 3. The expected output should be the following: `Example app listening on port 3000!` 29 | -------------------------------------------------------------------------------- /tests/benchmarks/basic.py: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-3.0-or-later 2 | # Copyright (c) 2020 Intel Corporation 3 | # Wojtek Porczyk 4 | # 5 | 6 | from . import Exec 7 | 8 | # pylint: disable=invalid-name 9 | 10 | class HelloWorld: 11 | # pylint: disable=no-self-use 12 | 13 | helloworld = Exec('helloworld', manifest_template='basic.manifest.template') 14 | setup = helloworld.setup 15 | 16 | def time_graphene_nosgx(self): 17 | self.helloworld.run_in_graphene(sgx=False) 18 | 19 | def time_graphene_sgx(self): 20 | self.helloworld.run_in_graphene(sgx=True) 21 | 22 | class WritePages: 23 | # pylint: disable=no-self-use 24 | 25 | write_pages = Exec('write_pages', manifest_template='basic.manifest.template') 26 | params = [10000, 100000, 1000000, 10000000] 27 | param_names = ['pagecount'] 28 | setup = write_pages.setup 29 | 30 | def time_graphene_nosgx(self, pagecount): 31 | self.write_pages.run_in_graphene(str(pagecount), sgx=False) 32 | 33 | def time_graphene_sgx(self, pagecount): 34 | self.write_pages.run_in_graphene(str(pagecount), sgx=True) 35 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/poll.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main(void) { 8 | int ret; 9 | int fd[2]; 10 | char string[] = "Hello, world!\n"; 11 | 12 | ret = pipe(fd); 13 | if (ret < 0) { 14 | perror("pipe creation failed"); 15 | return 1; 16 | } 17 | 18 | struct pollfd outfds[] = { 19 | {.fd = fd[1], .events = POLLOUT}, 20 | }; 21 | ret = poll(outfds, 1, -1); 22 | if (ret <= 0) { 23 | perror("poll with POLLOUT failed"); 24 | return 1; 25 | } 26 | printf("poll(POLLOUT) returned %d file descriptors\n", ret); 27 | 28 | struct pollfd infds[] = { 29 | {.fd = fd[0], .events = POLLIN}, 30 | }; 31 | size_t len = strlen(string) + 1; 32 | if (write(fd[1], string, len) != len) { 33 | perror("write error"); 34 | return 1; 35 | } 36 | ret = poll(infds, 1, -1); 37 | if (ret <= 0) { 38 | perror("poll with POLLIN failed"); 39 | return 1; 40 | } 41 | printf("poll(POLLIN) returned %d file descriptors\n", ret); 42 | 43 | return 0; 44 | } 45 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/bootstrap.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main(int argc, const char** argv, const char** envp) { 6 | printf("User Program Started\n"); 7 | 8 | printf("# of arguments: %d\n", argc); 9 | 10 | for (int i = 0; i < argc; i++) { 11 | printf("argv[%d] = %s\n", i, argv[i]); 12 | } 13 | 14 | puts(""); 15 | size_t envs_cnt = 0; 16 | for (size_t i = 0; envp[i]; i++) 17 | envs_cnt++; 18 | printf("# of envs: %zu\n", envs_cnt); 19 | for (size_t i = 0; envp[i]; i++) { 20 | printf("envp[%zu] = %s\n", i, envp[i]); 21 | } 22 | 23 | /* Make sure argv strings follow the compact encoding where (1) all strings 24 | are located adjacently and (2) in increasing order. */ 25 | size_t sum_len = 0; 26 | for (int i = 0; i < argc; i++) { 27 | sum_len += strlen(argv[i]) + 1; 28 | } 29 | 30 | size_t chunk_len = argv[argc - 1] + strlen(argv[argc - 1]) - argv[0]; 31 | if (sum_len != chunk_len + 1) { 32 | printf("argv strings are not adjacent or not in increasing order\n"); 33 | return 1; 34 | } 35 | 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/enclave_platform.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2019, Texas A&M University */ 3 | 4 | #include "pal_internal.h" 5 | #include "pal_linux.h" 6 | #include "pal_linux_error.h" 7 | #include "pal_security.h" 8 | 9 | int sgx_get_quote(const sgx_spid_t* spid, const sgx_quote_nonce_t* nonce, 10 | const sgx_report_data_t* report_data, bool linkable, char** quote, 11 | size_t* quote_len) { 12 | /* must align all arguments to sgx_report() so that EREPORT doesn't complain */ 13 | __sgx_mem_aligned sgx_report_t report; 14 | __sgx_mem_aligned sgx_target_info_t targetinfo = g_pal_sec.qe_targetinfo; 15 | __sgx_mem_aligned sgx_report_data_t _report_data = *report_data; 16 | 17 | int ret = sgx_report(&targetinfo, &_report_data, &report); 18 | if (ret) { 19 | log_error("Failed to get enclave report\n"); 20 | return -PAL_ERROR_DENIED; 21 | } 22 | 23 | ret = ocall_get_quote(spid, linkable, &report, nonce, quote, quote_len); 24 | if (ret < 0) { 25 | log_error("Failed to get quote\n"); 26 | return unix_to_pal_error(ERRNO(ret)); 27 | } 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /Tools/gsc/images/graphene_aks.latest.dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 AS graphene 2 | 3 | RUN env DEBIAN_FRONTEND=noninteractive apt-get update \ 4 | && env DEBIAN_FRONTEND=noninteractive apt-get install -y \ 5 | autoconf \ 6 | bison \ 7 | build-essential \ 8 | coreutils \ 9 | gawk \ 10 | git \ 11 | libcurl4-openssl-dev \ 12 | libprotobuf-c-dev \ 13 | protobuf-c-compiler \ 14 | python3-protobuf \ 15 | wget 16 | 17 | RUN git clone https://github.com/oscarlab/graphene.git /graphene 18 | 19 | RUN cd /graphene \ 20 | && git fetch origin master \ 21 | && git checkout master 22 | 23 | RUN cd /graphene/Pal/src/host/Linux-SGX \ 24 | && git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git linux-sgx-driver \ 25 | && cd linux-sgx-driver \ 26 | && git checkout DCAP_1.7 && cp -r driver/linux/* . 27 | 28 | RUN cd /graphene \ 29 | && ISGX_DRIVER_PATH=/graphene/Pal/src/host/Linux-SGX/linux-sgx-driver \ 30 | make -s -j WERROR=1 SGX=1 31 | 32 | 33 | 34 | # Translate runtime symlinks to files 35 | RUN for f in $(find /graphene/Runtime -type l); do cp --remove-destination $(realpath $f) $f; done 36 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/sighandler_reset.c: -------------------------------------------------------------------------------- 1 | #define _XOPEN_SOURCE 700 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | static int count = 0; 10 | 11 | static void handler(int signum) { 12 | printf("Got signal %d\n", signum); 13 | fflush(stdout); 14 | count++; 15 | } 16 | 17 | int main() { 18 | 19 | struct sigaction action; 20 | action.sa_handler = handler; 21 | action.sa_flags = SA_RESETHAND; // one shot 22 | 23 | int ret = sigaction(SIGCHLD, &action, NULL); 24 | if (ret < 0) { 25 | fprintf(stderr, "sigaction failed\n"); 26 | return 1; 27 | } 28 | 29 | int pid = fork(); 30 | if (pid < 0) { 31 | fprintf(stderr, "fork failed\n"); 32 | return 1; 33 | } 34 | 35 | if (pid == 0) { 36 | /* child signals parent -- only 1 must go through */ 37 | kill(getppid(), SIGCHLD); 38 | kill(getppid(), SIGCHLD); 39 | exit(0); 40 | } 41 | 42 | wait(NULL); 43 | 44 | printf("Handler was invoked %d time(s).\n", count); 45 | 46 | if (count != 1) 47 | return 1; 48 | 49 | return 0; 50 | } 51 | -------------------------------------------------------------------------------- /Tools/gsc/templates/entrypoint.manifest.template: -------------------------------------------------------------------------------- 1 | libos.entrypoint = "file:/{{binary}}" 2 | loader.preload = "file:/graphene/Runtime/libsysdb.so" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/graphene/Runtime:{{"{{library_paths}}"}}" 5 | loader.env.PATH = "{{"{{env_path}}"}}" 6 | loader.log_level = {% if debug %} "debug" {% else %} "error" {% endif %} 7 | 8 | fs.root.type = "chroot" 9 | fs.root.path = "/" 10 | fs.root.uri = "file:/" 11 | 12 | # Graphene's default working dir is '/', so change the working directory to the desired one 13 | fs.start_dir = "{{working_dir}}" 14 | 15 | sgx.nonpie_binary = 1 16 | 17 | {% if insecure_args %} 18 | # !! INSECURE !! Allow passing command-line arguments from the host without validation. 19 | # Most Docker images rely on runtime arguments and hence, a more general technique is required. 20 | # The issue is documented at https://github.com/oscarlab/graphene/issues/1520. 21 | loader.arg0_override = "{{binary}}" 22 | loader.insecure__use_cmdline_argv = 1 23 | {% else %} 24 | loader.argv_src_file = "file:/trusted_argv" 25 | sgx.trusted_files.trusted_argv = "file:/trusted_argv" 26 | {% endif %} 27 | 28 | # All trusted files and the user defined manifest specifications should be after this line 29 | -------------------------------------------------------------------------------- /Pal/src/pal-symbols: -------------------------------------------------------------------------------- 1 | DkVirtualMemoryAlloc 2 | DkVirtualMemoryFree 3 | DkVirtualMemoryProtect 4 | DkThreadCreate 5 | DkThreadDelayExecution 6 | DkThreadYieldExecution 7 | DkThreadExit 8 | DkThreadResume 9 | DkThreadSetCpuAffinity 10 | DkThreadGetCpuAffinity 11 | DkMutexCreate 12 | DkNotificationEventCreate 13 | DkSynchronizationEventCreate 14 | DkMutexRelease 15 | DkEventSet 16 | DkEventClear 17 | DkSynchronizationObjectWait 18 | DkStreamsWaitEvents 19 | DkStreamOpen 20 | DkStreamRead 21 | DkStreamWrite 22 | DkStreamMap 23 | DkStreamUnmap 24 | DkStreamSetLength 25 | DkStreamFlush 26 | DkStreamDelete 27 | DkSendHandle 28 | DkReceiveHandle 29 | DkStreamWaitForClient 30 | DkStreamGetName 31 | DkStreamAttributesQueryByHandle 32 | DkStreamAttributesQuery 33 | DkProcessCreate 34 | DkProcessExit 35 | DkSystemTimeQuery 36 | DkRandomBitsRead 37 | DkCpuIdRetrieve 38 | DkObjectClose 39 | DkSetExceptionHandler 40 | DkSegmentRegisterGet 41 | DkSegmentRegisterSet 42 | DkStreamChangeName 43 | DkStreamAttributesSetByHandle 44 | DkMemoryAvailableQuota 45 | DkDebugMapAdd 46 | DkDebugMapRemove 47 | DkAttestationReport 48 | DkAttestationQuote 49 | DkSetProtectedFilesKey 50 | DkDebugLog 51 | pal_printf 52 | pal_control_addr 53 | pal_strerror 54 | warn 55 | -------------------------------------------------------------------------------- /Pal/src/db_process.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This source file contains functions to create a child process and terminate the running process. 6 | * Child does not inherit any objects or memory from its parent process. A parent process may not 7 | * modify the execution of its children. It can wait for a child to exit using its handle. Also, 8 | * parent and child may communicate through I/O streams provided by the parent to the child at 9 | * creation. 10 | */ 11 | 12 | #include "api.h" 13 | #include "pal.h" 14 | #include "pal_debug.h" 15 | #include "pal_defs.h" 16 | #include "pal_error.h" 17 | #include "pal_internal.h" 18 | 19 | PAL_HANDLE DkProcessCreate(PAL_STR exec_uri, PAL_STR* args) { 20 | assert(exec_uri); 21 | 22 | PAL_HANDLE handle = NULL; 23 | int ret = _DkProcessCreate(&handle, exec_uri, args); 24 | 25 | if (ret < 0) { 26 | _DkRaiseFailure(-ret); 27 | handle = NULL; 28 | } 29 | 30 | return handle; 31 | } 32 | 33 | noreturn void DkProcessExit(PAL_NUM exitcode) { 34 | _DkProcessExit(exitcode); 35 | _DkRaiseFailure(PAL_ERROR_NOTKILLABLE); 36 | die_or_inf_loop(); 37 | } 38 | -------------------------------------------------------------------------------- /Pal/regression/Event2.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_debug.h" 3 | 4 | static PAL_HANDLE event1; 5 | 6 | int count = 0; 7 | 8 | static int thread_func(void* args) { 9 | DkThreadDelayExecution(1000); 10 | 11 | pal_printf("In thread 1\n"); 12 | 13 | while (count < 100) 14 | count++; 15 | 16 | DkEventSet(event1); 17 | DkThreadExit(/*clear_child_tid=*/NULL); 18 | /* UNREACHABLE */ 19 | } 20 | 21 | int main(int argc, char** argv) { 22 | pal_printf("Enter main thread\n"); 23 | 24 | PAL_HANDLE thd1; 25 | 26 | event1 = DkNotificationEventCreate(0); 27 | if (!event1) { 28 | pal_printf("DkNotificationEventCreate failed\n"); 29 | return -1; 30 | } 31 | 32 | thd1 = DkThreadCreate(&thread_func, 0); 33 | if (!thd1) { 34 | pal_printf("DkThreadCreate failed\n"); 35 | return -1; 36 | } 37 | 38 | /* wait till thread thd1 is done */ 39 | DkSynchronizationObjectWait(event1, NO_TIMEOUT); 40 | 41 | if (count != 100) 42 | return -1; 43 | 44 | /* this wait should return immediately */ 45 | DkSynchronizationObjectWait(event1, NO_TIMEOUT); 46 | 47 | pal_printf("Success, leave main thread\n"); 48 | return 0; 49 | } 50 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/tools/ra-tls/ra_tls_verify_dcap_urts.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Intel Corporation */ 3 | 4 | /* 5 | * To load libsgx_dcap_quoteverify.so, it needs some symbols which are normally 6 | * provided by libsgx_urts.so (or libsgx_urts_sim.so). To use it in Graphene, 7 | * there are two workarounds to solve this: 1) load libsgx_urts.so or 2) create 8 | * dummy functions and always return failure. In this example we use 2). 9 | */ 10 | #define DUMMY_FUNCTION(f) \ 11 | __attribute__((visibility("default"))) int f(void); \ 12 | int f(void) { \ 13 | return /*SGX_ERROR_UNEXPECTED*/ 1; \ 14 | } 15 | 16 | /* Provide these dummies since we are not using libsgx_urts.so. */ 17 | DUMMY_FUNCTION(sgx_create_enclave) 18 | DUMMY_FUNCTION(sgx_destroy_enclave) 19 | DUMMY_FUNCTION(sgx_ecall) 20 | /* ocalls in sgx_tstdc.edl */ 21 | DUMMY_FUNCTION(sgx_oc_cpuidex) 22 | DUMMY_FUNCTION(sgx_thread_set_untrusted_event_ocall) 23 | DUMMY_FUNCTION(sgx_thread_setwait_untrusted_events_ocall) 24 | DUMMY_FUNCTION(sgx_thread_set_multiple_untrusted_events_ocall) 25 | DUMMY_FUNCTION(sgx_thread_wait_untrusted_event_ocall) 26 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/pipe.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main(int argc, char** argv) { 8 | int pipefds[2]; 9 | char buffer[1024]; 10 | size_t bufsize = sizeof(buffer); 11 | 12 | if (pipe(pipefds) < 0) { 13 | perror("pipe error"); 14 | return 1; 15 | } 16 | 17 | int pid = fork(); 18 | 19 | if (pid < 0) { 20 | perror("fork error"); 21 | return 1; 22 | } else if (pid == 0) { 23 | /* client */ 24 | close(pipefds[1]); 25 | 26 | if (read(pipefds[0], &buffer, bufsize) < 0) { 27 | perror("read error"); 28 | return 1; 29 | } 30 | buffer[bufsize - 1] = '\0'; 31 | 32 | printf("read on pipe: %s\n", buffer); 33 | } else { 34 | /* server */ 35 | close(pipefds[0]); 36 | 37 | snprintf(buffer, bufsize, "Hello from write end of pipe!"); 38 | if (write(pipefds[1], &buffer, strlen(buffer) + 1) < 0) { 39 | perror("write error"); 40 | return 1; 41 | } 42 | 43 | wait(NULL); /* wait for child termination, just for sanity */ 44 | } 45 | 46 | return 0; 47 | } 48 | -------------------------------------------------------------------------------- /Pal/include/host/Linux-common/topo_info.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2021 Intel Corporation 3 | * Vijay Dhanraj 4 | */ 5 | 6 | #ifndef TOPO_INFO_H_ 7 | #define TOPO_INFO_H_ 8 | 9 | #include "pal.h" 10 | 11 | /* Opens a pseudo-file describing HW resources such as online CPUs and counts the number of 12 | * HW resources present in the file (if count == true) or simply reads the integer stored in the 13 | * file (if count == false). For example on a single-core machine, calling this function on 14 | * `/sys/devices/system/cpu/online` with count == true will return 1 and 0 with count == false. 15 | * Returns UNIX error code on failure. 16 | * N.B: Understands complex formats like "1,3-5,6" when called with count == true. 17 | */ 18 | int get_hw_resource(const char* filename, bool count); 19 | 20 | /* Reads up to count bytes from the file into the buf passed. 21 | * Returns 0 or number of bytes read on success and UNIX error code on failure. 22 | */ 23 | int read_file_buffer(const char* filename, char* buf, size_t count); 24 | /* Fills topo_info with CPU and NUMA topology from the host */ 25 | int get_topology_info(PAL_TOPO_INFO* topo_info); 26 | 27 | #endif // TOPO_INFO_H_ 28 | -------------------------------------------------------------------------------- /LICENSE.addendum.txt: -------------------------------------------------------------------------------- 1 | Graphene itself is licensed under the LGPL-3.0-or-later. 2 | 3 | Graphene also includes the following third party sources (and licenses): 4 | 5 | mbedtls crypto libraries - Apache 2.0 6 | 7 | Internet Software Consortium (permissive license): Pal/lib/network/inet_pton.c 8 | 9 | MIT JOS (mix of MIT and BSD licenses): 10 | * Pal/lib/stdlib/printfmt.c 11 | 12 | cJSON - MIT 13 | uthash - BSD revised 14 | 15 | A number of files taken from other C libraries: 16 | * glibc - LGPL 17 | ** clone, sysdeps.h (and variants) used in code 18 | ** Pal/src/host/Linux/clone-x86_64.S 19 | ** LibOS/shim/include/elf.h 20 | ** LibOS/shim/src/elf/ - basically the whole directory, and most code related to linking and loading (e.g., Pal/src/db_rtld.c) 21 | ** Pal/include/elf/elf.h 22 | ** Pal/include/sysdeps/generic/ldsodefs.h 23 | ** Pal/include/sysdeps/generic/sysdep.h 24 | ** Pal/lib/network/hton.c 25 | ** Pal/lib/string/atoi.c 26 | ** Pal/lib/string/strchr.c 27 | ** Pal/lib/string/strlen.c 28 | ** Pal/src/dynamic_link.h, do-rel.h , dl-machine-x86_64.h 29 | ** Pal/include/arch/x86_64/Linux/ - whole directory - for signal API definitions 30 | ** We also build a patched glibc 31 | 32 | * musl - MIT 33 | ** Pal/lib/string/strspn.c 34 | ** Pal/lib/string/ctype.c 35 | -------------------------------------------------------------------------------- /Pal/Makefile: -------------------------------------------------------------------------------- 1 | include ../Scripts/Makefile.configs 2 | 3 | DIRS = src crt_init regression 4 | 5 | .PHONY: all 6 | all: 7 | $(MAKE) -C src 8 | $(MAKE) -C crt_init 9 | 10 | clean_targets = clean distclean 11 | .PHONY: $(clean_targets) 12 | $(clean_targets): 13 | $(MAKE) -C src $@ 14 | $(MAKE) -C crt_init $@ 15 | $(MAKE) -C regression $@ 16 | $(MAKE) -C lib $@ 17 | 18 | .PHONY: test 19 | test: 20 | $(MAKE) -C src test 21 | $(MAKE) -C crt_init test 22 | $(MAKE) -C regression 23 | 24 | .PHONY: sgx-tokens 25 | sgx-tokens: 26 | $(MAKE) -C regression sgx-tokens 27 | 28 | .PHONY: format 29 | format: 30 | clang-format -i $(shell find . -path ./lib/crypto/mbedtls -prune -o \ 31 | -path ./lib/crypto/udivmodti4.c -prune -o \ 32 | -path ./src/host/Linux-SGX/tools/common/cJSON.c -prune -o \ 33 | -path ./src/host/Linux-SGX/tools/common/cJSON.h -prune -o \ 34 | -path ./src/host/Linux-SGX/tools/common/cJSON-*/cJSON.c -prune -o \ 35 | -path ./src/host/Linux-SGX/tools/common/cJSON-*/cJSON.h -prune -o \ 36 | \( -name '*.h' -o -name '*.c' \) -print) 37 | 38 | .PHONY: distclean 39 | distclean: clean 40 | -------------------------------------------------------------------------------- /LibOS/shim/src/utils/strobjs.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This file contains functions to allocate / free a fixed-size string object. 6 | */ 7 | 8 | #include "shim_internal.h" 9 | #include "shim_lock.h" 10 | #include "shim_utils.h" 11 | 12 | static struct shim_lock str_mgr_lock; 13 | 14 | #define SYSTEM_LOCK() lock(&str_mgr_lock) 15 | #define SYSTEM_UNLOCK() unlock(&str_mgr_lock) 16 | #define SYSTEM_LOCKED() locked(&str_mgr_lock) 17 | 18 | #define STR_MGR_ALLOC 32 19 | 20 | #define OBJ_TYPE struct shim_str 21 | #include "memmgr.h" 22 | 23 | static MEM_MGR str_mgr = NULL; 24 | 25 | int init_str_mgr(void) { 26 | if (!create_lock(&str_mgr_lock)) { 27 | return -ENOMEM; 28 | } 29 | str_mgr = create_mem_mgr(init_align_up(STR_MGR_ALLOC)); 30 | if (!str_mgr) { 31 | destroy_lock(&str_mgr_lock); 32 | return -ENOMEM; 33 | } 34 | return 0; 35 | } 36 | 37 | struct shim_str* get_str_obj(void) { 38 | return get_mem_obj_from_mgr_enlarge(str_mgr, size_align_up(STR_MGR_ALLOC)); 39 | } 40 | 41 | int free_str_obj(struct shim_str* str) { 42 | if (str == NULL) 43 | return 0; 44 | 45 | free_mem_obj_to_mgr(str_mgr, str); 46 | return 0; 47 | } 48 | -------------------------------------------------------------------------------- /Examples/ra-tls-secret-prov/certs/server2-sha256.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER 3 | MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN 4 | MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G 5 | A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN 6 | AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN 7 | owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz 8 | NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM 9 | tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P 10 | hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya 11 | HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD 12 | VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw 13 | FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJh 14 | Pqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6U 15 | HoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq9 16 | 1C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sv 17 | a1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0 18 | e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbo 19 | pMZqLmbBm/7WPLc= 20 | -----END CERTIFICATE----- 21 | -------------------------------------------------------------------------------- /Examples/ra-tls-secret-prov/certs/test-ca-sha256.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER 3 | MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN 4 | MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G 5 | A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G 6 | CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx 7 | mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny 8 | 50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n 9 | YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL 10 | R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu 11 | KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj 12 | UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/ 13 | MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUA 14 | A4IBAQA4qFSCth2q22uJIdE4KGHJsJjVEfw2/xn+MkTvCMfxVrvmRvqCtjE4tKDl 15 | oK4MxFOek07oDZwvtAT9ijn1hHftTNS7RH9zd/fxNpfcHnMZXVC4w4DNA1fSANtW 16 | 5sY1JB5Je9jScrsLSS+mAjyv0Ow3Hb2Bix8wu7xNNrV5fIf7Ubm+wt6SqEBxu3Kb 17 | +EfObAT4huf3czznhH3C17ed6NSbXwoXfby7stWUDeRJv08RaFOykf/Aae7bY5PL 18 | yTVrkAnikMntJ9YI+hNNYt3inqq11A5cN0+rVTst8UKCxzQ4GpvroSwPKTFkbMw4 19 | /anT1dVxr/BtwJfiESoK3/4CeXR1 20 | -----END CERTIFICATE----- 21 | -------------------------------------------------------------------------------- /Pal/src/host/Linux-SGX/sgx_log.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Intel Corporation 3 | * Paweł Marczewski 4 | */ 5 | 6 | /* 7 | * Outer PAL logging interface. This is initialized separately to inner PAL, but (once it's 8 | * initialized) should output at the level and to the file specified in manifest. 9 | */ 10 | 11 | #ifndef SGX_LOG_H_ 12 | #define SGX_LOG_H_ 13 | 14 | #include "pal.h" 15 | #include "pal_debug.h" 16 | 17 | extern int g_urts_log_level; 18 | extern int g_urts_log_fd; 19 | 20 | int urts_log_init(const char* path); 21 | int urts_log_printf(const char* fmt, ...) __attribute__((format(printf, 1, 2))); 22 | 23 | #define _urts_log(level, fmt...) \ 24 | do { \ 25 | if ((level) <= g_urts_log_level) \ 26 | pal_fdprintf(g_urts_log_fd, fmt); \ 27 | } while(0) 28 | 29 | #define urts_log_error(fmt...) _urts_log(PAL_LOG_ERROR, fmt) 30 | #define urts_log_warning(fmt...) _urts_log(PAL_LOG_WARNING, fmt) 31 | #define urts_log_debug(fmt...) _urts_log(PAL_LOG_DEBUG, fmt) 32 | #define urts_log_trace(fmt...) _urts_log(PAL_LOG_TRACE, fmt) 33 | 34 | #endif /* SGX_LOG_H_ */ 35 | -------------------------------------------------------------------------------- /Examples/gcc/README.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | 3 | ***TODO: this example should be reworked to use a standalone gcc version, not the one from the 4 | system and readded to Jenkins*** 5 | 6 | This directory contains a Makefile and template manifests to run gcc and its related tools on 7 | Graphene. We tested with gcc version 5.5.0 and binutils (as, ld) version 2.26.1 on Ubuntu 16.04. We 8 | also tested on Ubuntu 18.04 with gcc version 7.4.0 and binutils version 2.30. This example uses the 9 | package version of gcc and related tools (as, cc1, collect2, ld) installed on the system instead of 10 | compiling them from source as some of the other examples do. 11 | 12 | The Makefile and the template manifest contain comments to hopefully make them easier to understand. 13 | 14 | # Quick Start 15 | 16 | To run the regression tests execute ```make check```. To do the same for SGX, execute ```SGX=1 make 17 | check```. The regression tests build three sample programs - helloworld.c, bzip2.c and gzip.c - and 18 | test their functionality. 19 | 20 | By looking at the Makefile "check" target you can see how gcc is invoked to compile individual 21 | source files under the hood. If you want to compile different and/or more complex applications, you 22 | would likely need to tweak the manifest files to whitelist additional files. 23 | -------------------------------------------------------------------------------- /Examples/python-simple/run-tests.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | # === hellworld === 6 | echo -e "\n\nRunning helloworld.py:" 7 | ./pal_loader ./python scripts/helloworld.py > OUTPUT 8 | grep -q "Hello World" OUTPUT && echo "[ Success 1/3 ]" 9 | rm OUTPUT 10 | 11 | # === fibonacci === 12 | echo -e "\n\nRunning fibonacci.py:" 13 | ./pal_loader ./python scripts/fibonacci.py > OUTPUT 14 | grep -q "fib2 55" OUTPUT && echo "[ Success 2/3 ]" 15 | rm OUTPUT 16 | 17 | # === web server and client (on port 8005) === 18 | echo -e "\n\nRunning HTTP server dummy-web-server.py in the background:" 19 | ./pal_loader ./python scripts/dummy-web-server.py 8005 & echo $! > server.PID 20 | sleep 30 # Graphene-SGX takes a lot of time to initialize 21 | 22 | echo -e "\n\nRunning HTTP client test-http.py:" 23 | ./pal_loader ./python scripts/test-http.py localhost 8005 > OUTPUT1 24 | wget -q http://localhost:8005/ -O OUTPUT2 25 | echo >> OUTPUT2 # include newline since wget doesn't add it 26 | # check if all lines from OUTPUT2 are included in OUTPUT1 27 | # TODO: simplify after fixing Graphene logging subsystem, which currently mixes its output with the 28 | # application output. 29 | diff OUTPUT1 OUTPUT2 | grep -q '^>' || echo "[ Success 3/3 ]" 30 | kill "$(cat server.PID)" 31 | rm -f OUTPUT1 OUTPUT2 server.PID 32 | -------------------------------------------------------------------------------- /LibOS/shim/test/fs/stat.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | static void file_stat(const char* file_path, bool writable) { 4 | struct stat st; 5 | const char* type = writable ? "output" : "input"; 6 | 7 | if (stat(file_path, &st) != 0) 8 | fatal_error("Failed to stat file %s: %s\n", file_path, strerror(errno)); 9 | printf("stat(%s) %s 1 OK: %zu\n", file_path, type, st.st_size); 10 | 11 | int fd = writable ? open_output_fd(file_path, /*rdwr=*/false) : open_input_fd(file_path); 12 | printf("open(%s) %s 2 OK\n", file_path, type); 13 | 14 | if (stat(file_path, &st) != 0) 15 | fatal_error("Failed to stat file %s: %s\n", file_path, strerror(errno)); 16 | printf("stat(%s) %s 2 OK: %zu\n", file_path, type, st.st_size); 17 | 18 | if (fstat(fd, &st) != 0) 19 | fatal_error("Failed to fstat file %s: %s\n", file_path, strerror(errno)); 20 | printf("fstat(%s) %s 2 OK: %zu\n", file_path, type, st.st_size); 21 | 22 | close_fd(file_path, fd); 23 | printf("close(%s) %s 2 OK\n", file_path, type); 24 | } 25 | 26 | int main(int argc, char* argv[]) { 27 | if (argc < 3) 28 | fatal_error("Usage: %s \n", argv[0]); 29 | 30 | setup(); 31 | file_stat(argv[1], false); 32 | file_stat(argv[2], true); 33 | 34 | return 0; 35 | } 36 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/large_mmap.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #define TEST_LENGTH 0x10000f000 8 | #define TEST_LENGTH2 0x8000f000 9 | 10 | int main(void) { 11 | FILE* fp = fopen("testfile", "a+"); 12 | if (!fp) { 13 | perror("fopen"); 14 | return 1; 15 | } 16 | int rv = ftruncate(fileno(fp), TEST_LENGTH); 17 | if (rv) { 18 | perror("ftruncate"); 19 | return 1; 20 | } else { 21 | printf("large_mmap: ftruncate OK\n"); 22 | } 23 | 24 | void* a = mmap(NULL, TEST_LENGTH2, PROT_READ | PROT_WRITE, MAP_PRIVATE, fileno(fp), 0); 25 | if (a == MAP_FAILED) { 26 | perror("mmap 1"); 27 | return 1; 28 | } 29 | ((char*)a)[0x80000000] = 0xff; 30 | printf("large_mmap: mmap 1 completed OK\n"); 31 | 32 | rv = munmap(a, TEST_LENGTH2); 33 | if (rv) { 34 | perror("mumap"); 35 | return 1; 36 | } 37 | 38 | a = mmap(NULL, TEST_LENGTH, PROT_READ | PROT_WRITE, MAP_PRIVATE, fileno(fp), 0); 39 | if (a == MAP_FAILED) { 40 | perror("mmap 2"); 41 | return 1; 42 | } 43 | ((char*)a)[0x100000000] = 0xff; 44 | printf("large_mmap: mmap 2 completed OK\n"); 45 | 46 | return 0; 47 | } 48 | -------------------------------------------------------------------------------- /LibOS/shim/test/regression/ppoll.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | int main(void) { 10 | int ret; 11 | int fd[2]; 12 | char string[] = "Hello, world!\n"; 13 | struct timespec tv = {.tv_sec = 10, .tv_nsec = 0}; 14 | 15 | ret = pipe(fd); 16 | if (ret < 0) { 17 | perror("pipe creation failed"); 18 | return 1; 19 | } 20 | 21 | struct pollfd outfds[] = { 22 | {.fd = fd[1], .events = POLLOUT}, 23 | }; 24 | ret = ppoll(outfds, 1, &tv, NULL); 25 | if (ret <= 0) { 26 | perror("ppoll with POLLOUT failed"); 27 | return 1; 28 | } 29 | printf("ppoll(POLLOUT) returned %d file descriptors\n", ret); 30 | 31 | struct pollfd infds[] = { 32 | {.fd = fd[0], .events = POLLIN}, 33 | }; 34 | 35 | size_t len = strlen(string) + 1; 36 | if (write(fd[1], string, len) != len) { 37 | perror("write error"); 38 | return 1; 39 | } 40 | 41 | ret = ppoll(infds, 1, &tv, NULL); 42 | if (ret <= 0) { 43 | perror("ppoll with POLLIN failed"); 44 | return 1; 45 | } 46 | printf("ppoll(POLLIN) returned %d file descriptors\n", ret); 47 | 48 | return 0; 49 | } 50 | --------------------------------------------------------------------------------