├── .ci ├── almalinux8.dockerfile ├── almalinux9.dockerfile ├── alpine3.17.dockerfile ├── check-no-syscall.sh ├── check-python-platlib-almalinux8.dockerfile ├── check-python-platlib-almalinux9.dockerfile ├── check-python-platlib-debian11.dockerfile ├── check-python-platlib-ubuntu20.04.dockerfile ├── check-python-platlib-ubuntu22.04.dockerfile ├── check-python-platlib.jenkinsfile ├── check-rwx.py ├── debian11.dockerfile ├── debian12.dockerfile ├── docs.jenkinsfile ├── intel-sgx-deb.key ├── isdistro ├── lib │ ├── config-asan.jenkinsfile │ ├── config-clang.jenkinsfile │ ├── config-debug.jenkinsfile │ ├── config-docker.jenkinsfile │ ├── config-release.jenkinsfile │ ├── config-ubsan.jenkinsfile │ ├── config.jenkinsfile │ ├── stage-build-nosgx.jenkinsfile │ ├── stage-build-sgx-vm.jenkinsfile │ ├── stage-build-sgx.jenkinsfile │ ├── stage-clean-check-prepare.jenkinsfile │ ├── stage-clean-check.jenkinsfile │ ├── stage-clean-vm.jenkinsfile │ ├── stage-lint.jenkinsfile │ ├── stage-test-direct.jenkinsfile │ ├── stage-test-sgx.jenkinsfile │ ├── stage-test-vm.jenkinsfile │ └── stage-test.jenkinsfile ├── linux-direct-sanitizers.jenkinsfile ├── linux-direct-ubuntu20.04-gcc-debug.jenkinsfile ├── linux-direct-ubuntu20.04-gcc-release.jenkinsfile ├── linux-sgx-edmm.jenkinsfile ├── linux-sgx-sanitizers.jenkinsfile ├── linux-sgx-ubuntu20.04-gcc-release-apps.jenkinsfile ├── linux-sgx-ubuntu20.04-gcc-release.jenkinsfile ├── linux-sgx-ubuntu20.04-musl.jenkinsfile ├── linux-sgx-ubuntu22.04-gcc-release.jenkinsfile ├── linux-sgx-ubuntu24.04-gcc-release.jenkinsfile ├── linux-sgx-vm-gcc-release.jenkinsfile ├── pkg-apk-alpine3.17.jenkinsfile ├── pkg-deb-debian11.jenkinsfile ├── pkg-deb-debian12.jenkinsfile ├── pkg-rpm-almalinux8.jenkinsfile ├── pkg-rpm-almalinux9.jenkinsfile ├── run-shellcheck ├── ubuntu20.04.dockerfile ├── ubuntu22.04.dockerfile └── ubuntu24.04.dockerfile ├── .clang-format ├── .dir-locals.el ├── .github ├── ISSUE_TEMPLATE │ ├── 1-bug-report.yml │ ├── 2-feature-request.yml │ └── config.yml └── PULL_REQUEST_TEMPLATE.md ├── .gitignore ├── .gitmodules ├── .pylintrc ├── .readthedocs.yaml ├── CHARTER.rst ├── CI-Examples ├── .gitignore ├── README.md ├── bash │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── manifest.template │ └── scripts │ │ ├── bash_test.sh │ │ └── somefile ├── blender │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── blender.manifest.template │ ├── data │ │ ├── .gitignore │ │ └── scenes │ │ │ └── simple_scene.blend │ └── test_all_scenes.sh ├── busybox │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── busybox.manifest.template │ └── helper-files │ │ └── hosts ├── common_tools │ ├── benchmark-http.sh │ └── download ├── helloworld │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── helloworld.c │ └── helloworld.manifest.template ├── lighttpd │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── lighttpd-generic.conf │ └── lighttpd.manifest.template ├── memcached │ ├── .gitignore │ ├── Makefile │ ├── README.md │ └── memcached.manifest.template ├── nginx │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── nginx-gramine.conf.template │ ├── nginx.manifest.template │ └── ssl │ │ └── ca_config.conf ├── python │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── helper-files │ │ └── hosts │ ├── python.manifest.template │ ├── run-tests.sh │ └── scripts │ │ ├── dummy-web-server.py │ │ ├── helloworld.py │ │ ├── sgx-quote.py │ │ ├── sgx-report.py │ │ ├── test-http.py │ │ ├── test-numpy.py │ │ └── test-scipy.py ├── ra-tls-mbedtls │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── client.manifest.template │ ├── server.manifest.template │ ├── src │ │ ├── client.c │ │ └── server.c │ └── ssl │ │ └── ca_config.conf ├── ra-tls-nginx │ ├── Makefile │ ├── README.md │ ├── html │ │ └── index.html │ ├── nginx.conf │ ├── nginx.manifest.template │ └── run.sh ├── ra-tls-secret-prov │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── helper-files │ │ └── hosts │ ├── secret_prov │ │ ├── client.c │ │ ├── client.manifest.template │ │ └── server.c │ ├── secret_prov_minimal │ │ ├── client.c │ │ ├── client.manifest.template │ │ └── server.c │ ├── secret_prov_pf │ │ ├── client.c │ │ ├── client.manifest.template │ │ ├── enc_files │ │ │ └── .gitkeep │ │ ├── plain_files │ │ │ └── input.txt │ │ └── server.c │ └── ssl │ │ └── ca_config.conf ├── redis │ ├── .gitignore │ ├── Makefile │ ├── README.md │ └── redis-server.manifest.template ├── rust │ ├── .cargo │ │ └── config.toml │ ├── .gitignore │ ├── Cargo.toml │ ├── Makefile │ ├── README.md │ ├── rust-hyper-http-server.manifest.template │ └── src │ │ └── main.rs └── sqlite │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── db │ └── .gitkeep │ ├── manifest.template │ └── scripts │ ├── create.sql │ ├── select.sql │ ├── select.txt │ └── update.sql ├── CODE_OF_CONDUCT.rst ├── CONTRIBUTING.rst ├── DCO ├── Documentation ├── .gitignore ├── Doxyfile ├── Doxyfile-libos ├── Doxyfile-pal ├── Doxyfile-pal-linux ├── Doxyfile-pal-linux-sgx ├── Makefile ├── _static │ └── css │ │ └── gramine.css ├── _templates │ ├── .gitignore │ └── layout.html ├── attestation.rst ├── conf.py ├── curated-installation.rst ├── devel │ ├── DCO │ │ └── index.rst │ ├── building.rst │ ├── charter.rst │ ├── coding-style.rst │ ├── contributing.rst │ ├── debugging.rst │ ├── features.md │ ├── howto-doc.rst │ ├── new-syscall.rst │ ├── onboarding.rst │ ├── packaging.rst │ └── setup.rst ├── glossary.rst ├── gramine-users.rst ├── gramine_logo.svg ├── gsc-installation.rst ├── img │ ├── dcap.svg │ ├── epid.svg │ ├── marblerun.svg │ └── ratls.svg ├── index.rst ├── installation.rst ├── libos │ └── libos-init.rst ├── management-team.rst ├── manifest-syntax.rst ├── manpages │ ├── gramine-argv-serializer.rst │ ├── gramine-manifest-check.rst │ ├── gramine-manifest.rst │ ├── gramine-ratls.rst │ ├── gramine-sgx-gen-private-key.rst │ ├── gramine-sgx-get-token.rst │ ├── gramine-sgx-ias-request.rst │ ├── gramine-sgx-ias-verify-report.rst │ ├── gramine-sgx-quote-view.rst │ ├── gramine-sgx-sign.rst │ ├── gramine-sgx-sigstruct-view.rst │ ├── gramine.rst │ ├── index.rst │ └── is-sgx-available.rst ├── pal │ └── host-abi.rst ├── performance.rst ├── python │ ├── api.rst │ └── writing-sgx-sign-plugins.rst ├── requirements.txt ├── run-sample-application.rst ├── scag-installation.rst ├── sgx-intro.rst ├── sgx-setup.rst ├── tutorials-index.rst └── tutorials │ ├── cczoo │ └── index.rst │ └── pytorch │ ├── img │ ├── intro-01.svg │ └── workflow.svg │ └── index.rst ├── LICENSE.addendum.txt ├── LICENSE.txt ├── README.rst ├── SECURITY.md ├── common ├── include │ ├── api.h │ ├── api_fortified.h │ ├── arch │ │ └── x86_64 │ │ │ └── cpu.h │ ├── asan.h │ ├── assert.h │ ├── avl_tree.h │ ├── callbacks.h │ ├── crypto.h │ ├── generated_offsets_build.h │ ├── hex.h │ ├── init.h │ ├── iovec.h │ ├── linux_eventfd.h │ ├── linux_socket.h │ ├── list.h │ ├── log.h │ ├── memmgr.h │ ├── meson.build │ ├── nodiscard.h │ ├── pal_error.h │ ├── path_utils.h │ ├── perm.h │ ├── seqlock.h │ ├── slabmgr.h │ ├── socket_utils.h │ ├── spinlock.h │ ├── stat.h │ ├── string_utils.h │ ├── toml_utils.h │ └── unix_error.h ├── meson.build ├── proto │ ├── aesm.proto │ └── meson.build └── src │ ├── arch │ ├── meson.build │ └── x86_64 │ │ ├── cpu.c │ │ ├── ct_memequal.nasm │ │ ├── meson.build │ │ └── no_exec_stack.nasm │ ├── asan.c │ ├── avl_tree.c │ ├── crypto │ └── adapters │ │ └── mbedtls_adapter.c │ ├── generated_offsets_print.c │ ├── init.c │ ├── ioctls │ ├── ioctls.c │ ├── ioctls.h │ └── meson.build │ ├── location.c │ ├── meson.build │ ├── pal_error.c │ ├── path_utils.c │ ├── printf.c │ ├── protected_files │ ├── README.rst │ ├── lru_cache.c │ ├── lru_cache.h │ ├── meson.build │ ├── protected_files.c │ ├── protected_files.h │ ├── protected_files_format.h │ └── protected_files_internal.h │ ├── socket_utils.c │ ├── stack_protector.c │ ├── string │ ├── atoi.c │ ├── ctype.c │ ├── memcmp.c │ ├── memcpy.c │ ├── memset.c │ ├── strchr.c │ ├── strcmp.c │ ├── strlen.c │ ├── strspn.c │ ├── strstr.c │ ├── toml_utils.c │ └── util.c │ ├── string_utils.c │ ├── ubsan.c │ └── unix_error.c ├── debian ├── .gitignore ├── changelog ├── control ├── copyright ├── get-linux-src-path.sh ├── gramine-ratls-dcap.install ├── gramine-ratls-epid.install ├── gramine.install ├── gramine.manpages ├── rules └── source │ └── format ├── gramine.spec ├── libos ├── include │ ├── arch │ │ └── x86_64 │ │ │ ├── gramine_entry_api.h │ │ │ ├── libos_cpuid.h │ │ │ ├── libos_internal_arch.h │ │ │ ├── libos_tcb_arch.h │ │ │ ├── libos_vdso_arch.h │ │ │ └── linux_abi │ │ │ ├── errors_arch.h │ │ │ ├── signals_arch.h │ │ │ ├── syscalls_nr_arch.h │ │ │ └── types_arch.h │ ├── generated_offsets.c │ ├── gramine_hash.h.in │ ├── libos_checkpoint.h │ ├── libos_context.h │ ├── libos_defs.h │ ├── libos_entry.h │ ├── libos_flags_conv.h │ ├── libos_fs.h │ ├── libos_fs_encrypted.h │ ├── libos_fs_lock.h │ ├── libos_fs_mem.h │ ├── libos_fs_proc.h │ ├── libos_fs_pseudo.h │ ├── libos_handle.h │ ├── libos_internal.h │ ├── libos_ipc.h │ ├── libos_lock.h │ ├── libos_pollable_event.h │ ├── libos_process.h │ ├── libos_refcount.h │ ├── libos_rwlock.h │ ├── libos_signal.h │ ├── libos_socket.h │ ├── libos_sync.h │ ├── libos_table.h │ ├── libos_tcb.h │ ├── libos_thread.h │ ├── libos_types.h │ ├── libos_utils.h │ ├── libos_vdso.h │ ├── libos_vma.h │ ├── linux_abi │ │ ├── errors.h │ │ ├── fs.h │ │ ├── futex.h │ │ ├── ioctl.h │ │ ├── limits.h │ │ ├── memory.h │ │ ├── net.h │ │ ├── poll.h │ │ ├── process.h │ │ ├── random.h │ │ ├── sched.h │ │ ├── signals.h │ │ ├── sysinfo.h │ │ ├── time.h │ │ └── types.h │ └── meson.build ├── meson.build ├── src │ ├── arch │ │ ├── meson.build │ │ └── x86_64 │ │ │ ├── fs_proc │ │ │ └── info.c │ │ │ ├── libos.lds │ │ │ ├── libos_arch_prctl.c │ │ │ ├── libos_context.c │ │ │ ├── libos_cpuid.c │ │ │ ├── libos_elf_entry.nasm │ │ │ ├── libos_table.c │ │ │ ├── meson.build │ │ │ ├── start.S │ │ │ └── syscallas.S │ ├── bookkeep │ │ ├── libos_handle.c │ │ ├── libos_pid.c │ │ ├── libos_process.c │ │ ├── libos_signal.c │ │ ├── libos_thread.c │ │ └── libos_vma.c │ ├── fs │ │ ├── chroot │ │ │ ├── encrypted.c │ │ │ └── fs.c │ │ ├── dev │ │ │ ├── attestation.c │ │ │ └── fs.c │ │ ├── etc │ │ │ └── fs.c │ │ ├── eventfd │ │ │ └── fs.c │ │ ├── libos_dcache.c │ │ ├── libos_fs.c │ │ ├── libos_fs_encrypted.c │ │ ├── libos_fs_hash.c │ │ ├── libos_fs_lock.c │ │ ├── libos_fs_mem.c │ │ ├── libos_fs_path.c │ │ ├── libos_fs_pseudo.c │ │ ├── libos_fs_synthetic.c │ │ ├── libos_fs_util.c │ │ ├── libos_namei.c │ │ ├── pipe │ │ │ └── fs.c │ │ ├── proc │ │ │ ├── fs.c │ │ │ ├── info.c │ │ │ ├── ipc_thread.c │ │ │ └── thread.c │ │ ├── shm │ │ │ └── fs.c │ │ ├── socket │ │ │ └── fs.c │ │ ├── sys │ │ │ ├── cache_info.c │ │ │ ├── cpu_info.c │ │ │ ├── fs.c │ │ │ └── node_info.c │ │ └── tmpfs │ │ │ └── fs.c │ ├── gramine_hash.c │ ├── ipc │ │ ├── libos_ipc.c │ │ ├── libos_ipc_child.c │ │ ├── libos_ipc_fs_lock.c │ │ ├── libos_ipc_pid.c │ │ ├── libos_ipc_process_info.c │ │ ├── libos_ipc_signal.c │ │ ├── libos_ipc_sync.c │ │ ├── libos_ipc_vmid.c │ │ └── libos_ipc_worker.c │ ├── libos.map │ ├── libos_async.c │ ├── libos_call.c │ ├── libos_checkpoint.c │ ├── libos_debug.c │ ├── libos_init.c │ ├── libos_malloc.c │ ├── libos_object.c │ ├── libos_parser.c │ ├── libos_pollable_event.c │ ├── libos_rtld.c │ ├── libos_rwlock.c │ ├── libos_syscalls.c │ ├── libos_utils.c │ ├── meson.build │ ├── net │ │ ├── ip.c │ │ └── unix.c │ ├── sync │ │ ├── libos_sync_client.c │ │ └── libos_sync_server.c │ ├── sys │ │ ├── libos_access.c │ │ ├── libos_alarm.c │ │ ├── libos_brk.c │ │ ├── libos_clone.c │ │ ├── libos_dup.c │ │ ├── libos_epoll.c │ │ ├── libos_eventfd.c │ │ ├── libos_exec.c │ │ ├── libos_exit.c │ │ ├── libos_fcntl.c │ │ ├── libos_file.c │ │ ├── libos_fork.c │ │ ├── libos_futex.c │ │ ├── libos_getcwd.c │ │ ├── libos_getpid.c │ │ ├── libos_getrandom.c │ │ ├── libos_getrlimit.c │ │ ├── libos_getuid.c │ │ ├── libos_ioctl.c │ │ ├── libos_mlock.c │ │ ├── libos_mmap.c │ │ ├── libos_open.c │ │ ├── libos_pipe.c │ │ ├── libos_poll.c │ │ ├── libos_sched.c │ │ ├── libos_sigaction.c │ │ ├── libos_sleep.c │ │ ├── libos_socket.c │ │ ├── libos_stat.c │ │ ├── libos_time.c │ │ ├── libos_uname.c │ │ ├── libos_wait.c │ │ └── libos_wrappers.c │ ├── utils │ │ └── log.c │ └── vdso │ │ ├── arch │ │ ├── meson.build │ │ └── x86_64 │ │ │ ├── meson.build │ │ │ ├── vdso.c │ │ │ ├── vdso.h │ │ │ ├── vdso.lds │ │ │ ├── vdso_note.S │ │ │ └── vdso_syscall.h │ │ ├── meson.build │ │ └── vdso_data.S └── test │ ├── .gitignore │ ├── abi │ ├── common │ │ ├── common.c │ │ └── stack_auxiliary.c │ ├── meson.build │ └── x86_64 │ │ ├── atexit_func.nasm │ │ ├── call_auxiliary.nasm │ │ ├── fpu_control_word.nasm │ │ ├── manifest.template │ │ ├── meson.build │ │ ├── mxcsr.nasm │ │ ├── rflags.nasm │ │ ├── stack.nasm │ │ ├── stack_arg.manifest.template │ │ ├── stack_arg.nasm │ │ ├── stack_env.manifest.template │ │ ├── stack_env.nasm │ │ ├── test_entrypoint.py │ │ └── tests.toml │ ├── common │ └── x86_64 │ │ └── exit.nasm │ ├── fs │ ├── Makefile │ ├── README.md │ ├── chmod_stat.c │ ├── common.c │ ├── common.h │ ├── common_copy.c │ ├── copy_mmap_rev.c │ ├── copy_mmap_seq.c │ ├── copy_mmap_whole.c │ ├── copy_rev.c │ ├── copy_sendfile.c │ ├── copy_seq.c │ ├── copy_whole.c │ ├── delete.c │ ├── manifest.template │ ├── meson.build │ ├── multiple_writers.c │ ├── open_close.c │ ├── open_flags.c │ ├── read_write.c │ ├── read_write_mmap.c │ ├── seek_tell.c │ ├── seek_tell_truncate.c │ ├── stat.c │ ├── test_enc.py │ ├── test_fs.py │ ├── test_tmpfs.py │ ├── tests.toml │ └── truncate.c │ ├── ltp │ ├── .gitignore │ ├── Makefile │ ├── README.rst │ ├── contrib │ │ ├── conf_lint.py │ │ ├── conf_merge.py │ │ ├── conf_missing.py │ │ ├── conf_remove_must_pass.py │ │ └── conf_subtract.py │ ├── ltp.cfg │ ├── ltp_all.cfg │ ├── ltp_sgx.cfg │ ├── manifest.template │ ├── test_ltp.py │ └── tests.toml │ ├── meson.build │ └── regression │ ├── .gitignore │ ├── Makefile │ ├── abort.c │ ├── abort_multithread.c │ ├── argv_from_file.manifest.template │ ├── argv_from_manifest.manifest.template │ ├── asm │ ├── meson.build │ └── x86_64 │ │ ├── iret_emulation.nasm │ │ ├── meson.build │ │ └── test_x86_64.py │ ├── attestation.c │ ├── attestation.manifest.template │ ├── avx.c │ ├── bootstrap.c │ ├── bootstrap_cpp.cpp │ ├── bootstrap_cpp.manifest.template │ ├── bootstrap_pie.c │ ├── bootstrap_static.c │ ├── close_range.c │ ├── common.h │ ├── console.c │ ├── cpuid.c │ ├── debug.c │ ├── debug.gdb │ ├── debug_log_file.manifest.template │ ├── debug_log_inline.manifest.template │ ├── debug_regs_x86_64.c │ ├── debug_regs_x86_64.gdb │ ├── devfs.c │ ├── device_ioctl.c │ ├── device_ioctl.manifest.template │ ├── device_ioctl_fail.manifest.template │ ├── device_ioctl_parse_fail.c │ ├── device_ioctl_parse_fail.manifest.template │ ├── device_passthrough.c │ ├── device_passthrough.manifest.template │ ├── double_fork.c │ ├── dump.c │ ├── dump.h │ ├── env_from_file.manifest.template │ ├── env_from_host.manifest.template │ ├── env_passthrough.manifest.template │ ├── epoll_epollet.c │ ├── epoll_test.c │ ├── eventfd.c │ ├── eventfd_fork.c │ ├── eventfd_fork.manifest.template │ ├── eventfd_fork_allowed_failing.manifest.template │ ├── eventfd_races.c │ ├── eventfd_read_then_write.c │ ├── exec.c │ ├── exec_fork.c │ ├── exec_invalid_args.c │ ├── exec_null.c │ ├── exec_same.c │ ├── exec_script.c │ ├── exec_victim.c │ ├── exit.c │ ├── exit_group.c │ ├── fcntl_lock.c │ ├── fcntl_lock_child_only.c │ ├── fcntl_lock_child_only.manifest.template │ ├── fdleak.c │ ├── file_check_policy.c │ ├── file_check_policy_allow_all_but_log.manifest.template │ ├── file_check_policy_strict.manifest.template │ ├── file_size.c │ ├── flock_lock.c │ ├── fopen_cornercases.c │ ├── fork_and_access_file.c │ ├── fork_and_access_file.gdb │ ├── fork_and_access_file.manifest.template │ ├── fork_and_access_file_testfile │ ├── fork_and_exec.c │ ├── fork_disallowed.manifest.template │ ├── fp_multithread.c │ ├── fstat_cwd.c │ ├── futex.h │ ├── futex_bitset.c │ ├── futex_requeue.c │ ├── futex_timeout.c │ ├── futex_wake_op.c │ ├── getcwd.c │ ├── getdents.c │ ├── getdents_lseek.c │ ├── getsockname.c │ ├── getsockopt.c │ ├── gettimeofday.c │ ├── groups.c │ ├── helloworld.c │ ├── host_root_fs.c │ ├── host_root_fs.manifest.template │ ├── hostname.c │ ├── hostname_extra_runtime_conf.manifest.template │ ├── in_out_instruction.c │ ├── init_fail.c │ ├── init_fail.manifest.template │ ├── init_fail2.manifest.template │ ├── install_musl_tests.sh │ ├── itimer.c │ ├── keys.c │ ├── kill_all.c │ ├── large_dir_read.c │ ├── large_file.c │ ├── large_mmap.c │ ├── large_mmap.manifest.template │ ├── madvise.c │ ├── manifest.template │ ├── meson.build │ ├── mkfifo.c │ ├── mmap_file.c │ ├── mmap_file_backed.c │ ├── mmap_file_emulated.c │ ├── mprotect_file_fork.c │ ├── mprotect_prot_growsdown.c │ ├── multi_pthread.c │ ├── multi_pthread.manifest.template │ ├── multi_pthread_exitless.manifest.template │ ├── munmap.c │ ├── open_file.c │ ├── open_opath.c │ ├── openmp.c │ ├── openmp.manifest.template │ ├── pipe.c │ ├── pipe_nonblocking.c │ ├── pipe_ocloexec.c │ ├── poll.c │ ├── poll_closed_fd.c │ ├── poll_many_types.c │ ├── ppoll.c │ ├── proc_common.c │ ├── proc_cpuinfo.c │ ├── proc_path.c │ ├── proc_stat.c │ ├── pselect.c │ ├── pthread_set_get_affinity.c │ ├── rdtsc.c │ ├── readdir.c │ ├── rename_unlink.c │ ├── rename_unlink_fchown.c │ ├── run_test.c │ ├── rw_file.c │ ├── rw_file.h │ ├── rwlock.c │ ├── rwlock.manifest.template │ ├── sched.c │ ├── sched_set_get_affinity.c │ ├── scripts │ ├── bar.sh │ ├── baz.sh │ └── foo.sh │ ├── sealed_file.c │ ├── select.c │ ├── send_handle.c │ ├── shadow_pseudo_fs.manifest.template │ ├── shared_object.c │ ├── shebang_test_script.manifest.template │ ├── shebang_test_script.sh │ ├── shm.c │ ├── shm.manifest.template │ ├── sid.c │ ├── sigaction_per_process.c │ ├── sigaltstack.c │ ├── sighandler_divbyzero.c │ ├── sighandler_reset.c │ ├── sighandler_sigpipe.c │ ├── signal_multithread.c │ ├── sigprocmask_pending.c │ ├── sigterm_multithread.c │ ├── sigterm_multithread.manifest.template │ ├── socket_ioctl.c │ ├── socket_ioctl.manifest.template │ ├── spinlock.c │ ├── stat_invalid_args.c │ ├── synthetic.c │ ├── syscall.c │ ├── syscall_restart.c │ ├── sysfs_common.c │ ├── sysfs_common.manifest.template │ ├── tcp_ancillary.c │ ├── tcp_einprogress.c │ ├── tcp_ipv6_v6only.c │ ├── tcp_msg_peek.c │ ├── test_libos.py │ ├── test_sigterm.sh │ ├── tests.toml │ ├── tests_musl.toml │ ├── tmp │ └── .gitkeep │ ├── tmp_enc │ ├── .gitkeep │ ├── mrenclaves │ │ └── .gitkeep │ └── mrsigners │ │ └── .gitkeep │ ├── toml_parsing.manifest.template │ ├── udp.c │ ├── uid_gid.c │ ├── uid_gid.manifest.template │ ├── unix.c │ ├── unknown_testfile │ └── vfork_and_exec.c ├── meson.build ├── meson_options.txt ├── packaging ├── alpine │ ├── .gitignore │ └── APKBUILD └── docker │ ├── Dockerfile │ ├── build.sh │ └── restart_aesm.sh ├── pal ├── gdb_integration │ ├── debug_map_gdb.py │ ├── gramine.gdb │ ├── language_gdb.py │ └── pagination_gdb.py ├── include │ ├── arch │ │ └── x86_64 │ │ │ ├── linux-sgx │ │ │ ├── pal_host_arch.h │ │ │ ├── sigcontext.h │ │ │ └── ucontext.h │ │ │ ├── linux │ │ │ ├── pal_host_arch.h │ │ │ ├── sigcontext.h │ │ │ ├── sigreturn.h │ │ │ ├── sigset.h │ │ │ └── ucontext.h │ │ │ ├── pal_arch.h │ │ │ ├── pal_topology.h │ │ │ ├── skeleton │ │ │ ├── pal_host_arch.h │ │ │ ├── sigcontext.h │ │ │ └── ucontext.h │ │ │ └── vm │ │ │ ├── pal_host_arch.h │ │ │ ├── sigcontext.h │ │ │ └── ucontext.h │ ├── elf │ │ └── elf.h │ ├── host │ │ └── linux-common │ │ │ ├── debug_map.h │ │ │ ├── etc_host_info.h │ │ │ ├── etc_host_info_internal.h │ │ │ ├── linux_utils.h │ │ │ ├── pal_flags_conv.h │ │ │ ├── syscall.h │ │ │ └── topo_info.h │ ├── meson.build │ ├── pal │ │ └── pal.h │ ├── pal_internal.h │ └── pal_rtld.h ├── meson.build ├── regression │ ├── ..Bootstrap.c │ ├── .gitignore │ ├── AttestationReport.c │ ├── Bootstrap.c │ ├── Bootstrap6.manifest.template │ ├── Bootstrap7.c │ ├── Bootstrap7.manifest.template │ ├── Directory.c │ ├── Event.c │ ├── Exception.c │ ├── Exception2.c │ ├── Exit.c │ ├── File.c │ ├── File.manifest.template │ ├── File2.c │ ├── HelloWorld.c │ ├── Hex.c │ ├── Makefile │ ├── Misc.c │ ├── Pie.c │ ├── Pipe.c │ ├── Process.c │ ├── Process4.c │ ├── Segment.c │ ├── Symbols.c │ ├── Thread.c │ ├── Thread2.c │ ├── Thread2.manifest.template │ ├── Thread2_edmm.manifest.template │ ├── Thread2_exitless.manifest.template │ ├── avl_tree_test.c │ ├── crt_init │ │ ├── arch │ │ │ ├── meson.build │ │ │ └── x86_64 │ │ │ │ ├── meson.build │ │ │ │ └── user_start.nasm │ │ ├── meson.build │ │ └── start_main.c │ ├── ipv4_parser.c │ ├── ipv6_parser.c │ ├── manifest.template │ ├── memory.c │ ├── memory_management.c │ ├── meson.build │ ├── normalize_path.c │ ├── pal_regression.h │ ├── printf_test.c │ ├── send_handle.c │ ├── strtoll_test.c │ ├── test_pal.py │ ├── tests.toml │ └── utils.c └── src │ ├── arch │ ├── meson.build │ └── x86_64 │ │ ├── meson.build │ │ └── pal_cpuid.c │ ├── host │ ├── linux-common │ │ ├── arch │ │ │ ├── meson.build │ │ │ └── x86_64 │ │ │ │ ├── meson.build │ │ │ │ ├── stack_probe.nasm │ │ │ │ └── syscall.S │ │ ├── bogomips.c │ │ ├── debug_map.c │ │ ├── etc_host_info.c │ │ ├── file_info.c │ │ ├── file_utils.c │ │ ├── gramine_unix_socket_addr.c │ │ ├── main_exec_path.c │ │ ├── meson.build │ │ ├── proc_maps.c │ │ ├── reserved_ranges.c │ │ ├── timespec_utils.c │ │ └── topo_info.c │ ├── linux-sgx │ │ ├── common_manifest_sgx_parser.c │ │ ├── enclave.lds │ │ ├── enclave_api.S │ │ ├── enclave_api.h │ │ ├── enclave_ecalls.c │ │ ├── enclave_ecalls.h │ │ ├── enclave_edmm.c │ │ ├── enclave_entry.S │ │ ├── enclave_framework.c │ │ ├── enclave_ocalls.c │ │ ├── enclave_ocalls.h │ │ ├── enclave_platform.c │ │ ├── enclave_tf.h │ │ ├── enclave_tf_structs.h │ │ ├── enclave_xstate.c │ │ ├── gdb_integration │ │ │ ├── gramine_sgx.gdb │ │ │ ├── gramine_sgx_gdb.py │ │ │ ├── sgx_gdb.c │ │ │ └── sgx_gdb.h │ │ ├── generated_offsets.c │ │ ├── host_ecalls.c │ │ ├── host_ecalls.h │ │ ├── host_entry.S │ │ ├── host_exception.c │ │ ├── host_framework.c │ │ ├── host_internal.h │ │ ├── host_log.c │ │ ├── host_log.h │ │ ├── host_main.c │ │ ├── host_ocalls.c │ │ ├── host_perf_data.c │ │ ├── host_platform.c │ │ ├── host_process.c │ │ ├── host_process.h │ │ ├── host_profile.c │ │ ├── host_sgx_driver.h.in │ │ ├── host_syscall.c │ │ ├── host_syscall.h │ │ ├── host_thread.c │ │ ├── meson.build │ │ ├── pal.map.template │ │ ├── pal_console.c │ │ ├── pal_devices.c │ │ ├── pal_ecall_types.h │ │ ├── pal_eventfd.c │ │ ├── pal_events.c │ │ ├── pal_exception.c │ │ ├── pal_files.c │ │ ├── pal_host.h │ │ ├── pal_linux.h │ │ ├── pal_linux_defs.h │ │ ├── pal_linux_error.h │ │ ├── pal_linux_types.h │ │ ├── pal_main.c │ │ ├── pal_memory.c │ │ ├── pal_misc.c │ │ ├── pal_object.c │ │ ├── pal_ocall_types.h │ │ ├── pal_pipes.c │ │ ├── pal_process.c │ │ ├── pal_rpc_queue.h │ │ ├── pal_rtld.c │ │ ├── pal_sgx.h │ │ ├── pal_sockets.c │ │ ├── pal_streams.c │ │ ├── pal_tcb.h │ │ ├── pal_threading.c │ │ ├── sgx_arch.h │ │ └── sgx_attest.h │ ├── linux │ │ ├── arch │ │ │ ├── meson.build │ │ │ └── x86_64 │ │ │ │ ├── meson.build │ │ │ │ ├── pal.lds │ │ │ │ ├── pal_arch_exception.c │ │ │ │ ├── pal_arch_misc.c │ │ │ │ └── pal_start.S │ │ ├── gdb_integration │ │ │ └── gramine_linux_gdb.py │ │ ├── meson.build │ │ ├── pal.map.template │ │ ├── pal_console.c │ │ ├── pal_devices.c │ │ ├── pal_eventfd.c │ │ ├── pal_events.c │ │ ├── pal_exception.c │ │ ├── pal_files.c │ │ ├── pal_host.h │ │ ├── pal_linux.h │ │ ├── pal_linux_defs.h │ │ ├── pal_linux_error.h │ │ ├── pal_main.c │ │ ├── pal_memory.c │ │ ├── pal_misc.c │ │ ├── pal_object.c │ │ ├── pal_pipes.c │ │ ├── pal_process.c │ │ ├── pal_rtld.c │ │ ├── pal_sockets.c │ │ ├── pal_streams.c │ │ └── pal_threading.c │ ├── meson.build │ ├── skeleton │ │ ├── arch │ │ │ ├── meson.build │ │ │ └── x86_64 │ │ │ │ ├── meson.build │ │ │ │ └── pal.lds │ │ ├── meson.build │ │ ├── pal.map.template │ │ ├── pal_console.c │ │ ├── pal_devices.c │ │ ├── pal_eventfd.c │ │ ├── pal_events.c │ │ ├── pal_exception.c │ │ ├── pal_files.c │ │ ├── pal_host.h │ │ ├── pal_main.c │ │ ├── pal_memory.c │ │ ├── pal_misc.c │ │ ├── pal_object.c │ │ ├── pal_pipes.c │ │ ├── pal_process.c │ │ ├── pal_rtld.c │ │ ├── pal_sockets.c │ │ ├── pal_streams.c │ │ └── pal_threading.c │ ├── tdx │ │ ├── README.md │ │ ├── meson.build │ │ ├── pal.lds │ │ ├── pal.map.template │ │ ├── pal_bootloader.S │ │ ├── pal_console.c │ │ ├── pal_devices.c │ │ ├── pal_eventfd.c │ │ ├── pal_events.c │ │ ├── pal_exception.c │ │ ├── pal_files.c │ │ ├── pal_host.h │ │ ├── pal_main.c │ │ ├── pal_memory.c │ │ ├── pal_misc.c │ │ ├── pal_object.c │ │ ├── pal_pipes.c │ │ ├── pal_process.c │ │ ├── pal_rtld.c │ │ ├── pal_sockets.c │ │ ├── pal_streams.c │ │ ├── pal_threading.c │ │ ├── tdx_arch.c │ │ ├── tdx_arch.h │ │ ├── tdx_quote.h │ │ ├── tdx_tdcall.S │ │ └── vm_callbacks.c │ ├── vm-common │ │ ├── README.md │ │ ├── external │ │ │ ├── fuse_kernel.h │ │ │ ├── realpath.c │ │ │ └── realpath.h │ │ ├── generated_offsets.c │ │ ├── kernel_acpi_madt.c │ │ ├── kernel_acpi_madt.h │ │ ├── kernel_apic.c │ │ ├── kernel_apic.h │ │ ├── kernel_debug.c │ │ ├── kernel_debug.h │ │ ├── kernel_events.S │ │ ├── kernel_files.c │ │ ├── kernel_files.h │ │ ├── kernel_hob.h │ │ ├── kernel_interrupts.c │ │ ├── kernel_interrupts.h │ │ ├── kernel_memory.c │ │ ├── kernel_memory.h │ │ ├── kernel_multicore.S │ │ ├── kernel_multicore.c │ │ ├── kernel_multicore.h │ │ ├── kernel_multicore64.S │ │ ├── kernel_pci.c │ │ ├── kernel_pci.h │ │ ├── kernel_sched.c │ │ ├── kernel_sched.h │ │ ├── kernel_static_structs.S │ │ ├── kernel_syscalls.c │ │ ├── kernel_syscalls.h │ │ ├── kernel_thread.c │ │ ├── kernel_thread.h │ │ ├── kernel_time.c │ │ ├── kernel_time.h │ │ ├── kernel_virtio.c │ │ ├── kernel_virtio.h │ │ ├── kernel_virtio_console.c │ │ ├── kernel_virtio_fs.c │ │ ├── kernel_virtio_vsock.c │ │ ├── kernel_virtio_vsock.h │ │ ├── kernel_vmm_inputs.c │ │ ├── kernel_vmm_inputs.h │ │ ├── kernel_xsave.c │ │ ├── kernel_xsave.h │ │ ├── meson.build │ │ ├── pal_common.h │ │ ├── pal_common_console.c │ │ ├── pal_common_eventfd.c │ │ ├── pal_common_events.c │ │ ├── pal_common_exception.c │ │ ├── pal_common_files.c │ │ ├── pal_common_misc.c │ │ ├── pal_common_object.c │ │ ├── pal_common_pipes.c │ │ ├── pal_common_sockets.c │ │ ├── pal_common_structs.h │ │ ├── pal_common_tf.c │ │ ├── pal_common_tf.h │ │ ├── pal_common_threading.c │ │ ├── pal_linux_error.h │ │ └── vm_callbacks.h │ └── vm │ │ ├── README.md │ │ ├── bios │ │ ├── bios.S │ │ └── bios.lds │ │ ├── meson.build │ │ ├── pal.lds │ │ ├── pal.map.template │ │ ├── pal_console.c │ │ ├── pal_devices.c │ │ ├── pal_eventfd.c │ │ ├── pal_events.c │ │ ├── pal_exception.c │ │ ├── pal_files.c │ │ ├── pal_host.h │ │ ├── pal_main.c │ │ ├── pal_memory.c │ │ ├── pal_misc.c │ │ ├── pal_object.c │ │ ├── pal_pipes.c │ │ ├── pal_process.c │ │ ├── pal_rtld.c │ │ ├── pal_sockets.c │ │ ├── pal_streams.c │ │ ├── pal_threading.c │ │ ├── vm_bootloader.S │ │ └── vm_callbacks.c │ ├── meson.build │ ├── pal_events.c │ ├── pal_exception.c │ ├── pal_main.c │ ├── pal_memory.c │ ├── pal_misc.c │ ├── pal_object.c │ ├── pal_process.c │ ├── pal_rtld.c │ ├── pal_sockets.c │ ├── pal_streams.c │ ├── pal_symbols │ ├── pal_threading.c │ ├── printf.c │ └── slab.c ├── pytest.ini ├── python ├── gramine-gen-depend ├── gramine-manifest ├── gramine-manifest-check ├── gramine-sgx-gen-private-key ├── gramine-sgx-get-token ├── gramine-sgx-sign ├── gramine-sgx-sigstruct-view ├── gramine-test ├── graminelibos.dist-info │ ├── METADATA.in │ ├── entry_points.txt │ └── meson.build ├── graminelibos │ ├── __init__.py │ ├── aesm.proto │ ├── gen_jinja_env.py │ ├── manifest.py │ ├── manifest_check.py │ ├── meson.build │ ├── ninja_syntax.py │ ├── regression.py │ ├── sgx_get_token.py │ ├── sgx_sign.py │ ├── sigstruct.py │ └── util_tests.py └── meson.build ├── scripts ├── check-no-reloc.sh ├── clean-check ├── clean-check-prepare ├── clean-check-test-copy ├── docker_seccomp.json ├── docker_seccomp_aug_2022.json ├── docker_seccomp_mar_2021.json ├── download ├── gen-pal-map.py ├── get-python-platlib.py ├── gitignore-check-files ├── gitignore-test ├── makedist.sh ├── meson-clang-format.sh ├── meson-render-script.py ├── meson.build ├── run-pylint └── wait_for_server ├── subprojects ├── .gitignore ├── README.rst ├── cJSON-1.7.12.wrap ├── curl-8.8.0.wrap ├── gcc-10.2.0.wrap ├── glibc-2.39-1.wrap ├── mbedtls-3.6.0.wrap ├── musl-1.2.5.wrap ├── packagefiles │ ├── cJSON │ │ └── meson.build │ ├── curl-8.8.0 │ │ ├── compile.sh │ │ └── meson.build │ ├── gcc-10.2.0 │ │ ├── compile.sh │ │ ├── libgomp-replace-futex-instruction.patch │ │ └── meson.build │ ├── glibc-2.39 │ │ ├── compile-no-patches.sh │ │ ├── compile.sh │ │ ├── fix-fortify-source.patch │ │ ├── gramine-syscall.patch │ │ ├── hp-timing.patch │ │ ├── meson.build │ │ └── meson_options.txt │ ├── mbedtls │ │ ├── compile-curl.sh │ │ ├── compile-gramine.sh │ │ ├── compile-pal.sh │ │ ├── compile.sh │ │ ├── gramine.patch │ │ ├── include │ │ │ └── mbedtls │ │ │ │ └── config-pal.h │ │ ├── meson.build │ │ └── meson_options.txt │ ├── musl-1.2.5 │ │ ├── compile.sh │ │ ├── meson.build │ │ └── musl-1.2.5.patch │ ├── tomlc99 │ │ ├── meson.build │ │ ├── toml.c.patch │ │ └── toml.h.patch │ └── uthash │ │ ├── meson.build │ │ └── src │ │ ├── meson.build │ │ └── uthash.h.patch ├── tomlc99-208203af46bdbdb29ba199660ed78d09c220b6c5.wrap └── uthash-2.1.0.wrap ├── tests ├── test_chroot.py ├── test_ldd.py └── test_sgx_sign.py └── tools ├── argv_serializer.c ├── gramine-vm.in ├── gramine.in ├── meson.build ├── sgx ├── common │ ├── ias.c │ ├── ias.h │ ├── meson.build │ ├── pf_util.c │ ├── pf_util.h │ ├── quote.c │ ├── quote.h │ ├── util.c │ └── util.h ├── ias-request │ ├── ias_request.c │ └── meson.build ├── is-sgx-available │ ├── is_sgx_available.cpp │ └── meson.build ├── meson.build ├── pf_crypt │ ├── meson.build │ └── pf_crypt.c ├── pf_tamper │ ├── meson.build │ └── pf_tamper.c ├── quote-view │ ├── meson.build │ └── quote_view.c ├── ra-tls │ ├── gramine-ratls.c │ ├── meson.build │ ├── ra_tls.h │ ├── ra_tls.map │ ├── ra_tls_attest.c │ ├── ra_tls_common.h │ ├── ra_tls_verify_common.c │ ├── ra_tls_verify_dcap.c │ ├── ra_tls_verify_dcap_gramine.c │ ├── ra_tls_verify_epid.c │ ├── secret_prov.h │ ├── secret_prov.map │ ├── secret_prov_attest.c │ ├── secret_prov_common.c │ ├── secret_prov_common.h │ └── secret_prov_verify.c └── verify-ias-report │ ├── meson.build │ └── verify_ias_report.c └── vcs_tag.in /.ci/almalinux8.dockerfile: -------------------------------------------------------------------------------- 1 | FROM almalinux:8 2 | 3 | RUN dnf install -y \ 4 | 'dnf-command(config-manager)' \ 5 | epel-release \ 6 | git \ 7 | jq \ 8 | rpm-build 9 | RUN dnf config-manager --set-enabled -y powertools 10 | 11 | # NOTE: COPY invalidates docker cache when source file changes, 12 | # so `dnf builddep` will rerun if dependencies change, despite no change 13 | # in dockerfile. 14 | COPY gramine.spec /gramine.spec 15 | RUN dnf builddep -y /gramine.spec 16 | -------------------------------------------------------------------------------- /.ci/almalinux9.dockerfile: -------------------------------------------------------------------------------- 1 | FROM almalinux:9 2 | 3 | RUN dnf install -y \ 4 | 'dnf-command(config-manager)' \ 5 | epel-release \ 6 | git \ 7 | jq \ 8 | rpm-build 9 | RUN dnf config-manager --set-enabled -y crb 10 | 11 | # NOTE: COPY invalidates docker cache when source file changes, 12 | # so `dnf builddep` will rerun if dependencies change, despite no change 13 | # in dockerfile. 14 | COPY gramine.spec /gramine.spec 15 | RUN dnf builddep -y /gramine.spec 16 | -------------------------------------------------------------------------------- /.ci/alpine3.17.dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3.17 2 | 3 | RUN apk add \ 4 | alpine-sdk \ 5 | doas \ 6 | jq \ 7 | meson \ 8 | nasm 9 | 10 | COPY packaging/alpine/APKBUILD /APKBUILD 11 | RUN abuild -F -r builddeps 12 | RUN rm -f /APKBUILD 13 | -------------------------------------------------------------------------------- /.ci/check-no-syscall.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Try to detect if compiler emitted SYSCALL instruction in an ELF file by 4 | # disassembling. This is not foolproof, please only use for CI. 5 | 6 | set -e 7 | 8 | # find only instructions, not symbols 9 | PATTERN='^[0-9a-f:[:blank:]]*syscall' 10 | 11 | while test $# -gt 0 12 | do 13 | OBJDUMP=$(objdump -d -M intel-mnemonic "$1") 14 | if printf %s "$OBJDUMP" | grep -q -i "$PATTERN" 15 | then 16 | printf "ERROR: found syscall instruction in %s:\n" "$1" 17 | printf %s\\n "$OBJDUMP" | grep -C20 -i "$PATTERN" 18 | exit 1 19 | fi 20 | shift 21 | done 22 | -------------------------------------------------------------------------------- /.ci/check-python-platlib-almalinux8.dockerfile: -------------------------------------------------------------------------------- 1 | FROM almalinux:8 2 | 3 | RUN dnf install -y python3 4 | 5 | COPY scripts/get-python-platlib.py /get-python-platlib.py 6 | RUN mkdir -p "$(python3 /get-python-platlib.py /usr/local)" 7 | -------------------------------------------------------------------------------- /.ci/check-python-platlib-almalinux9.dockerfile: -------------------------------------------------------------------------------- 1 | FROM almalinux:9 2 | 3 | COPY scripts/get-python-platlib.py /get-python-platlib.py 4 | RUN mkdir -p "$(python3 /get-python-platlib.py /usr/local)" 5 | -------------------------------------------------------------------------------- /.ci/check-python-platlib-debian11.dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:bullseye-backports 2 | 3 | ENV DEBIAN_FRONTEND=noninteractive 4 | 5 | RUN apt-get update && apt-get install -y \ 6 | python3 \ 7 | python3-distutils \ 8 | python3-setuptools 9 | 10 | COPY scripts/get-python-platlib.py /get-python-platlib.py 11 | RUN mkdir -p "$(python3 /get-python-platlib.py /usr/local)" 12 | -------------------------------------------------------------------------------- /.ci/check-python-platlib-ubuntu20.04.dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:20.04 2 | 3 | ENV DEBIAN_FRONTEND=noninteractive 4 | 5 | RUN apt-get update && apt-get install -y \ 6 | python3 \ 7 | python3-distutils \ 8 | python3-setuptools 9 | 10 | COPY scripts/get-python-platlib.py /get-python-platlib.py 11 | RUN mkdir -p "$(python3 /get-python-platlib.py /usr/local)" 12 | -------------------------------------------------------------------------------- /.ci/check-python-platlib-ubuntu22.04.dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 2 | 3 | ENV DEBIAN_FRONTEND=noninteractive 4 | 5 | RUN apt-get update && apt-get install -y \ 6 | python3 \ 7 | python3-distutils \ 8 | python3-setuptools 9 | 10 | COPY scripts/get-python-platlib.py /get-python-platlib.py 11 | RUN mkdir -p "$(python3 /get-python-platlib.py /usr/local)" 12 | -------------------------------------------------------------------------------- /.ci/check-python-platlib.jenkinsfile: -------------------------------------------------------------------------------- 1 | node() { 2 | checkout scm 3 | 4 | [ 5 | 'debian11', 6 | 'ubuntu22.04', 7 | 'ubuntu20.04', 8 | 'almalinux9', 9 | 'almalinux8', 10 | ].each { distro -> 11 | docker.build( 12 | "local:${env.BUILD_TAG}", "-f .ci/check-python-platlib-${distro}.dockerfile ." 13 | ).inside() { 14 | sh ''' 15 | python3 -c "import sys; sys.exit('$(python3 ./scripts/get-python-platlib.py /usr/local)' not in sys.path)" 16 | ''' 17 | } 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /.ci/check-rwx.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import argparse 4 | import sys 5 | from elftools.elf.elffile import ELFFile 6 | from elftools.elf.constants import P_FLAGS 7 | 8 | argparser = argparse.ArgumentParser() 9 | argparser.add_argument('infile', type=argparse.FileType('rb')) 10 | 11 | args = argparser.parse_args() 12 | 13 | elf = ELFFile(args.infile) 14 | for i, segment in enumerate(elf.iter_segments()): 15 | if segment.header.p_flags & P_FLAGS.PF_X and segment.header.p_flags & P_FLAGS.PF_W: 16 | print(f"error in {args.infile.name}: segment {i} is both writable and executable") 17 | sys.exit(1) 18 | -------------------------------------------------------------------------------- /.ci/docs.jenkinsfile: -------------------------------------------------------------------------------- 1 | pipeline { 2 | agent { 3 | dockerfile { filename '.ci/debian12.dockerfile' } 4 | } 5 | stages { 6 | stage('build') { 7 | steps { 8 | sh 'make -C Documentation html SPHINXOPTS="-W"' 9 | } 10 | } 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /.ci/isdistro: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | test "$#" -eq 1 || exit 2 4 | . /etc/os-release || exit 3 5 | test "$1" = "$VERSION_CODENAME" || test "$1" = "$ID"-"$VERSION_ID" || exit 1 6 | -------------------------------------------------------------------------------- /.ci/lib/config-asan.jenkinsfile: -------------------------------------------------------------------------------- 1 | env.ASAN = '1' 2 | env.LTP_TIMEOUT_FACTOR = '2' 3 | -------------------------------------------------------------------------------- /.ci/lib/config-clang.jenkinsfile: -------------------------------------------------------------------------------- 1 | env.CC = "clang" 2 | env.CXX = "clang++" 3 | env.AS = "clang" 4 | 5 | /* 6 | * TODO: Our examples all use: 7 | * 8 | * ARCH_LIBDIR ?= /lib/$(shell $(CC) -dumpmachine) 9 | * 10 | * which gives the wrong answer ("/lib/x86_64-pc-linux-gnu") when CC is "clang". 11 | */ 12 | env.ARCH_LIBDIR = "/lib/x86_64-linux-gnu" 13 | -------------------------------------------------------------------------------- /.ci/lib/config-debug.jenkinsfile: -------------------------------------------------------------------------------- 1 | env.DEBUG = '1' 2 | env.BUILDTYPE = 'debug' 3 | -------------------------------------------------------------------------------- /.ci/lib/config-docker.jenkinsfile: -------------------------------------------------------------------------------- 1 | env.PREFIX = env.WORKSPACE + '/usr' 2 | 3 | // don't mess with PATH before reading this: https://issues.jenkins.io/browse/JENKINS-49076 4 | env.DOCKER_ARGS_COMMON = """ 5 | --env=PATH=${env.PREFIX}/bin:${env.PATH} 6 | """ 7 | env.DOCKER_ARGS_SGX = ''' 8 | --volume=/lib/modules:/lib/modules:ro 9 | --volume=/usr/src:/usr/src:ro 10 | ''' 11 | 12 | if (fileExists('/dev/sgx_enclave')) { 13 | env.DOCKER_ARGS_SGX += ' --device=/dev/sgx_enclave:/dev/sgx_enclave' 14 | } 15 | if (fileExists('/dev/isgx')) { 16 | env.DOCKER_ARGS_SGX += ' --device=/dev/isgx:/dev/isgx' 17 | } 18 | if (fileExists('/var/run/aesmd/aesm.socket')) { 19 | env.DOCKER_ARGS_SGX += ' --volume=/var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket' 20 | } 21 | -------------------------------------------------------------------------------- /.ci/lib/config-release.jenkinsfile: -------------------------------------------------------------------------------- 1 | // env.DEBUG is not set 2 | env.BUILDTYPE = 'release' 3 | -------------------------------------------------------------------------------- /.ci/lib/config-ubsan.jenkinsfile: -------------------------------------------------------------------------------- 1 | env.UBSAN = '1' 2 | -------------------------------------------------------------------------------- /.ci/lib/config.jenkinsfile: -------------------------------------------------------------------------------- 1 | env.MAKEOPTS = '-j8' 2 | 3 | python_platlib = sh(returnStdout: true, script: 'python3 scripts/get-python-platlib.py "$PREFIX"') 4 | env.PYTHONPATH = python_platlib + ':' + env.WORKSPACE + '/scripts' 5 | 6 | // in Jenkins we can't write anything to $HOME, we must contain ourselves in $WORKSPACE 7 | env.XDG_CONFIG_HOME = env.WORKSPACE + '/XDG_CONFIG_HOME' 8 | env.CARGO_HOME = env.WORKSPACE + '/CARGO_HOME' 9 | 10 | env.RA_TLS_ALLOW_OUTDATED_TCB_INSECURE = '1' 11 | env.RA_TLS_ALLOW_HW_CONFIG_NEEDED = '1' 12 | env.RA_TLS_ALLOW_SW_HARDENING_NEEDED = '1' 13 | env.RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE = '1' 14 | 15 | env.LC_ALL = 'C.UTF-8' 16 | env.LANG = env.LC_ALL 17 | -------------------------------------------------------------------------------- /.ci/lib/stage-clean-check-prepare.jenkinsfile: -------------------------------------------------------------------------------- 1 | stage('clean-check-prepare') { 2 | sh './scripts/clean-check-prepare' 3 | } 4 | -------------------------------------------------------------------------------- /.ci/lib/stage-clean-vm.jenkinsfile: -------------------------------------------------------------------------------- 1 | stage('clean-vm') { 2 | sh ''' 3 | rm -rf device-testing-tools driver 4 | rm -rf libos/test/regression/gramine_test_dev_ioctl.h 5 | ''' 6 | } 7 | -------------------------------------------------------------------------------- /.ci/lib/stage-lint.jenkinsfile: -------------------------------------------------------------------------------- 1 | stage('lint') { 2 | sh ''' 3 | ./scripts/gitignore-check-files 4 | ./.ci/run-shellcheck 5 | ''' 6 | } 7 | -------------------------------------------------------------------------------- /.ci/lib/stage-test-vm.jenkinsfile: -------------------------------------------------------------------------------- 1 | stage('test') { 2 | timeout(time: 15, unit: 'MINUTES') { 3 | sh ''' 4 | export PWD_FOR_VM=$PWD 5 | 6 | cd device-testing-tools/initramfs_builder 7 | 8 | # we add `/sbin` to PATH to find insmod and poweroff programs 9 | ./run.sh PWD_FOR_VM=$PWD_FOR_VM SGX=$SGX IS_VM=$IS_VM PATH=/sbin:$PATH \ 10 | PKG_CONFIG_PATH=$PKG_CONFIG_PATH PYTHONPATH=$PYTHONPATH \ 11 | XDG_CONFIG_HOME=$XDG_CONFIG_HOME GRAMINE_PKGLIBDIR=$GRAMINE_PKGLIBDIR | tee OUTPUT 12 | grep "TESTS OK" OUTPUT 13 | ''' 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /.ci/linux-direct-ubuntu20.04-gcc-debug.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('nonsgx_slave && aesni') { 2 | checkout scm 3 | 4 | load '.ci/lib/config-docker.jenkinsfile' 5 | docker.build( 6 | "local:${env.BUILD_TAG}", 7 | '-f .ci/ubuntu20.04.dockerfile .' 8 | ).inside("${env.DOCKER_ARGS_COMMON} --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_mar_2021.json") { 9 | load '.ci/lib/config.jenkinsfile' 10 | load '.ci/lib/config-debug.jenkinsfile' 11 | 12 | load '.ci/lib/stage-lint.jenkinsfile' 13 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 14 | load '.ci/lib/stage-build-nosgx.jenkinsfile' 15 | load '.ci/lib/stage-test.jenkinsfile' 16 | load '.ci/lib/stage-test-direct.jenkinsfile' 17 | load '.ci/lib/stage-clean-check.jenkinsfile' 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /.ci/linux-direct-ubuntu20.04-gcc-release.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('nonsgx_slave && aesni') { 2 | checkout scm 3 | 4 | load '.ci/lib/config-docker.jenkinsfile' 5 | docker.build( 6 | "local:${env.BUILD_TAG}", 7 | '-f .ci/ubuntu20.04.dockerfile .' 8 | ).inside("${env.DOCKER_ARGS_COMMON} --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_mar_2021.json") { 9 | load '.ci/lib/config.jenkinsfile' 10 | load '.ci/lib/config-release.jenkinsfile' 11 | 12 | load '.ci/lib/stage-lint.jenkinsfile' 13 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 14 | load '.ci/lib/stage-build-nosgx.jenkinsfile' 15 | load '.ci/lib/stage-test.jenkinsfile' 16 | load '.ci/lib/stage-test-direct.jenkinsfile' 17 | load '.ci/lib/stage-clean-check.jenkinsfile' 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /.ci/linux-sgx-ubuntu20.04-gcc-release-apps.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('sgx_slave_2.6 && aesni') { 2 | checkout scm 3 | 4 | env.SGX = '1' 5 | env.SGX_DRIVER = 'oot' 6 | 7 | load '.ci/lib/config-docker.jenkinsfile' 8 | docker.build( 9 | "local:${env.BUILD_TAG}", 10 | '-f .ci/ubuntu20.04.dockerfile .' 11 | ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") { 12 | load '.ci/lib/config.jenkinsfile' 13 | load '.ci/lib/config-release.jenkinsfile' 14 | 15 | load '.ci/lib/stage-lint.jenkinsfile' 16 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 17 | load '.ci/lib/stage-build-sgx.jenkinsfile' 18 | load '.ci/lib/stage-test-sgx.jenkinsfile' 19 | load '.ci/lib/stage-clean-check.jenkinsfile' 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /.ci/linux-sgx-ubuntu20.04-gcc-release.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('sgx_slave_2.6 && aesni') { 2 | checkout scm 3 | 4 | env.SGX = '1' 5 | env.SGX_DRIVER = 'oot' 6 | 7 | load '.ci/lib/config-docker.jenkinsfile' 8 | docker.build( 9 | "local:${env.BUILD_TAG}", 10 | '-f .ci/ubuntu20.04.dockerfile .' 11 | ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") { 12 | load '.ci/lib/config.jenkinsfile' 13 | load '.ci/lib/config-release.jenkinsfile' 14 | 15 | load '.ci/lib/stage-lint.jenkinsfile' 16 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 17 | load '.ci/lib/stage-build-sgx.jenkinsfile' 18 | load '.ci/lib/stage-test.jenkinsfile' 19 | load '.ci/lib/stage-clean-check.jenkinsfile' 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /.ci/linux-sgx-ubuntu20.04-musl.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('sgx_slave_2.6 && aesni') { 2 | checkout scm 3 | 4 | env.SGX = '1' 5 | env.SGX_DRIVER = 'oot' 6 | env.GRAMINE_MUSL = '1' 7 | 8 | load '.ci/lib/config-docker.jenkinsfile' 9 | docker.build( 10 | "local:${env.BUILD_TAG}", 11 | '-f .ci/ubuntu20.04.dockerfile .' 12 | ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") { 13 | load '.ci/lib/config.jenkinsfile' 14 | load '.ci/lib/config-release.jenkinsfile' 15 | 16 | load '.ci/lib/stage-lint.jenkinsfile' 17 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 18 | load '.ci/lib/stage-build-sgx.jenkinsfile' 19 | load '.ci/lib/stage-test.jenkinsfile' 20 | load '.ci/lib/stage-clean-check.jenkinsfile' 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /.ci/linux-sgx-ubuntu22.04-gcc-release.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('sgx') { 2 | checkout scm 3 | 4 | env.SGX = '1' 5 | 6 | load '.ci/lib/config-docker.jenkinsfile' 7 | docker.build( 8 | "local:${env.BUILD_TAG}", 9 | '-f .ci/ubuntu22.04.dockerfile .' 10 | ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") { 11 | load '.ci/lib/config.jenkinsfile' 12 | load '.ci/lib/config-release.jenkinsfile' 13 | 14 | load '.ci/lib/stage-lint.jenkinsfile' 15 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 16 | load '.ci/lib/stage-build-sgx.jenkinsfile' 17 | load '.ci/lib/stage-test.jenkinsfile' 18 | load '.ci/lib/stage-clean-check.jenkinsfile' 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /.ci/linux-sgx-ubuntu24.04-gcc-release.jenkinsfile: -------------------------------------------------------------------------------- 1 | node('sgx') { 2 | checkout scm 3 | 4 | env.SGX = '1' 5 | 6 | load '.ci/lib/config-docker.jenkinsfile' 7 | docker.build( 8 | "local:${env.BUILD_TAG}", 9 | '-f .ci/ubuntu24.04.dockerfile .' 10 | ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") { 11 | load '.ci/lib/config.jenkinsfile' 12 | load '.ci/lib/config-release.jenkinsfile' 13 | 14 | load '.ci/lib/stage-lint.jenkinsfile' 15 | load '.ci/lib/stage-clean-check-prepare.jenkinsfile' 16 | load '.ci/lib/stage-build-sgx.jenkinsfile' 17 | load '.ci/lib/stage-test.jenkinsfile' 18 | load '.ci/lib/stage-clean-check.jenkinsfile' 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /.ci/run-shellcheck: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | cd "$(git rev-parse --show-toplevel)" 6 | 7 | LC_ALL=C.UTF-8 shellcheck "$@" \ 8 | CI-Examples/bash/scripts/bash_test.sh \ 9 | CI-Examples/common_tools/benchmark-http.sh \ 10 | CI-Examples/python/run-tests.sh \ 11 | tools/gramine.in \ 12 | scripts/clean-check \ 13 | scripts/clean-check-prepare \ 14 | scripts/clean-check-test-copy \ 15 | scripts/download \ 16 | scripts/gitignore-test \ 17 | scripts/run-pylint \ 18 | .ci/run-shellcheck 19 | -------------------------------------------------------------------------------- /.clang-format: -------------------------------------------------------------------------------- 1 | BasedOnStyle: Google 2 | AlignConsecutiveAssignments: true 3 | AlignConsecutiveMacros: true 4 | AllowShortFunctionsOnASingleLine: Empty 5 | AllowShortIfStatementsOnASingleLine: false 6 | ColumnLimit: 100 7 | DerivePointerAlignment: false 8 | IndentWidth: 4 9 | ObjCBlockIndentWidth: 4 10 | PointerAlignment: Left 11 | TabWidth: 4 12 | -------------------------------------------------------------------------------- /.dir-locals.el: -------------------------------------------------------------------------------- 1 | ((nil . ((indent-tabs-mode . nil) 2 | (tab-width . 4) 3 | (fill-column . 100))) 4 | (c-mode . ((c-file-style . "k&r") 5 | (c-basic-offset . 4))) 6 | (makefile-mode . ((indent-tabs-mode . t))) 7 | (shell-script-mode . ((indent-tabs-mode . t))) 8 | ("\.git/COMMIT_EDITMSG" . ((nil . ((fill-column . 80))))) 9 | (markdown-mode . ((fill-column . 80))) 10 | (rst-mode . ((fill-column . 80))) 11 | ((nil . ((truncate-lines . t))) 12 | (text-mode . ((eval . ((turn-on-auto-fill))))))) 13 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/2-feature-request.yml: -------------------------------------------------------------------------------- 1 | name: 🧭 Feature request 2 | description: Suggest a feature 3 | body: 4 | - type: textarea 5 | attributes: 6 | label: Description of the feature 7 | description: | 8 | Please be precise and concise. 9 | validations: 10 | required: true 11 | - type: textarea 12 | attributes: 13 | label: Why Gramine should implement it? 14 | description: | 15 | Features introduce complexity and add maintenance cost. Please ensure that this cost is justified. 16 | validations: 17 | required: true 18 | 19 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: true 2 | contact_links: 3 | - name: 💬 I need help with Gramine usage 4 | url: https://github.com/gramineproject/gramine/discussions/categories/general 5 | about: Open a discussion thread 6 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 5 | 6 | ## Description of the changes 7 | 8 | 11 | 12 | ## How to test this PR? 13 | 14 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /build 2 | /install 3 | /obj-* 4 | 5 | # No editor backup files. 6 | *.sw* 7 | *.backup 8 | *.orig 9 | \#*# 10 | *~ 11 | 12 | .lib 13 | *.i 14 | *.s 15 | *.e 16 | *.d 17 | pal.map 18 | 19 | # object file/libraries 20 | *.a 21 | *.o 22 | *.so 23 | *.so.* 24 | 25 | # python 26 | *.py[co] 27 | __pycache__ 28 | .pytest_cache 29 | 30 | # sgx 31 | *.manifest.sgx 32 | *.sig 33 | *.token 34 | *.cached 35 | .output.sgx_get_token.* 36 | .output.sgx_sign.* 37 | 38 | # gnu global 39 | GPATH 40 | GTAGS 41 | GSYMS 42 | GRTAGS 43 | 44 | # tags/etags 45 | tags 46 | TAGS 47 | 48 | # cscope 49 | cscope.* 50 | ncscope.* 51 | *cscope* 52 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "libos/test/ltp/src"] 2 | path = libos/test/ltp/src 3 | url = https://github.com/linux-test-project/ltp.git 4 | -------------------------------------------------------------------------------- /.readthedocs.yaml: -------------------------------------------------------------------------------- 1 | version: 2 2 | 3 | # The recent version of urllib3 (v2.0) only supports OpenSSL 1.1.1+. However, the ReadTheDocs 4 | # engine that we use for generating our web documentation by default uses older OpenSSL. The 5 | # workaround is to pin a specific OS distro and Python version. 6 | # See also https://github.com/readthedocs/readthedocs.org/issues/10290. 7 | build: 8 | os: ubuntu-22.04 9 | tools: 10 | python: "3.11" 11 | apt_packages: 12 | - doxygen 13 | 14 | python: 15 | install: 16 | - requirements: Documentation/requirements.txt 17 | 18 | sphinx: 19 | fail_on_warning: true 20 | -------------------------------------------------------------------------------- /CI-Examples/.gitignore: -------------------------------------------------------------------------------- 1 | *.manifest 2 | *.manifest.sgx 3 | *.sig 4 | *.token 5 | *.o 6 | *~ 7 | *.swp 8 | -------------------------------------------------------------------------------- /CI-Examples/bash/.gitignore: -------------------------------------------------------------------------------- 1 | /OUTPUT 2 | /scripts/testdir/* 3 | -------------------------------------------------------------------------------- /CI-Examples/bash/README.md: -------------------------------------------------------------------------------- 1 | # Bash example 2 | 3 | This directory contains an example for running Bash in Gramine, including 4 | the Makefile and a template for generating the manifest. 5 | 6 | # Generating the manifest 7 | 8 | ## Building for Linux 9 | 10 | Run `make` (non-debug) or `make DEBUG=1` (debug) in the directory. 11 | 12 | ## Building for SGX 13 | 14 | Run `make SGX=1` (non-debug) or `make SGX=1 DEBUG=1` (debug) in the directory. 15 | 16 | # Running Bash with Gramine 17 | 18 | Here's an example of running Bash scripts under Gramine: 19 | 20 | Without SGX: 21 | ``` 22 | gramine-direct ./bash -c "ls" 23 | gramine-direct ./bash -c "cd scripts && bash bash_test.sh 2" 24 | ``` 25 | 26 | With SGX: 27 | ``` 28 | gramine-sgx ./bash -c "ls" 29 | gramine-sgx ./bash -c "cd scripts && bash bash_test.sh 2" 30 | ``` 31 | -------------------------------------------------------------------------------- /CI-Examples/bash/scripts/bash_test.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright (C) 2023 Gramine contributors 4 | # SPDX-License-Identifier: BSD-3-Clause 5 | 6 | times=$1 7 | [ "$times" -gt 0 ] 2>/dev/null || times=300 8 | 9 | for (( c=1; c<=times; c++ )) 10 | do 11 | echo "hello $c" 12 | cp somefile testdir/somefile 13 | cat somefile > testdir/createdfile 14 | ls testdir/ 15 | rm -rf testdir/somefile testdir/createdfile 16 | date +"current date is %D" 17 | done 18 | -------------------------------------------------------------------------------- /CI-Examples/bash/scripts/somefile: -------------------------------------------------------------------------------- 1 | dummy 2 | -------------------------------------------------------------------------------- /CI-Examples/blender/.gitignore: -------------------------------------------------------------------------------- 1 | /blender.tar.xz 2 | /blender_dir/ 3 | /run_dir/ 4 | -------------------------------------------------------------------------------- /CI-Examples/blender/README.md: -------------------------------------------------------------------------------- 1 | # Blender 2 | 3 | This directory contains a Makefile and template manifest to run Blender v2.82 on 4 | Gramine. 5 | 6 | # Quick Start 7 | 8 | To run the test execute ```make check```. To do the same for SGX, execute 9 | ```make SGX=1 check```. 10 | -------------------------------------------------------------------------------- /CI-Examples/blender/data/.gitignore: -------------------------------------------------------------------------------- 1 | images/ 2 | -------------------------------------------------------------------------------- /CI-Examples/blender/data/scenes/simple_scene.blend: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gramineproject/gramine-tdx/b6e97234ec8afce4a5fb6ce94aeea6869a3bb82e/CI-Examples/blender/data/scenes/simple_scene.blend -------------------------------------------------------------------------------- /CI-Examples/blender/test_all_scenes.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Copyright (C) 2023 Gramine contributors 4 | # SPDX-License-Identifier: BSD-3-Clause 5 | 6 | set -e 7 | 8 | if test -n "$SGX" 9 | then 10 | GRAMINE=gramine-sgx 11 | else 12 | GRAMINE=gramine-direct 13 | fi 14 | 15 | for i in `ls "$DATA_DIR"/scenes/`; 16 | do 17 | rm -f "$DATA_DIR"/images/"$i"0001.png 18 | $GRAMINE "../blender" -b /data/scenes/$i -t 4 -F PNG -o /data/images/$i -f 1 19 | # TODO add a better test, probably some diff with a precomputed image 20 | [ -f "$DATA_DIR"/images/"$i"0001.png ] 21 | done 22 | -------------------------------------------------------------------------------- /CI-Examples/busybox/.gitignore: -------------------------------------------------------------------------------- 1 | /OUTPUT 2 | /busybox 3 | /busybox.tar.bz2 4 | /src 5 | -------------------------------------------------------------------------------- /CI-Examples/busybox/helper-files/hosts: -------------------------------------------------------------------------------- 1 | 127.0.0.1 localhost 2 | 3 | # The following lines are desirable for IPv6 capable hosts 4 | ::1 ip6-localhost ip6-loopback 5 | fe00::0 ip6-localnet 6 | ff00::0 ip6-mcastprefix 7 | ff02::1 ip6-allnodes 8 | ff02::2 ip6-allrouters 9 | -------------------------------------------------------------------------------- /CI-Examples/helloworld/.gitignore: -------------------------------------------------------------------------------- 1 | /helloworld 2 | /*.o 3 | /OUTPUT 4 | -------------------------------------------------------------------------------- /CI-Examples/helloworld/README.md: -------------------------------------------------------------------------------- 1 | # Hello World 2 | 3 | This directory contains a Makefile and a manifest template for running a simple 4 | "Hello World" program in Gramine. It can be used as a sanity test for your 5 | Gramine installation. 6 | 7 | # Building 8 | 9 | ## Building for Linux 10 | 11 | Run `make` (non-debug) or `make DEBUG=1` (debug) in the directory. 12 | 13 | ## Building for SGX 14 | 15 | Run `make SGX=1` (non-debug) or `make SGX=1 DEBUG=1` (debug) in the directory. 16 | 17 | # Run Hello World with Gramine 18 | 19 | Without SGX: 20 | ```sh 21 | gramine-direct helloworld 22 | ``` 23 | 24 | With SGX: 25 | ```sh 26 | gramine-sgx helloworld 27 | ``` 28 | -------------------------------------------------------------------------------- /CI-Examples/helloworld/helloworld.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2023 Gramine contributors 2 | * SPDX-License-Identifier: BSD-3-Clause */ 3 | 4 | #include 5 | 6 | int main(void) { 7 | printf("Hello, world\n"); 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /CI-Examples/helloworld/helloworld.manifest.template: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2023 Gramine contributors 2 | # SPDX-License-Identifier: BSD-3-Clause 3 | 4 | # Hello World manifest file example 5 | 6 | libos.entrypoint = "/helloworld" 7 | loader.log_level = "{{ log_level }}" 8 | 9 | loader.env.LD_LIBRARY_PATH = "/lib" 10 | 11 | fs.mounts = [ 12 | { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" }, 13 | { path = "/helloworld", uri = "file:helloworld" }, 14 | ] 15 | 16 | sgx.debug = true 17 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 18 | 19 | sgx.trusted_files = [ 20 | "file:helloworld", 21 | "file:{{ gramine.runtimedir() }}/", 22 | ] 23 | -------------------------------------------------------------------------------- /CI-Examples/lighttpd/.gitignore: -------------------------------------------------------------------------------- 1 | /*.conf 2 | !/lighttpd-generic.conf 3 | /*.tar.gz 4 | /install/ 5 | /lighttpd-*/ 6 | /lighttpd.conf 7 | /OUTPUT 8 | /result-* 9 | -------------------------------------------------------------------------------- /CI-Examples/memcached/.gitignore: -------------------------------------------------------------------------------- 1 | /.lck 2 | /memcached 3 | /memcached.tar.gz 4 | /src 5 | -------------------------------------------------------------------------------- /CI-Examples/nginx/.gitignore: -------------------------------------------------------------------------------- 1 | *.tar.gz 2 | /install/* 3 | /nginx-*/* 4 | /nginx_args 5 | /OUTPUT 6 | /result-* 7 | /ssl/ca.* 8 | /ssl/server.* 9 | -------------------------------------------------------------------------------- /CI-Examples/nginx/ssl/ca_config.conf: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2023 Gramine contributors 2 | # SPDX-License-Identifier: BSD-3-Clause 3 | 4 | [ req ] 5 | default_bits = 4096 6 | default_md = sha512 7 | default_keyfile = example.com.key 8 | prompt = no 9 | encrypt_key = no 10 | distinguished_name = req_distinguished_name 11 | 12 | [ req_distinguished_name ] 13 | countryName = "XX" # C= 14 | localityName = "XXXXX" # L= 15 | organizationName = "My Company" # O= 16 | organizationalUnitName = "Department" # OU= 17 | commonName = "*.example.com" # CN= 18 | emailAddress = "me@example.com" # email 19 | 20 | -------------------------------------------------------------------------------- /CI-Examples/python/.gitignore: -------------------------------------------------------------------------------- 1 | /OUTPUT 2 | /OUTPUT1 3 | /OUTPUT2 4 | /server.PID 5 | /TEST_STDERR 6 | /TEST_STDOUT 7 | -------------------------------------------------------------------------------- /CI-Examples/python/helper-files/hosts: -------------------------------------------------------------------------------- 1 | 127.0.0.1 localhost 2 | 3 | # The following lines are desirable for IPv6 capable hosts 4 | ::1 ip6-localhost ip6-loopback 5 | fe00::0 ip6-localnet 6 | ff00::0 ip6-mcastprefix 7 | ff02::1 ip6-allnodes 8 | ff02::2 ip6-allrouters 9 | -------------------------------------------------------------------------------- /CI-Examples/python/scripts/helloworld.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Copyright (C) 2023 Gramine contributors 4 | # SPDX-License-Identifier: BSD-3-Clause 5 | 6 | print("Hello World") 7 | -------------------------------------------------------------------------------- /CI-Examples/python/scripts/test-http.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Copyright (C) 2023 Gramine contributors 4 | # SPDX-License-Identifier: BSD-3-Clause 5 | 6 | import sys 7 | import urllib.request 8 | 9 | request = urllib.request.Request("http://" + sys.argv[1] + ":" + sys.argv[2] + "/index.html") 10 | opener = urllib.request.build_opener() 11 | response = opener.open(request, timeout=10) 12 | while True: 13 | data = response.read(1024) 14 | if data: 15 | print(data.decode()) 16 | else: 17 | break 18 | -------------------------------------------------------------------------------- /CI-Examples/python/scripts/test-numpy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Copyright (C) 2023 Gramine contributors 4 | # SPDX-License-Identifier: BSD-3-Clause 5 | 6 | import timeit 7 | 8 | import numpy 9 | 10 | try: 11 | import numpy.core._dotblas 12 | except ImportError: 13 | pass 14 | 15 | print("numpy version: " + numpy.__version__) 16 | 17 | x = numpy.random.random((1000, 1000)) 18 | 19 | setup = "import numpy; x = numpy.random.random((1000, 1000))" 20 | count = 5 21 | 22 | t = timeit.Timer("numpy.dot(x, x.T)", setup=setup) 23 | print("numpy.dot: " + str(t.timeit(count)/count) + " sec") 24 | -------------------------------------------------------------------------------- /CI-Examples/python/scripts/test-scipy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Copyright (C) 2023 Gramine contributors 4 | # SPDX-License-Identifier: BSD-3-Clause 5 | 6 | import timeit 7 | 8 | setup = """\ 9 | import numpy 10 | import scipy.linalg as linalg 11 | x = numpy.random.random((100,100)) 12 | z = numpy.dot(x, x.T) 13 | """ 14 | count = 5 15 | 16 | t = timeit.Timer("linalg.cholesky(z, lower=True)", setup=setup) 17 | print("linalg.cholesky: " + str(t.timeit(count)/count) + "sec") 18 | 19 | t = timeit.Timer("linalg.svd(z)", setup=setup) 20 | print("linalg.svd: " + str(t.timeit(count)/count) + "sec") 21 | -------------------------------------------------------------------------------- /CI-Examples/ra-tls-mbedtls/.gitignore: -------------------------------------------------------------------------------- 1 | /*.tar.gz 2 | /OUTPUT 3 | /client 4 | /mbedtls 5 | /server 6 | /ssl/ca.* 7 | /ssl/server.* 8 | -------------------------------------------------------------------------------- /CI-Examples/ra-tls-mbedtls/ssl/ca_config.conf: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2023 Gramine contributors 2 | # SPDX-License-Identifier: BSD-3-Clause 3 | 4 | [ req ] 5 | default_bits = 4096 6 | default_md = sha512 7 | default_keyfile = example.com.key 8 | prompt = no 9 | encrypt_key = no 10 | distinguished_name = req_distinguished_name 11 | 12 | [ req_distinguished_name ] 13 | countryName = "XX" # C= 14 | localityName = "XXXXX" # L= 15 | organizationName = "My Company" # O= 16 | organizationalUnitName = "Department" # OU= 17 | commonName = "localhost" # CN= 18 | emailAddress = "me@example.com" # email 19 | -------------------------------------------------------------------------------- /CI-Examples/ra-tls-nginx/html/index.html: -------------------------------------------------------------------------------- 1 | 2 | hello, world 3 |

hello, world

4 | -------------------------------------------------------------------------------- /CI-Examples/ra-tls-nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2023 Gramine contributors 2 | # SPDX-License-Identifier: BSD-3-Clause 3 | 4 | error_log stderr warn; 5 | pid /tmp/nginx.pid; 6 | daemon off; 7 | 8 | events {} 9 | 10 | http { 11 | sendfile off; 12 | default_type application/octet-stream; 13 | access_log off; 14 | gzip on; 15 | 16 | client_body_temp_path /tmp/nginx/body; 17 | fastcgi_temp_path /tmp/nginx/fastcgi; 18 | proxy_temp_path /tmp/nginx/proxy; 19 | scgi_temp_path /tmp/nginx/scgi; 20 | uwsgi_temp_path /tmp/nginx/uwsgi; 21 | 22 | server { 23 | listen 8000 ssl; 24 | 25 | ssl_certificate /tmp/crt.pem; 26 | ssl_certificate_key /tmp/key.pem; 27 | root /srv/www/html; 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /CI-Examples/ra-tls-nginx/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Copyright (C) 2023 Gramine contributors 4 | # SPDX-License-Identifier: BSD-3-Clause 5 | 6 | set -e 7 | 8 | gramine-sgx nginx & 9 | pid=$! 10 | 11 | ../../scripts/wait_for_server 60 localhost 8000 12 | 13 | test "$(curl --insecure -s https://localhost:8000/)" = "$(cat html/index.html)" 14 | ret=$? 15 | 16 | kill $pid 17 | wait $pid 18 | 19 | if test $ret -eq 0 20 | then 21 | echo OK 22 | else 23 | echo FAIL 24 | fi 25 | 26 | exit $ret 27 | -------------------------------------------------------------------------------- /CI-Examples/ra-tls-secret-prov/.gitignore: -------------------------------------------------------------------------------- 1 | /OUTPUT 2 | /secret_prov/client 3 | /secret_prov/server_epid 4 | /secret_prov/server_dcap 5 | /secret_prov_minimal/client 6 | /secret_prov_minimal/server_epid 7 | /secret_prov_minimal/server_dcap 8 | /secret_prov_pf/client 9 | /secret_prov_pf/server_epid 10 | /secret_prov_pf/server_dcap 11 | /secret_prov_pf/wrap_key 12 | /secret_prov_pf/enc_files/input.txt 13 | 14 | /ssl/ca.* 15 | /ssl/server.* 16 | -------------------------------------------------------------------------------- /CI-Examples/ra-tls-secret-prov/helper-files/hosts: -------------------------------------------------------------------------------- 1 | 127.0.0.1 localhost 2 | 3 | # The following lines are desirable for IPv6 capable hosts 4 | ::1 ip6-localhost ip6-loopback 5 | fe00::0 ip6-localnet 6 | ff00::0 ip6-mcastprefix 7 | ff02::1 ip6-allnodes 8 | ff02::2 ip6-allrouters 9 | -------------------------------------------------------------------------------- /CI-Examples/ra-tls-secret-prov/secret_prov_minimal/client.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2023 Gramine contributors 2 | * SPDX-License-Identifier: BSD-3-Clause */ 3 | 4 | #include 5 | #include 6 | 7 | int main(void) { 8 | char* secret = getenv("SECRET_PROVISION_SECRET_STRING"); 9 | if (secret) 10 | printf("--- Received secret = '%s' ---\n", secret); 11 | else 12 | printf("--- Did not receive any secret! ---\n"); 13 | 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /CI-Examples/ra-tls-secret-prov/secret_prov_minimal/server.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2023 Gramine contributors 2 | * SPDX-License-Identifier: BSD-3-Clause */ 3 | 4 | #include 5 | 6 | #include "secret_prov.h" 7 | 8 | #define PORT "4433" 9 | #define SRV_CRT_PATH "../ssl/server.crt" 10 | #define SRV_KEY_PATH "../ssl/server.key" 11 | 12 | int main(void) { 13 | uint8_t secret[] = "A_SIMPLE_SECRET"; 14 | puts("--- Starting the Secret Provisioning server on port " PORT " ---"); 15 | int ret = secret_provision_start_server(secret, sizeof(secret), 16 | PORT, SRV_CRT_PATH, SRV_KEY_PATH, 17 | NULL, NULL); 18 | if (ret < 0) { 19 | fprintf(stderr, "[error] secret_provision_start_server() returned %d\n", ret); 20 | return 1; 21 | } 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /CI-Examples/ra-tls-secret-prov/secret_prov_pf/enc_files/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gramineproject/gramine-tdx/b6e97234ec8afce4a5fb6ce94aeea6869a3bb82e/CI-Examples/ra-tls-secret-prov/secret_prov_pf/enc_files/.gitkeep -------------------------------------------------------------------------------- /CI-Examples/ra-tls-secret-prov/secret_prov_pf/plain_files/input.txt: -------------------------------------------------------------------------------- 1 | helloworld -------------------------------------------------------------------------------- /CI-Examples/ra-tls-secret-prov/ssl/ca_config.conf: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2023 Gramine contributors 2 | # SPDX-License-Identifier: BSD-3-Clause 3 | 4 | [ req ] 5 | default_bits = 4096 6 | default_md = sha512 7 | default_keyfile = example.com.key 8 | prompt = no 9 | encrypt_key = no 10 | distinguished_name = req_distinguished_name 11 | 12 | [ req_distinguished_name ] 13 | countryName = "XX" # C= 14 | localityName = "XXXXX" # L= 15 | organizationName = "My Company" # O= 16 | organizationalUnitName = "Department" # OU= 17 | commonName = "localhost" # CN= 18 | emailAddress = "me@example.com" # email 19 | -------------------------------------------------------------------------------- /CI-Examples/redis/.gitignore: -------------------------------------------------------------------------------- 1 | /redis.tar.gz 2 | /redis-server 3 | /src 4 | -------------------------------------------------------------------------------- /CI-Examples/rust/.cargo/config.toml: -------------------------------------------------------------------------------- 1 | # Emit the .d file with paths relative to the project directory, so that Make 2 | # understands that they refer to the same target that we wrote in the Makefile. 3 | build.dep-info-basedir = "." 4 | -------------------------------------------------------------------------------- /CI-Examples/rust/.gitignore: -------------------------------------------------------------------------------- 1 | /target 2 | /OUTPUT 3 | /result-* 4 | /Cargo.lock 5 | -------------------------------------------------------------------------------- /CI-Examples/rust/Cargo.toml: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2023 Gramine contributors 2 | # SPDX-License-Identifier: BSD-3-Clause 3 | 4 | [package] 5 | name = "rust-hyper-http-server" 6 | version = "0.1.0" 7 | edition = "2021" 8 | 9 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 10 | 11 | [dependencies] 12 | hyper = { version = "0.14", features = ["full"] } 13 | tokio = { version = "1", features = ["full"] } 14 | -------------------------------------------------------------------------------- /CI-Examples/sqlite/.gitignore: -------------------------------------------------------------------------------- 1 | /OUTPUT 2 | /db/* 3 | !/db/.gitkeep 4 | -------------------------------------------------------------------------------- /CI-Examples/sqlite/db/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gramineproject/gramine-tdx/b6e97234ec8afce4a5fb6ce94aeea6869a3bb82e/CI-Examples/sqlite/db/.gitkeep -------------------------------------------------------------------------------- /CI-Examples/sqlite/scripts/create.sql: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2023 Gramine contributors 2 | * SPDX-License-Identifier: BSD-3-Clause */ 3 | 4 | DROP TABLE IF EXISTS tab; 5 | 6 | CREATE TABLE tab ( 7 | id INTEGER, 8 | str TEXT 9 | ); 10 | 11 | INSERT INTO tab (id, str) VALUES (1, ''), (2, ''), (3, ''), (4, ''); 12 | -------------------------------------------------------------------------------- /CI-Examples/sqlite/scripts/select.sql: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2023 Gramine contributors 2 | * SPDX-License-Identifier: BSD-3-Clause */ 3 | 4 | SELECT id, str FROM tab ORDER BY id DESC; 5 | -------------------------------------------------------------------------------- /CI-Examples/sqlite/scripts/select.txt: -------------------------------------------------------------------------------- 1 | 4|row 4 2 | 3|row 3 3 | 2|row 2 4 | 1|row 1 5 | -------------------------------------------------------------------------------- /CI-Examples/sqlite/scripts/update.sql: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2023 Gramine contributors 2 | * SPDX-License-Identifier: BSD-3-Clause */ 3 | 4 | UPDATE tab SET str = 'row ' || id; 5 | -------------------------------------------------------------------------------- /Documentation/.gitignore: -------------------------------------------------------------------------------- 1 | _build 2 | -------------------------------------------------------------------------------- /Documentation/Doxyfile: -------------------------------------------------------------------------------- 1 | # This is a common Doxyfile, actual listings are built from Doxyfile-* 2 | 3 | GENERATE_XML = YES 4 | XML_PROGRAMLISTING = NO 5 | XML_OUTPUT = xml 6 | 7 | GENERATE_HTML = NO 8 | GENERATE_LATEX = NO 9 | 10 | WARN_NO_PARAMDOC = YES 11 | WARN_AS_ERROR = NO 12 | OPTIMIZE_OUTPUT_FOR_C = YES 13 | EXTRACT_STATIC = YES 14 | 15 | ALIASES = "rst=\verbatim embed:rst:leading-asterisk" 16 | ALIASES += "endrst=\endverbatim" 17 | -------------------------------------------------------------------------------- /Documentation/Doxyfile-libos: -------------------------------------------------------------------------------- 1 | @INCLUDE = Doxyfile 2 | PROJECT_NAME = "LibOS" 3 | OUTPUT_DIRECTORY = _build/doxygen-libos 4 | INPUT = \ 5 | ../libos/include \ 6 | ../libos/src 7 | -------------------------------------------------------------------------------- /Documentation/Doxyfile-pal: -------------------------------------------------------------------------------- 1 | @INCLUDE = Doxyfile 2 | PROJECT_NAME = "PAL" 3 | OUTPUT_DIRECTORY = _build/doxygen-pal 4 | INPUT = ../pal/include/arch/x86_64 ../pal/include/pal ../pal/include ../common/include/iovec.h 5 | MACRO_EXPANSION = YES 6 | EXPAND_ONLY_PREDEF = YES 7 | PREDEFINED = noreturn= __x86_64__=1 8 | -------------------------------------------------------------------------------- /Documentation/Doxyfile-pal-linux: -------------------------------------------------------------------------------- 1 | @INCLUDE = Doxyfile 2 | PROJECT_NAME = "PAL Linux" 3 | OUTPUT_DIRECTORY = _build/doxygen-pal-linux 4 | INPUT = ../pal/src/host/linux 5 | -------------------------------------------------------------------------------- /Documentation/Doxyfile-pal-linux-sgx: -------------------------------------------------------------------------------- 1 | @INCLUDE = Doxyfile 2 | PROJECT_NAME = "PAL Linux-SGX" 3 | OUTPUT_DIRECTORY = _build/doxygen-pal-linux-sgx 4 | INPUT = ../pal/src/host/linux-sgx 5 | -------------------------------------------------------------------------------- /Documentation/Makefile: -------------------------------------------------------------------------------- 1 | # Minimal makefile for Sphinx documentation 2 | # 3 | 4 | # You can set these variables from the command line. 5 | SPHINXOPTS = 6 | SPHINXBUILD = sphinx-build 7 | SOURCEDIR = . 8 | BUILDDIR = _build 9 | 10 | # Put it first so that "make" without argument is like "make help". 11 | help: 12 | @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) 13 | 14 | clean: 15 | $(RM) -r "$(BUILDDIR)" 16 | 17 | .PHONY: help Makefile Doxyfile clean 18 | 19 | # Catch-all target: route all unknown targets to Sphinx using the new 20 | # "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). 21 | %: Makefile 22 | @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) 23 | -------------------------------------------------------------------------------- /Documentation/_static/css/gramine.css: -------------------------------------------------------------------------------- 1 | .rst-content dl:not(.docutils)>dt { 2 | font-family: SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",Courier,monospace; 3 | } 4 | 5 | /* adds scrollbar to sidenav */ 6 | .wy-side-scroll { 7 | width: auto; 8 | overflow-y: auto; 9 | } 10 | -------------------------------------------------------------------------------- /Documentation/_templates/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gramineproject/gramine-tdx/b6e97234ec8afce4a5fb6ce94aeea6869a3bb82e/Documentation/_templates/.gitignore -------------------------------------------------------------------------------- /Documentation/_templates/layout.html: -------------------------------------------------------------------------------- 1 | {% extends '!layout.html' %} 2 | {% block document %} 3 | {% if READTHEDOCS and current_version == 'latest' %} 4 |
5 |

Caution

6 |

7 | This is documentation for the development version of the project, aka 8 | master branch. If you installed Gramine from packages, documentation 9 | for the stable version is available at 10 | https://gramine.readthedocs.io/en/stable/. 11 |

12 |
13 | {% endif %} 14 | {{ super() }} 15 | {% endblock %} 16 | -------------------------------------------------------------------------------- /Documentation/devel/DCO/index.rst: -------------------------------------------------------------------------------- 1 | .. include:: ../../../DCO 2 | -------------------------------------------------------------------------------- /Documentation/devel/charter.rst: -------------------------------------------------------------------------------- 1 | .. include:: ../../CHARTER.rst 2 | -------------------------------------------------------------------------------- /Documentation/devel/contributing.rst: -------------------------------------------------------------------------------- 1 | .. include:: ../../CONTRIBUTING.rst 2 | -------------------------------------------------------------------------------- /Documentation/gsc-installation.rst: -------------------------------------------------------------------------------- 1 | Gramine Shielded Containers 2 | =========================== 3 | 4 | The Gramine Shielded Containers (GSC) tool transforms a base Docker image into a 5 | new, "graminized" image which includes the Gramine Library OS and the 6 | Gramine-specific app configuration. It uses Gramine to execute the application 7 | inside an Intel SGX enclave. 8 | 9 | At first a base Docker image has to be graminized via the ``gsc build`` command. 10 | In a second step, the image must be signed via a ``gsc sign-image`` command. 11 | Subsequently, the image can be run using ``docker run``. 12 | 13 | Note that the GSC tool is split from core Gramine and is hosted here: 14 | 15 | - https://github.com/gramineproject/gsc -- GitHub repository, 16 | - https://gramine.readthedocs.io/projects/gsc -- documentation. 17 | -------------------------------------------------------------------------------- /Documentation/libos/libos-init.rst: -------------------------------------------------------------------------------- 1 | LibOS documentation 2 | =================== 3 | 4 | .. note:: 5 | 6 | This file is more like a |~| stub, not yet a |~| real documentation. 7 | 8 | There is a |~| random function: 9 | 10 | .. doxygenfunction:: event_wait_with_retry 11 | :project: libos 12 | -------------------------------------------------------------------------------- /Documentation/manpages/index.rst: -------------------------------------------------------------------------------- 1 | Manual pages 2 | ============ 3 | 4 | The following man pages are available: 5 | 6 | .. toctree:: 7 | :maxdepth: 1 8 | :glob: 9 | 10 | * 11 | -------------------------------------------------------------------------------- /Documentation/requirements.txt: -------------------------------------------------------------------------------- 1 | # 2 | # keep versions synced with version in Debian stable 3 | # 4 | 5 | # https://tracker.debian.org/pkg/sphinx 6 | sphinx==5.3.* 7 | 8 | # https://tracker.debian.org/pkg/myst-parser 9 | myst-parser==0.18.* 10 | 11 | # https://tracker.debian.org/pkg/sphinx-rtd-theme 12 | sphinx_rtd_theme==1.2.* 13 | 14 | # https://tracker.debian.org/pkg/breathe 15 | breathe==4.34.* 16 | 17 | # https://tracker.debian.org/pkg/python-tomli 18 | tomli==2.0.* 19 | 20 | # https://tracker.debian.org/pkg/python-tomli-w 21 | tomli-w==1.0.* 22 | 23 | # https://tracker.debian.org/pkg/voluptuous 24 | voluptuous==0.12.* 25 | -------------------------------------------------------------------------------- /Documentation/tutorials-index.rst: -------------------------------------------------------------------------------- 1 | Tutorials 2 | ========= 3 | 4 | .. toctree:: 5 | :maxdepth: 1 6 | 7 | tutorials/pytorch/index.rst 8 | tutorials/cczoo/index.rst 9 | -------------------------------------------------------------------------------- /LICENSE.addendum.txt: -------------------------------------------------------------------------------- 1 | Gramine itself is licensed under the LGPL-3.0-or-later. 2 | 3 | Examples (the `CI-Examples` subdirectory) are licensed under BSD-3-Clause, 4 | except for several C files. See each file for its license. 5 | 6 | Gramine also includes the following third party sources (and licenses): 7 | * cJSON - MIT 8 | * curl/libcurl - MIT derivative 9 | * GCC/libgomp (built only optionally and not included by default) - GPL v3.0 10 | * Mbed TLS - Apache 2.0 11 | * Ninja (python/graminelibos/ninja_syntax.py) - Apache 2.0 12 | * tomlc99 - MIT 13 | * uthash - BSD revised 14 | 15 | A number of files taken from other C libraries: 16 | * glibc - LGPL 17 | ** pal/include/elf/elf.h 18 | ** pal/include/arch/x86_64/linux/ - whole directory - for signal API definitions 19 | ** We also build a patched glibc 20 | 21 | * musl - MIT 22 | ** common/src/string/strspn.c 23 | ** common/src/string/ctype.c 24 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Reporting Security Issues 2 | 3 | Please report security issues to security@gramineproject.io. 4 | 5 | Please note that the Gramine team analyzes security bugs only on the current 6 | `master` branch. This implies that you must reproduce the bug on master before 7 | reporting. 8 | 9 | The Gramine team will send a response indicating the next steps in handling your 10 | report. After the initial reply to your report, the security team will keep you 11 | informed of the progress towards a fix and full announcement, and may ask for 12 | additional information or guidance. 13 | 14 | If the bug report is correct, we will acknowledge your contributions by 15 | specifying your name in the commit message. Please provide the preferred 16 | name/nick to put there. 17 | -------------------------------------------------------------------------------- /common/include/init.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2021 Intel Corporation 3 | * Paweł Marczewski 4 | */ 5 | 6 | #pragma once 7 | 8 | /* 9 | * Call the constructors specified in `.init_array`. Should be called during initialization. 10 | * 11 | * NOTE: Glibc handles `.init_array` by itself, so normal executables compiled against Glibc (e.g. 12 | * Linux-SGX untrusted runtime) should not call this. 13 | */ 14 | void call_init_array(void); 15 | -------------------------------------------------------------------------------- /common/include/iovec.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2022 Intel Corporation 3 | * Borys Popławski 4 | */ 5 | 6 | #pragma once 7 | 8 | struct iovec { 9 | void* iov_base; 10 | size_t iov_len; 11 | }; 12 | -------------------------------------------------------------------------------- /common/include/linux_eventfd.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #define EFD_SEMAPHORE (1 << 0) 6 | #define EFD_CLOEXEC O_CLOEXEC 7 | #define EFD_NONBLOCK O_NONBLOCK 8 | -------------------------------------------------------------------------------- /common/include/meson.build: -------------------------------------------------------------------------------- 1 | common_inc = [ 2 | include_directories( 3 | '.', 4 | 'arch' / host_machine.cpu_family(), 5 | ), 6 | ] 7 | -------------------------------------------------------------------------------- /common/include/nodiscard.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2024 Intel Corporation 3 | * Mariusz Zaborski 4 | */ 5 | 6 | /* 7 | * This file contains a definition for NODISCARD, a macro that wraps 8 | * the nodiscard attribute introduced in C23. However, because Gramine supports 9 | * older systems that might not have support for C23, we have to wrap it on our 10 | * own and change it to a no-op on systems that don't support it. 11 | * TODO: Remove the macros and use [[nodiscard]] directly, after dropping *EL8 12 | * and Ubuntu 20.04 support. 13 | */ 14 | 15 | #pragma once 16 | 17 | #if defined(__has_c_attribute) 18 | #if __has_c_attribute(nodiscard) 19 | #define NODISCARD [[nodiscard]] 20 | #endif 21 | #endif 22 | 23 | #ifndef NODISCARD 24 | #define NODISCARD 25 | #endif 26 | -------------------------------------------------------------------------------- /common/include/path_utils.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | #pragma once 5 | 6 | #include 7 | #include 8 | 9 | bool get_norm_path(const char* path, char* buf, size_t* inout_size); 10 | 11 | bool get_base_name(const char* path, char* buf, size_t* inout_size); 12 | 13 | bool is_dot_or_dotdot(const char* name); 14 | -------------------------------------------------------------------------------- /common/include/unix_error.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2022 Intel Corporation 3 | * Mariusz Zaborski 4 | */ 5 | 6 | #pragma once 7 | 8 | /* err - value of error code, either positive or negative */ 9 | const char* unix_strerror(int err); 10 | -------------------------------------------------------------------------------- /common/meson.build: -------------------------------------------------------------------------------- 1 | subdir('include') 2 | subdir('src') 3 | 4 | if sgx 5 | subdir('proto') 6 | endif 7 | -------------------------------------------------------------------------------- /common/src/arch/meson.build: -------------------------------------------------------------------------------- 1 | subdir(host_machine.cpu_family()) 2 | -------------------------------------------------------------------------------- /common/src/arch/x86_64/meson.build: -------------------------------------------------------------------------------- 1 | common_src_arch_nasm = nasm_gen.process( 2 | 'ct_memequal.nasm', 3 | ) 4 | 5 | common_src_arch_c = files( 6 | 'cpu.c', 7 | ) 8 | 9 | common_src_arch = [ 10 | common_src_arch_nasm, 11 | common_src_arch_c, 12 | ] 13 | -------------------------------------------------------------------------------- /common/src/arch/x86_64/no_exec_stack.nasm: -------------------------------------------------------------------------------- 1 | section .note.GNU-stack noalloc noexec write 2 | -------------------------------------------------------------------------------- /common/src/init.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2021 Intel Corporation 3 | * Paweł Marczewski 4 | */ 5 | 6 | #include "init.h" 7 | 8 | /* 9 | * Helper symbols for accessing the `.init_array` section at run time. These are part of default 10 | * linker script (you can see it by running `ld --verbose`) as well as our custom linker scripts. 11 | * 12 | * NOTE: We rely on the fact that each ELF object (PAL, LibOS) contains its own copy of this module, 13 | * referring to `__init_array_start` and `__init_array_end` in that object. 14 | */ 15 | extern void (*__init_array_start)(void); 16 | extern void (*__init_array_end)(void); 17 | 18 | void call_init_array(void) { 19 | void (**func)(void); 20 | for (func = &__init_array_start; func < &__init_array_end; func++) { 21 | (*func)(); 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /common/src/ioctls/meson.build: -------------------------------------------------------------------------------- 1 | ioctls_inc = [ 2 | include_directories('.'), 3 | common_inc, 4 | ] 5 | 6 | ioctls_dep = declare_dependency( 7 | sources: [ 8 | 'ioctls.c', 9 | 'ioctls.h', 10 | ], 11 | include_directories: ioctls_inc, 12 | ) 13 | -------------------------------------------------------------------------------- /common/src/location.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2021 Intel Corporation 3 | * Paweł Marczewski 4 | */ 5 | 6 | #include "api.h" 7 | #include "callbacks.h" 8 | 9 | void default_describe_location(uintptr_t addr, char* buf, size_t buf_size) { 10 | snprintf(buf, buf_size, "0x%lx", addr); 11 | } 12 | 13 | void describe_location(uintptr_t addr, char* buf, size_t buf_size) 14 | __attribute__((weak, alias("default_describe_location"))); 15 | -------------------------------------------------------------------------------- /common/src/protected_files/meson.build: -------------------------------------------------------------------------------- 1 | protected_files_inc = [ 2 | include_directories('.'), 3 | common_inc, 4 | ] 5 | 6 | protected_files_dep = declare_dependency( 7 | sources: [ 8 | 'lru_cache.c', 9 | 'protected_files.c', 10 | 11 | 'lru_cache.h', 12 | 'protected_files_format.h', 13 | 'protected_files.h', 14 | 'protected_files_internal.h', 15 | ], 16 | 17 | include_directories: protected_files_inc, 18 | 19 | dependencies: [ 20 | uthash_dep, 21 | ] 22 | ) 23 | -------------------------------------------------------------------------------- /common/src/stack_protector.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2021 Intel Corporation 3 | * Borys Popławski 4 | */ 5 | 6 | #include 7 | 8 | #include "callbacks.h" 9 | #include "log.h" 10 | 11 | /* declare here to silence GCC's "error: no previous prototype" */ 12 | noreturn void __stack_chk_fail(void); 13 | 14 | noreturn void __stack_chk_fail(void) { 15 | log_always("Stack protector: Gramine internal stack corruption detected"); 16 | abort(); 17 | } 18 | -------------------------------------------------------------------------------- /common/src/string/ctype.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: MIT */ 2 | /* Adapted from musl v1.2.1. Copyright © 2005-2020 Rich Felker, et al. */ 3 | 4 | #include "api.h" 5 | 6 | int islower(int c) { 7 | return (unsigned)c - 'a' < 26; 8 | } 9 | 10 | int isupper(int c) { 11 | return (unsigned)c - 'A' < 26; 12 | } 13 | 14 | int tolower(int c) { 15 | if (isupper(c)) 16 | return c | 32; 17 | return c; 18 | } 19 | 20 | int toupper(int c) { 21 | if (islower(c)) 22 | return c & 0x5f; 23 | return c; 24 | } 25 | 26 | int isalpha(int c) { 27 | return ((unsigned)c | 32) - 'a' < 26; 28 | } 29 | 30 | int isdigit(int c) { 31 | return (unsigned)c - '0' < 10; 32 | } 33 | 34 | int isxdigit(int c) { 35 | return isdigit(c) || (unsigned)tolower(c) - 'a' < 6; 36 | } 37 | 38 | int isalnum(int c) { 39 | return isalpha(c) || isdigit(c); 40 | } 41 | -------------------------------------------------------------------------------- /common/src/string/memcmp.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #include "api.h" 4 | 5 | #ifndef ASAN 6 | __attribute__((alias("_real_memcmp"))) 7 | int memcmp(const void*, const void*, size_t); 8 | #endif 9 | 10 | __attribute_no_sanitize_address 11 | int _real_memcmp(const void* lhs, const void* rhs, size_t count) { 12 | const unsigned char* l = lhs; 13 | const unsigned char* r = rhs; 14 | while (count && *l == *r) { 15 | count--; 16 | l++; 17 | r++; 18 | } 19 | return count ? *l - *r : 0; 20 | } 21 | -------------------------------------------------------------------------------- /common/src/string/strchr.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2021 Intel Corporation 3 | * Paweł Marczewski 4 | */ 5 | 6 | #include "api.h" 7 | 8 | char* strchr(const char* s, int c) { 9 | while (true) { 10 | if (*s == c) 11 | return (char*)s; 12 | if (*s == '\0') 13 | return NULL; 14 | s++; 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /common/src/string/strcmp.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #include "api.h" 4 | 5 | int strcmp(const char* lhs, const char* rhs) { 6 | while (*lhs == *rhs && *lhs) { 7 | lhs++; 8 | rhs++; 9 | } 10 | return *(unsigned char*)lhs - *(unsigned char*)rhs; 11 | } 12 | 13 | int strncmp(const char* lhs, const char* rhs, size_t maxlen) { 14 | if (!maxlen) 15 | return 0; 16 | 17 | maxlen--; 18 | while (*lhs == *rhs && *lhs && maxlen) { 19 | lhs++; 20 | rhs++; 21 | maxlen--; 22 | } 23 | return *(unsigned char*)lhs - *(unsigned char*)rhs; 24 | } 25 | -------------------------------------------------------------------------------- /common/src/string/strlen.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2021 Intel Corporation 3 | * Paweł Marczewski 4 | */ 5 | 6 | #include "api.h" 7 | 8 | size_t strnlen(const char* str, size_t maxlen) { 9 | size_t len; 10 | for (len = 0; len < maxlen && str[len] != '\0'; len++) 11 | ; 12 | return len; 13 | } 14 | 15 | size_t strlen(const char* str) { 16 | size_t len; 17 | for (len = 0; str[len] != '\0'; len++) 18 | ; 19 | return len; 20 | } 21 | -------------------------------------------------------------------------------- /common/src/string/strspn.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: MIT */ 2 | /* Adapted from musl v1.2.1. Copyright © 2005-2020 Rich Felker, et al. */ 3 | 4 | #include "api.h" 5 | 6 | #define BITOP(a,b,op) \ 7 | ((a)[(size_t)(b)/(8*sizeof *(a))] op (size_t)1<<((size_t)(b)%(8*sizeof *(a)))) 8 | 9 | size_t strspn(const char* s, const char* c) { 10 | const char* a = s; 11 | size_t byteset[32/sizeof(size_t)] = { 0 }; 12 | 13 | if (!c[0]) 14 | return 0; 15 | 16 | if (!c[1]) { 17 | for (; *s == *c; s++); 18 | return s - a; 19 | } 20 | 21 | for (; *c && BITOP(byteset, *(unsigned char*)c, |=); c++); 22 | for (; *s && BITOP(byteset, *(unsigned char*)s, &); s++); 23 | return s - a; 24 | } 25 | -------------------------------------------------------------------------------- /common/src/string/strstr.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #include "api.h" 4 | 5 | char* strstr(const char* haystack, const char* needle) { 6 | size_t h_len = strlen(haystack); 7 | size_t n_len = strlen(needle); 8 | unsigned int o = 0; 9 | 10 | if (n_len == 0) 11 | /* this is pretty bad, but it's done to mimic strstr's signature from libc */ 12 | return (char*)haystack; 13 | 14 | if (h_len < n_len) 15 | return NULL; 16 | 17 | while (o <= h_len - n_len) { 18 | size_t i = 0; 19 | while (i < n_len && haystack[o + i] == needle[i]) 20 | i++; 21 | if (i == n_len) 22 | return (char*)&haystack[o]; 23 | o++; 24 | } 25 | return NULL; 26 | } 27 | -------------------------------------------------------------------------------- /debian/.gitignore: -------------------------------------------------------------------------------- 1 | /*.debhelper.log 2 | /*.substvars 3 | /.debhelper 4 | /build* 5 | /debhelper-build-stamp 6 | /files 7 | /gramine 8 | /gramine-ratls-dcap 9 | /gramine-ratls-epid 10 | /tmp 11 | -------------------------------------------------------------------------------- /debian/get-linux-src-path.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | dir=$(dpkg-query -W linux-headers-\*-common | while read name version 6 | do 7 | test -n "$version" || continue 8 | dpkg --compare-versions "$version" '>=' '5.11' || continue 9 | 10 | # sanity check: if directory does not exist, break here and not in meson 11 | dir=/usr/src/"$name" 12 | test -d "$dir" || exit 2 13 | 14 | printf %s\\n "$dir" 15 | break 16 | done) 17 | 18 | test -n "$dir" || exit 1 19 | printf %s\\n "$dir" 20 | -------------------------------------------------------------------------------- /debian/gramine-ratls-dcap.install: -------------------------------------------------------------------------------- 1 | usr/lib/${DEB_HOST_MULTIARCH}/libra_tls_verify_dcap* 2 | usr/lib/${DEB_HOST_MULTIARCH}/libsecret_prov_verify_dcap* 3 | usr/lib/${DEB_HOST_MULTIARCH}/gramine/runtime/glibc/libra_tls_verify_dcap* 4 | usr/lib/${DEB_HOST_MULTIARCH}/gramine/runtime/glibc/libsecret_prov_verify_dcap* 5 | -------------------------------------------------------------------------------- /debian/gramine-ratls-epid.install: -------------------------------------------------------------------------------- 1 | usr/lib/${DEB_HOST_MULTIARCH}/libra_tls_verify_epid* 2 | usr/lib/${DEB_HOST_MULTIARCH}/libsecret_prov_verify_epid* 3 | usr/lib/${DEB_HOST_MULTIARCH}/gramine/runtime/glibc/libra_tls_verify_epid* 4 | usr/lib/${DEB_HOST_MULTIARCH}/gramine/runtime/glibc/libsecret_prov_verify_epid* 5 | -------------------------------------------------------------------------------- /debian/gramine.manpages: -------------------------------------------------------------------------------- 1 | Documentation/_build/man/gramine-direct.1 2 | Documentation/_build/man/gramine-manifest.1 3 | Documentation/_build/man/gramine-ratls.1 4 | Documentation/_build/man/gramine-sgx-get-token.1 5 | Documentation/_build/man/gramine-sgx-ias-request.1 6 | Documentation/_build/man/gramine-sgx-ias-verify-report.1 7 | Documentation/_build/man/gramine-sgx-quote-view.1 8 | Documentation/_build/man/gramine-sgx-sign.1 9 | Documentation/_build/man/gramine-sgx-sigstruct-view.1 10 | Documentation/_build/man/gramine-sgx.1 11 | Documentation/_build/man/is-sgx-available.1 12 | -------------------------------------------------------------------------------- /debian/source/format: -------------------------------------------------------------------------------- 1 | 3.0 (native) 2 | -------------------------------------------------------------------------------- /libos/include/arch/x86_64/libos_cpuid.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2022 Intel Corporation 3 | */ 4 | 5 | /*! 6 | * \brief Get CPU feature flags. 7 | * 8 | * \param[out] out_cpu_flags On success, set to CPU feature flags. 9 | * 10 | * \returns 0 on success, negative on failure. 11 | * 12 | * This function returns a new buffer with CPU feature flags, the caller is responsible to free it 13 | * afterwards. 14 | */ 15 | int libos_get_cpu_flags(char** out_cpu_flags); 16 | -------------------------------------------------------------------------------- /libos/include/arch/x86_64/libos_internal_arch.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #pragma once 4 | 5 | #define LIBOS_ELF_HOST_MACHINE EM_X86_64 6 | -------------------------------------------------------------------------------- /libos/include/arch/x86_64/libos_vdso_arch.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #pragma once 4 | 5 | #define LINUX_VDSO_FILENAME "linux-vdso.so.1" 6 | -------------------------------------------------------------------------------- /libos/include/arch/x86_64/linux_abi/signals_arch.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation 3 | * Michał Kowalczyk 4 | */ 5 | 6 | #pragma once 7 | 8 | /* Types and structures used by various Linux ABIs (e.g. syscalls). */ 9 | /* These need to be binary-identical with the ones used by Linux. */ 10 | 11 | #define SIGS_CNT 64 12 | #define SIGRTMIN 32 13 | 14 | typedef struct { 15 | unsigned long __val[SIGS_CNT / (8 * sizeof(unsigned long))]; 16 | } __sigset_t; 17 | 18 | #define RED_ZONE_SIZE 128 19 | -------------------------------------------------------------------------------- /libos/include/arch/x86_64/linux_abi/types_arch.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation 3 | * Michał Kowalczyk 4 | */ 5 | 6 | #pragma once 7 | 8 | #include 9 | 10 | typedef unsigned int uid_t; 11 | typedef unsigned int gid_t; 12 | typedef int pid_t; 13 | typedef unsigned int mode_t; 14 | typedef long off_t; 15 | typedef long long loff_t; 16 | typedef uint32_t dev_t; 17 | typedef unsigned long ino_t; 18 | typedef int clockid_t; 19 | -------------------------------------------------------------------------------- /libos/include/generated_offsets.c: -------------------------------------------------------------------------------- 1 | #include "generated_offsets_build.h" 2 | #include "libos_internal.h" 3 | #include "libos_tcb.h" 4 | 5 | const char* generated_offsets_name = "LIBOS"; 6 | 7 | const struct generated_offset generated_offsets[] = { 8 | OFFSET_T(LIBOS_TCB_OFF, PAL_TCB, libos_tcb), 9 | OFFSET_T(LIBOS_TCB_LIBOS_STACK_OFF, libos_tcb_t, libos_stack_bottom), 10 | OFFSET_T(LIBOS_TCB_SCRATCH_PC_OFF, libos_tcb_t, syscall_scratch_pc), 11 | 12 | OFFSET_T(PAL_CONTEXT_FPREGS_OFF, struct PAL_CONTEXT, fpregs), 13 | OFFSET_T(PAL_CONTEXT_MXCSR_OFF, struct PAL_CONTEXT, mxcsr), 14 | OFFSET_T(PAL_CONTEXT_FPCW_OFF, struct PAL_CONTEXT, fpcw), 15 | OFFSET_T(PAL_CONTEXT_FPREGS_USED_OFF, struct PAL_CONTEXT, is_fpregs_used), 16 | 17 | DEFINE(LIBOS_XSTATE_ALIGN, LIBOS_XSTATE_ALIGN), 18 | DEFINE(RED_ZONE_SIZE, RED_ZONE_SIZE), 19 | 20 | OFFSET_END, 21 | }; 22 | -------------------------------------------------------------------------------- /libos/include/gramine_hash.h.in: -------------------------------------------------------------------------------- 1 | #define GRAMINE_COMMIT_HASH "@GRAMINE_COMMIT_HASH_MARKER@" 2 | -------------------------------------------------------------------------------- /libos/include/libos_context.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | /* 4 | * This file contains definitions for CPU context. 5 | */ 6 | 7 | #pragma once 8 | 9 | #include 10 | 11 | void libos_xstate_init(void); 12 | uint64_t libos_xstate_size(void); 13 | void libos_xstate_restore(const void* xstate_extended); 14 | -------------------------------------------------------------------------------- /libos/include/libos_defs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "linux_abi/syscalls_nr_arch.h" 4 | 5 | /* Internal LibOS stack size: 7 pages + one guard page normally, 15 pages + one guard page when ASan 6 | * is enabled (stack sanitization causes functions to take up more space). */ 7 | #ifdef ASAN 8 | #define LIBOS_THREAD_LIBOS_STACK_SIZE (15 * PAGE_SIZE + PAGE_SIZE) 9 | #else 10 | #define LIBOS_THREAD_LIBOS_STACK_SIZE (7 * PAGE_SIZE + PAGE_SIZE) 11 | #endif 12 | 13 | #define DEFAULT_BRK_MAX_SIZE (256 * 1024) /* 256KB */ 14 | #define DEFAULT_SYS_STACK_SIZE (256 * 1024) /* 256KB */ 15 | 16 | #define DEFAULT_VMA_COUNT 64 17 | 18 | /* ELF aux vectors */ 19 | #define REQUIRED_ELF_AUXV 14 /* number of LibOS-supported vectors */ 20 | #define REQUIRED_ELF_AUXV_SPACE 16 /* extra memory space (in bytes) */ 21 | 22 | #define LIBOS_SYSCALL_BOUND __NR_syscalls 23 | -------------------------------------------------------------------------------- /libos/include/libos_fs_proc.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University 3 | * Copyright (C) 2022 IBM Corporation 4 | */ 5 | 6 | #pragma once 7 | 8 | #include "pal.h" 9 | 10 | int print_to_str(char** str, size_t off, size_t* size, const char* fmt, ...); 11 | 12 | /* every architecture must implement the following 2 functions */ 13 | int proc_cpuinfo_display_cpu(char** str, size_t* size, size_t* max, 14 | const struct pal_topo_info* topo, 15 | const struct pal_cpu_info* cpu, size_t i, 16 | struct pal_cpu_thread_info* thread); 17 | 18 | int proc_cpuinfo_display_tail(char** str, size_t* size, size_t* max, 19 | const struct pal_cpu_info* cpu); 20 | -------------------------------------------------------------------------------- /libos/include/libos_vdso.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* 3 | * Copyright 2018 Intel Corporation. 4 | * Copyright 2018 Isaku Yamahata 5 | * 6 | */ 7 | 8 | #pragma once 9 | 10 | extern const uint8_t vdso_so[]; 11 | extern const size_t vdso_so_size; 12 | -------------------------------------------------------------------------------- /libos/include/linux_abi/errors.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation 3 | * Michał Kowalczyk 4 | */ 5 | 6 | #pragma once 7 | 8 | /* Types and structures used by various Linux ABIs (e.g. syscalls). */ 9 | /* These need to be binary-identical with the ones used by Linux. */ 10 | 11 | #include "linux_abi/errors_arch.h" 12 | 13 | #define ERESTARTSYS 512 /* Usual case - restart if SA_RESTART is set. */ 14 | #define ERESTARTNOINTR 513 /* Always restart. */ 15 | #define ERESTARTNOHAND 514 /* Restart if no signal handler. */ 16 | -------------------------------------------------------------------------------- /libos/include/linux_abi/futex.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation 3 | * Michał Kowalczyk 4 | */ 5 | 6 | #pragma once 7 | 8 | /* Types and structures used by various Linux ABIs (e.g. syscalls). */ 9 | /* These need to be binary-identical with the ones used by Linux. */ 10 | 11 | #include 12 | -------------------------------------------------------------------------------- /libos/include/linux_abi/ioctl.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation 3 | * Michał Kowalczyk 4 | */ 5 | 6 | #pragma once 7 | 8 | /* Types and structures used by various Linux ABIs (e.g. syscalls). */ 9 | /* These need to be binary-identical with the ones used by Linux. */ 10 | 11 | #include 12 | -------------------------------------------------------------------------------- /libos/include/linux_abi/net.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation 3 | * Michał Kowalczyk 4 | */ 5 | 6 | #pragma once 7 | 8 | /* Types and structures used by various Linux ABIs (e.g. syscalls). */ 9 | /* These need to be binary-identical with the ones used by Linux. */ 10 | 11 | #include 12 | #include 13 | -------------------------------------------------------------------------------- /libos/include/linux_abi/poll.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation 3 | * Michał Kowalczyk 4 | */ 5 | 6 | #pragma once 7 | 8 | /* Types and structures used by various Linux ABIs (e.g. syscalls). */ 9 | /* These need to be binary-identical with the ones used by Linux. */ 10 | 11 | #include 12 | #include 13 | 14 | struct linux_fd_set { 15 | unsigned long fds_bits[1024 / (8 * sizeof(unsigned long))]; 16 | }; 17 | 18 | #ifndef EPOLLNVAL 19 | /* This is not defined in the older kernels e.g. the default kernel on Ubuntu 18.04. */ 20 | #define EPOLLNVAL ((uint32_t)0x00000020) 21 | #endif 22 | -------------------------------------------------------------------------------- /libos/include/linux_abi/process.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation 3 | * Michał Kowalczyk 4 | */ 5 | 6 | #pragma once 7 | 8 | /* Types and structures used by various Linux ABIs (e.g. syscalls). */ 9 | /* These need to be binary-identical with the ones used by Linux. */ 10 | 11 | #include 12 | #include // for CLONE_* stuff 13 | #include 14 | -------------------------------------------------------------------------------- /libos/include/linux_abi/random.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation 3 | * Michał Kowalczyk 4 | */ 5 | 6 | #pragma once 7 | 8 | /* Types and structures used by various Linux ABIs (e.g. syscalls). */ 9 | /* These need to be binary-identical with the ones used by Linux. */ 10 | 11 | #define GRND_NONBLOCK 0x0001 12 | #define GRND_RANDOM 0x0002 13 | #define GRND_INSECURE 0x0004 14 | -------------------------------------------------------------------------------- /libos/include/linux_abi/sched.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation 3 | * Michał Kowalczyk 4 | */ 5 | 6 | #pragma once 7 | 8 | #include 9 | 10 | /* Types and structures used by various Linux ABIs (e.g. syscalls). */ 11 | /* These need to be binary-identical with the ones used by Linux. */ 12 | 13 | struct __kernel_sched_param { 14 | int __sched_priority; 15 | }; 16 | -------------------------------------------------------------------------------- /libos/include/linux_abi/types.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation 3 | * Michał Kowalczyk 4 | */ 5 | 6 | #pragma once 7 | 8 | /* Types and structures used by various Linux ABIs (e.g. syscalls). */ 9 | /* These need to be binary-identical with the ones used by Linux. */ 10 | 11 | #include "linux_abi/types_arch.h" 12 | -------------------------------------------------------------------------------- /libos/include/meson.build: -------------------------------------------------------------------------------- 1 | includes_libos = [ 2 | include_directories( 3 | '.', 4 | 'arch/@0@'.format(host_machine.cpu_family()), 5 | ), 6 | includes_pal_for_libos, 7 | common_inc, 8 | ] 9 | 10 | libos_generated_offsets_print = executable('libos-generated-offsets-print', 11 | 'generated_offsets.c', 12 | generated_offsets_print_src, 13 | include_directories: includes_libos, 14 | c_args: cflags_libos, 15 | ) 16 | 17 | libos_asm_offsets_h = custom_target('asm_offsets.h[libos]', 18 | command: [libos_generated_offsets_print, '--h'], 19 | capture: true, 20 | output: 'asm_offsets.h', 21 | ) 22 | 23 | gramine_hash_header = vcs_tag( 24 | command: ['git', 'rev-parse', '--verify', 'HEAD' ], 25 | input: 'gramine_hash.h.in', 26 | output: 'gramine_hash.h', 27 | replace_string: '@GRAMINE_COMMIT_HASH_MARKER@', 28 | ) 29 | -------------------------------------------------------------------------------- /libos/src/arch/meson.build: -------------------------------------------------------------------------------- 1 | subdir(host_machine.cpu_family()) 2 | -------------------------------------------------------------------------------- /libos/src/arch/x86_64/meson.build: -------------------------------------------------------------------------------- 1 | libos_sources_arch_list = { 2 | 'fs_proc/info.c': {}, 3 | 'libos_arch_prctl.c': {}, 4 | 'libos_context.c': {}, 5 | 'libos_cpuid.c': {}, 6 | 'libos_elf_entry.nasm': { 'type': 'nasm' }, 7 | 'libos_table.c': {}, 8 | 'start.S': {}, 9 | 'syscallas.S': {}, 10 | } 11 | 12 | libos_sources_arch = files() 13 | 14 | foreach src, params : libos_sources_arch_list 15 | if params.get('type', '') == 'nasm' 16 | libos_sources_arch += nasm_gen.process(src) 17 | else 18 | libos_sources_arch += files(src) 19 | endif 20 | endforeach 21 | 22 | libos_lds = meson.current_source_dir() / 'libos.lds' 23 | -------------------------------------------------------------------------------- /libos/src/arch/x86_64/start.S: -------------------------------------------------------------------------------- 1 | /* Our PAL loader invokes this entrypoint with all registers unspecified, except %rsp. 2 | * For detailed description of the stack layout see pal/src/pal_rtld.c:start_execution(). 3 | */ 4 | 5 | .text 6 | .globl libos_start 7 | .type libos_start,@function 8 | libos_start: 9 | .cfi_startproc 10 | 11 | # Clear the frame pointer. The ABI suggests this be done, to mark 12 | # the outermost frame obviously. 13 | xorq %rbp, %rbp 14 | 15 | # Arguments for libos_init: 16 | movq 0(%rsp), %r8 # argc, unused by libos_init, used to calculate location of envp 17 | leaq 8(%rsp), %rdi # argv 18 | leaq 8(%rdi,%r8,8), %rsi # envp, after all args (including argv[argc] = NULL) 19 | 20 | # Required by System V AMD64 ABI. 21 | andq $~0xF, %rsp 22 | 23 | callq *libos_init@GOTPCREL(%rip) 24 | 25 | .cfi_endproc 26 | -------------------------------------------------------------------------------- /libos/src/fs/libos_fs_path.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2022 Intel Corporation 3 | * Borys Popławski 4 | */ 5 | 6 | #include "libos_fs.h" 7 | 8 | static int hstat(struct libos_handle* handle, struct stat* buf) { 9 | if (!handle->inode) { 10 | return -EINVAL; 11 | } 12 | return generic_inode_hstat(handle, buf); 13 | } 14 | 15 | static struct libos_fs_ops path_fs_ops = { 16 | .hstat = hstat, 17 | }; 18 | 19 | static struct libos_d_ops path_d_ops = {}; 20 | 21 | struct libos_fs path_builtin_fs = { 22 | .name = "path", 23 | .fs_ops = &path_fs_ops, 24 | .d_ops = &path_d_ops, 25 | }; 26 | -------------------------------------------------------------------------------- /libos/src/gramine_hash.c: -------------------------------------------------------------------------------- 1 | #include "gramine_hash.h" 2 | 3 | const char g_gramine_commit_hash[] = GRAMINE_COMMIT_HASH; 4 | -------------------------------------------------------------------------------- /libos/src/libos.map: -------------------------------------------------------------------------------- 1 | LIBOS { 2 | local: *; 3 | }; 4 | -------------------------------------------------------------------------------- /libos/src/libos_object.c: -------------------------------------------------------------------------------- 1 | #include "libos_internal.h" 2 | #include "pal.h" 3 | 4 | int event_wait_with_retry(PAL_HANDLE handle) { 5 | int ret; 6 | do { 7 | ret = PalEventWait(handle, /*timeout=*/NULL); 8 | } while (ret == -PAL_ERROR_INTERRUPTED || ret == -PAL_ERROR_TRYAGAIN); 9 | 10 | if (ret < 0) { 11 | log_error("waiting on an event with retry failed: %s", pal_strerror(ret)); 12 | return pal_to_unix_errno(ret); 13 | } 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /libos/src/sys/libos_fork.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Intel Corporation 3 | * Borys Popławski 4 | */ 5 | 6 | #include "libos_table.h" 7 | #include "linux_abi/process.h" 8 | #include "linux_abi/signals.h" 9 | 10 | long libos_syscall_fork(void) { 11 | return libos_syscall_clone(SIGCHLD, 0, NULL, NULL, 0); 12 | } 13 | 14 | long libos_syscall_vfork(void) { 15 | return libos_syscall_clone(CLONE_VFORK | CLONE_VM | SIGCHLD, 0, NULL, NULL, 0); 16 | } 17 | -------------------------------------------------------------------------------- /libos/src/vdso/arch/meson.build: -------------------------------------------------------------------------------- 1 | subdir(host_machine.cpu_family()) 2 | -------------------------------------------------------------------------------- /libos/src/vdso/arch/x86_64/vdso.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #pragma once 4 | 5 | #include "libos_types.h" 6 | 7 | int __vdso_clock_gettime(clockid_t clock, struct timespec* t); 8 | int __vdso_gettimeofday(struct timeval* tv, struct timezone* tz); 9 | time_t __vdso_time(time_t* t); 10 | long __vdso_getcpu(unsigned* cpu, void* unused_cache); 11 | -------------------------------------------------------------------------------- /libos/src/vdso/arch/x86_64/vdso_note.S: -------------------------------------------------------------------------------- 1 | #include "gramine_hash.h" 2 | 3 | /* This .note section informs dynamic linker about vDSO */ 4 | .section .note.Linux, "a", @note 5 | 6 | .balign 4 7 | .long 2f - 1f /* namesz */ 8 | .long 4 /* descsz */ 9 | .long 0 /* type */ 10 | 1: .asciz "Linux" /* name */ 11 | 2: .balign 4 12 | .long 0x41300 /* desc: LINUX_VERSION_CODE */ 13 | 14 | /* Already aligned to 4. */ 15 | .long 2f - 1f /* namesz */ 16 | .long 4f - 3f /* descsz */ 17 | .long 0x100 /* type */ 18 | 1: .asciz "Linux" /* name */ 19 | 2: .balign 4 20 | 3: .asciz GRAMINE_COMMIT_HASH 21 | 4: .balign 4 22 | -------------------------------------------------------------------------------- /libos/src/vdso/meson.build: -------------------------------------------------------------------------------- 1 | subdir('arch') 2 | -------------------------------------------------------------------------------- /libos/src/vdso/vdso_data.S: -------------------------------------------------------------------------------- 1 | .section .rodata 2 | 3 | .global vdso_so 4 | .type vdso_so, @object 5 | .align 4 6 | vdso_so: 7 | .incbin VDSO_SO_FULL_PATH 8 | 9 | .global vdso_so_end 10 | .type vdso_so_end, @object 11 | .align 4 12 | vdso_so_end: 13 | 14 | .global vdso_so_size 15 | .type vdso_so_size, @object 16 | .size vdso_so_size, 8 17 | .align 8 18 | vdso_so_size: 19 | .quad vdso_so_end - vdso_so 20 | -------------------------------------------------------------------------------- /libos/test/.gitignore: -------------------------------------------------------------------------------- 1 | /**/*.dat 2 | /**/*.manifest 3 | /**/*.xml 4 | 5 | /**/build.ninja 6 | /**/.ninja_* 7 | -------------------------------------------------------------------------------- /libos/test/abi/common/common.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2022 Intel Corporation 3 | * Mariusz Zaborski 4 | */ 5 | 6 | /* 7 | * We have to add a function declaration to avoid warnings. 8 | * This function is used with NASM, so creating a header is pointless. 9 | */ 10 | int test_str_neq(const char* orig, const char* new); 11 | 12 | int test_str_neq(const char* orig, const char* new) { 13 | if (orig == new) 14 | return 0; 15 | 16 | while (*orig && *orig == *new) { 17 | orig++; 18 | new++; 19 | } 20 | 21 | return *orig != *new; 22 | } 23 | -------------------------------------------------------------------------------- /libos/test/abi/meson.build: -------------------------------------------------------------------------------- 1 | subdir(host_machine.cpu_family()) 2 | -------------------------------------------------------------------------------- /libos/test/abi/x86_64/atexit_func.nasm: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: LGPL-3.0-or-later 2 | ; Copyright (C) 2022 Intel Corporation 3 | ; Mariusz Zaborski 4 | 5 | ; rdx contains a function pointer that the application should register with atexit. 6 | ; Gramine sets rdx to NULL - it does not use this feature at all. 7 | 8 | extern test_exit 9 | global _start 10 | 11 | section .text 12 | 13 | _start: 14 | mov rdi, rdx 15 | jmp test_exit 16 | -------------------------------------------------------------------------------- /libos/test/abi/x86_64/call_auxiliary.nasm: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: LGPL-3.0-or-later 2 | ; Copyright (C) 2022 Intel Corporation 3 | ; Mariusz Zaborski 4 | 5 | ; Verify auxiliary which should be in: 6 | ; 'rsp + 8 + (8 * (argc + 1)) + (8 * (env_count + 1))' 7 | ; In this test we don't pass any additional arguments so argc is 1, 8 | ; we also should not have any environment variables so env_count is 0. 9 | 10 | extern test_exit 11 | extern verify_auxiliary 12 | global _start 13 | 14 | %define argc 1 15 | %define env_count 0 16 | 17 | section .text 18 | 19 | _start: 20 | lea rdi, [rsp + 8 + 8 * (argc + 1) + 8 * (env_count + 1)] 21 | call verify_auxiliary 22 | 23 | mov rdi, rax 24 | jmp test_exit 25 | -------------------------------------------------------------------------------- /libos/test/abi/x86_64/fpu_control_word.nasm: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: LGPL-3.0-or-later 2 | ; Copyright (C) 2022 Intel Corporation 3 | ; Mariusz Zaborski 4 | 5 | ; The x87 FPU Control Word register: 6 | ; +--+--+--+--+--+--+--+--+--+--+--+--+--+ 7 | ; | X| RC| PC| R| R|PM|UM|OM|ZM|DM|IM| 8 | ; +--+--+--+--+--+--+--+--+--+--+--+--+--+ 9 | ; The x87 FPU Control Word should be set as follow: 10 | ; +--+--+--+--+--+--+--+--+--+--+--+--+--+ 11 | ; | X| 0 0| 1 1| X| X| 1| 1| 1| 1| 1| 1| 12 | ; +--+--+--+--+--+--+--+--+--+--+--+--+--+ 13 | 14 | extern test_exit 15 | global _start 16 | 17 | section .text 18 | 19 | _start: 20 | fstcw [rsp] 21 | 22 | mov ax, [rsp] 23 | mov rdi, rax 24 | and rdi, 0b0111100111111 25 | xor rdi, 0b0001100111111 26 | 27 | jmp test_exit 28 | -------------------------------------------------------------------------------- /libos/test/abi/x86_64/manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ entrypoint }}" 3 | 4 | fs.mounts = [ 5 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 6 | ] 7 | 8 | sgx.debug = true 9 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 10 | sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '4' }} 11 | 12 | sgx.trusted_files = [ 13 | "file:{{ gramine.libos }}", 14 | "file:{{ binary_dir }}/{{ entrypoint }}", 15 | ] 16 | -------------------------------------------------------------------------------- /libos/test/abi/x86_64/mxcsr.nasm: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: LGPL-3.0-or-later 2 | ; Copyright (C) 2022 Intel Corporation 3 | ; Mariusz Zaborski 4 | 5 | ; The MXCSR register: 6 | ; +--+--+--+--+--+--+--+--+--+---+--+--+--+--+--+--+ 7 | ; |FZ| RC|PM|UM|OM|ZM|DM|IM|DAZ|PE|UE|OE|ZE|DE|IE| 8 | ; +--+--+--+--+--+--+--+--+--+---+--+--+--+--+--+--+ 9 | ; The MXCSR should be set as follow: 10 | ; +--+--+--+--+--+--+--+--+--+---+--+--+--+--+--+--+ 11 | ; | 0| 0 0| 1| 1| 1| 1| 1| 1| 0| 0| 0| 0| 0| 0| 0| 12 | ; +--+--+--+--+--+--+--+--+--+---+--+--+--+--+--+--+ 13 | 14 | extern test_exit 15 | 16 | global _start 17 | 18 | section .text 19 | 20 | _start: 21 | stmxcsr [rsp] 22 | 23 | mov edi, [rsp] 24 | xor rdi, 0b0001111110000000 25 | 26 | jmp test_exit 27 | -------------------------------------------------------------------------------- /libos/test/abi/x86_64/rflags.nasm: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: LGPL-3.0-or-later 2 | ; Copyright (C) 2022 Intel Corporation 3 | ; Mariusz Zaborski 4 | 5 | ; The rFlags should be cleared. 6 | ; Verify OF, DF, SF, ZF, AF, PF, CF 7 | ; The EFLAGS: 8 | ; +--+--+--+--+--+--+--+--+--+--+--+--+ 9 | ; |OF|DF|IF|TF|SF|ZF| 0|AF| 0|PF| 1|CF| 10 | ; +--+--+--+--+--+--+--+--+--+--+--+--+ 11 | ; Mask to get interesting bits: 12 | ; +--+--+--+--+--+--+--+--+--+--+--+--+ 13 | ; | 1| 1| 0| 0| 1| 1| 0| 1| 0| 1| 0| 1| 14 | ; +--+--+--+--+--+--+--+--+--+--+--+--+ 15 | 16 | extern test_exit 17 | 18 | global _start 19 | 20 | section .text 21 | 22 | _start: 23 | pushfq 24 | pop rdi 25 | 26 | and rdi, 0b110011010101 27 | 28 | jmp test_exit 29 | -------------------------------------------------------------------------------- /libos/test/abi/x86_64/stack.nasm: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: LGPL-3.0-or-later 2 | ; Copyright (C) 2022 Intel Corporation 3 | ; Mariusz Zaborski 4 | 5 | ; "The end of the input argument area shall be aligned on a 16..." 6 | 7 | extern test_exit 8 | 9 | global _start 10 | 11 | section .text 12 | 13 | _start: 14 | xor rdi, rdi 15 | 16 | mov rax, rsp 17 | and rax, 0xF 18 | setne dil 19 | 20 | jmp test_exit 21 | -------------------------------------------------------------------------------- /libos/test/abi/x86_64/stack_arg.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ entrypoint }}" 3 | 4 | # The argv source file must set argv[0] as the basename of the entrypoint. This is crucial for 5 | # stack tests because if argv[0] contains an absolute path to the binary, then tests become 6 | # unreliable. 7 | loader.argv_src_file = "file:stack_arg_argv_input" 8 | 9 | fs.mounts = [ 10 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 11 | ] 12 | 13 | sgx.debug = true 14 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 15 | sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '4' }} 16 | 17 | sgx.trusted_files = [ 18 | "file:{{ gramine.libos }}", 19 | "file:{{ binary_dir }}/{{ entrypoint }}", 20 | ] 21 | 22 | sgx.allowed_files = [ 23 | "file:stack_arg_argv_input", 24 | ] 25 | -------------------------------------------------------------------------------- /libos/test/abi/x86_64/stack_env.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ entrypoint }}" 3 | 4 | loader.env.foo = "bar" 5 | loader.env.env0 = "val0" 6 | 7 | loader.insecure__use_cmdline_argv = true 8 | 9 | fs.mounts = [ 10 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 11 | ] 12 | 13 | sgx.debug = true 14 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 15 | sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '4' }} 16 | 17 | sgx.trusted_files = [ 18 | "file:{{ gramine.libos }}", 19 | "file:{{ binary_dir }}/{{ entrypoint }}", 20 | ] 21 | -------------------------------------------------------------------------------- /libos/test/abi/x86_64/tests.toml: -------------------------------------------------------------------------------- 1 | binary_dir = "@GRAMINE_PKGLIBDIR@/tests/libos/entrypoint" 2 | 3 | manifests = [ 4 | "atexit_func", 5 | "fpu_control_word", 6 | "mxcsr", 7 | "rflags", 8 | "stack", 9 | "stack_arg", 10 | "stack_env", 11 | "stack_auxiliary", 12 | ] 13 | -------------------------------------------------------------------------------- /libos/test/common/x86_64/exit.nasm: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: LGPL-3.0-or-later 2 | ; Copyright (C) 2022 Intel Corporation 3 | ; Mariusz Zaborski 4 | 5 | global test_exit 6 | 7 | %define __NR_exit 60 8 | 9 | section .text 10 | 11 | test_exit: 12 | xor rax, rax 13 | test rdi, rdi 14 | setne al 15 | mov rdi, rax 16 | mov rax, __NR_exit 17 | syscall 18 | -------------------------------------------------------------------------------- /libos/test/fs/Makefile: -------------------------------------------------------------------------------- 1 | # Disable implicit rules so that Make doesn't try to compile the binaries 2 | .SUFFIXES: 3 | 4 | .PHONY: all 5 | all: 6 | @echo "Use gramine-test for running tests." 7 | 8 | # TODO: Python tests should not produce leftovers 9 | .PHONY: clean 10 | clean: 11 | gramine-test clean 12 | $(RM) -r \ 13 | .pytest_cache \ 14 | __pycache__ \ 15 | *.xml \ 16 | tmp/* 17 | -------------------------------------------------------------------------------- /libos/test/fs/README.md: -------------------------------------------------------------------------------- 1 | Test purpose 2 | ------------ 3 | 4 | These tests perform common FS operations in various ways to exercise the Gramine 5 | FS subsystem: 6 | 7 | - open/close 8 | - read/write 9 | - create/delete 10 | - read/change size 11 | - seek/tell 12 | - memory-mapped read/write 13 | - sendfile 14 | - copy directory in different ways 15 | 16 | How to execute 17 | -------------- 18 | 19 | - `gramine-test pytest -v` 20 | 21 | Encrypted file tests assume that Gramine was built with SGX enabled (see comment 22 | in `test_enc.py`). 23 | -------------------------------------------------------------------------------- /libos/test/fs/copy_rev.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | void copy_data(int fi, int fo, const char* input_path, const char* output_path, size_t size) { 4 | assert(!OVERFLOWS(off_t, size)); 5 | 6 | size_t max_step = 16; 7 | if (size > 65536) 8 | max_step = 256; 9 | 10 | void* data = alloc_buffer(max_step); 11 | off_t offset = size; 12 | size_t step; 13 | while (offset > 0) { 14 | if (offset > (off_t)max_step) 15 | step = rand() % max_step + 1; 16 | else 17 | step = offset; 18 | offset -= step; 19 | seek_fd(input_path, fi, offset, SEEK_SET); 20 | seek_fd(output_path, fo, offset, SEEK_SET); 21 | read_fd(input_path, fi, data, step); 22 | write_fd(output_path, fo, data, step); 23 | } 24 | free(data); 25 | } 26 | -------------------------------------------------------------------------------- /libos/test/fs/copy_sendfile.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | void copy_data(int fi, int fo, const char* input_path, const char* output_path, size_t size) { 4 | sendfile_fd(input_path, output_path, fi, fo, size); 5 | printf("sendfile_fd(%zu) OK\n", size); 6 | } 7 | -------------------------------------------------------------------------------- /libos/test/fs/copy_seq.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | void copy_data(int fi, int fo, const char* input_path, const char* output_path, size_t size) { 4 | size_t max_step = 16; 5 | if (size > 65536) 6 | max_step = 256; 7 | 8 | void* data = alloc_buffer(max_step); 9 | size_t offset = 0; 10 | size_t step; 11 | while (offset < size) { 12 | if (offset + max_step <= size) 13 | step = rand() % max_step + 1; 14 | else 15 | step = size - offset; 16 | read_fd(input_path, fi, data, step); 17 | write_fd(output_path, fo, data, step); 18 | offset += step; 19 | } 20 | free(data); 21 | } 22 | -------------------------------------------------------------------------------- /libos/test/fs/copy_whole.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | void copy_data(int fi, int fo, const char* input_path, const char* output_path, size_t size) { 4 | void* data = alloc_buffer(size); 5 | read_fd(input_path, fi, data, size); 6 | printf("read_fd(%zu) input OK\n", size); 7 | write_fd(output_path, fo, data, size); 8 | printf("write_fd(%zu) output OK\n", size); 9 | free(data); 10 | } 11 | -------------------------------------------------------------------------------- /libos/test/fs/tests.toml: -------------------------------------------------------------------------------- 1 | binary_dir = "@GRAMINE_PKGLIBDIR@/tests/libos/fs" 2 | 3 | manifests = [ 4 | "chmod_stat", 5 | "copy_mmap_rev", 6 | "copy_mmap_seq", 7 | "copy_mmap_whole", 8 | "copy_rev", 9 | "copy_sendfile", 10 | "copy_seq", 11 | "copy_whole", 12 | "delete", 13 | "multiple_writers", 14 | "open_close", 15 | "open_flags", 16 | "read_write", 17 | "read_write_mmap", 18 | "seek_tell", 19 | "seek_tell_truncate", 20 | "stat", 21 | "truncate", 22 | ] 23 | -------------------------------------------------------------------------------- /libos/test/ltp/.gitignore: -------------------------------------------------------------------------------- 1 | /build/ 2 | /install/ 3 | 4 | /etc 5 | -------------------------------------------------------------------------------- /libos/test/ltp/ltp_all.cfg: -------------------------------------------------------------------------------- 1 | # KEEP THIS FILE SORTED 2 | # in case of trouble, use ./contrib/conf_lint.py < FILENAME 3 | 4 | [DEFAULT] 5 | timeout = 30 6 | 7 | # Uses inline assembly to run tkill syscall directly, which can actually abort the whole Docker 8 | # container by sending SIGHUP to PID 1. 9 | [signal06] 10 | skip = yes 11 | -------------------------------------------------------------------------------- /libos/test/ltp/tests.toml: -------------------------------------------------------------------------------- 1 | binary_dir = "install/testcases/bin" 2 | 3 | manifests_cmd = "LTP_CONFIG='ltp.cfg' ./test_ltp.py --list" 4 | -------------------------------------------------------------------------------- /libos/test/meson.build: -------------------------------------------------------------------------------- 1 | subdir('abi') 2 | subdir('regression') 3 | subdir('fs') 4 | -------------------------------------------------------------------------------- /libos/test/regression/.gitignore: -------------------------------------------------------------------------------- 1 | /nonexisting_testfile 2 | /testfile 3 | /trusted_testfile 4 | 5 | /tmp/* 6 | !/tmp/.gitkeep 7 | /tmp_enc/* 8 | !/tmp_enc/.gitkeep 9 | -------------------------------------------------------------------------------- /libos/test/regression/Makefile: -------------------------------------------------------------------------------- 1 | # Disable implicit rules so that Make doesn't try to compile the binaries 2 | .SUFFIXES: 3 | 4 | .PHONY: all 5 | all: 6 | @echo "Use gramine-test for running tests." 7 | 8 | # TODO: Python tests should not produce leftovers 9 | .PHONY: clean 10 | clean: 11 | gramine-test clean 12 | $(RM) -r \ 13 | *.dat \ 14 | .pytest_cache \ 15 | __pycache__ \ 16 | *.xml \ 17 | testfile \ 18 | trusted_testfile \ 19 | asm/x86_64/__pycache__ \ 20 | tmp/* 21 | find tmp_enc/ -not -path '*/.*' -type f -delete 22 | -------------------------------------------------------------------------------- /libos/test/regression/abort.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | /* Test if the correct error code is propagated on a signal-induced exit. This should report 134 4 | * (128 + 6 where 6 is SIGABRT) as its return code. */ 5 | 6 | int main(int argc, char* arvg[]) { 7 | abort(); 8 | } 9 | -------------------------------------------------------------------------------- /libos/test/regression/abort_multithread.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | /* Test if abort() in a child thread kills the whole process. This should report 134 (128 + 6 where 6 | * 6 is SIGABRT) as its return code. */ 7 | 8 | static void* thread_abort(void* arg) { 9 | abort(); 10 | return NULL; /* not reached */ 11 | } 12 | 13 | int main(int argc, char* arvg[]) { 14 | pthread_t thread; 15 | pthread_create(&thread, NULL, thread_abort, NULL); 16 | pthread_join(thread, NULL); 17 | 18 | printf("Main thread returns successfully (must not happen)\n"); 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /libos/test/regression/argv_from_file.manifest.template: -------------------------------------------------------------------------------- 1 | {% set entrypoint = "bootstrap" -%} 2 | 3 | loader.entrypoint = "file:{{ gramine.libos }}" 4 | libos.entrypoint = "{{ entrypoint }}" 5 | 6 | loader.env.LD_LIBRARY_PATH = "/lib" 7 | loader.argv_src_file = "file:argv_test_input" 8 | 9 | fs.mounts = [ 10 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 11 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 12 | ] 13 | 14 | sgx.debug = true 15 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 16 | 17 | sgx.allowed_files = [ 18 | "file:argv_test_input", 19 | ] 20 | 21 | sgx.trusted_files = [ 22 | "file:{{ gramine.libos }}", 23 | "file:{{ gramine.runtimedir(libc) }}/", 24 | "file:{{ binary_dir }}/{{ entrypoint }}", 25 | ] 26 | -------------------------------------------------------------------------------- /libos/test/regression/argv_from_manifest.manifest.template: -------------------------------------------------------------------------------- 1 | {% set entrypoint = "bootstrap" -%} 2 | 3 | loader.entrypoint = "file:{{ gramine.libos }}" 4 | libos.entrypoint = "{{ entrypoint }}" 5 | 6 | loader.env.LD_LIBRARY_PATH = "/lib" 7 | loader.argv = [ 8 | "{{ entrypoint }}", 9 | "THIS", 10 | "SHOULD GO", 11 | "TO", 12 | "THE", 13 | "APP ", # note the trailing space (app should see this trailing space in its argv[5]) 14 | ] 15 | 16 | fs.mounts = [ 17 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 18 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 19 | ] 20 | 21 | sgx.debug = true 22 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 23 | 24 | sgx.trusted_files = [ 25 | "file:{{ gramine.libos }}", 26 | "file:{{ gramine.runtimedir(libc) }}/", 27 | "file:{{ binary_dir }}/{{ entrypoint }}", 28 | ] 29 | -------------------------------------------------------------------------------- /libos/test/regression/asm/meson.build: -------------------------------------------------------------------------------- 1 | subdir(host_machine.cpu_family()) 2 | -------------------------------------------------------------------------------- /libos/test/regression/asm/x86_64/meson.build: -------------------------------------------------------------------------------- 1 | common_lib = static_library('common_lib', 2 | nasm_gen.process('../../../common/x86_64/exit.nasm') 3 | ) 4 | 5 | tests = { 6 | 'iret_emulation': {}, 7 | } 8 | 9 | install_dir = pkglibdir / 'tests' / 'libos' / 'regression' / 'asm' / 'x86_64' 10 | 11 | foreach name, params : tests 12 | filenames = nasm_gen.process('@0@.nasm'.format(name)) 13 | 14 | exe = executable(name, 15 | filenames, 16 | 17 | link_with: [ 18 | params.get('link_with', [common_lib]), 19 | ], 20 | 21 | link_args: params.get('link_args', ['-nostdlib', '-static']), 22 | include_directories: params.get('include_directories', []), 23 | 24 | install: true, 25 | install_dir: install_dir, 26 | ) 27 | endforeach 28 | -------------------------------------------------------------------------------- /libos/test/regression/asm/x86_64/test_x86_64.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import unittest 4 | 5 | from graminelibos.regression import ( 6 | USES_MUSL, 7 | RegressionTestCase, 8 | ) 9 | 10 | # These tests don't require libc, so it doesn't make sense to run them 11 | # twice (once with glibc and once with musl) as the result is not dependable on libc. 12 | @unittest.skipIf(USES_MUSL, 'Assembly tests are disabled with musl') 13 | class TC_00_X86_64(RegressionTestCase): 14 | # The iret emulation is used only on PAL/Linux-SGX. 15 | # However, it doesn't hurt to run this test also on PAL/Linux to verify the test itself. 16 | def test_010_iret_emulation(self): 17 | self.run_binary(['asm/x86_64/iret_emulation']) 18 | -------------------------------------------------------------------------------- /libos/test/regression/bootstrap_pie.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | static void* ptr = NULL; 4 | 5 | int main(int argc, const char** argv, const char** envp) { 6 | printf("User program started\n"); 7 | printf("Local Address in Executable: %p\n", &ptr); 8 | 9 | for (int i = 0; i < argc; i++) { 10 | printf("argv[%d] = %s\n", i, argv[i]); 11 | } 12 | 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /libos/test/regression/bootstrap_static.c: -------------------------------------------------------------------------------- 1 | /* a simple helloworld test */ 2 | 3 | #include 4 | 5 | int main(int argc, char** argv) { 6 | printf("Hello world (%s)!\n", argv[0]); 7 | return 0; 8 | } 9 | -------------------------------------------------------------------------------- /libos/test/regression/debug.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | __attribute__((noinline)) static void func(void) { 4 | printf("hello\n"); 5 | fflush(stdout); 6 | /* Prevent tail call, so that we get a stack trace including func(). */ 7 | __asm__ volatile(""); 8 | } 9 | 10 | int main(void) { 11 | func(); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /libos/test/regression/debug.gdb: -------------------------------------------------------------------------------- 1 | set breakpoint pending on 2 | set pagination off 3 | set backtrace past-main on 4 | 5 | # Check if debug sources are loaded in our program, and we can break inside. 6 | 7 | tbreak func 8 | commands 9 | echo \n\n 10 | backtrace 11 | echo \n\n 12 | 13 | # Check if we can break inside PAL and get a full backtrace (across libc). 14 | 15 | tbreak console_write 16 | commands 17 | echo \n\n 18 | backtrace 19 | echo \n\n 20 | continue 21 | end 22 | 23 | # Check if we can break inside OCALL (SGX only). 24 | 25 | tbreak sgx_ocall_write 26 | commands 27 | echo \n\n 28 | backtrace 29 | echo \n\n 30 | continue 31 | end 32 | 33 | continue 34 | end 35 | 36 | run 37 | -------------------------------------------------------------------------------- /libos/test/regression/debug_log_file.manifest.template: -------------------------------------------------------------------------------- 1 | {% set entrypoint = "bootstrap" -%} 2 | 3 | loader.entrypoint = "file:{{ gramine.libos }}" 4 | libos.entrypoint = "{{ entrypoint }}" 5 | 6 | loader.env.LD_LIBRARY_PATH = "/lib" 7 | 8 | loader.log_level = "debug" 9 | loader.log_file = "tmp/debug_log_file.log" 10 | 11 | fs.mounts = [ 12 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 13 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 14 | ] 15 | 16 | sgx.debug = true 17 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 18 | 19 | sgx.trusted_files = [ 20 | "file:{{ gramine.libos }}", 21 | "file:{{ gramine.runtimedir(libc) }}/", 22 | "file:{{ binary_dir }}/{{ entrypoint }}", 23 | ] 24 | -------------------------------------------------------------------------------- /libos/test/regression/debug_log_inline.manifest.template: -------------------------------------------------------------------------------- 1 | {% set entrypoint = "bootstrap" -%} 2 | 3 | loader.entrypoint = "file:{{ gramine.libos }}" 4 | libos.entrypoint = "{{ entrypoint }}" 5 | 6 | loader.env.LD_LIBRARY_PATH = "/lib" 7 | 8 | loader.log_level = "debug" 9 | 10 | fs.mounts = [ 11 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 12 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 13 | ] 14 | 15 | sgx.debug = true 16 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 17 | 18 | sgx.trusted_files = [ 19 | "file:{{ gramine.libos }}", 20 | "file:{{ gramine.runtimedir(libc) }}/", 21 | "file:{{ binary_dir }}/{{ entrypoint }}", 22 | ] 23 | -------------------------------------------------------------------------------- /libos/test/regression/debug_regs_x86_64.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(void) { 4 | volatile uint64_t val = 0; 5 | 6 | __asm__ volatile("int3"); 7 | 8 | __asm__ volatile( 9 | "movq %1, %%rdx\n" 10 | "int3\n" 11 | "movq %%rdx, %0\n" 12 | "int3\n" 13 | : "=m"(val) 14 | : "m"(val) 15 | : "rdx"); 16 | 17 | __asm__ volatile( 18 | "movhps %1, %%xmm0\n" 19 | "movlps %1, %%xmm0\n" 20 | "int3\n" 21 | "movlps %%xmm0, %0\n" 22 | "int3\n" 23 | : "=m"(val) 24 | : "m"(val) 25 | : "xmm0"); 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /libos/test/regression/debug_regs_x86_64.gdb: -------------------------------------------------------------------------------- 1 | set breakpoint pending on 2 | set pagination off 3 | 4 | # Run until trap #1 5 | run 6 | 7 | # Run until trap #2, check RDX register read 8 | set val = 0x1000100010001000 9 | continue 10 | echo \n\n 11 | print/x $rdx 12 | echo \n\n 13 | 14 | # Check RDX register write 15 | set $rdx = 0x2000200020002000 16 | continue 17 | echo \n\n 18 | print/x val 19 | echo \n\n 20 | 21 | # Run until trap #3, check XMM0 register read 22 | set val = 0x3000300030003000 23 | continue 24 | echo \n\n 25 | print/x $xmm0.uint128 26 | echo \n\n 27 | 28 | # Check XMM0 register write 29 | set $xmm0.uint128 = 0x4000400040004000 30 | continue 31 | echo \n\n 32 | print/x val 33 | echo \n\n 34 | 35 | # Run until end 36 | continue 37 | -------------------------------------------------------------------------------- /libos/test/regression/device_ioctl_fail.manifest.template: -------------------------------------------------------------------------------- 1 | {% set entrypoint = "device_ioctl" -%} 2 | 3 | loader.entrypoint = "file:{{ gramine.libos }}" 4 | libos.entrypoint = "{{ entrypoint }}" 5 | 6 | loader.env.LD_LIBRARY_PATH = "/lib" 7 | 8 | fs.mounts = [ 9 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 10 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 11 | { path = "/dev/gramine_test_dev", uri = "dev:/dev/gramine_test_dev" }, 12 | ] 13 | 14 | sgx.debug = true 15 | 16 | sgx.trusted_files = [ 17 | "file:{{ gramine.libos }}", 18 | "file:{{ gramine.runtimedir(libc) }}/", 19 | "file:{{ binary_dir }}/{{ entrypoint }}", 20 | ] 21 | 22 | sgx.allowed_files = [ 23 | "dev:/dev/gramine_test_dev", 24 | ] 25 | 26 | sys.allowed_ioctls = [ 27 | # no allowed IOCTLs to force test failure 28 | ] 29 | -------------------------------------------------------------------------------- /libos/test/regression/device_passthrough.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ entrypoint }}" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/lib" 5 | 6 | fs.mounts = [ 7 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 8 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 9 | { path = "/dev/host-zero", uri = "dev:/dev/zero" }, 10 | ] 11 | 12 | sgx.debug = true 13 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 14 | 15 | sgx.trusted_files = [ 16 | "file:{{ gramine.libos }}", 17 | "file:{{ gramine.runtimedir(libc) }}/", 18 | "file:{{ binary_dir }}/{{ entrypoint }}", 19 | ] 20 | 21 | sgx.allowed_files = [ 22 | "dev:/dev/zero", 23 | ] 24 | -------------------------------------------------------------------------------- /libos/test/regression/dump.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2021 Intel Corporation 3 | * Paweł Marczewski 4 | */ 5 | 6 | #pragma once 7 | 8 | /* 9 | * Dumps the whole directory tree, displaying link targets and file contents. In addition to 10 | * examining the output, can be used to verify that: 11 | * 12 | * - all files can be examined with `lstat`, 13 | * - directories can be listed, 14 | * - symlinks can be examined with `readlink`, 15 | * - regular files can be opened and read. 16 | * 17 | * Returns 0 on success, -1 on failure. 18 | * 19 | * Example output: 20 | * 21 | * dir: directory 22 | * dir/file: file 23 | * [dir/file] contents of dir/file 24 | * dir/dir2: directory 25 | * dir/dir2/link: link: /link/target 26 | */ 27 | int dump_path(const char* path); 28 | -------------------------------------------------------------------------------- /libos/test/regression/env_from_file.manifest.template: -------------------------------------------------------------------------------- 1 | {% set entrypoint = "bootstrap" -%} 2 | 3 | loader.entrypoint = "file:{{ gramine.libos }}" 4 | libos.entrypoint = "{{ entrypoint }}" 5 | 6 | loader.env.LD_LIBRARY_PATH = "/lib" 7 | loader.env_src_file = "file:env_test_input" 8 | 9 | fs.mounts = [ 10 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 11 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 12 | ] 13 | 14 | sgx.debug = true 15 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 16 | 17 | sgx.allowed_files = [ 18 | "file:env_test_input", 19 | ] 20 | 21 | sgx.trusted_files = [ 22 | "file:{{ gramine.libos }}", 23 | "file:{{ gramine.runtimedir(libc) }}/", 24 | "file:{{ binary_dir }}/{{ entrypoint }}", 25 | ] 26 | -------------------------------------------------------------------------------- /libos/test/regression/env_from_host.manifest.template: -------------------------------------------------------------------------------- 1 | {% set entrypoint = "bootstrap" -%} 2 | 3 | loader.entrypoint = "file:{{ gramine.libos }}" 4 | libos.entrypoint = "{{ entrypoint }}" 5 | 6 | loader.env.LD_LIBRARY_PATH = "/lib" 7 | loader.insecure__use_host_env = true 8 | 9 | fs.mounts = [ 10 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 11 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 12 | ] 13 | 14 | sgx.debug = true 15 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 16 | 17 | sgx.trusted_files = [ 18 | "file:{{ gramine.libos }}", 19 | "file:{{ gramine.runtimedir(libc) }}/", 20 | "file:{{ binary_dir }}/{{ entrypoint }}", 21 | ] 22 | -------------------------------------------------------------------------------- /libos/test/regression/eventfd_fork.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ entrypoint }}" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/lib" 5 | 6 | fs.mounts = [ 7 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 8 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 9 | ] 10 | 11 | sys.insecure__allow_eventfd = true 12 | 13 | sgx.debug = true 14 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 15 | 16 | sgx.trusted_files = [ 17 | "file:{{ gramine.libos }}", 18 | "file:{{ gramine.runtimedir(libc) }}/", 19 | "file:{{ binary_dir }}/{{ entrypoint }}", 20 | ] 21 | -------------------------------------------------------------------------------- /libos/test/regression/exec.c: -------------------------------------------------------------------------------- 1 | #define _XOPEN_SOURCE 700 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main(int argc, const char** argv, const char** envp) { 8 | int newfd = dup(1); 9 | char fd_argv[4]; 10 | snprintf(fd_argv, 4, "%d", newfd); 11 | char* const new_argv[] = {(char*)"./exec_victim", fd_argv, NULL}; 12 | 13 | setenv("IN_EXECVE", "1", 1); 14 | 15 | execv(new_argv[0], new_argv); 16 | return 1; 17 | } 18 | -------------------------------------------------------------------------------- /libos/test/regression/exec_null.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | 5 | int main(void) { 6 | syscall(__NR_execve, "./exec_victim", NULL, NULL); 7 | return 1; 8 | } 9 | -------------------------------------------------------------------------------- /libos/test/regression/exec_script.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main(void) { 6 | char* const argv[] = {(char*)"foo.sh", (char*)"STRING FROM EXECVE", NULL}; 7 | 8 | /* The pathname arg to `execv()` differs from `argv[0]` on purpose: we want to test the corner 9 | * case where `argv[0]` is overridden by the file pathname for interpreter scripts in execve 10 | * family of syscalls. */ 11 | execv("scripts/foo.sh", argv); 12 | err(EXIT_FAILURE, "execve failed"); 13 | } 14 | -------------------------------------------------------------------------------- /libos/test/regression/exit.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, const char** argv, const char** envp) { 4 | return 113; 5 | } 6 | -------------------------------------------------------------------------------- /libos/test/regression/fcntl_lock_child_only.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ entrypoint }}" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/lib" 5 | 6 | fs.mounts = [ 7 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 8 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 9 | 10 | { type = "encrypted", path = "/tmp_enc/", uri = "file:tmp_enc/" }, 11 | ] 12 | 13 | fs.insecure__keys.default = "ffeeddccbbaa99887766554433221100" 14 | 15 | sgx.debug = true 16 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 17 | 18 | sgx.trusted_files = [ 19 | "file:{{ gramine.libos }}", 20 | "file:{{ gramine.runtimedir(libc) }}/", 21 | "file:{{ binary_dir }}/{{ entrypoint }}", 22 | ] 23 | -------------------------------------------------------------------------------- /libos/test/regression/fork_and_access_file.gdb: -------------------------------------------------------------------------------- 1 | set breakpoint pending on 2 | set pagination off 3 | set backtrace past-main on 4 | 5 | # We want to check what happens in the child process after fork() 6 | set follow-fork-mode child 7 | 8 | # Cannot detach after fork because of some bug in SGX version of GDB (GDB would segfault) 9 | set detach-on-fork off 10 | 11 | tbreak fork 12 | commands 13 | echo BREAK ON FORK\n 14 | 15 | shell echo "WRITING NEW CONTENT IN FORK_AND_ACCESS_FILE_TESTFILE" > fork_and_access_file_testfile 16 | 17 | tbreak die_or_inf_loop 18 | commands 19 | echo EXITING GDB WITH A GRAMINE ERROR\n 20 | quit 21 | end 22 | 23 | tbreak exit 24 | commands 25 | echo EXITING GDB WITHOUT A GRAMINE ERROR\n 26 | quit 27 | end 28 | 29 | continue 30 | end 31 | 32 | run 33 | -------------------------------------------------------------------------------- /libos/test/regression/fork_and_access_file.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ entrypoint }}" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/lib" 5 | 6 | fs.mounts = [ 7 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 8 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 9 | ] 10 | 11 | sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '16' }} 12 | sgx.debug = true 13 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 14 | 15 | sgx.trusted_files = [ 16 | "file:{{ gramine.libos }}", 17 | "file:{{ gramine.runtimedir(libc) }}/", 18 | "file:{{ binary_dir }}/{{ entrypoint }}", 19 | "file:fork_and_access_file_testfile", 20 | ] 21 | -------------------------------------------------------------------------------- /libos/test/regression/fork_and_access_file_testfile: -------------------------------------------------------------------------------- 1 | fork_and_access_file_testfile -------------------------------------------------------------------------------- /libos/test/regression/fork_disallowed.manifest.template: -------------------------------------------------------------------------------- 1 | {% set entrypoint = "fork_and_exec" -%} 2 | 3 | loader.entrypoint = "file:{{ gramine.libos }}" 4 | libos.entrypoint = "{{ entrypoint }}" 5 | 6 | loader.log_level = "warning" 7 | loader.env.LD_LIBRARY_PATH = "/lib" 8 | 9 | fs.mounts = [ 10 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 11 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 12 | ] 13 | 14 | # must print a warning: "The app tried to create a subprocess, but this is disabled" 15 | sys.disallow_subprocesses = true 16 | 17 | sgx.debug = true 18 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 19 | 20 | sgx.trusted_files = [ 21 | "file:{{ gramine.libos }}", 22 | "file:{{ gramine.runtimedir(libc) }}/", 23 | "file:{{ binary_dir }}/{{ entrypoint }}", 24 | ] 25 | -------------------------------------------------------------------------------- /libos/test/regression/fstat_cwd.c: -------------------------------------------------------------------------------- 1 | #define _XOPEN_SOURCE 700 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | int main(int argc, char** argv) { 11 | int r, fd; 12 | struct stat buf; 13 | 14 | fd = open(".", O_DIRECTORY); 15 | if (fd == -1) { 16 | printf("Opening CWD returned error %d\n", errno); 17 | return -1; 18 | } 19 | 20 | r = fstat(fd, &buf); 21 | if (r == -1) { 22 | printf("fstat on directory fd returned error %d\n", errno); 23 | return -1; 24 | } 25 | 26 | close(fd); 27 | 28 | if (S_ISDIR(buf.st_mode)) 29 | printf("fstat returned the fd type as S_IFDIR\n"); 30 | 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /libos/test/regression/helloworld.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char** argv) { 4 | printf("Hello world!\n"); 5 | return 0; 6 | } 7 | -------------------------------------------------------------------------------- /libos/test/regression/host_root_fs.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | static int showdir(const char* path) { 5 | struct dirent* de; 6 | 7 | DIR* dir = opendir(path); 8 | if (!dir) { 9 | printf("Could not open directory `%s`\n", path); 10 | return 1; 11 | } 12 | 13 | printf("Contents of directory `%s`:\n", path); 14 | while ((de = readdir(dir))) 15 | printf(" %s\n", de->d_name); 16 | printf("\n"); 17 | 18 | closedir(dir); 19 | return 0; 20 | } 21 | 22 | int main(int argc, char** argv) { 23 | if (showdir("/")) 24 | return 1; 25 | 26 | if (showdir("/var/")) 27 | return 1; 28 | 29 | puts("Test was successful"); 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /libos/test/regression/host_root_fs.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ binary_dir }}/{{ entrypoint }}" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/lib" 5 | 6 | fs.root.uri = "file:/" 7 | 8 | fs.mounts = [ 9 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 10 | # overwrite host "/etc" - we don't want host-level configuration files, e.g. dynamic loader caches 11 | { type = "tmpfs", path = "/etc" }, 12 | ] 13 | 14 | sgx.debug = true 15 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 16 | 17 | sgx.trusted_files = [ 18 | "file:{{ gramine.libos }}", 19 | "file:{{ gramine.runtimedir(libc) }}/", 20 | "file:{{ binary_dir }}/{{ entrypoint }}", 21 | ] 22 | -------------------------------------------------------------------------------- /libos/test/regression/hostname_extra_runtime_conf.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "hostname" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/lib" 5 | loader.insecure__use_cmdline_argv = true 6 | 7 | fs.mounts = [ 8 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 9 | { path = "/hostname", uri = "file:{{ binary_dir }}/hostname" }, 10 | ] 11 | 12 | sys.enable_extra_runtime_domain_names_conf = true 13 | 14 | sgx.debug = true 15 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 16 | 17 | sgx.trusted_files = [ 18 | "file:{{ gramine.libos }}", 19 | "file:{{ gramine.runtimedir(libc) }}/", 20 | "file:{{ binary_dir }}/hostname", 21 | ] 22 | -------------------------------------------------------------------------------- /libos/test/regression/init_fail.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(void) { 4 | printf("Hello world\n"); 5 | return 42; 6 | } 7 | -------------------------------------------------------------------------------- /libos/test/regression/init_fail.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ entrypoint }}" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/lib" 5 | 6 | fs.mounts = [ 7 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 8 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 9 | # purposefully force mount failure to cause early LibOS abort 10 | { path = "/test", uri = "file:I_DONT_EXIST" }, 11 | ] 12 | 13 | sgx.debug = true 14 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 15 | 16 | sgx.trusted_files = [ 17 | "file:{{ gramine.libos }}", 18 | "file:{{ gramine.runtimedir(libc) }}/", 19 | "file:{{ binary_dir }}/{{ entrypoint }}", 20 | ] 21 | -------------------------------------------------------------------------------- /libos/test/regression/init_fail2.manifest.template: -------------------------------------------------------------------------------- 1 | {% set entrypoint = "init_fail" -%} 2 | 3 | loader.entrypoint = "file:{{ gramine.libos }}" 4 | libos.entrypoint = "{{ entrypoint }}" 5 | 6 | loader.env.LD_LIBRARY_PATH = "/lib" 7 | 8 | fs.mounts = [ 9 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 10 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 11 | ] 12 | 13 | sgx.debug = true 14 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 15 | 16 | # this is an impossible combination of options, LibOS must fail very early in init process 17 | sgx.enclave_size = "256M" 18 | sys.brk.max_size = "512M" 19 | 20 | sgx.trusted_files = [ 21 | "file:{{ gramine.libos }}", 22 | "file:{{ gramine.runtimedir(libc) }}/", 23 | "file:{{ binary_dir }}/{{ entrypoint }}", 24 | ] 25 | -------------------------------------------------------------------------------- /libos/test/regression/install_musl_tests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Usage: 4 | # 5 | # install_musl_tests destdir musl_a musl_b musl_c... 6 | # 7 | # Installs `musl_*` binaries to a target directory, removing the `musl_` prefix. 8 | 9 | set -e 10 | 11 | DEST_DIR="$1" 12 | shift 1 13 | 14 | mkdir -p ${DEST_DIR} 15 | 16 | for file in "$@" 17 | do 18 | bn=`basename "${file}"` 19 | cp "${file}" "${DEST_DIR}/${bn#musl_}" 20 | done 21 | -------------------------------------------------------------------------------- /libos/test/regression/multi_pthread.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ entrypoint }}" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/lib" 5 | 6 | fs.mounts = [ 7 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 8 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 9 | ] 10 | 11 | # app runs with 4 parallel threads + Gramine has couple internal threads 12 | sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} 13 | 14 | sgx.debug = true 15 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 16 | sgx.enable_stats = true 17 | 18 | sgx.trusted_files = [ 19 | "file:{{ gramine.libos }}", 20 | "file:{{ gramine.runtimedir(libc) }}/", 21 | "file:{{ binary_dir }}/{{ entrypoint }}", 22 | ] 23 | -------------------------------------------------------------------------------- /libos/test/regression/multi_pthread_exitless.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "multi_pthread" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/lib" 5 | 6 | fs.mounts = [ 7 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 8 | { path = "/multi_pthread", uri = "file:{{ binary_dir }}/multi_pthread" }, 9 | ] 10 | 11 | # app runs with 4 parallel threads + Gramine has couple internal threads 12 | sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} 13 | sgx.insecure__rpc_thread_num = 8 14 | 15 | sgx.debug = true 16 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 17 | sgx.enable_stats = true 18 | 19 | sgx.trusted_files = [ 20 | "file:{{ gramine.libos }}", 21 | "file:{{ gramine.runtimedir(libc) }}/", 22 | "file:{{ binary_dir }}/multi_pthread", 23 | ] 24 | -------------------------------------------------------------------------------- /libos/test/regression/open_file.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation 3 | * Mariusz Zaborski 4 | */ 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | #include "common.h" 11 | 12 | int main(int argc, const char** argv) { 13 | if (argc != 2) { 14 | fprintf(stderr, "This test requires a file to test"); 15 | return 1; 16 | } 17 | 18 | int fd = CHECK(open(argv[1], O_RDONLY)); 19 | CHECK(close(fd)); 20 | 21 | puts("TEST OK"); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /libos/test/regression/openmp.c: -------------------------------------------------------------------------------- 1 | /* build with: gcc -fopenmp openmp-test.c -o openmp-test */ 2 | #include 3 | #include 4 | #include 5 | 6 | int v[10]; 7 | 8 | int main(void) { 9 | /* We need to limit the number of threads, otherwise OpenMP spawns as many threads as available 10 | * logical cores on the machine, which may exceed the TCS count specified in the manifest. 11 | */ 12 | #pragma omp parallel for num_threads(10) 13 | for (int i = 0; i < 10; i++) { 14 | v[i] = i; 15 | } 16 | 17 | printf("first: %d, last: %d\n", v[0], v[9]); 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /libos/test/regression/proc_path.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int main(int argc, char** argv) { 7 | struct stat root, proc_root; 8 | 9 | if (stat("/", &root) == -1) { 10 | perror("stat"); 11 | exit(1); 12 | } 13 | 14 | if (stat("/proc/1/root", &proc_root) == -1) { 15 | perror("stat"); 16 | exit(1); 17 | } 18 | 19 | if (root.st_dev == proc_root.st_dev && root.st_ino == proc_root.st_ino) { 20 | printf("proc path test success\n"); 21 | } else { 22 | printf("proc path test failure\n"); 23 | } 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /libos/test/regression/run_test.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2021 Intel Corporation 3 | * Paweł Marczewski 4 | */ 5 | 6 | /* Wrapper for invoking testing code from inside Gramine (`gramine_run_test`). */ 7 | 8 | #include 9 | 10 | #include "gramine_entry_api.h" 11 | 12 | int main(int argc, char** argv) { 13 | if (argc != 2) { 14 | fprintf(stderr, "usage: %s TEST_NAME\n", argv[0]); 15 | return 1; 16 | } 17 | 18 | const char* test_name = argv[1]; 19 | int ret = gramine_run_test(test_name); 20 | printf("gramine_run_test(\"%s\") = %d\n", test_name, ret); 21 | return ret == 0 ? 0 : 1; 22 | } 23 | -------------------------------------------------------------------------------- /libos/test/regression/rwlock.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ entrypoint }}" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/lib" 5 | loader.insecure__use_cmdline_argv = true 6 | 7 | fs.mounts = [ 8 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 9 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 10 | ] 11 | 12 | sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '200' }} 13 | sgx.debug = true 14 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 15 | 16 | sgx.trusted_files = [ 17 | "file:{{ gramine.libos }}", 18 | "file:{{ gramine.runtimedir(libc) }}/", 19 | "file:{{ binary_dir }}/{{ entrypoint }}", 20 | ] 21 | -------------------------------------------------------------------------------- /libos/test/regression/scripts/bar.sh: -------------------------------------------------------------------------------- 1 | #! scripts/baz.sh ECHO FOXTROT GOLF 2 | -------------------------------------------------------------------------------- /libos/test/regression/scripts/baz.sh: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | echo TEST OK Printing Args: $0 $@ 3 | -------------------------------------------------------------------------------- /libos/test/regression/scripts/foo.sh: -------------------------------------------------------------------------------- 1 | #!scripts/bar.sh ALPHA BRAVO CHARLIE DELTA 2 | 3 | # ^^^ 4 | # three intermediate spaces in the shebang line above are for testing purposes 5 | -------------------------------------------------------------------------------- /libos/test/regression/shared_object.c: -------------------------------------------------------------------------------- 1 | /* a simple helloworld test */ 2 | 3 | #include 4 | 5 | int main(void) { 6 | printf("Hello world\n"); 7 | return 0; 8 | } 9 | -------------------------------------------------------------------------------- /libos/test/regression/shebang_test_script.sh: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | 3 | # ^ ^^ 4 | # leading tab and trailing tabs+spaces in the shebang line above are for testing purposes 5 | 6 | exec scripts/foo.sh 7 | -------------------------------------------------------------------------------- /libos/test/regression/shm.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ entrypoint }}" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/lib" 5 | 6 | fs.mounts = [ 7 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 8 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 9 | { type = "untrusted_shm", path = "/dev/shm", uri = "dev:/dev/shm" }, 10 | ] 11 | 12 | sgx.debug = true 13 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 14 | 15 | sgx.allowed_files = [ 16 | "dev:/dev/shm/shm_test", 17 | ] 18 | 19 | sgx.trusted_files = [ 20 | "file:{{ gramine.libos }}", 21 | "file:{{ gramine.runtimedir(libc) }}/", 22 | "file:{{ binary_dir }}/{{ entrypoint }}", 23 | ] 24 | -------------------------------------------------------------------------------- /libos/test/regression/sigterm_multithread.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ entrypoint }}" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/lib" 5 | 6 | sys.enable_sigterm_injection = true 7 | 8 | fs.mounts = [ 9 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 10 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 11 | ] 12 | 13 | sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '16' }} 14 | sgx.debug = true 15 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 16 | 17 | sgx.trusted_files = [ 18 | "file:{{ gramine.libos }}", 19 | "file:{{ gramine.runtimedir(libc) }}/", 20 | "file:{{ binary_dir }}/{{ entrypoint }}", 21 | ] 22 | -------------------------------------------------------------------------------- /libos/test/regression/syscall.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main(void) { 8 | long ret = 0; 9 | #ifdef __x86_64__ 10 | __asm__ volatile ( 11 | "syscall" 12 | : "=a"(ret) 13 | : "0"(__NR_getpid) 14 | : "memory", "cc", "rcx", "r11" 15 | ); 16 | #endif 17 | if (ret != 1) 18 | errx(EXIT_FAILURE, "getpid syscall: %ld (expected 1)", ret); 19 | 20 | puts("TEST OK"); 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /libos/test/regression/sysfs_common.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2021 Intel Corporation 3 | * Paweł Marczewski 4 | */ 5 | 6 | #include "dump.h" 7 | 8 | int main(int argc, char** argv) { 9 | if (dump_path("/sys") < 0) 10 | return 1; 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /libos/test/regression/sysfs_common.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ entrypoint }}" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/lib" 5 | 6 | fs.mounts = [ 7 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 8 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 9 | ] 10 | 11 | sgx.debug = true 12 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 13 | 14 | sgx.trusted_files = [ 15 | "file:{{ gramine.libos }}", 16 | "file:{{ gramine.runtimedir(libc) }}/", 17 | "file:{{ binary_dir }}/{{ entrypoint }}", 18 | ] 19 | -------------------------------------------------------------------------------- /libos/test/regression/test_sigterm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | rm -f tmp/shell_fifo 6 | mkfifo tmp/shell_fifo 7 | 8 | $@ 2>&1 >tmp/shell_fifo & 9 | pid=$! 10 | 11 | while read line; do 12 | case "$line" in 13 | *READY*) 14 | break 15 | ;; 16 | *) 17 | ;; 18 | esac 19 | done 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main(int argc, char** argv) { 8 | uid_t uid = getuid(); 9 | uid_t euid = geteuid(); 10 | 11 | if (uid != 1338 || euid != 1338) { 12 | errx(EXIT_FAILURE, "UID/effective UID are not equal to the value in the manifest"); 13 | } 14 | 15 | uid_t gid = getgid(); 16 | uid_t egid = getegid(); 17 | 18 | if (gid != 1337 || egid != 1337) { 19 | errx(EXIT_FAILURE, "GID/effective GID are not equal to the value in the manifest"); 20 | } 21 | 22 | puts("TEST OK"); 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /libos/test/regression/uid_gid.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ gramine.libos }}" 2 | libos.entrypoint = "{{ entrypoint }}" 3 | 4 | loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/{{ arch_libdir }}" 5 | 6 | loader.uid = 1338 7 | loader.gid = 1337 8 | 9 | fs.mounts = [ 10 | { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, 11 | { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, 12 | ] 13 | 14 | sgx.debug = true 15 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 16 | 17 | sgx.trusted_files = [ 18 | "file:{{ gramine.libos }}", 19 | "file:{{ gramine.runtimedir(libc) }}/", 20 | "file:{{ binary_dir }}/{{ entrypoint }}", 21 | ] 22 | -------------------------------------------------------------------------------- /libos/test/regression/unknown_testfile: -------------------------------------------------------------------------------- 1 | unknown_testfile 2 | -------------------------------------------------------------------------------- /packaging/alpine/.gitignore: -------------------------------------------------------------------------------- 1 | /build-dist/ 2 | /pkg/ 3 | /src/ 4 | -------------------------------------------------------------------------------- /packaging/docker/build.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | usage() { 4 | echo "Usage: build.sh [ubuntu20,ubuntu22]" 5 | exit 1 6 | } 7 | 8 | if [ $# -ne 1 ]; then 9 | usage 10 | fi 11 | 12 | image="" 13 | codename="" 14 | 15 | case "$1" in 16 | ubuntu20) 17 | image="ubuntu:20.04" 18 | codename="focal" 19 | ;; 20 | ubuntu22) 21 | image="ubuntu:22.04" 22 | codename="jammy" 23 | ;; 24 | *) 25 | usage 26 | ;; 27 | esac 28 | 29 | docker build \ 30 | --build-arg UBUNTU_IMAGE="${image}" \ 31 | --build-arg UBUNTU_CODENAME="${codename}" \ 32 | -t gramineproject/gramine:stable-"${codename}" \ 33 | . 34 | -------------------------------------------------------------------------------- /packaging/docker/restart_aesm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | killall -q aesm_service || true 6 | 7 | AESM_PATH=/opt/intel/sgx-aesm-service/aesm LD_LIBRARY_PATH=/opt/intel/sgx-aesm-service/aesm exec /opt/intel/sgx-aesm-service/aesm/aesm_service --no-syslog 8 | -------------------------------------------------------------------------------- /pal/include/arch/x86_64/linux-sgx/pal_host_arch.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | /* 4 | * This file contains Linux-SGX-specific functions related to the PAL. 5 | */ 6 | 7 | #pragma once 8 | 9 | /* Linux v5.16 supports Intel AMX. To enable this feature, Linux added several XSTATE-related 10 | * arch_prctl() commands. To support Gramine on older Linux kernels, we explicitly define 11 | * the required ARCH_REQ_XCOMP_PERM command. See 12 | * https://elixir.bootlin.com/linux/v5.16/source/arch/x86/include/uapi/asm/prctl.h */ 13 | #ifndef ARCH_REQ_XCOMP_PERM 14 | #define ARCH_REQ_XCOMP_PERM 0x1023 15 | #endif 16 | -------------------------------------------------------------------------------- /pal/include/arch/x86_64/linux-sgx/sigcontext.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | /* 4 | * Linux-SGX PAL uses Linux's sigcontext.h 5 | */ 6 | 7 | #pragma once 8 | 9 | #include "linux/sigcontext.h" 10 | -------------------------------------------------------------------------------- /pal/include/arch/x86_64/linux-sgx/ucontext.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | /* 4 | * Linux-SGX PAL uses Linux's ucontext.h 5 | */ 6 | 7 | #pragma once 8 | 9 | #include "linux/ucontext.h" 10 | -------------------------------------------------------------------------------- /pal/include/arch/x86_64/linux/sigreturn.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #pragma once 4 | 5 | void syscall_rt_sigreturn(void); 6 | -------------------------------------------------------------------------------- /pal/include/arch/x86_64/skeleton/pal_host_arch.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #pragma once 4 | 5 | /* 6 | * This file contains Skeleton-specific functions related to the PAL. 7 | */ 8 | -------------------------------------------------------------------------------- /pal/include/arch/x86_64/skeleton/sigcontext.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #pragma once 4 | -------------------------------------------------------------------------------- /pal/include/arch/x86_64/skeleton/ucontext.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #pragma once 4 | 5 | /* 6 | * Skeleton uses Linux's ucontext.h (for now) 7 | */ 8 | #include "linux/ucontext.h" 9 | -------------------------------------------------------------------------------- /pal/include/arch/x86_64/vm/pal_host_arch.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #pragma once 4 | -------------------------------------------------------------------------------- /pal/include/arch/x86_64/vm/sigcontext.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #pragma once 4 | -------------------------------------------------------------------------------- /pal/include/arch/x86_64/vm/ucontext.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #pragma once 4 | -------------------------------------------------------------------------------- /pal/include/host/linux-common/etc_host_info.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2022 Intel Corporation 3 | * Mariusz Zaborski 4 | */ 5 | 6 | #pragma once 7 | 8 | #include "pal.h" 9 | 10 | int parse_resolv_conf(struct pal_dns_host_conf* conf); 11 | 12 | int get_hosts_hostname(char* hostname, size_t size); 13 | -------------------------------------------------------------------------------- /pal/include/host/linux-common/etc_host_info_internal.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2022 Intel Corporation 3 | * Mariusz Zaborski 4 | */ 5 | 6 | /* 7 | * This file contains a list of external functions for which Gramine has unit tests. 8 | */ 9 | 10 | #pragma once 11 | 12 | bool parse_ip_addr_ipv4(const char** pptr, uint32_t* out_addr); 13 | bool parse_ip_addr_ipv6(const char** pptr, uint16_t out_addr[static 8]); 14 | -------------------------------------------------------------------------------- /pal/include/host/linux-common/topo_info.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2021 Intel Corporation 3 | * Vijay Dhanraj 4 | */ 5 | 6 | #pragma once 7 | 8 | #include "pal.h" 9 | 10 | /* Reads up to count bytes from the file into the buf passed. 11 | * Returns 0 or number of bytes read on success and UNIX error code on failure. 12 | */ 13 | ssize_t read_file_buffer(const char* filename, char* buf, size_t count); 14 | 15 | /* Fills topo_info with CPU and NUMA topology from the host */ 16 | int get_topology_info(struct pal_topo_info* topo_info); 17 | -------------------------------------------------------------------------------- /pal/include/meson.build: -------------------------------------------------------------------------------- 1 | includes_pal_common = [ 2 | include_directories( 3 | '.', 4 | 'pal', 5 | 'arch' / host_machine.cpu_family(), 6 | ), 7 | common_inc, 8 | ] 9 | 10 | includes_pal_for_libos = [ 11 | include_directories( 12 | '.', 13 | 'pal', 14 | 'elf', 15 | 'arch' / host_machine.cpu_family(), 16 | 'arch' / host_machine.cpu_family() / 'linux', 17 | ), 18 | # PAL headers use `api.h`, `cpu.h` etc. 19 | common_inc, 20 | ] 21 | -------------------------------------------------------------------------------- /pal/meson.build: -------------------------------------------------------------------------------- 1 | subdir('include') 2 | subdir('src') 3 | 4 | if enable_tests 5 | subdir('regression') 6 | endif 7 | 8 | if debug 9 | install_data( 10 | 'gdb_integration/gramine.gdb', 11 | 'gdb_integration/debug_map_gdb.py', 12 | 'gdb_integration/language_gdb.py', 13 | 'gdb_integration/pagination_gdb.py', 14 | install_dir: pkglibdir / 'gdb_integration', 15 | ) 16 | endif 17 | -------------------------------------------------------------------------------- /pal/regression/..Bootstrap.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_regression.h" 3 | 4 | int main(int argc, char** argv, char** envp) { 5 | /* check if the program is loaded */ 6 | pal_printf("User Program Started\n"); 7 | 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /pal/regression/.gitignore: -------------------------------------------------------------------------------- 1 | /*.tmp 2 | /*.xml 3 | /*.manifest 4 | 5 | /build.ninja 6 | /.ninja_* 7 | -------------------------------------------------------------------------------- /pal/regression/Bootstrap6.manifest.template: -------------------------------------------------------------------------------- 1 | {% set entrypoint = "Bootstrap" -%} 2 | 3 | loader.entrypoint = "file:{{ binary_dir }}/{{ entrypoint }}" 4 | loader.log_level = "debug" 5 | 6 | sgx.enclave_size = "8192M" 7 | sgx.debug = true 8 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 9 | 10 | sgx.trusted_files = [ "file:{{ binary_dir }}/{{ entrypoint }}" ] 11 | -------------------------------------------------------------------------------- /pal/regression/Bootstrap7.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_regression.h" 3 | 4 | int main(int argc, char** argv, char** envp) { 5 | pal_printf("User Program Started\n"); 6 | 7 | for (int i = 0; envp[i]; i++) 8 | pal_printf("%s\n", envp[i]); 9 | 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /pal/regression/Exception2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "pal.h" 4 | #include "pal_regression.h" 5 | 6 | int count = 0; 7 | int i = 0; 8 | 9 | static void handler(bool is_in_pal, uintptr_t addr, PAL_CONTEXT* context) { 10 | __UNUSED(is_in_pal); 11 | 12 | pal_printf("failure in the handler: 0x%08lx\n", addr); 13 | count++; 14 | 15 | if (count == 30) 16 | PalProcessExit(0); 17 | } 18 | 19 | int main(void) { 20 | pal_printf("Enter Main Thread\n"); 21 | 22 | PalSetExceptionHandler(handler, PAL_EVENT_ARITHMETIC_ERROR); 23 | 24 | __asm__ volatile ( 25 | "movq $1, %%rax\n" 26 | "cqo\n" 27 | "movq $0, %%rbx\n" 28 | "divq %%rbx\n" 29 | "nop\n" 30 | ::: "rax", "rbx", "rdx", "cc"); 31 | 32 | pal_printf("Leave Main Thread\n"); 33 | return 0; 34 | } 35 | -------------------------------------------------------------------------------- /pal/regression/Exit.c: -------------------------------------------------------------------------------- 1 | #include "api.h" 2 | #include "pal.h" 3 | #include "pal_regression.h" 4 | 5 | int main(int argc, char** argv, char** envp) { 6 | PalProcessExit(112); 7 | } 8 | -------------------------------------------------------------------------------- /pal/regression/File.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ binary_dir }}/{{ entrypoint }}" 2 | loader.log_level = "debug" 3 | 4 | sgx.debug = true 5 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 6 | 7 | sgx.allowed_files = [ 8 | "file:{{ binary_dir }}/{{ entrypoint }}", 9 | "file:{{ entrypoint }}.manifest", 10 | "file:../regression/{{ entrypoint }}.manifest", 11 | "file:file_nonexist.tmp", 12 | "file:file_delete.tmp", 13 | ] 14 | -------------------------------------------------------------------------------- /pal/regression/HelloWorld.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_regression.h" 3 | 4 | char str[13] = "Hello World\n"; 5 | 6 | int main(int argc, char** argv, char** envp) { 7 | pal_printf("start program: HelloWorld\n"); 8 | 9 | PAL_HANDLE out = NULL; 10 | int ret = PalStreamOpen("console:", PAL_ACCESS_WRONLY, /*share_flags=*/0, PAL_CREATE_NEVER, 11 | /*options=*/0, &out); 12 | 13 | if (ret < 0) { 14 | pal_printf("PalStreamOpen failed\n"); 15 | return 1; 16 | } 17 | 18 | size_t bytes = sizeof(str) - 1; 19 | ret = PalStreamWrite(out, 0, &bytes, str); 20 | 21 | if (ret < 0 || bytes != sizeof(str) - 1) { 22 | pal_printf("PalStreamWrite failed\n"); 23 | return 1; 24 | } 25 | 26 | PalObjectDestroy(out); 27 | return 0; 28 | } 29 | -------------------------------------------------------------------------------- /pal/regression/Hex.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "hex.h" 4 | #include "pal.h" 5 | #include "pal_regression.h" 6 | 7 | char x[] = {0xde, 0xad, 0xbe, 0xef}; 8 | char y[] = {0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd}; 9 | 10 | static_assert(sizeof(x) <= sizeof(y), "array x is longer than array y"); 11 | char hex_buf[sizeof(y) * 2 + 1]; 12 | 13 | int main(void) { 14 | pal_printf("Hex test 1 is %s\n", bytes2hex(x, sizeof(x), hex_buf, sizeof(hex_buf))); 15 | pal_printf("Hex test 2 is %s\n", bytes2hex(y, sizeof(y), hex_buf, sizeof(hex_buf))); 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /pal/regression/Makefile: -------------------------------------------------------------------------------- 1 | # Disable implicit rules so that Make doesn't try to compile the binaries 2 | .SUFFIXES: 3 | 4 | .PHONY: all 5 | all: 6 | @echo "Use gramine-test for running tests." 7 | 8 | # TODO: Python tests should not produce leftovers 9 | .PHONY: clean 10 | clean: 11 | gramine-test clean 12 | $(RM) -r \ 13 | .pytest_cache \ 14 | __pycache__ \ 15 | *.xml \ 16 | *.tmp 17 | -------------------------------------------------------------------------------- /pal/regression/Pie.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_regression.h" 3 | 4 | char str[13] = "Hello World\n"; 5 | 6 | int main(int argc, char** argv, char** envp) { 7 | pal_printf("start program: Pie\n"); 8 | 9 | PAL_HANDLE out = NULL; 10 | int ret = PalStreamOpen("console:", PAL_ACCESS_WRONLY, /*share_flags=*/0, PAL_CREATE_NEVER, 11 | /*options=*/0, &out); 12 | 13 | if (ret < 0) { 14 | pal_printf("PalStreamOpen failed\n"); 15 | return 1; 16 | } 17 | 18 | size_t bytes = sizeof(str) - 1; 19 | ret = PalStreamWrite(out, 0, &bytes, str); 20 | 21 | if (ret < 0 || bytes != sizeof(str) - 1) { 22 | pal_printf("PalStreamWrite failed\n"); 23 | return 1; 24 | } 25 | 26 | PalObjectDestroy(out); 27 | return 0; 28 | } 29 | -------------------------------------------------------------------------------- /pal/regression/Segment.c: -------------------------------------------------------------------------------- 1 | #include "pal.h" 2 | #include "pal_regression.h" 3 | 4 | uintptr_t dummy = (uintptr_t)&dummy; 5 | 6 | int main(int argc, char** argv, char** envp) { 7 | if (PalSegmentBaseSet(PAL_SEGMENT_FS, dummy) < 0) { 8 | pal_printf("Error setting FS\n"); 9 | return 1; 10 | } 11 | 12 | uintptr_t* ptr; 13 | __asm__ volatile("mov %%fs:0, %0" : "=r"(ptr)::"memory"); 14 | 15 | if (ptr != &dummy) { 16 | pal_printf("Wrong FS set: %p\n", ptr); 17 | return 1; 18 | } 19 | 20 | pal_printf("Test OK\n"); 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /pal/regression/Thread2.manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ binary_dir }}/{{ entrypoint }}" 2 | 3 | sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '2' }} 4 | sgx.enable_stats = true 5 | sgx.debug = true 6 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 7 | 8 | sgx.trusted_files = [ "file:{{ binary_dir }}/{{ entrypoint }}" ] 9 | -------------------------------------------------------------------------------- /pal/regression/Thread2_edmm.manifest.template: -------------------------------------------------------------------------------- 1 | {% set entrypoint = "Thread2" -%} 2 | 3 | loader.entrypoint = "file:{{ binary_dir }}/{{ entrypoint }}" 4 | 5 | sgx.max_threads = 1 6 | sgx.debug = true 7 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 8 | 9 | sgx.trusted_files = [ "file:{{ binary_dir }}/{{ entrypoint }}" ] 10 | -------------------------------------------------------------------------------- /pal/regression/Thread2_exitless.manifest.template: -------------------------------------------------------------------------------- 1 | {% set entrypoint = "Thread2" -%} 2 | 3 | loader.entrypoint = "file:{{ binary_dir }}/{{ entrypoint }}" 4 | 5 | sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '2' }} 6 | sgx.insecure__rpc_thread_num = 2 7 | sgx.enable_stats = true 8 | sgx.debug = true 9 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 10 | 11 | sgx.trusted_files = [ "file:{{ binary_dir }}/{{ entrypoint }}" ] 12 | -------------------------------------------------------------------------------- /pal/regression/crt_init/arch/meson.build: -------------------------------------------------------------------------------- 1 | subdir(host_machine.cpu_family()) 2 | -------------------------------------------------------------------------------- /pal/regression/crt_init/arch/x86_64/meson.build: -------------------------------------------------------------------------------- 1 | pal_regression_arch_user_start = nasm_gen.process('user_start.nasm') 2 | -------------------------------------------------------------------------------- /pal/regression/crt_init/meson.build: -------------------------------------------------------------------------------- 1 | pal_regression_user_start = files('start_main.c') 2 | 3 | # Arch-specific meson.build must define the following Meson variables: 4 | # - `pal_regression_arch_user_start` - a list of arch-specific sources. 5 | subdir('arch') 6 | pal_regression_user_start += pal_regression_arch_user_start 7 | -------------------------------------------------------------------------------- /pal/regression/crt_init/start_main.c: -------------------------------------------------------------------------------- 1 | #include "pal_regression.h" 2 | 3 | int pal_regression_start_main(int argc, char** argv, char** envp, 4 | int (*main)(int argc, char** argv, char** envp)); 5 | 6 | int pal_regression_start_main(int argc, char** argv, char** envp, 7 | int (*main)(int argc, char** argv, char** envp)) { 8 | init_memory_management(); 9 | return main(argc, argv, envp); 10 | } 11 | -------------------------------------------------------------------------------- /pal/regression/manifest.template: -------------------------------------------------------------------------------- 1 | loader.entrypoint = "file:{{ binary_dir }}/{{ entrypoint }}" 2 | loader.log_level = "debug" 3 | loader.insecure__use_cmdline_argv = true 4 | 5 | sgx.debug = true 6 | sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 7 | 8 | # for Exception test (memfault handler) 9 | sgx.use_exinfo = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 10 | 11 | sgx.allowed_files = [ 12 | "file:test.txt", # for File2 test 13 | "file:to_send.tmp", # for PalSendHandle test 14 | ] 15 | 16 | sgx.trusted_files = [ 17 | "file:{{ binary_dir }}/{{ entrypoint }}", 18 | ] 19 | -------------------------------------------------------------------------------- /pal/src/arch/meson.build: -------------------------------------------------------------------------------- 1 | subdir(host_machine.cpu_family()) 2 | -------------------------------------------------------------------------------- /pal/src/arch/x86_64/meson.build: -------------------------------------------------------------------------------- 1 | pal_common_sources_arch = files( 2 | 'pal_cpuid.c', 3 | ) 4 | -------------------------------------------------------------------------------- /pal/src/host/linux-common/arch/meson.build: -------------------------------------------------------------------------------- 1 | subdir(host_machine.cpu_family()) 2 | -------------------------------------------------------------------------------- /pal/src/host/linux-common/arch/x86_64/meson.build: -------------------------------------------------------------------------------- 1 | pal_linux_common_sources_host_arch = files( 2 | 'syscall.S', 3 | ) 4 | pal_linux_common_sources_host_arch += nasm_gen.process('stack_probe.nasm') 5 | -------------------------------------------------------------------------------- /pal/src/host/linux-common/arch/x86_64/stack_probe.nasm: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: LGPL-3.0-or-later 2 | ; Copyright (C) 2022 Intel Corporation 3 | ; Borys Popławski 4 | 5 | global probe_stack 6 | section .text 7 | 8 | ; void probe_stack(size_t pages_count) 9 | probe_stack: 10 | mov rcx, rdi 11 | mov rdi, rsp 12 | 13 | .Lrep: 14 | sub rsp, 0x1000 15 | or QWORD [rsp], 0 16 | loop .Lrep 17 | 18 | mov rsp, rdi 19 | ret 20 | -------------------------------------------------------------------------------- /pal/src/host/linux-common/main_exec_path.c: -------------------------------------------------------------------------------- 1 | #include "api.h" 2 | #include "linux_utils.h" 3 | #include "syscall.h" 4 | 5 | /* In theory we could get symlink length using `lstat`, but that does not work on `/proc/self/exe` 6 | * (because it's not really a symlink). */ 7 | #define BUF_SIZE 1023u 8 | 9 | char* get_main_exec_path(void) { 10 | char* buf = malloc(BUF_SIZE + 1); 11 | if (!buf) { 12 | return NULL; 13 | } 14 | 15 | ssize_t len = DO_SYSCALL(readlink, "/proc/self/exe", buf, BUF_SIZE); 16 | if (len < 0) { 17 | free(buf); 18 | return NULL; 19 | } 20 | buf[len] = '\0'; 21 | 22 | return buf; 23 | } 24 | -------------------------------------------------------------------------------- /pal/src/host/linux-common/meson.build: -------------------------------------------------------------------------------- 1 | pal_linux_common_sources_enclave = files( 2 | 'bogomips.c', 3 | 'gramine_unix_socket_addr.c', 4 | 'file_info.c', 5 | ) 6 | pal_linux_common_sources_host = files( 7 | 'debug_map.c', 8 | 'etc_host_info.c', 9 | 'file_utils.c', 10 | 'main_exec_path.c', 11 | 'proc_maps.c', 12 | 'reserved_ranges.c', 13 | 'timespec_utils.c', 14 | 'topo_info.c', 15 | ) 16 | 17 | # Arch-specific meson.build must define the following Meson variables: 18 | # - `pal_linux_common_sources_host_arch` - a list of arch-specific sources. 19 | subdir('arch') 20 | pal_linux_common_sources_host += pal_linux_common_sources_host_arch 21 | 22 | pal_linux_common_sources = [ 23 | pal_linux_common_sources_enclave, 24 | pal_linux_common_sources_host, 25 | ] 26 | -------------------------------------------------------------------------------- /pal/src/host/linux-sgx/enclave_ecalls.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | #pragma once 4 | 5 | void handle_ecall(long ecall_index, void* ecall_args, void* exit_target, void* enclave_base_addr); 6 | -------------------------------------------------------------------------------- /pal/src/host/linux-sgx/host_ecalls.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #include "sgx_arch.h" 6 | #include "pal.h" 7 | #include "pal_topology.h" 8 | 9 | int ecall_enclave_start(char* libpal_uri, char* args, size_t args_size, char* env, size_t env_size, 10 | int parent_stream_fd, sgx_target_info_t* qe_targetinfo, 11 | struct pal_topo_info* topo_info, struct pal_dns_host_conf* host_conf, 12 | bool edmm_enabled, void* reserved_mem_ranges, 13 | size_t reserved_mem_ranges_size); 14 | 15 | int ecall_thread_start(void); 16 | 17 | int ecall_thread_reset(void); 18 | -------------------------------------------------------------------------------- /pal/src/host/linux-sgx/host_process.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2021 Intel Corporation 3 | * Wojtek Porczyk 4 | */ 5 | 6 | #pragma once 7 | 8 | #include 9 | 10 | int sgx_create_process(size_t nargs, const char** args, const char* manifest, 11 | void* reserved_mem_ranges, size_t reserved_mem_ranges_size, 12 | int* out_stream_fd); 13 | 14 | int sgx_init_child_process(int parent_stream_fd, char** out_application_path, char** out_manifest, 15 | void** out_reserved_mem_ranges, size_t* out_reserved_mem_ranges_size); 16 | -------------------------------------------------------------------------------- /pal/src/host/linux-sgx/host_syscall.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "syscall.h" 4 | 5 | long do_syscall_intr(long nr, ...); 6 | void do_syscall_intr_after_check1(void); 7 | void do_syscall_intr_after_check2(void); 8 | void do_syscall_intr_eintr(void); 9 | 10 | #define DO_SYSCALL_INTERRUPTIBLE(name, args...) do_syscall_intr(__NR_##name, ##args) 11 | -------------------------------------------------------------------------------- /pal/src/host/linux-sgx/pal.map.template: -------------------------------------------------------------------------------- 1 | PAL { 2 | global: @PAL_SYMBOLS@ 3 | local: *; 4 | }; 5 | -------------------------------------------------------------------------------- /pal/src/host/linux-sgx/pal_sgx.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2022 Intel Corporation 3 | * Borys Popławski 4 | */ 5 | 6 | #include "pal.h" 7 | #include "sgx_arch.h" 8 | 9 | static inline uint64_t PAL_TO_SGX_PROT(pal_prot_flags_t pal_prot) { 10 | return (pal_prot & PAL_PROT_READ ? SGX_SECINFO_FLAGS_R : 0) 11 | | (pal_prot & PAL_PROT_WRITE ? SGX_SECINFO_FLAGS_W : 0) 12 | | (pal_prot & PAL_PROT_EXEC ? SGX_SECINFO_FLAGS_X : 0); 13 | } 14 | -------------------------------------------------------------------------------- /pal/src/host/linux/arch/meson.build: -------------------------------------------------------------------------------- 1 | subdir(host_machine.cpu_family()) 2 | -------------------------------------------------------------------------------- /pal/src/host/linux/arch/x86_64/meson.build: -------------------------------------------------------------------------------- 1 | pal_direct_sources_arch = files( 2 | 'pal_arch_exception.c', 3 | 'pal_arch_misc.c', 4 | 'pal_start.S', 5 | ) 6 | 7 | pal_direct_lds = meson.current_source_dir() / 'pal.lds' 8 | -------------------------------------------------------------------------------- /pal/src/host/linux/arch/x86_64/pal_start.S: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | 3 | /* 4 | * pal_start-x86_64.S 5 | * 6 | * This file contains architecture-specific implementation of pal_start. 7 | */ 8 | 9 | .text 10 | .global pal_start 11 | .type pal_start, @function 12 | .align 0x10 13 | pal_start: 14 | .cfi_startproc 15 | movq %rsp, %rdi /* 1st arg for pal_linux_main: initial RSP */ 16 | movq %rdx, %rsi /* 2nd arg: fini callback */ 17 | xorq %rbp, %rbp /* mark the last stack frame with RBP == 0 (for debuggers) */ 18 | andq $~0xf, %rsp 19 | call pal_linux_main 20 | /* Unreachable. */ 21 | .cfi_endproc 22 | -------------------------------------------------------------------------------- /pal/src/host/linux/gdb_integration/gramine_linux_gdb.py: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-3.0-or-later 2 | # Copyright (C) 2020 Intel Corporation 3 | # Michał Kowalczyk 4 | 5 | import os 6 | import gdb # pylint: disable=import-error 7 | 8 | def main(): 9 | common_path = '../../gdb_integration/' 10 | for filename in [ 11 | common_path + 'language_gdb.py', 12 | common_path + 'pagination_gdb.py', 13 | common_path + 'debug_map_gdb.py', 14 | common_path + 'gramine.gdb', 15 | ]: 16 | print("[%s] Loading %s..." % (os.path.basename(__file__), filename)) 17 | path = os.path.join(os.path.dirname(__file__), filename) 18 | gdb.execute("source " + path) 19 | 20 | if __name__ == '__main__': 21 | main() 22 | -------------------------------------------------------------------------------- /pal/src/host/linux/pal.map.template: -------------------------------------------------------------------------------- 1 | PAL { 2 | global: @PAL_SYMBOLS@ 3 | local: *; 4 | }; 5 | -------------------------------------------------------------------------------- /pal/src/host/linux/pal_linux_defs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* mmap minimum address cannot start at zero (modern OSes do not allow this) */ 4 | #define MMAP_MIN_ADDR 0x10000 5 | 6 | #define THREAD_STACK_SIZE (PRESET_PAGESIZE * 16) /* 64KB user stack */ 7 | #define ALT_STACK_SIZE (PRESET_PAGESIZE * 16) /* 64KB signal stack */ 8 | -------------------------------------------------------------------------------- /pal/src/host/meson.build: -------------------------------------------------------------------------------- 1 | subdir('linux-common') 2 | if skeleton 3 | subdir('skeleton') 4 | endif 5 | if direct 6 | subdir('linux') 7 | endif 8 | if sgx 9 | subdir('linux-sgx') 10 | endif 11 | 12 | if vm or tdx 13 | subdir('vm-common') 14 | endif 15 | if vm 16 | subdir('vm') 17 | endif 18 | if tdx 19 | subdir('tdx') 20 | endif 21 | -------------------------------------------------------------------------------- /pal/src/host/skeleton/arch/meson.build: -------------------------------------------------------------------------------- 1 | subdir(host_machine.cpu_family()) 2 | -------------------------------------------------------------------------------- /pal/src/host/skeleton/arch/x86_64/meson.build: -------------------------------------------------------------------------------- 1 | pal_skeleton_lds = meson.current_source_dir() / 'pal.lds' 2 | -------------------------------------------------------------------------------- /pal/src/host/skeleton/pal.map.template: -------------------------------------------------------------------------------- 1 | PAL { 2 | global: @PAL_SYMBOLS@ 3 | local: *; 4 | }; 5 | -------------------------------------------------------------------------------- /pal/src/host/skeleton/pal_exception.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This file contains APIs to set up handlers of exceptions issued by the host, and the methods to 6 | * pass the exceptions to the upcalls. 7 | */ 8 | 9 | #include "api.h" 10 | #include "pal.h" 11 | #include "pal_error.h" 12 | #include "pal_internal.h" 13 | 14 | __attribute__((unused)) // Should be used by exception handling logic 15 | static pal_event_handler_t g_handlers[PAL_EVENT_NUM_BOUND] = {0}; 16 | -------------------------------------------------------------------------------- /pal/src/host/skeleton/pal_main.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This file contains the main function of the PAL loader, which loads and processes environment, 6 | * arguments and manifest. 7 | */ 8 | 9 | #include "api.h" 10 | #include "pal.h" 11 | #include "pal_error.h" 12 | #include "pal_internal.h" 13 | 14 | /* must implement "pal_start", and call "pal_main" inside */ 15 | void pal_start(void); 16 | -------------------------------------------------------------------------------- /pal/src/host/skeleton/pal_object.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This file contains APIs for closing or polling PAL handles. 6 | */ 7 | 8 | #include "api.h" 9 | #include "pal.h" 10 | #include "pal_error.h" 11 | #include "pal_internal.h" 12 | 13 | int _PalStreamsWaitEvents(size_t count, PAL_HANDLE* handle_array, pal_wait_flags_t* events, 14 | pal_wait_flags_t* ret_events, uint64_t* timeout_us) { 15 | return -PAL_ERROR_NOTIMPLEMENTED; 16 | } 17 | -------------------------------------------------------------------------------- /pal/src/host/skeleton/pal_rtld.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This file contains host-specific code related to linking and reporting ELFs to debugger. 6 | */ 7 | 8 | #include 9 | 10 | #include "pal_rtld.h" 11 | 12 | void _PalDebugMapAdd(const char* name, void* addr) {} 13 | 14 | void _PalDebugMapRemove(void* addr) {} 15 | 16 | int _PalDebugDescribeLocation(uintptr_t addr, char* buf, size_t buf_size) { 17 | __UNUSED(addr); 18 | __UNUSED(buf); 19 | __UNUSED(buf_size); 20 | return -ENOSYS; 21 | } 22 | -------------------------------------------------------------------------------- /pal/src/host/skeleton/pal_streams.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2014 Stony Brook University */ 3 | 4 | /* 5 | * This file contains APIs to open, read, write and get attributes of streams. 6 | */ 7 | 8 | #include "api.h" 9 | #include "pal.h" 10 | #include "pal_error.h" 11 | #include "pal_internal.h" 12 | 13 | int _PalSendHandle(PAL_HANDLE target_process, PAL_HANDLE cargo) { 14 | return -PAL_ERROR_NOTIMPLEMENTED; 15 | } 16 | 17 | int _PalReceiveHandle(PAL_HANDLE source_process, PAL_HANDLE* out_cargo) { 18 | return -PAL_ERROR_NOTIMPLEMENTED; 19 | } 20 | 21 | int _PalInitDebugStream(const char* path) { 22 | return -PAL_ERROR_NOTIMPLEMENTED; 23 | } 24 | 25 | int _PalDebugLog(const void* buf, size_t size) { 26 | return -PAL_ERROR_NOTIMPLEMENTED; 27 | } 28 | -------------------------------------------------------------------------------- /pal/src/host/tdx/pal.map.template: -------------------------------------------------------------------------------- 1 | PAL { 2 | global: @PAL_SYMBOLS@ 3 | local: *; 4 | }; 5 | -------------------------------------------------------------------------------- /pal/src/host/tdx/pal_console.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | #include "pal.h" 5 | #include "pal_common.h" 6 | #include "pal_internal.h" 7 | 8 | struct handle_ops g_console_ops = { 9 | .open = &pal_common_console_open, 10 | .read = &pal_common_console_read, 11 | .write = &pal_common_console_write, 12 | .destroy = &pal_common_console_destroy, 13 | .flush = &pal_common_console_flush, 14 | }; 15 | -------------------------------------------------------------------------------- /pal/src/host/tdx/pal_eventfd.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | #include "pal.h" 5 | #include "pal_common.h" 6 | #include "pal_internal.h" 7 | 8 | struct handle_ops g_eventfd_ops = { 9 | .open = &pal_common_eventfd_open, 10 | .read = &pal_common_eventfd_read, 11 | .write = &pal_common_eventfd_write, 12 | .destroy = &pal_common_eventfd_destroy, 13 | .attrquerybyhdl = &pal_common_eventfd_attrquerybyhdl, 14 | }; 15 | -------------------------------------------------------------------------------- /pal/src/host/tdx/pal_events.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | #include "pal.h" 5 | #include "pal_common.h" 6 | #include "pal_internal.h" 7 | 8 | int _PalEventCreate(struct pal_handle** handle_ptr, bool init_signaled, bool auto_clear) { 9 | return pal_common_event_create(handle_ptr, init_signaled, auto_clear); 10 | } 11 | 12 | void _PalEventSet(struct pal_handle* handle) { 13 | pal_common_event_set(handle); 14 | } 15 | 16 | void _PalEventClear(struct pal_handle* handle) { 17 | pal_common_event_clear(handle); 18 | } 19 | 20 | int _PalEventWait(struct pal_handle* handle, uint64_t* timeout_us) { 21 | return pal_common_event_wait(handle, timeout_us); 22 | } 23 | 24 | struct handle_ops g_event_ops = {}; 25 | -------------------------------------------------------------------------------- /pal/src/host/tdx/pal_exception.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | /* 5 | * This file contains APIs to set up signal handlers and seccomp. 6 | */ 7 | 8 | #include "api.h" 9 | #include "pal.h" 10 | #include "pal_error.h" 11 | #include "pal_internal.h" 12 | 13 | /* nothing to do here; all logic is in vm-common/pal_common_exception.c */ 14 | -------------------------------------------------------------------------------- /pal/src/host/tdx/pal_object.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | #include "pal.h" 5 | #include "pal_common.h" 6 | #include "pal_internal.h" 7 | 8 | int _PalStreamsWaitEvents(size_t count, PAL_HANDLE* handle_array, pal_wait_flags_t* events, 9 | pal_wait_flags_t* ret_events, uint64_t* timeout_us) { 10 | return pal_common_streams_wait_events(count, handle_array, events, ret_events, timeout_us); 11 | } 12 | -------------------------------------------------------------------------------- /pal/src/host/tdx/pal_pipes.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | #include "pal.h" 5 | #include "pal_common.h" 6 | #include "pal_internal.h" 7 | 8 | struct handle_ops g_pipe_ops = { 9 | .open = &pal_common_pipe_open, 10 | .waitforclient = &pal_common_pipe_waitforclient, 11 | .read = &pal_common_pipe_read, 12 | .write = &pal_common_pipe_write, 13 | .destroy = &pal_common_pipe_destroy, 14 | .delete = &pal_common_pipe_delete, 15 | .attrquerybyhdl = &pal_common_pipe_attrquerybyhdl, 16 | .attrsetbyhdl = &pal_common_pipe_attrsetbyhdl, 17 | }; 18 | -------------------------------------------------------------------------------- /pal/src/host/tdx/pal_rtld.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | #include "pal_error.h" 5 | #include "pal_rtld.h" 6 | 7 | void _PalDebugMapAdd(const char* name, void* addr) { 8 | __UNUSED(name); 9 | __UNUSED(addr); 10 | } 11 | 12 | void _PalDebugMapRemove(void* addr) { 13 | __UNUSED(addr); 14 | } 15 | 16 | int _PalDebugDescribeLocation(uintptr_t addr, char* buf, size_t buf_size) { 17 | __UNUSED(addr); 18 | __UNUSED(buf); 19 | __UNUSED(buf_size); 20 | return -PAL_ERROR_NOTIMPLEMENTED; 21 | } 22 | -------------------------------------------------------------------------------- /pal/src/host/vm-common/README.md: -------------------------------------------------------------------------------- 1 | Heavily relies on x86-64 and `q35` (PCI-based) machine type in QEMU. 2 | -------------------------------------------------------------------------------- /pal/src/host/vm-common/external/realpath.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | #pragma once 5 | 6 | int realpath(const char* path, char* got_path, char** out_got_path); 7 | -------------------------------------------------------------------------------- /pal/src/host/vm-common/kernel_debug.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | /* Debug prints using VMM's serial port. */ 5 | 6 | #pragma once 7 | 8 | #define SERIAL_IO_PORT 0x3F8 9 | 10 | #include 11 | 12 | void debug_serial_io_write_char(char c); 13 | void debug_serial_io_write(const char* str); 14 | void debug_serial_io_write_int(const char* str, uint64_t x); 15 | -------------------------------------------------------------------------------- /pal/src/host/vm-common/kernel_files.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | /* Declarations for common operations on files. */ 5 | 6 | #pragma once 7 | 8 | #include 9 | 10 | /* underlying virtio-fs driver operates only on limited amount of data (VIRTIO_FS_SHARED_BUF_SIZE), 11 | * so file-related functions must not exceed this limit when calling into the driver */ 12 | #define FILE_CHUNK_SIZE (16 * 1024UL) 13 | 14 | #define PATH_MAX 512 15 | #define MAX_READLINKS 32 16 | 17 | int read_text_file_to_cstr(const char* path, char** out_buf, uint64_t* out_size); 18 | int emulate_file_map_via_read(uint64_t nodeid, uint64_t fh, void* addr, uint64_t offset, 19 | uint64_t size); 20 | -------------------------------------------------------------------------------- /pal/src/host/vm-common/kernel_syscalls.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | /* Declarations for syscalls. */ 5 | 6 | #pragma once 7 | 8 | /* we only use MSRs relevant to 64-bit SYSCALL/SYSRET flows; thus we don't use legacy MSR_CSTAR */ 9 | /* these MSRs are allowed to be natively accessed in Intel TDX, so they don't need hardening */ 10 | #define MSR_STAR 0xc0000081 /* target CS/SS selectors from GDT */ 11 | #define MSR_LSTAR 0xc0000082 /* target 64-bit RIP on `syscall` instruction */ 12 | #define MSR_SYSCALL_MASK 0xc0000084 /* RFLAGS mask to apply on `syscall` instruction */ 13 | 14 | /* rt_sigreturn has a special return-from-syscall path, see kernel_events.S */ 15 | #define SYSCALL_RT_SIGRETURN 15 16 | 17 | int syscalls_init(void); 18 | -------------------------------------------------------------------------------- /pal/src/host/vm/pal.map.template: -------------------------------------------------------------------------------- 1 | PAL { 2 | global: @PAL_SYMBOLS@ 3 | local: *; 4 | }; 5 | -------------------------------------------------------------------------------- /pal/src/host/vm/pal_console.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | #include "pal.h" 5 | #include "pal_common.h" 6 | #include "pal_internal.h" 7 | 8 | struct handle_ops g_console_ops = { 9 | .open = &pal_common_console_open, 10 | .read = &pal_common_console_read, 11 | .write = &pal_common_console_write, 12 | .destroy = &pal_common_console_destroy, 13 | .flush = &pal_common_console_flush, 14 | }; 15 | -------------------------------------------------------------------------------- /pal/src/host/vm/pal_eventfd.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | #include "pal.h" 5 | #include "pal_common.h" 6 | #include "pal_internal.h" 7 | 8 | struct handle_ops g_eventfd_ops = { 9 | .open = &pal_common_eventfd_open, 10 | .read = &pal_common_eventfd_read, 11 | .write = &pal_common_eventfd_write, 12 | .destroy = &pal_common_eventfd_destroy, 13 | .attrquerybyhdl = &pal_common_eventfd_attrquerybyhdl, 14 | }; 15 | -------------------------------------------------------------------------------- /pal/src/host/vm/pal_events.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | #include "pal.h" 5 | #include "pal_common.h" 6 | #include "pal_internal.h" 7 | 8 | int _PalEventCreate(struct pal_handle** handle_ptr, bool init_signaled, bool auto_clear) { 9 | return pal_common_event_create(handle_ptr, init_signaled, auto_clear); 10 | } 11 | 12 | void _PalEventSet(struct pal_handle* handle) { 13 | pal_common_event_set(handle); 14 | } 15 | 16 | void _PalEventClear(struct pal_handle* handle) { 17 | pal_common_event_clear(handle); 18 | } 19 | 20 | int _PalEventWait(struct pal_handle* handle, uint64_t* timeout_us) { 21 | return pal_common_event_wait(handle, timeout_us); 22 | } 23 | 24 | struct handle_ops g_event_ops = {}; 25 | -------------------------------------------------------------------------------- /pal/src/host/vm/pal_exception.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | /* 5 | * This file contains APIs to set up signal handlers and seccomp. 6 | */ 7 | 8 | #include "api.h" 9 | #include "pal.h" 10 | #include "pal_error.h" 11 | #include "pal_internal.h" 12 | 13 | /* nothing to do here; all logic is in vm-common/pal_common_exception.c */ 14 | -------------------------------------------------------------------------------- /pal/src/host/vm/pal_object.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | #include "pal.h" 5 | #include "pal_common.h" 6 | #include "pal_internal.h" 7 | 8 | int _PalStreamsWaitEvents(size_t count, PAL_HANDLE* handle_array, pal_wait_flags_t* events, 9 | pal_wait_flags_t* ret_events, uint64_t* timeout_us) { 10 | return pal_common_streams_wait_events(count, handle_array, events, ret_events, timeout_us); 11 | } 12 | -------------------------------------------------------------------------------- /pal/src/host/vm/pal_pipes.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | #include "pal.h" 5 | #include "pal_common.h" 6 | #include "pal_internal.h" 7 | 8 | struct handle_ops g_pipe_ops = { 9 | .open = &pal_common_pipe_open, 10 | .waitforclient = &pal_common_pipe_waitforclient, 11 | .read = &pal_common_pipe_read, 12 | .write = &pal_common_pipe_write, 13 | .destroy = &pal_common_pipe_destroy, 14 | .delete = &pal_common_pipe_delete, 15 | .attrquerybyhdl = &pal_common_pipe_attrquerybyhdl, 16 | .attrsetbyhdl = &pal_common_pipe_attrsetbyhdl, 17 | }; 18 | -------------------------------------------------------------------------------- /pal/src/host/vm/pal_rtld.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Corporation */ 3 | 4 | #include "pal_error.h" 5 | #include "pal_rtld.h" 6 | 7 | void _PalDebugMapAdd(const char* name, void* addr) { 8 | __UNUSED(name); 9 | __UNUSED(addr); 10 | } 11 | 12 | void _PalDebugMapRemove(void* addr) { 13 | __UNUSED(addr); 14 | } 15 | 16 | int _PalDebugDescribeLocation(uintptr_t addr, char* buf, size_t buf_size) { 17 | __UNUSED(addr); 18 | __UNUSED(buf); 19 | __UNUSED(buf_size); 20 | return -PAL_ERROR_NOTIMPLEMENTED; 21 | } 22 | -------------------------------------------------------------------------------- /pal/src/meson.build: -------------------------------------------------------------------------------- 1 | cflags_pal_common = [ 2 | '-DIN_PAL', 3 | '-ffreestanding', 4 | '-fPIC', 5 | ] 6 | 7 | pal_common_sources = files( 8 | 'pal_events.c', 9 | 'pal_exception.c', 10 | 'pal_main.c', 11 | 'pal_memory.c', 12 | 'pal_misc.c', 13 | 'pal_object.c', 14 | 'pal_process.c', 15 | 'pal_rtld.c', 16 | 'pal_sockets.c', 17 | 'pal_streams.c', 18 | 'pal_threading.c', 19 | 'printf.c', 20 | 'slab.c', 21 | ) 22 | 23 | # Arch-specific meson.build must define the following Meson variables: 24 | # - `pal_common_sources_arch` - a list of arch-specific sources. 25 | subdir('arch') 26 | pal_common_sources += pal_common_sources_arch 27 | 28 | subdir('host') 29 | -------------------------------------------------------------------------------- /pytest.ini: -------------------------------------------------------------------------------- 1 | # Configuration file for Gramine's regression tests. 2 | 3 | [pytest] 4 | 5 | # Don't search for Python files inside LTP 6 | norecursedirs = libos/test/ltp/* 7 | 8 | # Display details logged by our test runner 9 | log_level = INFO 10 | log_format = %(message)s 11 | 12 | # Don't show full tracebacks from Python (but display stdout/stderr/logs) 13 | # Disable warnings from third-party Python modules 14 | addopts = --tb=short --disable-warnings 15 | 16 | # Include all details in the JUnit XML report 17 | junit_logging = all 18 | -------------------------------------------------------------------------------- /python/graminelibos.dist-info/METADATA.in: -------------------------------------------------------------------------------- 1 | Metadata-Version: 2.1 2 | Name: @NAME@libos 3 | Version: @VERSION@ 4 | Home-page: https://gramineproject.io/ 5 | License: @LICENSE@ 6 | -------------------------------------------------------------------------------- /python/graminelibos.dist-info/entry_points.txt: -------------------------------------------------------------------------------- 1 | [gramine.sgx_sign] 2 | file = graminelibos.sgx_sign:sign_with_file 3 | -------------------------------------------------------------------------------- /python/graminelibos.dist-info/meson.build: -------------------------------------------------------------------------------- 1 | install_dir = python3_platlib / 'graminelibos.dist-info' 2 | conf = configuration_data() 3 | conf.set('NAME', meson.project_name()) 4 | conf.set('VERSION', meson.project_version()) 5 | conf.set('LICENSE', ', '.join(meson.project_license())) 6 | 7 | # https://packaging.python.org/en/latest/specifications/core-metadata/ 8 | configure_file( 9 | input: 'METADATA.in', 10 | output: 'METADATA', 11 | install_dir: install_dir, 12 | configuration: conf, 13 | ) 14 | 15 | install_data('entry_points.txt', install_dir: install_dir) 16 | -------------------------------------------------------------------------------- /python/graminelibos/aesm.proto: -------------------------------------------------------------------------------- 1 | syntax = "proto2"; 2 | 3 | message GetTokenReqRaw { 4 | required bytes signature = 1; 5 | required bytes key = 2; 6 | required bytes attributes = 3; 7 | required uint32 timeout = 9; 8 | } 9 | 10 | message GetTokenReq { 11 | required GetTokenReqRaw req = 3; 12 | } 13 | 14 | message GetTokenRetRaw { 15 | required int32 error = 1; 16 | optional bytes token = 2; 17 | } 18 | 19 | message GetTokenRet { 20 | required GetTokenRetRaw ret = 3; 21 | } 22 | -------------------------------------------------------------------------------- /python/meson.build: -------------------------------------------------------------------------------- 1 | subdir('graminelibos') 2 | subdir('graminelibos.dist-info') 3 | 4 | install_data([ 5 | 'gramine-gen-depend', 6 | 'gramine-manifest', 7 | 'gramine-manifest-check', 8 | ], install_dir: get_option('bindir')) 9 | 10 | if enable_tests 11 | install_data([ 12 | 'gramine-test', 13 | ], install_dir: get_option('bindir')) 14 | endif 15 | 16 | if sgx 17 | install_data([ 18 | 'gramine-sgx-gen-private-key', 19 | 'gramine-sgx-get-token', 20 | 'gramine-sgx-sign', 21 | 'gramine-sgx-sigstruct-view', 22 | ], install_dir: get_option('bindir')) 23 | endif 24 | -------------------------------------------------------------------------------- /scripts/check-no-reloc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | test $# -eq 2 || exit 2 5 | 6 | relocs=$(LC_ALL=C readelf -r "$1") 7 | case "$relocs" in 8 | *'There are no relocations in this file.'*) 9 | cp -a "$1" "$2" 10 | ;; 11 | *) 12 | printf %s\\n "$relocs" 13 | exit 1 14 | ;; 15 | esac 16 | -------------------------------------------------------------------------------- /scripts/clean-check-prepare: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eu -o pipefail 4 | 5 | top_dir="$(readlink -m "${BASH_SOURCE[0]}/../..")" 6 | clean_dir="$top_dir.clean-check.clean" 7 | 8 | if [ -n "${JENKINS_HOME:-}" ] || [ -n "${HUDSON_HOME:-}" ]; then 9 | clean_dir="/tmp/$(basename "$clean_dir")" 10 | fi 11 | 12 | rm -rf "$clean_dir" 13 | cp -a "$top_dir" "$clean_dir" 14 | -------------------------------------------------------------------------------- /scripts/clean-check-test-copy: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eu -o pipefail 4 | 5 | # Creates a test copy where you can check `make clean` without messing with 6 | # your main dir. 7 | 8 | top_dir="$(readlink -m "${BASH_SOURCE[0]}/../..")" 9 | test_dir="$top_dir.clean-check.test" 10 | 11 | if [ -n "${JENKINS_HOME:-}" ] || [ -n "${HUDSON_HOME:-}" ]; then 12 | test_dir="/tmp/$(basename "$test_dir")" 13 | fi 14 | 15 | rm -rf "$test_dir" 16 | cp -a "$top_dir" "$test_dir" 17 | echo "$test_dir" 18 | -------------------------------------------------------------------------------- /scripts/docker_seccomp.json: -------------------------------------------------------------------------------- 1 | docker_seccomp_mar_2021.json -------------------------------------------------------------------------------- /scripts/gitignore-check-files: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eu -o pipefail 4 | 5 | # Intended to be run before a build. Returns 1 (i.e. failure) if there's at 6 | # least one file that should be ignored. 7 | 8 | files="$(git ls-files -i -o --exclude-standard)" 9 | if [ -z "${files}" ]; then 10 | exit 0 11 | fi 12 | 13 | echo "================================================================================" 14 | echo " ERROR: Files ignored by git exist in the repository: " 15 | echo "--------------------------------------------------------------------------------" 16 | echo "${files}" 17 | echo "================================================================================" 18 | exit 1 19 | -------------------------------------------------------------------------------- /scripts/gitignore-test: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eu -o pipefail 4 | 5 | # Intended to be run after a build. Returns 1 (i.e. failure) if there's at 6 | # least one modified or untracked file which is not gitignored. 7 | 8 | # Don't inline it in the if, since we want to exit on error return codes (set -e). 9 | status="$(git status --porcelain)" 10 | 11 | if [ -z "$status" ]; then 12 | echo "No not-gitignored changes :]" 13 | exit 0 14 | fi 15 | 16 | echo "================================================================================" 17 | echo " ERROR: Files modified by build, but not gitignored:" 18 | echo "--------------------------------------------------------------------------------" 19 | echo "$status" 20 | git submodule foreach --recursive git status --porcelain 21 | echo "================================================================================" 22 | exit 1 23 | -------------------------------------------------------------------------------- /scripts/makedist.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | BUILDDIR=build-dist 6 | 7 | rm -rf "$BUILDDIR" 8 | # it doesn't matter what options we have here, this is only for meson dist 9 | meson setup "$BUILDDIR" -Dskeleton=enabled -Dlibgomp=enabled >&2 10 | meson dist -C "$BUILDDIR" --no-test --include-subprojects --formats=gztar >&2 11 | 12 | tarball=$(meson introspect --projectinfo "$BUILDDIR" | jq -r '.descriptive_name + "-" + .version').tar.gz 13 | tarball_orig=$(meson introspect --projectinfo "$BUILDDIR" | jq -r '.descriptive_name + "_" + .version | sub("-"; "~")').orig.tar.gz 14 | 15 | # sanity check 16 | ( 17 | cd "$BUILDDIR"/meson-dist 18 | sha256sum -c "$tarball".sha256sum 19 | ) >&2 20 | 21 | cp "$BUILDDIR"/meson-dist/"$tarball" "$tarball" 22 | cp "$BUILDDIR"/meson-dist/"$tarball" "$tarball_orig" 23 | printf %s\\n "$tarball_orig" 24 | -------------------------------------------------------------------------------- /scripts/meson-clang-format.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | if test x"$1" = x-d 6 | then 7 | # debug mode: just print, and developer is responsible for running in source root 8 | FINDACTION="-print" 9 | else 10 | test -n "$MESON_SOURCE_ROOT" 11 | cd "$MESON_SOURCE_ROOT" 12 | FINDACTION="-exec clang-format -i {} +" 13 | fi 14 | 15 | find pal libos tools \ 16 | -path common/src/crypto/mbedtls -prune -o \ 17 | -path tools/sgx/common/cJSON.c -prune -o \ 18 | -path tools/sgx/common/cJSON.h -prune -o \ 19 | -path tools/sgx/common/cJSON-\*/cJSON.c -prune -o \ 20 | -path tools/sgx/common/cJSON-\*/cJSON.h -prune -o \ 21 | -path libos/test/ltp -prune -o \ 22 | -path libos/glibc\* -prune -o \ 23 | \( -name \*.c -o -name \*.h \) \ 24 | $FINDACTION 25 | -------------------------------------------------------------------------------- /scripts/meson.build: -------------------------------------------------------------------------------- 1 | foreach script : [ 2 | 'check-no-reloc.sh', 3 | 'gen-pal-map.py', 4 | 'get-python-platlib.py', 5 | 'meson-clang-format.sh', 6 | 'meson-render-script.py', 7 | ] 8 | set_variable('@0@_prog'.format(script.split('.')[0].underscorify()), 9 | find_program(script)) 10 | endforeach 11 | -------------------------------------------------------------------------------- /scripts/wait_for_server: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eu 4 | 5 | usage() { 6 | echo "Usage: wait_for_server TIMEOUT IP PORT" 7 | exit 1 8 | } 9 | 10 | if [ $# -ne 3 ]; then 11 | usage 12 | fi 13 | 14 | exec timeout $1 bash -c "while ! nc -z -w1 $2 $3; do sleep 1; done" 15 | -------------------------------------------------------------------------------- /subprojects/.gitignore: -------------------------------------------------------------------------------- 1 | /packagecache 2 | 3 | /cJSON-*/ 4 | /curl-*/ 5 | /gcc-*/ 6 | /glibc-*/ 7 | /mbedtls-*/ 8 | /musl-*/ 9 | /tomlc99-*/ 10 | /uthash-*/ 11 | -------------------------------------------------------------------------------- /subprojects/cJSON-1.7.12.wrap: -------------------------------------------------------------------------------- 1 | [wrap-file] 2 | directory = cJSON-1.7.12 3 | source_url = https://github.com/DaveGamble/cJSON/archive/v1.7.12.tar.gz 4 | source_fallback_url = https://packages.gramineproject.io/distfiles/cJSON-1.7.12.tar.gz 5 | source_filename = cJSON-1.7.12.tar.gz 6 | source_hash = 760687665ab41a5cff9c40b1053c19572bcdaadef1194e5cba1b5e6f824686e7 7 | patch_directory = cJSON 8 | -------------------------------------------------------------------------------- /subprojects/curl-8.8.0.wrap: -------------------------------------------------------------------------------- 1 | [wrap-file] 2 | directory = curl-8.8.0 3 | source_url = https://curl.se/download/curl-8.8.0.tar.gz 4 | source_fallback_url = https://packages.gramineproject.io/distfiles/curl-8.8.0.tar.gz 5 | source_filename = curl-8.8.0.tar.gz 6 | source_hash = 77c0e1cd35ab5b45b659645a93b46d660224d0024f1185e8a95cdb27ae3d787d 7 | patch_directory = curl-8.8.0 8 | -------------------------------------------------------------------------------- /subprojects/gcc-10.2.0.wrap: -------------------------------------------------------------------------------- 1 | [wrap-file] 2 | directory = gcc-10.2.0 3 | source_url = https://ftp.gnu.org/gnu/gcc/gcc-10.2.0/gcc-10.2.0.tar.gz 4 | source_fallback_url = https://packages.gramineproject.io/distfiles/gcc-10.2.0.tar.gz 5 | source_filename = gcc-10.2.0.tar.gz 6 | source_hash = 27e879dccc639cd7b0cc08ed575c1669492579529b53c9ff27b0b96265fa867d 7 | patch_directory = gcc-10.2.0 8 | -------------------------------------------------------------------------------- /subprojects/glibc-2.39-1.wrap: -------------------------------------------------------------------------------- 1 | # NOTE: We use a custom version number (the `-1` suffix) to force Meson to rebuild when there is a 2 | # breaking change to the interface between Glibc and Gramine. The important part is that the 3 | # directory in `subprojects` has to change (`subprojects/glibc-2.39-1`, `subprojects/glibc-2.39-2` 4 | # etc.) 5 | 6 | [wrap-file] 7 | directory = glibc-2.39-1 8 | source_url = https://ftp.gnu.org/gnu/glibc/glibc-2.39.tar.gz 9 | source_fallback_url = https://packages.gramineproject.io/distfiles/glibc-2.39.tar.gz 10 | source_filename = glibc-2.39.tar.gz 11 | source_hash = 97f84f3b7588cd54093a6f6389b0c1a81e70d99708d74963a2e3eab7c7dc942d 12 | patch_directory = glibc-2.39 13 | 14 | # this unpacks the sources to `glibc-2.39-1/glibc-2.39` 15 | lead_directory_missing = true 16 | -------------------------------------------------------------------------------- /subprojects/mbedtls-3.6.0.wrap: -------------------------------------------------------------------------------- 1 | [wrap-file] 2 | directory = mbedtls-3.6.0 3 | source_url = https://github.com/Mbed-TLS/mbedtls/releases/download/v3.6.0/mbedtls-3.6.0.tar.bz2 4 | source_fallback_url = https://packages.gramineproject.io/distfiles/mbedtls-3.6.0.tar.bz2 5 | source_filename = mbedtls-3.6.0.tar.bz2 6 | source_hash = 3ecf94fcfdaacafb757786a01b7538a61750ebd85c4b024f56ff8ba1490fcd38 7 | 8 | patch_directory = mbedtls 9 | 10 | # this unpacks the sources to `mbedtls-3.6.0/mbedtls-3.6.0` 11 | lead_directory_missing = true 12 | -------------------------------------------------------------------------------- /subprojects/musl-1.2.5.wrap: -------------------------------------------------------------------------------- 1 | [wrap-file] 2 | directory = musl-1.2.5 3 | source_url = https://musl.libc.org/releases/musl-1.2.5.tar.gz 4 | source_fallback_url = https://packages.gramineproject.io/distfiles/musl-1.2.5.tar.gz 5 | source_filename = musl-1.2.5.tar.gz 6 | source_hash = a9a118bbe84d8764da0ea0d28b3ab3fae8477fc7e4085d90102b8596fc7c75e4 7 | patch_directory = musl-1.2.5 8 | -------------------------------------------------------------------------------- /subprojects/packagefiles/cJSON/meson.build: -------------------------------------------------------------------------------- 1 | project('cJSON', 'c') 2 | 3 | cjson_dep = declare_dependency( 4 | sources: files('cJSON.c', 'cJSON.h'), 5 | include_directories: include_directories('.'), 6 | ) 7 | -------------------------------------------------------------------------------- /subprojects/packagefiles/curl-8.8.0/meson.build: -------------------------------------------------------------------------------- 1 | project('curl', 'c', version: '8.8.0') 2 | 3 | curl_libs_output = [ 4 | 'libcurl.a', 5 | ] 6 | 7 | curl = custom_target('curl', 8 | command: [ 9 | find_program('compile.sh'), 10 | '@CURRENT_SOURCE_DIR@', 11 | meson.current_build_dir(), 12 | '@PRIVATE_DIR@', 13 | meson.build_root() / 'subprojects', 14 | ], 15 | 16 | depends: subproject('mbedtls-3.6.0').get_variable('mbedtls_curl_libs'), 17 | output: curl_libs_output, 18 | ) 19 | 20 | curl_minimal_dep = declare_dependency( 21 | link_with: curl, 22 | include_directories: 'include', 23 | ) 24 | -------------------------------------------------------------------------------- /subprojects/packagefiles/glibc-2.39/meson_options.txt: -------------------------------------------------------------------------------- 1 | option('vm', type: 'combo', choices: ['disabled', 'enabled'], yield: true, 2 | description: 'Build Virtual Machine (VM, currently only x86-64) PAL') 3 | option('tdx', type: 'combo', choices: ['disabled', 'enabled'], yield: true, 4 | description: 'Build Trusted Domain Extensions (aka TDX) PAL') 5 | -------------------------------------------------------------------------------- /subprojects/packagefiles/mbedtls/compile-curl.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -ex 4 | 5 | CURRENT_SOURCE_DIR="$1" 6 | VENDOR_SOURCE_DIR="$2" 7 | CURRENT_BUILD_DIR="$3" 8 | PRIVATE_DIR="$4" 9 | SUBPROJ_ROOT="$5" 10 | shift 5 11 | 12 | rm -rf "$PRIVATE_DIR" 13 | 14 | cp -ar "$VENDOR_SOURCE_DIR" "$PRIVATE_DIR" 15 | cp "$CURRENT_SOURCE_DIR"/include/mbedtls/*.h "$PRIVATE_DIR"/include/mbedtls/ 16 | patch -p1 --directory "$PRIVATE_DIR" <"$CURRENT_SOURCE_DIR"/gramine.patch 17 | 18 | make -C "$PRIVATE_DIR" lib SUFFIX="''" install DESTDIR="$SUBPROJ_ROOT"/mbedtls-curl 19 | 20 | for output in $@ 21 | do 22 | cp -a "$PRIVATE_DIR"/library/"$(basename "$output")" "$output" 23 | done 24 | -------------------------------------------------------------------------------- /subprojects/packagefiles/mbedtls/compile-gramine.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | CFLAGS='-O2' 4 | 5 | export CFLAGS 6 | exec "$(dirname "$0")"/compile.sh "$@" 7 | -------------------------------------------------------------------------------- /subprojects/packagefiles/mbedtls/compile-pal.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | CFLAGS='-O2 -DMBEDTLS_CONFIG_FILE=\"mbedtls/config-pal.h\"' 4 | 5 | # TODO: We disable the stack protector because the default configuration doesn't work inside 6 | # Gramine. Instead, we should pass the right stack protector options from Meson. 7 | CFLAGS="$CFLAGS -fno-stack-protector" 8 | 9 | # Generate position-independent code even for a static library, so that it can be used in PAL and 10 | # LibOS 11 | CFLAGS="$CFLAGS -fPIC" 12 | 13 | # Don't assume standard library exists (currently Clang emits references to `bcmp`) 14 | CFLAGS="$CFLAGS -ffreestanding" 15 | 16 | export CFLAGS 17 | exec "$(dirname "$0")"/compile.sh "$@" 18 | -------------------------------------------------------------------------------- /subprojects/packagefiles/mbedtls/compile.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -ex 4 | 5 | CURRENT_SOURCE_DIR="$1" 6 | VENDOR_SOURCE_DIR="$2" 7 | CURRENT_BUILD_DIR="$3" 8 | PRIVATE_DIR="$4" 9 | shift 4 10 | 11 | OUTPUTS="" 12 | while test "$#" -gt 0 && ! test "$1" = -- 13 | do 14 | OUTPUTS="$OUTPUTS $1" 15 | shift 16 | done 17 | if test "$1" = -- 18 | then 19 | shift 20 | fi 21 | 22 | rm -rf "$PRIVATE_DIR" 23 | 24 | cp -ar "$VENDOR_SOURCE_DIR" "$PRIVATE_DIR" 25 | cp "$CURRENT_SOURCE_DIR"/include/mbedtls/*.h "$PRIVATE_DIR"/include/mbedtls/ 26 | patch -p1 --directory "$PRIVATE_DIR" <"$CURRENT_SOURCE_DIR"/gramine.patch 27 | 28 | make -C "$PRIVATE_DIR" lib "$@" 29 | 30 | for output in $OUTPUTS 31 | do 32 | cp -a "$PRIVATE_DIR"/library/"$(basename "$output")" "$output" 33 | done 34 | -------------------------------------------------------------------------------- /subprojects/packagefiles/mbedtls/meson_options.txt: -------------------------------------------------------------------------------- 1 | option('libc', type: 'combo', choices: ['none', 'glibc', 'musl'], value: 'glibc', yield: true) 2 | -------------------------------------------------------------------------------- /subprojects/packagefiles/tomlc99/meson.build: -------------------------------------------------------------------------------- 1 | project('tomlc99', 'c') 2 | 3 | patch_prog = find_program('patch') 4 | 5 | tomlc99_src = [] 6 | foreach src : ['toml.c', 'toml.h'] 7 | src_patch = '@0@.patch'.format(src) 8 | tomlc99_src += custom_target(src, 9 | command: [ 10 | patch_prog, 11 | '-p1', 12 | '--quiet', 13 | '--directory=@CURRENT_SOURCE_DIR@', 14 | '--input=@0@'.format(src_patch), 15 | '--output=-', 16 | ], 17 | input: [src_patch, src], 18 | output: src, 19 | capture: true, 20 | ) 21 | endforeach 22 | 23 | tomlc99_dep = declare_dependency( 24 | sources: tomlc99_src, 25 | include_directories: include_directories('.'), 26 | ) 27 | 28 | -------------------------------------------------------------------------------- /subprojects/packagefiles/uthash/meson.build: -------------------------------------------------------------------------------- 1 | project('uthash', 'c') 2 | 3 | patch_prog = find_program('patch') 4 | 5 | subdir('src') 6 | 7 | uthash_dep = declare_dependency( 8 | sources: uthash_h, 9 | include_directories: include_directories('src/'), 10 | ) 11 | -------------------------------------------------------------------------------- /subprojects/packagefiles/uthash/src/meson.build: -------------------------------------------------------------------------------- 1 | uthash_h = custom_target('uthash.h', 2 | command: [ 3 | patch_prog, 4 | '-p1', 5 | '--quiet', 6 | '--directory=@CURRENT_SOURCE_DIR@', 7 | '--input=uthash.h.patch', 8 | '--output=-', 9 | ], 10 | input: ['uthash.h.patch', 'uthash.h'], 11 | output: 'uthash.h', 12 | capture: true, 13 | ) 14 | -------------------------------------------------------------------------------- /subprojects/tomlc99-208203af46bdbdb29ba199660ed78d09c220b6c5.wrap: -------------------------------------------------------------------------------- 1 | [wrap-file] 2 | directory = tomlc99-208203af46bdbdb29ba199660ed78d09c220b6c5 3 | source_url = https://github.com/cktan/tomlc99/archive/208203af46bdbdb29ba199660ed78d09c220b6c5.tar.gz 4 | source_fallback_url = https://packages.gramineproject.io/distfiles/tomlc99-208203af46bdbdb29ba199660ed78d09c220b6c5.tar.gz 5 | source_filename = tomlc99-208203af46bdbdb29ba199660ed78d09c220b6c5.tar.gz 6 | source_hash = 7313913fde1ac0b0a31a34e4fc8e1048c0cb1b0813e7da24a44b4cc3c80f0e89 7 | patch_directory = tomlc99 8 | -------------------------------------------------------------------------------- /subprojects/uthash-2.1.0.wrap: -------------------------------------------------------------------------------- 1 | [wrap-file] 2 | directory = uthash-2.1.0 3 | source_url = https://github.com/troydhanson/uthash/archive/v2.1.0.tar.gz 4 | source_fallback_url = https://packages.gramineproject.io/distfiles/uthash-2.1.0.tar.gz 5 | source_filename = uthash-2.1.0.tar.gz 6 | source_hash = 152ccd8e64d0f495377232e3964d06c7ec8bb8c3fbd3217f8a5702614f9a669e 7 | patch_directory = uthash 8 | -------------------------------------------------------------------------------- /tools/argv_serializer.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2020 Invisible Things Lab 3 | * Michał Kowalczyk 4 | */ 5 | 6 | /* Helper tool for protected argv ("loader.argv_src_file" manifest option). See Gramine 7 | * documentation for usage. 8 | */ 9 | 10 | #include 11 | #include 12 | 13 | int main(int argc, char* argv[]) { 14 | for (int i = 1; i < argc; i++) 15 | if (fwrite(argv[i], strlen(argv[i]) + 1, 1, stdout) != 1) 16 | return 1; 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /tools/sgx/ias-request/meson.build: -------------------------------------------------------------------------------- 1 | executable('gramine-sgx-ias-request', 2 | 'ias_request.c', 3 | 4 | dependencies: [ 5 | sgx_ias_util_dep, 6 | sgx_util_dep, 7 | ], 8 | 9 | install: true, 10 | install_rpath: get_option('prefix') / get_option('libdir'), 11 | ) 12 | -------------------------------------------------------------------------------- /tools/sgx/is-sgx-available/meson.build: -------------------------------------------------------------------------------- 1 | executable('is-sgx-available', 2 | 'is_sgx_available.cpp', 3 | 4 | cpp_args: [ 5 | '-Wno-multichar', 6 | ], 7 | 8 | install: true, 9 | install_rpath: get_option('prefix') / get_option('libdir'), 10 | ) 11 | -------------------------------------------------------------------------------- /tools/sgx/meson.build: -------------------------------------------------------------------------------- 1 | subdir('common') 2 | 3 | subdir('ias-request') 4 | subdir('is-sgx-available') 5 | subdir('pf_crypt') 6 | subdir('pf_tamper') 7 | subdir('quote-view') 8 | subdir('ra-tls') 9 | subdir('verify-ias-report') 10 | -------------------------------------------------------------------------------- /tools/sgx/pf_crypt/meson.build: -------------------------------------------------------------------------------- 1 | executable('gramine-sgx-pf-crypt', 2 | 'pf_crypt.c', 3 | 4 | dependencies: [ 5 | sgx_util_dep, 6 | ], 7 | 8 | install: true, 9 | install_rpath: get_option('prefix') / get_option('libdir'), 10 | ) 11 | -------------------------------------------------------------------------------- /tools/sgx/pf_tamper/meson.build: -------------------------------------------------------------------------------- 1 | executable('gramine-sgx-pf-tamper', 2 | 'pf_tamper.c', 3 | 4 | dependencies: [ 5 | sgx_util_dep, 6 | ], 7 | 8 | include_directories: common_inc, # for api.h 9 | 10 | install: true, 11 | install_rpath: get_option('prefix') / get_option('libdir'), 12 | ) 13 | -------------------------------------------------------------------------------- /tools/sgx/quote-view/meson.build: -------------------------------------------------------------------------------- 1 | executable('gramine-sgx-quote-view', 2 | 'quote_view.c', 3 | 4 | dependencies: [ 5 | sgx_util_dep, 6 | ], 7 | 8 | install: true, 9 | install_rpath: get_option('prefix') / get_option('libdir'), 10 | ) 11 | -------------------------------------------------------------------------------- /tools/sgx/ra-tls/ra_tls.map: -------------------------------------------------------------------------------- 1 | RA_TLS { 2 | global: ra_tls_set_measurement_callback; ra_tls_verify_callback_der; ra_tls_verify_callback_extended_der; ra_tls_create_key_and_crt_der; 3 | local: *; 4 | }; 5 | 6 | -------------------------------------------------------------------------------- /tools/sgx/ra-tls/secret_prov.map: -------------------------------------------------------------------------------- 1 | SECRET_PROV { 2 | global: secret_provision_write; secret_provision_read; secret_provision_close; secret_provision_get; secret_provision_start; secret_provision_start_server; 3 | local: *; 4 | }; 5 | -------------------------------------------------------------------------------- /tools/sgx/ra-tls/secret_prov_common.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-3.0-or-later */ 2 | /* Copyright (C) 2023 Intel Labs */ 3 | 4 | /* Internal Secret Prov details, not intended for external use. */ 5 | 6 | #pragma once 7 | 8 | #include 9 | 10 | #include "mbedtls/ssl.h" 11 | 12 | int secret_provision_common_write(mbedtls_ssl_context* ssl, const uint8_t* buf, size_t size); 13 | int secret_provision_common_read(mbedtls_ssl_context* ssl, uint8_t* buf, size_t size); 14 | int secret_provision_common_close(mbedtls_ssl_context* ssl); 15 | -------------------------------------------------------------------------------- /tools/sgx/verify-ias-report/meson.build: -------------------------------------------------------------------------------- 1 | executable('gramine-sgx-ias-verify-report', 2 | 'verify_ias_report.c', 3 | 4 | dependencies: [ 5 | sgx_ias_util_dep, 6 | sgx_util_dep, 7 | ], 8 | 9 | install: true, 10 | install_rpath: get_option('prefix') / get_option('libdir'), 11 | ) 12 | -------------------------------------------------------------------------------- /tools/vcs_tag.in: -------------------------------------------------------------------------------- 1 | VCS_TAG=@VCS_TAG@ 2 | --------------------------------------------------------------------------------