├── runtime ├── util │ ├── empty.c │ └── CMakeLists.txt ├── .gitignore ├── include │ ├── loader │ │ └── loader.h │ ├── sys │ │ ├── env.h │ │ ├── interrupt.h │ │ ├── timex.h │ │ └── auxvec.h │ ├── mm │ │ ├── page_swap.h │ │ ├── freemem.h │ │ ├── mm.h │ │ └── common.h │ ├── util │ │ ├── string.h │ │ ├── rt_elf.h │ │ ├── rt_util.h │ │ ├── asm_helpers.h │ │ └── regs.h │ ├── crypto │ │ ├── merkle.h │ │ └── sha256.h │ └── call │ │ ├── sbi.h │ │ ├── syscall.h │ │ └── linux_wrap.h ├── loader │ └── CMakeLists.txt ├── test │ ├── mock.h │ ├── CMakeLists.txt │ └── string.c ├── tmplib │ ├── uio.h │ ├── CMakeLists.txt │ ├── README │ ├── partial_linkage.h │ ├── asm │ │ └── linkage.h │ └── linux │ │ ├── linkage.h │ │ └── const.h ├── .clang-format ├── call │ └── CMakeLists.txt ├── crypto │ └── CMakeLists.txt ├── mm │ ├── CMakeLists.txt │ ├── freemem_ld.c │ └── vm.c ├── runtime.ld.S ├── loader-binary │ ├── CMakeLists.txt │ └── loader.lds ├── .fast-setup.sh ├── sys │ ├── CMakeLists.txt │ └── interrupt.c └── README.md ├── docs ├── source │ ├── _static │ │ ├── .PLACEHOLDER │ │ └── images │ │ │ ├── enclave_lifecycle.png │ │ │ ├── keystone_overview.png │ │ │ ├── keystone_workflow.png │ │ │ ├── sealing_key_deriv.png │ │ │ └── keystone_key_hierarchy.png │ ├── Runtimes │ │ ├── seL4.rst │ │ └── Eyrie.rst │ ├── Getting-Started │ │ ├── Tutorials │ │ │ ├── Build-Enclave-App-Benchmark.rst │ │ │ ├── Build-Enclave-App-seL4.rst │ │ │ └── index.rst │ │ ├── How-Keystone-Works │ │ │ └── index.rst │ │ ├── QEMU-Setup-Repository.rst │ │ ├── Running-Keystone-with-QEMU.rst │ │ ├── Running-Keystone-on-Hardware.rst │ │ ├── QEMU-Install-Dependencies.rst │ │ └── FAQ.rst │ ├── Security-Monitor │ │ └── enclave_lifecycle.dot │ ├── Building-Components │ │ └── Eyrie.rst │ └── Keystone-Applications │ │ └── Compiling-Applications.rst ├── .gitignore ├── requirements.txt ├── README.md ├── Makefile └── make.bat ├── examples ├── tests │ ├── .gitignore │ ├── loop │ │ ├── retval │ │ └── loop.s │ ├── malloc │ │ ├── retval │ 
│ └── malloc.c │ ├── stack │ │ ├── retval │ │ └── stack.S │ ├── untrusted │ │ ├── retval │ │ ├── edge_wrapper.h │ │ ├── untrusted.c │ │ └── edge_wrapper.c │ ├── attestation │ │ ├── retval │ │ ├── edge_wrapper.h │ │ ├── attestation.c │ │ └── edge_wrapper.c │ ├── data-sealing │ │ ├── retval │ │ └── data-sealing.h │ ├── long-nop │ │ ├── retval │ │ ├── nop.s │ │ ├── func_base.s │ │ ├── generate_func.sh │ │ └── nop.h │ ├── fibonacci │ │ ├── retval │ │ └── fibonacci.c │ ├── app.lds │ ├── fib-bench │ │ └── fib-bench.c │ └── edge_wrapper.h ├── hello │ ├── eapp │ │ └── hello.c │ ├── host │ │ └── host.cpp │ └── CMakeLists.txt ├── hello-native │ └── eapp │ │ └── eapp_native.c ├── attestation │ └── eapp │ │ └── attestor.c └── CMakeLists.txt ├── sm ├── .gitignore ├── tests │ ├── cmocka │ │ ├── libcmocka-static.a │ │ └── libcmocka-static-32.a │ └── mock │ │ ├── ipi.c │ │ ├── secure_boot.c │ │ └── mprv.c ├── src │ ├── platform │ │ ├── hifive │ │ │ ├── platform.h │ │ │ └── platform.c │ │ ├── sifive │ │ │ └── fu540 │ │ │ │ ├── platform.c │ │ │ │ └── platform.h │ │ ├── generic │ │ │ └── platform.h │ │ ├── fpga │ │ │ └── ariane │ │ │ │ └── platform.h │ │ └── mpfs │ │ │ └── platform.h │ ├── sm_assert.h │ ├── ed25519 │ │ ├── sc.h │ │ ├── keypair.c │ │ ├── sign.c │ │ └── fe.h │ ├── plugins │ │ ├── multimem.h │ │ ├── plugins.h │ │ ├── plugins.c │ │ └── multimem.c │ ├── safe_math_util.h │ ├── cpu.h │ ├── sm-sbi-opensbi.h │ ├── ipi.h │ ├── ipi.c │ ├── sm.h │ ├── cpu.c │ ├── hkdf_sha3_512 │ │ └── hkdf_sha3_512.h │ ├── hmac_sha3 │ │ └── hmac_sha3.h │ ├── sha3 │ │ └── sha3.h │ └── crypto.c ├── plat │ ├── hifive │ │ └── unmatched │ │ │ ├── objects.mk │ │ │ └── unmatched.c │ ├── fpga │ │ └── ariane │ │ │ ├── config.mk │ │ │ └── objects.mk │ ├── generic │ │ ├── config.mk │ │ ├── generic.c │ │ └── objects.mk │ ├── mpfs │ │ ├── objects.mk │ │ ├── crypto.h │ │ └── crypto_interpose.c │ └── sifive │ │ └── fu540 │ │ └── config.mk ├── LICENSE └── tools │ └── Makefile ├── sdk ├── tests │ ├── test_binary 
│ │ └── tests │ │ │ ├── .gitignore │ │ │ ├── stack │ │ │ ├── Makefile │ │ │ └── stack.s │ │ │ ├── app.lds │ │ │ ├── app.mk │ │ │ └── Makefile │ └── scripts │ │ ├── setup_test.sh │ │ └── setup_binary.sh ├── include │ ├── host │ │ ├── keystone.h │ │ ├── Elfloader.hpp │ │ ├── hash_util.hpp │ │ └── common.h │ ├── verifier │ │ ├── report.h │ │ ├── ed25519 │ │ │ ├── sc.h │ │ │ └── fe.h │ │ ├── Keys.hpp │ │ └── test_dev_key.h │ ├── app │ │ ├── string.h │ │ ├── eapp_utils.h │ │ ├── malloc.h │ │ └── sealing.h │ ├── shared │ │ └── eyrie_call.h │ └── common │ │ └── sha3.h ├── src │ ├── app │ │ ├── encret.s │ │ ├── CMakeLists.txt │ │ └── syscall.c │ ├── verifier │ │ ├── keys.cpp │ │ ├── ed25519 │ │ │ ├── keypair.c │ │ │ └── sign.c │ │ └── CMakeLists.txt │ ├── CMakeLists.txt │ ├── edge │ │ └── CMakeLists.txt │ └── host │ │ ├── CMakeLists.txt │ │ ├── hash_util.cpp │ │ ├── Log.cpp │ │ └── Memory.cpp ├── .gitignore ├── .prebuilt_tools_shasums ├── .clang-format ├── .post-install │ └── CMakeLists.txt └── .fast-setup.sh ├── overlays └── keystone │ ├── external.desc │ ├── board │ ├── sifive │ │ └── hifive-unmatched │ │ │ ├── src │ │ │ └── uboot │ │ │ │ ├── keystone │ │ │ │ ├── sha3 │ │ │ │ │ ├── Makefile │ │ │ │ │ └── sha3.h │ │ │ │ ├── ed25519 │ │ │ │ │ ├── Makefile │ │ │ │ │ ├── sc.h │ │ │ │ │ ├── keypair.c │ │ │ │ │ ├── sign.c │ │ │ │ │ ├── LICENSE │ │ │ │ │ └── fe.h │ │ │ │ ├── Makefile │ │ │ │ ├── keystone_use_test_keys.h │ │ │ │ └── keystone_test_dev_key.h │ │ │ │ └── keystone.h │ │ │ ├── extlinux.conf │ │ │ ├── genimage_sdcard.cfg │ │ │ ├── post-build.sh │ │ │ └── patches │ │ │ ├── uboot │ │ │ └── 0007-keystone-prefer-mmc-boot-for-unmatched.patch │ │ │ └── linux │ │ │ └── 0003-Revert-riscv-dts-sifive-unmatched-Link-the-tmp451-wi.patch │ ├── cva6 │ │ ├── post-build.sh │ │ ├── configs │ │ │ └── uboot-cva6.config │ │ ├── post-image.sh │ │ └── patches │ │ │ ├── opensbi │ │ │ ├── 0003-remove-PLATFORM_RISCV_XLEN-in-ariane-config.patch │ │ │ └── 
0002-workaround-to-fix-CVA6-32-bit-ABi-is-incompatible-is.patch │ │ │ └── linux │ │ │ ├── 0003-Add-Xilinx-emaclite.patch │ │ │ └── 0006-fix-netif_napi_add-to-many-argument.patch │ └── mpfs │ │ ├── post-build.sh │ │ ├── uboot-fragment-rootfs.config │ │ ├── hss-config.yaml │ │ └── patches │ │ └── dt-overlay-mchp │ │ └── 0001-move-devtree.patch │ ├── boot │ ├── hss │ │ ├── Config.in │ │ └── hss.mk │ ├── keystone-bootrom │ │ ├── Config.in │ │ └── keystone-bootrom.mk │ └── keystone-sm │ │ └── Config.in │ ├── package │ ├── keystone-sdk │ │ ├── Config.in.host │ │ └── keystone-sdk.mk │ ├── keystone-runtime │ │ ├── Config.in │ │ └── keystone-runtime.mk │ ├── keystone-driver │ │ ├── Config.in │ │ └── keystone-driver.mk │ └── keystone-examples │ │ └── Config.in │ ├── configs │ ├── initramfs.txt │ ├── sifive_logo.txt │ ├── riscv64_firesim_defconfig │ ├── riscv64_sifive_defconfig │ ├── riscv32_generic_defconfig │ └── riscv64_generic_defconfig │ ├── patches │ └── opensbi │ │ ├── opensbi-change-basename.patch │ │ └── opensbi-firmware-secure-boot.patch │ └── Config.in ├── .gitignore ├── mkutils ├── args.mk └── plat │ ├── hifive_unmatched │ └── run.mk │ ├── mpfs │ └── run.mk │ └── cva6 │ └── run.mk ├── bootrom ├── use_test_keys.h ├── ed25519 │ ├── sc.h │ ├── keypair.c │ ├── sign.c │ ├── LICENSE │ └── fe.h ├── bootloader.lds ├── sanctum_params.lds ├── Makefile ├── test_dev_key.h ├── string.h └── sha3 │ └── sha3.h ├── scripts ├── grep.patterns ├── ci │ ├── configs │ │ ├── global.sh │ │ └── track.sh │ ├── utils │ │ ├── wait_for.py │ │ └── find_tty.sh │ ├── plat │ │ ├── cva6 │ │ │ ├── expected.log │ │ │ ├── flash-os.sh │ │ │ └── test.sh │ │ ├── mpfs │ │ │ ├── expected.log │ │ │ ├── flash-firmware.sh │ │ │ ├── flash-os.sh │ │ │ └── test.sh │ │ ├── hifive_unmatched │ │ │ ├── expected.log │ │ │ ├── test.sh │ │ │ └── flash-os.sh │ │ └── generic │ │ │ ├── expected.log │ │ │ └── test.sh │ └── build-runtime.sh └── gdb │ └── mpfs.cfg ├── fast-setup.sh ├── .gitmodules ├── .readthedocs.yaml ├── 
.github └── ISSUE_TEMPLATE │ └── bug_report.md ├── linux-keystone-driver ├── Makefile ├── keystone-sbi.h ├── README.md └── keystone-sbi.c ├── docker ├── Dockerfile.nobuild ├── README.md ├── Dockerfile.32.nobuild └── Dockerfile └── tests └── test-qemu.expected.log /runtime/util/empty.c: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /docs/source/_static/.PLACEHOLDER: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/tests/.gitignore: -------------------------------------------------------------------------------- 1 | test 2 | -------------------------------------------------------------------------------- /examples/tests/loop/retval: -------------------------------------------------------------------------------- 1 | 54321 2 | -------------------------------------------------------------------------------- /examples/tests/malloc/retval: -------------------------------------------------------------------------------- 1 | 11411 2 | -------------------------------------------------------------------------------- /examples/tests/stack/retval: -------------------------------------------------------------------------------- 1 | 12345 2 | -------------------------------------------------------------------------------- /examples/tests/untrusted/retval: -------------------------------------------------------------------------------- 1 | 13 2 | -------------------------------------------------------------------------------- /examples/tests/attestation/retval: -------------------------------------------------------------------------------- 1 | 0 2 | -------------------------------------------------------------------------------- /examples/tests/data-sealing/retval: 
-------------------------------------------------------------------------------- 1 | 0 2 | -------------------------------------------------------------------------------- /examples/tests/long-nop/retval: -------------------------------------------------------------------------------- 1 | 12345 2 | -------------------------------------------------------------------------------- /sm/.gitignore: -------------------------------------------------------------------------------- 1 | build/ 2 | *.o 3 | *.d 4 | -------------------------------------------------------------------------------- /examples/tests/fibonacci/retval: -------------------------------------------------------------------------------- 1 | 14930352 2 | -------------------------------------------------------------------------------- /sdk/tests/test_binary/tests/.gitignore: -------------------------------------------------------------------------------- 1 | test 2 | -------------------------------------------------------------------------------- /examples/tests/long-nop/nop.s: -------------------------------------------------------------------------------- 1 | addi x0, x0, 0 2 | -------------------------------------------------------------------------------- /docs/.gitignore: -------------------------------------------------------------------------------- 1 | .*.swp 2 | build/ 3 | !.PLACEHOLDER 4 | -------------------------------------------------------------------------------- /sdk/include/host/keystone.h: -------------------------------------------------------------------------------- 1 | #include "Enclave.hpp" 2 | -------------------------------------------------------------------------------- /sdk/include/verifier/report.h: -------------------------------------------------------------------------------- 1 | #include "Report.hpp" 2 | -------------------------------------------------------------------------------- /overlays/keystone/external.desc: 
-------------------------------------------------------------------------------- 1 | name: KEYSTONE 2 | desc: Keystone Enclave 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | *.swp 3 | .venv/ 4 | build*/ 5 | riscv/ 6 | riscv64/ 7 | riscv32/ 8 | -------------------------------------------------------------------------------- /docs/requirements.txt: -------------------------------------------------------------------------------- 1 | Sphinx==6.1.3 2 | sphinx_rtd_theme==1.3.0 3 | recommonmark 4 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/src/uboot/keystone/sha3/Makefile: -------------------------------------------------------------------------------- 1 | obj-y += sha3.o -------------------------------------------------------------------------------- /overlays/keystone/boot/hss/Config.in: -------------------------------------------------------------------------------- 1 | config BR2_TARGET_HSS 2 | bool "Microchip HSS" 3 | -------------------------------------------------------------------------------- /runtime/.gitignore: -------------------------------------------------------------------------------- 1 | eyrie-rt 2 | .options_log 3 | *.o 4 | obj/ 5 | .exists 6 | .format-diff 7 | -------------------------------------------------------------------------------- /sdk/include/host/Elfloader.hpp: -------------------------------------------------------------------------------- 1 | #include "ElfFile.hpp" 2 | 3 | int parseElf(char* fileName); 4 | -------------------------------------------------------------------------------- /sdk/src/app/encret.s: -------------------------------------------------------------------------------- 1 | .globl EAPP_RETURN 2 | EAPP_RETURN: 3 | li a7, 1101 4 | ecall 5 | 6 | 
-------------------------------------------------------------------------------- /runtime/include/loader/loader.h: -------------------------------------------------------------------------------- 1 | #include "loader/elf.h" 2 | 3 | int loadElf(elf_t* elf, bool user); 4 | -------------------------------------------------------------------------------- /sdk/tests/test_binary/tests/stack/Makefile: -------------------------------------------------------------------------------- 1 | APP = stack 2 | APP_A_SRCS = stack.s 3 | include ../app.mk 4 | 5 | -------------------------------------------------------------------------------- /runtime/util/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | 2 | set(UTIL_SOURCES printf.c rt_util.c string.c) 3 | add_library(rt_util ${UTIL_SOURCES}) -------------------------------------------------------------------------------- /docs/source/Runtimes/seL4.rst: -------------------------------------------------------------------------------- 1 | Using seL4 as a Keystone Runtime 2 | ================================ 3 | 4 | Upcoming 5 | -------------------------------------------------------------------------------- /examples/hello/eapp/hello.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() 4 | { 5 | printf("hello, world!\n"); 6 | return 0; 7 | } 8 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/src/uboot/keystone.h: -------------------------------------------------------------------------------- 1 | /* 2 | * keystone.h 3 | */ 4 | 5 | int keystone_init(void); -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/src/uboot/keystone/ed25519/Makefile: -------------------------------------------------------------------------------- 1 | obj-y += fe.o ge.o keypair.o sc.o 
sign.o verify.o -------------------------------------------------------------------------------- /sm/tests/cmocka/libcmocka-static.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keystone-enclave/keystone/HEAD/sm/tests/cmocka/libcmocka-static.a -------------------------------------------------------------------------------- /runtime/loader/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | 2 | set(LOADER_SOURCES elf.c elf32.c elf64.c loader.c) 3 | add_library(rt_loader ${LOADER_SOURCES}) 4 | -------------------------------------------------------------------------------- /sm/src/platform/hifive/platform.h: -------------------------------------------------------------------------------- 1 | 2 | // No special data needed for default platform 3 | struct platform_enclave_data{ 4 | 5 | }; 6 | -------------------------------------------------------------------------------- /sm/tests/cmocka/libcmocka-static-32.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keystone-enclave/keystone/HEAD/sm/tests/cmocka/libcmocka-static-32.a -------------------------------------------------------------------------------- /runtime/test/mock.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #pragma once 6 | 7 | #include 8 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/src/uboot/keystone/Makefile: -------------------------------------------------------------------------------- 1 | # Keystone Secure Boot 2 | obj-y += keystone.o sha3/ ed25519/ 3 | 4 | -------------------------------------------------------------------------------- /sdk/.gitignore: -------------------------------------------------------------------------------- 1 | *.riscv 2 | 
*.eapp_riscv 3 | *.swp 4 | *.o 5 | *.a 6 | *~ 7 | *_entry.h 8 | bins/ 9 | build/ 10 | build64/ 11 | build32/ 12 | -------------------------------------------------------------------------------- /docs/source/_static/images/enclave_lifecycle.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keystone-enclave/keystone/HEAD/docs/source/_static/images/enclave_lifecycle.png -------------------------------------------------------------------------------- /docs/source/_static/images/keystone_overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keystone-enclave/keystone/HEAD/docs/source/_static/images/keystone_overview.png -------------------------------------------------------------------------------- /docs/source/_static/images/keystone_workflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keystone-enclave/keystone/HEAD/docs/source/_static/images/keystone_workflow.png -------------------------------------------------------------------------------- /docs/source/_static/images/sealing_key_deriv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keystone-enclave/keystone/HEAD/docs/source/_static/images/sealing_key_deriv.png -------------------------------------------------------------------------------- /sm/tests/mock/ipi.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void __wrap_send_and_sync_pmp_ipi(int region_idx, int type, uint8_t perm) 4 | { 5 | return; 6 | } 7 | -------------------------------------------------------------------------------- /examples/tests/long-nop/func_base.s: -------------------------------------------------------------------------------- 1 | addi sp, sp, -64 2 | li a0, 0xdeadbeef 3 | STORE a0, (sp) 4 | 
return: 5 | li a0, 12345 6 | li a7, 1101 7 | ecall 8 | -------------------------------------------------------------------------------- /docs/source/_static/images/keystone_key_hierarchy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keystone-enclave/keystone/HEAD/docs/source/_static/images/keystone_key_hierarchy.png -------------------------------------------------------------------------------- /docs/source/Getting-Started/Tutorials/Build-Enclave-App-Benchmark.rst: -------------------------------------------------------------------------------- 1 | Tutorial 3: Benchmarks (Incomplete) 2 | ====================================== 3 | 4 | Upcoming 5 | -------------------------------------------------------------------------------- /runtime/include/sys/env.h: -------------------------------------------------------------------------------- 1 | #ifndef __ENV_H__ 2 | #define __ENV_H__ 3 | 4 | #include "util/rt_elf.h" 5 | 6 | void* setup_start(void* _sp, ELF(Ehdr) *hdr); 7 | 8 | #endif 9 | -------------------------------------------------------------------------------- /overlays/keystone/package/keystone-sdk/Config.in.host: -------------------------------------------------------------------------------- 1 | config BR2_PACKAGE_HOST_KEYSTONE_SDK 2 | bool "Keystone SDK" 3 | help 4 | SDK for Keystone enclaves 5 | -------------------------------------------------------------------------------- /docs/source/Getting-Started/Tutorials/Build-Enclave-App-seL4.rst: -------------------------------------------------------------------------------- 1 | Tutorial 4: Build Enclave with seL4 (Incomplete) 2 | ================================================ 3 | 4 | Upcoming 5 | -------------------------------------------------------------------------------- /sdk/.prebuilt_tools_shasums: -------------------------------------------------------------------------------- 1 | 
05211edea5a47ebaf906ef4bed2c9609a93e8c6ad5e45f8c87678eabbfd424e7 1.0.tar.gz 2 | bdc9e3ec47ac461ecc7865609fda6b820439c36130e9da9275af010d9f4fe4bc 2.0.tar.gz 3 | -------------------------------------------------------------------------------- /overlays/keystone/configs/initramfs.txt: -------------------------------------------------------------------------------- 1 | dir /dev 755 0 0 2 | nod /dev/console 644 0 0 c 5 1 3 | nod /dev/null 644 0 0 c 1 3 4 | nod /dev/urandom 600 0 0 c 1 9 5 | slink /init /bin/busybox 755 0 0 6 | -------------------------------------------------------------------------------- /overlays/keystone/board/cva6/post-build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | cp -rf $BR2_EXTERNAL_KEYSTONE_PATH/board/cva6/cva6-sdk/rootfs/* $BUILDROOT_OVERLAYDIR/ | true 4 | 5 | # Install udev rules & systemd units 6 | -------------------------------------------------------------------------------- /docs/source/Getting-Started/How-Keystone-Works/index.rst: -------------------------------------------------------------------------------- 1 | How Keystone Works 2 | ========================================= 3 | 4 | .. 
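toctree:: 5 | :maxdepth: 2 6 | 7 | RISC-V-Background 8 | Keystone-Basics -------------------------------------------------------------------------------- /examples/tests/long-nop/generate_func.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat $5 > $2 4 | echo ".section .text" >> $2 5 | echo "eapp_entry:" >> $2 6 | echo "add:" >> $2 7 | yes "$(cat $3)" | head -n $1 >> $2 8 | cat $4 >> $2 9 | -------------------------------------------------------------------------------- /mkutils/args.mk: -------------------------------------------------------------------------------- 1 | 2 | ################ 3 | ## Seperators ## 4 | ################ 5 | 6 | null := 7 | space := $(null) # 8 | 9 | define SEPERATE_LIST 10 | $(subst $(space),$(1),$(strip $(2))) 11 | endef 12 | -------------------------------------------------------------------------------- /runtime/include/mm/page_swap.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | void 6 | pswap_init(void); 7 | 8 | void 9 | page_swap_epm(uintptr_t back_page, uintptr_t epm_page, uintptr_t swap_page); 10 | -------------------------------------------------------------------------------- /sm/plat/hifive/unmatched/objects.mk: -------------------------------------------------------------------------------- 1 | 2 | carray-platform_override_modules-y += hifive_unmatched 3 | platform-objs-y += ../hifive/unmatched/unmatched.o 4 | platform-cflags-y += -I$(src_dir)/platform/generic/sifive 5 | -------------------------------------------------------------------------------- /runtime/tmplib/uio.h: -------------------------------------------------------------------------------- 1 | #ifndef _UIO_H_ 2 | #define _UIO_H_ 3 | 4 | /* See Linux's include/uapi/linux/uio.h. This header includes nothing itself, so size_t must already be declared by the includer. */ 5 | struct iovec{ 6 | void* buffer_start; 7 | size_t len; 8 | }; /* terminating ';' added: without it the declaration runs into whatever follows the #include */ 9 | 10 | #endif /* _UIO_H_ */ 11 |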
-------------------------------------------------------------------------------- /bootrom/use_test_keys.h: -------------------------------------------------------------------------------- 1 | #include "test_dev_key.h" /* Statement fragment: overwrites sanctum_dev_secret_key / sanctum_dev_public_key with the fixed pair from test_dev_key.h. That pair is checked into the source tree, so a boot image built with this fragment has no secret device key. NOTE(review): presumably meant for development builds only; confirm how its inclusion is gated. */ 2 | memcpy(sanctum_dev_secret_key, _sanctum_dev_secret_key, _sanctum_dev_secret_key_len); 3 | memcpy(sanctum_dev_public_key, _sanctum_dev_public_key, _sanctum_dev_public_key_len); 4 | -------------------------------------------------------------------------------- /overlays/keystone/package/keystone-runtime/Config.in: -------------------------------------------------------------------------------- 1 | config BR2_PACKAGE_KEYSTONE_RUNTIME 2 | bool "Keystone Eyrie runtime" 3 | depends on BR2_PACKAGE_HOST_KEYSTONE_SDK 4 | help 5 | Eyrie runtime 6 | -------------------------------------------------------------------------------- /sdk/tests/test_binary/tests/stack/stack.s: -------------------------------------------------------------------------------- 1 | .section .text 2 | 3 | eapp_entry: 4 | add: 5 | addi sp, sp, -64 6 | li a0, 0xdeadbeef 7 | sd a0, (sp) 8 | return: 9 | li a0, 12345 10 | li a7, 1101 11 | ecall 12 | -------------------------------------------------------------------------------- /examples/tests/loop/loop.s: -------------------------------------------------------------------------------- 1 | .section .text 2 | 3 | eapp_entry: 4 | li a0, 10000000 5 | mv a1, zero 6 | loop: 7 | beq a0, a1, return 8 | addi a0, a0, -1 9 | j loop 10 | return: 11 | li a0, 54321 12 | li a7, 1101 13 | ecall 14 | -------------------------------------------------------------------------------- /overlays/keystone/boot/keystone-bootrom/Config.in: -------------------------------------------------------------------------------- 1 | config BR2_TARGET_KEYSTONE_BOOTROM 2 | bool "Keystone bootrom" 3 | help 4 | Minimal bootrom for keystone to test secure boot 5 | functionality. Based on Sanctum.
6 | -------------------------------------------------------------------------------- /overlays/keystone/package/keystone-driver/Config.in: -------------------------------------------------------------------------------- 1 | config BR2_PACKAGE_KEYSTONE_DRIVER 2 | bool "Keystone driver" 3 | depends on BR2_PACKAGE_HOST_KEYSTONE_SDK 4 | help 5 | Linux driver for the Keystone TEE system 6 | -------------------------------------------------------------------------------- /runtime/tmplib/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | 2 | set(TMPLIB_SOURCES uaccess.S) 3 | 4 | add_library(rt_tmplib ${TMPLIB_SOURCES}) 5 | target_compile_options(rt_tmplib PRIVATE -include partial_linkage.h) 6 | target_compile_definitions(rt_tmplib PRIVATE __ASSEMBLY__) -------------------------------------------------------------------------------- /overlays/keystone/board/mpfs/post-build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Add usb network interface 4 | 5 | cat <> $TARGET_DIR/etc/network/interfaces 6 | 7 | auto usb0 8 | iface usb0 inet dhcp 9 | pre-up /etc/network/nfs_check 10 | 11 | EOF 12 | -------------------------------------------------------------------------------- /examples/tests/long-nop/nop.h: -------------------------------------------------------------------------------- 1 | #if __riscv_xlen == 64 2 | # define STORE sd 3 | # define LOAD ld 4 | # define LOG_REGBYTES 3 5 | #elif __riscv_xlen == 32 6 | # define STORE sw 7 | # define LOAD lw 8 | # define LOG_REGBYTES 2 9 | #endif 10 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/extlinux.conf: -------------------------------------------------------------------------------- 1 | default buildroot 2 | label buildroot 3 | kernel /boot/Image.gz 4 | fdt /boot/hifive-unmatched-a00.dtb 5 | append root=/dev/mmcblk0p3 rootfstype=ext4 
rootwait console=ttySIF0,115200 earlycon 6 | -------------------------------------------------------------------------------- /overlays/keystone/board/cva6/configs/uboot-cva6.config: -------------------------------------------------------------------------------- 1 | CONFIG_MMC_WRITE=y 2 | CONFIG_BOOTCOMMAND="mmc info; mmc read 90000000 100000 10000; setenv fdt_high 0xffffffffffffffff; bootm 90000000 - $(fdtcontroladdr)" 3 | CONFIG_USE_BOOTARGS=y 4 | CONFIG_BOOTARGS="cma=128M" 5 | -------------------------------------------------------------------------------- /overlays/keystone/boot/keystone-sm/Config.in: -------------------------------------------------------------------------------- 1 | config BR2_TARGET_KEYSTONE_SM 2 | bool "Keystone security monitor" 3 | depends on BR2_PACKAGE_HOST_KEYSTONE_SDK 4 | help 5 | Keystone security monitor augmentations 6 | to OpenSBI 7 | -------------------------------------------------------------------------------- /scripts/grep.patterns: -------------------------------------------------------------------------------- 1 | # Detect bolded buildroot output lines 2 | \[7m>>>.*\[27m 3 | 4 | # Detect our own log output 5 | \[1m.*\[m 6 | 7 | # Detect make error messages 8 | make\(\[[0-9]*\]\)\?: \*\*\* \[.*\] Error [0-9]* 9 | 10 | # Detect dirclean lines 11 | rm -Rf .* 12 | -------------------------------------------------------------------------------- /sm/src/sm_assert.h: -------------------------------------------------------------------------------- 1 | #ifndef __SM_ASSERT_H__ 2 | 3 | #include 4 | #include 5 | 6 | #define sm_assert(cond) { \ 7 | if (!(cond)) { \ 8 | sbi_printf("[SM] assertion_failed\r\n"); \ 9 | sbi_hart_hang(); \ 10 | } \ 11 | } 12 | 13 | #endif 14 | -------------------------------------------------------------------------------- /overlays/keystone/board/mpfs/uboot-fragment-rootfs.config: -------------------------------------------------------------------------------- 1 | CONFIG_USE_BOOTARGS=y 2 | 
CONFIG_BOOTARGS="earlycon root=/dev/mmcblk0p3 rootwait uio_pdrv_genirq.of_id=generic-uio cma=128M@0x98000000 g_ether.host_addr=de:ad:be:ef:de:ad g_ether.dev_addr=de:ad:ca:fe:d0:0d" 3 | CONFIG_MPFS_PRIORITISE_QSPI_BOOT=n 4 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/src/uboot/keystone/keystone_use_test_keys.h: -------------------------------------------------------------------------------- 1 | #include "keystone_test_dev_key.h" 2 | memcpy(sanctum_dev_secret_key, _sanctum_dev_secret_key, _sanctum_dev_secret_key_len); 3 | memcpy(sanctum_dev_public_key, _sanctum_dev_public_key, _sanctum_dev_public_key_len); -------------------------------------------------------------------------------- /sdk/.clang-format: -------------------------------------------------------------------------------- 1 | BasedOnStyle: Google 2 | IndentWidth: 2 3 | TabWidth: 2 4 | ColumnLimit: 80 5 | AlignAfterOpenBracket: AlwaysBreak 6 | AlwaysBreakAfterReturnType: TopLevel 7 | DerivePointerAlignment: false 8 | PointerAlignment: Left 9 | AlignConsecutiveAssignments: true 10 | SpacesInAngles: false 11 | -------------------------------------------------------------------------------- /runtime/.clang-format: -------------------------------------------------------------------------------- 1 | BasedOnStyle: Google 2 | IndentWidth: 2 3 | TabWidth: 2 4 | ColumnLimit: 80 5 | AlignAfterOpenBracket: AlwaysBreak 6 | AlwaysBreakAfterReturnType: TopLevel 7 | DerivePointerAlignment: false 8 | PointerAlignment: Left 9 | AlignConsecutiveAssignments: true 10 | SpacesInAngles: false 11 | -------------------------------------------------------------------------------- /sm/tests/mock/secure_boot.c: -------------------------------------------------------------------------------- 1 | #include "crypto.h" 2 | 3 | byte __wrap_sanctum_sm_hash[MDSIZE]; 4 | byte __wrap_sanctum_sm_signature[SIGNATURE_SIZE]; 5 | byte 
__wrap_sanctum_sm_public_key[PRIVATE_KEY_SIZE]; 6 | byte __wrap_sanctum_sm_secret_key[PUBLIC_KEY_SIZE]; 7 | byte __wrap_sanctum_dev_public_key[PUBLIC_KEY_SIZE]; 8 | -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | # Building Docs 2 | 3 | ``` 4 | sudo pip install -r requirements.txt 5 | make html 6 | ``` 7 | 8 | # Local Hosting 9 | 10 | You can locally host the built doc by running 11 | 12 | ``` 13 | python2 -m SimpleHTTPServer 14 | ``` 15 | 16 | or 17 | 18 | ``` 19 | python3 -m http.server 20 | ``` 21 | 22 | -------------------------------------------------------------------------------- /sm/src/platform/sifive/fu540/platform.c: -------------------------------------------------------------------------------- 1 | #include "fu540_internal.c" 2 | #include "waymasks.c" 3 | 4 | uint64_t platform_random(){ 5 | #pragma message("Platform has no entropy source, this is unsafe. TEST ONLY") 6 | unsigned long cycles; 7 | asm volatile ("rdcycle %0" : "=r" (cycles)); 8 | return cycles; 9 | } 10 | -------------------------------------------------------------------------------- /bootrom/ed25519/sc.h: -------------------------------------------------------------------------------- 1 | #ifndef SC_H 2 | #define SC_H 3 | 4 | /* 5 | The set of scalars is \Z/l 6 | where l = 2^252 + 27742317777372353535851937790883648493. 7 | */ 8 | 9 | void sc_reduce(unsigned char *s); 10 | void sc_muladd(unsigned char *s, const unsigned char *a, const unsigned char *b, const unsigned char *c); 11 | 12 | #endif 13 | -------------------------------------------------------------------------------- /sm/src/ed25519/sc.h: -------------------------------------------------------------------------------- 1 | #ifndef SC_H 2 | #define SC_H 3 | 4 | /* 5 | The set of scalars is \Z/l 6 | where l = 2^252 + 27742317777372353535851937790883648493. 
7 | */ 8 | 9 | void sc_reduce(unsigned char *s); 10 | void sc_muladd(unsigned char *s, const unsigned char *a, const unsigned char *b, const unsigned char *c); 11 | 12 | #endif 13 | -------------------------------------------------------------------------------- /sdk/tests/scripts/setup_test.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | DIR="/usr/src/gtest" 3 | if [ ! -d "$DIR" ]; then 4 | apt-get -y install libgtest-dev 5 | fi 6 | prevdir=$(pwd) 7 | GLIB=$DIR/libgtest.so 8 | if [ ! -d "$GLIB" ]; then 9 | cd $DIR 10 | cmake CMakeLists.txt -DBUILD_SHARED_LIBS=ON 11 | make 12 | cp *.so /usr/lib 13 | cd $prevdir 14 | fi 15 | -------------------------------------------------------------------------------- /sm/src/plugins/multimem.h: -------------------------------------------------------------------------------- 1 | #ifndef __SM_MULTIMEM_H__ 2 | #define __SM_MULTIMEM_H__ 3 | 4 | #include "plugins/plugins.h" 5 | #include "enclave.h" 6 | 7 | #define MULTIMEM_GET_OTHER_REGION_SIZE 0x1 8 | #define MULTIMEM_GET_OTHER_REGION_ADDR 0x2 9 | 10 | uintptr_t do_sbi_multimem(enclave_id id, uintptr_t call_id, uintptr_t arg0); 11 | 12 | #endif 13 | -------------------------------------------------------------------------------- /docs/source/Runtimes/Eyrie.rst: -------------------------------------------------------------------------------- 1 | The Eyrie Modular Runtime 2 | ========================= 3 | 4 | Upcoming 5 | 6 | The Eyrie runtime is not a submodule of Keystone or the Keystone SDK 7 | git repositories. It is versioned independently and should be manually 8 | updated when needed. 9 | 10 | See build :doc:`instructions`. 
11 | -------------------------------------------------------------------------------- /overlays/keystone/package/keystone-examples/Config.in: -------------------------------------------------------------------------------- 1 | config BR2_PACKAGE_KEYSTONE_EXAMPLES 2 | bool "Keystone examples" 3 | depends on BR2_PACKAGE_HOST_KEYSTONE_SDK 4 | depends on BR2_PACKAGE_KEYSTONE_RUNTIME 5 | help 6 | Example applications for Keystone, showing a variety 7 | of functionalities and features 8 | -------------------------------------------------------------------------------- /docs/source/Getting-Started/QEMU-Setup-Repository.rst: -------------------------------------------------------------------------------- 1 | Setup Repository 2 | ---------------------------- 3 | 4 | Keystone uses submodule vendoring to manage dependencies to Buildroot and CMocka. 5 | 6 | Clone the submodules with the following command: 7 | 8 | :: 9 | 10 | git clone --recurse-submodules https://github.com/keystone-enclave/keystone.git 11 | -------------------------------------------------------------------------------- /sdk/.post-install/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | install(CODE "message(\"\n * Keystone SDK has been installed at ${out_dir}\")") 2 | install(CODE "message(\" * Use `make uninstall` to uninstall\")") 3 | install(CODE "message(\" * Please add the following to your shell's start-up file (e.g., $HOME/.bashrc)\")") 4 | install(CODE "message(\" export KEYSTONE_SDK_DIR=${out_dir}\")") 5 | -------------------------------------------------------------------------------- /runtime/call/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | 2 | set(CALL_SOURCES sbi.c syscall.c) 3 | 4 | if(LINUX_SYSCALL) 5 | list(APPEND CALL_SOURCES linux_wrap.c) 6 | endif() 7 | 8 | if(IO_SYSCALL) 9 | list(APPEND CALL_SOURCES io_wrap.c) 10 | endif() 11 | 12 | if(NET_SYSCALL) 13 | list(APPEND CALL_SOURCES 
net_wrap.c) 14 | endif() 15 | 16 | add_library(rt_call STATIC ${CALL_SOURCES}) 17 | -------------------------------------------------------------------------------- /runtime/crypto/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | 2 | set(CRYPTO_SOURCES "") 3 | 4 | if(PAGE_CRYPTO) 5 | list(APPEND CRYPTO_SOURCES aes.c) 6 | endif() 7 | 8 | if(PAGE_HASH) 9 | list(APPEND CRYPTO_SOURCES sha256.c merkle.c) 10 | endif() 11 | 12 | if(NOT CRYPTO_SOURCES) 13 | list(APPEND CRYPTO_SOURCES ../util/empty.c) 14 | endif() 15 | 16 | add_library(rt_crypto ${CRYPTO_SOURCES}) -------------------------------------------------------------------------------- /sdk/include/verifier/ed25519/sc.h: -------------------------------------------------------------------------------- 1 | #ifndef SC_H 2 | #define SC_H 3 | 4 | /* 5 | The set of scalars is \Z/l 6 | where l = 2^252 + 27742317777372353535851937790883648493. 7 | */ 8 | 9 | void 10 | sc_reduce(unsigned char* s); 11 | void 12 | sc_muladd( 13 | unsigned char* s, const unsigned char* a, const unsigned char* b, 14 | const unsigned char* c); 15 | 16 | #endif 17 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/src/uboot/keystone/ed25519/sc.h: -------------------------------------------------------------------------------- 1 | #ifndef SC_H 2 | #define SC_H 3 | 4 | /* 5 | The set of scalars is \Z/l 6 | where l = 2^252 + 27742317777372353535851937790883648493. 7 | */ 8 | 9 | void sc_reduce(unsigned char *s); 10 | void sc_muladd(unsigned char *s, const unsigned char *a, const unsigned char *b, const unsigned char *c); 11 | 12 | #endif 13 | -------------------------------------------------------------------------------- /bootrom/bootloader.lds: -------------------------------------------------------------------------------- 1 | OUTPUT_ARCH( "riscv" ) 2 | 3 | ENTRY( _entry ) 4 | 5 | SECTIONS 6 | { 7 | . 
= 0x1000; /* boot loader lives in boot ROM after the device tree */ 8 | PROVIDE( reset_vector = . ); 9 | .text : 10 | { 11 | PROVIDE( _entry = . ); 12 | *(.reset) 13 | *(*) 14 | } 15 | . = ALIGN(4); 16 | PROVIDE( _dtb = . ); 17 | } 18 | 19 | INCLUDE sanctum_params.lds 20 | -------------------------------------------------------------------------------- /runtime/include/util/string.h: -------------------------------------------------------------------------------- 1 | #ifndef __STRING_H__ 2 | #define __STRING_H__ 3 | #include 4 | #include 5 | void* memcpy(void* dest, const void* src, size_t len); 6 | void* memset(void* dest, int byte, size_t len); 7 | int memcmp(const void* ptr1, const void* ptr2, size_t len); 8 | int strcmp (const char *p1, const char *p2); 9 | size_t strlen (const char *str); 10 | #endif 11 | -------------------------------------------------------------------------------- /sdk/src/verifier/keys.cpp: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
4 | //------------------------------------------------------------------------------ 5 | #include 6 | 7 | PublicKey::PublicKey(std::string hexstr) {} 8 | -------------------------------------------------------------------------------- /sm/plat/fpga/ariane/config.mk: -------------------------------------------------------------------------------- 1 | include $(src_dir)/platform/$(PLATFORM)/config.mk 2 | 3 | ifeq ($(KEYSTONE_SM),) 4 | $(error KEYSTONE_SM not defined for SM) 5 | endif 6 | 7 | ifeq ($(KEYSTONE_SDK_DIR),) 8 | $(error KEYSTONE_SDK_DIR not defined) 9 | endif 10 | 11 | platform-cflags-y = -I$(KEYSTONE_SM)/src -I$(src_dir)/platform/$(PLATFORM)/include \ 12 | -I$(KEYSTONE_SDK_DIR)/include/shared 13 | -------------------------------------------------------------------------------- /docs/source/Getting-Started/Tutorials/index.rst: -------------------------------------------------------------------------------- 1 | Tutorials 2 | ========= 3 | 4 | Keystone has several tutorials on building different applications and 5 | benchmarks. More will be added over time. 6 | 7 | .. 
toctree:: 8 | :maxdepth: 1 9 | 10 | Build-Enclave-App-Hello-World 11 | Build-Enclave-App-Hello-World-Native 12 | Build-Enclave-App-Benchmark 13 | Build-Enclave-App-seL4 14 | Remote-Attestation 15 | -------------------------------------------------------------------------------- /runtime/include/util/rt_elf.h: -------------------------------------------------------------------------------- 1 | #ifndef __RT_ELF_H__ 2 | #define __RT_ELF_H__ 3 | 4 | #include "util/elf.h" 5 | 6 | /* Internal helper macros */ 7 | #define _strip(X) X 8 | #define __elf(type, len) Elf##len##_##type 9 | #define _elf(type, len) __elf(type, len) 10 | 11 | /* Convenience macros so we don't have to ifdef on __riscv_xlen */ 12 | #define ELF(type) _elf(type, _strip(__riscv_xlen)) 13 | 14 | #endif // __RT_ELF_H__ 15 | -------------------------------------------------------------------------------- /sdk/include/app/string.h: -------------------------------------------------------------------------------- 1 | #ifndef __STRING_H__ 2 | #define __STRING_H__ 3 | #include 4 | #include 5 | void* 6 | memcpy(void* dest, const void* src, size_t len); 7 | void* 8 | memset(void* dest, int byte, size_t len); 9 | int 10 | memcmp(const void* ptr1, const void* ptr2, size_t len); 11 | void* 12 | memmove(void* dest, const void* src, size_t count); 13 | size_t 14 | strlen(char* str); 15 | 16 | #endif 17 | -------------------------------------------------------------------------------- /examples/tests/stack/stack.S: -------------------------------------------------------------------------------- 1 | #if __riscv_xlen == 64 2 | # define STORE sd 3 | # define LOAD ld 4 | # define LOG_REGBYTES 3 5 | #elif __riscv_xlen == 32 6 | # define STORE sw 7 | # define LOAD lw 8 | # define LOG_REGBYTES 2 9 | #endif 10 | 11 | .section .text 12 | 13 | eapp_entry: 14 | add: 15 | addi sp, sp, -64 16 | li a0, 0xdeadbeef 17 | STORE a0, (sp) 18 | return: 19 | li a0, 12345 20 | li a7, 1101 21 | ecall 22 | 
-------------------------------------------------------------------------------- /sdk/include/shared/eyrie_call.h: -------------------------------------------------------------------------------- 1 | #ifndef __EYRIE_CALL_H__ 2 | #define __EYRIE_CALL_H__ 3 | 4 | #define RUNTIME_SYSCALL_UNKNOWN 1000 5 | #define RUNTIME_SYSCALL_OCALL 1001 6 | #define RUNTIME_SYSCALL_SHAREDCOPY 1002 7 | #define RUNTIME_SYSCALL_ATTEST_ENCLAVE 1003 8 | #define RUNTIME_SYSCALL_GET_SEALING_KEY 1004 9 | #define RUNTIME_SYSCALL_EXIT 1101 10 | 11 | #endif // __EYRIE_CALL_H__ 12 | -------------------------------------------------------------------------------- /sm/plat/hifive/unmatched/unmatched.c: -------------------------------------------------------------------------------- 1 | #include "fu740.c" 2 | #include "sm.h" 3 | 4 | static int unmatched_final_init(bool cold_boot, const struct fdt_match *match) { 5 | sm_init(cold_boot); 6 | return sifive_fu740_final_init(cold_boot, match); 7 | } 8 | 9 | const struct platform_override hifive_unmatched = { 10 | .match_table = sifive_fu740_match, 11 | .tlbr_flush_limit = sifive_fu740_tlbr_flush_limit, 12 | .final_init = unmatched_final_init 13 | }; 14 | -------------------------------------------------------------------------------- /bootrom/ed25519/keypair.c: -------------------------------------------------------------------------------- 1 | #include "ed25519.h" 2 | #include "sha3/sha3.h" 3 | #include "ge.h" 4 | 5 | 6 | void ed25519_create_keypair(unsigned char *public_key, unsigned char *private_key, const unsigned char *seed) { 7 | ge_p3 A; 8 | 9 | sha3(seed, 32, private_key, 64); 10 | private_key[0] &= 248; 11 | private_key[31] &= 63; 12 | private_key[31] |= 64; 13 | 14 | ge_scalarmult_base(&A, private_key); 15 | ge_p3_tobytes(public_key, &A); 16 | } 17 | -------------------------------------------------------------------------------- /sm/src/ed25519/keypair.c: -------------------------------------------------------------------------------- 1 | 
#include "ed25519.h" 2 | #include "../sha3/sha3.h" 3 | #include "ge.h" 4 | 5 | 6 | void ed25519_create_keypair(unsigned char *public_key, unsigned char *private_key, const unsigned char *seed) { 7 | ge_p3 A; 8 | 9 | sha3(seed, 32, private_key, 64); 10 | private_key[0] &= 248; 11 | private_key[31] &= 63; 12 | private_key[31] |= 64; 13 | 14 | ge_scalarmult_base(&A, private_key); 15 | ge_p3_tobytes(public_key, &A); 16 | } 17 | -------------------------------------------------------------------------------- /docs/source/Getting-Started/Running-Keystone-with-QEMU.rst: -------------------------------------------------------------------------------- 1 | Testing Keystone with QEMU 2 | ==================================== 3 | 4 | `QEMU `_ is an open source machine emulator with support for RISC-V. 5 | 6 | Follow the instructions below to setup a QEMU environment for testing Keystone. 7 | 8 | .. toctree:: 9 | :maxdepth: 1 10 | 11 | ./QEMU-Setup-Repository 12 | ./QEMU-Install-Dependencies 13 | ./QEMU-Compile-Sources 14 | ./QEMU-Run-Tests 15 | -------------------------------------------------------------------------------- /sm/src/platform/sifive/fu540/platform.h: -------------------------------------------------------------------------------- 1 | #ifndef _FU540_H_ 2 | #define _FU540_H_ 3 | 4 | #include "waymasks.h" 5 | 6 | struct platform_enclave_data { 7 | /* 0 means don't do cache partitioning. Otherwise the number of ways 8 | required. 
*/ 9 | size_t num_ways; 10 | /* Used if there is a waymask needed (>0 num_ways)*/ 11 | waymask_t saved_mask; 12 | 13 | /* 0 for doesn't use scratchpad, 1 for does */ 14 | int use_scratch; 15 | }; 16 | 17 | #endif /* _FU540_H_ */ 18 | -------------------------------------------------------------------------------- /sm/src/plugins/plugins.h: -------------------------------------------------------------------------------- 1 | #ifndef __SM_PLUGINS_H__ 2 | #define __SM_PLUGINS_H__ 3 | 4 | #include "../sm.h" 5 | #include "../enclave.h" 6 | 7 | /* PLUGIN IDs */ 8 | #define PLUGIN_ID_MULTIMEM 0x1 9 | 10 | #ifdef PLUGIN_ENABLE_MULTIMEM 11 | #include "plugins/multimem.h" 12 | #endif 13 | 14 | uintptr_t 15 | call_plugin( 16 | enclave_id id, 17 | uintptr_t plugin_id, 18 | uintptr_t call_id, 19 | uintptr_t arg0, 20 | uintptr_t arg1 21 | ); 22 | 23 | #endif 24 | -------------------------------------------------------------------------------- /runtime/tmplib/README: -------------------------------------------------------------------------------- 1 | This is a temporary way to handle files/features from linux that we need. 2 | 3 | Files taken from riscv-linux: 4 | arch/riscv/lib/uaccess.S -> uaccess.S 5 | arch/riscv/include/asm/asm.h-> asm/asm.h 6 | arch/riscv/include/asm/csr.h-> asm/csr.h 7 | arch/riscv/include/asm/linkage.h -> asm/linkage.h 8 | include/uapi/linux/const.h -> linux/const.h 9 | include/linux/linkage.h -> linux/linkage.h 10 | 11 | Files containing modified linux bits: 12 | partial_linkage.h 13 | uaccess.h -------------------------------------------------------------------------------- /sm/src/safe_math_util.h: -------------------------------------------------------------------------------- 1 | #ifndef _SAFE_MATH_UTIL_H_ 2 | #define _SAFE_MATH_UTIL_H_ 3 | 4 | // TODO: We may want to add checks for GCC/Clang version. We also want 5 | // to add wrappers for other checked math functions. 
6 | 7 | #if __riscv_xlen == 32 8 | #define CHECKED_ADD(a, b, out) (__builtin_uadd_overflow(a, b, (unsigned int*) out)) 9 | #else 10 | #define CHECKED_ADD(a, b, out) (__builtin_uaddl_overflow(a, b, (unsigned long int*) out)) 11 | #endif 12 | 13 | #endif /* _SAFE_MATH_UTIL_H_ */ 14 | -------------------------------------------------------------------------------- /sdk/src/verifier/ed25519/keypair.c: -------------------------------------------------------------------------------- 1 | #include "common/sha3.h" 2 | #include "ed25519/ed25519.h" 3 | #include "ed25519/ge.h" 4 | 5 | void 6 | ed25519_create_keypair( 7 | unsigned char* public_key, unsigned char* private_key, 8 | const unsigned char* seed) { 9 | ge_p3 A; 10 | 11 | sha3(seed, 32, private_key, 64); 12 | private_key[0] &= 248; 13 | private_key[31] &= 63; 14 | private_key[31] |= 64; 15 | 16 | ge_scalarmult_base(&A, private_key); 17 | ge_p3_tobytes(public_key, &A); 18 | } 19 | -------------------------------------------------------------------------------- /overlays/keystone/patches/opensbi/opensbi-change-basename.patch: -------------------------------------------------------------------------------- 1 | diff --git a/Makefile b/Makefile 2 | index f619ef7..9a4bdef 100644 3 | --- a/Makefile 4 | +++ b/Makefile 5 | 
@@ -46,7 +46,7 @@ ifdef PLATFORM_DIR 6 | ifdef PLATFORM 7 | platform_parent_dir=$(platform_dir_path) 8 | else 9 | - PLATFORM=$(shell basename $(platform_dir_path)) 10 | + PLATFORM=$(notdir $(basename $(platform_dir_path))) 11 | platform_parent_dir=$(subst $(PLATFORM),,$(platform_dir_path)) 12 | endif 13 | else 14 | -------------------------------------------------------------------------------- /scripts/ci/configs/global.sh: -------------------------------------------------------------------------------- 1 | 2 | ####################################################### 3 | ## Globally known parameters (not machine dependent) ## 4 | ####################################################### 5 | 6 | # mpfs 7 | export TTY_IDVENDOR_mpfs="10c4" 8 | export TTY_IDPRODUCT_mpfs="ea71" 9 | 10 | # cva6 11 | export TTY_IDVENDOR_cva6="0403" 12 | export TTY_IDPRODUCT_cva6="6001" 13 | 14 | # hifive_unmatched 15 | export TTY_IDVENDOR_hifive_unmatched="0403" 16 | export TTY_IDPRODUCT_hifive_unmatched="6010" 17 | -------------------------------------------------------------------------------- /examples/tests/app.lds: -------------------------------------------------------------------------------- 1 | OUTPUT_ARCH( "riscv" ) 2 | 3 | SECTIONS 4 | { 5 | . = 0x00001000; 6 | .text : { 7 | *(.text._start) 8 | *(.text) 9 | } 10 | . = ALIGN(0x1000); 11 | .rodata : 12 | { 13 | *(.rdata) 14 | *(.rodata) 15 | } 16 | .data : { *(.data) } 17 | .bss : { *(.bss) } 18 | .debug : { *(.debug) } 19 | 20 | . = ALIGN(0x1000); 21 | .malloc_zone : 22 | { 23 | __malloc_start = .; 24 | . = . 
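Review bot: In the opensbi-change-basename.patch hunk, the new `PLATFORM=$(notdir $(basename $(platform_dir_path)))` is not equivalent to the shell `basename` call it replaces. GNU make's `$(basename ...)` strips the file suffix, not the directory part, so a platform directory whose name contains a period (a constructed example: `board.v2`) would yield `board`, and the following `$(subst $(PLATFORM),,$(platform_dir_path))` would then leave `.v2` in `platform_parent_dir`. `$(notdir ...)` alone is the make counterpart of the shell command: `PLATFORM=$(notdir $(platform_dir_path))`. If `platform_dir_path` can end in a slash, `$(notdir ...)` returns an empty string, so `PLATFORM=$(notdir $(patsubst %/,%,$(platform_dir_path)))` would be the safer form; how the path is normalised is not visible in this hunk. The enclosing `ifdef PLATFORM_DIR` block starts and ends outside the hunk.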
+ 4096; 25 | __malloc_zone_stop = .; 26 | } 27 | _end = .; 28 | } 29 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/src/uboot/keystone/ed25519/keypair.c: -------------------------------------------------------------------------------- 1 | #include "ed25519.h" 2 | #include "../sha3/sha3.h" 3 | #include "ge.h" 4 | 5 | 6 | void ed25519_create_keypair(unsigned char *public_key, unsigned char *private_key, const unsigned char *seed) { 7 | ge_p3 A; 8 | 9 | sha3(seed, 32, private_key, 64); 10 | private_key[0] &= 248; 11 | private_key[31] &= 63; 12 | private_key[31] |= 64; 13 | 14 | ge_scalarmult_base(&A, private_key); 15 | ge_p3_tobytes(public_key, &A); 16 | } 17 | -------------------------------------------------------------------------------- /sdk/tests/test_binary/tests/app.lds: -------------------------------------------------------------------------------- 1 | OUTPUT_ARCH( "riscv" ) 2 | 3 | SECTIONS 4 | { 5 | . = 0x00001000; 6 | .text : { 7 | *(.text._start) 8 | *(.text) 9 | } 10 | . = ALIGN(0x1000); 11 | .rodata : 12 | { 13 | *(.rdata) 14 | *(.rodata) 15 | } 16 | .data : { *(.data) } 17 | .bss : { *(.bss) } 18 | .debug : { *(.debug) } 19 | 20 | . = ALIGN(0x1000); 21 | .malloc_zone : 22 | { 23 | __malloc_start = .; 24 | . = . + 4096; 25 | __malloc_zone_stop = .; 26 | } 27 | _end = .; 28 | } 29 | -------------------------------------------------------------------------------- /examples/tests/data-sealing/data-sealing.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2020 Fraunhofer AISEC 3 | * Authors: Benedikt Kopf 4 | * Lukas Auer 5 | * Mathias Morbitzer 6 | * 7 | * data-sealing.h 8 | * 9 | * All Rights Reserved. See LICENSE for license details. 
10 | */ 11 | 12 | #include "app/sealing.h" 13 | 14 | #define OCALL_PRINT_BUFFER 1 15 | 16 | unsigned long ocall_print_buffer(char *data, size_t data_len); 17 | -------------------------------------------------------------------------------- /sm/plat/generic/config.mk: -------------------------------------------------------------------------------- 1 | # Here, we just include the config.mk from the standard generic implementation 2 | include $(src_dir)/platform/$(PLATFORM)/config.mk 3 | 4 | # We do need to make sure to include headers for the SM 5 | ifeq ($(KEYSTONE_SM),) 6 | $(error KEYSTONE_SM not defined for SM) 7 | endif 8 | 9 | ifeq ($(KEYSTONE_SDK_DIR),) 10 | $(error KEYSTONE_SDK_DIR not defined) 11 | endif 12 | 13 | platform-cflags-y = -I$(KEYSTONE_SM)/src -I$(src_dir)/platform/$(PLATFORM)/include \ 14 | -I$(KEYSTONE_SDK_DIR)/include/shared 15 | -------------------------------------------------------------------------------- /docs/source/Getting-Started/Running-Keystone-on-Hardware.rst: -------------------------------------------------------------------------------- 1 | Example Hardware Deployment 2 | =========================== 3 | 4 | Currently we support the following boards: 5 | 6 | - CVA6 (Tape-out, Simulation, FPGA Emulation) 7 | - Project page: https://github.com/openhwgroup/cva6 8 | - :doc:`Keystone deployment guidec` 9 | 10 | - SiFive HiFive Unleashed (Development Board) 11 | - Product page: https://www.sifive.com/boards/hifive-unleashed 12 | - :doc:`Keystone deployment guidec` 13 | 14 | -------------------------------------------------------------------------------- /sdk/src/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | include(${src_dir}/macros.cmake) 2 | 3 | set(libmodules app edge host verifier) 4 | set(enabled_libmodules app edge host verifier) 5 | 6 | # Common 7 | file(GLOB_RECURSE 8 | COMMON_SOURCE_FILES 9 | common/*.[c|cpp]) 10 | 11 | foreach(module ${enabled_libmodules}) 12 | 
add_subdirectory(${module}) 13 | endforeach() 14 | 15 | install(DIRECTORY ${CMAKE_SOURCE_DIR}/include/common 16 | DESTINATION ${out_dir}/include) 17 | install(DIRECTORY ${CMAKE_SOURCE_DIR}/include/shared 18 | DESTINATION ${out_dir}/include) 19 | -------------------------------------------------------------------------------- /examples/tests/malloc/malloc.c: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #include "app/eapp_utils.h" 6 | #include "malloc.h" 7 | 8 | void EAPP_ENTRY eapp_entry(){ 9 | int arg; 10 | int* ptr = (int*) malloc(sizeof(int)); 11 | *ptr = 11411; 12 | arg = *ptr; 13 | 14 | EAPP_RETURN(arg); 15 | } 16 | -------------------------------------------------------------------------------- /overlays/keystone/Config.in: -------------------------------------------------------------------------------- 1 | 2 | # Bootloaders 3 | source "$BR2_EXTERNAL_KEYSTONE_PATH/boot/keystone-bootrom/Config.in" 4 | source "$BR2_EXTERNAL_KEYSTONE_PATH/boot/keystone-sm/Config.in" 5 | source "$BR2_EXTERNAL_KEYSTONE_PATH/boot/hss/Config.in" 6 | 7 | # Packages 8 | source "$BR2_EXTERNAL_KEYSTONE_PATH/package/keystone-driver/Config.in" 9 | source "$BR2_EXTERNAL_KEYSTONE_PATH/package/keystone-sdk/Config.in.host" 10 | source "$BR2_EXTERNAL_KEYSTONE_PATH/package/keystone-runtime/Config.in" 11 | source "$BR2_EXTERNAL_KEYSTONE_PATH/package/keystone-examples/Config.in" 12 | -------------------------------------------------------------------------------- /overlays/keystone/board/cva6/post-image.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if [ $# -ne 2 ]; then 4 | echo "usage: 
post-image.sh " 5 | exit 1 6 | fi 7 | 8 | if [ $2 -eq 32 ]; then 9 | UIMAGE_ADDRESS=0x80400000 10 | elif [ $2 -eq 64 ]; then 11 | UIMAGE_ADDRESS=0x80200000 12 | else 13 | echo "invalid xlen" 14 | exit 1 15 | fi 16 | 17 | # Generate uboot image 18 | gzip -9 -k --force $1/Image > $1/Image.gz 19 | $BUILDROOT_BUILDDIR/host/bin/mkimage -A riscv -O linux -T kernel -a $UIMAGE_ADDRESS -e $UIMAGE_ADDRESS -C gzip -n "CV$2A6Linux" -d $1/Image.gz $1/uImage 20 | -------------------------------------------------------------------------------- /runtime/include/sys/interrupt.h: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #ifndef _INTERRUPT_H_ 6 | #define _INTERRUPT_H_ 7 | 8 | #define INTERRUPT_CAUSE_SOFTWARE 1 9 | #define INTERRUPT_CAUSE_TIMER 5 10 | #define INTERRUPT_CAUSE_EXTERNAL 9 11 | 12 | void init_timer(void); 13 | 14 | #endif 15 | -------------------------------------------------------------------------------- /overlays/keystone/package/keystone-driver/keystone-driver.mk: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # Keystone driver 4 | # 5 | ################################################################################ 6 | 7 | ifeq ($(KEYSTONE_DRIVER),) 8 | $(error KEYSTONE_DRIVER directory not defined) 9 | else 10 | include $(KEYSTONE)/mkutils/pkg-keystone.mk 11 | endif 12 | 13 | KEYSTONE_DRIVER_DEPENDENCIES += host-keystone-sdk 14 | 15 | $(eval $(keystone-package)) 16 | $(eval $(kernel-module)) 17 | $(eval $(generic-package)) 18 | 
-------------------------------------------------------------------------------- /runtime/include/util/rt_util.h: -------------------------------------------------------------------------------- 1 | #ifndef _RT_UTIL_H_ 2 | #define _RT_UTIL_H_ 3 | 4 | #include 5 | 6 | #include "util/regs.h" 7 | #include "mm/vm_defs.h" 8 | 9 | #define FATAL_DEBUG 10 | 11 | size_t rt_util_getrandom(void* vaddr, size_t buflen); 12 | void not_implemented_fatal(struct encl_ctx* ctx); 13 | void rt_util_misc_fatal(); 14 | void rt_page_fault(struct encl_ctx* ctx); 15 | void tlb_flush(void); 16 | 17 | extern unsigned char rt_copy_buffer_1[RISCV_PAGE_SIZE]; 18 | extern unsigned char rt_copy_buffer_2[RISCV_PAGE_SIZE]; 19 | 20 | #endif /* _RT_UTIL_H_ */ 21 | -------------------------------------------------------------------------------- /scripts/ci/utils/wait_for.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 -u 2 | 3 | import sys 4 | import os 5 | 6 | if len(sys.argv) != 3: 7 | print('usage: wait_for.py [file] [pattern]') 8 | exit(1) 9 | 10 | file = open(sys.argv[1], 'rb', buffering=0) 11 | file.seek(0, os.SEEK_END) 12 | pattern = sys.argv[2].encode('utf-8') 13 | 14 | index = 0 15 | while True: 16 | if index == len(pattern): 17 | exit(0) 18 | 19 | n = os.read(file.fileno(), 1) 20 | if n is None: 21 | exit(1) 22 | 23 | if len(n) > 0: 24 | if n[0] == pattern[index]: 25 | index += 1 26 | else: 27 | index = 0 28 | -------------------------------------------------------------------------------- /scripts/ci/plat/cva6/expected.log: -------------------------------------------------------------------------------- 1 | Verifying archive integrity... MD5 checksums are OK. All good. 
2 | Uncompressing Keystone Enclave Package 3 | testing test-stack 4 | testing test-loop 5 | testing test-malloc 6 | testing test-long-nop 7 | testing test-fibonacci 8 | testing test-fib-bench 9 | testing test-attestation 10 | Attestation report is invalid 11 | testing test-untrusted 12 | Enclave said: hello world! 13 | Enclave said: 2nd hello world! 14 | Enclave said value: 13 15 | Enclave said value: 20 16 | testing test-data-sealing 17 | Enclave said: Sealing key derivation successful! 18 | -------------------------------------------------------------------------------- /scripts/ci/plat/mpfs/expected.log: -------------------------------------------------------------------------------- 1 | Verifying archive integrity... MD5 checksums are OK. All good. 2 | Uncompressing Keystone Enclave Package 3 | testing test-stack 4 | testing test-loop 5 | testing test-malloc 6 | testing test-long-nop 7 | testing test-fibonacci 8 | testing test-fib-bench 9 | testing test-attestation 10 | Attestation report is invalid 11 | testing test-untrusted 12 | Enclave said: hello world! 13 | Enclave said: 2nd hello world! 14 | Enclave said value: 13 15 | Enclave said value: 20 16 | testing test-data-sealing 17 | Enclave said: Sealing key derivation successful! 
18 | -------------------------------------------------------------------------------- /sm/src/plugins/plugins.c: -------------------------------------------------------------------------------- 1 | #include "plugins.h" 2 | 3 | #ifdef PLUGIN_ENABLE_MULTIMEM 4 | #include "multimem.c" 5 | #endif 6 | 7 | uintptr_t 8 | call_plugin( 9 | enclave_id id, 10 | uintptr_t plugin_id, 11 | uintptr_t call_id, 12 | uintptr_t arg0, 13 | uintptr_t arg1) 14 | { 15 | switch(plugin_id) { 16 | #ifdef PLUGIN_ENABLE_MULTIMEM 17 | case PLUGIN_ID_MULTIMEM: 18 | return do_sbi_multimem(id, call_id, arg0); 19 | break; 20 | #endif 21 | default: 22 | // TOO fix it 23 | return SBI_ERR_SM_NOT_IMPLEMENTED; 24 | } 25 | } 26 | 27 | -------------------------------------------------------------------------------- /runtime/mm/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | 2 | set(MM_SOURCES vm.c page_swap.c mm.c freemem.c) 3 | 4 | if(PAGING) 5 | list(APPEND MM_SOURCES paging.c) 6 | endif() 7 | 8 | add_library(rt_mm ${MM_SOURCES}) 9 | 10 | set(LD_MM_SOURCES vm.c freemem_ld.c mm.c) 11 | add_library(ld_mm ${LD_MM_SOURCES}) 12 | target_compile_options(ld_mm PUBLIC -DLOADER_BIN) 13 | 14 | # Filter out any externally defined use flags 15 | get_target_property(LD_MM_CFLAGS ld_mm COMPILE_OPTIONS) 16 | list(FILTER LD_MM_CFLAGS EXCLUDE REGEX "-DUSE_.*") 17 | set_target_properties(ld_mm PROPERTIES COMPILE_OPTIONS "${LD_MM_CFLAGS}") 18 | -------------------------------------------------------------------------------- /runtime/runtime.ld.S: -------------------------------------------------------------------------------- 1 | #include "mm/vm_defs.h" 2 | 3 | OUTPUT_ARCH( "riscv" ) 4 | 5 | SECTIONS 6 | { 7 | . = 0xffffffffc0000000; 8 | PROVIDE(rt_base = .); 9 | .text : { 10 | *(.text._start) 11 | *(.text.encl_trap_handler) 12 | *(.text) 13 | } 14 | . 
= ALIGN(RISCV_PAGE_SIZE); 15 | .rodata : 16 | { 17 | *(.rdata) 18 | *(.rodata) 19 | } 20 | .data : { *(.data) } 21 | .bss : { *(.bss) } 22 | . = ALIGN(RISCV_PAGE_SIZE); 23 | .kernel_stack : { 24 | . += 8 * RISCV_PAGE_SIZE; 25 | PROVIDE(kernel_stack_end = .); 26 | } 27 | 28 | _end = .; 29 | } 30 | -------------------------------------------------------------------------------- /fast-setup.sh: -------------------------------------------------------------------------------- 1 | git submodule update --init --recursive --depth 1 2 | echo "please read this file for further instructions" 3 | 4 | ### INSTRUCTIONS 5 | # make -j 12 # change 12 to desired parallelism 6 | ### find port in command from make, 9821 at the time of writing 7 | # make run 8 | ### switch terminals 9 | # scp -i build-generic64/overlay/root/.ssh/id-rsa -P PORT build-generic64/buildroot.build/build/keystone-*/*.ko root@localhost:. 10 | # scp -i build-generic64/overlay/root/.ssh/id-rsa -P PORT build-generic64/buildroot.build/build/keystone-examples-*/*/*.ke root@localhost:.
11 | -------------------------------------------------------------------------------- /runtime/loader-binary/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | 2 | set(LOADER_SOURCES loader.S loader-binary.c) 3 | set(LOADER_LINK_SCRIPT ${CMAKE_CURRENT_SOURCE_DIR}/loader.lds) 4 | 5 | add_executable(loader ${LOADER_SOURCES}) 6 | target_link_libraries(loader rt_call ld_mm rt_util rt_loader gcc) 7 | target_link_options(loader PRIVATE -static -nostdlib -T ${LOADER_LINK_SCRIPT}) 8 | 9 | add_custom_target(loader.bin ALL 10 | DEPENDS loader 11 | COMMAND ${CMAKE_OBJCOPY} -O binary --only-section .text 12 | ${CMAKE_CURRENT_BINARY_DIR}/loader 13 | ${CMAKE_SOURCE_DIR}/loader.bin) 14 | -------------------------------------------------------------------------------- /scripts/ci/plat/hifive_unmatched/expected.log: -------------------------------------------------------------------------------- 1 | Verifying archive integrity... MD5 checksums are OK. All good. 2 | Uncompressing Keystone Enclave Package 3 | testing test-stack 4 | testing test-loop 5 | testing test-malloc 6 | testing test-long-nop 7 | testing test-fibonacci 8 | testing test-fib-bench 9 | testing test-attestation 10 | Attestation report SIGNATURE is valid 11 | testing test-untrusted 12 | Enclave said: hello world! 13 | Enclave said: 2nd hello world! 14 | Enclave said value: 13 15 | Enclave said value: 20 16 | testing test-data-sealing 17 | Enclave said: Sealing key derivation successful! 
18 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/genimage_sdcard.cfg: -------------------------------------------------------------------------------- 1 | image sdcard.img { 2 | hdimage { 3 | partition-table-type = "gpt" 4 | } 5 | 6 | partition u-boot-spl { 7 | image = "u-boot-spl.bin" 8 | offset = 17K 9 | partition-type-uuid = 5b193300-fc78-40cd-8002-e86c45580b47 10 | } 11 | 12 | partition u-boot { 13 | image = "u-boot.itb" 14 | offset = 1041K 15 | partition-type-uuid = 2e54b353-1271-4842-806f-e436d6af6985 16 | } 17 | 18 | partition rootfs { 19 | image = "rootfs.ext4" 20 | partition-type-uuid = 0fc63daf-8483-4772-8e79-3d69d8477de4 21 | bootable = true 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /runtime/include/sys/timex.h: -------------------------------------------------------------------------------- 1 | #ifndef _TIME_X_ 2 | #define _TIME_X_ 3 | typedef unsigned long cycles_t; 4 | 5 | static inline cycles_t get_cycles_inline(void) 6 | { 7 | cycles_t n; 8 | 9 | __asm__ __volatile__ ( 10 | "rdtime %0" 11 | : "=r" (n)); 12 | return n; 13 | } 14 | #define get_cycles get_cycles_inline 15 | 16 | static inline uint64_t get_cycles64(void) 17 | { 18 | return get_cycles(); 19 | } 20 | 21 | #define ARCH_HAS_READ_CURRENT_TIMER 22 | 23 | static inline int read_current_timer(unsigned long *timer_val) 24 | { 25 | *timer_val = get_cycles(); 26 | return 0; 27 | } 28 | 29 | #endif 30 | -------------------------------------------------------------------------------- /sm/LICENSE: -------------------------------------------------------------------------------- 1 | This distribution includes Keystone security monitor and relevant parts. 2 | The Keystone security monitor as a whole is released under BSD 3-Clause License 3 | (SPDX Identifier: BSD-3-Clause) 4 | However, it contains some parts that are compatible with the BSD 3-Clause. 
5 | The following clarifies the license of the distribution: 6 | 7 | 1) Every source file in ed25519/ directory is under zlib License 8 | (SPDX Identifier: Zlib) 9 | 10 | 2) Every source file in sha512/ directory is under MIT License 11 | (SPDX Identifier: MIT) 12 | 13 | 3) Everything else is under BSD 3-Clause 14 | 15 | Keystone Team 16 | -------------------------------------------------------------------------------- /sm/plat/generic/generic.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include 5 | 6 | #include "sm.h" 7 | 8 | static int generic_final_init(bool cold_boot, const struct fdt_match *match) { 9 | sm_init(cold_boot); 10 | return 0; 11 | } 12 | 13 | static const struct fdt_match generic_match[] = { 14 | { .compatible = "riscv-virtio" }, 15 | { .compatible = "riscv-virtio,qemu" }, 16 | { }, 17 | }; 18 | 19 | const struct platform_override generic = { 20 | .match_table = generic_match, 21 | .final_init = generic_final_init 22 | }; 23 | -------------------------------------------------------------------------------- /runtime/include/util/asm_helpers.h: -------------------------------------------------------------------------------- 1 | #ifndef _ASM_HELPERS_H_ 2 | #define _ASM_HELPERS_H_ 3 | 4 | #if __riscv_xlen == 64 5 | #define STORE sd 6 | #define LOAD ld 7 | #define SWAP amoswap.d 8 | #define LOG_REGBYTES 3 9 | #define WORD .dword 10 | #elif __riscv_xlen == 32 11 | #define STORE sw 12 | #define LOAD lw 13 | #define SWAP amoswap.w 14 | #define LOG_REGBYTES 2 15 | #define WORD .word 16 | #endif 17 | 18 | #define LWU lwu 19 | #define REGBYTES (1< 5 | #include 6 | 7 | #define NEXT_PAGE(page) *((uintptr_t*)page) 8 | #define LIST_EMPTY(list) ((list).count == 0 || (list).head == 0) 9 | #define LIST_INIT(list) { (list).count = 0; (list).head = 0; (list).tail = 0; } 10 | 11 | struct pg_list 12 | { 13 | uintptr_t head; 14 | uintptr_t tail; 15 | unsigned int count; 16 | }; 17 | 18 | void 
spa_init(uintptr_t base, size_t size); 19 | uintptr_t spa_get(void); 20 | uintptr_t spa_get_zero(void); 21 | void spa_put(uintptr_t page); 22 | unsigned int spa_available(); 23 | #endif 24 | -------------------------------------------------------------------------------- /examples/tests/attestation/edge_wrapper.h: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #ifndef _EDGE_WRAPPER_H_ 6 | #define _EDGE_WRAPPER_H_ 7 | 8 | void edge_init(); 9 | 10 | unsigned long ocall_print_buffer(char* data, size_t data_len); 11 | void ocall_print_value(unsigned long val); 12 | 13 | void ocall_copy_report(void* report, size_t len); 14 | #endif /* _EDGE_WRAPPER_H_ */ 15 | -------------------------------------------------------------------------------- /examples/tests/fibonacci/fibonacci.c: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
4 | //------------------------------------------------------------------------------ 5 | #include "app/eapp_utils.h" 6 | 7 | unsigned long fibonacci_rec(unsigned long in){ 8 | if( in <= 1) 9 | return 1; 10 | else 11 | return fibonacci_rec(in-1)+fibonacci_rec(in-2); 12 | } 13 | 14 | void EAPP_ENTRY eapp_entry(){ 15 | int arg = 35; 16 | EAPP_RETURN(fibonacci_rec(arg)); 17 | } 18 | -------------------------------------------------------------------------------- /sdk/include/app/eapp_utils.h: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #ifndef _EAPP_UTILS_ 6 | #define _EAPP_UTILS_ 7 | 8 | // This is a hacky way of getting the return value into a0, works for now 9 | void 10 | EAPP_RETURN(unsigned long rval) __attribute__((noreturn)); 11 | 12 | #define EAPP_ENTRY __attribute__((__section__(".text._start"))) 13 | 14 | #endif /* _EAPP_UTILS_ */ 15 | -------------------------------------------------------------------------------- /sdk/include/app/malloc.h: -------------------------------------------------------------------------------- 1 | #ifndef __MALLOC_H__ 2 | #define __MALLOC_H__ 3 | 4 | #include 5 | 6 | void* malloc(size_t); 7 | void 8 | free(void*); 9 | void* 10 | realloc(void*, size_t); 11 | void* memalign(size_t, size_t); 12 | void* valloc(size_t); 13 | void* pvalloc(size_t); 14 | void* calloc(size_t, size_t); 15 | void 16 | cfree(void*); 17 | int malloc_trim(size_t); 18 | size_t 19 | malloc_usable_size(void*); 20 | void 21 | malloc_stats(void); 22 | int 23 | mallopt(int, int); 24 | struct mallinfo 25 | mallinfo(void); 26 | 27 | typedef struct freelist_entry { 28 | size_t size; 29 | struct freelist_entry* next; 30 | } 
* fle; 31 | 32 | #endif 33 | -------------------------------------------------------------------------------- /docs/Makefile: -------------------------------------------------------------------------------- 1 | # Minimal makefile for Sphinx documentation 2 | # 3 | 4 | # You can set these variables from the command line. 5 | SPHINXOPTS = 6 | SPHINXBUILD = sphinx-build 7 | SOURCEDIR = source 8 | BUILDDIR = build 9 | 10 | # Put it first so that "make" without argument is like "make help". 11 | help: 12 | @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) 13 | 14 | .PHONY: help Makefile 15 | 16 | # Catch-all target: route all unknown targets to Sphinx using the new 17 | # "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). 18 | %: Makefile 19 | @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) -------------------------------------------------------------------------------- /examples/tests/untrusted/edge_wrapper.h: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
4 | //------------------------------------------------------------------------------ 5 | #ifndef _EDGE_WRAPPER_H_ 6 | #define _EDGE_WRAPPER_H_ 7 | #include "edge/edge_call.h" 8 | 9 | void edge_init(); 10 | 11 | unsigned long ocall_print_buffer(char* data, size_t data_len); 12 | void ocall_print_value(unsigned long val); 13 | void ocall_get_string(struct edge_data* retdata); 14 | #endif /* _EDGE_WRAPPER_H_ */ 15 | -------------------------------------------------------------------------------- /sm/plat/fpga/ariane/objects.mk: -------------------------------------------------------------------------------- 1 | # 2 | # SPDX-License-Identifier: BSD-2-Clause 3 | # 4 | # Copyright (C) 2019 FORTH-ICS/CARV 5 | # Panagiotis Peristerakis 6 | # 7 | include $(src_dir)/platform/$(PLATFORM)/objects.mk 8 | 9 | # And then also define custom keystone SM functionality 10 | ifeq ($(PLATFORM),) 11 | $(error PLATFORM not defined for SM) 12 | endif 13 | 14 | platform-genflags-y += "-DTARGET_PLATFORM_HEADER=\"platform/$(PLATFORM)/platform.h\"" 15 | 16 | include $(KEYSTONE_SM)/src/objects.mk 17 | platform-objs-y += $(addprefix ../../../src/,$(subst .c,.o,$(keystone-sm-sources))) 18 | 19 | carray-platform_override_modules-y += platform 20 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "buildroot"] 2 | path = buildroot 3 | url = https://github.com/buildroot/buildroot.git 4 | [submodule "runtime/test/cmocka"] 5 | path = runtime/test/cmocka 6 | url = https://gitlab.com/cmocka/cmocka 7 | [submodule "overlays/keystone/board/cva6/cva6-sdk"] 8 | path = overlays/keystone/board/cva6/cva6-sdk 9 | url = https://github.com/openhwgroup/cva6-sdk 10 | [submodule "overlays/microchip"] 11 | path = overlays/microchip 12 | url = https://github.com/linux4microchip/buildroot-external-microchip 13 | [submodule "scripts/ci/utils/relay_ft245r"] 14 | path = 
scripts/ci/utils/relay_ft245r 15 | url = https://github.com/vpatron/relay_ft245r 16 | -------------------------------------------------------------------------------- /.readthedocs.yaml: -------------------------------------------------------------------------------- 1 | # .readthedocs.yaml 2 | # Read the Docs configuration file 3 | # See https://docs.readthedocs.io/en/stable/config-file/v2.html for details 4 | 5 | # Required 6 | version: 2 7 | 8 | # Set the version of Python and other tools you might need 9 | build: 10 | os: ubuntu-22.04 11 | tools: 12 | python: "3.11" 13 | 14 | # Build documentation in the docs/ directory with Sphinx 15 | sphinx: 16 | configuration: docs/source/conf.py 17 | 18 | # We recommend specifying your dependencies to enable reproducible builds: 19 | # https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html 20 | python: 21 | install: 22 | - requirements: docs/requirements.txt 23 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **Build Failure** 14 | If you ran into build problems, please add the following information: 15 | (1) Results of `git submodule status` 16 | (2) Your Linux distribution (e.g., Ubuntu 14.04) 17 | (3) The branch you're working on (e.g., `master` or `dev`) 18 | 19 | **Screenshots or Error Log** 20 | If applicable, add screenshots/error logs to help explain your problem. 21 | 22 | **Additional context** 23 | Add any other context about the problem here.
24 | -------------------------------------------------------------------------------- /runtime/include/crypto/merkle.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef USE_PAGING 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | typedef union merkle_node { 10 | struct { 11 | uintptr_t ptr; 12 | uint8_t hash[32]; 13 | union { 14 | struct { 15 | union merkle_node *left, *right; 16 | }; 17 | union merkle_node* children[2]; 18 | }; 19 | }; 20 | struct { 21 | uint64_t raw_words[8]; 22 | }; 23 | } merkle_node_t; 24 | 25 | int 26 | merk_insert(merkle_node_t* root, uintptr_t key, const uint8_t hash[32]); 27 | bool 28 | merk_verify( 29 | volatile merkle_node_t* root, uintptr_t key, const uint8_t hash_out[32]); 30 | 31 | #endif 32 | -------------------------------------------------------------------------------- /sm/src/platform/generic/platform.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _PLATFORM_H_ 3 | #define _PLATFORM_H_ 4 | 5 | // No special data needed for default platform 6 | struct platform_enclave_data{ 7 | 8 | }; 9 | 10 | // Enclave configuration 11 | #define ENCL_MAX 16 12 | #define ENCLAVE_REGIONS_MAX 8 13 | 14 | // SM configuration 15 | #define SMM_BASE 0x80000000 16 | #define SMM_SIZE 0x200000 17 | 18 | // PMP configuration 19 | #define PMP_N_REG 8 20 | #define PMP_MAX_N_REGION 16 21 | 22 | // CPU configuration 23 | #define MAX_HARTS 16 24 | 25 | // Initialization functions 26 | void sm_copy_key(void); 27 | 28 | #endif // _PLATFORM_H_ 29 | 30 | -------------------------------------------------------------------------------- /sdk/include/host/hash_util.hpp: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2020, The Regents of the University of California (Regents). 3 | // All Rights Reserved. 
See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #pragma once 6 | 7 | extern "C" { 8 | #include "common/sha3.h" 9 | } 10 | 11 | typedef sha3_ctx_t hash_ctx_t; 12 | 13 | void 14 | hash_init(hash_ctx_t* hash_ctx); 15 | void 16 | hash_extend(hash_ctx_t* hash_ctx, const void* ptr, size_t len); 17 | void 18 | hash_extend_page(hash_ctx_t* hash_ctx, const void* ptr); 19 | void 20 | hash_finalize(void* md, hash_ctx_t* hash_ctx); 21 | -------------------------------------------------------------------------------- /sm/src/platform/fpga/ariane/platform.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _PLATFORM_H_ 3 | #define _PLATFORM_H_ 4 | 5 | // No special data needed for default platform 6 | struct platform_enclave_data{ 7 | 8 | }; 9 | 10 | // Enclave configuration 11 | #define ENCL_MAX 16 12 | #define ENCLAVE_REGIONS_MAX 8 13 | 14 | // SM configuration 15 | #define SMM_BASE 0x80000000 16 | #define SMM_SIZE 0x100000 17 | 18 | // PMP configuration 19 | #define PMP_N_REG 8 20 | #define PMP_MAX_N_REGION 16 21 | 22 | // CPU configuration 23 | #define MAX_HARTS 5 24 | 25 | 26 | // Initialization functions 27 | void sm_copy_key(void); 28 | 29 | #endif // _PLATFORM_H_ 30 | -------------------------------------------------------------------------------- /examples/tests/attestation/attestation.c: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
4 | //------------------------------------------------------------------------------ 5 | #include "app/eapp_utils.h" 6 | #include "app/string.h" 7 | #include "app/syscall.h" 8 | 9 | #include "edge_wrapper.h" 10 | 11 | void EAPP_ENTRY eapp_entry(){ 12 | edge_init(); 13 | 14 | char* data = "nonce"; 15 | char buffer[2048]; 16 | 17 | attest_enclave((void*) buffer, data, 5); 18 | 19 | ocall_copy_report(buffer, 2048); 20 | 21 | EAPP_RETURN(0); 22 | } 23 | -------------------------------------------------------------------------------- /linux-keystone-driver/Makefile: -------------------------------------------------------------------------------- 1 | DRIVER = keystone-driver.ko 2 | 3 | ifneq ($(KERNELRELEASE),) 4 | keystone-driver-y := \ 5 | keystone.o \ 6 | keystone-page.o \ 7 | keystone-ioctl.o \ 8 | keystone-enclave.o \ 9 | keystone-sbi.o 10 | obj-m += keystone-driver.o 11 | 12 | ifeq ($(KEYSTONE_SDK_DIR),) 13 | $(error KEYSTONE_SDK_DIR not defined) 14 | endif 15 | 16 | ccflags-y := -I$(KEYSTONE_SDK_DIR)/include/shared 17 | else 18 | 19 | PWD := $(shell pwd) 20 | LINUXSRC := $(PWD)/../linux 21 | 22 | default: 23 | $(MAKE) -C $(LINUXSRC) ARCH=riscv CROSS_COMPILE=riscv$(KEYSTONE_BITS)-unknown-linux-gnu- M=$(PWD) 24 | 25 | endif 26 | 27 | clean: 28 | rm -rvf *.o *.ko *.order *.symvers *.mod.c .tmp_versions .*o.cmd 29 | -------------------------------------------------------------------------------- /runtime/tmplib/partial_linkage.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define ASM_NL ; 4 | #define ALIGN __ALIGN 5 | #define ALIGN_STR __ALIGN_STR 6 | 7 | #ifndef ENTRY 8 | #define ENTRY(name) \ 9 | .globl name ASM_NL \ 10 | ALIGN ASM_NL \ 11 | name: 12 | #endif 13 | 14 | #ifndef END 15 | #define END(name) \ 16 | .size name, .-name 17 | #endif 18 | 19 | /* If symbol 'name' is treated as a subroutine (gets called, and returns) 20 | * then please use ENDPROC to mark 'name' as STT_FUNC for the benefit of 21 | * 
static analysis tools such as stack depth analyzer. 22 | */ 23 | #ifndef ENDPROC 24 | #define ENDPROC(name) \ 25 | .type name, @function ASM_NL \ 26 | END(name) 27 | #endif 28 | -------------------------------------------------------------------------------- /scripts/gdb/mpfs.cfg: -------------------------------------------------------------------------------- 1 | target remote :3333 2 | 3 | python 4 | import os 5 | 6 | builddir = os.environ['BUILDROOT_BUILDDIR'] + '/build' 7 | imagedir = os.environ['BUILDROOT_BUILDDIR'] + '/images' 8 | 9 | gdb.execute(f'add-symbol-file {builddir}/hss-v2023.06/Default/hss-l2scratch.elf') 10 | gdb.execute(f'add-symbol-file {builddir}/linux-custom/vmlinux') 11 | gdb.execute(f'add-symbol-file {builddir}/uboot-linux4microchip+fpga-2023.02/u-boot') 12 | gdb.execute(f'source {builddir}/linux-custom/vmlinux-gdb.py') 13 | 14 | # Add pretty printers 15 | gdb.execute(f'source {builddir}/host-gcc-final-11.4.0/build/riscv64-buildroot-linux-gnu/libstdc++-v3/python/gdb.py') 16 | 17 | end 18 | 19 | # Force hardware breakpoints 20 | mem 0 0 ro 21 | -------------------------------------------------------------------------------- /sm/src/platform/mpfs/platform.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _PLATFORM_H_ 3 | #define _PLATFORM_H_ 4 | 5 | // No special data needed for default platform 6 | struct platform_enclave_data{ 7 | 8 | }; 9 | 10 | // Enclave configuration 11 | #define ENCL_MAX 16 12 | #define ENCLAVE_REGIONS_MAX 8 13 | 14 | // SM configuration 15 | // TODO: these values are probably not correct for this platform; verify them 16 | #define SMM_BASE 0x80000000 17 | #define SMM_SIZE 0x200000 18 | 19 | // PMP configuration 20 | #define PMP_N_REG 16 21 | #define PMP_MAX_N_REGION 16 22 | 23 | // CPU configuration 24 | #define MAX_HARTS 5 25 | 26 | // Initialization functions 27 | void sm_copy_key(void); 28 | 29 | #endif // _PLATFORM_H_ 30 |
/mkutils/plat/hifive_unmatched/run.mk: -------------------------------------------------------------------------------- 1 | ######################### 2 | ## Flush SD card image ## 3 | ######################### 4 | 5 | DEVICE ?= 6 | EXTEND ?= 0 7 | FLUSH_IMAGE ?= $(BUILDROOT_BUILDDIR)/images/sdcard.img 8 | 9 | flush: 10 | ifeq ($(DEVICE),) 11 | $(call log,error,Set target device to env DEVICE) 12 | else 13 | $(call log,info,Flushing SD image) 14 | sudo dd if=$(FLUSH_IMAGE) of=$(DEVICE) bs=64k iflag=fullblock oflag=direct conv=fsync status=progress 15 | 16 | ifeq ($(EXTEND),1) 17 | $(call log,info,Extending rootfs end of the block device) 18 | echo "w" | sudo fdisk $(DEVICE) 19 | echo "- +" | sudo sfdisk -N 3 $(DEVICE) 20 | sudo e2fsck -f $(DEVICE)3 21 | sudo resize2fs $(DEVICE)3 22 | endif 23 | 24 | endif 25 | -------------------------------------------------------------------------------- /scripts/ci/configs/track.sh: -------------------------------------------------------------------------------- 1 | 2 | # Global configuration 3 | export RELAY_SERIAL="AH02O23H" 4 | 5 | export RELAY_ID_global=1 6 | export RELAY_ID_mpfs=8 7 | export RELAY_ID_cva6=4 8 | export RELAY_ID_hifive_unmatched=5 9 | 10 | # MPFS configuration 11 | 12 | export SC_INSTALL_DIR="/opt/microchip/SoftConsole-v2022.2-RISC-V-747/" 13 | export FPGENPROG=$(which fpgenprog) 14 | 15 | export HOST_IP_mpfs="10.42.0.1" 16 | export BOARD_IP_mpfs="10.42.0.205" 17 | 18 | # CVA6 configuration 19 | 20 | export TFTP_DIR="/srv/tftp" 21 | 22 | export HOST_IP_cva6="10.42.1.1" 23 | export BOARD_IP_cva6="10.42.1.171" 24 | 25 | # Unmatched configuration 26 | 27 | export HOST_IP_hifive_unmatched="10.42.1.1" 28 | export BOARD_IP_hifive_unmatched="10.42.1.27" 29 | -------------------------------------------------------------------------------- /sdk/src/app/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | project(keystone-eapp C ASM) 2 | 3 | set(CFLAGS "-Wall -Werror") 4 | 
set(LDFLAGS "-static") 5 | 6 | set(SOURCE_FILES 7 | encret.s 8 | string.c 9 | syscall.c 10 | tiny-malloc.c 11 | ) 12 | 13 | set(INCLUDE_DIRS ${CMAKE_SOURCE_DIR}/include/app) 14 | 15 | set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CFLAGS}") 16 | set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${LDFLAGS}") 17 | 18 | include_directories(${INCLUDE_DIRS}) 19 | 20 | add_library(${PROJECT_NAME} STATIC ${SOURCE_FILES}) 21 | set_target_properties(${PROJECT_NAME} PROPERTIES DEFINE_SYMBOL "") 22 | 23 | install(TARGETS ${PROJECT_NAME} DESTINATION ${out_dir}/lib) 24 | install(DIRECTORY ${INCLUDE_DIRS} DESTINATION ${out_dir}/include) 25 | -------------------------------------------------------------------------------- /sm/tools/Makefile: -------------------------------------------------------------------------------- 1 | CC = gcc 2 | CFLAGS = -I../src -I../opensbi/include 3 | FW_PATH ?= ../../build/sm.build/platform/generic/firmware 4 | FW_ELF_PATH = $(FW_PATH)/fw_payload.elf 5 | FW_BIN_PATH = $(FW_PATH)/fw_payload.bin 6 | FW_SIZE = $(shell readelf --program-headers $(FW_ELF_PATH) | grep RWE | sed "s/^.*\(0x[0-9a-f]*\)[ \t]*\(RWE\).*$$/\1/") 7 | 8 | all: hashgen 9 | 10 | hashgen: sha3.o hash_generator.o 11 | $(CC) $(CFLAGS) -o $@ $^ 12 | 13 | sha3.o: ../src/sha3/sha3.c 14 | $(CC) -c $^ $(CFLAGS) 15 | 16 | hash_generator.o: hash_generator.c 17 | $(CC) -c $^ $(CFLAGS) 18 | 19 | hash: $(FW_ELF_PATH) $(FW_BIN_PATH) hashgen 20 | ./hashgen $(FW_BIN_PATH) $(FW_SIZE) > sm_expected_hash.h 21 | 22 | clean: 23 | rm -f *.o hashgen sm_expected_hash.h 24 | -------------------------------------------------------------------------------- /docs/source/Getting-Started/QEMU-Install-Dependencies.rst: -------------------------------------------------------------------------------- 1 | Install Dependencies 2 | ---------------------------- 3 | 4 | We tested Keystone with QEMU Ubuntu 16.04/18.04/20.04 and derivatives. 5 | 6 | Ubuntu 7 | ####################### 8 | 9 | Install the following packages. 
10 | 11 | :: 12 | 13 | sudo apt update 14 | sudo apt install autoconf automake autotools-dev bc \ 15 | bison build-essential curl expat jq libexpat1-dev flex gawk gcc git \ 16 | gperf libgmp-dev libmpc-dev libmpfr-dev libtool texinfo tmux \ 17 | patchutils zlib1g-dev wget bzip2 patch vim-common lbzip2 python3 \ 18 | pkg-config libglib2.0-dev libpixman-1-dev libssl-dev screen \ 19 | device-tree-compiler expect makeself unzip cpio rsync cmake ninja-build p7zip-full 20 | -------------------------------------------------------------------------------- /sdk/include/app/sealing.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2020 Fraunhofer AISEC 3 | * Authors: Benedikt Kopf 4 | * Lukas Auer 5 | * Mathias Morbitzer 6 | * 7 | * sealing.h 8 | * 9 | * Provides the necessary definitions to derive a seal key 10 | * 11 | * All Rights Reserved. See LICENSE for license details. 12 | */ 13 | 14 | #ifndef SEALING_H 15 | #define SEALING_H 16 | 17 | #define SEALING_KEY_SIZE 128 18 | #define SIGNATURE_SIZE 64 19 | 20 | /* sealing key structure */ 21 | struct sealing_key { 22 | uint8_t key[SEALING_KEY_SIZE]; 23 | uint8_t signature[SIGNATURE_SIZE]; 24 | }; 25 | 26 | #endif /* SEALING_H */ 27 | -------------------------------------------------------------------------------- /scripts/ci/utils/find_tty.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | if [[ "$#" -ne 3 ]]; then 5 | echo "usage: find_tty.sh [idvendor] [idproduct] [index]" 6 | exit 1 7 | fi 8 | 9 | TTY_IDVENDOR="$1"; shift 10 | TTY_IDPRODUCT="$1"; shift 11 | 12 | # See if we can find the correct TTYs 13 | TTYS=() 14 | 15 | for f in /sys/class/tty/ttyUSB* ; do 16 | if [[ $(cat $f/../../../../idVendor) == "$TTY_IDVENDOR" ]] && \ 17 | [[ $(cat $f/../../../../idProduct) == "$TTY_IDPRODUCT" ]]; then 18 | # This is one of the TTYs we are looking for 19 | TTYS+=("$(basename $f)") 20 | fi 21 | done 22 
| 23 | if [[ "$1" -lt "${#TTYS[@]}" ]]; then 24 | echo "/dev/${TTYS[$1]}" 25 | exit 0 26 | fi 27 | 28 | exit 1 29 | 30 | -------------------------------------------------------------------------------- /sm/src/cpu.h: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #ifndef __CPU_H__ 6 | #define __CPU_H__ 7 | 8 | #include "sm.h" 9 | #include "enclave.h" 10 | 11 | /* hart state for regulating SBI */ 12 | struct cpu_state 13 | { 14 | int is_enclave; 15 | enclave_id eid; 16 | }; 17 | 18 | /* external functions */ 19 | int cpu_is_enclave_context(void); 20 | int cpu_get_enclave_id(void); 21 | void cpu_enter_enclave_context(enclave_id eid); 22 | void cpu_exit_enclave_context(void); 23 | 24 | #endif 25 | -------------------------------------------------------------------------------- /linux-keystone-driver/keystone-sbi.h: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
4 | //------------------------------------------------------------------------------ 5 | #ifndef _KEYSTONE_SBI_ 6 | #define _KEYSTONE_SBI_ 7 | 8 | #include "keystone_user.h" 9 | #include "sm_call.h" 10 | 11 | #include 12 | 13 | struct sbiret sbi_sm_create_enclave(struct keystone_sbi_create_t* args); 14 | struct sbiret sbi_sm_destroy_enclave(unsigned long eid); 15 | struct sbiret sbi_sm_run_enclave(unsigned long eid); 16 | struct sbiret sbi_sm_resume_enclave(unsigned long eid); 17 | 18 | #endif 19 | -------------------------------------------------------------------------------- /sdk/src/edge/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | project(keystone-edge C ASM) 2 | 3 | set(CFLAGS "-Wall -Werror") 4 | set(LDFLAGS "-static") 5 | set(DEFINES "-DIO_SYSCALL_WRAPPING") 6 | 7 | set(SOURCE_FILES 8 | edge_call.c 9 | edge_dispatch.c 10 | edge_syscall.c 11 | ) 12 | 13 | set(INCLUDE_DIRS ${CMAKE_SOURCE_DIR}/include/edge) 14 | 15 | set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CFLAGS}") 16 | set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${LDFLAGS}") 17 | 18 | include_directories(${INCLUDE_DIRS}) 19 | add_definitions(${DEFINES}) 20 | 21 | add_library(${PROJECT_NAME} STATIC ${SOURCE_FILES}) 22 | 23 | install(TARGETS ${PROJECT_NAME} DESTINATION ${out_dir}/lib) 24 | install(DIRECTORY ${INCLUDE_DIRS} DESTINATION ${out_dir}/include) 25 | -------------------------------------------------------------------------------- /sm/plat/generic/objects.mk: -------------------------------------------------------------------------------- 1 | # We include the default objects.mk 2 | ifeq ($(PLATFORM),) 3 | $(error PLATFORM not defined for SM) 4 | endif 5 | 6 | include $(src_dir)/platform/$(PLATFORM)/objects.mk 7 | 8 | # And then also define custom keystone SM functionality 9 | platform-genflags-y += "-DTARGET_PLATFORM_HEADER=\"platform/$(PLATFORM)/platform.h\"" 10 | 11 | include $(KEYSTONE_SM)/src/objects.mk 12 | platform-objs-y += 
$(addprefix ../../src/,$(subst .c,.o,$(keystone-sm-sources))) 13 | 14 | ifeq ($(KEYSTONE_PLATFORM),generic) 15 | 16 | carray-platform_override_modules-y += generic 17 | platform-objs-y += generic.o 18 | 19 | else ifeq ($(KEYSTONE_PLATFORM),hifive_unmatched) 20 | 21 | include $(KEYSTONE_SM)/plat/hifive/unmatched/objects.mk 22 | 23 | endif 24 | -------------------------------------------------------------------------------- /runtime/tmplib/asm/linkage.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2015 Regents of the University of California 3 | * 4 | * This program is free software; you can redistribute it and/or 5 | * modify it under the terms of the GNU General Public License 6 | * as published by the Free Software Foundation, version 2. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * GNU General Public License for more details. 12 | */ 13 | 14 | #ifndef _ASM_RISCV_LINKAGE_H 15 | #define _ASM_RISCV_LINKAGE_H 16 | 17 | #define __ALIGN .balign 4 18 | #define __ALIGN_STR ".balign 4" 19 | 20 | #endif /* _ASM_RISCV_LINKAGE_H */ 21 | -------------------------------------------------------------------------------- /runtime/tmplib/linux/linkage.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2015 Regents of the University of California 3 | * 4 | * This program is free software; you can redistribute it and/or 5 | * modify it under the terms of the GNU General Public License 6 | * as published by the Free Software Foundation, version 2. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the 11 | * GNU General Public License for more details. 12 | */ 13 | 14 | #ifndef _ASM_RISCV_LINKAGE_H 15 | #define _ASM_RISCV_LINKAGE_H 16 | 17 | #define __ALIGN .balign 4 18 | #define __ALIGN_STR ".balign 4" 19 | 20 | #endif /* _ASM_RISCV_LINKAGE_H */ 21 | -------------------------------------------------------------------------------- /sm/src/sm-sbi-opensbi.h: -------------------------------------------------------------------------------- 1 | #ifndef _SM_SBI_OPENSBI_H_ 2 | #define _SM_SBI_OPENSBI_H_ 3 | 4 | #define SBI_SM_EVENT 0x0100 5 | #include "sbi/sbi_trap.h" 6 | #include "sbi/sbi_error.h" 7 | #include "sbi/sbi_scratch.h" 8 | #include 9 | 10 | #include "sm_call.h" 11 | 12 | /* Inbound interfaces */ 13 | extern struct sbi_ecall_extension ecall_keystone_enclave; 14 | 15 | //int sbi_sm_interface(struct sbi_scratch *scratch, unsigned long extension_id, 16 | // struct sbi_trap_regs *regs, 17 | // unsigned long *out_val, 18 | // struct sbi_trap_info *out_trap); 19 | //void sm_ipi_process(); 20 | 21 | /* Outbound interfaces */ 22 | //int sm_sbi_send_ipi(uintptr_t recipient_mask); 23 | #endif /*_SM_SBI_OPENSBI_H_*/ 24 | -------------------------------------------------------------------------------- /overlays/keystone/package/keystone-runtime/keystone-runtime.mk: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # Runtime 4 | # 5 | ################################################################################ 6 | 7 | ifeq ($(KEYSTONE_RUNTIME),) 8 | $(error KEYSTONE_RUNTIME directory not defined) 9 | else 10 | include $(KEYSTONE)/mkutils/pkg-keystone.mk 11 | endif 12 | 13 | # This is a bit of a dummy package, we only want it to copy its sources so that 14 | # we can use it in the examples. 
Also, for change tracking as described in 15 | # pkg-keystone.mk 16 | 17 | # Clean the examples too if we clean this package 18 | keystone-runtime-dirclean: keystone-examples-dirclean 19 | 20 | $(eval $(keystone-package)) 21 | $(eval $(generic-package)) 22 | -------------------------------------------------------------------------------- /runtime/loader-binary/loader.lds: -------------------------------------------------------------------------------- 1 | OUTPUT_ARCH("riscv") 2 | 3 | ENTRY( _start ) 4 | 5 | PAGE_SIZE = 0x1000; /* TODO: figure out the page size to use here */ 6 | STACK_SIZE = DEFINED(__stack_size__) ? __stack_size__ : 0x1000; 7 | 8 | SECTIONS 9 | { 10 | .text : 11 | { 12 | PROVIDE( _start = . ); 13 | *(._start) 14 | *(.text) 15 | *(.rdata) 16 | *(.rodata) 17 | *(.data) 18 | *(.bss) 19 | 20 | /* 21 | * Only text section is copied into final loader binary 22 | * Stack is added to text section as temporary stack space for loader 23 | */ 24 | . = ALIGN(8); 25 | PROVIDE ( _sstack = . ); 26 | *(._sstack); 27 | . = . + STACK_SIZE; 28 | . = ALIGN(8); 29 | PROVIDE ( _estack = . 
); 30 | *(._estack); 31 | } 32 | 33 | } 34 | -------------------------------------------------------------------------------- /sm/src/ipi.h: -------------------------------------------------------------------------------- 1 | #ifndef __PMP_IPI_H__ 2 | #define __PMP_IPI_H__ 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | #define SBI_PMP_IPI_TYPE_SET 0 9 | #define SBI_PMP_IPI_TYPE_UNSET 1 10 | 11 | struct sbi_pmp_ipi_info { 12 | unsigned long type; 13 | unsigned long __dummy; 14 | unsigned long rid; 15 | unsigned long perm; 16 | }; 17 | 18 | void sbi_pmp_ipi_local_update(struct sbi_tlb_info *info); 19 | 20 | #define SBI_PMP_IPI_INFO_SIZE sizeof(struct sbi_pmp_ipi_info) 21 | 22 | int sbi_pmp_ipi_init(struct sbi_scratch* scratch, bool cold_boot); 23 | 24 | int sbi_pmp_ipi_request(ulong hmask, ulong hbase, struct sbi_pmp_ipi_info* info); 25 | 26 | void send_and_sync_pmp_ipi(int region_idx, int type, uint8_t perm); 27 | #endif 28 | -------------------------------------------------------------------------------- /runtime/include/mm/mm.h: -------------------------------------------------------------------------------- 1 | #ifndef _MM_H_ 2 | #define _MM_H_ 3 | #include 4 | #include 5 | 6 | #include "mm/vm_defs.h" 7 | 8 | uintptr_t translate(uintptr_t va); 9 | pte* pte_of_va(uintptr_t va); 10 | uintptr_t map_page(uintptr_t vpn, uintptr_t ppn, int flags); 11 | uintptr_t alloc_page(uintptr_t vpn, int flags); 12 | uintptr_t realloc_page(uintptr_t vpn, int flags); 13 | void free_page(uintptr_t vpn); 14 | size_t alloc_pages(uintptr_t vpn, size_t count, int flags); 15 | void free_pages(uintptr_t vpn, size_t count); 16 | size_t test_va_range(uintptr_t vpn, size_t count); 17 | 18 | uintptr_t get_program_break(); 19 | void set_program_break(uintptr_t new_break); 20 | 21 | void map_with_reserved_page_table(uintptr_t base, uintptr_t size, uintptr_t ptr, pte* l2_pt, pte* l3_pt); 22 | 23 | #endif /* _MM_H_ */ 24 | 
-------------------------------------------------------------------------------- /overlays/keystone/board/cva6/patches/opensbi/0003-remove-PLATFORM_RISCV_XLEN-in-ariane-config.patch: -------------------------------------------------------------------------------- 1 | From 59ed69975a392eb232be6091da247a94fc5d2767 Mon Sep 17 00:00:00 2001 2 | From: sahmad 3 | Date: Thu, 2 Nov 2023 16:25:17 +0800 4 | Subject: [PATCH 3/3] remove PLATFORM_RISCV_XLEN in ariane config 5 | 6 | --- 7 | platform/fpga/ariane/config.mk | 1 - 8 | 1 file changed, 1 deletion(-) 9 | 10 | diff --git a/platform/fpga/ariane/config.mk b/platform/fpga/ariane/config.mk 11 | index 3556461..5716c13 100644 12 | --- a/platform/fpga/ariane/config.mk 13 | +++ b/platform/fpga/ariane/config.mk 14 | 
@@ -7,7 +7,6 @@ 15 | 16 | #for more infos, check out /platform/template/config.mk 17 | 18 | -PLATFORM_RISCV_XLEN = 64 19 | 20 | # Blobs to build 21 | FW_TEXT_START=0x80000000 22 | -- 23 | 2.34.1 24 | 25 | -------------------------------------------------------------------------------- /overlays/keystone/boot/keystone-bootrom/keystone-bootrom.mk: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # bootrom 4 | # 5 | ################################################################################ 6 | 7 | ifeq ($(KEYSTONE_BOOTROM),) 8 | $(error KEYSTONE_BOOTROM directory not defined) 9 | else 10 | include $(KEYSTONE)/mkutils/pkg-keystone.mk 11 | endif 12 | 13 | define KEYSTONE_BOOTROM_BUILD_CMDS 14 | $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all 15 | endef 16 | 17 | KEYSTONE_BOOTROM_INSTALL_IMAGES = YES 18 | define KEYSTONE_BOOTROM_INSTALL_IMAGES_CMDS 19 | $(INSTALL) -m 0644 -D $(@D)/bootrom.bin $(BINARIES_DIR)/bootrom.bin 20 | $(INSTALL) -m 0644 -D $(@D)/bootrom.elf $(BINARIES_DIR)/bootrom.elf 21 | endef 22 | 23 | $(eval $(keystone-package)) 24 | $(eval $(generic-package)) 25 | -------------------------------------------------------------------------------- /sdk/src/host/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | project(keystone-host CXX) 2 | 3 | set(CFLAGS "-Wall -Werror") 4 | set(LDFLAGS "-static") 5 | 6 | set(SOURCE_FILES 7 | elf.c 8 | elf32.c 9 | elf64.c 10 | hash_util.cpp 11 | ElfFile.cpp 12 | KeystoneDevice.cpp 13 | Enclave.cpp 14 | Memory.cpp 15 | PhysicalEnclaveMemory.cpp 16 | SimulatedEnclaveMemory.cpp 17 | ) 18 | 19 | set(INCLUDE_DIRS ${CMAKE_SOURCE_DIR}/include/host) 20 | 21 | set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CFLAGS}") 22 | set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${LDFLAGS}") 23 | 24 | include_directories(${INCLUDE_DIRS}) 25 | 26 | 
add_library(${PROJECT_NAME} STATIC ${SOURCE_FILES} ${COMMON_SOURCE_FILES}) 27 | 28 | install(TARGETS ${PROJECT_NAME} DESTINATION ${out_dir}/lib) 29 | install(DIRECTORY ${INCLUDE_DIRS} DESTINATION ${out_dir}/include) 30 | -------------------------------------------------------------------------------- /sdk/src/verifier/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | project(keystone-verifier C CXX) 2 | 3 | set(CFLAGS "-Wall -Werror") 4 | set(LDFLAGS "-static") 5 | 6 | set(SOURCE_FILES 7 | json11.cpp 8 | keys.cpp 9 | Report.cpp 10 | ed25519/fe.c 11 | ed25519/ge.c 12 | ed25519/keypair.c 13 | ed25519/sc.c 14 | ed25519/sign.c 15 | ed25519/verify.c 16 | ) 17 | 18 | set(INCLUDE_DIRS ${CMAKE_SOURCE_DIR}/include/verifier) 19 | 20 | set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CFLAGS}") 21 | set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${LDFLAGS}") 22 | 23 | include_directories(${INCLUDE_DIRS}) 24 | 25 | add_library(${PROJECT_NAME} STATIC ${SOURCE_FILES} ${COMMON_SOURCE_FILES}) 26 | 27 | install(TARGETS ${PROJECT_NAME} DESTINATION ${out_dir}/lib) 28 | install(DIRECTORY ${INCLUDE_DIRS} DESTINATION ${out_dir}/include) 29 | -------------------------------------------------------------------------------- /sm/tests/mock/mprv.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int __wrap_copy1_to_sm(uint8_t *dst, uint8_t *src) 4 | { 5 | *dst = *src; 6 | return 0; 7 | } 8 | 9 | int __wrap_copy_word_to_sm(uint64_t *dst, uint64_t *src) 10 | { 11 | *dst = *src; 12 | return 0; 13 | } 14 | 15 | int __wrap_copy_block_to_sm(uint64_t *dst, uint64_t *src) 16 | { 17 | for (int i = 0; i < 8; i++) 18 | *dst++ = *src++; 19 | return 0; 20 | } 21 | 22 | int __wrap_copy1_from_sm(uint8_t *dst, uint8_t *src) 23 | { 24 | *dst = *src; 25 | return 0; 26 | } 27 | 28 | int __wrap_copy_word_from_sm(uint64_t *dst, uint64_t *src) 29 | { 30 | *dst = *src; 31 | return 0; 32 | } 33 | 34 | int 
__wrap_copy_block_from_sm(uint64_t *dst, uint64_t *src) 35 | { 36 | for (int i = 0; i < 8; i++) 37 | *dst++ = *src++; 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /scripts/ci/plat/mpfs/flash-firmware.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | # Source global test configuration file 5 | . scripts/ci/test-setup.sh 6 | 7 | ########### 8 | ## Flash ## 9 | ########### 10 | set -x 11 | 12 | power_on 13 | make -C build-mpfs64/buildroot.build/build/hss-v2023.06 program 2>/dev/null > "$LOGFILE" 14 | power_off 15 | 16 | # Check if flashing was successful 17 | [[ ! -z $(cat "$LOGFILE" | grep "mpfsBootmodeProgrammer completed successfully") ]] 18 | 19 | ########### 20 | ## Check ## 21 | ########### 22 | 23 | TTYDEV=$(find_tty 0) 24 | start_record_tty "$TTYDEV" 115200 "$LOGFILE" mpfs-tty 25 | power_on ; sleep 30; power_off 26 | stop_record_tty mpfs-tty 27 | 28 | # At least the first hart should have started 29 | [[ ! -z $(cat "$LOGFILE" | sed -e 's/\x1b\[[0-9;]*m//g' | grep "u54 State Change: \[Running\]") ]] 30 | 31 | exit 0 32 | -------------------------------------------------------------------------------- /examples/hello-native/eapp/eapp_native.c: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
4 | //------------------------------------------------------------------------------ 5 | #include "eapp_utils.h" 6 | #include "string.h" 7 | #include "edge_call.h" 8 | #include 9 | 10 | #define OCALL_PRINT_STRING 1 11 | 12 | unsigned long ocall_print_string(char* string); 13 | 14 | int main(){ 15 | 16 | ocall_print_string("Hello World"); 17 | 18 | EAPP_RETURN(0); 19 | } 20 | 21 | unsigned long ocall_print_string(char* string){ 22 | unsigned long retval; 23 | ocall(OCALL_PRINT_STRING, string, strlen(string)+1, &retval ,sizeof(unsigned long)); 24 | return retval; 25 | } 26 | -------------------------------------------------------------------------------- /docs/source/Security-Monitor/enclave_lifecycle.dot: -------------------------------------------------------------------------------- 1 | digraph G { 2 | node [color=gray] 3 | Invalid -> Allocated [color=blue,label="allocate_eid\n(create_enclave)"]; 4 | node [color=orange] 5 | Allocated -> Fresh [color=orange,label="create_enclave\nafter\nvalidate and hash"]; 6 | node [color=red] 7 | Allocated -> Destroying [color=red,label="destory_enclave\n(first step)"]; 8 | node [color=green] 9 | Fresh -> Running [color=green,label="run_enclave"]; 10 | Fresh -> Destroying [color=red,label="destory_enclave\n(first step)"]; 11 | Running -> Stopped [color=yellow1,label="exit/stop_enclave"]; 12 | Stopped -> Running [color=green,label="resume_enclave"]; 13 | Stopped -> Destroying [color=red,label="destory_enclave\n(first step)"]; 14 | Destroying -> Invalid [color=gray,label="free_eid\n(destory_enclave\nlast step)"]; 15 | } 16 | -------------------------------------------------------------------------------- /docs/source/Building-Components/Eyrie.rst: -------------------------------------------------------------------------------- 1 | Configuring and building Eyrie 2 | ============================== 3 | 4 | The Eyrie runtime can be configured and built either with standard 5 | ``make`` and setting the ``OPTIONS_FLAGS`` environment 
variable, or by 6 | using the ``build.sh`` wrapper script. 7 | 8 | OPTIONS_FLAGS 9 | ------------- 10 | 11 | Eyrie supports specifying plugins via the ``OPTIONS_FLAGS`` 12 | environment variable. See the Eyrie Makefile and ``build.sh`` wrapper 13 | for an up-to-date list of plugins. 14 | 15 | 16 | build.sh wrapper 17 | ---------------- 18 | 19 | ``build.sh`` supports automatically setting and rebuilding the Eyrie 20 | runtime based on command-line options. 21 | 22 | Example:: 23 | 24 | ./build.sh freemem env_setup 25 | 26 | Will cleanly rebuild Eyrie with free memory management and libc-style 27 | environment initialization. 28 | -------------------------------------------------------------------------------- /linux-keystone-driver/README.md: -------------------------------------------------------------------------------- 1 | # Keystone Enclave Driver 2 | 3 | This is a loadable kernel module for Keystone Enclave. To build the 4 | module, make with the top-level 5 | [Keystone](https://github.com/keystone-enclave/keystone) build 6 | process. 7 | 8 | # Compatibility 9 | 10 | The driver will always work correctly with the version of riscv-linux 11 | pointed to by the top-level 12 | [Keystone](https://github.com/keystone-enclave/keystone) repository. 13 | 14 | For upstream Linux, loadable modules for RISC-V only work on kernel versions later than 4.17. 15 | 16 | To use the module in 4.15, please use this version: 17 | 18 | https://github.com/riscv/riscv-linux/tree/65e929792fb9b632c20be118fa0795b26cc89fe4 19 | 20 | If you are using a kernel earlier than 4.15, you might need to apply Zong's patch yourself. 
21 | 22 | https://lore.kernel.org/patchwork/patch/933133/ 23 | -------------------------------------------------------------------------------- /runtime/tmplib/linux/const.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ 2 | /* const.h: Macros for dealing with constants. */ 3 | 4 | #ifndef _LINUX_CONST_H 5 | #define _LINUX_CONST_H 6 | 7 | /* Some constant macros are used in both assembler and 8 | * C code. Therefore we cannot annotate them always with 9 | * 'UL' and other type specifiers unilaterally. We 10 | * use the following macros to deal with this. 11 | * 12 | * Similarly, _AT() will cast an expression with a type in C, but 13 | * leave it unchanged in asm. 14 | */ 15 | 16 | #ifdef __ASSEMBLY__ 17 | #define _AC(X,Y) X 18 | #define _AT(T,X) X 19 | #else 20 | #define __AC(X,Y) (X##Y) 21 | #define _AC(X,Y) __AC(X,Y) 22 | #define _AT(T,X) ((T)(X)) 23 | #endif 24 | 25 | #define _BITUL(x) (_AC(1,UL) << (x)) 26 | #define _BITULL(x) (_AC(1,ULL) << (x)) 27 | 28 | #endif /* !(_LINUX_CONST_H) */ 29 | -------------------------------------------------------------------------------- /linux-keystone-driver/keystone-sbi.c: -------------------------------------------------------------------------------- 1 | #include "keystone-sbi.h" 2 | 3 | struct sbiret sbi_sm_create_enclave(struct keystone_sbi_create_t* args) { 4 | return sbi_ecall(SBI_EXT_EXPERIMENTAL_KEYSTONE_ENCLAVE, 5 | SBI_SM_CREATE_ENCLAVE, 6 | (unsigned long) args, 0, 0, 0, 0, 0); 7 | } 8 | 9 | struct sbiret sbi_sm_run_enclave(unsigned long eid) { 10 | return sbi_ecall(SBI_EXT_EXPERIMENTAL_KEYSTONE_ENCLAVE, 11 | SBI_SM_RUN_ENCLAVE, 12 | eid, 0, 0, 0, 0, 0); 13 | } 14 | 15 | struct sbiret sbi_sm_destroy_enclave(unsigned long eid) { 16 | return sbi_ecall(SBI_EXT_EXPERIMENTAL_KEYSTONE_ENCLAVE, 17 | SBI_SM_DESTROY_ENCLAVE, 18 | eid, 0, 0, 0, 0, 0); 19 | } 20 | 21 | struct sbiret sbi_sm_resume_enclave(unsigned long eid) { 
22 | return sbi_ecall(SBI_EXT_EXPERIMENTAL_KEYSTONE_ENCLAVE, 23 | SBI_SM_RESUME_ENCLAVE, 24 | eid, 0, 0, 0, 0, 0); 25 | } 26 | -------------------------------------------------------------------------------- /runtime/mm/freemem_ld.c: -------------------------------------------------------------------------------- 1 | #include "mm/freemem.h" 2 | #include "mm/common.h" 3 | #include "mm/vm_defs.h" 4 | #include "util/string.h" 5 | /* Simple page allocator over one contiguous region: freeBase is the next page to hand out, freeEnd is the end of the region. */ 6 | static uintptr_t freeBase; 7 | static uintptr_t freeEnd; 8 | /* Record the region [base, base + size). NOTE(review): base + size can wrap and neither value is checked for page alignment here; confirm the caller guarantees both. */ 9 | void spa_init(uintptr_t base, size_t size) 10 | { 11 | freeBase = base; 12 | freeEnd = freeBase + size; 13 | } 14 | /* Return a page; delegates to spa_get_zero(), so the page is always zero-filled. */ 15 | uintptr_t spa_get() 16 | { 17 | return spa_get_zero(); // not allowed, so change to safe 18 | } 19 | /* Hand out the page at freeBase after zeroing RISCV_PAGE_SIZE bytes of it, then advance freeBase; returns 0 once freeBase has reached freeEnd. NOTE(review): the guard only compares freeBase with freeEnd, so if fewer than RISCV_PAGE_SIZE bytes remain (region size not a multiple of the page size) the memset writes past freeEnd; confirm spa_init is always called with page-aligned base and size. */ 20 | uintptr_t spa_get_zero() 21 | { 22 | if (freeBase >= freeEnd) { 23 | return 0; 24 | } 25 | uintptr_t new_page = freeBase; 26 | memset((void *) new_page, 0, RISCV_PAGE_SIZE); 27 | 28 | freeBase += RISCV_PAGE_SIZE; 29 | return new_page; 30 | } 31 | /* Returning a page is not supported: the body asserts unconditionally. */ 32 | void spa_put(uintptr_t page) 33 | { 34 | assert(false); // not implemented 35 | } 36 | /* Number of whole pages left between freeBase and freeEnd. NOTE(review): the quotient is narrowed to unsigned int on return. */ 37 | unsigned int spa_available() 38 | { 39 | return (freeEnd - freeBase) / RISCV_PAGE_SIZE; 40 | } 41 | -------------------------------------------------------------------------------- /sdk/tests/test_binary/tests/app.mk: -------------------------------------------------------------------------------- 1 | CC = riscv64-unknown-linux-gnu-gcc 2 | CFLAGS = -Wall -Werror 3 | LINK = riscv64-unknown-linux-gnu-ld 4 | AS = riscv64-unknown-linux-gnu-as 5 | 6 | SDK_LIB_DIR = $(KEYSTONE_SDK_DIR)/lib 7 | SDK_APP_LIB = $(SDK_LIB_DIR)/libkeystone-eapp.a 8 | SDK_INCLUDE_DIR = $(SDK_LIB_DIR)/app/include 9 | 10 | LDFLAGS = -static -L$(SDK_LIB_DIR) -lkeystone-eapp 11 | CFLAGS += -I$(SDK_INCLUDE_DIR) 12 | 13 | APP_C_OBJS = $(patsubst %.c,%.o, $(APP_C_SRCS)) 14 | APP_A_OBJS = $(patsubst %.s,%.o, $(APP_A_SRCS)) 15 | APP_LDS ?= ../app.lds 16 | 17 | APP_BIN = $(patsubst %,%.eapp_riscv,$(APP)) 18 | 19 | all: $(APP_BIN) 20 | 21 | $(APP_C_OBJS): 
%.o: %.c 22 | $(CC) $(CFLAGS) -c $< 23 | 24 | $(APP_BIN): %.eapp_riscv : $(APP_C_OBJS) $(APP_A_OBJS) $(SDK_APP_LIB) 25 | $(LINK) $(LDFLAGS) -o $@ $^ -T $(APP_LDS) 26 | chmod -x $@ 27 | 28 | clean: 29 | rm -f *.o $(APP_BIN) $(EXTRA_CLEAN) 30 | -------------------------------------------------------------------------------- /examples/hello/host/host.cpp: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #include "edge/edge_call.h" 6 | #include "host/keystone.h" 7 | 8 | using namespace Keystone; 9 | /* Host launcher: sets the free-memory and untrusted sizes to 256 KiB each, initialises the enclave from argv[1], argv[2] and argv[3], registers incoming_call_dispatch for ocalls, points the edge-call layer at the enclave's shared buffer, and runs the enclave. */ 10 | int 11 | main(int argc, char** argv) { 12 | Enclave enclave; 13 | Params params; 14 | 15 | params.setFreeMemSize(256 * 1024); 16 | params.setUntrustedSize(256 * 1024); 17 | /* NOTE(review): argc is never checked, so argv[1]..argv[3] are read even when fewer than three arguments were given; any status reported by init() and run() is not inspected here either. */ 18 | enclave.init(argv[1], argv[2], argv[3], params); 19 | 20 | enclave.registerOcallDispatch(incoming_call_dispatch); 21 | edge_call_init_internals( 22 | (uintptr_t)enclave.getSharedBuffer(), enclave.getSharedBufferSize()); 23 | 24 | enclave.run(); 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /scripts/ci/plat/generic/expected.log: -------------------------------------------------------------------------------- 1 | Verifying archive integrity... MD5 checksums are OK. All good. 2 | Uncompressing Keystone Enclave Package 3 | testing test-stack 4 | testing test-loop 5 | testing test-malloc 6 | testing test-long-nop 7 | testing test-fibonacci 8 | testing test-fib-bench 9 | testing test-attestation 10 | Attestation report SIGNATURE is valid 11 | testing test-untrusted 12 | Enclave said: hello world! 13 | Enclave said: 2nd hello world! 
14 | Enclave said value: 13 15 | Enclave said value: 20 16 | testing test-data-sealing 17 | Enclave said: Sealing key derivation successful! 18 | Verifying archive integrity... MD5 checksums are OK. All good. 19 | Uncompressing Keystone Enclave Package 20 | Enclave said value: 5000 21 | Enclave said value: 10000 22 | Attestation report SIGNATURE is valid 23 | Enclave and SM hashes match with expected. 24 | Returned data in the report match with the nonce sent. 25 | -------------------------------------------------------------------------------- /bootrom/sanctum_params.lds: -------------------------------------------------------------------------------- 1 | . = 0x801ff000; /* the last page before the payload */ 2 | 3 | /* ## manufacturer_keys : */ 4 | 5 | /* 32 Bytes : manufacturer public key */ 6 | PROVIDE( sanctum_m_public_key = . ); 7 | . += 0x20; 8 | 9 | /* 32 Bytes : device public key */ 10 | PROVIDE( sanctum_dev_public_key = . ); 11 | . += 0x20; 12 | 13 | /* 64 Bytes : device secret key */ 14 | PROVIDE( sanctum_dev_secret_key = . ); 15 | . += 0x40; 16 | 17 | /* ## security_monitor_keys : */ 18 | 19 | /* 64 Bytes : security monitor hash */ 20 | PROVIDE( sanctum_sm_hash = . ); 21 | . += 0x40; 22 | 23 | /* 32 Bytes : security monitor public key */ 24 | PROVIDE( sanctum_sm_public_key = . ); 25 | . += 0x20; 26 | 27 | /* 64 Bytes : security monitor secret key */ 28 | PROVIDE( sanctum_sm_secret_key = . ); 29 | . += 0x40; 30 | 31 | /* 64 Bytes : security monitor's signature by device */ 32 | PROVIDE( sanctum_sm_signature = . ); 33 | . += 0x40; 34 | -------------------------------------------------------------------------------- /sm/plat/mpfs/objects.mk: -------------------------------------------------------------------------------- 1 | # 2 | # SPDX-License-Identifier: BSD-2-Clause 3 | # 4 | # Copyright (c) 2019 Western Digital Corporation or its affiliates. 
5 | # 6 | # Authors: 7 | # Atish Patra 8 | # 9 | 10 | ifeq ($(KEYSTONE_SDK_DIR),) 11 | $(error KEYSTONE_SDK_DIR not defined) 12 | endif 13 | 14 | # Define our platform 15 | export PLATFORM=mpfs 16 | 17 | # Ensure that standard SM crypto does not get built here 18 | export KEYSTONE_SM_NO_CRYPTO=y 19 | include $(KEYSTONE_SM)/src/objects.mk 20 | 21 | platform-genflags-y += -I$(KEYSTONE_SM)/plat/$(PLATFORM) -I$(KEYSTONE_SM)/src \ 22 | -I$(KEYSTONE_SDK_DIR)/include/shared 23 | platform-genflags-y += -DTARGET_PLATFORM_HEADER=\"platform/$(PLATFORM)/platform.h\" 24 | 25 | platform-objs-y += $(addprefix $(KEYSTONE_SM)/src/,$(subst .c,.o,$(keystone-sm-sources))) 26 | platform-objs-y += $(KEYSTONE_SM)/plat/$(PLATFORM)/crypto_interpose.o 27 | -------------------------------------------------------------------------------- /docker/Dockerfile.nobuild: -------------------------------------------------------------------------------- 1 | FROM ubuntu:20.04 2 | ARG CHECKOUT=master 3 | RUN apt update 4 | 5 | RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata 6 | 7 | RUN apt -y install autoconf automake autotools-dev bc \ 8 | bison build-essential curl expat libexpat1-dev flex gawk gcc git \ 9 | gperf libgmp-dev libmpc-dev libmpfr-dev libtool texinfo tmux \ 10 | patchutils zlib1g-dev wget bzip2 patch vim-common lbzip2 python \ 11 | pkg-config libglib2.0-dev libpixman-1-dev libssl-dev screen \ 12 | device-tree-compiler expect makeself unzip cpio rsync cmake ninja-build p7zip-full 13 | 14 | RUN apt-get update && apt-get install --reinstall ca-certificates 15 | RUN git clone https://github.com/keystone-enclave/keystone /keystone 16 | RUN cd /keystone && \ 17 | git checkout $CHECKOUT && \ 18 | rmdir linux qemu buildroot && \ 19 | ./fast-setup.sh 20 | 21 | ENTRYPOINT cd /keystone && . 
./source.sh 22 | -------------------------------------------------------------------------------- /docker/README.md: -------------------------------------------------------------------------------- 1 | # Building Docker Image 2 | 3 | To build the image from the master branch: 4 | ```bash 5 | docker build -t keystoneenclaveorg/keystone:master . 6 | ``` 7 | 8 | 9 | From the dev branch: 10 | 11 | ```bash 12 | docker build -t keystoneenclaveorg/keystone:dev --build-arg CHECKOUT=dev . 13 | ``` 14 | 15 | From any other branch or tag (`<tag>` and `<branch-or-tag>` are placeholders; a tag pins the Keystone source that is checked out, while a branch name follows that branch's head at build time): 16 | ```bash 17 | docker build -t keystoneenclaveorg/keystone:<tag> --build-arg CHECKOUT=<branch-or-tag> . 18 | ``` 19 | 20 | # Building CI images 21 | 22 | RV64: 23 | ``` 24 | docker build -t keystoneenclaveorg/keystone:init-rv64gc --build-arg CHECKOUT=master . --platform linux/x86_64 -f Dockerfile.nobuild 25 | docker push keystoneenclaveorg/keystone:init-rv64gc 26 | ``` 27 | 28 | RV32: 29 | 30 | ``` 31 | docker build -t keystoneenclaveorg/keystone:init-rv32gc --build-arg CHECKOUT=master . --platform linux/x86_64 -f Dockerfile.32.nobuild 32 | docker push keystoneenclaveorg/keystone:init-rv32gc 33 | ``` 34 | -------------------------------------------------------------------------------- /docker/Dockerfile.32.nobuild: -------------------------------------------------------------------------------- 1 | FROM ubuntu:20.04 2 | ARG CHECKOUT=master 3 | RUN apt update 4 | 5 | RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata 6 | 7 | RUN apt -y install autoconf automake autotools-dev bc \ 8 | bison build-essential curl expat libexpat1-dev flex gawk gcc git \ 9 | gperf libgmp-dev libmpc-dev libmpfr-dev libtool texinfo tmux \ 10 | patchutils zlib1g-dev wget bzip2 patch vim-common lbzip2 python \ 11 | pkg-config libglib2.0-dev libpixman-1-dev libssl-dev screen \ 12 | device-tree-compiler expect makeself unzip cpio rsync cmake ninja-build p7zip-full 13 | 14 | RUN apt-get update && apt-get install --reinstall ca-certificates 15 | RUN git clone 
https://github.com/keystone-enclave/keystone /keystone 16 | RUN cd /keystone && \ 17 | git checkout $CHECKOUT && \ 18 | rmdir linux qemu buildroot && \ 19 | BITS=32 ./fast-setup.sh 20 | 21 | ENTRYPOINT cd /keystone && . ./source.sh 22 | -------------------------------------------------------------------------------- /mkutils/plat/mpfs/run.mk: -------------------------------------------------------------------------------- 1 | 2 | ########################### 3 | ## Flash and run targets ## 4 | ########################### 5 | 6 | export SC_INSTALL_DIR ?= /opt/microchip/SoftConsole-v2022.2-RISC-V-747 7 | 8 | OPENOCD_FLAGS := -c "gdb_port 3333" -c "telnet_port 4444" -c "tcl_port 6666" \ 9 | -c "set DEVICE MPFS" -c "set JTAG_KHZ 11000" 10 | 11 | ifneq ($(MPFS_COREID),) 12 | OPENOCD_FLAGS += -c "set COREID $(MPFS_COREID)" 13 | endif 14 | 15 | OPENOCD_FLAGS += --file board/microsemi-riscv.cfg 16 | 17 | run: 18 | $(call log,info,Starting OpenOCD) 19 | $(SC_INSTALL_DIR)/openocd/bin/openocd $(OPENOCD_FLAGS) 20 | 21 | debug-connect: 22 | $(call log,info,Connecting to OpenOCD) 23 | PYTHONPATH=$(BUILDROOT_BUILDDIR)/build/host-gcc-final-11.4.0/libstdc++-v3/python \ 24 | $(BUILDROOT_BUILDDIR)/host/bin/riscv64-buildroot-linux-gnu-gdb \ 25 | -iex "set KEYSTONE=$(KEYSTONE)" \ 26 | -x $(KEYSTONE)/scripts/gdb/mpfs.cfg 27 | -------------------------------------------------------------------------------- /sdk/src/host/hash_util.cpp: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2020, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
4 | //------------------------------------------------------------------------------ 5 | extern "C" { 6 | #include "common/sha3.h" 7 | } 8 | #include "Memory.hpp" 9 | #include "hash_util.hpp" 10 | 11 | #define RISCV_PGSIZE (1 << 12) 12 | 13 | void 14 | hash_init(hash_ctx_t* hash_ctx) { 15 | sha3_init(hash_ctx, MDSIZE); 16 | } 17 | 18 | void 19 | hash_extend(hash_ctx_t* hash_ctx, const void* ptr, size_t len) { 20 | sha3_update(hash_ctx, ptr, len); 21 | } 22 | 23 | void 24 | hash_extend_page(hash_ctx_t* hash_ctx, const void* ptr) { 25 | sha3_update(hash_ctx, ptr, RISCV_PGSIZE); 26 | } 27 | 28 | void 29 | hash_finalize(void* md, hash_ctx_t* hash_ctx) { 30 | sha3_final(md, hash_ctx); 31 | } 32 | -------------------------------------------------------------------------------- /docs/make.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | pushd %~dp0 4 | 5 | REM Command file for Sphinx documentation 6 | 7 | if "%SPHINXBUILD%" == "" ( 8 | set SPHINXBUILD=sphinx-build 9 | ) 10 | set SOURCEDIR=source 11 | set BUILDDIR=build 12 | 13 | if "%1" == "" goto help 14 | 15 | %SPHINXBUILD% >NUL 2>NUL 16 | if errorlevel 9009 ( 17 | echo. 18 | echo.The 'sphinx-build' command was not found. Make sure you have Sphinx 19 | echo.installed, then set the SPHINXBUILD environment variable to point 20 | echo.to the full path of the 'sphinx-build' executable. Alternatively you 21 | echo.may add the Sphinx directory to PATH. 22 | echo. 
23 | echo.If you don't have Sphinx installed, grab it from 24 | echo.http://sphinx-doc.org/ 25 | exit /b 1 26 | ) 27 | 28 | %SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% 29 | goto end 30 | 31 | :help 32 | %SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% 33 | 34 | :end 35 | popd 36 | -------------------------------------------------------------------------------- /docs/source/Getting-Started/FAQ.rst: -------------------------------------------------------------------------------- 1 | FAQ 2 | === 3 | 4 | Q: What can I run Keystone on? 5 | - A: Keystone can be run on real RISC-V hardware, on FPGA, and in 6 | simulation. See `Getting Started <#>`_ 7 | 8 | Q: What is the difference between the SM and runtime? 9 | - A: The SM is part of the Keystone TCB, and is trusted by all 10 | components. The runtime is a (technically) optional part of the 11 | enclave itself. While the enclave app trusts it, it is not part 12 | of the trusted boot process and is not part of the Keystone TCB. 13 | 14 | Q: Why are enclaves/SM/etc written in C? Why not Rust (or another modern language)? 15 | - A: Rust RV64 support was unavailable when Keystone was 16 | started. Few options for the security monitor besides C were 17 | available. We are keeping a close eye on Rust support as it 18 | matures for RV64, and expect to support it for enclaves at a 19 | minimum. 
20 | -------------------------------------------------------------------------------- /bootrom/ed25519/sign.c: -------------------------------------------------------------------------------- 1 | #include "ed25519.h" 2 | #include "sha3/sha3.h" 3 | #include "ge.h" 4 | #include "sc.h" 5 | 6 | /* ed25519_sign: writes a 64-byte signature over message[0..message_len) into signature. Bytes 0-31 hold the encoded point R, bytes 32-63 the output of sc_muladd. All hashing goes through the project's sha3_* routines with a 64-byte digest; RFC 8032 Ed25519 specifies SHA-512, so these signatures presumably verify only against a verifier built on the same sha3 code. private_key is read at offsets 0-63 (bytes 32-63 feed the nonce hash, the base pointer is handed to sc_muladd), which suggests the 64-byte expanded key form -- TODO confirm against the key-generation code. public_key (32 bytes) is hashed into the challenge but never compared with private_key. NOTE(review): callers must always pass the public key that belongs to private_key; signing with a mismatched pair is a known way to endanger an Ed25519 private key. No pointer or length is validated here. */ 7 | void ed25519_sign(unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key, const unsigned char *private_key) { 8 | sha3_ctx_t hash; 9 | unsigned char hram[64]; /* challenge digest */ 10 | unsigned char r[64]; /* per-signature nonce; secret */ 11 | ge_p3 R; 12 | 13 | /* Nonce: hash of private_key[32..63] || message, so the same key and message always yield the same r. */ 14 | sha3_init(&hash, 64); 15 | sha3_update(&hash, private_key + 32, 32); 16 | sha3_update(&hash, message, message_len); 17 | sha3_final(r, &hash); 18 | /* R is derived from r by ge_scalarmult_base; its byte encoding becomes signature[0..31]. */ 19 | sc_reduce(r); 20 | ge_scalarmult_base(&R, r); 21 | ge_p3_tobytes(signature, &R); 22 | /* Challenge: hash of signature[0..31] || public_key || message. */ 23 | sha3_init(&hash, 64); 24 | sha3_update(&hash, signature, 32); 25 | sha3_update(&hash, public_key, 32); 26 | sha3_update(&hash, message, message_len); 27 | sha3_final(hram, &hash); 28 | /* signature[32..63] comes from sc_muladd over hram, private_key and r -- presumably S = hram * a + r modulo the group order, as in reference Ed25519. r and hram are not wiped before return, so the nonce stays on the stack. */ 29 | sc_reduce(hram); 30 | sc_muladd(signature + 32, hram, private_key, r); 31 | } 32 | -------------------------------------------------------------------------------- /overlays/keystone/configs/sifive_logo.txt: -------------------------------------------------------------------------------- 1 | 2 | SIFIVE, INC. 
3 | 4 | 5555555555555555555555555 5 | 5555 5555 6 | 5555 5555 7 | 5555 5555 8 | 5555 5555555555555555555555 9 | 5555 555555555555555555555555 10 | 5555 5555 11 | 5555 5555 12 | 5555 5555 13 | 5555555555555555555555555555 55555 14 | 55555 555555555 55555 15 | 55555 55555 55555 16 | 55555 5 55555 17 | 55555 55555 18 | 55555 55555 19 | 55555 55555 20 | 55555 55555 21 | 55555 55555 22 | 555555555 23 | 55555 24 | 5 25 | 26 | SiFive RISC-V Core IP 27 | -------------------------------------------------------------------------------- /sdk/include/host/common.h: -------------------------------------------------------------------------------- 1 | #ifndef __COMMON_H__ 2 | #define __COMMON_H__ 3 | 4 | #include "shared/sm_err.h" 5 | 6 | #define RT_NOEXEC 0 7 | #define USER_NOEXEC 1 8 | #define RT_FULL 2 9 | #define USER_FULL 3 10 | #define UTM_FULL 4 11 | 12 | #define PAGE_BITS 12 13 | #define PAGE_SIZE (1UL << PAGE_BITS) 14 | #define ROUND_UP(n, b) (((((n)-1ul) >> (b)) + 1ul) << (b)) 15 | #define ROUND_DOWN(n, b) (n & ~((2 << (b - 1)) - 1)) 16 | #define PAGE_DOWN(n) ROUND_DOWN(n, PAGE_BITS) 17 | #define PAGE_UP(n) ROUND_UP(n, PAGE_BITS) 18 | 19 | #define BOOST_STRINGIZE(X) BOOST_DO_STRINGIZE(X) 20 | #define BOOST_DO_STRINGIZE(X) #X 21 | 22 | #define KEYSTONE_DEV_PATH "/dev/keystone_enclave" 23 | 24 | #define MSG(str) \ 25 | "[Keystone SDK] " __FILE__ ":" BOOST_STRINGIZE(__LINE__) " : " str 26 | #define ERROR(str, ...) 
fprintf(stderr, MSG(str) "\n", ##__VA_ARGS__) 27 | #define PERROR(str) perror(MSG(str)) 28 | #define IS_ALIGNED(x, align) (!((x) & (align - 1))) /* correct only when align is a power of two; align is expanded without parentheses */ 29 | 30 | #endif 31 | -------------------------------------------------------------------------------- /sm/src/ed25519/sign.c: -------------------------------------------------------------------------------- 1 | #include "ed25519.h" 2 | #include "../sha3/sha3.h" 3 | #include "ge.h" 4 | #include "sc.h" 5 | 6 | /* ed25519_sign: writes a 64-byte signature over message[0..message_len) into signature. Bytes 0-31 hold the encoded point R, bytes 32-63 the output of sc_muladd. All hashing goes through the project's sha3_* routines with a 64-byte digest; RFC 8032 Ed25519 specifies SHA-512, so these signatures presumably verify only against a verifier built on the same sha3 code. private_key is read at offsets 0-63 (bytes 32-63 feed the nonce hash, the base pointer is handed to sc_muladd), which suggests the 64-byte expanded key form -- TODO confirm against the key-generation code. public_key (32 bytes) is hashed into the challenge but never compared with private_key. NOTE(review): callers must always pass the public key that belongs to private_key; signing with a mismatched pair is a known way to endanger an Ed25519 private key. No pointer or length is validated here. */ 7 | void ed25519_sign(unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key, const unsigned char *private_key) { 8 | sha3_ctx_t hash; 9 | unsigned char hram[64]; /* challenge digest */ 10 | unsigned char r[64]; /* per-signature nonce; secret */ 11 | ge_p3 R; 12 | 13 | /* Nonce: hash of private_key[32..63] || message, so the same key and message always yield the same r. */ 14 | sha3_init(&hash, 64); 15 | sha3_update(&hash, private_key + 32, 32); 16 | sha3_update(&hash, message, message_len); 17 | sha3_final(r, &hash); 18 | /* R is derived from r by ge_scalarmult_base; its byte encoding becomes signature[0..31]. */ 19 | sc_reduce(r); 20 | ge_scalarmult_base(&R, r); 21 | ge_p3_tobytes(signature, &R); 22 | /* Challenge: hash of signature[0..31] || public_key || message. */ 23 | sha3_init(&hash, 64); 24 | sha3_update(&hash, signature, 32); 25 | sha3_update(&hash, public_key, 32); 26 | sha3_update(&hash, message, message_len); 27 | sha3_final(hram, &hash); 28 | /* signature[32..63] comes from sc_muladd over hram, private_key and r -- presumably S = hram * a + r modulo the group order, as in reference Ed25519. r and hram are not wiped before return, so the nonce stays on the stack. */ 29 | sc_reduce(hram); 30 | sc_muladd(signature + 32, hram, private_key, r); 31 | } 32 | -------------------------------------------------------------------------------- /sdk/src/verifier/ed25519/sign.c: -------------------------------------------------------------------------------- 1 | #include "common/sha3.h" 2 | #include "ed25519/ed25519.h" 3 | #include "ed25519/ge.h" 4 | #include "ed25519/sc.h" 5 | 6 | void 7 | ed25519_sign( 8 | unsigned char* signature, const unsigned char* message, size_t message_len, 9 | const unsigned char* public_key, const unsigned char* private_key) { 10 | sha3_ctx_t hash; 11 | unsigned char hram[64]; 12 | unsigned char r[64]; 13 | ge_p3 R; 14 | 15 | sha3_init(&hash, 64); 16 | sha3_update(&hash, private_key + 32, 32); 17 | sha3_update(&hash, message, message_len); 18 | sha3_final(r, &hash); 19 | 20 | 
sc_reduce(r); 21 | ge_scalarmult_base(&R, r); 22 | ge_p3_tobytes(signature, &R); 23 | 24 | sha3_init(&hash, 64); 25 | sha3_update(&hash, signature, 32); 26 | sha3_update(&hash, public_key, 32); 27 | sha3_update(&hash, message, message_len); 28 | sha3_final(hram, &hash); 29 | 30 | sc_reduce(hram); 31 | sc_muladd(signature + 32, hram, private_key, r); 32 | } 33 | -------------------------------------------------------------------------------- /sdk/include/verifier/Keys.hpp: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #pragma once 6 | 7 | #include 8 | 9 | typedef unsigned char byte; 10 | 11 | #define ATTEST_DATA_MAXLEN 1024 12 | #define MDSIZE 64 13 | #define SIGNATURE_SIZE 64 14 | #define PUBLIC_KEY_SIZE 32 15 | 16 | class PublicKey { 17 | public: 18 | byte data[PUBLIC_KEY_SIZE]; 19 | explicit PublicKey(std::string hexstr); 20 | }; 21 | 22 | class DevicePublicKey : public PublicKey { 23 | public: 24 | explicit DevicePublicKey(std::string hexstr) : PublicKey(hexstr) {} 25 | }; 26 | 27 | class SecurityMonitorPublicKey : public PublicKey { 28 | public: 29 | explicit SecurityMonitorPublicKey(std::string hexstr) : PublicKey(hexstr) {} 30 | }; 31 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/post-build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | FUSDK_VER="2023.08.00" 4 | 5 | # Copy extlinux config 6 | mkdir -p $TARGET_DIR/boot/extlinux 7 | cp $BR2_EXTERNAL_KEYSTONE_PATH/board/sifive/hifive-unmatched/extlinux.conf $TARGET_DIR/boot/extlinux/extlinux.conf 8 | 9 | # Install udev 
rules & systemd units 10 | mkdir -p $TARGET_DIR/usr/lib/systemd/system 11 | mkdir -p $TARGET_DIR/etc/udev/rules.d 12 | wget -P "${TARGET_DIR}/etc/udev/rules.d" "https://raw.githubusercontent.com/sifive/freedom-u-sdk/${FUSDK_VER}/recipes-sifive/unmatched-udev-rules/files/unmatched/99-pwm-leds.rules" 13 | wget -P "${TARGET_DIR}/usr/lib/systemd/system" "https://raw.githubusercontent.com/sifive/freedom-u-sdk/${FUSDK_VER}/recipes-sifive/unmatched-systemd-units/files/led-bootstate-green.service" 14 | wget -P "${TARGET_DIR}/usr/lib/systemd/system" "https://raw.githubusercontent.com/sifive/freedom-u-sdk/${FUSDK_VER}/recipes-sifive/unmatched-systemd-units/files/led-bootstate-green.timer" 15 | -------------------------------------------------------------------------------- /runtime/include/call/sbi.h: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
4 | //------------------------------------------------------------------------------ 5 | #ifndef __SBI_H_ 6 | #define __SBI_H_ 7 | 8 | #include 9 | #include 10 | 11 | #include "sm_call.h" 12 | 13 | void 14 | sbi_putchar(char c); 15 | void 16 | sbi_set_timer(uint64_t stime_value); 17 | uintptr_t 18 | sbi_stop_enclave(uint64_t request); 19 | void 20 | sbi_exit_enclave(uint64_t retval); 21 | uintptr_t 22 | sbi_random(); 23 | uintptr_t 24 | sbi_query_multimem(size_t *size); 25 | uintptr_t 26 | sbi_query_multimem_addr(uintptr_t *addr); 27 | uintptr_t 28 | sbi_attest_enclave(void* report, void* buf, uintptr_t len); 29 | uintptr_t 30 | sbi_get_sealing_key(uintptr_t key_struct, uintptr_t key_ident, uintptr_t len); 31 | 32 | #endif 33 | -------------------------------------------------------------------------------- /runtime/test/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0) 2 | project(eyrie_test) 3 | list(APPEND CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}/cmocka/cmake/Modules") 4 | 5 | set(WITH_EXAMPLES false) 6 | add_subdirectory(cmocka) 7 | 8 | include(AddCMockaTest) 9 | enable_testing() 10 | 11 | include_directories(../include) 12 | include_directories(../../sdk/include/shared/) 13 | 14 | add_cmocka_test(test_string SOURCES string.c COMPILE_OPTIONS -I${CMAKE_BINARY_DIR}/cmocka/include LINK_LIBRARIES cmocka) 15 | add_cmocka_test(test_merkle 16 | SOURCES merkle.c ../crypto/sha256.c 17 | COMPILE_OPTIONS -DUSE_PAGE_HASH -DUSE_PAGING -D__riscv_xlen=64 -I${CMAKE_BINARY_DIR}/cmocka/include -g 18 | LINK_LIBRARIES cmocka) 19 | add_cmocka_test(test_pageswap 20 | SOURCES page_swap.c ../crypto/merkle.c ../crypto/sha256.c ../crypto/aes.c 21 | COMPILE_OPTIONS -DUSE_PAGE_HASH -DUSE_PAGE_CRYPTO -DUSE_PAGING -D__riscv_xlen=64 -I${CMAKE_BINARY_DIR}/cmocka/include -g 22 | LINK_LIBRARIES cmocka) 23 | 24 | -------------------------------------------------------------------------------- 
/bootrom/ed25519/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2015 Orson Peters , altered by Ilia Lebedev 2 | 3 | This software is provided 'as-is', without any express or implied warranty. In no event will the 4 | authors be held liable for any damages arising from the use of this software. 5 | 6 | Permission is granted to anyone to use this software for any purpose, including commercial 7 | applications, and to alter it and redistribute it freely, subject to the following restrictions: 8 | 9 | 1. The origin of this software must not be misrepresented; you must not claim that you wrote the 10 | original software. If you use this software in a product, an acknowledgment in the product 11 | documentation would be appreciated but is not required. 12 | 13 | 2. Altered source versions must be plainly marked as such, and must not be misrepresented as 14 | being the original software. 15 | 16 | 3. This notice may not be removed or altered from any source distribution. 17 | 18 | -------------------------------------------------------------------------------- /bootrom/Makefile: -------------------------------------------------------------------------------- 1 | 2 | # We override some of the variables that we get from the Buildroot 3 | # infrastructure here. Specifically, we don't want to use the provided 4 | # CFLAGS since these assume that the build target isn't firmware-like 5 | # (i.e. we want nostdlib, nostartfiles, etc). 6 | 7 | override CFLAGS := \ 8 | -mcmodel=medany \ 9 | -nostdlib -nostartfiles -fno-common -std=gnu11 \ 10 | -static \ 11 | -fPIC \ 12 | -O2 -Wall 13 | O ?=. 
14 | 15 | # ^ consider taking out -g -Og and putting in -O2 16 | 17 | bootloaders=\ 18 | $(O)/bootrom.elf \ 19 | $(O)/bootrom.bin 20 | 21 | .PHONY: all 22 | all: $(bootloaders) 23 | 24 | .PHONY: clean 25 | clean: 26 | rm -f $(bootloaders) 27 | 28 | bootrom_sources = \ 29 | ./bootloader.S \ 30 | ./bootloader.c \ 31 | ./ed25519/*.c \ 32 | ./sha3/*.c 33 | 34 | %.elf: $(bootrom_sources) bootloader.lds 35 | $(CC) $(CFLAGS) -I./ -L . -T bootloader.lds -o $@ $(bootrom_sources) 36 | 37 | %.bin: %.elf 38 | $(OBJCOPY) -O binary --only-section=.text $< $@; 39 | 40 | -------------------------------------------------------------------------------- /runtime/include/sys/auxvec.h: -------------------------------------------------------------------------------- 1 | //PARTIAL elf.h from musl-libc 2 | #ifndef _ELF_H_ 3 | #define _ELF_H_ 4 | 5 | #define AT_NULL 0 6 | #define AT_IGNORE 1 7 | #define AT_EXECFD 2 8 | #define AT_PHDR 3 9 | #define AT_PHENT 4 10 | #define AT_PHNUM 5 11 | #define AT_PAGESZ 6 12 | #define AT_BASE 7 13 | #define AT_FLAGS 8 14 | #define AT_ENTRY 9 15 | #define AT_NOTELF 10 16 | #define AT_UID 11 17 | #define AT_EUID 12 18 | #define AT_GID 13 19 | #define AT_EGID 14 20 | #define AT_CLKTCK 17 21 | 22 | 23 | #define AT_PLATFORM 15 24 | #define AT_HWCAP 16 25 | 26 | 27 | 28 | 29 | #define AT_FPUCW 18 30 | 31 | 32 | #define AT_DCACHEBSIZE 19 33 | #define AT_ICACHEBSIZE 20 34 | #define AT_UCACHEBSIZE 21 35 | 36 | 37 | 38 | #define AT_IGNOREPPC 22 39 | 40 | #define AT_SECURE 23 41 | 42 | #define AT_BASE_PLATFORM 24 43 | 44 | #define AT_RANDOM 25 45 | 46 | #define AT_HWCAP2 26 47 | 48 | #define AT_EXECFN 31 49 | 50 | 51 | 52 | #define AT_SYSINFO 32 53 | #define AT_SYSINFO_EHDR 33 54 | 55 | #endif /* _ELF_H_ */ 56 | -------------------------------------------------------------------------------- /sm/src/ipi.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 
| #include 8 | #include "ipi.h" 9 | #include "pmp.h" 10 | 11 | void sbi_pmp_ipi_local_update(struct sbi_tlb_info *__info) 12 | { 13 | struct sbi_pmp_ipi_info* info = (struct sbi_pmp_ipi_info *) __info; 14 | if (info->type == SBI_PMP_IPI_TYPE_SET) { 15 | pmp_set_keystone(info->rid, (uint8_t) info->perm); 16 | } else { 17 | pmp_unset(info->rid); 18 | } 19 | } 20 | 21 | void send_and_sync_pmp_ipi(int region_idx, int type, uint8_t perm) 22 | { 23 | ulong mask = 0; 24 | ulong source_hart = current_hartid(); 25 | struct sbi_tlb_info tlb_info; 26 | sbi_hsm_hart_interruptible_mask(sbi_domain_thishart_ptr(), 0, &mask); 27 | 28 | SBI_TLB_INFO_INIT(&tlb_info, type, 0, region_idx, perm, 29 | sbi_pmp_ipi_local_update, source_hart); 30 | sbi_tlb_request(mask, 0, &tlb_info); 31 | } 32 | 33 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/patches/uboot/0007-keystone-prefer-mmc-boot-for-unmatched.patch: -------------------------------------------------------------------------------- 1 | From 5ab2e687c5ba9ff45af57f29e4973da40e4914cf Mon Sep 17 00:00:00 2001 2 | From: Akihiro Saiki 3 | Date: Thu, 16 Nov 2023 00:31:32 +0900 4 | Subject: [PATCH 7/7] keystone: prefer mmc boot for unmatched 5 | 6 | --- 7 | include/configs/sifive-unmatched.h | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/include/configs/sifive-unmatched.h b/include/configs/sifive-unmatched.h 11 | index 5e8fab031a..f73d1a231e 100644 12 | --- a/include/configs/sifive-unmatched.h 13 | +++ b/include/configs/sifive-unmatched.h 14 | 
@@ -20,10 +20,10 @@ 15 | /* Environment options */ 16 | 17 | #define BOOT_TARGET_DEVICES(func) \ 18 | + func(MMC, mmc, 0) \ 19 | func(NVME, nvme, 0) \ 20 | func(NVME, nvme, 1) \ 21 | func(USB, usb, 0) \ 22 | - func(MMC, mmc, 0) \ 23 | func(SCSI, scsi, 0) \ 24 | func(PXE, pxe, na) \ 25 | func(DHCP, dhcp, na) 26 | -- 27 | 2.34.1 28 | 29 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/src/uboot/keystone/ed25519/sign.c: -------------------------------------------------------------------------------- 1 | #include "ed25519.h" 2 | #include "../sha3/sha3.h" 3 | #include "ge.h" 4 | #include "sc.h" 5 | 6 | 7 | void ed25519_sign(unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key, const unsigned char *private_key) { 8 | sha3_ctx_t hash; 9 | unsigned char hram[64]; 10 | unsigned char r[64]; 11 | ge_p3 R; 12 | 13 | 14 | sha3_init(&hash, 64); 15 | sha3_update(&hash, private_key + 32, 32); 16 | sha3_update(&hash, message, message_len); 17 | sha3_final(r, &hash); 18 | 19 | sc_reduce(r); 20 | ge_scalarmult_base(&R, r); 21 | ge_p3_tobytes(signature, &R); 22 | 23 | sha3_init(&hash, 64); 24 | sha3_update(&hash, signature, 32); 25 | sha3_update(&hash, public_key, 32); 26 | sha3_update(&hash, message, message_len); 27 | sha3_final(hram, &hash); 28 | 29 | sc_reduce(hram); 30 | sc_muladd(signature + 32, hram, private_key, r); 31 | } 32 | -------------------------------------------------------------------------------- /sm/src/sm.h: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
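Review bot: Moving `func(MMC, mmc, 0)` to the top of `BOOT_TARGET_DEVICES` makes the SD card slot the first boot source tried, ahead of both NVMe entries and USB, and neither the patch nor its empty commit body records why. On a platform that relies on a trusted boot chain, which medium wins is worth stating explicitly, because removable media now takes precedence over internal storage whenever a card is present. I would add a comment above the macro such as `/* Keystone: try MMC (SD card) before NVMe/USB */`, with the actual reason filled in by the author, and note in the commit message whether the remaining targets are still expected to be used.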
4 | //------------------------------------------------------------------------------ 5 | #ifndef sm_h 6 | #define sm_h 7 | 8 | #include 9 | #include "pmp.h" 10 | #include "sm-sbi.h" 11 | #include 12 | 13 | #include "sm_call.h" 14 | #include "sm_err.h" 15 | 16 | void sm_init(bool cold_boot); 17 | 18 | /* platform specific functions */ 19 | #define ATTESTATION_KEY_LENGTH 64 20 | void sm_retrieve_pubkey(void* dest); 21 | void sm_sign(void* sign, const void* data, size_t len); 22 | int sm_derive_sealing_key(unsigned char *key, 23 | const unsigned char *key_ident, 24 | size_t key_ident_size, 25 | const unsigned char *enclave_hash); 26 | 27 | int osm_pmp_set(uint8_t perm); 28 | #endif 29 | -------------------------------------------------------------------------------- /runtime/include/call/syscall.h: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #ifndef __SYSCALL_H__ 6 | #define __SYSCALL_H__ 7 | 8 | #include "util/printf.h" 9 | #include "util/regs.h" 10 | #include "edge_syscall.h" 11 | #include "mm/vm.h" 12 | 13 | #include "eyrie_call.h" 14 | 15 | void handle_syscall(struct encl_ctx* ctx); 16 | void init_edge_internals(void); 17 | uintptr_t dispatch_edgecall_syscall(struct edge_syscall* syscall_data_ptr, 18 | size_t data_len); 19 | 20 | // Define this to enable printing of a large amount of syscall information 21 | //#define USE_INTERNAL_STRACE 1 22 | 23 | #ifdef USE_INTERNAL_STRACE 24 | #define print_strace printf 25 | #else 26 | #define print_strace(...) 
27 | #endif 28 | 29 | #endif /* syscall.h */ 30 | -------------------------------------------------------------------------------- /bootrom/test_dev_key.h: -------------------------------------------------------------------------------- 1 | /* These are known device TESTING keys, use them for testing on platforms/qemu */ 2 | /* The secret half below is committed in clear text, so anyone with the source tree holds it. Signatures rooted in this key therefore say nothing about which device or software produced them. Builds meant for real hardware need a device secret provisioned outside the repository; in this file the #warning on the next line is the only guard against shipping the test key. */ 3 | #warning Using TEST device root key. No integrity guarantee. 4 | static const unsigned char _sanctum_dev_secret_key[] = { 5 | 0x40, 0xa0, 0x99, 0x47, 0x8c, 0xce, 0xfa, 0x3a, 0x06, 0x63, 0xab, 0xc9, 6 | 0x5e, 0x7a, 0x1e, 0xc9, 0x54, 0xb4, 0xf5, 0xf6, 0x45, 0xba, 0xd8, 0x04, 7 | 0xdb, 0x13, 0xe7, 0xd7, 0x82, 0x6c, 0x70, 0x73, 0x57, 0x6a, 0x9a, 0xb6, 8 | 0x21, 0x60, 0xd9, 0xd1, 0xc6, 0xae, 0xdc, 0x29, 0x85, 0x2f, 0xb9, 0x60, 9 | 0xee, 0x51, 0x32, 0x83, 0x5a, 0x16, 0x89, 0xec, 0x06, 0xa8, 0x72, 0x34, 10 | 0x51, 0xaa, 0x0e, 0x4a 11 | }; 12 | static const size_t _sanctum_dev_secret_key_len = 64; /* length is hard-coded rather than taken from sizeof; keep it in step with the array */ 13 | /* Public half, 32 bytes. Presumably the counterpart of the secret key above -- verify before relying on the pairing. */ 14 | static const unsigned char _sanctum_dev_public_key[] = { 15 | 0x0f, 0xaa, 0xd4, 0xff, 0x01, 0x17, 0x85, 0x83, 0xba, 0xa5, 0x88, 0x96, 16 | 0x6f, 0x7c, 0x1f, 0xf3, 0x25, 0x64, 0xdd, 0x17, 0xd7, 0xdc, 0x2b, 0x46, 17 | 0xcb, 0x50, 0xa8, 0x4a, 0x69, 0x27, 0x0b, 0x4c 18 | }; 19 | static const size_t _sanctum_dev_public_key_len = 32; 20 | -------------------------------------------------------------------------------- /overlays/keystone/package/keystone-sdk/keystone-sdk.mk: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # Keystone SDK 4 | # 5 | ################################################################################ 6 | 7 | ifeq ($(KEYSTONE_SDK),) 8 | $(error KEYSTONE_SDK directory not defined) 9 | else 10 | include $(KEYSTONE)/mkutils/pkg-keystone.mk 11 | endif 12 | 13 | # Export the variable below for any other keystone packages to use 14 | export KEYSTONE_SDK_DIR=$(HOST_DIR)/usr/share/keystone/sdk 15 | 16 | 
HOST_KEYSTONE_SDK_CONF_OPTS += -DKEYSTONE_SDK_DIR=$(KEYSTONE_SDK_DIR) \ 17 | -DKEYSTONE_BITS=${KEYSTONE_BITS} 18 | HOST_KEYSTONE_SDK_DEPENDENCIES += toolchain 19 | 20 | # Clean dependant packages if we clean this one 21 | host-keystone-sdk-dirclean: keystone-examples-dirclean \ 22 | keystone-sm-dirclean \ 23 | keystone-driver-dirclean 24 | 25 | $(eval $(host-keystone-package)) 26 | $(eval $(host-cmake-package)) 27 | -------------------------------------------------------------------------------- /runtime/include/call/linux_wrap.h: -------------------------------------------------------------------------------- 1 | #ifdef USE_LINUX_SYSCALL 2 | #ifndef _LINUX_WRAP_H_ 3 | #define _LINUX_WRAP_H_ 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | struct timespec; 10 | 11 | uintptr_t linux_uname(void* buf); 12 | uintptr_t linux_clock_gettime(__clockid_t clock, struct timespec *tp); 13 | uintptr_t linux_rt_sigprocmask(int how, const sigset_t *set, sigset_t *oldset); 14 | uintptr_t linux_getrandom(void *buf, size_t buflen, unsigned int flags); 15 | uintptr_t linux_getpid(); 16 | uintptr_t linux_set_tid_address(int* tidptr); 17 | uintptr_t linux_RET_ZERO_wrap(unsigned long which); 18 | uintptr_t linux_RET_BAD_wrap(unsigned long which); 19 | uintptr_t syscall_munmap(void *addr, size_t length); 20 | uintptr_t syscall_mmap(void *addr, size_t length, int prot, int flags, 21 | int fd, __off_t offset); 22 | uintptr_t syscall_mprotect(void *addr, size_t len, int prot); 23 | uintptr_t syscall_brk(void* addr); 24 | #endif /* _LINUX_WRAP_H_ */ 25 | #endif /* USE_LINUX_SYSCALL */ 26 | -------------------------------------------------------------------------------- /sdk/tests/test_binary/tests/Makefile: -------------------------------------------------------------------------------- 1 | CC = riscv64-unknown-linux-gnu-g++ 2 | OBJCOPY = riscv64-unknown-linux-gnu-objcopy 3 | 4 | SDK_LIB_DIR =$(KEYSTONE_SDK_DIR)/lib 5 | SDK_HOST_LIB = $(SDK_LIB_DIR)/libkeystone-host.a 6 | SDK_EDGE_LIB = 
$(SDK_LIB_DIR)/libkeystone-edge.a 7 | SDK_VERIFIER_LIB = $(SDK_LIB_DIR)/libkeystone-verifier.a 8 | 9 | SDK_INCLUDE_HOST_DIR = $(SDK_LIB_DIR)/host/include 10 | SDK_INCLUDE_EDGE_DIR = $(SDK_LIB_DIR)/edge/include 11 | SDK_INCLUDE_VERIFIER_DIR = $(SDK_LIB_DIR)/verifier 12 | 13 | RUNTIME=eyrie-rt 14 | RUNNER=test-runner.riscv 15 | CCFLAGS = -I$(SDK_INCLUDE_HOST_DIR) -I$(SDK_INCLUDE_EDGE_DIR) -I$(SDK_INCLUDE_VERIFIER_DIR) -std=c++11 16 | LDFLAGS = -L$(SDK_LIB_DIR) 17 | 18 | TESTS=stack 19 | 20 | SRCS = $(patsubst %.riscv, %.cpp, $(RUNNER)) 21 | OBJS = $(patsubst %.riscv, %.o,$(RUNNER)) $(KEYSTONE_OBJ) edge_wrapper.o 22 | 23 | all: 24 | $(foreach test, $(TESTS),\ 25 | $(MAKE) -C $(test);\ 26 | ) 27 | 28 | clean: 29 | rm -f *.o *.riscv test 30 | $(foreach test, $(TESTS), \ 31 | $(MAKE) -C $(test) clean; \ 32 | ) 33 | -------------------------------------------------------------------------------- /overlays/keystone/board/mpfs/hss-config.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # HSS Payload Generator - buildroot configuration file 3 | # 4 | 5 | # This configuration file is almost verbatim copied from the one in overlays/microchip/board/microchip/icicle/config.yaml, 6 | # with the only changes being to u-boot's starting addresses. Since we need quite a lot of contiguous physical memory 7 | # (for VTA and Keystone), we've had to shift some of the firmwares around in order to make room. This configuration file 8 | # simply causes u-boot to be loaded at 0x90200000 rather that 0x80200000. 
See this spreadsheet for memory maps: 9 | # 10 | # https://docs.google.com/spreadsheets/d/1udkXU-yJFux_UKdjfGWhB8Kl4OM-iYosNJppex-5UYA 11 | 12 | set-name: 'PolarFire-SoC-HSS::U-Boot' 13 | 14 | hart-entry-points: {u54_1: '0x90200000', u54_2: '0x90200000', u54_3: '0x90200000', u54_4: '0x90200000'} 15 | 16 | payloads: 17 | src.bin: {exec-addr: '0x90200000', owner-hart: u54_1, secondary-hart: u54_2, secondary-hart: u54_3, secondary-hart: u54_4, priv-mode: prv_s, ancilliary-data: mpfs-icicle-kit.dtb} 18 | -------------------------------------------------------------------------------- /examples/tests/fib-bench/fib-bench.c: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #include "app/eapp_utils.h" 6 | 7 | unsigned long read_cycles(void) 8 | { 9 | unsigned long cycles; 10 | asm volatile ("rdcycle %0" : "=r" (cycles)); 11 | return cycles; 12 | } 13 | 14 | unsigned long fibonacci_rec(unsigned long in){ 15 | if( in <= 1) 16 | return 1; 17 | else 18 | return fibonacci_rec(in-1)+fibonacci_rec(in-2); 19 | } 20 | 21 | // Returns the number of cycles for a given fibonacci execution 22 | unsigned long fib_eapp(unsigned long in) { 23 | unsigned long start = read_cycles(); 24 | fibonacci_rec(in); 25 | unsigned long end = read_cycles(); 26 | return end - start; 27 | } 28 | 29 | void EAPP_ENTRY eapp_entry(){ 30 | int arg = 35; 31 | EAPP_RETURN(fib_eapp(arg)); 32 | } 33 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/src/uboot/keystone/ed25519/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2015 
Orson Peters , altered by Ilia Lebedev 2 | 3 | This software is provided 'as-is', without any express or implied warranty. In no event will the 4 | authors be held liable for any damages arising from the use of this software. 5 | 6 | Permission is granted to anyone to use this software for any purpose, including commercial 7 | applications, and to alter it and redistribute it freely, subject to the following restrictions: 8 | 9 | 1. The origin of this software must not be misrepresented; you must not claim that you wrote the 10 | original software. If you use this software in a product, an acknowledgment in the product 11 | documentation would be appreciated but is not required. 12 | 13 | 2. Altered source versions must be plainly marked as such, and must not be misrepresented as 14 | being the original software. 15 | 16 | 3. This notice may not be removed or altered from any source distribution. 17 | 18 | -------------------------------------------------------------------------------- /overlays/keystone/board/cva6/patches/opensbi/0002-workaround-to-fix-CVA6-32-bit-ABi-is-incompatible-is.patch: -------------------------------------------------------------------------------- 1 | From e2d72c215bbd0fe5970ece55fbd52d33c35d5b7e Mon Sep 17 00:00:00 2001 2 | From: sahmad 3 | Date: Mon, 30 Oct 2023 20:50:21 +0800 4 | Subject: [PATCH 2/2] workaround to fix CVA6 32 bit "ABi is incompatible" issue 5 | 6 | --- 7 | firmware/payloads/objects.mk | 11 ----------- 8 | 1 file changed, 11 deletions(-) 9 | 10 | diff --git a/firmware/payloads/objects.mk b/firmware/payloads/objects.mk 11 | index 21e0185..1223cce 100644 12 | --- a/firmware/payloads/objects.mk 13 | +++ b/firmware/payloads/objects.mk 14 | 
@@ -6,14 +6,3 @@ 15 | # Authors: 16 | # Anup Patel 17 | # 18 | - 19 | -firmware-bins-$(FW_PAYLOAD) += payloads/test.bin 20 | - 21 | -test-y += test_head.o 22 | -test-y += test_main.o 23 | - 24 | -%/test.o: $(foreach obj,$(test-y),%/$(obj)) 25 | - $(call merge_objs,$@,$^) 26 | - 27 | -%/test.dep: $(foreach dep,$(test-y:.o=.dep),%/$(dep)) 28 | - $(call merge_deps,$@,$^) 29 | -- 30 | 2.34.1 31 | 32 | -------------------------------------------------------------------------------- /examples/tests/edge_wrapper.h: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #ifndef _EDGE_WRAPPER_H_ 6 | #define _EDGE_WRAPPER_H_ 7 | 8 | #include "edge/edge_call.h" 9 | #include "host/keystone.h" 10 | 11 | typedef struct packaged_str{ 12 | unsigned long str_offset; 13 | size_t len; 14 | } packaged_str_t; 15 | 16 | typedef unsigned char byte; 17 | 18 | void edge_init(Keystone::Enclave* enclave); 19 | 20 | void print_buffer_wrapper(void* buffer); 21 | unsigned long print_buffer(char* str); 22 | 23 | void print_value_wrapper(void* buffer); 24 | void print_value(unsigned long val); 25 | 26 | void copy_report_wrapper(void* buffer); 27 | void copy_report(void* shared_buffer); 28 | 29 | void get_host_string_wrapper(void* buffer); 30 | const char* get_host_string(); 31 | 32 | #endif /* _EDGE_WRAPPER_H_ */ 33 | -------------------------------------------------------------------------------- /scripts/ci/plat/cva6/flash-os.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | # Source global test configuration file 5 | . 
scripts/ci/test-setup.sh 6 | 7 | if [[ -z "$KEYSTONE_BITS" ]]; then 8 | echo "KEYSTONE_BITS undefined" 9 | exit 1 10 | fi 11 | 12 | OS_FILENAME="build-cva6$KEYSTONE_BITS/buildroot.build/images/uImage" 13 | get_platform_var HOST_IP 14 | get_platform_var BOARD_IP 15 | 16 | ########### 17 | ## Flash ## 18 | ########### 19 | set -x 20 | 21 | TTYDEV=$(find_tty 0) 22 | touch "$LOGFILE" 23 | start_record_tty "$TTYDEV" 115200 "$LOGFILE" cva6-tty 24 | 25 | power_on 26 | wait_for "Hit any key to stop autoboot" 27 | echo 'a' > "$TTYDEV" 28 | 29 | rm -f "$TFTP_DIR/uImage" 30 | cp "$OS_FILENAME" "$TFTP_DIR/uImage" 31 | 32 | # Configure TFTP 33 | echo "setenv serverip $HOST_IP" > "$TTYDEV" ; sleep 1 34 | echo "setenv ipaddr $BOARD_IP" > "$TTYDEV" ; sleep 1 35 | 36 | echo "tftp uImage" > "$TTYDEV" 37 | wait_for "=>" 38 | echo "mmc write 80200000 100000 10000" > "$TTYDEV" 39 | wait_for "=>" 40 | 41 | stop_record_tty cva6-tty 42 | power_off 43 | exit 0 44 | -------------------------------------------------------------------------------- /runtime/.fast-setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This script is only for Travis test. Do not run in your local repository 4 | echo "Starting..." 5 | if ( $(command -v riscv64-unknown-linux-gnu-gcc > /dev/null) && 6 | $(command -v riscv64-unknown-elf-gcc > /dev/null) ) 7 | then 8 | echo "RISCV tools are already installed" 9 | else 10 | echo "Downloading Prebuilt RISC-V Toolchain... 
" 11 | 12 | # The 1.0 version expected libmpfr.so.4, modern Ubuntu has .6 13 | TOOL_VER=1.0 14 | if [[ $(ldconfig -p | grep "libmpfr.so.6") ]]; then 15 | echo "Downloading tools v2.0 (support for libmpfr.so.6)" 16 | TOOL_VER=2.0 17 | fi 18 | 19 | export RISCV=$(pwd)/riscv 20 | export PATH=$PATH:$RISCV/bin 21 | wget https://github.com/keystone-enclave/firesim-riscv-tools-prebuilt/archive/${TOOL_VER}.tar.gz # NOTE(review): the archive is fetched by tag with no checksum or signature check; pin an expected SHA-256 per TOOL_VER and verify it before unpacking 22 | tar -xzvf ${TOOL_VER}.tar.gz 23 | cd firesim-riscv-tools-prebuilt-${TOOL_VER} 24 | ./installrelease.sh > riscv-tools-install.log # runs the installer shipped inside the downloaded archive 25 | mv distrib riscv 26 | cp -R riscv ../ 27 | cd .. 28 | echo "Toolchain has been installed in $RISCV" 29 | fi 30 | 31 | -------------------------------------------------------------------------------- /bootrom/string.h: -------------------------------------------------------------------------------- 1 | #ifndef __STRING_H__ 2 | #define __STRING_H__ 3 | 4 | void* memcpy(void* dest, const void* src, size_t len) // Copies len bytes from src to dest and returns dest; whole words are copied first when both pointers are uintptr_t-aligned, the remaining bytes one at a time. 5 | { 6 | const char* s = src; 7 | char *d = dest; 8 | 9 | if ((((uintptr_t)dest | (uintptr_t)src) & (sizeof(uintptr_t)-1)) == 0) { 10 | while ((void*)d < (dest + len - (sizeof(uintptr_t)-1))) { // word copy while a full word still fits; dest + len is void* arithmetic (GNU C extension, counted in bytes) 11 | *(uintptr_t*)d = *(const uintptr_t*)s; 12 | d += sizeof(uintptr_t); 13 | s += sizeof(uintptr_t); 14 | } 15 | } 16 | 17 | while (d < (char*)(dest + len)) 18 | *d++ = *s++; 19 | 20 | return dest; 21 | } 22 | 23 | void* memset(void* dest, int byte, size_t len) // Sets len bytes at dest to byte and returns dest; uses word-sized stores only when dest and len are both multiples of sizeof(uintptr_t). 24 | { 25 | if ((((uintptr_t)dest | len) & (sizeof(uintptr_t)-1)) == 0) { 26 | uintptr_t word = byte & 0xFF; 27 | word |= word << 8; 28 | word |= word << 16; 29 | word |= word << 16 << 16; // split shift, presumably so the expression stays valid when uintptr_t is 32 bits wide 30 | 31 | uintptr_t *d = dest; 32 | while (d < (uintptr_t*)(dest + len)) 33 | *d++ = word; 34 | } else { 35 | char *d = dest; 36 | while (d < (char*)(dest + len)) 37 | *d++ = byte; 38 | } 39 | return dest; 40 | } 41 | 42 | #endif 43 | -------------------------------------------------------------------------------- /examples/tests/attestation/edge_wrapper.c:
-------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #include "edge/edge_call.h" 6 | #include "edge_wrapper.h" 7 | #include "app/eapp_utils.h" 8 | #include "app/string.h" 9 | #include "app/syscall.h" 10 | 11 | void edge_init(){ 12 | /* Nothing for now, will probably register buffers/callsites 13 | later */ 14 | } 15 | 16 | void ocall_print_value(unsigned long val){ 17 | 18 | unsigned long val_ = val; 19 | ocall(2, &val_, sizeof(unsigned long), 0, 0); 20 | 21 | return; 22 | } 23 | 24 | unsigned long ocall_print_buffer(char* data, size_t data_len){ 25 | 26 | unsigned long retval; 27 | ocall(1, data, data_len, &retval ,sizeof(unsigned long)); 28 | 29 | return retval; 30 | } 31 | 32 | void ocall_copy_report(void* report, size_t len) { 33 | ocall(3, report, len, 0, 0); 34 | } 35 | -------------------------------------------------------------------------------- /mkutils/plat/cva6/run.mk: -------------------------------------------------------------------------------- 1 | ###################### 2 | ## CVA6 Flash SD Card ## 3 | ###################### 4 | 5 | 6 | 7 | PAYLOAD = $(BUILDROOT_BUILDDIR)/images/fw_payload.bin 8 | KERNEL = $(BUILDROOT_BUILDDIR)/images/uImage 9 | SDDEVICE_PART1 = $(shell lsblk $(SD_DEVICE) -no PATH | head -2 | tail -1) 10 | SDDEVICE_PART2 = $(shell lsblk $(SD_DEVICE) -no PATH | head -3 | tail -1) 11 | 12 | flash: $(SD_DEVICE) 13 | $(info PAYLOAD INFORMATION) 14 | $(info $(PAYLOAD)) 15 | $(info $(SD_DEVICE)) 16 | $(info $(SDDEVICE_PART1)) 17 | $(info $(SDDEVICE_PART2)) 18 | sgdisk --clear -g --new=1:2048:4M --new=2:512M:0 --typecode=1:3000 --typecode=2:8300 $(SD_DEVICE) 19 | dd if=$(PAYLOAD) 
of=$(SDDEVICE_PART1) status=progress oflag=sync bs=1M 20 | dd if=$(KERNEL) of=$(SDDEVICE_PART2) status=progress oflag=sync bs=1M 21 | 22 | debug-connect: 23 | $(call log,info,Connecting to OpenOCD) 24 | $(BUILDROOT_BUILDDIR)/host/bin/riscv64-buildroot-linux-gnu-gdb \ 25 | -iex "set KEYSTONE=$(KEYSTONE)" \ 26 | -x $(KEYSTONE)/scripts/gdb/cva6.cfg 27 | -------------------------------------------------------------------------------- /sm/src/cpu.c: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #include "cpu.h" 6 | #include 7 | 8 | #ifndef TARGET_PLATFORM_HEADER 9 | #error "SM requires a defined platform to build" 10 | #endif 11 | 12 | // Special target platform header, set by configure script 13 | #include TARGET_PLATFORM_HEADER 14 | 15 | static struct cpu_state cpus[MAX_HARTS] = {0,}; // per-hart enclave state, indexed by the value read from mhartid 16 | 17 | int cpu_is_enclave_context(void) // Returns the is_enclave flag recorded for the calling hart. 18 | { 19 | return cpus[csr_read(mhartid)].is_enclave; // NOTE(review): mhartid indexes cpus[] with no check against MAX_HARTS here and in the functions below; confirm the platform guarantees hart ids below MAX_HARTS 20 | } 21 | 22 | int cpu_get_enclave_id(void) // Returns the eid last stored for the calling hart; it is not cleared on exit, so presumably only meaningful while cpu_is_enclave_context() is nonzero. 23 | { 24 | return cpus[csr_read(mhartid)].eid; 25 | } 26 | 27 | void cpu_enter_enclave_context(enclave_id eid) // Marks the calling hart as running an enclave and records eid for it. 28 | { 29 | cpus[csr_read(mhartid)].is_enclave = 1; 30 | cpus[csr_read(mhartid)].eid = eid; 31 | } 32 | 33 | void cpu_exit_enclave_context(void) // Clears the calling hart's is_enclave flag; the stored eid is left unchanged. 34 | { 35 | cpus[csr_read(mhartid)].is_enclave = 0; 36 | } 37 | -------------------------------------------------------------------------------- /tests/test-qemu.expected.log: -------------------------------------------------------------------------------- 1 | Running "insmod keystone-driver.ko" in QEMU ... 2 | Uploading "tests.ke" to QEMU ... 3 | Running "./tests.ke" in QEMU ... 4 | Verifying archive integrity... All good.
5 | Uncompressing Keystone Enclave Package 6 | testing stack 7 | testing loop 8 | testing malloc 9 | testing long-nop 10 | testing fibonacci 11 | testing fib-bench 12 | testing attestation 13 | Attestation report SIGNATURE is valid 14 | testing untrusted 15 | Enclave said: hello world! 16 | Enclave said: 2nd hello world! 17 | Enclave said value: 13 18 | Enclave said value: 20 19 | testing data-sealing 20 | Enclave said: Sealing key derivation successful! 21 | Uploading "attestor.ke" to QEMU ... 22 | Uploading "fw_jump.bin" to QEMU ... 23 | Running "./attestor.ke" in QEMU ... 24 | Verifying archive integrity... All good. 25 | Uncompressing Keystone Enclave Package 26 | Enclave said value: 5000 27 | Enclave said value: 10000 28 | Attestation report SIGNATURE is valid 29 | Enclave and SM hashes match with expected. 30 | Returned data in the report match with the nonce sent. 31 | Running "poweroff" in QEMU ... 32 | -------------------------------------------------------------------------------- /overlays/keystone/boot/hss/hss.mk: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # HSS 4 | # 5 | ################################################################################ 6 | 7 | HSS_VERSION = v2023.06 8 | HSS_SITE = $(call github,polarfire-soc,hart-software-services,$(HSS_VERSION)) 9 | HSS_DEPENDENCIES += keystone-sm 10 | 11 | HSS_MAKE_OPTS += BOARD=mpfs-icicle-kit-es CROSS_COMPILE=riscv64-buildroot-linux-gnu- \ 12 | PLATFORM_CFLAGS="-fno-pic" PATH=$(BR_PATH) KEYSTONE_SM=$(KEYSTONE_SM_BUILDDIR) 13 | 14 | define HSS_CONFIGURE_CMDS 15 | cp $(@D)/boards/mpfs-icicle-kit-es/def_config $(@D)/.config 16 | ln -sf $(STAGING_DIR)/usr/include/gnu/stubs-{lp64d.h,lp64.h} 17 | endef 18 | 19 | define HSS_BUILD_CMDS 20 | $(MAKE) $(HSS_MAKE_OPTS) -C $(@D) 21 | endef 22 | 23 | define HSS_INSTALL_TARGET_CMDS 24 | $(INSTALL) -m 0644 -D 
$(@D)/Default/hss-envm-wrapper.bin $(BINARIES_DIR)/hss-envm-wrapper.bin 25 | $(INSTALL) -m 0644 -D $(@D)/Default/hss-l2scratch.bin $(BINARIES_DIR)/hss-l2scratch.bin 26 | endef 27 | 28 | $(eval $(generic-package)) 29 | -------------------------------------------------------------------------------- /sm/src/hkdf_sha3_512/hkdf_sha3_512.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2020 Fraunhofer AISEC 3 | * Authors: Benedikt Kopf 4 | * Lukas Auer 5 | * Mathias Morbitzer 6 | * 7 | * hkdf_sha3_512.h 8 | * 9 | * All Rights Reserved. See LICENSE for license details. 10 | */ 11 | 12 | #ifndef HDKF_SHA3_512_H 13 | #define HDKF_SHA3_512_H 14 | 15 | int hkdf_sha3_512(const unsigned char *salt, int salt_len, 16 | const unsigned char *in_key, int in_key_len, 17 | const unsigned char *info, int info_len, 18 | unsigned char *out_key, int out_key_length); 19 | void hkdf_extract(const unsigned char *salt, int salt_len, 20 | const unsigned char *in_key, int in_key_len, 21 | unsigned char *prk); 22 | int hkdf_expand(const unsigned char *prk, int prk_len, 23 | const unsigned char *info, int info_len, 24 | unsigned char *out_key, int out_key_len); 25 | 26 | #endif /* HDKF_SHA3_512_H */ 27 | -------------------------------------------------------------------------------- /docs/source/Keystone-Applications/Compiling-Applications.rst: -------------------------------------------------------------------------------- 1 | Compiling Applications 2 | ====================== 3 | 4 | Building a host and enclave application using the SDK is 5 | straight-forward. See Keystone-Demo and the 6 | :doc:`Tutorials` as examples. 7 | 8 | Toolchain 9 | --------- 10 | 11 | All compilation will need to be done using the riscv64- toolchain. 
12 | 13 | Libraries 14 | --------- 15 | 16 | Hosts and enclave applications will want to link against the edge library ``libkeystone-edge.a`` 17 | 18 | Hosts will want to link against the host library ``libkeystone-host.a`` 19 | 20 | Applications will want to link against the enclave app library ``libkeystone-app.a`` 21 | 22 | Applications 23 | ------------ 24 | 25 | eapps may be a standard unmodified statically linked binary. This 26 | requires most options for the `eyrie` runtime to be enabled. 27 | 28 | Otherwise, eapps need to be linked in a specific way. As this may 29 | change, please see the ``app.lds`` linker script in the ``sdk/examples/tests`` 30 | directory to see the most up to date linking requirements. 31 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/src/uboot/keystone/keystone_test_dev_key.h: -------------------------------------------------------------------------------- 1 | /* These are known device TESTING keys, use them for testing on platforms/qemu */ 2 | 3 | #warning Using TEST device root key. No integrity guarantee. 
4 | 5 | static const unsigned char _sanctum_dev_secret_key[] = { 6 | 0x40, 0xa0, 0x99, 0x47, 0x8c, 0xce, 0xfa, 0x3a, 0x06, 0x63, 0xab, 0xc9, 7 | 0x5e, 0x7a, 0x1e, 0xc9, 0x54, 0xb4, 0xf5, 0xf6, 0x45, 0xba, 0xd8, 0x04, 8 | 0xdb, 0x13, 0xe7, 0xd7, 0x82, 0x6c, 0x70, 0x73, 0x57, 0x6a, 0x9a, 0xb6, 9 | 0x21, 0x60, 0xd9, 0xd1, 0xc6, 0xae, 0xdc, 0x29, 0x85, 0x2f, 0xb9, 0x60, 10 | 0xee, 0x51, 0x32, 0x83, 0x5a, 0x16, 0x89, 0xec, 0x06, 0xa8, 0x72, 0x34, 11 | 0x51, 0xaa, 0x0e, 0x4a 12 | }; 13 | 14 | static const size_t _sanctum_dev_secret_key_len = 64; 15 | 16 | static const unsigned char _sanctum_dev_public_key[] = { 17 | 0x0f, 0xaa, 0xd4, 0xff, 0x01, 0x17, 0x85, 0x83, 0xba, 0xa5, 0x88, 0x96, 18 | 0x6f, 0x7c, 0x1f, 0xf3, 0x25, 0x64, 0xdd, 0x17, 0xd7, 0xdc, 0x2b, 0x46, 19 | 0xcb, 0x50, 0xa8, 0x4a, 0x69, 0x27, 0x0b, 0x4c 20 | }; 21 | 22 | static const size_t _sanctum_dev_public_key_len = 32; -------------------------------------------------------------------------------- /scripts/ci/build-runtime.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | # Arguments: 5 | # 1. Runtime source directory 6 | # 2. Platform (i.e. generic, mpfs, etc) 7 | # 3. Bitness (i.e. 32, 64) 8 | # 4... 
variable number of args with USE flags 9 | 10 | if [[ "$#" -lt 3 ]]; then 11 | echo "usage: build-runtime.sh [src dir] [platform] [bits] [build args ...]" 12 | exit 1 13 | fi 14 | 15 | # Parse arguments 16 | KEYSTONE_RUNTIME="$1" ; shift 17 | KEYSTONE_PLATFORM="$1" ; shift 18 | KEYSTONE_BITS="$1" ; shift 19 | BUILD_UUID=$(uuid) 20 | 21 | # Create build directory 22 | mkdir -p "build-runtime-$BUILD_UUID" 23 | cd "build-runtime-$BUILD_UUID" || exit 1 24 | 25 | # Configure cmake 26 | BUILDDIR="$KEYSTONE_RUNTIME/../build-$KEYSTONE_PLATFORM$KEYSTONE_BITS/buildroot.build" 27 | export PATH="$BUILDDIR/host/bin:$PATH" 28 | 29 | cmake "$@" \ 30 | -DCMAKE_C_COMPILER="$(which riscv$KEYSTONE_BITS-buildroot-linux-gnu-gcc)" \ 31 | -DCMAKE_OBJCOPY="$(which riscv$KEYSTONE_BITS-buildroot-linux-gnu-objcopy)" \ 32 | -DKEYSTONE_SDK_DIR="$BUILDDIR/per-package/keystone-examples/host/usr/share/keystone/sdk" \ 33 | ../runtime 34 | 35 | # Build 36 | make -j$(( 2 * $(nproc) )) 37 | -------------------------------------------------------------------------------- /sm/plat/mpfs/crypto.h: -------------------------------------------------------------------------------- 1 | #ifndef __CRYPTO_H__ 2 | #define __CRYPTO_H__ 3 | 4 | // Include relevant libecc headers 5 | 6 | #include 7 | 8 | typedef sha512_context hash_ctx; 9 | typedef unsigned char byte; 10 | 11 | #define MDSIZE 64 12 | #define SIGNATURE_SIZE 64 13 | #define PRIVATE_KEY_SIZE 64 // includes public key 14 | #define PUBLIC_KEY_SIZE 32 15 | 16 | extern byte sm_hash[MDSIZE]; 17 | extern byte sm_signature[SIGNATURE_SIZE]; 18 | extern byte sm_public_key[PUBLIC_KEY_SIZE]; 19 | extern byte sm_private_key[PRIVATE_KEY_SIZE]; 20 | 21 | void hash_init(hash_ctx* hash_ctx); 22 | void hash_extend(hash_ctx* hash_ctx, const void* ptr, size_t len); 23 | void hash_extend_page(hash_ctx* hash_ctx, const void* ptr); 24 | void hash_finalize(void* md, hash_ctx* hash_ctx); 25 | 26 | void sign(void* sign, const void* data, size_t len, const byte* public_key, 
const byte* private_key); 27 | int kdf(const unsigned char* salt, size_t salt_len, 28 | const unsigned char* ikm, size_t ikm_len, 29 | const unsigned char* info, size_t info_len, 30 | unsigned char* okm, size_t okm_len); 31 | 32 | #endif /* __CRYPTO_H__ */ 33 | -------------------------------------------------------------------------------- /scripts/ci/plat/mpfs/flash-os.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | # Source global test configuration file 5 | . scripts/ci/test-setup.sh 6 | 7 | ########### 8 | ## Flash ## 9 | ########### 10 | set -x 11 | 12 | # Wait for the board to come up a bit. We'll hammer it with serial 13 | # input to ensure that we halt the boot at HSS 14 | 15 | TTYDEV=$(find_tty 0) 16 | configure_tty "$TTYDEV" 115200 17 | 18 | power_on 19 | NOW=$(date +%s) 20 | 21 | # Disable output when actually hammering cause this is spammy 22 | set +x 23 | while [[ $(( $(date +%s) - $NOW )) -lt 10 ]]; do echo 'a' > "$TTYDEV" ; done 24 | set -x 25 | 26 | # Board should have halted, kick it into flash update mode 27 | 28 | echo "" > "$TTYDEV" 29 | echo "usbdmsc" > "$TTYDEV" 30 | 31 | # Wait a bit for the USB to connect then flash 32 | sleep 10 33 | FOUND_DEVICE="" 34 | for d in /dev/sd? ; do 35 | if [[ ! -z $(udevadm info --query=all -n "$d" | grep -i polarfire) ]]; then 36 | FOUND_DEVICE="yes" 37 | dd if="build-mpfs64/buildroot.build/images/sdcard.img" of="$d" bs=4M oflag=direct 38 | break 39 | fi 40 | done 41 | 42 | power_off 43 | [[ ! 
-z "$FOUND_DEVICE" ]] 44 | 45 | exit 0 46 | -------------------------------------------------------------------------------- /runtime/mm/vm.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "mm/vm.h" 4 | 5 | uintptr_t runtime_va_start; 6 | 7 | /* root page table */ 8 | pte* root_page_table; 9 | 10 | #ifdef LOADER_BIN 11 | 12 | /* no-ops */ 13 | 14 | uintptr_t kernel_va_to_pa(void* ptr) 15 | { 16 | return (uintptr_t) ptr; 17 | } 18 | 19 | uintptr_t __va(uintptr_t pa) 20 | { 21 | return pa; 22 | } 23 | 24 | uintptr_t __pa(uintptr_t va) 25 | { 26 | return va; 27 | } 28 | 29 | #else // !LOADER_BIN 30 | 31 | uintptr_t kernel_va_to_pa(void* ptr) 32 | { 33 | return (uintptr_t) ptr - kernel_offset; 34 | } 35 | 36 | uintptr_t __va(uintptr_t pa) 37 | { 38 | return (pa - load_pa_start) + EYRIE_LOAD_START; 39 | } 40 | 41 | uintptr_t __pa(uintptr_t va) 42 | { 43 | return (va - EYRIE_LOAD_START) + load_pa_start; 44 | } 45 | 46 | /* Program break */ 47 | uintptr_t program_break; 48 | 49 | /* freemem */ 50 | uintptr_t freemem_va_start; 51 | size_t freemem_size; 52 | 53 | /* shared buffer */ 54 | uintptr_t shared_buffer; 55 | uintptr_t shared_buffer_size; 56 | 57 | uintptr_t kernel_offset; 58 | uintptr_t load_pa_start; 59 | 60 | #endif // LOADER_BIN 61 | 62 | 63 | -------------------------------------------------------------------------------- /scripts/ci/plat/mpfs/test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | # Source global test configuration file 5 | . 
scripts/ci/test-setup.sh 6 | 7 | if [[ -z "$CMD_LOGFILE" ]]; then 8 | echo "CMD_LOGFILE undefined" 9 | exit 1 10 | fi 11 | 12 | get_platform_var BOARD_IP 13 | 14 | ############### 15 | ## Run tests ## 16 | ############### 17 | set -x 18 | 19 | # Fix permissions on the key 20 | chmod 600 build-mpfs64/buildroot.build/target/root/.ssh/id-rsa 21 | 22 | # Start the board 23 | export KEYSTONE_PLATFORM=mpfs 24 | export KEYSTONE_BITS=64 25 | export KEYSTONE_IP="$BOARD_IP" 26 | 27 | TTYDEV=$(find_tty 1) 28 | start_record_tty "$TTYDEV" 115200 "$LOGFILE" mpfs-tty 29 | power_on 30 | 31 | # TODO: check for connectivity instead of sleeping 32 | sleep 60 33 | 34 | export CALL_LOGFILE="$CMD_LOGFILE" 35 | touch "$CALL_LOGFILE" 36 | 37 | KEYSTONE_COMMAND="modprobe keystone-driver" make call 38 | KEYSTONE_COMMAND="/usr/share/keystone/examples/tests.ke" make call 39 | # TODO: attestation does not yet work in mpfs 40 | #KEYSTONE_COMMAND="/usr/share/keystone/examples/attestor.ke" make call 41 | 42 | power_off 43 | stop_record_tty mpfs-tty 44 | exit 0 45 | -------------------------------------------------------------------------------- /sdk/include/common/sha3.h: -------------------------------------------------------------------------------- 1 | // sha3.h 2 | // 19-Nov-11 Markku-Juhani O. Saarinen 3 | #ifndef __SHA3_H_ 4 | #define __SHA3_H_ 5 | 6 | #include 7 | #include 8 | 9 | #ifndef KECCAKF_ROUNDS 10 | #define KECCAKF_ROUNDS 24 11 | #endif 12 | 13 | #ifndef ROTL64 14 | #define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y)))) 15 | #endif 16 | 17 | #define MDSIZE 64 18 | 19 | // state context 20 | typedef struct { 21 | union { // state: 22 | uint8_t b[200]; // 8-bit bytes 23 | uint64_t q[25]; // 64-bit words 24 | } st; 25 | int pt, rsiz, mdlen; // these don't overflow 26 | } sha3_ctx_t; 27 | 28 | // Compression function. 
29 | void 30 | sha3_keccakf(uint64_t st[25]); 31 | 32 | // OpenSSL - like interfece 33 | int 34 | sha3_init(sha3_ctx_t* c, int mdlen); // mdlen = hash output in bytes 35 | int 36 | sha3_update(sha3_ctx_t* c, const void* data, size_t len); 37 | int 38 | sha3_final(void* md, sha3_ctx_t* c); // digest goes to md 39 | 40 | // compute a sha3 hash (md) of given byte length from "in" 41 | void* 42 | sha3(const void* in, size_t inlen, void* md, int mdlen); 43 | 44 | #endif /* __SHA3_H_ */ 45 | -------------------------------------------------------------------------------- /examples/hello/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | set(eapp_bin hello) 2 | set(eapp_src eapp/hello.c) 3 | set(host_bin hello-runner) 4 | set(host_src host/host.cpp) 5 | set(package_name "hello.ke") 6 | set(package_script "./hello-runner hello eyrie-rt loader.bin") 7 | set(eyrie_plugins "io_syscall linux_syscall env_setup") 8 | 9 | # eapp 10 | 11 | add_executable(${eapp_bin} ${eapp_src}) 12 | target_link_libraries(${eapp_bin} "-static") 13 | 14 | # host 15 | 16 | add_executable(${host_bin} ${host_src}) 17 | target_link_libraries(${host_bin} ${KEYSTONE_LIB_HOST} ${KEYSTONE_LIB_EDGE}) 18 | 19 | # add target for Eyrie runtime (see keystone.cmake) 20 | 21 | set(eyrie_files_to_copy .options_log eyrie-rt loader.bin) 22 | add_eyrie_runtime(${eapp_bin}-eyrie 23 | ${eyrie_plugins} 24 | ${eyrie_files_to_copy}) 25 | 26 | # add target for packaging (see keystone.cmake) 27 | 28 | add_keystone_package(${eapp_bin}-package 29 | ${package_name} 30 | ${package_script} 31 | ${eyrie_files_to_copy} ${eapp_bin} ${host_bin}) 32 | 33 | add_dependencies(${eapp_bin}-package ${eapp_bin}-eyrie) 34 | 35 | # add package to the top-level target 36 | add_dependencies(examples ${eapp_bin}-package) 37 | -------------------------------------------------------------------------------- /scripts/ci/plat/generic/test.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | if [[ -z "$CMD_LOGFILE" ]]; then 5 | echo "CMD_LOGFILE undefined" 6 | exit 1 7 | fi 8 | 9 | if [[ -z "$KEYSTONE_BITS" ]]; then 10 | echo "KEYSTONE_BITS undefined" 11 | exit 1 12 | fi 13 | 14 | ############### 15 | ## Run tests ## 16 | ############### 17 | set -x 18 | 19 | # Fix permissions on the key 20 | chmod 600 "build-generic$KEYSTONE_BITS/buildroot.build/target/root/.ssh/id-rsa" 21 | 22 | # Launch QEMU 23 | export KEYSTONE_PLATFORM="generic" 24 | export QEMU_PORT=$(( RANDOM + 1024 )) 25 | export LD_LIBRARY_PATH="build-generic$KEYSTONE_BITS/buildroot.build/host/lib" 26 | screen -L -dmS qemu bash -c "make run 2>&1 | tee $LOGFILE" 27 | 28 | # TODO: check for connectivity instead of sleeping 29 | sleep 60 30 | 31 | export CALL_LOGFILE="$CMD_LOGFILE" 32 | echo "" > "$CALL_LOGFILE" 33 | 34 | KEYSTONE_COMMAND="modprobe keystone-driver" make call 35 | KEYSTONE_COMMAND="/usr/share/keystone/examples/tests.ke" make call 36 | KEYSTONE_COMMAND="/usr/share/keystone/examples/attestor.ke" make call 37 | KEYSTONE_COMMAND="poweroff" make call 38 | 39 | screen -S qemu -X quit 40 | exit 0 41 | -------------------------------------------------------------------------------- /bootrom/ed25519/fe.h: -------------------------------------------------------------------------------- 1 | #ifndef FE_H 2 | #define FE_H 3 | 4 | #include "fixedint.h" 5 | 6 | 7 | /* 8 | fe means field element. 9 | Here the field is \Z/(2^255-19). 10 | An element t, entries t[0]...t[9], represents the integer 11 | t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. 12 | Bounds on each t[i] vary depending on context. 
13 | */ 14 | 15 | 16 | typedef int32_t fe[10]; 17 | 18 | 19 | void fe_0(fe h); 20 | void fe_1(fe h); 21 | 22 | void fe_frombytes(fe h, const unsigned char *s); 23 | void fe_tobytes(unsigned char *s, const fe h); 24 | 25 | void fe_copy(fe h, const fe f); 26 | int fe_isnegative(const fe f); 27 | int fe_isnonzero(const fe f); 28 | void fe_cmov(fe f, const fe g, unsigned int b); 29 | void fe_cswap(fe f, fe g, unsigned int b); 30 | 31 | void fe_neg(fe h, const fe f); 32 | void fe_add(fe h, const fe f, const fe g); 33 | void fe_invert(fe out, const fe z); 34 | void fe_sq(fe h, const fe f); 35 | void fe_sq2(fe h, const fe f); 36 | void fe_mul(fe h, const fe f, const fe g); 37 | void fe_mul121666(fe h, fe f); 38 | void fe_pow22523(fe out, const fe z); 39 | void fe_sub(fe h, const fe f, const fe g); 40 | 41 | #endif 42 | -------------------------------------------------------------------------------- /runtime/test/string.c: -------------------------------------------------------------------------------- 1 | #include "../util/string.c" 2 | 3 | #include "mock.h" 4 | 5 | static void 6 | test_unaligned_memcpy(void** ctx) { 7 | char src[32]; 8 | char dst[32] = {}; 9 | char acc = 1; 10 | // populate acc 11 | for (int i = 0; i < 32; i++) { 12 | acc *= 251; 13 | src[i] = acc; 14 | } 15 | // do the memcpy 16 | memcpy(dst + 1, src + 3, 29); 17 | // check 18 | assert_int_equal(dst[0], 0); 19 | assert_int_equal(dst[30], 0); 20 | assert_int_equal(dst[31], 0); 21 | for (int i = 0; i < 29; i++) { 22 | assert_int_equal(dst[i + 1], src[i + 3]); 23 | } 24 | } 25 | 26 | static void 27 | test_unaligned_memset(void** ctx) { 28 | char dst[32] = {}; 29 | memset(dst + 1, 'A', 29); 30 | assert_int_equal(dst[0], 0); 31 | assert_int_equal(dst[30], 0); 32 | assert_int_equal(dst[31], 0); 33 | for (int i = 0; i < 29; i++) { 34 | assert_int_equal(dst[i + 1], 'A'); 35 | } 36 | } 37 | 38 | int 39 | main() { 40 | const struct CMUnitTest tests[] = { 41 | cmocka_unit_test(test_unaligned_memcpy), 42 | 
cmocka_unit_test(test_unaligned_memset), 43 | }; 44 | return cmocka_run_group_tests(tests, NULL, NULL); 45 | } 46 | -------------------------------------------------------------------------------- /sm/src/ed25519/fe.h: -------------------------------------------------------------------------------- 1 | #ifndef FE_H 2 | #define FE_H 3 | 4 | #include "fixedint.h" 5 | 6 | 7 | /* 8 | fe means field element. 9 | Here the field is \Z/(2^255-19). 10 | An element t, entries t[0]...t[9], represents the integer 11 | t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. 12 | Bounds on each t[i] vary depending on context. 13 | */ 14 | 15 | 16 | typedef int32_t fe[10]; 17 | 18 | 19 | void fe_0(fe h); 20 | void fe_1(fe h); 21 | 22 | void fe_frombytes(fe h, const unsigned char *s); 23 | void fe_tobytes(unsigned char *s, const fe h); 24 | 25 | void fe_copy(fe h, const fe f); 26 | int fe_isnegative(const fe f); 27 | int fe_isnonzero(const fe f); 28 | void fe_cmov(fe f, const fe g, unsigned int b); 29 | void fe_cswap(fe f, fe g, unsigned int b); 30 | 31 | void fe_neg(fe h, const fe f); 32 | void fe_add(fe h, const fe f, const fe g); 33 | void fe_invert(fe out, const fe z); 34 | void fe_sq(fe h, const fe f); 35 | void fe_sq2(fe h, const fe f); 36 | void fe_mul(fe h, const fe f, const fe g); 37 | void fe_mul121666(fe h, fe f); 38 | void fe_pow22523(fe out, const fe z); 39 | void fe_sub(fe h, const fe f, const fe g); 40 | 41 | #endif 42 | -------------------------------------------------------------------------------- /examples/tests/untrusted/untrusted.c: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
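4 | //------------------------------------------------------------------------------ 5 | #include "app/eapp_utils.h" 6 | #include "app/string.h" 7 | #include "app/syscall.h" 8 | #include "app/malloc.h" 9 | #include "edge_wrapper.h" 10 | 11 | void EAPP_ENTRY eapp_entry(){ // Enclave entry: prints two strings through ocalls, fetches a string via ocall_get_string and reports how many 'l' bytes it holds. 12 | 13 | char* msg = "hello world!\n"; 14 | char* msg2 = "2nd hello world!\n"; 15 | 16 | edge_init(); 17 | 18 | unsigned long ret = ocall_print_buffer(msg, 13); 19 | ocall_print_buffer(msg2, 17); 20 | 21 | ocall_print_value(ret); 22 | 23 | struct edge_data pkgstr; 24 | ocall_get_string(&pkgstr); // NOTE(review): pkgstr.offset and pkgstr.size presumably originate from the untrusted host; confirm they are validated before use 25 | 26 | void* host_str = malloc(pkgstr.size); // NOTE(review): the result is not checked for NULL before the copy_from_shared call that follows 27 | copy_from_shared(host_str, pkgstr.offset, pkgstr.size); 28 | 29 | int i; 30 | int ct = 0; // count of 'l' bytes; must start at zero before the loop increments it 31 | for(i = 0; i < pkgstr.size; i++){ 32 | if( ((char*)host_str)[i] == 'l' ){ 33 | ct++; 34 | } 35 | } 36 | 37 | ocall_print_value(ct); 38 | 39 | EAPP_RETURN(ret); 40 | } 41 | -------------------------------------------------------------------------------- /scripts/ci/plat/hifive_unmatched/test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | # Source global test configuration file 5 | .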
scripts/ci/test-setup.sh 6 | 7 | if [[ -z "$CMD_LOGFILE" ]]; then 8 | echo "CMD_LOGFILE undefined" 9 | exit 1 10 | fi 11 | 12 | get_platform_var BOARD_IP 13 | 14 | ############### 15 | ## Run tests ## 16 | ############### 17 | set -x 18 | 19 | # Fix permissions on the key 20 | chmod 600 "build-hifive_unmatched64/buildroot.build/target/root/.ssh/id-rsa" 21 | 22 | # Start the board 23 | export KEYSTONE_PLATFORM="hifive_unmatched" 24 | export KEYSTONE_IP="$BOARD_IP" 25 | 26 | TTYDEV=$(find_tty 1) 27 | start_record_tty "$TTYDEV" 115200 "$LOGFILE" hfu-tty 28 | power_on_btn 29 | 30 | # TODO: check for connectivity instead of sleeping 31 | sleep 60 32 | 33 | export CALL_LOGFILE="$CMD_LOGFILE" 34 | touch "$CALL_LOGFILE" 35 | 36 | KEYSTONE_COMMAND="modprobe keystone-driver" make call 37 | KEYSTONE_COMMAND="/usr/share/keystone/examples/tests.ke" make call 38 | # TODO: attestation does not yet work in unmatched 39 | #KEYSTONE_COMMAND="/usr/share/keystone/examples/attestor.ke" make call 40 | 41 | power_off_btn 42 | stop_record_tty hfu-tty 43 | exit 0 44 | -------------------------------------------------------------------------------- /bootrom/sha3/sha3.h: -------------------------------------------------------------------------------- 1 | // sha3.h 2 | // 19-Nov-11 Markku-Juhani O. Saarinen 3 | 4 | #ifndef SHA3_H 5 | #define SHA3_H 6 | 7 | #include 8 | #include 9 | 10 | #ifndef KECCAKF_ROUNDS 11 | #define KECCAKF_ROUNDS 24 12 | #endif 13 | 14 | #ifndef ROTL64 15 | #define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y)))) 16 | #endif 17 | 18 | // state context 19 | typedef struct { 20 | union { // state: 21 | uint8_t b[200]; // 8-bit bytes 22 | uint64_t q[25]; // 64-bit words 23 | } st; 24 | int pt, rsiz, mdlen; // these don't overflow 25 | } sha3_ctx_t; 26 | 27 | // Compression function. 
28 | void sha3_keccakf(uint64_t st[25]); 29 | 30 | // OpenSSL - like interfece 31 | int sha3_init(sha3_ctx_t *c, int mdlen); // mdlen = hash output in bytes 32 | int sha3_update(sha3_ctx_t *c, const void *data, size_t len); 33 | int sha3_final(void *md, sha3_ctx_t *c); // digest goes to md 34 | 35 | // compute a sha3 hash (md) of given byte length from "in" 36 | void *sha3(const void *in, size_t inlen, void *md, int mdlen); 37 | 38 | #endif 39 | 40 | -------------------------------------------------------------------------------- /overlays/keystone/configs/riscv64_firesim_defconfig: -------------------------------------------------------------------------------- 1 | BR2_riscv=y 2 | BR2_TOOLCHAIN_BUILDROOT_GLIBC=y 3 | BR2_TOOLCHAIN_BUILDROOT_CXX=y 4 | BR2_PACKAGE_HOST_GDB=y 5 | BR2_PACKAGE_HOST_GDB_TUI=y 6 | BR2_PACKAGE_HOST_GDB_PYTHON3=y 7 | BR2_CCACHE=y 8 | BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_KEYSTONE_PATH)/patches" 9 | BR2_PER_PACKAGE_DIRECTORIES=y 10 | BR2_SSP_NONE=y 11 | BR2_ROOTFS_DEVICE_CREATION_STATIC=y 12 | BR2_TARGET_GENERIC_ROOT_PASSWD="sifive" 13 | BR2_SYSTEM_BIN_SH_BASH=y 14 | BR2_SYSTEM_DHCP="eth0" 15 | BR2_ROOTFS_OVERLAY="/invalid" 16 | BR2_LINUX_KERNEL=y 17 | BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y 18 | BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_KEYSTONE_PATH)/configs/linux64-defconfig" 19 | BR2_PACKAGE_BUSYBOX_SHOW_OTHERS=y 20 | BR2_PACKAGE_DROPBEAR=y 21 | BR2_TARGET_ROOTFS_EXT2=y 22 | BR2_TARGET_ROOTFS_INITRAMFS=y 23 | BR2_PACKAGE_KEYSTONE_SM=y 24 | BR2_PACKAGE_KEYSTONE_DRIVER=y 25 | BR2_PACKAGE_HOST_KEYSTONE_SDK=y 26 | BR2_PACKAGE_KEYSTONE_RUNTIME=y 27 | BR2_PACKAGE_KEYSTONE_EXAMPLES=y 28 | BR2_TARGET_OPENSBI_CUSTOM_VERSION=y 29 | BR2_TARGET_OPENSBI_CUSTOM_VERSION_VALUE="1.1" 30 | BR2_TARGET_OPENSBI_PLAT="generic" 31 | # BR2_TARGET_OPENSBI_INSTALL_DYNAMIC_IMG is not set 32 | -------------------------------------------------------------------------------- /scripts/ci/plat/hifive_unmatched/flash-os.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | # Source global test configuration file 5 | . scripts/ci/test-setup.sh 6 | 7 | OS_FILENAME="build-hifive_unmatched64/buildroot.build/images/sdcard.img" 8 | get_platform_var HOST_IP 9 | get_platform_var BOARD_IP 10 | 11 | ########### 12 | ## Flash ## 13 | ########### 14 | set -x 15 | 16 | TTYDEV=$(find_tty 1) 17 | touch "$LOGFILE" 18 | start_record_tty "$TTYDEV" 115200 "$LOGFILE" hfu-tty 19 | 20 | power_on_btn 21 | wait_for "Hit any key to stop autoboot" 22 | echo 'a' > "$TTYDEV" 23 | 24 | rm -rf "$TFTP_DIR/sdcard.img" 25 | cp "$OS_FILENAME" "$TFTP_DIR/sdcard.img" 26 | 27 | # Configure TFTP 28 | echo "setenv serverip $HOST_IP" > "$TTYDEV" ; sleep 1 29 | echo "setenv ipaddr $BOARD_IP" > "$TTYDEV" ; sleep 1 30 | 31 | echo "tftp sdcard.img" > "$TTYDEV" 32 | wait_for "=>" 33 | echo "mmc write 80210000 0 100000" > "$TTYDEV" 34 | wait_for "=>" 35 | 36 | stop_record_tty hfu-tty 37 | power_off_btn 38 | 39 | # For some reason, the UART for this board does not like 40 | # being closed and then opened again quickly. This leads to 41 | # test failures later on, so we delay a bit extra. 42 | sleep 5 43 | exit 0 44 | -------------------------------------------------------------------------------- /sdk/include/verifier/test_dev_key.h: -------------------------------------------------------------------------------- 1 | #ifndef _TEST_DEV_KEY_H_ 2 | #define _TEST_DEV_KEY_H_ 3 | 4 | /* These are known device TESTING keys, use them for testing on platforms/qemu 5 | */ 6 | 7 | #warning Using TEST device root key. No integrity guarantee. 
8 | static const unsigned char _sanctum_dev_secret_key[] = { 9 | 0x40, 0xa0, 0x99, 0x47, 0x8c, 0xce, 0xfa, 0x3a, 0x06, 0x63, 0xab, 10 | 0xc9, 0x5e, 0x7a, 0x1e, 0xc9, 0x54, 0xb4, 0xf5, 0xf6, 0x45, 0xba, 11 | 0xd8, 0x04, 0xdb, 0x13, 0xe7, 0xd7, 0x82, 0x6c, 0x70, 0x73, 0x57, 12 | 0x6a, 0x9a, 0xb6, 0x21, 0x60, 0xd9, 0xd1, 0xc6, 0xae, 0xdc, 0x29, 13 | 0x85, 0x2f, 0xb9, 0x60, 0xee, 0x51, 0x32, 0x83, 0x5a, 0x16, 0x89, 14 | 0xec, 0x06, 0xa8, 0x72, 0x34, 0x51, 0xaa, 0x0e, 0x4a}; 15 | static const size_t _sanctum_dev_secret_key_len = 64; 16 | 17 | static const unsigned char _sanctum_dev_public_key[] = { 18 | 0x0f, 0xaa, 0xd4, 0xff, 0x01, 0x17, 0x85, 0x83, 0xba, 0xa5, 0x88, 19 | 0x96, 0x6f, 0x7c, 0x1f, 0xf3, 0x25, 0x64, 0xdd, 0x17, 0xd7, 0xdc, 20 | 0x2b, 0x46, 0xcb, 0x50, 0xa8, 0x4a, 0x69, 0x27, 0x0b, 0x4c}; 21 | static const size_t _sanctum_dev_public_key_len = 32; 22 | 23 | #endif /* _TEST_DEV_KEY_H_ */ 24 | -------------------------------------------------------------------------------- /overlays/keystone/configs/riscv64_sifive_defconfig: -------------------------------------------------------------------------------- 1 | BR2_riscv=y 2 | BR2_TOOLCHAIN_BUILDROOT_GLIBC=y 3 | BR2_TOOLCHAIN_BUILDROOT_CXX=y 4 | BR2_PACKAGE_HOST_GDB=y 5 | BR2_PACKAGE_HOST_GDB_TUI=y 6 | BR2_PACKAGE_HOST_GDB_PYTHON3=y 7 | BR2_CCACHE=y 8 | BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_KEYSTONE_PATH)/patches" 9 | BR2_PER_PACKAGE_DIRECTORIES=y 10 | BR2_SSP_NONE=y 11 | BR2_ROOTFS_DEVICE_CREATION_STATIC=y 12 | BR2_TARGET_GENERIC_ROOT_PASSWD="sifive" 13 | BR2_SYSTEM_BIN_SH_BASH=y 14 | BR2_SYSTEM_DHCP="eth0" 15 | BR2_ROOTFS_OVERLAY="/invalid" 16 | BR2_LINUX_KERNEL=y 17 | BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y 18 | BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_KEYSTONE_PATH)/configs/linux64-sifive-defconfig" 19 | BR2_PACKAGE_BUSYBOX_SHOW_OTHERS=y 20 | BR2_PACKAGE_DROPBEAR=y 21 | BR2_TARGET_ROOTFS_EXT2=y 22 | BR2_TARGET_ROOTFS_INITRAMFS=y 23 | BR2_PACKAGE_KEYSTONE_SM=y 24 | BR2_PACKAGE_KEYSTONE_DRIVER=y 25 | 
BR2_PACKAGE_HOST_KEYSTONE_SDK=y 26 | BR2_PACKAGE_KEYSTONE_RUNTIME=y 27 | BR2_PACKAGE_KEYSTONE_EXAMPLES=y 28 | BR2_TARGET_OPENSBI_CUSTOM_VERSION=y 29 | BR2_TARGET_OPENSBI_CUSTOM_VERSION_VALUE="1.1" 30 | BR2_TARGET_OPENSBI_PLAT="sifive" 31 | # BR2_TARGET_OPENSBI_INSTALL_DYNAMIC_IMG is not set 32 | -------------------------------------------------------------------------------- /docker/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:20.04 2 | ARG CHECKOUT=master 3 | RUN apt update 4 | 5 | RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata 6 | 7 | RUN apt -y install autoconf automake autotools-dev bc \ 8 | bison build-essential curl expat libexpat1-dev flex gawk gcc git \ 9 | gperf libgmp-dev libmpc-dev libmpfr-dev libtool texinfo tmux \ 10 | patchutils zlib1g-dev wget bzip2 patch vim-common lbzip2 python \ 11 | pkg-config libglib2.0-dev libpixman-1-dev libssl-dev screen \ 12 | device-tree-compiler expect makeself unzip cpio rsync cmake ninja-build p7zip-full 13 | 14 | RUN apt-get update && apt-get install --reinstall ca-certificates 15 | RUN git clone https://github.com/keystone-enclave/keystone /keystone 16 | RUN cd /keystone && \ 17 | git checkout $CHECKOUT && \ 18 | rmdir linux qemu buildroot && \ 19 | ./fast-setup.sh && \ 20 | . ./source.sh && \ 21 | rm -rf firesim-riscv-tools-prebuilt-* && \ 22 | rm -f 2.0.tar.gz && \ 23 | rm -f build && \ 24 | mkdir build && \ 25 | cd build && \ 26 | cmake .. && \ 27 | make -j$(nproc) 28 | 29 | ENTRYPOINT cd /keystone && . ./source.sh && cd /keystone/build && make run-tests 30 | -------------------------------------------------------------------------------- /sdk/src/host/Log.cpp: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2020, The Regents of the University of California (Regents). 3 | // All Rights Reserved. 
See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #include "Log.hpp" 6 | 7 | namespace Keystone { 8 | 9 | /* Close and free the ofstream if applicable. */ 10 | static void 11 | DestroyIfFile(std::ostream* os) { 12 | if (os != &std::cout && os != &std::cerr) { 13 | dynamic_cast(os)->close(); 14 | delete os; 15 | } 16 | } 17 | 18 | Logger::~Logger() { 19 | ForceWrite_(); 20 | DestroyIfFile(os_); 21 | } 22 | 23 | bool 24 | Logger::ResetOutputStream_(std::ostream* replacement) { 25 | if (!replacement) { 26 | return false; 27 | } 28 | 29 | if (replacement->fail()) { 30 | DestroyIfFile(replacement); 31 | return false; 32 | } 33 | 34 | ForceWrite_(); 35 | DestroyIfFile(os_); 36 | os_ = replacement; 37 | return true; 38 | } 39 | 40 | Logger LogDebug{false}; 41 | Logger LogInfo{}; 42 | Logger LogWarn{}; 43 | Logger LogError{}; 44 | 45 | } // namespace Keystone 46 | -------------------------------------------------------------------------------- /sm/plat/mpfs/crypto_interpose.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include "page.h" 4 | 5 | #include 6 | 7 | #include 8 | 9 | void hash_init(hash_ctx* ctx) { 10 | // sha512_init(ctx); 11 | } 12 | 13 | void hash_extend(hash_ctx* ctx, const void* ptr, size_t len) { 14 | // sha512_update(ctx, ptr, len); 15 | } 16 | 17 | void hash_extend_page(hash_ctx* ctx, const void* ptr) { 18 | // sha512_update(ctx, ptr, RISCV_PGSIZE); 19 | } 20 | 21 | void hash_finalize(void* md, hash_ctx* ctx) { 22 | // sha512_final(ctx, md); 23 | 24 | // For now, just set to 0 25 | sbi_memset(md, 0, MDSIZE); 26 | } 27 | 28 | void sign(void* sign, const void* data, size_t len, const byte* public_key, const byte* private_key) { 29 | // For now, just set to 0 30 | sbi_memset(sign, 0, SIGNATURE_SIZE); 31 | } 32 | 33 | int kdf(const unsigned char* salt, size_t salt_len, 34 | const unsigned char* ikm, size_t ikm_len, 35 | const 
unsigned char* info, size_t info_len, 36 | unsigned char* okm, size_t okm_len) { 37 | // For now, just set to 0 38 | sbi_memset(okm, 0, okm_len); 39 | return 0; 40 | } 41 | -------------------------------------------------------------------------------- /sm/src/platform/hifive/platform.c: -------------------------------------------------------------------------------- 1 | /* Default platform does nothing special here */ 2 | #include "../../enclave.h" 3 | 4 | unsigned long platform_init_global_once(){ 5 | return SBI_ERR_SM_ENCLAVE_SUCCESS; 6 | } 7 | 8 | unsigned long platform_init_global(){ 9 | return SBI_ERR_SM_ENCLAVE_SUCCESS; 10 | } 11 | 12 | void platform_init_enclave(struct enclave* enclave){ 13 | return; 14 | } 15 | 16 | void platform_destroy_enclave(struct enclave* enclave){ 17 | return; 18 | } 19 | 20 | unsigned long platform_create_enclave(struct enclave* enclave){ 21 | return SBI_ERR_SM_ENCLAVE_SUCCESS; 22 | } 23 | 24 | void platform_switch_to_enclave(struct enclave* enclave){ 25 | return; 26 | } 27 | 28 | void platform_switch_from_enclave(struct enclave* enclave){ 29 | return; 30 | } 31 | 32 | uint64_t platform_random(){ 33 | #pragma message("Platform has no entropy source, this is unsafe. TEST ONLY") 34 | static uint64_t w = 0, s = 0xb5ad4eceda1ce2a9; 35 | 36 | unsigned long cycles; 37 | asm volatile ("rdcycle %0" : "=r" (cycles)); 38 | 39 | // from Middle Square Weyl Sequence algorithm 40 | uint64_t x = cycles; 41 | x *= x; 42 | x += (w += s); 43 | return (x>>32) | (x<<32); 44 | } 45 | -------------------------------------------------------------------------------- /examples/attestation/eapp/attestor.c: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
4 | //------------------------------------------------------------------------------ 5 | #include "app/eapp_utils.h" 6 | #include "app/syscall.h" 7 | #include "edge/edge_common.h" 8 | 9 | #define OCALL_PRINT_BUFFER 1 10 | #define OCALL_PRINT_VALUE 2 11 | #define OCALL_COPY_REPORT 3 12 | #define OCALL_GET_STRING 4 13 | 14 | int 15 | main() { 16 | struct edge_data retdata; 17 | ocall(OCALL_GET_STRING, NULL, 0, &retdata, sizeof(struct edge_data)); 18 | 19 | for (unsigned long i = 1; i <= 10000; i++) { 20 | if (i % 5000 == 0) { 21 | ocall(OCALL_PRINT_VALUE, &i, sizeof(unsigned long), 0, 0); 22 | } 23 | } 24 | 25 | char nonce[2048]; 26 | if (retdata.size > 2048) retdata.size = 2048; 27 | copy_from_shared(nonce, retdata.offset, retdata.size); 28 | 29 | char buffer[2048]; 30 | attest_enclave((void*)buffer, nonce, retdata.size); 31 | 32 | ocall(OCALL_COPY_REPORT, buffer, 2048, 0, 0); 33 | 34 | EAPP_RETURN(0); 35 | } 36 | -------------------------------------------------------------------------------- /overlays/keystone/board/cva6/patches/linux/0003-Add-Xilinx-emaclite.patch: -------------------------------------------------------------------------------- 1 | From 7ddbbfe0c7969880e0ec9e9a846e1e0e1a48a27b Mon Sep 17 00:00:00 2001 2 | From: sahmad 3 | Date: Thu, 26 Oct 2023 18:09:03 +0800 4 | Subject: [PATCH 3/5] Add-Xilinx-emaclite 5 | 6 | --- 7 | drivers/net/ethernet/xilinx/Kconfig | 3 ++- 8 | 1 file changed, 2 insertions(+), 1 deletion(-) 9 | 10 | diff --git a/drivers/net/ethernet/xilinx/Kconfig b/drivers/net/ethernet/xilinx/Kconfig 11 | index 0014729b8865..04ad75640a6a 100644 12 | --- a/drivers/net/ethernet/xilinx/Kconfig 13 | +++ b/drivers/net/ethernet/xilinx/Kconfig 14 | @@ -6,6 +6,7 @@ 15 | config NET_VENDOR_XILINX 16 | bool "Xilinx devices" 17 | default y 18 | + depends on PPC || PPC32 || MICROBLAZE || ARCH_ZYNQ || MIPS || RISCV 19 | help 20 | If you have a network (Ethernet) card belonging to this class, say Y. 21 | 22 | 
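Review bot: The `depends on PPC || PPC32 || MICROBLAZE || ARCH_ZYNQ || MIPS || RISCV` line added to NET_VENDOR_XILINX in this hunk hides every driver in the vendor menu on architectures that are not listed, which is a wider effect than the subject line suggests, and `PPC32` adds nothing next to `PPC`. The second hunk has a related problem: `depends on HAS_IOMEM || RISCV` on XILINX_EMACLITE loosens the guard, so the memory-mapped driver becomes selectable on a RISC-V configuration without HAS_IOMEM. HAS_IOMEM should already be set on RISC-V (worth confirming against the target kernel config), in which case keeping `depends on HAS_IOMEM` unchanged and dropping the vendor-level line gives the same result for the CVA6 board. The commit message has no body, so one sentence on why the dependencies change would help whoever rebases this patch onto a newer kernel.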
@@ -18,7 +19,7 @@ if NET_VENDOR_XILINX 23 | 24 | config XILINX_EMACLITE 25 | tristate "Xilinx 10/100 Ethernet Lite support" 26 | - depends on HAS_IOMEM 27 | + depends on HAS_IOMEM || RISCV 28 | select PHYLIB 29 | help 30 | This driver supports the 10/100 Ethernet Lite from Xilinx. 31 | -- 32 | 2.34.1 33 | 34 | -------------------------------------------------------------------------------- /sm/src/plugins/multimem.c: -------------------------------------------------------------------------------- 1 | #include "plugins/multimem.h" 2 | #include "sm.h" 3 | #include 4 | #include "mprv.h" 5 | 6 | static uintptr_t multimem_get_other_region_size(enclave_id eid, size_t *size_out) 7 | { 8 | int mem_id = get_enclave_region_index(eid, REGION_OTHER); 9 | if (mem_id == -1) 10 | return -1; 11 | size_t out = get_enclave_region_size(eid, mem_id); 12 | return copy_word_from_sm((uintptr_t)size_out, &out); 13 | } 14 | 15 | static uintptr_t multimem_get_other_region_addr(enclave_id eid, size_t *size_out) 16 | { 17 | int mem_id = get_enclave_region_index(eid, REGION_OTHER); 18 | if (mem_id == -1) 19 | return -1; 20 | size_t out = get_enclave_region_base(eid, mem_id); 21 | return copy_word_from_sm((uintptr_t)size_out, &out); 22 | } 23 | 24 | uintptr_t do_sbi_multimem(enclave_id eid, uintptr_t call_id, uintptr_t arg0) 25 | { 26 | switch(call_id) 27 | { 28 | case MULTIMEM_GET_OTHER_REGION_SIZE: 29 | return multimem_get_other_region_size(eid, (size_t *)arg0); 30 | case MULTIMEM_GET_OTHER_REGION_ADDR: 31 | return multimem_get_other_region_addr(eid, (size_t *)arg0); 32 | default: 33 | return 0; 34 | } 35 | return 0; 36 | } 37 | -------------------------------------------------------------------------------- /runtime/sys/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | 2 | set(SYS_SOURCES entry.S boot.c env.c interrupt.c) 3 | add_executable(eyrie-build EXCLUDE_FROM_ALL ${SYS_SOURCES}) 4 | 5 | # The ordering of these libraries is important, 
make sure that any symbols which may be 6 | # required by one library are defined by the time that it is added to this list 7 | 8 | target_link_libraries(eyrie-build 9 | rt_call rt_mm rt_crypto rt_tmplib rt_util rt_loader 10 | gcc ${KEYSTONE_SDK_DIR}/lib/libkeystone-edge.a) 11 | target_link_options(eyrie-build PRIVATE -static -nostdlib -T $) 12 | add_dependencies(eyrie-build rt_linkscript) 13 | 14 | add_custom_target(eyrie-rt ALL 15 | DEPENDS options_log eyrie-build 16 | COMMAND ${CMAKE_OBJCOPY} -I binary 17 | --add-section .options_log=${CMAKE_BINARY_DIR}/.options_log 18 | --set-section-flags .options_log=noload,readonly 19 | ${CMAKE_CURRENT_BINARY_DIR}/eyrie-build) 20 | 21 | add_custom_command(TARGET eyrie-rt POST_BUILD 22 | COMMAND cp ${CMAKE_CURRENT_BINARY_DIR}/eyrie-build ${CMAKE_SOURCE_DIR}/eyrie-rt || true 23 | COMMAND cp ${CMAKE_BINARY_DIR}/.options_log ${CMAKE_SOURCE_DIR}/.options_log || true) 24 | -------------------------------------------------------------------------------- /sdk/tests/scripts/setup_binary.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e 3 | 4 | ################################################################ 5 | # Replace the variables # 6 | ################################################################ 7 | NAME=tests 8 | VAULT_DIR=$(cd `dirname $0` && pwd) 9 | BUILD_COMMAND=make 10 | OUTPUT_DIR=$(pwd) 11 | TEST_DIR=$CMAKE_SOURCE_DIR/test_binary/tests 12 | EYRIE_DIR=$CMAKE_BINARY_DIR/eyrie 13 | EYRIE_PLUGINS="freemem" 14 | 15 | # Download Eyrie Runtime 16 | if [ ! -d $EYRIE_DIR ] 17 | then 18 | git clone https://github.com/keystone-enclave/keystone-runtime $EYRIE_DIR 19 | fi 20 | cd $EYRIE_DIR; git checkout 73ce863; cd .. 
21 | 22 | ################################################################ 23 | # Build Enclave # 24 | ################################################################ 25 | # create a build directory 26 | OUTPUT_FILES_DIR=$OUTPUT_DIR 27 | mkdir -p $OUTPUT_FILES_DIR 28 | 29 | # build eyrie runtime 30 | $EYRIE_DIR/build.sh $EYRIE_PLUGINS 31 | 32 | make -C $TEST_DIR 33 | 34 | cp $TEST_DIR/stack/stack.eapp_riscv $OUTPUT_FILES_DIR 35 | cp $EYRIE_DIR/eyrie-rt $OUTPUT_FILES_DIR 36 | 37 | -------------------------------------------------------------------------------- /sm/plat/sifive/fu540/config.mk: -------------------------------------------------------------------------------- 1 | # 2 | # SPDX-License-Identifier: BSD-2-Clause 3 | # 4 | # Copyright (c) 2019 Western Digital Corporation or its affiliates. 5 | # 6 | # Authors: 7 | # Atish Patra 8 | # 9 | 10 | # Compiler flags 11 | platform-cppflags-y = 12 | platform-cflags-y = -I../src 13 | platform-asflags-y = 14 | platform-ldflags-y = 15 | 16 | # Command for platform specific "make run" 17 | platform-runcmd = qemu-system-riscv$(PLATFORM_RISCV_XLEN) -M sifive_u -m 256M \ 18 | -nographic -bios $(build_dir)/platform/sifive/fu540/firmware/fw_payload.elf 19 | 20 | # Blobs to build 21 | FW_TEXT_START=0x80000000 22 | FW_DYNAMIC=y 23 | FW_JUMP=y 24 | ifeq ($(PLATFORM_RISCV_XLEN), 32) 25 | # This needs to be 4MB aligned for 32-bit system 26 | FW_JUMP_ADDR=0x80400000 27 | else 28 | # This needs to be 2MB aligned for 64-bit system 29 | FW_JUMP_ADDR=0x80200000 30 | endif 31 | FW_JUMP_FDT_ADDR=0x88000000 32 | FW_PAYLOAD=y 33 | ifeq ($(PLATFORM_RISCV_XLEN), 32) 34 | # This needs to be 4MB aligned for 32-bit system 35 | FW_PAYLOAD_OFFSET=0x400000 36 | else 37 | # This needs to be 2MB aligned for 64-bit system 38 | FW_PAYLOAD_OFFSET=0x200000 39 | endif 40 | FW_PAYLOAD_FDT_ADDR=0x88000000 41 | -------------------------------------------------------------------------------- 
/overlays/keystone/board/cva6/patches/linux/0006-fix-netif_napi_add-to-many-argument.patch: -------------------------------------------------------------------------------- 1 | From 1e01634ef8a426f1c58cb1c6455a4a92516f24c0 Mon Sep 17 00:00:00 2001 2 | From: sahmad 3 | Date: Thu, 26 Oct 2023 18:33:21 +0800 4 | Subject: [PATCH 6/6] fix netif_napi_add to many argument 5 | 6 | --- 7 | drivers/net/ethernet/lowrisc/lowrisc_100MHz.c | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/drivers/net/ethernet/lowrisc/lowrisc_100MHz.c b/drivers/net/ethernet/lowrisc/lowrisc_100MHz.c 11 | index a047e5ec460a..4c0b82ff36be 100644 12 | --- a/drivers/net/ethernet/lowrisc/lowrisc_100MHz.c 13 | +++ b/drivers/net/ethernet/lowrisc/lowrisc_100MHz.c 14 | @@ -760,7 +760,7 @@ static int lowrisc_100MHz_probe(struct platform_device *ofdev) 15 | ndev->netdev_ops = &lowrisc_netdev_ops; 16 | ndev->flags &= ~IFF_MULTICAST; 17 | ndev->watchdog_timeo = TX_TIMEOUT; 18 | - netif_napi_add(ndev, &priv->napi, lowrisc_ether_poll, 64); 19 | + netif_napi_add(ndev, &priv->napi, lowrisc_ether_poll); 20 | 21 | printk("lowrisc-digilent-ethernet: Lowrisc ethernet platform (%llX-%llX) mapped to %lx\n", 22 | lowrisc_ethernet[0].start, 23 | -- 24 | 2.34.1 25 | 26 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/patches/linux/0003-Revert-riscv-dts-sifive-unmatched-Link-the-tmp451-wi.patch: -------------------------------------------------------------------------------- 1 | From 95f7b206d1ba7b52eb44139e74ade5440b6711c2 Mon Sep 17 00:00:00 2001 2 | From: Ruinland Tsai 3 | Date: Wed, 13 Apr 2022 17:47:41 +0800 4 | Subject: [PATCH 3/3] Revert "riscv: dts: sifive unmatched: Link the tmp451 5 | with its power supply" 6 | 7 | This reverts commit f6f7fbb89bf8dc9132fde55cfe67483138eea880. 8 | 9 | Upstream-Status: Pending 10 | 
Signed-off-by: Thomas Perrot 11 | --- 12 | arch/riscv/boot/dts/sifive/hifive-unmatched-a00.dts | 1 - 13 | 1 file changed, 1 deletion(-) 14 | 15 | diff --git a/arch/riscv/boot/dts/sifive/hifive-unmatched-a00.dts b/arch/riscv/boot/dts/sifive/hifive-unmatched-a00.dts 16 | index e4ad9c40abd3..eafede7e1edd 100644 17 | --- a/arch/riscv/boot/dts/sifive/hifive-unmatched-a00.dts 18 | +++ b/arch/riscv/boot/dts/sifive/hifive-unmatched-a00.dts 19 | 
@@ -141,7 +141,6 @@ &i2c0 { 20 | temperature-sensor@4c { 21 | compatible = "ti,tmp451"; 22 | reg = <0x4c>; 23 | - vcc-supply = <&vdd_bpro>; 24 | interrupt-parent = <&gpio>; 25 | interrupts = <6 IRQ_TYPE_LEVEL_LOW>; 26 | }; 27 | -- 28 | 2.39.1 29 | 30 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/src/uboot/keystone/ed25519/fe.h: -------------------------------------------------------------------------------- 1 | #ifndef FE_H 2 | #define FE_H 3 | 4 | #include "fixedint.h" 5 | 6 | 7 | /* 8 | fe means field element. 9 | Here the field is \Z/(2^255-19). 10 | An element t, entries t[0]...t[9], represents the integer 11 | t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. 12 | Bounds on each t[i] vary depending on context. 13 | */ 14 | 15 | 16 | typedef int32_t fe[10]; 17 | 18 | 19 | void fe_0(fe h); 20 | void fe_1(fe h); 21 | 22 | void fe_frombytes(fe h, const unsigned char *s); 23 | void fe_tobytes(unsigned char *s, const fe h); 24 | 25 | void fe_copy(fe h, const fe f); 26 | int fe_isnegative(const fe f); 27 | int fe_isnonzero(const fe f); 28 | void fe_cmov(fe f, const fe g, unsigned int b); 29 | void fe_cswap(fe f, fe g, unsigned int b); 30 | 31 | void fe_neg(fe h, const fe f); 32 | void fe_add(fe h, const fe f, const fe g); 33 | void fe_invert(fe out, const fe z); 34 | void fe_sq(fe h, const fe f); 35 | void fe_sq2(fe h, const fe f); 36 | void fe_mul(fe h, const fe f, const fe g); 37 | void fe_mul121666(fe h, fe f); 38 | void fe_pow22523(fe out, const fe z); 39 | void fe_sub(fe h, const fe f, const fe g); 40 | 41 | #endif 42 | -------------------------------------------------------------------------------- /sm/src/hmac_sha3/hmac_sha3.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2020 Fraunhofer AISEC 3 | * Authors: Benedikt Kopf 4 | * Lukas Auer 5 | * Mathias Morbitzer 6 | * 7 | * hmac_sha3.h 8 | * 9 | * All 
Rights Reserved. See LICENSE for license details. 10 | */ 11 | 12 | #ifndef HMAC_SHA3_H 13 | #define HMAC_SHA3_H 14 | 15 | #include "../sha3/sha3.h" 16 | 17 | // Internal block length of sha3_512 in bytes 18 | #define SHA3_512_BLOCK_LEN 72 19 | // Output hash length of sha3_512 in bytes 20 | #define SHA3_512_HASH_LEN 64 21 | 22 | typedef struct { 23 | sha3_ctx_t sha3_ctx; 24 | unsigned char key[SHA3_512_BLOCK_LEN]; 25 | } hmac_sha3_ctx_t; 26 | 27 | void hmac_sha3(const unsigned char *key, int key_len, 28 | const unsigned char *text, int text_len, unsigned char *hash); 29 | void hmac_sha3_init(hmac_sha3_ctx_t *ctx, 30 | const unsigned char *key, int key_len); 31 | void hmac_sha3_update(hmac_sha3_ctx_t *ctx, 32 | const unsigned char *text, int text_len); 33 | void hmac_sha3_final(hmac_sha3_ctx_t *ctx, unsigned char *hash); 34 | 35 | #endif /* HMAC_SHA3_H */ 36 | -------------------------------------------------------------------------------- /examples/tests/untrusted/edge_wrapper.c: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
4 | //------------------------------------------------------------------------------ 5 | #include "app/eapp_utils.h" 6 | #include "app/string.h" 7 | #include "app/syscall.h" 8 | #include "edge_wrapper.h" 9 | 10 | void edge_init(){ 11 | /* Nothing for now, will probably register buffers/callsites 12 | later */ 13 | } 14 | 15 | #define OCALL_PRINT_BUFFER 1 16 | #define OCALL_PRINT_VALUE 2 17 | #define OCALL_GET_STRING 4 18 | 19 | void ocall_print_value(unsigned long val){ 20 | 21 | unsigned long val_ = val; 22 | ocall(OCALL_PRINT_VALUE, &val_, sizeof(unsigned long), 0, 0); 23 | 24 | return; 25 | } 26 | 27 | unsigned long ocall_print_buffer(char* data, size_t data_len){ 28 | 29 | unsigned long retval; 30 | ocall(OCALL_PRINT_BUFFER, data, data_len, &retval ,sizeof(unsigned long)); 31 | 32 | return retval; 33 | } 34 | 35 | void ocall_get_string(struct edge_data* retdata){ 36 | ocall(OCALL_GET_STRING, NULL, 0, retdata, sizeof(struct edge_data)); 37 | return; 38 | } 39 | -------------------------------------------------------------------------------- /overlays/keystone/configs/riscv32_generic_defconfig: -------------------------------------------------------------------------------- 1 | BR2_riscv=y 2 | BR2_RISCV_32=y 3 | BR2_TOOLCHAIN_BUILDROOT_CXX=y 4 | BR2_PACKAGE_HOST_GDB=y 5 | BR2_PACKAGE_HOST_GDB_TUI=y 6 | BR2_PACKAGE_HOST_GDB_PYTHON3=y 7 | BR2_CCACHE=y 8 | BR2_CCACHE_INITIAL_SETUP="-M0 -F0" 9 | BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_KEYSTONE_PATH)/patches" 10 | BR2_PER_PACKAGE_DIRECTORIES=y 11 | BR2_SSP_NONE=y 12 | BR2_TARGET_GENERIC_ROOT_PASSWD="sifive" 13 | BR2_SYSTEM_BIN_SH_BASH=y 14 | BR2_SYSTEM_DHCP="eth0" 15 | BR2_ROOTFS_OVERLAY="/invalid" 16 | BR2_LINUX_KERNEL=y 17 | BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y 18 | BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_KEYSTONE_PATH)/configs/linux32-defconfig" 19 | BR2_PACKAGE_BUSYBOX_SHOW_OTHERS=y 20 | BR2_PACKAGE_DROPBEAR=y 21 | BR2_TARGET_ROOTFS_EXT2=y 22 | BR2_TARGET_OPENSBI=y 23 | BR2_TARGET_OPENSBI_CUSTOM_VERSION=y 
24 | BR2_TARGET_OPENSBI_CUSTOM_VERSION_VALUE="1.1" 25 | BR2_TARGET_OPENSBI_PLAT="generic" 26 | # BR2_TARGET_OPENSBI_INSTALL_DYNAMIC_IMG is not set 27 | BR2_PACKAGE_HOST_QEMU=y 28 | BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y 29 | BR2_TARGET_KEYSTONE_BOOTROM=y 30 | BR2_TARGET_KEYSTONE_SM=y 31 | BR2_PACKAGE_KEYSTONE_DRIVER=y 32 | BR2_PACKAGE_HOST_KEYSTONE_SDK=y 33 | BR2_PACKAGE_KEYSTONE_RUNTIME=y 34 | BR2_PACKAGE_KEYSTONE_EXAMPLES=y 35 | -------------------------------------------------------------------------------- /sdk/include/verifier/ed25519/fe.h: -------------------------------------------------------------------------------- 1 | #ifndef FE_H 2 | #define FE_H 3 | 4 | #include "fixedint.h" 5 | 6 | /* 7 | fe means field element. 8 | Here the field is \Z/(2^255-19). 9 | An element t, entries t[0]...t[9], represents the integer 10 | t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. 11 | Bounds on each t[i] vary depending on context. 12 | */ 13 | 14 | typedef int32_t fe[10]; 15 | 16 | void 17 | fe_0(fe h); 18 | void 19 | fe_1(fe h); 20 | 21 | void 22 | fe_frombytes(fe h, const unsigned char* s); 23 | void 24 | fe_tobytes(unsigned char* s, const fe h); 25 | 26 | void 27 | fe_copy(fe h, const fe f); 28 | int 29 | fe_isnegative(const fe f); 30 | int 31 | fe_isnonzero(const fe f); 32 | void 33 | fe_cmov(fe f, const fe g, unsigned int b); 34 | void 35 | fe_cswap(fe f, fe g, unsigned int b); 36 | 37 | void 38 | fe_neg(fe h, const fe f); 39 | void 40 | fe_add(fe h, const fe f, const fe g); 41 | void 42 | fe_invert(fe out, const fe z); 43 | void 44 | fe_sq(fe h, const fe f); 45 | void 46 | fe_sq2(fe h, const fe f); 47 | void 48 | fe_mul(fe h, const fe f, const fe g); 49 | void 50 | fe_mul121666(fe h, fe f); 51 | void 52 | fe_pow22523(fe out, const fe z); 53 | void 54 | fe_sub(fe h, const fe f, const fe g); 55 | 56 | #endif 57 | -------------------------------------------------------------------------------- /scripts/ci/plat/cva6/test.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | # Source global test configuration file 5 | . scripts/ci/test-setup.sh 6 | 7 | if [[ -z "$CMD_LOGFILE" ]]; then 8 | echo "CMD_LOGFILE undefined" 9 | exit 1 10 | fi 11 | 12 | if [[ -z "$KEYSTONE_BITS" ]]; then 13 | echo "KEYSTONE_BITS undefined" 14 | exit 1 15 | fi 16 | 17 | get_platform_var BOARD_IP 18 | 19 | ############### 20 | ## Run tests ## 21 | ############### 22 | set -x 23 | 24 | # Fix permissions on the key 25 | chmod 600 "build-cva6$KEYSTONE_BITS/buildroot.build/target/root/.ssh/id-rsa" 26 | 27 | # Start the board 28 | export KEYSTONE_PLATFORM=cva6 29 | export KEYSTONE_IP="$BOARD_IP" 30 | 31 | TTYDEV=$(find_tty 0) 32 | start_record_tty "$TTYDEV" 115200 "$LOGFILE" cva6-tty 33 | power_on 34 | 35 | # TODO: check for connectivity instead of sleeping 36 | sleep 300 37 | 38 | export CALL_LOGFILE="$CMD_LOGFILE" 39 | touch "$CALL_LOGFILE" 40 | 41 | KEYSTONE_COMMAND="modprobe keystone-driver" make call 42 | KEYSTONE_COMMAND="/usr/share/keystone/examples/tests.ke" make call 43 | # TODO: attestation does not yet work in cva6 44 | #KEYSTONE_COMMAND="/usr/share/keystone/examples/attestor.ke" make call 45 | 46 | power_off 47 | stop_record_tty cva6-tty 48 | exit 0 49 | -------------------------------------------------------------------------------- /sm/src/sha3/sha3.h: -------------------------------------------------------------------------------- 1 | // sha3.h 2 | // 19-Nov-11 Markku-Juhani O. 
Saarinen 3 | 4 | #ifndef SHA3_H 5 | #define SHA3_H 6 | 7 | #ifdef __riscv_xlen 8 | #include 9 | #else 10 | #include 11 | #include 12 | #endif 13 | 14 | #ifndef KECCAKF_ROUNDS 15 | #define KECCAKF_ROUNDS 24 16 | #endif 17 | 18 | #ifndef ROTL64 19 | #define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y)))) 20 | #endif 21 | 22 | // state context 23 | typedef struct { 24 | union { // state: 25 | uint8_t b[200]; // 8-bit bytes 26 | uint64_t q[25]; // 64-bit words 27 | } st; 28 | int pt, rsiz, mdlen; // these don't overflow 29 | } sha3_ctx_t; 30 | 31 | // Compression function. 32 | void sha3_keccakf(uint64_t st[25]); 33 | 34 | // OpenSSL - like interfece 35 | int sha3_init(sha3_ctx_t *c, int mdlen); // mdlen = hash output in bytes 36 | int sha3_update(sha3_ctx_t *c, const void *data, size_t len); 37 | int sha3_final(void *md, sha3_ctx_t *c); // digest goes to md 38 | 39 | // compute a sha3 hash (md) of given byte length from "in" 40 | void *sha3(const void *in, size_t inlen, void *md, int mdlen); 41 | 42 | #endif 43 | 44 | -------------------------------------------------------------------------------- /sdk/src/host/Memory.cpp: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
4 | //------------------------------------------------------------------------------ 5 | #include "Memory.hpp" 6 | 7 | #include 8 | 9 | #include "shared/keystone_user.h" 10 | 11 | namespace Keystone { 12 | 13 | Memory::Memory() { 14 | epmFreeList = 0; 15 | startAddr = 0; 16 | } 17 | 18 | void 19 | Memory::startRuntimeMem() { 20 | runtimePhysAddr = getCurrentEPMAddress(); 21 | } 22 | 23 | void 24 | Memory::startEappMem() { 25 | eappPhysAddr = getCurrentEPMAddress(); 26 | } 27 | 28 | void 29 | Memory::startFreeMem() { 30 | freePhysAddr = getCurrentEPMAddress(); 31 | } 32 | 33 | void 34 | Memory::incrementEPMFreeList() { 35 | epmFreeList += PAGE_SIZE; 36 | } 37 | 38 | uintptr_t 39 | Memory::allocPages(size_t size) { 40 | uintptr_t addr = epmFreeList; 41 | if (size % PAGE_SIZE > 0) { 42 | epmFreeList += (size / PAGE_SIZE + 1) * PAGE_SIZE; 43 | } else { 44 | epmFreeList += (size / PAGE_SIZE) * PAGE_SIZE; 45 | } 46 | return addr; 47 | } 48 | 49 | } // namespace Keystone 50 | -------------------------------------------------------------------------------- /overlays/keystone/board/sifive/hifive-unmatched/src/uboot/keystone/sha3/sha3.h: -------------------------------------------------------------------------------- 1 | // sha3.h 2 | // 19-Nov-11 Markku-Juhani O. Saarinen 3 | 4 | #ifndef SHA3_H 5 | #define SHA3_H 6 | 7 | #include 8 | //#include 9 | #include 10 | 11 | #ifndef KECCAKF_ROUNDS 12 | #define KECCAKF_ROUNDS 24 13 | #endif 14 | 15 | #ifndef ROTL64 16 | #define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y)))) 17 | #endif 18 | 19 | // state context 20 | typedef struct { 21 | union { // state: 22 | uint8_t b[200]; // 8-bit bytes 23 | uint64_t q[25]; // 64-bit words 24 | } st; 25 | int pt, rsiz, mdlen; // these don't overflow 26 | } sha3_ctx_t; 27 | 28 | // Compression function. 
29 | void sha3_keccakf(uint64_t st[25]); 30 | 31 | // OpenSSL-like interface 32 | int sha3_init(sha3_ctx_t *c, int mdlen); // mdlen = hash output in bytes 33 | int sha3_update(sha3_ctx_t *c, const void *data, size_t len); 34 | int sha3_final(void *md, sha3_ctx_t *c); // digest goes to md 35 | 36 | // compute a sha3 hash (md) of given byte length from "in" 37 | void *sha3(const void *in, size_t inlen, void *md, int mdlen); 38 | 39 | #endif 40 | 41 | -------------------------------------------------------------------------------- /overlays/keystone/configs/riscv64_generic_defconfig: -------------------------------------------------------------------------------- 1 | BR2_riscv=y 2 | BR2_TOOLCHAIN_BUILDROOT_GLIBC=y 3 | BR2_TOOLCHAIN_BUILDROOT_CXX=y 4 | BR2_PACKAGE_HOST_GDB=y 5 | BR2_PACKAGE_HOST_GDB_TUI=y 6 | BR2_PACKAGE_HOST_GDB_PYTHON3=y 7 | BR2_CCACHE=y 8 | BR2_CCACHE_INITIAL_SETUP="-M0 -F0" 9 | BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_KEYSTONE_PATH)/patches" 10 | BR2_PER_PACKAGE_DIRECTORIES=y 11 | BR2_SSP_NONE=y 12 | BR2_TARGET_GENERIC_ROOT_PASSWD="sifive" 13 | BR2_SYSTEM_BIN_SH_BASH=y 14 | BR2_SYSTEM_DHCP="eth0" 15 | BR2_ROOTFS_OVERLAY="/invalid" 16 | BR2_LINUX_KERNEL=y 17 | BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y 18 | BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_KEYSTONE_PATH)/configs/linux64-defconfig" 19 | BR2_PACKAGE_BUSYBOX_SHOW_OTHERS=y 20 | BR2_PACKAGE_DROPBEAR=y 21 | BR2_TARGET_ROOTFS_EXT2=y 22 | BR2_TARGET_OPENSBI=y 23 | BR2_TARGET_OPENSBI_CUSTOM_VERSION=y 24 | BR2_TARGET_OPENSBI_CUSTOM_VERSION_VALUE="1.1" 25 | BR2_TARGET_OPENSBI_PLAT="generic" 26 | # BR2_TARGET_OPENSBI_INSTALL_DYNAMIC_IMG is not set 27 | BR2_PACKAGE_HOST_QEMU=y 28 | BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y 29 | BR2_TARGET_KEYSTONE_BOOTROM=y 30 | BR2_TARGET_KEYSTONE_SM=y 31 | BR2_PACKAGE_KEYSTONE_DRIVER=y 32 | BR2_PACKAGE_HOST_KEYSTONE_SDK=y 33 | BR2_PACKAGE_KEYSTONE_RUNTIME=y 34 | BR2_PACKAGE_KEYSTONE_EXAMPLES=y 35 | 
-------------------------------------------------------------------------------- /runtime/include/util/regs.h: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | 6 | #ifndef _REGS_H_ 7 | #define _REGS_H_ 8 | #include 9 | 10 | struct regs { 11 | uintptr_t sepc; // use this slot as sepc 12 | uintptr_t ra; 13 | uintptr_t sp; 14 | uintptr_t gp; 15 | uintptr_t tp; 16 | uintptr_t t0; 17 | uintptr_t t1; 18 | uintptr_t t2; 19 | uintptr_t s0; 20 | uintptr_t s1; 21 | uintptr_t a0; 22 | uintptr_t a1; 23 | uintptr_t a2; 24 | uintptr_t a3; 25 | uintptr_t a4; 26 | uintptr_t a5; 27 | uintptr_t a6; 28 | uintptr_t a7; 29 | uintptr_t s2; 30 | uintptr_t s3; 31 | uintptr_t s4; 32 | uintptr_t s5; 33 | uintptr_t s6; 34 | uintptr_t s7; 35 | uintptr_t s8; 36 | uintptr_t s9; 37 | uintptr_t s10; 38 | uintptr_t s11; 39 | uintptr_t t3; 40 | uintptr_t t4; 41 | uintptr_t t5; 42 | uintptr_t t6; 43 | }; 44 | 45 | struct encl_ctx { 46 | struct regs regs; 47 | /* Supervisor CSRs */ 48 | uintptr_t sstatus;//32 49 | uintptr_t sbadaddr;//33 50 | uintptr_t scause;//34 51 | }; 52 | #endif /* _REGS_H_ */ 53 | -------------------------------------------------------------------------------- /examples/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.10) 2 | project(keystone_examples C CXX ASM) 3 | 4 | # check if SDK has been built and KEYSTONE_SDK_DIR configuration variable exists 5 | if (NOT DEFINED KEYSTONE_SDK_DIR) 6 | message(FATAL_ERROR "Please set KEYSTONE_SDK_DIR configuration variable to an installed SDK path") 7 | endif() 8 | 9 | set(ENV{KEYSTONE_SDK_DIR} 
${KEYSTONE_SDK_DIR}) 10 | 11 | if (DEFINED PATH) 12 | set(ENV{PATH} ${PATH}) 13 | endif() 14 | 15 | include(${KEYSTONE_SDK_DIR}/cmake/macros.cmake) 16 | include(ExternalProject) 17 | find_package(Git REQUIRED) 18 | 19 | use_riscv_toolchain(${KEYSTONE_BITS}) 20 | 21 | # export include directory 22 | include_directories(AFTER ${KEYSTONE_SDK_DIR}/include) 23 | 24 | # set paths to the libraries 25 | set(KEYSTONE_LIB_HOST ${KEYSTONE_SDK_DIR}/lib/libkeystone-host.a) 26 | set(KEYSTONE_LIB_EDGE ${KEYSTONE_SDK_DIR}/lib/libkeystone-edge.a) 27 | set(KEYSTONE_LIB_VERIFIER ${KEYSTONE_SDK_DIR}/lib/libkeystone-verifier.a) 28 | set(KEYSTONE_LIB_EAPP ${KEYSTONE_SDK_DIR}/lib/libkeystone-eapp.a) 29 | 30 | # create a phony target "examples" 31 | add_custom_target("examples") 32 | 33 | # add all examples below 34 | add_subdirectory(hello) 35 | add_subdirectory(hello-native) 36 | add_subdirectory(attestation) 37 | add_subdirectory(tests) 38 | -------------------------------------------------------------------------------- /sm/src/crypto.c: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
4 | //------------------------------------------------------------------------------ 5 | #include "crypto.h" 6 | #include "page.h" 7 | 8 | void hash_init(hash_ctx* ctx) 9 | { 10 | sha3_init(ctx, MDSIZE); 11 | } 12 | 13 | void hash_extend(hash_ctx* ctx, const void* ptr, size_t len) 14 | { 15 | sha3_update(ctx, ptr, len); 16 | } 17 | 18 | void hash_extend_page(hash_ctx* ctx, const void* ptr) 19 | { 20 | sha3_update(ctx, ptr, RISCV_PGSIZE); 21 | } 22 | 23 | void hash_finalize(void* md, hash_ctx* ctx) 24 | { 25 | sha3_final(md, ctx); 26 | } 27 | 28 | void sign(void* sign, const void* data, size_t len, const unsigned char* public_key, const unsigned char* private_key) 29 | { 30 | ed25519_sign(sign, data, len, public_key, private_key); 31 | } 32 | 33 | int kdf(const unsigned char* salt, size_t salt_len, 34 | const unsigned char* ikm, size_t ikm_len, 35 | const unsigned char* info, size_t info_len, 36 | unsigned char* okm, size_t okm_len) 37 | { 38 | return hkdf_sha3_512(salt, salt_len, ikm, ikm_len, info, info_len, okm, okm_len); 39 | } 40 | -------------------------------------------------------------------------------- /sdk/.fast-setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # only for Travis. do not run 4 | echo "Starting..." 5 | if ( $(command -v riscv64-unknown-linux-gnu-gcc > /dev/null) && 6 | $(command -v riscv64-unknown-elf-gcc > /dev/null) ) 7 | then 8 | echo "RISCV tools are already installed" 9 | else 10 | echo "Downloading Prebuilt RISC-V Toolchain... 
" 11 | 12 | # The 1.0 version expected libmpfr.so.4, modern Ubuntu has .6 13 | TOOL_VER=1.0 14 | if [[ $(ldconfig -p | grep "libmpfr.so.6") ]]; then 15 | echo "Downloading tools v2.0 (support for libmpfr.so.6)" 16 | TOOL_VER=2.0 17 | fi 18 | 19 | export RISCV=$(pwd)/riscv 20 | export PATH=$PATH:$RISCV/bin 21 | wget https://keystone-enclave.eecs.berkeley.edu/files/${TOOL_VER}.tar.gz 22 | 23 | # Check tool integrity 24 | echo "Verifying prebuilt toolchain integrity..." 25 | sha256sum -c .prebuilt_tools_shasums --status --ignore-missing 26 | if [[ $? != 0 ]] 27 | then 28 | echo "Toolchain binary download incomplete or corrupted. You can build the toolchain locally or try again." 29 | exit 1 30 | fi 31 | 32 | tar -xzvf ${TOOL_VER}.tar.gz 33 | cd firesim-riscv-tools-prebuilt-${TOOL_VER} 34 | ./installrelease.sh > riscv-tools-install.log 35 | mv distrib riscv 36 | cp -R riscv ../ 37 | cd .. 38 | echo "Toolchain has been installed in $RISCV" 39 | fi 40 | -------------------------------------------------------------------------------- /sdk/src/app/syscall.c: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 3 | // All Rights Reserved. See LICENSE for license details. 
4 | //------------------------------------------------------------------------------ 5 | #include "syscall.h" 6 | 7 | /* this implements basic system calls for the enclave */ 8 | 9 | int 10 | ocall( 11 | unsigned long call_id, void* data, size_t data_len, void* return_buffer, 12 | size_t return_len) { 13 | return SYSCALL_5(RUNTIME_SYSCALL_OCALL, 14 | call_id, data, data_len, return_buffer, return_len); 15 | } 16 | 17 | int 18 | copy_from_shared(void* dst, uintptr_t offset, size_t data_len) { 19 | return SYSCALL_3(RUNTIME_SYSCALL_SHAREDCOPY, dst, offset, data_len); 20 | } 21 | 22 | int 23 | attest_enclave(void* report, void* data, size_t size) { 24 | return SYSCALL_3(RUNTIME_SYSCALL_ATTEST_ENCLAVE, report, data, size); 25 | } 26 | 27 | /* returns sealing key */ 28 | int 29 | get_sealing_key( 30 | struct sealing_key* sealing_key_struct, size_t sealing_key_struct_size, 31 | void* key_ident, size_t key_ident_size) { 32 | return SYSCALL_4(RUNTIME_SYSCALL_GET_SEALING_KEY, 33 | sealing_key_struct, sealing_key_struct_size, 34 | key_ident, key_ident_size); 35 | } 36 | -------------------------------------------------------------------------------- /runtime/README.md: -------------------------------------------------------------------------------- 1 | # Keystone Eyrie Modular Runtime 2 | 3 | Eyrie only builds as part of the Keystone [sdk](https://github.com/keystone-enclave/keystone-sdk). 4 | 5 | We strongly encourage using the top-level [Keystone](https://github.com/keystone-enclave/keystone) build process. 6 | 7 | # Compatibility 8 | 9 | | Name | Version | 10 | |--------------|----------------| 11 | | Keystone SDK | v1.0 or higher | 12 | | Keystone SM | v1.0 or higher | 13 | 14 | # Building 15 | 16 | ## Building the Eyrie Runtime 17 | 18 | Make sure you've properly set the environment variable `KEYSTONE_SDK_DIR` to point to the Keystone SDK installation path. 19 | 20 | Then, run `./build.sh [features]`. 
21 | 22 | ## Running the tests 23 | 24 | Make sure you checked out all submodules with `git submodule update --init`. 25 | 26 | Then, run `make test`. 27 | 28 | If a test fails and you'd like more detail, enter into `obj/test` and run the binary for the failed test. e.g. if `test_string` fails, run `obj/test/test_string`. 29 | 30 | ## Build options 31 | 32 | See the sdk Makefile for feature selection. 33 | 34 | # Contributing 35 | 36 | The Eyrie Runtime is licensed under the 3-clause BSD license. See LICENSE for more details. 37 | 38 | Before submitting a pull request to GitHub, make sure you format your code first. 39 | 40 | ```sh 41 | make format 42 | ``` 43 | -------------------------------------------------------------------------------- /runtime/include/mm/common.h: -------------------------------------------------------------------------------- 1 | #ifndef __COMMON_H__ 2 | #define __COMMON_H__ 3 | 4 | #include 5 | #include "call/sbi.h" 6 | #include "util/printf.h" 7 | 8 | #define RISCV_EXCP_INST_MISALIGNED 0 9 | #define RISCV_EXCP_INST_FAULT 1 10 | #define RISCV_EXCP_ILLEGAL_INST 2 11 | #define RISCV_EXCP_BREAKPOINT 3 12 | #define RISCV_EXCP_LOAD_MISALIGNED 4 13 | #define RISCV_EXCP_LOAD_FAULT 5 14 | #define RISCV_EXCP_STORE_MISALIGNED 6 15 | #define RISCV_EXCP_STORE_FAULT 7 16 | #define RISCV_EXCP_ECALL_U 8 17 | #define RISCV_EXCP_ECALL_S 9 18 | // reserved 10 19 | #define RISCV_EXCP_ECALL_M 11 20 | #define RISCV_EXCP_INST_PAGE_FAULT 12 21 | #define RISCV_EXCP_LOAD_PAGE_FAULT 13 22 | // reserved 14 23 | #define RISCV_EXCP_STORE_PAGE_FAULT 15 24 | 25 | #undef assert 26 | #define assert(x) \ 27 | if(!(x)) { printf("assertion failed at %s:%d\r\n", __FILE__, __LINE__);\ 28 | sbi_exit_enclave(-1); \ 29 | } 30 | 31 | #ifdef USE_DEBUG 32 | #define debug(format, ...) \ 33 | printf ("[debug] " format " (%s:%d)\r\n", ## __VA_ARGS__, __FILE__, __LINE__) 34 | #else 35 | #define debug(format, ...) \ 36 | ; 37 | #endif 38 | 39 | #define warn(format, ...) 
\ 40 | printf ("[warn] " format " (%s:%d)\r\n", ## __VA_ARGS__, __FILE__, __LINE__) 41 | 42 | #endif 43 | -------------------------------------------------------------------------------- /runtime/include/crypto/sha256.h: -------------------------------------------------------------------------------- 1 | /********************************************************************* 2 | * Filename: sha256.h 3 | * Author: Brad Conte (brad AT bradconte.com) 4 | * Copyright: 5 | * Disclaimer: This code is presented "as is" without any guarantees. 6 | * Details: Defines the API for the corresponding SHA-256 implementation. 7 | *********************************************************************/ 8 | 9 | #ifndef SHA256_H 10 | #define SHA256_H 11 | 12 | /*************************** HEADER FILES ***************************/ 13 | #include 14 | 15 | /****************************** MACROS ******************************/ 16 | #define SHA256_BLOCK_SIZE 32 // SHA256 outputs a 32 byte digest 17 | 18 | /**************************** DATA TYPES ****************************/ 19 | typedef unsigned char BYTE; // 8-bit byte 20 | typedef unsigned int WORD; // 32-bit word, change to "long" for 16-bit machines 21 | 22 | typedef struct { 23 | BYTE data[64]; 24 | WORD datalen; 25 | unsigned long long bitlen; 26 | WORD state[8]; 27 | } SHA256_CTX; 28 | 29 | /*********************** FUNCTION DECLARATIONS **********************/ 30 | void 31 | sha256_init(SHA256_CTX* ctx); 32 | void 33 | sha256_update(SHA256_CTX* ctx, const BYTE data[], size_t len); 34 | void 35 | sha256_final(SHA256_CTX* ctx, BYTE hash[]); 36 | 37 | #endif // SHA256_H 38 | -------------------------------------------------------------------------------- /runtime/sys/interrupt.c: -------------------------------------------------------------------------------- 1 | //****************************************************************************** 2 | // Copyright (c) 2018, The Regents of the University of California (Regents). 
3 | // All Rights Reserved. See LICENSE for license details. 4 | //------------------------------------------------------------------------------ 5 | #include "util/regs.h" 6 | #include "call/sbi.h" 7 | #include "sys/timex.h" 8 | #include "sys/interrupt.h" 9 | #include "util/printf.h" 10 | #include 11 | 12 | #define DEFAULT_CLOCK_DELAY 10000 13 | 14 | void init_timer(void) 15 | { 16 | sbi_set_timer(get_cycles64() + DEFAULT_CLOCK_DELAY); 17 | csr_set(sstatus, SR_SPIE); 18 | csr_set(sie, SIE_STIE | SIE_SSIE); 19 | } 20 | 21 | void handle_timer_interrupt() 22 | { 23 | sbi_stop_enclave(0); 24 | unsigned long next_cycle = get_cycles64() + DEFAULT_CLOCK_DELAY; 25 | sbi_set_timer(next_cycle); 26 | csr_set(sstatus, SR_SPIE); 27 | return; 28 | } 29 | 30 | void handle_interrupts(struct encl_ctx* regs) 31 | { 32 | unsigned long cause = regs->scause; 33 | 34 | switch(cause) { 35 | case INTERRUPT_CAUSE_TIMER: 36 | handle_timer_interrupt(); 37 | break; 38 | /* ignore other interrupts */ 39 | case INTERRUPT_CAUSE_SOFTWARE: 40 | case INTERRUPT_CAUSE_EXTERNAL: 41 | default: 42 | sbi_stop_enclave(0); 43 | return; 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /overlays/keystone/patches/opensbi/opensbi-firmware-secure-boot.patch: -------------------------------------------------------------------------------- 1 | diff --git firmware/fw_base.ldS firmware/fw_base.ldS 2 | index 0ac75f2..9aa9c1a 100644 3 | --- a/firmware/fw_base.ldS 4 | +++ b/firmware/fw_base.ldS 5 | 
@@ -79,3 +79,39 @@ 6 | . = ALIGN(0x1000); /* Need this to create proper sections */ 7 | 8 | PROVIDE(_fw_end = .); 9 | + 10 | + /* # Sanctum params */ 11 | + /* ================ */ 12 | + . = 0x801ff000; /* the last page before the payload */ 13 | + 14 | + /* ## manufacturer_keys : */ 15 | + 16 | + /* 32 Bytes : manufacturer public key */ 17 | + PROVIDE( sanctum_m_public_key = . ); 18 | + . += 0x20; 19 | + 20 | + /* 32 Bytes : device public key */ 21 | + PROVIDE( sanctum_dev_public_key = . ); 22 | + . += 0x20; 23 | + 24 | + /* 64 Bytes : device secret key */ 25 | + PROVIDE( sanctum_dev_secret_key = . ); 26 | + . += 0x40; 27 | + 28 | + /* ## security_monitor_keys : */ 29 | + 30 | + /* 64 Bytes : security monitor hash */ 31 | + PROVIDE( sanctum_sm_hash = . ); 32 | + . += 0x40; 33 | + 34 | + /* 32 Bytes : security monitor public key */ 35 | + PROVIDE( sanctum_sm_public_key = . ); 36 | + . += 0x20; 37 | + 38 | + /* 64 Bytes : security monitor secret key */ 39 | + PROVIDE( sanctum_sm_secret_key = . ); 40 | + . += 0x40; 41 | + 42 | + /* 64 Bytes : security monitor's signature by device */ 43 | + PROVIDE( sanctum_sm_signature = . ); 44 | + . += 0x40; 45 | -------------------------------------------------------------------------------- /overlays/keystone/board/mpfs/patches/dt-overlay-mchp/0001-move-devtree.patch: -------------------------------------------------------------------------------- 1 | diff --git a/mpfs_icicle.its b/mpfs_icicle.its 2 | index 7995ae0..a8ae0e2 100644 3 | --- a/mpfs_icicle.its 4 | +++ b/mpfs_icicle.its 5 | @@ -21,8 +21,8 @@ 6 | arch = "riscv"; 7 | os = "linux"; 8 | compression = "gzip"; 9 | - load = <0x80200000>; 10 | - entry = <0x80200000>; 11 | + load = <0x90200000>; 12 | + entry = <0x90200000>; 13 | hash-1 { 14 | algo = "sha256"; 15 | }; 16 | @@ -33,7 +33,7 @@ 17 | type = "flat_dt"; 18 | arch = "riscv"; 19 | compression = "none"; 20 | - load = <0x8a000000>; 21 | + load = <0x94000000>; 22 | hash-1 { 23 | algo = "sha256"; 24 | }; 25 | 
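Review bot: The location counter is forced to the absolute address `0x801ff000` right after `PROVIDE(_fw_end = .)` with nothing checking that the firmware image ends below it, so a larger build could leave the `sanctum_*` key symbols aliasing firmware code or data; whether ld rejects the backwards move at this point is not something to rely on. I would add `ASSERT(_fw_end <= 0x801ff000, "firmware overlaps Sanctum parameter page");` before the assignment, and derive the address from the payload offset instead of repeating the literal. The block also deserves a comment naming which boot stage fills these slots and stating that the `sanctum_dev_secret_key` and `sanctum_sm_secret_key` slots must stay inaccessible to S-mode and the payload; that protection is not visible in this hunk. The enclosing SECTIONS block begins outside the hunk.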
@@ -44,7 +44,7 @@ 26 | type = "flat_dt"; 27 | arch = "riscv"; 28 | compression = "none"; 29 | - load = <0x8a080000>; 30 | + load = <0x94004000>; 31 | hash-1 { 32 | algo = "sha256"; 33 | }; 34 | @@ -55,7 +55,7 @@ 35 | type = "flat_dt"; 36 | arch = "riscv"; 37 | compression = "none"; 38 | - load = <0x8a090000>; 39 | + load = <0x94008000>; 40 | hash-1 { 41 | algo = "sha256"; 42 | }; 43 | @@ -66,7 +66,7 @@ 44 | type = "flat_dt"; 45 | arch = "riscv"; 46 | compression = "none"; 47 | - load = <0x8a0a0000>; 48 | + load = <0x9400C000>; 49 | hash-1 { 50 | algo = "sha256"; 51 | }; 52 | 53 | --------------------------------------------------------------------------------