Merge branch 'keystone-enclave:master' into dev-cva6-support

.gitignore

@@ -1,7 +1,7 @@
 *~
 *.swp
 .venv/
-build/
+build*/
 riscv/
 riscv64/
 riscv32/

Makefile

@@ -34,6 +34,8 @@ include mkutils/log.mk
 BUILDROOT_CONFIGFILE    ?= qemu_riscv$(KEYSTONE_BITS)_virt_defconfig
 ifeq ($(KEYSTONE_PLATFORM),mpfs)
 	EXTERNALS += microchip
+else ifeq ($(KEYSTONE_PLATFORM),unmatched)
+    BUILDROOT_CONFIGFILE = riscv64_hifive_unmatched_defconfig
 endif
 
 # Highest priority external
@@ -120,3 +122,4 @@ linux-configure: $(BUILDROOT_BUILDDIR)/.config
 #################
 
 -include mkutils/plat/$(KEYSTONE_PLATFORM)/run.mk
+

examples/attestation/CMakeLists.txt

@@ -3,7 +3,7 @@ set(eapp_src eapp/attestor.c)
 set(host_bin attestor-runner)
 set(host_src host/attestor-runner.cpp host/host.cpp host/verifier.cpp)
 set(package_name "attestor.ke")
-set(package_script "./attestor-runner attestor eyrie-rt --sm-bin fw_jump.bin")
+set(package_script "./attestor-runner attestor eyrie-rt loader.bin --sm-bin fw_jump.bin")
 
 if(RISCV32)
   set(eyrie_plugins "freemem rv32")
@@ -35,11 +35,17 @@ target_include_directories(${host_bin}
 
 # add target for Eyrie runtime (see keystone.cmake)
 
-set(eyrie_files_to_copy .options_log eyrie-rt)
+set(eyrie_files_to_copy .options_log eyrie-rt loader.bin)
 add_eyrie_runtime(${eapp_bin}-eyrie
   ${eyrie_plugins}
   ${eyrie_files_to_copy})
 
+# add sm binary -- TODO: fix, should come from upper levels
+if(NOT DEFINED fw_bin)
+  message(AUTHOR_WARNING "fw_bin should be defined by upper CMake files/ build system. Setting to default")
+  set(fw_bin ../../../images/fw_jump.bin)
+endif()
+
 # add target for packaging (see keystone.cmake)
 
 add_keystone_package(${eapp_bin}-package

examples/attestation/host/attestor-runner.cpp

@@ -19,10 +19,10 @@
 
 int
 main(int argc, char** argv) {
-  if (argc < 3 || argc > 8) {
+  if (argc < 4 || argc > 9) {
     printf(
-        "Usage: %s <eapp> <runtime> [--utm-size SIZE(K)] [--freemem-size "
-        "SIZE(K)] [--utm-ptr 0xPTR] [--sm-bin SM_BIN_PATH]\n",
+        "Usage: %s <eapp> <runtime> <loader> [--utm-size SIZE(K)] "
+        "[--freemem-size SIZE(K)] [--utm-ptr 0xPTR] [--sm-bin SM_BIN_PATH]\n",
         argv[0]);
     return 0;
   }
@@ -45,10 +45,11 @@ main(int argc, char** argv) {
 
   char* eapp_file   = argv[1];
   char* rt_file     = argv[2];
+  char* ld_file     = argv[3];
   char* sm_bin_file = NULL;
 
   int c;
-  int opt_index = 3;
+  int opt_index = 4;
   while (1) {
     c = getopt_long(argc, argv, "u:p:f:s:", long_options, &opt_index);
 
@@ -72,12 +73,17 @@ main(int argc, char** argv) {
     }
   }
 
+  if (sm_bin_file == NULL) {
+    printf("--sm-bin is missing.\n");
+    return 0;
+  }
+
   Keystone::Params params;
 
   params.setFreeMemSize(freemem_size);
   params.setUntrustedMem(utm_ptr, untrusted_size);
 
-  Verifier verifier{params, eapp_file, rt_file, sm_bin_file};
+  Verifier verifier{params, eapp_file, rt_file, ld_file, sm_bin_file};
   verifier.run();
 
   return 0;

examples/attestation/host/host.cpp

@@ -235,7 +235,7 @@ Host::dispatch_ocall(RunData& run_data) {
 Report
 Host::run(const std::string& nonce) {
   Keystone::Enclave enclave;
-  enclave.init(eapp_file_.c_str(), rt_file_.c_str(), params_);
+  enclave.init(eapp_file_.c_str(), rt_file_.c_str(), ld_file_.c_str(), params_);
 
   RunData run_data{
       SharedBuffer{enclave.getSharedBuffer(), enclave.getSharedBufferSize()},

examples/attestation/host/host.h

@@ -58,8 +58,9 @@ class Host {
 public:
 Host(
     const Keystone::Params& params, const std::string& eapp_file,
-    const std::string& rt_file)
-    : params_(params), eapp_file_(eapp_file), rt_file_(rt_file) {}
+    const std::string& rt_file, const std::string& ld_file)
+    : params_(params), eapp_file_(eapp_file), rt_file_(rt_file),
+      ld_file_(ld_file) {}
     // Given a random nonce from the remote verifier, this method leaves
     // it for the enclave to fetch, and returns the attestation report
     // from the enclave to the verifier.
@@ -79,6 +80,7 @@ Host(
  const Keystone::Params params_;
  const std::string eapp_file_;
  const std::string rt_file_;
+ const std::string ld_file_;
 };
 
 #endif /* _ATTESTATION_HOST_H_ */

examples/attestation/host/verifier.cpp

@@ -23,7 +23,7 @@
 void
 Verifier::run() {
   const std::string nonce = std::to_string(random() % 0x100000000);
-  Host host(params_, eapp_file_, rt_file_);
+  Host host(params_, eapp_file_, rt_file_, ld_file_);
   Report report = host.run(nonce);
   verify_report(report, nonce);
 }
@@ -78,13 +78,7 @@ Verifier::verify_data(Report& report, const std::string& nonce) {
 
 void
 Verifier::compute_expected_enclave_hash(byte* expected_enclave_hash) {
-  Keystone::Enclave enclave;
-  Keystone::Params simulated_params = params_;
-  simulated_params.setSimulated(true);
-  // This will cause validate_and_hash_enclave to be called when
-  // isSimulated() == true.
-  enclave.init(eapp_file_.c_str(), rt_file_.c_str(), simulated_params);
-  memcpy(expected_enclave_hash, enclave.getHash(), MDSIZE);
+  Keystone::Enclave::measure((char*) expected_enclave_hash, eapp_file_.c_str(), rt_file_.c_str(), ld_file_.c_str());
 }
 
 void

examples/attestation/host/verifier.h

@@ -22,10 +22,11 @@ class Verifier {
  public:
   Verifier(
       const Keystone::Params& params, const std::string& eapp_file,
-      const std::string& rt_file, const std::string& sm_bin_file)
+      const std::string& rt_file, const std::string& ld_file, const std::string& sm_bin_file)
       : params_(params),
         eapp_file_(eapp_file),
         rt_file_(rt_file),
+        ld_file_(ld_file),
         sm_bin_file_(sm_bin_file) {}
   // This method generates a random nonce, invokes the run() method
   // of the Host, and verifies that the returned attestation report
@@ -59,5 +60,6 @@ class Verifier {
   const Keystone::Params params_;
   const std::string eapp_file_;
   const std::string rt_file_;
+  const std::string ld_file_;
   const std::string sm_bin_file_;
 };

examples/hello-native/CMakeLists.txt

@@ -3,7 +3,7 @@ set(eapp_src eapp/eapp_native.c)
 set(host_bin hello-native-runner)
 set(host_src host/host_native.cpp)
 set(package_name "hello-native.ke")
-set(package_script "./hello-native-runner hello-native eyrie-rt")
+set(package_script "./hello-native-runner hello-native eyrie-rt loader.bin")
 
 if(RISCV32)
   set(eyrie_plugins "rv32 freemem")
@@ -34,7 +34,7 @@ target_include_directories(${host_bin}
 
 # add target for Eyrie runtime (see keystone.cmake)
 
-set(eyrie_files_to_copy .options_log eyrie-rt)
+set(eyrie_files_to_copy .options_log eyrie-rt loader.bin)
 add_eyrie_runtime(${eapp_bin}-eyrie
   ${eyrie_plugins}
   ${eyrie_files_to_copy})

examples/hello-native/host/host_native.cpp

@@ -30,7 +30,7 @@ main(int argc, char** argv) {
   params.setFreeMemSize(1024 * 1024);
   params.setUntrustedMem(DEFAULT_UNTRUSTED_PTR, 1024 * 1024);
 
-  enclave.init(argv[1], argv[2], params);
+  enclave.init(argv[1], argv[2], argv[3], params);
 
   enclave.registerOcallDispatch(incoming_call_dispatch);
 

examples/hello/CMakeLists.txt

@@ -3,7 +3,7 @@ set(eapp_src eapp/hello.c)
 set(host_bin hello-runner)
 set(host_src host/host.cpp)
 set(package_name "hello.ke")
-set(package_script "./hello-runner hello eyrie-rt")
+set(package_script "./hello-runner hello eyrie-rt loader.bin")
 
 if(RISCV32)
   set(eyrie_plugins "freemem io_syscall linux_syscall env_setup rv32")
@@ -23,7 +23,7 @@ target_link_libraries(${host_bin} ${KEYSTONE_LIB_HOST} ${KEYSTONE_LIB_EDGE})
 
 # add target for Eyrie runtime (see keystone.cmake)
 
-set(eyrie_files_to_copy .options_log eyrie-rt)
+set(eyrie_files_to_copy .options_log eyrie-rt loader.bin)
 add_eyrie_runtime(${eapp_bin}-eyrie
   ${eyrie_plugins}
   ${eyrie_files_to_copy})

examples/hello/host/host.cpp

@@ -12,10 +12,10 @@ main(int argc, char** argv) {
   Enclave enclave;
   Params params;
 
-  params.setFreeMemSize(1024 * 1024);
-  params.setUntrustedMem(DEFAULT_UNTRUSTED_PTR, 1024 * 1024);
+  params.setFreeMemSize(256 * 1024);
+  params.setUntrustedMem(DEFAULT_UNTRUSTED_PTR, 256 * 1024);
 
-  enclave.init(argv[1], argv[2], params);
+  enclave.init(argv[1], argv[2], argv[3], params);
 
   enclave.registerOcallDispatch(incoming_call_dispatch);
   edge_call_init_internals(

examples/tests/CMakeLists.txt

@@ -80,9 +80,9 @@ foreach (test IN ITEMS ${all_test_bins})
   file(APPEND ${test_script_tmp} "echo 'testing ${test}'\n")
   if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${test}/retval)
     execute_process(COMMAND cat ${CMAKE_CURRENT_SOURCE_DIR}/${test}/retval OUTPUT_VARIABLE retval)
-    file(APPEND ${test_script_tmp} "./${host_bin} ${test} eyrie-rt --retval ${retval}")
+    file(APPEND ${test_script_tmp} "./${host_bin} ${test} eyrie-rt loader.bin --retval ${retval}")
   else()
-    file(APPEND ${test_script_tmp} "./${host_bin} ${test} eyrie-rt\n")
+    file(APPEND ${test_script_tmp} "./${host_bin} ${test} eyrie-rt loader.bin\n")
   endif()
 endforeach(test)
 
@@ -102,7 +102,7 @@ target_link_libraries(${host_bin} ${KEYSTONE_LIB_HOST} ${KEYSTONE_LIB_EDGE} ${KE
 
 # add target for Eyrie runtime (see keystone.cmake)
 
-set(eyrie_files_to_copy .options_log eyrie-rt)
+set(eyrie_files_to_copy .options_log eyrie-rt loader.bin)
 add_eyrie_runtime(test-eyrie
   ${eyrie_plugins}
   ${eyrie_files_to_copy})

examples/tests/test-runner.cpp

@@ -55,7 +55,7 @@ copy_report(void* buffer) {
 
 int
 main(int argc, char** argv) {
-  if (argc < 3 || argc > 8) {
+  if (argc < 4 || argc > 9) {
     printf(
         "Usage: %s <eapp> <runtime> [--utm-size SIZE(K)] [--freemem-size "
         "SIZE(K)] [--time] [--load-only] [--utm-ptr 0xPTR] [--retval EXPECTED]\n",
@@ -83,6 +83,7 @@ main(int argc, char** argv) {
 
   char* eapp_file = argv[1];
   char* rt_file   = argv[2];
+  char* ld_file   = argv[3];
 
   int c;
   int opt_index = 3;
@@ -121,7 +122,7 @@ main(int argc, char** argv) {
     asm volatile("rdcycle %0" : "=r"(cycles1));
   }
 
-  enclave.init(eapp_file, rt_file, params);
+  enclave.init(eapp_file, rt_file, ld_file, params);
 
   if (self_timing) {
     asm volatile("rdcycle %0" : "=r"(cycles2));
@@ -133,7 +134,7 @@ main(int argc, char** argv) {
     asm volatile("rdcycle %0" : "=r"(cycles3));
   }
 
-  uintptr_t encl_ret;
+  unsigned long encl_ret;
   if (!load_only) enclave.run(&encl_ret);
 
   if (retval_exist && encl_ret != retval) {

fast-setup.sh

@@ -0,0 +1,10 @@
+git submodule update --init --recursive --depth 1
+echo "please read this file for further instructions"
+
+### INSTRUCTIONS
+# make -j 12 # change 12 to desired parallelism
+### find port in command from make, 9821 at the time of writing
+# make run
+### switch terminals
+# scp -i build-generic64/overlay/root/.ssh/id-rsa -P <PORT_NUMBER> build-generic64/buildroot.build/build/keystone-*/*.ko root@localhost:.
+# scp -i build-generic64/overlay/root/.ssh/id-rsa -P <PORT_NUMBER> build-generic64/buildroot.build/build/keystone-examples-*/*/*.ke root@localhost:.

linux-keystone-driver/keystone-enclave.c

@@ -11,25 +11,6 @@ DEFINE_MUTEX(idr_enclave_lock);
 #define ENCLAVE_IDR_MIN 0x1000
 #define ENCLAVE_IDR_MAX 0xffff
 
-unsigned long calculate_required_pages(
-    unsigned long eapp_sz,
-    unsigned long eapp_stack_sz,
-    unsigned long rt_sz,
-    unsigned long rt_stack_sz)
-{
-  unsigned long req_pages = 0;
-
-  req_pages += PAGE_UP(eapp_sz)/PAGE_SIZE;
-  req_pages += PAGE_UP(eapp_stack_sz)/PAGE_SIZE;
-  req_pages += PAGE_UP(rt_sz)/PAGE_SIZE;
-  req_pages += PAGE_UP(rt_stack_sz)/PAGE_SIZE;
-
-  // FIXME: calculate the required number of pages for the page table.
-  // For now, we must allocate at least 1 (top) + 2 (enclave) + 2 (runtime) pages for pg tables
-  req_pages += 15;
-  return req_pages;
-}
-
 /* Smart destroy, handles partial initialization of epm and utm etc */
 int destroy_enclave(struct enclave* enclave)
 {

linux-keystone-driver/keystone-ioctl.c

@@ -7,6 +7,7 @@
 #include "keystone_user.h"
 #include <asm/sbi.h>
 #include <linux/uaccess.h>
+#include <linux/string.h>
 
 int __keystone_destroy_enclave(unsigned int ueid);
 
@@ -76,7 +77,7 @@ int keystone_finalize_enclave(unsigned long arg)
   ret = sbi_sm_create_enclave(&create_args);
 
   if (ret.error) {
-    keystone_err("keystone_create_enclave: SBI call failed with error codd %ld\n", ret.error);
+    keystone_err("keystone_create_enclave: SBI call failed with error code %ld\n", ret.error);
     goto error_destroy_enclave;
   }
 

linux-keystone-driver/keystone.h

@@ -90,13 +90,6 @@ int utm_destroy(struct utm* utm);
 int utm_init(struct utm* utm, size_t untrusted_size);
 paddr_t epm_va_to_pa(struct epm* epm, vaddr_t addr);
 
-
-unsigned long calculate_required_pages(
-		unsigned long eapp_sz,
-		unsigned long eapp_stack_sz,
-		unsigned long rt_sz,
-		unsigned long rt_stack_sz);
-
 #define keystone_info(fmt, ...) \
   pr_info("keystone_enclave: " fmt, ##__VA_ARGS__)
 #define keystone_err(fmt, ...) \

mkutils/plat/unmatched/run.mk

@@ -0,0 +1,25 @@
+#########################
+## Flush SD card image ##
+#########################
+
+DEVICE      ?=
+EXTEND      ?= 0
+FLUSH_IMAGE ?= $(BUILDROOT_BUILDDIR)/images/sdcard.img
+
+flush:
+ifeq ($(DEVICE),)
+	$(call log,error,Set target device to env DEVICE)
+else
+	$(call log,info,Flushing SD image)
+	sudo dd if=$(FLUSH_IMAGE) of=$(DEVICE) bs=64k iflag=fullblock oflag=direct conv=fsync status=progress
+
+ifeq ($(EXTEND),1)
+	$(call log,info,Extending rootfs end of the block device)
+	echo "w" | sudo fdisk $(DEVICE)
+	echo "- +" | sudo sfdisk -N 3 $(DEVICE)
+	sudo e2fsck -f $(DEVICE)3
+	sudo resize2fs $(DEVICE)3
+endif
+
+endif
+

overlays/keystone/board/sifive/hifive-unmatched/extlinux.conf

@@ -0,0 +1,5 @@
+default buildroot
+label buildroot
+   kernel /boot/Image.gz
+   fdt /boot/hifive-unmatched-a00.dtb
+   append root=/dev/mmcblk0p3 rootfstype=ext4 rootwait console=ttySIF0,115200 earlycon