Linux 2.14 Open Source Gold Release

Supported loading enclave at address 0.
Upgraded Intel(R) Quote Verification Enclave to integrate SgxSSL/OpenSSL version 1.1.1k.
Updated the DCAP driver V1.33 with stability fixes, released as V1.33.2. This is to support
  legacy solutions not ready to transition to the latest DCAP driver V1.41 or kernel 5.11+.
Fixed bugs.

Signed-off-by: Li, Xun <[email protected]>

Author: llly

.gitignore

@@ -18,16 +18,12 @@
 /build/
 /linux/installer/bin/*.bin
 
-
 # files downloaded in preparation phase
 Intel redistributable binary.txt
 Master_EULA_for_Intel_Sw_Development_Products.pdf
-external/ippcp_internal/inc/ippcp.h
-external/ippcp_internal/inc/ippcpdefs.h
-external/ippcp_internal/inc/ippversion.h
-external/ippcp_internal/inc/sgx_ippcp.h
-external/ippcp_internal/license/
+external/ippcp_internal/
 external/toolset/
+psw/ae/data/prebuilt/README.md
 redist.txt
 
 # directory created when running reproducibility scripts

README.md

@@ -40,6 +40,8 @@ The Linux\* Intel(R) SGX software stack is comprised of the Intel(R) SGX driver,
 
 The [SGXDataCenterAttestationPrimitives](https://github.com/intel/SGXDataCenterAttestationPrimitives/) project maintains an out-of-tree driver for the Linux\* Intel(R) SGX software stack, which will be used until the driver upstreaming process is complete. It is used on the platforms with *Flexible Launch Control* and *Intel(R) AES New Instructions* support and could support both Elliptic Curve Digital Signature algorithm (ECDSA) based attestation and Enhanced Privacy Identification (EPID) based attestation.
 
+**Note**: Ice Lake Xeon-SP (and the future Xeon-SP platforms) doesn't support EPID attestation.
+
 The [linux-sgx-driver](https://github.com/01org/linux-sgx-driver) project hosts the other out-of-tree driver for the Linux\* Intel(R) SGX software stack, which will be used until the driver upstreaming process is complete. It is used to support Enhanced Privacy Identification (EPID) based attestation on the platforms without *Flexible Launch Control*. 
 
 The [intel-device-plugins-for-kubernetes](https://github.com/intel/intel-device-plugins-for-kubernetes) project enables users to run container applications running Intel(R) SGX enclaves in Kubernetes clusters. It also gives instructions how to set up ECDSA based attestation in a cluster.

SampleCode/SampleEnclave/App/Edger8rSyntax/Pointers.cpp

@@ -50,19 +50,19 @@ void edger8r_pointer_attributes(void)
     assert(strcmp(c, "SGX_SUCCESS") == 0);
 
 
-    val = 0;
+    val = 1;
     ret = ecall_pointer_in(global_eid, &val);
     if (ret != SGX_SUCCESS)
         abort();
-    assert(val == 0);
+    assert(val == 1);
 
-    val = 0;
+    val = 1;
     ret = ecall_pointer_out(global_eid, &val);
     if (ret != SGX_SUCCESS)
         abort();
     assert(val == 1234);
 
-    val = 0;
+    val = 1;
     ret = ecall_pointer_in_out(global_eid, &val);
     if (ret != SGX_SUCCESS)
         abort();

SampleCode/SampleEnclave/Enclave/Edger8rSyntax/Pointers.cpp

@@ -98,6 +98,7 @@ void ecall_pointer_in(int* val)
 {
     if (sgx_is_within_enclave(val, sizeof(int)) != 1)
         abort();
+    assert(*val == 1);
     *val = 1234;
 }
 
@@ -119,6 +120,7 @@ void ecall_pointer_in_out(int* val)
 {
     if (sgx_is_within_enclave(val, sizeof(int)) != 1)
         abort();
+    assert(*val == 1);
     *val = 1234;
 }
 

build-scripts/sgx-asm-pp.py

@@ -30,6 +30,7 @@
 #
 #
 
+
 __version__ = '1.0.1'
 import sys
 import os

common/inc/internal/enclave_creator.h

@@ -57,11 +57,13 @@ class EnclaveCreator : private Uncopyable
 {
 public:
     /*
-    @quote      the EPC reserved;
-    @enclave_id identify the unique enclave;
-    @start_addr is the linear address allocated for Enclave;
+    @secs          is a pointer to the architecture-specific information to use to create the enclave;
+    @enclave_id    identify the unique enclave;
+    @start_addr    is the linear address allocated for enclave;
+    @ex_features   is the bitmask defining the extended features to activate on the enclave creation;
+    @ex_features_p is the array of pointers to extended feature control structures;
     */
-    virtual int create_enclave(secs_t *secs, sgx_enclave_id_t *enclave_id, void **start_addr, bool ae = false) = 0;
+    virtual int create_enclave(secs_t *secs, sgx_enclave_id_t *enclave_id, void **start_addr, const uint32_t ex_features, const void* ex_features_p[32]) = 0;
     /*
     *@attr can be REMOVABLE
     */
@@ -83,6 +85,7 @@ class EnclaveCreator : private Uncopyable
     virtual int trim_range(uint64_t fromaddr, uint64_t toaddr) = 0;
     virtual int trim_accept(uint64_t addr) = 0;
     virtual int remove_range(uint64_t fromaddr, uint64_t numpages) = 0;
+    
     // destructor
     virtual ~EnclaveCreator() {};
 };

common/inc/internal/global_data.h

@@ -48,7 +48,7 @@
 typedef struct _global_data_t
 {
     sys_word_t     sdk_version;
-    sys_word_t     enclave_size;
+    sys_word_t     enclave_size;            /* the size of the virtual address range that the enclave will use*/
     sys_word_t     heap_offset;
     sys_word_t     heap_size;
     sys_word_t     rsrv_offset;
@@ -61,6 +61,9 @@ typedef struct _global_data_t
     uint32_t       layout_entry_num;
     uint32_t       reserved;
     layout_t       layout_table[LAYOUT_ENTRY_NUM];
+    uint64_t       enclave_image_address;   /* the base address of the enclave image */
+    uint64_t       elrange_start_address;   /* the base address provided in the enclave's SECS (SECS.BASEADDR) */
+    uint64_t       elrange_size;            /* the size of the enclave address range provided in the enclave's SECS (SECS.SIZE) */
 } global_data_t;
 
 #define ENCLAVE_INIT_NOT_STARTED  0

common/inc/internal/metadata.h

@@ -40,6 +40,12 @@
 #define MAJOR_VERSION 2                 //MAJOR_VERSION should not larger than 0ffffffff
 #define MINOR_VERSION 4                 //MINOR_VERSION should not larger than 0ffffffff
 
+#define SGX_2_ELRANGE_MAJOR_VERSION 12
+#define SGX_1_ELRANGE_MAJOR_VERSION 11
+
+#define SGX_MAJOR_VERSION_GAP 10
+
+
 #define SGX_2_1_MAJOR_VERSION 2         //MAJOR_VERSION should not larger than 0ffffffff
 #define SGX_2_1_MINOR_VERSION 2         //MINOR_VERSION should not larger than 0ffffffff
 
@@ -168,6 +174,13 @@ typedef struct _patch_entry_t
     uint32_t reserved[4];
 } patch_entry_t;
 
+typedef struct _elrange_config_entry_t
+{
+    uint64_t enclave_image_address;
+    uint64_t elrange_start_address;
+    uint64_t elrange_size;
+}elrange_config_entry_t;
+
 typedef struct _metadata_t 
 {
     uint64_t            magic_num;             /* The magic number identifying the file as a signed enclave image */

common/inc/internal/se_debugger_lib.h

@@ -87,6 +87,7 @@ typedef struct _debug_enclave_info_t
     PADDED_POINTER(void, lpFileName);
     PADDED_POINTER(void, g_peak_heap_used_addr);
     PADDED_POINTER(void, g_peak_rsrv_mem_committed_addr);
+    uint64_t elrange_start_address;
     PADDED_POINTER(void, dyn_sec);
     sgx_misc_select_t  misc_select;
     /* The following members are optional or unused */

common/inc/internal/se_version.h

@@ -31,20 +31,20 @@
 #ifndef _SE_VERSION_H_
 #define _SE_VERSION_H_
 
-#define STRFILEVER    "2.13.103.1"
+#define STRFILEVER    "2.14.100.2"
 #define SGX_MAJOR_VERSION       2
-#define SGX_MINOR_VERSION       13
-#define SGX_REVISION_VERSION    103
+#define SGX_MINOR_VERSION       14
+#define SGX_REVISION_VERSION    100
 #define MAKE_VERSION_UINT(major,minor,rev)  (((uint64_t)major)<<32 | ((uint64_t)minor) << 16 | rev)
 #define VERSION_UINT        MAKE_VERSION_UINT(SGX_MAJOR_VERSION, SGX_MINOR_VERSION, SGX_REVISION_VERSION)
 
 #define COPYRIGHT      "Copyright (C) 2021 Intel Corporation"
 
-#define UAE_SERVICE_VERSION       "2.3.210.1"
-#define URTS_VERSION              "1.1.114.1"
-#define ENCLAVE_COMMON_VERSION    "1.0.117.1"
-#define LAUNCH_VERSION            "1.0.112.1"
-#define EPID_VERSION              "1.0.112.1"
-#define QUOTE_EX_VERSION          "1.1.112.1"
+#define UAE_SERVICE_VERSION       "2.3.211.2"
+#define URTS_VERSION              "1.1.115.2"
+#define ENCLAVE_COMMON_VERSION    "1.1.118.2"
+#define LAUNCH_VERSION            "1.0.113.2"
+#define EPID_VERSION              "1.0.113.2"
+#define QUOTE_EX_VERSION          "1.1.113.2"
 
 #endif

common/inc/sgx_error.h

@@ -44,9 +44,8 @@ typedef enum _status_t
     SGX_ERROR_ENCLAVE_LOST       = SGX_MK_ERROR(0x0004),      /* Enclave lost after power transition or used in child process created by linux:fork() */
     SGX_ERROR_INVALID_STATE      = SGX_MK_ERROR(0x0005),      /* SGX API is invoked in incorrect order or state */
     SGX_ERROR_FEATURE_NOT_SUPPORTED = SGX_MK_ERROR(0x0008),   /* Feature is not supported on this platform */
-    SGX_PTHREAD_EXIT                          =    SGX_MK_ERROR(0x0009),    /* Enclave is exited with pthread_exit() */
-
-
+    SGX_PTHREAD_EXIT             = SGX_MK_ERROR(0x0009),      /* Enclave is exited with pthread_exit() */
+    SGX_ERROR_MEMORY_MAP_FAILURE = SGX_MK_ERROR(0x000a),      /* Failed to reserve memory for the enclave */
 
     SGX_ERROR_INVALID_FUNCTION   = SGX_MK_ERROR(0x1001),      /* The ecall/ocall index is invalid */
     SGX_ERROR_OUT_OF_TCS         = SGX_MK_ERROR(0x1003),      /* The enclave is out of TCS */

common/src/se_memory.c

@@ -38,7 +38,10 @@
 void* se_virtual_alloc(void* address, size_t size, uint32_t type)
 {
     UNUSED(type);
-    void* pRet = mmap(address, size, PROT_READ | PROT_WRITE, MAP_PRIVATE |  MAP_ANONYMOUS, -1, 0);
+    int mmap_flag = MAP_PRIVATE |  MAP_ANONYMOUS;
+    if(address != NULL)
+        mmap_flag |= MAP_FIXED;
+    void* pRet = mmap(address, size, PROT_READ | PROT_WRITE, mmap_flag, -1, 0);
     if(MAP_FAILED == pRet)
         return NULL;
     return pRet;

download_prebuilt.sh

@@ -33,11 +33,11 @@
 
 top_dir=`dirname $0`
 out_dir=$top_dir
-optlib_name=optimized_libs_2.13.3.tar.gz
-ae_file_name=prebuilt_ae_2.13.3.tar.gz
+optlib_name=optimized_libs_2.14.tar.gz
+ae_file_name=prebuilt_ae_2.14.tar.gz
 binutils_file_name=as.ld.objdump.gold.r3.tar.gz
-checksum_file=SHA256SUM_prebuilt_2.13.3.cfg
-server_url_path=https://download.01.org/intel-sgx/sgx-linux/2.13.3
+checksum_file=SHA256SUM_prebuilt_2.14.cfg
+server_url_path=https://download.01.org/intel-sgx/sgx-linux/2.14
 server_optlib_url=$server_url_path/$optlib_name
 server_ae_url=$server_url_path/$ae_file_name
 server_binutils_url=$server_url_path/$binutils_file_name

external/dcap_source

@@ -32,18 +32,18 @@
 
 top_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 openssl_out_dir=$top_dir/openssl_source
-openssl_ver=1.1.1i
+openssl_ver=1.1.1k
 openssl_ver_name=openssl-$openssl_ver
 sgxssl_github_archive=https://github.com/intel/intel-sgx-ssl/archive
-sgxssl_ver=2.13
+sgxssl_ver=2.14
 sgxssl_ver_name=v$sgx_ver
 sgxssl_file_name=lin_$sgxssl_ver\_$openssl_ver
 build_script=$top_dir/Linux/build_openssl.sh
 server_url_path=https://www.openssl.org/source
 full_openssl_url=$server_url_path/old/1.1.1/$openssl_ver_name.tar.gz
 
-sgxssl_chksum=95997e75d0ea09e525626ce3812bbd3dd972382a20a989bcf1c3acb9746d2a23
-openssl_chksum=e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242
+sgxssl_chksum=825e58823f2ec39bcfb69c2c62cc4e769bdac057ade10b362cdeac1f5a563954
+openssl_chksum=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5
 rm -f check_sum_sgxssl.txt check_sum_openssl.txt
 if [ ! -f $build_script ]; then
 	wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $top_dir || exit 1

external/ippcp_internal/0001-Add-mitigation-support-to-assembly-code.patch

@@ -220,6 +220,21 @@ if [ -d /run/systemd/system ]; then
     systemctl start remount-dev-exec
 fi
 
+trigger_udev() {
+    if ! which udevadm &> /dev/null; then
+        return 0
+    fi
+    udevadm control --reload || :
+    udevadm trigger || :
+}
+
+# Add sgx_prv for in-kernel driver.
+if [ -c /dev/sgx_provision -o -c /dev/sgx/provision ]; then
+    /usr/bin/getent group sgx_prv &> /dev/null || /usr/sbin/groupadd sgx_prv
+    trigger_udev
+fi
+
+
 $AESM_PATH/cse_provision_tool 2> /dev/null || true
 rm -f $AESM_PATH/cse_provision_tool
 

external/sgxssl/prepare_sgxssl.sh

@@ -1,2 +1,3 @@
 DeliveryName	InstallName	FileCheckSum	FileFeature	FileOwner
 <deliverydir>/build/linux/libsgx_pce.signed.so	<installdir>/lib/libsgx_pce.signed.so	0	main	STP
+<deliverydir>/linux/installer/common/sgx-aesm-service/92-sgx-provision.rules	<installdir>/etc/udev/rules.d/93-sgx-provision.rules	0	main	STP

linux/installer/common/psw/install.sh

@@ -9,7 +9,6 @@ DeliveryName	InstallName	FileCheckSum	FileFeature	FileOwner
 <deliverydir>/build/linux/aesmd.service	<installdir>/aesm/aesmd.service	0	main	STP
 <deliverydir>/build/linux/aesm_service	<installdir>/aesm/aesm_service	0	main	STP
 <deliverydir>/psw/ae/aesm_service/config/network/aesmd.conf	<installdir>/aesm/conf/aesmd.conf	0	main	STP
-<deliverydir>/linux/installer/common/sgx-aesm-service/92-sgx-provision.rules	<installdir>/aesm/conf/udev/rules.d/92-sgx-provision.rules	0	main	STP
 <deliverydir>/linux/installer/common/sgx-aesm-service/linksgx.sh	<installdir>/aesm/linksgx.sh	0	main	STP
 <deliverydir>/linux/installer/common/sgx-aesm-service/startup.sh	<installdir>/startup.sh	0	main	STP
 <deliverydir>/linux/installer/common/sgx-aesm-service/cleanup.sh	<installdir>/cleanup.sh	0	main	STP

linux/installer/common/sgx-aesm-service/BOMs/libsgx-ae-pce.txt

@@ -84,6 +84,9 @@ $(PACKAGES):
 		install $(PACKAGE_ROOT_FOLDER)/$@/$(LIB_DIR)/* $(DESTDIR)/$@/$(USR_LIB_PATH), \
 		install -d $(shell readlink -m $(DESTDIR)/$@/$(AESM_SERVICE_PACKAGE_PATH)/$(AESM_SERVICE_PACKAGE_NAME)) && \
 		cp -r $(PACKAGE_ROOT_FOLDER)/$@/* $(DESTDIR)/$@/$(AESM_SERVICE_PACKAGE_PATH)/$(AESM_SERVICE_PACKAGE_NAME)) 
+	$(if $(wildcard $(PACKAGE_ROOT_FOLDER)/$@/$(ETC_DIR)/.*), \
+		install -d $(shell readlink -m $(DESTDIR)/$@/$(ETC_DIR)) && \
+		cp -fr $(PACKAGE_ROOT_FOLDER)/$@/$(ETC_DIR)/* $(DESTDIR)/$@/$(ETC_DIR))
 	$(if $(wildcard $(PACKAGE_ROOT_FOLDER)/$@/aesm/data/.*), \
 		install -d $(shell readlink -m $(DESTDIR)/$@/$(VAR_OPT_PATH)) && \
 		cp -fr $(DESTDIR)/$@/$(AESM_SERVICE_PACKAGE_PATH)/$(AESM_SERVICE_PACKAGE_NAME)/aesm/data \

linux/installer/common/sgx-aesm-service/BOMs/sgx-aesm-service.txt

@@ -36,12 +36,8 @@ if test $(id -u) -ne 0; then
 fi
 
 /usr/bin/getent group sgx_prv &> /dev/null
-if [ $? != "0" -a -c /dev/sgx/provision ]; then
-    # Add sgx_prv for in-kernel driver.
-    /usr/sbin/groupadd sgx_prv
-    udevadm trigger
+if [ $? == "0" ]; then
+    /usr/sbin/usermod -aG sgx_prv aesmd &> /dev/null
 fi
 
-/usr/sbin/usermod -aG sgx_prv aesmd &> /dev/null
-
 echo

linux/installer/common/sgx-aesm-service/Makefile

@@ -17,10 +17,17 @@ set -e
 # for details, see http://www.debian.org/doc/debian-policy/ or
 # the debian-policy package
 
+trigger_udev() {
+    if ! which udevadm &> /dev/null; then
+        return 0
+    fi
+    udevadm control --reload || :
+    udevadm trigger || :
+}
 
 case "$1" in
     configure)
-        udevadm trigger &> /dev/null || true
+        trigger_udev
         systemctl enable remount-dev-exec &> /dev/null || true
         systemctl start remount-dev-exec &> /dev/null || true
     ;;