Skip to content

Commit

Permalink
Update SGX SDK to 2.21.100.1 (#431)
Browse files Browse the repository at this point in the history
  • Loading branch information
nick-mobilecoin authored Oct 17, 2023
2 parents c890555 + 0449dd8 commit 210aeb0
Show file tree
Hide file tree
Showing 8 changed files with 60 additions and 27 deletions.
4 changes: 2 additions & 2 deletions .devcontainer/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -12,14 +12,14 @@ RUN apt-get update \
&& rm -r /var/lib/apt/lists

# Install SGX_SDK
ARG SGX_URL=https://download.01.org/intel-sgx/sgx-linux/2.20/distro/ubuntu22.04-server/sgx_linux_x64_sdk_2.20.100.4.bin
ARG SGX_URL=https://download.01.org/intel-sgx/sgx-linux/2.21/distro/ubuntu22.04-server/sgx_linux_x64_sdk_2.21.100.1.bin
RUN curl -o sgx.bin "${SGX_URL}" \
&& chmod +x ./sgx.bin \
&& ./sgx.bin --prefix=/opt/intel \
&& rm ./sgx.bin

# Install DCAP libraries
ARG DCAP_VERSION=1.17.100.4-jammy1
ARG DCAP_VERSION=1.18.100.1-jammy1
RUN mkdir -p /etc/apt/keyrings \
&& wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | gpg --dearmor | tee /etc/apt/keyrings/intel-sgx.gpg > /dev/null \
&& echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main" | tee /etc/apt/sources.list.d/intel-sgx.list \
Expand Down
18 changes: 9 additions & 9 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ jobs:
- uses: actions/checkout@v4
- uses: mobilecoinfoundation/actions/dcap-libs@main
with:
version: 1.17.100.4-jammy1
version: 1.18.100.1-jammy1
- id: suppression
run: |
if [ "${{ matrix.rust }}" == "stable" ]; then
Expand Down Expand Up @@ -98,10 +98,10 @@ jobs:
- uses: actions/checkout@v4
- uses: mobilecoinfoundation/actions/sgxsdk@main
with:
version: 2.20.100.4
version: 2.21.100.1
- uses: mobilecoinfoundation/actions/dcap-libs@main
with:
version: 1.17.100.4-jammy1
version: 1.18.100.1-jammy1
- uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ matrix.rust }}
Expand All @@ -122,10 +122,10 @@ jobs:
- uses: actions/checkout@v4
- uses: mobilecoinfoundation/actions/sgxsdk@main
with:
version: 2.20.100.4
version: 2.21.100.1
- uses: mobilecoinfoundation/actions/dcap-libs@main
with:
version: 1.17.100.4-jammy1
version: 1.18.100.1-jammy1
- uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ matrix.rust }}
Expand All @@ -146,10 +146,10 @@ jobs:
- uses: actions/checkout@v4
- uses: mobilecoinfoundation/actions/sgxsdk@main
with:
version: 2.20.100.4
version: 2.21.100.1
- uses: mobilecoinfoundation/actions/dcap-libs@main
with:
version: 1.17.100.4-jammy1
version: 1.18.100.1-jammy1
- uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ matrix.rust }}
Expand Down Expand Up @@ -187,10 +187,10 @@ jobs:
- uses: actions/checkout@v4
- uses: mobilecoinfoundation/actions/sgxsdk@main
with:
version: 2.20.100.4
version: 2.21.100.1
- uses: mobilecoinfoundation/actions/dcap-libs@main
with:
version: 1.17.100.4-jammy1
version: 1.18.100.1-jammy1
- uses: dtolnay/rust-toolchain@stable
with:
components: llvm-tools-preview
Expand Down
2 changes: 1 addition & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Changed

- The SGX SDK version is now 2.20.100.4
- The SGX SDK version is now 2.21.100.1

## [0.8.0] - 2023-09-21

Expand Down
19 changes: 12 additions & 7 deletions core/build/headers/sgx_dcap_quoteverify.h
Original file line number Diff line number Diff line change
Expand Up @@ -49,18 +49,23 @@ extern "C" {
* When the Quoting Verification Library is linked to a process, it needs to know the proper enclave loading policy.
* The library may be linked with a long lived process, such as a service, where it can load the enclaves and leave
* them loaded (persistent). This better ensures that the enclaves will be available upon quote requests and not subject
* to EPC limitations if loaded on demand. However, if the Quoting library is linked with an application process, there
* may be many applications with the Quoting library and a better utilization of EPC is to load and unloaded the quoting
* enclaves on demand (ephemeral). The library will be shipped with a default policy of loading enclaves and leaving
* them loaded until the library is unloaded (PERSISTENT). If the policy is set to EPHEMERAL, then the QE and PCE will
* be loaded and unloaded on-demand. If either enclave is already loaded when the policy is change to EPHEMERAL, the
* enclaves will be unloaded before returning.
* to EPC limitations if loaded on demand. However, if the QVL is linked with an application process, there may be many
* applications with the QVL and a better utilization of EPC is to load and unloaded the quote verification enclaves on
* demand (ephemeral). The library will be shipped with a default policy of loading enclaves and leaving
* them loaded until the library is unloaded (PERSISTENT). If the policy is set to EPHEMERAL, then the QvE will
* be loaded and unloaded on-demand.
* Supported policies:
* SGX_QL_EPHEMERAL - Default policy. QvE is initialized and terminated on every quote verification function call.
* SGX_QL_PERSISTENT - All the threads will share single QvE instance, and QvE is initialized on first use and reused until process ends.
* SGX_QL_EPHEMERAL_QVE_MULTI_THREAD - QvE is loaded per thread and be unloaded before function exit.
* SGX_QL_PERSISTENT_QVE_MULTI_THREAD - QvE is loaded per thread and only be unloaded before thread exit.
*
* NOTE: QvE load policy should be only set once in one process, change the policy means all threads will be impacted.
*
* @param policy Sets the requested enclave loading policy to either SGX_QL_PERSISTENT, SGX_QL_EPHEMERAL or SGX_QL_DEFAULT.
*
* @return SGX_QL_SUCCESS Successfully set the enclave loading policy for the quoting library's enclaves.
* @return SGX_QL_UNSUPPORTED_LOADING_POLICY The selected policy is not support by the quoting library.
* @return SGX_QL_ERROR_UNEXPECTED Unexpected internal error.
*
**/
quote3_error_t sgx_qv_set_enclave_load_policy(sgx_ql_request_policy_t policy);
Expand Down
3 changes: 3 additions & 0 deletions core/build/headers/sgx_pce.h
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,9 @@ typedef enum _sgx_ql_request_policy
SGX_QL_PERSISTENT, ///< QE is initialized on first use and reused until process ends.
SGX_QL_EPHEMERAL, ///< QE is initialized and terminated on every quote.
///< If a previous QE exists, it is stopped & restarted before quoting.
SGX_QL_EPHEMERAL_QVE_MULTI_THREAD, ///< Only used for quote verification, QvE is loaded per thread and be unloaded before function exit.
SGX_QL_PERSISTENT_QVE_MULTI_THREAD, ///< Only used for quote verification, QvE is loaded per thread and be unloaded before thread exit.

SGX_QL_DEFAULT = SGX_QL_PERSISTENT
} sgx_ql_request_policy_t;

Expand Down
14 changes: 7 additions & 7 deletions core/build/headers/sgx_quote_4.h
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@

#pragma pack(push, 1)

#define TD_INFO_RESERVED_BYTES 112
#define TD_INFO_RESERVED_BYTES_V1 112
typedef struct _tee_info_t /* 512 bytes */
{
tee_attributes_t attributes; /* ( 0) TD's attributes */
Expand All @@ -56,7 +56,7 @@ typedef struct _tee_info_t /* 512 bytes */
tee_measurement_t mr_owner; /* (112) Software defined ID for the guest TD's owner */
tee_measurement_t mr_owner_config; /* (160) Software defined ID for owner-defined configuration of the guest TD, e.g., specific to the workload rather than the runtime or OS */
tee_measurement_t rt_mr[4]; /* (208) Array of 4(TDX1: NUM_RTMRS is 4) runtime extendable measurement registers */
uint8_t reserved[TD_INFO_RESERVED_BYTES]; /* (400) Reserved, must be zero */
uint8_t reserved[TD_INFO_RESERVED_BYTES_V1]; /* (400) Reserved, must be zero */
} tee_info_t;


Expand All @@ -66,7 +66,7 @@ typedef struct _tee_tcb_svn_t
uint8_t tcb_svn[TEE_TCB_SVN_SIZE];
} tee_tcb_svn_t;

#define TD_TEE_TCB_INFO_RESERVED_BYTES 111
#define TD_TEE_TCB_INFO_RESERVED_BYTES_V1 111
typedef struct _tee_tcb_info_t
{
uint8_t valid[8]; /* ( 0) Indicates TEE_TCB_INFO fields which are valid
Expand All @@ -77,7 +77,7 @@ typedef struct _tee_tcb_info_t
tee_measurement_t mr_seam; /* ( 24) Measurement of the SEAM module */
tee_measurement_t mr_seam_signer; /* ( 72) Measurement of SEAM module signer. (Not populated for Intel SEAM modules) */
tee_attributes_t attributes; /* (120) Additional configuration attributes.(Not populated for Intel SEAM modules) */
uint8_t reserved[TD_TEE_TCB_INFO_RESERVED_BYTES]; /* (128) Reserved, must be zero */
uint8_t reserved[TD_TEE_TCB_INFO_RESERVED_BYTES_V1];/* (128) Reserved, must be zero */
} tee_tcb_info_t;

/** The SGX_QL_SGX_QL_ALG_ECDSA_P256 specific data structure. Appears in the signature_data[] of the sgx_quote3_t
Expand Down Expand Up @@ -123,7 +123,7 @@ typedef struct _sgx_quote4_header_t {
typedef struct _sgx_report2_body_t {
tee_tcb_svn_t tee_tcb_svn; ///< 0: TEE_TCB_SVN Array
tee_measurement_t mr_seam; ///< 16: Measurement of the SEAM module
tee_measurement_t mrsigner_seam; ///< 64: Measurement of a 3rd party SEAM module’s signer (SHA384 hash).
tee_measurement_t mrsigner_seam; ///< 64: Measurement of a 3rd party SEAM module’s signer (SHA384 hash).
/// The value is 0’ed for Intel SEAM module
tee_attributes_t seam_attributes; ///< 112: MBZ: TDX 1.0
tee_attributes_t td_attributes; ///< 120: TD's attributes
Expand All @@ -141,12 +141,12 @@ typedef struct _sgx_report2_body_t {
typedef struct _sgx_quote4_t {
sgx_quote4_header_t header; ///< 0: The quote header.
sgx_report2_body_t report_body; ///< 48: The REPORT of the TD that is attesting remotely.
uint32_t signature_data_len; ///< 656: The length of the signature_data. Varies depending on the type of sign_type.
uint32_t signature_data_len; ///< 632: The length of the signature_data. Varies depending on the type of sign_type.
#ifdef _MSC_VER
#pragma warning(push)
#pragma warning ( disable:4200 )
#endif
uint8_t signature_data[]; ///< 660: Contains the variable length containing the quote signature and support data for the signature.
uint8_t signature_data[]; ///< 636: Contains the variable length containing the quote signature and support data for the signature.
#ifdef _MSC_VER
#pragma warning(pop)
#endif
Expand Down
3 changes: 3 additions & 0 deletions core/build/headers/sgx_report2.h
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,8 @@
#ifndef _SGX_REPORT2_H_
#define _SGX_REPORT2_H_

#include <stdint.h>

#define TEE_HASH_384_SIZE 48 /* SHA384 */
#define TEE_MAC_SIZE 32 /* Message SHA 256 HASH Code - 32 bytes */

Expand Down Expand Up @@ -67,6 +69,7 @@ typedef struct _tee_attributes_t
#define TEE_REPORT2_TYPE 0x81 /* TEE Report Type2 */
#define TEE_REPORT2_SUBTYPE 0x0 /* SUBTYPE for Report Type2 is 0 */
#define TEE_REPORT2_VERSION 0x0 /* VERSION for Report Type2 is 0 */
#define TEE_REPORT2_VERSION_SERVICETD 0x1 /* VERSION for Report Type2 which mr_servicetd is used */

typedef struct _tee_report_type_t {
uint8_t type; /* Trusted Execution Environment(TEE) type:
Expand Down
24 changes: 23 additions & 1 deletion dcap/types/src/request_policy.rs
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,12 @@ pub enum RequestPolicy {
/// previous quoting enclave exists, it is stopped and restarted before
/// quoting.
Ephemeral,
/// Only used for quote verification, QvE is loaded per thread and be
/// unloaded before thread exit.
PersistentQveMultiThread,
/// Only used for quote verification, QvE is loaded per thread and be
/// unloaded before function exit.
EphemeralQveMultiThread,
}

impl TryFrom<sgx_ql_request_policy_t> for RequestPolicy {
Expand All @@ -26,6 +32,12 @@ impl TryFrom<sgx_ql_request_policy_t> for RequestPolicy {
match p {
sgx_ql_request_policy_t::SGX_QL_PERSISTENT => Ok(Self::Persistent),
sgx_ql_request_policy_t::SGX_QL_EPHEMERAL => Ok(Self::Ephemeral),
sgx_ql_request_policy_t::SGX_QL_PERSISTENT_QVE_MULTI_THREAD => {
Ok(Self::PersistentQveMultiThread)
}
sgx_ql_request_policy_t::SGX_QL_EPHEMERAL_QVE_MULTI_THREAD => {
Ok(Self::EphemeralQveMultiThread)
}
p => Err(FfiError::UnknownEnumValue(p.0.into())),
}
}
Expand All @@ -36,6 +48,12 @@ impl From<RequestPolicy> for sgx_ql_request_policy_t {
match p {
RequestPolicy::Persistent => sgx_ql_request_policy_t::SGX_QL_PERSISTENT,
RequestPolicy::Ephemeral => sgx_ql_request_policy_t::SGX_QL_EPHEMERAL,
RequestPolicy::PersistentQveMultiThread => {
sgx_ql_request_policy_t::SGX_QL_PERSISTENT_QVE_MULTI_THREAD
}
RequestPolicy::EphemeralQveMultiThread => {
sgx_ql_request_policy_t::SGX_QL_EPHEMERAL_QVE_MULTI_THREAD
}
}
}
}
Expand All @@ -48,6 +66,8 @@ mod test {
#[parameterized(
persistent = { sgx_ql_request_policy_t::SGX_QL_PERSISTENT, RequestPolicy::Persistent },
ephemeral = { sgx_ql_request_policy_t::SGX_QL_EPHEMERAL, RequestPolicy::Ephemeral },
persistent_qve_multi_thread = { sgx_ql_request_policy_t::SGX_QL_PERSISTENT_QVE_MULTI_THREAD, RequestPolicy::PersistentQveMultiThread },
ephemeral_qve_multi_thread = { sgx_ql_request_policy_t::SGX_QL_EPHEMERAL_QVE_MULTI_THREAD, RequestPolicy::EphemeralQveMultiThread },
defualt = { sgx_ql_request_policy_t::SGX_QL_DEFAULT, RequestPolicy::Persistent },
)]
fn from_sgx_to_policy(sgx_policy: sgx_ql_request_policy_t, expected: RequestPolicy) {
Expand All @@ -58,14 +78,16 @@ mod test {
#[parameterized(
persistent = { RequestPolicy::Persistent, sgx_ql_request_policy_t::SGX_QL_PERSISTENT },
ephemeral = { RequestPolicy::Ephemeral, sgx_ql_request_policy_t::SGX_QL_EPHEMERAL },
persistent_qve_multi_thread = { RequestPolicy::PersistentQveMultiThread, sgx_ql_request_policy_t::SGX_QL_PERSISTENT_QVE_MULTI_THREAD },
ephemeral_qve_multi_thread = { RequestPolicy::EphemeralQveMultiThread, sgx_ql_request_policy_t::SGX_QL_EPHEMERAL_QVE_MULTI_THREAD },
)]
fn from_policy_to_sgx(policy: RequestPolicy, expected: sgx_ql_request_policy_t) {
let sgx_policy: sgx_ql_request_policy_t = policy.into();
assert_eq!(sgx_policy, expected);
}
#[test]
fn sgx_policy_out_of_bounds_panics() {
let result = RequestPolicy::try_from(sgx_ql_request_policy_t(2));
let result = RequestPolicy::try_from(sgx_ql_request_policy_t(4));
assert!(result.is_err());
}
}

0 comments on commit 210aeb0

Please sign in to comment.