Blob loading feature

enclave/core/sgx/globals.c

@@ -127,6 +127,8 @@ extern volatile const oe_sgx_enclave_properties_t oe_enclave_properties_sgx;
 static volatile uint64_t _enclave_rva;
 static volatile uint64_t _reloc_rva;
 static volatile uint64_t _reloc_size;
+static volatile uint64_t _blob_rva;
+static volatile uint64_t _blob_size;
 
 #endif
 
@@ -196,6 +198,39 @@ size_t __oe_get_reloc_size()
 #endif
 }
 
+/*
+**==============================================================================
+**
+** blob boundaries:
+**
+**==============================================================================
+*/
+
+const void* __oe_get_blob_base()
+{
+    const unsigned char* base = __oe_get_enclave_base();
+
+#if defined(__linux__)
+    return base + _blob_rva;
+#else
+#error "unsupported"
+#endif
+}
+
+const void* __oe_get_blob_end()
+{
+    return (const uint8_t*)__oe_get_blob_base() + __oe_get_blob_size();
+}
+
+size_t __oe_get_blob_size()
+{
+#if defined(__linux__)
+    return _blob_size;
+#else
+#error "unsupported"
+#endif
+}
+
 /*
 **==============================================================================
 **

enclave/core/sgx/linux/threadlocal.c

@@ -363,7 +363,8 @@ void __cxa_thread_atexit(void (*destructor)(void*), void* object)
 oe_result_t oe_thread_local_cleanup(td_t* td)
 {
     /* OE thread local clean up not required in SW mode for SGXLKL */
-    if (td->simulate) return OE_OK;
+    if (td->simulate)
+        return OE_OK;
 
     /* Call tls atexit functions in reverse order*/
     if (_tls_atexit_functions)

host/sgx/loadelf.c

@@ -407,7 +407,8 @@ static oe_result_t _calculate_size(
     const oe_enclave_image_t* image,
     size_t* image_size)
 {
-    *image_size = image->image_size + image->reloc_size;
+    *image_size = image->image_size + image->reloc_size +
+                  oe_round_up_to_page_size(image->blob_size);
     return OE_OK;
 }
 
@@ -444,6 +445,8 @@ static oe_result_t _unload(oe_enclave_image_t* image)
 **
 **     [RELOCATION-PAGES]:
 **
+**     [BLOB-PAGES]: flags=reg|r content=(.oeblob section)
+**
 **     [HEAP-PAGES]: flags=reg|w|r content=0x00000000
 **
 **     [THREAD-PAGES]:
@@ -512,6 +515,68 @@ static oe_result_t _add_relocation_pages(
     return result;
 }
 
+static oe_result_t _add_blob_pages(
+    oe_sgx_load_context_t* context,
+    uint64_t enclave_addr,
+    const void* blob_data,
+    const size_t blob_size,
+    uint64_t* vaddr)
+{
+    oe_result_t result = OE_UNEXPECTED;
+
+    if (!context || !vaddr)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    /* Add any blob pages as regular-read-only pages. */
+    if (blob_data && blob_size)
+    {
+        const uint8_t* p = (const uint8_t*)blob_data;
+        size_t n = blob_size;
+
+        /* Add whole pages. */
+        while (n > OE_PAGE_SIZE)
+        {
+            const uint64_t addr = enclave_addr + *vaddr;
+            const uint64_t src = (uint64_t)p;
+            const uint64_t flags = SGX_SECINFO_REG | SGX_SECINFO_R;
+            const bool extend = true;
+
+            OE_CHECK(oe_sgx_load_enclave_data(
+                context, enclave_addr, addr, src, flags, extend));
+
+            (*vaddr) += OE_PAGE_SIZE;
+
+            /* Advance to the next page. */
+            p += OE_PAGE_SIZE;
+            n -= OE_PAGE_SIZE;
+        }
+
+        /* Add remaining bytes. */
+        if (n)
+        {
+            uint8_t page[OE_PAGE_SIZE];
+            const uint64_t addr = enclave_addr + *vaddr;
+            const uint64_t src = (uint64_t)page;
+            const uint64_t flags = SGX_SECINFO_REG | SGX_SECINFO_R;
+            const bool extend = true;
+
+            /* Copy remaining bytes followed by zero-padding. */
+            memcpy(page, p, n);
+            memset(page + n, 0, OE_PAGE_SIZE - n);
+
+            OE_CHECK(oe_sgx_load_enclave_data(
+                context, enclave_addr, addr, src, flags, extend));
+
+            (*vaddr) += OE_PAGE_SIZE;
+        }
+    }
+
+    result = OE_OK;
+
+done:
+    return result;
+}
+
 static oe_result_t _add_segment_pages(
     oe_sgx_load_context_t* context,
     uint64_t enclave_addr,
@@ -595,6 +660,14 @@ static oe_result_t _add_pages(
         image->reloc_size,
         vaddr));
 
+    /* Add the .oeblob section pages if any. */
+    OE_CHECK(_add_blob_pages(
+        context,
+        enclave->addr,
+        image->u.elf.blob_data,
+        image->blob_size,
+        vaddr));
+
     result = OE_OK;
 
 done:
@@ -679,16 +752,25 @@ static oe_result_t _patch(oe_enclave_image_t* image, size_t enclave_end)
     OE_CHECK(_get_symbol_rva(image, "_enclave_rva", &enclave_rva));
     OE_CHECK(_set_uint64_t_symbol_value(image, "_enclave_rva", enclave_rva));
 
+    /* Keep track of the current rva starting at the end of image. */
+    size_t rva = image->image_size;
+
     /* reloc right after image */
-    oeprops->image_info.reloc_rva = image->image_size;
+    oeprops->image_info.reloc_rva = rva;
     oeprops->image_info.reloc_size = image->reloc_size;
     OE_CHECK(
         _set_uint64_t_symbol_value(image, "_reloc_rva", image->image_size));
     OE_CHECK(
         _set_uint64_t_symbol_value(image, "_reloc_size", image->reloc_size));
+    rva += image->reloc_size;
+
+    /* blob right after reloc */
+    OE_CHECK(_set_uint64_t_symbol_value(image, "_blob_rva", rva));
+    OE_CHECK(_set_uint64_t_symbol_value(image, "_blob_size", image->blob_size));
+    rva += oe_round_up_to_page_size(image->blob_size);
 
-    /* heap right after image */
-    oeprops->image_info.heap_rva = image->image_size + image->reloc_size;
+    /* heap right after blob */
+    oeprops->image_info.heap_rva = rva;
 
     if (image->tdata_size)
     {
@@ -788,6 +870,19 @@ oe_result_t oe_load_elf_enclave_image(
         0)
         OE_RAISE(OE_FAILURE);
 
+    /* Save pointer to blob data and blob size */
+    {
+        elf64_t* elf = &image->u.elf.elf;
+        unsigned char* data;
+        size_t size;
+
+        if (elf64_find_section(elf, ".oeblob", &data, &size) == 0)
+        {
+            image->u.elf.blob_data = data;
+            image->blob_size = size;
+        }
+    }
+
     if (oe_get_current_logging_level() >= OE_LOG_LEVEL_VERBOSE)
         _dump_relocations(image->u.elf.reloc_data, image->reloc_size);
 

include/openenclave/internal/globals.h

@@ -20,6 +20,11 @@ const void* __oe_get_reloc_base(void);
 const void* __oe_get_reloc_end(void);
 size_t __oe_get_reloc_size(void);
 
+/* blob data (from the .oeblob section) */
+const void* __oe_get_blob_base(void);
+const void* __oe_get_blob_end(void);
+size_t __oe_get_blob_size(void);
+
 /* Heap */
 const void* __oe_get_heap_base(void);
 const void* __oe_get_heap_end(void);

include/openenclave/internal/load.h

@@ -50,6 +50,7 @@ typedef struct _oe_enclave_elf_image
     oe_elf_segment_t* segments;
     size_t num_segments;
     void* reloc_data;
+    void* blob_data;
 } oe_enclave_elf_image_t;
 
 typedef struct _oe_enclave_pe_image
@@ -81,6 +82,9 @@ struct _oe_enclave_image
     /* size of relocation */
     size_t reloc_size;
 
+    /* size of blob section */
+    size_t blob_size;
+
     /* Thread-local storage .tdata section */
     uint64_t tdata_rva;
     uint64_t tdata_size;

tests/CMakeLists.txt

@@ -27,6 +27,7 @@ add_subdirectory(tools)
 if (OE_SGX)
     add_subdirectory(cpuid)
     add_subdirectory(aesm)
+    add_subdirectory(blob)
     add_subdirectory(debugger)
     add_subdirectory(host_verify)
     add_subdirectory(switchless)

tests/blob/CMakeLists.txt

@@ -0,0 +1,12 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+add_subdirectory(host)
+add_subdirectory(enc)
+
+set(BLOB ${CMAKE_CURRENT_SOURCE_DIR}/enc/blob.txt)
+
+add_test(tests/blob
+    ${CMAKE_CURRENT_BINARY_DIR}/host/blob_host
+    ${CMAKE_CURRENT_BINARY_DIR}/enc/blob_enc_with_blob
+    ${BLOB})

tests/blob/README.md

@@ -0,0 +1,22 @@
+blob test
+=========
+
+This test verifies the .oeblob section loading feature. Enclave image files may
+optionally include an .oeblob section. If present, the section is loaded and
+measured during enclave loading.  Enclaves may access this section at runtime
+with the following functions.
+
+```
+extern const void* __oe_get_blob_base(void);
+extern size_t __oe_get_blob_size(void);
+```
+
+This test uses the **objcopy** command to add an .oeblob section. For example:
+
+```
+$ objcopy --add-section .oeblob=blob.txt --set-section-flags .oeblob=noload,readonly blob_enc blob_enc_with_blob
+```
+
+The host program loads the **blob_enc_with_blob** enclave and then passes it
+a copy of the blob file. The enclave compares the expected blob contents with
+the actual contents of the .oeblob section.

tests/blob/blob.edl

@@ -0,0 +1,10 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+enclave
+{
+    trusted
+    {
+        public void test_blob([in, size=size] const void* data, size_t size);
+    };
+};

tests/blob/enc/CMakeLists.txt

@@ -0,0 +1,37 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+##==============================================================================
+##
+## Rules to create blob_enc and blob_with_blob
+##
+##==============================================================================
+
+oeedl_file(../blob.edl enclave gen)
+
+add_enclave(TARGET blob_enc
+    UUID a72d9831-4c4b-461d-bf83-e4d3d58cc40b SOURCES enc.c ${gen})
+
+target_include_directories(blob_enc PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+
+target_link_libraries(blob_enc oelibc)
+
+##==============================================================================
+##
+## Rules to create the enclave with the .oeblob section
+##
+##==============================================================================
+
+set(ENCLAVE_IN ${CMAKE_CURRENT_BINARY_DIR}/blob_enc)
+set(ENCLAVE_OUT ${ENCLAVE_IN}_with_blob)
+set(BLOB ${CMAKE_CURRENT_SOURCE_DIR}/blob.txt)
+
+add_custom_command(
+    OUTPUT ${ENCLAVE_OUT}
+    DEPENDS ${ENCLAVE_IN}
+    COMMAND objcopy
+        --add-section .oeblob=${BLOB}
+        --set-section-flags .oeblob=noload,readonly
+        ${ENCLAVE_IN} ${ENCLAVE_OUT})
+
+add_custom_target(add_blob ALL DEPENDS ${ENCLAVE_OUT})