# SDK build mode, overridable from the environment/command line (the Intel SDK
# also understands SIM).  Neither this nor USE_OPT_LIBS is read anywhere in
# this file; both are exported so the SDK pieces invoked by sub-makes and
# recipes see them.
SGX_MODE ?= HW
export SGX_MODE
# Presumably selects the SDK's optimized trusted libraries (0/1) — not
# consumed here, only exported.
USE_OPT_LIBS ?= 0
export USE_OPT_LIBS
##
## linux sdk
##
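# Location of the Intel SGX SDK; every path below derives from it and each can
# be overridden individually.  $(HOME) is Make's copy of the environment
# variable, so the exported SGX_LIBDIR/SGX_INCLUDEDIR reach child processes
# already expanded.  (With the shell-style `$$HOME` spelling they were
# exported as the literal text "$HOME/linux-sgx/...", which only a shell
# would expand — a non-shell child such as python saw the raw string.)
SGX_DIR ?= $(HOME)/linux-sgx
SGX_LIBDIR ?= $(SGX_DIR)/lib
SGX_INCLUDEDIR ?= $(SGX_DIR)/include
SGX_BINDIR ?= $(SGX_DIR)/bin
# SDK tools: the EDL bridge generator and the enclave signing tool.
SGX_EDGER8R ?= $(SGX_BINDIR)/sgx_edger8r
SGX_SIGN ?= $(SGX_BINDIR)/sgx_sign
export SGX_LIBDIR
export SGX_INCLUDEDIR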
##
## edger8r
##
# Generate the trusted bridge <stem>_t.c from <stem>.edl.  The generator
# apparently rewrites <stem>_t.h on every run as well, which would make the
# header look newer than everything compiled against it; so the header is
# moved aside first and restored afterwards (keeping its mtime), and the
# generator's exit status is carried across that restore so a failure still
# fails the rule.  The order of the three shell steps matters — keep them on
# one line.  $(includedir) is not defined here; presumably the including
# Makefile provides it.
%_t.c: %.edl %_t.h
	mv $*_t.h $*_t.h.bak
	$(SGX_EDGER8R) --trusted --trusted-dir $(dir $@) --search-path $(SGX_INCLUDEDIR) --search-path $(includedir) $<; RES=$$?; mv $*_t.h.bak $*_t.h; exit $$RES
# Generate only the trusted header <stem>_t.h from the EDL (--header-only);
# the %_t.c rule above depends on this one so the header is always made first.
%_t.h: %.edl
	$(SGX_EDGER8R) --trusted --trusted-dir $(dir $@) --search-path $(SGX_INCLUDEDIR) --search-path $(includedir) --header-only $<
# Untrusted (host-side) counterpart of the %_t.c rule: generate <stem>_u.c,
# preserving the existing <stem>_u.h and its mtime around the generator run
# and propagating the generator's exit status.  Step order matters.
%_u.c: %.edl %_u.h
	mv $*_u.h $*_u.h.bak
	$(SGX_EDGER8R) --untrusted --untrusted-dir $(dir $@) --search-path $(SGX_INCLUDEDIR) --search-path $(includedir) $<; RES=$$?; mv $*_u.h.bak $*_u.h; exit $$RES
# Generate only the untrusted header <stem>_u.h from the EDL (--header-only).
%_u.h: %.edl
	$(SGX_EDGER8R) --untrusted --untrusted-dir $(dir $@) --search-path $(SGX_INCLUDEDIR) --search-path $(includedir) --header-only $<
LLVM_BOLT ?= llvm-bolt
##
## pyxed/Intel Xed
##
# pyxed (Python bindings for Intel XED) is built from source into a private
# prefix under $(builddir); bin/lvi_checker needs it on PYTHONPATH.  Recursive
# (=) on purpose: $(builddir) may be defined by the including Makefile later.
PYXED_DIR = $(builddir)/pyxed
# NOTE(review): the interpreter version is hard-coded; with a different python3
# this path is never created — see the rule below.
PYXED_PYTHONPATH = $(builddir)/pyxed/build/instdir/lib/python3.7/site-packages
PYXED_GIT = https://github.com/huku-/pyxed
# Full commit hash, so the checkout is pinned rather than following a branch.
PYXED_GIT_REV = b197cfe675533bd4720ff890002ee98ae52ceb3f
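# Fetch, patch and install pyxed into $(PYXED_DIR)/build/instdir.  The target
# is the resulting site-packages directory that bin/lvi_checker needs on
# PYTHONPATH.  The checkout is pinned to the full commit hash PYXED_GIT_REV
# (fetched directly, depth 1) and its submodules are checked out at the
# commits that revision records.
$(PYXED_PYTHONPATH):
	rm -rf $(PYXED_DIR)
	mkdir -p $(PYXED_DIR)
	git init $(PYXED_DIR)
	git -C $(PYXED_DIR) remote add origin $(PYXED_GIT)
	git -C $(PYXED_DIR) fetch --depth 1 $(PYXED_GIT) $(PYXED_GIT_REV)
	git -C $(PYXED_DIR) checkout FETCH_HEAD
	git -C $(PYXED_DIR) submodule update --init --recursive --depth 1
# XXX Hack, remove after pyxed bugfix: drop the 4-line `static PyMethodDef
# methods[] =` definition (the matching line and the three that follow it).
	awk '/^static PyMethodDef methods\[\] =$$/ {ARG=4}; { if (ARG>0) {ARG=ARG-1} else {print} }' < $(PYXED_DIR)/pyxed.c > $(PYXED_DIR)/pyxed.c.new
	mv $(PYXED_DIR)/pyxed.c.new $(PYXED_DIR)/pyxed.c
	mkdir -p $(PYXED_DIR)/build/instdir
# `&&` so a failed cd can never run setup.py against the current directory.
	cd $(PYXED_DIR) && python3 setup.py install --prefix build/instdir
# setup.py installs under the interpreter's own pythonX.Y directory.  If that
# is not the python3.7 hard-coded in PYXED_PYTHONPATH the target never exists,
# and without this check every build would silently redo the whole fetch/build
# and the LVI check would then run against a missing module.
	test -d $@ || { echo "$@: not created by setup.py install; PYXED_PYTHONPATH does not match the python3 in use" >&2; exit 1; }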
##
## linking
##
# Compiler flags for code that runs inside the enclave: hidden default
# visibility and PIC for a self-contained shared object, headers from the
# SDK's trusted libc (tlibc), and a freestanding build (no host libc or
# builtins, no red zone, no jump tables).
ENCLAVE_CFLAGS = -fvisibility=hidden -fPIC -I$(SGX_INCLUDEDIR)/tlibc
ENCLAVE_CFLAGS += -fno-jump-tables -mno-red-zone -fno-builtin -ffreestanding

# Linker flags for the enclave image, assembled group by group.
# Standard hardening: read-only relocations, eager binding, non-exec stack.
ENCLAVE_LDFLAGS = -Wl,-z,relro,-z,now,-z,noexecstack
# Freestanding link: every symbol must resolve, no host startup files or
# default libraries; libraries come from $(builddir) and the SDK lib dir.
ENCLAVE_LDFLAGS += -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(builddir) -L$(SGX_LIBDIR)
# The trusted runtime is linked whole so none of its objects are dropped.
ENCLAVE_LDFLAGS += -Wl,--whole-archive -lsgx_trts -Wl,--no-whole-archive
# Trusted libc plus libselib (presumably the project's own enclave library,
# found via -L$(builddir)), resolved as a group.
ENCLAVE_LDFLAGS += -Wl,--start-group -lsgx_tstdc -lselib -Wl,--end-group
# Fully static, self-referential binding; nothing may be left to a host DSO.
ENCLAVE_LDFLAGS += -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-allow-shlib-undefined
# Entry symbol for the SGX loader and exported dynamic symbols; the build-id
# note is omitted (presumably so it cannot perturb the measured image).
ENCLAVE_LDFLAGS += -Wl,-eenclave_entry -Wl,--export-dynamic -Wl,--build-id=none
# Image base fixed at 0 and relocations retained in the output — the latter
# is presumably what llvm-bolt / the LVI checker need; confirm.
ENCLAVE_LDFLAGS += -Wl,--defsym,__ImageBase=0 -Wl,--emit-relocs
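# Link the unstripped enclave image lib<name>.unstripped.so.  The pattern-
# scoped CFLAGS applies to the object prerequisites (the edger8r-generated
# <name>_t.o here; presumably callers add their own .o files as further
# prerequisites — $(filter %.o,$^) keeps only objects on the link line).
# The version script lib<name>.lds is a real prerequisite so that editing it
# relinks the enclave; previously it was passed to the linker but invisible
# to Make, leaving a stale image "up to date".
$(builddir)/lib%.unstripped.so: CFLAGS += $(ENCLAVE_CFLAGS)
$(builddir)/lib%.unstripped.so: $(builddir)/%_t.o lib%.lds
	$(CC) $(LDFLAGS) -o $@ $(filter %.o,$^) $(LDLIBS) \
		$(ENCLAVE_LDFLAGS) -Wl,--version-script=$(filter %.lds,$^) -Wl,-soname,lib$*.so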
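# Post-link hardening of the enclave image with llvm-bolt.  The skip list
# bolt_skip_funcs.txt is now a prerequisite: editing it re-runs BOLT, and a
# missing file is a Make error instead of a silent empty -skip-funcs= (the
# old $(shell cat ...) expanded to nothing when cat failed).  $< stays the
# input image because the list is appended after it.
# Flags: -trap-old-code fills the superseded original code with traps;
# -update-debug-sections/-update-end keep debug info and _end consistent;
# the four *=0/none options switch off rewrites that would move or drop code
# (presumably so the image stays structurally close to the input for the
# LVI checker — confirm); -insert-lfences adds the LFENCE barriers that
# implement the LVI mitigation in this BOLT build — confirm against the
# version in use.
# NOTE(review): $(shell cat ...) turns newlines into spaces, which would
# split -skip-funcs= into several argv words; the file is presumably a
# single comma-separated line.
$(builddir)/%.hardened.unstripped.so: $(builddir)/%.unstripped.so bolt_skip_funcs.txt
	$(LLVM_BOLT) -trap-old-code -use-gnu-stack -update-debug-sections -update-end -v=2 \
		-skip-funcs=$(shell cat $(filter %.txt,$^)) \
		-eliminate-unreachable=0 -strip-rep-ret=0 -simplify-conditional-tail-calls=0 \
		-align-macro-fusion=none \
		-insert-lfences \
		-o $@ $<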
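# Verify the BOLT-hardened image, then strip it; the stripped result is what
# the %.signdata rule measures and signs.  $< is the hardened image and $* the
# plain stem, so $(builddir)/$*.unstripped.so is the pre-BOLT image.
# Each objdump listing is written to a scratch file instead of being piped:
# without pipefail a failing objdump used to feed an empty listing to the
# checks, which then passed trivially (the `wc -l | grep '^0$'` test in
# particular).  Scratch names derive from $@ and the function list from $*,
# so parallel builds of different enclaves do not collide on a shared file.
# The checker scripts are prerequisites so that changing them re-runs the
# checks.
$(builddir)/%.hardened.unsigned.so: $(builddir)/%.hardened.unstripped.so $(PYXED_PYTHONPATH) bin/funcs_with_memindjmp bin/lvi_checker
# 1. From the pre-BOLT disassembly, list the functions containing memory-
#    indirect jumps (consumed by lvi_checker below).
	objdump -w -j .text --no-show-raw-insn -d $(builddir)/$*.unstripped.so > $@.pre.dis
	bin/funcs_with_memindjmp < $@.pre.dis > $(builddir)/$*.funcs_with_memindjmp
# 2. LVI check of the hardened image; lvi_checker needs pyxed on PYTHONPATH.
	objdump -w -j .text -d $< > $@.bolt.dis
	PYTHONPATH=$(PYXED_PYTHONPATH) python3 bin/lvi_checker $(builddir)/$*.funcs_with_memindjmp < $@.bolt.dis
# 3. Reject instructions that fault inside an enclave (cpuid, syscall, ...).
#    Any match is printed and fails the build.  NOTE(review): only .text is
#    scanned; confirm the link keeps all code in .text.
	objdump -j .text --no-show-raw-insn -d $< > $@.scan.dis
	if grep -E '^\s+[0-9a-f]+:\s+(cpuid|getsec|rdpmc|sgdt|sidt|sldt|str|vmcall|vmfunc|rdtscp?|int[0-9a-z]*|iret|syscall|sysenter)\s+' $@.scan.dis; then \
		echo "$@: .text contains instructions not allowed inside an enclave (listed above)" >&2; exit 1; fi
	rm -f $@.pre.dis $@.bolt.dis $@.scan.dis
	strip --strip-all $< -o $@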
# Strip all symbols from the release image; the stripped file is the one the
# %.signdata rule measures and signs.
$(builddir)/%.unsigned.so: $(builddir)/%.unstripped.so
	strip -s -o $@ $<
##
## signing
##
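# Throw-away signing key for debug enclaves: RSA-3072 with public exponent 3,
# the only key form the SGX SIGSTRUCT accepts.  A private umask for this one
# command keeps the key file from ever being group/world-readable, whatever
# the caller's umask.
%.debug.key:
	umask 077 && openssl genrsa -out $@ -3 3072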
# Public half of <stem>.key.  sgx_sign catsig only needs this half, so the
# private key is touched by the %.sig rule alone.
%.pub: %.key
	openssl rsa -in $< -pubout -out $@
# The signing chain is keyed on the stem, so a hardened build <stem>.hardened
# needs <stem>.hardened.config.xml; it is the unmodified release config.
%.hardened.config.xml: %.config.xml
	cp $^ $@
# Debug config derived from the release one by flipping <DisableDebug> from 1
# to 0 so the enclave can be run under a debugger.
# NOTE(review): this is a literal text match; a config that spells the
# element differently (whitespace, attributes) or omits it is copied through
# unchanged without any error — confirm the inputs always contain exactly
# <DisableDebug>1</DisableDebug>.
%.debug.config.xml: %.config.xml
	sed 's@<DisableDebug>1</DisableDebug>@<DisableDebug>0</DisableDebug>@' < $< > $@
# Signing material (the to-be-signed SIGSTRUCT bytes) for the debug build.
# Unlike the release chain, this measures the *unstripped* image, presumably
# so the debug enclave keeps its symbols.  $< is the image, the .xml the
# debug config.
$(builddir)/%.debug.signdata: $(builddir)/%.unstripped.so %.debug.config.xml
	$(SGX_SIGN) gendata -out $@ -enclave $< -config $(filter %.xml,$^)
# Assemble the signed debug enclave: catsig splices the externally produced
# signature ($(builddir)/<stem>.debug.sig from the %.sig rule) into the
# SIGSTRUCT of the unstripped image.  Only the public key is needed here.
$(builddir)/%.debug.so: $(builddir)/%.unstripped.so $(builddir)/%.debug.signdata %.debug.config.xml %.debug.pub $(builddir)/%.debug.sig
	$(SGX_SIGN) catsig -out $@ \
		-enclave $< \
		-unsigned $(filter %.signdata,$^) \
		-config $(filter %.xml,$^) \
		-key $(filter %.pub,$^) \
		-sig $(filter %.sig,$^)
# The hardened build is signed with the same key as the plain one; the stem-
# keyed %.sig / %.pub rules just need it under the <stem>.hardened name.
%.hardened.key: %.key
	cp $^ $@
# Key for the test-signed hardened variant, again a copy of <stem>.key.  Note
# that only the hardened flavour gets a derived .test key, and no rule derives
# <stem>.hardened.test.config.xml — that config must be supplied separately.
%.hardened.test.key: %.key
	cp $^ $@
# The test-signed variant reuses the stripped image unchanged; it exists so
# the stem-keyed %.signdata / %.signed.so rules can find it under the
# <stem>.test name.
$(builddir)/%.test.unsigned.so: $(builddir)/%.unsigned.so
	cp $^ $@
# Release signing material: the SIGSTRUCT bytes to be signed, computed from
# the stripped image ($<) and the enclave config.  No key is involved, so
# this step can run on a host that never sees the private key.
$(builddir)/%.signdata: $(builddir)/%.unsigned.so %.config.xml
	$(SGX_SIGN) gendata -out $@ -enclave $< -config $(filter %.xml,$^)
# Extract the enclave measurement (MRENCLAVE) as 64 hex digits.  gendata
# emits the 256-byte signed portion of the SIGSTRUCT (header || body); in it
# the 32-byte ENCLAVEHASH field starts at byte 188, hence "x188 H64".
$(builddir)/%.mrenclave: $(builddir)/%.signdata
	perl -0777 -ne 'print unpack("x188 H64", $$_)' $< > $@
	@printf 'mrenclave: %s\n' "$$(cat $@)"
# Sign the gendata blob ($<) with the private key: SHA-256 with PKCS#1 v1.5
# padding, as `openssl dgst -sign` produces and the SIGSTRUCT expects.  This
# is the only rule that uses the private key for signing (gendata/catsig work
# with the public half), so it can be run on a separate signing host.
$(builddir)/%.sig: $(builddir)/%.signdata %.key
	openssl dgst -sha256 -sign $(filter %.key,$^) -out $@ $<
# Assemble the signed release enclave: catsig combines the stripped image
# ($<), its signing material, the config, the public key and the detached
# signature from the %.sig rule into the final SIGSTRUCT-bearing .so.
$(builddir)/%.signed.so: $(builddir)/%.unsigned.so $(builddir)/%.signdata %.config.xml %.pub $(builddir)/%.sig
	$(SGX_SIGN) catsig -out $@ \
		-enclave $< \
		-unsigned $(filter %.signdata,$^) \
		-config $(filter %.xml,$^) \
		-key $(filter %.pub,$^) \
		-sig $(filter %.sig,$^)