[LibOS] Move trusted and allowed files logic to LibOS

Now `gramine-direct` behaves similarly to `gramine-sgx`: it reads `sgx.allowed_files` and `sgx.trusted_files` arrays, as well as `sgx.file_check_policy`, and applies the corresponding file-access rules. Note that the names of the manifest options are kept the same for backward compatibility; a future commit will introduce new, more appropriate aliases. Several tests that were previously SGX PAL-specific only are now enabled on `gramine-direct` as well. All LTP tests, even though they are run under `gramine-direct` only, check the allowed/trusted files logic now. As the primary effect of this commit, the SGX PAL code is significantly simplified and is closer to the native Linux (`direct`) PAL code. Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
gramineproject · Aug 8, 2024 · 2ed3b55 · 2ed3b55
1 parent bf4eae4
commit 2ed3b55
Show file tree

Hide file tree

Showing 41 changed files with 1,239 additions and 1,016 deletions.
diff --git a/CI-Examples/blender/Makefile b/CI-Examples/blender/Makefile
@@ -41,7 +41,7 @@ $(BLENDER_DIR)/blender:
 $(RUN_DIR):
  mkdir -p $@
 
-blender.manifest: blender.manifest.template | $(RUN_DIR)
+blender.manifest: blender.manifest.template $(BLENDER_DIR)/blender | $(RUN_DIR)
  gramine-manifest \
  -Dlog_level=$(GRAMINE_LOG_LEVEL) \
  -Darch_libdir=$(ARCH_LIBDIR) \
@@ -56,7 +56,7 @@ blender.sig blender.manifest.sgx: sgx_outputs
  @:
 
 .INTERMEDIATE: sgx_outputs
-sgx_outputs: $(BLENDER_DIR)/blender blender.manifest | $(RUN_DIR)
+sgx_outputs: blender.manifest | $(RUN_DIR)
  gramine-sgx-sign \
  --output blender.manifest.sgx \
  --manifest blender.manifest

diff --git a/CI-Examples/busybox/Makefile b/CI-Examples/busybox/Makefile
@@ -42,7 +42,7 @@ $(SRCDIR)/.config: $(SRCDIR)/Makefile
 $(SRCDIR)/busybox: $(SRCDIR)/.config
  $(MAKE) -C $(SRCDIR)
 
-busybox.manifest: busybox.manifest.template
+busybox.manifest: busybox.manifest.template busybox
  gramine-manifest \
  -Dlog_level=$(GRAMINE_LOG_LEVEL) \
  -Darch_libdir=$(ARCH_LIBDIR) \
@@ -57,7 +57,7 @@ busybox.manifest.sgx busybox.sig: sgx_sign
  @:
 
 .INTERMEDIATE: sgx_sign
-sgx_sign: busybox.manifest busybox
+sgx_sign: busybox.manifest
  gramine-sgx-sign \
  --manifest $< \
  --output $<.sgx

diff --git a/CI-Examples/helloworld/Makefile b/CI-Examples/helloworld/Makefile
@@ -21,7 +21,7 @@ helloworld: helloworld.o
 
 helloworld.o: helloworld.c
 
-helloworld.manifest: helloworld.manifest.template
+helloworld.manifest: helloworld.manifest.template helloworld
  gramine-manifest \
  -Dlog_level=$(GRAMINE_LOG_LEVEL) \
  $< $@
@@ -44,7 +44,7 @@ helloworld.sig helloworld.manifest.sgx: sgx_sign
  @:
 
 .INTERMEDIATE: sgx_sign
-sgx_sign: helloworld.manifest helloworld
+sgx_sign: helloworld.manifest
  gramine-sgx-sign \
  --manifest $< \
  --output $<.sgx

diff --git a/CI-Examples/lighttpd/Makefile b/CI-Examples/lighttpd/Makefile
@@ -47,7 +47,7 @@ $(LIGHTTPD_SRC).tar.gz:
  ../common_tools/download --output $@ --sha256 $(LIGHTTPD_HASH) \
  $(foreach mirror,$(LIGHTTPD_MIRRORS),--url $(mirror)/$(LIGHTTPD_SRC).tar.gz)
 
-lighttpd.manifest: lighttpd.manifest.template
+lighttpd.manifest: lighttpd.manifest.template $(INSTALL_DIR)/sbin/lighttpd
  gramine-manifest \
  -Dlog_level=$(GRAMINE_LOG_LEVEL) \
  -Darch_libdir=$(ARCH_LIBDIR) \
@@ -60,7 +60,7 @@ lighttpd.manifest.sgx lighttpd.sig: sgx_sign
  @:
 
 .INTERMEDIATE: sgx_sign
-sgx_sign: lighttpd.manifest $(INSTALL_DIR)/sbin/lighttpd
+sgx_sign: lighttpd.manifest
  gramine-sgx-sign \
  --manifest $< \
  --output $<.sgx

diff --git a/CI-Examples/memcached/Makefile b/CI-Examples/memcached/Makefile
@@ -33,7 +33,7 @@ $(SRCDIR)/memcached: $(SRCDIR)/configure
  cd $(SRCDIR) && ./configure
  $(MAKE) -C $(SRCDIR)
 
-memcached.manifest: memcached.manifest.template
+memcached.manifest: memcached.manifest.template memcached
  gramine-manifest \
  -Dlog_level=$(GRAMINE_LOG_LEVEL) \
  -Darch_libdir=$(ARCH_LIBDIR) \
@@ -45,7 +45,7 @@ memcached.manifest.sgx memcached.sig: sgx_sign
  @:
 
 .INTERMEDIATE: sgx_sign
-sgx_sign: memcached.manifest memcached
+sgx_sign: memcached.manifest
  gramine-sgx-sign \
  --manifest $< \
  --output $<.sgx

diff --git a/CI-Examples/nginx/Makefile b/CI-Examples/nginx/Makefile
@@ -50,7 +50,10 @@ $(NGINX_SRC).tar.gz:
  ../common_tools/download --output $@ --sha256 $(NGINX_SHA256) \
  $(foreach mirror,$(NGINX_MIRRORS),--url $(mirror)/$(NGINX_SRC).tar.gz)
 
-nginx.manifest: nginx.manifest.template
+nginx.manifest: nginx.manifest.template $(INSTALL_DIR)/sbin/nginx \
+ $(INSTALL_DIR)/conf/nginx-gramine.conf \
+ $(TEST_DATA) nginx_args \
+ $(INSTALL_DIR)/conf/server.crt
  gramine-manifest \
  -Dlog_level=$(GRAMINE_LOG_LEVEL) \
  -Darch_libdir=$(ARCH_LIBDIR) \
@@ -64,10 +67,7 @@ nginx.manifest.sgx nginx.sig: sgx_sign
  @:
 
 .INTERMEDIATE: sgx_sign
-sgx_sign: nginx.manifest $(INSTALL_DIR)/sbin/nginx \
- $(INSTALL_DIR)/conf/nginx-gramine.conf \
- $(TEST_DATA) \
- $(INSTALL_DIR)/conf/server.crt
+sgx_sign: nginx.manifest
  gramine-sgx-sign \
  --manifest $< \
  --output $<.sgx

diff --git a/CI-Examples/ra-tls-mbedtls/Makefile b/CI-Examples/ra-tls-mbedtls/Makefile
@@ -56,7 +56,7 @@ client: src/client.c
 
 ############################### SERVER MANIFEST ###############################
 
-server.manifest: server.manifest.template
+server.manifest: server.manifest.template server
  gramine-manifest \
  -Dlog_level=$(GRAMINE_LOG_LEVEL) \
  -Darch_libdir=$(ARCH_LIBDIR) \
@@ -71,14 +71,14 @@ server.manifest.sgx server.sig: sgx_sign_server
  @:
 
 .INTERMEDIATE: sgx_sign_server
-sgx_sign_server: server.manifest server
+sgx_sign_server: server.manifest
  gramine-sgx-sign \
  --manifest $< \
  --output $<.sgx
 
 ########################### CLIENT (DCAP) MANIFEST ############################
 
-client_dcap.manifest: client.manifest.template
+client_dcap.manifest: client.manifest.template client
  gramine-manifest \
  -Dlog_level=$(GRAMINE_LOG_LEVEL) \
  -Darch_libdir=$(ARCH_LIBDIR) \
@@ -88,14 +88,14 @@ client_dcap.manifest.sgx client_dcap.sig: sgx_sign_client_dcap
  @:
 
 .INTERMEDIATE: sgx_sign_client_dcap
-sgx_sign_client_dcap: client_dcap.manifest client
+sgx_sign_client_dcap: client_dcap.manifest
  gramine-sgx-sign \
  --manifest $< \
  --output $<.sgx
 
 ########################### CLIENT (EPID) MANIFEST ############################
 
-client_epid.manifest: client.manifest.template
+client_epid.manifest: client.manifest.template client
  gramine-manifest \
  -Dlog_level=$(GRAMINE_LOG_LEVEL) \
  -Darch_libdir=$(ARCH_LIBDIR) \
@@ -105,7 +105,7 @@ client_epid.manifest.sgx client_epid.sig: sgx_sign_client_epid
  @:
 
 .INTERMEDIATE: sgx_sign_client_epid
-sgx_sign_client_epid: client_epid.manifest client
+sgx_sign_client_epid: client_epid.manifest
  gramine-sgx-sign \
  --manifest $< \
  --output $<.sgx

diff --git a/CI-Examples/ra-tls-secret-prov/Makefile b/CI-Examples/ra-tls-secret-prov/Makefile
@@ -76,7 +76,8 @@ secret_prov_pf/client: secret_prov_pf/client.c
 
 # TODO: Simplify after https:/gramineproject/gramine/issues/878 is fixed (manifest paths
 # should be relative to the manifest, not to current dir) - drop `cd` and `notdir`.
-secret_prov_minimal/client.manifest: secret_prov_minimal/client.manifest.template
+secret_prov_minimal/client.manifest: secret_prov_minimal/client.manifest.template \
+ secret_prov_minimal/client
  cd secret_prov_minimal && \
  gramine-manifest \
  -Dlog_level=$(GRAMINE_LOG_LEVEL) \
@@ -92,15 +93,15 @@ secret_prov_minimal/client.manifest.sgx secret_prov_minimal/client.sig: sgx_sign
  @:
 
 .INTERMEDIATE: sgx_sign_secret_prov_minimal_client
-sgx_sign_secret_prov_minimal_client: secret_prov_minimal/client.manifest secret_prov_minimal/client
+sgx_sign_secret_prov_minimal_client: secret_prov_minimal/client.manifest
  cd secret_prov_minimal && \
  gramine-sgx-sign \
  --manifest $(notdir $<) \
  --output $(notdir $<.sgx)
 
 ############################### CLIENT MANIFEST ###############################
 
-secret_prov/client.manifest: secret_prov/client.manifest.template
+secret_prov/client.manifest: secret_prov/client.manifest.template secret_prov/client
  cd secret_prov && \
  gramine-manifest \
  -Dlog_level=$(GRAMINE_LOG_LEVEL) \
@@ -114,15 +115,15 @@ secret_prov/client.manifest.sgx secret_prov/client.sig: sgx_sign_secret_prov_cli
  @:
 
 .INTERMEDIATE: sgx_sign_secret_prov_client
-sgx_sign_secret_prov_client: secret_prov/client.manifest secret_prov/client
+sgx_sign_secret_prov_client: secret_prov/client.manifest
  cd secret_prov && \
  gramine-sgx-sign \
  --manifest $(notdir $<) \
  --output $(notdir $<.sgx)
 
 ############################## PF CLIENT MANIFEST #############################
 
-secret_prov_pf/client.manifest: secret_prov_pf/client.manifest.template
+secret_prov_pf/client.manifest: secret_prov_pf/client.manifest.template secret_prov_pf/client
  cd secret_prov_pf && \
  gramine-manifest \
  -Dlog_level=$(GRAMINE_LOG_LEVEL) \
@@ -136,7 +137,7 @@ secret_prov_pf/client.manifest.sgx secret_prov_pf/client.sig: sgx_sign_secret_pr
  @:
 
 .INTERMEDIATE: sgx_sign_secret_prov_pf_client
-sgx_sign_secret_prov_pf_client: secret_prov_pf/client.manifest secret_prov_pf/client
+sgx_sign_secret_prov_pf_client: secret_prov_pf/client.manifest
  cd secret_prov_pf && \
  gramine-sgx-sign \
  --manifest $(notdir $<) \

diff --git a/CI-Examples/redis/Makefile b/CI-Examples/redis/Makefile
@@ -70,25 +70,25 @@ endif
 # information to run Redis under Gramine / Gramine-SGX. We create
 # redis-server.manifest (to be run under non-SGX Gramine) by replacing variables
 # in the template file using the "gramine-manifest" script.
-
-redis-server.manifest: redis-server.manifest.template
+#
+# "gramine-manifest" also measures all Redis trusted files and adds the
+# measurements to the resulting manifest file.
+redis-server.manifest: redis-server.manifest.template $(SRCDIR)/src/redis-server
  gramine-manifest \
  -Dlog_level=$(GRAMINE_LOG_LEVEL) \
  -Darch_libdir=$(ARCH_LIBDIR) \
  $< > $@
 
-# Manifest for Gramine-SGX requires special "gramine-sgx-sign" procedure. This
-# procedure measures all Redis trusted files, adds the measurement to the
-# resulting manifest.sgx file (among other, less important SGX options) and
-# creates redis-server.sig (SIGSTRUCT object).
-
 # Make on Ubuntu <= 20.04 doesn't support "Rules with Grouped Targets" (`&:`),
 # see the helloworld example for details on this workaround.
 redis-server.sig redis-server.manifest.sgx: sgx_outputs
  @:
 
+# Manifest for Gramine-SGX requires special "gramine-sgx-sign" procedure. This
+# procedure creates the final manifest.sgx file and an SGX-specific
+# redis-server.sig file (SIGSTRUCT object).
 .INTERMEDIATE: sgx_outputs
-sgx_outputs: redis-server.manifest $(SRCDIR)/src/redis-server
+sgx_outputs: redis-server.manifest
  gramine-sgx-sign \
  --manifest redis-server.manifest \
  --output redis-server.manifest.sgx

diff --git a/CI-Examples/rust/Makefile b/CI-Examples/rust/Makefile
@@ -25,7 +25,7 @@ endif
 $(SELF_EXE): Cargo.toml
  cargo build --release
 
-rust-hyper-http-server.manifest: rust-hyper-http-server.manifest.template
+rust-hyper-http-server.manifest: rust-hyper-http-server.manifest.template $(SELF_EXE)
  gramine-manifest \
  -Dlog_level=$(GRAMINE_LOG_LEVEL) \
  -Darch_libdir=$(ARCH_LIBDIR) \
@@ -38,7 +38,7 @@ rust-hyper-http-server.manifest.sgx rust-hyper-http-server.sig: sgx_sign
  @:
 
 .INTERMEDIATE: sgx_sign
-sgx_sign: rust-hyper-http-server.manifest $(SELF_EXE)
+sgx_sign: rust-hyper-http-server.manifest
  gramine-sgx-sign \
  --manifest $< \
  --output $<.sgx

diff --git a/Documentation/manpages/gramine-manifest.rst b/Documentation/manpages/gramine-manifest.rst
@@ -40,6 +40,17 @@ Command line arguments
 
  Disable schema validation, as described above in :option:`--check`.
 
+.. option:: --chroot <path>
+
+ When calculating cryptographic hashes of trusted files, measure files inside
+ a |~| chroot instead of paths in root of the file system. Requires that all
+ paths in manifest are absolute, and those will be interpreted as relative to
+ the directory specified as the value of the option.
+
+ Note you need to be very careful that the Gramine runtime binaries are
+ exactly the same inside chroot as the ones used to execute
+ :program:`gramine-manifest`.
+
 Functions and constants available in templates
 ==============================================
 

diff --git a/libos/include/libos_fs.h b/libos/include/libos_fs.h
@@ -20,6 +20,33 @@
 #include "list.h"
 #include "pal.h"
 
+enum {
+ FILE_CHECK_POLICY_STRICT = 0,
+ FILE_CHECK_POLICY_ALLOW_ALL_BUT_LOG,
+};
+extern int g_file_check_policy;
+
+struct trusted_file_hash {
+ uint8_t bytes[32];
+};
+struct trusted_chunk_hash {
+ uint8_t bytes[16];
+};
+struct trusted_file;
+struct allowed_file;
+
+struct trusted_file* get_trusted_file(const char* path);
+struct allowed_file* get_allowed_file(const char* path);
+size_t get_chunk_hashes_size(size_t file_size);
+int load_trusted_file(struct trusted_file* tf, size_t file_size,
+ struct trusted_chunk_hash** out_chunk_hashes);
+int copy_and_verify_trusted_file(PAL_HANDLE handle, uint64_t offset, size_t count, uint8_t* buf,
+ size_t file_size, struct trusted_chunk_hash* chunk_hashes);
+int register_allowed_file(const char* path);
+int init_trusted_files(void);
+int init_allowed_files(void);
+int init_file_check_policy(void);
+
 struct libos_handle;
 
 /* Describes mount parameters. Passed to `mount_fs`, and to the `mount` callback. */
@@ -532,6 +559,7 @@ extern struct libos_dentry* g_dentry_root;
 
 /* initialization for fs and mounts */
 int init_fs(void);
+int init_trusted_allowed_files(void);
 int init_mount_root(void);
 int init_mount(void);
 int mount_etcfs(void);