sdk/oe: minimal bindings for OpenEnclave SDK

.gitmodules

@@ -10,3 +10,6 @@
 [submodule "sdk/bare-sgx"]
 	path = sdk/bare-sgx
 	url = https://github.com/jovanbulck/bare-sgx.git
+[submodule "sdk/oe/openenclave"]
+	path = sdk/oe/openenclave
+	url = https://github.com/openenclave/openenclave.git

app/oe/.gitignore

@@ -0,0 +1,7 @@
+*_t.*
+*_u.*
+*.pem
+*_args.h
+*.signed
+enclave/enclave
+host/helloworld_host

app/oe/Makefile

@@ -0,0 +1,24 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+.PHONY: all build clean run simulate
+
+OE_CRYPTO_LIB := mbedtls
+export OE_CRYPTO_LIB
+
+all: build
+
+build:
+	$(MAKE) -C enclave
+	$(MAKE) -C host
+
+clean:
+	$(MAKE) -C enclave clean
+	$(MAKE) -C host clean
+
+run:
+	host/helloworld_host ./enclave/enclave.signed
+
+simulate:
+	host/helloworld_host ./enclave/enclave.signed --simulate
+

app/oe/enclave/Makefile

@@ -0,0 +1,50 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+include ../config.mk
+
+CRYPTO_LDFLAGS := $(shell pkg-config oeenclave-$(COMPILER) --variable=${OE_CRYPTO_LIB}libs)
+
+ifeq ($(LVI_MITIGATION), ControlFlow)
+    ifeq ($(LVI_MITIGATION_BINDIR),)
+        $(error LVI_MITIGATION_BINDIR is not set)
+    endif
+    # Only run once.
+    ifeq (,$(findstring $(LVI_MITIGATION_BINDIR),$(CC)))
+        CC := $(LVI_MITIGATION_BINDIR)/$(CC)
+    endif
+    COMPILER := $(COMPILER)-lvi-cfg
+    CRYPTO_LDFLAGS := $(shell pkg-config oeenclave-$(COMPILER) --variable=${OE_CRYPTO_LIB}libslvicfg)
+endif
+
+ifeq ($(OE_CRYPTO_LIB),openssl_3)
+  CFLAGS=$(shell pkg-config oeenclave-$(COMPILER) --variable=${OE_CRYPTO_LIB}flags)
+else
+  CFLAGS=$(shell pkg-config oeenclave-$(COMPILER) --cflags)
+endif
+LDFLAGS=$(shell pkg-config oeenclave-$(COMPILER) --libs)
+INCDIR=$(shell pkg-config oeenclave-$(COMPILER) --variable=includedir)
+
+all:
+	$(MAKE) build
+	$(MAKE) keys
+	$(MAKE) sign
+
+build:
+	@ echo "Compilers used: $(CC), $(CXX)"
+	oeedger8r ../helloworld.edl --trusted \
+		--search-path $(INCDIR) \
+		--search-path $(INCDIR)/openenclave/edl/sgx
+	$(CC) -g -c $(CFLAGS) -DOE_API_VERSION=2 enc.c -o enc.o
+	$(CC) -g -c $(CFLAGS) -DOE_API_VERSION=2 helloworld_t.c -o helloworld_t.o
+	$(CC) -o enclave helloworld_t.o enc.o $(LDFLAGS) $(CRYPTO_LDFLAGS)
+
+sign:
+	oesign sign -e enclave -c helloworld.conf -k private.pem
+
+clean:
+	rm -f enc.o enclave enclave.signed private.pem public.pem helloworld_t.o helloworld_t.h helloworld_t.c helloworld_args.h
+
+keys:
+	openssl genrsa -out private.pem -3 3072
+	openssl rsa -in private.pem -pubout -out public.pem

app/oe/enclave/enc.c

@@ -0,0 +1,33 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <stdio.h>
+
+// Include the trusted helloworld header that is generated
+// during the build. This file is generated by calling the
+// sdk tool oeedger8r against the helloworld.edl file.
+#include "helloworld_t.h"
+
+// This is the function that the host calls. It prints
+// a message in the enclave before calling back out to
+// the host to print a message from there too.
+void enclave_helloworld()
+{
+    // Print a message from the enclave. Note that this
+    // does not directly call fprintf, but calls into the
+    // host and calls fprintf from there. This is because
+    // the fprintf function is not part of the enclave
+    // as it requires support from the kernel.
+    fprintf(stdout, "Hello world from the enclave\n");
+
+    // Call back into the host
+    oe_result_t result = host_helloworld();
+    if (result != OE_OK)
+    {
+        fprintf(
+            stderr,
+            "Call to host_helloworld failed: result=%u (%s)\n",
+            result,
+            oe_result_str(result));
+    }
+}

app/oe/enclave/helloworld.conf

@@ -0,0 +1,10 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+# Enclave settings:
+Debug=1
+NumHeapPages=1024
+NumStackPages=1024
+NumTCS=1
+ProductID=1
+SecurityVersion=1

app/oe/helloworld.edl

@@ -0,0 +1,17 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+enclave {
+    from "openenclave/edl/syscall.edl" import *;
+    from "platform.edl" import *;
+
+    trusted {
+        public void enclave_helloworld();
+    };
+
+    untrusted {
+        void host_helloworld();
+    };
+};
+
+

app/oe/host/Makefile

@@ -0,0 +1,23 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+include ../config.mk
+
+LIBSGXSTEP_DIR=../../../
+LIBSGXSTEP=$(LIBSGXSTEP_DIR)/libsgxstep
+
+CFLAGS=$(shell pkg-config oehost-$(COMPILER) --cflags) -I$(LIBSGXSTEP_DIR) 
+LDFLAGS=$(shell pkg-config oehost-$(COMPILER) --libs) -lsgx-step -pthread -L$(LIBSGXSTEP) -lelf
+INCDIR=$(shell pkg-config oehost-$(COMPILER) --variable=includedir)
+
+build:
+	@ echo "Compilers used: $(CC), $(CXX)"
+	oeedger8r ../helloworld.edl --untrusted \
+		--search-path $(INCDIR) \
+		--search-path $(INCDIR)/openenclave/edl/sgx
+	$(CC) -g -c $(CFLAGS) host.c
+	$(CC) -g -c $(CFLAGS) helloworld_u.c
+	$(CC) -o helloworld_host helloworld_u.o host.o $(LDFLAGS)
+
+clean:
+	rm -f helloworld_host host.o helloworld_u.o helloworld_u.c helloworld_u.h helloworld_args.h

app/oe/host/host.c

@@ -0,0 +1,99 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <openenclave/host.h>
+#include <stdio.h>
+
+// Include the untrusted helloworld header that is generated
+// during the build. This file is generated by calling the
+// sdk tool oeedger8r against the helloworld.edl file.
+#include "helloworld_u.h"
+
+#include "libsgxstep/debug.h"
+#include "libsgxstep/enclave.h"
+
+void aep_cb_func(void)
+{
+    uint64_t erip = edbgrd_erip() - (uint64_t)get_enclave_base();
+    info("^^ enclave RIP=%#lx", erip);
+}
+
+bool check_simulate_opt(int* argc, const char* argv[])
+{
+    for (int i = 0; i < *argc; i++)
+    {
+        if (strcmp(argv[i], "--simulate") == 0)
+        {
+            fprintf(stdout, "Running in simulation mode\n");
+            memmove(&argv[i], &argv[i + 1], (*argc - i) * sizeof(char*));
+            (*argc)--;
+            return true;
+        }
+    }
+    return false;
+}
+
+// This is the function that the enclave will call back into to
+// print a message.
+void host_helloworld()
+{
+    fprintf(stdout, "Enclave called into host to print: Hello World!\n");
+}
+
+int main(int argc, const char* argv[])
+{
+    oe_result_t result;
+    int ret = 1;
+    oe_enclave_t* enclave = NULL;
+
+    uint32_t flags = OE_ENCLAVE_FLAG_DEBUG;
+    if (check_simulate_opt(&argc, argv))
+    {
+        flags |= OE_ENCLAVE_FLAG_SIMULATE;
+    }
+
+    if (argc != 2)
+    {
+        fprintf(
+            stderr, "Usage: %s enclave_image_path [ --simulate  ]\n", argv[0]);
+        goto exit;
+    }
+
+    // Create the enclave
+    result = oe_create_helloworld_enclave(
+        argv[1], OE_ENCLAVE_TYPE_AUTO, flags, NULL, 0, &enclave);
+    if (result != OE_OK)
+    {
+        fprintf(
+            stderr,
+            "oe_create_helloworld_enclave(): result=%u (%s)\n",
+            result,
+            oe_result_str(result));
+        goto exit;
+    }
+
+    // SGX-Step stuff
+    register_aep_cb(aep_cb_func);
+    print_enclave_info();
+
+    // Call into the enclave
+    result = enclave_helloworld(enclave);
+    if (result != OE_OK)
+    {
+        fprintf(
+            stderr,
+            "calling into enclave_helloworld failed: result=%u (%s)\n",
+            result,
+            oe_result_str(result));
+        goto exit;
+    }
+
+    ret = 0;
+
+exit:
+    // Clean up the enclave if we created one
+    if (enclave)
+        oe_terminate_enclave(enclave);
+
+    return ret;
+}

sdk/oe/0001-Minimal-SGX-Step-bindings.patch

@@ -0,0 +1,83 @@
+From 2cacff71c210c469a424110510a0c3a5f3561ef2 Mon Sep 17 00:00:00 2001
+From: Jo Van Bulck <[email protected]>
+Date: Wed, 15 Jan 2025 13:40:17 +0000
+Subject: [PATCH] Minimal SGX-Step bindings
+
+Signed-off-by: Jo Van Bulck <[email protected]>
+---
+ host/sgx/asmdefs.h         |  2 +-
+ host/sgx/calls.c           | 20 ++++++++++++++++++++
+ include/openenclave/host.h |  6 ++++++
+ 3 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/host/sgx/asmdefs.h b/host/sgx/asmdefs.h
+index 4b78e1989..9332f9c2b 100644
+--- a/host/sgx/asmdefs.h
++++ b/host/sgx/asmdefs.h
+@@ -35,7 +35,7 @@ oe_result_t oe_enter(
+     uint64_t* arg4,
+     oe_enclave_t* enclave);
+
+-extern const uint64_t OE_AEP_ADDRESS;
++extern uint64_t OE_AEP_ADDRESS;
+ #endif
+
+ #if !defined(__ASSEMBLER__) && (_WIN32)
+diff --git a/host/sgx/calls.c b/host/sgx/calls.c
+index eed0c4dcf..66bfb3cc5 100644
+--- a/host/sgx/calls.c
++++ b/host/sgx/calls.c
+@@ -578,6 +578,25 @@ static void _release_tcs(oe_enclave_t* enclave, void* tcs)
+     oe_mutex_unlock(&enclave->lock);
+ }
+
++/* minimal SGX-Step bindings */
++
++void* __oe_last_tcs;
++
++void* sgx_get_aep(void)
++{
++    return (void*) OE_AEP_ADDRESS;
++}
++
++void sgx_set_aep(void* aep)
++{
++    OE_AEP_ADDRESS = (uint64_t) aep;
++}
++
++void *sgx_get_tcs(void)
++{
++    return __oe_last_tcs;
++}
++
+ /*
+ **==============================================================================
+ **
+@@ -608,6 +627,7 @@ oe_result_t oe_ecall(
+     /* Assign a oe_sgx_td_t for this operation */
+     if (!(tcs = _assign_tcs(enclave)))
+         OE_RAISE(OE_OUT_OF_THREADS);
++    __oe_last_tcs = tcs;
+
+     oe_log(
+         OE_LOG_LEVEL_VERBOSE,
+diff --git a/include/openenclave/host.h b/include/openenclave/host.h
+index d0f279ec5..864b4b7f5 100644
+--- a/include/openenclave/host.h
++++ b/include/openenclave/host.h
+@@ -231,6 +231,12 @@ oe_result_t oe_create_enclave(
+     uint32_t ecall_count,
+     oe_enclave_t** enclave);
+
++
++/* minimal SGX-Step bindings */
++void* sgx_get_aep(void);
++void sgx_set_aep(void* aep);
++void *sgx_get_tcs(void);
++
+ /**
+  * Terminate an enclave and reclaims its resources.
+  *
+-- 
+2.43.0
+

sdk/oe/install_llvm11.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+#set -x
+
+# NOTE: 20.04 tarball also works on 24.04
+TAR_BASE="clang+llvm-11.0.0-x86_64-linux-gnu-ubuntu-20.04"
+TAR_FILE="$TAR_BASE.tar.xz"
+TAR_URL="https://github.com/llvm/llvm-project/releases/download/llvmorg-11.0.0/$TAR_FILE"
+TMP_DIR="/tmp/llvm-temp"
+TARGET_BASE="/usr"
+
+mkdir -p "$TMP_DIR"
+cd $TMP_DIR
+if [ ! -e $TAR_FILE ]; then
+    wget $TAR_URL
+    tar xvf $TAR_FILE
+fi
+
+sudo mkdir -p /usr/lib/llvm-11/
+sudo cp -r $TMP_DIR/$TAR_BASE/* /usr/lib/llvm-11/
+
+echo "Extraction and moving completed."