Linux 2.3.1 Open Source Gold Release

Bug fixes

Signed-off-by: Li, Xun <[email protected]>

Author: llly

README.md

@@ -137,10 +137,10 @@ To build the Intel(R) SGX PSW installer, enter the following command:
   ```
   $ make deb_sgx_enclave_common_pkg
   ```
-  You can find the generated Intel(R) SGX PSW installer ``libsgx-enclave-common_${version}-${revision}_amd64.deb`` located under `linux/installer/deb/libsgx-enclave-common`, where `${version}` refers to the version number and the `${revision}` refers to the revision number of the package.   
-  **Note**: On Ubuntu 18.04, besides the Intel(R) SGX PSW installer, the above command generates another debug symbol package named ``libsgx-enclave-common-dbgsym_${version}-${revision}_amd64.ddeb`` for debug purpose. On Ubuntu 16.04, if you want to keep debug symbols in the Intel(R) SGX PSW installer, before building the Intel(R) SGX PSW, you need to export an environment variable to ensure the debug symbols not stripped:
+  You can find the generated Intel(R) SGX PSW installer ``libsgx-enclave-common_${version}-${revision}_${arch}.deb`` located under `linux/installer/deb/libsgx-enclave-common`, where `${version}` refers to the version number and the `${arch}` refers to the platform.   
+  **Note**: On Ubuntu 18.04, besides the Intel(R) SGX PSW installer, the above command generates another debug symbol package named ``libsgx-enclave-common-dbgsym_${version}-${revision}_${arch}.ddeb`` for debug purpose. On Ubuntu 16.04, if you want to keep debug symbols in the Intel(R) SGX PSW installer, before building the Intel(R) SGX PSW, you need to export an environment variable to ensure the debug symbols not stripped:
    ```
-   $ export DEB_BUILD_OPTIONS="nostrip"
+   $export DEB_BUILD_OPTIONS="nostrip"
    ```
   **Note**: The above command builds the Intel(R) SGX PSW with default configuration firstly and then generates the target PSW Installer. To build the Intel(R) SGX PSW Installer without optimization and with full debug information kept in the tools and libraries, enter the following command:
   ```
@@ -158,12 +158,6 @@ To build the Intel(R) SGX PSW installer, enter the following command:
   ```
   $ make psw_install_pkg DEBUG=1
   ```
-To build the Intel(R) SGX PSW development installer, enter the following command:
-- On Ubuntu 16.04 and Ubuntu 18.04:
-  ```
-  $ make deb_sgx_enclave_common_dev_pkg
-  ```
-  You can find the generated Intel(R) SGX PSW development installer ``libsgx-enclave-common-dev_${version}-${revision}_${arch}.deb`` located under `linux/installer/deb/libsgx-enclave-common-dev`.
 
 Install the Intel(R) SGX SDK
 ------------------------
@@ -298,12 +292,12 @@ To install the Intel(R) SGX PSW, invoke the installer with root privilege:
 - On Ubuntu 16.04 and Ubuntu 18.04:
   ```
   $ cd linux/installer/deb/libsgx-enclave-common
-  $ sudo dpkg -i ./libsgx-enclave-common_${version}-${revision}_amd64.deb
+  $ sudo dpkg -i ./libsgx-enclave-common_${version}-${revision}_${arch}.deb
   ```
   **NOTE**: To debug with sgx-gdb on Ubuntu 16.04, you need to ensure the Intel(R) SGX PSW is built under the condition that the environment variable ``DEB_BUILD_OPTIONS="nostrip"`` is set. On Ubuntu 18.04, you need to install the debug package by entering the following command:
   ```
   $ cd linux/installer/deb/libsgx-enclave-common
-  $ sudo dpkg -i ./libsgx-enclave-common-dbgsym_${version}-${revision}_amd64.ddeb
+  $ sudo dpkg -i ./libsgx-enclave-common-dbgsym_${version}-${revision}_${arch}.ddeb
   ```
 - On Red Hat Enterprise Linux 7.4 and CentOS 7.5:
 - On Fedora 27:

common/inc/internal/mini_snprintf.h

@@ -52,8 +52,6 @@
 #include <stdarg.h>
 #include <limits.h>
 
-#include "sl_util.h"
-
 /*===========================================================================
  * Interface
  *===========================================================================*/

common/inc/internal/se_version.h

@@ -28,7 +28,7 @@
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
  */
-#define STRFILEVER    "2.3.100.46354"
+#define STRFILEVER    "2.3.101.46683"
 #define COPYRIGHT      "Copyright (C) 2018 Intel Corporation"
 
 #define URTS_VERSION              "1.0.101.0"

common/inc/sgx_uswitchless.h

@@ -72,6 +72,7 @@
 #include "sgx_error.h"
 #include "sgx_eid.h"
 #include "sgx_defs.h"
+#include "sgx_urts.h"
 
 /*
  * A worker can be either trusted (executed inside enclave) or untrusted

download_prebuilt.sh

@@ -33,10 +33,10 @@
 
 top_dir=`dirname $0`
 out_dir=$top_dir
-optlib_name=optimized_libs_2.3.tar.gz
-ae_file_name=prebuilt_ae_2.3.tar.gz
-checksum_file=SHA256SUM_prebuilt_2.3.txt
-server_url_path=https://download.01.org/intel-sgx/linux-2.3/
+optlib_name=optimized_libs_2.3.1.tar.gz
+ae_file_name=prebuilt_ae_2.3.1.tar.gz
+checksum_file=SHA256SUM_prebuilt_2.3.1.txt
+server_url_path=https://download.01.org/intel-sgx/linux-2.3.1/
 server_optlib_url=$server_url_path/$optlib_name
 server_ae_url=$server_url_path/$ae_file_name
 server_checksum_url=$server_url_path/$checksum_file

linux/installer/bin/build-installpkg.sh

@@ -57,7 +57,7 @@ BUILD_DIR=${ROOT_DIR}/build/linux
 # Get the architecture of the build from generated binary
 get_arch()
 {
-    local a=$(readelf -h $BUILD_DIR/sgx_sign | sed -n '2p' | awk '{print $6}')
+    local a=$(readelf -h $BUILD_DIR/sgx_sign | sed -n '2p' | awk '/:/{print $6}')
     test $a = 02 && echo 'x86_64' || echo 'x86'
 }
 

linux/installer/common/libsgx-enclave-common/createTarball.sh

@@ -47,7 +47,7 @@ rm -fr ${INSTALL_PATH}
 # Get the architecture of the build from generated binary
 get_arch()
 {
-    local a=$(readelf -h $(find ${BUILD_DIR} -name "*.so*" |head -n 1) | sed -n '2p' | awk '{print $6}')
+    local a=$(readelf -h $(find ${BUILD_DIR} -name "*.so*" |head -n 1) | sed -n '2p' | awk '/:/{print $6}')
     test $a = 02 && echo 'x64' || echo 'x86'
 }
 

linux/installer/common/psw/createTarball.sh

@@ -47,7 +47,7 @@ rm -fr ${INSTALL_PATH}
 # Get the architecture of the build from generated binary
 get_arch()
 {
-    local a=$(readelf -h $BUILD_DIR/sgx_sign | sed -n '2p' | awk '{print $6}')
+    local a=$(readelf -h $BUILD_DIR/sgx_sign | sed -n '2p' | awk '/:/{print $6}')
     test $a = 02 && echo 'x64' || echo 'x86'
 }
 

linux/installer/common/sdk/createTarball.sh

@@ -47,7 +47,7 @@ rm -fr ${INSTALL_PATH}
 # Get the architecture of the build from generated binary
 get_arch()
 {
-    local a=$(readelf -h $BUILD_DIR/sgx_sign | sed -n '2p' | awk '{print $6}')
+    local a=$(readelf -h $BUILD_DIR/sgx_sign | sed -n '2p' | awk '/:/{print $6}')
     test $a = 02 && echo 'x64' || echo 'x86'
 }
 

psw/ae/aesm_service/Makefile

@@ -193,7 +193,6 @@ COMMON_SRC += ./source/qe/QEClass.cpp                  \
               ./source/pse_op/pse_op_psda_ocall.cpp \
               ./source/pse_op/pse_op_vmc_sqlite_ocall.cpp \
               upse.cpp  \
-              upse_iclsInit.cpp \
               helper.cpp \
               sigma_helper.cpp \
               interface_ocsp.cpp \

psw/ae/aesm_service/source/aesm/application/aesm_logic.cpp

@@ -270,12 +270,6 @@ void AESMLogic::service_stop()
     }
     (void)aesm_free_thread(pse_thread);//release thread handle to free memory
 
-    ae_ret = aesm_wait_thread(CPSEClass::instance().icls_thread, &thread_ret, AESM_STOP_TIMEOUT);
-    if (ae_ret != AE_SUCCESS || thread_ret != AE_SUCCESS)
-    {
-        AESM_DBG_INFO("aesm_wait_thread failed(icls_thread):(ae %d) (%d)", ae_ret, thread_ret);
-    }
-    (void)aesm_free_thread(CPSEClass::instance().icls_thread);//release thread handle to free memory
     //waiting for pending threads util timeout
     stop_all_long_lived_threads(0);//waiting for pending threads util timeout
     CPVEClass::instance().unload_enclave();

psw/ae/aesm_service/source/pse_op/PSEClass.cpp

@@ -65,23 +65,6 @@
             (ret) = AE_FAILURE; break; }              \
             else if ((ret) != 0) { break; }
 
-extern uint32_t upse_iclsInit();
-
-static ae_error_t thread_to_init_icls(aesm_thread_arg_type_t arg)
-{
-    UNUSED(arg);
-    AESM_DBG_INFO("start to init_icls");
-    // Just ignore the return value because the ME may still be working
-    uint32_t status_provision = upse_iclsInit();
-    if (status_provision != 0)
-    {
-        // Provisioning failed , maybe caused by missing of iCls client, etc.
-        AESM_LOG_INFO_ADMIN("%s", g_admin_event_string_table[SGX_ADMIN_EVENT_PS_INIT_START]);
-        // This is logged as a WARNING here, since the system may not require PS capability
-        AESM_LOG_INFO_ADMIN("%s", g_admin_event_string_table[SGX_ADMIN_EVENT_PS_INIT_FAIL_DAL]);
-    }
-    return AE_SUCCESS;
-}
 ae_error_t CPSEClass::init_ps(void)
 {
     // Try to establish PSDA session during startup
@@ -111,49 +94,19 @@ ae_error_t CPSEClass::init_ps(void)
 
     // Will fail if CSME is not provisioned
     ae_error_t ret = pPSDA->get_csme_gid(&PSDAService::instance().csme_gid);
-    bool bCalledIcls = false;
     if (ret != AE_SUCCESS) 
     {
-        // As long as get_csme_gid fails, call iclsInit to trigger provisioning
-        uint32_t status_provision = upse_iclsInit();
-        bCalledIcls = true;
-        if (status_provision != 0)
-        {
-            // Provisioning failed , maybe caused by missing of iCls client, etc.
-            AESM_LOG_INFO_ADMIN("%s", g_admin_event_string_table[SGX_ADMIN_EVENT_PS_INIT_START]);
-            // This is logged as a WARNING here, since the system may not require PS capability
-            AESM_LOG_WARN_ADMIN("%s", g_admin_event_string_table[SGX_ADMIN_EVENT_PS_INIT_FAIL_DAL]);
-            delete pPSDA;
-            pPSDA = NULL;
-            return AESM_PSE_PR_PSDA_PROVISION_ERROR;
-        }
-        else
-        {
-            // try to get CSME GID again
-            ret = pPSDA->get_csme_gid(&PSDAService::instance().csme_gid);
-            if (ret != AE_SUCCESS)
-            {
-                // Failed to get CSME GID
-                AESM_LOG_INFO_ADMIN("%s", g_admin_event_string_table[SGX_ADMIN_EVENT_PS_INIT_START]);
-                // This is logged as a WARNING here, since the system may not require PS capability
-                AESM_LOG_WARN_ADMIN("%s", g_admin_event_string_table[SGX_ADMIN_EVENT_PS_INIT_FAIL_DAL]);
-                delete pPSDA;
-                pPSDA = NULL;
-                return ret;
-            }
-        }
+        // Failed to get CSME GID
+        AESM_LOG_INFO_ADMIN("%s", g_admin_event_string_table[SGX_ADMIN_EVENT_PS_INIT_START]);
+        // This is logged as a WARNING here, since the system may not require PS capability
+        AESM_LOG_WARN_ADMIN("%s", g_admin_event_string_table[SGX_ADMIN_EVENT_PS_INIT_FAIL_DAL]);
+        delete pPSDA;
+        pPSDA = NULL;
+        return ret;
     }
     delete pPSDA;
     pPSDA = NULL;
 
-    if (!bCalledIcls)
-    {
-        // call iclsInit in a separate thread to trigger re-key if iclsInit was not called
-        ae_error_t ae_thread_ret = aesm_create_thread(thread_to_init_icls, 0, &icls_thread);
-        if (AE_SUCCESS != ae_thread_ret) {
-            AESM_DBG_WARN("Fail to create thread to init icls:( ae %d)", ae_thread_ret);
-        }
-    }
     // Set state to PROVISIONED
     m_status = PSE_STATUS_CSE_PROVISIONED;
 

psw/ae/aesm_service/source/pse_op/PSEClass.h

@@ -60,7 +60,6 @@ class CPSEClass: public SingletonEnclave<CPSEClass>
         m_status = PSE_STATUS_INIT;
         m_ps_cap = PS_CAP_NOT_AVAILABLE;
         m_freq = se_get_tick_count_freq();
-        icls_thread = NULL;
     };
     ~CPSEClass(){
     };
@@ -71,7 +70,6 @@ class CPSEClass: public SingletonEnclave<CPSEClass>
     uint64_t m_ps_cap;
     uint64_t m_freq;
 public:
-    aesm_thread_t icls_thread;
     ae_error_t init_ps(void);
 
     ae_error_t create_session(

psw/ae/aesm_service/source/upse/u_long_term_pairing.cpp

@@ -56,7 +56,6 @@
 
 #endif
 #define PSEPR_LOST_ENCLAVE_RETRY_COUNT        3
-extern uint32_t upse_iclsInit();
 
 
 // FLOW
@@ -106,12 +105,6 @@ ae_error_t create_sigma_long_term_pairing(bool* p_new_pairing)
 
             if(status == AESM_PSDA_NOT_PROVISONED_ERROR)
             {
-                // retry CSE Provision
-                if (upse_iclsInit() == 0)
-                {
-                    rcount--;
-                    continue;
-                }
                 break;
             }
 

psw/ae/aesm_service/source/upse/upse_iclsInit.cpp

@@ -229,9 +229,7 @@ int EnclaveCreatorSim::initialize(sgx_enclave_id_t enclave_id)
     assert(global_data_sim_ptr != NULL);
 
     // Initialize the `seed' to `g_global_data_sim'.
-    struct timespec ts;
-    clock_gettime(CLOCK_REALTIME, &ts);
-    global_data_sim_ptr->seed = (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
+    global_data_sim_ptr->seed = (uint64_t)time(NULL);
 
     global_data_sim_ptr->secs_ptr = ce->get_secs();
     sgx_cpu_svn_t temp_cpusvn = {{0}};

sdk/simulation/urtssim/enclave_creator_sim.cpp

@@ -202,7 +202,7 @@ extern "C" sgx_status_t sgx_unseal_data(const sgx_sealed_data_t *p_sealed_data,
     {
         return SGX_ERROR_INVALID_PARAMETER;
     }
-    if (!sgx_is_within_enclave(p_decrypted_text_length, sizeof(*p_decrypted_text_length)))
+    if (!sgx_is_within_enclave(p_decrypted_text_length, sizeof(p_decrypted_text_length)))
     {
         return SGX_ERROR_INVALID_PARAMETER;
     }
@@ -217,8 +217,8 @@ extern "C" sgx_status_t sgx_unseal_data(const sgx_sealed_data_t *p_sealed_data,
     }
 
     if((p_additional_MACtext_length != NULL) && 
-       (!(sgx_is_within_enclave(p_additional_MACtext_length, sizeof(*p_additional_MACtext_length)) ||
-          sgx_is_outside_enclave(p_additional_MACtext_length, sizeof(*p_additional_MACtext_length)))))
+       (!(sgx_is_within_enclave(p_additional_MACtext_length, sizeof(p_additional_MACtext_length)) ||
+          sgx_is_outside_enclave(p_additional_MACtext_length, sizeof(p_additional_MACtext_length)))))
     {
         return SGX_ERROR_INVALID_PARAMETER;
     }

sdk/tseal/tSeal.cpp

@@ -196,8 +196,8 @@ extern "C" sgx_status_t sgx_unmac_aadata(const sgx_sealed_data_t *p_sealed_data,
     {
         return SGX_ERROR_INVALID_PARAMETER;
     }
-    if(!(sgx_is_within_enclave(p_additional_MACtext_length, sizeof(*p_additional_MACtext_length)) ||
-        sgx_is_outside_enclave(p_additional_MACtext_length, sizeof(*p_additional_MACtext_length))))
+    if(!(sgx_is_within_enclave(p_additional_MACtext_length, sizeof(p_additional_MACtext_length)) ||
+        sgx_is_outside_enclave(p_additional_MACtext_length, sizeof(p_additional_MACtext_length))))
     {
         return SGX_ERROR_INVALID_PARAMETER;
     }