Fine tune OCALL opt-out granularity.

Previously, even if an enclave does not use a particular ocall, the ocall will still exist in the host binary since the ocall implementation was placed in the same file as some other symbol that the application (host) needs. To solve this, OCALLS for some core system edls are placed into separate c files whereever possible. This ensures that if an enclave does not need an ocall, the implementation of the ocall will not be picked up. Note: Weak Symbols (OE_WEAK_ALIAS) is not a viable solution since the linker will still link in the weak symbol if it is placed in a file that contains another symbol needed by the application. fixes openenclave#3254 fixes openenclave#3255 Note: Not all system ocall implementations have been moved to separate C files. Signed-off-by: Anand Krishnamoorthi <[email protected]>
BRMcLaren · Aug 19, 2020 · 868126b · 868126b
1 parent c9884d1
commit 868126b
Show file tree

Hide file tree

Showing 15 changed files with 228 additions and 200 deletions.
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
@@ -228,7 +228,9 @@ if (OE_SGX)
     sgx/exception.c
     sgx/load.c
     sgx/loadelf.c
-    sgx/ocalls.c
+    sgx/ocalls/debug.c
+    sgx/ocalls/ocalls.c
+    sgx/ocalls/thread.c
     sgx/quote.c
     sgx/registers.c
     sgx/report.c
@@ -320,7 +322,10 @@ list(
   ../common/argv.c
   asym_keys.c
   calls.c
-  ocalls.c
+  ocalls/log.c
+  ocalls/ocalls.c
+  ocalls/memory.c
+  ocalls/write.c
   error.c
   files.c
   fopen.c

diff --git a/host/linux/time.c b/host/linux/time.c
@@ -4,7 +4,7 @@
 #include <errno.h>
 #include <openenclave/internal/time.h>
 #include <time.h>
-#include "../ocalls.h"
+#include "../ocalls/ocalls.h"
 
 static const uint64_t _SEC_TO_MSEC = 1000UL;
 static const uint64_t _MSEC_TO_NSEC = 1000000UL;

diff --git a/host/ocalls.c b/host/ocalls.c
diff --git a/host/ocalls/log.c b/host/ocalls/log.c
@@ -0,0 +1,18 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <openenclave/internal/calls.h>
+#include <openenclave/internal/raise.h>
+#include <openenclave/internal/trace.h>
+
+#include "core_u.h"
+
+/* A dummy ocall used to check if the logging.edl is imported. */
+void oe_log_is_supported_ocall()
+{
+}
+
+void oe_log_ocall(uint32_t log_level, const char* message)
+{
+    oe_log_message(true, (oe_log_level_t)log_level, message);
+}
diff --git a/host/ocalls/memory.c b/host/ocalls/memory.c
@@ -0,0 +1,9 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include "core_u.h"
+
+void* oe_realloc_ocall(void* ptr, size_t size)
+{
+    return realloc(ptr, size);
+}
diff --git a/host/ocalls/ocalls.c b/host/ocalls/ocalls.c
@@ -0,0 +1,18 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <stdlib.h>
+
+#include "core_u.h"
+#include "ocalls.h"
+
+void HandleMalloc(uint64_t arg_in, uint64_t* arg_out)
+{
+    if (arg_out)
+        *arg_out = (uint64_t)malloc(arg_in);
+}
+
+void HandleFree(uint64_t arg)
+{
+    free((void*)arg);
+}
diff --git a/host/ocalls.h → host/ocalls/ocalls.h b/host/ocalls.h → host/ocalls/ocalls.h
diff --git a/host/ocalls/write.c b/host/ocalls/write.c
@@ -0,0 +1,17 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <stdio.h>
+
+#include "core_u.h"
+
+void oe_write_ocall(int device, const char* str, size_t maxlen)
+{
+    if (str && (device == 0 || device == 1))
+    {
+        FILE* stream = (device == 0) ? stdout : stderr;
+        size_t len = strnlen(str, maxlen);
+        fprintf(stream, "%.*s", (int)len, str);
+        fflush(stream);
+    }
+}
diff --git a/host/optee/linux/enclave.c b/host/optee/linux/enclave.c
@@ -9,7 +9,7 @@
 #include <openenclave/internal/safemath.h>
 
 #include "../../calls.h"
-#include "../../ocalls.h"
+#include "../../ocalls/ocalls.h"
 #include "enclave.h"
 
 // clang-format off

diff --git a/host/sgx/calls.c b/host/sgx/calls.c
@@ -31,10 +31,10 @@
 #include <openenclave/internal/utils.h>
 #include "../calls.h"
 #include "../hostthread.h"
-#include "../ocalls.h"
+#include "../ocalls/ocalls.h"
 #include "asmdefs.h"
 #include "enclave.h"
-#include "ocalls.h"
+#include "ocalls/ocalls.h"
 
 /*
 **==============================================================================

diff --git a/host/sgx/ocalls/debug.c b/host/sgx/ocalls/debug.c
@@ -0,0 +1,135 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <openenclave/internal/argv.h>
+#include <openenclave/internal/elf.h>
+#include <openenclave/internal/raise.h>
+#include <openenclave/internal/safecrt.h>
+#include <openenclave/internal/safemath.h>
+
+#include "../enclave.h"
+#include "platform_u.h"
+
+static char** _backtrace_symbols(
+    oe_enclave_t* enclave,
+    void* const* buffer,
+    int size)
+{
+    char** ret = NULL;
+
+    elf64_t elf = ELF64_INIT;
+    bool elf_loaded = false;
+    size_t malloc_size = 0;
+    const char unknown[] = "<unknown>";
+    char* ptr = NULL;
+
+    if (!enclave || enclave->magic != ENCLAVE_MAGIC || !buffer || !size)
+        goto done;
+
+    /* Open the enclave ELF64 image */
+    {
+        if (elf64_load(enclave->path, &elf) != 0)
+            goto done;
+
+        elf_loaded = true;
+    }
+
+    /* Determine total memory requirements */
+    {
+        /* Calculate space for the array of string pointers */
+        if (oe_safe_mul_sizet((size_t)size, sizeof(char*), &malloc_size) !=
+            OE_OK)
+            goto done;
+
+        /* Calculate space for each string */
+        for (int i = 0; i < size; i++)
+        {
+            const uint64_t vaddr = (uint64_t)buffer[i] - enclave->addr;
+            const char* name = elf64_get_function_name(&elf, vaddr);
+
+            if (!name)
+                name = unknown;
+
+            if (oe_safe_add_sizet(malloc_size, strlen(name), &malloc_size) !=
+                OE_OK)
+                goto done;
+
+            if (oe_safe_add_sizet(malloc_size, sizeof(char), &malloc_size) !=
+                OE_OK)
+                goto done;
+        }
+    }
+
+    /* Allocate the array of string pointers, followed by the strings */
+    if (!(ptr = (char*)malloc(malloc_size)))
+        goto done;
+
+    /* Set pointer to array of strings */
+    ret = (char**)ptr;
+
+    /* Skip over array of strings */
+    ptr += (size_t)size * sizeof(char*);
+
+    /* Copy strings into return buffer */
+    for (int i = 0; i < size; i++)
+    {
+        const uint64_t vaddr = (uint64_t)buffer[i] - enclave->addr;
+        const char* name = elf64_get_function_name(&elf, vaddr);
+
+        if (!name)
+            name = unknown;
+
+        size_t name_size = strlen(name) + sizeof(char);
+        oe_memcpy_s(ptr, name_size, name, name_size);
+        ret[i] = ptr;
+        ptr += name_size;
+    }
+
+done:
+
+    if (elf_loaded)
+        elf64_unload(&elf);
+
+    return ret;
+}
+
+oe_result_t oe_sgx_backtrace_symbols_ocall(
+    oe_enclave_t* oe_enclave,
+    const uint64_t* buffer,
+    size_t size,
+    void* symbols_buffer,
+    size_t symbols_buffer_size,
+    size_t* symbols_buffer_size_out)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    char** strings = NULL;
+
+    /* Reject invalid parameters. */
+    if (!oe_enclave || !buffer || size > OE_INT_MAX || !symbols_buffer_size_out)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    /* Convert the addresses into symbol strings. */
+    if (!(strings =
+              _backtrace_symbols(oe_enclave, (void* const*)buffer, (int)size)))
+    {
+        OE_RAISE(OE_FAILURE);
+    }
+
+    *symbols_buffer_size_out = symbols_buffer_size;
+
+    OE_CHECK(oe_argv_to_buffer(
+        (const char**)strings,
+        size,
+        symbols_buffer,
+        symbols_buffer_size,
+        symbols_buffer_size_out));
+
+    result = OE_OK;
+
+done:
+
+    if (strings)
+        free(strings);
+
+    return result;
+}