On Mon, Mar 23, 2020 at 05:46:30AM +0200, Jarkko Sakkinen wrote:
> Improve encl.lds to create an ELF image that can be easily loaded without
> needing the conversion to a raw binary. This is achieved by adding PHDRS to
> encl.lds that describes the different segments.
>
> With a simple Python program it is easy to see that the changes result in a
> sane memory layout [1]:
>
> Flags Start End
> rw- 0x0000000000200000 0x0000000000201000
> r-x 0x0000000000201000 0x0000000000202000
> rw- 0x0000000000202000 0x0000000000205000
>
> These are the start and end positions in the enclave ELF image for
> different enclave memory areas. Since all the sections are marked as being
> allocated, an ELF enclave loader can be solely based on p_offset, p_memsz
> and p_flags fields of struct Elf64_Phdr.
>
> [1]
> import sys
> from elftools.elf.elffile import ELFFile
>
> PAGE_SIZE = 0x1000
>
> if __name__ == '__main__':
> flags2str = ['---', '--x', '-w-', '-wx', 'r--', 'r-x', 'rw-', 'rwx']
>
> if len(sys.argv) != 2:
> sys.exit(1)
>
> with open(sys.argv[1], 'rb') as file:
> file = ELFFile(file)
>
> print('{:<5} {:<18} {:<18}'.format('Flags', 'Start', 'End'))
>
> for seg in file.iter_segments():
> if seg['p_type'] != 'PT_LOAD':
> continue
>
> flags = flags2str[seg['p_flags']]
>
> start = seg['p_offset'] & ~(PAGE_SIZE - 1)
> end = start +
> (seg['p_filesz'] + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1)
>
> print('{:<5} 0x{:0>16x} 0x{:0>16x}'.format(flags, start, end))
>
> Cc: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>
> ---
> tools/testing/selftests/sgx/encl.lds | 14 ++++++++++----
> tools/testing/selftests/sgx/encl_bootstrap.S | 2 +-
> 2 files changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/tools/testing/selftests/sgx/encl.lds b/tools/testing/selftests/sgx/encl.lds
> index 9a56d3064104..0fbbda7e665e 100644
> --- a/tools/testing/selftests/sgx/encl.lds
> +++ b/tools/testing/selftests/sgx/encl.lds
> @@ -1,25 +1,31 @@
> OUTPUT_FORMAT(elf64-x86-64)
>
> +PHDRS
> +{
> + tcs PT_LOAD;
> + text PT_LOAD;
> + data PT_LOAD;
> +}
> +
> SECTIONS
> {
> . = 0;
> .tcs : {
> *(.tcs*)
> - }
> + } : tcs
>
> . = ALIGN(4096);
> .text : {
> *(.text*)
> *(.rodata*)
> - }
> + } : text
>
> . = ALIGN(4096);
> .data : {
> *(.data*)
> - }
> + } : data
>
> /DISCARD/ : {
> - *(.data*)
> *(.comment*)
> *(.note*)
> *(.debug*)
> diff --git a/tools/testing/selftests/sgx/encl_bootstrap.S b/tools/testing/selftests/sgx/encl_bootstrap.S
> index 3a1479f1cdcf..b9ea6130e422 100644
> --- a/tools/testing/selftests/sgx/encl_bootstrap.S
> +++ b/tools/testing/selftests/sgx/encl_bootstrap.S
> @@ -7,7 +7,7 @@
> .byte 0x0f, 0x01, 0xd7
> .endm
>
> - .section ".tcs", "a"
> + .section ".tcs", "aw"
> .balign 4096
>
> .fill 1, 8, 0 # STATE (set by CPU)
> --
> 2.25.1
>
These changes have been squashed to my tree. Please provide patches
if something feels not right.
The changes were live coded on a Geminilake NUC that I brought home
last week and are tested quite extensively.
The place for improvement would be to call sgx_encl_build_segment()
based on segments in the program header table so that the permissions
would be assigned dynamically.
/Jarkko
