diff --git a/SampleCode/SampleEnclave/Enclave/Edger8rSyntax/Pointers.cpp b/SampleCode/SampleEnclave/Enclave/Edger8rSyntax/Pointers.cpp
index a64e10df5..0b09eaa91 100644
--- a/SampleCode/SampleEnclave/Enclave/Edger8rSyntax/Pointers.cpp
+++ b/SampleCode/SampleEnclave/Enclave/Edger8rSyntax/Pointers.cpp
@@ -69,6 +69,9 @@ size_t ecall_pointer_user_check(void *val, size_t sz)
if (sgx_is_outside_enclave(val, sz) != 1)
abort();
+ /*fence after sgx_is_outside_enclave check*/
+ __builtin_ia32_lfence();
+
char tmp[100] = {0};
size_t len = sz>100?100:sz;
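Review bot: The new comment `/*fence after sgx_is_outside_enclave check*/` says where the fence is but not what it defends against, so a later maintainer may read `__builtin_ia32_lfence();` as dead code and drop it; `/* lfence: stop speculative execution past the abort() above if the sgx_is_outside_enclave branch mispredicts */` states the intent. The same terse form is used by the simple_vector.cpp and tkey_exchange.cpp hunks (`//fence after boundary check`) and would benefit from the same wording. ecall_pointer_user_check continues past the end of this hunk.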
diff --git a/common/inc/internal/se_version.h b/common/inc/internal/se_version.h
index dfde598eb..e09e94a4a 100644
--- a/common/inc/internal/se_version.h
+++ b/common/inc/internal/se_version.h
@@ -28,6 +28,6 @@
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
-#define STRFILEVER "2.1.42002"
-#define COPYRIGHT "Copyright (C) 2017 Intel Corporation"
+#define STRFILEVER "2.1.101.42529"
+#define COPYRIGHT "Copyright (C) 2018 Intel Corporation"
diff --git a/download_prebuilt.sh b/download_prebuilt.sh
index 4cf7871d0..7b869cded 100755
--- a/download_prebuilt.sh
+++ b/download_prebuilt.sh
@@ -66,4 +66,3 @@ if [ $? -ne 0 ]; then
fi
pushd $out_dir;tar -xf $optlib_name;tar -xf $ae_file_name;rm -f $optlib_name;rm -f $ae_file_name;popd
-
diff --git a/psw/ae/data/prebuilt/le_prod_css.bin b/psw/ae/data/prebuilt/le_prod_css.bin
index ed66ad7ff..eb58216f4 100644
Binary files a/psw/ae/data/prebuilt/le_prod_css.bin and b/psw/ae/data/prebuilt/le_prod_css.bin differ
diff --git a/psw/ae/pce/config.xml b/psw/ae/pce/config.xml
index 7f0e92757..5ccfda8c3 100644
--- a/psw/ae/pce/config.xml
+++ b/psw/ae/pce/config.xml
@@ -3,7 +3,7 @@
1
0
0x1
- 4
+ 5
1
0
1
diff --git a/psw/ae/pse/pse_op/config.xml b/psw/ae/pse/pse_op/config.xml
index d947c85a8..f014763f4 100644
--- a/psw/ae/pse/pse_op/config.xml
+++ b/psw/ae/pse/pse_op/config.xml
@@ -3,7 +3,7 @@
0
0
0x2
- 4
+ 6
1
0
1
diff --git a/psw/ae/pse/pse_pr/config.xml b/psw/ae/pse/pse_pr/config.xml
index a13ecbed2..d830ba42f 100644
--- a/psw/ae/pse/pse_pr/config.xml
+++ b/psw/ae/pse/pse_pr/config.xml
@@ -3,7 +3,7 @@
0
0
0x2
- 4
+ 6
1
0
1
diff --git a/psw/ae/pve/config.xml b/psw/ae/pve/config.xml
index 08e38dac6..332eefc62 100644
--- a/psw/ae/pve/config.xml
+++ b/psw/ae/pve/config.xml
@@ -3,7 +3,7 @@
1
0
0x1
- 5
+ 6
1
0
1
diff --git a/psw/ae/pve/provision_enclave.cpp b/psw/ae/pve/provision_enclave.cpp
index 9af74fafa..b970e776c 100644
--- a/psw/ae/pve/provision_enclave.cpp
+++ b/psw/ae/pve/provision_enclave.cpp
@@ -137,6 +137,12 @@ uint32_t proc_prov_msg2_data_wrapper(
goto ret_point;
}
+ //
+ // for user_check SigRL input
+ // based on sigrl_size input parameter
+ //
+ __builtin_ia32_lfence();
+
if((sigrl==NULL&&sigrl_size!=0)||
(sigrl!=NULL&&sigrl_size==0)){
status = PVEC_PARAMETER_ERROR;
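Review bot: The fence is placed before the sigrl/sigrl_size consistency check that follows it, yet its comment says it is `based on sigrl_size input parameter`; as written it can only serialize whichever branch ends at the `goto ret_point` above, and that branch starts outside this hunk. If the branch to fence is the NULL/size check, `__builtin_ia32_lfence();` should move below that `if` block; otherwise the comment should name the check it actually follows. proc_prov_msg2_data_wrapper continues past this hunk on both sides.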
diff --git a/psw/ae/pve/provision_msg2.cpp b/psw/ae/pve/provision_msg2.cpp
index 7363e6113..4fa3b0b2c 100644
--- a/psw/ae/pve/provision_msg2.cpp
+++ b/psw/ae/pve/provision_msg2.cpp
@@ -243,6 +243,13 @@ pve_status_t proc_prov_msg2_data(const proc_prov_msg2_blob_input_t *msg2_blob_in
if(NULL!=emp_sigrl){
//process sigrl_header for hash value generation (used by ECDSA signature)
ret = prov_msg2_proc_sigrl_header( emp_sigrl, sigrl_size, &msg3_parm);
+
+ //
+ // for user_check SigRL input
+ // based on n2 field in SigRL
+ //
+ __builtin_ia32_lfence();
+
if( PVEC_SUCCESS!=ret )
goto ret_point;
}
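Review bot: The fence sits between the `prov_msg2_proc_sigrl_header` call and the test of its return value, so the `if( PVEC_SUCCESS!=ret ) goto ret_point;` branch itself is left unfenced, and code after the block that consumes msg3_parm could still run speculatively on a failed header parse. If that return-value branch also gates use of the SigRL contents, placing `__builtin_ia32_lfence();` after the goto covers both it and the n2-based checks done inside the helper. proc_prov_msg2_data continues past the hunk.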
diff --git a/psw/ae/qe/config.xml b/psw/ae/qe/config.xml
index 9a8083ec0..6cbcb20bb 100644
--- a/psw/ae/qe/config.xml
+++ b/psw/ae/qe/config.xml
@@ -3,7 +3,7 @@
0
0
0x1
- 5
+ 6
1
0
1
diff --git a/psw/ae/qe/quoting_enclave.cpp b/psw/ae/qe/quoting_enclave.cpp
index 41fd1d949..8b187cea1 100644
--- a/psw/ae/qe/quoting_enclave.cpp
+++ b/psw/ae/qe/quoting_enclave.cpp
@@ -943,6 +943,13 @@ uint32_t get_quote(
quote buffer outside enclave. */
if(!sgx_is_outside_enclave(emp_sig_rl, sig_rl_size))
return QE_PARAMETER_ERROR;
+
+ //
+ // for user_check SigRL input
+ // based on quote_size input parameter
+ //
+ __builtin_ia32_lfence();
+
if(!sgx_is_outside_enclave(emp_quote, quote_size))
return QE_PARAMETER_ERROR;
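Review bot: The comment says the fence is `based on quote_size input parameter`, but the `quote_size` check is the one after the fence, not before it; the branch the fence actually follows is the `sgx_is_outside_enclave(emp_sig_rl, sig_rl_size)` test. Either the comment should read `// based on sig_rl_size input parameter` or `__builtin_ia32_lfence();` should move below the emp_quote check so it covers both tests. get_quote continues outside this hunk; the second get_quote hunk's comment is consistent with where its fence is placed.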
@@ -1073,6 +1080,12 @@ uint32_t get_quote(
goto CLEANUP;
}
+ //
+ // for user_check SigRL input
+ // based on n2 field in SigRL
+ //
+ __builtin_ia32_lfence();
+
/* Copy the data in the report into quote body. */
memset(emp_quote, 0, quote_size);
quote_body.version = QE_QUOTE_VERSION;
diff --git a/psw/urts/parser/elfparser.cpp b/psw/urts/parser/elfparser.cpp
index 230aede6c..b65902164 100644
--- a/psw/urts/parser/elfparser.cpp
+++ b/psw/urts/parser/elfparser.cpp
@@ -946,7 +946,6 @@ bool ElfParser::set_memory_protection(uint64_t enclave_base_addr, bool is_after_
for (int idx = 0; idx < elf_hdr->e_phnum; idx++, prg_hdr++)
{
if(prg_hdr->p_type == PT_DYNAMIC ||
- prg_hdr->p_type == PT_GNU_EH_FRAME ||
prg_hdr->p_type == PT_GNU_RELRO)
{
rva = TRIM_TO_PAGE(enclave_base_addr + prg_hdr->p_vaddr);
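Review bot: Removing PT_GNU_EH_FRAME from this condition changes which program headers set_memory_protection re-protects, and nothing in the hunk records why; a reader cannot tell whether the old behaviour was a bug or the new one is a deliberate relaxation. A one-line comment above the `if`, such as `// PT_GNU_EH_FRAME is intentionally not handled here: <reason — confirm>`, would preserve that decision next to the code. The loop body and the function continue past this hunk.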
diff --git a/sdk/edger8r/linux/CodeGen.ml b/sdk/edger8r/linux/CodeGen.ml
index 6305a66c8..714617634 100644
--- a/sdk/edger8r/linux/CodeGen.ml
+++ b/sdk/edger8r/linux/CodeGen.ml
@@ -934,7 +934,8 @@ let gen_parm_ptr_direction_pre (plist: Ast.pdecl list) =
\t\tif (%s%s(%s) != %s) {\n\
\t\t\tstatus = SGX_ERROR_INVALID_PARAMETER;\n\
\t\t\tgoto err;\n\
-\t\t}" (mk_len_count v) fn in_ptr_name len_var
+\t\t}\n\n\
+\t\t//\n\t\t// fence after final sizefunc check\n\t\t//\n\t\t__builtin_ia32_lfence();\n\n" (mk_len_count v) fn in_ptr_name len_var
in
let malloc_and_copy pre_indent =
match attr.Ast.pa_direction with
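Review bot: The emitted fence is embedded as a literal inside the format string here and again as a separate literal in the gen_func_tbridge hunk, with different indentation and comment text (`fence after final sizefunc check` vs `fence after pointer checks`); two inline copies of generated C invite drift. One binding such as `let gen_lfence (indent: string) (why: string) = sprintf "%s//\n%s// %s\n%s//\n%s__builtin_ia32_lfence();\n" indent indent why indent indent`, used from both places, keeps the generated code uniform and makes the fence easy to find. gen_parm_ptr_direction_pre begins before this hunk.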
@@ -1148,13 +1149,14 @@ let gen_func_tbridge (fd: Ast.func_decl) (dummy_var: string) =
in
sprintf "%s%s%s\t%s\n\t%s\n%s" func_open local_vars dummy_var check_pms invoke_func func_close
else
- sprintf "%s%s\t%s\n%s\n%s%s\n%s\t%s\n%s\n%s\n%s"
+ sprintf "%s%s\t%s\n%s\n%s%s\n%s\n%s\n\t%s\n%s\n%s\n%s"
func_open
(mk_check_pms fd.Ast.fname)
declare_ms_ptr
local_vars
(gen_check_tbridge_length_overflow fd.Ast.plist)
(gen_check_tbridge_ptr_parms fd.Ast.plist)
+ "\n\t//\n\t// fence after pointer checks\n\t//\n\t__builtin_ia32_lfence();\n"
(gen_parm_ptr_direction_pre fd.Ast.plist)
(if fd.Ast.rtype <> Ast.Void then update_retval else invoke_func)
(gen_err_mark fd.Ast.plist)
@@ -1175,7 +1177,6 @@ let tproxy_fill_ms_field (pd: Ast.pdecl) =
sprintf "\n#pragma message(\"Pointer array `%s' in trusted proxy `\"\
__FUNCTION__ \"' is dangerous. No code generated.\")\n" name
else
- let in_ptr_dst_name = mk_in_ptr_dst_name attr.Ast.pa_rdonly parm_accessor in
if not attr.Ast.pa_chkptr (* [user_check] specified *)
then sprintf "%s = SGX_CAST(%s, %s);" parm_accessor tystr name
else
@@ -1184,8 +1185,24 @@ let tproxy_fill_ms_field (pd: Ast.pdecl) =
let code_template =
[sprintf "if (%s != NULL && sgx_is_within_enclave(%s, %s)) {" name name len_var;
sprintf "\t%s = (%s)__tmp;" parm_accessor tystr;
+ sprintf "\t__tmp_%s = __tmp;" name;
+ sprintf "\tmemset(__tmp_%s, 0, %s);" name len_var;
+ sprintf "\t__tmp = (void *)((size_t)__tmp + %s);" len_var;
+ sprintf "} else if (%s == NULL) {" name;
+ sprintf "\t%s = NULL;" parm_accessor;
+ "} else {";
+ "\tsgx_ocfree();";
+ "\treturn SGX_ERROR_INVALID_PARAMETER;";
+ "}"
+ ]
+ in List.fold_left (fun acc s -> acc ^ s ^ "\n\t") "" code_template
+ | Ast.PtrInOut ->
+ let code_template =
+ [sprintf "if (%s != NULL && sgx_is_within_enclave(%s, %s)) {" name name len_var;
+ sprintf "\t%s = (%s)__tmp;" parm_accessor tystr;
+ sprintf "\t__tmp_%s = __tmp;" name;
+ sprintf "\tmemcpy(__tmp_%s, %s, %s);" name name len_var;
sprintf "\t__tmp = (void *)((size_t)__tmp + %s);" len_var;
- sprintf "\tmemset(%s, 0, %s);" in_ptr_dst_name len_var;
sprintf "} else if (%s == NULL) {" name;
sprintf "\t%s = NULL;" parm_accessor;
"} else {";
@@ -1198,8 +1215,8 @@ let tproxy_fill_ms_field (pd: Ast.pdecl) =
let code_template =
[sprintf "if (%s != NULL && sgx_is_within_enclave(%s, %s)) {" name name len_var;
sprintf "\t%s = (%s)__tmp;" parm_accessor tystr;
+ sprintf "\tmemcpy(__tmp, %s, %s);" name len_var;
sprintf "\t__tmp = (void *)((size_t)__tmp + %s);" len_var;
- sprintf "\tmemcpy(%s, %s, %s);" in_ptr_dst_name name len_var;
sprintf "} else if (%s == NULL) {" name;
sprintf "\t%s = NULL;" parm_accessor;
"} else {";
@@ -1230,6 +1247,19 @@ let gen_tproxy_local_vars (plist: Ast.pdecl list) =
let gen_ocalloc_block (fname: string) (plist: Ast.pdecl list) =
let ms_struct_name = mk_ms_struct_name fname in
let local_vars_block = sprintf "%s* %s = NULL;\n\tsize_t ocalloc_size = sizeof(%s);\n\tvoid *__tmp = NULL;\n\n" ms_struct_name ms_struct_val ms_struct_name in
+ let local_var (attr: Ast.ptr_attr) (name: string) =
+ if not attr.Ast.pa_chkptr then ""
+ else
+ match attr.Ast.pa_direction with
+ Ast.PtrOut | Ast.PtrInOut -> sprintf "\tvoid *__tmp_%s = NULL;\n" name
+ | _ -> ""
+ in
+ let do_local_var (pd: Ast.pdecl) =
+ let (pty, declr) = pd in
+ match pty with
+ Ast.PTVal _ -> ""
+ | Ast.PTPtr (_, attr) -> local_var attr declr.Ast.identifier
+ in
let count_ocalloc_size (ty: Ast.atype) (attr: Ast.ptr_attr) (name: string) =
if not attr.Ast.pa_chkptr then ""
else sprintf "\tocalloc_size += (%s != NULL && sgx_is_within_enclave(%s, %s)) ? %s : 0;\n" name name (mk_len_var name) (mk_len_var name)
@@ -1252,8 +1282,9 @@ let gen_ocalloc_block (fname: string) (plist: Ast.pdecl list) =
in
let new_param_list = List.map conv_array_to_ptr plist
in
- let s1 = List.fold_left (fun acc pd -> acc ^ do_count_ocalloc_size pd) local_vars_block new_param_list in
- List.fold_left (fun acc s -> acc ^ s) s1 do_gen_ocalloc_block
+ let s1 = List.fold_left (fun acc pd -> acc ^ do_local_var pd) local_vars_block new_param_list in
+ let s2 = List.fold_left (fun acc pd -> acc ^ do_count_ocalloc_size pd) s1 new_param_list in
+ List.fold_left (fun acc s -> acc ^ s) s2 do_gen_ocalloc_block
(* Generate trusted proxy code for a given untrusted function. *)
let gen_func_tproxy (ufunc: Ast.untrusted_func) (idx: int) =
@@ -1270,7 +1301,7 @@ let gen_func_tproxy (ufunc: Ast.untrusted_func) (idx: int) =
let name = declr.Ast.identifier in
match attr.Ast.pa_direction with
Ast.PtrInOut | Ast.PtrOut ->
- sprintf "\tif (%s) memcpy((void*)%s, %s, %s);\n" name name (mk_parm_accessor name) (mk_len_var name)
+ sprintf "\tif (%s) memcpy((void*)%s, __tmp_%s, %s);\n" name name name (mk_len_var name)
| _ -> ""
in List.fold_left (fun acc (pty, declr) ->
match pty with
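Review bot: The copy-back now reads from `__tmp_<name>`, but that local is only declared when `attr.Ast.pa_chkptr` is set (the `local_var` helper added in the gen_ocalloc_block hunk returns "" otherwise); if this fold is not also guarded on `pa_chkptr` — any such guard sits outside the hunk — the generated proxy for a `[user_check]` out/inout pointer would reference an undeclared `__tmp_<name>` and fail to compile. Gating the arm as `Ast.PtrInOut | Ast.PtrOut when attr.Ast.pa_chkptr ->` makes that dependency explicit regardless of what the surrounding code does. gen_func_tproxy starts before this hunk and continues after it.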
diff --git a/sdk/protected_fs/sgx_tprotected_fs/Makefile b/sdk/protected_fs/sgx_tprotected_fs/Makefile
index 653f2dd90..86a510474 100644
--- a/sdk/protected_fs/sgx_tprotected_fs/Makefile
+++ b/sdk/protected_fs/sgx_tprotected_fs/Makefile
@@ -54,7 +54,7 @@ LIBNAME := libsgx_tprotected_fs.a
all: $(LIBNAME) | $(BUILD_DIR)
@$(CP) $< $|
-$(LIBNAME): sgx_tprotected_fs_t.h $(OBJ)
+$(LIBNAME): $(OBJ)
$(AR) rcsD $@ $(OBJ)
sgx_tprotected_fs_t.h: $(EDGER8R)
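Review bot: Dropping `sgx_tprotected_fs_t.h` from the `$(LIBNAME)` prerequisites is only safe if the object rule still lists the header, otherwise a clean checkout can compile the sources before edger8r has produced it; that rule is outside this hunk, so confirm it mirrors the untrusted Makefile's `$(OBJ): %.o :%.cpp sgx_tprotected_fs_u.h`, which the sgx_uprotected_fs hunk keeps. The rest of this Makefile is not visible here.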
diff --git a/sdk/protected_fs/sgx_uprotected_fs/Makefile b/sdk/protected_fs/sgx_uprotected_fs/Makefile
index 37f750cee..5c1215263 100644
--- a/sdk/protected_fs/sgx_uprotected_fs/Makefile
+++ b/sdk/protected_fs/sgx_uprotected_fs/Makefile
@@ -50,17 +50,18 @@ LIBNAME := libsgx_uprotected_fs.a
all: $(LIBNAME) | $(BUILD_DIR)
$(CP) $< $|
-$(LIBNAME): sgx_tprotected_fs_u.h $(OBJ)
+$(LIBNAME): $(OBJ)
$(AR) rcsD $@ $(OBJ)
sgx_tprotected_fs_u.h: $(EDGER8R)
$(EDGER8R) --header-only --untrusted $(COMMON_DIR)/inc/sgx_tprotected_fs.edl --search-path $(COMMON_DIR)/inc
-$(OBJ): %.o :%.cpp sgx_tprotected_fs_u.h
- $(CXX) $(CXXFLAGS) $(INCLUDE) -c $< -o $@
$(EDGER8R):
$(MAKE) -C $(EDGER8R_DIR)
+$(OBJ): %.o :%.cpp sgx_tprotected_fs_u.h
+ $(CXX) $(CXXFLAGS) $(INCLUDE) -c $< -o $@
+
$(BUILD_DIR):
@$(MKDIR) $@
diff --git a/sdk/tkey_exchange/simple_vector.cpp b/sdk/tkey_exchange/simple_vector.cpp
index e791f16ea..46a1995aa 100644
--- a/sdk/tkey_exchange/simple_vector.cpp
+++ b/sdk/tkey_exchange/simple_vector.cpp
@@ -101,6 +101,10 @@ errno_t vector_get(const simple_vector* v, uint32_t index, void** data)
{
if (!v || index >= v->size || !data)
return 1;
+
+ //fence after boundary check
+ __builtin_ia32_lfence();
+
*data = v->data[index];
return 0;
}
diff --git a/sdk/tkey_exchange/tkey_exchange.cpp b/sdk/tkey_exchange/tkey_exchange.cpp
index 4b791b325..87118245c 100644
--- a/sdk/tkey_exchange/tkey_exchange.cpp
+++ b/sdk/tkey_exchange/tkey_exchange.cpp
@@ -395,6 +395,8 @@ extern "C" sgx_status_t sgx_ra_get_msg3_trusted(
if (!sgx_is_outside_enclave(emp_msg3, msg3_size))
return SGX_ERROR_INVALID_PARAMETER;
+ //fence after boundary check
+ __builtin_ia32_lfence();
sgx_status_t se_ret = SGX_ERROR_UNEXPECTED;
diff --git a/sdk/trts/init_enclave.cpp b/sdk/trts/init_enclave.cpp
index 129933aad..6d39fdbc6 100644
--- a/sdk/trts/init_enclave.cpp
+++ b/sdk/trts/init_enclave.cpp
@@ -95,6 +95,7 @@ extern "C" int init_enclave(void *enclave_base, void *ms)
{
return -1;
}
+ __builtin_ia32_lfence();
const system_features_t sys_features = *info;
g_sdk_version = sys_features.version;
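Review bot: The `__builtin_ia32_lfence();` is added with no comment, unlike the other fences in this change, so the next reader cannot tell which branch it serializes; `// fence: do not read *info speculatively if the preceding check on info mispredicts` records the intent (that check ends at the `return -1` above and starts outside the hunk, so confirm it is the one on info). The two trts_ecall.cpp hunks (is_ecall_allowed and trts_ecall) add bare fences the same way and need the same one-line comment, naming the check each one follows — presumably the ordinal validation and the ordinal-derived `addr` lookup respectively.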
diff --git a/sdk/trts/trts_ecall.cpp b/sdk/trts/trts_ecall.cpp
index 960af3d0b..a4579e0a6 100644
--- a/sdk/trts/trts_ecall.cpp
+++ b/sdk/trts/trts_ecall.cpp
@@ -55,6 +55,9 @@ static sgx_status_t is_ecall_allowed(uint32_t ordinal)
return SGX_ERROR_INVALID_FUNCTION;
}
thread_data_t *thread_data = get_thread_data();
+
+ __builtin_ia32_lfence();
+
if(thread_data->last_sp == thread_data->stack_base_addr)
{
// root ECALL, check the priv bits.
@@ -241,6 +244,9 @@ static sgx_status_t trts_ecall(uint32_t ordinal, void *ms)
if(status == SGX_SUCCESS)
{
ecall_func_t func = (ecall_func_t)addr;
+
+ __builtin_ia32_lfence();
+
status = func(ms);
}
diff --git a/sdk/tseal/tSeal_internal.cpp b/sdk/tseal/tSeal_internal.cpp
index cdb205914..59a341eda 100644
--- a/sdk/tseal/tSeal_internal.cpp
+++ b/sdk/tseal/tSeal_internal.cpp
@@ -137,6 +137,15 @@ sgx_status_t sgx_unseal_data_helper(const sgx_sealed_data_t *p_sealed_data, uint
// Return error indicating the blob is corrupted
return SGX_ERROR_MAC_MISMATCH;
}
+
+ //
+ // code that calls sgx_unseal_data commonly does some sanity checks
+ // related to plain_text_offset. We add fence here since we don't
+ // know what crypto code does and if plain_text_offset-related
+ // checks mispredict the crypto code could operate on unintended data
+ //
+ __builtin_ia32_lfence();
+
err = sgx_rijndael128GCM_decrypt(&seal_key, const_cast(p_sealed_data->aes_data.payload),
decrypted_text_length, p_decrypted_text, &payload_iv[0], SGX_SEAL_IV_SIZE,
const_cast(&(p_sealed_data->aes_data.payload[decrypted_text_length])), additional_MACtext_length,