Merge #339

bors[bot] · ssavvides · web-flow · commit 0edaf72598b8 · 2021-08-18T06:07:16.000Z
339: `sgx-detect` support for confidentiality-only protection EPC r=jethrogb a=ssavvides Fixes #332 Co-authored-by: Savvas Savvides <savvas.savvides@fortanix.com>
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/sgxs-tools/Cargo.toml b/sgxs-tools/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "sgxs-tools"
-version = "0.8.4"
+version = "0.8.5"
 authors = ["Fortanix, Inc."]
 license = "MPL-2.0"
 description = """
diff --git a/sgxs-tools/src/sgx_detect/interpret.rs b/sgxs-tools/src/sgx_detect/interpret.rs
@@ -121,6 +121,7 @@ impl From<CpuidResult> for Cpuid12h1 {
 pub enum EpcType {
     Invalid,
     ConfidentialityIntegrityProtected,
+    ConfidentialityProtectedOnly,
     Unknown,
 }
 
@@ -146,6 +147,7 @@ impl From<(u32, CpuidResult)> for Cpuid12hEnum {
                 let ty = match v.ecx & 0xf {
                     0 => EpcType::Invalid,
                     1 => EpcType::ConfidentialityIntegrityProtected,
+                    2 => EpcType::ConfidentialityProtectedOnly,
                     n => {
                         warn!("CPUID 12h, sub-leaf {} (EPC section) unknown EPC type: {:x}h. EAX={:08x}, EBX={:08x}, ECX={:08x}, EDX={:08x}", subleaf, n, v.eax, v.ebx, v.ecx, v.edx);
                         EpcType::Unknown
@@ -314,7 +316,7 @@ impl From<Vec<u8>> for EfiSoftwareguardstatus {
 pub enum AesmStatus {
     Absent,
     Installed,
-    Running
+    Running,
 }
 
 #[derive(Debug, Clone, Default, Serialize, Deserialize)]
diff --git a/sgxs-tools/src/sgx_detect/main.rs b/sgxs-tools/src/sgx_detect/main.rs
@@ -219,7 +219,7 @@ impl EinittokenProvider for TimeoutHardError<AesmClient> {
 }
 
 impl SgxSupport {
-    fn detect(env_config :tests::EnvConfig) -> Self {
+    fn detect(env_config: tests::EnvConfig) -> Self {
         fn rcerr<T>(v: Result<T, Error>) -> Result<T, Rc<Error>> {
             v.map_err(Rc::new)
         }
@@ -290,7 +290,7 @@ impl SgxSupport {
         let nodeagent_status = (|| {
             let mut response = reqwest::get("http://localhost:9092/v1/sys/version")?;
             let ver: NodeAgentVersion = response.json()?;
-            Ok(NodeAgentVersion{version: ver.version})
+            Ok(NodeAgentVersion { version: ver.version })
         })();
         let permdaemon_status = (|| -> Result<(), Error> {
             let mut isgx = false;
@@ -371,7 +371,7 @@ fn main() {
         (@arg PLAIN:    --plaintext                                             "Disable color and UTF-8 output")
         (@arg VERBOSE:  --verbose -v                                            "Print extra information when encountering issues")
         (@group environment_type =>
-            (@arg ENCLAVE_OS: --("enclave-os")                                   "Run extra diagnostics tests for EnclaveOS")
+            (@arg ENCLAVE_OS: --("enclave-os")                                  "Run extra diagnostics tests for EnclaveOS")
             (@arg ENCLAVE_MANAGER: --("enclave-manager")                        "Run extra diagnostics tests for Enclave Manager")
             (@arg DATA_SHIELD: --("data-shield")                                "Run extra diagnostics tests for Data Shield")
         )
diff --git a/sgxs-tools/src/sgx_detect/proc_macro.rs b/sgxs-tools/src/sgx_detect/proc_macro.rs
@@ -220,7 +220,7 @@ pub fn dependency(
         panic = Some("Adding dependencies after `define_dependencies!` invocation".into());
     }
     if let Some(msg) = panic {
-        panic!(msg);
+        panic!("{}", msg);
     }
 
     item
diff --git a/sgxs-tools/src/sgx_detect/tests/mod.rs b/sgxs-tools/src/sgx_detect/tests/mod.rs
@@ -155,7 +155,7 @@ impl Print for SgxCpuConfiguration {
 struct EnclaveAttributes {
     standard_attributes: bool,
     kss: bool,
-    cpuid_12h_1: Result<Cpuid12h1, Rc<Error>>
+    cpuid_12h_1: Result<Cpuid12h1, Rc<Error>>,
 }
 
 #[dependency]
@@ -198,8 +198,16 @@ impl Print for EnclaveAttributes {
 #[optional_inner]
 #[derive(Clone, Update)]
 struct EnclavePageCache {
-    total_size: u64,
+    // Total size of confidentiality and integrity protected EPC
+    total_size_cip: u64,
+
+    // Total size of confidentiality protected only EPC
+    total_size_cpo: u64,
+
+    // Whether any pages were identified as unknown
     any_unknown: bool,
+
+    // Intel SGX Capability Enumeration Leaf
     cpuid_12h_epc: Result<Vec<Cpuid12hEnum>, Rc<Error>>,
 }
 
@@ -210,30 +218,38 @@ impl Dependency<SgxCpuSupport> for EnclavePageCache {
     fn update_dependency(&mut self, dependency: &SgxCpuSupport, support: &SgxSupport) {
         self.inner = match (&dependency.inner, &support.cpuid_12h_epc) {
             (Some(SgxCpuSupportInner { sgx: Ok(true) }), Ok(c)) => {
-                let mut total_size = 0;
+                let mut total_size_cip = 0;
+                let mut total_size_cpo = 0;
                 let mut any_unknown = false;
                 for section in c {
                     match section {
                         Cpuid12hEnum::Epc {
                             ty: EpcType::ConfidentialityIntegrityProtected,
                             phys_size,
                             ..
-                        } => total_size += phys_size,
+                        } => total_size_cip += phys_size,
+                        Cpuid12hEnum::Epc {
+                            ty: EpcType::ConfidentialityProtectedOnly,
+                            phys_size,
+                            ..
+                        } => total_size_cpo += phys_size,
                         Cpuid12hEnum::Invalid => unreachable!(),
                         _ => any_unknown = true,
                     }
                 }
 
                 Some(EnclavePageCacheInner {
-                    total_size,
+                    total_size_cip,
+                    total_size_cpo,
                     any_unknown,
-                    cpuid_12h_epc: Ok(c.clone())
+                    cpuid_12h_epc: Ok(c.clone()),
                 })
-            },
+            }
             (Some(_), c) => Some(EnclavePageCacheInner {
-                total_size: 0,
+                total_size_cip: 0,
+                total_size_cpo: 0,
                 any_unknown: true,
-                cpuid_12h_epc: c.clone()
+                cpuid_12h_epc: c.clone(),
             }),
             _ => None,
         };
@@ -249,7 +265,7 @@ impl Print for EnclavePageCache {
     fn supported(&self) -> Status {
         match self.inner {
             // Minimum useful EPC size: 1 VA + 1 SECS + 2 REG + 1 TCS
-            Some(EnclavePageCacheInner { total_size, .. }) if total_size >= 0x5000 => {
+            Some(EnclavePageCacheInner { total_size_cip, total_size_cpo, .. }) if total_size_cip >= 0x5000 || total_size_cpo >= 0x5000 => {
                 Status::Supported
             }
             Some(EnclavePageCacheInner {
@@ -336,14 +352,27 @@ impl Print for EpcSize {
     }
 
     fn print(&self, level: usize) {
+        fn epc_size_unit(total_size: u64) -> (f64, &'static str) {
+            let mut epc_size = total_size as f64 / 1024.0 / 1024.0;
+            let mut epc_unit = "MiB";
+            if epc_size >= 1024.0 {
+                epc_size /= 1024.0;
+                epc_unit = "GiB";
+            }
+            (epc_size, epc_unit)
+        }
+
         if let Some(epc) = &self.epc {
-            println!(
-                "{:width$}{}: {:.1}MiB",
-                "",
-                self.name(),
-                epc.total_size as f64 / (1048576.),
-                width = level * 2
-            );
+            print!("{:width$}{}:", "", self.name(), width = level * 2);
+            if epc.total_size_cip > 0 {
+                let (epc_size, epc_unit) = epc_size_unit(epc.total_size_cip);
+                print!(" {:.1}{}", epc_size, epc_unit);
+            }
+            if epc.total_size_cpo > 0 {
+                let (epc_size, epc_unit) = epc_size_unit(epc.total_size_cpo);
+                print!(" {:.1}{} (no integrity protection)", epc_size, epc_unit);
+            }
+            println!();
         }
     }
 }
@@ -398,7 +427,7 @@ impl Print for FlcCpuSupport {
 #[derive(Clone, Default, Update)]
 struct FlcCpuConfiguration {
     sgx_conf: Status,
-    msr_3ah: Option<Result<Msr3ah, Rc<Error>>>
+    msr_3ah: Option<Result<Msr3ah, Rc<Error>>>,
 }
 
 #[dependency]
@@ -533,7 +562,7 @@ impl Update for DeviceLoader {
             },
             #[cfg(windows)]
             devpath: Err(Rc::new(IoError::new(ErrorKind::NotFound, "Device Driver Path not supported in Windows").into())),
-            modstatus: support.sgxdev_status.clone()
+            modstatus: support.sgxdev_status.clone(),
         });
     }
 }
@@ -877,7 +906,7 @@ struct EnclaveManager {
     version: Result<String, Rc<Error>>,
 }
 
-impl Update for EnclaveManager{
+impl Update for EnclaveManager {
     fn update(&mut self, support: &SgxSupport) {
         self.inner = Some(EnclaveManagerInner {
             version: match support.node_agent.clone() {
@@ -894,7 +923,7 @@ impl Print for EnclaveManager {
     }
 
     fn print(&self, level: usize) {
-        if self.supported() == Status::Supported  {
+        if self.supported() == Status::Supported {
             println!("{:width$}{}{} ({})", "", self.supported().paint(), self.name(), self.inner.as_ref().map(|inner| inner.version.clone().unwrap()).unwrap(), width = level * 2);
         } else {
             println!("{:width$}{}{}", "", self.supported().paint(), self.name(), width = level * 2);
@@ -908,7 +937,7 @@ struct PermDaemon {
     service: Result<(), Rc<Error>>,
 }
 
-impl Update for PermDaemon{
+impl Update for PermDaemon {
     fn update(&mut self, support: &SgxSupport) {
         self.inner = Some(PermDaemonInner {
             service: support.perm_daemon.clone()
@@ -923,7 +952,7 @@ impl Print for PermDaemon {
 
     fn print(&self, level: usize) {
         if self.supported() == Status::Supported {
-            println!( "{:width$}{}{}", "", self.supported().paint(), self.name(), width = level * 2);
+            println!("{:width$}{}{}", "", self.supported().paint(), self.name(), width = level * 2);
         } else {
             println!("{:width$}{}{} {}", "", self.supported().paint(), self.name(), "(Okay if container runtime is CRI-O (openshift))", width = level * 2);
         }
diff --git a/sgxs-tools/src/sgx_detect/tests/scaffold.rs b/sgxs-tools/src/sgx_detect/tests/scaffold.rs
@@ -33,7 +33,7 @@ pub enum EnvConfig {
 }
 
 impl Default for EnvConfig {
-    fn default() -> Self {EnvConfig::Generic}
+    fn default() -> Self { EnvConfig::Generic }
 }
 
 pub trait Print: Name {
@@ -97,7 +97,7 @@ pub type TypeIdIdx = u8;
 pub struct DetectItemMap {
     next: TypeIdIdx,
     map: FnvHashMap<TypeId, TypeIdIdx>,
-    store: Vec<Box<dyn DetectItem>>
+    store: Vec<Box<dyn DetectItem>>,
 }
 
 impl DetectItemMap {

Original file line number	Diff line number	Diff line change
`@@ -220,7 +220,7 @@ pub fn dependency(`
`220`	`220`	panic = Some("Adding dependencies after `define_dependencies!` invocation".into());
`221`	`221`	`}`
`222`	`222`	`if let Some(msg) = panic {`
`223`		`- panic!(msg);`
	`223`	`+ panic!("{}", msg);`
`224`	`224`	`}`
`225`	`225`
`226`	`226`	`item`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ pub enum EnvConfig {`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`impl Default for EnvConfig {`
`36`		`- fn default() -> Self {EnvConfig::Generic}`
	`36`	`+ fn default() -> Self { EnvConfig::Generic }`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`pub trait Print: Name {`
`@@ -97,7 +97,7 @@ pub type TypeIdIdx = u8;`
`97`	`97`	`pub struct DetectItemMap {`
`98`	`98`	`next: TypeIdIdx,`
`99`	`99`	`map: FnvHashMap<TypeId, TypeIdIdx>,`
`100`		`- store: Vec<Box<dyn DetectItem>>`
	`100`	`+ store: Vec<Box<dyn DetectItem>>,`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`impl DetectItemMap {`