
skl012 bug testing code

daveti committed Dec 15, 2016
1 parent 5176a99 commit 373c9e6f3d0d70a172cf5315dce15151fa4271e1
Showing with 221 additions and 3 deletions.
  1. +82 −3 App/App.cpp
  2. +120 −0 Enclave/Enclave.cpp
  3. +6 −0 Enclave/Enclave.edl
  4. +13 −0 README.md
@@ -126,6 +126,35 @@ static sgx_errlist_t sgx_errlist[] = {
},
};
/* Copied from the enclave code */
/*
* Sensitive Ins covered by UMIP
* SGDT - Store Global Descriptor Table
* SIDT - Store Interrupt Descriptor Table
* SLDT - Store Local Descriptor Table
* SMSW - Store Machine Status Word
* STR - Store Task Register
*/
#define SEN_INS_SGDT 0
#define SEN_INS_SIDT 1
#define SEN_INS_SLDT 2
#define SEN_INS_SMSW 3
#define SEN_INS_STR 4
/* Def for x86_64 descriptor */
typedef struct {
unsigned long limit : 16;
unsigned long base : 64;
} __attribute__((packed)) dt_x86_64;
/* Global vars in the enclave */
static dt_x86_64 gdt = {0, 0};
static dt_x86_64 idt = {0, 0};
static unsigned long ldt = -1;
static unsigned long tr = -1;
static unsigned long msw = -1;
/* Check error conditions for loading enclave */
void print_error_message(sgx_status_t ret)
{
@@ -307,8 +336,8 @@ int query_sgx_status()
/* Application entry */
int SGX_CDECL main(int argc, char *argv[])
{
(void)(argc);
(void)(argv);
int idx = -1;
sgx_status_t ret;
#if defined(_MSC_VER)
if (query_sgx_status() < 0) {
@@ -317,7 +346,16 @@ int SGX_CDECL main(int argc, char *argv[])
getchar();
return -1;
}
#endif
#endif
if (argc != 2) {
printf("Only 1 parameter is expected ...\n");
return -1;
}
/* Get the sensitive instruction idx */
idx = strtol(argv[1], NULL, 10);
printf("Got senstive instruction idx: %d\n", idx);
/* Initialize the enclave */
if(initialize_enclave() < 0){
@@ -337,6 +375,47 @@ int SGX_CDECL main(int argc, char *argv[])
ecall_libcxx_functions();
ecall_thread_functions();
printf("Start sensitive instruction testing...\n");
/* Time to play cool stuffs */
switch (idx) {
case SEN_INS_SGDT:
if (do_sensitive_ins(global_eid, &ret, idx, sizeof(gdt), (char *)&gdt) != SGX_SUCCESS)
printf("do_sensitive_ins failed for SGDT instruction\n");
else
printf("GDT: limit=%04d, base=%016lx\n", gdt.limit, gdt.base);
break;
case SEN_INS_SIDT:
if (do_sensitive_ins(global_eid, &ret, idx, sizeof(idt), (char *)&idt) != SGX_SUCCESS)
printf("do_sensitive_ins failed for SIDT instruction\n");
else
printf("IDT: limit=%04d, base=%016lx\n", idt.limit, idt.base);
break;
case SEN_INS_SLDT:
if (do_sensitive_ins(global_eid, &ret, idx, sizeof(ldt), (char *)&ldt) != SGX_SUCCESS)
printf("do_sensitive_ins failed for SLDT instruction\n");
else
printf("LDT: %04lx\n", ldt);
break;
case SEN_INS_SMSW:
if (do_sensitive_ins(global_eid, &ret, idx, sizeof(msw), (char *)&msw) != SGX_SUCCESS)
printf("do_sensitive_ins failed for SMSW instruction\n");
else
printf("MSW: %04lx\n", msw);
break;
case SEN_INS_STR:
if (do_sensitive_ins(global_eid, &ret, idx, sizeof(tr), (char *)&tr) != SGX_SUCCESS)
printf("do_sensitive_ins failed for STR instruction\n");
else
printf("TR: %04lx\n", tr);
break;
default:
printf("Unsupported sensitive instruction idx: %d\n", idx);
break;
}
printf("Sensitive instruction testing done...\n");
/* Destroy the enclave */
sgx_destroy_enclave(global_eid);
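Review bot: In every case of the new `switch (idx)` in main, only the status returned by the generated `do_sensitive_ins` proxy is tested; the enclave's own result, stored in `ret`, is never read. If the enclave returns `SGX_ERROR_INVALID_PARAMETER` or `SGX_ERROR_UNEXPECTED`, the proxy call can still report `SGX_SUCCESS`, and the app then prints the untouched initial values as if they were register contents. Each case should also check `ret`, e.g. `if (do_sensitive_ins(global_eid, &ret, idx, sizeof(gdt), (char *)&gdt) != SGX_SUCCESS || ret != SGX_SUCCESS)`. Separately, `idx = strtol(argv[1], NULL, 10);` turns non-numeric input into 0, which selects SGDT; passing an end pointer and rejecting unparsed or out-of-range input would avoid that. main starts and ends outside the visible hunks.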
@@ -23,10 +23,130 @@
#include <stdarg.h>
#include <stdio.h> /* vsnprintf */
#include <string.h> /* memcpy */
#include "sgx_status.h"
#include "Enclave.h"
#include "Enclave_t.h" /* print_string */
/*
* Sensitive Ins covered by UMIP
* SGDT - Store Global Descriptor Table
* SIDT - Store Interrupt Descriptor Table
* SLDT - Store Local Descriptor Table
* SMSW - Store Machine Status Word
* STR - Store Task Register
*/
#define SEN_INS_SGDT 0
#define SEN_INS_SIDT 1
#define SEN_INS_SLDT 2
#define SEN_INS_SMSW 3
#define SEN_INS_STR 4
/* Def for x86_64 descriptor */
typedef struct {
unsigned long limit : 16;
unsigned long base : 64;
} __attribute__((packed)) dt_x86_64;
/* Global vars in the enclave */
static dt_x86_64 gdt = {0, 0};
static dt_x86_64 idt = {0, 0};
static unsigned long ldt = -1;
static unsigned long tr = -1;
static unsigned long msw = -1;
/*
* Wrappers for all inlines asms
*/
static void get_gdt(void)
{
asm volatile( "sgdt %0" : "=m"(gdt) );
}
static void get_idt(void)
{
asm volatile( "sidt %0" : "=m"(idt) );
}
static void get_ldt(void)
{
asm volatile( "sldt %0" : "=m"(ldt) );
}
static void get_msw(void)
{
asm volatile( "smsw %0" : "=m"(msw) );
}
static void get_tr(void)
{
asm volatile( "str %0" : "=m"(tr) );
}
/*
* do_sensitive_ins:
* Invokes ECALL to do inline asm using sensitive instructions.
* NOTE: since we could not call set_cpu_affinity inside the enclave,
* there is no way to guarantee that the GDT/IDT/LDT/MSW/STR are from
* the same CPU core.
*/
sgx_status_t do_sensitive_ins(int idx, int len, char *buf)
{
sgx_status_t rtn;
rtn = SGX_SUCCESS;
switch (idx) {
case SEN_INS_SGDT:
if (len != sizeof(dt_x86_64)) {
rtn = SGX_ERROR_INVALID_PARAMETER;
break;
}
get_gdt();
memcpy(buf, &gdt, len);
break;
case SEN_INS_SIDT:
if (len != sizeof(dt_x86_64)) {
rtn = SGX_ERROR_INVALID_PARAMETER;
break;
}
get_idt();
memcpy(buf, &idt, len);
break;
case SEN_INS_SLDT:
if (len != sizeof(unsigned long)) {
rtn = SGX_ERROR_INVALID_PARAMETER;
break;
}
get_ldt();
memcpy(buf, &ldt, len);
break;
case SEN_INS_SMSW:
if (len != sizeof(unsigned long)) {
rtn = SGX_ERROR_INVALID_PARAMETER;
break;
}
get_msw();
memcpy(buf, &msw, len);
break;
case SEN_INS_STR:
if (len != sizeof(unsigned long)) {
rtn = SGX_ERROR_INVALID_PARAMETER;
break;
}
get_tr();
memcpy(buf, &tr, len);
break;
default:
rtn = SGX_ERROR_UNEXPECTED;
break;
}
return rtn;
}
/*
* printf:
* Invokes OCALL to display the enclave buffer to the terminal.
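Review bot: In `get_ldt`, `get_msw` and `get_tr` the destination is an `unsigned long` memory operand, but SLDT, SMSW and STR store only 16 bits to memory, so the upper 48 bits of `ldt`, `msw` and `tr` keep their initial value of `-1`. `do_sensitive_ins` then copies all `sizeof(unsigned long)` bytes out, so the reported value would presumably read as `ffffffffffffXXXX` rather than the 16-bit result. Initialising these globals to 0 (`static unsigned long ldt = 0;`) or clearing them before each store keeps the output equal to what the instruction wrote. A short comment on the wrappers stating that only the low 16 bits are meaningful would also help readers of the test output.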
@@ -1,6 +1,12 @@
/* Enclave.edl - Top EDL file. */
enclave {
include "sgx_status.h"
trusted {
public sgx_status_t do_sensitive_ins(int idx, int len, [out,size=len] char *buf);
};
include "user_types.h" /* buffer_t */
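Review bot: The new ECALL declares `int len` and uses it as `size=len`, so a negative value supplied by the untrusted caller would likely be converted to a very large size in the generated bridge before the exact-length checks in `do_sensitive_ins` run. Declaring it as `size_t len` here and in Enclave.cpp removes the signed-to-unsigned conversion. Because this is a `public` ECALL that copies descriptor-table and machine-status state out of the enclave, a comment such as `/* test-only: exports SGDT/SIDT/SLDT/SMSW/STR results to the untrusted app */` would make clear that it is not meant to remain in a production enclave interface.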
@@ -0,0 +1,13 @@
sgxbug
PoC of the SGX CPU bug SKL012
The code is based on the SampleEnclave provided by the Intel SGX SDK for Linux
./app 0~4
Dec 9, 2016
root@davejingtian.org
http://davejingtian.org
