Add readv and writev syscalls for SGX

[lkatalin]

This is a draft. In particular, it needs some help with casting pointers in a safe and correct way.

Resolves #375 and resolves #376

[npmccallum]

Suggested change

	let iovec = unsafe { from_raw_parts_mut(iovec as *mut Iovec, iovcnt) }; // ???
	let mut bufsize: usize = 0;
	for i in 0..iovcnt {
	bufsize += iovec[i].size;
	}
	let bufsize = trusted.iter().fold(0, |a, e| a + e.size);

[npmccallum]

Suggested change

	let size = bufsize + size_of::<Iovec>() * iovcnt;
	let size = bufsize + size_of::<Iovec>() * trusted.len();

[npmccallum]

Suggested change

	let map = unsafe { from_raw_parts_mut(map as *mut Iovec, iovcnt) };
	let untrusted = unsafe { from_raw_parts_mut(map as *mut Iovec, iovcnt) };

[npmccallum]

The general strategy with my naming here is to always communicate to future readers whether the types are trusted or not. We want to avoid accidents...

[npmccallum]

I'm not sure I understand the question here.

[lkatalin]

I was thinking of whether I'm allowed to do map.as_ptr() due to: "The memory referenced by the returned slice must not be accessed through any other pointer (not derived from the return value) for the duration of lifetime 'a. Both read and write accesses are forbidden." from https://doc.rust-lang.org/core/slice/fn.from_raw_parts_mut.html. But since the pointer is derived from the original 'map', maybe it's okay.

[npmccallum]

@lkatalin What it means in this case is don't access the memory in this region. You can still use the base pointer to calculate a new pointer to memory after the region without harm.

[lkatalin]

@npmccallum Ah okay, thanks as usual for the insights.

[npmccallum]

Suggested change

	for i in 0..iovcnt {
	for (t, u) in trusted.iter().zip(untrusted.iter()) {

[npmccallum]

Suggested change

	map[i].base = chunk as *mut u8;
	chunk = chunk + iovec[i].size;
	u.base = chunk;
	u.size = t.size;
	chunk = chunk.add(t.size);

[npmccallum]

Don't free this until after you are done copying it...

[lkatalin]

You mean after copy_nonoverlapping, right? I was confused about this because in read() the ufree is called immediately after the syscall, which I didn't understand.

[npmccallum]

@lkatalin You probably don't understand it because it probably doesn't work. I was a bad boy and didn't test read() obviously... :)

[lkatalin]

Fair enough!

[npmccallum]

Iterate over the slice rather than using an index. However, keep in mind that we handed the whole array of iovecs to the untrusted host. That means that we need to validate that the values haven't been manipulated. For example, the host might replace iovec[0].base with a pointer to enclave memory in order to trick us into copying encrypted memory somewhere else. So, like we did when initializing the array, we need to iterate over both slices. Validate that the untrusted iovec hasn't been modified (and trigger attacked() if it has; that is suspicious behavior). Then do the copy.

Alternatively, we could take advantage of the contiguousness of the map buffer to bypass the untrusted array altogether. This would probably be fewer instructions. However, we'd bypass an opportunity to detect malicious behavior. So I'd prefer to be slightly slower and more security conscious.

[lkatalin]

For example, the host might replace iovec[0].base with a pointer to enclave memory ... Validate that the untrusted iovec hasn't been modified

@npmccallum For now, I'm assuming this validation means to check that none of the base pointers refer to something inside enclave memory. If there are other checks that should be done here, please let me know. I'll also continue to think on it.

I'm fine with doing the slower and more security-conscious version.

[npmccallum]

Testing that the base pointers (and base+size pointers) aren't inside the enclave is a weaker version of the testing I had in mind. I wanted to recreate the exact expected base and size that it should be and validate that the results haven't been tampered with in any way.

[npmccallum]

Suggested change

	let iovec = self.aex.gpr.rsi as *mut u8;
	let iovcnt = self.aex.gpr.rdx as usize;
	let trusted = unsafe {
	from_raw_parts_mut(
	self.aex.gpr.rsi as *mut Iovec,
	self.aex.gpr.rdx as usize
	);
	};

[npmccallum]

@lkatalin Also note that clippy is giving you really good feedback here.

[npmccallum]

I'm not at all a fan of casting a pointer through an integer to get rid of the alignment warning. All that does it hide the problem.

I think a better strategy here is to convert the map to a byte slice immediately. Then use split_at_mut to divide the slice into the iovec prefix and the buffer suffix. Then use align_to_mut to convert the prefix from a byte slice into an iovec slice.

[lkatalin]

@npmccallum Good point; I've tried to do it better here without casting through an integer.

[npmccallum]

Suggested change

	let (pre, untrusted, suf) = unsafe { uiovec.align_to_mut::<Iovec>() };
	if pre != [] || suf != [] {
	self.attacked();
	}
	let (_, untrusted, _) = unsafe { uiovec.align_to_mut::<Iovec>() };
	if untrusted.len() != trusted.len() {
	self.attacked();
	}

[lkatalin]

This does make way more sense as a method of checking the same thing. Thank you.

[npmccallum]

Instead of converting the ubuffer to a pointer and then doing pointer math, instead track the offset and convert a subslice to a pointer. That will remove the untrusted code block.

[npmccallum]

Same as above.

[npmccallum]

Suggested change

	self.ufree(map.as_ptr() as *mut u8, size as u64);
	}
	ret
	}
	self.ufree(map.as_ptr() as *mut u8, size as u64);
	ret

[lkatalin]

This also makes lots more sense.

[lkatalin]

However, I can't move this because ret is known only within the unsafe block.

[npmccallum]

Suggested change

	let ret = self.syscall(
	SysCall::READV,
	fd,
	untrusted.as_ptr() as _,
	trusted.len() as u64,
	0,
	0,
	0,
	);
	let ret = unsafe {
	self.syscall(
	SysCall::READV,
	fd,
	untrusted.as_ptr() as _,
	trusted.len() as u64,
	0,
	0,
	0,
	)
	};

[npmccallum]

That enables you to reduce the size of the unsafe block significantly.

[lkatalin]

Right! Yes, I should have done this.

[npmccallum]

This cast doesn't do what you think it does. It converts the byte at offset to a *const u8.

[npmccallum]

Use the slice method copy_from_slice() instead.

[lkatalin]

Since u.base is a *mut u8, would I not have to turn it into a slice with the unsafe core::slice::from_raw_parts_mut in order to use that method? That would result in the same number unsafe lines here (1). Is there a better way?

[npmccallum]

You know the offset into the ubuffer, which is already a slice.

[npmccallum]

prefix = sizeof * len

[npmccallum]

Suggested change

	trusted.len() as u64,
	untrusted.len() as u64,

These values are the same. But I think this is slightly more readable.

[npmccallum]

This struct probably belongs in nolibc.

[lkatalin]

@npmccallum I put the Iovec into nolibc. I hope I used the lifetimes correctly. There is probably some room for improvement there.

I also went ahead and included the writev call as well.

I am pretty sure since a Rust slice is a wrapper for a pointer that the way I copy them after converting to a slice from Iovec should work to update the memory pointed to without any further assignments, but it is worth double checking (ex. ln 308).

[npmccallum]

impl AsRef<[u8]> and impl AsMut<[u8]>

[npmccallum]

Suggested change

	/// Buffer used by readv() and writev() syscalls
	#[repr(C)]
	pub struct Iovec<'a, T: 'a> {
	/// Buffer start address
	pub base: *mut T,
	/// Number of bytes to transfer
	pub size: usize,
	phantom: core::marker::PhantomData<&'a T>,
	}
	/// Buffer used by readv() and writev() syscalls
	#[repr(C)]
	pub struct Iovec<'a> {
	/// Buffer start address
	pub base: *mut u8,
	/// Number of bytes to transfer
	pub size: usize,
	phantom: core::marker::PhantomData<&'a T>,
	}

That doesn't do what you think it does.

[lkatalin]

I need to learn more about this, obviously. I thought it would tie the lifetime to the base. For now, Rust won't let me compile it without the T in the struct parameters: pub struct Iovec<'a, T> since it's required in PhantomData. I changed the T in the base to a u8.

[npmccallum]

We don't need two loops in this case. Also, we can drop the attacked check.

[npmccallum]

Move this to immediately after the syscall.

[npmccallum]

This mostly looks good. We're almost there!

[npmccallum]

Suggested change

	#[repr(C)]
	pub struct Iovec<'a, T> {
	/// Buffer start address
	pub base: *mut u8,
	/// Number of bytes to transfer
	pub size: usize,
	phantom: core::marker::PhantomData<&'a T>,
	}
	#[repr(C)]
	pub struct Iovec<'a> {
	/// Buffer start address
	pub base: *mut u8,
	/// Number of bytes to transfer
	pub size: usize,
	phantom: core::marker::PhantomData<&'a ()>,
	}

[lkatalin]

I didn't realize one could do this. Seems much better!

[npmccallum]

Suggested change

	t.as_mut().copy_from_slice(u.as_mut());
	t.as_mut().copy_from_slice(u.as_ref());

[npmccallum]

Properly wrap the paragraph.

[npmccallum]

Suggested change

	u.as_mut().copy_from_slice(t.as_mut());
	u.as_mut().copy_from_slice(t.as_ref());