#165 Abort hanged enclave thread by SIGUSR1

fortanix · Jul 4, 2023 · 51ef300 · 51ef300
1 parent cdaabde
commit 51ef300
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 2 deletions.
diff --git a/intel-sgx/enclave-runner/src/usercalls/mod.rs b/intel-sgx/enclave-runner/src/usercalls/mod.rs
@@ -14,6 +14,8 @@ use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering};
 use std::sync::Arc;
 use std::task::{Context, Poll, Waker};
 use std::thread::{self, JoinHandle};
+#[cfg(unix)]
+use std::os::unix::thread::JoinHandleExt;
 use std::time::{self, Duration};
 use std::{cmp, fmt, str};
 
@@ -993,6 +995,8 @@ impl EnclaveState {
             EnclaveState::syscall_loop(enclave.clone(), io_queue_receive, io_queue_send, work_sender);
 
         for handler in join_handlers {
+            #[cfg(unix)]
+            unsafe { libc::pthread_kill(handler.as_pthread_t(), signal::SIGUSR1 as _); }
             let _ = handler.join();
         }
         return main_result;
@@ -1027,7 +1031,7 @@ impl EnclaveState {
             entry: CoEntry::Initial(main.tcs, argv as _, argc as _, 0, 0, 0),
         };
 
-        let num_of_worker_threads = num_cpus::get();
+        let num_of_worker_threads = if num_cpus::get() == 1 {2} else {num_cpus::get()};
 
         let kind = EnclaveKind::Command(Command {
             panic_reason: Mutex::new(PanicReason {

diff --git a/intel-sgx/fortanix-sgx-tools/src/bin/ftxsgx-runner.rs b/intel-sgx/fortanix-sgx-tools/src/bin/ftxsgx-runner.rs
@@ -21,7 +21,8 @@ use nix::sys::signal;
 use sgxs_loaders::isgx::Device as IsgxDevice;
 #[cfg(windows)]
 use sgxs_loaders::enclaveapi::Sgx as IsgxDevice;
-
+#[cfg(unix)]
+use libc::{ucontext_t, REG_RIP};
 use clap::{App, Arg};
 
 arg_enum!{
@@ -47,6 +48,31 @@ fn catch_sigbus() {
     }
 }
 
+#[cfg(unix)]
+fn catch_sigusr1() {
+    unsafe {
+        extern "C" fn handle_sigusr1(_signo: c_int, _info: *mut siginfo_t, _context: *mut c_void) {
+            eprintln!("SIGUSR1 triggered, thread_id: {:?}", std::thread::current().id());
+            let instruction_ptr = unsafe { (*(_context as *mut ucontext_t)).uc_mcontext.gregs[REG_RIP as usize] as *const u8};
+            const ENCLU: [u8; 3] = [0x0f, 0x01, 0xd7];
+            let is_enclu = ENCLU.iter().enumerate().all(|(idx, v)| {
+                unsafe { *instruction_ptr.offset(idx as isize) == *v }
+            });
+            let _ = stderr().flush();
+            if is_enclu {
+                // At enclu instruction - force IP to the next instruction after enclu
+                unsafe { (*(_context as *mut ucontext_t)).uc_mcontext.gregs[REG_RIP as usize] += 3 }
+                eprintln!("Enclave thread {:?} hanged and aboarted by the signal", std::thread::current().id());
+            }
+        }
+
+        // POC: Need to think about what signal to send & hook
+        let hdl = signal::SigHandler::SigAction(handle_sigusr1);
+        let sig_action = signal::SigAction::new(hdl, signal::SaFlags::empty(), signal::SigSet::empty());
+        signal::sigaction(signal::SIGUSR1, &sig_action).unwrap();
+    }
+}
+
 fn main() -> Result<(), Error> {
     let args = App::new("ftxsgx-runner")
         .arg(
@@ -88,6 +114,7 @@ fn main() -> Result<(), Error> {
     let enclave = enclave_builder.build(&mut device).context("While loading SGX enclave")?;
 
     #[cfg(unix)] catch_sigbus();
+    #[cfg(unix)] catch_sigusr1();
 
     enclave.run().map_err(|e| {
         eprintln!("Error while executing SGX enclave.\n{}", e);