[PAL/Linux-SGX] Cross-verify SW signals vs HW exceptions
Previously, our trusted exception handler was lax with reported-by-host SW signals vs reported-by-SGX HW exceptions. The old code did not verify that the (untrusted) SW signal corresponds to the (trusted) HW exception. This could lead to cases where the host e.g. injects SIGILL (PAL_EVENT_ILLEGAL) whereas no corresponding #UD happened in the enclave, and this malicious SIGILL is delivered to the app.

This commit hardens cross-verification of SW signals vs HW exceptions. To add such functionality, the SGX asm code is modified to forward both the trusted EXITINFO value and the untrusted external-event value to the `_PalExceptionHandler()` function.

As part of this commit, two additional bugs are fixed:

- When enabled, the SGX EXINFO feature forces the CPU core to report #PF exceptions to the SGX enclave (in the EXITINFO/EXINFO SSA fields) whenever #PFs occur in the hardware, even if these #PFs are benign. By benign page faults we mean the ones that are handled completely by the host Linux kernel (more specifically, by the Linux SGX kernel driver). Such benign #PF exceptions should be considered spurious: they are reported to the SGX enclave (when `sgx.use_exinfo = true`), but they are completely resolved by the host Linux kernel and must be ignored by Gramine.
- Previously, EXINFO information and `has_hw_fault_address` applied only to #PF hardware exceptions. However, this info must be set on #GP exceptions too. Otherwise Gramine may fail with the "Tried to handle a memory fault with no faulting address ..." message on a #GP (if the manifest contains `sgx.use_exinfo = true`).

The vulnerability of mismatching SW signals vs HW exceptions was also independently found and reported to the Gramine team on 29 Nov 2023 by a team from ETH Zürich: Supraja Sridhara, Benedict Schlueter, Mark Kuhne, Andrin Bertschi and Shweta Shinde (emails: firstname.lastname@inf.ethz.ch).

Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii@intel.com>
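The check the commit message describes, as an added illustration that is not Gramine's code: a pure function that takes the trusted EXITINFO word from the SGX SSA and the untrusted event the host reports, and decides whether they agree. The `host_event` and `verdict` enums, `make_exitinfo`, `cross_verify` and the scenario table are assumptions made for this example (they are not `PAL_EVENT_*` or `_PalExceptionHandler()`); the exception vector numbers and the EXITINFO bit layout are the architectural ones from the Intel SDM. It covers the SIGILL-without-#UD injection, the spurious #PF that the host already resolved, and the #GP fault-address point from the two bug fixes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86 exception vectors (architectural numbers from the Intel SDM). */
#define X86_VEC_DE 0u   /* #DE divide error */
#define X86_VEC_UD 6u   /* #UD invalid opcode */
#define X86_VEC_GP 13u  /* #GP general protection */
#define X86_VEC_PF 14u  /* #PF page fault */

/* Layout of the EXITINFO field in the SGX State Save Area (Intel SDM):
 * bits 7:0 VECTOR, bits 10:8 EXIT_TYPE (011b = hardware, 110b = software), bit 31 VALID. */
#define EXITINFO_VECTOR_MASK    0xffu
#define EXITINFO_TYPE_SHIFT     8
#define EXITINFO_TYPE_MASK      0x7u
#define EXITINFO_TYPE_HW        0x3u
#define EXITINFO_TYPE_SW        0x6u
#define EXITINFO_VALID          (1u << 31)

/* Hypothetical codes for the untrusted event the host passes at enclave re-entry.
 * Stand-ins for this example only, not Gramine's PAL_EVENT_* values. */
enum host_event {
    HOST_EVENT_NONE = 0,     /* host reported nothing (plain resume) */
    HOST_EVENT_ARITHMETIC,   /* host says SIGFPE */
    HOST_EVENT_ILLEGAL,      /* host says SIGILL */
    HOST_EVENT_MEMFAULT,     /* host says SIGSEGV/SIGBUS */
    HOST_EVENT_INTERRUPTED,  /* host says an async signal such as SIGINT; no HW exception expected */
};

enum verdict {
    VERDICT_DELIVER,          /* SW signal and HW exception agree: deliver to the app */
    VERDICT_IGNORE_SPURIOUS,  /* benign #PF already resolved by the host: drop it */
    VERDICT_ASYNC_OK,         /* host-only event that legitimately has no HW exception */
    VERDICT_REJECT,           /* mismatch: treat the host-reported event as forged */
};

/* Build an EXITINFO word the way the CPU would (VALID bit set). */
uint32_t make_exitinfo(uint32_t vector, uint32_t exit_type) {
    return EXITINFO_VALID
         | ((exit_type & EXITINFO_TYPE_MASK) << EXITINFO_TYPE_SHIFT)
         | (vector & EXITINFO_VECTOR_MASK);
}

/* The SW signal the host is expected to report for a given trusted HW vector. */
static enum host_event expected_event_for_vector(uint32_t vector) {
    switch (vector) {
        case X86_VEC_DE: return HOST_EVENT_ARITHMETIC;
        case X86_VEC_UD: return HOST_EVENT_ILLEGAL;
        case X86_VEC_GP: /* fall through */
        case X86_VEC_PF: return HOST_EVENT_MEMFAULT;
        default:         return HOST_EVENT_NONE;  /* unmodelled vector: no signal matches */
    }
}

/* The EXINFO fault address is meaningful for #PF and, per the second bug fix, #GP too. */
bool has_hw_fault_address(uint32_t exitinfo) {
    if (!(exitinfo & EXITINFO_VALID))
        return false;
    uint32_t vector = exitinfo & EXITINFO_VECTOR_MASK;
    return vector == X86_VEC_PF || vector == X86_VEC_GP;
}

/* Cross-verify the untrusted host event against the trusted EXITINFO. */
enum verdict cross_verify(uint32_t exitinfo, enum host_event event) {
    if (!(exitinfo & EXITINFO_VALID)) {
        /* No HW exception occurred. Only asynchronous, host-originated events are
         * acceptable here; a synchronous fault signal with no matching exception
         * (e.g. SIGILL without #UD) is exactly the injection this check stops. */
        if (event == HOST_EVENT_NONE || event == HOST_EVENT_INTERRUPTED)
            return VERDICT_ASYNC_OK;
        return VERDICT_REJECT;
    }

    uint32_t type   = (exitinfo >> EXITINFO_TYPE_SHIFT) & EXITINFO_TYPE_MASK;
    uint32_t vector = exitinfo & EXITINFO_VECTOR_MASK;
    if (type != EXITINFO_TYPE_HW && type != EXITINFO_TYPE_SW)
        return VERDICT_REJECT;  /* malformed EXITINFO: trust neither side */

    enum host_event expected = expected_event_for_vector(vector);
    if (expected != HOST_EVENT_NONE && event == expected)
        return VERDICT_DELIVER;

    /* With EXINFO enabled the CPU reports every #PF, including ones the host kernel
     * resolved itself. The host then reports no signal, and the fault must be ignored. */
    if (vector == X86_VEC_PF && event == HOST_EVENT_NONE)
        return VERDICT_IGNORE_SPURIOUS;

    return VERDICT_REJECT;  /* HW exception and SW signal disagree */
}

int main(void) {
    /* Constructed scenarios, including the SIGILL-without-#UD injection from the commit message. */
    uint32_t ud = make_exitinfo(X86_VEC_UD, EXITINFO_TYPE_HW);
    uint32_t pf = make_exitinfo(X86_VEC_PF, EXITINFO_TYPE_HW);
    printf("#UD + SIGILL          -> verdict %d (deliver = %d)\n", cross_verify(ud, HOST_EVENT_ILLEGAL), VERDICT_DELIVER);
    printf("no exception + SIGILL -> verdict %d (reject = %d)\n", cross_verify(0, HOST_EVENT_ILLEGAL), VERDICT_REJECT);
    printf("#PF + no signal       -> verdict %d (spurious = %d)\n", cross_verify(pf, HOST_EVENT_NONE), VERDICT_IGNORE_SPURIOUS);
    return 0;
}
```

The decision is deliberately anchored on the trusted side: EXITINFO comes from the CPU and cannot be altered by the host, so the host's event is only ever allowed to confirm what the hardware already recorded, never to introduce a fault the hardware did not see.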
Showing 3 changed files with 147 additions and 66 deletions.