32-bit support for SGX-Step

[JagoGyselinck]

This pull request adds support for 32-bit enclaves to SGX-Step.
When targeting 64-bit, there should be no changes to the build process.

I've made temporary/rough build instructions, which are added below. When everything
has been verified to work, they can be rewritten and added to README.md or maybe a specific build
document so as to not bother people who do not care about 32-bit support.

32-bit SGX-Step

Requirements:

• SGX-Enabled platform
• Unmodified linux-sgx
• Unmodified linux-sgx-driver
• SGX-Step with 32-bit compatibility
• Precompiled 64-bit PSW installation package

Building & Running

01 Install the unmodified Linux-sgx driver.

02 Follow the steps in the SGX-Step readme to clone the linux-sgx repo.

03 Apply the patches to the SGX-SDK:

cd linux-sgx
patch -p1 < ../0000-32bit-compatibility-fixes.patch
patch -p1 < ../0001-Support-to-reconfigure-Asynchronous-Exit-Pointer-AEP.patch
patch -p1 < ../0002-Add-support-to-retrieve-most-recently-used-TCS-point.patch
patch -p1 < ../0003-Support-to-set-enclave-load-location.patch

• While the Linux SGX-SDK is equipped to produce a 32-bit SDK installation
  package, there are some small errors an warnings that need to be surpressed
  for it to build. The 0000 patch fixes these.

• The 0001, 0002 patches are the existing patches for SGX-Step

• The 0003 patch adds an extra modification to the urts library so that
  the load address of an enclave can be suggested by the attacker.

04 Build the SGX-SDK installation package

32-bit enclaves require a 32-bit SDK to function.
The requirements to build are the same as described
in the linux-sgx repo, but should be adapted to 32-bit:

Unless already installed, you will need to install gcc-multilib as well
as g++-multilib:

sudo apt install gcc-multilib g++-multilib

You will also need 32-bit versions of the required libraries
mentioned in the linux-sgx repo:

sudo apt install libssl-dev:i386 libcurl4-openssl-dev:i386 protobuf-compiler:i386 libprotobuf-dev:i386

You can then build the SGX-SDK install package with:

make sdk_install_pkg ARCH=x86

05 Install the SGX-SDK installation package

The location of the installer will be shown at the end of the
compilation in the previous step.

Install the SDK to some location that is preferably not /opt/intel

06 Install the PSW package

Download and install the unmodified 64-bit PSW installation package.
If you have the newest PSW installed already, there is no need
to modify your installation.

07 Build libsgx_urts.so and libsgx_uae_service.so

The build requirements are the same as for the 32-bit SDK. We will
not be building a full psw install package, we just need the
two mentioned libraries.

cd psw/urts/linux
make all ARCH=x86

After the build ends, the required libraries are in the following directories:

psw/urts/linux/libsgx_urts.so
psw/uae_service/linux/libsgx_uae_service.so

To make sure the linker finds the libraries when compiling the applications in
app/, move the uae_service library to the urts library location:

cd ../../../ 
mv psw/uae_service/linux/libsgx_uae_service.so psw/urts/linux

If your SDK installation patch was not /opt/intel, then the makefiles for the sgx-step apps will find the libraries automatically. Otherwise, you can either move the libraries to /usr/lib, or set up your environment variables to point to a directory containing the libraries.

08 Load the SGX-Step kernel module

(identical to SGX-Step readme).

09 Build and run the aep_redirect or bench app

To build a 64-bit version, make sure your environment
is configured for the 64-bit SGX-SDK and 64-bit libraries.
In this case the build instructions are not changed.

To build a 32-bit version, make sure your environment
is configured for the 32-bit SGX-SDK and 32-bit libraries.
To build 32-bit version of the apps, pass the M32 variable
explicitly, or set it in your environment:

e.g explicit:

cd app/bench
make parse MICROBENCH=1 M32=1

e.g implicit:

export M32=1
cd app/bench
make parse MICROBENCH=1

In either case, make sure the SGX_LIBS / SGX_INCLUDE etc environment
variables point to the correct directories (!).

[jovanbulck]

Thanks a lot for the contribution! 👍 As we discussed earlier, I will review the changes next week and get back to you with potential further steps [<-- no pun intended ;) ]

[jovanbulck]

Hi Jago,

Thanks again for the fixes! I finally found time to go through them and they look good 👍

Before merging your branch upstream, I propose you do as follows if feasible:

1. move the above 32-bit specific SDK installation guidelines 03-07 to a new file 'README-m32.md'
2. add an explanatory 'Note (32 bit support).' with a pointer to README-m32.md in section 1 of README.md
3. add an M32=1 code comment to section 3 of README.md
4. maybe parameterize the 'patch_sdk.sh' script to first apply your 0000 patch based on the M32 shell environment variable. Your 0003 patch is actually useful for 64-bit enclaves as well, and can thus be applied unconditionally.

As an additional question, did you successfully achieve (32 and/or 64-bit) single-stepping on another CPU than the ones listed here? If so, it would make sense to also extend the table with the CPU model and the single-stepping APIC timer interval you used?

[JagoGyselinck]

Hi Jo,

Apologies for the delay, I have brought the pull request up to date and incorporated the changes you requested. 64/32 bit versions were tested to be working on my machine. Please let me know if there's anything that should be changed !

I've added my CPU model to the README.md and config.has well. However, I have left libsgxstep/Makefile.config untouched for now as I wasn't certain about adding an extra environment variable for my specific machine.

Cheers 😃

[jovanbulck]

Jago, thanks a lot again for the contributions! 👍 I finally found time to review and merge them upstream.