Clear xstates on enclave entry to prevent ABI poisoning

Simon Leet · Simon Leet · commit ad57b943be8f · 2020-07-13T22:22:14.000Z
- Refactor oe_cleanup_xstates() out of exception.c as a macro in asmcommon.inc - Remove workaround for #144 - Add OE_XSAVE_INITIAL_STATE definition in new asmdefs.c file - oe_cleanup_xstates now does an xrstor to OE_XSAVE_INITIAL_STATE - oe_enter now also calls oe_cleanup_xstates as part of .call_function - Remove workaround for #144 Signed-off-by: Simon Leet <simon.leet@microsoft.com>
diff --git a/enclave/core/CMakeLists.txt b/enclave/core/CMakeLists.txt
@@ -78,6 +78,7 @@ if (OE_SGX)
     ../../common/sgx/endorsements.c
     ../../common/sgx/rand.S
     sgx/arena.c
+    sgx/asmdefs.c
     sgx/backtrace.c
     sgx/calls.c
     sgx/cpuid.c
diff --git a/enclave/core/sgx/asmcommon.inc b/enclave/core/sgx/asmcommon.inc
@@ -6,31 +6,56 @@
 
 //==============================================================================
 //
-// This macro is used to cleanup the enclave Registers. Following registers will be scrubbed:
-// 1. General Purpose registers excluding RAX, RBX, RCX, RDI, RSI, RBP, and RSP
-//     RAX and RBX are input registers of EEXIT.
-//     RCX is output register of EEXIT.
-//     RDI and RSI is output parameters defined by SDK.
-//     RBP and RSP will be set to host rbp and rsp right before EEXIT is executed.
+// This macro is used to reset all XSAVE supported state components to a
+// clean initial state. This includes:
+//
+//  - The legacy SSE state:
+//    - Initializes the FPU control word to ABI-specified value 0x037F
+//    - Initializes MXCSR to ABI-specified value 0x1F80 and MXCSR_MASK to 0xFFFF
+//    - Clears FPU Status, Tag, OpCode, and FIP words
+//    - Clears all FDP bits
+//    - Clears all MMX/FPU registers
+//    - Clears all XMM registers
+//
+//  - The extended XSAVE state components:
+//    - Clears all XSTATE_BV bits
+//    - Sets XCOMP_BV bit-63 to support compaction mode
+//    - Clears all other XCOMP_BV bits
+//
+//==============================================================================
+.macro oe_cleanup_xstates
+    // Preserve registers being used
+    push %rax
+    push %rdx
+
+    // Set the XSAVE_MASK
+    mov $0xFFFFFFFF, %eax
+    mov $0xFFFFFFFF, %edx
+
+    // Restore initial enclave XSAVE state
+    xrstor64 OE_XSAVE_INITIAL_STATE(%rip)
+
+    // Restore the registers
+    pop %rdx
+    pop %rax
+.endm
+
+//==============================================================================
+//
+// This macro is used to clean up the enclave registers in addition to the
+// extended states (see oe_cleanup_xstates).
+//
+// It scrubs all general purpose registers excluding:
+//  - RAX and RBX, which are used as input registers of EEXIT.
+//  - RCX, which is used as the output register of EEXIT.
+//  - RDI and RSI, which are used as output parameters defined by SDK.
+//  - RBP and RSP, which will be set to host values of RBP & RSP right before
+//      EEXIT is executed.
 //
-// 2. Legacy SSE.
-// 3. Extended XState components.
 //==============================================================================
 .macro oe_cleanup_registers
     // Scrub both Legacy SSE and extended XSTATEs.
-    // Save the rax, rcx, rdi and rsi.
-    mov %rax, %r12
-    mov %rcx, %r13
-    mov %rdi, %r14
-    mov %rsi, %r15
-
-    call oe_cleanup_xstates
-
-    // Restore the rax, rcx, rdi and rsi.
-    mov %r12, %rax
-    mov %r13, %rcx
-    mov %r14, %rdi
-    mov %r15, %rsi
+    oe_cleanup_xstates
 
     // Zero out GPRs.
     // Retain r11 since it is used as a reference to the td structure.
diff --git a/enclave/core/sgx/asmdefs.c b/enclave/core/sgx/asmdefs.c
@@ -0,0 +1,45 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <openenclave/bits/types.h>
+#include <openenclave/internal/constants_x64.h>
+
+/*
+ * Initialization state for XSAVE area in the enclave.
+ */
+/* clang-format off */
+OE_ALIGNED(XSAVE_ALIGNMENT) const uint32_t
+OE_XSAVE_INITIAL_STATE[MINIMAL_XSTATE_AREA_LENGTH/sizeof(uint32_t)] = {
+
+    /* LEGACY_XSAVE_AREA */
+    /* Set FPU Control Word to ABI init value of 0x037F,
+     * clear Status, Tag, OpCode, FIP words */
+    0x037F, 0, 0, 0,
+
+    /* Clear FDP bits, set MXCSR to ABI init value of 0x1F80
+     * and MXCSR_MASK to all bits (0XFFFF) */
+    0, 0, 0x1F80, 0xFFFF,
+
+    /* Clear ST/MM0-7 */
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+
+    /* Clear XMM0-15 */
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+
+    /* Reserved bits up to end of LEGACY_XSAVE_AREA */
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0,
+
+    /* XSAVE Header */
+    /* Clear XSTATE_BV, set XCOMP_BV[63] = 1 to support compaction mode;
+     * SGX-capable systems should support it */
+    0, 0, 0, 0x80000000,
+
+    /* Reserved XSAVE header bits */
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+};
+/* clang-format on */
diff --git a/enclave/core/sgx/enter.S b/enclave/core/sgx/enter.S
@@ -133,18 +133,6 @@ oe_enter:
     mov %rsp, %rbp
 
 .call_function:
-    // Set the MXCSR according to the Linux x86_64 ABI
-    mov $ABI_MXCSR_INIT, %r10
-    push %r10
-    ldmxcsr (%rsp)
-    pop %r10
-
-    // Set the FPU Control Word according to the Linux x86_64 ABI
-    mov $ABI_FPUCW_INIT, %r10
-    push %r10
-    fldcw (%rsp)
-    pop %r10
-
     // Initialize the RFLAGS prior to calling enclave functions
     // This only clears the DF and state flag bits since
     // the system flags and reserved bits are not writable here
@@ -189,6 +177,9 @@ oe_enter:
     // Save reference to the td structure to enclave stack.
     mov %r11, OM_ENC_TD
 
+    // Clear the XSTATE so that enclave has clean legacy SSE and extended states
+    oe_cleanup_xstates
+
     // Call __oe_handle_main(ARG1=RDI, ARG2=RSI, CSSA=RDX, TCS=RCX, OUTPUTARG1=R8, OUTPUTARG2=R9)
     mov %rax, %rdx
     mov %rbx, %rcx
diff --git a/enclave/core/sgx/exception.c b/enclave/core/sgx/exception.c
@@ -3,18 +3,10 @@
 
 #include <openenclave/bits/sgx/sgxtypes.h>
 #include <openenclave/enclave.h>
-#include <openenclave/internal/calls.h>
-#include <openenclave/internal/constants_x64.h>
 #include <openenclave/internal/context.h>
 #include <openenclave/internal/cpuid.h>
-#include <openenclave/internal/fault.h>
-#include <openenclave/internal/globals.h>
-#include <openenclave/internal/jump.h>
-#include <openenclave/internal/safecrt.h>
 #include <openenclave/internal/sgx/td.h>
 #include <openenclave/internal/thread.h>
-#include <openenclave/internal/trace.h>
-#include "asmdefs.h"
 #include "cpuid.h"
 #include "init.h"
 #include "td.h"
@@ -386,38 +378,3 @@ void oe_virtual_exception_dispatcher(
     *arg_out = OE_EXCEPTION_CONTINUE_EXECUTION;
     return;
 }
-
-/*
-**==============================================================================
-**
-** void oe_cleanup_xstates(void)
-**
-**  Cleanup all XSTATE registers that include both legacy registers and extended
-**  registers.
-**
-**==============================================================================
-*/
-
-void oe_cleanup_xstates(void)
-{
-    // Temporary workaround for #144 xrstor64 fault with optimized builds as
-    // reserved guard pages
-    // are incorrectly accessed. Xsave area is increased from 0x240 to 0x1000.
-    // Making these static
-    OE_ALIGNED(XSAVE_ALIGNMENT)
-    static uint8_t
-        xsave_area[MINIMAL_XSTATE_AREA_LENGTH]; //#144 Making this static
-//__builtin_ia32_xrstor64 has different argument types in clang and gcc
-#ifdef __clang__
-    uint64_t restore_mask = ~((uint64_t)0x0);
-#else
-    int64_t restore_mask = ~(0x0);
-#endif
-
-    // The legacy registers(F87, SSE) values will be loaded from the
-    // LEGACY_XSAVE_AREA that at beginning of xsave_area.The extended registers
-    // will be initialized to their default values.
-    __builtin_ia32_xrstor64(xsave_area, restore_mask);
-
-    return;
-}
diff --git a/include/openenclave/internal/constants_x64.h b/include/openenclave/internal/constants_x64.h
@@ -60,9 +60,7 @@
 #define XSAVE_ALIGNMENT 0x40
 #define LEGACY_XSAVE_AREA 0X200
 #define XSAVE_HEADER_LENGTH 0X40
-//#define MINIMAL_XSTATE_AREA_LENGTH  (LEGACY_XSAVE_AREA + XSAVE_HEADER_LENGTH)
-// Workaround for #144 xrstor64 fault - Increasing from 0x240 to 0x1000
-#define MINIMAL_XSTATE_AREA_LENGTH 0x1000
+#define MINIMAL_XSTATE_AREA_LENGTH (LEGACY_XSAVE_AREA + XSAVE_HEADER_LENGTH)
 
 //
 //  AMD64 ABI related constants.
@@ -71,10 +69,4 @@
 //  AMD64 ABI needs a 128 bytes red zone.
 #define ABI_REDZONE_BYTE_SIZE 0x80
 
-// MXCSR initialization value for Linux x86_64 ABI in enclave
-#define ABI_MXCSR_INIT 0x1F80
-
-// x87 FPU control word initialization value for Linux x86_64 ABI in enclave
-#define ABI_FPUCW_INIT 0x037F
-
 #endif /* _OE_INTERNAL_CONSTANTS_X64_H */
