selftests/sgx: Make data measurement for an enclave segment optional

For a heap makes sense to leave its contents "unmeasured" in the SGX
enclave build process, meaning that they won't contribute to the
cryptographic signature (a RSA-3072 signed SHA56 hash) of the enclave.

Enclaves are signed blobs where the signature is calculated both from
page data and also from "structural properties" of the pages.  For
instance a page offset of *every* page added to the enclave is hashed.

For data, this is optional, not least because hashing a page has a
significant contribution to the enclave load time. Thus, where there is
no reason to hash, do not. The SGX ioctl interface supports this with
SGX_PAGE_MEASURE flag. Only when the flag is *set*, data is measured.

Add seg->measure boolean flag to struct encl_segment. Only when the
flag is set, include the segment data to the signature (represented
by SIGSTRUCT architectural structure).

Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Link: https://lkml.kernel.org/r/625b6fe28fed76275e9238ec4e15ec3c0d87de81.1636997631.git.reinette.chatre@intel.com

diff --git a/tools/testing/selftests/sgx/load.c b/tools/testing/selftests/sgx/load.c
index 5605474aab73e07deec24d3ad495b5699c59f60b..f1be78984c501690d753971ad5e5200a3f01f657 100644 (file)
--- a/tools/testing/selftests/sgx/load.c
+++ b/tools/testing/selftests/sgx/load.c
@@ -111,7 +111,10 @@ static bool encl_ioc_add_pages(struct encl *encl, struct encl_segment *seg)
        ioc.offset = seg->offset;
        ioc.length = seg->size;
        ioc.secinfo = (unsigned long)&secinfo;
-       ioc.flags = SGX_PAGE_MEASURE;
+       if (seg->measure)
+               ioc.flags = SGX_PAGE_MEASURE;
+       else
+               ioc.flags = 0;
 
        rc = ioctl(encl->fd, SGX_IOC_ENCLAVE_ADD_PAGES, &ioc);
        if (rc < 0) {
@@ -230,6 +233,7 @@ bool encl_load(const char *path, struct encl *encl)
                seg->offset = (phdr->p_offset & PAGE_MASK) - src_offset;
                seg->size = (phdr->p_filesz + PAGE_SIZE - 1) & PAGE_MASK;
                seg->src = encl->src + seg->offset;
+               seg->measure = true;
 
                j++;
        }

diff --git a/tools/testing/selftests/sgx/main.h b/tools/testing/selftests/sgx/main.h
index 452d11dc4889d9c1dbdac219d343181be7bf05b2..aebc69e7cdc84d14a9833bd79dcc812e5380b26f 100644 (file)
--- a/tools/testing/selftests/sgx/main.h
+++ b/tools/testing/selftests/sgx/main.h
@@ -12,6 +12,7 @@ struct encl_segment {
        size_t size;
        unsigned int prot;
        unsigned int flags;
+       bool measure;
 };
 
 struct encl {

diff --git a/tools/testing/selftests/sgx/sigstruct.c b/tools/testing/selftests/sgx/sigstruct.c
index 202a96fd81bf8ea3cc4d69c7daa5bf25db79b65e..50c5ab1aa6fa1a3918546e84df23682c9f846153 100644 (file)
--- a/tools/testing/selftests/sgx/sigstruct.c
+++ b/tools/testing/selftests/sgx/sigstruct.c
@@ -296,8 +296,10 @@ static bool mrenclave_segment(EVP_MD_CTX *ctx, struct encl *encl,
                if (!mrenclave_eadd(ctx, seg->offset + offset, seg->flags))
                        return false;
 
-               if (!mrenclave_eextend(ctx, seg->offset + offset, seg->src + offset))
-                       return false;
+               if (seg->measure) {
+                       if (!mrenclave_eextend(ctx, seg->offset + offset, seg->src + offset))
+                               return false;
+               }
        }
 
        return true;