· 6 years ago · Nov 21, 2019, 07:00 PM
INTERNALS

self tests on sgx2 system with patches:
run make
then run self test binary

3 ioctls in kernel interface. they expect ptrs to types as u64s. these aren't public interfaces in the kernel, so we have to use internal kernel types. look at makefile lines 36 and 37.

look at x86 calling convention: order in which function arguments are passed in registers.

encl_body copies from rdi to rsi, thus output will be same as input.

pages to create an enclave:
SECS page
each thread has a TCS page; requires other pages to build this, but they are implicit in TCS page
SIGSTRUCT page (transient, used to contain signature and ID info about enclave)

page = 4096 bytes (4k)

.tcs section above that (lines 10-24 in enclave_bootstrap.S)
contains encl_entry: when you jump in using this tcs structure, it will start executing at this encl_entry function (technically a named address).

.text section of binary = code and data

EENTER will always start execution at encl_entry

NSSA = number of SSAs. not modified by running.
CSSA = current SSA. this is incremented / decremented.

xsave_area = ??

asynchronous exit vs. EEXIT.
one of them changes the SSA area, the other doesn't.

stack grows in opposite direction of everything else.
code in .c file is appended after the stack.

this enclave_bootstrap.S + encl.c (with linker script encl.lds determining layout of ELF binary) = ELF binary

--> look at encl.elf file (output as final binary before it's signed) with readelf.
this requires kernel patches.
copy NixOS config. modify slightly for our usage. then do install using that config = fully fledged.
alternative: send PR to n's config to add user account adding own ssh key.

---------------------------

EXTERNALS

our use case: we'll pull in components at runtime, reassemble, tool to sign it.

make enclave:
1. create (SECS page)
2. add pages (multiple times maybe) (TCS and TEXT pages must be done separately)
3. init

sgxsign.c simulates this (eadd and eextend are two steps of add pages). code to measure binary is mimicking kernel API for creating enclave. result is structure SIGSTRUCT = signing info; internal kernel structure, but documented as part of hw interface by intel.

sgx/arch.h
sgx_sigstruct header and body defined
this is one of the structures we need to port to rust, then generate it by signing a binary, and be able to pass it to the kernel using the same mem rep.

convert 3 sigstruct structures to rust.

#[repr(C)] means mem layout must be same as it would be in C.
packed means no padding is inserted to align fields.

possible constructors:
load from file, give hash of binary into mrenclave.
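
added example (not code from the selftest or the project): a sketch of the three sigstruct structures in rust with #[repr(C, packed)], plus a hypothetical with_mrenclave constructor and as_bytes view. offsets follow intel's documented 1808-byte SIGSTRUCT layout; the rust type and field names are assumptions, and the repr(C)-only struct shows the padding that packed removes (sizes assume a 64-bit target).

```rust
use std::mem::{size_of, zeroed};
// Offsets follow Intel's documented 1808-byte SIGSTRUCT; field names are assumptions.
#[repr(C, packed)]
pub struct SigHeader {
    pub header1: [u64; 2],
    pub vendor: u32,
    pub date: u32,
    pub header2: [u64; 2],
    pub swdefined: u32,
    pub reserved1: [u8; 84],
}
#[repr(C, packed)]
pub struct SigBody {
    pub miscselect: u32,
    pub misc_mask: u32,
    pub reserved2: [u8; 20],
    pub attributes: [u64; 2], // flags, xfrm
    pub attributes_mask: [u64; 2],
    pub mrenclave: [u8; 32],
    pub reserved3: [u8; 32],
    pub isvprodid: u16,
    pub isvsvn: u16,
}
#[repr(C, packed)]
pub struct Sigstruct {
    pub header: SigHeader,
    pub modulus: [u8; 384],
    pub exponent: u32,
    pub signature: [u8; 384],
    pub body: SigBody,
    pub reserved4: [u8; 12],
    pub q1: [u8; 384],
    pub q2: [u8; 384],
}
// First four SigBody fields with repr(C) only: 4 bytes of padding appear before the u64s.
#[repr(C)]
pub struct BodyPrefixUnpacked(pub u32, pub u32, pub [u8; 20], pub [u64; 2]);
impl Sigstruct {
    // Hypothetical constructor: unsigned SIGSTRUCT holding a given measurement.
    pub fn with_mrenclave(hash: [u8; 32]) -> Self {
        let mut s: Self = unsafe { zeroed() }; // all-zero is valid for plain integers
        s.body.mrenclave = hash;
        s
    }
    // Byte view with the same memory representation a C caller would see.
    pub fn as_bytes(&self) -> &[u8] {
        unsafe { std::slice::from_raw_parts(self as *const Self as *const u8, size_of::<Self>()) }
    }
}
fn main() { println!("{} {}", size_of::<Sigstruct>(), size_of::<BodyPrefixUnpacked>()); }
```

the packed prefix is 44 bytes; with repr(C) alone it is 48, which would shift every later field, mrenclave included.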

ON THIS HEADER:
asm/sgx.h
call bindgen, which should resolve the macros. the output is ugly, so we then clean it up by hand.

IOCTLS take only one argument, so we must bundle into struct.

for add_pages, kernel goes one at a time through the pages we put in the bundle. EADD then EEXTEND (16 times) are happening behind page. kernel interface simplifies this.

go one struct at a time.
SECS, TCS, SIGINFO, SIGSTRUCT pages.
create a repo and merge them one struct at a time.

assembly of enclave is currently done at compile time; the way we are able to run a static binary is that we do the assembly at runtime instead.
static binary will be .c file, and stuff in .s file will be broken into components: TCS dynamically constructed at runtime, same for SSAs (one array of SSA per TCS). all the stuff from .s file we'll instead take in as input and dynamically generate. create enclave, measure, load at runtime.