Detect possible ABI change issues in the runner

raoulstrackx · raoulstrackx · commit ca2b679429ec · 2024-12-13T15:34:18.000+01:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/intel-sgx/enclave-runner/src/loader.rs b/intel-sgx/enclave-runner/src/loader.rs
@@ -278,6 +278,10 @@ impl<'a> EnclaveBuilder<'a> {
         self
     }
 
+    pub fn forced_insecure_time_usercalls(&self) -> bool {
+        self.force_time_usercalls
+    }
+
     fn initialized_args_mut(&mut self) -> &mut Vec<Vec<u8>> {
         self.cmd_args.get_or_insert_with(|| vec![b"enclave".to_vec()])
     }
diff --git a/intel-sgx/fortanix-sgx-tools/Cargo.toml b/intel-sgx/fortanix-sgx-tools/Cargo.toml
@@ -20,6 +20,7 @@ edition = "2018"
 [dependencies]
 # Project dependencies
 aesm-client = { version = "0.6.0", path = "../aesm-client", features = ["sgxs"] }
+insecure-time = { version = "0.1.0", path = "../insecure-time" }
 sgxs-loaders = { version = "0.4.0", path = "../sgxs-loaders" }
 enclave-runner = { version = "0.6.0", path = "../enclave-runner" }
 sgxs = { version = "0.8.0", path = "../sgxs" }
diff --git a/intel-sgx/fortanix-sgx-tools/src/bin/ftxsgx-runner.rs b/intel-sgx/fortanix-sgx-tools/src/bin/ftxsgx-runner.rs
@@ -13,6 +13,7 @@ use std::io::{stderr, Write};
 use aesm_client::AesmClient;
 use enclave_runner::EnclaveBuilder;
 use anyhow::Context;
+use insecure_time::Rdtscp;
 #[cfg(unix)]
 use libc::{c_int, c_void, siginfo_t};
 #[cfg(unix)]
@@ -77,6 +78,7 @@ fn main() -> Result<(), anyhow::Error> {
         .build();
 
     let mut enclave_builder = EnclaveBuilder::new(file.as_ref());
+    let forced_insecure_time_usercalls = enclave_builder.forced_insecure_time_usercalls();
 
     match args.value_of("signature").map(|v| v.parse().expect("validated")) {
         Some(Signature::coresident) => { enclave_builder.coresident_signature().context("While loading coresident signature")?; }
@@ -94,6 +96,12 @@ fn main() -> Result<(), anyhow::Error> {
 
     enclave.run().map_err(|e| {
         eprintln!("Error while executing SGX enclave.\n{}", e);
+        if !forced_insecure_time_usercalls && Rdtscp::is_supported() && e.to_string() == "Enclave panicked: fatal runtime error: assertion failed: usercall_retval.1 == 0\n" {
+            eprintln!("This might be due to an ABI change related to insecure time in the enclave. If so, this can be resolved by:");
+            eprintln!("  - recompiling the enclave with a newer toolchain, or");
+            eprintln!("  - downgrading the enclave runner, or");
+            eprintln!("  - using a custom enclave runner can calling `EnclaveBuilder::force_insecure_time_usercalls(true)` when building the enclave");
+        }
         std::process::exit(-1)
     })
 }

Original file line number	Diff line number	Diff line change
`@@ -278,6 +278,10 @@ impl<'a> EnclaveBuilder<'a> {`
`278`	`278`	`self`
`279`	`279`	`}`
`280`	`280`
	`281`	`+ pub fn forced_insecure_time_usercalls(&self) -> bool {`
	`282`	`+ self.force_time_usercalls`
	`283`	`+ }`
	`284`	`+`
`281`	`285`	`fn initialized_args_mut(&mut self) -> &mut Vec<Vec<u8>> {`
`282`	`286`	`self.cmd_args.get_or_insert_with(\|\| vec![b"enclave".to_vec()])`
`283`	`287`	`}`