Access to peripherals from enclaves

examples/CMakeLists.txt

@@ -35,3 +35,4 @@ add_subdirectory(hello)
 add_subdirectory(hello-native)
 add_subdirectory(attestation)
 add_subdirectory(tests)
+add_subdirectory(devshare)

examples/devshare/CMakeLists.txt

@@ -0,0 +1,36 @@
+set(eapp_bin devshare)
+set(eapp_src eapp/devshare.c)
+set(host_bin devshare-runner)
+set(host_src host/host.cpp)
+set(package_name "devshare.ke")
+set(package_script "./devshare-runner devshare eyrie-rt loader.bin")
+set(eyrie_plugins "freemem io_syscall linux_syscall env_setup")
+
+# eapp
+
+add_executable(${eapp_bin} ${eapp_src})
+target_link_libraries(${eapp_bin} "-static" ${KEYSTONE_LIB_EAPP})
+
+# host
+
+add_executable(${host_bin} ${host_src})
+target_link_libraries(${host_bin} ${KEYSTONE_LIB_HOST} ${KEYSTONE_LIB_EDGE})
+
+# add target for Eyrie runtime (see keystone.cmake)
+
+set(eyrie_files_to_copy .options_log eyrie-rt loader.bin)
+add_eyrie_runtime(${eapp_bin}-eyrie
+  ${eyrie_plugins}
+  ${eyrie_files_to_copy})
+
+# add target for packaging (see keystone.cmake)
+
+add_keystone_package(${eapp_bin}-package
+  ${package_name}
+  ${package_script}
+  ${eyrie_files_to_copy} ${eapp_bin} ${host_bin})
+
+add_dependencies(${eapp_bin}-package ${eapp_bin}-eyrie)
+
+# add package to the top-level target
+add_dependencies(examples ${eapp_bin}-package)

examples/devshare/eapp/devshare.c

@@ -0,0 +1,38 @@
+#include <stdio.h>
+#include <string.h>
+
+#include "app/syscall.h"
+
+#define SECURE_DEVICE  "uart@10001000"
+
+int main()
+{
+  int ret, fd, i;
+  ret = claim_mmio(SECURE_DEVICE,
+                   strlen(SECURE_DEVICE));
+  if(ret < 0) {
+    printf("Failed to claim " SECURE_DEVICE "\n");
+    return -1;
+  }
+
+  fd = openat(-2, "uart8250", 0, 0);
+  if(fd < 0) {
+    printf("Failed to get fd for device\n");
+    return -1;
+  }
+
+  for(i = 0; i < 1000; i++) {
+    fprintf(fd, "Writing to UART: %i!\n", i);
+    fflush(fd);
+  }
+
+  // todo do something with the device
+
+  ret = release_mmio(SECURE_DEVICE,
+                     strlen(SECURE_DEVICE));
+  if(ret < 0) {
+    printf("Failed to release " SECURE_DEVICE "\n");
+  }
+
+  return 0;
+}

examples/devshare/host/host.cpp

@@ -0,0 +1,22 @@
+
+#include "edge/edge_call.h"
+#include "host/keystone.h"
+
+using namespace Keystone;
+
+int main(int argc, char **argv) {
+  Enclave enclave;
+  Params params;
+
+  params.setFreeMemSize(1024 * 1024);
+  params.setUntrustedSize(1024 * 1024);
+
+  enclave.init(argv[1], argv[2], argv[3], params);
+
+  enclave.registerOcallDispatch(incoming_call_dispatch);
+  edge_call_init_internals(
+      (uintptr_t)enclave.getSharedBuffer(), enclave.getSharedBufferSize());
+
+  enclave.run();
+  return 0;
+}

mkutils/plat/generic/run.mk

@@ -9,8 +9,7 @@ QEMU_DEBUG      := -gdb tcp::$(QEMU_DBG_PORT) -S
 QEMU_MEM        ?= 2G
 QEMU_SMP        ?= 4
 
-
-QEMU_FLAGS := -m $(QEMU_MEM) -smp $(QEMU_SMP) -nographic \
+QEMU_FLAGS := -m $(QEMU_MEM) -smp $(QEMU_SMP) -display none \
                 -machine virt,rom=$(BUILDROOT_BUILDDIR)/images/bootrom.bin \
                 -bios $(BUILDROOT_BUILDDIR)/images/fw_jump.elf \
                 -kernel $(BUILDROOT_BUILDDIR)/images/Image \
@@ -20,6 +19,7 @@ QEMU_FLAGS := -m $(QEMU_MEM) -smp $(QEMU_SMP) -nographic \
                 -netdev user,id=net0,net=192.168.100.1/24,dhcpstart=192.168.100.128,hostfwd=tcp::$(QEMU_PORT)-:22 \
                 -device virtio-net-device,netdev=net0 \
                 -device virtio-rng-pci \
+                -serial mon:stdio -serial file:/tmp/serial.out
 
 ifneq ($(KEYSTONE_DEBUG),)
         QEMU_FLAGS += $(QEMU_DEBUG)

overlays/keystone/boot/hss/0001-integrate-sm.patch

@@ -1,5 +1,5 @@
 diff --git a/application/crt.S b/application/crt.S
-index 1475373..80f8c58 100644
+index 1475373..b47fa95 100644
 --- a/application/crt.S
 +++ b/application/crt.S
 @@ -158,6 +158,7 @@ _start_hang:
@@ -11,9 +11,9 @@ index 1475373..80f8c58 100644
  	// Swap TP and MSCRATCH
  	csrrw	tp, CSR_MSCRATCH, tp
 @@ -305,6 +306,52 @@ _trap_handler_all_mode:
-
+ 
  	mret
-
+ 
 +_trap_exit:
 +        /* Restore all general regisers except A0 and T0 */
 +        REG_L   ra, SBI_TRAP_REGS_OFFSET(ra)(a0)
@@ -87,9 +87,9 @@ diff --git a/services/opensbi/Makefile b/services/opensbi/Makefile
 index 829c28a..acf19fd 100644
 --- a/services/opensbi/Makefile
 +++ b/services/opensbi/Makefile
-@@ -92,6 +92,27 @@ services/opensbi/opensbi_ecall_exts.c: $(OPENSBI_SRC_DIR)/lib/sbi/sbi_ecall_exts
- 	echo " CARRAY    $<"
- 	$(OPENSBI_SRC_DIR)/scripts/carray.sh -i $< -l "$(carray-sbi_ecall_exts-y)" > $@
+@@ -72,6 +72,27 @@ SRCS-$(CONFIG_SERVICE_OPENSBI) += \
+ 	thirdparty/opensbi/lib/utils/timer/aclint_mtimer.c \
+ 	thirdparty/opensbi/lib/utils/ipi/aclint_mswi.c \
 
 +ifneq ($(KEYSTONE_SM),)
 +
@@ -115,7 +115,7 @@ index 829c28a..acf19fd 100644
  ifdef CONFIG_USE_IHC
  SRCS-$(CONFIG_SERVICE_OPENSBI_IHC) += \
  	services/opensbi/opensbi_ihc_ecall.c \
-@@ -128,7 +149,7 @@ endif
+@@ -108,7 +129,7 @@ endif
 
  services/opensbi/opensbi_service.o: CFLAGS=$(CFLAGS_GCCEXT)
  services/opensbi/opensbi_ihc_ecall.o: CFLAGS=$(CFLAGS_GCCEXT)
@@ -131,31 +131,37 @@ index f8bb9f0..e72dba5 100644
 @@ -84,6 +84,8 @@ static void opensbi_scratch_setup(enum HSSHartId hartid)
      pScratches[hartid].scratch.fw_start = (unsigned long)&_hss_start;
      pScratches[hartid].scratch.fw_size = (unsigned long)&_hss_end - (unsigned long)&_hss_start;
-
+ 
 +    extern void _trap_exit(const struct sbi_trap_regs *regs);
 +    pScratches[hartid].scratch.trap_exit = (unsigned long) &_trap_exit;
      sbi_hsm_set_device(&mpfs_hsm);
  }
-
+ 
 diff --git a/services/opensbi/platform.c b/services/opensbi/platform.c
-index c31fe12..33ca22d 100644
+index b03f878..161b449 100644
 --- a/services/opensbi/platform.c
 +++ b/services/opensbi/platform.c
 @@ -69,6 +69,8 @@
  #include "reboot_service.h"
  #include "clocks/hw_mss_clks.h"    // LIBERO_SETTING_MSS_RTC_TOGGLE_CLK
-
+ 
 +#include "sm.h"
 +
  #define MPFS_HART_COUNT            5
  #define MPFS_HART_STACK_SIZE       8192
-
-@@ -197,6 +199,8 @@ static int mpfs_early_init(bool cold_boot)
-
+ 
+@@ -197,11 +199,13 @@ static int mpfs_early_init(bool cold_boot)
+ 
  static int mpfs_final_init(bool cold_boot)
  {
-+    sm_init(cold_boot);
++    void *fdt = sbi_scratch_thishart_arg1_ptr();
++    sm_init(cold_boot, fdt);
 +
      if (!cold_boot) {
          return 0;
      }
+
+-    void *fdt = sbi_scratch_thishart_arg1_ptr();
+     if (fdt) {
+         mpfs_modify_dt(fdt);
+     }

overlays/keystone/patches/qemu/0002-qemu-add-uarts.patch

@@ -0,0 +1,112 @@
+diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
+index a5bc7353b4..f61a6423b6 100644
+--- a/hw/riscv/virt.c
++++ b/hw/riscv/virt.c
+@@ -85,7 +85,8 @@ static const MemMapEntry virt_memmap[] = {
+     [VIRT_APLIC_M] =      {  0xc000000, APLIC_SIZE(VIRT_CPUS_MAX) },
+     [VIRT_APLIC_S] =      {  0xd000000, APLIC_SIZE(VIRT_CPUS_MAX) },
+     [VIRT_UART0] =        { 0x10000000,         0x100 },
+-    [VIRT_VIRTIO] =       { 0x10001000,        0x1000 },
++    [VIRT_UART1] =        { 0x10001000,         0x100 },
++    [VIRT_VIRTIO] =       { 0x10002000,        0x1000 },
+     [VIRT_FW_CFG] =       { 0x10100000,          0x18 },
+     [VIRT_FLASH] =        { 0x20000000,     0x4000000 },
+     [VIRT_IMSIC_M] =      { 0x24000000, VIRT_IMSIC_MAX_SIZE },
+@@ -95,6 +96,11 @@ static const MemMapEntry virt_memmap[] = {
+     [VIRT_DRAM] =         { 0x80000000,           0x0 },
+ };
+
++static const int uart_irqs[] = {
++    [VIRT_UART0] = UART0_IRQ,
++    [VIRT_UART1] = UART1_IRQ
++};
++
+ /* PCIe high mmio is fixed for RV32 */
+ #define VIRT32_HIGH_PCIE_MMIO_BASE  0x300000000ULL
+ #define VIRT32_HIGH_PCIE_MMIO_SIZE  (4 * GiB)
+@@ -921,27 +927,36 @@ static void create_fdt_reset(RISCVVirtState *s, const MemMapEntry *memmap,
+ }
+
+ static void create_fdt_uart(RISCVVirtState *s, const MemMapEntry *memmap,
+-                            uint32_t irq_mmio_phandle)
++                            uint32_t irq_mmio_phandle, int uart)
+ {
+     char *name;
+     MachineState *mc = MACHINE(s);
+
+-    name = g_strdup_printf("/soc/serial@%lx", (long)memmap[VIRT_UART0].base);
++    name = g_strdup_printf("/soc/serial@%lx", (long)memmap[uart].base);
+     qemu_fdt_add_subnode(mc->fdt, name);
+     qemu_fdt_setprop_string(mc->fdt, name, "compatible", "ns16550a");
++
++    if(uart == VIRT_UART1) {
++        qemu_fdt_setprop_string(mc->fdt, name, "status", "disabled");
++        qemu_fdt_setprop_string(mc->fdt, name, "secure-status", "okay");
++    }
++
+     qemu_fdt_setprop_cells(mc->fdt, name, "reg",
+-        0x0, memmap[VIRT_UART0].base,
+-        0x0, memmap[VIRT_UART0].size);
++        0x0, memmap[uart].base,
++        0x0, memmap[uart].size);
+     qemu_fdt_setprop_cell(mc->fdt, name, "clock-frequency", 3686400);
+     qemu_fdt_setprop_cell(mc->fdt, name, "interrupt-parent", irq_mmio_phandle);
+     if (s->aia_type == VIRT_AIA_TYPE_NONE) {
+-        qemu_fdt_setprop_cell(mc->fdt, name, "interrupts", UART0_IRQ);
++        qemu_fdt_setprop_cell(mc->fdt, name, "interrupts", uart_irqs[uart]);
+     } else {
+-        qemu_fdt_setprop_cells(mc->fdt, name, "interrupts", UART0_IRQ, 0x4);
++        qemu_fdt_setprop_cells(mc->fdt, name, "interrupts", uart_irqs[uart], 0x4);
++    }
++
++    if(uart == VIRT_UART0) {
++        qemu_fdt_add_subnode(mc->fdt, "/chosen");
++        qemu_fdt_setprop_string(mc->fdt, "/chosen", "stdout-path", name);
+     }
+
+-    qemu_fdt_add_subnode(mc->fdt, "/chosen");
+-    qemu_fdt_setprop_string(mc->fdt, "/chosen", "stdout-path", name);
+     g_free(name);
+ }
+
+@@ -1045,7 +1060,8 @@ static void create_fdt(RISCVVirtState *s, const MemMapEntry *memmap,
+
+     create_fdt_reset(s, memmap, &phandle);
+
+-    create_fdt_uart(s, memmap, irq_mmio_phandle);
++    create_fdt_uart(s, memmap, irq_mmio_phandle, VIRT_UART0);
++    create_fdt_uart(s, memmap, irq_mmio_phandle, VIRT_UART1);
+
+     create_fdt_rtc(s, memmap, irq_mmio_phandle);
+
+@@ -1510,6 +1526,10 @@ static void virt_machine_init(MachineState *machine)
+         0, qdev_get_gpio_in(DEVICE(mmio_irqchip), UART0_IRQ), 399193,
+         serial_hd(0), DEVICE_LITTLE_ENDIAN);
+
++    serial_mm_init(system_memory, memmap[VIRT_UART1].base,
++        0, qdev_get_gpio_in(DEVICE(mmio_irqchip), UART1_IRQ), 399193,
++        serial_hd(1), DEVICE_LITTLE_ENDIAN);
++
+     sysbus_create_simple("goldfish_rtc", memmap[VIRT_RTC].base,
+         qdev_get_gpio_in(DEVICE(mmio_irqchip), RTC_IRQ));
+
+diff --git a/include/hw/riscv/virt.h b/include/hw/riscv/virt.h
+index be4ab8fe7f..8a01dab7fc 100644
+--- a/include/hw/riscv/virt.h
++++ b/include/hw/riscv/virt.h
+@@ -69,6 +69,7 @@ enum {
+     VIRT_APLIC_M,
+     VIRT_APLIC_S,
+     VIRT_UART0,
++    VIRT_UART1,
+     VIRT_VIRTIO,
+     VIRT_FW_CFG,
+     VIRT_IMSIC_M,
+@@ -83,6 +84,7 @@ enum {
+
+ enum {
+     UART0_IRQ = 10,
++    UART1_IRQ = 9,
+     RTC_IRQ = 11,
+     VIRTIO_IRQ = 1, /* 1 to 8 */
+     VIRTIO_COUNT = 8,

runtime/CMakeLists.txt

@@ -37,6 +37,9 @@ rt_option(NET_SYSCALL "Wrap Linux net syscalls" OFF)
 # System options
 rt_option(ENV_SETUP "Set up stack environments like glibc expects" OFF)
 
+# Driver options
+rt_option(DRIVERS "Include support for hardware drivers" OFF)
+
 # Debugging options
 rt_option(INTERNAL_STRACE "Debug syscalls" OFF)
 rt_option(DEBUG "Enable debugging" OFF)
@@ -61,6 +64,7 @@ add_compile_options(-Wall -Werror -fno-builtin -static -mcmodel=medany -std=c11
 # Generate all the library targets
 add_subdirectory(call)
 add_subdirectory(crypto)
+add_subdirectory(drivers)
 add_subdirectory(loader)
 add_subdirectory(mm)
 add_subdirectory(tmplib)

runtime/call/linux_wrap.c

@@ -138,21 +138,9 @@ uintptr_t syscall_mmap(void *addr, size_t length, int prot, int flags,
   }
 
   // Start looking at EYRIE_ANON_REGION_START for VA space
-  uintptr_t starting_vpn = vpn(EYRIE_ANON_REGION_START);
-  uintptr_t valid_pages;
-  while((starting_vpn + req_pages) <= EYRIE_ANON_REGION_END){
-    valid_pages = test_va_range(starting_vpn, req_pages);
-
-    if(req_pages == valid_pages){
-      // Set a successful value if we allocate
-      // TODO free partial allocation on failure
-      if(alloc_pages(starting_vpn, req_pages, pte_flags) == req_pages){
-        ret = starting_vpn << RISCV_PAGE_BITS;
-      }
-      break;
-    }
-    else
-      starting_vpn += valid_pages + 1;
+  uintptr_t vpn = find_va_range(req_pages);
+  if(vpn && alloc_pages(vpn, req_pages, pte_flags) == req_pages) {
+    ret = vpn << RISCV_PAGE_BITS;
   }
 
  done:

runtime/call/sbi.c

@@ -76,3 +76,13 @@ uintptr_t
 sbi_get_sealing_key(uintptr_t key_struct, uintptr_t key_ident, uintptr_t len) {
   return SBI_CALL_3(SBI_EXT_EXPERIMENTAL_KEYSTONE_ENCLAVE, SBI_SM_GET_SEALING_KEY, key_struct, key_ident, len);
 }
+
+uintptr_t
+sbi_claim_mmio(uintptr_t dev_string) {
+  return SBI_CALL_1(SBI_EXT_EXPERIMENTAL_KEYSTONE_ENCLAVE, SBI_SM_CLAIM_MMIO, dev_string);
+}
+
+uintptr_t
+sbi_release_mmio(uintptr_t dev_string) {
+  return SBI_CALL_1(SBI_EXT_EXPERIMENTAL_KEYSTONE_ENCLAVE, SBI_SM_RELEASE_MMIO, dev_string);
+}