Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mitigate stale data reads on SGX platform #100383

Merged
merged 2 commits into from
Aug 20, 2022
Merged

Mitigate stale data reads on SGX platform #100383

merged 2 commits into from
Aug 20, 2022

Conversation

raoulstrackx
Copy link
Contributor

Intel disclosed the Stale Data Read vulnerability yesterday. In order to mitigate this issue completely, reading userspace from an SGX enclave must be aligned and in 8-bytes chunks. This PR implements this mitigation

References:

cc: @jethrogb

@rustbot rustbot added the T-libs Relevant to the library team, which will review and decide on the PR/issue. label Aug 10, 2022
@rustbot
Copy link
Collaborator

rustbot commented Aug 10, 2022

Hey! It looks like you've submitted a new PR for the library teams!

If this PR contains changes to any rust-lang/rust public library APIs then please comment with @rustbot label +T-libs-api -T-libs to tag it appropriately. If this PR contains changes to any unstable APIs please edit the PR description to add a link to the relevant API Change Proposal or create one if you haven't already. If you're unsure where your change falls no worries, just leave it as is and the reviewer will take a look and make a decision to forward on if necessary.

Examples of T-libs-api changes:

  • Stabilizing library features
  • Introducing insta-stable changes such as new implementations of existing stable traits on existing stable types
  • Introducing new or changing existing unstable library APIs (excluding permanently unstable features / features without a tracking issue)
  • Changing public documentation in ways that create new stability guarantees
  • Changing observable runtime behavior of library APIs

@rust-highfive
Copy link
Collaborator

r? @Mark-Simulacrum

(rust-highfive has picked a reviewer for you, use r? to override)

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Aug 10, 2022
@rust-log-analyzer

This comment has been minimized.

Sign in to view
@raoulstrackx raoulstrackx force-pushed the raoul/aepic_leak_mitigation branch from 50066f9 to 34d7310 Compare August 11, 2022 07:26
@Mark-Simulacrum
Copy link
Member

r? @cuviper, perhaps

cuviper
cuviper reviewed Aug 15, 2022
View reviewed changes
library/std/src/sys/sgx/abi/usercalls/alloc.rs Outdated Show resolved Hide resolved
library/std/src/sys/sgx/abi/usercalls/alloc.rs Outdated Show resolved Hide resolved
library/std/src/sys/sgx/abi/usercalls/alloc.rs Show resolved Hide resolved
library/std/src/sys/sgx/abi/usercalls/alloc.rs Outdated
debug_assert!(len < 8);
debug_assert_eq!(aligned_src as usize % 8, 0);
debug_assert_eq!(aligned_len % 8, 0);
debug_assert!(aligned_len < 16);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These two asserts also support that aligned_len can only be 0 or 8.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See discussion above.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then this should check aligned_len <= 16, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops. Good catch! I've updated the commit.

I would've imagined that the test_copy_from_userspace_function would've tripped this. Aren't these debug_assert statements evaluated during those tests?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIK, CI isn't running any SGX tests, since it's a tier-2 target. If you tried those tests yourself, the debug-asserts may have been compiled out since std is usually compiled in release mode. Is it worth turning these into full-time asserts? LLVM might optimize them out anyway if it can statically prove them.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did run these tests locally. It must indeed be because stdlib was build in release mode. That's good to know! I don't think it's worth turning these debug_asserts into asserts and pay the performance penalty.

@raoulstrackx raoulstrackx force-pushed the raoul/aepic_leak_mitigation branch from 34d7310 to a6383be Compare August 16, 2022 09:33
@raoulstrackx raoulstrackx force-pushed the raoul/aepic_leak_mitigation branch from a6383be to c012f13 Compare August 16, 2022 13:03
@raoulstrackx raoulstrackx force-pushed the raoul/aepic_leak_mitigation branch from c012f13 to 2a23d08 Compare August 17, 2022 07:51
@cuviper
Copy link
Member

cuviper commented Aug 18, 2022

@bors r+ rollup

@bors
Copy link
Contributor

bors commented Aug 18, 2022

📌 Commit 2a23d08 has been approved by cuviper

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Aug 18, 2022
ChrisDenton added a commit to ChrisDenton/rust that referenced this pull request Aug 20, 2022
@ChrisDenton
Rollup merge of rust-lang#100383 - fortanix:raoul/aepic_leak_mitigati…
f577300 
…on, r=cuviper

Mitigate stale data reads on SGX platform

Intel disclosed the Stale Data Read vulnerability yesterday. In order to mitigate this issue completely, reading userspace from an SGX enclave must be aligned and in 8-bytes chunks. This PR implements this mitigation

References:
 - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00657.html
 - https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/stale-data-read-from-xapic.html

cc: `@jethrogb`
@ChrisDenton ChrisDenton mentioned this pull request Aug 20, 2022
Closed
@matthiaskrgr matthiaskrgr mentioned this pull request Aug 20, 2022
Merged
bors added a commit to rust-lang-ci/rust that referenced this pull request Aug 20, 2022
@bors
Auto merge of rust-lang#100793 - matthiaskrgr:rollup-dy7rfdh, r=matth…
36e530c 
…iaskrgr

Rollup of 10 pull requests

Successful merges:

 - rust-lang#100186 (Mention `as_mut` alongside `as_ref` in borrowck error message)
 - rust-lang#100383 (Mitigate stale data reads on SGX platform)
 - rust-lang#100507 (suggest `once_cell::Lazy` for non-const statics)
 - rust-lang#100617 (Suggest the right help message for as_ref)
 - rust-lang#100667 (Migrate "invalid variable declaration" errors to SessionDiagnostic)
 - rust-lang#100709 (Migrate typeck's `used` expected symbol diagnostic to `SessionDiagnostic`)
 - rust-lang#100723 (Add the diagnostic translation lints to crates that don't emit them)
 - rust-lang#100729 (Avoid zeroing a 1kb stack buffer on every call to `std::sys::windows::fill_utf16_buf`)
 - rust-lang#100750 (improved diagnostic for function defined with `def`, `fun`, `func`, or `function` instead of `fn`)
 - rust-lang#100763 (triagebot: Autolabel `A-rustdoc-json`)

Failed merges:

r? `@ghost`
`@rustbot` modify labels: rollup
@bors bors merged commit 368f08a into rust-lang:master Aug 20, 2022
@rustbot rustbot added this to the 1.65.0 milestone Aug 20, 2022
@jethrogb jethrogb mentioned this pull request Aug 29, 2022
Merged
@workingjubilee workingjubilee added the O-SGX Target: SGX label Jul 30, 2023
bors added a commit to rust-lang-ci/rust that referenced this pull request Oct 6, 2023
@bors
Auto merge of rust-lang#101150 - jethrogb:jb/cleanup-sgx-user-memory-…
579be69 
…copies, r=workingjubilee

Clean up SGX user memory copies

Follow-up on rust-lang#98126 and rust-lang#100383

r? `@cuviper`
cc `@raoulstrackx`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cuviper cuviper cuviper left review comments

Assignees

@cuviper cuviper

Labels
O-SGX Target: SGX S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. T-libs Relevant to the library team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
1.65.0
Development

Successfully merging this pull request may close these issues.
8 participants
@raoulstrackx @rustbot @rust-highfive @rust-log-analyzer @Mark-Simulacrum @cuviper @bors @workingjubilee