Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[LibOS,PAL] Add flexible device-specific IOCTL support
The newly added `ioctl()` syscall emulation on device-backed file descriptors is pass-through. It is insecure by itself since the emulation only passes the arguments to and from the untrusted memory:

- IOCTL arguments are passed as-is from the app to the untrusted host, which may lead to leaks of secret data;
- untrusted host can change IOCTL arguments as it wishes when passing them from Gramine to the device and back.

It is the responsibility of the app developer to correctly use IOCTLs, with security implications in mind. In most cases, IOCTL arguments should be encrypted or integrity-protected with a key pre-shared between Gramine and the device.

On the Linux-SGX PAL, a set of IOCTL requests must be explicitly allowed in the manifest via the new option `sgx.allowed_ioctls`. Also, the allowed IOCTLs' arguments (typically pointers to complex nested objects) must be explicitly described in the manifest via the new option `sgx.ioctl_structs.[identifier]` and a corresponding reference in `sgx.allowed_ioctls`; see docs for explanation of the IOCTL struct format.

This commit adds three new LibOS tests to verify the flexible IOCTL logic against Gramine dummy device `/dev/gramine_test_dev`. This device is located in companion repo `gramineproject/device-testing-tools`. One test checks IOCTL data passing, second test checks that Gramine forbids unknown IOCTLs, third test checks that Gramine IOCTL parser fails on incorrectly defined IOCTL structs.

Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
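The integrity protection the commit message recommends can be sketched as follows. This is an added example, not code from this commit or from Gramine: it models an app and a device that share a key, with the untrusted host carrying the argument between them. The argument layout, key, request code and function names are all constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration; none come from Gramine or its test device.
PRE_SHARED_KEY = bytes(range(32))  # assumed to be provisioned to app and device
ARG_FORMAT = "<IQI"                # hypothetical layout: request code, offset, length
BODY_LEN = struct.calcsize(ARG_FORMAT)
TAG_LEN = hashlib.sha256().digest_size

def seal_ioctl_arg(key, request_code, offset, length):
    """App side (inside the enclave): serialize the argument and append a tag.
    The request code is covered by the MAC so a valid argument cannot be
    moved onto a different IOCTL request."""
    body = struct.pack(ARG_FORMAT, request_code, offset, length)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_ioctl_arg(key, expected_request_code, blob):
    """Device side: verify the tag before trusting any field."""
    if len(blob) != BODY_LEN + TAG_LEN:
        raise ValueError("unexpected argument size")
    body, tag = blob[:BODY_LEN], blob[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("argument was modified in untrusted memory")
    request_code, offset, length = struct.unpack(ARG_FORMAT, body)
    if request_code != expected_request_code:
        raise ValueError("argument is bound to a different request")
    return offset, length

def host_tamper(blob):
    """Untrusted host: rewrite the length field while the argument is in transit."""
    request_code, offset, _ = struct.unpack(ARG_FORMAT, blob[:BODY_LEN])
    return struct.pack(ARG_FORMAT, request_code, offset, 0xFFFF) + blob[BODY_LEN:]

def demo():
    sealed = seal_ioctl_arg(PRE_SHARED_KEY, 0x1234, 4096, 64)
    accepted = open_ioctl_arg(PRE_SHARED_KEY, 0x1234, sealed)
    try:
        open_ioctl_arg(PRE_SHARED_KEY, 0x1234, host_tamper(sealed))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return accepted, tamper_detected

if __name__ == "__main__":
    print(demo())
```

A MAC alone covers only the tampering risk: the fields are still readable by the host, and a previously sealed argument can be replayed unless a counter or nonce is added to the authenticated body.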
Showing 23 changed files with 1,441 additions and 8 deletions.