This is an automated email from the ASF dual-hosted git repository.
mssun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-website.git
The following commit(s) were added to refs/heads/master by this push:
new 74243ac Add document section of Teaclave SGX SDK
74243ac is described below
commit 74243acc6b564c1a5921960695b0f67cb48b0d2b
Author: Mingshen Sun <[email protected]>
AuthorDate: Thu Oct 22 16:59:02 2020 -0700
Add document section of Teaclave SGX SDK
---
site/.vuepress/config.js | 149 ++++++++++++---------
site/.vuepress/theme/components/DropdownLink.vue | 11 +-
site/sgx-sdk-docs/README.md | 9 ++
.../sgx-sdk-docs/everything-about-cve-2020-5499.md | 68 ++++++++++
4 files changed, 172 insertions(+), 65 deletions(-)
diff --git a/site/.vuepress/config.js b/site/.vuepress/config.js
index 1902dfe..505547b 100644
--- a/site/.vuepress/config.js
+++ b/site/.vuepress/config.js
@@ -13,7 +13,14 @@ module.exports = {
{ text: 'Community', link: '/community/' },
{ text: 'Download', link: '/download/' },
{ text: 'Contributors', link: '/contributors/' },
- { text: 'Documentation', link: '/docs/' },
+ {
+ text: 'Documentation',
+ link: '/docs/',
+ items: [
+ { text: 'Teaclave', link: '/docs/' },
+ { text: 'Teaclave SGX SDK', link: '/sgx-sdk-docs/' },
+ ]
+ },
{ text: 'Blog', link: '/blog/' },
{
text: 'API Docs',
@@ -26,6 +33,7 @@ module.exports = {
},
{
text: 'Repository',
+ link: 'https://github.com/apache/incubator-teaclave',
items: [
{ text: 'Teaclave', link:
'https://github.com/apache/incubator-teaclave'},
{ text: 'Teaclave SGX SDK', link:
'https://github.com/apache/incubator-teaclave-sgx-sdk'},
@@ -45,69 +53,82 @@ module.exports = {
]
}
],
- sidebar: [
- {
- title: 'Try',
- collapsable: false,
- sidebarDepth: 0,
- children: [
- '/teaclave/docs/my-first-function',
- '/teaclave/docs/functions-in-python',
- '/teaclave/docs/builtin-functions',
- ],
- },
- {
- title: 'Design',
- collapsable: false,
- sidebarDepth: 0,
- children: [
- '/teaclave/docs/threat-model',
- '/teaclave/docs/mutual-attestation',
- '/teaclave/docs/access-control',
- '/teaclave/docs/build-system',
- '/teaclave/docs/service-internals',
- '/teaclave/docs/papers-talks',
- ],
- },
- {
- title: 'Contribute',
- collapsable: false,
- sidebarDepth: 0,
- children: [
- '/teaclave/docs/development-tips',
- '/teaclave/docs/rust-guideline',
- ],
- },
- {
- title: 'Codebase',
- collapsable: false,
- sidebarDepth: 0,
- children: [
- '/teaclave/attestation/',
- '/teaclave/binder/',
- '/teaclave/cli/',
- '/teaclave/common/',
- '/teaclave/config/',
- '/teaclave/crypto/',
- '/teaclave/dcap/',
- '/teaclave/docker/',
- '/teaclave/examples/',
- '/teaclave/executor/',
- '/teaclave/file_agent/',
- '/teaclave/function/',
- '/teaclave/keys/',
- '/teaclave/rpc/',
- '/teaclave/runtime/',
- '/teaclave/sdk/',
- '/teaclave/services/',
- '/teaclave/tests/',
- '/teaclave/third_party/',
- '/teaclave/tool/',
- '/teaclave/types/',
- '/teaclave/worker/',
- ],
- },
- ]
+ sidebar: {
+ '/teaclave/docs/':
+ [
+ {
+ title: 'Try',
+ collapsable: false,
+ sidebarDepth: 0,
+ children: [
+ '/teaclave/docs/my-first-function',
+ '/teaclave/docs/functions-in-python',
+ '/teaclave/docs/builtin-functions',
+ ],
+ },
+ {
+ title: 'Design',
+ collapsable: false,
+ sidebarDepth: 0,
+ children: [
+ '/teaclave/docs/threat-model',
+ '/teaclave/docs/mutual-attestation',
+ '/teaclave/docs/access-control',
+ '/teaclave/docs/build-system',
+ '/teaclave/docs/service-internals',
+ '/teaclave/docs/papers-talks',
+ ],
+ },
+ {
+ title: 'Contribute',
+ collapsable: false,
+ sidebarDepth: 0,
+ children: [
+ '/teaclave/docs/development-tips',
+ '/teaclave/docs/rust-guideline',
+ ],
+ },
+ {
+ title: 'Codebase',
+ collapsable: false,
+ sidebarDepth: 0,
+ children: [
+ '/teaclave/attestation/',
+ '/teaclave/binder/',
+ '/teaclave/cli/',
+ '/teaclave/common/',
+ '/teaclave/config/',
+ '/teaclave/crypto/',
+ '/teaclave/dcap/',
+ '/teaclave/docker/',
+ '/teaclave/examples/',
+ '/teaclave/executor/',
+ '/teaclave/file_agent/',
+ '/teaclave/function/',
+ '/teaclave/keys/',
+ '/teaclave/rpc/',
+ '/teaclave/runtime/',
+ '/teaclave/sdk/',
+ '/teaclave/services/',
+ '/teaclave/tests/',
+ '/teaclave/third_party/',
+ '/teaclave/tool/',
+ '/teaclave/types/',
+ '/teaclave/worker/',
+ ],
+ },
+ ],
+ '/sgx-sdk-docs/': [
+ {
+ title: 'Security',
+ collapsable: false,
+ sidebarDepth: 0,
+ children: [
+ '/sgx-sdk-docs/everything-about-cve-2020-5499',
+ ],
+ },
+ ]
+ }
},
plugins: [
'@vuepress/plugin-back-to-top',
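Review bot: Switching `sidebar` from an array to a path-keyed object narrows where a sidebar is rendered: in the VuePress 1 default theme a sidebar now appears only on pages whose path starts with `/teaclave/docs/` or `/sgx-sdk-docs/`, whereas the old array applied to every page. If any page lives outside those two prefixes (for instance whatever the nav's `/docs/` link resolves to, which I cannot see from this diff), it silently loses its sidebar; add a key for it, or a `'/'` fallback entry placed last, since keys are matched top to bottom. Separately, the two keys are formatted differently — the first puts `[` on its own line below `'/teaclave/docs/':` while the second is written `'/sgx-sdk-docs/': [` — and the closing `]` and `}` of the new object lack the trailing commas used elsewhere in this config; `'/teaclave/docs/': [` on one line would make them consistent.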
diff --git a/site/.vuepress/theme/components/DropdownLink.vue
b/site/.vuepress/theme/components/DropdownLink.vue
index 0ca7137..0c1d77b 100644
--- a/site/.vuepress/theme/components/DropdownLink.vue
+++ b/site/.vuepress/theme/components/DropdownLink.vue
@@ -7,7 +7,7 @@
class="dropdown-title"
type="button"
:aria-label="dropdownAriaLabel"
- @click="setOpen(!open)"
+ @click="buttonOnClick(item.link)"
>
<span class="title">{{ item.text }}</span>
<span
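Review bot: The new `@click` navigates unconditionally, so any dropdown whose config entry has no `link` would now call `buttonOnClick(undefined)`; `isExternal(undefined)` is false, and `this.$router.push(undefined)` fails instead of opening the menu. Keep the old toggle as the fallback, `@click="item.link ? buttonOnClick(item.link) : setOpen(!open)"`, or put the same guard at the top of `buttonOnClick` in the last hunk of this file. Note also that on touch devices, where there is no hover, clicking the title was the only way to reach the sub-items, so for dropdowns that do carry a link those items become unreachable after this change. I cannot tell from this diff whether every dropdown entry in config.js has a `link`; the `API Docs` entry is cut off in the config.js hunk. The button's enclosing template element starts outside the hunk.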
@@ -65,6 +65,7 @@
import NavLink from '@theme/components/NavLink.vue'
import DropdownTransition from '@theme/components/DropdownTransition.vue'
import last from 'lodash/last'
+import { isExternal, isMailto, isTel, ensureExt } from '../util'
export default {
name: 'DropdownLink',
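Review bot: Only `isExternal` from the added import line is used, in `buttonOnClick` (the last hunk of this file); `isMailto`, `isTel` and `ensureExt` are never referenced and will be flagged by an unused-import lint rule. Trim it to `import { isExternal } from '../util'`. The import block continues outside the hunk, so I cannot rule out an existing duplicate import from the same path.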
@@ -105,6 +106,14 @@ export default {
isLastItemOfArray (item, array) {
return last(array) === item
+ },
+
+ buttonOnClick (link) {
+ if (isExternal(link)) {
+ window.location.href = link
+ } else {
+ this.$router.push(link)
+ }
}
}
}
diff --git a/site/sgx-sdk-docs/README.md b/site/sgx-sdk-docs/README.md
new file mode 100644
index 0000000..9b67397
--- /dev/null
+++ b/site/sgx-sdk-docs/README.md
@@ -0,0 +1,9 @@
+---
+permalink: /sgx-sdk-docs
+---
+
+# Teaclave SGX SDK Documentation
+
+## Security
+
+* [Everything about
CVE-2020-5499](/sgx-sdk-docs/everything-about-cve-2020-5499/)
diff --git a/site/sgx-sdk-docs/everything-about-cve-2020-5499.md
b/site/sgx-sdk-docs/everything-about-cve-2020-5499.md
new file mode 100644
index 0000000..1d6c815
--- /dev/null
+++ b/site/sgx-sdk-docs/everything-about-cve-2020-5499.md
@@ -0,0 +1,68 @@
+---
+permalink: /sgx-sdk-docs/everything-about-cve-2020-5499
+---
+
+# Everything about CVE-2020-5499
+
+## The Story
+
+[CVE-2020-5499](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5499)
+reported an enclave ID racing problem. We received the report on Nov 1st, 2019
+and fixed it on Nov 5th, 2019 with commit
+[f29f4e71896589908cd4b43ed70a623a81eda0e5](https://github.com/apache/incubator-teaclave-sgx-sdk/commit/f29f4e71896589908cd4b43ed70a623a81eda0e5).
+
+## Analysis and Fix
+
+The global data "enclave ID" was designed to hold the eid of the enclave
+instance, and to be used for later provided `thread::spawn` feature. In v1.0.8,
+we didn't have `thread::spawn`. So the data racing is true, but it can hardly
+harm the enclave.
+
+To be more clear, let's look at the patch:
+
+```diff
+diff --git a/sgx_tstd/src/rt.rs b/sgx_tstd/src/rt.rs
+index fcfd0a42..3f738a53 100644
+--- a/sgx_tstd/src/rt.rs
++++ b/sgx_tstd/src/rt.rs
+@@ -36,6 +36,9 @@ use core::str;
+ pub use crate::panicking::{begin_panic, begin_panic_fmt, update_panic_count};
+ pub use crate::sys_common::at_exit;
+ use crate::sys_common::cleanup;
++use crate::sync::Once;
++
++static INIT: Once = Once::new();
+
+ #[no_mangle]
+ pub extern "C" fn t_global_exit_ecall() {
+@@ -43,13 +46,14 @@ pub extern "C" fn t_global_exit_ecall() {
+
+ #[no_mangle]
+ pub extern "C" fn t_global_init_ecall(id: u64, path: * const u8, len: usize) {
+-
+- enclave::set_enclave_id(id as sgx_enclave_id_t);
+- let s = unsafe {
+- let str_slice = slice::from_raw_parts(path, len);
+- str::from_utf8_unchecked(str_slice)
+- };
+- enclave::set_enclave_path(s);
++ INIT.call_once(|| {
++ enclave::set_enclave_id(id as sgx_enclave_id_t);
++ let s = unsafe {
++ let str_slice = slice::from_raw_parts(path, len);
++ str::from_utf8_unchecked(str_slice)
++ };
++ enclave::set_enclave_path(s);
++ });
+ }
+
+ global_dtors_object! {
+```
+
+Basically, the initiation here should be an atomic operation. To be more safe,
+we marked it as `Once`, which means that it can only be triggered once.
+
+Overall, we think the threat is subtle. One of the necessary condition is that
+the enclave should be started with an undocumented feature of urts:
+`global_init`. Also the enclave should depend on enclave ID on critical paths.
+It's really rare.