This is an automated email from the ASF dual-hosted git repository.

shaojunwang pushed a commit to branch master
in repository 
https://gitbox.apache.org/repos/asf/incubator-teaclave-java-tee-sdk.git

commit d0a0d95440e4fa8ee2a3cadb2cf05d3cdd5f5764
Author: cengfeng.lzy <[email protected]>
AuthorDate: Mon Jun 27 11:06:09 2022 +0800

    [Enc]Hacking graalvm's feature system to disable original features
    
    Summary: Because GraalVM rejected the DisableFeatures option PR
    https://github.com/oracle/graal/pull/4488, we have to implement
    similar functionality here to disable the features that are incompatible with
    enclave features.
    
    Test Plan: all tests pass
    
    Reviewers: lei.yul, jeffery.wsj, sanhong.lsh
    
    Issue: https://aone.alibaba-inc.com/task/42819869
    
    CR:
    https://code.aone.alibaba-inc.com/java-tee/JavaEnclave/codereview/9170024
---
 .../enclave/EnclavePlatFormSettings.java           | 55 ++++++++++++++++++++++
 .../enclave/EnclaveRandomFeature.java              | 14 ++++++
 .../enclave/system/EnclaveMemoryFeature.java       | 15 +++++-
 .../enclave/ConfigMemTest.java                     |  1 -
 .../enclave/NativeImageTest.java                   |  2 -
 5 files changed, 83 insertions(+), 4 deletions(-)

diff --git 
a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclavePlatFormSettings.java
 
b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclavePlatFormSettings.java
new file mode 100644
index 0000000..a06ae77
--- /dev/null
+++ 
b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclavePlatFormSettings.java
@@ -0,0 +1,55 @@
+package com.alibaba.confidentialcomputing.enclave;
+
+import com.oracle.graal.pointsto.util.AnalysisError;
+import com.oracle.svm.core.util.VMError;
+import com.oracle.svm.hosted.FeatureHandler;
+import com.oracle.svm.hosted.ImageSingletonsSupportImpl;
+import org.graalvm.nativeimage.hosted.Feature;
+
+import java.lang.reflect.Field;
+import java.util.List;
+import java.util.Map;
+
+public class EnclavePlatFormSettings {
+    private static final DummyFeature DUMMY_FEATURE = new DummyFeature();
+
+    private static final Field configObjectsField;
+
+    static {
+        try {
+            configObjectsField = 
ImageSingletonsSupportImpl.HostedManagement.class.getDeclaredField("configObjects");
+            configObjectsField.setAccessible(true);
+        } catch (NoSuchFieldException e) {
+            throw VMError.shouldNotReachHere(e);
+        }
+    }
+
+    static class DummyFeature implements Feature {
+    }
+
+    public static void disableFeatures(FeatureHandler featureHandler, 
String... featureNames) {
+        List<String> disabledFeatures = List.of(featureNames);
+        try {
+            Field featureInstancesField = 
featureHandler.getClass().getDeclaredField("featureInstances");
+            featureInstancesField.setAccessible(true);
+            List<Feature> allFeatures = (List<Feature>) 
featureInstancesField.get(featureHandler);
+            for (int i = 0; i < allFeatures.size(); i++) {
+                Feature featureInstance = allFeatures.get(i);
+                if (disabledFeatures.stream().anyMatch(f -> 
f.equals(featureInstance.getClass().getName()))) {
+                    allFeatures.set(i, DUMMY_FEATURE);
+                }
+            }
+        } catch (ReflectiveOperationException e) {
+            AnalysisError.shouldNotReachHere("Can't disable features.", e);
+        }
+    }
+
+    public static void replaceImageSingletonEntry(Class<?> key, Object 
newValue) {
+        try {
+            Map<Class<?>, Object> configObjects = (Map<Class<?>, Object>) 
configObjectsField.get(ImageSingletonsSupportImpl.HostedManagement.get());
+            configObjects.put(key, newValue);
+        } catch (ReflectiveOperationException e) {
+            VMError.shouldNotReachHere(e);
+        }
+    }
+}
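Review bot: `disableFeatures` does nothing, and reports nothing, when a requested name matches no entry in `featureInstances`, so a feature that GraalVM renames or moves would stay active in the enclave image while the build still succeeds. Record which names were matched inside the loop and fail the build when any are left over, as sketched below (it needs `java.util.Set` and `java.util.HashSet` imported). The method also relies on the private field name `featureInstances` and on where the caller sits in the registration order; swapping in `DUMMY_FEATURE` presumably does not undo an `afterRegistration` that has already run, which is worth a Javadoc sentence.

```java
public static void disableFeatures(FeatureHandler featureHandler, String... featureNames) {
    List<String> disabledFeatures = List.of(featureNames);
    Set<String> unmatched = new HashSet<>(disabledFeatures);
    // … unchanged: try { reflective lookup of featureInstances into allFeatures …
        for (int i = 0; i < allFeatures.size(); i++) {
            String name = allFeatures.get(i).getClass().getName();
            if (disabledFeatures.contains(name)) {
                allFeatures.set(i, DUMMY_FEATURE);
                unmatched.remove(name);
            }
        }
        if (!unmatched.isEmpty()) {
            // A silently ignored name leaves an enclave-incompatible feature enabled.
            throw VMError.shouldNotReachHere("Features to disable were not registered: " + unmatched);
        }
    // … unchanged: catch (ReflectiveOperationException e) handling …
}
```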
diff --git 
a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveRandomFeature.java
 
b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveRandomFeature.java
new file mode 100644
index 0000000..400228e
--- /dev/null
+++ 
b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveRandomFeature.java
@@ -0,0 +1,14 @@
+package com.alibaba.confidentialcomputing.enclave;
+
+import com.oracle.svm.hosted.FeatureHandler;
+import com.oracle.svm.hosted.FeatureImpl;
+import org.graalvm.nativeimage.hosted.Feature;
+
+public class EnclaveRandomFeature implements Feature {
+    @Override
+    public void afterRegistration(Feature.AfterRegistrationAccess access) {
+        FeatureImpl.AfterRegistrationAccessImpl a = 
(FeatureImpl.AfterRegistrationAccessImpl) access;
+        FeatureHandler featureHandler = a.getFeatureHandler();
+        EnclavePlatFormSettings.disableFeatures(featureHandler, 
"com.oracle.svm.core.posix.NativeSecureRandomFilesCloser");
+    }
+}
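Review bot: `EnclaveRandomFeature` carries no `@AutomaticFeature` annotation, unlike `EnclaveMemoryFeature`, and the same commit removes the `-H:DisableFeatures=` option from `NativeImageTest`. Unless the class is registered somewhere outside this diff (for example through a `--features` option), `NativeSecureRandomFilesCloser` is no longer disabled for the enclave image. Either annotate the class with `@AutomaticFeature` or state in a class comment where it is registered. The cast to `FeatureImpl.AfterRegistrationAccessImpl` ties the class to GraalVM internals, so a comment such as `// Disables NativeSecureRandomFilesCloser, which is incompatible with enclave features (see oracle/graal#4488).` would record why the workaround exists.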
diff --git 
a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java
 
b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java
index efc5109..0ad76c9 100644
--- 
a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java
+++ 
b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java
@@ -1,13 +1,17 @@
 package com.alibaba.confidentialcomputing.enclave.system;
 
+import com.alibaba.confidentialcomputing.enclave.EnclavePlatFormSettings;
 import com.alibaba.confidentialcomputing.enclave.c.EnclaveEnvironment;
 import 
com.alibaba.confidentialcomputing.enclave.system.EnclavePhysicalMemory.PhysicalMemorySupportImpl;
 import com.oracle.svm.core.annotate.AutomaticFeature;
 import com.oracle.svm.core.os.VirtualMemoryProvider;
+import com.oracle.svm.core.util.VMError;
 import org.graalvm.nativeimage.ImageSingletons;
 import org.graalvm.nativeimage.hosted.Feature;
 import org.graalvm.nativeimage.impl.RuntimeClassInitializationSupport;
 
+import java.util.List;
+
 /**
  * Native image queries the memory page size and heap pages number at runtime 
with {@code sysconf(_SC_PHYS_PAGES)} and
  * {@code sysconf(_SC_PAGESIZE)}, just as POSIX defined. However, such 
operations are not supported by some enclave SDKs,
@@ -22,12 +26,21 @@ import 
org.graalvm.nativeimage.impl.RuntimeClassInitializationSupport;
  */
 @AutomaticFeature
 public class EnclaveMemoryFeature implements Feature {
+    @Override
+    public List<Class<? extends Feature>> getRequiredFeatures() {
+        try {
+            Class<? extends Feature> physicalMemClass = (Class<? extends 
Feature>) 
Class.forName("com.oracle.svm.core.posix.linux.LinuxPhysicalMemory$PhysicalMemoryFeature");
+            return List.of(physicalMemClass);
+        } catch (ClassNotFoundException e) {
+            throw VMError.shouldNotReachHere(e);
+        }
+    }
 
     @Override
     public void afterRegistration(AfterRegistrationAccess access) {
         RuntimeClassInitializationSupport rci = 
ImageSingletons.lookup(RuntimeClassInitializationSupport.class);
         
rci.initializeAtBuildTime("com.alibaba.confidentialcomputing.enclave.system.EnclaveVirtualMemoryProvider",
 "Native Image classes are always initialized at build time");
-        
ImageSingletons.add(PhysicalMemorySupportImpl.getPhysicalMemorySupportClass(), 
new PhysicalMemorySupportImpl());
+        
EnclavePlatFormSettings.replaceImageSingletonEntry(PhysicalMemorySupportImpl.getPhysicalMemorySupportClass(),
 new PhysicalMemorySupportImpl());
         ImageSingletons.add(VirtualMemoryProvider.class, new 
EnclaveVirtualMemoryProvider());
     }
 }
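Review bot: The cast `(Class<? extends Feature>) Class.forName(...)` in `getRequiredFeatures` is unchecked, so a GraalVM release in which that class no longer implements `Feature` would fail only later, inside the feature handler. `Class.forName("com.oracle.svm.core.posix.linux.LinuxPhysicalMemory$PhysicalMemoryFeature").asSubclass(Feature.class)` verifies the type at the lookup and removes the compiler warning. The method also needs a comment saying why the dependency is declared, presumably so that GraalVM's feature registers its singleton first and `replaceImageSingletonEntry` then overrides it. That matters because `afterRegistration` now writes the entry directly instead of going through `ImageSingletons.add`, which appears to skip that method's duplicate-key check.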
diff --git 
a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
 
b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
index 32a781e..8632751 100644
--- 
a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
+++ 
b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
@@ -8,7 +8,6 @@ import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import java.util.Collection;
-import java.util.Collections;
 import java.util.List;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
diff --git 
a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/NativeImageTest.java
 
b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/NativeImageTest.java
index 99296d9..89b5817 100644
--- 
a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/NativeImageTest.java
+++ 
b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/NativeImageTest.java
@@ -171,8 +171,6 @@ public abstract class NativeImageTest implements 
NativeImageTestable {
         command.add("-H:+ReportExceptionStackTraces");
         command.add("-H:Name=lib" + SVM_ENCLAVE_LIB);
         command.add("-H:-DeleteLocalSymbols");
-        
command.add("-H:DisableFeatures=com.oracle.svm.core.posix.NativeSecureRandomFilesCloser,"
 +
-                
"com.oracle.svm.core.posix.linux.LinuxPhysicalMemory$PhysicalMemoryFeature");
         List<String> extraOptions = extraSVMOptions();
         if (extraOptions != null && !extraOptions.isEmpty()) {
             command.addAll(extraOptions);

