| Age | Commit message (Collapse) | Author | Lines |
|---|
|
|
|
|
|
|
|
Some data-independent timing vector instructions may have subtle data-dependent
timing due to MXCSR configuration; dependent on (potentially secret) data
instruction retirement may be delayed by one cycle.
|
|
* advance
* aligned
* borrowed
* calculate
* debugable
* debuggable
* declarations
* desugaring
* documentation
* enclave
* ignorable
* initialized
* iterator
* kaboom
* monomorphization
* nonexistent
* optimizer
* panicking
* process
* reentrant
* rustonomicon
* the
* uninitialized
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
|
|
|
|
|
|
Refactor some `std` code that works with pointer offstes
This PR replaces `pointer::offset` in standard library with `pointer::add` and `pointer::sub`, [re]moving some casts and using `.addr()` while we are at it.
This is a more complicated refactor than all other sibling PRs, so take a closer look when reviewing, please 😃 (though I've checked this multiple times and it looks fine).
r? ````@scottmcm````
_split off from #100746, continuation of #100822_
|
|
|
|
`library/std/src/sys/sgx/abi/usercalls/alloc.rs` nicer
- Use `.addr()` instead of `as`-cast
- Use `add` instead of `offset` and remove some `as isize` casts by doing that
- Remove some casts
|
|
Use pointer `is_aligned*` methods
This PR replaces some manual alignment checks with calls to `pointer::{is_aligned, is_aligned_to}` and removes a useless pointer cast.
r? `@scottmcm`
_split off from #100746_
|
|
Replace most uses of `pointer::offset` with `add` and `sub`
As PR title says, it replaces `pointer::offset` in compiler and standard library with `pointer::add` and `pointer::sub`. This generally makes code cleaner, easier to grasp and removes (or, well, hides) integer casts.
This is generally trivially correct, `.offset(-constant)` is just `.sub(constant)`, `.offset(usized as isize)` is just `.add(usized)`, etc. However in some cases we need to be careful with signs of things.
r? ````@scottmcm````
_split off from #100746_
|
|
|
|
|
|
r=Mark-Simulacrum
Update fortanix-sgx-abi and export some useful SGX usercall traits
Update `fortanix-sgx-abi` to 0.5.0 to add support for cancel queue (see https://github.com/fortanix/rust-sgx/pull/405 and https://github.com/fortanix/rust-sgx/pull/404).
Export some useful traits for processing SGX usercall. This is needed for https://github.com/fortanix/rust-sgx/pull/404 to avoid duplication.
cc `@raoulstrackx` and `@jethrogb`
|
|
In order to mitigate the Stale Data Read for xAPIC vulnerability completely, reading userspace from an SGX enclave must be aligned and in 8-bytes chunks.
References:
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00657.html
- https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/stale-data-read-from-xapic.html
|
|
Update fortanix-sgx-abi to 0.5.0 to add support for cancel queue (see
https://github.com/fortanix/rust-sgx/pull/405 and
https://github.com/fortanix/rust-sgx/pull/404).
Export some useful traits for processing SGX usercall. This is needed
for https://github.com/fortanix/rust-sgx/pull/404 to avoid duplication.
|
|
|
|
|
|
|
|
|
|
|
|
Intel Security Advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html
|
|
|
|
|
|
|
|
This updates the standard library's documentation to use the new syntax. The
documentation is worthwhile to update as it should be more idiomatic
(particularly for features like this, which are nice for users to get acquainted
with). The general codebase is likely more hassle than benefit to update: it'll
hurt git blame, and generally updates can be done by folks updating the code if
(and when) that makes things more readable with the new format.
A few places in the compiler and library code are updated (mostly just due to
already having been done when this commit was first authored).
|
|
They are also removed from the prelude as per the decision in
https://github.com/rust-lang/rust/issues/87228.
stdarch and compiler-builtins are updated to work with the new, stable
asm! and global_asm! macros.
|
|
Revert SGX inline asm syntax
This was erroneously changed in #83387
|
|
On x86, the default syntax is also switched to Intel to match asm!
|
|
This was erroneously changed in #83387
|
|
In #75979 several inlined modules were split out into multiple files.
This PR keeps the multiple files but moves a few things around to
organize things in a coherent way.
|
|
|
|
|
|
|
|
Add is_enclave_range/is_user_range overflow checks
Fixes #76343.
This adds overflow checking to `is_enclave_range` and `is_user_range` in `sgx::os::fortanix_sgx::mem` in order to mitigate possible security issues with enclave code. It also accounts for an edge case where the memory range provided ends exactly at the end of the address space, where calculating `p + len` would overflow back to zero despite the range potentially being valid.
|
|
|
|
|
|
`#[deny(unsafe_op_in_unsafe_fn)]` in sys/sgx
This is part of #73904.
Enclose unsafe operations in unsafe blocks in `libstd/sys/sgx`.
|
|
Run `./x.py` fmt
Add reference link
Fix reference link
Apply review suggestions.
|
|
|
|
Functions such as `is_enclave_range` and `is_user_range` in
`sgx::os::fortanix_sgx::mem` are often used to make sure memory ranges
passed to an enclave from untrusted code or passed to other trusted code
functions are safe to use for their intended purpose. Currently, these
functions do not perform any checks to make sure the range provided
doesn't overflow when adding the range length to the base address. While
debug builds will panic if overflow occurs, release builds will simply
wrap the result, leading to false positive results for either function.
The burden is placed on application authors to know to perform overflow
checks on their own before calling these functions, which can easily
lead to security vulnerabilities if omitted. Additionally, since such
checks are performed in the Intel SGX SDK versions of these functions,
developers migrating from Intel SGX SDK code may expect these functions
to operate the same.
This commit adds explicit overflow checking to `is_enclave_range` and
`is_user_range`, returning `false` if overflow occurs in order to
prevent misuse of invalid memory ranges. It also alters the checks to
account for ranges that lie exactly at the end of the address space,
where calculating `p + len` would overflow despite the range being
valid.
|
|
Also doing fmt inplace as requested.
|
|
|
