Posted to commits@teaclave.apache.org by sh...@apache.org on 2022/11/11 05:18:00 UTC
[incubator-teaclave-java-tee-sdk] 20/48: [Enc]Hacking graalvm's feature system to disable original features
This is an automated email from the ASF dual-hosted git repository.
shaojunwang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-java-tee-sdk.git
commit d0a0d95440e4fa8ee2a3cadb2cf05d3cdd5f5764
Author: cengfeng.lzy <ce...@alibaba-inc.com>
AuthorDate: Mon Jun 27 11:06:09 2022 +0800
[Enc]Hacking graalvm's feature system to disable original features
Summary: GraalVM rejected the DisableFeatures option PR
https://github.com/oracle/graal/pull/4488, so we have to implement a
similar function here to disable the features that are incompatible with
enclave features.
Test Plan: all tests pass
Reviewers: lei.yul, jeffery.wsj, sanhong.lsh
Issue: https://aone.alibaba-inc.com/task/42819869
CR:
https://code.aone.alibaba-inc.com/java-tee/JavaEnclave/codereview/9170024
---
.../enclave/EnclavePlatFormSettings.java | 55 ++++++++++++++++++++++
.../enclave/EnclaveRandomFeature.java | 14 ++++++
.../enclave/system/EnclaveMemoryFeature.java | 15 +++++-
.../enclave/ConfigMemTest.java | 1 -
.../enclave/NativeImageTest.java | 2 -
5 files changed, 83 insertions(+), 4 deletions(-)
diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclavePlatFormSettings.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclavePlatFormSettings.java
new file mode 100644
index 0000000..a06ae77
--- /dev/null
+++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclavePlatFormSettings.java
@@ -0,0 +1,55 @@
+package com.alibaba.confidentialcomputing.enclave;
+
+import com.oracle.graal.pointsto.util.AnalysisError;
+import com.oracle.svm.core.util.VMError;
+import com.oracle.svm.hosted.FeatureHandler;
+import com.oracle.svm.hosted.ImageSingletonsSupportImpl;
+import org.graalvm.nativeimage.hosted.Feature;
+
+import java.lang.reflect.Field;
+import java.util.List;
+import java.util.Map;
+
+public class EnclavePlatFormSettings {
+ private static final DummyFeature DUMMY_FEATURE = new DummyFeature();
+
+ private static final Field configObjectsField;
+
+ static {
+ try {
+ configObjectsField = ImageSingletonsSupportImpl.HostedManagement.class.getDeclaredField("configObjects");
+ configObjectsField.setAccessible(true);
+ } catch (NoSuchFieldException e) {
+ throw VMError.shouldNotReachHere(e);
+ }
+ }
+
+ static class DummyFeature implements Feature {
+ }
+
+ public static void disableFeatures(FeatureHandler featureHandler, String... featureNames) {
+ List<String> disabledFeatures = List.of(featureNames);
+ try {
+ Field featureInstancesField = featureHandler.getClass().getDeclaredField("featureInstances");
+ featureInstancesField.setAccessible(true);
+ List<Feature> allFeatures = (List<Feature>) featureInstancesField.get(featureHandler);
+ for (int i = 0; i < allFeatures.size(); i++) {
+ Feature featureInstance = allFeatures.get(i);
+ if (disabledFeatures.stream().anyMatch(f -> f.equals(featureInstance.getClass().getName()))) {
+ allFeatures.set(i, DUMMY_FEATURE);
+ }
+ }
+ } catch (ReflectiveOperationException e) {
+ AnalysisError.shouldNotReachHere("Can't disable features.", e);
+ }
+ }
+
+ public static void replaceImageSingletonEntry(Class<?> key, Object newValue) {
+ try {
+ Map<Class<?>, Object> configObjects = (Map<Class<?>, Object>) configObjectsField.get(ImageSingletonsSupportImpl.HostedManagement.get());
+ configObjects.put(key, newValue);
+ } catch (ReflectiveOperationException e) {
+ VMError.shouldNotReachHere(e);
+ }
+ }
+}
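Review bot: `disableFeatures` does nothing and reports nothing when a requested name matches no entry in `featureInstances`, so a renamed or not-yet-registered GraalVM feature would stay active in the enclave image with no build-time signal. The names arrive as string literals and the list is reached by reflection on GraalVM internals, so the method should record which names it replaced and fail the build (or at least log) for any it did not find. The sketch below needs `java.util.Set` and `java.util.HashSet` imported. Separately, `replaceImageSingletonEntry` writes straight into `configObjects`, which presumably bypasses whatever checks `ImageSingletons.add` performs. An `Objects.requireNonNull` on both arguments and a `key.isInstance(newValue)` check would keep a malformed entry from being installed.

```java
public static void disableFeatures(FeatureHandler featureHandler, String... featureNames) {
    Set<String> requested = new HashSet<>(List.of(featureNames));
    Set<String> replaced = new HashSet<>();
    try {
        // … unchanged: reflective lookup of featureInstances into allFeatures …
        for (int i = 0; i < allFeatures.size(); i++) {
            String name = allFeatures.get(i).getClass().getName();
            if (requested.contains(name)) {
                allFeatures.set(i, DUMMY_FEATURE);
                replaced.add(name);
            }
        }
    // … unchanged: catch (ReflectiveOperationException e) …
    requested.removeAll(replaced);
    if (!requested.isEmpty()) {
        // A feature we meant to disable is still active: stop the image build.
        throw VMError.shouldNotReachHere("Features to disable were not found: " + requested);
    }
```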
diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveRandomFeature.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveRandomFeature.java
new file mode 100644
index 0000000..400228e
--- /dev/null
+++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveRandomFeature.java
@@ -0,0 +1,14 @@
+package com.alibaba.confidentialcomputing.enclave;
+
+import com.oracle.svm.hosted.FeatureHandler;
+import com.oracle.svm.hosted.FeatureImpl;
+import org.graalvm.nativeimage.hosted.Feature;
+
+public class EnclaveRandomFeature implements Feature {
+ @Override
+ public void afterRegistration(Feature.AfterRegistrationAccess access) {
+ FeatureImpl.AfterRegistrationAccessImpl a = (FeatureImpl.AfterRegistrationAccessImpl) access;
+ FeatureHandler featureHandler = a.getFeatureHandler();
+ EnclavePlatFormSettings.disableFeatures(featureHandler, "com.oracle.svm.core.posix.NativeSecureRandomFilesCloser");
+ }
+}
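Review bot: `EnclaveRandomFeature` carries no `@AutomaticFeature` annotation, unlike `EnclaveMemoryFeature`, and this commit also drops the `-H:DisableFeatures=` option from `NativeImageTest`, so nothing visible in the diff shows how this class gets registered. If it is registered elsewhere (for example through a `--features` option), a class comment should say so, because an unregistered feature would leave `NativeSecureRandomFilesCloser` enabled without any error. The comment should also state why that feature is incompatible with the enclave and that the replacement only affects callbacks that run after this `afterRegistration`. The downcast to `FeatureImpl.AfterRegistrationAccessImpl` is unchecked; an `instanceof` guard with a clear `VMError` message would make a GraalVM upgrade failure easier to diagnose than a `ClassCastException`.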
diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java
index efc5109..0ad76c9 100644
--- a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java
+++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java
@@ -1,13 +1,17 @@
package com.alibaba.confidentialcomputing.enclave.system;
+import com.alibaba.confidentialcomputing.enclave.EnclavePlatFormSettings;
import com.alibaba.confidentialcomputing.enclave.c.EnclaveEnvironment;
import com.alibaba.confidentialcomputing.enclave.system.EnclavePhysicalMemory.PhysicalMemorySupportImpl;
import com.oracle.svm.core.annotate.AutomaticFeature;
import com.oracle.svm.core.os.VirtualMemoryProvider;
+import com.oracle.svm.core.util.VMError;
import org.graalvm.nativeimage.ImageSingletons;
import org.graalvm.nativeimage.hosted.Feature;
import org.graalvm.nativeimage.impl.RuntimeClassInitializationSupport;
+import java.util.List;
+
/**
* Native image queries the memory page size and heap pages number at runtime with {@code sysconf(_SC_PHYS_PAGES)} and
* {@code sysconf(_SC_PAGESIZE)}, just as POSIX defined. However, such operations are not supported by some enclave SDKs,
@@ -22,12 +26,21 @@ import org.graalvm.nativeimage.impl.RuntimeClassInitializationSupport;
*/
@AutomaticFeature
public class EnclaveMemoryFeature implements Feature {
+ @Override
+ public List<Class<? extends Feature>> getRequiredFeatures() {
+ try {
+ Class<? extends Feature> physicalMemClass = (Class<? extends Feature>) Class.forName("com.oracle.svm.core.posix.linux.LinuxPhysicalMemory$PhysicalMemoryFeature");
+ return List.of(physicalMemClass);
+ } catch (ClassNotFoundException e) {
+ throw VMError.shouldNotReachHere(e);
+ }
+ }
@Override
public void afterRegistration(AfterRegistrationAccess access) {
RuntimeClassInitializationSupport rci = ImageSingletons.lookup(RuntimeClassInitializationSupport.class);
rci.initializeAtBuildTime("com.alibaba.confidentialcomputing.enclave.system.EnclaveVirtualMemoryProvider", "Native Image classes are always initialized at build time");
- ImageSingletons.add(PhysicalMemorySupportImpl.getPhysicalMemorySupportClass(), new PhysicalMemorySupportImpl());
+ EnclavePlatFormSettings.replaceImageSingletonEntry(PhysicalMemorySupportImpl.getPhysicalMemorySupportClass(), new PhysicalMemorySupportImpl());
ImageSingletons.add(VirtualMemoryProvider.class, new EnclaveVirtualMemoryProvider());
}
}
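Review bot: The cast in `getRequiredFeatures` is unchecked, so a class that is not a `Feature` would only fail later inside GraalVM; `Class.forName("com.oracle.svm.core.posix.linux.LinuxPhysicalMemory$PhysicalMemoryFeature").asSubclass(Feature.class)` checks it at the call site and removes the warning. The method also needs a comment explaining why the feature is required rather than disabled. The apparent intent is that the original feature registers its singleton first so that `replaceImageSingletonEntry` overwrites it, but that ordering assumption is not written down anywhere in the hunk. Because the overwrite goes through reflection instead of `ImageSingletons.add`, a short note in `afterRegistration` such as `// overwrites the singleton installed by PhysicalMemoryFeature; see getRequiredFeatures()` would help the next maintainer who upgrades GraalVM.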
diff --git a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
index 32a781e..8632751 100644
--- a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
+++ b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
@@ -8,7 +8,6 @@ import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import java.util.Collection;
-import java.util.Collections;
import java.util.List;
import static org.junit.jupiter.api.Assertions.assertEquals;
diff --git a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/NativeImageTest.java b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/NativeImageTest.java
index 99296d9..89b5817 100644
--- a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/NativeImageTest.java
+++ b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/NativeImageTest.java
@@ -171,8 +171,6 @@ public abstract class NativeImageTest implements NativeImageTestable {
command.add("-H:+ReportExceptionStackTraces");
command.add("-H:Name=lib" + SVM_ENCLAVE_LIB);
command.add("-H:-DeleteLocalSymbols");
- command.add("-H:DisableFeatures=com.oracle.svm.core.posix.NativeSecureRandomFilesCloser," +
- "com.oracle.svm.core.posix.linux.LinuxPhysicalMemory$PhysicalMemoryFeature");
List<String> extraOptions = extraSVMOptions();
if (extraOptions != null && !extraOptions.isEmpty()) {
command.addAll(extraOptions);