You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@teaclave.apache.org by sh...@apache.org on 2022/11/11 05:18:00 UTC
[incubator-teaclave-java-tee-sdk] 20/48: [Enc]Hacking graalvm's feature system to disable original features

This is an automated email from the ASF dual-hosted git repository.

shaojunwang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-java-tee-sdk.git

commit d0a0d95440e4fa8ee2a3cadb2cf05d3cdd5f5764
Author: cengfeng.lzy <ce...@alibaba-inc.com>
AuthorDate: Mon Jun 27 11:06:09 2022 +0800

    [Enc]Hacking graalvm's feature system to disable original features
    
    Summary: As GraalVM rejected the DisableFeatures option PR
    https://github.com/oracle/graal/pull/4488, we have to implement the
    similar function here to disable the features that are incompatible with
    enclave features.
    
    Test Plan: all tests pass
    
    Reviewers: lei.yul, jeffery.wsj, sanhong.lsh
    
    Issue: https://aone.alibaba-inc.com/task/42819869
    
    CR:
    https://code.aone.alibaba-inc.com/java-tee/JavaEnclave/codereview/9170024
---
 .../enclave/EnclavePlatFormSettings.java           | 55 ++++++++++++++++++++++
 .../enclave/EnclaveRandomFeature.java              | 14 ++++++
 .../enclave/system/EnclaveMemoryFeature.java       | 15 +++++-
 .../enclave/ConfigMemTest.java                     |  1 -
 .../enclave/NativeImageTest.java                   |  2 -
 5 files changed, 83 insertions(+), 4 deletions(-)

diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclavePlatFormSettings.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclavePlatFormSettings.java
new file mode 100644
index 0000000..a06ae77
--- /dev/null
+++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclavePlatFormSettings.java
@@ -0,0 +1,55 @@
+package com.alibaba.confidentialcomputing.enclave;
+
+import com.oracle.graal.pointsto.util.AnalysisError;
+import com.oracle.svm.core.util.VMError;
+import com.oracle.svm.hosted.FeatureHandler;
+import com.oracle.svm.hosted.ImageSingletonsSupportImpl;
+import org.graalvm.nativeimage.hosted.Feature;
+
+import java.lang.reflect.Field;
+import java.util.List;
+import java.util.Map;
+
+public class EnclavePlatFormSettings {
+    private static final DummyFeature DUMMY_FEATURE = new DummyFeature();
+
+    private static final Field configObjectsField;
+
+    static {
+        try {
+            configObjectsField = ImageSingletonsSupportImpl.HostedManagement.class.getDeclaredField("configObjects");
+            configObjectsField.setAccessible(true);
+        } catch (NoSuchFieldException e) {
+            throw VMError.shouldNotReachHere(e);
+        }
+    }
+
+    static class DummyFeature implements Feature {
+    }
+
+    public static void disableFeatures(FeatureHandler featureHandler, String... featureNames) {
+        List<String> disabledFeatures = List.of(featureNames);
+        try {
+            Field featureInstancesField = featureHandler.getClass().getDeclaredField("featureInstances");
+            featureInstancesField.setAccessible(true);
+            List<Feature> allFeatures = (List<Feature>) featureInstancesField.get(featureHandler);
+            for (int i = 0; i < allFeatures.size(); i++) {
+                Feature featureInstance = allFeatures.get(i);
+                if (disabledFeatures.stream().anyMatch(f -> f.equals(featureInstance.getClass().getName()))) {
+                    allFeatures.set(i, DUMMY_FEATURE);
+                }
+            }
+        } catch (ReflectiveOperationException e) {
+            AnalysisError.shouldNotReachHere("Can't disable features.", e);
+        }
+    }
+
+    public static void replaceImageSingletonEntry(Class<?> key, Object newValue) {
+        try {
+            Map<Class<?>, Object> configObjects = (Map<Class<?>, Object>) configObjectsField.get(ImageSingletonsSupportImpl.HostedManagement.get());
+            configObjects.put(key, newValue);
+        } catch (ReflectiveOperationException e) {
+            VMError.shouldNotReachHere(e);
+        }
+    }
+}
diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveRandomFeature.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveRandomFeature.java
new file mode 100644
index 0000000..400228e
--- /dev/null
+++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveRandomFeature.java
@@ -0,0 +1,14 @@
+package com.alibaba.confidentialcomputing.enclave;
+
+import com.oracle.svm.hosted.FeatureHandler;
+import com.oracle.svm.hosted.FeatureImpl;
+import org.graalvm.nativeimage.hosted.Feature;
+
+public class EnclaveRandomFeature implements Feature {
+    @Override
+    public void afterRegistration(Feature.AfterRegistrationAccess access) {
+        FeatureImpl.AfterRegistrationAccessImpl a = (FeatureImpl.AfterRegistrationAccessImpl) access;
+        FeatureHandler featureHandler = a.getFeatureHandler();
+        EnclavePlatFormSettings.disableFeatures(featureHandler, "com.oracle.svm.core.posix.NativeSecureRandomFilesCloser");
+    }
+}
diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java
index efc5109..0ad76c9 100644
--- a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java
+++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java
@@ -1,13 +1,17 @@
 package com.alibaba.confidentialcomputing.enclave.system;
 
+import com.alibaba.confidentialcomputing.enclave.EnclavePlatFormSettings;
 import com.alibaba.confidentialcomputing.enclave.c.EnclaveEnvironment;
 import com.alibaba.confidentialcomputing.enclave.system.EnclavePhysicalMemory.PhysicalMemorySupportImpl;
 import com.oracle.svm.core.annotate.AutomaticFeature;
 import com.oracle.svm.core.os.VirtualMemoryProvider;
+import com.oracle.svm.core.util.VMError;
 import org.graalvm.nativeimage.ImageSingletons;
 import org.graalvm.nativeimage.hosted.Feature;
 import org.graalvm.nativeimage.impl.RuntimeClassInitializationSupport;
 
+import java.util.List;
+
 /**
  * Native image queries the memory page size and heap pages number at runtime with {@code sysconf(_SC_PHYS_PAGES)} and
  * {@code sysconf(_SC_PAGESIZE)}, just as POSIX defined. However, such operations are not supported by some enclave SDKs,
@@ -22,12 +26,21 @@ import org.graalvm.nativeimage.impl.RuntimeClassInitializationSupport;
  */
 @AutomaticFeature
 public class EnclaveMemoryFeature implements Feature {
+    @Override
+    public List<Class<? extends Feature>> getRequiredFeatures() {
+        try {
+            Class<? extends Feature> physicalMemClass = (Class<? extends Feature>) Class.forName("com.oracle.svm.core.posix.linux.LinuxPhysicalMemory$PhysicalMemoryFeature");
+            return List.of(physicalMemClass);
+        } catch (ClassNotFoundException e) {
+            throw VMError.shouldNotReachHere(e);
+        }
+    }
 
     @Override
     public void afterRegistration(AfterRegistrationAccess access) {
         RuntimeClassInitializationSupport rci = ImageSingletons.lookup(RuntimeClassInitializationSupport.class);
         rci.initializeAtBuildTime("com.alibaba.confidentialcomputing.enclave.system.EnclaveVirtualMemoryProvider", "Native Image classes are always initialized at build time");
-        ImageSingletons.add(PhysicalMemorySupportImpl.getPhysicalMemorySupportClass(), new PhysicalMemorySupportImpl());
+        EnclavePlatFormSettings.replaceImageSingletonEntry(PhysicalMemorySupportImpl.getPhysicalMemorySupportClass(), new PhysicalMemorySupportImpl());
         ImageSingletons.add(VirtualMemoryProvider.class, new EnclaveVirtualMemoryProvider());
     }
 }
diff --git a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
index 32a781e..8632751 100644
--- a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
+++ b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
@@ -8,7 +8,6 @@ import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import java.util.Collection;
-import java.util.Collections;
 import java.util.List;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
diff --git a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/NativeImageTest.java b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/NativeImageTest.java
index 99296d9..89b5817 100644
--- a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/NativeImageTest.java
+++ b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/NativeImageTest.java
@@ -171,8 +171,6 @@ public abstract class NativeImageTest implements NativeImageTestable {
         command.add("-H:+ReportExceptionStackTraces");
         command.add("-H:Name=lib" + SVM_ENCLAVE_LIB);
         command.add("-H:-DeleteLocalSymbols");
-        command.add("-H:DisableFeatures=com.oracle.svm.core.posix.NativeSecureRandomFilesCloser," +
-                "com.oracle.svm.core.posix.linux.LinuxPhysicalMemory$PhysicalMemoryFeature");
         List<String> extraOptions = extraSVMOptions();
         if (extraOptions != null && !extraOptions.isEmpty()) {
             command.addAll(extraOptions);


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@teaclave.apache.org
For additional commands, e-mail: commits-help@teaclave.apache.org