Almost builds

build.sbt

@@ -217,7 +217,7 @@ buildFlatbuffersTask := {
   if (gen.isEmpty || fbsLastMod > gen.map(_.lastModified).max) {
     for (fbs <- flatbuffers) {
       streams.value.log.info(s"Generating flatbuffers for ${fbs}")
-      if (Seq(flatc.getPath, "--cpp", "-o", flatbuffersGenCppDir.value.getPath, fbs.getPath).! != 0
+      if (Seq(flatc.getPath, "--cpp", "--gen-mutable", "-o", flatbuffersGenCppDir.value.getPath, fbs.getPath).! != 0
         || Seq(flatc.getPath, "--java", "-o", javaOutDir.getPath, fbs.getPath).! != 0) {
         sys.error("Flatbuffers build failed.")
       }

src/enclave/Enclave/Enclave.cpp

@@ -20,7 +20,7 @@
 #include <mbedtls/pk.h>
 #include <mbedtls/rsa.h>
 #include <mbedtls/sha256.h>
-#include "EnclaveContext.h"
+// #include "EnclaveContext.h"
 #include "IntegrityUtils.h"
 
 // This file contains definitions of the ecalls declared in Enclave.edl. Errors originating within
@@ -152,7 +152,7 @@ void ecall_partition_for_sort(uint8_t *sort_order, size_t sort_order_length,
                        output_partitions, output_partition_lengths);
     // Assert that there are num_partitions log_macs in EnclaveContext
     // TODO: Iterate over &output_partitions[i] for i in num_partitions
-    for (int i = 0; i < num_partitions; i++) {
+    for (uint32_t i = 0; i < num_partitions; i++) {
         complete_encrypted_blocks(output_partitions[i]);
     }
     EnclaveContext::getInstance().finish_ecall();
@@ -325,13 +325,15 @@ void ecall_compute_num_rows_per_partition(uint32_t limit,
   }
 }
 
-void ecall_local_limit(uint8_t *input_rows, size_t input_rows_length,
+void ecall_local_limit(uint32_t limit,
+                       uint8_t *input_rows, size_t input_rows_length,
                        uint8_t **output_rows, size_t *output_rows_length) {
   assert(oe_is_outside_enclave(input_rows, input_rows_length) == 1);
   __builtin_ia32_lfence();
 
   try {
-    limit_return_rows(input_rows, input_rows_length,
+    limit_return_rows(limit,
+                      input_rows, input_rows_length,
                       output_rows, output_rows_length);
     complete_encrypted_blocks(*output_rows);
     EnclaveContext::getInstance().finish_ecall();
@@ -341,15 +343,17 @@ void ecall_local_limit(uint8_t *input_rows, size_t input_rows_length,
   }
 }
 
-void ecall_limit_return_rows(uint8_t *limits, size_t limits_length,
+void ecall_limit_return_rows(uint64_t partition_id,
+                             uint8_t *limits, size_t limits_length,
                              uint8_t *input_rows, size_t input_rows_length,
                              uint8_t **output_rows, size_t *output_rows_length) {
   assert(oe_is_outside_enclave(limits, limits_length) == 1);
   assert(oe_is_outside_enclave(input_rows, input_rows_length) == 1);
   __builtin_ia32_lfence();
 
   try {
-    limit_return_rows(limits, limits_length,
+    limit_return_rows(partition_id,
+                      limits, limits_length,
                       input_rows, input_rows_length,
                       output_rows, output_rows_length);
     complete_encrypted_blocks(*output_rows);
@@ -375,7 +379,6 @@ void ecall_finish_attestation(uint8_t *shared_key_msg_input,
     }
 
     set_shared_key(shared_key_plaintext, shared_key_plaintext_size);
-    EnclaveContext::getInstance().reset_pid_jobid_map();
   } catch (const std::runtime_error &e) {
     ocall_throw(e.what());
   }

src/enclave/Enclave/EnclaveContext.h

@@ -13,6 +13,7 @@ struct Crumb {
   int ecall; // ecall executed
   uint8_t log_mac[OE_HMAC_SIZE]; // LogEntryChain MAC for this output
   uint8_t all_outputs_mac[OE_HMAC_SIZE]; 
+  // FIXME: change this to num_input_log_macs
   int num_input_macs; // Num MACS in the below vector
   std::vector<uint8_t> input_log_macs;
 
@@ -22,8 +23,6 @@ struct Crumb {
       if (this->ecall != c.ecall) {
           return false;
       }
-      bool log_macs_match = true;
-      bool all_outputs_mac_match = true;
 
       // Check whether the log_mac and the all_outputs_mac are the same
       for (int i = 0; i < OE_HMAC_SIZE; i++) {
@@ -41,7 +40,7 @@ struct Crumb {
       }
 
       // Check whether the input_log_macs themselves are the same
-      for (int i = 0; i < this->input_log_macs.size(); i++) {
+      for (uint32_t i = 0; i < this->input_log_macs.size(); i++) {
           if (this->input_log_macs[i] != c.input_log_macs[i]) {
               return false;
           }
@@ -55,7 +54,7 @@ class CrumbHashFunction {
     // Example taken from https://www.geeksforgeeks.org/how-to-create-an-unordered_set-of-user-defined-class-or-struct-in-c/ 
     size_t operator()(const Crumb& c) const
     { 
-        return (std::hash<int>()(c.ecall)) ^ (std::hash<uint8_t*>()(c.log_mac)) ^ (std::hash<uint8_t*>()(c.all_outputs_mac)) ^ (std::hash<int>()(c.num_input_macs)) ^ (std::hash<uint8_t*>()(c.input_log_macs.data())); 
+        return (std::hash<int>()(c.ecall)) ^ (std::hash<uint8_t*>()((uint8_t*) c.log_mac)) ^ (std::hash<uint8_t*>()((uint8_t*) c.all_outputs_mac)) ^ (std::hash<int>()(c.num_input_macs)) ^ (std::hash<uint8_t*>()((uint8_t*) c.input_log_macs.data())); 
     } 
 };
 
@@ -64,7 +63,7 @@ static Crypto mcrypto;
 class EnclaveContext {
   private:
     std::unordered_set<Crumb, CrumbHashFunction> crumbs;
-    std::vector<std::vector<uint8_t>> input_macs;
+    std::vector<uint8_t> input_macs;
     int num_input_macs;
 
     // Contiguous array of log_macs: log_mac_1 || log_mac_2 || ...
@@ -138,16 +137,20 @@ class EnclaveContext {
       return append_mac;
     }
 
-    void append_crumb(int ecall, uint8_t log_mac[OE_HMAC_SIZE], uint8_t all_outputs_mac[OE_HMAC_SIZE], int num_input_macs, std::vector<uint8_t> input_log_macs) {
+    // FIXME: make the arrays here const?
+    void append_crumb(int ecall, const uint8_t log_mac[OE_HMAC_SIZE], const uint8_t all_outputs_mac[OE_HMAC_SIZE], int num_input_macs, std::vector<uint8_t> input_log_macs) {
+      // FIXME: for some reason, compiler thinks the following two arguments are unused
+      (void) log_mac;
+      (void) all_outputs_mac;
       Crumb new_crumb;
 
       new_crumb.ecall = ecall;
       memcpy(new_crumb.log_mac, (const uint8_t*) log_mac, OE_HMAC_SIZE);
-      memcpy(new_crumb.all_outputs_mac, (const uint8_t* all_outputs_mac), OE_HMAC_SIZE);
+      memcpy(new_crumb.all_outputs_mac, (const uint8_t*) all_outputs_mac, OE_HMAC_SIZE);
       new_crumb.num_input_macs = num_input_macs;
 
       // Copy over input_log_macs
-      for (int i = 0; i < input_log_macs.size(); i++) {
+      for (uint32_t i = 0; i < input_log_macs.size(); i++) {
           new_crumb.input_log_macs.push_back(input_log_macs[i]);
       }
       crumbs.insert(new_crumb);
@@ -159,7 +162,7 @@ class EnclaveContext {
     }
 
     void append_input_mac(std::vector<uint8_t> input_mac) {
-        for (int i = 0; i < input_mac.size(); i++) {
+        for (uint32_t i = 0; i < input_mac.size(); i++) {
             input_macs.push_back(input_mac[i]);
         }
         num_input_macs++;

src/enclave/Enclave/FlatbuffersWriters.cpp

@@ -174,7 +174,7 @@ flatbuffers::Offset<tuix::EncryptedBlocks> RowWriter::finish_blocks(std::string
         curr_ecall_id,
         num_macs,
         enc_block_builder.CreateVector(mac_lst_ptr.get(), num_macs * SGX_AESGCM_MAC_SIZE),
-        enc_block_builder.CreateVector(mac_lst_mac_ptr.get(), OE_HMAC_SIZE)
+        enc_block_builder.CreateVector(mac_lst_mac_ptr.get(), OE_HMAC_SIZE),
         enc_block_builder.CreateVector(input_macs_ptr.get(), num_input_macs * OE_HMAC_SIZE),
         num_input_macs);
 
@@ -188,9 +188,9 @@ flatbuffers::Offset<tuix::EncryptedBlocks> RowWriter::finish_blocks(std::string
         int crumb_ecall = crumb.ecall;
 
         // FIXME: do these need to be memcpy'ed
-        std::vector<uint8_t> crumb_input_macs = crumb.input_macs;
+        std::vector<uint8_t> crumb_input_macs = crumb.input_log_macs;
         uint8_t* crumb_all_outputs_mac = crumb.all_outputs_mac;
-        uint8_t* crumb_log_mac = crumb.log_mac
+        uint8_t* crumb_log_mac = crumb.log_mac;
 
         // Copy crumb input macs to untrusted memory
         uint8_t* untrusted_crumb_input_macs = nullptr;
@@ -213,7 +213,7 @@ flatbuffers::Offset<tuix::EncryptedBlocks> RowWriter::finish_blocks(std::string
             &ocall_free);
         memcpy(crumb_log_mac_ptr.get(), crumb_log_mac, OE_HMAC_SIZE);
 
-        auto serialized_crumb = tuix::CreateLogEntry(enc_block_builder,
+        auto serialized_crumb = tuix::CreateCrumb(enc_block_builder,
           enc_block_builder.CreateVector(crumb_input_macs_ptr.get(), crumb_num_input_macs * OE_HMAC_SIZE),
           num_input_macs,
           enc_block_builder.CreateVector(crumb_all_outputs_mac_ptr.get(), OE_HMAC_SIZE),
@@ -239,18 +239,19 @@ flatbuffers::Offset<tuix::EncryptedBlocks> RowWriter::finish_blocks(std::string
     int log_entry_num_bytes_to_mac = 3 * sizeof(int) + OE_HMAC_SIZE + num_input_macs * OE_HMAC_SIZE;
 
     int num_bytes_in_crumbs_list = 0;
-    for (int k = 0; k < crumbs.size(); k++) {
+    for (uint32_t k = 0; k < crumbs.size(); k++) {
         int num_bytes_in_crumb = 2 * sizeof(int) + 2 * OE_HMAC_SIZE + OE_HMAC_SIZE * crumbs[k].num_input_macs; 
-        num_bytes_in_crumbs_list += num_byte_in_crumb;
+        num_bytes_in_crumbs_list += num_bytes_in_crumb;
     } 
 
     // Below, we add sizeof(int) to include the num_past_entries entry that is part of LogEntryChain 
-    int num_bytes_to_mac = log_entry_num_byte_to_mac + num_bytes_in_crumbs_list + sizeof(int);
+    int num_bytes_to_mac = log_entry_num_bytes_to_mac + num_bytes_in_crumbs_list + sizeof(int);
+    // FIXME: VLA
     uint8_t to_mac[num_bytes_to_mac];
 
     uint8_t log_mac[OE_HMAC_SIZE];
-    mac_log_entry_chain(num_bytes_to_mac, to_mac, mac_lst_mac, curr_ecall_id, num_macs, num_input_macs,
-            mac_lst_mac, input_macs, num_past_entries, crumbs, 0, num_past_entries, log_mac); 
+    mac_log_entry_chain(num_bytes_to_mac, to_mac, curr_ecall_id, num_macs, num_input_macs,
+            mac_lst_mac, input_macs, num_crumbs, crumbs, 0, num_crumbs, log_mac); 
 
     // Copy the log_mac to untrusted memory
     uint8_t* untrusted_log_mac = nullptr;
@@ -261,12 +262,8 @@ flatbuffers::Offset<tuix::EncryptedBlocks> RowWriter::finish_blocks(std::string
         enc_block_builder.CreateVector(log_mac_ptr.get(), OE_HMAC_SIZE));
     log_mac_vector.push_back(log_mac_offset);
 
-    // TODO: store the log mac in Enclave so that we can later compute all_outputs_mac over it
     EnclaveContext::getInstance().append_log_mac(log_mac);
 
-    // Temporarily store 32 0's as the all_outputs_mac 
-    uint8_t tmp_all_outputs_mac[OE_HMAC_SIZE] = {0};
-
     // Clear log entry state
     EnclaveContext::getInstance().reset_log_entry();
   } 

src/enclave/Enclave/IntegrityUtils.cpp

@@ -20,13 +20,13 @@ void init_log(const tuix::EncryptedBlocks *encrypted_blocks) {
     EnclaveContext::getInstance().append_crumb(crumb_ecall, crumb_log_mac, crumb_all_outputs_mac, crumb_num_input_macs, crumb_vector_input_macs);
 
     // Initialize crumb for LogEntryChain MAC verification
-    Crumb crumb;
-    crumb.ecall = crumb_ecall;
-    crumb.log_mac = crumb_log_mac;
-    crumb.all_outputs_mac = crumb_all_outputs_mac;
-    crumb.num_input_macs = crumb_num_input_macs;
-    crumb.input_log_macs = crumb_vector_input_macs;
-    crumbs.push_back(crumb);
+    Crumb new_crumb;
+    new_crumb.ecall = crumb_ecall;
+    memcpy(new_crumb.log_mac, crumb_log_mac, OE_HMAC_SIZE);
+    memcpy(new_crumb.all_outputs_mac, crumb_all_outputs_mac, OE_HMAC_SIZE);
+    new_crumb.num_input_macs = crumb_num_input_macs;
+    new_crumb.input_log_macs = crumb_vector_input_macs;
+    crumbs.push_back(new_crumb);
   }
 
   if (curr_entries_vec->size() > 0) {
@@ -75,9 +75,9 @@ void init_log(const tuix::EncryptedBlocks *encrypted_blocks) {
     std::vector<uint8_t> vector_prev_input_macs(prev_input_macs, prev_input_macs + num_prev_input_macs * OE_HMAC_SIZE);
 
     // Create new crumb given recently received EncryptedBlocks
-    uint8_t* mac_input = encrypted_blocks->all_outputs_mac()->Get(i)->mac()->data(); 
+    const uint8_t* mac_input = encrypted_blocks->all_outputs_mac()->Get(i)->mac()->data(); 
     EnclaveContext::getInstance().append_crumb(
-        ecall, encrypted_blocks->log_mac()->Get(i)->mac()->data(), 
+        logged_ecall, encrypted_blocks->log_mac()->Get(i)->mac()->data(), 
         mac_input, num_prev_input_macs, vector_prev_input_macs);
 
     std::vector<uint8_t> mac_input_vector(mac_input, mac_input + OE_HMAC_SIZE);
@@ -160,7 +160,7 @@ void verify_log(const tuix::EncryptedBlocks *encrypted_blocks,
       // MAC the data
       uint8_t actual_mac[OE_HMAC_SIZE];
       mac_log_entry_chain(total_bytes_to_mac, to_mac, curr_ecall, num_macs, num_input_macs, 
-              curr_log_entry->mac_lst_mac()->data(), curr_log_entry->input_macs()->data(),
+              (uint8_t*) curr_log_entry->mac_lst_mac()->data(), (uint8_t*) curr_log_entry->input_macs()->data(),
               num_past_entries, crumbs, past_entries_seen,
               past_entries_seen + num_past_entries, actual_mac);
 
@@ -198,13 +198,13 @@ void mac_log_entry_chain(int num_bytes_to_mac, uint8_t* to_mac, int curr_ecall,
     auto crumb = crumbs[i];
     int past_ecall = crumb.ecall;
     int num_input_macs = crumb.num_input_macs;
-    std::vector<uint8_t> input_macs = crumb.input_macs;
+    std::vector<uint8_t> input_log_macs = crumb.input_log_macs;
     uint8_t* all_outputs_mac = crumb.all_outputs_mac;
     uint8_t* log_mac = crumb.log_mac;
 
     memcpy(tmp_ptr, &past_ecall, sizeof(int));
     memcpy(tmp_ptr + sizeof(int), &num_input_macs, sizeof(int));
-    memcpy(tmp_ptr + 2 * sizeof(int), input_macs.data(), num_input_macs * OE_HMAC_SIZE);
+    memcpy(tmp_ptr + 2 * sizeof(int), input_log_macs.data(), num_input_macs * OE_HMAC_SIZE);
     memcpy(tmp_ptr + 2 * sizeof(int) + num_input_macs * OE_HMAC_SIZE, all_outputs_mac, OE_HMAC_SIZE);
     memcpy(tmp_ptr + 2 * sizeof(int) + (num_input_macs + 1) * OE_HMAC_SIZE, log_mac, OE_HMAC_SIZE);
 
@@ -216,18 +216,20 @@ void mac_log_entry_chain(int num_bytes_to_mac, uint8_t* to_mac, int curr_ecall,
 }
 
 // Replace dummy all_outputs_mac in output EncryptedBlocks with actual all_outputs_mac
-void complete_encrypted_blocks(const tuix::EncryptedBlocks* encrypted_blocks) {
+void complete_encrypted_blocks(uint8_t* encrypted_blocks) {
     uint8_t all_outputs_mac[32];
     generate_all_outputs_mac(all_outputs_mac);
     // Perform in-place flatbuffers mutation to modify EncryptedBlocks with updated all_outputs_mac
     auto blocks = tuix::GetMutableEncryptedBlocks(encrypted_blocks);
-    for (int i = 0; i < OE_HMAC_SIZE; i+) {
+    for (int i = 0; i < OE_HMAC_SIZE; i++) {
         blocks->mutable_all_outputs_mac()->mutable_mac()->Mutate(i, all_outputs_mac[i]);
     }
     // TODO: check that buffer was indeed modified
 }
 
 void generate_all_outputs_mac(uint8_t all_outputs_mac[32]) {
+    // FIXME: for some reason compiler thinks the parameter is unused
+    (void) all_outputs_mac;
     std::vector<uint8_t> log_macs_vector = EnclaveContext::getInstance().get_log_macs();
     int num_log_macs = EnclaveContext::getInstance().get_num_log_macs();
     uint8_t* log_macs = log_macs_vector.data();

src/enclave/Enclave/IntegrityUtils.h

@@ -13,6 +13,6 @@ void mac_log_entry_chain(int num_bytes_to_mac, uint8_t* to_mac, int curr_ecall,
     int num_past_entries, std::vector<Crumb> crumbs, int first_crumb_index, 
     int last_crumb_index, uint8_t* ret_hmac);
 
-void complete_encrypted_blocks(const tuix::EncryptedBlocks* encrypted_blocks);
+void complete_encrypted_blocks(uint8_t* encrypted_blocks);
 
-void generate_all_outputs_mac(uint8_t all_outputs_mac[32]) {
+void generate_all_outputs_mac(uint8_t all_outputs_mac[32]);