fortanix · raoulstrackx · Nov 22, 2024 · Nov 21, 2024
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/intel-sgx/enclave-runner/src/loader.rs b/intel-sgx/enclave-runner/src/loader.rs
@@ -146,7 +146,7 @@ impl<'a> EnclaveBuilder<'a> {
             load_and_sign: None,
             hash_enclave: None,
             forward_panics: false,
-            force_time_usercalls: true, // By default, keep the old behavior of always doing a usercall on an insecure_time call
+            force_time_usercalls: false,
             cmd_args: None,
         };
 
@@ -278,6 +278,10 @@ impl<'a> EnclaveBuilder<'a> {
         self
     }
 
+    pub fn forced_insecure_time_usercalls(&self) -> bool {
+        self.force_time_usercalls
+    }
+
     fn initialized_args_mut(&mut self) -> &mut Vec<Vec<u8>> {
         self.cmd_args.get_or_insert_with(|| vec![b"enclave".to_vec()])
     }

diff --git a/intel-sgx/fortanix-sgx-tools/Cargo.toml b/intel-sgx/fortanix-sgx-tools/Cargo.toml
@@ -20,6 +20,7 @@ edition = "2018"
 [dependencies]
 # Project dependencies
 aesm-client = { version = "0.6.0", path = "../aesm-client", features = ["sgxs"] }
+insecure-time = { version = "0.1.0", path = "../insecure-time" }
 sgxs-loaders = { version = "0.4.0", path = "../sgxs-loaders" }
 enclave-runner = { version = "0.6.0", path = "../enclave-runner" }
 sgxs = { version = "0.8.0", path = "../sgxs" }

diff --git a/intel-sgx/fortanix-sgx-tools/src/bin/ftxsgx-runner.rs b/intel-sgx/fortanix-sgx-tools/src/bin/ftxsgx-runner.rs
@@ -13,6 +13,7 @@ use std::io::{stderr, Write};
 use aesm_client::AesmClient;
 use enclave_runner::EnclaveBuilder;
 use anyhow::Context;
+use insecure_time::Rdtscp;
 #[cfg(unix)]
 use libc::{c_int, c_void, siginfo_t};
 #[cfg(unix)]
@@ -77,6 +78,7 @@ fn main() -> Result<(), anyhow::Error> {
         .build();
 
     let mut enclave_builder = EnclaveBuilder::new(file.as_ref());
+    let forced_insecure_time_usercalls = enclave_builder.forced_insecure_time_usercalls();
 
     match args.value_of("signature").map(|v| v.parse().expect("validated")) {
         Some(Signature::coresident) => { enclave_builder.coresident_signature().context("While loading coresident signature")?; }
@@ -94,6 +96,12 @@ fn main() -> Result<(), anyhow::Error> {
 
     enclave.run().map_err(|e| {
         eprintln!("Error while executing SGX enclave.\n{}", e);
+        if !forced_insecure_time_usercalls && Rdtscp::is_supported() && e.to_string() == "Enclave panicked: fatal runtime error: assertion failed: usercall_retval.1 == 0\n" {
+            eprintln!("This might be due to an ABI change related to insecure time in the enclave. If so, this can be resolved by:");
+            eprintln!("  - recompiling the enclave with a newer toolchain, or");
+            eprintln!("  - downgrading the enclave runner, or");
+            eprintln!("  - using a custom enclave runner can calling `EnclaveBuilder::force_insecure_time_usercalls(true)` when building the enclave");
+        }
         std::process::exit(-1)
     })
 }