Add shared memory checks

[wintersteiger]

This adds a number of checks that ensure pointers into shared memory from the host don't point into enclave memory.

Also adds a check to ensure the enclave is initialized only once.

[wintersteiger]

Also fixes #732.

[bodzhang]

virtio_dev structure conains many pointers to sub structures, which also contain pointers to sub structures. Are those pointers suppoed to point to buffers outside of enclave? How to check and how to make sure a malicious host can't modify the pointers after the check?

[wintersteiger]

Even a friendly host will necessarily have to change the contents - that's what the shared memory is for. We will have to add checks on every memory access to any of those pointers in the lkl submodule.

[davidchisnall]

We should check the LKL virtio drivers do this. This is the same use as CVMs, so if they don't then we have a fairly simple attack via VirtIO on Linux on SEV and similar technologies (e.g. Google's recent offering). We may need to add something at the bus layer for hooks that the drivers use to check that memory is the correct kind. All of the descriptors that we use should be SWIOTLB-owned memory.

[bodzhang]

Relevant dicussion at #745

[davidchisnall]

We should check the LKL virtio drivers do this. This is the same use as CVMs, so if they don't then we have a fairly simple attack via VirtIO on Linux on SEV and similar technologies (e.g. Google's recent offering). We may need to add something at the bus layer for hooks that the drivers use to check that memory is the correct kind. All of the descriptors that we use should be SWIOTLB-owned memory.

[bodzhang]

host points to a sgxlkl_shared_memory_t structure copied into the enclave memory by OE. It's safe to access the structure inside the enclave directly, without worring about TOCTOU. Once all a check passes, the field from the sgxlkl_shared_memory_t structure pointed by host can be copied to sgxlkl_enclave_state.shared_memory directly, without using the volatile copy. If a shadow copy of a buffer pointed to by a pointer inside the sgxlkl_shared_memory_t structure is used, the correspnding pointer in sgxlkl_enclave_state.shared_memory can be handled differently.

[wintersteiger]

OE only copies the outermost layer, it doesn't deep-copy. If something goes wrong here, we may end up with a partially initialized data structure, which may or may not be a security problem. I prefer to be conservative here and keep the copy. Since this runs once, it's also not a performance concern.

[bodzhang]

Pointer chain here is unnecessarily complex. uint64_t enclave_evt_channel, uint64_t host_evt_channel, uint32_t qidx all shoud be in the share memory. Defining enc_dec_config as below should simplify the memory check in enclave.

{
    uint8_t dev_id;
    evt_t *enc_evt_channel;
    evt_t *host_evt_channel;
    uint32_t *qidx_p
}
```

[wintersteiger]

This brings a lot of complications in other parts of the code (e.g. during setup on the host side and host_evt_channel and enclave_evt_channel would have to be a evt_t**) and I'm not sure those parts are even correct. @prp @davidchisnall: is it intended and correct that host_dev_event_channel_init (here) allocates evt_channel_num many enc_evt_channel_ts for each event channel with number evt_channel_num? Are these essentially (n^2)/2 communication links?

[wintersteiger]

I think this one's ready to be merged. @SeanTAllen is working on the virtio refactoring, but that will be a separate PR.