`Tcs` should not be a `NonNull` pointer

[joboet]

TCSs may be located at logical address zero. Defining Tcs to be NonNull leads to bugs and even soundness issues that may be exposed to attackers. For instance, the internal abi::thread::current() function in the Rust standard library does not check for zero pointers and unconditionally returns a NonNull. If the TCS address is null, this leads to immediate undefined behaviour.

[jethrogb]

Not sure I agree? It's always possible to place things at address zero, but we generally adhere to the convention to not do that so that we can use null as a niche or sentinel value.

[joboet]

Ok. Then this is simply a bug in std (it should really check for null pointers here). Thanks!

[jethrogb]

Not sure if it's necessary to do the check in std either, we can just define that TCSes are never placed at address 0?

[joboet]

No, since EENTER does not check if the address is null, only that it is well-aligned. Unconditionally casting the address to a NonNull (which is what std currently does) allows attackers to cause undefined behaviour within the enclave.

[jethrogb]

See discussion at rust-lang/rust#98391 (comment)