From 77a17c7300fa6b39bdd531bb7ab7b24d58d76a61 Mon Sep 17 00:00:00 2001 From: Bruno Vavala Date: Sat, 19 Oct 2024 00:38:40 +0000 Subject: [PATCH] integrate use of attestation api in eservice enclave Signed-off-by: Bruno Vavala --- build/cmake/SGX.cmake | 2 +- common/cmake/CommonVariables.cmake | 5 +++ eservice/lib/libpdo_enclave/enclave.edl | 1 + eservice/lib/libpdo_enclave/signup.edl | 5 +++ .../lib/libpdo_enclave/signup_enclave.cpp | 26 +++++++++++++ eservice/lib/libpdo_enclave/signup_enclave.h | 5 +++ .../pdo/eservice/enclave/enclave/enclave.h | 2 +- .../pdo/eservice/enclave/enclave/signup.cpp | 37 +++++++++++++++++++ eservice/setup.py | 3 +- 9 files changed, 83 insertions(+), 3 deletions(-) diff --git a/build/cmake/SGX.cmake b/build/cmake/SGX.cmake index 73447aae..370a1cc0 100644 --- a/build/cmake/SGX.cmake +++ b/build/cmake/SGX.cmake @@ -110,7 +110,7 @@ ENDIF() SET(SGX_TRUSTED_LIBS sgx_tstdc sgx_tcxx sgx_tcrypto ${SERVICE_LIBRARY_NAME}) SET(SGX_UNTRUSTED_LIBS ${URTS_LIBRARY_NAME} pthread) -SET(SGX_SEARCH_PATH "${SGX_SDK}/include:${SGX_SSL}/include") +SET(SGX_SEARCH_PATH "${SGX_SDK}/include:${SGX_SSL}/include:$ENV{PDO_SOURCE_ROOT}/common") SET(SGX_TRUSTED_INCLUDE_DIRS "${SGX_SDK}/include" "${SGX_SDK}/include/tlibc" diff --git a/common/cmake/CommonVariables.cmake b/common/cmake/CommonVariables.cmake index 7cbd95a5..1b54dce6 100644 --- a/common/cmake/CommonVariables.cmake +++ b/common/cmake/CommonVariables.cmake @@ -29,6 +29,9 @@ SET(C_COMMON_LIB_NAME cpdo-common) SET(U_COMMON_LIB_NAME updo-common) SET(T_COMMON_LIB_NAME tpdo-common) +# import attestation lib variables U_ONE_ATTESTATION_LIB_NAME, T_ONE_ATTESTATION_LIB_NAME +INCLUDE("${COMMON_SOURCE_DIR}/crypto/attestation-api/CMakeVariables.txt") + SET(INTERPRETER_LIB_NAME pdo-contract) # Block store library does not depend on sgx at all @@ -78,6 +81,7 @@ LIST(APPEND COMMON_CLIENT_LIBS pthread lmdb) LIST(APPEND COMMON_UNTRUSTED_LIBS ${U_COMMON_LIB_NAME}) LIST(APPEND COMMON_UNTRUSTED_LIBS ${U_CRYPTO_LIB_NAME}) LIST(APPEND COMMON_UNTRUSTED_LIBS ${BLOCK_STORE_LIB_NAME}) +LIST(APPEND COMMON_UNTRUSTED_LIBS ${U_ONE_ATTESTATION_LIB_NAME}) LIST(APPEND COMMON_UNTRUSTED_LIBS pthread lmdb) # ----------------------------------------------------------------- @@ -88,4 +92,5 @@ LIST(APPEND COMMON_TRUSTED_LIBS ${T_COMMON_LIB_NAME}) LIST(APPEND COMMON_TRUSTED_LIBS ${T_CRYPTO_LIB_NAME}) LIST(APPEND COMMON_TRUSTED_LIBS ${BLOCK_STORE_LIB_NAME}) LIST(APPEND COMMON_TRUSTED_LIBS ${COMMON_INTERPRETER_LIBRARIES}) +LIST(APPEND COMMON_TRUSTED_LIBS ${T_ONE_ATTESTATION_LIB_NAME}) LIST(APPEND COMMON_TRUSTED_LIBS lmdb) diff --git a/eservice/lib/libpdo_enclave/enclave.edl b/eservice/lib/libpdo_enclave/enclave.edl index 34801b39..4fe6338c 100644 --- a/eservice/lib/libpdo_enclave/enclave.edl +++ b/eservice/lib/libpdo_enclave/enclave.edl @@ -20,4 +20,5 @@ enclave { from "signup.edl" import *; from "contract.edl" import *; from "block_store.edl" import *; + from "crypto/attestation-api/ocalls/attestation-ocalls.edl" import *; }; diff --git a/eservice/lib/libpdo_enclave/signup.edl b/eservice/lib/libpdo_enclave/signup.edl index 31a43210..cc867f50 100644 --- a/eservice/lib/libpdo_enclave/signup.edl +++ b/eservice/lib/libpdo_enclave/signup.edl @@ -30,6 +30,11 @@ enclave { public pdo_err_t ecall_CreateEnclaveData( [in] const sgx_target_info_t* inTargetInfo, [in, string] const char* inOriginatorPublicKeyHash, + [in, size=inAttestationParamsSize] uint8_t* inAttestationParams, + size_t inAttestationParamsSize, + [out, size=inAllocatedAttestationSize] uint8_t* outAttestation, + size_t inAllocatedAttestationSize, + [out] size_t* outAttestationSize, [out, size=inAllocatedPublicEnclaveDataSize] char* outPublicEnclaveData, size_t inAllocatedPublicEnclaveDataSize, [out] size_t* outPublicEnclaveDataSize, diff --git a/eservice/lib/libpdo_enclave/signup_enclave.cpp b/eservice/lib/libpdo_enclave/signup_enclave.cpp index 00fd3880..186b2893 100644 --- a/eservice/lib/libpdo_enclave/signup_enclave.cpp +++ b/eservice/lib/libpdo_enclave/signup_enclave.cpp @@ -40,6 +40,8 @@ #include "enclave_utils.h" #include "signup_enclave.h" +#include "attestation-api/include/attestation.h" + // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX // XX Declaration of static helper functions XX // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX @@ -109,6 +111,11 @@ pdo_err_t ecall_CalculatePublicEnclaveDataSize(size_t* pPublicEnclaveDataSize) // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX pdo_err_t ecall_CreateEnclaveData(const sgx_target_info_t* inTargetInfo, const char* inOriginatorPublicKeyHash, + uint8_t* inAttestationParams, + size_t inAttestationParamsSize, + uint8_t* outAttestation, + size_t inAllocatedAttestationSize, + size_t* outAttestationSize, char* outPublicEnclaveData, size_t inAllocatedPublicEnclaveDataSize, size_t* outPublicEnclaveDataSize, @@ -158,6 +165,16 @@ pdo_err_t ecall_CreateEnclaveData(const sgx_target_info_t* inTargetInfo, sgx_report_data_t reportData = {0}; CreateSignupReportData(inOriginatorPublicKeyHash, enclaveData, &reportData); + // get serialized statement (which will be later hashed to create report data) + std::string hashString; + hashString.append(enclaveData.get_serialized_signing_key()); + hashString.append(enclaveData.get_serialized_encryption_key()); + std::transform(inOriginatorPublicKeyHash, + inOriginatorPublicKeyHash + strlen(inOriginatorPublicKeyHash), std::back_inserter(hashString), + [](char c) { + return c; // do nothing + }); + sgx_status_t ret = sgx_create_report(inTargetInfo, &reportData, outEnclaveReport); pdo::error::ThrowSgxError(ret, "Failed to create enclave report"); @@ -187,6 +204,15 @@ pdo_err_t ecall_CreateEnclaveData(const sgx_target_info_t* inTargetInfo, strncpy_s(outPublicEnclaveData, inAllocatedPublicEnclaveDataSize, enclaveData.get_public_data().c_str(), enclaveData.get_public_data_size()); + + bool b = init_attestation(inAttestationParams, inAttestationParamsSize); + pdo::error::ThrowIf(b == false, "Error in init attestation"); + + uint32_t as; + b = get_attestation((uint8_t*)hashString.c_str(), hashString.length(), outAttestation, inAllocatedAttestationSize, &as); + *outAttestationSize = (size_t)as; + pdo::error::ThrowIf(b == false, "Error in attestation"); + } catch (pdo::error::Error& e) { diff --git a/eservice/lib/libpdo_enclave/signup_enclave.h b/eservice/lib/libpdo_enclave/signup_enclave.h index 8dcabbc1..e37314ae 100644 --- a/eservice/lib/libpdo_enclave/signup_enclave.h +++ b/eservice/lib/libpdo_enclave/signup_enclave.h @@ -29,6 +29,11 @@ extern pdo_err_t ecall_CalculatePublicEnclaveDataSize(size_t* pPublicEnclaveData // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX extern pdo_err_t ecall_CreateEnclaveData(const sgx_target_info_t* inTargetInfo, const char* inOriginatorPublicKeyHash, + uint8_t* inAttestationParams, + size_t inAttestationParamsSize, + uint8_t* outAttestation, + size_t inAllocatedAttestationSize, + size_t* outAttestationSize, char* outPublicEnclaveData, size_t inAllocatedPublicEnclaveDataSize, size_t* outPublicEnclaveDataSize, diff --git a/eservice/pdo/eservice/enclave/enclave/enclave.h b/eservice/pdo/eservice/enclave/enclave/enclave.h index 0ce063a3..86272e84 100644 --- a/eservice/pdo/eservice/enclave/enclave/enclave.h +++ b/eservice/pdo/eservice/enclave/enclave/enclave.h @@ -103,6 +103,7 @@ namespace pdo { { return this->threadId; } + sgx_spid_t spid; protected: void LoadEnclave(); @@ -116,7 +117,6 @@ namespace pdo { size_t sealedSignupDataSize; std::string signatureRevocationList; - sgx_spid_t spid; sgx_target_info_t reportTargetInfo; sgx_epid_group_id_t epidGroupId; diff --git a/eservice/pdo/eservice/enclave/enclave/signup.cpp b/eservice/pdo/eservice/enclave/enclave/signup.cpp index c79b8438..d8f25ec0 100644 --- a/eservice/pdo/eservice/enclave/enclave/signup.cpp +++ b/eservice/pdo/eservice/enclave/enclave/signup.cpp @@ -26,6 +26,8 @@ #include "pdo_error.h" #include "types.h" #include "zero.h" +#include "jsonvalue.h" +#include "hex_string.h" #include "enclave/enclave.h" #include "enclave/base.h" @@ -134,11 +136,24 @@ pdo_err_t pdo::enclave_api::enclave_data::CreateEnclaveData( size_t computed_public_enclave_data_size; size_t computed_sealed_enclave_data_size; + std::string hex_spid = BinaryToHexString(g_Enclave[0].spid.id, 16); + std::string attestation_params = + std::string("{\"attestation_type\": \"epid-linkable\", \"hex_spid\": \"") + + hex_spid + + std::string("\", \"sig_rl\": \"\"}") + ; + ByteArray attestation; + attestation.resize(1 << 12); + size_t attestation_size; + sresult = g_Enclave[0].CallSgx( [enclaveid, &presult, target_info, inOriginatorPublicKeyHash, + &attestation_params, + &attestation, + &attestation_size, &outPublicEnclaveData, &computed_public_enclave_data_size, &sealed_enclave_data_buffer, @@ -150,6 +165,11 @@ pdo_err_t pdo::enclave_api::enclave_data::CreateEnclaveData( &presult, &target_info, inOriginatorPublicKeyHash.c_str(), + (uint8_t*)(attestation_params.c_str()), + attestation_params.length(), + attestation.data(), + attestation.size(), + &attestation_size, outPublicEnclaveData.data(), outPublicEnclaveData.size(), &computed_public_enclave_data_size, @@ -175,6 +195,23 @@ pdo_err_t pdo::enclave_api::enclave_data::CreateEnclaveData( g_Enclave[0].CreateQuoteFromReport(&enclave_report, enclave_quote_buffer); outEnclaveQuote = ByteArrayToBase64EncodedString(enclave_quote_buffer); + + { + const char* pvalue = nullptr; + std::string a(attestation.begin(), attestation.end()); + + JsonValue parsed(json_parse_string(a.c_str())); + pdo::error::ThrowIfNull(parsed.value, "failed to parse serialized attestation; badly formed JSON"); + + JSON_Object* data_object = json_value_get_object(parsed); + pdo::error::ThrowIfNull(data_object, "invalid serialized attestation; missing root object"); + + pvalue = json_object_dotget_string(data_object, "attestation"); + pdo::error::ThrowIfNull(pvalue, "invalid serialized attestation; missing attestation"); + + outEnclaveQuote.assign(pvalue); + } + } catch (pdo::error::Error& e) { pdo::enclave_api::base::SetLastError(e.what()); result = e.error_code(); diff --git a/eservice/setup.py b/eservice/setup.py index 96768840..c5505a1e 100644 --- a/eservice/setup.py +++ b/eservice/setup.py @@ -100,6 +100,7 @@ libraries = [ 'updo-common', + 'u-one-attestation', 'pdo-lmdb-block-store', 'lmdb' ] @@ -109,7 +110,7 @@ else : libraries += ['sgx_urts', 'sgx_uae_service'] -libraries += ['sgx_usgxssl'] +libraries += ['sgx_usgxssl', 'sgx_dcap_ql'] module_files = [ os.path.join(module_src_path, 'pdo_enclave_internal.i'),