feat(rtc_auth_enclave): add stub for save_access_key ECALL

PiDelport · PiDelport · commit 20fd5ed42d0e · 2021-06-21T15:09:43.000+02:00
diff --git a/codegen/auth_enclave/bindings.h b/codegen/auth_enclave/bindings.h
@@ -18,6 +18,88 @@
 
 #define SET_ACCESS_KEY_RESPONSE_SIZE 1
 
+typedef uint8_t RecommendedAesGcmIv[12];
+
+typedef struct SetAccessKeyEncryptedResponse {
+  sgx_aes_gcm_128bit_tag_t tag;
+  uint8_t ciphertext[SET_ACCESS_KEY_RESPONSE_SIZE];
+  uint8_t aad[0];
+  RecommendedAesGcmIv nonce;
+} SetAccessKeyEncryptedResponse;
+
+/**
+ * Failed to acquire session / protected channel.
+ *
+ * See: `rtc_tenclave::dh::sessions::DhSessions`
+ */
+typedef enum AcquireSessionError_Tag {
+  /**
+   * This should generally be treated as an unrecoverable error.
+   */
+  ACQUIRE_SESSION_ERROR_CHANNEL_MUTEX_POISONED,
+  ACQUIRE_SESSION_ERROR_NO_ACTIVE_SESSION,
+  ACQUIRE_SESSION_ERROR_SGX,
+} AcquireSessionError_Tag;
+
+typedef struct AcquireSessionError {
+  AcquireSessionError_Tag tag;
+  union {
+    struct {
+      sgx_enclave_id_t no_active_session;
+    };
+    struct {
+      sgx_status_t sgx;
+    };
+  };
+} AcquireSessionError;
+
+typedef enum SealingError_Tag {
+  SEALING_ERROR_CHANNEL_NOT_FOUND,
+  SEALING_ERROR_RKYV_BUFFER_SERIALIZER_ERROR,
+  SEALING_ERROR_SGX,
+} SealingError_Tag;
+
+typedef struct SealingError {
+  SealingError_Tag tag;
+  union {
+    struct {
+      struct AcquireSessionError channel_not_found;
+    };
+    struct {
+      sgx_status_t sgx;
+    };
+  };
+} SealingError;
+
+/**
+ * FFI safe result type that can be converted to and from a rust result.
+ */
+typedef enum EcallResult_SetAccessKeyEncryptedResponse__SealingError_Tag {
+  ECALL_RESULT_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR_OK_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR,
+  ECALL_RESULT_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR_ERR_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR,
+} EcallResult_SetAccessKeyEncryptedResponse__SealingError_Tag;
+
+typedef struct EcallResult_SetAccessKeyEncryptedResponse__SealingError {
+  EcallResult_SetAccessKeyEncryptedResponse__SealingError_Tag tag;
+  union {
+    struct {
+      struct SetAccessKeyEncryptedResponse ok;
+    };
+    struct {
+      struct SealingError err;
+    };
+  };
+} EcallResult_SetAccessKeyEncryptedResponse__SealingError;
+
+typedef struct EcallResult_SetAccessKeyEncryptedResponse__SealingError SetAccessKeyResult;
+
+typedef struct SetAccessKeyEncryptedRequest {
+  sgx_aes_gcm_128bit_tag_t tag;
+  uint8_t ciphertext[SET_ACCESS_KEY_REQUEST_SIZE];
+  uint8_t aad[ARCHIVED_ENCLAVE_ID_SIZE];
+  RecommendedAesGcmIv nonce;
+} SetAccessKeyEncryptedRequest;
+
 /**
  * FFI safe result type that can be converted to and from a rust result.
  */
diff --git a/rtc_auth_enclave/src/ecalls/mod.rs b/rtc_auth_enclave/src/ecalls/mod.rs
@@ -0,0 +1,6 @@
+//! ECALL definitions
+
+mod save_access_key;
+mod save_access_key_impl;
+
+pub use save_access_key::save_access_key;
diff --git a/rtc_auth_enclave/src/ecalls/save_access_key.rs b/rtc_auth_enclave/src/ecalls/save_access_key.rs
@@ -0,0 +1,59 @@
+//! ECALL definition: [`save_access_key`]
+
+use rtc_tenclave::dh::{sealing, ProtectedChannel};
+use rtc_types::enclave_messages::{ffi_set_access_key, set_access_key};
+use sgx_types::sgx_enclave_id_t;
+
+use crate::ecalls::save_access_key_impl::save_access_key_impl;
+use crate::DhSessions;
+
+/// FFI wrapper.
+///
+/// This takes care of converting between the [`ffi_set_access_key`] and [`set_access_key`] types.
+#[no_mangle]
+pub unsafe extern "C" fn save_access_key(
+    encrypted_request: ffi_set_access_key::SetAccessKeyEncryptedRequest,
+) -> ffi_set_access_key::SetAccessKeyResult {
+    let encrypted_request: set_access_key::EncryptedRequest = encrypted_request.into();
+    let result: set_access_key::SetAccessKeyResult =
+        unsafe { save_access_key_acquiring_channel(encrypted_request) };
+    result.into()
+}
+
+/// This takes care of acquiring the sending enclave's channel.
+unsafe fn save_access_key_acquiring_channel(
+    encrypted_request: set_access_key::EncryptedRequest,
+) -> set_access_key::SetAccessKeyResult {
+    let &claimed_sending_enclave_id = unsafe {
+        sealing::rkyv_peek_associated::<set_access_key::Request, sgx_enclave_id_t>(
+            &encrypted_request,
+        )
+    };
+
+    let sessions: &DhSessions<_, _> = crate::dh_sessions();
+    let result = sessions
+        .with_acquire_established(claimed_sending_enclave_id, |channel| unsafe {
+            save_access_key_sealing(channel, encrypted_request)
+        })?;
+    result
+}
+
+/// This takes care of the sealing and unsealing.
+unsafe fn save_access_key_sealing(
+    channel: &mut ProtectedChannel,
+    encrypted_request: set_access_key::EncryptedRequest,
+) -> set_access_key::SetAccessKeyResult {
+    // Unseal the request
+    let (request, _sending_enclave_id) = unsafe {
+        sealing::rkyv_unseal_associated::<set_access_key::Request, sgx_enclave_id_t>(
+            channel,
+            encrypted_request,
+        )
+    }?;
+
+    let response = &save_access_key_impl(request);
+
+    // Seal the response
+    let sealed_response = sealing::rkyv_seal(channel, response)?;
+    Ok(sealed_response)
+}
diff --git a/rtc_auth_enclave/src/ecalls/save_access_key_impl.rs b/rtc_auth_enclave/src/ecalls/save_access_key_impl.rs
@@ -0,0 +1,10 @@
+//! Implementation for [`crate::ecalls::save_access_key`]
+
+use std::println;
+
+use rtc_types::enclave_messages::set_access_key;
+
+pub(crate) fn save_access_key_impl(request: set_access_key::Request) -> set_access_key::Response {
+    println!("TODO: save_access_key_impl({:?})", request);
+    set_access_key::Response { success: false }
+}
diff --git a/rtc_auth_enclave/src/lib.rs b/rtc_auth_enclave/src/lib.rs
@@ -3,6 +3,8 @@
 #![deny(unsafe_op_in_unsafe_fn)]
 #![deny(clippy::mem_forget)]
 
+mod ecalls;
+
 #[cfg(not(target_env = "sgx"))]
 extern crate sgx_tstd as std;
 
