WIP: save_access_key ECALL plumbing

Author: PiDelport

codegen/auth_enclave/bindings.h

@@ -12,6 +12,26 @@
  */
 #define DATA_UPLOAD_RESPONSE_LEN (16 + (24 + 16))
 
+#define REQUEST_SIZE 40
+
+#define RESPONSE_SIZE 1
+
+typedef uint8_t RecommendedAesGcmIv[12];
+
+typedef struct EncryptedResponse {
+  sgx_aes_gcm_128bit_tag_t tag;
+  uint8_t ciphertext[RESPONSE_SIZE];
+  uint8_t aad[0];
+  RecommendedAesGcmIv nonce;
+} EncryptedResponse;
+
+typedef struct EncryptedRequest {
+  sgx_aes_gcm_128bit_tag_t tag;
+  uint8_t ciphertext[REQUEST_SIZE];
+  uint8_t aad[0];
+  RecommendedAesGcmIv nonce;
+} EncryptedRequest;
+
 /**
  * FFI safe result type that can be converted to and from a rust result.
  */

codegen/auth_enclave/rtc_auth_t.c

@@ -34,6 +34,11 @@ typedef struct ms_enclave_create_report_t {
 	sgx_report_t* ms_p_report;
 } ms_enclave_create_report_t;
 
+typedef struct ms_save_access_key_t {
+	EncryptedResponse ms_retval;
+	EncryptedRequest ms_encrypted_request;
+} ms_save_access_key_t;
+
 typedef struct ms_t_global_init_ecall_t {
 	uint64_t ms_id;
 	const uint8_t* ms_path;
@@ -580,6 +585,24 @@ static sgx_status_t SGX_CDECL sgx_enclave_create_report(void* pms)
 	return status;
 }
 
+static sgx_status_t SGX_CDECL sgx_save_access_key(void* pms)
+{
+	CHECK_REF_POINTER(pms, sizeof(ms_save_access_key_t));
+	//
+	// fence after pointer checks
+	//
+	sgx_lfence();
+	ms_save_access_key_t* ms = SGX_CAST(ms_save_access_key_t*, pms);
+	sgx_status_t status = SGX_SUCCESS;
+
+
+
+	ms->ms_retval = save_access_key(ms->ms_encrypted_request);
+
+
+	return status;
+}
+
 static sgx_status_t SGX_CDECL sgx_t_global_init_ecall(void* pms)
 {
 	CHECK_REF_POINTER(pms, sizeof(ms_t_global_init_ecall_t));
@@ -714,11 +737,12 @@ static sgx_status_t SGX_CDECL sgx_end_session(void* pms)
 
 SGX_EXTERNC const struct {
 	size_t nr_ecall;
-	struct {void* ecall_addr; uint8_t is_priv; uint8_t is_switchless;} ecall_table[6];
+	struct {void* ecall_addr; uint8_t is_priv; uint8_t is_switchless;} ecall_table[7];
 } g_ecall_table = {
-	6,
+	7,
 	{
 		{(void*)(uintptr_t)sgx_enclave_create_report, 0, 0},
+		{(void*)(uintptr_t)sgx_save_access_key, 0, 0},
 		{(void*)(uintptr_t)sgx_t_global_init_ecall, 0, 0},
 		{(void*)(uintptr_t)sgx_t_global_exit_ecall, 0, 0},
 		{(void*)(uintptr_t)sgx_session_request, 0, 0},
@@ -729,73 +753,73 @@ SGX_EXTERNC const struct {
 
 SGX_EXTERNC const struct {
 	size_t nr_ocall;
-	uint8_t entry_table[63][6];
+	uint8_t entry_table[63][7];
 } g_dyn_entry_table = {
 	63,
 	{
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
-		{0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
+		{0, 0, 0, 0, 0, 0, 0, },
 	}
 };
 

codegen/auth_enclave/rtc_auth_t.h

@@ -26,6 +26,7 @@ extern "C" {
 #endif
 
 CreateReportResult enclave_create_report(const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report);
+EncryptedResponse save_access_key(EncryptedRequest encrypted_request);
 void t_global_init_ecall(uint64_t id, const uint8_t* path, size_t len);
 void t_global_exit_ecall(void);
 SessionRequestResult session_request(sgx_enclave_id_t src_enclave_id);

codegen/auth_enclave/rtc_auth_u.c

@@ -8,6 +8,11 @@ typedef struct ms_enclave_create_report_t {
 	sgx_report_t* ms_p_report;
 } ms_enclave_create_report_t;
 
+typedef struct ms_save_access_key_t {
+	EncryptedResponse ms_retval;
+	EncryptedRequest ms_encrypted_request;
+} ms_save_access_key_t;
+
 typedef struct ms_t_global_init_ecall_t {
 	uint64_t ms_id;
 	const uint8_t* ms_path;
@@ -1062,21 +1067,31 @@ sgx_status_t rtc_auth_enclave_create_report(sgx_enclave_id_t eid, CreateReportRe
 	return status;
 }
 
+sgx_status_t rtc_auth_save_access_key(sgx_enclave_id_t eid, EncryptedResponse* retval, EncryptedRequest encrypted_request)
+{
+	sgx_status_t status;
+	ms_save_access_key_t ms;
+	ms.ms_encrypted_request = encrypted_request;
+	status = sgx_ecall(eid, 1, &ocall_table_rtc_auth, &ms);
+	if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval;
+	return status;
+}
+
 sgx_status_t rtc_auth_t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len)
 {
 	sgx_status_t status;
 	ms_t_global_init_ecall_t ms;
 	ms.ms_id = id;
 	ms.ms_path = path;
 	ms.ms_len = len;
-	status = sgx_ecall(eid, 1, &ocall_table_rtc_auth, &ms);
+	status = sgx_ecall(eid, 2, &ocall_table_rtc_auth, &ms);
 	return status;
 }
 
 sgx_status_t rtc_auth_t_global_exit_ecall(sgx_enclave_id_t eid)
 {
 	sgx_status_t status;
-	status = sgx_ecall(eid, 2, &ocall_table_rtc_auth, NULL);
+	status = sgx_ecall(eid, 3, &ocall_table_rtc_auth, NULL);
 	return status;
 }
 
@@ -1085,7 +1100,7 @@ sgx_status_t rtc_auth_session_request(sgx_enclave_id_t eid, SessionRequestResult
 	sgx_status_t status;
 	ms_session_request_t ms;
 	ms.ms_src_enclave_id = src_enclave_id;
-	status = sgx_ecall(eid, 3, &ocall_table_rtc_auth, &ms);
+	status = sgx_ecall(eid, 4, &ocall_table_rtc_auth, &ms);
 	if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval;
 	return status;
 }
@@ -1096,7 +1111,7 @@ sgx_status_t rtc_auth_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult
 	ms_exchange_report_t ms;
 	ms.ms_src_enclave_id = src_enclave_id;
 	ms.ms_dh_msg2 = dh_msg2;
-	status = sgx_ecall(eid, 4, &ocall_table_rtc_auth, &ms);
+	status = sgx_ecall(eid, 5, &ocall_table_rtc_auth, &ms);
 	if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval;
 	return status;
 }
@@ -1106,7 +1121,7 @@ sgx_status_t rtc_auth_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sg
 	sgx_status_t status;
 	ms_end_session_t ms;
 	ms.ms_src_enclave_id = src_enclave_id;
-	status = sgx_ecall(eid, 5, &ocall_table_rtc_auth, &ms);
+	status = sgx_ecall(eid, 6, &ocall_table_rtc_auth, &ms);
 	if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval;
 	return status;
 }

codegen/auth_enclave/rtc_auth_u.h

@@ -280,6 +280,7 @@ int SGX_UBRIDGE(SGX_CDECL, sgx_thread_set_multiple_untrusted_events_ocall, (cons
 #endif
 
 sgx_status_t rtc_auth_enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report);
+sgx_status_t rtc_auth_save_access_key(sgx_enclave_id_t eid, EncryptedResponse* retval, EncryptedRequest encrypted_request);
 sgx_status_t rtc_auth_t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len);
 sgx_status_t rtc_auth_t_global_exit_ecall(sgx_enclave_id_t eid);
 sgx_status_t rtc_auth_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id);

codegen/data_enclave/bindings.h

@@ -12,6 +12,10 @@
  */
 #define DATA_UPLOAD_RESPONSE_LEN (16 + (24 + 16))
 
+#define REQUEST_SIZE 40
+
+#define RESPONSE_SIZE 1
+
 typedef struct DataUploadResponse {
   uint8_t ciphertext[DATA_UPLOAD_RESPONSE_LEN];
   uint8_t nonce[24];

codegen/exec_enclave/bindings.h

@@ -12,6 +12,10 @@
  */
 #define DATA_UPLOAD_RESPONSE_LEN (16 + (24 + 16))
 
+#define REQUEST_SIZE 40
+
+#define RESPONSE_SIZE 1
+
 /**
  * FFI safe result type that can be converted to and from a rust result.
  */

rtc_auth_enclave/rtc_auth.edl

@@ -12,5 +12,7 @@ enclave {
         public CreateReportResult enclave_create_report([in]const sgx_target_info_t* p_qe3_target,
                                               [out, isary]EnclaveHeldData enclave_data,
                                               [out]sgx_report_t* p_report);
+
+        public EncryptedResponse save_access_key(EncryptedRequest encrypted_request);
     };
 };

rtc_auth_enclave/src/ecalls/mod.rs

@@ -0,0 +1,5 @@
+//! ECALL definitions
+
+mod save_access_key;
+
+pub use save_access_key::save_access_key;

rtc_auth_enclave/src/ecalls/save_access_key.rs

@@ -0,0 +1,32 @@
+//! ECALL definition: [`save_access_key`]
+
+use rtc_types::enclave_messages::ng_set_access_key;
+use rtc_types::enclave_messages::set_access_key::{EncryptedRequest, EncryptedResponse};
+
+/// FFI wrapper for [`save_access_key_impl`].
+///
+/// This takes care of converting the [`ng_set_access_key`] types.
+#[no_mangle]
+pub extern "C" fn save_access_key(
+    encrypted_request: ng_set_access_key::EncryptedRequest,
+) -> ng_set_access_key::EncryptedResponse {
+    let encrypted_request: EncryptedRequest = encrypted_request.into();
+    let encrypted_response: EncryptedResponse = save_access_key_impl(encrypted_request);
+    encrypted_response.into()
+}
+
+/// Implementation for [`save_access_key`].
+fn save_access_key_impl(encrypted_request: EncryptedRequest) -> EncryptedResponse {
+    dbg!(
+        encrypted_request.tag,
+        encrypted_request.ciphertext,
+        encrypted_request.aad,
+        encrypted_request.nonce,
+    );
+    EncryptedResponse {
+        tag: Default::default(),
+        ciphertext: Default::default(),
+        aad: Default::default(),
+        nonce: Default::default(),
+    }
+}

rtc_auth_enclave/src/lib.rs

@@ -4,8 +4,13 @@
 #![deny(clippy::mem_forget)]
 
 #[cfg(not(target_env = "sgx"))]
+#[macro_use]
 extern crate sgx_tstd as std;
 
+pub mod ecalls;
+
 pub use rtc_tenclave::dh::*;
 #[allow(unused_imports)] // for ECALL linking
 use rtc_tenclave::enclave::enclave_create_report;
+
+pub use ecalls::*;