This repository was archived by the owner on May 9, 2022. It is now read-only.

feat: save data access keys #87

Draft
wants to merge 7 commits into
base: feat-token-store-access-key
84 changes: 83 additions & 1 deletion codegen/auth_enclave/bindings.h
Expand Up @@ -14,7 +14,7 @@

#define ARCHIVED_ENCLAVE_ID_SIZE 8

#define SET_ACCESS_KEY_REQUEST_SIZE 40
#define SET_ACCESS_KEY_REQUEST_SIZE 48

#define SET_ACCESS_KEY_RESPONSE_SIZE 1

Expand Down Expand Up @@ -55,6 +55,88 @@ typedef struct ExecReqMetadata {
Nonce nonce;
} ExecReqMetadata;

typedef uint8_t RecommendedAesGcmIv[12];

typedef struct SetAccessKeyEncryptedResponse {
sgx_aes_gcm_128bit_tag_t tag;
uint8_t ciphertext[SET_ACCESS_KEY_RESPONSE_SIZE];
uint8_t aad[0];
RecommendedAesGcmIv nonce;
} SetAccessKeyEncryptedResponse;

/**
* Failed to acquire session / protected channel.
*
* See: `rtc_tenclave::dh::sessions::DhSessions`
*/
typedef enum AcquireSessionError_Tag {
/**
* This should generally be treated as an unrecoverable error.
*/
ACQUIRE_SESSION_ERROR_CHANNEL_MUTEX_POISONED,
ACQUIRE_SESSION_ERROR_NO_ACTIVE_SESSION,
ACQUIRE_SESSION_ERROR_SGX,
} AcquireSessionError_Tag;

typedef struct AcquireSessionError {
AcquireSessionError_Tag tag;
union {
struct {
sgx_enclave_id_t no_active_session;
};
struct {
sgx_status_t sgx;
};
};
} AcquireSessionError;

typedef enum SealingError_Tag {
SEALING_ERROR_CHANNEL_NOT_FOUND,
SEALING_ERROR_RKYV_BUFFER_SERIALIZER_ERROR,
SEALING_ERROR_SGX,
} SealingError_Tag;

typedef struct SealingError {
SealingError_Tag tag;
union {
struct {
struct AcquireSessionError channel_not_found;
};
struct {
sgx_status_t sgx;
};
};
} SealingError;

/**
* FFI safe result type that can be converted to and from a rust result.
*/
typedef enum EcallResult_SetAccessKeyEncryptedResponse__SealingError_Tag {
ECALL_RESULT_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR_OK_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR,
ECALL_RESULT_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR_ERR_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR,
} EcallResult_SetAccessKeyEncryptedResponse__SealingError_Tag;

typedef struct EcallResult_SetAccessKeyEncryptedResponse__SealingError {
EcallResult_SetAccessKeyEncryptedResponse__SealingError_Tag tag;
union {
struct {
struct SetAccessKeyEncryptedResponse ok;
};
struct {
struct SealingError err;
};
};
} EcallResult_SetAccessKeyEncryptedResponse__SealingError;

typedef struct EcallResult_SetAccessKeyEncryptedResponse__SealingError SetAccessKeyResult;

typedef struct SetAccessKeyEncryptedRequest {
sgx_aes_gcm_128bit_tag_t tag;
uint8_t ciphertext[SET_ACCESS_KEY_REQUEST_SIZE];
uint8_t aad[ARCHIVED_ENCLAVE_ID_SIZE];
RecommendedAesGcmIv nonce;
} SetAccessKeyEncryptedRequest;

/**
* FFI safe result type that can be converted to and from a rust result.
*/
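Review bot: `uint8_t aad[0];` in `SetAccessKeyEncryptedResponse` is a zero-length array declared before `nonce`; ISO C does not permit zero-size arrays, so this header only builds where the GNU extension is accepted. The path suggests the header is generated, so the durable fix is in the source type; if the response never carries associated data, confirm that every consumer is built with GCC or Clang and say so next to the type. The two encrypted-message structs are also undocumented: a comment such as `/** AES-GCM message: 16-byte tag, ciphertext, AAD (authenticated, not encrypted), 12-byte nonce that must not repeat under one key. */` would state the contract callers depend on.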
176 changes: 100 additions & 76 deletions codegen/auth_enclave/rtc_auth_t.c
Expand Up @@ -34,6 +34,11 @@ typedef struct ms_enclave_create_report_t {
sgx_report_t* ms_p_report;
} ms_enclave_create_report_t;

typedef struct ms_save_access_key_t {
SetAccessKeyResult ms_retval;
SetAccessKeyEncryptedRequest ms_encrypted_request;
} ms_save_access_key_t;

typedef struct ms_issue_execution_token_t {
IssueTokenResult ms_retval;
const uint8_t* ms_payload_ptr;
Expand Down Expand Up @@ -653,6 +658,24 @@ static sgx_status_t SGX_CDECL sgx_enclave_create_report(void* pms)
return status;
}

static sgx_status_t SGX_CDECL sgx_save_access_key(void* pms)
{
CHECK_REF_POINTER(pms, sizeof(ms_save_access_key_t));
//
// fence after pointer checks
//
sgx_lfence();
ms_save_access_key_t* ms = SGX_CAST(ms_save_access_key_t*, pms);
sgx_status_t status = SGX_SUCCESS;



ms->ms_retval = save_access_key(ms->ms_encrypted_request);


return status;
}

static sgx_status_t SGX_CDECL sgx_issue_execution_token(void* pms)
{
CHECK_REF_POINTER(pms, sizeof(ms_issue_execution_token_t));
Expand Down Expand Up @@ -911,11 +934,12 @@ static sgx_status_t SGX_CDECL sgx_end_session(void* pms)

SGX_EXTERNC const struct {
size_t nr_ecall;
struct {void* ecall_addr; uint8_t is_priv; uint8_t is_switchless;} ecall_table[7];
struct {void* ecall_addr; uint8_t is_priv; uint8_t is_switchless;} ecall_table[8];
} g_ecall_table = {
7,
8,
{
{(void*)(uintptr_t)sgx_enclave_create_report, 0, 0},
{(void*)(uintptr_t)sgx_save_access_key, 0, 0},
{(void*)(uintptr_t)sgx_issue_execution_token, 0, 0},
{(void*)(uintptr_t)sgx_t_global_init_ecall, 0, 0},
{(void*)(uintptr_t)sgx_t_global_exit_ecall, 0, 0},
Expand All @@ -927,83 +951,83 @@ SGX_EXTERNC const struct {

SGX_EXTERNC const struct {
size_t nr_ocall;
uint8_t entry_table[73][7];
uint8_t entry_table[73][8];
} g_dyn_entry_table = {
73,
{
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
{0, 0, 0, 0, 0, 0, 0, 0, },
}
};

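Review bot: In `sgx_save_access_key`, `ms->ms_retval = save_access_key(ms->ms_encrypted_request);` copies the whole `SetAccessKeyResult` into the marshalling struct, which `CHECK_REF_POINTER` (as defined in standard edger8r output; the macro is not shown here) requires to lie outside the enclave. `SetAccessKeyResult` is a tagged union whose `ok` and `err` arms differ in size, so padding and the bytes of the inactive arm cross the boundary along with the active data. Whether those bytes are initialised depends on how `save_access_key` builds its return value, which this page does not show; the implementation should start from a zeroed value before filling in the active arm. This file looks generated, so the place to record it is the ECALL's declaration or implementation, e.g. `/* returned by value into untrusted memory: zero the result first so padding and unused union bytes carry no enclave data */`.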
1 change: 1 addition & 0 deletions codegen/auth_enclave/rtc_auth_t.h
Expand Up @@ -26,6 +26,7 @@ extern "C" {
#endif

CreateReportResult enclave_create_report(const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report);
SetAccessKeyResult save_access_key(SetAccessKeyEncryptedRequest encrypted_request);
IssueTokenResult issue_execution_token(const uint8_t* payload_ptr, size_t payload_len, const ExecReqMetadata* metadata, uint8_t* out_token_ptr, size_t out_token_capacity, size_t* out_token_used);
void t_global_init_ecall(uint64_t id, const uint8_t* path, size_t len);
void t_global_exit_ecall(void);
27 changes: 21 additions & 6 deletions codegen/auth_enclave/rtc_auth_u.c
Expand Up @@ -8,6 +8,11 @@ typedef struct ms_enclave_create_report_t {
sgx_report_t* ms_p_report;
} ms_enclave_create_report_t;

typedef struct ms_save_access_key_t {
SetAccessKeyResult ms_retval;
SetAccessKeyEncryptedRequest ms_encrypted_request;
} ms_save_access_key_t;

typedef struct ms_issue_execution_token_t {
IssueTokenResult ms_retval;
const uint8_t* ms_payload_ptr;
Expand Down Expand Up @@ -1225,6 +1230,16 @@ sgx_status_t rtc_auth_enclave_create_report(sgx_enclave_id_t eid, CreateReportRe
return status;
}

sgx_status_t rtc_auth_save_access_key(sgx_enclave_id_t eid, SetAccessKeyResult* retval, SetAccessKeyEncryptedRequest encrypted_request)
{
sgx_status_t status;
ms_save_access_key_t ms;
ms.ms_encrypted_request = encrypted_request;
status = sgx_ecall(eid, 1, &ocall_table_rtc_auth, &ms);
if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval;
return status;
}

sgx_status_t rtc_auth_issue_execution_token(sgx_enclave_id_t eid, IssueTokenResult* retval, const uint8_t* payload_ptr, size_t payload_len, const ExecReqMetadata* metadata, uint8_t* out_token_ptr, size_t out_token_capacity, size_t* out_token_used)
{
sgx_status_t status;
Expand All @@ -1235,7 +1250,7 @@ sgx_status_t rtc_auth_issue_execution_token(sgx_enclave_id_t eid, IssueTokenResu
ms.ms_out_token_ptr = out_token_ptr;
ms.ms_out_token_capacity = out_token_capacity;
ms.ms_out_token_used = out_token_used;
status = sgx_ecall(eid, 1, &ocall_table_rtc_auth, &ms);
status = sgx_ecall(eid, 2, &ocall_table_rtc_auth, &ms);
if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval;
return status;
}
Expand All @@ -1247,14 +1262,14 @@ sgx_status_t rtc_auth_t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, con
ms.ms_id = id;
ms.ms_path = path;
ms.ms_len = len;
status = sgx_ecall(eid, 2, &ocall_table_rtc_auth, &ms);
status = sgx_ecall(eid, 3, &ocall_table_rtc_auth, &ms);
return status;
}

sgx_status_t rtc_auth_t_global_exit_ecall(sgx_enclave_id_t eid)
{
sgx_status_t status;
status = sgx_ecall(eid, 3, &ocall_table_rtc_auth, NULL);
status = sgx_ecall(eid, 4, &ocall_table_rtc_auth, NULL);
return status;
}

Expand All @@ -1263,7 +1278,7 @@ sgx_status_t rtc_auth_session_request(sgx_enclave_id_t eid, SessionRequestResult
sgx_status_t status;
ms_session_request_t ms;
ms.ms_src_enclave_id = src_enclave_id;
status = sgx_ecall(eid, 4, &ocall_table_rtc_auth, &ms);
status = sgx_ecall(eid, 5, &ocall_table_rtc_auth, &ms);
if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval;
return status;
}
Expand All @@ -1274,7 +1289,7 @@ sgx_status_t rtc_auth_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult
ms_exchange_report_t ms;
ms.ms_src_enclave_id = src_enclave_id;
ms.ms_dh_msg2 = dh_msg2;
status = sgx_ecall(eid, 5, &ocall_table_rtc_auth, &ms);
status = sgx_ecall(eid, 6, &ocall_table_rtc_auth, &ms);
if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval;
return status;
}
Expand All @@ -1284,7 +1299,7 @@ sgx_status_t rtc_auth_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sg
sgx_status_t status;
ms_end_session_t ms;
ms.ms_src_enclave_id = src_enclave_id;
status = sgx_ecall(eid, 6, &ocall_table_rtc_auth, &ms);
status = sgx_ecall(eid, 7, &ocall_table_rtc_auth, &ms);
if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval;
return status;
}