mrenclave sealing through occlum /dev/sgx
parent
e963c25bf6
commit
540578dcf7
@ -5,7 +5,7 @@ fn main() {
|
||||
let text = "sealed text";
|
||||
let additional_text = "additional";
|
||||
let sealed_data =
|
||||
SgxSealedData::seal_data(additional_text.as_bytes(), text.as_bytes()).unwrap();
|
||||
SgxSealedData::<[u8]>::seal_data(additional_text.as_bytes(), text.as_bytes()).unwrap();
|
||||
let unsealed_data = SgxSealedData::unseal_data(&sealed_data).unwrap();
|
||||
let text: &str = unsealed_data.get_decrypt_text();
|
||||
println!("Unsealed text: {}", text);
|
||||
|
@ -1951,23 +1951,24 @@ const _: () = {
|
||||
[::std::mem::offset_of!(_tee_supp_data_descriptor_t, p_data) - 8usize];
|
||||
};
|
||||
pub type tee_supp_data_descriptor_t = _tee_supp_data_descriptor_t;
|
||||
pub type int8_t = i8;
|
||||
pub type int16_t = i16;
|
||||
pub type int32_t = i32;
|
||||
pub type int64_t = i64;
|
||||
pub type uint8_t = u8;
|
||||
pub type uint16_t = u16;
|
||||
pub type uint32_t = u32;
|
||||
pub type uint64_t = u64;
|
||||
pub type size_t = usize;
|
||||
extern "C" {
|
||||
pub fn dcap_quote_open() -> *mut ::std::os::raw::c_void;
|
||||
}
|
||||
extern "C" {
|
||||
pub fn dcap_get_quote_size(handle: *mut ::std::os::raw::c_void) -> u32;
|
||||
}
|
||||
extern "C" {
|
||||
pub fn dcap_generate_quote(
|
||||
handle: *mut ::std::os::raw::c_void,
|
||||
quote_buf: *mut u8,
|
||||
report_data: *const sgx_report_data_t,
|
||||
) -> i32;
|
||||
}
|
||||
extern "C" {
|
||||
pub fn dcap_get_supplemental_data_size(handle: *mut ::std::os::raw::c_void) -> u32;
|
||||
}
|
||||
extern "C" {
|
||||
pub fn dcap_verify_quote(
|
||||
handle: *mut ::std::os::raw::c_void,
|
||||
quote_buf: *const u8,
|
||||
@ -1977,8 +1978,11 @@ extern "C" {
|
||||
supplemental_data_size: u32,
|
||||
supplemental_data: *mut u8,
|
||||
) -> i32;
|
||||
}
|
||||
extern "C" {
|
||||
pub fn dcap_generate_key(
|
||||
handle: *mut ::std::os::raw::c_void,
|
||||
key: *mut sgx_key_128bit_t,
|
||||
key_request: *const sgx_key_request_t,
|
||||
) -> i32;
|
||||
pub fn dcap_quote_close(handle: *mut ::std::os::raw::c_void);
|
||||
}
|
||||
#[repr(C)]
|
||||
|
96
src/quote.rs
96
src/quote.rs
@ -7,6 +7,50 @@ use std::ops::Deref;
|
||||
use std::sync::Mutex;
|
||||
use std::time::Instant;
|
||||
|
||||
pub const SGX_FLAGS_INITTED: uint64_t = 0x0000_0000_0000_0001; //If set, then the enclave is initialized
|
||||
pub const SGX_FLAGS_DEBUG: uint64_t = 0x0000_0000_0000_0002; //If set, then the enclave is debug
|
||||
pub const SGX_FLAGS_MODE64BIT: uint64_t = 0x0000_0000_0000_0004; //If set, then the enclave is 64 bit
|
||||
pub const SGX_FLAGS_PROVISION_KEY: uint64_t = 0x0000_0000_0000_0010; //If set, then the enclave has access to provision key
|
||||
pub const SGX_FLAGS_EINITTOKEN_KEY: uint64_t = 0x0000_0000_0000_0020; //If set, then the enclave has access to EINITTOKEN key
|
||||
pub const SGX_FLAGS_KSS: uint64_t = 0x0000_0000_0000_0080; //If set enclave uses KSS
|
||||
pub const SGX_FLAGS_AEX_NOTIFY: uint64_t = 0x0000_0000_0000_0400; //If set, then the enclave enables AEX Notify
|
||||
pub const FLAGS_NON_SECURITY_BITS: uint64_t = 0x00FF_FFFF_FFFF_FFC0
|
||||
| SGX_FLAGS_MODE64BIT
|
||||
| SGX_FLAGS_PROVISION_KEY
|
||||
| SGX_FLAGS_EINITTOKEN_KEY;
|
||||
pub const TSEAL_DEFAULT_FLAGSMASK: uint64_t = !FLAGS_NON_SECURITY_BITS;
|
||||
pub const FLAGS_SECURITY_BITS_RESERVED: uint64_t =
|
||||
!(FLAGS_NON_SECURITY_BITS | SGX_FLAGS_INITTED | SGX_FLAGS_DEBUG | SGX_FLAGS_KSS);
|
||||
pub const MISC_NON_SECURITY_BITS: uint32_t = 0x0FFF_FFFF;
|
||||
pub const TSEAL_DEFAULT_MISCMASK: uint32_t = !MISC_NON_SECURITY_BITS;
|
||||
|
||||
// TODO Intel sgx sdk 2.4
|
||||
pub const SGX_KEYSELECT_LICENSE: uint16_t = 0x0000;
|
||||
pub const SGX_KEYSELECT_PROVISION: uint16_t = 0x0001;
|
||||
pub const SGX_KEYSELECT_PROVISION_SEAL: uint16_t = 0x0002;
|
||||
pub const SGX_KEYSELECT_REPORT: uint16_t = 0x0003;
|
||||
pub const SGX_KEYSELECT_SEAL: uint16_t = 0x0004;
|
||||
|
||||
// Key Policy
|
||||
pub const SGX_KEYPOLICY_MRENCLAVE: uint16_t = 0x0001; /* Derive key using the enclave's ENCLAVE measurement register */
|
||||
pub const SGX_KEYPOLICY_MRSIGNER: uint16_t = 0x0002; /* Derive key using the enclave's SINGER measurement register */
|
||||
pub const SGX_KEYPOLICY_NOISVPRODID: uint16_t = 0x0004; /* Derive key without the enclave's ISVPRODID */
|
||||
pub const SGX_KEYPOLICY_CONFIGID: uint16_t = 0x0008; /* Derive key with the enclave's CONFIGID */
|
||||
pub const SGX_KEYPOLICY_ISVFAMILYID: uint16_t = 0x0010; /* Derive key with the enclave's ISVFAMILYID */
|
||||
pub const SGX_KEYPOLICY_ISVEXTPRODID: uint16_t = 0x0020; /* Derive key with the enclave's ISVEXTPRODID */
|
||||
|
||||
pub const SGX_KEYID_SIZE: size_t = 32;
|
||||
pub const SGX_CPUSVN_SIZE: size_t = 16;
|
||||
pub const SGX_CONFIGID_SIZE: size_t = 64;
|
||||
pub const SGX_KEY_REQUEST_RESERVED2_BYTES: size_t = 434;
|
||||
|
||||
pub enum SealingKeyPolicy {
|
||||
MrSigner,
|
||||
MrEnclave,
|
||||
}
|
||||
|
||||
pub type Sgx128BitKey = sgx_key_128bit_t;
|
||||
|
||||
pub struct Quote {
|
||||
buf: Vec<u8>,
|
||||
report_body: *const sgx_report_body_t,
|
||||
@ -277,6 +321,58 @@ impl IoctlClient {
|
||||
|
||||
Ok(result.into())
|
||||
}
|
||||
|
||||
/// Generate a sealing key for the given policy and SGX report
|
||||
/// The sealing key is used to encrypt/decrypt data in the enclave
|
||||
/// The quote must be previously generated using the `generate_quote`
|
||||
fn generate_sealing_key(
|
||||
&mut self,
|
||||
quote: &Quote,
|
||||
policy: SealingKeyPolicy,
|
||||
) -> Result<Sgx128BitKey, RaTlsError> {
|
||||
let report_body = unsafe { *quote.report_body };
|
||||
let mut key_policy = match policy {
|
||||
SealingKeyPolicy::MrSigner => SGX_KEYPOLICY_MRSIGNER,
|
||||
SealingKeyPolicy::MrEnclave => SGX_KEYPOLICY_MRENCLAVE,
|
||||
};
|
||||
|
||||
if (report_body.attributes.flags & SGX_FLAGS_KSS) != 0 {
|
||||
const KEY_POLICY_KSS: uint16_t =
|
||||
SGX_KEYPOLICY_CONFIGID | SGX_KEYPOLICY_ISVFAMILYID | SGX_KEYPOLICY_ISVEXTPRODID;
|
||||
key_policy = key_policy | KEY_POLICY_KSS;
|
||||
}
|
||||
|
||||
// Intel sgx sdk 1.8
|
||||
let attribute_mask = sgx_attributes_t {
|
||||
flags: TSEAL_DEFAULT_FLAGSMASK,
|
||||
xfrm: 0,
|
||||
};
|
||||
|
||||
let misc_mask: sgx_misc_select_t = TSEAL_DEFAULT_MISCMASK;
|
||||
|
||||
let mut key = sgx_key_128bit_t::default();
|
||||
let key_request = sgx_key_request_t {
|
||||
key_name: SGX_KEYSELECT_SEAL,
|
||||
key_policy,
|
||||
isv_svn: report_body.isv_svn,
|
||||
reserved1: 0_u16,
|
||||
cpu_svn: report_body.cpu_svn,
|
||||
attribute_mask,
|
||||
key_id,
|
||||
misc_mask,
|
||||
config_svn: report_body.config_svn,
|
||||
reserved2: [0_u8; SGX_KEY_REQUEST_RESERVED2_BYTES],
|
||||
};
|
||||
|
||||
let ret_code = unsafe { dcap_generate_key(self.handle()?, &mut key, &key_request) };
|
||||
if ret_code < 0 {
|
||||
return Err(RaTlsError::DcapError(
|
||||
"Failed to generate DCAP sealing key".to_string(),
|
||||
));
|
||||
}
|
||||
|
||||
Ok(key)
|
||||
}
|
||||
}
|
||||
|
||||
impl Drop for IoctlClient {
|
||||
|
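Review bot: In `generate_sealing_key` (second hunk of src/quote.rs) the `sgx_key_request_t` initializer uses the shorthand field `key_id,`, but no parameter or local named `key_id` is bound anywhere in the function as shown, so this either fails to compile or picks up a value defined outside the hunk. Because the key ID diversifies the derived sealing key and has to be presented again at unseal time, it should be an explicit input that the caller stores next to the sealed blob, for example a `key_id: sgx_key_id_t` parameter (assuming the bindings expose that type). Separately, `let report_body = unsafe { *quote.report_body };` dereferences a raw pointer with no null check and no `// SAFETY:` comment saying why the pointer is still valid for this `Quote`. Finally, `if ret_code < 0` treats any positive non-zero status from `dcap_generate_key` as success and would return the zero-initialised default key; `if ret_code != 0` is the safer test unless the C API documents positive values as success.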
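--- a/src/sealing.rs
+++ b/src/sealing.rs
@@ -0,0 +1,2 @@
+#[cfg(feature = "occlum")]
+use crate::quote::{Quote, STATIC_QUOTE};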