# Occlum SGX Remote Attestation integrated in TLS connection

The MRSIGNER of the `example/signing_key.pem` is hardcoded in the enclave code:

```
83E8A0C3ED045D9747ADE06C3BFC70FCA661A4A65FF79A800223621162A88B76
```

You can generate your own signing key with the following command:

```
openssl genrsa -3 -out signing_key.pem 3072
```

To get the MRSIGNER of the key, compile [this project](https://github.com/intel/sgx-ra-sample) and use the following command:

```
./mrsigner signing_key.pem
# For the example/signing_key.pem the output is:
6871A831CED408CD99F0ED31587CC2B5C728C99D4A0A1ADF2F0C5574EBBB00DC
# FIXME: Which is different from the real MRSIGNER by Occlum:
83E8A0C3ED045D9747ADE06C3BFC70FCA661A4A65FF79A800223621162A88B76
```

## Docker installation

To run the project in Docker, you need to install Docker first. On Ubuntu, you can use the following commands:

```bash
# Add Docker's official GPG key
sudo apt update
sudo apt install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the Docker repository to apt sources
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update

# Install the Docker packages
sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Add your user to the docker group
sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker
```

## Occlum docker instance

### On the build host (without SGX)

Run the Occlum image in the Docker environment:

```bash
# Notice that there is no SGX device mounted
docker run --rm -it -v /path/to/occlum-ratls:/root/occlum-ratls occlum/occlum:latest-ubuntu20.04

# Inside the docker container, prepare the environment to build the image
rustup install stable-x86_64-unknown-linux-gnu
rustup default stable
rustup target add x86_64-unknown-linux-musl

# Build the server and the client
cd occlum-ratls
./build_server.sh grpcs
./build_client.sh grpcs
```

This will produce two signed bundles, `server_instance/server.tar.gz` and `client_instance/client.tar.gz`.

### On the run host (with SGX)

```bash
docker run --rm -it --device /dev/sgx/enclave --device /dev/sgx/provision -v /path/to/tars:/root/run occlum/occlum:latest-ubuntu20.04

# IMPORTANT: edit /etc/sgx_default_qcnl.conf so that the PCCS URL is set correctly
# "pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/"

# Unpack the server and the client
cd run
tar -xzvf server.tar.gz
tar -xzvf client.tar.gz

# Run the server and the client (in two different terminals)
cd server && occlum run /bin/mratls_grpcs_server
cd client && occlum run /bin/mratls_grpcs_client
```

## Running Examples on the SGX host (locally)

Before running, make sure you have installed Occlum and the SGX driver. You should also have the Occlum Rust toolchain installed to get `occlum-cargo`.
To test the project, run the client and server scripts in different terminals:

```
./build_server.sh grpcs --run
./build_client.sh grpcs --run
```

## Mutual RATLS examples

The examples show how to use mRATLS (Mutual Remote Attestation TLS) in different situations:

* The first example shows how to create an mRATLS HTTPS server and client
* The second example shows how to create an mRATLS GRPCs server and client

Both the server and the client must be running inside an enclave. During remote attestation the peers acquire their RA certificates, and during the TLS handshake they verify each other's RA certificates. The config allows whitelisting the MRENCLAVE, MRSIGNER, PRODID and SVN of the peer.

## RATLS examples

The example shows how to create a RATLS HTTPS server and client. The server must be running inside an enclave; the client can run anywhere. The server config allows whitelisting the public ec25519 key of the client. The client config allows whitelisting the MRENCLAVE, MRSIGNER, PRODID and SVN of the server.
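As an added example (not code from the occlum-ratls project), the following Python shows two things the sections above describe: how an MRSIGNER value like the one hardcoded in the enclave is derived from the signing key's public modulus (SHA-256 over the 384-byte little-endian modulus as stored in the SIGSTRUCT, the same computation the `mrsigner` tool performs), and the allowlist check an mRATLS peer or a RATLS client applies to the other side's MRENCLAVE, MRSIGNER, PRODID and SVN once the quote in the RA certificate has been cryptographically verified (by `libsgx_dcap_quoteverify`, which appears in the dependency list), plus the pinned-client-key check a RATLS server does. The function and type names, the `openssl rsa -noout -modulus` extraction step, and treating SVN as a minimum rather than an exact match are assumptions of this example; the project's own config format may differ. All sample identities are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Added example (not the occlum-ratls project's code). It shows (1) how MRSIGNER is
# derived from a signing key's public modulus and (2) the allowlist check an
# mRATLS/RATLS peer applies to the other side's enclave identity after the quote
# in the RA certificate has been cryptographically verified.

SIGSTRUCT_MODULUS_BYTES = 384  # RSA-3072 modulus, as stored in the SGX SIGSTRUCT


def mrsigner_from_modulus_hex(modulus_hex: str) -> str:
    """Return MRSIGNER (uppercase hex) for an RSA-3072 signing key.

    MRSIGNER is SHA-256 over the 384-byte modulus in little-endian byte order.
    The hex modulus is what `openssl rsa -in signing_key.pem -noout -modulus`
    prints after "Modulus=" (assumed extraction step).
    """
    modulus = int(modulus_hex.strip(), 16)
    if modulus.bit_length() > SIGSTRUCT_MODULUS_BYTES * 8:
        raise ValueError("modulus larger than RSA-3072")
    sigstruct_modulus = modulus.to_bytes(SIGSTRUCT_MODULUS_BYTES, "little")
    return hashlib.sha256(sigstruct_modulus).hexdigest().upper()


@dataclass(frozen=True)
class EnclaveIdentity:
    """Report-body fields taken from an already verified DCAP quote."""
    mrenclave: str     # 32-byte enclave measurement, hex
    mrsigner: str      # 32-byte signer hash, hex
    isv_prod_id: int   # 16-bit product id
    isv_svn: int       # 16-bit security version number


@dataclass
class PeerPolicy:
    """Allowlist for the peer's enclave identity (empty set = no constraint).

    SVN is treated as a minimum (assumption): a newer, patched build of the same
    enclave is still accepted, an older one is not.
    """
    mrenclaves: set = field(default_factory=set)
    mrsigners: set = field(default_factory=set)
    prod_ids: set = field(default_factory=set)
    min_isv_svn: int = 0

    def __post_init__(self):
        # Normalise hex case once so comparisons are case-insensitive.
        self.mrenclaves = {m.upper() for m in self.mrenclaves}
        self.mrsigners = {m.upper() for m in self.mrsigners}

    def check(self, ident: EnclaveIdentity) -> list:
        """Return the list of policy violations; an empty list means accept."""
        problems = []
        if self.mrenclaves and ident.mrenclave.upper() not in self.mrenclaves:
            problems.append("MRENCLAVE not allowlisted")
        if self.mrsigners and ident.mrsigner.upper() not in self.mrsigners:
            problems.append("MRSIGNER not allowlisted")
        if self.prod_ids and ident.isv_prod_id not in self.prod_ids:
            problems.append("PRODID not allowlisted")
        if ident.isv_svn < self.min_isv_svn:
            problems.append(f"SVN {ident.isv_svn} below minimum {self.min_isv_svn}")
        return problems


def client_key_allowed(client_pubkey_hex: str, allowed_keys: set) -> bool:
    """RATLS server side: a client outside any enclave is identified only by its
    pinned public key, so the check is plain set membership."""
    return client_pubkey_hex.upper() in {k.upper() for k in allowed_keys}


# Constructed sample values (not real measurements). The MRSIGNER below is the one
# the README says is hardcoded in the enclave code.
HARDCODED_MRSIGNER = "83E8A0C3ED045D9747ADE06C3BFC70FCA661A4A65FF79A800223621162A88B76"
SAMPLE_MRENCLAVE = "11" * 32


def demo() -> dict:
    """Apply one policy to three constructed peer identities."""
    policy = PeerPolicy(mrsigners={HARDCODED_MRSIGNER}, prod_ids={0}, min_isv_svn=2)
    good = EnclaveIdentity(SAMPLE_MRENCLAVE, HARDCODED_MRSIGNER.lower(), 0, 3)
    stale = EnclaveIdentity(SAMPLE_MRENCLAVE, HARDCODED_MRSIGNER, 0, 1)
    foreign = EnclaveIdentity(SAMPLE_MRENCLAVE, "00" * 32, 7, 3)
    return {
        "good": policy.check(good),
        "stale": policy.check(stale),
        "foreign": policy.check(foreign),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "accepted" if not problems else problems)
```

For your own key, feed the modulus printed by `openssl rsa -in signing_key.pem -noout -modulus` to `mrsigner_from_modulus_hex` and compare with the `mrsigner` tool's output; both hash the same 384-byte little-endian modulus. Note what each allowlist field buys you: pinning MRSIGNER alone accepts every enclave signed with that key, so pairing it with PRODID and a minimum SVN, or pinning MRENCLAVE for an exact build, is what actually narrows the set of peers the handshake will accept.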
## Dependencies

When running, the server process has the following shared objects loaded:

```
/usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0
/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
/usr/lib/x86_64-linux-gnu/libhx509.so.5.0.0
/usr/lib/x86_64-linux-gnu/libheimbase.so.1.0.0
/usr/lib/x86_64-linux-gnu/libwind.so.0.0.0
/usr/lib/x86_64-linux-gnu/libffi.so.7.1.0
/usr/lib/x86_64-linux-gnu/libroken.so.18.1.0
/usr/lib/x86_64-linux-gnu/libhcrypto.so.4.1.0
/usr/lib/x86_64-linux-gnu/libasn1.so.8.0.0
/usr/lib/x86_64-linux-gnu/libkrb5.so.26.0.0
/usr/lib/x86_64-linux-gnu/libheimntlm.so.0.1.0
/usr/lib/x86_64-linux-gnu/libkeyutils.so.1.8
/usr/lib/x86_64-linux-gnu/libtasn1.so.6.6.0
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
/usr/lib/x86_64-linux-gnu/libbrotlicommon.so.1.0.7
/usr/lib/x86_64-linux-gnu/libgssapi.so.3.0.0
/usr/lib/x86_64-linux-gnu/libsasl2.so.2.0.25
/usr/lib/x86_64-linux-gnu/libresolv-2.31.so
/usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
/usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
/usr/lib/x86_64-linux-gnu/libgmp.so.10.4.0
/usr/lib/x86_64-linux-gnu/libnettle.so.7.0
/usr/lib/x86_64-linux-gnu/libgnutls.so.30.27.0
/usr/lib/x86_64-linux-gnu/libunistring.so.2.1.0
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
/usr/lib/x86_64-linux-gnu/libhogweed.so.5.0
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2.10.12
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
/usr/lib/x86_64-linux-gnu/libssl.so.1.1
/usr/lib/x86_64-linux-gnu/libssh.so.4.8.4
/usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
/usr/lib/x86_64-linux-gnu/libcom_err.so.2.1
/usr/lib/x86_64-linux-gnu/libbrotlidec.so.1.0.7
/usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.10.12
/usr/lib/x86_64-linux-gnu/librtmp.so.1
/usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so.1.13.104.4
/usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
/usr/lib/x86_64-linux-gnu/libidn2.so.0.3.6
/usr/lib/x86_64-linux-gnu/libnghttp2.so.14.19.0
/usr/lib/x86_64-linux-gnu/libcurl.so.4.6.0
/usr/lib/x86_64-linux-gnu/libsgx_default_qcnl_wrapper.so.1.13.104.4
/usr/lib/x86_64-linux-gnu/libnss_files-2.31.so
/usr/lib/x86_64-linux-gnu/libsgx_urts.so.2.0.103.4
/usr/lib/x86_64-linux-gnu/libm-2.31.so
/usr/lib/x86_64-linux-gnu/libsgx_pce_logic.so.1.14.104.4
/usr/lib/x86_64-linux-gnu/libsgx_qe3_logic.so
/usr/lib/x86_64-linux-gnu/libgcc_s.so.1
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.28
/usr/lib/x86_64-linux-gnu/libsgx_dcap_quoteverify.so.1.12.104.4
/usr/lib/x86_64-linux-gnu/libsgx_dcap_ql.so.1.11.104.4
/usr/lib/x86_64-linux-gnu/libdl-2.31.so
/usr/lib/x86_64-linux-gnu/libsgx_enclave_common.so.1.2.103.4
/usr/lib/x86_64-linux-gnu/libsgx_uae_service.so.2.3.219.4
/usr/lib/x86_64-linux-gnu/libpthread-2.31.so
/usr/lib/x86_64-linux-gnu/libc-2.31.so
/root/run/server/build/lib/libocclum-pal.so.0.30.1
/usr/lib/x86_64-linux-gnu/ld-2.31.so
```