general/occlum
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update dcap demo using prebuilt dcap lib

Browse Source
This commit is contained in:
Zheng, Qi 2022-02-09 14:48:36 +08:00 committed by Zongmin.Gu
parent ea3135fa3d
commit 04a357021c
11 changed files with 17 additions and 482 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
demos/remote_attestation/dcap/README.md
View File

@ -1,4 +1,4 @@
# SGX DCAP Remote Attestation Demo in Rust
# SGX DCAP Remote Attestation Demo
This project demonstrates how to do Intel SGX DCAP (Datacenter Attestation
Primitives) remote attestation on Occlum. Occlum provides SGX capabilities to
@ -18,7 +18,7 @@ applications through ioctls on device `/dev/sgx`.
## Run this demo on Occlum
You can run the DCAP quote generation and verification demo, including dcap library build, rust test demo and C test demo on Occlum via
You can run the DCAP quote generation and verification demo, including rust test demo and C test demo on Occlum via
```
./run_dcap_quote_on_occlum.sh
```

5
demos/remote_attestation/dcap/c_app/Makefile
View File

@ -1,13 +1,14 @@
CC ?= gcc
LD ?= ld
LIBPATH ?= ../dcap_lib/target/debug
LIBPATH ?= /opt/occlum/toolchains/dcap_lib/glibc
INCPATH ?= /opt/occlum/toolchains/dcap_lib/inc
.PHONY: all clean
all: dcap_c_test
dcap_c_test: dcap_c_test.c
$(CC) $^ -fPIE -pie -o $@ -L $(LIBPATH) -ldcap_quote -I /opt/intel/sgxsdk/include
$(CC) $^ -fPIE -pie -o $@ -L $(LIBPATH) -locclum_dcap -I /opt/intel/sgxsdk/include -I $(INCPATH)
clean:
rm -rf dcap_c_test

5
demos/remote_attestation/dcap/c_app/dcap_c_test.c
View File

@ -3,8 +3,11 @@
#include <string.h>
#include "sgx_quote_3.h"
#include "dcap_quote.h"
#include "sgx_urts.h"
#include "sgx_pce.h"
#include "sgx_error.h"
#include "occlum_dcap.h"
void dump_quote_info(sgx_quote3_t *p_quote)
{

37
demos/remote_attestation/dcap/c_app/dcap_quote.h
View File

@ -1,37 +0,0 @@
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include "sgx_urts.h"
#include "sgx_report.h"
#include "sgx_qve_header.h"
#include "sgx_pce.h"
#include "sgx_error.h"
#ifdef __cplusplus
extern "C" {
#endif
void *dcap_quote_open(void);
uint32_t dcap_get_quote_size(void *handle);
int32_t dcap_generate_quote(void *handle, uint8_t *quote_buf, const sgx_report_data_t *report_data);
uint32_t dcap_get_supplemental_data_size(void *handle);
int32_t dcap_verify_quote(void *handle,
const uint8_t *quote_buf,
uint32_t quote_size,
uint32_t *collateral_expiration_status,
sgx_ql_qv_result_t *quote_verification_result,
uint32_t supplemental_data_size,
uint8_t *supplemental_data);
void dcap_quote_close(void *handle);
#ifdef __cplusplus
}
#endif

4
demos/remote_attestation/dcap/dcap-musl.yaml
View File

@ -6,11 +6,11 @@ targets:
- target: /bin
copy:
- files:
- ../dcap_lib/target/x86_64-unknown-linux-musl/release/examples/dcap_test
- /opt/occlum/toolchains/dcap_lib/musl/dcap_test
- ../c_app/dcap_c_test
# copy lib
- target: /lib
copy:
- files:
- ../dcap_lib/target/x86_64-unknown-linux-musl/release/libdcap_quote.so
- /opt/occlum/toolchains/dcap_lib/musl/libocclum_dcap.so

4
demos/remote_attestation/dcap/dcap.yaml
View File

@ -6,11 +6,11 @@ targets:
- target: /bin
copy:
- files:
- ../dcap_lib/target/release/examples/dcap_test
- /opt/occlum/toolchains/dcap_lib/glibc/dcap_test
- ../c_app/dcap_c_test
# copy lib
- target: /opt/occlum/glibc/lib
copy:
- files:
- ../dcap_lib/target/release/libdcap_quote.so
- /opt/occlum/toolchains/dcap_lib/glibc/libocclum_dcap.so

15
demos/remote_attestation/dcap/dcap_lib/Cargo.toml
View File

@ -1,15 +0,0 @@
[package]
name = "dcap_quote"
version = "0.1.0"
authors = ["Zheng, Qi <huaiqing.zq@antgroup.com>"]
edition = "2018"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
sgx_types = { path = "../../../../deps/rust-sgx-sdk/sgx_types" }
libc = "0.2"
cfg-if = "1.0.0"
[lib]
crate-type = ["cdylib", "rlib", "staticlib"]

172
demos/remote_attestation/dcap/dcap_lib/examples/dcap_test.rs
View File

@ -1,172 +0,0 @@
extern crate dcap_quote;
use std::str;
use std::io::Result;
use std::convert::TryFrom;
use dcap_quote::*;
use sgx_types::{
sgx_quote_header_t, sgx_report_data_t, sgx_ql_qv_result_t, sgx_report_body_t
};
struct DcapDemo {
dcap_quote: DcapQuote,
quote_size: u32,
quote_buf: Vec<u8>,
req_data: sgx_report_data_t,
supplemental_size: u32,
suppl_buf: Vec<u8>
}
impl DcapDemo {
pub fn new(report_data: &str) -> Self {
let mut dcap = DcapQuote::new();
let quote_size = dcap.get_quote_size();
let supplemental_size = dcap.get_supplemental_data_size();
let quote_buf: Vec<u8> = vec![0; quote_size as usize];
let suppl_buf: Vec<u8> = vec![0; supplemental_size as usize];
let mut req_data = sgx_report_data_t::default();
//fill in the report data array
for (pos, val) in report_data.as_bytes().iter().enumerate() {
req_data.d[pos] = *val;
}
Self {
dcap_quote: dcap,
quote_size: quote_size,
quote_buf: quote_buf,
req_data: req_data,
supplemental_size: supplemental_size,
suppl_buf: suppl_buf
}
}
fn dcap_quote_gen(&mut self) -> Result<i32> {
self.dcap_quote.generate_quote(self.quote_buf.as_mut_ptr(), &mut self.req_data).unwrap();
println!("DCAP generate quote successfully");
Ok( 0 )
}
// Quote has type `sgx_quote3_t` and is structured as
// pub struct sgx_quote3_t {
// pub header: sgx_quote_header_t,
// pub report_body: sgx_report_body_t,
// pub signature_data_len: uint32_t,
// pub signature_data: [uint8_t; 0],
// }
fn dcap_quote_get_report_body(&mut self) -> Result<*const sgx_report_body_t> {
let report_body_offset = std::mem::size_of::<sgx_quote_header_t>();
let report_body: *const sgx_report_body_t
= (self.quote_buf[report_body_offset..]).as_ptr() as _;
Ok(report_body)
}
fn dcap_quote_get_report_data(&mut self) -> Result<*const sgx_report_data_t> {
let report_body_ptr = self.dcap_quote_get_report_body().unwrap();
let report_data_ptr = unsafe { &(*report_body_ptr).report_data };
Ok(report_data_ptr)
}
fn dcap_quote_ver(&mut self) -> Result<sgx_ql_qv_result_t> {
let mut quote_verification_result = sgx_ql_qv_result_t::SGX_QL_QV_RESULT_UNSPECIFIED;
let mut status = 1;
let mut verify_arg = IoctlVerDCAPQuoteArg {
quote_buf: self.quote_buf.as_mut_ptr(),
quote_size: self.quote_size,
collateral_expiration_status: &mut status,
quote_verification_result: &mut quote_verification_result,
supplemental_data_size: self.supplemental_size,
supplemental_data: self.suppl_buf.as_mut_ptr(),
};
self.dcap_quote.verify_quote(&mut verify_arg).unwrap();
println!("DCAP verify quote successfully");
Ok( quote_verification_result )
}
fn dcap_dump_quote_info(&mut self) {
let report_body_ptr = self.dcap_quote_get_report_body().unwrap();
// Dump ISV FAMILY ID
let family_id = unsafe { (*report_body_ptr).isv_family_id };
let (fam_id_l, fam_id_h) = family_id.split_at(8);
let fam_id_l = <&[u8; 8]>::try_from(fam_id_l).unwrap();
let fam_id_l = u64::from_le_bytes(*fam_id_l);
let fam_id_h = <&[u8; 8]>::try_from(fam_id_h).unwrap();
let fam_id_h = u64::from_le_bytes(*fam_id_h);
println!("\nSGX ISV Family ID:");
println!("\t Low 8 bytes: 0x{:016x?}\t", fam_id_l);
println!("\t high 8 bytes: 0x{:016x?}\t", fam_id_h);
// Dump ISV EXT Product ID
let prod_id = unsafe { (*report_body_ptr).isv_ext_prod_id };
let (prod_id_l, prod_id_h) = prod_id.split_at(8);
let prod_id_l = <&[u8; 8]>::try_from(prod_id_l).unwrap();
let prod_id_l = u64::from_le_bytes(*prod_id_l);
let prod_id_h = <&[u8; 8]>::try_from(prod_id_h).unwrap();
let prod_id_h = u64::from_le_bytes(*prod_id_h);
println!("\nSGX ISV EXT Product ID:");
println!("\t Low 8 bytes: 0x{:016x?}\t", prod_id_l);
println!("\t high 8 bytes: 0x{:016x?}\t", prod_id_h);
// Dump CONFIG ID
let conf_id = unsafe { (*report_body_ptr).config_id };
println!("\nSGX CONFIG ID:");
println!("\t{:02x?}", &conf_id[..16]);
println!("\t{:02x?}", &conf_id[16..32]);
println!("\t{:02x?}", &conf_id[32..48]);
println!("\t{:02x?}", &conf_id[48..]);
// Dump CONFIG SVN
let conf_svn = unsafe { (*report_body_ptr).config_svn };
println!("\nSGX CONFIG SVN:\t {:04x?}", conf_svn);
}
}
impl Drop for DcapDemo {
fn drop(&mut self) {
self.dcap_quote.close();
}
}
fn main() {
let report_str = "Dcap demo sample";
let mut dcap_demo = DcapDemo::new(report_str);
println!("Generate quote with report data : {}", report_str);
dcap_demo.dcap_quote_gen().unwrap();
// compare the report data in quote buffer
let report_data_ptr = dcap_demo.dcap_quote_get_report_data().unwrap();
let string = str::from_utf8( unsafe { &(*report_data_ptr).d } ).unwrap();
if report_str == &string[..report_str.len()] {
println!("Report data from Quote: '{}' exactly matches.", string);
} else {
println!("Report data from Quote: '{}' doesn't match !!!", string);
}
dcap_demo.dcap_dump_quote_info();
let result = dcap_demo.dcap_quote_ver().unwrap();
match result {
sgx_ql_qv_result_t::SGX_QL_QV_RESULT_OK => {
println!("Succeed to verify the quote!");
},
sgx_ql_qv_result_t::SGX_QL_QV_RESULT_CONFIG_NEEDED |
sgx_ql_qv_result_t::SGX_QL_QV_RESULT_OUT_OF_DATE |
sgx_ql_qv_result_t::SGX_QL_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED |
sgx_ql_qv_result_t::SGX_QL_QV_RESULT_SW_HARDENING_NEEDED |
sgx_ql_qv_result_t::SGX_QL_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED => {
println!("WARN: App: Verification completed with Non-terminal result: {}", result);
},
_ => println!("Error: App: Verification completed with Terminal result: {}", result),
}
}

132
demos/remote_attestation/dcap/dcap_lib/src/dcap_quote.rs
View File

@ -1,132 +0,0 @@
use libc::*;
use std::ffi::CString;
use sgx_types::{
sgx_report_data_t, sgx_ql_qv_result_t
};
const SGXIOC_GET_DCAP_QUOTE_SIZE: u64 = 0x80047307;
const SGXIOC_GEN_DCAP_QUOTE: u64 = 0xc0187308;
const SGXIOC_GET_DCAP_SUPPLEMENTAL_SIZE: u64 = 0x80047309;
const SGXIOC_VER_DCAP_QUOTE: u64 = 0xc030730a;
cfg_if::cfg_if! {
if #[cfg(target_env = "musl")] {
const IOCTL_GET_DCAP_QUOTE_SIZE: i32 = SGXIOC_GET_DCAP_QUOTE_SIZE as i32;
const IOCTL_GEN_DCAP_QUOTE: i32 = SGXIOC_GEN_DCAP_QUOTE as i32;
const IOCTL_GET_DCAP_SUPPLEMENTAL_SIZE: i32 = SGXIOC_GET_DCAP_SUPPLEMENTAL_SIZE as i32;
const IOCTL_VER_DCAP_QUOTE: i32 = SGXIOC_VER_DCAP_QUOTE as i32;
} else {
const IOCTL_GET_DCAP_QUOTE_SIZE: u64 = SGXIOC_GET_DCAP_QUOTE_SIZE;
const IOCTL_GEN_DCAP_QUOTE: u64 = SGXIOC_GEN_DCAP_QUOTE;
const IOCTL_GET_DCAP_SUPPLEMENTAL_SIZE: u64 = SGXIOC_GET_DCAP_SUPPLEMENTAL_SIZE;
const IOCTL_VER_DCAP_QUOTE: u64 = SGXIOC_VER_DCAP_QUOTE;
}
}
// Copy from occlum/src/libos/src/fs/dev_fs/dev_sgx/mod.rs
//#[allow(dead_code)]
#[repr(C)]
pub struct IoctlGenDCAPQuoteArg {
pub report_data: *const sgx_report_data_t, // Input
pub quote_size: *mut u32, // Input/output
pub quote_buf: *mut u8, // Output
}
// Copy from occlum/src/libos/src/fs/dev_fs/dev_sgx/mod.rs
//#[allow(dead_code)]
#[repr(C)]
pub struct IoctlVerDCAPQuoteArg {
pub quote_buf: *const u8, // Input
pub quote_size: u32, // Input
pub collateral_expiration_status: *mut u32, // Output
pub quote_verification_result: *mut sgx_ql_qv_result_t, // Output
pub supplemental_data_size: u32, // Input (optional)
pub supplemental_data: *mut u8, // Output (optional)
}
pub struct DcapQuote {
fd: c_int,
quote_size: u32,
supplemental_size: u32,
}
impl DcapQuote {
pub fn new() -> Self {
println!("DcapQuote: new");
let path = CString::new("/dev/sgx").unwrap();
let fd = unsafe { libc::open(path.as_ptr(), O_RDONLY) };
if fd > 0 {
Self {
fd: fd,
quote_size: 0,
supplemental_size: 0,
}
} else {
panic!("Open /dev/sgx failed")
}
}
pub fn get_quote_size(&mut self) -> u32 {
println!("DcapQuote: get_quote_size");
let size: u32 = 0;
let ret = unsafe { libc::ioctl(self.fd, IOCTL_GET_DCAP_QUOTE_SIZE, &size) };
if ret < 0 {
panic!("IOCTRL IOCTL_GET_DCAP_QUOTE_SIZE failed");
} else {
self.quote_size = size;
size
}
}
pub fn generate_quote(&mut self, quote_buf: *mut u8, report_data: *const sgx_report_data_t) -> Result<i32, &'static str> {
println!("DcapQuote: generate_quote");
let quote_arg: IoctlGenDCAPQuoteArg = IoctlGenDCAPQuoteArg {
report_data: report_data,
quote_size: &mut self.quote_size,
quote_buf: quote_buf,
};
let ret = unsafe { libc::ioctl(self.fd, IOCTL_GEN_DCAP_QUOTE, &quote_arg) };
if ret < 0 {
Err("IOCTRL IOCTL_GEN_DCAP_QUOTE failed")
} else {
Ok( 0 )
}
}
pub fn get_supplemental_data_size(&mut self) -> u32 {
println!("DcapQuote: get_supplemental_data_size");
let size: u32 = 0;
let ret = unsafe { libc::ioctl(self.fd, IOCTL_GET_DCAP_SUPPLEMENTAL_SIZE, &size) };
if ret < 0 {
panic!("IOCTRL IOCTL_GET_DCAP_SUPPLEMENTAL_SIZE failed");
} else {
self.supplemental_size = size;
size
}
}
pub fn verify_quote(&mut self, verify_arg: *mut IoctlVerDCAPQuoteArg) -> Result<i32, &'static str> {
println!("DcapQuote: verify_quote");
let ret = unsafe { libc::ioctl(self.fd, IOCTL_VER_DCAP_QUOTE, verify_arg) };
if ret < 0 {
println!("ret = {}", ret);
Err("IOCTRL IOCTL_VER_DCAP_QUOTE failed")
} else {
Ok( 0 )
}
}
pub fn close(&mut self) {
println!("DcapQuote: close");
unsafe { libc::close(self.fd) };
}
}

109
demos/remote_attestation/dcap/dcap_lib/src/lib.rs
View File

@ -1,109 +0,0 @@
use std::boxed::Box;
use libc::{c_void};
use sgx_types::{
sgx_report_data_t, sgx_ql_qv_result_t
};
mod dcap_quote;
pub use crate::dcap_quote::*;
#[no_mangle]
pub extern "C" fn dcap_quote_open() -> *mut c_void {
Box::into_raw(Box::new(DcapQuote::new())) as *mut c_void
}
#[no_mangle]
pub extern "C" fn dcap_get_quote_size(handle: *mut c_void) -> u32 {
if handle.is_null() {
return 0
}
let dcap = unsafe {
&mut *(handle as *mut DcapQuote)
};
dcap.get_quote_size()
}
#[no_mangle]
pub extern "C" fn dcap_generate_quote(
handle: *mut c_void,
quote_buf: *mut u8,
report_data: *const sgx_report_data_t) -> i32
{
if handle.is_null() {
return -1
}
let dcap = unsafe {
&mut *(handle as *mut DcapQuote)
};
dcap.generate_quote(quote_buf, report_data).unwrap();
0
}
#[no_mangle]
pub extern "C" fn dcap_get_supplemental_data_size(handle: *mut c_void) -> u32 {
if handle.is_null() {
return 0
}
let dcap = unsafe {
&mut *(handle as *mut DcapQuote)
};
dcap.get_supplemental_data_size()
}
#[no_mangle]
pub extern "C" fn dcap_verify_quote(
handle: *mut c_void,
quote_buf: *const u8,
quote_size: u32,
collateral_expiration_status: *mut u32,
quote_verification_result: *mut sgx_ql_qv_result_t,
supplemental_data_size: u32,
supplemental_data: *mut u8) -> i32
{
if handle.is_null() {
return -1
}
let dcap = unsafe {
&mut *(handle as *mut DcapQuote)
};
let mut verify_arg = IoctlVerDCAPQuoteArg {
quote_buf: quote_buf,
quote_size: quote_size,
collateral_expiration_status: collateral_expiration_status,
quote_verification_result: quote_verification_result,
supplemental_data_size: supplemental_data_size,
supplemental_data: supplemental_data,
};
dcap.verify_quote(&mut verify_arg).unwrap();
0
}
#[no_mangle]
pub extern "C" fn dcap_quote_close(handle: *mut c_void) {
if handle.is_null() {
return
}
let dcap = unsafe {
&mut *(handle as *mut DcapQuote)
};
dcap.close();
unsafe {
Box::from_raw(handle);
}
}

12
demos/remote_attestation/dcap/run_dcap_quote_on_occlum.sh
View File

@ -10,23 +10,19 @@ if [[ $1 == "musl" ]]; then
bomfile="../dcap-musl.yaml"
CC=occlum-gcc
LD=occlum-ld
CARGO=occlum-cargo
LIBPATH="../dcap_lib/target/x86_64-unknown-linux-musl/release"
LIBPATH="/opt/occlum/toolchains/dcap_lib/musl"
else
echo "*** Build and run glibc dcap demo ***"
bomfile="../dcap.yaml"
CC=gcc
LD=ld
CARGO=cargo
LIBPATH="../dcap_lib/target/release"
LIBPATH="/opt/occlum/toolchains/dcap_lib/glibc"
fi
pushd dcap_lib
$CARGO build --all-targets --release
popd
INCPATH="/opt/occlum/toolchains/dcap_lib/inc"
CC=$CC LD=$LD LIBPATH=$LIBPATH make -C c_app clean
CC=$CC LD=$LD LIBPATH=$LIBPATH make -C c_app
CC=$CC LD=$LD LIBPATH=$LIBPATH INCPATH=$INCPATH make -C c_app
rm -rf ${INSTANCE_DIR} && occlum new ${INSTANCE_DIR}
cd ${INSTANCE_DIR}