From 7de4a2b3cd8a7f0d352be4bdab835c1576419594 Mon Sep 17 00:00:00 2001 From: "Zheng, Qi" Date: Tue, 3 Jan 2023 14:31:42 +0800 Subject: [PATCH] [libos] Add sgx_get_key ioctl command --- src/libos/src/fs/dev_fs/dev_sgx/consts.rs | 8 +++++ src/libos/src/fs/dev_fs/dev_sgx/mod.rs | 24 +++++++++++++++ src/libos/src/util/sgx/mod.rs | 2 ++ src/libos/src/util/sgx/sgx_key.rs | 16 ++++++++++ test/ioctl/main.c | 37 +++++++++++++++++++++++ 5 files changed, 87 insertions(+) create mode 100644 src/libos/src/util/sgx/sgx_key.rs diff --git a/src/libos/src/fs/dev_fs/dev_sgx/consts.rs b/src/libos/src/fs/dev_fs/dev_sgx/consts.rs index a5a94322..114d62f1 100644 --- a/src/libos/src/fs/dev_fs/dev_sgx/consts.rs +++ b/src/libos/src/fs/dev_fs/dev_sgx/consts.rs @@ -70,5 +70,13 @@ pub const SGX_CMD_NUM_VER_DCAP_QUOTE: u32 = StructuredIoctlNum::new::( + 11, + SGX_MAGIC_CHAR, + StructuredIoctlArgType::InputOutput, +) +.as_u32(); + /// A magical number that distinguishes SGX ioctls for other ioctls const SGX_MAGIC_CHAR: u8 = 's' as u8; diff --git a/src/libos/src/fs/dev_fs/dev_sgx/mod.rs b/src/libos/src/fs/dev_fs/dev_sgx/mod.rs index f9cc939b..b1153f70 100644 --- a/src/libos/src/fs/dev_fs/dev_sgx/mod.rs +++ b/src/libos/src/fs/dev_fs/dev_sgx/mod.rs @@ -246,6 +246,24 @@ impl DevSgx { slice.copy_from_slice(&supplemental_data); } } + SGX_CMD_NUM_KEY => { + // Prepare the arguments + let arg = nonbuiltin_cmd.arg_mut::()?; + let key_request = { + if arg.key_request.is_null() { + return_errno!(EINVAL, "key_request must not be null"); + } + unsafe { &*arg.key_request } + }; + + let key = { + if arg.key.is_null() { + return_errno!(EINVAL, "output pointer for key must not be null"); + } + unsafe { &mut *arg.key } + }; + *key = get_key(key_request)?; + } _ => { return_errno!(ENOSYS, "unknown ioctl cmd for /dev/sgx"); } @@ -304,3 +322,9 @@ struct IoctlVerDCAPQuoteArg { supplemental_data_size: u32, // Input (optional) supplemental_data: *mut u8, // Output (optional) } + +#[repr(C)] +struct IoctlGetKeyArg { + key_request: *const sgx_key_request_t, // Input + key: *mut sgx_key_128bit_t, // Output +} diff --git a/src/libos/src/util/sgx/mod.rs b/src/libos/src/util/sgx/mod.rs index 78350749..934343af 100644 --- a/src/libos/src/util/sgx/mod.rs +++ b/src/libos/src/util/sgx/mod.rs @@ -8,6 +8,7 @@ use sgx_types::*; #[cfg(feature = "dcap")] mod dcap; mod epid; +mod sgx_key; mod sgx_report; pub use sgx_types::{ @@ -20,6 +21,7 @@ pub use self::dcap::{ QuoteGenerator as SgxDCAPQuoteGenerator, QuoteVerifier as SgxDCAPQuoteVerifier, }; pub use self::epid::AttestationAgent as SgxEPIDAttestationAgent; +pub use self::sgx_key::get_key; pub use self::sgx_report::{create_report, get_self_target, verify_report}; pub fn allow_debug() -> bool { diff --git a/src/libos/src/util/sgx/sgx_key.rs b/src/libos/src/util/sgx/sgx_key.rs new file mode 100644 index 00000000..8c9bb74a --- /dev/null +++ b/src/libos/src/util/sgx/sgx_key.rs @@ -0,0 +1,16 @@ +use super::*; + +use std::ptr; + +pub fn get_key(key_request: &sgx_key_request_t) -> Result { + let mut key = sgx_key_128bit_t::default(); + let sgx_status = unsafe { sgx_get_key(key_request, &mut key as *mut sgx_key_128bit_t) }; + match sgx_status { + sgx_status_t::SGX_SUCCESS => Ok(key), + sgx_status_t::SGX_ERROR_INVALID_PARAMETER => return_errno!(EINVAL, "invalid paramters"), + _ => { + error!("sgx_get_key return {:?}", sgx_status); + return_errno!(EINVAL, "unexpected SGX error") + } + } +} diff --git a/test/ioctl/main.c b/test/ioctl/main.c index 6e247501..bb4f0e59 100644 --- a/test/ioctl/main.c +++ b/test/ioctl/main.c @@ -15,6 +15,7 @@ #include #include #include +#include #ifndef OCCLUM_DISABLE_DCAP #include #include @@ -142,6 +143,11 @@ typedef struct { sgx_report_t *report; // output } sgxioc_create_report_arg_t; +typedef struct { + const sgx_key_request_t *key_request; // Input + sgx_key_128bit_t *key; // Output +} sgxioc_get_key_arg_t; + #ifndef OCCLUM_DISABLE_DCAP typedef struct { sgx_report_data_t *report_data; // input @@ -174,6 +180,8 @@ typedef struct { #define SGXIOC_VER_DCAP_QUOTE _IOWR('s', 10, sgxioc_ver_dcap_quote_arg_t) #endif +#define SGXIOC_GET_KEY _IOWR('s', 11, sgxioc_get_key_arg_t) + // The max number of retries if ioctl returns EBUSY #define IOCTL_MAX_RETRIES 20 @@ -311,6 +319,30 @@ static int do_SGXIOC_CREATE_AND_VERIFY_REPORT(int sgx_fd) { return 0; } +static int do_SGXIOC_GET_KEY(int sgx_fd) { + sgx_key_request_t key_request = { 0 }; + sgx_key_128bit_t key = { 0 }; + + key_request.key_name = SGX_KEYSELECT_SEAL; // SGX_KEYSELECT_REPORT + key_request.key_policy = SGX_KEYPOLICY_MRENCLAVE; // SGX_KEYPOLICY_MRSIGNER + + sgxioc_get_key_arg_t args = { + .key_request = (const sgx_key_request_t *) &key_request, + .key = &key, + }; + if (ioctl(sgx_fd, SGXIOC_GET_KEY, &args) < 0) { + THROW_ERROR("failed to ioctl /dev/sgx"); + } + + printf("key: \n"); + for (int i = 0; i < 16; i++) { + printf("%x ", key[i]); + } + printf("\n"); + + return 0; +} + #ifndef OCCLUM_DISABLE_DCAP #define REPORT_BODY_OFFSET 48 static int generate_and_verify_dcap_quote(int sgx_fd) { @@ -464,6 +496,10 @@ int test_sgx_ioctl_SGXIOC_CREATE_AND_VERIFY_REPORT(void) { return do_sgx_ioctl_test(do_SGXIOC_CREATE_AND_VERIFY_REPORT); } +int test_sgx_ioctl_SGXIOC_GET_KEY(void) { + return do_sgx_ioctl_test(do_SGXIOC_GET_KEY); +} + #define CONFIG_SIZE 512 int test_ioctl_SIOCGIFCONF(void) { struct ifreq *req; @@ -627,6 +663,7 @@ static test_case_t test_cases[] = { TEST_CASE(test_sgx_ioctl_SGXIOC_GEN_EPID_QUOTE), TEST_CASE(test_sgx_ioctl_SGXIOC_SELF_TARGET), TEST_CASE(test_sgx_ioctl_SGXIOC_CREATE_AND_VERIFY_REPORT), + TEST_CASE(test_sgx_ioctl_SGXIOC_GET_KEY), #ifndef OCCLUM_DISABLE_DCAP TEST_CASE(test_sgx_ioctl_SGXIOC_GENERATE_AND_VERIFY_DCAP_QUOTE), #endif