[libos] Add sgx_get_key ioctl command

src/libos/src/fs/dev_fs/dev_sgx/consts.rs

@@ -70,5 +70,13 @@ pub const SGX_CMD_NUM_VER_DCAP_QUOTE: u32 = StructuredIoctlNum::new::<IoctlVerDC
 )
 .as_u32();
 
+/// Ioctl to get the key of the current enclave
+pub const SGX_CMD_NUM_KEY: u32 = StructuredIoctlNum::new::<IoctlGetKeyArg>(
+    11,
+    SGX_MAGIC_CHAR,
+    StructuredIoctlArgType::InputOutput,
+)
+.as_u32();
+
 /// A magical number that distinguishes SGX ioctls for other ioctls
 const SGX_MAGIC_CHAR: u8 = 's' as u8;

src/libos/src/fs/dev_fs/dev_sgx/mod.rs

@@ -246,6 +246,24 @@ impl DevSgx {
                     slice.copy_from_slice(&supplemental_data);
                 }
             }
+            SGX_CMD_NUM_KEY => {
+                // Prepare the arguments
+                let arg = nonbuiltin_cmd.arg_mut::<IoctlGetKeyArg>()?;
+                let key_request = {
+                    if arg.key_request.is_null() {
+                        return_errno!(EINVAL, "key_request must not be null");
+                    }
+                    unsafe { &*arg.key_request }
+                };
+
+                let key = {
+                    if arg.key.is_null() {
+                        return_errno!(EINVAL, "output pointer for key must not be null");
+                    }
+                    unsafe { &mut *arg.key }
+                };
+                *key = get_key(key_request)?;
+            }
             _ => {
                 return_errno!(ENOSYS, "unknown ioctl cmd for /dev/sgx");
             }
@@ -304,3 +322,9 @@ struct IoctlVerDCAPQuoteArg {
     supplemental_data_size: u32,                        // Input (optional)
     supplemental_data: *mut u8,                         // Output (optional)
 }
+
+#[repr(C)]
+struct IoctlGetKeyArg {
+    key_request: *const sgx_key_request_t, // Input
+    key: *mut sgx_key_128bit_t,            // Output
+}

src/libos/src/util/sgx/mod.rs

@@ -8,6 +8,7 @@ use sgx_types::*;
 #[cfg(feature = "dcap")]
 mod dcap;
 mod epid;
+mod sgx_key;
 mod sgx_report;
 
 pub use sgx_types::{
@@ -20,6 +21,7 @@ pub use self::dcap::{
     QuoteGenerator as SgxDCAPQuoteGenerator, QuoteVerifier as SgxDCAPQuoteVerifier,
 };
 pub use self::epid::AttestationAgent as SgxEPIDAttestationAgent;
+pub use self::sgx_key::get_key;
 pub use self::sgx_report::{create_report, get_self_target, verify_report};
 
 pub fn allow_debug() -> bool {

src/libos/src/util/sgx/sgx_key.rs

@@ -0,0 +1,16 @@
+use super::*;
+
+use std::ptr;
+
+pub fn get_key(key_request: &sgx_key_request_t) -> Result<sgx_key_128bit_t> {
+    let mut key = sgx_key_128bit_t::default();
+    let sgx_status = unsafe { sgx_get_key(key_request, &mut key as *mut sgx_key_128bit_t) };
+    match sgx_status {
+        sgx_status_t::SGX_SUCCESS => Ok(key),
+        sgx_status_t::SGX_ERROR_INVALID_PARAMETER => return_errno!(EINVAL, "invalid paramters"),
+        _ => {
+            error!("sgx_get_key return {:?}", sgx_status);
+            return_errno!(EINVAL, "unexpected SGX error")
+        }
+    }
+}

test/ioctl/main.c

@@ -15,6 +15,7 @@
 #include <sys/wait.h>
 #include <sgx_report.h>
 #include <sgx_quote.h>
+#include <sgx_key.h>
 #ifndef OCCLUM_DISABLE_DCAP
 #include <sgx_ql_quote.h>
 #include <sgx_qve_header.h>
@@ -142,6 +143,11 @@ typedef struct {
     sgx_report_t               *report;             // output
 } sgxioc_create_report_arg_t;
 
+typedef struct {
+    const sgx_key_request_t    *key_request;       // Input
+    sgx_key_128bit_t           *key;              // Output
+} sgxioc_get_key_arg_t;
+
 #ifndef OCCLUM_DISABLE_DCAP
 typedef struct {
     sgx_report_data_t      *report_data; // input
@@ -174,6 +180,8 @@ typedef struct {
 #define SGXIOC_VER_DCAP_QUOTE             _IOWR('s', 10, sgxioc_ver_dcap_quote_arg_t)
 #endif
 
+#define SGXIOC_GET_KEY                    _IOWR('s', 11, sgxioc_get_key_arg_t)
+
 // The max number of retries if ioctl returns EBUSY
 #define IOCTL_MAX_RETRIES       20
 
@@ -311,6 +319,30 @@ static int do_SGXIOC_CREATE_AND_VERIFY_REPORT(int sgx_fd) {
     return 0;
 }
 
+static int do_SGXIOC_GET_KEY(int sgx_fd) {
+    sgx_key_request_t key_request = { 0 };
+    sgx_key_128bit_t key = { 0 };
+
+    key_request.key_name = SGX_KEYSELECT_SEAL; // SGX_KEYSELECT_REPORT
+    key_request.key_policy = SGX_KEYPOLICY_MRENCLAVE; // SGX_KEYPOLICY_MRSIGNER
+
+    sgxioc_get_key_arg_t args = {
+        .key_request = (const sgx_key_request_t *) &key_request,
+        .key = &key,
+    };
+    if (ioctl(sgx_fd, SGXIOC_GET_KEY, &args) < 0) {
+        THROW_ERROR("failed to ioctl /dev/sgx");
+    }
+
+    printf("key: \n");
+    for (int i = 0; i < 16; i++) {
+        printf("%x ", key[i]);
+    }
+    printf("\n");
+
+    return 0;
+}
+
 #ifndef OCCLUM_DISABLE_DCAP
 #define REPORT_BODY_OFFSET 48
 static int generate_and_verify_dcap_quote(int sgx_fd) {
@@ -464,6 +496,10 @@ int test_sgx_ioctl_SGXIOC_CREATE_AND_VERIFY_REPORT(void) {
     return do_sgx_ioctl_test(do_SGXIOC_CREATE_AND_VERIFY_REPORT);
 }
 
+int test_sgx_ioctl_SGXIOC_GET_KEY(void) {
+    return do_sgx_ioctl_test(do_SGXIOC_GET_KEY);
+}
+
 #define CONFIG_SIZE  512
 int test_ioctl_SIOCGIFCONF(void) {
     struct ifreq *req;
@@ -627,6 +663,7 @@ static test_case_t test_cases[] = {
     TEST_CASE(test_sgx_ioctl_SGXIOC_GEN_EPID_QUOTE),
     TEST_CASE(test_sgx_ioctl_SGXIOC_SELF_TARGET),
     TEST_CASE(test_sgx_ioctl_SGXIOC_CREATE_AND_VERIFY_REPORT),
+    TEST_CASE(test_sgx_ioctl_SGXIOC_GET_KEY),
 #ifndef OCCLUM_DISABLE_DCAP
     TEST_CASE(test_sgx_ioctl_SGXIOC_GENERATE_AND_VERIFY_DCAP_QUOTE),
 #endif