From b5f6d5f9b90f49bfa0c7c521770bc1b77944809b Mon Sep 17 00:00:00 2001
From: Valentyn Faychuk
Date: Sat, 19 Oct 2024 04:59:54 +0300
Subject: [PATCH] sealing key generation

---
 .gitignore | 6 ++++
 README.md | 24 +++++++++++++++
 tools/toolchains/dcap_lib/inc/occlum_dcap.h | 1 +
 tools/toolchains/dcap_lib/src/lib.rs | 32 ++++++++++++++++----
 tools/toolchains/dcap_lib/src/occlum_dcap.rs | 22 ++++++++++++++
 tools/toolchains/dcap_lib/src/prelude.rs | 2 +-
 6 files changed, 80 insertions(+), 7 deletions(-)

diff --git a/.gitignore b/.gitignore
index 3b430ee4..806e919b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,9 @@ build/
 .DS_Store
 src/libos/target/
 tools/toolchains/dcap_lib/target/
+
+# Added by DeTEE
+**/target
+**/Cargo.lock
+.idea
+
diff --git a/README.md b/README.md
index ec73122d..9cdaeb77 100644
--- a/README.md
+++ b/README.md
@@ -64,3 +64,27 @@ Thanks go to [all these wonderful contributors to this project](CONTRIBUTORS.md)
 ## License
 
 Occlum is released under BSD License. See the copyright information [here](LICENSE).
+
+## DeTEE
+
+Occlum is a part of the DeTEE project. DeTEE is a research project that aims to provide a secure and efficient computing environment for data-intensive applications.
+
+```bash
+# Run the occlum ubuntu 20.04 docker container
+docker run --device /dev/sgx/enclave --device /dev/sgx/provision --rm --name valytest -it -v /home/vfaychuk:/root/vfaychuk occlum/occlum:latest-ubuntu20.04
+# inside the container run the following commands
+apt update && apt install -y ssh-client
+mkdir -p /root/.ssh && vim /root/.ssh/config
+#Host gitea.detee.cloud
+# IdentityFile ~/.ssh/gitea_ed25519
+vim /root/.ssh/gitea_ed25519
+# put the server private key to download the repo
+chown -R root:root /root/.ssh
+chmod 600 /root/.ssh/gitea_ed25519
+ssh-keyscan -H gitea.detee.cloud > ~/.ssh/known_hosts
+git clone git@gitea.detee.cloud:vfaychuk/occlum.git
+cd occlum && make submodule
+cd tools/toolchains/dcap_lib/
+# following command also installs the dcap library
+./build.sh
+```
\ No newline at end of file
diff --git a/tools/toolchains/dcap_lib/inc/occlum_dcap.h b/tools/toolchains/dcap_lib/inc/occlum_dcap.h
index 33a2026c..00dfd999 100644
--- a/tools/toolchains/dcap_lib/inc/occlum_dcap.h
+++ b/tools/toolchains/dcap_lib/inc/occlum_dcap.h
@@ -27,6 +27,7 @@ int32_t dcap_verify_quote(void *handle,
 uint32_t supplemental_data_size,
 uint8_t *supplemental_data);
 
+int32_t dcap_generate_key(void *handle, sgx_key_128bit_t *key, const sgx_key_request_t *key_request);
 
 void dcap_quote_close(void *handle);
 
diff --git a/tools/toolchains/dcap_lib/src/lib.rs b/tools/toolchains/dcap_lib/src/lib.rs
index 7def24a8..3eef58a0 100644
--- a/tools/toolchains/dcap_lib/src/lib.rs
+++ b/tools/toolchains/dcap_lib/src/lib.rs
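Review bot: The new `dcap_generate_key` prototype carries no comment stating its contract, yet the C caller has to know that `key` is an output buffer filled according to `key_request` and what the return value means. The Rust implementation elsewhere in this patch (`dcap_generate_key` in lib.rs and `DcapQuote::generate_key` in occlum_dcap.rs) returns 0 on success and -1 both for a null `handle` and for an ioctl failure, so the caller cannot distinguish the two. A comment such as `/* Fills *key with the 128-bit key described by key_request. Returns 0 on success, -1 on a null handle or ioctl failure. */` would record that. The declaration also relies on `sgx_key_128bit_t` and `sgx_key_request_t` being reachable through the header's existing includes, which this hunk does not show.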
@@ -67,17 +67,37 @@ pub extern "C" fn dcap_verify_quote(
 let dcap = unsafe { &mut *(handle as *mut DcapQuote) };
 
 let mut verify_arg = IoctlVerDCAPQuoteArg {
- quote_buf: quote_buf,
- quote_size: quote_size,
- collateral_expiration_status: collateral_expiration_status,
- quote_verification_result: quote_verification_result,
- supplemental_data_size: supplemental_data_size,
- supplemental_data: supplemental_data,
+ quote_buf,
+ quote_size,
+ collateral_expiration_status,
+ quote_verification_result,
+ supplemental_data_size,
+ supplemental_data,
 };
 
 dcap.verify_quote(&mut verify_arg).unwrap_or(-1)
 }
 
+#[no_mangle]
+pub extern "C" fn dcap_generate_key(
+ handle: *mut c_void,
+ key: *mut sgx_key_128bit_t,
+ key_request: *const sgx_key_request_t,
+) -> i32 {
+ if handle.is_null() {
+ return -1;
+ }
+
+ let dcap = unsafe { &mut *(handle as *mut DcapQuote) };
+
+ let mut key_arg = IoctlGetKeyArg {
+ key_request,
+ key
+ };
+
+ dcap.generate_key(&mut key_arg).unwrap_or(-1)
+}
+
 #[no_mangle]
 pub extern "C" fn dcap_quote_close(handle: *mut c_void) {
 if handle.is_null() {
diff --git a/tools/toolchains/dcap_lib/src/occlum_dcap.rs b/tools/toolchains/dcap_lib/src/occlum_dcap.rs
index 9969e1b4..63d60d97 100644
--- a/tools/toolchains/dcap_lib/src/occlum_dcap.rs
+++ b/tools/toolchains/dcap_lib/src/occlum_dcap.rs
@@ -5,6 +5,7 @@ const SGXIOC_GET_DCAP_QUOTE_SIZE: u64 = 0x80047307;
 const SGXIOC_GEN_DCAP_QUOTE: u64 = 0xc0187308;
 const SGXIOC_GET_DCAP_SUPPLEMENTAL_SIZE: u64 = 0x80047309;
 const SGXIOC_VER_DCAP_QUOTE: u64 = 0xc030730a;
+const SGXIOC_CMD_NUM_KEY: u64 = 0xc010730b;
 
 cfg_if::cfg_if! {
 if #[cfg(target_env = "musl")] {
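Review bot: `dcap_generate_key` null-checks `handle` but forwards `key` and `key_request` unchecked into `IoctlGetKeyArg` and on to the ioctl, so a C caller passing a null output buffer is caught, if at all, only on the LibOS side; extend the guard to `if handle.is_null() || key.is_null() || key_request.is_null() { return -1; }`. The `unsafe` re-borrow of `handle` as `&mut DcapQuote` has no `// SAFETY:` comment stating that the handle must be one this library handed out, still open, and not used concurrently — this mirrors the existing `dcap_verify_quote`, but a new function is the place to start writing it down. A doc comment on the exported function should say it returns 0 on success and -1 on a null argument or ioctl failure, since `unwrap_or(-1)` erases the `io::Error`. Minor: `key` in the struct literal lacks the trailing comma rustfmt would add.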
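Review bot: `SGXIOC_CMD_NUM_KEY` breaks the `SGXIOC_<VERB>_<OBJECT>` pattern of its neighbours (`SGXIOC_GEN_DCAP_QUOTE`, `SGXIOC_VER_DCAP_QUOTE`) and says nothing about what the request does; the `IoctlGetKeyArg` struct added later in this file suggests `SGXIOC_GET_KEY`, with `IOCTL_GET_KEY` for the two mirrors in the `cfg_if!` hunk at -12,11. Whatever the name, `0xc010730b` must stay in lockstep with the LibOS definition the struct comment cites (`occlum/src/libos/src/fs/dev_fs/dev_sgx/mod.rs`), so a one-line comment such as `// Must match the key-request ioctl number in the LibOS dev_sgx driver` belongs next to it. Assuming the usual Linux `_IOWR` encoding, the size field 0x10 equals the two-pointer `IoctlGetKeyArg` on 64-bit, consistent with 0x30 for the six-field `IoctlVerDCAPQuoteArg` — worth re-checking whenever either struct changes.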
@@ -12,11 +13,13 @@ cfg_if::cfg_if! {
 const IOCTL_GEN_DCAP_QUOTE: i32 = SGXIOC_GEN_DCAP_QUOTE as i32;
 const IOCTL_GET_DCAP_SUPPLEMENTAL_SIZE: i32 = SGXIOC_GET_DCAP_SUPPLEMENTAL_SIZE as i32;
 const IOCTL_VER_DCAP_QUOTE: i32 = SGXIOC_VER_DCAP_QUOTE as i32;
+ const IOCTL_CMD_NUM_KEY: i32 = SGXIOC_CMD_NUM_KEY as i32;
 } else {
 const IOCTL_GET_DCAP_QUOTE_SIZE: u64 = SGXIOC_GET_DCAP_QUOTE_SIZE;
 const IOCTL_GEN_DCAP_QUOTE: u64 = SGXIOC_GEN_DCAP_QUOTE;
 const IOCTL_GET_DCAP_SUPPLEMENTAL_SIZE: u64 = SGXIOC_GET_DCAP_SUPPLEMENTAL_SIZE;
 const IOCTL_VER_DCAP_QUOTE: u64 = SGXIOC_VER_DCAP_QUOTE;
+ const IOCTL_CMD_NUM_KEY: u64 = SGXIOC_CMD_NUM_KEY;
 }
 }
 
@@ -41,6 +44,14 @@ pub struct IoctlVerDCAPQuoteArg {
 pub supplemental_data: *mut u8, // Output (optional)
 }
 
+// Copy from occlum/src/libos/src/fs/dev_fs/dev_sgx/mod.rs
+//#[allow(dead_code)]
+#[repr(C)]
+pub struct IoctlGetKeyArg {
+ pub key_request: *const sgx_key_request_t, // Input
+ pub key: *mut sgx_key_128bit_t, // Output
+}
+
 pub struct DcapQuote {
 fd: c_int,
 quote_size: u32,
@@ -122,6 +133,17 @@ impl DcapQuote {
 }
 }
 
+ pub fn generate_key(&mut self, key_arg: *mut IoctlGetKeyArg) -> Result {
+ let ret = unsafe { libc::ioctl(self.fd, IOCTL_CMD_NUM_KEY, key_arg) };
+ if ret < 0 {
+ let os_err = Error::last_os_error();
+ println!("OS error: {os_err:?}");
+ Err(os_err)
+ } else {
+ Ok(0)
+ }
+ }
+
 pub fn close(&mut self) {
 unsafe { libc::close(self.fd) };
 }
diff --git a/tools/toolchains/dcap_lib/src/prelude.rs b/tools/toolchains/dcap_lib/src/prelude.rs
index 00e5c531..75747df2 100644
--- a/tools/toolchains/dcap_lib/src/prelude.rs
+++ b/tools/toolchains/dcap_lib/src/prelude.rs
@@ -4,5 +4,5 @@ pub use std::io::Error;
 
 // Defined in "occlum/deps/rust-sgx-sdk/sgx_types"
 pub use sgx_types::{
- sgx_ql_qv_result_t, sgx_quote3_t, sgx_quote_header_t, sgx_report_body_t, sgx_report_data_t,
+ sgx_ql_qv_result_t, sgx_quote3_t, sgx_quote_header_t, sgx_report_body_t, sgx_report_data_t, sgx_key_request_t, sgx_key_128bit_t,
 };
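Review bot: The commented-out `//#[allow(dead_code)]` above `IoctlGetKeyArg` is dead text — either the attribute is needed, in which case restore it with a reason, or it is not, in which case delete the line. Because the other side of the `SGXIOC_CMD_NUM_KEY` ioctl reads this struct by its memory layout, the `// Copy from …` comment should say that field order, types and `#[repr(C)]` must not change independently of that file, e.g. `// Layout must match IoctlGetKeyArg in occlum/src/libos/src/fs/dev_fs/dev_sgx/mod.rs; it is what the SGXIOC_CMD_NUM_KEY ioctl receives`.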
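Review bot: `generate_key` prints the OS error to stdout with `println!` from a library routine that C code reaches through `dcap_generate_key`, which then discards the `Err` via `unwrap_or(-1)`; stdout belongs to the host application and may be parsed or redirected, so use `eprintln!` or drop the print and leave reporting to the caller. The `unsafe { libc::ioctl(...) }` has no `// SAFETY:` comment; it should state that `key_arg` must point to a live `IoctlGetKeyArg` whose `key` and `key_request` pointers stay valid for the duration of the call, since nothing in this function checks `key_arg` for null. Taking `key_arg: &mut IoctlGetKeyArg` instead of `*mut` would let the compiler enforce the first part at the only call site (`&mut key_arg` in lib.rs) while still passing `key_arg as *mut IoctlGetKeyArg` to the ioctl. `ret` is only compared with 0, so returning `Ok(0)` is fine, but a doc comment saying the function yields `Ok(0)` on success and the `io::Error` from the ioctl otherwise would make the contract explicit.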