[Assignment-7] Flake + App base

- Add Assignment-7 to flake.nix
- Implement basic framework of app
- Implement proxy subcommand (mostly)
- Implement basics of intermediary subcommand

7-SGX_Hands-on/Makefile

@@ -8,7 +8,7 @@
 
 # Compiler
 CC = clang
-CFLAGS = -Wall -Wextra -Werror
+CFLAGS = -Wall -Wextra -Werror -I$(ENCLAVE_DIR) -I$(APP_DIR)
 LDFLAGS = 
 
 # Directories

7-SGX_Hands-on/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1719838683,
+        "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d032c1a6dfad4eedec7e35e91986becc699d7d69",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

7-SGX_Hands-on/flake.nix

@@ -0,0 +1,47 @@
+{
+    inputs = {
+        nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    };
+
+    outputs = { self, nixpkgs, ... }: 
+    let
+        lastModifiedDate = self.lastModifiedDate or self.lastModified or "19700101";
+        version = builtins.substring 0 8 lastModifiedDate;
+
+        nixpkgsFor = system: import nixpkgs { inherit system; overlays = [ self.overlay ]; };
+    in
+    {
+        overlay = final: prev: with final; {
+            signatureProxy = stdenv.mkDerivation {
+                pname = "SignatureProxy";
+                inherit version;
+
+                buildScript = ''
+                    make
+                '';
+
+                installScript = ''
+                    mkdir -p $out/bin
+                    cp app $out/bin
+                    cp enclave.so $out/bin
+                '';
+
+                nativeBuildInputs = with pkgs; [
+                    clang
+                    glibc
+                    sgx-sdk
+                    gmp.dev
+                    openssl.dev
+                    pkg-config
+                ];
+
+                env = {
+                    SGX_SDK = pkgs.sgx-sdk;
+                    SGX_MODE = "SIM";
+                };
+            };
+        };
+
+        defaultPackage."x86_64-linux" = (nixpkgsFor "x86_64-linux").signatureProxy;
+    };
+}

7-SGX_Hands-on/src/app/intermediary.c

@@ -0,0 +1,153 @@
+#include <errno.h>
+#include <sgx_urts.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "enclave.h"
+#include "intermediary.h"
+#include "util.h"
+
+#define HASH_BYTES 32
+#define HASH_CHUNK_BYTES 32
+#define KEY_BYTES 32
+
+struct IntermediaryArgs {
+    char* firmware_path;
+    char* key_path;
+    char* output_path;
+};
+
+char* intermediary_syntax(void) {
+    return 
+        "intermediary    mock up implementation of the employee binary\n"
+        "    -f <path>   file path to Firmware file\n"
+        "    -k <path>   key file path\n"
+        "    -o <path>   output file path\n";
+}
+
+int handle_intermediary(int argc, char** argv) {
+    struct IntermediaryArgs args = {
+        NULL,
+        NULL,
+        NULL
+    };
+    FILE* firmware_file;
+    FILE* key_file;
+    FILE* output_file;
+    //uint8_t firmware_hash[HASH_BYTES];
+    uint8_t firmware_chunk[HASH_CHUNK_BYTES];
+    uint8_t key[KEY_BYTES];
+    //EVP_MD_CTX *mdctx;
+    //const EVP_MD *md;
+    //unsigned char md_value[EVP_MAX_MD_SIZE];
+    //unsigned int md_len;
+
+    int i = 0;
+    while(i < argc) {
+        if(strcmp(argv[i], "-f")==0 && argc-i >=2){
+            args.firmware_path = argv[i+1];
+            i += 2;
+        }else if(strcmp(argv[i], "-k")==0 && argc-i >=2){
+            args.key_path = argv[i+1];
+            i += 2;
+        }else if(strcmp(argv[i], "-o")==0 && argc-i >=2){
+            args.output_path = argv[i+1];
+            i += 2;
+        }else
+            syntax_exit();
+    }
+
+    if(args.firmware_path == NULL || args.key_path == NULL || args.output_path == NULL)
+        syntax_exit();
+
+    firmware_file = fopen(args.firmware_path, "r");
+    if(firmware_file == NULL){
+        perror("Error opening firmware file");
+        exit(1);
+    }
+
+    /*
+    md = EVP_sha3_256();
+    mdctx = EVP_MD_CTX_new();
+    if (!EVP_DigestSignInit(mdctx, NULL, md, NULL, key)) {
+        fprintf(stderr, "Message digest initialization failed.\n");
+        EVP_MD_CTX_free(mdctx);
+        exit(1);
+    }
+    */
+
+    size_t chunk_len = HASH_CHUNK_BYTES;
+    while(chunk_len==HASH_CHUNK_BYTES) {
+        chunk_len = fread(&firmware_chunk, HASH_CHUNK_BYTES, 1, firmware_file);
+        if(chunk_len!=HASH_CHUNK_BYTES&&ferror(firmware_file)!=0){
+            perror("Failed to read firmware file");
+            exit(1);
+        }
+
+        /*
+        if (!EVP_DigestSignUpdate(mdctx, firmware_chunk, chunk_len)) {
+            printf("Message digest update failed.\n");
+            EVP_MD_CTX_free(mdctx);
+            exit(1);
+        }
+        */
+    }
+
+    /*
+    if (!EVP_DigestSignFinal_ex(mdctx, md_value, &md_len)) {
+        printf("Message digest finalization failed.\n");
+        EVP_MD_CTX_free(mdctx);
+        exit(1);
+    }
+    EVP_MD_CTX_free(mdctx);
+
+    printf("Digest is: ");
+    for (i = 0; i < md_len; i++)
+        printf("%02x", md_value[i]);
+    printf("\n");
+    */
+
+    key_file = fopen(args.key_path, "r");
+    if(key_file == NULL){
+        perror("Error opening key file");
+        exit(1);
+    }
+
+    size_t key_len = fread(&key, 1, KEY_BYTES, key_file);
+    if(ferror(key_file)!=0){
+        perror("Failed to read key");
+        exit(1);
+    }
+    if(key_len != KEY_BYTES){
+        fprintf(stderr, "invalid key length\n");
+        exit(1);
+    }
+
+    //eckey = EC_KEY_new_by_curve_name(NID_secp256r1);
+    //if(eckey == NULL) {
+    //    fprintf(stderr, "failed to initialize SECP256R1 key\n");
+    //    exit(1);
+    //}
+
+    //if (!EC_KEY_generate_key(eckey)) {
+    //    fprintf(stderr, "failed to generate key\n");
+    //    exit(1);
+    //}
+
+    //sig = ECDSA_do_sign(md_value, md_len, eckey);
+    //if (sig == NULL){
+    //    fprintf(stderr, "failed to sign firmware hash\n");
+    //    exit(1);
+    //}
+
+    output_file = fopen(args.output_path, "w");
+    if(output_file == NULL){
+        perror("Error opening output file");
+        exit(1);
+    }
+
+    printf("intermediary %s %s %s", args.firmware_path, args.key_path, args.output_path);
+    exit(0);
+}

7-SGX_Hands-on/src/app/intermediary.h

@@ -0,0 +1,23 @@
+#ifndef _APP_INTERMEDIARY_H_
+#define _APP_INTERMEDIARY_H_
+
+
+/*
+ * @brief getter for intermediary subcommand syntax string
+ *
+ * @returns null-terminated syntax string
+ */
+char* intermediary_syntax(void);
+
+/*
+ * @brief CLI implementation for the "intermediary" subcommand
+ *
+ * @param argc number of arguments with command and subcommand stripped
+ * @param argv arguments with command and subcommand stripped
+ *
+ * @returns 0 on success, else error with output on stderr
+ */
+int handle_intermediary(int argc, char** argv);
+
+
+#endif

7-SGX_Hands-on/src/app/main.c

@@ -0,0 +1,24 @@
+#include <errno.h>
+#include <string.h>
+
+#include "intermediary.h"
+#include "proxy.h"
+#include "util.h"
+
+
+int main(int argc, char** argv) {
+    if(argc < 1)
+        syntax_exit();
+    BIN_NAME = argv[0];
+    if(argc < 2)
+        syntax_exit();
+
+    char* command = argv[1];
+
+    if(strcmp(command, "intermediary")==0)
+        handle_intermediary(argc-2, argv+2);
+    else if (strcmp(command, "proxy")==0)
+        handle_proxy(argc-2, argv+2);
+    else
+        syntax_exit();
+}

7-SGX_Hands-on/src/app/proxy.c

@@ -0,0 +1,235 @@
+#include <errno.h>
+#include <sgx_urts.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "enclave.h"
+#include "proxy.h"
+#include "util.h"
+
+sgx_enclave_id_t global_eid = 0;
+
+struct ProxyArgs {
+    char* input_path;
+    char* output_path;
+    char* sealed_key_file_path;
+    char* sgx_token_path;
+};
+
+typedef struct _sgx_errlist_t {
+    sgx_status_t err;
+    const char *msg;
+    const char *sug; /* Suggestion */
+} sgx_errlist_t;
+
+/* Error code returned by sgx_create_enclave */
+static sgx_errlist_t sgx_errlist[] = {
+    {
+        SGX_ERROR_UNEXPECTED,
+        "Unexpected error occurred.",
+        NULL
+    },
+    {
+        SGX_ERROR_INVALID_PARAMETER,
+        "Invalid parameter.",
+        NULL
+    },
+    {
+        SGX_ERROR_OUT_OF_MEMORY,
+        "Out of memory.",
+        NULL
+    },
+    {
+        SGX_ERROR_ENCLAVE_LOST,
+        "Power transition occurred.",
+        "Please refer to the sample \"PowerTransition\" for details."
+    },
+    {
+        SGX_ERROR_INVALID_ENCLAVE,
+        "Invalid enclave image.",
+        NULL
+    },
+    {
+        SGX_ERROR_INVALID_ENCLAVE_ID,
+        "Invalid enclave identification.",
+        NULL
+    },
+    {
+        SGX_ERROR_INVALID_SIGNATURE,
+        "Invalid enclave signature.",
+        NULL
+    },
+    {
+        SGX_ERROR_OUT_OF_EPC,
+        "Out of EPC memory.",
+        NULL
+    },
+    {
+        SGX_ERROR_NO_DEVICE,
+        "Invalid SGX device.",
+        "Please make sure SGX module is enabled in the BIOS, and install SGX driver afterwards."
+    },
+    {
+        SGX_ERROR_MEMORY_MAP_CONFLICT,
+        "Memory map conflicted.",
+        NULL
+    },
+    {
+        SGX_ERROR_INVALID_METADATA,
+        "Invalid enclave metadata.",
+        NULL
+    },
+    {
+        SGX_ERROR_DEVICE_BUSY,
+        "SGX device was busy.",
+        NULL
+    },
+    {
+        SGX_ERROR_INVALID_VERSION,
+        "Enclave version was invalid.",
+        NULL
+    },
+    {
+        SGX_ERROR_INVALID_ATTRIBUTE,
+        "Enclave was not authorized.",
+        NULL
+    },
+    {
+        SGX_ERROR_ENCLAVE_FILE_ACCESS,
+        "Can't open enclave file.",
+        NULL
+    },
+};
+
+/* Check error conditions for loading enclave */
+static void print_error_message(sgx_status_t ret)
+{
+    size_t idx = 0;
+    size_t ttl = sizeof sgx_errlist/sizeof sgx_errlist[0];
+
+    for (idx = 0; idx < ttl; idx++) {
+        if(ret == sgx_errlist[idx].err) {
+            if(NULL != sgx_errlist[idx].sug)
+                printf("Info: %s\n", sgx_errlist[idx].sug);
+            printf("Error: %s\n", sgx_errlist[idx].msg);
+            break;
+        }
+    }
+    
+    if (idx == ttl)
+    	printf("Error code is 0x%X. Please refer to the \"Intel SGX SDK Developer Reference\" for more details.\n", ret);
+}
+
+static int initialize_enclave(char* token_path) {
+    FILE* sgx_token_file;
+    sgx_launch_token_t token = {0};
+    sgx_status_t ret;
+    int updated = 0;
+
+    sgx_token_file = fopen(token_path, "r");
+    if(sgx_token_file == NULL){
+        perror("Error opening sgx token file");
+        exit(1);
+    }
+
+    size_t read_num = fread(token, 1, sizeof(sgx_launch_token_t), sgx_token_file);
+    if (read_num != 0 && read_num != sizeof(sgx_launch_token_t)) {
+        fprintf(stderr, "sgx token file is corrupted");
+        return (1);
+    }
+
+   ret = sgx_create_enclave("enclave.so", SGX_DEBUG_FLAG, &token, &updated, &global_eid, NULL);
+    if (ret != SGX_SUCCESS) {
+        print_error_message(ret);
+        return (1);
+    }
+
+    if (updated) {
+        sgx_token_file = freopen(token_path, "w", sgx_token_file);
+        if(sgx_token_file == NULL){
+            perror("Error opening sgx token file");
+            return (1);
+        }
+        size_t write_num = fwrite(token, 1, sizeof(sgx_launch_token_t), sgx_token_file);
+        if (write_num != sizeof(sgx_launch_token_t)){
+            fprintf(stderr,"Warning: Failed to save launch token to \"%s\".\n", token_path);
+            return (1);
+        }
+    }
+    return (0);
+}
+
+char* proxy_syntax(void) {
+    return
+        "proxy           implementation of the enclave-powered SignatureProxy\n"
+        "    -i <path>   file path to the intermediary output(signature of firmware)\n"
+        "    -o <path>   output path of the signature\n"
+        "    -s <path>   file path of the sealed proxy key\n"
+        "    -t <path>   file path of the sgx token\n";
+}
+
+int handle_proxy(int argc, char** argv) {
+    struct ProxyArgs args = {
+        NULL,
+        NULL,
+        NULL,
+        NULL
+    };
+    FILE* input_file;
+    FILE* output_file;
+    FILE* sealed_key_file;
+
+    int i = 0;
+    while(i < argc) {
+        if(strcmp(argv[i], "-i")==0 && argc-i >=2){
+            args.input_path = argv[i+1];
+            i += 2;
+        }else if(strcmp(argv[i], "-o")==0 && argc-i >=2){
+            args.output_path = argv[i+1];
+            i += 2;
+        }else if(strcmp(argv[i], "-s")==0 && argc-i >=2){
+            args.sealed_key_file_path = argv[i+1];
+            i += 2;
+        }else if(strcmp(argv[i], "-t")==0 && argc-i >=2){
+            args.sgx_token_path = argv[i+1];
+            i += 2;
+        }else
+            syntax_exit();
+    }
+
+    if(args.input_path == NULL || args.output_path == NULL || args.sealed_key_file_path == NULL || args.sgx_token_path == NULL)
+        syntax_exit();
+
+    input_file = fopen(args.input_path, "r");
+    if(input_file == NULL){
+        perror("Error opening input file");
+        exit(1);
+    }
+
+    output_file = fopen(args.output_path, "w");
+    if(output_file == NULL){
+        perror("Error opening output file");
+        exit(1);
+    }
+
+    //TODO read input -> calculate size of input (ECDSA of SHA3-256 of Firmware File, generated by intermediary)
+    //TODO read sealed key -> calculate size or dynamic alloc
+
+    sealed_key_file = fopen(args.sealed_key_file_path, "w");
+    if(sealed_key_file == NULL){
+        perror("Error opening sealed_key_file file");
+        exit(1);
+    }
+
+    if (initialize_enclave(args.sgx_token_path) != 0)
+        exit(1);
+
+    //TODO call enclave -> refactor interface to do verify and sign in one call to avoid trip through "untrusted" land.
+
+    //TODO store sealed key if changed
+    //TODO write output
+
+    printf("proxy %s %s", args.input_path, args.output_path);
+    exit(0);
+}

7-SGX_Hands-on/src/app/proxy.h

@@ -0,0 +1,23 @@
+#ifndef _APP_PROXY_H_
+#define _APP_PROXY_H_
+
+
+/*
+ * @brief getter for proxy subcommand syntax string
+ *
+ * @returns null-terminated syntax string
+ */
+char* proxy_syntax(void);
+
+/*
+ * @brief CLI implementation for the "proxy" subcommand
+ *
+ * @param argc number of arguments with command and subcommand stripped
+ * @param argv arguments with command and subcommand stripped
+ *
+ * @returns 0 on success, else error with output on stderr
+ */
+int handle_proxy(int argc, char** argv);
+
+
+#endif

7-SGX_Hands-on/src/app/test.c

@@ -0,0 +1,3 @@
+int main() {
+    return (0);
+}

7-SGX_Hands-on/src/app/util.c

@@ -0,0 +1,23 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "util.h"
+#include "proxy.h"
+#include "intermediary.h"
+
+
+char* BIN_NAME = "SignatureProxy";
+
+void syntax_exit(void) {
+    char* syntax =
+        "SignatureProxy Version 0.0.0\n"
+        "Syntax: %s <command> <arguments>\n"
+        "\n"
+        "Commands:\n"
+        "%s"
+        "\n"
+        "%s";
+
+    printf(syntax, BIN_NAME, intermediary_syntax(), proxy_syntax());
+    exit(1);
+}

7-SGX_Hands-on/src/app/util.h

@@ -0,0 +1,13 @@
+#ifndef _APP_UTIL_H_
+#define _APP_UTIL_H_
+
+
+char* BIN_NAME;
+
+/*
+ * @brief prints the command syntax and exits with EXIT_FAILURE
+ */
+void syntax_exit(void);
+
+
+#endif

7-SGX_Hands-on/src/enclave/enclave.c

@@ -263,4 +263,4 @@ sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint
     // close handle and return result
     sgx_ecc256_close_context(ecc_handle);
     return result;
-}
+}

Assignment 7 - SGX Hands-on/src/app/main.c

@@ -1,7 +0,0 @@
-
-#include <stdio.h>
-
-int main() {
-  printf("Hello World");
-}
-

flake.nix

@@ -25,6 +25,11 @@
     texPackages = pkgs: pkgs.texlive.combine {
         inherit (pkgs.texlive) scheme-full latex-bin latexmk;
       };
+
+    lastModifiedDate = self.lastModifiedDate or self.lastModified or "19700101";
+    version = builtins.substring 0 8 lastModifiedDate;
+
+    nixpkgsFor = system: import nixpkgs { inherit system; overlays = [ self.overlay ]; };
   in rec {
     packages = forAllSystems({system, pkgs}: forAllAssignments(assignment: let
       tex = texPackages pkgs;
@@ -48,7 +53,9 @@
       };
     in document) // {
       default = packages.${system}.${pkgs.lib.last assignments};
-    });
+    }) // {
+        "x86_64-linux"."Assignment 7" = (nixpkgsFor "x86_64-linux").signatureProxy;
+    };
 
     devShells = forAllSystems({pkgs, ...}: let
       tex = texPackages pkgs;
@@ -58,7 +65,41 @@
       };
     });
 
+    overlay = final: prev: with final; {
+        signatureProxy = stdenv.mkDerivation {
+            pname = "SignatureProxy";
+            inherit version;
+
+            src = ./7-SGX_Hands-on;
+
+            buildScript = ''
+                make
+            '';
+
+            installScript = ''
+                mkdir -p $out/bin
+                cp app $out/bin
+                cp enclave.so $out/bin
+            '';
+
+            nativeBuildInputs = with pkgs; [
+                clang
+                glibc
+                sgx-sdk
+                gmp.dev
+                openssl.dev
+                pkg-config
+            ];
+
+            env = {
+                SGX_SDK = pkgs.sgx-sdk;
+                SGX_MODE = "SIM";
+            };
+        };
+    };
+
     hydraJobs = packages;
   };
+
 }