RubNoobs/Systemsicherheit
RubNoobs/Systemsicherheit
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: RubNoobs:0bde67b1d1e5ea2c647eed3a652a48a940bd5d81
Branches Tags
RubNoobs:master
RubNoobs:Assignment-7
RubNoobs:Assignment-7-sgximpl
RubNoobs:Assignment-6
RubNoobs:Assignment-5
RubNoobs:citest
...
compare: RubNoobs:daec66f6a86b3664a09e9fddf81c254bfb29bdc1
Branches Tags
RubNoobs:master
RubNoobs:Assignment-7
RubNoobs:Assignment-7-sgximpl
RubNoobs:Assignment-6
RubNoobs:Assignment-5
RubNoobs:citest

5 commits
0bde67b1d1 ... daec66f6a8

Author SHA1 Message Date
Sascha Tommasone
daec66f6a8
[Assignment-7] update verify_firmware
All checks were successful
Latex Build / build-latex (Assignment 4 - Protokollsicherheit (Praxis)) (push) Successful in 1m4s
Latex Build / build-latex (Assignment 5 - Software Security - Teil 1) (push) Successful in 1m1s
Latex Build / build-latex (Assignment 6 - Software Security - Teil 2) (push) Successful in 59s
Latex Build / build-latex (Assignment 4 - Protokollsicherheit (Praxis)) (pull_request) Successful in 31s
Latex Build / build-latex (Assignment 5 - Software Security - Teil 1) (pull_request) Successful in 9s
Latex Build / build-latex (Assignment 6 - Software Security - Teil 2) (pull_request) Successful in 8s
 2024-07-03 17:03:16 +02:00
Sascha Tommasone
a08e4614c6
[Assignment-7] update sign_firmware 2024-07-03 17:00:36 +02:00
Sascha Tommasone
cb9917f7b4
[Assignment-7] new function 'static sgx_status_t verify_signature' 2024-07-03 16:57:53 +02:00
Sascha Tommasone
1a9db0a0f3
[Assignment-7] (un)seal_key_pair now static functions 2024-07-03 16:57:08 +02:00
Sascha Tommasone
0c6d015cf5
[Assignment-7] authorized public keys 2024-07-03 16:56:09 +02:00
1 changed files with 80 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

112
7-SGX_Hands-on/src/enclave/enclave.c
View file

@ -53,6 +53,17 @@
#define SI_SIZE 2*SK_SIZE #define SI_SIZE 2*SK_SIZE
#endif #endif
const sgx_ec256_public_t authorized[2] = {
{
0,
0
},
{
0,
0
}
};
int get_sealed_size() { int get_sealed_size() {
return sgx_calc_sealed_data_size(PK_SIZE, SK_SIZE); return sgx_calc_sealed_data_size(PK_SIZE, SK_SIZE);
} }
@ -69,7 +80,7 @@ int get_private_key_size() {
return SK_SIZE; return SK_SIZE;
} }
sgx_status_t seal_key_pair(sgx_ec256_private_t *private, sgx_ec256_public_t *public, uint8_t **sealed, uint32_t sealed_size) { static sgx_status_t seal_key_pair(sgx_ec256_private_t *private, sgx_ec256_public_t *public, uint8_t **sealed, uint32_t sealed_size) {
// invalid parameter handling // invalid parameter handling
if((private == NULL) || (public == NULL)) if((private == NULL) || (public == NULL))
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
@ -92,7 +103,7 @@ sgx_status_t seal_key_pair(sgx_ec256_private_t *private, sgx_ec256_public_t *pub
return sgx_seal_data(PK_SIZE, (const uint8_t *)pk, SK_SIZE, (const uint8_t *)sk, size, (sgx_sealed_data_t *) *sealed); return sgx_seal_data(PK_SIZE, (const uint8_t *)pk, SK_SIZE, (const uint8_t *)sk, size, (sgx_sealed_data_t *) *sealed);
} }
sgx_status_t unseal_key_pair(const uint8_t *sealed, sgx_ec256_private_t *private, sgx_ec256_public_t *public) { static sgx_status_t unseal_key_pair(const uint8_t *sealed, sgx_ec256_private_t *private, sgx_ec256_public_t *public) {
// invalid parameter handling // invalid parameter handling
if(sealed == NULL) { if(sealed == NULL) {
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
@ -150,15 +161,62 @@ sgx_status_t get_public_key(const uint8_t *sealed, uint32_t sealed_size, uint8_t
return status; return status;
} }
sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sealed, uint32_t sealed_size, uint8_t *signature, uint32_t signature_size) { static sgx_status_t verify_signature(const uint8_t *data, const uint32_t data_size, const sgx_ec256_public_t *public, const sgx_ec256_signature_t* ecc_signature) {
// invalid parameter handling
if((data == NULL) || (data_size == 0)) {
return SGX_ERROR_INVALID_PARAMETER;
} else if(public == NULL) {
return SGX_ERROR_INVALID_PARAMETER;
} else if(ecc_signature == NULL) {
return SGX_ERROR_INVALID_PARAMETER;
}
// declare needed structure
sgx_ecc_state_handle_t ecc_handle;
// open ecc handle
sgx_status_t status;
if((status = sgx_ecc256_open_context(&ecc_handle)) != SGX_SUCCESS) {
return status;
}
// verify signature
uint8_t result;
sgx_status_t verification_status = sgx_ecdsa_verify(data, data_size, public, ecc_signature, &result, ecc_handle);
// handle failed verification process
if(verification_status != SGX_SUCCESS) {
result = verification_status;
}
// close context and return valid signature
sgx_ecc256_close_context(ecc_handle);
return result;
}
sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sealed, uint32_t sealed_size, const uint8_t *public_key, uint32_t public_key_size, uint8_t *signature, uint32_t signature_size) {
// invalid parameter handling // invalid parameter handling
if((data == NULL) || (data_size == 0)) { if((data == NULL) || (data_size == 0)) {
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
} else if((sealed == NULL) || (sealed_size == 0)) { } else if((sealed == NULL) || (sealed_size == 0)) {
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
} else if((public_key == NULL) || (public_key_size != PK_SIZE)) {
return SGX_ERROR_INVALID_PARAMETER;
} }
// verify public key
for(size_t i = 0; i < sizeof(authorized)/sizeof(authorized[0]); i++) {
if(memcmp(public_key, authorized[i].gx, PK_SIZE) != 0) {
continue;
}
goto sign;
}
return SGX_ERROR_UNEXPECTED;
sign: ;
// declare need structures // declare need structures
sgx_ec256_signature_t ecc_signature;
sgx_ecc_state_handle_t ecc_handle; sgx_ecc_state_handle_t ecc_handle;
sgx_ec256_private_t private; sgx_ec256_private_t private;
sgx_ec256_public_t public; sgx_ec256_public_t public;
@ -169,6 +227,13 @@ sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sea
return status; return status;
} }
// verify request
/*
if((status = verify_signature(data, data_size, (const sgx_ec256_public_t *)public_key, (const sgx_ec256_signature_t *)signature)) != SGX_EC_VALID) {
sgx_ecc256_close_context(ecc_handle);
return status;
}*/
// try unseal keypair // try unseal keypair
sgx_status_t seal_status; sgx_status_t seal_status;
if(seal_status = unseal_key_pair(sealed, &private, NULL) != SGX_SUCCESS) { if(seal_status = unseal_key_pair(sealed, &private, NULL) != SGX_SUCCESS) {
@ -179,7 +244,6 @@ sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sea
} }
// create signature // create signature
sgx_ec256_signature_t ecc_signature;
if((status = sgx_ecdsa_sign(data, data_size, &private, &ecc_signature, ecc_handle)) != SGX_SUCCESS) { if((status = sgx_ecdsa_sign(data, data_size, &private, &ecc_signature, ecc_handle)) != SGX_SUCCESS) {
sgx_ecc256_close_context(ecc_handle); sgx_ecc256_close_context(ecc_handle);
return status; return status;
@ -215,25 +279,15 @@ sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
} }
// declare need structures // declare needed structures
sgx_ec256_signature_t ecc_signature;
sgx_ecc_state_handle_t ecc_handle;
sgx_ec256_public_t public; sgx_ec256_public_t public;
sgx_status_t status;
// invalid signature // invalid signature
if(signature_size > SI_SIZE) { if(signature_size > SI_SIZE) {
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
} }
// open ecc handle
sgx_status_t status;
if((status = sgx_ecc256_open_context(&ecc_handle)) != SGX_SUCCESS) {
return status;
}
// copy signature into struct
memcpy(ecc_signature.x, signature, SI_SIZE);
// verify signature from staff or enclave // verify signature from staff or enclave
if(public_key != NULL) { if(public_key != NULL) {
// invalid public key // invalid public key
@ -241,26 +295,20 @@ sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
} }
// verification only with authorized public keys
for(size_t i = 0; i < sizeof(authorized)/sizeof(authorized[0]); i++) {
}
// copy public key into struct // copy public key into struct
memcpy(public.gx, public_key, PK_SIZE); memcpy(public.gx, public_key, PK_SIZE);
} else { } else {
// unseal public key // unseal public key
if(unseal_key_pair(sealed, NULL, &public) != SGX_SUCCESS) { if((status = unseal_key_pair(sealed, NULL, &public)) != SGX_SUCCESS) {
sgx_ecc256_close_context(ecc_handle); return status;
return SGX_ERROR_UNEXPECTED;
} }
} }
// verify signature // verify signature and return result
uint8_t result; return verify_signature(data, data_size, &public, (const sgx_ec256_signature_t *)signature);
sgx_status_t verification_status = sgx_ecdsa_verify((const uint8_t *)data, data_size, (const sgx_ec256_public_t *)&public, (const sgx_ec256_signature_t *)&ecc_signature, &result, ecc_handle); }
// handle failed verification process
if(verification_status != SGX_SUCCESS) {
result = verification_status;
}
// close handle and return result
sgx_ecc256_close_context(ecc_handle);
return result;
}