From 0c6d015cf510ae66a5b4090855bb851db844ae59 Mon Sep 17 00:00:00 2001 From: Sascha Tommasone Date: Wed, 3 Jul 2024 16:56:09 +0200 Subject: [PATCH 1/5] [Assignment-7] authorized public keys --- 7-SGX_Hands-on/src/enclave/enclave.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/7-SGX_Hands-on/src/enclave/enclave.c b/7-SGX_Hands-on/src/enclave/enclave.c index 14f6a8a..2c62e70 100644 --- a/7-SGX_Hands-on/src/enclave/enclave.c +++ b/7-SGX_Hands-on/src/enclave/enclave.c @@ -53,6 +53,17 @@ #define SI_SIZE 2*SK_SIZE #endif +const sgx_ec256_public_t authorized[2] = { + { + 0, + 0 + }, + { + 0, + 0 + } +}; + int get_sealed_size() { return sgx_calc_sealed_data_size(PK_SIZE, SK_SIZE); } From 1a9db0a0f313c7e212e3e4a3d418089708c50fc8 Mon Sep 17 00:00:00 2001 From: Sascha Tommasone Date: Wed, 3 Jul 2024 16:57:08 +0200 Subject: [PATCH 2/5] [Assignment-7] (un)seal_key_pair now static functions --- 7-SGX_Hands-on/src/enclave/enclave.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/7-SGX_Hands-on/src/enclave/enclave.c b/7-SGX_Hands-on/src/enclave/enclave.c index 2c62e70..08cdee1 100644 --- a/7-SGX_Hands-on/src/enclave/enclave.c +++ b/7-SGX_Hands-on/src/enclave/enclave.c @@ -80,7 +80,7 @@ int get_private_key_size() { return SK_SIZE; } -sgx_status_t seal_key_pair(sgx_ec256_private_t *private, sgx_ec256_public_t *public, uint8_t **sealed, uint32_t sealed_size) { +static sgx_status_t seal_key_pair(sgx_ec256_private_t *private, sgx_ec256_public_t *public, uint8_t **sealed, uint32_t sealed_size) { // invalid parameter handling if((private == NULL) || (public == NULL)) return SGX_ERROR_INVALID_PARAMETER; @@ -103,7 +103,7 @@ sgx_status_t seal_key_pair(sgx_ec256_private_t *private, sgx_ec256_public_t *pub return sgx_seal_data(PK_SIZE, (const uint8_t *)pk, SK_SIZE, (const uint8_t *)sk, size, (sgx_sealed_data_t *) *sealed); } -sgx_status_t unseal_key_pair(const uint8_t *sealed, sgx_ec256_private_t *private, sgx_ec256_public_t *public) { +static sgx_status_t unseal_key_pair(const uint8_t *sealed, sgx_ec256_private_t *private, sgx_ec256_public_t *public) { // invalid parameter handling if(sealed == NULL) { return SGX_ERROR_INVALID_PARAMETER; From cb9917f7b40256b936c7b59511a9f14741055d90 Mon Sep 17 00:00:00 2001 From: Sascha Tommasone Date: Wed, 3 Jul 2024 16:57:53 +0200 Subject: [PATCH 3/5] [Assignment-7] new function 'static sgx_status_t verify_signature' --- 7-SGX_Hands-on/src/enclave/enclave.c | 33 ++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/7-SGX_Hands-on/src/enclave/enclave.c b/7-SGX_Hands-on/src/enclave/enclave.c index 08cdee1..50bb056 100644 --- a/7-SGX_Hands-on/src/enclave/enclave.c +++ b/7-SGX_Hands-on/src/enclave/enclave.c @@ -161,6 +161,39 @@ sgx_status_t get_public_key(const uint8_t *sealed, uint32_t sealed_size, uint8_t return status; } +static sgx_status_t verify_signature(const uint8_t *data, const uint32_t data_size, const sgx_ec256_public_t *public, const sgx_ec256_signature_t* ecc_signature) { + // invalid parameter handling + if((data == NULL) || (data_size == 0)) { + return SGX_ERROR_INVALID_PARAMETER; + } else if(public == NULL) { + return SGX_ERROR_INVALID_PARAMETER; + } else if(ecc_signature == NULL) { + return SGX_ERROR_INVALID_PARAMETER; + } + + // declare needed structure + sgx_ecc_state_handle_t ecc_handle; + + // open ecc handle + sgx_status_t status; + if((status = sgx_ecc256_open_context(&ecc_handle)) != SGX_SUCCESS) { + return status; + } + + // verify signature + uint8_t result; + sgx_status_t verification_status = sgx_ecdsa_verify(data, data_size, public, ecc_signature, &result, ecc_handle); + + // handle failed verification process + if(verification_status != SGX_SUCCESS) { + result = verification_status; + } + + // close context and return valid signature + sgx_ecc256_close_context(ecc_handle); + return result; +} + sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sealed, uint32_t sealed_size, uint8_t *signature, uint32_t signature_size) { // invalid parameter handling if((data == NULL) || (data_size == 0)) { From a08e4614c6a4cf1871fba14e832146e8bfc860cd Mon Sep 17 00:00:00 2001 From: Sascha Tommasone Date: Wed, 3 Jul 2024 17:00:36 +0200 Subject: [PATCH 4/5] [Assignment-7] update sign_firmware --- 7-SGX_Hands-on/src/enclave/enclave.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/7-SGX_Hands-on/src/enclave/enclave.c b/7-SGX_Hands-on/src/enclave/enclave.c index 50bb056..9db5931 100644 --- a/7-SGX_Hands-on/src/enclave/enclave.c +++ b/7-SGX_Hands-on/src/enclave/enclave.c @@ -194,15 +194,29 @@ static sgx_status_t verify_signature(const uint8_t *data, const uint32_t data_si return result; } -sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sealed, uint32_t sealed_size, uint8_t *signature, uint32_t signature_size) { +sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sealed, uint32_t sealed_size, const uint8_t *public_key, uint32_t public_key_size, uint8_t *signature, uint32_t signature_size) { // invalid parameter handling if((data == NULL) || (data_size == 0)) { return SGX_ERROR_INVALID_PARAMETER; } else if((sealed == NULL) || (sealed_size == 0)) { return SGX_ERROR_INVALID_PARAMETER; + } else if((public_key == NULL) || (public_key_size != PK_SIZE)) { + return SGX_ERROR_INVALID_PARAMETER; } + + // verify public key + for(size_t i = 0; i < sizeof(authorized)/sizeof(authorized[0]); i++) { + if(memcmp(public_key, authorized[i].gx, PK_SIZE) != 0) { + continue; + } + goto sign; + } + return SGX_ERROR_UNEXPECTED; + sign: ; + // declare need structures + sgx_ec256_signature_t ecc_signature; sgx_ecc_state_handle_t ecc_handle; sgx_ec256_private_t private; sgx_ec256_public_t public; @@ -213,6 +227,13 @@ sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sea return status; } + // verify request + /* + if((status = verify_signature(data, data_size, (const sgx_ec256_public_t *)public_key, (const sgx_ec256_signature_t *)signature)) != SGX_EC_VALID) { + sgx_ecc256_close_context(ecc_handle); + return status; + }*/ + // try unseal keypair sgx_status_t seal_status; if(seal_status = unseal_key_pair(sealed, &private, NULL) != SGX_SUCCESS) { @@ -223,7 +244,6 @@ sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sea } // create signature - sgx_ec256_signature_t ecc_signature; if((status = sgx_ecdsa_sign(data, data_size, &private, &ecc_signature, ecc_handle)) != SGX_SUCCESS) { sgx_ecc256_close_context(ecc_handle); return status; From daec66f6a86b3664a09e9fddf81c254bfb29bdc1 Mon Sep 17 00:00:00 2001 From: Sascha Tommasone Date: Wed, 3 Jul 2024 17:03:16 +0200 Subject: [PATCH 5/5] [Assignment-7] update verify_firmware --- 7-SGX_Hands-on/src/enclave/enclave.c | 40 +++++++++------------------- 1 file changed, 12 insertions(+), 28 deletions(-) diff --git a/7-SGX_Hands-on/src/enclave/enclave.c b/7-SGX_Hands-on/src/enclave/enclave.c index 9db5931..db96ec4 100644 --- a/7-SGX_Hands-on/src/enclave/enclave.c +++ b/7-SGX_Hands-on/src/enclave/enclave.c @@ -279,25 +279,15 @@ sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint return SGX_ERROR_INVALID_PARAMETER; } - // declare need structures - sgx_ec256_signature_t ecc_signature; - sgx_ecc_state_handle_t ecc_handle; + // declare needed structures sgx_ec256_public_t public; + sgx_status_t status; // invalid signature if(signature_size > SI_SIZE) { return SGX_ERROR_INVALID_PARAMETER; } - // open ecc handle - sgx_status_t status; - if((status = sgx_ecc256_open_context(&ecc_handle)) != SGX_SUCCESS) { - return status; - } - - // copy signature into struct - memcpy(ecc_signature.x, signature, SI_SIZE); - // verify signature from staff or enclave if(public_key != NULL) { // invalid public key @@ -305,26 +295,20 @@ sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint return SGX_ERROR_INVALID_PARAMETER; } + // verification only with authorized public keys + for(size_t i = 0; i < sizeof(authorized)/sizeof(authorized[0]); i++) { + + } + // copy public key into struct memcpy(public.gx, public_key, PK_SIZE); } else { // unseal public key - if(unseal_key_pair(sealed, NULL, &public) != SGX_SUCCESS) { - sgx_ecc256_close_context(ecc_handle); - return SGX_ERROR_UNEXPECTED; + if((status = unseal_key_pair(sealed, NULL, &public)) != SGX_SUCCESS) { + return status; } } - // verify signature - uint8_t result; - sgx_status_t verification_status = sgx_ecdsa_verify((const uint8_t *)data, data_size, (const sgx_ec256_public_t *)&public, (const sgx_ec256_signature_t *)&ecc_signature, &result, ecc_handle); - - // handle failed verification process - if(verification_status != SGX_SUCCESS) { - result = verification_status; - } - - // close handle and return result - sgx_ecc256_close_context(ecc_handle); - return result; -} + // verify signature and return result + return verify_signature(data, data_size, &public, (const sgx_ec256_signature_t *)signature); +} \ No newline at end of file