Assignment 7 #4
7 changed files with 182 additions and 155 deletions
|
@ -74,8 +74,8 @@ else
|
||||||
Urts_Library_Name := sgx_urts
|
Urts_Library_Name := sgx_urts
|
||||||
endif
|
endif
|
||||||
|
|
||||||
App_C_Files := App/App.c
|
App_C_Files := app/main.c app/proxy.c app/intermediary.c app/util.c
|
||||||
App_Include_Paths := -IInclude -IApp -I$(SGX_SDK)/include
|
App_Include_Paths := -IInclude -Iapp -I$(SGX_SDK)/include
|
||||||
|
|
||||||
App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
|
App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
|
||||||
|
|
||||||
|
@ -91,7 +91,8 @@ else
|
||||||
App_C_Flags += -DNDEBUG -UEDEBUG -UDEBUG
|
App_C_Flags += -DNDEBUG -UEDEBUG -UDEBUG
|
||||||
endif
|
endif
|
||||||
|
|
||||||
App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
|
Openssl_Link_Flags = `pkg-config --libs openssl`
|
||||||
|
App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread $(Openssl_Link_Flags)
|
||||||
|
|
||||||
ifneq ($(SGX_MODE), HW)
|
ifneq ($(SGX_MODE), HW)
|
||||||
App_Link_Flags += -lsgx_uae_service_sim
|
App_Link_Flags += -lsgx_uae_service_sim
|
||||||
|
@ -101,7 +102,7 @@ endif
|
||||||
|
|
||||||
App_C_Objects := $(App_C_Files:.c=.o)
|
App_C_Objects := $(App_C_Files:.c=.o)
|
||||||
|
|
||||||
App_Name := app
|
App_Name := signatureproxy
|
||||||
|
|
||||||
|
|
||||||
######## Enclave Settings ########
|
######## Enclave Settings ########
|
||||||
|
@ -115,8 +116,8 @@ else
|
||||||
endif
|
endif
|
||||||
Crypto_Library_Name := sgx_tcrypto
|
Crypto_Library_Name := sgx_tcrypto
|
||||||
|
|
||||||
Enclave_C_Files := Enclave/Enclave.c
|
Enclave_C_Files := enclave/enclave.c
|
||||||
Enclave_Include_Paths := -IInclude -IEnclave -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/libcxx
|
Enclave_Include_Paths := -IInclude -Ienclave -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/libcxx
|
||||||
|
|
||||||
CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
|
CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
|
||||||
ifeq ($(CC_BELOW_4_9), 1)
|
ifeq ($(CC_BELOW_4_9), 1)
|
||||||
|
@ -141,13 +142,13 @@ Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefau
|
||||||
-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
|
-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
|
||||||
-Wl,-pie,-eenclave_entry -Wl,--export-dynamic \
|
-Wl,-pie,-eenclave_entry -Wl,--export-dynamic \
|
||||||
-Wl,--defsym,__ImageBase=0 -Wl,--gc-sections \
|
-Wl,--defsym,__ImageBase=0 -Wl,--gc-sections \
|
||||||
-Wl,--version-script=Enclave/Enclave.lds \
|
-Wl,--version-script=enclave/enclave.lds \
|
||||||
|
|
||||||
Enclave_C_Objects := $(Enclave_C_Files:.c=.o)
|
Enclave_C_Objects := $(Enclave_C_Files:.c=.o)
|
||||||
|
|
||||||
Enclave_Name := enclave.so
|
Enclave_Name := enclave.so
|
||||||
Signed_Enclave_Name := enclave.signed.so
|
Signed_Enclave_Name := enclave.signed.so
|
||||||
Enclave_Config_File := Enclave/Enclave.config.xml
|
Enclave_Config_File := enclave/enclave.config.xml
|
||||||
|
|
||||||
ifeq ($(SGX_MODE), HW)
|
ifeq ($(SGX_MODE), HW)
|
||||||
ifeq ($(SGX_DEBUG), 1)
|
ifeq ($(SGX_DEBUG), 1)
|
||||||
|
@ -200,49 +201,49 @@ endif
|
||||||
|
|
||||||
######## App Objects ########
|
######## App Objects ########
|
||||||
|
|
||||||
App/Enclave_u.c: $(SGX_EDGER8R) Enclave/Enclave.edl
|
app/enclave_u.c: $(SGX_EDGER8R) enclave/enclave.edl
|
||||||
@cd App && $(SGX_EDGER8R) --untrusted ../Enclave/Enclave.edl --search-path ../Enclave --search-path $(SGX_SDK)/include
|
@cd app && $(SGX_EDGER8R) --untrusted ../enclave/enclave.edl --search-path ../enclave --search-path $(SGX_SDK)/include
|
||||||
@echo "GEN => $@"
|
@echo "GEN => $@"
|
||||||
|
|
||||||
App/Enclave_u.o: App/Enclave_u.c
|
app/enclave_u.o: app/enclave_u.c
|
||||||
@$(CC) $(App_C_Flags) -c $< -o $@
|
@$(CC) $(App_C_Flags) -c $< -o $@
|
||||||
@echo "CC <= $<"
|
@echo "CC <= $<"
|
||||||
|
|
||||||
App/%.o: App/%.c
|
app/%.o: app/%.c
|
||||||
@$(CC) $(App_C_Flags) -c $< -o $@
|
@$(CC) $(app_C_Flags) -c $< -o $@
|
||||||
@echo "CC <= $<"
|
@echo "CC <= $<"
|
||||||
|
|
||||||
$(App_Name): App/Enclave_u.o $(App_C_Objects)
|
$(App_Name): app/enclave_u.o $(App_C_Objects)
|
||||||
@$(CC) $^ -o $@ $(App_Link_Flags)
|
@$(CC) $^ -o $@ $(App_Link_Flags)
|
||||||
@echo "LINK => $@"
|
@echo "LINK => $@"
|
||||||
|
|
||||||
.config_$(Build_Mode)_$(SGX_ARCH):
|
.config_$(Build_Mode)_$(SGX_ARCH):
|
||||||
@rm -f .config_* $(App_Name) $(Enclave_Name) $(Signed_Enclave_Name) $(App_C_Objects) App/Enclave_u.* $(Enclave_C_Objects) Enclave/Enclave_t.*
|
@rm -f .config_* $(App_Name) $(Enclave_Name) $(Signed_Enclave_Name) $(App_C_Objects) app/enclave_u.* $(Enclave_C_Objects) enclave/enclave_t.*
|
||||||
@touch .config_$(Build_Mode)_$(SGX_ARCH)
|
@touch .config_$(Build_Mode)_$(SGX_ARCH)
|
||||||
|
|
||||||
######## Enclave Objects ########
|
######## Enclave Objects ########
|
||||||
|
|
||||||
Enclave/Enclave_t.c: $(SGX_EDGER8R) Enclave/Enclave.edl
|
enclave/enclave_t.c: $(SGX_EDGER8R) enclave/enclave.edl
|
||||||
@cd Enclave && $(SGX_EDGER8R) --trusted ../Enclave/Enclave.edl --search-path ../Enclave --search-path $(SGX_SDK)/include
|
@cd enclave && $(SGX_EDGER8R) --trusted ../enclave/enclave.edl --search-path ../enclave --search-path $(SGX_SDK)/include
|
||||||
@echo "GEN => $@"
|
@echo "GEN => $@"
|
||||||
|
|
||||||
Enclave/Enclave_t.o: Enclave/Enclave_t.c
|
enclave/enclave_t.o: enclave/enclave_t.c
|
||||||
@$(CC) $(Enclave_C_Flags) -c $< -o $@
|
@$(CC) $(Enclave_C_Flags) -c $< -o $@
|
||||||
@echo "CC <= $<"
|
@echo "CC <= $<"
|
||||||
|
|
||||||
Enclave/%.o: Enclave/%.c
|
enclave/%.o: enclave/%.c
|
||||||
@$(CC) $(Enclave_C_Flags) -c $< -o $@
|
@$(CC) $(Enclave_C_Flags) -c $< -o $@
|
||||||
@echo "CC <= $<"
|
@echo "CC <= $<"
|
||||||
|
|
||||||
$(Enclave_Name): Enclave/Enclave_t.o $(Enclave_C_Objects)
|
$(Enclave_Name): enclave/enclave_t.o $(Enclave_C_Objects)
|
||||||
@$(CC) $^ -o $@ $(Enclave_Link_Flags)
|
@$(CC) $^ -o $@ $(Enclave_Link_Flags)
|
||||||
@echo "LINK => $@"
|
@echo "LINK => $@"
|
||||||
|
|
||||||
$(Signed_Enclave_Name): $(Enclave_Name)
|
$(Signed_Enclave_Name): $(Enclave_Name)
|
||||||
@$(SGX_ENCLAVE_SIGNER) sign -key Enclave/Enclave_private.pem -enclave $(Enclave_Name) -out $@ -config $(Enclave_Config_File)
|
@$(SGX_ENCLAVE_SIGNER) sign -key enclave/enclave_private.pem -enclave $(Enclave_Name) -out $@ -config $(Enclave_Config_File)
|
||||||
@echo "SIGN => $@"
|
@echo "SIGN => $@"
|
||||||
|
|
||||||
.PHONY: clean
|
.PHONY: clean
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
@rm -f .config_* $(App_Name) $(Enclave_Name) $(Signed_Enclave_Name) $(App_C_Objects) App/Enclave_u.* $(Enclave_C_Objects) Enclave/Enclave_t.*
|
@rm -f .config_* $(App_Name) $(Enclave_Name) $(Signed_Enclave_Name) $(App_C_Objects) app/enclave_u.* $(Enclave_C_Objects) enclave/enclave_t.*
|
||||||
|
|
|
@ -5,149 +5,155 @@
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
#include "enclave.h"
|
|
||||||
#include "intermediary.h"
|
#include "intermediary.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
|
||||||
|
#include <openssl/core_names.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/pem.h>
|
||||||
|
|
||||||
#define HASH_BYTES 32
|
#define HASH_BYTES 32
|
||||||
#define HASH_CHUNK_BYTES 32
|
#define HASH_CHUNK_BYTES 32
|
||||||
#define KEY_BYTES 32
|
#define KEY_BYTES 32
|
||||||
|
|
||||||
struct IntermediaryArgs {
|
struct IntermediaryArgs {
|
||||||
char* firmware_path;
|
|
||||||
char* key_path;
|
char* key_path;
|
||||||
char* output_path;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
static int generate_key(EVP_PKEY** key) {
|
||||||
|
OSSL_PARAM key_params[2];
|
||||||
|
EVP_PKEY_CTX* gctx;
|
||||||
|
|
||||||
|
gctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
|
||||||
|
if (gctx == NULL)
|
||||||
|
return (1);
|
||||||
|
|
||||||
|
if (EVP_PKEY_keygen_init(gctx) != 1)
|
||||||
|
return (2);
|
||||||
|
|
||||||
|
key_params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, "prime256v1", 0);
|
||||||
|
key_params[1] = OSSL_PARAM_construct_end();
|
||||||
|
|
||||||
|
if (EVP_PKEY_CTX_set_params(gctx, key_params) != 1)
|
||||||
|
return (3);
|
||||||
|
|
||||||
|
if(EVP_PKEY_generate(gctx, key) != 1)
|
||||||
|
return (4);
|
||||||
|
|
||||||
|
EVP_PKEY_CTX_free(gctx);
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
char* intermediary_syntax(void) {
|
char* intermediary_syntax(void) {
|
||||||
return
|
return
|
||||||
"intermediary mock up implementation of the employee binary\n"
|
"intermediary mock up implementation of the employee binary\n"
|
||||||
" -f <path> file path to Firmware file\n"
|
" expects firmware on stdin\n"
|
||||||
" -k <path> key file path\n"
|
" outputs signature on stdout\n"
|
||||||
" -o <path> output file path\n";
|
" -k <path> key file path\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
int handle_intermediary(int argc, char** argv) {
|
int handle_intermediary(int argc, char** argv) {
|
||||||
struct IntermediaryArgs args = {
|
struct IntermediaryArgs args = {
|
||||||
NULL,
|
|
||||||
NULL,
|
|
||||||
NULL
|
NULL
|
||||||
};
|
};
|
||||||
FILE* firmware_file;
|
|
||||||
FILE* key_file;
|
FILE* key_file;
|
||||||
FILE* output_file;
|
|
||||||
//uint8_t firmware_hash[HASH_BYTES];
|
|
||||||
uint8_t firmware_chunk[HASH_CHUNK_BYTES];
|
uint8_t firmware_chunk[HASH_CHUNK_BYTES];
|
||||||
uint8_t key[KEY_BYTES];
|
EVP_PKEY* key;
|
||||||
//EVP_MD_CTX *mdctx;
|
OSSL_PARAM key_params[2];
|
||||||
//const EVP_MD *md;
|
EVP_PKEY_CTX* gctx;
|
||||||
//unsigned char md_value[EVP_MAX_MD_SIZE];
|
EVP_MD_CTX *mdctx;
|
||||||
//unsigned int md_len;
|
size_t sig_len;
|
||||||
|
unsigned char* sig;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Parse Input
|
||||||
|
*/
|
||||||
|
|
||||||
int i = 0;
|
int i = 0;
|
||||||
while(i < argc) {
|
while(i < argc) {
|
||||||
if(strcmp(argv[i], "-f")==0 && argc-i >=2){
|
if(strcmp(argv[i], "-k")==0 && argc-i >=2){
|
||||||
args.firmware_path = argv[i+1];
|
|
||||||
i += 2;
|
|
||||||
}else if(strcmp(argv[i], "-k")==0 && argc-i >=2){
|
|
||||||
args.key_path = argv[i+1];
|
args.key_path = argv[i+1];
|
||||||
i += 2;
|
i += 2;
|
||||||
}else if(strcmp(argv[i], "-o")==0 && argc-i >=2){
|
|
||||||
args.output_path = argv[i+1];
|
|
||||||
i += 2;
|
|
||||||
}else
|
}else
|
||||||
syntax_exit();
|
syntax_exit();
|
||||||
}
|
}
|
||||||
|
|
||||||
if(args.firmware_path == NULL || args.key_path == NULL || args.output_path == NULL)
|
if(args.key_path == NULL)
|
||||||
syntax_exit();
|
syntax_exit();
|
||||||
|
|
||||||
firmware_file = fopen(args.firmware_path, "r");
|
|
||||||
if(firmware_file == NULL){
|
|
||||||
perror("Error opening firmware file");
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
md = EVP_sha3_256();
|
* Load Signing Key
|
||||||
mdctx = EVP_MD_CTX_new();
|
|
||||||
if (!EVP_DigestSignInit(mdctx, NULL, md, NULL, key)) {
|
|
||||||
fprintf(stderr, "Message digest initialization failed.\n");
|
|
||||||
EVP_MD_CTX_free(mdctx);
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
size_t chunk_len = HASH_CHUNK_BYTES;
|
key_file = fopen(args.key_path, "rb");
|
||||||
while(chunk_len==HASH_CHUNK_BYTES) {
|
|
||||||
chunk_len = fread(&firmware_chunk, HASH_CHUNK_BYTES, 1, firmware_file);
|
|
||||||
if(chunk_len!=HASH_CHUNK_BYTES&&ferror(firmware_file)!=0){
|
|
||||||
perror("Failed to read firmware file");
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
if (!EVP_DigestSignUpdate(mdctx, firmware_chunk, chunk_len)) {
|
|
||||||
printf("Message digest update failed.\n");
|
|
||||||
EVP_MD_CTX_free(mdctx);
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
*/
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
if (!EVP_DigestSignFinal_ex(mdctx, md_value, &md_len)) {
|
|
||||||
printf("Message digest finalization failed.\n");
|
|
||||||
EVP_MD_CTX_free(mdctx);
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
EVP_MD_CTX_free(mdctx);
|
|
||||||
|
|
||||||
printf("Digest is: ");
|
|
||||||
for (i = 0; i < md_len; i++)
|
|
||||||
printf("%02x", md_value[i]);
|
|
||||||
printf("\n");
|
|
||||||
*/
|
|
||||||
|
|
||||||
key_file = fopen(args.key_path, "r");
|
|
||||||
if(key_file == NULL){
|
if(key_file == NULL){
|
||||||
perror("Error opening key file");
|
perror("Error opening key file");
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
key = PEM_read_PrivateKey(key_file, &key, NULL, NULL);
|
||||||
size_t key_len = fread(&key, 1, KEY_BYTES, key_file);
|
if(key == NULL) {
|
||||||
if(ferror(key_file)!=0){
|
fprintf(stderr, "failed to read key");
|
||||||
perror("Failed to read key");
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
if(key_len != KEY_BYTES){
|
|
||||||
fprintf(stderr, "invalid key length\n");
|
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
//eckey = EC_KEY_new_by_curve_name(NID_secp256r1);
|
/*
|
||||||
//if(eckey == NULL) {
|
* Sign Firmware
|
||||||
// fprintf(stderr, "failed to initialize SECP256R1 key\n");
|
*/
|
||||||
// exit(1);
|
|
||||||
//}
|
|
||||||
|
|
||||||
//if (!EC_KEY_generate_key(eckey)) {
|
|
||||||
// fprintf(stderr, "failed to generate key\n");
|
|
||||||
// exit(1);
|
|
||||||
//}
|
|
||||||
|
|
||||||
//sig = ECDSA_do_sign(md_value, md_len, eckey);
|
mdctx = EVP_MD_CTX_new();
|
||||||
//if (sig == NULL){
|
if (EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, key) != 1) {
|
||||||
// fprintf(stderr, "failed to sign firmware hash\n");
|
fprintf(stderr, "Message digest initialization failed.\n");
|
||||||
// exit(1);
|
EVP_MD_CTX_free(mdctx);
|
||||||
//}
|
|
||||||
|
|
||||||
output_file = fopen(args.output_path, "w");
|
|
||||||
if(output_file == NULL){
|
|
||||||
perror("Error opening output file");
|
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
printf("intermediary %s %s %s", args.firmware_path, args.key_path, args.output_path);
|
size_t chunk_len = HASH_CHUNK_BYTES;
|
||||||
|
while(chunk_len==HASH_CHUNK_BYTES) {
|
||||||
|
chunk_len = fread(&firmware_chunk, HASH_CHUNK_BYTES, 1, stdin);
|
||||||
|
if(chunk_len!=HASH_CHUNK_BYTES&&ferror(stdin)!=0){
|
||||||
|
perror("Failed to read firmware file");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (EVP_DigestSignUpdate(mdctx, firmware_chunk, chunk_len) != 1) {
|
||||||
|
printf("Message digest update failed.\n");
|
||||||
|
EVP_MD_CTX_free(mdctx);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// call with empty sig to get length
|
||||||
|
if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) != 1) {
|
||||||
|
printf("Message digest finalization failed.\n");
|
||||||
|
EVP_MD_CTX_free(mdctx);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
// allocate signature buffer
|
||||||
|
sig = malloc(sizeof(unsigned char) * sig_len);
|
||||||
|
if(sig == NULL){
|
||||||
|
perror("could not initialize digest buffer");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
// load signature into buffer
|
||||||
|
if (EVP_DigestSignFinal(mdctx, sig, &sig_len) != 1) {
|
||||||
|
printf("Message digest finalization failed.\n");
|
||||||
|
EVP_MD_CTX_free(mdctx);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
EVP_MD_CTX_free(mdctx);
|
||||||
|
|
||||||
|
for (unsigned int i = 0; i < sig_len; i++)
|
||||||
|
printf("%02x", sig[i]);
|
||||||
|
printf("\n");
|
||||||
|
|
||||||
|
|
||||||
|
EVP_PKEY_free(key);
|
||||||
exit(0);
|
exit(0);
|
||||||
}
|
}
|
||||||
|
|
5
7-SGX_Hands-on/src/app/intermediary_key.pem
Normal file
5
7-SGX_Hands-on/src/app/intermediary_key.pem
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
MHcCAQEEIH0KXxaw/nRzJU5evlEJQrciYUtfJ16PILWtlA5KKh/koAoGCCqGSM49
|
||||||
|
AwEHoUQDQgAEduVQXmH1K+ocSSnv0l9PKdC2+xxPQrVyABAYGk+jlo2hugpH8aWk
|
||||||
|
nfR9cTTOLy6T7ASx3a22S6DftcTz+aZYsg==
|
||||||
|
-----END EC PRIVATE KEY-----
|
|
@ -9,7 +9,7 @@
|
||||||
int main(int argc, char** argv) {
|
int main(int argc, char** argv) {
|
||||||
if(argc < 1)
|
if(argc < 1)
|
||||||
syntax_exit();
|
syntax_exit();
|
||||||
BIN_NAME = argv[0];
|
set_bin_name(argv[0]);
|
||||||
if(argc < 2)
|
if(argc < 2)
|
||||||
syntax_exit();
|
syntax_exit();
|
||||||
|
|
||||||
|
|
|
@ -4,15 +4,13 @@
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
#include "enclave.h"
|
#include "../enclave/enclave.h"
|
||||||
#include "proxy.h"
|
#include "proxy.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
|
||||||
sgx_enclave_id_t global_eid = 0;
|
sgx_enclave_id_t global_eid = 0;
|
||||||
|
|
||||||
struct ProxyArgs {
|
struct ProxyArgs {
|
||||||
char* input_path;
|
|
||||||
char* output_path;
|
|
||||||
char* sealed_key_file_path;
|
char* sealed_key_file_path;
|
||||||
char* sgx_token_path;
|
char* sgx_token_path;
|
||||||
};
|
};
|
||||||
|
@ -127,26 +125,28 @@ static int initialize_enclave(char* token_path) {
|
||||||
sgx_status_t ret;
|
sgx_status_t ret;
|
||||||
int updated = 0;
|
int updated = 0;
|
||||||
|
|
||||||
sgx_token_file = fopen(token_path, "r");
|
sgx_token_file = fopen(token_path, "rb");
|
||||||
if(sgx_token_file == NULL){
|
if(sgx_token_file == NULL){
|
||||||
perror("Error opening sgx token file");
|
perror("Error opening sgx token file");
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//TODO create new on error / ignore missing token file
|
||||||
|
|
||||||
size_t read_num = fread(token, 1, sizeof(sgx_launch_token_t), sgx_token_file);
|
size_t read_num = fread(token, 1, sizeof(sgx_launch_token_t), sgx_token_file);
|
||||||
if (read_num != 0 && read_num != sizeof(sgx_launch_token_t)) {
|
if (read_num != 0 && read_num != sizeof(sgx_launch_token_t)) {
|
||||||
fprintf(stderr, "sgx token file is corrupted");
|
fprintf(stderr, "sgx token file is corrupted");
|
||||||
return (1);
|
return (1);
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = sgx_create_enclave("enclave.so", SGX_DEBUG_FLAG, &token, &updated, &global_eid, NULL);
|
ret = sgx_create_enclave("enclave.signed.so", SGX_DEBUG_FLAG, &token, &updated, &global_eid, NULL);
|
||||||
if (ret != SGX_SUCCESS) {
|
if (ret != SGX_SUCCESS) {
|
||||||
print_error_message(ret);
|
print_error_message(ret);
|
||||||
return (1);
|
return (1);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (updated) {
|
if (updated) {
|
||||||
sgx_token_file = freopen(token_path, "w", sgx_token_file);
|
sgx_token_file = freopen(token_path, "wb", sgx_token_file);
|
||||||
if(sgx_token_file == NULL){
|
if(sgx_token_file == NULL){
|
||||||
perror("Error opening sgx token file");
|
perror("Error opening sgx token file");
|
||||||
return (1);
|
return (1);
|
||||||
|
@ -163,32 +163,32 @@ static int initialize_enclave(char* token_path) {
|
||||||
char* proxy_syntax(void) {
|
char* proxy_syntax(void) {
|
||||||
return
|
return
|
||||||
"proxy implementation of the enclave-powered SignatureProxy\n"
|
"proxy implementation of the enclave-powered SignatureProxy\n"
|
||||||
" -i <path> file path to the intermediary output(signature of firmware)\n"
|
" expects intermediary signature on stdin\n"
|
||||||
" -o <path> output path of the signature\n"
|
" outputs proxied signature on stdout\n"
|
||||||
" -s <path> file path of the sealed proxy key\n"
|
" -s <path> file path of the sealed proxy key\n"
|
||||||
" -t <path> file path of the sgx token\n";
|
" -t <path> file path of the sgx token\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
int handle_proxy(int argc, char** argv) {
|
int handle_proxy(int argc, char** argv) {
|
||||||
struct ProxyArgs args = {
|
struct ProxyArgs args = {
|
||||||
NULL,
|
|
||||||
NULL,
|
|
||||||
NULL,
|
NULL,
|
||||||
NULL
|
NULL
|
||||||
};
|
};
|
||||||
FILE* input_file;
|
FILE* input_file = stdin;
|
||||||
FILE* output_file;
|
FILE* output_file = stdout;
|
||||||
FILE* sealed_key_file;
|
FILE* sealed_key_file;
|
||||||
|
uint8_t *sealed;
|
||||||
|
uint32_t sealed_size;
|
||||||
|
char line[141];
|
||||||
|
uint8_t signature[70];
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Parse Input
|
||||||
|
*/
|
||||||
|
|
||||||
int i = 0;
|
int i = 0;
|
||||||
while(i < argc) {
|
while(i < argc) {
|
||||||
if(strcmp(argv[i], "-i")==0 && argc-i >=2){
|
if(strcmp(argv[i], "-s")==0 && argc-i >=2){
|
||||||
args.input_path = argv[i+1];
|
|
||||||
i += 2;
|
|
||||||
}else if(strcmp(argv[i], "-o")==0 && argc-i >=2){
|
|
||||||
args.output_path = argv[i+1];
|
|
||||||
i += 2;
|
|
||||||
}else if(strcmp(argv[i], "-s")==0 && argc-i >=2){
|
|
||||||
args.sealed_key_file_path = argv[i+1];
|
args.sealed_key_file_path = argv[i+1];
|
||||||
i += 2;
|
i += 2;
|
||||||
}else if(strcmp(argv[i], "-t")==0 && argc-i >=2){
|
}else if(strcmp(argv[i], "-t")==0 && argc-i >=2){
|
||||||
|
@ -198,25 +198,28 @@ int handle_proxy(int argc, char** argv) {
|
||||||
syntax_exit();
|
syntax_exit();
|
||||||
}
|
}
|
||||||
|
|
||||||
if(args.input_path == NULL || args.output_path == NULL || args.sealed_key_file_path == NULL || args.sgx_token_path == NULL)
|
if(args.sealed_key_file_path == NULL || args.sgx_token_path == NULL)
|
||||||
syntax_exit();
|
syntax_exit();
|
||||||
|
|
||||||
input_file = fopen(args.input_path, "r");
|
if(fgets(line, 141, stdin) == NULL) {
|
||||||
if(input_file == NULL){
|
fprintf(stderr, "failed to read signature from stdin");
|
||||||
perror("Error opening input file");
|
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
output_file = fopen(args.output_path, "w");
|
if(line[140] != '\0') {
|
||||||
if(output_file == NULL){
|
fprintf(stderr, "invalid input");
|
||||||
perror("Error opening output file");
|
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
//TODO read input -> calculate size of input (ECDSA of SHA3-256 of Firmware File, generated by intermediary)
|
for (i = 0; i < 70; i++) {
|
||||||
//TODO read sealed key -> calculate size or dynamic alloc
|
sscanf(line+2*i, "%02x", &signature[i]);
|
||||||
|
}
|
||||||
|
|
||||||
sealed_key_file = fopen(args.sealed_key_file_path, "w");
|
/*
|
||||||
|
* Initialize SGX Enclave
|
||||||
|
*/
|
||||||
|
|
||||||
|
sealed_key_file = fopen(args.sealed_key_file_path, "rb");
|
||||||
if(sealed_key_file == NULL){
|
if(sealed_key_file == NULL){
|
||||||
perror("Error opening sealed_key_file file");
|
perror("Error opening sealed_key_file file");
|
||||||
exit(1);
|
exit(1);
|
||||||
|
@ -225,11 +228,20 @@ int handle_proxy(int argc, char** argv) {
|
||||||
if (initialize_enclave(args.sgx_token_path) != 0)
|
if (initialize_enclave(args.sgx_token_path) != 0)
|
||||||
exit(1);
|
exit(1);
|
||||||
|
|
||||||
//TODO call enclave -> refactor interface to do verify and sign in one call to avoid trip through "untrusted" land.
|
sealed_size = get_sealed_size();
|
||||||
|
sealed = malloc(sizeof(uint8_t)*sealed_size);
|
||||||
|
if (sealed == NULL) {
|
||||||
|
fprintf(stderr, "failed to allocate for sealed key");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
//TODO load sealed (what to do when missing?)
|
||||||
|
|
||||||
|
//TODO call enclave
|
||||||
|
|
||||||
//TODO store sealed key if changed
|
//TODO store sealed key if changed
|
||||||
//TODO write output
|
//TODO write output
|
||||||
|
//TODO enclave teardown
|
||||||
|
|
||||||
printf("proxy %s %s", args.input_path, args.output_path);
|
|
||||||
exit(0);
|
exit(0);
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
#include "intermediary.h"
|
#include "intermediary.h"
|
||||||
|
|
||||||
|
|
||||||
char* BIN_NAME = "SignatureProxy";
|
static char* BIN_NAME = "SignatureProxy";
|
||||||
|
|
||||||
void syntax_exit(void) {
|
void syntax_exit(void) {
|
||||||
char* syntax =
|
char* syntax =
|
||||||
|
@ -21,3 +21,7 @@ void syntax_exit(void) {
|
||||||
printf(syntax, BIN_NAME, intermediary_syntax(), proxy_syntax());
|
printf(syntax, BIN_NAME, intermediary_syntax(), proxy_syntax());
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void set_bin_name(char* bin_name) {
|
||||||
|
BIN_NAME = bin_name;
|
||||||
|
}
|
||||||
|
|
|
@ -2,12 +2,11 @@
|
||||||
#define _APP_UTIL_H_
|
#define _APP_UTIL_H_
|
||||||
|
|
||||||
|
|
||||||
char* BIN_NAME;
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* @brief prints the command syntax and exits with EXIT_FAILURE
|
* @brief prints the command syntax and exits with EXIT_FAILURE
|
||||||
*/
|
*/
|
||||||
void syntax_exit(void);
|
void syntax_exit(void);
|
||||||
|
|
||||||
|
void set_bin_name(char* bin_name);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
Loading…
Reference in a new issue