Systemsicherheit/Assignment 7 - SGX Hands-on
Sascha Tommasone 005d529757
[Assignment-7] remove redundant code
2024-07-08 12:44:02 +02:00
doc master: abgabe 7 wrong curve mentioned 2024-07-08 12:42:17 +02:00
employee_keys [Assignmnt-7] rename directory 2024-07-08 11:19:48 +02:00
src [Assignment-7] remove redundant code 2024-07-08 12:44:02 +02:00
flake.lock [Assignmnt-7] rename directory 2024-07-08 11:19:48 +02:00
flake.nix [Assignmnt-7] rename directory 2024-07-08 11:19:48 +02:00
LICENSE [Assignmnt-7] rename directory 2024-07-08 11:19:48 +02:00
README.md [Assignment-7] fix README.md 2024-07-08 12:34:37 +02:00

Signature Relay for firmware

Documentation for Assignment 7 in Systems Security at Ruhr-Universität Bochum. This program uses a TEE to build a signature relay that signs firmware with a master key. For more information, read the project description.

We recommend viewing the repository we worked on together at.

Requirements

You will need the latest version of OpenSSL. Execute the following command inside the src directory to automatically meet all requirements.

$ ./setup

Compiling

This project can be compiled for simulation environments or directly on the hardware.

  1. Simulated environment

In the src directory type the command

$ make SGX_MODE=SIM

  2. Hardware

In the src directory type the command

$ make

This creates all the necessary objects and binaries. The executable binary will be src/signatureproxy.

Running

Running story

To run an example usage of the project, execute ./simulate in the src directory. Note that this only works if you have successfully compiled the project.

Manual Usage

Setup

Go to the src directory.

Initialize the enclave key pair by executing:

$ ./signatureproxy proxysetup -pkey <sealed_proxy_key.bin> > <proxy_public_key.pem>

Sign

  1. Create the employee signature:

$ ./signatureproxy employee -firm <firmware.bin> -ekey <employee_private_key.pem> > <employee_signature.der>

This step can also be done using OpenSSL:

$ openssl dgst -sha256 -sign <employee_private_key.pem> -out <employee_signature.der> <firmware.bin>

  2. Use the signature proxy to re-sign the firmware:

$ ./signatureproxy proxy -pkey <sealed_proxy_key.bin> -epub <employee_public_key.der> -firm <firmware.bin> > <proxy_signature.der>

The enclave verifies the employee signature and signs the firmware only if the signature is valid.

  3. Verify the proxy signature:

$ cat <proxy_signature.der> | ./signatureproxy embedded -firm <firmware.bin> -ppub <proxy_public_key.pem>

This step can also be done using OpenSSL:

$ openssl dgst -sha256 -verify <proxy_public_key.pem> -signature <proxy_signature.der> <firmware.bin>
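The verify-then-sign rule behind the three steps above, reproduced with plain OpenSSL as an added example (not this project's code). Assumptions: P-256 keys, PEM public keys, constructed file names and firmware contents, and a shell function `relay` standing in for the enclave without any SGX sealing.

```shell
#!/bin/sh
# Added illustration: the relay's verify-then-sign rule with plain OpenSSL.
# Assumptions: P-256 keys, PEM public keys, constructed file names, no SGX sealing.

# relay FIRMWARE EMPLOYEE_PUB EMPLOYEE_SIG PROXY_KEY OUT_SIG
# Signs FIRMWARE with PROXY_KEY only if EMPLOYEE_SIG verifies under EMPLOYEE_PUB.
relay() {
    openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1 || return 1
    openssl dgst -sha256 -sign "$4" -out "$5" "$1"
}

# verify_proxy FIRMWARE PROXY_PUB PROXY_SIG: the check the embedded device runs.
verify_proxy() {
    openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1
}

# new_key DIR NAME: writes DIR/NAME.key and DIR/NAME.pub
new_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key" 2>/dev/null &&
    openssl pkey -in "$1/$2.key" -pubout -out "$1/$2.pub" 2>/dev/null
}

# demo: runs the three steps plus three rejections; returns 0 if all behave as expected.
demo() {
    d=$(mktemp -d) || return 1
    rc=0
    new_key "$d" employee && new_key "$d" proxy && new_key "$d" stranger || rc=1
    printf 'constructed firmware image v1\n' > "$d/fw.bin"
    printf 'constructed firmware image v1 (modified)\n' > "$d/fw_bad.bin"
    # Step 1: employee signs the firmware.
    openssl dgst -sha256 -sign "$d/employee.key" -out "$d/emp.sig" "$d/fw.bin" || rc=1
    # Step 2: relay checks the employee signature, then signs with the proxy key.
    relay "$d/fw.bin" "$d/employee.pub" "$d/emp.sig" "$d/proxy.key" "$d/proxy.sig" || rc=1
    # Step 3: device verifies the proxy signature.
    verify_proxy "$d/fw.bin" "$d/proxy.pub" "$d/proxy.sig" || rc=1
    # Rejections: modified firmware, unregistered employee key, modified firmware on device.
    relay "$d/fw_bad.bin" "$d/employee.pub" "$d/emp.sig" "$d/proxy.key" "$d/bad1.sig" && rc=1
    relay "$d/fw.bin" "$d/stranger.pub" "$d/emp.sig" "$d/proxy.key" "$d/bad2.sig" && rc=1
    verify_proxy "$d/fw_bad.bin" "$d/proxy.pub" "$d/proxy.sig" && rc=1
    # A rejected request must not leave a proxy signature behind.
    if [ -e "$d/bad1.sig" ] || [ -e "$d/bad2.sig" ]; then rc=1; fi
    rm -rf "$d"
    return "$rc"
}

demo && echo "relay flow behaves as expected"
```

In this stand-in the proxy private key sits in a plain file so the flow runs anywhere; the project's commands instead take a sealed key file via -pkey.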

License

Everything we did ourselves is licensed under the GNU GPLv3 License.

Contributors

  • Benjamin Haschka
  • Sascha Tommasone
  • Paul Zinselmeyer