Signature Relay for firmware
Documentation of Assignment 7 in Systems Security at Ruhr-Universität Bochum. This is a program that uses a TEE to build a signature relay that signs firmware with a master key. For more information, read the project description.
We recommend viewing the [repository](<https://git.pfzetto.de/RubNoobs/Systemsicherheit/src/branch/master/Assignment 7 - SGX Hands-on>) that we worked on together.
Requirements
You will need the latest version of OpenSSL. Execute the following command inside the src directory to automatically meet all requirements.
$ ./setup
Compiling
This project can be compiled for simulation environments or directly on the hardware.
- Simulated environment
In the src directory type the command
$ make SGX_MODE=SIM
- Hardware
In the src directory type the command
$ make
That creates all the necessary objects and binaries to execute.
The executable binary will be src/signatureproxy.
Running
Running story
To run an example usage of the project, execute ./simulate in the src directory.
Note that this will only work if you successfully compiled the project.
Manual Usage
Setup
Go to the src directory.
Initialize the Enclave keypair by executing:
./signatureproxy proxysetup -pkey <sealed_proxy_key.bin> > <proxy_public_key.pem>
Sign
- Create the employee signature using
./signatureproxy employee -firm <firmware.bin> -ekey <employee_private_key.pem> > <employee_signature.der>
This step can also be done using OpenSSL:
openssl dgst -sha256 -sign <employee_private_key.pem> -out <employee_signature.der> <firmware.bin>
- Use the signature proxy to re-sign the firmware using
./signatureproxy proxy -pkey <sealed_proxy_key.bin> -epub <employee_public_key.der> -firm <firmware.bin> > <proxy_signature.der>
The enclave verifies the employee signature and signs the firmware if the signature is valid.
- Verify the signature using
cat <proxy_signature.der> | ./signatureproxy embedded -firm <firmware.bin> -ppub <proxy_public_key.pem>
This step can also be done using OpenSSL:
openssl dgst -sha256 -verify <proxy_public_key.pem> -signature <proxy_signature.der> <firmware.bin>
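The accept/reject decision of the proxy step, modelled with plain OpenSSL commands. This is an added example, not the project's code, and nothing in it runs inside an enclave or seals a key. The EC P-256 key type, the function names and all file names are assumptions made for the sketch.

```shell
#!/bin/sh
# Added example: the relay's decision in plain OpenSSL, without SGX.
# Assumptions: EC P-256 keys, PEM public keys, constructed file names.

# relay_sign FIRMWARE EMPLOYEE_PUB EMPLOYEE_SIG PROXY_KEY OUT_SIG
# Signs FIRMWARE with PROXY_KEY only if EMPLOYEE_SIG verifies under EMPLOYEE_PUB.
relay_sign() {
    if ! openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1; then
        echo "relay: employee signature invalid, refusing to sign" >&2
        return 1
    fi
    openssl dgst -sha256 -sign "$4" -out "$5" "$1"
}

# relay_demo: exercises the accept path and the reject path on constructed data.
# Returns 0 only if both paths behave as the relay is meant to.
relay_demo() {
    d=$(mktemp -d) || return 2
    # Constructed employee and proxy key pairs
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/employee.pem" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/proxy.pem" 2>/dev/null
    openssl pkey -in "$d/employee.pem" -pubout -out "$d/employee_pub.pem"
    openssl pkey -in "$d/proxy.pem" -pubout -out "$d/proxy_pub.pem"
    # Constructed firmware image and a modified copy of it
    printf 'constructed firmware image v1\n' > "$d/firmware.bin"
    printf 'constructed firmware image v1 (modified)\n' > "$d/tampered.bin"

    rc=0
    # Employee signs the firmware
    openssl dgst -sha256 -sign "$d/employee.pem" -out "$d/employee_sig.der" "$d/firmware.bin" || rc=3
    # Accept path: valid employee signature, so the relay signs
    relay_sign "$d/firmware.bin" "$d/employee_pub.pem" "$d/employee_sig.der" \
        "$d/proxy.pem" "$d/proxy_sig.der" || rc=4
    # Device side: the relay's signature verifies under the proxy public key
    openssl dgst -sha256 -verify "$d/proxy_pub.pem" -signature "$d/proxy_sig.der" \
        "$d/firmware.bin" >/dev/null || rc=5
    # Reject path: old employee signature over a modified image must be refused
    if relay_sign "$d/tampered.bin" "$d/employee_pub.pem" "$d/employee_sig.der" \
        "$d/proxy.pem" "$d/bad_sig.der" 2>/dev/null; then rc=6; fi
    # No proxy signature may exist for the refused image
    [ ! -e "$d/bad_sig.der" ] || rc=7
    rm -rf "$d"
    return $rc
}

relay_demo && echo "relay demo: accept and reject paths behaved as expected"
```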
License
Everything we did ourselves is licensed under the GNU GPLv3 License.
Contributors
- Benjamin Haschka
- Sascha Tommasone
- Paul Zinselmeyer