Systemsicherheit/7-SGX_Hands-on
2024-07-08 11:19:48 +02:00
..
doc Assignment 7: abgabe neue formulierung 2024-07-07 22:13:20 +02:00
employee_keys [Assignment-7] add keys of Bob and Oskar 2024-07-08 11:19:48 +02:00
src [Assignment-7] final 2024-07-08 11:19:48 +02:00
.gitkeep [Assignment-7] Flake + App base 2024-07-08 11:19:48 +02:00
flake.lock [Assignment-7] Flake + App base 2024-07-08 11:19:48 +02:00
flake.nix [Assignment-7] update flake and add missing enclave files 2024-07-08 11:19:48 +02:00
LICENSE Assignment 7 sgximpl: GNU GPLv3 License 2024-07-08 11:19:48 +02:00
README.md Assignment 7 sgximpl: README update 2024-07-08 11:19:48 +02:00

Signature Relay for firmware

Documentation of the Assignment 7 in Systems Security at Ruhr-Universität Bochum. This is a program, that uses a TEE to build a signature relay to sign firmware with a master key. For more informationm, read the project description.

We recommend viewing the repository we worked on together at.

Compiling

This project can be compiled for simulation environments or directly on the hardware.

  1. Simulated environment

At project root type the command

$ make SGX_MODE=SIM
  1. Hardware

At project root type the command

$ make

This creates the following directory tree:

out
├── bin <- here is the executable binary file
└── obj <- here are the object files generated by the compiling process

Usage

Setup

Initialize the Enclave keypair by executing: ./signatureproxy proxysetup -pkey <sealed_proxy_key.bin> > <proxy_public_key.pem>

Sign

  1. Create employee signature using ./signatureproxy employee -firm <firmware.bin> -ekey <employee_privat_key.pem> > <employee_signature.der> This step can also be done using OpenSSL: openssl dgst -sha256 -sign <employee_private_key.pem> -out <employee_signature.der> -in <firmware.bin>
  2. Use the signature proxy to resign the firmware using ./signatureproxy proxy -pkey <sealed_proxy_key.bin> -epub <employee_public_key.der> -firm <firmware.bin> > <proxy_signature.der> The enclave verifies the employee signature and signs the firmware if the signature is valid.
  3. Verify signature using cat <proxy_signature.der> | ./signatureproxy embedded -firm <firmware.bin> -ppub <proxy_public_key.pem> This step can also be done using OpenSSL: openssl dgst -sha256 -verify <proxy_public_key.pem> -signature <proxy-signature.der> <firmware.bin>

License

Everything we did ourselves is licensed under the GNU GPLv3 License

Contributors

  • Benjamin Haschka
  • Sascha Tommasone
  • Paul Zinselmeyer