Systemsicherheit/7-SGX_Hands-on/README.md
Sascha Tommasone df441cfe30
All checks were successful
Latex Build / build-latex (Assignment 4 - Protokollsicherheit (Praxis)) (push) Successful in 1m3s
Latex Build / build-latex (Assignment 5 - Software Security - Teil 1) (push) Successful in 1m1s
Latex Build / build-latex (Assignment 6 - Software Security - Teil 2) (push) Successful in 1m1s
Latex Build / build-latex (Assignment 4 - Protokollsicherheit (Praxis)) (pull_request) Successful in 32s
Latex Build / build-latex (Assignment 5 - Software Security - Teil 1) (pull_request) Successful in 10s
Latex Build / build-latex (Assignment 6 - Software Security - Teil 2) (pull_request) Successful in 9s
[Assignment-7] fixed README.md
2024-07-08 11:01:19 +02:00

2.4 KiB

Signature Relay for firmware

Documentation of the Assignment 7 in Systems Security at Ruhr-Universität Bochum. This is a program, that uses a TEE to build a signature relay to sign firmware with a master key. For more informationm, read the project description.

We recommend viewing the [repository](https://git.pfzetto.de/RubNoobs/Systemsicherheit/src/branch/master/Assignment 7 - SGX Hands-on) we worked on together at.

Requirements

You will need the latest version of OpenSSL. Execute the following command inside the src directory to automatically meet all requirements.

$ ./setup

Compiling

This project can be compiled for simulation environments or directly on the hardware.

  1. Simulated environment

In the src directory type the command

$ make SGX_MODE=SIM
  1. Hardware

In the src directory type the command

$ make

That creates all the necessary objects and binaries to execute. The executable binary will be src/signatureproxy.

Running

Running story

To execute an example usage of the project, execute ./simulate in src directory. Note, that this will only work, if you sucessfully compiled the project.

Manual Usage

Setup

Go to the src directory.

Initialize the Enclave keypair by executing: ./signatureproxy proxysetup -pkey <sealed_proxy_key.bin> > <proxy_public_key.pem>

Sign

  1. Create employee signature using ./signatureproxy employee -firm <firmware.bin> -ekey <employee_privat_key.pem> > <employee_signature.der> This step can also be done using OpenSSL: openssl dgst -sha256 -sign <employee_private_key.pem> -out <employee_signature.der> -in <firmware.bin>
  2. Use the signature proxy to resign the firmware using ./signatureproxy proxy -pkey <sealed_proxy_key.bin> -epub <employee_public_key.der> -firm <firmware.bin> > <proxy_signature.der> The enclave verifies the employee signature and signs the firmware if the signature is valid.
  3. Verify signature using cat <proxy_signature.der> | ./signatureproxy embedded -firm <firmware.bin> -ppub <proxy_public_key.pem> This step can also be done using OpenSSL: openssl dgst -sha256 -verify <proxy_public_key.pem> -signature <proxy-signature.der> <firmware.bin>

License

Everything we did ourselves is licensed under the GNU GPLv3 License

Contributors

  • Benjamin Haschka
  • Sascha Tommasone
  • Paul Zinselmeyer