ee1b66a24b
All checks were successful
Latex Build / build-latex (Assignment 4 - Protokollsicherheit (Praxis)) (push) Successful in 1m5s
Latex Build / build-latex (Assignment 5 - Software Security - Teil 1) (push) Successful in 1m4s
Latex Build / build-latex (Assignment 6 - Software Security - Teil 2) (push) Successful in 1m1s
Latex Build / build-latex (Assignment 4 - Protokollsicherheit (Praxis)) (pull_request) Successful in 33s
Latex Build / build-latex (Assignment 5 - Software Security - Teil 1) (pull_request) Successful in 8s
Latex Build / build-latex (Assignment 6 - Software Security - Teil 2) (pull_request) Successful in 6s
75 lines
2.3 KiB
Markdown
75 lines
2.3 KiB
Markdown
# Signature Relay for firmware
|
|
|
|
Documentation of the Assignment 7 in Systems Security at Ruhr-Universität Bochum.
|
|
This is a program, that uses a TEE to build a signature relay to sign firmware with a master key.
|
|
For more informationm, read the [project description](doc/abgabe.pdf).
|
|
|
|
We recommend viewing the [repository](https://git.pfzetto.de/RubNoobs/Systemsicherheit/src/branch/Assignment-7-sgximpl/7-SGX_Hands-on) we worked on together at.
|
|
|
|
## Requirements
|
|
|
|
You will need the latest version of OpenSSL.
|
|
Execute the following command to automatically meet all requirements.
|
|
|
|
```bash
|
|
$ ./src/setup
|
|
```
|
|
|
|
|
|
## Compiling
|
|
|
|
This project can be compiled for simulation environments or directly on the hardware.
|
|
|
|
1. **Simulated environment**
|
|
|
|
At project root type the command
|
|
|
|
```bash
|
|
$ make SGX_MODE=SIM
|
|
```
|
|
|
|
2. **Hardware**
|
|
|
|
At project root type the command
|
|
|
|
```bash
|
|
$ make
|
|
```
|
|
|
|
That creates all the necessary objects and binaries to execute.
|
|
The executable binary will be `src/signatureproxy`.
|
|
|
|
## Running
|
|
|
|
## Running story
|
|
|
|
To execute an example usage of the project, execute `./src/simulate`.
|
|
Note, that this will only work, if you sucessfully compiled the project.
|
|
|
|
## Manual Usage
|
|
|
|
### Setup
|
|
|
|
Go to the `src` directory.
|
|
|
|
Initialize the Enclave keypair by executing:
|
|
`./signatureproxy proxysetup -pkey <sealed_proxy_key.bin> > <proxy_public_key.pem>`
|
|
|
|
### Sign
|
|
1. Create employee signature using `./signatureproxy employee -firm <firmware.bin> -ekey <employee_privat_key.pem> > <employee_signature.der>`
|
|
This step can also be done using OpenSSL: `openssl dgst -sha256 -sign <employee_private_key.pem> -out <employee_signature.der> -in <firmware.bin>`
|
|
2. Use the signature proxy to resign the firmware using `./signatureproxy proxy -pkey <sealed_proxy_key.bin> -epub <employee_public_key.der> -firm <firmware.bin> > <proxy_signature.der>`
|
|
The enclave verifies the employee signature and signs the firmware if the signature is valid.
|
|
3. Verify signature using `cat <proxy_signature.der> | ./signatureproxy embedded -firm <firmware.bin> -ppub <proxy_public_key.pem>`
|
|
This step can also be done using OpenSSL: `openssl dgst -sha256 -verify <proxy_public_key.pem> -signature <proxy-signature.der> <firmware.bin>`
|
|
|
|
|
|
## License
|
|
|
|
Everything we did ourselves is licensed under the [GNU GPLv3 License](./LICENSE)
|
|
|
|
## Contributors
|
|
|
|
- Benjamin Haschka
|
|
- Sascha Tommasone
|
|
- Paul Zinselmeyer
|