This repository has been archived by the owner on Jan 7, 2023. It is now read-only.

Add MRENCLAVE verification
Related issue: #64
sbellem committed Feb 11, 2021
1 parent e82c1cd commit a6a43e5
Showing 11 changed files with 164 additions and 82 deletions.
16 changes: 9 additions & 7 deletions Makefile.am
Expand Up @@ -63,7 +63,7 @@ CLEANFILES = Enclave_u.c Enclave_u.h Enclave.edl Enclave.signed.so \

server: sp

bin_PROGRAMS = client sp mrsigner
bin_PROGRAMS = client sp sigstruct

## You can't use $(wildcard ...) with automake so all source files
## have to be explicitly listed.
Expand All @@ -90,18 +90,20 @@ if AGENT_CURL
sp_SOURCES += agent_curl.cpp
endif

## mrsigner (helper app)
## sigstruct (helper app)

mrsigner_SOURCES = mrsigner.cpp crypto.c hexutil.c
sigstruct_SOURCES = sigstruct.cpp crypto.c hexutil.c

## Extract the enclave SIGSTRUCT and use it to calculate MRSIGNER
policy: mrsigner policy.in Enclave.signed.so
policy: sigstruct policy.in Enclave.signed.so
$(SGX_SIGN) dump -cssfile enclave_sigstruct_raw -dumpfile /dev/null -enclave Enclave.signed.so
sed -e "s^@MRSIGNER@^`./mrsigner.sh enclave_sigstruct_raw`^" policy.in > policy
sed -e "s^@MRSIGNER@^`./sigstruct.sh --mrsigner enclave_sigstruct_raw`^" \
-e "s^@MRENCLAVE@^`./sigstruct.sh --mrenclave enclave_sigstruct_raw`^" \
policy.in > policy
rm -f enclave_sigstruct_raw

sp_LDFLAGS= $(AM_LDFLAGS) @OPENSSL_LDFLAGS@ @CURL_LDFLAGS@
mrsigner_LDFLAGS= $(AM_LDFLAGS) @OPENSSL_LDFLAGS@
sigstruct_LDFLAGS= $(AM_LDFLAGS) @OPENSSL_LDFLAGS@

## Library flags. At minimum, an Intel SGX application will need:
##
Expand All @@ -113,7 +115,7 @@ mrsigner_LDFLAGS= $(AM_LDFLAGS) @OPENSSL_LDFLAGS@
client_LDADD=-l$(SGX_URTS_LIB) -lsgx_ukey_exchange -lcrypto \
-l:libsgx_capable.a -lpthread -ldl

mrsigner_LDADD=-lcrypto
sigstruct_LDADD=-lcrypto

sp_LDADD=-lcrypto @CURL_LIBS@
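Review bot: The `policy` recipe still succeeds when `./sigstruct.sh` fails or prints nothing, because the exit status of a backtick substitution inside the sed expression is discarded; the result is a `policy` file with an empty `MRSIGNER=` or `MRENCLAVE=`. These values are what pin the enclave identity, so the target should fail instead of writing them empty. Capture both values first, test that they are non-empty, and write to a temporary file that is moved into place only on success. The recipe also runs `sigstruct.sh` without listing it as a prerequisite of `policy`, and the `##` comment above the rule still mentions only MRSIGNER.

```make
policy: sigstruct policy.in Enclave.signed.so
## … unchanged: $(SGX_SIGN) dump writing enclave_sigstruct_raw …
	mrsigner=`./sigstruct.sh --mrsigner enclave_sigstruct_raw` && \
	mrenclave=`./sigstruct.sh --mrenclave enclave_sigstruct_raw` && \
	test -n "$$mrsigner" && test -n "$$mrenclave" && \
	sed -e "s^@MRSIGNER@^$$mrsigner^" \
	    -e "s^@MRENCLAVE@^$$mrenclave^" \
	    policy.in > policy.tmp && mv -f policy.tmp policy
## … unchanged: rm -f enclave_sigstruct_raw …
```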

44 changes: 23 additions & 21 deletions Makefile.in
Expand Up @@ -86,7 +86,7 @@ POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
bin_PROGRAMS = client$(EXEEXT) sp$(EXEEXT) mrsigner$(EXEEXT)
bin_PROGRAMS = client$(EXEEXT) sp$(EXEEXT) sigstruct$(EXEEXT)
@AGENT_CURL_TRUE@am__append_1 = agent_curl.cpp
subdir = .
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
Expand All @@ -100,7 +100,7 @@ am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
configure.lineno config.status.lineno
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = config.h
CONFIG_CLEAN_FILES = mrsigner.sh run-server run-client
CONFIG_CLEAN_FILES = sigstruct.sh run-server run-client
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(bindir)"
PROGRAMS = $(bin_PROGRAMS)
Expand All @@ -114,12 +114,12 @@ client_OBJECTS = $(am_client_OBJECTS) $(nodist_client_OBJECTS)
client_DEPENDENCIES =
client_LINK = $(CXXLD) $(AM_CXXFLAGS) $(CXXFLAGS) $(client_LDFLAGS) \
$(LDFLAGS) -o $@
am_mrsigner_OBJECTS = mrsigner.$(OBJEXT) crypto.$(OBJEXT) \
am_sigstruct_OBJECTS = sigstruct.$(OBJEXT) crypto.$(OBJEXT) \
hexutil.$(OBJEXT)
mrsigner_OBJECTS = $(am_mrsigner_OBJECTS)
mrsigner_DEPENDENCIES =
mrsigner_LINK = $(CXXLD) $(AM_CXXFLAGS) $(CXXFLAGS) \
$(mrsigner_LDFLAGS) $(LDFLAGS) -o $@
sigstruct_OBJECTS = $(am_sigstruct_OBJECTS)
sigstruct_DEPENDENCIES =
sigstruct_LINK = $(CXXLD) $(AM_CXXFLAGS) $(CXXFLAGS) \
$(sigstruct_LDFLAGS) $(LDFLAGS) -o $@
am__sp_SOURCES_DIST = sp.cpp agent_wget.cpp iasrequest.cpp \
enclave_verify.c byteorder.c common.cpp crypto.c hexutil.c \
fileio.c base64.c msgio.cpp logfile.c agent_curl.cpp
Expand Down Expand Up @@ -172,8 +172,8 @@ am__v_CXXLD_ = $(am__v_CXXLD_@AM_DEFAULT_V@)
am__v_CXXLD_0 = @echo " CXXLD " $@;
am__v_CXXLD_1 =
SOURCES = $(client_SOURCES) $(nodist_client_SOURCES) \
$(mrsigner_SOURCES) $(sp_SOURCES)
DIST_SOURCES = $(client_SOURCES) $(mrsigner_SOURCES) \
$(sigstruct_SOURCES) $(sp_SOURCES)
DIST_SOURCES = $(client_SOURCES) $(sigstruct_SOURCES) \
$(am__sp_SOURCES_DIST)
RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
ctags-recursive dvi-recursive html-recursive info-recursive \
Expand Down Expand Up @@ -219,7 +219,7 @@ CTAGS = ctags
CSCOPE = cscope
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \
$(srcdir)/mrsigner.sh.in $(srcdir)/run.in \
$(srcdir)/sigstruct.sh.in $(srcdir)/run.in \
$(top_srcdir)/build-aux/sgx_app.am compile depcomp install-sh \
missing
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
Expand Down Expand Up @@ -415,13 +415,13 @@ client_LDFLAGS = $(AM_LDFLAGS) @OPENSSL_LDFLAGS@
sp_SOURCES = sp.cpp agent_wget.cpp iasrequest.cpp enclave_verify.c \
$(common) $(am__append_1)
EXTRA_sp_DEPENDENCIES = Enclave.signed.so
mrsigner_SOURCES = mrsigner.cpp crypto.c hexutil.c
sigstruct_SOURCES = sigstruct.cpp crypto.c hexutil.c
sp_LDFLAGS = $(AM_LDFLAGS) @OPENSSL_LDFLAGS@ @CURL_LDFLAGS@
mrsigner_LDFLAGS = $(AM_LDFLAGS) @OPENSSL_LDFLAGS@
sigstruct_LDFLAGS = $(AM_LDFLAGS) @OPENSSL_LDFLAGS@
client_LDADD = -l$(SGX_URTS_LIB) -lsgx_ukey_exchange -lcrypto \
-l:libsgx_capable.a -lpthread -ldl

mrsigner_LDADD = -lcrypto
sigstruct_LDADD = -lcrypto
sp_LDADD = -lcrypto @CURL_LIBS@
all: $(BUILT_SOURCES) config.h
$(MAKE) $(AM_MAKEFLAGS) all-recursive
Expand Down Expand Up @@ -477,7 +477,7 @@ $(srcdir)/config.h.in: $(am__configure_deps)

distclean-hdr:
-rm -f config.h stamp-h1
mrsigner.sh: $(top_builddir)/config.status $(srcdir)/mrsigner.sh.in
sigstruct.sh: $(top_builddir)/config.status $(srcdir)/sigstruct.sh.in
cd $(top_builddir) && $(SHELL) ./config.status $@
run-server: $(top_builddir)/config.status $(srcdir)/run.in
cd $(top_builddir) && $(SHELL) ./config.status $@
Expand Down Expand Up @@ -526,13 +526,13 @@ uninstall-binPROGRAMS:
clean-binPROGRAMS:
-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)

client$(EXEEXT): $(client_OBJECTS) $(client_DEPENDENCIES) $(EXTRA_client_DEPENDENCIES)
client$(EXEEXT): $(client_OBJECTS) $(client_DEPENDENCIES) $(EXTRA_client_DEPENDENCIES)
@rm -f client$(EXEEXT)
$(AM_V_CXXLD)$(client_LINK) $(client_OBJECTS) $(client_LDADD) $(LIBS)

mrsigner$(EXEEXT): $(mrsigner_OBJECTS) $(mrsigner_DEPENDENCIES) $(EXTRA_mrsigner_DEPENDENCIES)
@rm -f mrsigner$(EXEEXT)
$(AM_V_CXXLD)$(mrsigner_LINK) $(mrsigner_OBJECTS) $(mrsigner_LDADD) $(LIBS)
sigstruct$(EXEEXT): $(sigstruct_OBJECTS) $(sigstruct_DEPENDENCIES) $(EXTRA_sigstruct_DEPENDENCIES)
@rm -f sigstruct$(EXEEXT)
$(AM_V_CXXLD)$(sigstruct_LINK) $(sigstruct_OBJECTS) $(sigstruct_LDADD) $(LIBS)

sp$(EXEEXT): $(sp_OBJECTS) $(sp_DEPENDENCIES) $(EXTRA_sp_DEPENDENCIES)
@rm -f sp$(EXEEXT)
Expand All @@ -557,7 +557,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hexutil.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iasrequest.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/logfile.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mrsigner.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sigstruct.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/msgio.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/quote_size.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sgx_detect_linux.Po@am__quote@
Expand Down Expand Up @@ -1039,9 +1039,11 @@ Enclave/Enclave.signed.so:

server: sp

policy: mrsigner policy.in Enclave.signed.so
policy: sigstruct policy.in Enclave.signed.so
$(SGX_SIGN) dump -cssfile enclave_sigstruct_raw -dumpfile /dev/null -enclave Enclave.signed.so
sed -e "s^@MRSIGNER@^`./mrsigner.sh enclave_sigstruct_raw`^" policy.in > policy
sed -e "s^@MRSIGNER@^`./sigstruct.sh --mrsigner enclave_sigstruct_raw`^" \
-e "s^@MRENCLAVE@^`./sigstruct.sh --mrenclave enclave_sigstruct_raw`^" \
policy.in > policy
rm -f enclave_sigstruct_raw

# Tell versions [3.59,3.63) of GNU make to not export all variables.
14 changes: 7 additions & 7 deletions configure
Expand Up @@ -5323,7 +5323,7 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
ac_config_files="$ac_config_files mrsigner.sh run-server:run.in run-client:run.in Makefile Enclave/Makefile"
ac_config_files="$ac_config_files sigstruct.sh run-server:run.in run-client:run.in Makefile Enclave/Makefile"
cat >confcache <<\_ACEOF
Expand Down Expand Up @@ -6073,7 +6073,7 @@ do
case $ac_config_target in
"depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
"config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
"mrsigner.sh") CONFIG_FILES="$CONFIG_FILES mrsigner.sh" ;;
"sigstruct.sh") CONFIG_FILES="$CONFIG_FILES sigstruct.sh" ;;
"run-server") CONFIG_FILES="$CONFIG_FILES run-server:run.in" ;;
"run-client") CONFIG_FILES="$CONFIG_FILES run-client:run.in" ;;
"Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
Expand Down Expand Up @@ -6766,11 +6766,11 @@ $as_echo X"$file" |
done
}
;;
"mrsigner.sh":F) chmod -f 755 run-client run-server mrsigner.sh ;;
"run-server":F) chmod -f 755 run-client run-server mrsigner.sh ;;
"run-client":F) chmod -f 755 run-client run-server mrsigner.sh ;;
"Makefile":F) chmod -f 755 run-client run-server mrsigner.sh ;;
"Enclave/Makefile":F) chmod -f 755 run-client run-server mrsigner.sh ;;
"sigstruct.sh":F) chmod -f 755 run-client run-server sigstruct.sh ;;
"run-server":F) chmod -f 755 run-client run-server sigstruct.sh ;;
"run-client":F) chmod -f 755 run-client run-server sigstruct.sh ;;
"Makefile":F) chmod -f 755 run-client run-server sigstruct.sh ;;
"Enclave/Makefile":F) chmod -f 755 run-client run-server sigstruct.sh ;;
esac
done # for ac_tag
4 changes: 2 additions & 2 deletions configure.ac
Expand Up @@ -119,12 +119,12 @@ AC_DEFINE_UNQUOTED([DEFAULT_CA_BUNDLE_AUTO], ["$ac_cv_default_ca_bundle_auto"],
dnl Write our configuration
dnl ----------------------------------------------------------------------
AC_CONFIG_FILES([
mrsigner.sh
sigstruct.sh
run-server:run.in
run-client:run.in
Makefile
Enclave/Makefile
],[chmod -f 755 run-client run-server mrsigner.sh])
],[chmod -f 755 run-client run-server sigstruct.sh])

AC_OUTPUT

22 changes: 16 additions & 6 deletions enclave_verify.c
Expand Up @@ -41,17 +41,17 @@ static int _init= 0;

extern int verbose;

int verify_enclave_identity(sgx_measurement_t req_mr_signer,
sgx_prod_id_t req_isv_product_id, sgx_isv_svn_t min_isvsvn,
int allow_debug, sgx_report_body_t *report)
int verify_enclave_identity(sgx_measurement_t req_mr_enclave,
sgx_measurement_t req_mr_signer, sgx_prod_id_t req_isv_product_id,
sgx_isv_svn_t min_isvsvn, int allow_debug, sgx_report_body_t *report)
{
if ( verbose ) {
edividerWithText("Client enclave Identity");
eprintf("Enclave MRSIGNER = %s\n",
eprintf("Enclave MRSIGNER = %s\n",
hexstring((const char *) &report->mr_signer,
sizeof(sgx_measurement_t))
);
eprintf("Enclave MRENCLAVE = %s\n",
eprintf("Enclave MRENCLAVE = %s\n",
hexstring((const char *) &report->mr_enclave,
sizeof(sgx_measurement_t))
);
Expand Down Expand Up @@ -88,14 +88,24 @@ int verify_enclave_identity(sgx_measurement_t req_mr_signer,

// Does the MRSIGNER match?

if ( memcmp((const void *) &report->mr_signer,
if ( memcmp((const void *) &report->mr_signer,
(const void *) &req_mr_signer, sizeof(sgx_measurement_t) ) ) {

eprintf("MRSIGNER mismatch\n");

return 0;
}

// Does the MRENCLAVE match?

if ( memcmp((const void *) &report->mr_enclave,
(const void *) &req_mr_enclave, sizeof(sgx_measurement_t) ) ) {

eprintf("MRENCLAVE mismatch\n");

return 0;
}

return 1;
}
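Review bot: `req_mr_enclave` and `req_mr_signer` are now adjacent by-value parameters of the same type, so a call site that passes them in the opposite order compiles without a diagnostic and only surfaces at run time as a mismatch. The prototype in enclave_verify.h names them `mrenclave`, `mrsigner` rather than `req_mr_enclave`, `req_mr_signer`, which makes the order harder to cross-check. Add a header comment to the function stating the argument order, that both measurements must equal the values in the report, and that it returns 1 on acceptance and 0 on any failure, and use the same parameter names in the header. The MRENCLAVE comparison is unconditional, so a policy that supplies no MRENCLAVE presumably rejects every enclave; that is the safe default, but it is worth stating in the comment. The function body between the two hunks is outside the visible lines.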

5 changes: 3 additions & 2 deletions enclave_verify.h
Expand Up @@ -7,8 +7,9 @@
extern "C" {
#endif

int verify_enclave_identity(sgx_measurement_t mrsigner, sgx_prod_id_t prodid,
sgx_isv_svn_t min_isvsvn, int allow_debug, sgx_report_body_t *report);
int verify_enclave_identity(sgx_measurement_t mrenclave,
sgx_measurement_t mrsigner, sgx_prod_id_t prodid,
sgx_isv_svn_t min_isvsvn, int allow_debug, sgx_report_body_t *report);

#ifdef __cplusplus
};
7 changes: 6 additions & 1 deletion policy.in
Expand Up @@ -8,10 +8,15 @@
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

# This hex string should match the signer of the enclave. This is used to
# prevents unauthorized enclaves (those from unrecognized ISVs/developers)
# prevent unauthorized enclaves (those from unrecognized ISVs/developers)
# from using the remote service.
MRSIGNER=@MRSIGNER@

# This hex string should match the measurement of the enclave code, also
# know as the enclave hash. This is used to prevent unauthorized enclaves
# (those with a different hash) from using the remote service.
MRENCLAVE=@MRENCLAVE@

# The product ID for the enclave. This must match the ProdId in the
# enclave confgiruation file.
PRODID=0
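Review bot: In the added MRENCLAVE comment, `also know as the enclave hash` should read `also known as the enclave hash`. The comment should also tell the operator that this value changes whenever the enclave binary changes, so the policy has to be regenerated after each enclave rebuild, for example `# MRENCLAVE changes with every enclave build; regenerate this file with the "policy" make target.`. Without that note, a stale pinned hash will look like an attestation failure rather than a configuration issue.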
1 change: 1 addition & 0 deletions run.in
Expand Up @@ -121,6 +121,7 @@ then
-i $IAS_PRIMARY_SUBSCRIPTION_KEY \
-j $IAS_SECONDARY_SUBSCRIPTION_KEY \
-A "$IAS_REPORT_SIGNING_CA_FILE" \
-M $MRENCLAVE \
-N $MRSIGNER \
-V $MIN_ISVSVN \
-R $PRODID \
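Review bot: `-M $MRENCLAVE` is unquoted, so if MRENCLAVE is unset or empty (for example with a policy file generated before this commit) the word disappears and `-M` takes `-N` as its argument, shifting every option that follows. Quote it as `-M "$MRENCLAVE" \` so an empty value reaches the option parser as an empty string and can be rejected there. The neighbouring `-N $MRSIGNER`, `-V $MIN_ISVSVN` and `-R $PRODID` lines follow the same unquoted pattern, while `-A` is already quoted. The enclosing `then` block starts and ends outside the hunk.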
