This repository has been archived by the owner on Jan 7, 2023. It is now read-only.

Add MRENCLAVE verification #65

Open
wants to merge 1 commit into
base: master
16 changes: 9 additions & 7 deletions Makefile.am
Expand Up @@ -63,7 +63,7 @@ CLEANFILES = Enclave_u.c Enclave_u.h Enclave.edl Enclave.signed.so \

server: sp

bin_PROGRAMS = client sp mrsigner
bin_PROGRAMS = client sp sigstruct

## You can't use $(wildcard ...) with automake so all source files
## have to be explicitly listed.
Expand All @@ -90,18 +90,20 @@ if AGENT_CURL
sp_SOURCES += agent_curl.cpp
endif

## mrsigner (helper app)
## sigstruct (helper app)

mrsigner_SOURCES = mrsigner.cpp crypto.c hexutil.c
sigstruct_SOURCES = sigstruct.cpp crypto.c hexutil.c

## Extract the enclave SIGSTRUCT and use it to calculate MRSIGNER
policy: mrsigner policy.in Enclave.signed.so
policy: sigstruct policy.in Enclave.signed.so
$(SGX_SIGN) dump -cssfile enclave_sigstruct_raw -dumpfile /dev/null -enclave Enclave.signed.so
sed -e "s^@MRSIGNER@^`./mrsigner.sh enclave_sigstruct_raw`^" policy.in > policy
sed -e "s^@MRSIGNER@^`./sigstruct.sh --mrsigner enclave_sigstruct_raw`^" \
-e "s^@MRENCLAVE@^`./sigstruct.sh --mrenclave enclave_sigstruct_raw`^" \
policy.in > policy
rm -f enclave_sigstruct_raw

sp_LDFLAGS= $(AM_LDFLAGS) @OPENSSL_LDFLAGS@ @CURL_LDFLAGS@
mrsigner_LDFLAGS= $(AM_LDFLAGS) @OPENSSL_LDFLAGS@
sigstruct_LDFLAGS= $(AM_LDFLAGS) @OPENSSL_LDFLAGS@

## Library flags. At minimum, an Intel SGX application will need:
##
Expand All @@ -113,7 +115,7 @@ mrsigner_LDFLAGS= $(AM_LDFLAGS) @OPENSSL_LDFLAGS@
client_LDADD=-l$(SGX_URTS_LIB) -lsgx_ukey_exchange -lcrypto \
-l:libsgx_capable.a -lpthread -ldl

mrsigner_LDADD=-lcrypto
sigstruct_LDADD=-lcrypto

sp_LDADD=-lcrypto @CURL_LIBS@
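Review bot: In the `policy` recipe both `sigstruct.sh` calls sit inside backticks on the `sed` command line, so their exit status is discarded: if either extraction fails or prints nothing, `sed` still succeeds and `policy` is written with an empty MRSIGNER or MRENCLAVE. This file is what client enclaves are checked against, so the rule should stop rather than emit a policy with a blank measurement. Capturing the two values in shell variables, testing that they are non-empty, and only then running `sed` does that; whether `sigstruct.sh` returns non-zero on failure is not visible here, so the non-empty test is the part that matters. The same recipe is repeated in the generated Makefile.in.

```make
policy: sigstruct policy.in Enclave.signed.so
# … unchanged: $(SGX_SIGN) dump into enclave_sigstruct_raw …
	mrsigner=`./sigstruct.sh --mrsigner enclave_sigstruct_raw` && \
	mrenclave=`./sigstruct.sh --mrenclave enclave_sigstruct_raw` && \
	test -n "$$mrsigner" && test -n "$$mrenclave" && \
	sed -e "s^@MRSIGNER@^$$mrsigner^" \
	    -e "s^@MRENCLAVE@^$$mrenclave^" \
	    policy.in > policy
# … unchanged: rm -f enclave_sigstruct_raw …
```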

44 changes: 23 additions & 21 deletions Makefile.in
Expand Up @@ -86,7 +86,7 @@ POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
bin_PROGRAMS = client$(EXEEXT) sp$(EXEEXT) mrsigner$(EXEEXT)
bin_PROGRAMS = client$(EXEEXT) sp$(EXEEXT) sigstruct$(EXEEXT)
@AGENT_CURL_TRUE@am__append_1 = agent_curl.cpp
subdir = .
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
Expand All @@ -100,7 +100,7 @@ am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
configure.lineno config.status.lineno
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = config.h
CONFIG_CLEAN_FILES = mrsigner.sh run-server run-client
CONFIG_CLEAN_FILES = sigstruct.sh run-server run-client
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(bindir)"
PROGRAMS = $(bin_PROGRAMS)
Expand All @@ -114,12 +114,12 @@ client_OBJECTS = $(am_client_OBJECTS) $(nodist_client_OBJECTS)
client_DEPENDENCIES =
client_LINK = $(CXXLD) $(AM_CXXFLAGS) $(CXXFLAGS) $(client_LDFLAGS) \
$(LDFLAGS) -o $@
am_mrsigner_OBJECTS = mrsigner.$(OBJEXT) crypto.$(OBJEXT) \
am_sigstruct_OBJECTS = sigstruct.$(OBJEXT) crypto.$(OBJEXT) \
hexutil.$(OBJEXT)
mrsigner_OBJECTS = $(am_mrsigner_OBJECTS)
mrsigner_DEPENDENCIES =
mrsigner_LINK = $(CXXLD) $(AM_CXXFLAGS) $(CXXFLAGS) \
$(mrsigner_LDFLAGS) $(LDFLAGS) -o $@
sigstruct_OBJECTS = $(am_sigstruct_OBJECTS)
sigstruct_DEPENDENCIES =
sigstruct_LINK = $(CXXLD) $(AM_CXXFLAGS) $(CXXFLAGS) \
$(sigstruct_LDFLAGS) $(LDFLAGS) -o $@
am__sp_SOURCES_DIST = sp.cpp agent_wget.cpp iasrequest.cpp \
enclave_verify.c byteorder.c common.cpp crypto.c hexutil.c \
fileio.c base64.c msgio.cpp logfile.c agent_curl.cpp
Expand Down Expand Up @@ -172,8 +172,8 @@ am__v_CXXLD_ = $(am__v_CXXLD_@AM_DEFAULT_V@)
am__v_CXXLD_0 = @echo " CXXLD " $@;
am__v_CXXLD_1 =
SOURCES = $(client_SOURCES) $(nodist_client_SOURCES) \
$(mrsigner_SOURCES) $(sp_SOURCES)
DIST_SOURCES = $(client_SOURCES) $(mrsigner_SOURCES) \
$(sigstruct_SOURCES) $(sp_SOURCES)
DIST_SOURCES = $(client_SOURCES) $(sigstruct_SOURCES) \
$(am__sp_SOURCES_DIST)
RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
ctags-recursive dvi-recursive html-recursive info-recursive \
Expand Down Expand Up @@ -219,7 +219,7 @@ CTAGS = ctags
CSCOPE = cscope
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \
$(srcdir)/mrsigner.sh.in $(srcdir)/run.in \
$(srcdir)/sigstruct.sh.in $(srcdir)/run.in \
$(top_srcdir)/build-aux/sgx_app.am compile depcomp install-sh \
missing
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
Expand Down Expand Up @@ -415,13 +415,13 @@ client_LDFLAGS = $(AM_LDFLAGS) @OPENSSL_LDFLAGS@
sp_SOURCES = sp.cpp agent_wget.cpp iasrequest.cpp enclave_verify.c \
$(common) $(am__append_1)
EXTRA_sp_DEPENDENCIES = Enclave.signed.so
mrsigner_SOURCES = mrsigner.cpp crypto.c hexutil.c
sigstruct_SOURCES = sigstruct.cpp crypto.c hexutil.c
sp_LDFLAGS = $(AM_LDFLAGS) @OPENSSL_LDFLAGS@ @CURL_LDFLAGS@
mrsigner_LDFLAGS = $(AM_LDFLAGS) @OPENSSL_LDFLAGS@
sigstruct_LDFLAGS = $(AM_LDFLAGS) @OPENSSL_LDFLAGS@
client_LDADD = -l$(SGX_URTS_LIB) -lsgx_ukey_exchange -lcrypto \
-l:libsgx_capable.a -lpthread -ldl

mrsigner_LDADD = -lcrypto
sigstruct_LDADD = -lcrypto
sp_LDADD = -lcrypto @CURL_LIBS@
all: $(BUILT_SOURCES) config.h
$(MAKE) $(AM_MAKEFLAGS) all-recursive
Expand Down Expand Up @@ -477,7 +477,7 @@ $(srcdir)/config.h.in: $(am__configure_deps)

distclean-hdr:
-rm -f config.h stamp-h1
mrsigner.sh: $(top_builddir)/config.status $(srcdir)/mrsigner.sh.in
sigstruct.sh: $(top_builddir)/config.status $(srcdir)/sigstruct.sh.in
cd $(top_builddir) && $(SHELL) ./config.status $@
run-server: $(top_builddir)/config.status $(srcdir)/run.in
cd $(top_builddir) && $(SHELL) ./config.status $@
Expand Down Expand Up @@ -526,13 +526,13 @@ uninstall-binPROGRAMS:
clean-binPROGRAMS:
-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)

client$(EXEEXT): $(client_OBJECTS) $(client_DEPENDENCIES) $(EXTRA_client_DEPENDENCIES)
client$(EXEEXT): $(client_OBJECTS) $(client_DEPENDENCIES) $(EXTRA_client_DEPENDENCIES)
@rm -f client$(EXEEXT)
$(AM_V_CXXLD)$(client_LINK) $(client_OBJECTS) $(client_LDADD) $(LIBS)

mrsigner$(EXEEXT): $(mrsigner_OBJECTS) $(mrsigner_DEPENDENCIES) $(EXTRA_mrsigner_DEPENDENCIES)
@rm -f mrsigner$(EXEEXT)
$(AM_V_CXXLD)$(mrsigner_LINK) $(mrsigner_OBJECTS) $(mrsigner_LDADD) $(LIBS)
sigstruct$(EXEEXT): $(sigstruct_OBJECTS) $(sigstruct_DEPENDENCIES) $(EXTRA_sigstruct_DEPENDENCIES)
@rm -f sigstruct$(EXEEXT)
$(AM_V_CXXLD)$(sigstruct_LINK) $(sigstruct_OBJECTS) $(sigstruct_LDADD) $(LIBS)

sp$(EXEEXT): $(sp_OBJECTS) $(sp_DEPENDENCIES) $(EXTRA_sp_DEPENDENCIES)
@rm -f sp$(EXEEXT)
Expand All @@ -557,7 +557,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hexutil.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iasrequest.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/logfile.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mrsigner.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sigstruct.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/msgio.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/quote_size.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sgx_detect_linux.Po@am__quote@
Expand Down Expand Up @@ -1039,9 +1039,11 @@ Enclave/Enclave.signed.so:

server: sp

policy: mrsigner policy.in Enclave.signed.so
policy: sigstruct policy.in Enclave.signed.so
$(SGX_SIGN) dump -cssfile enclave_sigstruct_raw -dumpfile /dev/null -enclave Enclave.signed.so
sed -e "s^@MRSIGNER@^`./mrsigner.sh enclave_sigstruct_raw`^" policy.in > policy
sed -e "s^@MRSIGNER@^`./sigstruct.sh --mrsigner enclave_sigstruct_raw`^" \
-e "s^@MRENCLAVE@^`./sigstruct.sh --mrenclave enclave_sigstruct_raw`^" \
policy.in > policy
rm -f enclave_sigstruct_raw

# Tell versions [3.59,3.63) of GNU make to not export all variables.
14 changes: 7 additions & 7 deletions configure
Expand Up @@ -5323,7 +5323,7 @@ cat >>confdefs.h <<_ACEOF
_ACEOF


ac_config_files="$ac_config_files mrsigner.sh run-server:run.in run-client:run.in Makefile Enclave/Makefile"
ac_config_files="$ac_config_files sigstruct.sh run-server:run.in run-client:run.in Makefile Enclave/Makefile"


cat >confcache <<\_ACEOF
Expand Down Expand Up @@ -6073,7 +6073,7 @@ do
case $ac_config_target in
"depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
"config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
"mrsigner.sh") CONFIG_FILES="$CONFIG_FILES mrsigner.sh" ;;
"sigstruct.sh") CONFIG_FILES="$CONFIG_FILES sigstruct.sh" ;;
"run-server") CONFIG_FILES="$CONFIG_FILES run-server:run.in" ;;
"run-client") CONFIG_FILES="$CONFIG_FILES run-client:run.in" ;;
"Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
Expand Down Expand Up @@ -6766,11 +6766,11 @@ $as_echo X"$file" |
done
}
;;
"mrsigner.sh":F) chmod -f 755 run-client run-server mrsigner.sh ;;
"run-server":F) chmod -f 755 run-client run-server mrsigner.sh ;;
"run-client":F) chmod -f 755 run-client run-server mrsigner.sh ;;
"Makefile":F) chmod -f 755 run-client run-server mrsigner.sh ;;
"Enclave/Makefile":F) chmod -f 755 run-client run-server mrsigner.sh ;;
"sigstruct.sh":F) chmod -f 755 run-client run-server sigstruct.sh ;;
"run-server":F) chmod -f 755 run-client run-server sigstruct.sh ;;
"run-client":F) chmod -f 755 run-client run-server sigstruct.sh ;;
"Makefile":F) chmod -f 755 run-client run-server sigstruct.sh ;;
"Enclave/Makefile":F) chmod -f 755 run-client run-server sigstruct.sh ;;

esac
done # for ac_tag
4 changes: 2 additions & 2 deletions configure.ac
Expand Up @@ -119,12 +119,12 @@ AC_DEFINE_UNQUOTED([DEFAULT_CA_BUNDLE_AUTO], ["$ac_cv_default_ca_bundle_auto"],
dnl Write our configuration
dnl ----------------------------------------------------------------------
AC_CONFIG_FILES([
mrsigner.sh
sigstruct.sh
run-server:run.in
run-client:run.in
Makefile
Enclave/Makefile
],[chmod -f 755 run-client run-server mrsigner.sh])
],[chmod -f 755 run-client run-server sigstruct.sh])

AC_OUTPUT

22 changes: 16 additions & 6 deletions enclave_verify.c
Expand Up @@ -41,17 +41,17 @@ static int _init= 0;

extern int verbose;

int verify_enclave_identity(sgx_measurement_t req_mr_signer,
sgx_prod_id_t req_isv_product_id, sgx_isv_svn_t min_isvsvn,
int allow_debug, sgx_report_body_t *report)
int verify_enclave_identity(sgx_measurement_t req_mr_enclave,
sgx_measurement_t req_mr_signer, sgx_prod_id_t req_isv_product_id,
sgx_isv_svn_t min_isvsvn, int allow_debug, sgx_report_body_t *report)
{
if ( verbose ) {
edividerWithText("Client enclave Identity");
eprintf("Enclave MRSIGNER = %s\n",
eprintf("Enclave MRSIGNER = %s\n",
hexstring((const char *) &report->mr_signer,
sizeof(sgx_measurement_t))
);
eprintf("Enclave MRENCLAVE = %s\n",
eprintf("Enclave MRENCLAVE = %s\n",
hexstring((const char *) &report->mr_enclave,
sizeof(sgx_measurement_t))
);
Expand Down Expand Up @@ -88,14 +88,24 @@ int verify_enclave_identity(sgx_measurement_t req_mr_signer,

// Does the MRSIGNER match?

if ( memcmp((const void *) &report->mr_signer,
if ( memcmp((const void *) &report->mr_signer,
(const void *) &req_mr_signer, sizeof(sgx_measurement_t) ) ) {

eprintf("MRSIGNER mismatch\n");

return 0;
}

// Does the MRENCLAVE match?

if ( memcmp((const void *) &report->mr_enclave,
(const void *) &req_mr_enclave, sizeof(sgx_measurement_t) ) ) {

eprintf("MRENCLAVE mismatch\n");

return 0;
}

return 1;
}
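Review bot: `verify_enclave_identity` now takes two adjacent by-value `sgx_measurement_t` arguments, `req_mr_enclave` then `req_mr_signer`, and the new one was inserted in front of the existing one, so a caller that passes them in the wrong order still compiles and would most likely just be rejected at the MRSIGNER compare. The function has no header comment; I would add one above the definition, for example `/* Returns 1 only if the report satisfies every identity requirement, 0 otherwise. Argument order: required MRENCLAVE first, then required MRSIGNER. */`. The prototype in enclave_verify.h names the same parameters `mrenclave` and `mrsigner`; using the `req_` names in both places would make the contract easier to read. The middle of the function lies between the two hunks and is not visible, so the comment should be checked against the checks made there.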

5 changes: 3 additions & 2 deletions enclave_verify.h
Expand Up @@ -7,8 +7,9 @@
extern "C" {
#endif

int verify_enclave_identity(sgx_measurement_t mrsigner, sgx_prod_id_t prodid,
sgx_isv_svn_t min_isvsvn, int allow_debug, sgx_report_body_t *report);
int verify_enclave_identity(sgx_measurement_t mrenclave,
sgx_measurement_t mrsigner, sgx_prod_id_t prodid,
sgx_isv_svn_t min_isvsvn, int allow_debug, sgx_report_body_t *report);

#ifdef __cplusplus
};
7 changes: 6 additions & 1 deletion policy.in
Expand Up @@ -8,10 +8,15 @@
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

# This hex string should match the signer of the enclave. This is used to
# prevents unauthorized enclaves (those from unrecognized ISVs/developers)
# prevent unauthorized enclaves (those from unrecognized ISVs/developers)
# from using the remote service.
MRSIGNER=@MRSIGNER@

# This hex string should match the measurement of the enclave code, also
# know as the enclave hash. This is used to prevent unauthorized enclaves
# (those with a different hash) from using the remote service.
MRENCLAVE=@MRENCLAVE@

# The product ID for the enclave. This must match the ProdId in the
# enclave confgiruation file.
PRODID=0
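Review bot: The new MRENCLAVE comment has a typo: `also know as the enclave hash` should read `also known as the enclave hash`. The comment would also be more useful if it said that MRENCLAVE changes whenever the enclave is rebuilt from different code or settings, so this file has to be regenerated (the `policy` make target) after each such build, whereas MRSIGNER stays the same for a given signing key. Without that hint, an operator who updates the enclave but keeps an old policy will only see `MRENCLAVE mismatch` rejections.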
1 change: 1 addition & 0 deletions run.in
Expand Up @@ -121,6 +121,7 @@ then
-i $IAS_PRIMARY_SUBSCRIPTION_KEY \
-j $IAS_SECONDARY_SUBSCRIPTION_KEY \
-A "$IAS_REPORT_SIGNING_CA_FILE" \
-M $MRENCLAVE \
-N $MRSIGNER \
-V $MIN_ISVSVN \
-R $PRODID \
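Review bot: The added `-M $MRENCLAVE \` is unquoted, so when MRENCLAVE is unset or empty (for example with a policy file generated before this change) the word disappears and `-M` is followed directly by `-N`. How sp parses its options is not visible here, but a getopt-style parser would then take `-N` as the MRENCLAVE value and misread the rest of the line. Quote it as `-M "$MRENCLAVE" \`, matching the `-A "$IAS_REPORT_SIGNING_CA_FILE"` line above, and ideally have the script exit with a clear message when MRENCLAVE is empty. The existing `-N $MRSIGNER` line has the same weakness. The enclosing `if` block starts and ends outside the hunk.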