Skip to content
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
36 lines (29 sloc) 1.81 KB
enclave {
include "pwenclave.h"
trusted {
/* Set up a new region. region_key contains a good quality cryptographic key that should be kept offline.
* During this call, write_region_data will be called to store the sealed region key. */
public uint32_t pw_region_enroll([in, size=rklen] const uint8_t *region_key, uint32_t rklen);
/* Generate a fresh salt, and then generate a password hash using pbkdf2.
* Then use SGX sealing to store the salt and correct hash for later use by pw_check.
* On success, up to bloblen_in bytes at blob are written to, and the number of bytes
* written is stored at bloblen_out. */
public uint32_t pw_setup([in, size=pwlen] const uint8_t *password, uint32_t pwlen,
[out, size=bloblen_in] uint8_t *blob, uint32_t bloblen_in, [out] uint32_t *bloblen_out);
/* Using a sealed salt+hash from pw_setup, check the given password.
* This returns PW_OK if the password is correct, or PW_BAD_GUESS if not.
* It will return PW_BLOB_INVALID if the sealed blob is somehow invalid. */
public uint32_t pw_check([in, size=pwlen] const uint8_t *password, size_t pwlen,
[in, size=bloblen] const uint8_t *blob, uint32_t bloblen);
untrusted {
/* Emit debugging from enclave to outside. Obviously, this must not contain any
* sensitive data! */
void emit_debug([string,in] const char *str);
/* Write sealed region key to disk. This is called only during pw_region_enroll. */
uint32_t write_region_data([in, size=bloblen] const uint8_t *blob, uint32_t bloblen);
/* Read sealed region key from disk. This is called as needed, and the result is cached. */
uint32_t read_region_data([out, size=bloblen_in] uint8_t *blob, uint32_t bloblen_in, [out] uint32_t *bloblen_out);
You can’t perform that action at this time.