[python] Rework graminelibos python library
This commit introduces new python APIs for managing manifests and SGX sigstructs, including MRENCLAVE generation, signing and token generation. This required a couple of rewrites, which hopefully resulted in cleaner code.

Signed-off-by: Borys Popławski <borysp@invisiblethingslab.com>
1 parent 6f002ec, commit 9a4fd15
Showing 27 changed files with 714 additions and 643 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
.. program:: gramine-sgx-get-token | ||
.. _gramine-sgx-get-token: | ||
|
||
=============================================================== | ||
:program:`gramine-sgx-get-token` -- Gramine SGX token generator | ||
=============================================================== | ||
|
||
Synopsis | ||
======== | ||
|
||
:command:`gramine-sgx-get-token` [*OPTION*]... --sig sigstruct_file | ||
--output token_file | ||
|
||
Description | ||
=========== | ||
|
||
:program:`gramine-sgx-get-token` is used to generate the SGX token file for | ||
given SIGSTRUCT (".sig" file). | ||
|
||
Command line arguments | ||
====================== | ||
|
||
.. option:: --sig sigstruct_file, -s sigstruct_file | ||
|
||
Path to the input file containing SIGSTRUCT. | ||
|
||
.. option:: --output token_file, -o token_file | ||
|
||
Path to the output token file. |
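Review bot: the Description ("is used to generate the SGX token file for given SIGSTRUCT") does not say what the token is for or when a user needs one, and the Synopsis advertises `[*OPTION*]...` although the only options documented on this page are the two mandatory ones, `--sig` and `--output`. Either drop the `[*OPTION*]...` placeholder or document the remaining options, and add one sentence to the Description on when a token is required so readers know whether they need to run this tool at all. Minor wording: "for given SIGSTRUCT" reads better as "for a given SIGSTRUCT".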
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
.. program:: gramine-sgx-sign | ||
.. _gramine-sgx-sign: | ||
|
||
========================================================== | ||
:program:`gramine-sgx-sign` -- Gramine SIGSTRUCT generator | ||
========================================================== | ||
|
||
Synopsis | ||
======== | ||
|
||
:command:`gramine-sgx-sign` [*OPTION*]... --output output_manifest | ||
--key key_file --manifest manifest_file | ||
|
||
Description | ||
=========== | ||
|
||
:program:`gramine-sgx-sign` is used to expand Trusted Files and generate | ||
signature file for given input manifest and libpal file (main Gramine binary). | ||
|
||
Command line arguments | ||
====================== | ||
|
||
.. option:: --output output_manifest, -o output_manifest | ||
|
||
Path to the output manifest file (with Trusted Files expanded). | ||
|
||
.. option:: --key key_file, -k key_file | ||
|
||
Path to the private key used for signing. | ||
|
||
.. option:: --manifest manifest_file, -m manifest_file | ||
|
||
Input manifest file. | ||
|
||
.. option:: --libpal libpal_path, -l libpal_path | ||
|
||
Path to libpal file (main Gramine binary). | ||
|
||
.. option:: --sigfile sigfile, -s sigfile | ||
|
||
Path to the output file containing SIGSTRUCT. If not provided, | ||
`manifest_file` will be used with ".manifest" (if present) removed from | ||
the end and with ".sig" appended. |
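Review bot: `--libpal` documents neither a default nor that the option may be omitted, and the Synopsis leaves it out, so a reader cannot tell what is used when `-l` is not passed; state the default libpal path here (or mark the option as required) so the page matches the tool's behaviour. Two smaller points: under `--sigfile`, `manifest_file` is written with single backticks, which in reStructuredText is interpreted text rather than a literal; use double backticks (``manifest_file``). The Description "generate signature file for given input manifest" wants articles ("generate a signature file for a given input manifest").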
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
#!/usr/bin/env python3 | ||
# SPDX-License-Identifier: LGPL-3.0-or-later | ||
# Copyright (c) 2021 Intel Corporation | ||
# Borys Popławski <borysp@invisiblethingslab.com> | ||
|
||
import os | ||
|
||
import click | ||
|
||
from graminelibos import Manifest, _CONFIG_PKGLIBDIR | ||
|
||
@click.command() | ||
@click.option('--manifest', '-m', 'manifest_file', type=click.File('r', encoding='utf-8'), | ||
required=True, help='Input .manifest file') | ||
@click.option('--libpal', '-l', type=click.Path(exists=True, dir_okay=False), | ||
default=os.path.join(_CONFIG_PKGLIBDIR, 'sgx/libpal.so'), help='Input libpal file', | ||
show_default=True) | ||
@click.option('--output', '-o', type=click.File('w', encoding='utf-8'), required=True, | ||
help='Output .manifest.d file') | ||
def main(manifest_file, libpal, output): | ||
manifest = Manifest.load(manifest_file) | ||
|
||
dependencies = manifest.get_dependencies() | ||
dependencies.add(libpal) | ||
|
||
output.write(f'{manifest_file.name}:') | ||
for filename in dependencies: | ||
output.write(f' \\\n\t(unknown)') | ||
output.write('\n') | ||
|
||
if __name__ == '__main__': | ||
main() # pylint: disable=no-value-for-parameter |
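Review bot: the output loop writes the literal `(unknown)` for every dependency and never uses the loop variable `filename`, so the generated `.manifest.d` rule lists no real paths; the write should interpolate the name, e.g. `output.write(f' \\\n\t{filename}')`. Two further points on the same loop: `dependencies` is a set (`dependencies.add(libpal)`), so the order of entries varies between runs with Python's string hash randomisation, making the dependency file non-reproducible; iterate over `sorted(dependencies)`. And the paths are emitted into Makefile syntax unescaped, so a dependency containing a space, `$` or `:` yields a malformed rule; escape those characters or document the restriction.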
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,33 @@ | ||
#!/usr/bin/env python3 | ||
# SPDX-License-Identifier: LGPL-3.0-or-later | ||
# Copyright (c) 2021 Intel Corporation | ||
# Borys Popławski <borysp@invisiblethingslab.com> | ||
|
||
import sys | ||
from graminelibos.manifest import main | ||
sys.exit(main()) | ||
import click | ||
|
||
from graminelibos import Manifest | ||
|
||
def validate_define(_ctx, _param, values): | ||
ret = {} | ||
for value in values: | ||
try: | ||
k, v = value.split('=', 1) | ||
except ValueError: | ||
k, v = value, True | ||
ret[k] = v | ||
return ret | ||
|
||
@click.command() | ||
@click.option('--string', '-c') | ||
@click.option('--define', '-D', multiple=True, callback=validate_define) | ||
@click.argument('infile', type=click.File('r'), required=False) | ||
@click.argument('outfile', type=click.File('w'), default='-') | ||
def main(string, define, infile, outfile): | ||
if not bool(string) ^ bool(infile): | ||
click.get_current_context().fail('specify exactly one of (infile, -c)') | ||
template = infile.read() if infile else string | ||
manifest = Manifest.from_template(template, define) | ||
manifest.dump(outfile) | ||
|
||
if __name__ == '__main__': | ||
main() # pylint: disable=no-value-for-parameter |
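Review bot: `infile` and `outfile` are opened with `click.File('r')` / `click.File('w')` without `encoding='utf-8'`, unlike `--manifest` in the sibling scripts of this commit, so the template is decoded with the locale encoding and a manifest with non-ASCII content can fail or be mangled under a C locale; pass `encoding='utf-8'` on both. Also `validate_define` does not validate anything; it parses `KEY=VALUE` pairs, a bare `-D KEY` becomes `True`, and a repeated key silently overwrites the earlier value. Rename it to `parse_define` and consider failing on duplicate keys. Lastly, `bool(string)` treats `-c ''` as "not given", so an empty template string produces the "specify exactly one" error; testing `string is not None` avoids that.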
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,19 @@ | ||
#!/usr/bin/env python3 | ||
# SPDX-License-Identifier: LGPL-3.0-or-later | ||
# Copyright (c) 2021 Intel Corporation | ||
# Borys Popławski <borysp@invisiblethingslab.com> | ||
|
||
import sys | ||
from graminelibos.sgx_get_token import main | ||
sys.exit(main()) | ||
import click | ||
|
||
from graminelibos import Sigstruct, get_token | ||
|
||
@click.command() | ||
@click.option('--sig', '-s', type=click.File('rb'), required=True, help='sigstruct file') | ||
@click.option('--output', '-o', type=click.File('wb'), required=True, help='Output token file') | ||
def main(sig, output): | ||
sig = Sigstruct.from_bytes(sig.read()) | ||
token = get_token(sig) | ||
output.write(token) | ||
|
||
if __name__ == '__main__': | ||
main() # pylint: disable=no-value-for-parameter |
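Review bot: `sig` is rebound from the opened file object to the parsed `Sigstruct` in the first line of `main`, which obscures which object is which in a three-line function; name the parsed value `sigstruct`. Nothing here checks that the input is actually a SIGSTRUCT (size or magic) before it is handed to `get_token`, so if `Sigstruct.from_bytes` accepts short or malformed input, passing the wrong file (for example the manifest instead of the `.sig`) will only fail somewhere inside `get_token` with an unhelpful error; a length check with an explicit message would make that misuse obvious.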
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,45 @@ | ||
#!/usr/bin/env python3 | ||
# SPDX-License-Identifier: LGPL-3.0-or-later | ||
# Copyright (c) 2021 Intel Corporation | ||
# Borys Popławski <borysp@invisiblethingslab.com> | ||
|
||
import sys | ||
from graminelibos.sgx_sign import main | ||
sys.exit(main()) | ||
import datetime | ||
|
||
import click | ||
|
||
from graminelibos import Manifest, get_tbssigstruct, sign_with_local_key | ||
|
||
@click.command() | ||
@click.option('--output', '-o', type=click.Path(), required=True, | ||
help='Output .manifest.sgx file (manifest augmented with autogenerated fields)') | ||
@click.option('--libpal', '-l', type=click.Path(exists=True, dir_okay=False), | ||
help='Input libpal file') | ||
@click.option('--key', '-k', type=click.Path(exists=True, dir_okay=False), required=True, | ||
help='specify signing key (.pem) file') | ||
@click.option('--manifest', '-m', 'manifest_file', type=click.File('r', encoding='utf-8'), | ||
required=True, help='Input .manifest file') | ||
@click.option('--sigfile', '-s', help='Output .sig file') | ||
def main(output, libpal, key, manifest_file, sigfile): | ||
manifest = Manifest.load(manifest_file) | ||
|
||
manifest.expand_all_trusted_files() | ||
|
||
with open(output, 'w', encoding='utf-8') as f: | ||
manifest.dump(f) | ||
|
||
if not sigfile: | ||
if manifest_file.name.endswith('.manifest'): | ||
sigfile = manifest_file.name[:-len('.manifest')] | ||
else: | ||
sigfile = manifest_file.name | ||
sigfile += '.sig' | ||
|
||
today = datetime.date.today() | ||
sigstruct = get_tbssigstruct(output, today, libpal) | ||
sigstruct.sign(sign_with_local_key, key) | ||
|
||
with open(sigfile, 'wb') as f: | ||
f.write(sigstruct.to_bytes()) | ||
|
||
if __name__ == '__main__': | ||
main() # pylint: disable=no-value-for-parameter |
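Review bot: `--libpal` is neither `required=True` nor given a default here, whereas the dependency-generation script in this commit defaults it to `os.path.join(_CONFIG_PKGLIBDIR, 'sgx/libpal.so')`; as written, omitting `-l` passes `None` into `get_tbssigstruct`, and the documentation page in this commit does not say what happens then. Give it the same default so both tools agree. Second, `datetime.date.today()` is baked into the SIGSTRUCT, so signing the same manifest on two different days yields two different signatures; an override (an environment variable or a `--date` option) would allow reproducible signing. Third, the `.sig` path derivation uses `manifest_file.name`, which is `<stdin>` when the manifest is read from standard input, so the default output becomes `<stdin>.sig`; either reject `-` for `--manifest` or require `--sigfile` in that case.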