Update PDO TP with more sgx attestation checks.

This commit adds the sgx debug flag to the TP policy, dependent on PDO_DEBUG_BUILD. Inside the TP, it adds the 64-bit flag check, and it checks that that debug flag matches the one in registered TP policy. Signed-off-by: Bruno Vavala <bruno.vavala@intel.com>
hyperledger-labs · May 13, 2024 · b6e54a8 · b6e54a8
1 parent 0a9ab12
commit b6e54a8
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 14 deletions.
diff --git a/eservice/bin/register-with-ledger.sh b/eservice/bin/register-with-ledger.sh
@@ -78,16 +78,23 @@ function Register {
     else
         VAR_MRENCLAVE=$(grep -o 'MRENCLAVE:.*' ${eservice_enclave_info_file} | cut -f2- -d:)
         VAR_BASENAME=$(grep -o 'BASENAME:.*' ${eservice_enclave_info_file} | cut -f2- -d:)
+        SGX_DEBUG_FLAG=${PDO_DEBUG_BUILD:-0}
 
         : "${PDO_LEDGER_URL:?Registration failed! PDO_LEDGER_URL environment variable not set}"
         : "IAS_KEY_PEM" "${IAS_KEY_PEM:?Registration failed! PDO_IAS_KEY_PEM environment variable not set}"
 
         if [ ${PDO_LEDGER_TYPE} == "ccf" ]; then
-            yell Register enclave with CCF ledger: mrenclave=${VAR_MRENCLAVE} basename=${VAR_BASENAME}
+            yell Register enclave with CCF ledger: \
+                sgx_debug_flag=${SGX_DEBUG_FLAG} \
+                mrenclave=${VAR_MRENCLAVE} \
+                basename=${VAR_BASENAME}
             source ${PDO_INSTALL_ROOT}/bin/activate
             try ${PDO_INSTALL_ROOT}/bin/ccf_set_expected_sgx_measurements \
-                --logfile __screen__ --loglevel INFO --mrenclave ${VAR_MRENCLAVE} \
-                --basename  ${VAR_BASENAME} --ias-public-key "$(cat $IAS_KEY_PEM)"
+                --logfile __screen__ --loglevel INFO \
+                --mrenclave ${VAR_MRENCLAVE} \
+                --basename  ${VAR_BASENAME} \
+                --sgx-debug-flag "${SGX_DEBUG_FLAG}" \
+                --ias-public-key "$(cat $IAS_KEY_PEM)"
         else
             die unsupported ledger ${PDO_LEDGER_TYPE}
         fi

diff --git a/ledgers/ccf/pdo/ledgers/ccf/scripts/set_expected_sgx_measurements.py b/ledgers/ccf/pdo/ledgers/ccf/scripts/set_expected_sgx_measurements.py
@@ -30,6 +30,7 @@ def set_contract_enclave_expected_sgx_measurements(client, options):
     params['mrenclave'] = options.mrenclave
     params['basename'] = options.basename
     params['ias_public_key'] = options.ias_public_key
+    params['sgx_debug_flag'] = options.sgx_debug_flag
 
     r = client.post("/app/set_contract_enclave_expected_sgx_measurements", params)
     if r.status_code != http.HTTPStatus.OK.value:
@@ -50,10 +51,14 @@ def Main() :
     parser.add_argument('--basename', help="PDO enclave basename", type=str)
     parser.add_argument('--ias-public-key', 
                         help="IAS public key derived from cert used to verify report signatures", type=str)
+    parser.add_argument('--sgx-debug-flag', help="PDO enclave sgx debug flag", type=str)
 
     local_options = parser.parse_args(unprocessed_args)
 
-    if (not local_options.mrenclave) or (not local_options.basename) or (not local_options.ias_public_key):
+    if (not local_options.mrenclave) or \
+            (not local_options.basename) or \
+            (not local_options.ias_public_key) or \
+            (not local_options.sgx_debug_flag):
         parser.print_help()
         sys.exit(-1)
 

diff --git a/ledgers/ccf/transaction_processor/enclave_registry.h b/ledgers/ccf/transaction_processor/enclave_registry.h
@@ -31,13 +31,15 @@ namespace ccf
     string mrenclave;
     string basename;
     string ias_public_key;
+    string sgx_debug_flag;
   };
 
   DECLARE_JSON_TYPE(ContractEnclaveExpectedSGXMeasurements);
   DECLARE_JSON_REQUIRED_FIELDS(ContractEnclaveExpectedSGXMeasurements,
     mrenclave,
     basename,
-    ias_public_key);
+    ias_public_key,
+    sgx_debug_flag);
 
 
   struct ProofData{
@@ -134,6 +136,7 @@ namespace ccf
       string mrenclave;
       string basename;
       string ias_public_key;
+      string sgx_debug_flag;
     };
   };
 
@@ -152,6 +155,6 @@ namespace ccf
   DECLARE_JSON_REQUIRED_FIELDS(RegisterContractEnclaveAttestionCheckFlag::In, check_attestation);
 
   DECLARE_JSON_TYPE(RegisterContractEnclaveExpectedSGXMeasurements::In);
-  DECLARE_JSON_REQUIRED_FIELDS(RegisterContractEnclaveExpectedSGXMeasurements::In, mrenclave, basename, ias_public_key);
+  DECLARE_JSON_REQUIRED_FIELDS(RegisterContractEnclaveExpectedSGXMeasurements::In, mrenclave, basename, ias_public_key, sgx_debug_flag);
 
 }
diff --git a/ledgers/ccf/transaction_processor/pdo_tp.cpp b/ledgers/ccf/transaction_processor/pdo_tp.cpp
@@ -116,6 +116,13 @@ namespace ccfapp
             expected_sgx_measurements.mrenclave = in.mrenclave;
             expected_sgx_measurements.basename = in.basename;
             expected_sgx_measurements.ias_public_key = in.ias_public_key;
+            expected_sgx_measurements.sgx_debug_flag = in.sgx_debug_flag;
+
+            // post assignment checks
+            if(expected_sgx_measurements.sgx_debug_flag.length() != 1)
+                return ccf::make_error(
+                    HTTP_STATUS_BAD_REQUEST, ccf::errors::InvalidInput,
+                    "Invalid sgx debug flag length: " + to_string(expected_sgx_measurements.sgx_debug_flag.length()));
 
             //store the data
             contract_enclave_expected_sgx_measurements_view->put(PDO_ENCLAVE_EXPECTED_SGX_MEASUREMENTS, expected_sgx_measurements);
@@ -246,15 +253,14 @@ namespace ccfapp
                 5. nonce
                 6. basename
                 7. user report data
+                8. 64-bit flag
+                9. sgx debug flag
 
-		Note that we do not currently verify whether the enclave debug
-		flag is turned on or not. In order to ensure that the enclave is
-		run in a mode that supports enhanced-confidentiality and
-		execution integrity, the debug flag (SGX_FLAGS_DEBUG /
-		0x0000000000000002ULL in the report's attribute) should be set
-		to 0. For additional details on how we plan to support this
-		check, please see
-		https://github.com/hyperledger-labs/private-data-objects/issues/195.
+                Note that we do not currently verify whether the TCB version of the enclave.
+                This must be implemented to ensure that the enclave does not run using an old
+                superseded TCB.
+                For additional details on how we plan to support this check, please see
+                https://github.com/hyperledger-labs/private-data-objects/issues/195.
 
                 */
 
@@ -364,6 +370,18 @@ namespace ccfapp
                         HTTP_STATUS_BAD_REQUEST, ccf::errors::InvalidInput, "Enclave attestation report verification Failed. Invalid user report data");
                 }
 
+                // Verify 64-bit enclave
+                if((reportBody->attributes.flags & SGX_FLAGS_MODE64BIT) == 0)
+                    return ccf::make_error(HTTP_STATUS_BAD_REQUEST, ccf::errors::InvalidInput,
+                        "Enclave attestation report verification Failed. Enclave is not 64-bit");
+
+                // Verify SGX debug flag
+                std::string flag = std::to_string((reportBody->attributes.flags & SGX_FLAGS_DEBUG) > 0);
+                if(flag != expected_sgx_measurements.sgx_debug_flag)
+                    return ccf::make_error(HTTP_STATUS_BAD_REQUEST, ccf::errors::InvalidInput,
+                        "Enclave attestation report verification Failed. Enclave debug flag " + flag + 
+                        " does not match policy " + expected_sgx_measurements.sgx_debug_flag);
+
             }