orc tool: support for signing SGXS binaries #1056
Codecov Report
@@ Coverage Diff @@
## main #1056 +/- ##
=======================================
Coverage 68.14% 68.14%
=======================================
Files 128 128
Lines 11061 11061
=======================================
Hits 7537 7537
Misses 3492 3492
Partials 32 32
Yawning approved these changes Jul 22, 2022
ptrus force-pushed the ptrus/features/orctool-sgx-signing branch 9 times, most recently from d6bda44 to 381bf28 (July 27, 2022 06:15)
Yawning reviewed Jul 27, 2022
kostko reviewed Jul 28, 2022
kostko force-pushed the ptrus/features/orctool-sgx-signing branch from 381bf28 to d7a2812 (August 3, 2022 08:12)
kostko approved these changes Aug 3, 2022
tjanez pushed a commit to oasisprotocol/cli that referenced this pull request Sep 20, 2022
tjanez pushed a commit to oasisprotocol/cli that referenced this pull request Oct 11, 2022
tjanez pushed a commit to oasisprotocol/cli that referenced this pull request Oct 11, 2022
tjanez pushed a commit to oasisprotocol/cli that referenced this pull request Oct 11, 2022
tjanez pushed a commit to oasisprotocol/cli that referenced this pull request Oct 11, 2022
tjanez pushed a commit to oasisprotocol/cli that referenced this pull request Oct 11, 2022
This adds support for offline signing of SGX enclaves, removing the need for https://github.com/oasislabs/rust-sgx/tree/ravenac95/sgxs-sign-support-offline-sign

Changes:
- `orc sgx-sign-data <bundle.orc>` subcommand is added which constructs the SIGSTRUCT and outputs the hash to be signed (this replaces the `sgx-sign gendata` from the rust-sgx tool).
- `orc sgx-set-sig <bundle.orc> <signature.sig> <public_key.pub>` is updated so that it accepts the signature (of the SIGSTRUCT hash) and the signing public key. It then constructs the signed SIGSTRUCT and inserts it into the manifest (this replaces the two-step process from before, which used: `sgx-sign catsig` and `orc sgx-set-sig`)

At the moment the command flags for configuring the SIGSTRUCT fields match arguments in the rust-sgx tool: https://github.com/oasislabs/rust-sgx/blob/79ceb56714234f30576d8ccb61548828cfd934c4/sgxs-tools/src/bin/sgxs-sign.rs#L110-L121

NOTE: The above code says that: "ATTRIBUTES.XFRM and inverse ATTRIBUTEMASK.XFRM fields (default: 0x3/0)", but due to a bug the `ATTRIBUTEMASK.XFRM` actually defaults to `0x3` (the command ignores the flag) and it uses the default defined here: https://github.com/oasislabs/rust-sgx/blob/79ceb56714234f30576d8ccb61548828cfd934c4/sgxs/src/sigstruct.rs#L80-L84

TODO:
- `orc sgx-sign-data` should match the `sgx-sign gendata` )
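The split the description relies on (hash the unsigned SIGSTRUCT, sign offline, then fill in the key-dependent fields) can be sketched as follows. This is an added example, not code from this pull request or from the orc tool: the field offsets follow the SIGSTRUCT layout in the Intel SDM, the names `SignData` and `SetSignature` are hypothetical, and the sample values in `main` are constructed toy numbers rather than a real RSA-3072 key.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math/big"
)

// SIGSTRUCT field offsets per the Intel SDM (1808-byte structure, exponent fixed at 3).
const (
	offModulus, offExponent, offSignature = 128, 512, 516
	offQ1, offQ2                          = 1040, 1424
	offBody, keyBytes                     = 900, 384
)

// SignData returns the SHA-256 digest handed to the offline signer: header (0..127) plus body (900..1027).
func SignData(s []byte) [32]byte {
	msg := append(append([]byte{}, s[:128]...), s[offBody:offBody+128]...)
	return sha256.Sum256(msg)
}

// putLE stores v little-endian in a fixed-width field.
func putLE(dst []byte, v *big.Int) {
	be := v.FillBytes(make([]byte, len(dst)))
	for i := range dst {
		dst[i] = be[len(be)-1-i]
	}
}

// SetSignature fills MODULUS, EXPONENT, SIGNATURE and the derived Q1/Q2 fields.
// Q1 = floor(sig^2 / n), Q2 = floor(sig * (sig^2 mod n) / n); none of these are hashed.
func SetSignature(s []byte, sig, n *big.Int) (q1, q2 *big.Int) {
	sq := new(big.Int).Mul(sig, sig)
	q1 = new(big.Int).Div(sq, n)
	r := new(big.Int).Mod(sq, n)
	q2 = new(big.Int).Div(r.Mul(r, sig), n)
	for off, v := range map[int]*big.Int{offModulus: n, offSignature: sig, offQ1: q1, offQ2: q2} {
		putLE(s[off:off+keyBytes], v)
	}
	s[offExponent] = 3
	return q1, q2
}

func main() {
	s := make([]byte, 1808) // constructed, all-zero SIGSTRUCT
	fmt.Printf("digest to sign: %x\n", SignData(s))
	q1, q2 := SetSignature(s, big.NewInt(123456), big.NewInt(1000003)) // toy values
	fmt.Println("q1:", q1, "q2:", q2)
}
```

Because the digest covers only the header and body, flag-controlled fields such as ATTRIBUTES and ATTRIBUTEMASK must be final before the hash is exported; changing them afterwards invalidates the offline signature.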