Skip to content

Commit

Permalink
Use deep-copy in the attestation sample
Browse files Browse the repository at this point in the history 
Signed-off-by: Ming-Wei Shih <[email protected]>
  • Loading branch information
@mingweishih
mingweishih committed Feb 16, 2022
1 parent c1f3caf commit b43012c
Show file tree
Hide file tree
Showing 9 changed files with 161 additions and 202 deletions.
15 changes: 5 additions & 10 deletions samples/attestation/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -97,12 +97,9 @@ The host does the following in this sample:
get_evidence_with_public_key(enclave_a,
&ret,
format_id,
format_settings,
format_settings_size,
&format_settings,
&pem_key,
&pem_key_size,
&evidence,
&evidence_size);
&evidence);
```

Where:
Expand All @@ -117,11 +114,9 @@ The host does the following in this sample:
```c
verify_evidence_and_set_public_key(enclave_a,
&ret,
format_id,
pem_key,
pem_key_size,
evidence,
evidence_size);
&format_id,
&pem_key,
&evidence);
```

In the enclave_b's implementation of `verify_evidence_and_set_public_key()`, it calls `oe_verify_evidence()`, which will be described in the enclave section to handle all the platform-specfic evidence validation operations. If successful the public key in `pem_key` will be stored inside the enclave for future use.
Expand Down
48 changes: 32 additions & 16 deletions samples/attestation/attestation.edl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,39 +6,55 @@ enclave {
from "openenclave/edl/syscall.edl" import *;
from "platform.edl" import *;

struct format_settings_t
{
[size=size] uint8_t* buffer;
size_t size;
};

struct pem_key_t
{
[size=size] uint8_t* buffer;
size_t size;
};

struct evidence_t
{
[size=size] uint8_t* buffer;
size_t size;
};

struct message_t
{
[size=size] uint8_t* data;
size_t size;
};

trusted {
public int get_enclave_format_settings(
[in] const oe_uuid_t* format_id,
[out] uint8_t** format_settings,
[out] size_t* format_settings_size);
[out] format_settings_t* format_settings);

// Return the public key of this enclave along with the enclave's evidence.
// Another enclave can use the evidence to attest the enclave and verify
// the integrity of the public key.
public int get_evidence_with_public_key(
[in] const oe_uuid_t* format_id,
[in, size=format_settings_size] uint8_t* format_settings_buffer,
size_t format_settings_size,
[out] uint8_t **pem_key,
[out] size_t *pem_key_size,
[out] uint8_t **evidence_buffer,
[out] size_t *evidence_buffer_size);
[in] format_settings_t* format_settings,
[out] pem_key_t *pem_key,
[out] evidence_t *evidence_buffer);

// Attest and store the public key of another enclave
public int verify_evidence_and_set_public_key(
[in] const oe_uuid_t* format_id,
[in, count=pem_key_size] uint8_t *pem_key,
size_t pem_key_size,
[in, count=evidence_size] uint8_t *evidence,
size_t evidence_size);
[in] pem_key_t *pem_key,
[in] evidence_t *evidence);

// Encrypt message for another enclave using the public key stored for it
public int generate_encrypted_message( [out] uint8_t** data,
[out] size_t* size);
public int generate_encrypted_message([out] message_t* message);

// Process encrypted message
public int process_encrypted_message( [in, count=size] uint8_t* data,
size_t size);
public int process_encrypted_message([in] message_t* message);
};

//untrusted {
Expand Down
5 changes: 3 additions & 2 deletions samples/attestation/common/CMakeLists.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,5 +22,6 @@ target_compile_definitions(common PUBLIC OE_API_VERSION=2)
target_link_libraries(
common PUBLIC openenclave::oeenclave openenclave::oecrypto${OE_CRYPTO_LIB}
openenclave::oelibcxx)
target_include_directories(common PUBLIC ${CMAKE_SOURCE_DIR}
${CMAKE_BINARY_DIR})
target_include_directories(
common PUBLIC ${CMAKE_SOURCE_DIR} ${CMAKE_BINARY_DIR}
${CMAKE_CURRENT_BINARY_DIR})
2 changes: 2 additions & 0 deletions samples/attestation/common/attestation.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,11 @@
#define OE_SAMPLES_ATTESTATION_ENC_ATTESTATION_H

#include <openenclave/enclave.h>
#include "attestation_args.h"
#include "crypto.h"

#define ENCLAVE_SECRET_DATA_SIZE 16

class Attestation
{
private:
Expand Down
128 changes: 62 additions & 66 deletions samples/attestation/common/dispatcher.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,10 +62,9 @@ bool ecall_dispatcher::initialize(const char* name)

int ecall_dispatcher::get_enclave_format_settings(
const oe_uuid_t* format_id,
uint8_t** format_settings_buffer,
size_t* format_settings_buffer_size)
format_settings_t* format_settings)
{
uint8_t* format_settings = nullptr;
uint8_t* format_settings_buffer = nullptr;
size_t format_settings_size = 0;
int ret = 1;

Expand All @@ -79,33 +78,32 @@ int ecall_dispatcher::get_enclave_format_settings(
// settings can attest this enclave.
TRACE_ENCLAVE("get_enclave_format_settings");
if (m_attestation->get_format_settings(
format_id, &format_settings, &format_settings_size) == false)
format_id, &format_settings_buffer, &format_settings_size) == false)
{
TRACE_ENCLAVE("get_enclave_format_settings failed");
goto exit;
}

if (format_settings && format_settings_size)
if (format_settings_buffer && format_settings_size)
{
// Allocate memory on the host and copy the format settings over.
// TODO: the following code is not TEE-agnostic, as it assumes the
// enclave can directly write into host memory
*format_settings_buffer =
(uint8_t*)oe_host_malloc(format_settings_size);
if (*format_settings_buffer == nullptr)
format_settings->buffer = (uint8_t*)malloc(format_settings_size);
if (format_settings->buffer == nullptr)
{
ret = OE_OUT_OF_MEMORY;
TRACE_ENCLAVE("copying format_settings failed, out of memory");
goto exit;
}
memcpy(*format_settings_buffer, format_settings, format_settings_size);
*format_settings_buffer_size = format_settings_size;
oe_verifier_free_format_settings(format_settings);
memcpy(
format_settings->buffer,
format_settings_buffer,
format_settings_size);
format_settings->size = format_settings_size;
oe_verifier_free_format_settings(format_settings_buffer);
}
else
{
*format_settings_buffer = nullptr;
*format_settings_buffer_size = 0;
format_settings->buffer = nullptr;
format_settings->size = 0;
}
ret = 0;

Expand All @@ -123,17 +121,13 @@ int ecall_dispatcher::get_enclave_format_settings(
*/
int ecall_dispatcher::get_evidence_with_public_key(
const oe_uuid_t* format_id,
uint8_t* format_settings,
size_t format_settings_size,
uint8_t** pem_key,
size_t* pem_key_size,
uint8_t** evidence_buffer,
size_t* evidence_buffer_size)
format_settings_t* format_settings,
pem_key_t* pem_key,
evidence_t* evidence)
{
uint8_t pem_public_key[512];
uint8_t* evidence = nullptr;
uint8_t* evidence_buffer = nullptr;
size_t evidence_size = 0;
uint8_t* key_buffer = nullptr;
int ret = 1;

TRACE_ENCLAVE("get_evidence_with_public_key");
Expand All @@ -149,65 +143,64 @@ int ecall_dispatcher::get_evidence_with_public_key(
// receives the key can attest this enclave.
if (m_attestation->generate_attestation_evidence(
format_id,
format_settings,
format_settings_size,
format_settings->buffer,
format_settings->size,
pem_public_key,
sizeof(pem_public_key),
&evidence,
&evidence_buffer,
&evidence_size) == false)
{
TRACE_ENCLAVE("get_evidence_with_public_key failed");
goto exit;
}

// Allocate memory on the host and copy the evidence over.
// TODO: the following code is not TEE-agnostic, as it assumes the
// enclave can directly write into host memory
*evidence_buffer = (uint8_t*)oe_host_malloc(evidence_size);
if (*evidence_buffer == nullptr)
evidence->buffer = (uint8_t*)malloc(evidence_size);
if (evidence->buffer == nullptr)
{
ret = OE_OUT_OF_MEMORY;
TRACE_ENCLAVE("copying evidence_buffer failed, out of memory");
goto exit;
}
memcpy(*evidence_buffer, evidence, evidence_size);
*evidence_buffer_size = evidence_size;
oe_free_evidence(evidence);
memcpy(evidence->buffer, evidence_buffer, evidence_size);
evidence->size = evidence_size;
oe_free_evidence(evidence_buffer);

key_buffer = (uint8_t*)oe_host_malloc(512);
if (key_buffer == nullptr)
pem_key->buffer = (uint8_t*)malloc(sizeof(pem_public_key));
if (pem_key->buffer == nullptr)
{
ret = OE_OUT_OF_MEMORY;
TRACE_ENCLAVE("copying key_buffer failed, out of memory");
goto exit;
}
memcpy(key_buffer, pem_public_key, sizeof(pem_public_key));

*pem_key = key_buffer;
*pem_key_size = sizeof(pem_public_key);
memcpy(pem_key->buffer, pem_public_key, sizeof(pem_public_key));
pem_key->size = sizeof(pem_public_key);

ret = 0;
TRACE_ENCLAVE("get_evidence_with_public_key succeeded");

exit:
if (ret != 0)
{
if (evidence_buffer)
oe_free_evidence(evidence_buffer);
if (pem_key)
{
free(pem_key->buffer);
pem_key->size = 0;
}
if (evidence)
oe_free_evidence(evidence);
if (key_buffer)
oe_host_free(key_buffer);
if (*evidence_buffer)
oe_host_free(*evidence_buffer);
{
free(evidence->buffer);
evidence->size = 0;
}
}
return ret;
}

int ecall_dispatcher::verify_evidence_and_set_public_key(
const oe_uuid_t* format_id,
uint8_t* pem_key,
size_t pem_key_size,
uint8_t* evidence,
size_t evidence_size)
pem_key_t* pem_key,
evidence_t* evidence)
{
int ret = 1;

Expand All @@ -219,13 +212,20 @@ int ecall_dispatcher::verify_evidence_and_set_public_key(

// Attest the evidence and accompanying key.
if (m_attestation->attest_attestation_evidence(
format_id, evidence, evidence_size, pem_key, pem_key_size) == false)
format_id,
evidence->buffer,
evidence->size,
pem_key->buffer,
pem_key->size) == false)
{
TRACE_ENCLAVE("verify_evidence_and_set_public_key failed.");
goto exit;
}

memcpy(m_crypto->get_the_other_enclave_public_key(), pem_key, pem_key_size);
memcpy(
m_crypto->get_the_other_enclave_public_key(),
pem_key->buffer,
pem_key->size);

ret = 0;
TRACE_ENCLAVE("verify_evidence_and_set_public_key succeeded.");
Expand All @@ -234,11 +234,11 @@ int ecall_dispatcher::verify_evidence_and_set_public_key(
return ret;
}

int ecall_dispatcher::generate_encrypted_message(uint8_t** data, size_t* size)
int ecall_dispatcher::generate_encrypted_message(message_t* message)
{
uint8_t encrypted_data_buffer[1024];
size_t encrypted_data_size;
uint8_t* host_buffer;
uint8_t* buffer;
int ret = 1;

if (m_initialized == false)
Expand All @@ -259,30 +259,27 @@ int ecall_dispatcher::generate_encrypted_message(uint8_t** data, size_t* size)
goto exit;
}

// TODO: the following code is not TEE-agnostic, as it assumes the
// enclave can directly write into host memory
host_buffer = (uint8_t*)oe_host_malloc(encrypted_data_size);
if (host_buffer == nullptr)
buffer = (uint8_t*)malloc(encrypted_data_size);
if (buffer == nullptr)
{
ret = OE_OUT_OF_MEMORY;
TRACE_ENCLAVE("copying host_buffer failed, out of memory");
goto exit;
}
memcpy(host_buffer, encrypted_data_buffer, encrypted_data_size);
memcpy(buffer, encrypted_data_buffer, encrypted_data_size);
TRACE_ENCLAVE(
"enclave: generate_encrypted_message: encrypted_data_size = %ld",
encrypted_data_size);
*data = host_buffer;
*size = encrypted_data_size;

message->data = buffer;
message->size = encrypted_data_size;

ret = 0;
exit:
return ret;
}

int ecall_dispatcher::process_encrypted_message(
uint8_t* encrypted_data,
size_t encrypted_data_size)
int ecall_dispatcher::process_encrypted_message(message_t* message)
{
uint8_t data[1024];
size_t data_size = 0;
Expand All @@ -295,8 +292,7 @@ int ecall_dispatcher::process_encrypted_message(
}

data_size = sizeof(data);
if (m_crypto->decrypt(
encrypted_data, encrypted_data_size, data, &data_size))
if (m_crypto->decrypt(message->data, message->size, data, &data_size))
{
// This is where the business logic for verifying the data should be.
// In this sample, both enclaves start with identical data in
Expand Down
Loading

0 comments on commit b43012c

Please sign in to comment.