From b57b7f5726f6c980b33fe185cc336821bd85d8b4 Mon Sep 17 00:00:00 2001 From: zhiminghufighting Date: Thu, 3 Mar 2022 09:43:37 +0800 Subject: [PATCH] out-of-tree attester/verifier instances support Fixes: #24 
Signed-off-by: zhiminghufighting --- src/attesters/api/enclave_attester_register.c | 20 ----- src/attesters/nullattester/main.c | 1 + src/attesters/sev-snp/main.c | 2 + src/attesters/sev-snp/sev_snp.h | 2 + src/attesters/sgx-ecdsa/collect_evidence.c | 4 +- src/attesters/sgx-ecdsa/main.c | 2 + src/attesters/sgx-ecdsa/sgx_ecdsa.h | 4 +- src/attesters/sgx-la/collect_evidence.c | 4 +- src/attesters/sgx-la/main.c | 2 + src/attesters/sgx-la/sgx_la.h | 2 + src/attesters/tdx-ecdsa/cleanup.c | 2 +- src/attesters/tdx-ecdsa/collect_evidence.c | 8 +- src/attesters/tdx-ecdsa/init.c | 2 +- src/attesters/tdx-ecdsa/main.c | 2 + .../tdx-ecdsa/tdx_ecdsa.h} | 1 + src/crypto_wrappers/openssl/gen_cert.c | 32 ++++---- src/include/rats-tls/attester.h | 2 + src/include/rats-tls/cert.h | 24 +----- src/include/rats-tls/oid.h | 4 - src/include/rats-tls/verifier.h | 1 + src/sgx/untrust/sgx_ecdsa_ocall.c | 6 +- src/sgx/untrust/sgx_la_ocall.c | 4 +- src/tls_wrappers/openssl/un_negotiate.c | 64 ++++++++------- src/verifiers/nullverifier/main.c | 1 + src/verifiers/sev-snp/main.c | 2 + src/verifiers/sev-snp/sev_snp.h | 79 +++++++++++++++++++ src/verifiers/sev-snp/verify_evidence.c | 2 +- src/verifiers/sgx-ecdsa-qve/main.c | 2 + src/verifiers/sgx-ecdsa/main.c | 2 + src/verifiers/sgx-ecdsa/sgx_ecdsa.h | 4 +- src/verifiers/sgx-ecdsa/verify_evidence.c | 8 +- src/verifiers/sgx-la/main.c | 2 + src/verifiers/sgx-la/sgx_la.h | 2 + src/verifiers/tdx-ecdsa/cleanup.c | 2 +- src/verifiers/tdx-ecdsa/init.c | 2 +- src/verifiers/tdx-ecdsa/main.c | 2 + src/verifiers/tdx-ecdsa/tdx_ecdsa.h | 52 ++++++++++++ src/verifiers/tdx-ecdsa/verify_evidence.c | 6 +- 38 files changed, 248 insertions(+), 115 deletions(-) rename src/{verifiers/tdx-ecdsa/tdx-ecdsa.h => attesters/tdx-ecdsa/tdx_ecdsa.h} (96%) create mode 100644 src/verifiers/sev-snp/sev_snp.h create mode 100644 src/verifiers/tdx-ecdsa/tdx_ecdsa.h 
diff --git a/src/attesters/api/enclave_attester_register.c b/src/attesters/api/enclave_attester_register.c index e5c9188..a445cf3 100644 --- a/src/attesters/api/enclave_attester_register.c +++ b/src/attesters/api/enclave_attester_register.c @@ -18,26 +18,6 @@ enclave_attester_err_t enclave_attester_register(const enclave_attester_opts_t * RTLS_DEBUG("registering the enclave attester '%s' ...\n", opts->name); - if (opts->flags & ENCLAVE_ATTESTER_OPTS_FLAGS_TDX_GUEST) { - if (!is_tdguest_supported()) { - // clang-format off - RTLS_DEBUG("failed to register the attester '%s' due to lack of TDX Guest capability\n", - opts->type); - // clang-format on - return -ENCLAVE_ATTESTER_ERR_CPU_UNSUPPORTED; - } - } - - if (opts->flags & ENCLAVE_ATTESTER_OPTS_FLAGS_SNP_GUEST) { - if (!is_snpguest_supported()) { - // clang-format off - RTLS_DEBUG("failed to register the attester '%s' due to lack of SNP Guest capability\n", - opts->type); - // clang-format on - return -ENCLAVE_ATTESTER_ERR_CPU_UNSUPPORTED; - } - } - enclave_attester_opts_t *new_opts = (enclave_attester_opts_t *)malloc(sizeof(*new_opts)); if (!new_opts) return -ENCLAVE_ATTESTER_ERR_NO_MEM; diff --git a/src/attesters/nullattester/main.c b/src/attesters/nullattester/main.c index 2cf99f4..0cb51da 100644 --- a/src/attesters/nullattester/main.c +++ b/src/attesters/nullattester/main.c @@ -24,6 +24,7 @@ static enclave_attester_opts_t nullattester_opts = { .api_version = ENCLAVE_ATTESTER_API_VERSION_DEFAULT, .flags = ENCLAVE_ATTESTER_FLAGS_DEFAULT, .name = "nullattester", + .oid = "", .priority = 0, .pre_init = nullattester_pre_init, .init = nullattester_init, diff --git a/src/attesters/sev-snp/main.c b/src/attesters/sev-snp/main.c index 6ba823c..2e32b8e 100644 --- a/src/attesters/sev-snp/main.c +++ b/src/attesters/sev-snp/main.c 
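Review bot: Dropping the TDX and SNP guest-capability checks in enclave_attester_register leaves registration with no platform guard: attester.h gains a `tee_aware` callback in this patch, but no attester sets it and nothing in the diff invokes it, so an attester whose TEE is absent now registers successfully and only fails later. If `tee_aware` is meant to replace the removed checks, it should be called here, e.g. `if (opts->tee_aware && opts->tee_aware() != ENCLAVE_ATTESTER_ERR_NONE) return -ENCLAVE_ATTESTER_ERR_CPU_UNSUPPORTED;`, assuming it follows the return convention of the other callbacks. Whether is_tdguest_supported()/is_snpguest_supported() still have any caller after this removal cannot be seen from the hunk. The function body continues past the end of the hunk.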
@@ -7,6 +7,7 @@ #include #include #include +#include "sev_snp.h" extern enclave_attester_err_t enclave_attester_register(enclave_attester_opts_t *opts); extern enclave_attester_err_t sev_snp_attester_pre_init(void); @@ -22,6 +23,7 @@ static enclave_attester_opts_t sev_snp_attester_opts = { .api_version = ENCLAVE_ATTESTER_API_VERSION_DEFAULT, .flags = ENCLAVE_ATTESTER_OPTS_FLAGS_SNP_GUEST, .name = "sev_snp", + .oid = SNP_REPORT_OID, .priority = 42, .pre_init = sev_snp_attester_pre_init, .init = sev_snp_attester_init, diff --git a/src/attesters/sev-snp/sev_snp.h b/src/attesters/sev-snp/sev_snp.h index e144caa..db8e452 100644 --- a/src/attesters/sev-snp/sev_snp.h +++ b/src/attesters/sev-snp/sev_snp.h @@ -15,6 +15,8 @@ * https://www.amd.com/system/files/TechDocs/56860.pdf for details. */ +#define SNP_REPORT_OID "1.2.840.113741.1337.20" + /* 2.2 TCB Version * A version string that represents the version of the firmware */ diff --git a/src/attesters/sgx-ecdsa/collect_evidence.c b/src/attesters/sgx-ecdsa/collect_evidence.c index 413e384..00dab9d 100644 --- a/src/attesters/sgx-ecdsa/collect_evidence.c +++ b/src/attesters/sgx-ecdsa/collect_evidence.c @@ -115,7 +115,7 @@ enclave_attester_err_t sgx_ecdsa_collect_evidence(enclave_attester_ctx_t *ctx, return SGX_ECDSA_ATTESTER_ERR_CODE((int)qe3_ret); } - sgx_status = ocall_qe_get_quote(&qe3_ret, &app_report, quote_size, evidence->ecdsa.quote); + sgx_status = ocall_qe_get_quote(&qe3_ret, &app_report, quote_size, evidence->evidence.report); if (SGX_SUCCESS != sgx_status || ENCLAVE_ATTESTER_ERR_NONE != qe3_ret) { RTLS_ERR("sgx_qe_get_quote(): 0x%04x, 0x%04x\n", sgx_status, qe3_ret); return SGX_ECDSA_ATTESTER_ERR_CODE((int)qe3_ret); 
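Review bot: The rewritten `ocall_qe_get_quote(..., quote_size, evidence->evidence.report)` line in sgx_ecdsa_collect_evidence writes `quote_size` bytes into the fixed 8192-byte `report` array that cert.h now declares, and the hunk shows no comparison of `quote_size` against that capacity. Unless the check happens earlier in the function (which starts outside the hunk), add `if (quote_size > sizeof(evidence->evidence.report)) return -ENCLAVE_ATTESTER_ERR_INVALID;` before the ocall, matching how the tdx attester passes the buffer size down to tdx_gen_quote.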
@@ -128,7 +128,7 @@ enclave_attester_err_t sgx_ecdsa_collect_evidence(enclave_attester_ctx_t *ctx, * format of quote as sgx_ecdsa. */ snprintf(evidence->type, sizeof(evidence->type), "%s", "sgx_ecdsa"); - evidence->ecdsa.quote_len = quote_size; + evidence->evidence.report_len = quote_size; return ENCLAVE_ATTESTER_ERR_NONE; } diff --git a/src/attesters/sgx-ecdsa/main.c b/src/attesters/sgx-ecdsa/main.c index 2213f06..f4b6df7 100644 --- a/src/attesters/sgx-ecdsa/main.c +++ b/src/attesters/sgx-ecdsa/main.c @@ -7,6 +7,7 @@ #include #include #include +#include "sgx_ecdsa.h" extern enclave_attester_err_t enclave_attester_register(enclave_attester_opts_t *opts); extern enclave_attester_err_t sgx_ecdsa_attester_pre_init(void); @@ -24,6 +25,7 @@ static enclave_attester_opts_t sgx_ecdsa_attester_opts = { .api_version = ENCLAVE_ATTESTER_API_VERSION_DEFAULT, .flags = ENCLAVE_ATTESTER_OPTS_FLAGS_SGX_ENCLAVE, .name = "sgx_ecdsa", + .oid = ECDSA_QUOTE_OID, .priority = 52, .pre_init = sgx_ecdsa_attester_pre_init, .init = sgx_ecdsa_attester_init, diff --git a/src/attesters/sgx-ecdsa/sgx_ecdsa.h b/src/attesters/sgx-ecdsa/sgx_ecdsa.h index 81745fe..aed1620 100644 --- a/src/attesters/sgx-ecdsa/sgx_ecdsa.h +++ b/src/attesters/sgx-ecdsa/sgx_ecdsa.h @@ -9,8 +9,10 @@ #include +#define ECDSA_QUOTE_OID "1.2.840.113741.1337.6" + typedef struct { sgx_enclave_id_t eid; } sgx_ecdsa_ctx_t; -#endif \ No newline at end of file +#endif diff --git a/src/attesters/sgx-la/collect_evidence.c b/src/attesters/sgx-la/collect_evidence.c index 6dbb39c..b923180 100644 --- a/src/attesters/sgx-la/collect_evidence.c +++ b/src/attesters/sgx-la/collect_evidence.c 
@@ -37,8 +37,8 @@ enclave_attester_err_t sgx_la_collect_evidence(enclave_attester_ctx_t *ctx, return SGX_LA_ATTESTER_ERR_CODE((int)generate_evidence_ret); } - memcpy(evidence->la.report, &isv_report, sizeof(isv_report)); - evidence->la.report_len = sizeof(isv_report); + memcpy(evidence->evidence.report, &isv_report, sizeof(isv_report)); + evidence->evidence.report_len = sizeof(isv_report); snprintf(evidence->type, sizeof(evidence->type), "%s", "sgx_la"); diff --git a/src/attesters/sgx-la/main.c b/src/attesters/sgx-la/main.c index 3aaba89..a3c117a 100644 --- a/src/attesters/sgx-la/main.c +++ b/src/attesters/sgx-la/main.c @@ -7,6 +7,7 @@ #include #include #include +#include "sgx_la.h" extern enclave_attester_err_t enclave_attester_register(enclave_attester_opts_t *); extern enclave_attester_err_t sgx_la_attester_pre_init(void); @@ -22,6 +23,7 @@ static enclave_attester_opts_t sgx_la_attester_opts = { .api_version = ENCLAVE_ATTESTER_API_VERSION_DEFAULT, .flags = ENCLAVE_ATTESTER_OPTS_FLAGS_SGX_ENCLAVE, .name = "sgx_la", + .oid = LA_REPORT_OID, .priority = 15, .pre_init = sgx_la_attester_pre_init, .init = sgx_la_attester_init, diff --git a/src/attesters/sgx-la/sgx_la.h b/src/attesters/sgx-la/sgx_la.h index 0d9b661..4da311b 100644 --- a/src/attesters/sgx-la/sgx_la.h +++ b/src/attesters/sgx-la/sgx_la.h @@ -9,6 +9,8 @@ #include "sgx_eid.h" +#define LA_REPORT_OID "1.2.840.113741.1337.14" + typedef struct { sgx_enclave_id_t eid; } sgx_la_ctx_t; diff --git a/src/attesters/tdx-ecdsa/cleanup.c b/src/attesters/tdx-ecdsa/cleanup.c index 9607c5b..9cb7c29 100644 --- a/src/attesters/tdx-ecdsa/cleanup.c +++ b/src/attesters/tdx-ecdsa/cleanup.c @@ -6,7 +6,7 @@ #include #include -#include "../../verifiers/tdx-ecdsa/tdx-ecdsa.h" +#include "../../verifiers/tdx-ecdsa/tdx_ecdsa.h" enclave_attester_err_t tdx_ecdsa_attester_cleanup(enclave_attester_ctx_t *ctx) { diff --git a/src/attesters/tdx-ecdsa/collect_evidence.c b/src/attesters/tdx-ecdsa/collect_evidence.c index 7c5a8ba..99791d6 100644 
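Review bot: src/attesters/tdx-ecdsa/cleanup.c still includes `../../verifiers/tdx-ecdsa/tdx_ecdsa.h` after the patch, although the header is renamed into src/attesters/tdx-ecdsa/tdx_ecdsa.h and main.c in the same directory already includes it as `"tdx_ecdsa.h"`; init.c and collect_evidence.c in the following hunks keep the same cross-tree include. That leaves the attester build depending on the verifier tree, which runs against the out-of-tree goal of this commit, and the two copies of the header (the renamed one and the new src/verifiers/tdx-ecdsa/tdx_ecdsa.h) can now drift apart unnoticed. Change all three includes to `#include "tdx_ecdsa.h"`.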
--- a/src/attesters/tdx-ecdsa/collect_evidence.c +++ b/src/attesters/tdx-ecdsa/collect_evidence.c @@ -10,7 +10,7 @@ #include #include #include -#include "../../verifiers/tdx-ecdsa/tdx-ecdsa.h" +#include "../../verifiers/tdx-ecdsa/tdx_ecdsa.h" #define VSOCK @@ -88,8 +88,8 @@ enclave_attester_err_t tdx_ecdsa_collect_evidence(enclave_attester_ctx_t *ctx, { RTLS_DEBUG("ctx %p, evidence %p, algo %d, hash %p\n", ctx, evidence, algo, hash); - evidence->tdx.quote_len = sizeof(evidence->tdx.quote); - if (tdx_gen_quote(hash, evidence->tdx.quote, &evidence->tdx.quote_len)) { + evidence->evidence.report_len = sizeof(evidence->evidence.report); + if (tdx_gen_quote(hash, evidence->evidence.report, &evidence->evidence.report_len)) { RTLS_ERR("failed to generate quote\n"); return -ENCLAVE_ATTESTER_ERR_INVALID; } @@ -101,7 +101,7 @@ enclave_attester_err_t tdx_ecdsa_collect_evidence(enclave_attester_ctx_t *ctx, */ snprintf(evidence->type, sizeof(evidence->type), "tdx_ecdsa"); - RTLS_DEBUG("ctx %p, evidence %p, quote_size %d\n", ctx, evidence, evidence->tdx.quote_len); + RTLS_DEBUG("ctx %p, evidence %p, quote_size %d\n", ctx, evidence, evidence->evidence.report_len); return ENCLAVE_ATTESTER_ERR_NONE; } diff --git a/src/attesters/tdx-ecdsa/init.c b/src/attesters/tdx-ecdsa/init.c index 4051829..4fc13f2 100644 --- a/src/attesters/tdx-ecdsa/init.c +++ b/src/attesters/tdx-ecdsa/init.c @@ -7,7 +7,7 @@ #include #include #include -#include "../../verifiers/tdx-ecdsa/tdx-ecdsa.h" +#include "../../verifiers/tdx-ecdsa/tdx_ecdsa.h" enclave_attester_err_t tdx_ecdsa_attester_init(enclave_attester_ctx_t *ctx, rats_tls_cert_algo_t algo) diff --git a/src/attesters/tdx-ecdsa/main.c b/src/attesters/tdx-ecdsa/main.c index 092852f..8194760 100644 --- a/src/attesters/tdx-ecdsa/main.c +++ b/src/attesters/tdx-ecdsa/main.c 
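Review bot: The rewritten RTLS_DEBUG line in tdx_ecdsa_collect_evidence prints `evidence->evidence.report_len` with `%d`, but cert.h declares `report_len` as `uint32_t`; the mismatch predates the rename, but since the line is being rewritten anyway use `%u` (or `PRIu32` from inttypes.h). The `quote size is %d` debug lines in the sgx_ecdsa verifier hunks print a `uint32_t quote_size` the same way.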
@@ -7,6 +7,7 @@ #include #include #include +#include "tdx_ecdsa.h" extern enclave_attester_err_t enclave_attester_register(enclave_attester_opts_t *opts); extern enclave_attester_err_t tdx_ecdsa_attester_pre_init(void); @@ -22,6 +23,7 @@ static enclave_attester_opts_t tdx_ecdsa_attester_opts = { .api_version = ENCLAVE_ATTESTER_API_VERSION_DEFAULT, .flags = ENCLAVE_ATTESTER_OPTS_FLAGS_TDX_GUEST, .name = "tdx_ecdsa", + .oid = TDX_QUOTE_OID, .priority = 42, .pre_init = tdx_ecdsa_attester_pre_init, .init = tdx_ecdsa_attester_init, diff --git a/src/verifiers/tdx-ecdsa/tdx-ecdsa.h b/src/attesters/tdx-ecdsa/tdx_ecdsa.h similarity index 96% rename from src/verifiers/tdx-ecdsa/tdx-ecdsa.h rename to src/attesters/tdx-ecdsa/tdx_ecdsa.h index c50de27..c4614f8 100644 --- a/src/verifiers/tdx-ecdsa/tdx-ecdsa.h +++ b/src/attesters/tdx-ecdsa/tdx_ecdsa.h @@ -10,6 +10,7 @@ #include #define TDX_NUM_RTMRS 4 +#define TDX_QUOTE_OID "1.2.840.113741.1337.8" typedef struct { uint8_t mrowner[SHA384_HASH_SIZE]; diff --git a/src/crypto_wrappers/openssl/gen_cert.c b/src/crypto_wrappers/openssl/gen_cert.c index bdfa48a..acfef40 100644 --- a/src/crypto_wrappers/openssl/gen_cert.c +++ b/src/crypto_wrappers/openssl/gen_cert.c @@ -8,7 +8,9 @@ #include #include #include +#include #include "openssl.h" +#include "internal/attester.h" #define CERT_SERIAL_NUMBER 9527 
@@ -145,26 +147,22 @@ crypto_wrapper_err_t openssl_gen_cert(crypto_wrapper_ctx_t *ctx, rats_tls_cert_a if (!x509_extension_add(cert, ias_report_signature_oid, epid->ias_report_signature, epid->ias_report_signature_len)) goto err; - } else if (!strcmp(cert_info->evidence.type, "sgx_ecdsa")) { - ecdsa_attestation_evidence_t *ecdsa = &cert_info->evidence.ecdsa; - - if (!x509_extension_add(cert, ecdsa_quote_oid, ecdsa->quote, ecdsa->quote_len)) - goto err; - } else if (!strcmp(cert_info->evidence.type, "sgx_la")) { - la_attestation_evidence_t *la = &cert_info->evidence.la; - - if (!x509_extension_add(cert, la_report_oid, la->report, la->report_len)) - goto err; - } else if (!strcmp(cert_info->evidence.type, "tdx_ecdsa")) { - tdx_attestation_evidence_t *tdx = &cert_info->evidence.tdx; + } - if (!x509_extension_add(cert, tdx_quote_oid, tdx->quote, tdx->quote_len)) + enclave_attester_opts_t *opts = NULL; + for(int i = 0; i < registerd_enclave_attester_nums; ++i) { + opts = enclave_attesters_opts[i]; + if (!opts) { + RTLS_DEBUG("registerd enclave_attesters_opts is null.\n"); goto err; - } else if (!strcmp(cert_info->evidence.type, "sev_snp")) { - snp_attestation_evidence_t *snp = &cert_info->evidence.snp; + } - if (!x509_extension_add(cert, snp_report_oid, snp->report, snp->report_len)) - goto err; + if (!strcmp(cert_info->evidence.type, opts->name)) { + tee_attestation_evidence_t *evidence = &cert_info->evidence.evidence; + if (!x509_extension_add(cert, opts->oid, evidence->report, evidence->report_len)) + goto err; + break; + } } ret = -CRYPTO_WRAPPER_ERR_CERT; diff --git a/src/include/rats-tls/attester.h b/src/include/rats-tls/attester.h index b01b68f..7886a7d 100644 --- a/src/include/rats-tls/attester.h +++ b/src/include/rats-tls/attester.h 
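Review bot: The new lookup loop in openssl_gen_cert matches `cert_info->evidence.type` against `opts->name` and then calls x509_extension_add with `opts->oid` without checking that an OID is set, yet nullattester registers `.oid = ""` in this same patch; if its evidence type equals its name, an extension with an empty OID is attempted. Skip registry entries that carry no OID, `if (!opts->oid[0]) continue;`. attester.h describes `type` as the evidence format that may differ from `name`, and `evidence.type` is what collect_evidence fills in, so comparing against the opts `type` field that comment refers to would match that contract better than `name`. A NULL registry slot is `goto err` here but `break` in un_negotiate.c, and `int i` is compared against a count that un_negotiate.c iterates with `unsigned int`; the same walk is written out three times in this patch and would be cleaner as one helper returning the matching opts. The function continues past the hunk.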
@@ -32,6 +32,7 @@ typedef struct { uint8_t api_version; unsigned long flags; const char name[ENCLAVE_ATTESTER_TYPE_NAME_SIZE]; + const char oid[OID_LENGTH]; /* Different attester instances may generate the same format of attester, * e.g, sgx_ecdsa and sgx_ecdsa_qve both generate the format "sgx_ecdsa". * By default, the value of type equals to name. @@ -42,6 +43,7 @@ typedef struct { /* Optional */ enclave_attester_err_t (*pre_init)(void); enclave_attester_err_t (*init)(enclave_attester_ctx_t *ctx, rats_tls_cert_algo_t algo); + enclave_attester_err_t (*tee_aware)(void); enclave_attester_err_t (*extend_cert)(enclave_attester_ctx_t *ctx, const rats_tls_cert_info_t *cert_info); enclave_attester_err_t (*collect_evidence)(enclave_attester_ctx_t *ctx, diff --git a/src/include/rats-tls/cert.h b/src/include/rats-tls/cert.h index 7981a91..16f7625 100644 --- a/src/include/rats-tls/cert.h +++ b/src/include/rats-tls/cert.h @@ -7,6 +7,8 @@ #ifndef _ENCLAVE_CERT_H #define _ENCLAVE_CERT_H +#define OID_LENGTH 64 + typedef struct { const unsigned char *organization; const unsigned char *organization_unit; @@ -24,34 +26,16 @@ typedef struct { uint32_t ias_report_signature_len; } attestation_verification_report_t; -typedef struct { - uint8_t quote[8192]; - uint32_t quote_len; -} ecdsa_attestation_evidence_t; - -typedef struct { - uint8_t report[8192]; - uint32_t report_len; -} la_attestation_evidence_t; - -typedef struct { - uint8_t quote[8192]; - uint32_t quote_len; -} tdx_attestation_evidence_t; - typedef struct { uint8_t report[8192]; uint32_t report_len; -} snp_attestation_evidence_t; +} tee_attestation_evidence_t; typedef struct { char type[ENCLAVE_ATTESTER_TYPE_NAME_SIZE]; union { attestation_verification_report_t epid; - ecdsa_attestation_evidence_t ecdsa; - la_attestation_evidence_t la; - tdx_attestation_evidence_t tdx; - snp_attestation_evidence_t snp; + tee_attestation_evidence_t evidence; }; } attestation_evidence_t; 
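Review bot: The new `oid` member of enclave_attester_opts_t has no comment, while the neighbouring `type` member is documented in detail, so a reader cannot tell whether an empty string is legal. Add `/* Dotted-decimal OID of the X.509 extension carrying this attester's evidence; "" if the attester adds no extension (see nullattester). */` above it. `OID_LENGTH` is introduced in cert.h by this patch, so attester.h must see cert.h before this line; the hunk does not show whether it does.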
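Review bot: The new `tee_aware` callback slot in enclave_attester_opts_t has no doc comment, and within this patch no attester implements it and no code calls it, so its contract is undefined. Once the intended semantics are confirmed, document it alongside the other optional callbacks, e.g. `/* Optional: report whether the running platform provides the TEE this attester needs; a return other than ENCLAVE_ATTESTER_ERR_NONE should make registration fail. */`.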
diff --git a/src/include/rats-tls/oid.h b/src/include/rats-tls/oid.h index 49c354e..8899ef1 100644 --- a/src/include/rats-tls/oid.h +++ b/src/include/rats-tls/oid.h @@ -10,9 +10,5 @@ #define ias_root_cert_oid "1.2.840.113741.1337.3" #define ias_leaf_cert_oid "1.2.840.113741.1337.4" #define ias_report_signature_oid "1.2.840.113741.1337.5" -#define ecdsa_quote_oid "1.2.840.113741.1337.6" -#define la_report_oid "1.2.840.113741.1337.14" -#define tdx_quote_oid "1.2.840.113741.1337.8" -#define snp_report_oid "1.2.840.113741.1337.20" #endif diff --git a/src/include/rats-tls/verifier.h b/src/include/rats-tls/verifier.h index ce79e98..f37d2b4 100644 --- a/src/include/rats-tls/verifier.h +++ b/src/include/rats-tls/verifier.h @@ -31,6 +31,7 @@ typedef struct { uint8_t api_version; unsigned long flags; const char name[ENCLAVE_VERIFIER_TYPE_NAME_SIZE]; + const char oid[OID_LENGTH]; /* Different attester instances may generate the same format of verifier, * e.g, sgx_ecdsa and sgx_ecdsa_qve both generate the format "sgx_ecdsa". * By default, the value of type equals to name. diff --git a/src/sgx/untrust/sgx_ecdsa_ocall.c b/src/sgx/untrust/sgx_ecdsa_ocall.c index afc67b5..79105e6 100644 --- a/src/sgx/untrust/sgx_ecdsa_ocall.c +++ b/src/sgx/untrust/sgx_ecdsa_ocall.c @@ -77,7 +77,7 @@ enclave_verifier_err_t ocall_ecdsa_verify_evidence(__attribute__((unused)) return -ENCLAVE_VERIFIER_ERR_NO_MEM; } - memcpy(pquote, evidence->ecdsa.quote, evidence->ecdsa.quote_len); + memcpy(pquote, evidence->evidence.report, evidence->evidence.report_len); uint32_t quote_size = (uint32_t)sizeof(sgx_quote3_t) + pquote->signature_data_len; RTLS_DEBUG("quote size is %d, quote signature_data_len is %d\n", quote_size, 
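Review bot: `oid` is added to enclave_verifier_opts_t and every verifier now sets it, but nothing in this patch reads it: verify_certificate and openssl_extract_x509_extensions in un_negotiate.c resolve the certificate's extension by walking `enclave_attesters_opts`, the attester registry. On a host that ships only a verifier instance for the peer's TEE (the out-of-tree case the title describes), that lookup presumably finds nothing and the evidence falls back to the `nullverifier` path. The verifying path should walk the verifier registry and use the verifier's `oid`, or the commit should explain why the attester list is sufficient on the verifying side.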
@@ -141,7 +141,7 @@ enclave_verifier_err_t ocall_ecdsa_verify_evidence(__attribute__((unused)) current_time = time(NULL); - dcap_ret = sgx_qv_verify_quote(evidence->ecdsa.quote, (uint32_t)quote_size, NULL, + dcap_ret = sgx_qv_verify_quote(evidence->evidence.report, (uint32_t)quote_size, NULL, current_time, &collateral_expiration_status, "e_verification_result, qve_report_info, supplemental_data_size, p_supplemental_data); @@ -155,7 +155,7 @@ enclave_verifier_err_t ocall_ecdsa_verify_evidence(__attribute__((unused)) if (!strcmp(name, "sgx_ecdsa_qve")) { sgx_ret = sgx_tvl_verify_qve_report_and_identity( - enclave_id, &verify_qveid_ret, evidence->ecdsa.quote, (uint32_t)quote_size, + enclave_id, &verify_qveid_ret, evidence->evidence.report, (uint32_t)quote_size, qve_report_info, current_time, collateral_expiration_status, quote_verification_result, p_supplemental_data, supplemental_data_size, qve_isvsvn_threshold); diff --git a/src/sgx/untrust/sgx_la_ocall.c b/src/sgx/untrust/sgx_la_ocall.c index bfe9279..bdab161 100644 --- a/src/sgx/untrust/sgx_la_ocall.c +++ b/src/sgx/untrust/sgx_la_ocall.c @@ -26,7 +26,7 @@ enclave_verifier_err_t ocall_la_verify_evidence(enclave_verifier_ctx_t *ctx, RTLS_DEBUG("ctx %p, evidence %p, hash %p\n", ctx, evidence, hash); /* Firstly verify hash value */ - sgx_report_t *lreport = (sgx_report_t *)evidence->la.report; + sgx_report_t *lreport = (sgx_report_t *)evidence->evidence.report; if (memcmp(hash, lreport->body.report_data.d, hash_len) != 0) { RTLS_ERR("unmatched hash value in evidence\n"); @@ -45,7 +45,7 @@ enclave_verifier_err_t ocall_la_verify_evidence(enclave_verifier_ctx_t *ctx, return SGX_LA_VERIFIER_ERR_CODE((int)qe3_ret); } - qe3_ret = sgx_qe_get_quote((sgx_report_t *)evidence->la.report, quote_size, quote); + qe3_ret = sgx_qe_get_quote((sgx_report_t *)evidence->evidence.report, quote_size, quote); if (SGX_QL_SUCCESS != qe3_ret) { RTLS_ERR("failed to get quote %04x\n", qe3_ret); return SGX_LA_VERIFIER_ERR_CODE((int)qe3_ret); 
diff --git a/src/tls_wrappers/openssl/un_negotiate.c b/src/tls_wrappers/openssl/un_negotiate.c index ac3f237..fff65a7 100644 --- a/src/tls_wrappers/openssl/un_negotiate.c +++ b/src/tls_wrappers/openssl/un_negotiate.c @@ -12,10 +12,12 @@ #include #include #include +#include #include "sgx_report.h" #include "sgx_quote_3.h" #include "per_thread.h" #include "openssl.h" +#include "internal/attester.h" static int rtls_memcpy_s(void *dst, uint32_t dst_size, const void *src, uint32_t num_bytes) { 
@@ -259,23 +261,25 @@ int openssl_extract_x509_extensions(X509 *crt, attestation_evidence_t *evidence) evidence->epid.ias_report_signature, &evidence->epid.ias_report_signature_len); return rc; - } else if (!strcmp(evidence->type, "sgx_ecdsa")) { - evidence->ecdsa.quote_len = sizeof(evidence->ecdsa.quote); - return find_extension_from_cert(crt, ecdsa_quote_oid, evidence->ecdsa.quote, - &evidence->ecdsa.quote_len); - } else if (!strcmp(evidence->type, "tdx_ecdsa")) { - evidence->tdx.quote_len = sizeof(evidence->tdx.quote); - return find_extension_from_cert(crt, tdx_quote_oid, evidence->tdx.quote, - &evidence->tdx.quote_len); - } else if (!strcmp(evidence->type, "sgx_la")) { - evidence->la.report_len = sizeof(evidence->la.report); - return find_extension_from_cert(crt, la_report_oid, evidence->la.report, - &evidence->la.report_len); - } else if (!strcmp(evidence->type, "sev_snp")) { - evidence->snp.report_len = sizeof(evidence->snp.report); - return find_extension_from_cert(crt, snp_report_oid, evidence->snp.report, - &evidence->snp.report_len); - } else + } + + enclave_attester_opts_t *opts = NULL; + unsigned int i = 0; + for (i = 0; i < registerd_enclave_attester_nums; ++i) { + opts = enclave_attesters_opts[i]; + if (!opts) { + RTLS_DEBUG("registerd enclave_attesters_opts is invalid.\n"); + break; + } + + if (!strcmp(evidence->type, opts->name)) { + evidence->evidence.report_len = sizeof(evidence->evidence.report); + return find_extension_from_cert(crt, opts->oid, evidence->evidence.report, + &evidence->evidence.report_len); + } + } + + if ((i == registerd_enclave_attester_nums) || (opts == NULL)) RTLS_WARN("Unhandled evidence type %s\n", evidence->type); return SSL_SUCCESS; 
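Review bot: The post-loop guard `if ((i == registerd_enclave_attester_nums) || (opts == NULL))` in openssl_extract_x509_extensions is always true when reached: a name match returns from inside the loop, so the only exits are exhausting the registry or the NULL-slot `break`, and the RTLS_WARN can simply be unconditional. As in gen_cert.c, an entry with an empty `oid` (nullattester's `.oid = ""`) is matched by name and passed to find_extension_from_cert; `if (!opts->oid[0]) continue;` before the strcmp avoids that. A NULL slot is `break` here but `goto err` in gen_cert.c; the two should agree. This registry walk now appears three times in the patch (gen_cert.c, here, verify_certificate) and would fit one helper that returns the matching opts by name. The function starts before the hunk.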
@@ -362,16 +366,22 @@ int verify_certificate(int preverify, X509_STORE_CTX *ctx) * extension and parse it into evidence */ attestation_evidence_t evidence; + enclave_attester_opts_t *opts = NULL; + unsigned int i = 0; + for (i = 0; i < registerd_enclave_attester_nums; ++i) { + opts = enclave_attesters_opts[i]; + if (!opts) { + RTLS_DEBUG("registerd enclave_attesters_opts is null.\n"); + break; + } + + if (find_oid(cert, (const char *)opts->oid) == SSL_SUCCESS) { + snprintf(evidence.type, sizeof(evidence.type), "%s", opts->name); + break; + } + } - if (find_oid(cert, (const char *)ecdsa_quote_oid) == SSL_SUCCESS) - snprintf(evidence.type, sizeof(evidence.type), "%s", "sgx_ecdsa"); - else if (find_oid(cert, (const char *)tdx_quote_oid) == SSL_SUCCESS) - snprintf(evidence.type, sizeof(evidence.type), "tdx_ecdsa"); - else if (find_oid(cert, (const char *)la_report_oid) == SSL_SUCCESS) - snprintf(evidence.type, sizeof(evidence.type), "%s", "sgx_la"); - else if (find_oid(cert, (const char *)snp_report_oid) == SSL_SUCCESS) - snprintf(evidence.type, sizeof(evidence.type), "%s", "sev_snp"); - else + if (i == registerd_enclave_attester_nums || opts == NULL) snprintf(evidence.type, sizeof(evidence.type), "%s", "nullverifier"); int rc = openssl_extract_x509_extensions(cert, &evidence); @@ -389,7 +399,7 @@ int verify_certificate(int preverify, X509_STORE_CTX *ctx) if (!strncmp(evidence.type, "sgx_ecdsa", sizeof(evidence.type))) { rtls_evidence_t ev; - sgx_quote3_t *quote3 = (sgx_quote3_t *)evidence.ecdsa.quote; + sgx_quote3_t *quote3 = (sgx_quote3_t *)evidence.evidence.report; ev.sgx.mr_enclave = (char *)quote3->report_body.mr_enclave.m; ev.sgx.mr_signer = quote3->report_body.mr_signer.m; diff --git a/src/verifiers/nullverifier/main.c b/src/verifiers/nullverifier/main.c index 438096f..c4368af 100644 --- a/src/verifiers/nullverifier/main.c +++ b/src/verifiers/nullverifier/main.c 
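Review bot: The OID probe loop in verify_certificate hands every registered attester's `oid` to find_oid, including nullattester's `.oid = ""` from this same patch; what find_oid does with an empty text OID is outside the hunk, so skip such entries explicitly with `if (!opts->oid[0]) continue;` before the probe. The loop also `break`s on a NULL registry slot, so a gap in `enclave_attesters_opts` silently routes every later attester's certificate to the `nullverifier` path; if that state is unexpected it deserves RTLS_WARN rather than RTLS_DEBUG. Selection is first-match in registration order rather than by `priority`, which only matters if a certificate ever carries more than one evidence extension. The function continues past the hunk.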
@@ -21,6 +21,7 @@ static enclave_verifier_opts_t nullverifier_opts = { .api_version = ENCLAVE_VERIFIER_API_VERSION_DEFAULT, .flags = ENCLAVE_VERIFIER_OPTS_FLAGS_DEFAULT, .name = "nullverifier", + .oid = "", .priority = 0, .pre_init = nullverifier_pre_init, .init = nullverifier_init, diff --git a/src/verifiers/sev-snp/main.c b/src/verifiers/sev-snp/main.c index 4a6b608..4b7263c 100644 --- a/src/verifiers/sev-snp/main.c +++ b/src/verifiers/sev-snp/main.c @@ -7,6 +7,7 @@ #include #include #include +#include "sev_snp.h" extern enclave_verifier_err_t enclave_verifier_register(enclave_verifier_opts_t *opts); extern enclave_verifier_err_t sev_snp_verifier_pre_init(void); @@ -21,6 +22,7 @@ static enclave_verifier_opts_t sev_snp_verifier_opts = { .api_version = ENCLAVE_VERIFIER_API_VERSION_DEFAULT, .flags = ENCLAVE_VERIFIER_OPTS_FLAGS_SNP, .name = "sev_snp", + .oid = SNP_REPORT_OID, .priority = 42, .pre_init = sev_snp_verifier_pre_init, .init = sev_snp_verifier_init, diff --git a/src/verifiers/sev-snp/sev_snp.h b/src/verifiers/sev-snp/sev_snp.h new file mode 100644 index 0000000..db8e452 --- /dev/null +++ b/src/verifiers/sev-snp/sev_snp.h 
@@ -0,0 +1,79 @@ +/* Copyright (c) 2022 Intel Corporation + * Copyright (c) 2020-2022 Alibaba Cloud + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#ifndef _SEV_SNP_H +#define _SEV_SNP_H + +#include +#include +#include + +/* The following structures are defined by AMD, please refer to + * https://www.amd.com/system/files/TechDocs/56860.pdf for details. + */ + +#define SNP_REPORT_OID "1.2.840.113741.1337.20" + +/* 2.2 TCB Version + * A version string that represents the version of the firmware + */ +typedef union snp_tcb_version { + struct { + /* SVN of PSP bootloader */ + uint8_t boot_loader; + /* SVN of PSP operating system */ + uint8_t tee; + uint8_t reserved[4]; + /* SVN of PSP firmware */ + uint8_t snp; + /* Lowest current patch level of all the cores */ + uint8_t microcode; + } __attribute__((packed)) f; + uint64_t val; +} __attribute__((packed)) snp_tcb_version_t; + +typedef struct signature { + uint8_t r[72]; + uint8_t s[72]; + uint8_t reserved[368]; +} __attribute__((packed)) signature_t; + +/* Table 21. 
ATTESTATION_REPORT Structure */ +typedef struct snp_attestation_report { + uint32_t version; /* 0x000 */ + uint32_t guest_svn; /* 0x004 */ + uint64_t policy; /* 0x008 */ + uint8_t family_id[16]; /* 0x010 */ + uint8_t image_id[16]; /* 0x020 */ + uint32_t vmpl; /* 0x030 */ + uint32_t signature_algo; /* 0x034 */ + snp_tcb_version_t platform_version; /* 0x038 */ + uint64_t platform_info; /* 0x040 */ + uint32_t flags; /* 0x048 */ + uint32_t reserved0; /* 0x04C */ + uint8_t report_data[64]; /* 0x050 */ + uint8_t measurement[48]; /* 0x090 */ + uint8_t host_data[32]; /* 0x0C0 */ + uint8_t id_key_digest[48]; /* 0x0E0 */ + uint8_t author_key_digest[48]; /* 0x110 */ + uint8_t report_id[32]; /* 0x140 */ + uint8_t report_id_ma[32]; /* 0x160 */ + snp_tcb_version_t reported_tcb; /* 0x180 */ + uint8_t reserved1[24]; /* 0x188 */ + uint8_t chip_id[64]; /* 0x1A0 */ + uint8_t reserved2[192]; /* 0x1E0 */ + signature_t signature; /* 0x2A0 */ +} __attribute__((packed)) snp_attestation_report_t; + +/* Table 23. MSG_REPORT_RSP Message Structure */ +typedef struct snp_msg_report_rsp { + uint32_t status; + uint32_t report_size; + uint8_t reserved[0x20 - 0x08]; + snp_attestation_report_t report; +} __attribute__((packed)) snp_msg_report_rsp_t; + +#endif /* _SEV_SNP_H */ diff --git a/src/verifiers/sev-snp/verify_evidence.c b/src/verifiers/sev-snp/verify_evidence.c index 34d0130..2d8358f 100644 --- a/src/verifiers/sev-snp/verify_evidence.c +++ b/src/verifiers/sev-snp/verify_evidence.c 
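Review bot: src/verifiers/sev-snp/sev_snp.h is a byte-for-byte copy of src/attesters/sev-snp/sev_snp.h (both index lines resolve to blob db8e452), and the same split is applied to the OID defines in sgx_ecdsa.h, sgx_la.h and tdx_ecdsa.h, which this patch removes from the single oid.h. The attester and verifier values must stay identical for the verifier to locate the extension, and a duplicated `#define` gives no compile-time check that they do. Keep one shared header for the AMD report layout and the OID under the common include directory and include it from both sides, or at least add a comment in each copy naming its twin so the next edit updates both.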
@@ -216,7 +216,7 @@ enclave_verifier_err_t sev_snp_verify_evidence(enclave_verifier_ctx_t *ctx, RTLS_DEBUG("ctx %p, evidence %p, hash %p\n", ctx, evidence, hash); enclave_verifier_err_t err = -ENCLAVE_VERIFIER_ERR_UNKNOWN; - snp_attestation_report_t *snp_report = (snp_attestation_report_t *)(evidence->snp.report); + snp_attestation_report_t *snp_report = (snp_attestation_report_t *)(evidence->evidence.report); /* Generate ARK, ASK and VCEK pem files */ int ret = generate_vcek_pem(snp_report->chip_id, sizeof(snp_report->chip_id), diff --git a/src/verifiers/sgx-ecdsa-qve/main.c b/src/verifiers/sgx-ecdsa-qve/main.c index 71bf53f..8bf7067 100644 --- a/src/verifiers/sgx-ecdsa-qve/main.c +++ b/src/verifiers/sgx-ecdsa-qve/main.c @@ -7,6 +7,7 @@ #include #include #include +#include "sgx_ecdsa.h" extern enclave_verifier_err_t enclave_verifier_register(enclave_verifier_opts_t *opts); extern enclave_verifier_err_t sgx_ecdsa_verifier_pre_init(void); @@ -21,6 +22,7 @@ static enclave_verifier_opts_t sgx_ecdsa_qve_opts = { .api_version = ENCLAVE_VERIFIER_API_VERSION_DEFAULT, .flags = ENCLAVE_VERIFIER_OPTS_FLAGS_DEFAULT, .name = "sgx_ecdsa_qve", + .oid = ECDSA_QUOTE_OID, .type = "sgx_ecdsa", .priority = 53, .pre_init = sgx_ecdsa_verifier_pre_init, diff --git a/src/verifiers/sgx-ecdsa/main.c b/src/verifiers/sgx-ecdsa/main.c index 072e488..5ebe50e 100644 --- a/src/verifiers/sgx-ecdsa/main.c +++ b/src/verifiers/sgx-ecdsa/main.c @@ -7,6 +7,7 @@ #include #include #include +#include "sgx_ecdsa.h" extern enclave_verifier_err_t enclave_verifier_register(enclave_verifier_opts_t *opts); extern enclave_verifier_err_t sgx_ecdsa_verifier_pre_init(void); @@ -21,6 +22,7 @@ static enclave_verifier_opts_t sgx_ecdsa_verifier_opts = { .api_version = ENCLAVE_VERIFIER_API_VERSION_DEFAULT, .flags = ENCLAVE_VERIFIER_OPTS_FLAGS_DEFAULT, .name = "sgx_ecdsa", + .oid = ECDSA_QUOTE_OID, .priority = 52, .pre_init = sgx_ecdsa_verifier_pre_init, .init = sgx_ecdsa_verifier_init, 
diff --git a/src/verifiers/sgx-ecdsa/sgx_ecdsa.h b/src/verifiers/sgx-ecdsa/sgx_ecdsa.h index 81745fe..aed1620 100644 --- a/src/verifiers/sgx-ecdsa/sgx_ecdsa.h +++ b/src/verifiers/sgx-ecdsa/sgx_ecdsa.h @@ -9,8 +9,10 @@ #include +#define ECDSA_QUOTE_OID "1.2.840.113741.1337.6" + typedef struct { sgx_enclave_id_t eid; } sgx_ecdsa_ctx_t; -#endif \ No newline at end of file +#endif diff --git a/src/verifiers/sgx-ecdsa/verify_evidence.c b/src/verifiers/sgx-ecdsa/verify_evidence.c index 0410b00..645f470 100644 --- a/src/verifiers/sgx-ecdsa/verify_evidence.c +++ b/src/verifiers/sgx-ecdsa/verify_evidence.c @@ -51,7 +51,7 @@ enclave_verifier_err_t ecdsa_verify_evidence(__attribute__((unused)) enclave_ver return -ENCLAVE_VERIFIER_ERR_NO_MEM; } - memcpy(pquote, evidence->ecdsa.quote, evidence->ecdsa.quote_len); + memcpy(pquote, evidence->evidence.report, evidence->evidence.report_len); uint32_t quote_size = (uint32_t)sizeof(sgx_quote3_t) + pquote->signature_data_len; RTLS_DEBUG("quote size is %d, quote signature_data_len is %d\n", quote_size, @@ -81,7 +81,7 @@ enclave_verifier_err_t ecdsa_verify_evidence(__attribute__((unused)) enclave_ver current_time = time(NULL); - dcap_ret = sgx_qv_verify_quote(evidence->ecdsa.quote, (uint32_t)quote_size, NULL, + dcap_ret = sgx_qv_verify_quote(evidence->evidence.report, (uint32_t)quote_size, NULL, current_time, &collateral_expiration_status, "e_verification_result, qve_report_info, supplemental_data_size, p_supplemental_data); 
@@ -162,8 +162,8 @@ enclave_verifier_err_t sgx_ecdsa_verify_evidence(enclave_verifier_ctx_t *ctx,
 memset(p_supplemental_data, 0, supplemental_data_size);
 sgxioc_ver_dcap_quote_arg_t ver_quote_arg = {
- .quote_buf = evidence->ecdsa.quote,
- .quote_size = evidence->ecdsa.quote_len,
+ .quote_buf = evidence->evidence.report,
+ .quote_size = evidence->evidence.report_len,
 .collateral_expiration_status = &collateral_expiration_status,
 .quote_verification_result = "e_verification_result,
 .supplemental_data_size = supplemental_data_size,
diff --git a/src/verifiers/sgx-la/main.c b/src/verifiers/sgx-la/main.c
index a110ded..64befaa 100644
--- a/src/verifiers/sgx-la/main.c
+++ b/src/verifiers/sgx-la/main.c
@@ -7,6 +7,7 @@
 #include
 #include
 #include
+#include "sgx_la.h"
 extern enclave_verifier_err_t enclave_verifier_register(enclave_verifier_opts_t *);
 extern enclave_verifier_err_t sgx_la_verifier_pre_init(void);
@@ -21,6 +22,7 @@ static enclave_verifier_opts_t sgx_la_verifier_opts = {
 .api_version = ENCLAVE_VERIFIER_API_VERSION_DEFAULT,
 .flags = ENCLAVE_VERIFIER_OPTS_FLAGS_DEFAULT,
 .name = "sgx_la",
+ .oid = LA_REPORT_OID,
 .priority = 15,
 .pre_init = sgx_la_verifier_pre_init,
 .init = sgx_la_verifier_init,
diff --git a/src/verifiers/sgx-la/sgx_la.h b/src/verifiers/sgx-la/sgx_la.h
index 0d9b661..4da311b 100644
--- a/src/verifiers/sgx-la/sgx_la.h
+++ b/src/verifiers/sgx-la/sgx_la.h
@@ -9,6 +9,8 @@
 #include "sgx_eid.h"
+#define LA_REPORT_OID "1.2.840.113741.1337.14"
+
 typedef struct {
 sgx_enclave_id_t eid;
 } sgx_la_ctx_t;
diff --git a/src/verifiers/tdx-ecdsa/cleanup.c b/src/verifiers/tdx-ecdsa/cleanup.c
index b3a8e8a..7eb349f 100644
--- a/src/verifiers/tdx-ecdsa/cleanup.c
+++ b/src/verifiers/tdx-ecdsa/cleanup.c
@@ -4,7 +4,7 @@
 * SPDX-License-Identifier: Apache-2.0
 */
-#include "tdx-ecdsa.h"
+#include "tdx_ecdsa.h"
 #include
 #include
diff --git a/src/verifiers/tdx-ecdsa/init.c b/src/verifiers/tdx-ecdsa/init.c
index b1f57d1..2c6da4b 100644
--- a/src/verifiers/tdx-ecdsa/init.c
+++ b/src/verifiers/tdx-ecdsa/init.c
@@ -7,7 +7,7 @@
 #include
 #include
 #include
-#include "tdx-ecdsa.h"
+#include "tdx_ecdsa.h"
 enclave_verifier_err_t tdx_ecdsa_verifier_init(enclave_verifier_ctx_t *ctx, rats_tls_cert_algo_t algo)
diff --git a/src/verifiers/tdx-ecdsa/main.c b/src/verifiers/tdx-ecdsa/main.c
index ba24b81..c4df7e4 100644
--- a/src/verifiers/tdx-ecdsa/main.c
+++ b/src/verifiers/tdx-ecdsa/main.c
@@ -7,6 +7,7 @@
 #include
 #include
 #include
+#include "tdx_ecdsa.h"
 extern enclave_verifier_err_t enclave_verifier_register(enclave_verifier_opts_t *opts);
 extern enclave_verifier_err_t tdx_ecdsa_verifier_pre_init(void);
@@ -21,6 +22,7 @@ static enclave_verifier_opts_t tdx_ecdsa_verifier_opts = {
 .api_version = ENCLAVE_VERIFIER_API_VERSION_DEFAULT,
 .flags = ENCLAVE_VERIFIER_OPTS_FLAGS_TDX,
 .name = "tdx_ecdsa",
+ .oid = TDX_QUOTE_OID,
 .priority = 42,
 .pre_init = tdx_ecdsa_verifier_pre_init,
 .init = tdx_ecdsa_verifier_init,
diff --git a/src/verifiers/tdx-ecdsa/tdx_ecdsa.h b/src/verifiers/tdx-ecdsa/tdx_ecdsa.h
new file mode 100644
index 0000000..c4614f8
--- /dev/null
+++ b/src/verifiers/tdx-ecdsa/tdx_ecdsa.h
@@ -0,0 +1,52 @@
+/* Copyright (c) 2021 Intel Corporation
+ * Copyright (c) 2020-2021 Alibaba Cloud
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef _TDX_ECDSA_H
+#define _TDX_ECDSA_H
+
+#include
+
+#define TDX_NUM_RTMRS 4
+#define TDX_QUOTE_OID "1.2.840.113741.1337.8"
+
+typedef struct {
+ uint8_t mrowner[SHA384_HASH_SIZE];
+} tdx_ctx_t;
+
+/* TDX attestation specification */
+
+typedef struct {
+ uint16_t version;
+ uint16_t attestation_key_type;
+ uint32_t tee_type;
+ uint16_t qe_svn;
+ uint16_t pce_svn;
+ uint8_t qe_vendor_id[16];
+ uint8_t user_data[20];
+} __attribute__((packed)) tdx_quote_header_t;
+
+typedef struct {
+ uint8_t tee_tcb_svn[16];
+ uint8_t mrseam[SHA384_HASH_SIZE];
+ uint8_t mrsigner_seam[SHA384_HASH_SIZE];
+ uint8_t seam_attributes[8];
+ uint8_t td_attributes[8];
+ uint8_t xfam[8];
+ uint8_t mrtd[SHA384_HASH_SIZE];
+ uint8_t mrconfig_id[SHA384_HASH_SIZE];
+ uint8_t mrowner[SHA384_HASH_SIZE];
+ uint8_t mrowner_config[SHA384_HASH_SIZE];
+ uint8_t rtmr[TDX_NUM_RTMRS][SHA384_HASH_SIZE];
+ uint8_t report_data[64];
+} __attribute__((packed)) tdx_report_body_t;
+
+/* FIXME: currently we only care about report data */
+typedef struct {
+ tdx_quote_header_t header;
+ tdx_report_body_t report_body;
+} __attribute__((__packed__)) tdx_quote_t;
+
+#endif /* _TDX_ECDSA_H */
diff --git a/src/verifiers/tdx-ecdsa/verify_evidence.c b/src/verifiers/tdx-ecdsa/verify_evidence.c
index 5390fa4..9349252 100644
--- a/src/verifiers/tdx-ecdsa/verify_evidence.c
+++ b/src/verifiers/tdx-ecdsa/verify_evidence.c
@@ -8,7 +8,7 @@
 #include
 #include
 #include
-#include "tdx-ecdsa.h"
+#include "tdx_ecdsa.h"
 enclave_verifier_err_t ecdsa_verify_evidence(__attribute__((unused)) enclave_verifier_ctx_t *ctx, const char *name, attestation_evidence_t *evidence,
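Review bot: The header guard `_TDX_ECDSA_H` uses an identifier reserved for the implementation (leading underscore followed by an uppercase letter); `TDX_ECDSA_H` or `RATS_TLS_TDX_ECDSA_H` avoids that, and the typedefs spell the attribute two ways (`packed` vs `__packed__`) for no reason. More importantly, `tdx_quote_t` is the type verify_evidence casts peer-supplied bytes to, so its layout is a parsing contract: pinning it with `_Static_assert(sizeof(tdx_quote_t) == 632, "tdx_quote_t layout drift");` (48-byte header plus 584-byte body, assuming SHA384_HASH_SIZE is 48) would catch accidental field edits. The FIXME could also state that `sizeof(tdx_quote_t)` is the minimum `report_len` a verifier may accept before dereferencing the cast.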
@@ -18,7 +18,7 @@ enclave_verifier_err_t ecdsa_verify_evidence(__attribute__((unused)) enclave_ver
 enclave_verifier_err_t err = -ENCLAVE_VERIFIER_ERR_UNKNOWN;
 /* Verify the hash value */
- if (memcmp(hash, ((tdx_quote_t *)(evidence->tdx.quote))->report_body.report_data,
+ if (memcmp(hash, ((tdx_quote_t *)(evidence->evidence.report))->report_body.report_data,
 hash_len) != 0) {
 RTLS_ERR("unmatched hash value in evidence.\n");
 return -ENCLAVE_VERIFIER_ERR_INVALID;
@@ -45,7 +45,7 @@ enclave_verifier_err_t ecdsa_verify_evidence(__attribute__((unused)) enclave_ver
 time_t current_time = time(NULL);
 sgx_ql_qv_result_t quote_verification_result = SGX_QL_QV_RESULT_UNSPECIFIED;
 uint32_t collateral_expiration_status = 1;
- dcap_ret = tdx_qv_verify_quote(evidence->tdx.quote, (uint32_t)(evidence->tdx.quote_len),
+ dcap_ret = tdx_qv_verify_quote(evidence->evidence.report, (uint32_t)(evidence->evidence.report_len),
 NULL, current_time, &collateral_expiration_status, "e_verification_result, NULL, supplemental_data_size, p_supplemental_data);
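Review bot: In the @@ -18 hunk, memcmp compares `hash_len` bytes against `report_body.report_data`, a 64-byte field, with no bound on `hash_len` visible here, and the `tdx_quote_t *` cast is made before anything checks `evidence->evidence.report_len >= sizeof(tdx_quote_t)`; ecdsa_verify_evidence begins outside the hunk, so either check may exist there. If not, `if (hash_len > sizeof(((tdx_quote_t *)0)->report_body.report_data) || evidence->evidence.report_len < sizeof(tdx_quote_t)) return -ENCLAVE_VERIFIER_ERR_INVALID;` ahead of the memcmp keeps both reads inside the received buffer. In the @@ -45 hunk the `(uint32_t)` cast of `report_len` silently truncates if that field is wider than 32 bits — presumably it is not, but a comment or a range check would settle it.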