diff --git a/cbindgen_enclaves.toml b/cbindgen_enclaves.toml
new file mode 100644
index 00000000..31de9d70
--- /dev/null
+++ b/cbindgen_enclaves.toml
@@ -0,0 +1,35 @@
+# cbindgen config for the enclave bindings.h files
+#
+# These binding files should include all the types referenced by
+# the functions declared in our EDL files.
+#
+# Docs:
+
+language = "C"
+
+# No C standard imports for enclaves.
+no_includes = true
+
+[export]
+
+# Don't generate items for functions (sgx_edger8r will).
+item_types = [
+ "constants",
+ "globals",
+ "enums",
+ "structs",
+ "unions",
+ "typedefs",
+ "opaque",
+ # "functions",
+]
+
+[enum]
+# Use qualified enum variant names: some of our enum types conflict, otherwise.
+rename_variants = "QualifiedScreamingSnakeCase"
+
+# Also generate items for our local enclaves libraries.
+[parse]
+parse_deps = true
+include = ["rtc_types", "rtc_tenclave"]
+extra_bindings = ["rtc_types", "rtc_tenclave"]
diff --git a/codegen/auth_enclave/bindings.h b/codegen/auth_enclave/bindings.h
index 9820e422..949ef402 100644
--- a/codegen/auth_enclave/bindings.h
+++ b/codegen/auth_enclave/bindings.h
@@ -22,8 +22,8 @@
 * FFI safe result type that can be converted to and from a rust result.
 */
 typedef enum EcallResult_sgx_dh_msg1_t__sgx_status_t_Tag {
- Ok_sgx_dh_msg1_t__sgx_status_t,
- Err_sgx_dh_msg1_t__sgx_status_t,
+ ECALL_RESULT_SGX_DH_MSG1_T_SGX_STATUS_T_OK_SGX_DH_MSG1_T_SGX_STATUS_T,
+ ECALL_RESULT_SGX_DH_MSG1_T_SGX_STATUS_T_ERR_SGX_DH_MSG1_T_SGX_STATUS_T,
 } EcallResult_sgx_dh_msg1_t__sgx_status_t_Tag;
 
 typedef struct EcallResult_sgx_dh_msg1_t__sgx_status_t {
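Review bot: The `# Docs:` line at the top of the new config is empty, so it documents nothing; if a link was meant to follow it, restore it as `# Docs: <cbindgen config reference — placeholder>`, otherwise drop the line. Nothing in the file names its consumers, so a line such as `# Loaded by the rtc_auth_enclave, rtc_data_enclave and rtc_exec_enclave build.rs scripts.` would help whoever edits it next. The `rename_variants` setting changes every enum constant visible to C, so any C code that still uses the old unqualified names (`Success`, `Rand`, ...) will fail to compile against the regenerated headers; that code is not part of this diff, so it is worth checking.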
@@ -44,8 +44,8 @@ typedef struct EcallResult_sgx_dh_msg1_t__sgx_status_t SessionRequestResult;
 * FFI safe result type that can be converted to and from a rust result.
 */
 typedef enum EcallResult_sgx_dh_msg3_t__sgx_status_t_Tag {
- Ok_sgx_dh_msg3_t__sgx_status_t,
- Err_sgx_dh_msg3_t__sgx_status_t,
+ ECALL_RESULT_SGX_DH_MSG3_T_SGX_STATUS_T_OK_SGX_DH_MSG3_T_SGX_STATUS_T,
+ ECALL_RESULT_SGX_DH_MSG3_T_SGX_STATUS_T_ERR_SGX_DH_MSG3_T_SGX_STATUS_T,
 } EcallResult_sgx_dh_msg3_t__sgx_status_t_Tag;
 
 typedef struct EcallResult_sgx_dh_msg3_t__sgx_status_t {
@@ -63,10 +63,10 @@ typedef struct EcallResult_sgx_dh_msg3_t__sgx_status_t {
 typedef struct EcallResult_sgx_dh_msg3_t__sgx_status_t ExchangeReportResult;
 
 typedef enum CreateReportResult_Tag {
- Success,
- Sgx,
- FailedToGetPublicKey,
- FailedEncodePublicKey,
+ CREATE_REPORT_RESULT_SUCCESS,
+ CREATE_REPORT_RESULT_SGX,
+ CREATE_REPORT_RESULT_FAILED_TO_GET_PUBLIC_KEY,
+ CREATE_REPORT_RESULT_FAILED_ENCODE_PUBLIC_KEY,
 } CreateReportResult_Tag;
 
 typedef struct CreateReportResult {
diff --git a/codegen/data_enclave/bindings.h b/codegen/data_enclave/bindings.h
index 63570f99..f84efde4 100644
--- a/codegen/data_enclave/bindings.h
+++ b/codegen/data_enclave/bindings.h
@@ -24,8 +24,8 @@ typedef struct DataUploadResponse {
 } DataUploadResponse;
 
 typedef enum CryptoError_Tag {
- Rand,
- Unknown,
+ CRYPTO_ERROR_RAND,
+ CRYPTO_ERROR_UNKNOWN,
 } CryptoError_Tag;
 
 typedef struct CryptoError {
@@ -38,9 +38,9 @@ typedef struct CryptoError {
 } CryptoError;
 
 typedef enum DataUploadError_Tag {
- Validation,
- Sealing,
- Crypto,
+ DATA_UPLOAD_ERROR_VALIDATION,
+ DATA_UPLOAD_ERROR_SEALING,
+ DATA_UPLOAD_ERROR_CRYPTO,
 } DataUploadError_Tag;
 
 typedef struct DataUploadError {
@@ -59,8 +59,8 @@ typedef struct DataUploadError {
 * FFI safe result type that can be converted to and from a rust result.
 */
 typedef enum EcallResult_DataUploadResponse__DataUploadError_Tag {
- Ok_DataUploadResponse__DataUploadError,
- Err_DataUploadResponse__DataUploadError,
+ ECALL_RESULT_DATA_UPLOAD_RESPONSE_DATA_UPLOAD_ERROR_OK_DATA_UPLOAD_RESPONSE_DATA_UPLOAD_ERROR,
+ ECALL_RESULT_DATA_UPLOAD_RESPONSE_DATA_UPLOAD_ERROR_ERR_DATA_UPLOAD_RESPONSE_DATA_UPLOAD_ERROR,
 } EcallResult_DataUploadResponse__DataUploadError_Tag;
 
 typedef struct EcallResult_DataUploadResponse__DataUploadError {
@@ -86,8 +86,8 @@ typedef struct UploadMetadata {
 * FFI safe result type that can be converted to and from a rust result.
 */
 typedef enum EcallResult_sgx_dh_msg1_t__sgx_status_t_Tag {
- Ok_sgx_dh_msg1_t__sgx_status_t,
- Err_sgx_dh_msg1_t__sgx_status_t,
+ ECALL_RESULT_SGX_DH_MSG1_T_SGX_STATUS_T_OK_SGX_DH_MSG1_T_SGX_STATUS_T,
+ ECALL_RESULT_SGX_DH_MSG1_T_SGX_STATUS_T_ERR_SGX_DH_MSG1_T_SGX_STATUS_T,
 } EcallResult_sgx_dh_msg1_t__sgx_status_t_Tag;
 
 typedef struct EcallResult_sgx_dh_msg1_t__sgx_status_t {
@@ -108,8 +108,8 @@ typedef struct EcallResult_sgx_dh_msg1_t__sgx_status_t SessionRequestResult;
 * FFI safe result type that can be converted to and from a rust result.
 */
 typedef enum EcallResult_sgx_dh_msg3_t__sgx_status_t_Tag {
- Ok_sgx_dh_msg3_t__sgx_status_t,
- Err_sgx_dh_msg3_t__sgx_status_t,
+ ECALL_RESULT_SGX_DH_MSG3_T_SGX_STATUS_T_OK_SGX_DH_MSG3_T_SGX_STATUS_T,
+ ECALL_RESULT_SGX_DH_MSG3_T_SGX_STATUS_T_ERR_SGX_DH_MSG3_T_SGX_STATUS_T,
 } EcallResult_sgx_dh_msg3_t__sgx_status_t_Tag;
 
 typedef struct EcallResult_sgx_dh_msg3_t__sgx_status_t {
@@ -127,10 +127,10 @@ typedef struct EcallResult_sgx_dh_msg3_t__sgx_status_t {
 typedef struct EcallResult_sgx_dh_msg3_t__sgx_status_t ExchangeReportResult;
 
 typedef enum CreateReportResult_Tag {
- Success,
- Sgx,
- FailedToGetPublicKey,
- FailedEncodePublicKey,
+ CREATE_REPORT_RESULT_SUCCESS,
+ CREATE_REPORT_RESULT_SGX,
+ CREATE_REPORT_RESULT_FAILED_TO_GET_PUBLIC_KEY,
+ CREATE_REPORT_RESULT_FAILED_ENCODE_PUBLIC_KEY,
 } CreateReportResult_Tag;
 
 typedef struct CreateReportResult {
diff --git a/codegen/exec_enclave/bindings.h b/codegen/exec_enclave/bindings.h
index 9820e422..949ef402 100644
--- a/codegen/exec_enclave/bindings.h
+++ b/codegen/exec_enclave/bindings.h
@@ -22,8 +22,8 @@
 * FFI safe result type that can be converted to and from a rust result.
 */
 typedef enum EcallResult_sgx_dh_msg1_t__sgx_status_t_Tag {
- Ok_sgx_dh_msg1_t__sgx_status_t,
- Err_sgx_dh_msg1_t__sgx_status_t,
+ ECALL_RESULT_SGX_DH_MSG1_T_SGX_STATUS_T_OK_SGX_DH_MSG1_T_SGX_STATUS_T,
+ ECALL_RESULT_SGX_DH_MSG1_T_SGX_STATUS_T_ERR_SGX_DH_MSG1_T_SGX_STATUS_T,
 } EcallResult_sgx_dh_msg1_t__sgx_status_t_Tag;
 
 typedef struct EcallResult_sgx_dh_msg1_t__sgx_status_t {
@@ -44,8 +44,8 @@ typedef struct EcallResult_sgx_dh_msg1_t__sgx_status_t SessionRequestResult;
 * FFI safe result type that can be converted to and from a rust result.
 */
 typedef enum EcallResult_sgx_dh_msg3_t__sgx_status_t_Tag {
- Ok_sgx_dh_msg3_t__sgx_status_t,
- Err_sgx_dh_msg3_t__sgx_status_t,
+ ECALL_RESULT_SGX_DH_MSG3_T_SGX_STATUS_T_OK_SGX_DH_MSG3_T_SGX_STATUS_T,
+ ECALL_RESULT_SGX_DH_MSG3_T_SGX_STATUS_T_ERR_SGX_DH_MSG3_T_SGX_STATUS_T,
 } EcallResult_sgx_dh_msg3_t__sgx_status_t_Tag;
 
 typedef struct EcallResult_sgx_dh_msg3_t__sgx_status_t {
@@ -63,10 +63,10 @@ typedef struct EcallResult_sgx_dh_msg3_t__sgx_status_t {
 typedef struct EcallResult_sgx_dh_msg3_t__sgx_status_t ExchangeReportResult;
 
 typedef enum CreateReportResult_Tag {
- Success,
- Sgx,
- FailedToGetPublicKey,
- FailedEncodePublicKey,
+ CREATE_REPORT_RESULT_SUCCESS,
+ CREATE_REPORT_RESULT_SGX,
+ CREATE_REPORT_RESULT_FAILED_TO_GET_PUBLIC_KEY,
+ CREATE_REPORT_RESULT_FAILED_ENCODE_PUBLIC_KEY,
 } CreateReportResult_Tag;
 
 typedef struct CreateReportResult {
diff --git a/rtc_auth_enclave/build.rs b/rtc_auth_enclave/build.rs
index e80bd391..eb805f5c 100644
--- a/rtc_auth_enclave/build.rs
+++ b/rtc_auth_enclave/build.rs
@@ -1,13 +1,14 @@
 extern crate cbindgen;
 extern crate cc;
 
-use cbindgen::{Config, ExportConfig, ItemType};
 use std::env;
 
 fn main() {
 println!("cargo:rerun-if-changed=rtc_auth.edl");
 println!("cargo:rerun-if-changed=src");
 
+ let cbindgen_config_file = "../cbindgen_enclaves.toml";
+ println!("cargo:rerun-if-changed={}", cbindgen_config_file);
 // Also rebuild if we delete bindings.h
 println!("cargo:rerun-if-changed=../codegen/auth_enclave/bindings.h");
 
@@ -16,29 +17,11 @@ fn main() {
 let _sgx_rust = String::from("/root/sgx-rust");
 let crate_dir = env::var("CARGO_MANIFEST_DIR").unwrap();
 
+ let cbindgen_config = cbindgen::Config::from_file(cbindgen_config_file).unwrap();
 cbindgen::Builder::new()
- .with_config(Config {
- export: ExportConfig {
- item_types: vec![
- ItemType::Constants,
- ItemType::Globals,
- ItemType::Enums,
- ItemType::Structs,
- ItemType::Unions,
- ItemType::Typedefs,
- ItemType::OpaqueItems,
- ],
- ..Default::default()
- },
- ..Default::default()
- })
+ .with_config(cbindgen_config)
 .with_crate(crate_dir)
 .with_std_types(false)
- .with_language(cbindgen::Language::C)
- .with_no_includes()
- .with_parse_deps(true)
- .with_parse_include(&["rtc_types", "rtc_tenclave"])
- .with_parse_extra_bindings(&["rtc_types", "rtc_tenclave"])
 .generate()
 .expect("Unable to generate bindings")
 .write_to_file("../codegen/auth_enclave/bindings.h");
diff --git a/rtc_data_enclave/build.rs b/rtc_data_enclave/build.rs
index c631f4bf..d7abb87c 100644
--- a/rtc_data_enclave/build.rs
+++ b/rtc_data_enclave/build.rs
@@ -1,13 +1,14 @@
 extern crate cbindgen;
 extern crate cc;
 
-use cbindgen::{Config, ExportConfig, ItemType};
 use std::env;
 
 fn main() {
 println!("cargo:rerun-if-changed=rtc_data.edl");
 println!("cargo:rerun-if-changed=src");
 
+ let cbindgen_config_file = "../cbindgen_enclaves.toml";
+ println!("cargo:rerun-if-changed={}", cbindgen_config_file);
 // Also rebuild if we delete bindings.h
 println!("cargo:rerun-if-changed=../codegen/data_enclave/bindings.h");
 
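Review bot: `cbindgen::Config::from_file(cbindgen_config_file).unwrap()` on the added line fails with only the raw error when the shared config is missing or malformed, while the builder chain a few lines below already uses `.expect("Unable to generate bindings")`; for a consistent and readable build failure, `let cbindgen_config = cbindgen::Config::from_file(cbindgen_config_file).expect("Unable to read cbindgen config");` is the better form. The identical line is added in `rtc_data_enclave/build.rs` and `rtc_exec_enclave/build.rs`, so the same change applies there. The `../` in the path relies on Cargo running build scripts with the crate's manifest directory as the working directory, which is worth stating next to it: `// Shared by all enclave crates; relative to this crate's manifest dir.`. The enclosing `fn main` starts outside the hunk.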
@@ -16,29 +17,11 @@ fn main() {
 let _sgx_rust = String::from("/root/sgx-rust");
 let crate_dir = env::var("CARGO_MANIFEST_DIR").unwrap();
 
+ let cbindgen_config = cbindgen::Config::from_file(cbindgen_config_file).unwrap();
 cbindgen::Builder::new()
- .with_config(Config {
- export: ExportConfig {
- item_types: vec![
- ItemType::Constants,
- ItemType::Globals,
- ItemType::Enums,
- ItemType::Structs,
- ItemType::Unions,
- ItemType::Typedefs,
- ItemType::OpaqueItems,
- ],
- ..Default::default()
- },
- ..Default::default()
- })
+ .with_config(cbindgen_config)
 .with_crate(crate_dir)
 .with_std_types(false)
- .with_language(cbindgen::Language::C)
- .with_no_includes()
- .with_parse_deps(true)
- .with_parse_include(&["rtc_types", "rtc_tenclave"])
- .with_parse_extra_bindings(&["rtc_types", "rtc_tenclave"])
 .generate()
 .expect("Unable to generate bindings")
 .write_to_file("../codegen/data_enclave/bindings.h");
diff --git a/rtc_exec_enclave/build.rs b/rtc_exec_enclave/build.rs
index 17dd943f..d7978042 100644
--- a/rtc_exec_enclave/build.rs
+++ b/rtc_exec_enclave/build.rs
@@ -1,13 +1,14 @@
 extern crate cbindgen;
 extern crate cc;
 
-use cbindgen::{Config, ExportConfig, ItemType};
 use std::env;
 
 fn main() {
 println!("cargo:rerun-if-changed=rtc_exec.edl");
 println!("cargo:rerun-if-changed=src");
 
+ let cbindgen_config_file = "../cbindgen_enclaves.toml";
+ println!("cargo:rerun-if-changed={}", cbindgen_config_file);
 // Also rebuild if we delete bindings.h
 println!("cargo:rerun-if-changed=../codegen/exec_enclave/bindings.h");
 
@@ -16,29 +17,11 @@ fn main() {
 let _sgx_rust = String::from("/root/sgx-rust");
 let crate_dir = env::var("CARGO_MANIFEST_DIR").unwrap();
 
+ let cbindgen_config = cbindgen::Config::from_file(cbindgen_config_file).unwrap();
 cbindgen::Builder::new()
- .with_config(Config {
- export: ExportConfig {
- item_types: vec![
- ItemType::Constants,
- ItemType::Globals,
- ItemType::Enums,
- ItemType::Structs,
- ItemType::Unions,
- ItemType::Typedefs,
- ItemType::OpaqueItems,
- ],
- ..Default::default()
- },
- ..Default::default()
- })
+ .with_config(cbindgen_config)
 .with_crate(crate_dir)
 .with_std_types(false)
- .with_language(cbindgen::Language::C)
- .with_no_includes()
- .with_parse_deps(true)
- .with_parse_include(&["rtc_types", "rtc_tenclave"])
- .with_parse_extra_bindings(&["rtc_types", "rtc_tenclave"])
 .generate()
 .expect("Unable to generate bindings")
 .write_to_file("../codegen/exec_enclave/bindings.h");
diff --git a/rtc_tenclave/src/dh/sealing.rs b/rtc_tenclave/src/dh/sealing.rs
index 2e5ec6c4..4375b08f 100644
--- a/rtc_tenclave/src/dh/sealing.rs
+++ b/rtc_tenclave/src/dh/sealing.rs
@@ -2,11 +2,11 @@
 
 use core::mem::size_of;
 
-use rkyv::ser::serializers::{BufferSerializer, BufferSerializerError};
+use rkyv::ser::serializers::BufferSerializer;
 use rkyv::{Aligned, Archive, Deserialize, Infallible, Serialize};
 use rtc_types::byte_formats::rkyv_format;
+use rtc_types::enclave_messages::errors::SealingError;
 use rtc_types::enclave_messages::EncryptedEnclaveMessage;
-use sgx_types::sgx_status_t;
 
 use crate::dh::ProtectedChannel;
 
@@ -107,24 +107,6 @@ where
 unsafe { rkyv_format::view_array::(&sealed.aad) }
 }
 
-#[derive(Debug)]
-pub enum SealingError {
- Rkyv(BufferSerializerError),
- Sgx(sgx_status_t),
-}
-
-impl From for SealingError {
- fn from(error: BufferSerializerError) -> Self {
- SealingError::Rkyv(error)
- }
-}
-
-impl From for SealingError {
- fn from(status: sgx_status_t) -> Self {
- SealingError::Sgx(status)
- }
-}
-
 #[cfg(test)]
 mod tests {
 use proptest::prelude::*;
diff --git a/rtc_types/src/enclave_messages/errors.rs b/rtc_types/src/enclave_messages/errors.rs
index 8d269c85..71553c74 100644
--- a/rtc_types/src/enclave_messages/errors.rs
+++ b/rtc_types/src/enclave_messages/errors.rs
@@ -2,6 +2,7 @@
 
 use std::sync::PoisonError;
 
+use rkyv::ser::serializers::BufferSerializerError;
 use sgx_types::{sgx_enclave_id_t, sgx_status_t};
 use thiserror::Error;
 
@@ -10,6 +11,7 @@ use thiserror::Error;
 /// See: `rtc_tenclave::dh::sessions::DhSessions`
 #[derive(Debug, PartialEq)] // core
 #[derive(Error)] // thiserror
+#[repr(C)]
 pub enum AcquireSessionError {
 /// This should generally be treated as an unrecoverable error.
 #[error("Channel mutex poisoned")]
@@ -36,3 +38,30 @@ impl From for AcquireSessionError {
 AcquireSessionError::Sgx(err)
 }
 }
+
+#[derive(Debug)] // core
+#[derive(Error)] // thiserror
+#[repr(C)]
+pub enum SealingError {
+ #[error("Failed to acquire ProtectedChannel: {0}")]
+ ChannelNotFound(#[from] AcquireSessionError),
+
+ #[error("Failed to rkyv-serialize message (BufferSerializerError omitted)")]
+ RkyvBufferSerializerError, // see impl From
+
+ #[error("SGX error: {0:?}")]
+ Sgx(sgx_status_t),
+}
+
+/// BufferSerializerError is not FFI-safe: ignore it, for now.
+impl From for SealingError {
+ fn from(_: BufferSerializerError) -> Self {
+ SealingError::RkyvBufferSerializerError
+ }
+}
+
+impl From for SealingError {
+ fn from(status: sgx_status_t) -> Self {
+ SealingError::Sgx(status)
+ }
+}
diff --git a/rtc_types/src/enclave_messages/ffi_set_access_key.rs b/rtc_types/src/enclave_messages/ffi_set_access_key.rs
index aed70674..2b445587 100644
--- a/rtc_types/src/enclave_messages/ffi_set_access_key.rs
+++ b/rtc_types/src/enclave_messages/ffi_set_access_key.rs
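Review bot: The new `SealingError` derives only `Debug`, while `AcquireSessionError` in the hunk above derives `Debug, PartialEq`; now that the rkyv variant carries no payload, `#[derive(Debug, PartialEq)] // core` should be derivable (provided `AcquireSessionError` and `sgx_status_t` both compare, which the existing derive suggests) and would let tests assert on the exact error value. The `From<BufferSerializerError>` impl discards the serializer error completely, so a failed serialization reaches the caller only as the bare `RkyvBufferSerializerError` variant with no detail to diagnose from; the doc comment says "for now", so a `// TODO: log or map the BufferSerializerError before it is dropped here` on that impl would keep the follow-up visible. The enum is now `#[repr(C)]` and crosses the ECALL boundary, so it would also help to note on the type which side is expected to construct it, since a C-side producer would have to respect the tag values.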
@@ -9,9 +9,11 @@
 //! (The Rust compiler should report an error if these don't line up:
 //! this can be used to update these if `set_access_key` changes.)
 
-use sgx_types::sgx_aes_gcm_128bit_tag_t;
+use sgx_types::{sgx_aes_gcm_128bit_tag_t, sgx_status_t};
 
 use super::{set_access_key, RecommendedAesGcmIv};
+use crate::enclave_messages::errors::SealingError;
+use crate::EcallResult;
 
 // See enclave_messages::ARCHIVED_ENCLAVE_ID_SIZE
 pub const ARCHIVED_ENCLAVE_ID_SIZE: usize = 8;
@@ -44,8 +46,17 @@ pub struct SetAccessKeyEncryptedResponse {
 pub nonce: RecommendedAesGcmIv,
 }
 
+// FFI type: SetAccessKeyResult
+pub type SetAccessKeyResult = EcallResult;
+
 // End FFI types
 
+impl Default for SetAccessKeyResult {
+ fn default() -> Self {
+ EcallResult::Err(SealingError::Sgx(sgx_status_t::SGX_ERROR_UNEXPECTED))
+ }
+}
+
 // Boilerplate From implementations:
 
 impl From for SetAccessKeyEncryptedRequest {
@@ -57,12 +68,12 @@ impl From for SetAccessKeyEncryptedRequest {
 nonce,
 }: set_access_key::EncryptedRequest,
 ) -> Self {
- return SetAccessKeyEncryptedRequest {
+ SetAccessKeyEncryptedRequest {
 tag,
 ciphertext,
 aad,
 nonce,
- };
+ }
 }
 }
 
@@ -75,12 +86,12 @@ impl From for set_access_key::EncryptedRequest {
 nonce,
 }: SetAccessKeyEncryptedRequest,
 ) -> Self {
- return set_access_key::EncryptedRequest {
+ set_access_key::EncryptedRequest {
 tag,
 ciphertext,
 aad,
 nonce,
- };
+ }
 }
 }
 
@@ -93,12 +104,12 @@ impl From for SetAccessKeyEncryptedResponse {
 nonce,
 }: set_access_key::EncryptedResponse,
 ) -> Self {
- return SetAccessKeyEncryptedResponse {
+ SetAccessKeyEncryptedResponse {
 tag,
 ciphertext,
 aad,
 nonce,
- };
+ }
 }
 }
 
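Review bot: The `Default` impl for `SetAccessKeyResult` in the second hunk returns `Err(SealingError::Sgx(SGX_ERROR_UNEXPECTED))` without saying why the default is a failure rather than a success value; presumably it initialises the ECALL out-parameter so that a result the enclave never wrote is read as an error (fail closed), and that intent deserves a doc comment: `/// Fail-closed default for the ECALL out-parameter: a result that was never written reads as an error, never as a success.` The alias comment `// FFI type: SetAccessKeyResult` names only the FFI side; `// FFI type: SetAccessKeyResult (Rust side: set_access_key::SetAccessKeyResult)` would tie it to its counterpart the way the rest of this file's FFI types are paired. The `return` removals in the remaining hunks are fine as written.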
@@ -111,11 +122,23 @@ impl From for set_access_key::EncryptedResponse {
 nonce,
 }: SetAccessKeyEncryptedResponse,
 ) -> Self {
- return set_access_key::EncryptedResponse {
+ set_access_key::EncryptedResponse {
 tag,
 ciphertext,
 aad,
 nonce,
- };
+ }
+ }
+}
+
+impl From for SetAccessKeyResult {
+ fn from(result: set_access_key::SetAccessKeyResult) -> Self {
+ Self::from(result.map(SetAccessKeyEncryptedResponse::from))
+ }
+}
+
+impl From for set_access_key::SetAccessKeyResult {
+ fn from(result: SetAccessKeyResult) -> Self {
+ Self::from(result.map(set_access_key::EncryptedResponse::from))
 }
 }
diff --git a/rtc_types/src/enclave_messages/set_access_key.rs b/rtc_types/src/enclave_messages/set_access_key.rs
index 544e2935..dbd1215d 100644
--- a/rtc_types/src/enclave_messages/set_access_key.rs
+++ b/rtc_types/src/enclave_messages/set_access_key.rs
@@ -2,6 +2,7 @@
 
 use core::mem;
 use rkyv::{Archive, Deserialize, Serialize};
+use crate::enclave_messages::errors::SealingError;
 use crate::enclave_messages::{EncryptedEnclaveMessage, ARCHIVED_ENCLAVE_ID_SIZE};
 
 #[derive(Archive, Deserialize, Serialize, Debug, PartialEq, Clone)]
@@ -32,6 +33,9 @@ pub const RESPONSE_SIZE: usize = mem::size_of::();
 // FFI type: EncryptedResponse
 pub type EncryptedResponse = EncryptedEnclaveMessage;
 
+// FFI type: SetAccessKeyResult
+pub type SetAccessKeyResult = Result;
+
 // End FFI types
 
 #[cfg(test)]
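Review bot: The two new `From` impls between `SetAccessKeyResult` and `set_access_key::SetAccessKeyResult` carry no doc comments, and unlike the field-copying impls above them they depend on `EcallResult`'s own conversions to and from `Result`, which live outside this file; a line such as `/// Converts only the Ok payload; the SealingError side is shared by both result types.` on each would make that dependency and the asymmetry with the "boilerplate" impls clear. Nothing in the hunk checks that the error side survives the conversion unchanged, so a round-trip test that converts an `Ok` value and each `SealingError` variant to the FFI type and back, asserting equality, would pin that (this needs `SealingError: PartialEq`, which the enum in `errors.rs` does not currently derive). The `impl From ... for set_access_key::EncryptedResponse` that opens this hunk starts outside it.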