sgx: Fix hsm-tool CLI parsing, increase key generation timeout window, add IntelWhitelistFormInstructions.md

2024-12-28 00:38:55 +00:00 · 2017-06-15 15:11:46 +01:00 · 2017-06-15 15:11:46 +01:00 · 39942b9ce2
commit 39942b9ce2
parent c8c8c8eb66
4 changed files with 91 additions and 7 deletions
--- a/sgx-jvm/hsm-tool/src/main/kotlin/com/r3cev/sgx/config/ToolConfig.kt
+++ b/sgx-jvm/hsm-tool/src/main/kotlin/com/r3cev/sgx/config/ToolConfig.kt
@ -21,8 +21,8 @@ data class ToolConfig(val config: Config) {
        val sourcePathArg = parser.accepts("source").withRequiredArg()
        val configPathArg = parser.accepts("config").withRequiredArg()
        val profileArg = parser.accepts("profile").withRequiredArg().defaultsTo("dev")
-        val publicKeyOutputPathArg = parser.accepts("pubkey").withRequiredArg().defaultsTo("./pubkey.pem")
-        val signatureOutputPathArg = parser.accepts("signature").withRequiredArg().defaultsTo("./signature.sha256")
+        val publicKeyOutputPathArg = parser.accepts("pubkey").withRequiredArg()
+        val signatureOutputPathArg = parser.accepts("signature").withRequiredArg()
        val deviceArg = parser.accepts("device").withRequiredArg()
        val keyNameArg = parser.accepts("keyName").withRequiredArg()
        val keyGroupArg = parser.accepts("keyGroup").withRequiredArg()
--- a/sgx-jvm/hsm-tool/src/main/kotlin/com/r3cev/sgx/hsmtool/Main.kt
+++ b/sgx-jvm/hsm-tool/src/main/kotlin/com/r3cev/sgx/hsmtool/Main.kt
@ -91,7 +91,12 @@ fun connectAndAuthenticate(config: ToolConfig, block: (CryptoServerProvider) ->
        }
        block(provider)
    } finally {
-        provider.logoff()
+        try {
+            provider.logoff()
+        } catch (throwable: Throwable) {
+            println("WARNING Exception while logging off")
+            throwable.printStackTrace(System.out)
+        }
    }
 }

@ -133,8 +138,8 @@ private fun createProvider(device: String, keyGroup: String, keySpecifier: Strin
    val cfgBuffer = ByteArrayOutputStream()
    val writer = cfgBuffer.writer(Charsets.UTF_8)
    writer.write("Device = $device\n")
-    writer.write("ConnectionTimeout = 3000\n")
-    writer.write("Timeout = 30000\n")
+    writer.write("ConnectionTimeout = 30000\n")
+    writer.write("Timeout = 60000\n")
    writer.write("EndSessionOnShutdown = 1\n")
    writer.write("KeepSessionAlive = 0\n")
    writer.write("KeyGroup = $keyGroup\n")
--- a/sgx-jvm/noop-enclave/IntelWhitelistFormInstructions.md
+++ b/sgx-jvm/noop-enclave/IntelWhitelistFormInstructions.md
@ -0,0 +1,75 @@
+This is a small guide on how to generate the required files for Intel's
+Whitelisting form.
+
+To generate the production key
+===
+
+At this point the HSM should be set up with the appropriate groups and
+permissions.
+
+This step should be done on a separate clean machine, with no internet
+connection, only connected to the HSM. The hsm-tool should be used directly,
+this way the only dependency is a working JDK.
+
+To generate the key:
+
+`java -jar hsm-tool.jar --mode=GenerateKey --profile=prod`
+
+
+This will require two separate smartcard authentications. The generation
+will fail if there is already an existing production key in the HSM.
+
+
+To generate a production enclave signature
+===
+
+This may be done from a dev machine with an SGX device.
+
+To generate the signature and related files:
+
+```
+make clean
+make sigstruct-hsm PROFILE=prod
+```
+
+This will require two separate smartcard authentications.
+
+Running the above will produce the following files in `build/`:
+
+* `noop_enclave.unsigned.so`: The unsigned enclave
+
+* `noop_enclave_blob_to_sign.bin`: The unsigned SIGSTRUCT blob to sign.
+
+* `noop_enclave.signed.hsm.so`: The signed enclave(= the unsigned enclave + signed blob).
+
+* `noop_enclave.sigstruct.hsm.bin`: The signed SIGSTRUCT blob extracted from the signed enclave.
+
+* `noop_enclave.sigstruct-pretty.hsm.txt`: The pretty printed SIGSTRUCT.
+
+To sanity check the signed enclave:
+
+```
+make noop_test
+./build/noop_test ./build/noop_enclave.signed.hsm.so
+```
+
+The above should return cleanly.
+
+Intel's whitelisting form requires the MRSIGNER value in hexadecimal
+from `noop_enclave.sigstruct-pretty.hsm.txt`, furthermore we need to attach
+`noop_enclave.sigstruct.hsm.bin`.
+
+
+
+To overwrite the production key
+===
+
+*WARNING* THIS STEP SHOULD NOT BE INVOKED, UNLESS YOU KNOW EXACTLY WHAT YOU'RE DOING
+---
+
+SECOND WARNING: Even in the case of disaster recovery consider
+resetting the HSM completely instead!
+
+To overwrite the production key:
+
+`java -jar hsm-tool.jar --mode=GenerateKey --profile=prod --overwriteKey # God help you`
--- a/sgx-jvm/noop-enclave/README.md
+++ b/sgx-jvm/noop-enclave/README.md
@ -1,12 +1,12 @@
 What is this?
-=============
+===

 This project contains a noop enclave with a single ECALL that does
 nothing. Its purpose is to demonstrate our ability to create a signed
 enclave and to test the signature process through an HSM.

 How to run
-==========
+===

 The following Makefile targets execute different steps in the signing process and output into build/

@ -35,3 +35,7 @@ The following targets use the HSM. They require an extra `PROFILE=[dev|prod]` ar
  `./build/noop_test ./build/noop_enclave.signed.openssl.so`

  will run the noop ECALL using the openssl signed enclave.
+
+
+See IntelWhitelistFormInstructions.md for details on how to use this
+project to fill the enclave specific parts of Intel's whitelisting form.