From 39942b9ce247c81ade53c1b290ae104861ed673f Mon Sep 17 00:00:00 2001 From: Andras Slemmer Date: Thu, 15 Jun 2017 15:11:46 +0100 Subject: [PATCH] sgx: Fix hsm-tool CLI parsing, increase key generation timeout window, add IntelWhitelistFormInstructions.md --- .../kotlin/com/r3cev/sgx/config/ToolConfig.kt | 4 +- .../main/kotlin/com/r3cev/sgx/hsmtool/Main.kt | 11 ++- .../IntelWhitelistFormInstructions.md | 75 +++++++++++++++++++ sgx-jvm/noop-enclave/README.md | 8 +- 4 files changed, 91 insertions(+), 7 deletions(-) create mode 100644 sgx-jvm/noop-enclave/IntelWhitelistFormInstructions.md diff --git a/sgx-jvm/hsm-tool/src/main/kotlin/com/r3cev/sgx/config/ToolConfig.kt b/sgx-jvm/hsm-tool/src/main/kotlin/com/r3cev/sgx/config/ToolConfig.kt index 75571ca9ee..d3ffdc601b 100644 --- a/sgx-jvm/hsm-tool/src/main/kotlin/com/r3cev/sgx/config/ToolConfig.kt +++ b/sgx-jvm/hsm-tool/src/main/kotlin/com/r3cev/sgx/config/ToolConfig.kt @@ -21,8 +21,8 @@ data class ToolConfig(val config: Config) { val sourcePathArg = parser.accepts("source").withRequiredArg() val configPathArg = parser.accepts("config").withRequiredArg() val profileArg = parser.accepts("profile").withRequiredArg().defaultsTo("dev") - val publicKeyOutputPathArg = parser.accepts("pubkey").withRequiredArg().defaultsTo("./pubkey.pem") - val signatureOutputPathArg = parser.accepts("signature").withRequiredArg().defaultsTo("./signature.sha256") + val publicKeyOutputPathArg = parser.accepts("pubkey").withRequiredArg() + val signatureOutputPathArg = parser.accepts("signature").withRequiredArg() val deviceArg = parser.accepts("device").withRequiredArg() val keyNameArg = parser.accepts("keyName").withRequiredArg() val keyGroupArg = parser.accepts("keyGroup").withRequiredArg() diff --git a/sgx-jvm/hsm-tool/src/main/kotlin/com/r3cev/sgx/hsmtool/Main.kt b/sgx-jvm/hsm-tool/src/main/kotlin/com/r3cev/sgx/hsmtool/Main.kt index c1428f5f69..c4b5415c63 100644 --- a/sgx-jvm/hsm-tool/src/main/kotlin/com/r3cev/sgx/hsmtool/Main.kt +++ b/sgx-jvm/hsm-tool/src/main/kotlin/com/r3cev/sgx/hsmtool/Main.kt @@ -91,7 +91,12 @@ fun connectAndAuthenticate(config: ToolConfig, block: (CryptoServerProvider) -> } block(provider) } finally { - provider.logoff() + try { + provider.logoff() + } catch (throwable: Throwable) { + println("WARNING Exception while logging off") + throwable.printStackTrace(System.out) + } } } @@ -133,8 +138,8 @@ private fun createProvider(device: String, keyGroup: String, keySpecifier: Strin val cfgBuffer = ByteArrayOutputStream() val writer = cfgBuffer.writer(Charsets.UTF_8) writer.write("Device = $device\n") - writer.write("ConnectionTimeout = 3000\n") - writer.write("Timeout = 30000\n") + writer.write("ConnectionTimeout = 30000\n") + writer.write("Timeout = 60000\n") writer.write("EndSessionOnShutdown = 1\n") writer.write("KeepSessionAlive = 0\n") writer.write("KeyGroup = $keyGroup\n") diff --git a/sgx-jvm/noop-enclave/IntelWhitelistFormInstructions.md b/sgx-jvm/noop-enclave/IntelWhitelistFormInstructions.md new file mode 100644 index 0000000000..f37771c6fd --- /dev/null +++ b/sgx-jvm/noop-enclave/IntelWhitelistFormInstructions.md @@ -0,0 +1,75 @@ +This is a small guide on how to generate the required files for Intel's +Whitelisting form. + +To generate the production key +=== + +At this point the HSM should be set up with the appropriate groups and +permissions. + +This step should be done on a separate clean machine, with no internet +connection, only connected to the HSM. The hsm-tool should be used directly, +this way the only dependency is a working JDK. + +To generate the key: + +`java -jar hsm-tool.jar --mode=GenerateKey --profile=prod` + + +This will require two separate smartcard authentications. The generation +will fail if there is already an existing production key in the HSM. + + +To generate a production enclave signature +=== + +This may be done from a dev machine with an SGX device. + +To generate the signature and related files: + +``` +make clean +make sigstruct-hsm PROFILE=prod +``` + +This will require two separate smartcard authentications. + +Running the above will produce the following files in `build/`: + +* `noop_enclave.unsigned.so`: The unsigned enclave + +* `noop_enclave_blob_to_sign.bin`: The unsigned SIGSTRUCT blob to sign. + +* `noop_enclave.signed.hsm.so`: The signed enclave(= the unsigned enclave + signed blob). + +* `noop_enclave.sigstruct.hsm.bin`: The signed SIGSTRUCT blob extracted from the signed enclave. + +* `noop_enclave.sigstruct-pretty.hsm.txt`: The pretty printed SIGSTRUCT. + +To sanity check the signed enclave: + +``` +make noop_test +./build/noop_test ./build/noop_enclave.signed.hsm.so +``` + +The above should return cleanly. + +Intel's whitelisting form requires the MRSIGNER value in hexadecimal +from `noop_enclave.sigstruct-pretty.hsm.txt`, furthermore we need to attach +`noop_enclave.sigstruct.hsm.bin`. + + + +To overwrite the production key +=== + +*WARNING* THIS STEP SHOULD NOT BE INVOKED, UNLESS YOU KNOW EXACTLY WHAT YOU'RE DOING +--- + +SECOND WARNING: Even in the case of disaster recovery consider +resetting the HSM completely instead! + +To overwrite the production key: + +`java -jar hsm-tool.jar --mode=GenerateKey --profile=prod --overwriteKey # God help you` \ No newline at end of file diff --git a/sgx-jvm/noop-enclave/README.md b/sgx-jvm/noop-enclave/README.md index c13cacf7cd..87574cdb9a 100644 --- a/sgx-jvm/noop-enclave/README.md +++ b/sgx-jvm/noop-enclave/README.md @@ -1,12 +1,12 @@ What is this? -============= +=== This project contains a noop enclave with a single ECALL that does nothing. Its purpose is to demonstrate our ability to create a signed enclave and to test the signature process through an HSM. How to run -========== +=== The following Makefile targets execute different steps in the signing process and output into build/ @@ -35,3 +35,7 @@ The following targets use the HSM. They require an extra `PROFILE=[dev|prod]` ar `./build/noop_test ./build/noop_enclave.signed.openssl.so` will run the noop ECALL using the openssl signed enclave. + + +See IntelWhitelistFormInstructions.md for details on how to use this +project to fill the enclave specific parts of Intel's whitelisting form.