sgx: Fix hsm-tool CLI parsing, increase key generation timeout window, add IntelWhitelistFormInstructions.md

This commit is contained in:
Andras Slemmer 2017-06-15 15:11:46 +01:00
parent c8c8c8eb66
commit 39942b9ce2
4 changed files with 91 additions and 7 deletions

View File

@ -21,8 +21,8 @@ data class ToolConfig(val config: Config) {
val sourcePathArg = parser.accepts("source").withRequiredArg() val sourcePathArg = parser.accepts("source").withRequiredArg()
val configPathArg = parser.accepts("config").withRequiredArg() val configPathArg = parser.accepts("config").withRequiredArg()
val profileArg = parser.accepts("profile").withRequiredArg().defaultsTo("dev") val profileArg = parser.accepts("profile").withRequiredArg().defaultsTo("dev")
val publicKeyOutputPathArg = parser.accepts("pubkey").withRequiredArg().defaultsTo("./pubkey.pem") val publicKeyOutputPathArg = parser.accepts("pubkey").withRequiredArg()
val signatureOutputPathArg = parser.accepts("signature").withRequiredArg().defaultsTo("./signature.sha256") val signatureOutputPathArg = parser.accepts("signature").withRequiredArg()
val deviceArg = parser.accepts("device").withRequiredArg() val deviceArg = parser.accepts("device").withRequiredArg()
val keyNameArg = parser.accepts("keyName").withRequiredArg() val keyNameArg = parser.accepts("keyName").withRequiredArg()
val keyGroupArg = parser.accepts("keyGroup").withRequiredArg() val keyGroupArg = parser.accepts("keyGroup").withRequiredArg()

View File

@ -91,7 +91,12 @@ fun connectAndAuthenticate(config: ToolConfig, block: (CryptoServerProvider) ->
} }
block(provider) block(provider)
} finally { } finally {
provider.logoff() try {
provider.logoff()
} catch (throwable: Throwable) {
println("WARNING Exception while logging off")
throwable.printStackTrace(System.out)
}
} }
} }
@ -133,8 +138,8 @@ private fun createProvider(device: String, keyGroup: String, keySpecifier: Strin
val cfgBuffer = ByteArrayOutputStream() val cfgBuffer = ByteArrayOutputStream()
val writer = cfgBuffer.writer(Charsets.UTF_8) val writer = cfgBuffer.writer(Charsets.UTF_8)
writer.write("Device = $device\n") writer.write("Device = $device\n")
writer.write("ConnectionTimeout = 3000\n") writer.write("ConnectionTimeout = 30000\n")
writer.write("Timeout = 30000\n") writer.write("Timeout = 60000\n")
writer.write("EndSessionOnShutdown = 1\n") writer.write("EndSessionOnShutdown = 1\n")
writer.write("KeepSessionAlive = 0\n") writer.write("KeepSessionAlive = 0\n")
writer.write("KeyGroup = $keyGroup\n") writer.write("KeyGroup = $keyGroup\n")

View File

@ -0,0 +1,75 @@
This is a small guide on how to generate the required files for Intel's
Whitelisting form.
To generate the production key
===
At this point the HSM should be set up with the appropriate groups and
permissions.
This step should be done on a separate clean machine, with no internet
connection, only connected to the HSM. The hsm-tool should be used directly,
this way the only dependency is a working JDK.
To generate the key:
`java -jar hsm-tool.jar --mode=GenerateKey --profile=prod`
This will require two separate smartcard authentications. The generation
will fail if there is already an existing production key in the HSM.
To generate a production enclave signature
===
This may be done from a dev machine with an SGX device.
To generate the signature and related files:
```
make clean
make sigstruct-hsm PROFILE=prod
```
This will require two separate smartcard authentications.
Running the above will produce the following files in `build/`:
* `noop_enclave.unsigned.so`: The unsigned enclave
* `noop_enclave_blob_to_sign.bin`: The unsigned SIGSTRUCT blob to sign.
* `noop_enclave.signed.hsm.so`: The signed enclave(= the unsigned enclave + signed blob).
* `noop_enclave.sigstruct.hsm.bin`: The signed SIGSTRUCT blob extracted from the signed enclave.
* `noop_enclave.sigstruct-pretty.hsm.txt`: The pretty printed SIGSTRUCT.
To sanity check the signed enclave:
```
make noop_test
./build/noop_test ./build/noop_enclave.signed.hsm.so
```
The above should return cleanly.
Intel's whitelisting form requires the MRSIGNER value in hexadecimal
from `noop_enclave.sigstruct-pretty.hsm.txt`, furthermore we need to attach
`noop_enclave.sigstruct.hsm.bin`.
To overwrite the production key
===
*WARNING* THIS STEP SHOULD NOT BE INVOKED, UNLESS YOU KNOW EXACTLY WHAT YOU'RE DOING
---
SECOND WARNING: Even in the case of disaster recovery consider
resetting the HSM completely instead!
To overwrite the production key:
`java -jar hsm-tool.jar --mode=GenerateKey --profile=prod --overwriteKey # God help you`

View File

@ -1,12 +1,12 @@
What is this? What is this?
============= ===
This project contains a noop enclave with a single ECALL that does This project contains a noop enclave with a single ECALL that does
nothing. Its purpose is to demonstrate our ability to create a signed nothing. Its purpose is to demonstrate our ability to create a signed
enclave and to test the signature process through an HSM. enclave and to test the signature process through an HSM.
How to run How to run
========== ===
The following Makefile targets execute different steps in the signing process and output into build/ The following Makefile targets execute different steps in the signing process and output into build/
@ -35,3 +35,7 @@ The following targets use the HSM. They require an extra `PROFILE=[dev|prod]` ar
`./build/noop_test ./build/noop_enclave.signed.openssl.so` `./build/noop_test ./build/noop_enclave.signed.openssl.so`
will run the noop ECALL using the openssl signed enclave. will run the noop ECALL using the openssl signed enclave.
See IntelWhitelistFormInstructions.md for details on how to use this
project to fill the enclave specific parts of Intel's whitelisting form.