sgx: Fix hsm-tool CLI parsing, increase key generation timeout window, add IntelWhitelistFormInstructions.md
This commit is contained in:
parent
c8c8c8eb66
commit
39942b9ce2
@ -21,8 +21,8 @@ data class ToolConfig(val config: Config) {
|
|||||||
val sourcePathArg = parser.accepts("source").withRequiredArg()
|
val sourcePathArg = parser.accepts("source").withRequiredArg()
|
||||||
val configPathArg = parser.accepts("config").withRequiredArg()
|
val configPathArg = parser.accepts("config").withRequiredArg()
|
||||||
val profileArg = parser.accepts("profile").withRequiredArg().defaultsTo("dev")
|
val profileArg = parser.accepts("profile").withRequiredArg().defaultsTo("dev")
|
||||||
val publicKeyOutputPathArg = parser.accepts("pubkey").withRequiredArg().defaultsTo("./pubkey.pem")
|
val publicKeyOutputPathArg = parser.accepts("pubkey").withRequiredArg()
|
||||||
val signatureOutputPathArg = parser.accepts("signature").withRequiredArg().defaultsTo("./signature.sha256")
|
val signatureOutputPathArg = parser.accepts("signature").withRequiredArg()
|
||||||
val deviceArg = parser.accepts("device").withRequiredArg()
|
val deviceArg = parser.accepts("device").withRequiredArg()
|
||||||
val keyNameArg = parser.accepts("keyName").withRequiredArg()
|
val keyNameArg = parser.accepts("keyName").withRequiredArg()
|
||||||
val keyGroupArg = parser.accepts("keyGroup").withRequiredArg()
|
val keyGroupArg = parser.accepts("keyGroup").withRequiredArg()
|
||||||
|
@ -91,7 +91,12 @@ fun connectAndAuthenticate(config: ToolConfig, block: (CryptoServerProvider) ->
|
|||||||
}
|
}
|
||||||
block(provider)
|
block(provider)
|
||||||
} finally {
|
} finally {
|
||||||
provider.logoff()
|
try {
|
||||||
|
provider.logoff()
|
||||||
|
} catch (throwable: Throwable) {
|
||||||
|
println("WARNING Exception while logging off")
|
||||||
|
throwable.printStackTrace(System.out)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -133,8 +138,8 @@ private fun createProvider(device: String, keyGroup: String, keySpecifier: Strin
|
|||||||
val cfgBuffer = ByteArrayOutputStream()
|
val cfgBuffer = ByteArrayOutputStream()
|
||||||
val writer = cfgBuffer.writer(Charsets.UTF_8)
|
val writer = cfgBuffer.writer(Charsets.UTF_8)
|
||||||
writer.write("Device = $device\n")
|
writer.write("Device = $device\n")
|
||||||
writer.write("ConnectionTimeout = 3000\n")
|
writer.write("ConnectionTimeout = 30000\n")
|
||||||
writer.write("Timeout = 30000\n")
|
writer.write("Timeout = 60000\n")
|
||||||
writer.write("EndSessionOnShutdown = 1\n")
|
writer.write("EndSessionOnShutdown = 1\n")
|
||||||
writer.write("KeepSessionAlive = 0\n")
|
writer.write("KeepSessionAlive = 0\n")
|
||||||
writer.write("KeyGroup = $keyGroup\n")
|
writer.write("KeyGroup = $keyGroup\n")
|
||||||
|
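Review bot: The new logoff guard in the `@ -91,7 +91,12 @@` hunk of connectAndAuthenticate catches `Throwable`, so a logoff failure caused by an `OutOfMemoryError` or another JVM error is downgraded to a printed warning and execution continues; narrowing it to `catch (e: Exception)` keeps the intent (do not let a failed logoff mask the exception thrown by `block(provider)`) without swallowing errors the JVM cannot recover from. The warning is also written to `System.out`, where it interleaves with the tool's regular output; `System.err.println("WARNING Exception while logging off")` followed by `e.printStackTrace()` (which defaults to stderr) keeps diagnostics separate from results. connectAndAuthenticate starts and ends outside the hunk, so the provider construction and the primary error handling are not visible here.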
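--- /dev/null
+++ b/sgx-jvm/noop-enclave/IntelWhitelistFormInstructions.md
@@ -0,0 +1,75 @@
+This is a small guide on how to generate the required files for Intel's
+Whitelisting form.
+
+To generate the production key
+===
+
+At this point the HSM should be set up with the appropriate groups and
+permissions.
+
+This step should be done on a separate clean machine, with no internet
+connection, only connected to the HSM. The hsm-tool should be used directly,
+this way the only dependency is a working JDK.
+
+To generate the key:
+
+`java -jar hsm-tool.jar --mode=GenerateKey --profile=prod`
+
+
+This will require two separate smartcard authentications. The generation
+will fail if there is already an existing production key in the HSM.
+
+
+To generate a production enclave signature
+===
+
+This may be done from a dev machine with an SGX device.
+
+To generate the signature and related files:
+
+```
+make clean
+make sigstruct-hsm PROFILE=prod
+```
+
+This will require two separate smartcard authentications.
+
+Running the above will produce the following files in `build/`:
+
+* `noop_enclave.unsigned.so`: The unsigned enclave
+
+* `noop_enclave_blob_to_sign.bin`: The unsigned SIGSTRUCT blob to sign.
+
+* `noop_enclave.signed.hsm.so`: The signed enclave(= the unsigned enclave + signed blob).
+
+* `noop_enclave.sigstruct.hsm.bin`: The signed SIGSTRUCT blob extracted from the signed enclave.
+
+* `noop_enclave.sigstruct-pretty.hsm.txt`: The pretty printed SIGSTRUCT.
+
+To sanity check the signed enclave:
+
+```
+make noop_test
+./build/noop_test ./build/noop_enclave.signed.hsm.so
+```
+
+The above should return cleanly.
+
+Intel's whitelisting form requires the MRSIGNER value in hexadecimal
+from `noop_enclave.sigstruct-pretty.hsm.txt`, furthermore we need to attach
+`noop_enclave.sigstruct.hsm.bin`.
+
+
+
+To overwrite the production key
+===
+
+*WARNING* THIS STEP SHOULD NOT BE INVOKED, UNLESS YOU KNOW EXACTLY WHAT YOU'RE DOING
+---
+
+SECOND WARNING: Even in the case of disaster recovery consider
+resetting the HSM completely instead!
+
+To overwrite the production key:
+
+`java -jar hsm-tool.jar --mode=GenerateKey --profile=prod --overwriteKey # God help you`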
@ -1,12 +1,12 @@
|
|||||||
What is this?
|
What is this?
|
||||||
=============
|
===
|
||||||
|
|
||||||
This project contains a noop enclave with a single ECALL that does
|
This project contains a noop enclave with a single ECALL that does
|
||||||
nothing. Its purpose is to demonstrate our ability to create a signed
|
nothing. Its purpose is to demonstrate our ability to create a signed
|
||||||
enclave and to test the signature process through an HSM.
|
enclave and to test the signature process through an HSM.
|
||||||
|
|
||||||
How to run
|
How to run
|
||||||
==========
|
===
|
||||||
|
|
||||||
The following Makefile targets execute different steps in the signing process and output into build/
|
The following Makefile targets execute different steps in the signing process and output into build/
|
||||||
|
|
||||||
@ -35,3 +35,7 @@ The following targets use the HSM. They require an extra `PROFILE=[dev|prod]` ar
|
|||||||
`./build/noop_test ./build/noop_enclave.signed.openssl.so`
|
`./build/noop_test ./build/noop_enclave.signed.openssl.so`
|
||||||
|
|
||||||
will run the noop ECALL using the openssl signed enclave.
|
will run the noop ECALL using the openssl signed enclave.
|
||||||
|
|
||||||
|
|
||||||
|
See IntelWhitelistFormInstructions.md for details on how to use this
|
||||||
|
project to fill the enclave specific parts of Intel's whitelisting form.
|
||||||
|