mirror of
https://github.com/corda/corda.git
synced 2025-01-26 22:29:28 +00:00
ENT-319 Enclave to help test Intel signing key (#76)
* ENT-319 Enclave to help test Intel signing key * Update build files to allow for release builds * Strip debug information from release binaries * Move sign_helper and update references * Remove paragraph from README * Two dev modes (simulation and HSM) * Update make files to take mode and single build directory * Update reference to self-sign key * Build script: from_clean.sh * Fix bad ref to docker-minimal
This commit is contained in:
parent
ea612246c9
commit
c3f5ca41e1
2
.gitignore
vendored
2
.gitignore
vendored
@ -107,4 +107,4 @@ TODO
|
||||
/sgx-jvm/jdk8u/
|
||||
/sgx-jvm/avian/
|
||||
/sgx-jvm/linux-sgx/
|
||||
/sgx-jvm/jvm-enclave/proguard.jar
|
||||
/sgx-jvm/jvm-enclave/proguard.jar
|
||||
|
@ -1,11 +1,18 @@
|
||||
profile = "dev"
|
||||
dev : {
|
||||
profile = "dev_sim"
|
||||
dev_sim : {
|
||||
device = "3001@127.0.0.1"
|
||||
keyName = "DEV_SGX"
|
||||
keyGroup = "DEV.SGX"
|
||||
keySpecifier = "1"
|
||||
}
|
||||
|
||||
dev_hsm : {
|
||||
device = "TCP:192.168.118.19"
|
||||
keyName = "DEV_SGX"
|
||||
keyGroup = "DEV.SGX"
|
||||
keySpecifier = "1"
|
||||
}
|
||||
|
||||
prod : {
|
||||
device = "TCP:192.168.118.11"
|
||||
keyName = "PROD_SGX"
|
||||
|
@ -1,8 +1,21 @@
|
||||
cmake_minimum_required(VERSION 3.5)
|
||||
|
||||
if(NOT CMAKE_BUILD_TYPE)
|
||||
set(CMAKE_BUILD_TYPE Debug ... FORCE)
|
||||
endif()
|
||||
|
||||
if(CMAKE_BUILD_TYPE MATCHES Debug)
|
||||
set(ENCLAVE_CONFIG enclave-debug.xml)
|
||||
elseif(CMAKE_BUILD_TYPE MATCHES Release)
|
||||
set(ENCLAVE_CONFIG enclave-release.xml)
|
||||
else()
|
||||
message(FATAL_ERRORO "No build type")
|
||||
endif()
|
||||
|
||||
set(SGX_SDK ${CMAKE_CURRENT_SOURCE_DIR}/../linux-sgx)
|
||||
set(SGX_LIBRARY_PATH ${SGX_SDK}/build/linux)
|
||||
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fvisibility=hidden -fpie -fstack-protector")
|
||||
set(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -fvisibility=hidden -fpie -fstack-protector")
|
||||
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -fvisibility=hidden -fpie -fstack-protector -s -DNDEBUG")
|
||||
set(SGX_SIGN_TOOL ${SGX_SDK}/build/linux/sgx_sign)
|
||||
set(ENCLAVE_UNSIGNED noop_enclave.unsigned.so)
|
||||
set(ENCLAVE_BLOB_TO_SIGN noop_enclave_blob_to_sign.bin)
|
||||
@ -14,13 +27,13 @@ set(ENCLAVE_SIGSTRUCT_OPENSSL noop_enclave.sigstruct.openssl.bin)
|
||||
set(ENCLAVE_SIGSTRUCT_HSM noop_enclave.sigstruct.hsm.bin)
|
||||
set(ENCLAVE_SIGSTRUCT_PRETTY_OPENSSL noop_enclave.sigstruct-pretty.openssl.txt)
|
||||
set(ENCLAVE_SIGSTRUCT_PRETTY_HSM noop_enclave.sigstruct-pretty.hsm.txt)
|
||||
set(PRIVATE_KEY_NAME_OPENSSL selfsigning.pem)
|
||||
set(PRIVATE_KEY_NAME_OPENSSL ../sign_helper/selfsigning.pem)
|
||||
set(PUBLIC_KEY_NAME_OPENSSL selfsigning.public.pem)
|
||||
set(PUBLIC_KEY_NAME_HSM hsm.public.pem)
|
||||
set(HSM_SGX_TOOL ${PROJECT_SOURCE_DIR}/../hsm-tool/build/libs/sgx-jvm/hsm-tool-1.0-SNAPSHOT.jar)
|
||||
set(DEPENDENCIES_ROOT_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../dependencies/root)
|
||||
set(DEPENDENCIES_LIBRARY_PATH ${DEPENDENCIES_ROOT_DIR}/usr/lib/x86_64-linux-gnu CACHE STRING "")
|
||||
set(SIGN_HELPER env LD_LIBRARY_PATH=${DEPENDENCIES_ROOT_DIR}/lib/x86_64-linux-gnu ${PROJECT_SOURCE_DIR}/sign_helper/sign_helper)
|
||||
set(SIGN_HELPER env LD_LIBRARY_PATH=${DEPENDENCIES_ROOT_DIR}/lib/x86_64-linux-gnu ${PROJECT_SOURCE_DIR}/../sign_helper/sign_helper)
|
||||
|
||||
set(NOOP_ENCLAVE noop_enclave_objects)
|
||||
set(SGX_SDK_INCLUDE ${SGX_SDK}/common/inc)
|
||||
@ -96,7 +109,7 @@ set_target_properties(sgx_sign PROPERTIES IMPORTED_LOCATION ${SGX_SIGN_TOOL})
|
||||
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
|
||||
COMMAND sgx_sign gendata -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/enclave.xml
|
||||
COMMAND sgx_sign gendata -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG}
|
||||
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED}
|
||||
)
|
||||
|
||||
@ -117,7 +130,7 @@ add_custom_command(
|
||||
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL}
|
||||
COMMAND sgx_sign catsig -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -key ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL} -sig ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL} -unsigned ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/enclave.xml -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL}
|
||||
COMMAND sgx_sign catsig -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -key ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL} -sig ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL} -unsigned ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL}
|
||||
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL} ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL}
|
||||
)
|
||||
|
||||
@ -141,7 +154,7 @@ add_custom_command(
|
||||
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM}
|
||||
COMMAND sgx_sign catsig -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -key ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM} -sig ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM} -unsigned ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/enclave.xml -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM}
|
||||
COMMAND sgx_sign catsig -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -key ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM} -sig ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM} -unsigned ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM}
|
||||
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM} ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM}
|
||||
)
|
||||
|
||||
@ -151,11 +164,19 @@ add_custom_target(signed-hsm DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNE
|
||||
# HSM KEY
|
||||
add_custom_command(
|
||||
OUTPUT __generate-key-hsm-dummy__
|
||||
COMMAND java -jar ${HSM_SGX_TOOL} --mode=GenerateSgxKey --profile=\${PROFILE} \$\(shell bash -c '[[ \${OVERWRITE} = "true" ]] && echo "--overwriteKey"' \)
|
||||
COMMAND java -jar ${HSM_SGX_TOOL} --mode=GenerateSgxKey --profile=\${PROFILE}
|
||||
)
|
||||
add_custom_target(generate-key-hsm DEPENDS __generate-key-hsm-dummy__)
|
||||
# /HSM KEY
|
||||
|
||||
# HSM KEY OVERWRITE
|
||||
add_custom_command(
|
||||
OUTPUT __generate-key-hsm-overwrite-dummy__
|
||||
COMMAND java -jar ${HSM_SGX_TOOL} --mode=GenerateSgxKey --profile=\${PROFILE} --overwriteKey
|
||||
)
|
||||
add_custom_target(generate-key-hsm-overwrite DEPENDS __generate-key-hsm-overwrite-dummy__)
|
||||
# /HSM KEY OVERWRITE
|
||||
|
||||
# OPENSSL SIGSTRUCT
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_OPENSSL}
|
||||
|
@ -1,4 +1,7 @@
|
||||
.PHONY: all
|
||||
MODE ?= Debug # or Release
|
||||
|
||||
.PHONY: all clean
|
||||
|
||||
all: build/Makefile
|
||||
$(MAKE) -C $(<D) help
|
||||
exit 1
|
||||
@ -7,7 +10,7 @@ build:
|
||||
mkdir -p build
|
||||
|
||||
build/Makefile: | build
|
||||
cd build/ && cmake ..
|
||||
cd build/ && cmake -DCMAKE_BUILD_TYPE=$(MODE) ..
|
||||
|
||||
%: build/Makefile
|
||||
$(MAKE) -C $(<D) $@
|
||||
|
12
sgx-jvm/noop-enclave/enclave-release.xml
Normal file
12
sgx-jvm/noop-enclave/enclave-release.xml
Normal file
@ -0,0 +1,12 @@
|
||||
<EnclaveConfiguration>
|
||||
<ProdID>0</ProdID>
|
||||
<ISVSVN>0</ISVSVN>
|
||||
<StackMaxSize>0x280000</StackMaxSize>
|
||||
<HeapMaxSize>0xFF00000</HeapMaxSize>
|
||||
<HeapExecutable>1</HeapExecutable>
|
||||
<TCSNum>10</TCSNum>
|
||||
<TCSPolicy>1</TCSPolicy>
|
||||
<DisableDebug>1</DisableDebug>
|
||||
<MiscSelect>0</MiscSelect>
|
||||
<MiscMask>0xFFFFFFFF</MiscMask>
|
||||
</EnclaveConfiguration>
|
219
sgx-jvm/simple-enclave/CMakeLists.txt
Normal file
219
sgx-jvm/simple-enclave/CMakeLists.txt
Normal file
@ -0,0 +1,219 @@
|
||||
cmake_minimum_required(VERSION 3.5)
|
||||
|
||||
if(NOT CMAKE_BUILD_TYPE)
|
||||
set(CMAKE_BUILD_TYPE Debug ... FORCE)
|
||||
endif()
|
||||
|
||||
if(CMAKE_BUILD_TYPE MATCHES Debug)
|
||||
set(ENCLAVE_CONFIG enclave-debug.xml)
|
||||
elseif(CMAKE_BUILD_TYPE MATCHES Release)
|
||||
set(ENCLAVE_CONFIG enclave-release.xml)
|
||||
else()
|
||||
message(FATAL_ERRORO "No build type")
|
||||
endif()
|
||||
|
||||
set(SGX_SDK ${CMAKE_CURRENT_SOURCE_DIR}/../linux-sgx)
|
||||
set(SGX_LIBRARY_PATH ${SGX_SDK}/build/linux)
|
||||
set(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -fvisibility=hidden -fpie -fstack-protector")
|
||||
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -fvisibility=hidden -fpie -fstack-protector -s -DNDEBUG")
|
||||
set(SGX_SIGN_TOOL ${SGX_SDK}/build/linux/sgx_sign)
|
||||
set(ENCLAVE_UNSIGNED simple_enclave.unsigned.so)
|
||||
set(ENCLAVE_BLOB_TO_SIGN simple_enclave_blob_to_sign.bin)
|
||||
set(ENCLAVE_SIGNED_OPENSSL simple_enclave.signed.openssl.so)
|
||||
set(ENCLAVE_SIGNED_HSM simple_enclave.signed.hsm.so)
|
||||
set(ENCLAVE_SIGNATURE_OPENSSL simple_enclave.signature.openssl.sha256)
|
||||
set(ENCLAVE_SIGNATURE_HSM simple_enclave.signature.hsm.sha256)
|
||||
set(ENCLAVE_SIGSTRUCT_OPENSSL simple_enclave.sigstruct.openssl.bin)
|
||||
set(ENCLAVE_SIGSTRUCT_HSM simple_enclave.sigstruct.hsm.bin)
|
||||
set(ENCLAVE_SIGSTRUCT_PRETTY_OPENSSL simple_enclave.sigstruct-pretty.openssl.txt)
|
||||
set(ENCLAVE_SIGSTRUCT_PRETTY_HSM simple_enclave.sigstruct-pretty.hsm.txt)
|
||||
set(PRIVATE_KEY_NAME_OPENSSL ../sign_helper/selfsigning.pem)
|
||||
set(PUBLIC_KEY_NAME_OPENSSL selfsigning.public.pem)
|
||||
set(PUBLIC_KEY_NAME_HSM hsm.public.pem)
|
||||
set(HSM_SGX_TOOL ${PROJECT_SOURCE_DIR}/../hsm-tool/build/libs/sgx-jvm/hsm-tool-1.0-SNAPSHOT.jar)
|
||||
set(DEPENDENCIES_ROOT_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../dependencies/root)
|
||||
set(DEPENDENCIES_LIBRARY_PATH ${DEPENDENCIES_ROOT_DIR}/usr/lib/x86_64-linux-gnu CACHE STRING "")
|
||||
set(SIGN_HELPER env LD_LIBRARY_PATH=${DEPENDENCIES_ROOT_DIR}/lib/x86_64-linux-gnu ${PROJECT_SOURCE_DIR}/../sign_helper/sign_helper)
|
||||
|
||||
set(SIMPLE_ENCLAVE simple_enclave_objects)
|
||||
set(SGX_SDK_INCLUDE ${SGX_SDK}/common/inc)
|
||||
set(GENERATED_RPC_DIR ${CMAKE_CURRENT_BINARY_DIR}/rpc)
|
||||
|
||||
set(GENERATED_EDL_FILES ${GENERATED_RPC_DIR}/simple_t.c ${GENERATED_RPC_DIR}/simple_t.h ${GENERATED_RPC_DIR}/simple_u.c ${GENERATED_RPC_DIR}/simple_u.h)
|
||||
add_custom_command(
|
||||
OUTPUT ${GENERATED_EDL_FILES}
|
||||
COMMAND edger8r --search-path ${CMAKE_CURRENT_SOURCE_DIR}/src --search-path ${SGX_SDK_INCLUDE} --trusted-dir ${GENERATED_RPC_DIR} --untrusted-dir ${GENERATED_RPC_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/src/simple.edl
|
||||
DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/src/simple.edl ${SGX_LIBRARY_PATH}/sgx_edger8r ${SGX_SDK_INCLUDE}
|
||||
)
|
||||
set_source_files_properties(${GENERATED_EDL_FILES} PROPERTIES GENERATED TRUE)
|
||||
add_custom_target(
|
||||
GENERATED_EDL
|
||||
DEPENDS ${GENERATED_EDL_FILES}
|
||||
)
|
||||
|
||||
add_library(${SIMPLE_ENCLAVE} ${CMAKE_CURRENT_SOURCE_DIR}/src/simple_enclave.cpp ${GENERATED_RPC_DIR}/simple_t.c)
|
||||
add_dependencies(${SIMPLE_ENCLAVE} GENERATED_EDL)
|
||||
set_property(TARGET ${SIMPLE_ENCLAVE} PROPERTY POSITION_INDEPENDENT_CODE ON)
|
||||
target_include_directories(${SIMPLE_ENCLAVE} PUBLIC ${SGX_SDK_INCLUDE} ${SGX_SDK_INCLUDE}/tlibc ${GENERATED_RPC_DIR})
|
||||
target_compile_options(${SIMPLE_ENCLAVE} PUBLIC -nostdinc)
|
||||
|
||||
add_executable(edger8r IMPORTED)
|
||||
set_target_properties(edger8r PROPERTIES IMPORTED_LOCATION ${SGX_LIBRARY_PATH}/sgx_edger8r)
|
||||
|
||||
set(SGX_USE_HARDWARE TRUE)
|
||||
|
||||
if(SGX_USE_HARDWARE)
|
||||
set(URTS_LIB "sgx_urts")
|
||||
set(TRTS_LIB "sgx_trts")
|
||||
set(SGX_SERVICE_LIB "sgx_tservice")
|
||||
else()
|
||||
set(URTS_LIB "sgx_urts_sim")
|
||||
set(TRTS_LIB "sgx_trts_sim")
|
||||
set(SGX_SERVICE_LIB "sgx_tservice_sim")
|
||||
endif()
|
||||
|
||||
set(ENCLAVE_LINKER_FLAGS
|
||||
"-Wl,--no-undefined"
|
||||
"-nostdlib"
|
||||
"-nodefaultlibs"
|
||||
"-nostartfiles"
|
||||
"-L${SGX_LIBRARY_PATH}"
|
||||
"-Wl,--whole-archive"
|
||||
"-l${TRTS_LIB}"
|
||||
"-Wl,--no-whole-archive"
|
||||
"-Wl,--start-group"
|
||||
"lib${SIMPLE_ENCLAVE}.a"
|
||||
"-lsgx_tstdc"
|
||||
"-lsgx_tstdcxx"
|
||||
"-lsgx_tcrypto"
|
||||
"-l${SGX_SERVICE_LIB}"
|
||||
"-Wl,--end-group"
|
||||
"-Wl,-Bstatic"
|
||||
"-Wl,-Bsymbolic"
|
||||
"-Wl,--no-undefined"
|
||||
"-Wl,-pie,-eenclave_entry"
|
||||
"-Wl,--export-dynamic"
|
||||
"-Wl,--defsym,__ImageBase=0"
|
||||
"-Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/linkerscript.lds"
|
||||
)
|
||||
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED}
|
||||
COMMAND ${CMAKE_CXX_COMPILER} -o ${ENCLAVE_UNSIGNED} ${ENCLAVE_LINKER_FLAGS}
|
||||
DEPENDS ${SIMPLE_ENCLAVE} ${SGX_LIBRARY_PATH}
|
||||
)
|
||||
|
||||
|
||||
add_executable(sgx_sign IMPORTED)
|
||||
set_target_properties(sgx_sign PROPERTIES IMPORTED_LOCATION ${SGX_SIGN_TOOL})
|
||||
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
|
||||
COMMAND sgx_sign gendata -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG}
|
||||
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED}
|
||||
)
|
||||
|
||||
# outputs the unsigned enclave and the blob to sign
|
||||
add_custom_target(unsigned DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN})
|
||||
|
||||
# OPENSSL ENCLAVE
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL}
|
||||
COMMAND openssl rsa -in ${CMAKE_CURRENT_SOURCE_DIR}/${PRIVATE_KEY_NAME_OPENSSL} -pubout -out ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL}
|
||||
)
|
||||
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL}
|
||||
COMMAND openssl dgst -sha256 -sign ${CMAKE_CURRENT_SOURCE_DIR}/${PRIVATE_KEY_NAME_OPENSSL} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL} ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
|
||||
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
|
||||
)
|
||||
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL}
|
||||
COMMAND sgx_sign catsig -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -key ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL} -sig ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL} -unsigned ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL}
|
||||
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL} ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL}
|
||||
)
|
||||
|
||||
add_custom_target(signed-openssl DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL})
|
||||
# /OPENSSL ENCLAVE
|
||||
|
||||
|
||||
# HSM ENCLAVE
|
||||
add_custom_command(
|
||||
OUTPUT ${HSM_SGX_TOOL}
|
||||
COMMAND ./gradlew sgx-jvm/hsm-tool:jar
|
||||
WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/../..
|
||||
DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/../hsm-tool/src
|
||||
)
|
||||
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM} ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM}
|
||||
COMMAND java -jar ${HSM_SGX_TOOL} --mode=Sign --source=${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} --pubkey=${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM} --signature=${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM} --profile=\${PROFILE}
|
||||
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} ${HSM_SGX_TOOL}
|
||||
)
|
||||
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM}
|
||||
COMMAND sgx_sign catsig -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -key ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM} -sig ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM} -unsigned ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM}
|
||||
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM} ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM}
|
||||
)
|
||||
|
||||
add_custom_target(signed-hsm DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM})
|
||||
# /HSM ENCLAVE
|
||||
|
||||
# HSM KEY
|
||||
add_custom_command(
|
||||
OUTPUT __generate-key-hsm-dummy__
|
||||
COMMAND java -jar ${HSM_SGX_TOOL} --mode=GenerateSgxKey --profile=\${PROFILE}
|
||||
)
|
||||
add_custom_target(generate-key-hsm DEPENDS __generate-key-hsm-dummy__)
|
||||
# /HSM KEY
|
||||
|
||||
# HSM KEY OVERWRITE
|
||||
add_custom_command(
|
||||
OUTPUT __generate-key-hsm-overwrite-dummy__
|
||||
COMMAND java -jar ${HSM_SGX_TOOL} --mode=GenerateSgxKey --profile=\${PROFILE} --overwriteKey
|
||||
)
|
||||
add_custom_target(generate-key-hsm-overwrite DEPENDS __generate-key-hsm-overwrite-dummy__)
|
||||
# /HSM KEY OVERWRITE
|
||||
|
||||
# OPENSSL SIGSTRUCT
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_OPENSSL}
|
||||
COMMAND ${SIGN_HELPER} get-css -in ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_OPENSSL}
|
||||
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL}
|
||||
)
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_PRETTY_OPENSSL}
|
||||
COMMAND ${SIGN_HELPER} print-css -in ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_OPENSSL} > ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_PRETTY_OPENSSL}
|
||||
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_OPENSSL}
|
||||
)
|
||||
add_custom_target(sigstruct-openssl DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_OPENSSL} ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_PRETTY_OPENSSL})
|
||||
# /OPENSSL SIGSTRUCT
|
||||
|
||||
# HSM SIGSTRUCT
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_HSM}
|
||||
COMMAND ${SIGN_HELPER} get-css -in ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_HSM}
|
||||
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM}
|
||||
)
|
||||
add_custom_command(
|
||||
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_PRETTY_HSM}
|
||||
COMMAND ${SIGN_HELPER} print-css -in ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_HSM} > ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_PRETTY_HSM}
|
||||
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_HSM}
|
||||
)
|
||||
add_custom_target(sigstruct-hsm DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_HSM} ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_PRETTY_HSM})
|
||||
# /HSM SIGSTRUCT
|
||||
|
||||
# test
|
||||
add_library(urtslib SHARED IMPORTED)
|
||||
set_target_properties(urtslib PROPERTIES IMPORTED_LOCATION ${SGX_LIBRARY_PATH}/lib${URTS_LIB}.so)
|
||||
|
||||
set(THREADS_PREFER_PTHREAD_FLAG ON)
|
||||
find_package(Threads REQUIRED)
|
||||
|
||||
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wall -g")
|
||||
link_directories(${DEPENDENCIES_LIBRARY_PATH})
|
||||
add_executable(simple_test src/test.cpp ${GENERATED_RPC_DIR}/simple_u.c)
|
||||
target_include_directories(simple_test PUBLIC ${SGX_SDK_INCLUDE} ${GENERATED_RPC_DIR})
|
||||
target_link_libraries(simple_test urtslib Threads::Threads)
|
19
sgx-jvm/simple-enclave/Makefile
Normal file
19
sgx-jvm/simple-enclave/Makefile
Normal file
@ -0,0 +1,19 @@
|
||||
MODE ?= Debug # or Release
|
||||
|
||||
.PHONY: all clean
|
||||
|
||||
all: build/Makefile
|
||||
$(MAKE) -C $(<D) help
|
||||
exit 1
|
||||
|
||||
build:
|
||||
mkdir -p build
|
||||
|
||||
build/Makefile: | build
|
||||
cd build/ && cmake -DCMAKE_BUILD_TYPE=$(MODE) ..
|
||||
|
||||
%: build/Makefile
|
||||
$(MAKE) -C $(<D) $@
|
||||
|
||||
clean:
|
||||
rm -rf build
|
6
sgx-jvm/simple-enclave/README.md
Normal file
6
sgx-jvm/simple-enclave/README.md
Normal file
@ -0,0 +1,6 @@
|
||||
What is this?
|
||||
===
|
||||
|
||||
This project contains a simple enclave with an ECALL and an OCALL. The former
|
||||
returns an integer, and the latter allows the enclave to print a string to
|
||||
STDOUT. Very basic stuff.
|
12
sgx-jvm/simple-enclave/enclave-debug.xml
Normal file
12
sgx-jvm/simple-enclave/enclave-debug.xml
Normal file
@ -0,0 +1,12 @@
|
||||
<EnclaveConfiguration>
|
||||
<ProdID>0</ProdID>
|
||||
<ISVSVN>0</ISVSVN>
|
||||
<StackMaxSize>0x280000</StackMaxSize>
|
||||
<HeapMaxSize>0xFF00000</HeapMaxSize>
|
||||
<HeapExecutable>1</HeapExecutable>
|
||||
<TCSNum>10</TCSNum>
|
||||
<TCSPolicy>1</TCSPolicy>
|
||||
<DisableDebug>0</DisableDebug>
|
||||
<MiscSelect>0</MiscSelect>
|
||||
<MiscMask>0xFFFFFFFF</MiscMask>
|
||||
</EnclaveConfiguration>
|
12
sgx-jvm/simple-enclave/enclave-release.xml
Normal file
12
sgx-jvm/simple-enclave/enclave-release.xml
Normal file
@ -0,0 +1,12 @@
|
||||
<EnclaveConfiguration>
|
||||
<ProdID>0</ProdID>
|
||||
<ISVSVN>0</ISVSVN>
|
||||
<StackMaxSize>0x280000</StackMaxSize>
|
||||
<HeapMaxSize>0xFF00000</HeapMaxSize>
|
||||
<HeapExecutable>1</HeapExecutable>
|
||||
<TCSNum>10</TCSNum>
|
||||
<TCSPolicy>1</TCSPolicy>
|
||||
<DisableDebug>1</DisableDebug>
|
||||
<MiscSelect>0</MiscSelect>
|
||||
<MiscMask>0xFFFFFFFF</MiscMask>
|
||||
</EnclaveConfiguration>
|
23
sgx-jvm/simple-enclave/from_clean.sh
Normal file
23
sgx-jvm/simple-enclave/from_clean.sh
Normal file
@ -0,0 +1,23 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -xeuo
|
||||
|
||||
docker rm $(docker ps -a -q) || true
|
||||
docker rmi $(docker images -a -q) || true
|
||||
docker build -t minimal ../dependencies/docker-minimal
|
||||
|
||||
bash ../run_in_image.sh minimal make -C sgx-jvm linux-sgx/build/linux/aesm_service
|
||||
#bash ../run_in_image.sh minimal make -C sgx-jvm/simple-enclave MODE=Debug unsigned
|
||||
bash ../run_in_image.sh minimal make -C sgx-jvm/simple-enclave MODE=Release unsigned
|
||||
bash ../run_in_image.sh minimal ./gradlew sgx-jvm/hsm-tool:jar
|
||||
ke
|
||||
java -jar ../hsm-tool/build/libs/sgx-jvm/hsm-tool-1.0-SNAPSHOT.jar --mode=Sign --source=build/simple_enclave_blob_to_sign.bin --signature=build/simple_enclave.signature.hsm.sha256 --pubkey=build/hsm.public.pem --profile=dev_hsm
|
||||
|
||||
bash ../run_in_image.sh minimal make -C sgx-jvm/simple-enclave sigstruct-hsm
|
||||
bash ../run_in_image.sh minimal make -C sgx-jvm/simple-enclave simple_test
|
||||
bash ../with_isgx.sh bash ../with_aesmd.sh bash ../with_ld_library_path.sh simple-enclave/build/simple_test simple-enclave/build/simple_enclave.signed.hsm.so
|
||||
|
||||
# Dev Cards:
|
||||
# ADMIN_CARD
|
||||
# SGX_CARD_A
|
||||
# SGX_CARD_B
|
9
sgx-jvm/simple-enclave/linkerscript.lds
Normal file
9
sgx-jvm/simple-enclave/linkerscript.lds
Normal file
@ -0,0 +1,9 @@
|
||||
simple_enclave.so
|
||||
{
|
||||
global:
|
||||
g_global_data_sim;
|
||||
g_global_data;
|
||||
enclave_entry;
|
||||
local:
|
||||
*;
|
||||
};
|
89
sgx-jvm/simple-enclave/src/sgx_error_list.h
Normal file
89
sgx-jvm/simple-enclave/src/sgx_error_list.h
Normal file
@ -0,0 +1,89 @@
|
||||
#ifndef __SGX_ERROR_LIST_H__
|
||||
#define __SGX_ERROR_LIST_H__
|
||||
|
||||
typedef struct {
|
||||
sgx_status_t err;
|
||||
const char *message;
|
||||
const char *suggestion;
|
||||
} sgx_errlist_t;
|
||||
|
||||
/* Error code returned by sgx_create_enclave */
|
||||
static sgx_errlist_t sgx_errlist[] = {
|
||||
{
|
||||
SGX_ERROR_UNEXPECTED,
|
||||
"Unexpected error occurred.",
|
||||
NULL
|
||||
},
|
||||
{
|
||||
SGX_ERROR_INVALID_PARAMETER,
|
||||
"Invalid parameter.",
|
||||
NULL
|
||||
},
|
||||
{
|
||||
SGX_ERROR_OUT_OF_MEMORY,
|
||||
"Out of memory.",
|
||||
NULL
|
||||
},
|
||||
{
|
||||
SGX_ERROR_ENCLAVE_LOST,
|
||||
"Power transition occurred.",
|
||||
"Please refer to the sample \"PowerTransition\" for details."
|
||||
},
|
||||
{
|
||||
SGX_ERROR_INVALID_ENCLAVE,
|
||||
"Invalid enclave image.",
|
||||
NULL
|
||||
},
|
||||
{
|
||||
SGX_ERROR_INVALID_ENCLAVE_ID,
|
||||
"Invalid enclave identification.",
|
||||
NULL
|
||||
},
|
||||
{
|
||||
SGX_ERROR_INVALID_SIGNATURE,
|
||||
"Invalid enclave signature.",
|
||||
NULL
|
||||
},
|
||||
{
|
||||
SGX_ERROR_OUT_OF_EPC,
|
||||
"Out of EPC memory.",
|
||||
NULL
|
||||
},
|
||||
{
|
||||
SGX_ERROR_NO_DEVICE,
|
||||
"Invalid SGX device.",
|
||||
"Please make sure SGX module is enabled in the BIOS, and install SGX driver afterwards."
|
||||
},
|
||||
{
|
||||
SGX_ERROR_MEMORY_MAP_CONFLICT,
|
||||
"Memory map conflicted.",
|
||||
NULL
|
||||
},
|
||||
{
|
||||
SGX_ERROR_INVALID_METADATA,
|
||||
"Invalid enclave metadata.",
|
||||
NULL
|
||||
},
|
||||
{
|
||||
SGX_ERROR_DEVICE_BUSY,
|
||||
"SGX device was busy.",
|
||||
NULL
|
||||
},
|
||||
{
|
||||
SGX_ERROR_INVALID_VERSION,
|
||||
"Enclave version was invalid.",
|
||||
NULL
|
||||
},
|
||||
{
|
||||
SGX_ERROR_INVALID_ATTRIBUTE,
|
||||
"Enclave was not authorized.",
|
||||
NULL
|
||||
},
|
||||
{
|
||||
SGX_ERROR_ENCLAVE_FILE_ACCESS,
|
||||
"Can't open enclave file.",
|
||||
NULL
|
||||
},
|
||||
};
|
||||
|
||||
#endif /* __SGX_ERROR_LIST_H__ */
|
9
sgx-jvm/simple-enclave/src/simple.edl
Normal file
9
sgx-jvm/simple-enclave/src/simple.edl
Normal file
@ -0,0 +1,9 @@
|
||||
enclave {
|
||||
trusted {
|
||||
public int get_number(void);
|
||||
};
|
||||
|
||||
untrusted {
|
||||
void ocall_print([in, string]const char* str);
|
||||
};
|
||||
};
|
8
sgx-jvm/simple-enclave/src/simple_enclave.cpp
Normal file
8
sgx-jvm/simple-enclave/src/simple_enclave.cpp
Normal file
@ -0,0 +1,8 @@
|
||||
#include "simple_t.h"
|
||||
|
||||
extern "C" {
|
||||
int get_number() {
|
||||
ocall_print("message from enclave");
|
||||
return 12345;
|
||||
}
|
||||
}
|
76
sgx-jvm/simple-enclave/src/test.cpp
Normal file
76
sgx-jvm/simple-enclave/src/test.cpp
Normal file
@ -0,0 +1,76 @@
|
||||
#include "simple_u.h"
|
||||
|
||||
#include <sgx_urts.h>
|
||||
#include <sgx.h>
|
||||
|
||||
#include <cstdlib>
|
||||
#include <cstdio>
|
||||
|
||||
#include "sgx_error_list.h"
|
||||
|
||||
/* Check error conditions for loading enclave */
|
||||
void print_error_message(sgx_status_t ret)
|
||||
{
|
||||
size_t idx = 0;
|
||||
size_t ttl = sizeof sgx_errlist/sizeof sgx_errlist[0];
|
||||
|
||||
for (idx = 0; idx < ttl; idx++) {
|
||||
if (ret == sgx_errlist[idx].err) {
|
||||
if (NULL != sgx_errlist[idx].suggestion)
|
||||
printf("Info: %s\n", sgx_errlist[idx].suggestion);
|
||||
printf("Error: %s\n", sgx_errlist[idx].message);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (idx == ttl)
|
||||
printf("Error: Unexpected error occurred.\n");
|
||||
}
|
||||
|
||||
inline bool check_sgx_return_value(sgx_status_t ret)
|
||||
{
|
||||
if (ret == SGX_SUCCESS)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
else
|
||||
{
|
||||
print_error_message(ret);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
void ocall_print(const char* str)
|
||||
{
|
||||
printf("ENCLAVE: %s\n", str);
|
||||
}
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
printf("SGX_DEBUG_FLAG = %d\n", SGX_DEBUG_FLAG);
|
||||
|
||||
if (argc != 2)
|
||||
{
|
||||
puts("Usage: <binary> <signed.enclave.so>");
|
||||
return 1;
|
||||
}
|
||||
|
||||
const char *enclave_path = argv[1];
|
||||
sgx_launch_token_t token = {0};
|
||||
sgx_enclave_id_t enclave_id = {0};
|
||||
int updated = 0;
|
||||
int returned_int = 0;
|
||||
|
||||
if (false == check_sgx_return_value(sgx_create_enclave(enclave_path, SGX_DEBUG_FLAG, &token, &updated, &enclave_id, NULL))) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (false == check_sgx_return_value(get_number(enclave_id, &returned_int))) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
printf("get_number() = %d\n", returned_int);
|
||||
puts("Enclave ran successfully!");
|
||||
|
||||
return 0;
|
||||
}
|
Loading…
x
Reference in New Issue
Block a user