From c3f5ca41e1889f570804dcc8cf8e520727b4c3db Mon Sep 17 00:00:00 2001 From: Tommy Lillehagen Date: Mon, 30 Oct 2017 14:20:01 +0000 Subject: [PATCH] ENT-319 Enclave to help test Intel signing key (#76) * ENT-319 Enclave to help test Intel signing key * Update build files to allow for release builds * Strip debug information from release binaries * Move sign_helper and update references * Remove paragraph from README * Two dev modes (simulation and HSM) * Update make files to take mode and single build directory * Update reference to self-sign key * Build script: from_clean.sh * Fix bad ref to docker-minimal --- .gitignore | 2 +- .../com/r3cev/sgx/config/sgxtool.cfg | 11 +- sgx-jvm/noop-enclave/CMakeLists.txt | 35 ++- sgx-jvm/noop-enclave/Makefile | 7 +- .../{enclave.xml => enclave-debug.xml} | 0 sgx-jvm/noop-enclave/enclave-release.xml | 12 + .../selfsigning.pem | 0 .../sign_helper/sign_helper | Bin sgx-jvm/simple-enclave/CMakeLists.txt | 219 ++++++++++++++++++ sgx-jvm/simple-enclave/Makefile | 19 ++ sgx-jvm/simple-enclave/README.md | 6 + sgx-jvm/simple-enclave/enclave-debug.xml | 12 + sgx-jvm/simple-enclave/enclave-release.xml | 12 + sgx-jvm/simple-enclave/from_clean.sh | 23 ++ sgx-jvm/simple-enclave/linkerscript.lds | 9 + sgx-jvm/simple-enclave/src/sgx_error_list.h | 89 +++++++ sgx-jvm/simple-enclave/src/simple.edl | 9 + sgx-jvm/simple-enclave/src/simple_enclave.cpp | 8 + sgx-jvm/simple-enclave/src/test.cpp | 76 ++++++ 19 files changed, 537 insertions(+), 12 deletions(-) rename sgx-jvm/noop-enclave/{enclave.xml => enclave-debug.xml} (100%) create mode 100644 sgx-jvm/noop-enclave/enclave-release.xml rename sgx-jvm/{noop-enclave => sign_helper}/selfsigning.pem (100%) rename sgx-jvm/{noop-enclave => }/sign_helper/sign_helper (100%) create mode 100644 sgx-jvm/simple-enclave/CMakeLists.txt create mode 100644 sgx-jvm/simple-enclave/Makefile create mode 100644 sgx-jvm/simple-enclave/README.md create mode 100644 sgx-jvm/simple-enclave/enclave-debug.xml create mode 100644 sgx-jvm/simple-enclave/enclave-release.xml create mode 100644 sgx-jvm/simple-enclave/from_clean.sh create mode 100644 sgx-jvm/simple-enclave/linkerscript.lds create mode 100644 sgx-jvm/simple-enclave/src/sgx_error_list.h create mode 100644 sgx-jvm/simple-enclave/src/simple.edl create mode 100644 sgx-jvm/simple-enclave/src/simple_enclave.cpp create mode 100644 sgx-jvm/simple-enclave/src/test.cpp diff --git a/.gitignore b/.gitignore index e65f7f96f5..4a74543f4c 100644 --- a/.gitignore +++ b/.gitignore @@ -107,4 +107,4 @@ TODO /sgx-jvm/jdk8u/ /sgx-jvm/avian/ /sgx-jvm/linux-sgx/ -/sgx-jvm/jvm-enclave/proguard.jar \ No newline at end of file +/sgx-jvm/jvm-enclave/proguard.jar diff --git a/sgx-jvm/hsm-tool/src/main/resources/com/r3cev/sgx/config/sgxtool.cfg b/sgx-jvm/hsm-tool/src/main/resources/com/r3cev/sgx/config/sgxtool.cfg index 25ca05fea9..aab292232f 100644 --- a/sgx-jvm/hsm-tool/src/main/resources/com/r3cev/sgx/config/sgxtool.cfg +++ b/sgx-jvm/hsm-tool/src/main/resources/com/r3cev/sgx/config/sgxtool.cfg @@ -1,11 +1,18 @@ -profile = "dev" -dev : { +profile = "dev_sim" +dev_sim : { device = "3001@127.0.0.1" keyName = "DEV_SGX" keyGroup = "DEV.SGX" keySpecifier = "1" } +dev_hsm : { + device = "TCP:192.168.118.19" + keyName = "DEV_SGX" + keyGroup = "DEV.SGX" + keySpecifier = "1" +} + prod : { device = "TCP:192.168.118.11" keyName = "PROD_SGX" diff --git a/sgx-jvm/noop-enclave/CMakeLists.txt b/sgx-jvm/noop-enclave/CMakeLists.txt index 55294febc2..b4bf1d6e24 100644 --- a/sgx-jvm/noop-enclave/CMakeLists.txt +++ b/sgx-jvm/noop-enclave/CMakeLists.txt @@ -1,8 +1,21 @@ cmake_minimum_required(VERSION 3.5) +if(NOT CMAKE_BUILD_TYPE) + set(CMAKE_BUILD_TYPE Debug ... FORCE) +endif() + +if(CMAKE_BUILD_TYPE MATCHES Debug) + set(ENCLAVE_CONFIG enclave-debug.xml) +elseif(CMAKE_BUILD_TYPE MATCHES Release) + set(ENCLAVE_CONFIG enclave-release.xml) +else() + message(FATAL_ERRORO "No build type") +endif() + set(SGX_SDK ${CMAKE_CURRENT_SOURCE_DIR}/../linux-sgx) set(SGX_LIBRARY_PATH ${SGX_SDK}/build/linux) -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fvisibility=hidden -fpie -fstack-protector") +set(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -fvisibility=hidden -fpie -fstack-protector") +set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -fvisibility=hidden -fpie -fstack-protector -s -DNDEBUG") set(SGX_SIGN_TOOL ${SGX_SDK}/build/linux/sgx_sign) set(ENCLAVE_UNSIGNED noop_enclave.unsigned.so) set(ENCLAVE_BLOB_TO_SIGN noop_enclave_blob_to_sign.bin) @@ -14,13 +27,13 @@ set(ENCLAVE_SIGSTRUCT_OPENSSL noop_enclave.sigstruct.openssl.bin) set(ENCLAVE_SIGSTRUCT_HSM noop_enclave.sigstruct.hsm.bin) set(ENCLAVE_SIGSTRUCT_PRETTY_OPENSSL noop_enclave.sigstruct-pretty.openssl.txt) set(ENCLAVE_SIGSTRUCT_PRETTY_HSM noop_enclave.sigstruct-pretty.hsm.txt) -set(PRIVATE_KEY_NAME_OPENSSL selfsigning.pem) +set(PRIVATE_KEY_NAME_OPENSSL ../sign_helper/selfsigning.pem) set(PUBLIC_KEY_NAME_OPENSSL selfsigning.public.pem) set(PUBLIC_KEY_NAME_HSM hsm.public.pem) set(HSM_SGX_TOOL ${PROJECT_SOURCE_DIR}/../hsm-tool/build/libs/sgx-jvm/hsm-tool-1.0-SNAPSHOT.jar) set(DEPENDENCIES_ROOT_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../dependencies/root) set(DEPENDENCIES_LIBRARY_PATH ${DEPENDENCIES_ROOT_DIR}/usr/lib/x86_64-linux-gnu CACHE STRING "") -set(SIGN_HELPER env LD_LIBRARY_PATH=${DEPENDENCIES_ROOT_DIR}/lib/x86_64-linux-gnu ${PROJECT_SOURCE_DIR}/sign_helper/sign_helper) +set(SIGN_HELPER env LD_LIBRARY_PATH=${DEPENDENCIES_ROOT_DIR}/lib/x86_64-linux-gnu ${PROJECT_SOURCE_DIR}/../sign_helper/sign_helper) set(NOOP_ENCLAVE noop_enclave_objects) set(SGX_SDK_INCLUDE ${SGX_SDK}/common/inc) @@ -96,7 +109,7 @@ set_target_properties(sgx_sign PROPERTIES IMPORTED_LOCATION ${SGX_SIGN_TOOL}) add_custom_command( OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} - COMMAND sgx_sign gendata -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/enclave.xml + COMMAND sgx_sign gendata -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG} DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} ) @@ -117,7 +130,7 @@ add_custom_command( add_custom_command( OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL} - COMMAND sgx_sign catsig -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -key ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL} -sig ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL} -unsigned ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/enclave.xml -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL} + COMMAND sgx_sign catsig -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -key ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL} -sig ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL} -unsigned ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL} DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL} ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL} ) @@ -141,7 +154,7 @@ add_custom_command( add_custom_command( OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM} - COMMAND sgx_sign catsig -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -key ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM} -sig ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM} -unsigned ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/enclave.xml -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM} + COMMAND sgx_sign catsig -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -key ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM} -sig ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM} -unsigned ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM} DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM} ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM} ) @@ -151,11 +164,19 @@ add_custom_target(signed-hsm DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNE # HSM KEY add_custom_command( OUTPUT __generate-key-hsm-dummy__ - COMMAND java -jar ${HSM_SGX_TOOL} --mode=GenerateSgxKey --profile=\${PROFILE} \$\(shell bash -c '[[ \${OVERWRITE} = "true" ]] && echo "--overwriteKey"' \) + COMMAND java -jar ${HSM_SGX_TOOL} --mode=GenerateSgxKey --profile=\${PROFILE} ) add_custom_target(generate-key-hsm DEPENDS __generate-key-hsm-dummy__) # /HSM KEY +# HSM KEY OVERWRITE +add_custom_command( + OUTPUT __generate-key-hsm-overwrite-dummy__ + COMMAND java -jar ${HSM_SGX_TOOL} --mode=GenerateSgxKey --profile=\${PROFILE} --overwriteKey +) +add_custom_target(generate-key-hsm-overwrite DEPENDS __generate-key-hsm-overwrite-dummy__) +# /HSM KEY OVERWRITE + # OPENSSL SIGSTRUCT add_custom_command( OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_OPENSSL} diff --git a/sgx-jvm/noop-enclave/Makefile b/sgx-jvm/noop-enclave/Makefile index 90896ffbe1..697f5fa981 100644 --- a/sgx-jvm/noop-enclave/Makefile +++ b/sgx-jvm/noop-enclave/Makefile @@ -1,4 +1,7 @@ -.PHONY: all +MODE ?= Debug # or Release + +.PHONY: all clean + all: build/Makefile $(MAKE) -C $( + 0 + 0 + 0x280000 + 0xFF00000 + 1 + 10 + 1 + 1 + 0 + 0xFFFFFFFF + diff --git a/sgx-jvm/noop-enclave/selfsigning.pem b/sgx-jvm/sign_helper/selfsigning.pem similarity index 100% rename from sgx-jvm/noop-enclave/selfsigning.pem rename to sgx-jvm/sign_helper/selfsigning.pem diff --git a/sgx-jvm/noop-enclave/sign_helper/sign_helper b/sgx-jvm/sign_helper/sign_helper similarity index 100% rename from sgx-jvm/noop-enclave/sign_helper/sign_helper rename to sgx-jvm/sign_helper/sign_helper diff --git a/sgx-jvm/simple-enclave/CMakeLists.txt b/sgx-jvm/simple-enclave/CMakeLists.txt new file mode 100644 index 0000000000..235cdeff8c --- /dev/null +++ b/sgx-jvm/simple-enclave/CMakeLists.txt @@ -0,0 +1,219 @@ +cmake_minimum_required(VERSION 3.5) + +if(NOT CMAKE_BUILD_TYPE) + set(CMAKE_BUILD_TYPE Debug ... FORCE) +endif() + +if(CMAKE_BUILD_TYPE MATCHES Debug) + set(ENCLAVE_CONFIG enclave-debug.xml) +elseif(CMAKE_BUILD_TYPE MATCHES Release) + set(ENCLAVE_CONFIG enclave-release.xml) +else() + message(FATAL_ERRORO "No build type") +endif() + +set(SGX_SDK ${CMAKE_CURRENT_SOURCE_DIR}/../linux-sgx) +set(SGX_LIBRARY_PATH ${SGX_SDK}/build/linux) +set(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -fvisibility=hidden -fpie -fstack-protector") +set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -fvisibility=hidden -fpie -fstack-protector -s -DNDEBUG") +set(SGX_SIGN_TOOL ${SGX_SDK}/build/linux/sgx_sign) +set(ENCLAVE_UNSIGNED simple_enclave.unsigned.so) +set(ENCLAVE_BLOB_TO_SIGN simple_enclave_blob_to_sign.bin) +set(ENCLAVE_SIGNED_OPENSSL simple_enclave.signed.openssl.so) +set(ENCLAVE_SIGNED_HSM simple_enclave.signed.hsm.so) +set(ENCLAVE_SIGNATURE_OPENSSL simple_enclave.signature.openssl.sha256) +set(ENCLAVE_SIGNATURE_HSM simple_enclave.signature.hsm.sha256) +set(ENCLAVE_SIGSTRUCT_OPENSSL simple_enclave.sigstruct.openssl.bin) +set(ENCLAVE_SIGSTRUCT_HSM simple_enclave.sigstruct.hsm.bin) +set(ENCLAVE_SIGSTRUCT_PRETTY_OPENSSL simple_enclave.sigstruct-pretty.openssl.txt) +set(ENCLAVE_SIGSTRUCT_PRETTY_HSM simple_enclave.sigstruct-pretty.hsm.txt) +set(PRIVATE_KEY_NAME_OPENSSL ../sign_helper/selfsigning.pem) +set(PUBLIC_KEY_NAME_OPENSSL selfsigning.public.pem) +set(PUBLIC_KEY_NAME_HSM hsm.public.pem) +set(HSM_SGX_TOOL ${PROJECT_SOURCE_DIR}/../hsm-tool/build/libs/sgx-jvm/hsm-tool-1.0-SNAPSHOT.jar) +set(DEPENDENCIES_ROOT_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../dependencies/root) +set(DEPENDENCIES_LIBRARY_PATH ${DEPENDENCIES_ROOT_DIR}/usr/lib/x86_64-linux-gnu CACHE STRING "") +set(SIGN_HELPER env LD_LIBRARY_PATH=${DEPENDENCIES_ROOT_DIR}/lib/x86_64-linux-gnu ${PROJECT_SOURCE_DIR}/../sign_helper/sign_helper) + +set(SIMPLE_ENCLAVE simple_enclave_objects) +set(SGX_SDK_INCLUDE ${SGX_SDK}/common/inc) +set(GENERATED_RPC_DIR ${CMAKE_CURRENT_BINARY_DIR}/rpc) + +set(GENERATED_EDL_FILES ${GENERATED_RPC_DIR}/simple_t.c ${GENERATED_RPC_DIR}/simple_t.h ${GENERATED_RPC_DIR}/simple_u.c ${GENERATED_RPC_DIR}/simple_u.h) +add_custom_command( + OUTPUT ${GENERATED_EDL_FILES} + COMMAND edger8r --search-path ${CMAKE_CURRENT_SOURCE_DIR}/src --search-path ${SGX_SDK_INCLUDE} --trusted-dir ${GENERATED_RPC_DIR} --untrusted-dir ${GENERATED_RPC_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/src/simple.edl + DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/src/simple.edl ${SGX_LIBRARY_PATH}/sgx_edger8r ${SGX_SDK_INCLUDE} +) +set_source_files_properties(${GENERATED_EDL_FILES} PROPERTIES GENERATED TRUE) +add_custom_target( + GENERATED_EDL + DEPENDS ${GENERATED_EDL_FILES} +) + +add_library(${SIMPLE_ENCLAVE} ${CMAKE_CURRENT_SOURCE_DIR}/src/simple_enclave.cpp ${GENERATED_RPC_DIR}/simple_t.c) +add_dependencies(${SIMPLE_ENCLAVE} GENERATED_EDL) +set_property(TARGET ${SIMPLE_ENCLAVE} PROPERTY POSITION_INDEPENDENT_CODE ON) +target_include_directories(${SIMPLE_ENCLAVE} PUBLIC ${SGX_SDK_INCLUDE} ${SGX_SDK_INCLUDE}/tlibc ${GENERATED_RPC_DIR}) +target_compile_options(${SIMPLE_ENCLAVE} PUBLIC -nostdinc) + +add_executable(edger8r IMPORTED) +set_target_properties(edger8r PROPERTIES IMPORTED_LOCATION ${SGX_LIBRARY_PATH}/sgx_edger8r) + +set(SGX_USE_HARDWARE TRUE) + +if(SGX_USE_HARDWARE) + set(URTS_LIB "sgx_urts") + set(TRTS_LIB "sgx_trts") + set(SGX_SERVICE_LIB "sgx_tservice") +else() + set(URTS_LIB "sgx_urts_sim") + set(TRTS_LIB "sgx_trts_sim") + set(SGX_SERVICE_LIB "sgx_tservice_sim") +endif() + +set(ENCLAVE_LINKER_FLAGS + "-Wl,--no-undefined" + "-nostdlib" + "-nodefaultlibs" + "-nostartfiles" + "-L${SGX_LIBRARY_PATH}" + "-Wl,--whole-archive" + "-l${TRTS_LIB}" + "-Wl,--no-whole-archive" + "-Wl,--start-group" + "lib${SIMPLE_ENCLAVE}.a" + "-lsgx_tstdc" + "-lsgx_tstdcxx" + "-lsgx_tcrypto" + "-l${SGX_SERVICE_LIB}" + "-Wl,--end-group" + "-Wl,-Bstatic" + "-Wl,-Bsymbolic" + "-Wl,--no-undefined" + "-Wl,-pie,-eenclave_entry" + "-Wl,--export-dynamic" + "-Wl,--defsym,__ImageBase=0" + "-Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/linkerscript.lds" +) + +add_custom_command( + OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} + COMMAND ${CMAKE_CXX_COMPILER} -o ${ENCLAVE_UNSIGNED} ${ENCLAVE_LINKER_FLAGS} + DEPENDS ${SIMPLE_ENCLAVE} ${SGX_LIBRARY_PATH} +) + + +add_executable(sgx_sign IMPORTED) +set_target_properties(sgx_sign PROPERTIES IMPORTED_LOCATION ${SGX_SIGN_TOOL}) + +add_custom_command( + OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} + COMMAND sgx_sign gendata -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG} + DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} +) + +# outputs the unsigned enclave and the blob to sign +add_custom_target(unsigned DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}) + +# OPENSSL ENCLAVE +add_custom_command( + OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL} + COMMAND openssl rsa -in ${CMAKE_CURRENT_SOURCE_DIR}/${PRIVATE_KEY_NAME_OPENSSL} -pubout -out ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL} +) + +add_custom_command( + OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL} + COMMAND openssl dgst -sha256 -sign ${CMAKE_CURRENT_SOURCE_DIR}/${PRIVATE_KEY_NAME_OPENSSL} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL} ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} + DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} +) + +add_custom_command( + OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL} + COMMAND sgx_sign catsig -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -key ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL} -sig ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL} -unsigned ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL} + DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL} ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL} +) + +add_custom_target(signed-openssl DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL}) +# /OPENSSL ENCLAVE + + +# HSM ENCLAVE +add_custom_command( + OUTPUT ${HSM_SGX_TOOL} + COMMAND ./gradlew sgx-jvm/hsm-tool:jar + WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/../.. + DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/../hsm-tool/src +) + +add_custom_command( + OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM} ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM} + COMMAND java -jar ${HSM_SGX_TOOL} --mode=Sign --source=${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} --pubkey=${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM} --signature=${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM} --profile=\${PROFILE} + DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} ${HSM_SGX_TOOL} +) + +add_custom_command( + OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM} + COMMAND sgx_sign catsig -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} -key ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM} -sig ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM} -unsigned ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN} -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM} + DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM} ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM} +) + +add_custom_target(signed-hsm DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM}) +# /HSM ENCLAVE + +# HSM KEY +add_custom_command( + OUTPUT __generate-key-hsm-dummy__ + COMMAND java -jar ${HSM_SGX_TOOL} --mode=GenerateSgxKey --profile=\${PROFILE} +) +add_custom_target(generate-key-hsm DEPENDS __generate-key-hsm-dummy__) +# /HSM KEY + +# HSM KEY OVERWRITE +add_custom_command( + OUTPUT __generate-key-hsm-overwrite-dummy__ + COMMAND java -jar ${HSM_SGX_TOOL} --mode=GenerateSgxKey --profile=\${PROFILE} --overwriteKey +) +add_custom_target(generate-key-hsm-overwrite DEPENDS __generate-key-hsm-overwrite-dummy__) +# /HSM KEY OVERWRITE + +# OPENSSL SIGSTRUCT +add_custom_command( + OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_OPENSSL} + COMMAND ${SIGN_HELPER} get-css -in ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_OPENSSL} + DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL} +) +add_custom_command( + OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_PRETTY_OPENSSL} + COMMAND ${SIGN_HELPER} print-css -in ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_OPENSSL} > ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_PRETTY_OPENSSL} + DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_OPENSSL} +) +add_custom_target(sigstruct-openssl DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_OPENSSL} ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_PRETTY_OPENSSL}) +# /OPENSSL SIGSTRUCT + +# HSM SIGSTRUCT +add_custom_command( + OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_HSM} + COMMAND ${SIGN_HELPER} get-css -in ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM} -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_HSM} + DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM} +) +add_custom_command( + OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_PRETTY_HSM} + COMMAND ${SIGN_HELPER} print-css -in ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_HSM} > ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_PRETTY_HSM} + DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_HSM} +) +add_custom_target(sigstruct-hsm DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_HSM} ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGSTRUCT_PRETTY_HSM}) +# /HSM SIGSTRUCT + +# test +add_library(urtslib SHARED IMPORTED) +set_target_properties(urtslib PROPERTIES IMPORTED_LOCATION ${SGX_LIBRARY_PATH}/lib${URTS_LIB}.so) + +set(THREADS_PREFER_PTHREAD_FLAG ON) +find_package(Threads REQUIRED) + +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wall -g") +link_directories(${DEPENDENCIES_LIBRARY_PATH}) +add_executable(simple_test src/test.cpp ${GENERATED_RPC_DIR}/simple_u.c) +target_include_directories(simple_test PUBLIC ${SGX_SDK_INCLUDE} ${GENERATED_RPC_DIR}) +target_link_libraries(simple_test urtslib Threads::Threads) diff --git a/sgx-jvm/simple-enclave/Makefile b/sgx-jvm/simple-enclave/Makefile new file mode 100644 index 0000000000..697f5fa981 --- /dev/null +++ b/sgx-jvm/simple-enclave/Makefile @@ -0,0 +1,19 @@ +MODE ?= Debug # or Release + +.PHONY: all clean + +all: build/Makefile + $(MAKE) -C $( + 0 + 0 + 0x280000 + 0xFF00000 + 1 + 10 + 1 + 0 + 0 + 0xFFFFFFFF + diff --git a/sgx-jvm/simple-enclave/enclave-release.xml b/sgx-jvm/simple-enclave/enclave-release.xml new file mode 100644 index 0000000000..5fbaa80071 --- /dev/null +++ b/sgx-jvm/simple-enclave/enclave-release.xml @@ -0,0 +1,12 @@ + + 0 + 0 + 0x280000 + 0xFF00000 + 1 + 10 + 1 + 1 + 0 + 0xFFFFFFFF + diff --git a/sgx-jvm/simple-enclave/from_clean.sh b/sgx-jvm/simple-enclave/from_clean.sh new file mode 100644 index 0000000000..33a78631f9 --- /dev/null +++ b/sgx-jvm/simple-enclave/from_clean.sh @@ -0,0 +1,23 @@ +#!/bin/bash + +set -xeuo + +docker rm $(docker ps -a -q) || true +docker rmi $(docker images -a -q) || true +docker build -t minimal ../dependencies/docker-minimal + +bash ../run_in_image.sh minimal make -C sgx-jvm linux-sgx/build/linux/aesm_service +#bash ../run_in_image.sh minimal make -C sgx-jvm/simple-enclave MODE=Debug unsigned +bash ../run_in_image.sh minimal make -C sgx-jvm/simple-enclave MODE=Release unsigned +bash ../run_in_image.sh minimal ./gradlew sgx-jvm/hsm-tool:jar +ke +java -jar ../hsm-tool/build/libs/sgx-jvm/hsm-tool-1.0-SNAPSHOT.jar --mode=Sign --source=build/simple_enclave_blob_to_sign.bin --signature=build/simple_enclave.signature.hsm.sha256 --pubkey=build/hsm.public.pem --profile=dev_hsm + +bash ../run_in_image.sh minimal make -C sgx-jvm/simple-enclave sigstruct-hsm +bash ../run_in_image.sh minimal make -C sgx-jvm/simple-enclave simple_test +bash ../with_isgx.sh bash ../with_aesmd.sh bash ../with_ld_library_path.sh simple-enclave/build/simple_test simple-enclave/build/simple_enclave.signed.hsm.so + +# Dev Cards: +# ADMIN_CARD +# SGX_CARD_A +# SGX_CARD_B diff --git a/sgx-jvm/simple-enclave/linkerscript.lds b/sgx-jvm/simple-enclave/linkerscript.lds new file mode 100644 index 0000000000..70a49decdf --- /dev/null +++ b/sgx-jvm/simple-enclave/linkerscript.lds @@ -0,0 +1,9 @@ +simple_enclave.so +{ + global: + g_global_data_sim; + g_global_data; + enclave_entry; + local: + *; +}; diff --git a/sgx-jvm/simple-enclave/src/sgx_error_list.h b/sgx-jvm/simple-enclave/src/sgx_error_list.h new file mode 100644 index 0000000000..85ff1309dd --- /dev/null +++ b/sgx-jvm/simple-enclave/src/sgx_error_list.h @@ -0,0 +1,89 @@ +#ifndef __SGX_ERROR_LIST_H__ +#define __SGX_ERROR_LIST_H__ + +typedef struct { + sgx_status_t err; + const char *message; + const char *suggestion; +} sgx_errlist_t; + +/* Error code returned by sgx_create_enclave */ +static sgx_errlist_t sgx_errlist[] = { + { + SGX_ERROR_UNEXPECTED, + "Unexpected error occurred.", + NULL + }, + { + SGX_ERROR_INVALID_PARAMETER, + "Invalid parameter.", + NULL + }, + { + SGX_ERROR_OUT_OF_MEMORY, + "Out of memory.", + NULL + }, + { + SGX_ERROR_ENCLAVE_LOST, + "Power transition occurred.", + "Please refer to the sample \"PowerTransition\" for details." + }, + { + SGX_ERROR_INVALID_ENCLAVE, + "Invalid enclave image.", + NULL + }, + { + SGX_ERROR_INVALID_ENCLAVE_ID, + "Invalid enclave identification.", + NULL + }, + { + SGX_ERROR_INVALID_SIGNATURE, + "Invalid enclave signature.", + NULL + }, + { + SGX_ERROR_OUT_OF_EPC, + "Out of EPC memory.", + NULL + }, + { + SGX_ERROR_NO_DEVICE, + "Invalid SGX device.", + "Please make sure SGX module is enabled in the BIOS, and install SGX driver afterwards." + }, + { + SGX_ERROR_MEMORY_MAP_CONFLICT, + "Memory map conflicted.", + NULL + }, + { + SGX_ERROR_INVALID_METADATA, + "Invalid enclave metadata.", + NULL + }, + { + SGX_ERROR_DEVICE_BUSY, + "SGX device was busy.", + NULL + }, + { + SGX_ERROR_INVALID_VERSION, + "Enclave version was invalid.", + NULL + }, + { + SGX_ERROR_INVALID_ATTRIBUTE, + "Enclave was not authorized.", + NULL + }, + { + SGX_ERROR_ENCLAVE_FILE_ACCESS, + "Can't open enclave file.", + NULL + }, +}; + +#endif /* __SGX_ERROR_LIST_H__ */ diff --git a/sgx-jvm/simple-enclave/src/simple.edl b/sgx-jvm/simple-enclave/src/simple.edl new file mode 100644 index 0000000000..ca642162d9 --- /dev/null +++ b/sgx-jvm/simple-enclave/src/simple.edl @@ -0,0 +1,9 @@ +enclave { + trusted { + public int get_number(void); + }; + + untrusted { + void ocall_print([in, string]const char* str); + }; +}; diff --git a/sgx-jvm/simple-enclave/src/simple_enclave.cpp b/sgx-jvm/simple-enclave/src/simple_enclave.cpp new file mode 100644 index 0000000000..6666bd09fa --- /dev/null +++ b/sgx-jvm/simple-enclave/src/simple_enclave.cpp @@ -0,0 +1,8 @@ +#include "simple_t.h" + +extern "C" { + int get_number() { + ocall_print("message from enclave"); + return 12345; + } +} diff --git a/sgx-jvm/simple-enclave/src/test.cpp b/sgx-jvm/simple-enclave/src/test.cpp new file mode 100644 index 0000000000..cfdb9e03ba --- /dev/null +++ b/sgx-jvm/simple-enclave/src/test.cpp @@ -0,0 +1,76 @@ +#include "simple_u.h" + +#include +#include + +#include +#include + +#include "sgx_error_list.h" + +/* Check error conditions for loading enclave */ +void print_error_message(sgx_status_t ret) +{ + size_t idx = 0; + size_t ttl = sizeof sgx_errlist/sizeof sgx_errlist[0]; + + for (idx = 0; idx < ttl; idx++) { + if (ret == sgx_errlist[idx].err) { + if (NULL != sgx_errlist[idx].suggestion) + printf("Info: %s\n", sgx_errlist[idx].suggestion); + printf("Error: %s\n", sgx_errlist[idx].message); + break; + } + } + + if (idx == ttl) + printf("Error: Unexpected error occurred.\n"); +} + +inline bool check_sgx_return_value(sgx_status_t ret) +{ + if (ret == SGX_SUCCESS) + { + return true; + } + else + { + print_error_message(ret); + return false; + } +} + +void ocall_print(const char* str) +{ + printf("ENCLAVE: %s\n", str); +} + +int main(int argc, char **argv) +{ + printf("SGX_DEBUG_FLAG = %d\n", SGX_DEBUG_FLAG); + + if (argc != 2) + { + puts("Usage: "); + return 1; + } + + const char *enclave_path = argv[1]; + sgx_launch_token_t token = {0}; + sgx_enclave_id_t enclave_id = {0}; + int updated = 0; + int returned_int = 0; + + if (false == check_sgx_return_value(sgx_create_enclave(enclave_path, SGX_DEBUG_FLAG, &token, &updated, &enclave_id, NULL))) { + return 1; + } + + if (false == check_sgx_return_value(get_number(enclave_id, &returned_int))) { + return 1; + } + + printf("get_number() = %d\n", returned_int); + puts("Enclave ran successfully!"); + + return 0; +}