mirror of
https://github.com/corda/corda.git
synced 2024-12-30 17:57:02 +00:00
c545a58c1d
* Initial host server skeleton. * Create IASProxy project, and skeleton for attestation host. * Fix up tests * Extend attestation host skeleton, and make test ports configurable. * Enhance MockIAS to make pseManifestStatus optional. * Make IASProxy endpoints asynchronous. * Add sub-modules for challenger and for common code. * Create integration test for host's provisioning endpoint. * Flesh out attestation challenger WAR. * Package refactoring, to be more Java9 friendly. * Refactor more messages into attestation-common. * Remove our private key from the repository. * Declare an empty PSE Manifest to be invalid. * Fix basic integration test issues for challenger and host. * Integrate keystore scripts into the build properly. * Name keystore targets explicitly for Gradle. * Allow HTTP conversation between Challenger, Host and ISV using session ID. * Add MockHost for challenger's integration tests. * Reconcile HTTP port numbers between Phase1 and Phase2 components. * Remove elements that can be inherited from root project. * Add placeholder README. * Add convenient extension functions to ObjectMapper. * Extend integration test coverage for challenger/host/isv. * Catch IOException from HttpClient for challenger. * Integrate host sub-module with remote-attestation project. * Begin integrating host/enclave code from Phase I. * Rename challenger's HTTP endpoint. * Generate keystore for challenger "on the fly". * Add native JNI code for accessing the SGX enclave. * Point Gradle to the correct enclave object. * Fixes for generating a Quote for this enclave. * Return the IAS report to the challenger for verification. * Begin populating the challenger's AttestationResponse message. * Enable the challenger to pass encrypted secrets into the enclave. * Align challenger, host and isv ports. * Refactor challenger as a fat-jar application. * AttestationResponse is not shared, so refactor into challenger. * Move HttpClientContext objects into HttpClient blocks. * Remove unused Message2 and Message3 objects. * Add realistic dummy value for reportID from IAS. * Small tidy-up on attestation host. * First set of review comments. * Add missing exception message. * Update location of environment file. * Use empty mock revocation lists by default. * Improve logging and add "happy path" test for provisioning secrets. * Update Gradle files so that we can run attestation-host from IntelliJ. * The platformInfo field from IAS can be null, so allow this. Also protect other JNI pointer parameters from NPE. * Allow Gradle to build hardware enclave.
108 lines
2.7 KiB
Markdown
108 lines
2.7 KiB
Markdown
Remote Attestation Phase 2
|
|
==========================
|
|
|
|
Phase 2 contains the following components:
|
|
- `ias-proxy`: This is the ISV, and is an authorised client of the Intel Attestation Service (IAS).
|
|
- `attestation-host`: This is a WAR running on an SGX-capable host with an enclave, and a client of `ias-proxy`.
|
|
- `attestation-challenger`: This is an executable JAR, and client of `attestation-host`.
|
|
|
|
Building Instructions
|
|
---------------------
|
|
|
|
- Ensure that your user ID belongs to the `docker` group. This will enable you to run Docker as an unprivileged user.
|
|
|
|
- Source the `environment` file:
|
|
```bash
|
|
$ . sgx-jvm/environment
|
|
```
|
|
|
|
- Build the Docker container:
|
|
```bash
|
|
$ cd sgx-jvm/containers/core
|
|
$ make
|
|
```
|
|
|
|
- Build the SGX SDK:
|
|
```bash
|
|
$ sx build linux-sgx clean all
|
|
```
|
|
|
|
- Build the SGX enclave:
|
|
```bash
|
|
$ sx build [-hp] remote-attestation/enclave clean all
|
|
```
|
|
Add the `-hp` options to build in "pre-release" mode for SGX hardware.
|
|
|
|
- Build the Attestation Host WAR:
|
|
```bash
|
|
$ sx build remote-attestation/attestation-host
|
|
```
|
|
|
|
- Build the JNI library for the Attestation Host:
|
|
```bash
|
|
$ sx build [-hp] remote-attestation/attestation-host/native clean all
|
|
```
|
|
Add the `-hp` options to build in "pre-release" mode for SGX hardware. This setting
|
|
must match the setting used to build the SGX enclave, or they will be incompatible
|
|
at runtime.
|
|
|
|
- Install our private key for Mutual-TLS with IAS:
|
|
```bash
|
|
$ cp client.key sgx-jvm/remote-attestation/ias-proxy/src/main/ssl/intel-ssl
|
|
```
|
|
|
|
- Build the IAS Proxy:
|
|
```bash
|
|
$ cd sgx-jvm/remote-attestation
|
|
$ gradlew ias-proxy:build
|
|
```
|
|
|
|
- Build the Attestation Challenger:
|
|
```bash
|
|
$ cd sgx-jvm/remote-attestation
|
|
$ gradlew attestation-challenger:installDist
|
|
```
|
|
|
|
Execution Instructions
|
|
----------------------
|
|
|
|
- To launch the Attestation Host:
|
|
```bash
|
|
$ sx exec
|
|
$ cd sgx-jvm/remote-attestation/attestation-host
|
|
$ nohup ../gradlew [-Phardware=true] startHost >& OUT &
|
|
$ tail -f build/logs/attestation-host.log
|
|
```
|
|
This can be shutdown again using:
|
|
```bash
|
|
$ ../gradlew stopHost
|
|
```
|
|
|
|
- To launch the IAS Proxy:
|
|
```bash
|
|
$ cd sgx-jvm/remote-attestation/ias-proxy
|
|
$ nohup ../gradlew startISV >& OUT &
|
|
$ tail -f build/logs/ias-proxy.log
|
|
```
|
|
This can be shutdown again using:
|
|
```bash
|
|
$ ../gradlew stopISV
|
|
```
|
|
|
|
- To execute the Attestation Challenger:
|
|
```bash
|
|
$ cd sgx-jvm/remote-attestation/attestation-challenger/build/install/attestation-challenger
|
|
$ bin/attestation-challenger
|
|
```
|
|
Use this executable's `--help` option for more information.
|
|
|
|
When all of the components are working correctly, you should expect the challenger
|
|
to output something like:
|
|
```bash
|
|
$ bin/attestation-challenger
|
|
Report ID: 197283916372863387388037565359257649452
|
|
Quote Status: OK
|
|
Timestamp: 2017-12-20T15:06:37.222956
|
|
Secret provisioned successfully.
|
|
```
|