corda/sgx-jvm/remote-attestation/README-Phase2.md
Chris Rankin c545a58c1d
Remote Attestation Phase 2 (#235)
* Initial host server skeleton.
* Create IASProxy project, and skeleton for attestation host.
* Fix up tests
* Extend attestation host skeleton, and make test ports configurable.
* Enhance MockIAS to make pseManifestStatus optional.
* Make IASProxy endpoints asynchronous.
* Add sub-modules for challenger and for common code.
* Create integration test for host's provisioning endpoint.
* Flesh out attestation challenger WAR.
* Package refactoring, to be more Java9 friendly.
* Refactor more messages into attestation-common.
* Remove our private key from the repository.
* Declare an empty PSE Manifest to be invalid.
* Fix basic integration test issues for challenger and host.
* Integrate keystore scripts into the build properly.
* Name keystore targets explicitly for Gradle.
* Allow HTTP conversation between Challenger, Host and ISV using session ID.
* Add MockHost for challenger's integration tests.
* Reconcile HTTP port numbers between Phase1 and Phase2 components.
* Remove elements that can be inherited from root project.
* Add placeholder README.
* Add convenient extension functions to ObjectMapper.
* Extend integration test coverage for challenger/host/isv.
* Catch IOException from HttpClient for challenger.
* Integrate host sub-module with remote-attestation project.
* Begin integrating host/enclave code from Phase I.
* Rename challenger's HTTP endpoint.
* Generate keystore for challenger "on the fly".
* Add native JNI code for accessing the SGX enclave.
* Point Gradle to the correct enclave object.
* Fixes for generating a Quote for this enclave.
* Return the IAS report to the challenger for verification.
* Begin populating the challenger's AttestationResponse message.
* Enable the challenger to pass encrypted secrets into the enclave.
* Align challenger, host and isv ports.
* Refactor challenger as a fat-jar application.
* AttestationResponse is not shared, so refactor into challenger.
* Move HttpClientContext objects into HttpClient blocks.
* Remove unused Message2 and Message3 objects.
* Add realistic dummy value for reportID from IAS.
* Small tidy-up on attestation host.
* First set of review comments.
* Add missing exception message.
* Update location of environment file.
* Use empty mock revocation lists by default.
* Improve logging and add "happy path" test for provisioning secrets.
* Update Gradle files so that we can run attestation-host from IntelliJ.
* The platformInfo field from IAS can be null, so allow this.
Also protect other JNI pointer parameters from NPE.
* Allow Gradle to build hardware enclave.
2017-12-22 14:42:42 +00:00

Remote Attestation Phase 2

Phase 2 contains the following components:

  • ias-proxy: This is the ISV, and is an authorised client of the Intel Attestation Service (IAS).
  • attestation-host: This is a WAR running on an SGX-capable host with an enclave, and a client of ias-proxy.
  • attestation-challenger: This is an executable JAR, and client of attestation-host.

Building Instructions

  • Ensure that your user ID belongs to the docker group. This will enable you to run Docker as an unprivileged user.

  • Source the environment file:

$ . sgx-jvm/environment
  • Build the Docker container:
$ cd sgx-jvm/containers/core
$ make
  • Build the SGX SDK:
$ sx build linux-sgx clean all
  • Build the SGX enclave:
$ sx build [-hp] remote-attestation/enclave clean all

Add the -hp options to build in "pre-release" mode for SGX hardware.

  • Build the Attestation Host WAR:
$ sx build remote-attestation/attestation-host
  • Build the JNI library for the Attestation Host:
$ sx build [-hp] remote-attestation/attestation-host/native clean all

Add the -hp options to build in "pre-release" mode for SGX hardware. This setting must match the setting used to build the SGX enclave, or they will be incompatible at runtime.

  • Install our private key for Mutual-TLS with IAS:
$ cp client.key sgx-jvm/remote-attestation/ias-proxy/src/main/ssl/intel-ssl
  • Build the IAS Proxy:
$ cd sgx-jvm/remote-attestation
$ gradlew ias-proxy:build
  • Build the Attestation Challenger:
$ cd sgx-jvm/remote-attestation
$ gradlew attestation-challenger:installDist
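
The "Install our private key" step above copies a Mutual-TLS client key into the source tree, where it is easy to leave world-readable or commit by accident. The following check is an added example, not part of the Corda repository; the function name check_ias_key and its result tokens are hypothetical, and the key path is passed as an argument.

```shell
#!/bin/sh
# Added example: sanity checks for the IAS Mutual-TLS client key after it has
# been copied into the ias-proxy tree. Prints "ok" or one token per problem.

check_ias_key() {
    key=$1
    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "not-a-regular-file"
        return 1
    fi
    problems=""

    # The mode string from ls looks like "-rw-------"; characters 5-10 are
    # the group and other bits, which must all be "-" for a private key.
    mode=$(ls -ld -- "$key" | cut -c1-10)
    case $mode in
        -???------) ;;
        *) problems="$problems group-or-world-accessible" ;;
    esac

    # Inside a git work tree the key must be neither tracked nor addable by
    # accident, so it should match an ignore rule.
    dir=$(dirname "$key")
    name=$(basename "$key")
    if command -v git >/dev/null 2>&1 &&
       git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        if git -C "$dir" ls-files --error-unmatch -- "$name" >/dev/null 2>&1; then
            problems="$problems tracked-by-git"
        elif ! git -C "$dir" check-ignore -q -- "$name" 2>/dev/null; then
            problems="$problems not-gitignored"
        fi
    fi

    if [ -n "$problems" ]; then
        echo "${problems# }"
        return 1
    fi
    echo "ok"
}

# Usage: sh check_ias_key.sh path/to/client.key
if [ "$#" -gt 0 ]; then
    check_ias_key "$1"
fi
```

Run it after the cp step and before building the IAS Proxy; a non-zero exit status means the key should be fixed before continuing.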

Execution Instructions

  • To launch the Attestation Host:
$ sx exec
$ cd sgx-jvm/remote-attestation/attestation-host
$ nohup ../gradlew [-Phardware=true] startHost >& OUT &
$ tail -f build/logs/attestation-host.log

This can be shut down again using:

$ ../gradlew stopHost
  • To launch the IAS Proxy:
$ cd sgx-jvm/remote-attestation/ias-proxy
$ nohup ../gradlew startISV >& OUT &
$ tail -f build/logs/ias-proxy.log

This can be shut down again using:

$ ../gradlew stopISV
  • To execute the Attestation Challenger:
$ cd sgx-jvm/remote-attestation/attestation-challenger/build/install/attestation-challenger
$ bin/attestation-challenger

Use this executable's --help option for more information.

When all of the components are working correctly, you should expect the challenger to output something like:

$ bin/attestation-challenger
Report ID:    197283916372863387388037565359257649452
Quote Status: OK
Timestamp:    2017-12-20T15:06:37.222956
Secret provisioned successfully.