Systemsicherheit/7-SGX_Hands-on/README.md

# Signature Relay for firmware

Documentation of the Assignment 7 in Systems Security at Ruhr-Universität Bochum.
This is a program, that uses a TEE to build a signature relay to sign firmware with a master key.
For more informationm, read the [project description](doc/abgabe.pdf).

We recommend viewing the [repository](https://git.pfzetto.de/RubNoobs/Systemsicherheit/src/branch/Assignment-7-sgximpl/7-SGX_Hands-on) we worked on together at.

## Compiling

This project can be compiled for simulation environments or directly on the hardware.

1. **Simulated environment**

At project root type the command

```bash
$ make SGX_MODE=SIM
```

2. **Hardware**

At project root type the command

```bash
$ make
```

This creates the following directory tree:

```
out
├── bin <- here is the executable binary file
└── obj <- here are the object files generated by the compiling process
``` 

# Usage
## Setup
Initialize the Enclave keypair by executing:
`./signatureproxy proxysetup -pkey <sealed_proxy_key.bin> > <proxy_public_key.pem>` 

## Sign
1. Create employee signature using `./signatureproxy employee -firm <firmware.bin> -ekey <employee_privat_key.pem> > <employee_signature.der>`
   This step can also be done using OpenSSL: `openssl dgst -sha256 -sign <employee_private_key.pem> -out <employee_signature.der> -in <firmware.bin>`
2. Use the signature proxy to resign the firmware using `./signatureproxy proxy -pkey <sealed_proxy_key.bin> -epub <employee_public_key.der> -firm <firmware.bin> > <proxy_signature.der>`
   The enclave verifies the employee signature and signs the firmware if the signature is valid.
3. Verify signature using `cat <proxy_signature.der> | ./signatureproxy embedded -firm <firmware.bin> -ppub <proxy_public_key.pem>` 
   This step can also be done using OpenSSL: `openssl dgst -sha256 -verify <proxy_public_key.pem> -signature <proxy-signature.der> <firmware.bin>`


## License

Everything we did ourselves is licensed under the [GNU GPLv3 License](./LICENSE)

## Contributors

- Benjamin Haschka
- Sascha Tommasone
- Paul Zinselmeyer
Assignment 7 sgximpl: README.md compiling 2024-07-06 16:02:28 +02:00			`# Signature Relay for firmware`

Assignment 7 sgximpl: README update 2024-07-07 22:37:40 +02:00			`Documentation of the Assignment 7 in Systems Security at Ruhr-Universität Bochum.`
			`This is a program, that uses a TEE to build a signature relay to sign firmware with a master key.`
			`For more informationm, read the [project description](doc/abgabe.pdf).`

			`We recommend viewing the [repository](https://git.pfzetto.de/RubNoobs/Systemsicherheit/src/branch/Assignment-7-sgximpl/7-SGX_Hands-on) we worked on together at.`
Assignment 7 sgximpl: README.md compiling 2024-07-06 16:02:28 +02:00
			`## Compiling`

			`This project can be compiled for simulation environments or directly on the hardware.`

			`1. Simulated environment`

			`At project root type the command`

			```bash
			`$ make SGX_MODE=SIM`
			```

			`2. Hardware`

			`At project root type the command`

			```bash
			`$ make`
			```

			`This creates the following directory tree:`

			```
			`out`
			`├── bin <- here is the executable binary file`
			`└── obj <- here are the object files generated by the compiling process`
			```

Assignment 7 sgximpl: readme compilation hint 2024-07-07 17:11:55 +02:00			`# Usage`
			`## Setup`
			`Initialize the Enclave keypair by executing:`
			`./signatureproxy proxysetup -pkey <sealed_proxy_key.bin> > <proxy_public_key.pem>`
Assignment 7 sgximpl: README.md compiling 2024-07-06 16:02:28 +02:00
Assignment 7 sgximpl: readme compilation hint 2024-07-07 17:11:55 +02:00			`## Sign`
			1. Create employee signature using `./signatureproxy employee -firm <firmware.bin> -ekey <employee_privat_key.pem> > <employee_signature.der>`
			This step can also be done using OpenSSL: `openssl dgst -sha256 -sign <employee_private_key.pem> -out <employee_signature.der> -in <firmware.bin>`
			2. Use the signature proxy to resign the firmware using `./signatureproxy proxy -pkey <sealed_proxy_key.bin> -epub <employee_public_key.der> -firm <firmware.bin> > <proxy_signature.der>`
			`The enclave verifies the employee signature and signs the firmware if the signature is valid.`
			3. Verify signature using `cat <proxy_signature.der> \| ./signatureproxy embedded -firm <firmware.bin> -ppub <proxy_public_key.pem>`
			This step can also be done using OpenSSL: `openssl dgst -sha256 -verify <proxy_public_key.pem> -signature <proxy-signature.der> <firmware.bin>`
Assignment 7 sgximpl: README update 2024-07-07 22:37:40 +02:00

			`## License`

			`Everything we did ourselves is licensed under the [GNU GPLv3 License](./LICENSE)`

			`## Contributors`

			`- Benjamin Haschka`
			`- Sascha Tommasone`
			`- Paul Zinselmeyer`