2024-07-06 16:02:28 +02:00
# Signature Relay for firmware
2024-07-07 22:37:40 +02:00
Documentation of the Assignment 7 in Systems Security at Ruhr-Universität Bochum.
This is a program, that uses a TEE to build a signature relay to sign firmware with a master key.
For more informationm, read the [project description ](doc/abgabe.pdf ).
2024-07-08 12:34:37 +02:00
We recommend viewing the [repository ](https://git.pfzetto.de/RubNoobs/Systemsicherheit/src/branch/master/Assignment%207%20-%20SGX%20Hands-on ) we worked on together at.
2024-07-06 16:02:28 +02:00
2024-07-07 23:03:15 +02:00
## Requirements
You will need the latest version of OpenSSL.
2024-07-08 11:01:19 +02:00
Execute the following command inside the src directory to automatically meet all requirements.
2024-07-07 23:03:15 +02:00
```bash
2024-07-08 11:01:19 +02:00
$ ./setup
2024-07-07 23:03:15 +02:00
```
2024-07-06 16:02:28 +02:00
## Compiling
This project can be compiled for simulation environments or directly on the hardware.
1. **Simulated environment**
2024-07-08 11:01:19 +02:00
In the src directory type the command
2024-07-06 16:02:28 +02:00
```bash
$ make SGX_MODE=SIM
```
2. **Hardware**
2024-07-08 11:01:19 +02:00
In the src directory type the command
2024-07-06 16:02:28 +02:00
```bash
$ make
```
2024-07-07 23:03:15 +02:00
That creates all the necessary objects and binaries to execute.
The executable binary will be `src/signatureproxy` .
2024-07-06 16:02:28 +02:00
2024-07-07 23:03:15 +02:00
## Running
## Running story
2024-07-08 11:01:19 +02:00
To execute an example usage of the project, execute `./simulate` in src directory.
2024-07-07 23:03:15 +02:00
Note, that this will only work, if you sucessfully compiled the project.
## Manual Usage
### Setup
Go to the `src` directory.
2024-07-06 16:02:28 +02:00
2024-07-07 17:11:55 +02:00
Initialize the Enclave keypair by executing:
`./signatureproxy proxysetup -pkey <sealed_proxy_key.bin> > <proxy_public_key.pem>`
2024-07-06 16:02:28 +02:00
2024-07-07 23:03:15 +02:00
### Sign
2024-07-07 17:11:55 +02:00
1. Create employee signature using `./signatureproxy employee -firm <firmware.bin> -ekey <employee_privat_key.pem> > <employee_signature.der>`
This step can also be done using OpenSSL: `openssl dgst -sha256 -sign <employee_private_key.pem> -out <employee_signature.der> -in <firmware.bin>`
2. Use the signature proxy to resign the firmware using `./signatureproxy proxy -pkey <sealed_proxy_key.bin> -epub <employee_public_key.der> -firm <firmware.bin> > <proxy_signature.der>`
The enclave verifies the employee signature and signs the firmware if the signature is valid.
3. Verify signature using `cat <proxy_signature.der> | ./signatureproxy embedded -firm <firmware.bin> -ppub <proxy_public_key.pem>`
This step can also be done using OpenSSL: `openssl dgst -sha256 -verify <proxy_public_key.pem> -signature <proxy-signature.der> <firmware.bin>`
2024-07-07 22:37:40 +02:00
## License
Everything we did ourselves is licensed under the [GNU GPLv3 License ](./LICENSE )
## Contributors
- Benjamin Haschka
- Sascha Tommasone
- Paul Zinselmeyer