RubNoobs/Systemsicherheit
RubNoobs/Systemsicherheit
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Systemsicherheit/7-SGX_Hands-on/src/app/proxy.c

236 lines
6.1 KiB
C
Raw Normal View History

[Assignment-7] Flake + App base - Add Assignment-7 to flake.nix - Implement basic framework of app - Implement proxy subcommand (mostly) - Implement basics of intermediary subcommand
2024-07-03 16:16:24 +02:00
#include <errno.h>
#include <sgx_urts.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "enclave.h"
#include "proxy.h"
#include "util.h"
sgx_enclave_id_t global_eid = 0;
struct ProxyArgs {
char* input_path;
char* output_path;
char* sealed_key_file_path;
char* sgx_token_path;
};
typedef struct _sgx_errlist_t {
sgx_status_t err;
const char *msg;
const char *sug; /* Suggestion */
} sgx_errlist_t;
/* Error code returned by sgx_create_enclave */
static sgx_errlist_t sgx_errlist[] = {
{
SGX_ERROR_UNEXPECTED,
"Unexpected error occurred.",
NULL
},
{
SGX_ERROR_INVALID_PARAMETER,
"Invalid parameter.",
NULL
},
{
SGX_ERROR_OUT_OF_MEMORY,
"Out of memory.",
NULL
},
{
SGX_ERROR_ENCLAVE_LOST,
"Power transition occurred.",
"Please refer to the sample \"PowerTransition\" for details."
},
{
SGX_ERROR_INVALID_ENCLAVE,
"Invalid enclave image.",
NULL
},
{
SGX_ERROR_INVALID_ENCLAVE_ID,
"Invalid enclave identification.",
NULL
},
{
SGX_ERROR_INVALID_SIGNATURE,
"Invalid enclave signature.",
NULL
},
{
SGX_ERROR_OUT_OF_EPC,
"Out of EPC memory.",
NULL
},
{
SGX_ERROR_NO_DEVICE,
"Invalid SGX device.",
"Please make sure SGX module is enabled in the BIOS, and install SGX driver afterwards."
},
{
SGX_ERROR_MEMORY_MAP_CONFLICT,
"Memory map conflicted.",
NULL
},
{
SGX_ERROR_INVALID_METADATA,
"Invalid enclave metadata.",
NULL
},
{
SGX_ERROR_DEVICE_BUSY,
"SGX device was busy.",
NULL
},
{
SGX_ERROR_INVALID_VERSION,
"Enclave version was invalid.",
NULL
},
{
SGX_ERROR_INVALID_ATTRIBUTE,
"Enclave was not authorized.",
NULL
},
{
SGX_ERROR_ENCLAVE_FILE_ACCESS,
"Can't open enclave file.",
NULL
},
};
/* Check error conditions for loading enclave */
static void print_error_message(sgx_status_t ret)
{
size_t idx = 0;
size_t ttl = sizeof sgx_errlist/sizeof sgx_errlist[0];
for (idx = 0; idx < ttl; idx++) {
if(ret == sgx_errlist[idx].err) {
if(NULL != sgx_errlist[idx].sug)
printf("Info: %s\n", sgx_errlist[idx].sug);
printf("Error: %s\n", sgx_errlist[idx].msg);
break;
}
}
if (idx == ttl)
printf("Error code is 0x%X. Please refer to the \"Intel SGX SDK Developer Reference\" for more details.\n", ret);
}
static int initialize_enclave(char* token_path) {
FILE* sgx_token_file;
sgx_launch_token_t token = {0};
sgx_status_t ret;
int updated = 0;
sgx_token_file = fopen(token_path, "r");
if(sgx_token_file == NULL){
perror("Error opening sgx token file");
exit(1);
}
size_t read_num = fread(token, 1, sizeof(sgx_launch_token_t), sgx_token_file);
if (read_num != 0 && read_num != sizeof(sgx_launch_token_t)) {
fprintf(stderr, "sgx token file is corrupted");
return (1);
}
ret = sgx_create_enclave("enclave.so", SGX_DEBUG_FLAG, &token, &updated, &global_eid, NULL);
if (ret != SGX_SUCCESS) {
print_error_message(ret);
return (1);
}
if (updated) {
sgx_token_file = freopen(token_path, "w", sgx_token_file);
if(sgx_token_file == NULL){
perror("Error opening sgx token file");
return (1);
}
size_t write_num = fwrite(token, 1, sizeof(sgx_launch_token_t), sgx_token_file);
if (write_num != sizeof(sgx_launch_token_t)){
fprintf(stderr,"Warning: Failed to save launch token to \"%s\".\n", token_path);
return (1);
}
}
return (0);
}
char* proxy_syntax(void) {
return
"proxy implementation of the enclave-powered SignatureProxy\n"
" -i <path> file path to the intermediary output(signature of firmware)\n"
" -o <path> output path of the signature\n"
" -s <path> file path of the sealed proxy key\n"
" -t <path> file path of the sgx token\n";
}
int handle_proxy(int argc, char** argv) {
struct ProxyArgs args = {
NULL,
NULL,
NULL,
NULL
};
FILE* input_file;
FILE* output_file;
FILE* sealed_key_file;
int i = 0;
while(i < argc) {
if(strcmp(argv[i], "-i")==0 && argc-i >=2){
args.input_path = argv[i+1];
i += 2;
}else if(strcmp(argv[i], "-o")==0 && argc-i >=2){
args.output_path = argv[i+1];
i += 2;
}else if(strcmp(argv[i], "-s")==0 && argc-i >=2){
args.sealed_key_file_path = argv[i+1];
i += 2;
}else if(strcmp(argv[i], "-t")==0 && argc-i >=2){
args.sgx_token_path = argv[i+1];
i += 2;
}else
syntax_exit();
}
if(args.input_path == NULL || args.output_path == NULL || args.sealed_key_file_path == NULL || args.sgx_token_path == NULL)
syntax_exit();
input_file = fopen(args.input_path, "r");
if(input_file == NULL){
perror("Error opening input file");
exit(1);
}
output_file = fopen(args.output_path, "w");
if(output_file == NULL){
perror("Error opening output file");
exit(1);
}
//TODO read input -> calculate size of input (ECDSA of SHA3-256 of Firmware File, generated by intermediary)
//TODO read sealed key -> calculate size or dynamic alloc
sealed_key_file = fopen(args.sealed_key_file_path, "w");
if(sealed_key_file == NULL){
perror("Error opening sealed_key_file file");
exit(1);
}
if (initialize_enclave(args.sgx_token_path) != 0)
exit(1);
//TODO call enclave -> refactor interface to do verify and sign in one call to avoid trip through "untrusted" land.
//TODO store sealed key if changed
//TODO write output
printf("proxy %s %s", args.input_path, args.output_path);
exit(0);
}
Reference in a new issue Copy permalink