-
Notifications
You must be signed in to change notification settings - Fork 202
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Python,CI,Docs] Support SGX extended product ID
KSS is a new feature that introduces additional fields to identify enclave in build time: ISVEXTPRODID and ISVFAMILYID. These fields are defined the the developer and signed in SIGSTRUCT. Add new fields to the manifest to add support, and support in SGX signing tool. Add a hello world example with KSS enabled: Product ID fields are configured in the manifest and the enclave prints them. This example must be built with remote attestation. At this point SGX loader is not updated and there are no sanity checks prior to enclave load. Therefore, if an enclave with KSS is loaded on an unsupported platform, it might crash. Signed-off-by: Lavi, Nir <nir.lavi@intel.com>
- Loading branch information
Showing
13 changed files
with
227 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
/kss-helloworld | ||
/*.o | ||
/OUTPUT |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
GRAMINEDIR ?= ../.. | ||
RA_TYPE ?= dcap | ||
|
||
CFLAGS = -Wall -Wextra -I$(GRAMINEDIR)/pal/src/host/linux-sgx | ||
|
||
ifeq ($(DEBUG),1) | ||
GRAMINE_LOG_LEVEL = debug | ||
CFLAGS += -g | ||
else | ||
GRAMINE_LOG_LEVEL = error | ||
CFLAGS += -O3 | ||
endif | ||
|
||
.PHONY: all | ||
all: kss-helloworld.manifest.sgx kss-helloworld.sig kss-helloworld.token | ||
|
||
kss-helloworld: kss-helloworld.o | ||
|
||
kss-helloworld.o: kss-helloworld.c | ||
|
||
kss-helloworld.manifest: kss-helloworld.manifest.template | ||
gramine-manifest \ | ||
-Dlog_level=$(GRAMINE_LOG_LEVEL) \ | ||
-Dra_type=$(RA_TYPE) \ | ||
$< $@ | ||
|
||
# gramine-sgx-sign generates both a .sig file and a .manifest.sgx file. This is somewhat | ||
# hard to express properly in Make. The simple solution would be to use | ||
# "Rules with Grouped Targets" (`&:`), however make on Ubuntu <= 20.04 doesn't support it. | ||
# | ||
# Simply using a normal rule with "two targets" is equivalent to creating separate rules | ||
# for each of the targets, and when using `make -j`, this might cause two instances | ||
# of gramine-sgx-sign to get launched simultaneously, potentially breaking the build. | ||
# | ||
# As a workaround, we use a dummy intermediate target, and mark both files as depending on it, to | ||
# get the dependency graph we want. We mark this dummy target as .INTERMEDIATE, which means | ||
# that make will consider the source tree up-to-date even if the sgx_sign file doesn't exist, | ||
# as long as the other dependencies check out. This is in contrast to .PHONY, which would | ||
# be rebuilt on every invocation of make. | ||
kss-helloworld.sig kss-helloworld.manifest.sgx: sgx_sign | ||
@: | ||
|
||
.INTERMEDIATE: sgx_sign | ||
sgx_sign: kss-helloworld.manifest kss-helloworld | ||
gramine-sgx-sign \ | ||
--manifest $< \ | ||
--output $<.sgx | ||
|
||
kss-helloworld.token: kss-helloworld.sig | ||
gramine-sgx-get-token \ | ||
--output $@ --sig $< | ||
|
||
GRAMINE = gramine-sgx | ||
|
||
.PHONY: check | ||
check: all | ||
$(GRAMINE) kss-helloworld | ||
|
||
.PHONY: clean | ||
clean: | ||
$(RM) *.token *.sig *.manifest.sgx *.manifest kss-helloworld.o kss-helloworld OUTPUT | ||
|
||
.PHONY: distclean | ||
distclean: clean |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
# KSS Hello World | ||
|
||
This directory contains a Makefile and a manifest template for running a simple | ||
"Hello World" program with KSS in Gramine. It is built with KSS support and non-zero | ||
values for `isvextprodid` and `isvfamilyid`, which are printed by the enclave. | ||
report. | ||
|
||
This example is SGX-specific. | ||
|
||
# Build | ||
|
||
Run `make` (non-debug) or `make DEBUG=1` (debug) in the directory. | ||
|
||
Remote attestation must be supported to run this test. Default attestation type is `dcap`. | ||
It can be modified with the `RA_TYPE` flag in make. For example: `make RA_TYPE=epid`. | ||
|
||
# Run | ||
|
||
```sh | ||
gramine-sgx ./kss-helloworld | ||
``` | ||
|
||
Note that a platform with KSS support must be used, otherwise this example will not work. | ||
Use `is-sgx-available` tool to determine if the platform supports KSS. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
#include <stdio.h> | ||
#include <stddef.h> | ||
#include <stdint.h> | ||
#include <string.h> | ||
#include "sgx_arch.h" | ||
|
||
#define MAX_DIGITS (256ULL) // Should be more than enough to contain all buffers | ||
|
||
static void blob2hex(const void* input, size_t len, char* output) { | ||
static const char digits[] = "0123456789abcdef"; | ||
for(size_t i=0;i<len;i++) { | ||
uint8_t byte = *((uint8_t *) input + i); | ||
output[2*i] = digits[byte >> 4]; | ||
output[2*i+1] = digits[byte & 0xf]; | ||
} | ||
output[2*len + 1] = 0; | ||
} | ||
|
||
int main(void) { | ||
char print_buffer[MAX_DIGITS]; | ||
FILE* attestation_type_fd = NULL; | ||
FILE* report_fd = NULL; | ||
sgx_report_t report; | ||
|
||
attestation_type_fd = fopen("/dev/attestation/attestation_type", "rb"); | ||
if(attestation_type_fd == NULL) { | ||
fprintf(stderr, "Failed to open attestation type handle\n"); | ||
return 1; | ||
} | ||
if(fread(print_buffer, 1, sizeof(print_buffer), attestation_type_fd) < 0) { | ||
fprintf(stderr, "Failed to read attestation type\n"); | ||
return 2; | ||
} | ||
// Report handles are loaded only if remote attestation is enabled | ||
if(strcmp(print_buffer, "none") == 0) { | ||
fprintf(stderr, "Must be built with remote attestation\n"); | ||
return 3; | ||
} | ||
fclose(attestation_type_fd); | ||
|
||
// We only care about this enclave's attributes, so we omit report data and target info | ||
report_fd = fopen("/dev/attestation/report", "rb"); | ||
if(report_fd == NULL) { | ||
fprintf(stderr, "Failed to open report handle\n"); | ||
return 4; | ||
} | ||
if(fread(&report, sizeof(report), 1, report_fd) <= 0) { | ||
fprintf(stderr, "Failed to read report\n"); | ||
return 5; | ||
} | ||
fclose(report_fd); | ||
|
||
printf("isvprodid = %04x\n", report.body.isv_prod_id); | ||
printf("isvsvn = %d\n", report.body.isv_svn); | ||
blob2hex(report.body.isv_ext_prod_id, sizeof(report.body.isv_ext_prod_id), print_buffer); | ||
printf("isvextprodid = %s\n", print_buffer); | ||
blob2hex(report.body.isv_family_id, sizeof(report.body.isv_family_id), print_buffer); | ||
printf("isvfamilyid = %s\n", print_buffer); | ||
blob2hex(report.body.config_id.data, sizeof(report.body.config_id.data), print_buffer); | ||
printf("configid = %s\n", print_buffer); | ||
printf("configsvn = %d\n", report.body.config_svn); | ||
return 0; | ||
} |
29 changes: 29 additions & 0 deletions
29
CI-Examples/kss-helloworld/kss-helloworld.manifest.template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
# Hello World manifest file example | ||
|
||
loader.entrypoint = "file:{{ gramine.libos }}" | ||
libos.entrypoint = "/kss-helloworld" | ||
loader.log_level = "{{ log_level }}" | ||
|
||
loader.env.LD_LIBRARY_PATH = "/lib" | ||
|
||
fs.mounts = [ | ||
{ path = "/lib", uri = "file:{{ gramine.runtimedir() }}" }, | ||
{ path = "/kss-helloworld", uri = "file:kss-helloworld" }, | ||
] | ||
|
||
sgx.debug = true | ||
sgx.nonpie_binary = true | ||
|
||
sgx.remote_attestation = "{{ ra_type }}" | ||
|
||
sgx.kss = true | ||
sgx.isvprodid = 5 | ||
sgx.isvsvn = 2 | ||
sgx.isvfamilyid = "0x00112233445566778899aabbccddeeff" | ||
sgx.isvextprodid = "0xcafef00dcafef00df00dcafef00dcafe" | ||
|
||
sgx.trusted_files = [ | ||
"file:{{ gramine.libos }}", | ||
"file:kss-helloworld", | ||
"file:{{ gramine.runtimedir() }}/", | ||
] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -e | ||
|
||
if test -n "$SGX" | ||
then | ||
GRAMINE=gramine-sgx | ||
else | ||
GRAMINE=gramine-direct | ||
fi | ||
|
||
echo -e "\n\nRunning kss-helloworld" | ||
$GRAMINE ./kss-helloworld > OUTPUT | ||
grep -q 'isvprodid = 0005' OUTPUT && echo '[ Success 1/4 ]' | ||
grep -q 'isvsvn = 2' OUTPUT && echo '[ Success 2/4 ]' | ||
grep -q 'isvextprodid = 00112233445566778899aabbccddeeff' OUTPUT && echo '[ Success 3/4 ]' | ||
grep -q 'isvfamilyid = cafef00dcafef00df00dcafef00dcafe' OUTPUT && echo '[ Success 4/4 ]' | ||
rm OUTPUT |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters