Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenSSL FIPS provider support #262

Merged
merged 27 commits into from
Dec 27, 2024
Merged

OpenSSL FIPS provider support #262

merged 27 commits into from
Dec 27, 2024

Conversation

jbdelcuv
Copy link
Contributor

Add support to the SGX-SSL library to have crypto algorithms run in the FIPS provider embedded in enclave images.

Instructions for building/testing, assuming you have an updated SGX SDK/PSW toolchain available:

$ cd Linux
$ make all FIPS=1
$ [sudo] make install
$ make test FIPS=1
$ make fips_test FIPS=1

Instructions for cleaning up:

$ sudo make uninstall
$ make clean

jinghe-INTC and others added 20 commits November 26, 2024 12:06
@jbdelcuv
update for OpenSSL 3.1.x (intel#187)
4586516 
Signed-off-by: He, Jing J <jing.j.he@intel.com>
@jbdelcuv
Create FIPS support branch based on OpenSSL 3.1 with a separate FIPS
87bad5c 
build option.

Co-authored-by: Juan del Cuvillo <juan.b.del.cuvillo@intel.com>
Signed-off-by: Jing He <jing.j.he@intel.com>
Signed-off-by: Juan del Cuvillo <juan.b.del.cuvillo@intel.com>
@jbdelcuv
Improve the patch.
4432ab9 
Signed-off-by: Jing He <jing.j.he@intel.com>
@jbdelcuv
Fix the keygen tests and other updates.
3b8f1bf 
Signed-off-by: Jing He <jing.j.he@intel.com>
@jbdelcuv
Workaround the failure of ec_d2i_publickey_test.
98b359b 
Signed-off-by: Jing He <jing.j.he@intel.com>
@jbdelcuv
Workaround the failure of the EC test cases.
f0f1bb8 
Signed-off-by: Jing He <jing.j.he@intel.com>
@jbdelcuv
Fix DH and AES-GCM test cases.
b3df72b 
Signed-off-by: Jing He <jing.j.he@intel.com>
@jbdelcuv
Add another ECDSA test case.
4e9380d
@jbdelcuv
Minor update to AES-GCM test case.
1c55967
@jbdelcuv
Minor update to the test enclave.
13c5f33
@jbdelcuv
Support loading fipsmodule.cnf included in openssl.cnf
2aaf6ee
@jbdelcuv
Add suport for getpid and time functions to solve the issue where the
b403dd5 
self-test was failing due to the additional reseeding caused by using
the RDTSC instruction.

Signed-off-by: Jing He <jing.j.he@intel.com>
@jbdelcuv
avoid fflush()
12bfa07 
Signed-off-by: Jing He <jing.j.he@intel.com>
@jbdelcuv
Removed unused functionality from this file.
d9f61e9 
"make all FIPS=1; make test FIPS=1" shows the OpenSSL FIP provider working inside an enclave.

Signed-off-by: Jing He <jing.j.he@intel.com>
@jbdelcuv
Build the FIPS provider in its own Makefile.
1353a3c 
The new Makefile provides the standard targets: all, clean, install and
uninstall that the main Mafile calls when the option FIPS is set.

Signed-off-by: Juan del Cuvillo <juan.b.del.cuvillo@intel.com>
@jbdelcuv
Don't build the test app by default in FIPS mode since it depends on
be5eb51 
the FIPS provider.
Execute the install target first.

Signed-off-by: Juan del Cuvillo <juan.b.del.cuvillo@intel.com>
@jbdelcuv
Add a simple test program demonstrating how to load the OpenSSL FIPS
de2ac50 
provider inside an enclave.

Signed-off-by: Juan del Cuvillo <juan.b.del.cuvillo@intel.com>
@jbdelcuv
Replace error code so that OpenSSL 3.1.2 builds without changes,
cdb5bba 
although it isn't currently supported.
It appears that RAND_R_INVALID_PROPERTY_QUERY was added to randerr.h in
OpenSSL 3.1.6.

Signed-off-by: Juan del Cuvillo <juan.b.del.cuvillo@intel.com>
@jbdelcuv
Document limitation regarding the location of the OpenSSL configuration
9258c91 
file in CONF_modules_load_file_ex.

Signed-off-by: Juan del Cuvillo <juan.b.del.cuvillo@intel.com>
@jbdelcuv
Don't send the output of tar to the console.
fc21415 
Signed-off-by: Juan del Cuvillo <juan.b.del.cuvillo@intel.com>
@jbdelcuv jbdelcuv requested a review from lzha101 November 27, 2024 22:59
@jbdelcuv jbdelcuv self-assigned this Dec 5, 2024
@fchinchilla
Copy link

Looks good to me

lzha101
lzha101 reviewed Dec 9, 2024
View reviewed changes
.github/workflows/c-cpp.yml Outdated Show resolved Hide resolved
jbdelcuv
jbdelcuv commented Dec 9, 2024
View reviewed changes
.github/workflows/c-cpp.yml Outdated Show resolved Hide resolved
@jbdelcuv
Point back to the main branch.
e0bd79b 
Signed-off-by: Juan del Cuvillo <juan.b.del.cuvillo@intel.com>
@jbdelcuv
Update to version 3.1.6, which is what we intend to support.
a3b9f47 
Signed-off-by: Juan del Cuvillo <juan.b.del.cuvillo@intel.com>
@jbdelcuv
Rename API following update in the SDK.
3ead21b 
Signed-off-by: Juan del Cuvillo <juan.b.del.cuvillo@intel.com>
@jbdelcuv jbdelcuv linked an issue Dec 17, 2024 that may be closed by this pull request
Possibilities of supporting FIPS mode #143
Closed
@jbdelcuv
Generate an OpenSSL configuration file at build time.
7d10ac4 
Both sample apps include a template from which an OpenSSL configuration
file is generated rather than copying one from the SGX SDK.
@jbdelcuv
Revert "Generate an OpenSSL configuration file at build time."
c0b43e4 
This reverts commit 7d10ac4.
@jbdelcuv
Generate an OpenSSL configuration file at build time.
4b83850 
Both sample apps include a template from which an OpenSSL configuration
file is be generated rather than copying one from the SGX SDK.

Signed-off-by: Juan del Cuvillo <juan.b.del.cuvillo@intel.com>
@jbdelcuv jbdelcuv merged commit 366b098 into intel:main Dec 27, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lzha101 lzha101 lzha101 left review comments

@binxing binxing Awaiting requested review from binxing

@andyzyb andyzyb Awaiting requested review from andyzyb

@fchinchilla fchinchilla Awaiting requested review from fchinchilla

Assignees

@jbdelcuv jbdelcuv

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Possibilities of supporting FIPS mode
3 participants
@jbdelcuv @fchinchilla @lzha101