From 253c3d0d6d3474325cb213d9cb7ae2b340f17f36 Mon Sep 17 00:00:00 2001 From: Jun Kimura Date: Thu, 24 Aug 2023 14:17:08 +0900 Subject: [PATCH] types: remove sgx feature Signed-off-by: Jun Kimura --- Cargo.lock | 2 +- .../src/enclave_manage/attestation.rs | 7 +++---- enclave-modules/remote-attestation/Cargo.toml | 2 +- .../remote-attestation/src/report.rs | 19 +++++++++++++------ enclave/Cargo.lock | 1 - .../attestation-report/src/verification.rs | 6 ++++-- modules/ecall-commands/src/commands.rs | 10 ++++++++-- modules/enclave-api/Cargo.toml | 1 + modules/enclave-api/src/api/primitive.rs | 6 ++++-- modules/types/Cargo.toml | 4 ---- modules/types/src/time.rs | 7 ------- 11 files changed, 35 insertions(+), 30 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 82fabf79..b203bb81 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1338,6 +1338,7 @@ dependencies = [ "host", "keymanager", "lcp-proto", + "lcp-types", "log 0.4.17", "rsa", "sgx_types", @@ -2653,7 +2654,6 @@ dependencies = [ "prost", "serde", "serde_json", - "sgx_tstd", "sgx_types", "tendermint 0.29.0", ] diff --git a/enclave-modules/ecall-handler/src/enclave_manage/attestation.rs b/enclave-modules/ecall-handler/src/enclave_manage/attestation.rs index c3a1451d..3b707916 100644 --- a/enclave-modules/ecall-handler/src/enclave_manage/attestation.rs +++ b/enclave-modules/ecall-handler/src/enclave_manage/attestation.rs @@ -6,7 +6,6 @@ use ecall_commands::{CommandContext, IASRemoteAttestationInput, IASRemoteAttesta use enclave_remote_attestation::{ attestation::create_attestation_report, report::validate_quote_status, }; -use lcp_types::Time; use sgx_types::{sgx_quote_sign_type_t, sgx_spid_t}; pub(crate) fn ias_remote_attestation( 
@@ -24,10 +23,10 @@ pub(crate) fn ias_remote_attestation( spid, &input.ias_key, )?; - verify_report(&report, Time::now())?; + verify_report(cctx.current_timestamp, &report)?; report }; - validate_quote_status(&report.get_avr()?)?; + validate_quote_status(cctx.current_timestamp, &report.get_avr()?)?; Ok(IASRemoteAttestationResult { report }) } @@ -45,7 +44,7 @@ pub(crate) fn simulate_remote_attestation( input.advisory_ids, input.isv_enclave_quote_status, )?; - validate_quote_status(&avr)?; + validate_quote_status(cctx.current_timestamp, &avr)?; Ok(ecall_commands::SimulateRemoteAttestationResult { avr }) } diff --git a/enclave-modules/remote-attestation/Cargo.toml b/enclave-modules/remote-attestation/Cargo.toml index 805ea11b..f7f38a06 100644 --- a/enclave-modules/remote-attestation/Cargo.toml +++ b/enclave-modules/remote-attestation/Cargo.toml @@ -22,7 +22,7 @@ rustls = { git = "https://github.com/mesalock-linux/rustls", branch = "mesalock_ host-api = { path = "../host-api" } -lcp-types = { path = "../../modules/types", default-features = false, features = ["sgx"] } +lcp-types = { path = "../../modules/types", default-features = false } crypto = { path = "../../modules/crypto", default-features = false } attestation-report = { path = "../../modules/attestation-report", default-features = false } ocall-commands = { path = "../../modules/ocall-commands", default-features = false } diff --git a/enclave-modules/remote-attestation/src/report.rs b/enclave-modules/remote-attestation/src/report.rs index 5ff81fb5..9b493679 100644 --- a/enclave-modules/remote-attestation/src/report.rs +++ b/enclave-modules/remote-attestation/src/report.rs 
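Review bot: The certificate-validity and 24-hour freshness checks in `ias_remote_attestation` now take their clock from `cctx.current_timestamp`, which, judging by the `primitive.rs` and `commands.rs` changes in this patch, is set with `Time::now()` outside the enclave and deserialized as part of `CommandContext`. Both `verify_report` and `validate_quote_status` therefore evaluate against whatever time the caller supplies, so they only hold against an honest host clock; the removed `sgx_tstd` dependency was built with `untrusted_time`, so this is probably not a regression in trust, but the assumption is now implicit. I would state it at the call site, e.g. `// NOTE: cctx.current_timestamp is supplied by the host and is not trusted; these checks assume an honest host clock`, and repeat it as a doc comment on the `CommandContext::current_timestamp` field. The same applies to the `validate_quote_status(cctx.current_timestamp, &avr)` call in the `simulate_remote_attestation` hunk; both function signatures are outside the hunks, so I could not confirm how `cctx` is bound there.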
@@ -8,19 +8,26 @@ use log::*; use ocall_commands::{GetReportAttestationStatusInput, GetReportAttestationStatusResult}; use sgx_types::{sgx_platform_info_t, sgx_status_t}; -pub fn validate_quote_status(avr: &AttestationVerificationReport) -> Result { +pub fn validate_quote_status( + current_timestamp: Time, + avr: &AttestationVerificationReport, +) -> Result { // 1. Verify quote body let quote = avr.parse_quote().map_err(Error::attestation_report)?; // 2. Check quote's timestamp is within 24H - let now = Time::now(); info!( - "Time: now={:?} quote_timestamp={:?}", - now, quote.attestation_time + "Time: current_timestamp={:?} quote_timestamp={:?}", + current_timestamp, quote.attestation_time ); - if now >= (quote.attestation_time + Duration::from_secs(60 * 60 * 24)).map_err(Error::time)? { - return Err(Error::too_old_report_timestamp(now, quote.attestation_time)); + if current_timestamp + >= (quote.attestation_time + Duration::from_secs(60 * 60 * 24)).map_err(Error::time)? + { + return Err(Error::too_old_report_timestamp( + current_timestamp, + quote.attestation_time, + )); } // 3. Verify quote status (mandatory field) diff --git a/enclave/Cargo.lock b/enclave/Cargo.lock index 94c5b717..d2ccd23f 100644 --- a/enclave/Cargo.lock +++ b/enclave/Cargo.lock @@ -871,7 +871,6 @@ dependencies = [ "prost", "serde", "serde_json", - "sgx_tstd", "sgx_types", "tendermint", ] diff --git a/modules/attestation-report/src/verification.rs b/modules/attestation-report/src/verification.rs index 0fbd6844..e0685bf1 100644 --- a/modules/attestation-report/src/verification.rs +++ b/modules/attestation-report/src/verification.rs 
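Review bot: The freshness check in step 2 of `validate_quote_status` bounds `current_timestamp` only from above: any value earlier than `quote.attestation_time` passes, which matters more now that the time is a caller-supplied argument rather than read inside the function. Consider also rejecting a timestamp that precedes the quote, with a small clock-skew tolerance if the attestation service's clock and the caller's can differ, e.g. `if current_timestamp < quote.attestation_time { return Err(...) }` using whichever error variant the crate has for time mismatches. The function body continues past the hunk (step 3 onward), so the later steps are not covered by this note.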
@@ -26,10 +26,12 @@ static SUPPORTED_SIG_ALGS: SignatureAlgorithms = &[ ]; pub fn verify_report( + current_timestamp: Time, report: &EndorsedAttestationVerificationReport, - current_time: Time, ) -> Result<(), Error> { - let current_unix_timestamp = current_time.duration_since(TmTime::unix_epoch()).unwrap(); + let current_unix_timestamp = current_timestamp + .duration_since(TmTime::unix_epoch()) + .unwrap(); // NOTE: Currently, webpki::Time's constructor only accepts seconds as unix timestamp. // Therefore, the current time are rounded up conservatively. let secs = if current_unix_timestamp.subsec_nanos() > 0 { diff --git a/modules/ecall-commands/src/commands.rs b/modules/ecall-commands/src/commands.rs index 006a6222..d7cd1846 100644 --- a/modules/ecall-commands/src/commands.rs +++ b/modules/ecall-commands/src/commands.rs @@ -3,6 +3,7 @@ use crate::{ LightClientResult, }; use crypto::SealedEnclaveKey; +use lcp_types::Time; use serde::{Deserialize, Serialize}; use store::TxId; @@ -20,13 +21,18 @@ impl ECallCommand { #[derive(Serialize, Deserialize, Debug)] pub struct CommandContext { + pub current_timestamp: Time, pub sealed_ek: Option, pub tx_id: TxId, } impl CommandContext { - pub fn new(sealed_ek: Option, tx_id: TxId) -> Self { - Self { sealed_ek, tx_id } + pub fn new(current_timestamp: Time, sealed_ek: Option, tx_id: TxId) -> Self { + Self { + current_timestamp, + sealed_ek, + tx_id, + } } } diff --git a/modules/enclave-api/Cargo.toml b/modules/enclave-api/Cargo.toml index 12e19079..18b4c572 100644 --- a/modules/enclave-api/Cargo.toml +++ b/modules/enclave-api/Cargo.toml @@ -12,6 +12,7 @@ flex-error = { version = "0.4.4" } rsa = { version = "0.9.2", features = ["pem"], optional = true } sha2 = { version = "0.10.6", default-features = false, features = ["oid"], optional = true } +lcp-types = { path = "../types" } commitments = { path = "../commitments" } ecall-commands = { path = "../ecall-commands", features = ["std"] } keymanager = { path = "../keymanager" } 
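Review bot: `verify_report` still calls `.unwrap()` on `current_timestamp.duration_since(TmTime::unix_epoch())`, and with this patch the value arrives as a parameter that the enclave path fills from a deserialized `CommandContext`. If `Time` can hold an instant before the Unix epoch, such an input would panic here instead of producing an `Err`. Since the function already returns `Result<(), Error>`, replacing the `.unwrap()` with `.map_err(...)?` into an existing `Error` variant keeps malformed input on the error path. The rest of the function, including the rounding to whole seconds, lies outside the hunk.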
diff --git a/modules/enclave-api/src/api/primitive.rs b/modules/enclave-api/src/api/primitive.rs index ad82f80d..4d75ad72 100644 --- a/modules/enclave-api/src/api/primitive.rs +++ b/modules/enclave-api/src/api/primitive.rs @@ -3,6 +3,7 @@ use crate::{ ffi, Error, Result, }; use ecall_commands::{Command, CommandContext, CommandResult, ECallCommand, EnclaveKeySelector}; +use lcp_types::Time; use log::*; use sgx_types::{sgx_enclave_id_t, sgx_status_t}; use store::transaction::{CommitStore, Tx}; @@ -14,14 +15,15 @@ pub trait EnclavePrimitiveAPI: EnclaveInfo + HostStoreTxManager< "prepare command: inner={:?} update_key={:?}", cmd, update_key ); + let current_timestamp = Time::now(); let tx = self.begin_tx(update_key)?; let cctx = match cmd.get_enclave_key() { Some(addr) => { let ski = self.get_key_manager().load(addr)?; - CommandContext::new(Some(ski.sealed_ek), tx.get_id()) + CommandContext::new(current_timestamp, Some(ski.sealed_ek), tx.get_id()) } - None => CommandContext::new(None, tx.get_id()), + None => CommandContext::new(current_timestamp, None, tx.get_id()), }; let ecmd = ECallCommand::new(cctx, cmd); diff --git a/modules/types/Cargo.toml b/modules/types/Cargo.toml index 014cf08c..e99e9b06 100644 --- a/modules/types/Cargo.toml +++ b/modules/types/Cargo.toml @@ -5,7 +5,6 @@ edition = "2021" [dependencies] sgx_types = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" } -sgx_tstd = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk", features = ["untrusted_time"], optional = true } prost = { version = "0.11", default-features = false } ibc = { version = "0.29.0", default-features = false, features = ["serde"], optional = true } lcp-proto = { path = "../../proto", default-features = false } @@ -24,9 +23,6 @@ default = ["std"] std = [ "flex-error/std" ] -sgx = [ - "sgx_tstd", -] ibc = [ "dep:ibc" ] diff --git a/modules/types/src/time.rs b/modules/types/src/time.rs index 3a946b66..c336681e 100644 
--- a/modules/types/src/time.rs +++ b/modules/types/src/time.rs @@ -23,13 +23,6 @@ impl Time { Time(TmTime::from_unix_timestamp(now.as_secs() as i64, now.subsec_nanos()).unwrap()) } - #[cfg(all(feature = "sgx", not(feature = "std")))] - pub fn now() -> Self { - use sgx_tstd::time::{SystemTime, UNIX_EPOCH}; - let now = SystemTime::now().duration_since(UNIX_EPOCH).unwrap(); - Time(TmTime::from_unix_timestamp(now.as_secs() as i64, now.subsec_nanos()).unwrap()) - } - pub fn unix_epoch() -> Self { Time(TmTime::unix_epoch()) }