feat: configuration for attestation
Co-authored-by: Roman Volosatovs <roman@profian.com>
Signed-off-by: Richard Zak <richard@profian.com>
rjzak and rvolosatovs committed Dec 4, 2022
1 parent a102dd8 commit 8450b88
Showing 15 changed files with 962 additions and 140 deletions.
42 changes: 42 additions & 0 deletions Cargo.lock


5 changes: 4 additions & 1 deletion Cargo.toml
Expand Up @@ -30,6 +30,8 @@ anyhow = { version = "^1.0.66", default-features = false }
base64 = { version = "^0.13.1", default-features = false }
mime = { version = "^0.3.16", default-features = false }
confargs = { version = "^0.1.3", default-features = false }
serde = { version = "1.0", features = ["derive"], default-features = false }
toml = { version = "0.5", default-features = false }

[target.'cfg(not(target_os = "wasi"))'.dependencies]
tokio = { version = "^1.21.2", features = ["rt-multi-thread", "macros"], default-features = false }
Expand All @@ -51,7 +53,8 @@ strip = true
[workspace]
resolver = '2'
members = [
'crates/cryptography',
'crates/sgx_validation',
'crates/snp_validation',
'crates/cryptography',
'crates/validation_common',
]
1 change: 1 addition & 0 deletions crates/cryptography/Cargo.toml
Expand Up @@ -13,6 +13,7 @@ rand = { version = "0.8", features = ["std"], default-features = false }
rsa = {version = "0.7.2", features = ["std"], default-features = false }
rustls-pemfile = {version = "1.0.1", default-features = false }
sec1 = { version = "0.3", features = ["std", "pkcs8"], default-features = false }
serde = { version = "1.0", features = ["derive", "std"], default-features = false }
sha2 = { version = "^0.10.2", default-features = false }
signature = {version = "1.6", default-features = false }
spki = { version = "0.6", default-features = false }
3 changes: 3 additions & 0 deletions crates/sgx_validation/Cargo.toml
Expand Up @@ -7,9 +7,12 @@ description = "Intel SGX Attestation validation library for Steward"

[dependencies]
cryptography = { path = "../cryptography" }
validation_common = { path = "../validation_common" }
anyhow = { version = "^1.0.55", default-features = false }
der = { version = "0.6", features = ["std"], default-features = false }
serde = { version = "1.0", features = ["derive", "std"], default-features = false }
sgx = { version = "0.6.0", default-features = false }

[dev-dependencies]
testaso = { version = "0.1", default-features = false }
toml = { version = "0.5", default-features = false }
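--- a/crates/sgx_validation/src/config.rs
+++ b/crates/sgx_validation/src/config.rs
@@ -0,0 +1,117 @@
+// SPDX-FileCopyrightText: 2022 Profian Inc. <opensource@profian.com>
+// SPDX-License-Identifier: AGPL-3.0-only
+
+use serde::{Deserialize, Deserializer, Serialize};
+use sgx::parameters::Features;
+use validation_common::Measurements;
+
+#[derive(Clone, Deserialize, Debug, Serialize)]
+pub enum SgxFeatures {
+CET,
+Debug,
+EIntKey,
+KSS,
+ProvisioningKey,
+}
+
+#[derive(Clone, Deserialize, Debug, Default)]
+pub struct Config {
+/// Values for `mrsigner` in the report body, as `Measurements::signer()`
+/// This is the list of public keys which have signed the Enarx binary.
+/// Values for `mrenclave` in the report body, as `Measurements::hash()`
+/// This is the hash of the Enclave environment after the Enarx binary is loaded
+/// but before any workload is loaded, so this is a hash of the Enarx binary
+/// in memory.
+#[serde(default, flatten)]
+pub measurements: Measurements<32>,
+
+/// Values for `features`.
+#[serde(default)]
+#[serde(deserialize_with = "from_features")]
+pub features: u64,
+
+/// Minimum value for `isv_svn`.
+pub enclave_security_version: Option<u16>,
+
+/// Value for `isv_prodid`, do not allow versions below this.
+pub enclave_product_id: Option<u16>,
+}
+
+fn from_features<'de, D>(deserializer: D) -> Result<u64, D::Error>
+where
+D: Deserializer<'de>,
+{
+let s: Vec<SgxFeatures> = Deserialize::deserialize(deserializer)?;
+
+let mut flags = Features::empty();
+
+// Must be set according to Intel SGX documentation, this indicates permission
+// to create SGX enclaves.
+flags |= Features::INIT;
+
+// Required by Enarx, as Wasmtime requires 64-bit, and modern systems are all 64-bit anyway
+flags |= Features::MODE64BIT;
+
+for flag in s {
+match flag {
+SgxFeatures::CET => {
+flags |= Features::CET;
+}
+SgxFeatures::Debug => {
+flags |= Features::DEBUG;
+}
+SgxFeatures::EIntKey => {
+flags |= Features::EINIT_KEY;
+}
+SgxFeatures::KSS => {
+flags |= Features::KSS;
+}
+SgxFeatures::ProvisioningKey => {
+flags |= Features::PROVISIONING_KEY;
+}
+}
+}
+
+Ok(flags.bits())
+}
+
+#[cfg(test)]
+mod tests {
+use super::*;
+use validation_common::Digest;
+
+#[test]
+fn empty_config() {
+assert!(toml::from_str::<Config>("").is_err());
+}
+
+#[test]
+fn list_of_hashes() {
+const SIGNER: &str = r#"enarx_signer = ["2eba0f494f428e799c22d6f12778aebea4dc8d991f9e63fd3cddd57ac6eb5dd9"]"#;
+let signer = Digest([
+0x2e, 0xba, 0x0f, 0x49, 0x4f, 0x42, 0x8e, 0x79, 0x9c, 0x22, 0xd6, 0xf1, 0x27, 0x78,
+0xae, 0xbe, 0xa4, 0xdc, 0x8d, 0x99, 0x1f, 0x9e, 0x63, 0xfd, 0x3c, 0xdd, 0xd5, 0x7a,
+0xc6, 0xeb, 0x5d, 0xd9,
+]);
+
+let config: Config = toml::from_str(&format!(
+r#"
+{SIGNER}
+"#,
+))
+.expect("Couldn't deserialize");
+
+assert_eq!(config.measurements.signer.len(), 1);
+assert!(config.measurements.signer.contains(&signer));
+}
+
+#[test]
+fn too_short() {
+let config: Result<Config, toml::de::Error> = toml::from_str(
+r#"
+enarx_signer = ["41c179d5c0d5bc4915752ccf9bbd2baa574716832235ef5bb998fadcda1e46"]
+"#,
+);
+assert!(config.is_err());
+}
+}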
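Review bot: The `#[serde(default)]` on `Config::features` bypasses `from_features` entirely when the `features` key is absent, so an omitted key yields `0` while an explicit `features = []` yields `INIT | MODE64BIT`, and the derived `Default` on `Config` produces the same `0`; the two ways of saying "no extra features" should agree. Replace the attribute with `#[serde(default = "default_features")]`, add `fn default_features() -> u64 { (Features::INIT | Features::MODE64BIT).bits() }`, and implement `Default` for `Config` by hand so `Config::default().features` uses the same value. How the validator compares these bits against the report is not visible in this hunk, so whether the `0` case is rejected or silently accepted depends on code outside it. Separately, the `Debug` variant deserves a doc comment such as `/// Accepts debug-mode enclaves; their memory is readable by the platform, so this must not appear in a production policy.`, and a test pinning the absent-key case (`toml::from_str::<Config>` with only `enarx_signer` set, then `assert_eq!(config.features, default_features())`) would lock the behaviour in.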
Binary file added crates/sgx_validation/src/icelake.signed.csr
Binary file not shown.
