KME Replication at trusted layer

Implementation of workorder targetted for KME (primary/replica)
- state-uid
- state-request
- get-state
- set-state

Signed-off-by: Rajeev Ranjan <[email protected]>

tc/sgx/trusted_worker_manager/enclave/enclave_data.cpp

@@ -79,7 +79,7 @@ EnclaveData::EnclaveData(const uint8_t* inSealedData) {
         nullptr, 0, &decrypted_data[0], &decrypted_size);
     tcf::error::ThrowSgxError(ret, "Failed to unseal  data");
     std::string decrypted_data_string(reinterpret_cast<const char*>(&decrypted_data[0]));
-    DeserializeSealedData(decrypted_data_string);
+    DeserializePrivateData(decrypted_data_string);
     // Clear local variable storing secret(s)
     decrypted_data.clear();
     decrypted_data_string.clear();
@@ -92,7 +92,7 @@ EnclaveData::EnclaveData(const uint8_t* inSealedData) {
 }
 // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-void EnclaveData::DeserializeSealedData(const std::string& inSerializedEnclaveData) {
+void EnclaveData::DeserializePrivateData(const std::string& inSerializedEnclaveData) {
     std::string svalue;
     const char* pvalue = nullptr;
     size_t pvalue_len = 0;

tc/sgx/trusted_worker_manager/enclave/enclave_data.h

@@ -64,7 +64,7 @@ class EnclaveData {
 protected:
     void SerializePrivateData(void);
     void SerializePublicData(void);
-    void DeserializeSealedData(const std::string& inSerializedEnclaveData);
+    void DeserializePrivateData(const std::string& inSerializedEnclaveData);
 
     tcf::crypto::sig::PublicKey public_signing_key_;
     tcf::crypto::sig::PrivateKey private_signing_key_;
@@ -79,7 +79,18 @@ class EnclaveData {
     std::string serialized_public_data_;
 
 public:
-     static EnclaveData* getInstance(const uint8_t* inSealedData=nullptr) {
+    void updateEnclaveData(std::string decrypted_private_data) {
+        DeserializePrivateData(decrypted_private_data);
+        // Clear local variable storing secret(s)
+        decrypted_private_data.clear();
+
+        // Create encryption key signature
+        generate_encryption_key_signature();
+
+        SerializePrivateData();
+        SerializePublicData();
+    }
+    static EnclaveData* getInstance(const uint8_t* inSealedData=nullptr) {
         if(!instance) {
             if(inSealedData != nullptr)
                 instance = new EnclaveData(inSealedData);
@@ -150,4 +161,16 @@ class EnclaveData {
         size_t sdsize = sgx_calc_sealed_data_size(0, get_private_data_size());
         return sdsize;
     }
+
+    void get_sealed_data(uint8_t* outSealedEnclaveData) const {
+        sgx_attributes_t attribute_mask = {0xfffffffffffffff3, 0};
+        sgx_seal_data_ex(SGX_KEYPOLICY_MRENCLAVE, attribute_mask,
+            0,        // misc_mask
+            0,        // additional mac text length
+            nullptr,  // additional mac text
+            get_private_data_size(),
+            reinterpret_cast<const uint8_t*>(get_private_data().c_str()),
+            static_cast<uint32_t>(get_sealed_data_size()),
+            reinterpret_cast<sgx_sealed_data_t*>(outSealedEnclaveData));
+    }
 };

tc/sgx/trusted_worker_manager/enclave/kme/ext_work_order_info_kme.h

@@ -32,6 +32,14 @@ enum KmeRegistrationStatus {
     ERR_UNIQUE_ID_NOT_MATCH = 7 /// WPE unique id didn't match
 };
 
+enum KmeReplicationReturnCode { /// KME Replication operation(state-uid, state-request, get-state, set-state) status
+    KME_REPL_OP_SUCCESS = 0, /// Operation successful
+    KME_REPL_OP_FAILED = 1, /// Operation failure
+    ERR_KME_REPL_UID_MISMATCH = 2, /// State UID did not match for requesting Replica KME
+    ERR_KME_REPL_NONCE_MISMATCH = 3, /// Nonce did not match for requesting Replica KME
+    ERR_KME_REPL_SIG_VERIF_FAILED = 4 /// State UID+Nonce signature mismatch
+};
+
 enum KmePreProcessStatus {
     ERR_WPE_MAX_WO_COUNT_REACHED = 1
 };