Skip to content

Commit

Permalink
Merge branch 'master' into testnet
Browse files Browse the repository at this point in the history
  • Loading branch information
valdok committed May 14, 2024
2 parents c63d853 + ba3fc98 commit 2eddc33
Show file tree
Hide file tree
Showing 3 changed files with 82 additions and 31 deletions.
12 changes: 10 additions & 2 deletions cosmwasm/enclaves/execute/src/registration/attestation.rs
Original file line number Diff line number Diff line change
Expand Up @@ -170,7 +170,8 @@ pub fn validate_enclave_version(
let _result = ecc_handle.close();

if verify_ra_cert(&cert_der, None, true).is_err() {
sgx_status_t::SGX_ERROR_UNEXPECTED
error!("Error verifying report.");
return Err(sgx_status_t::SGX_ERROR_UNEXPECTED);
}

Ok(())
Expand Down Expand Up @@ -437,7 +438,7 @@ pub fn get_quote_ecdsa(_pub_k: &[u8; 32]) -> Result<(Vec<u8>, Vec<u8>), sgx_stat
}

#[cfg(feature = "SGX_MODE_HW")]
pub fn get_quote_ecdsa(pub_k: &[u8; 32]) -> Result<(Vec<u8>, Vec<u8>), sgx_status_t> {
pub fn get_quote_ecdsa_untested(pub_k: &[u8; 32]) -> Result<(Vec<u8>, Vec<u8>), sgx_status_t> {
let mut qe_target_info = sgx_target_info_t::default();
let mut quote_size: u32 = 0;
let mut rt: sgx_status_t = sgx_status_t::default();
Expand Down Expand Up @@ -526,6 +527,13 @@ pub fn get_quote_ecdsa(pub_k: &[u8; 32]) -> Result<(Vec<u8>, Vec<u8>), sgx_statu
}
}

Ok((vec_quote, vec_coll))
}

#[cfg(feature = "SGX_MODE_HW")]
pub fn get_quote_ecdsa(pub_k: &[u8; 32]) -> Result<(Vec<u8>, Vec<u8>), sgx_status_t> {
let (vec_quote, vec_coll) = get_quote_ecdsa_untested(pub_k)?;

// test self
match verify_quote_ecdsa(&vec_quote, &vec_coll, 0) {
Ok(r) => {
Expand Down
99 changes: 71 additions & 28 deletions cosmwasm/enclaves/execute/src/registration/check_patch_level.rs
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,16 @@ use crate::registration::attestation::create_attestation_report;
use crate::registration::cert::verify_quote_status;

#[cfg(feature = "SGX_MODE_HW")]
use crate::registration::offchain::get_attestation_report_dcap;
use crate::registration::attestation::get_quote_ecdsa_untested;

#[cfg(feature = "SGX_MODE_HW")]
use crate::registration::attestation::verify_quote_ecdsa;

#[cfg(feature = "SGX_MODE_HW")]
use enclave_utils::storage::write_to_untrusted;

#[cfg(feature = "SGX_MODE_HW")]
use crate::sgx_types::sgx_ql_qv_result_t;

#[cfg(not(feature = "epid_whitelist_disabled"))]
use crate::registration::cert::check_epid_gid_is_whitelisted;
Expand All @@ -35,11 +44,37 @@ pub unsafe extern "C" fn ecall_check_patch_level(
panic!("unimplemented")
}

/// # Safety
/// Don't forget to check the input length of api_key_len
#[no_mangle]
#[cfg(feature = "SGX_MODE_HW")]
pub unsafe extern "C" fn ecall_check_patch_level(
unsafe fn check_patch_level_dcap(pub_k: &[u8; 32]) -> NodeAuthResult {
match get_quote_ecdsa_untested(pub_k) {
Ok((vec_quote, vec_coll)) => {
match verify_quote_ecdsa(&vec_quote, &vec_coll, 0) {
Ok(r) => {
if r.1 != sgx_ql_qv_result_t::SGX_QL_QV_RESULT_OK {
println!("WARNING: {}", r.1);
}

println!("DCAP attestation obtained and verified ok");
return NodeAuthResult::Success;
}
Err(e) => {
println!("DCAP quote obtained, but failed to verify it: {}", e);

let _ = write_to_untrusted(&vec_quote, "dcap_quote.bin");
let _ = write_to_untrusted(&vec_coll, "dcap_collateral.bin");
}
};
}
Err(e) => {
println!("Failed to obtain DCAP attestation: {}", e);
}
}
NodeAuthResult::InvalidCert
}

#[cfg(feature = "SGX_MODE_HW")]
unsafe fn check_patch_level_epid(
pub_k: &[u8; 32],
api_key: *const u8,
api_key_len: u32,
) -> NodeAuthResult {
Expand All @@ -51,29 +86,14 @@ pub unsafe extern "C" fn ecall_check_patch_level(

let api_key_slice = slice::from_raw_parts(api_key, api_key_len as usize);

// CREATE THE ATTESTATION REPORT
// generate temporary key for attestation
let temp_key_result = enclave_crypto::KeyPair::new().unwrap();

let res_dcap = unsafe { get_attestation_report_dcap(&temp_key_result) };
if res_dcap.is_ok() {
println!("DCAP attestation ok");
return NodeAuthResult::Success;
}

let signed_report = match create_attestation_report(
&temp_key_result.get_pubkey(),
SIGNATURE_TYPE,
api_key_slice,
None,
true,
) {
Ok(r) => r,
Err(_e) => {
error!("Error creating attestation report");
return NodeAuthResult::InvalidCert;
}
};
let signed_report =
match create_attestation_report(pub_k, SIGNATURE_TYPE, api_key_slice, None, true) {
Ok(r) => r,
Err(_e) => {
error!("Error creating attestation report");
return NodeAuthResult::InvalidCert;
}
};

let payload: String = serde_json::to_string(&signed_report)
.map_err(|_| {
Expand Down Expand Up @@ -151,3 +171,26 @@ pub unsafe extern "C" fn ecall_check_patch_level(
_ => NodeAuthResult::Success,
}
}

/// # Safety
/// Don't forget to check the input length of api_key_len
#[no_mangle]
#[cfg(feature = "SGX_MODE_HW")]
pub unsafe extern "C" fn ecall_check_patch_level(
api_key: *const u8,
api_key_len: u32,
) -> NodeAuthResult {
let temp_key_result = enclave_crypto::KeyPair::new().unwrap();

let res1 = check_patch_level_dcap(&temp_key_result.get_pubkey());
let res2 = check_patch_level_epid(&temp_key_result.get_pubkey(), api_key, api_key_len);

println!("DCAP attestation: {}", res1);
println!("EPID attestation: {}", res2);

if NodeAuthResult::Success == res1 {
return res1;
}

res2
}
2 changes: 1 addition & 1 deletion deployment/dockerfiles/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -312,7 +312,7 @@ WORKDIR /go/src/github.com/enigmampc/SecretNetwork/

COPY check-hw check-hw

RUN STORAGE_PATH=`echo ${VERSION} | sed -e 's/\.//g' | head -c 2` \
RUN STORAGE_PATH=$(echo ${VERSION} | awk -F'[.]' '{print $1 $2}') \
&& wget -O check-hw/check_hw_enclave.so https://engfilestorage.blob.core.windows.net/v$STORAGE_PATH/librust_cosmwasm_enclave.signed.so
COPY --from=compile-secretd /go/src/github.com/enigmampc/SecretNetwork/go-cosmwasm/librust_cosmwasm_enclave.signed.so check-hw/check_hw_enclave_testnet.so

Expand Down

0 comments on commit 2eddc33

Please sign in to comment.