From 4e516859de8834a2e0fbf60c20c9487e566a2430 Mon Sep 17 00:00:00 2001
From: valdok
Date: Mon, 6 May 2024 09:16:51 +0000
Subject: [PATCH 1/3] validate_enclave_version - misc

---
 .../execute/src/registration/attestation.rs | 39 +------------------
 1 file changed, 2 insertions(+), 37 deletions(-)

diff --git a/cosmwasm/enclaves/execute/src/registration/attestation.rs b/cosmwasm/enclaves/execute/src/registration/attestation.rs
index 81d301a43..1c2157154 100644
--- a/cosmwasm/enclaves/execute/src/registration/attestation.rs
+++ b/cosmwasm/enclaves/execute/src/registration/attestation.rs
@@ -166,46 +166,11 @@ pub fn validate_enclave_version( sgx_status_t::SGX_ERROR_UNEXPECTED })?; - // let timestamp = crate::registration::report::AttestationReport::from_cert(&cert_der) - // .map_err(|_| sgx_status_t::SGX_ERROR_UNEXPECTED)? - // .timestamp; - - // if result.is_err() && in_grace_period(timestamp) { - // let ecc_handle = SgxEccHandle::new(); - // let _result = ecc_handle.open(); - // - // // use ephemeral key - // let (prv_k, pub_k) = ecc_handle.create_key_pair().unwrap(); - // - // // call create_report using the secp256k1 public key, and __not__ the P256 one - // let signed_report = - // match create_attestation_report(&kp.get_pubkey(), sign_type, api_key, challenge, false) - // { - // Ok(r) => r, - // Err(e) => { - // error!("Error creating attestation report"); - // return Err(e); - // } - // }; - // - // let payload: String = serde_json::to_string(&signed_report).map_err(|_| { - // error!("Error serializing report. May be malformed, or badly encoded"); - // sgx_status_t::SGX_ERROR_UNEXPECTED - // })?; - // let (_key_der, cert_der) = super::cert::gen_ecc_cert(payload, &prv_k, &pub_k, &ecc_handle)?; - // let _result = ecc_handle.close(); - // - // let verify_result = verify_ra_cert(&cert_der, None, false); - // if verify_result.is_err() { - // #[cfg(all(feature = "SGX_MODE_HW", feature = "production"))] - // remove_all_keys(); - // } - // } else - let (_key_der, cert_der) = super::cert::gen_ecc_cert(payload, &prv_k, &pub_k, &ecc_handle)?; let _result = ecc_handle.close(); + if verify_ra_cert(&cert_der, None, true).is_err() { - remove_all_keys(); + sgx_status_t::SGX_ERROR_UNEXPECTED } Ok(()) From da9266e014c2df0aef978679e3bbb2720bf4a335 Mon Sep 17 00:00:00 2001 
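Review bot: The new failure branch in validate_enclave_version never propagates: `if verify_ra_cert(&cert_der, None, true).is_err() { sgx_status_t::SGX_ERROR_UNEXPECTED }` leaves the status code as a discarded block value (a non-unit `if` without `else` should not even type-check) and execution falls through to `Ok(())`, so a self-generated certificate that fails verification still passes. The line should be `return Err(sgx_status_t::SGX_ERROR_UNEXPECTED);`, consistent with the `map_err(|_| sgx_status_t::SGX_ERROR_UNEXPECTED)?` pattern used earlier in this function. Since this branch previously wiped the node's keys via `remove_all_keys()` and now only reports an error, a one-line comment stating why a failed self-verification is no longer treated as key-compromising would help the next reader. The function's signature and the earlier part of its body lie outside the hunk.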
From: valdok Date: Mon, 6 May 2024 11:25:12 +0000 Subject: [PATCH 2/3] moved dcap-related ocalls to attestation_dcap.rs --- cosmwasm/packages/sgx-vm/src/attestation.rs | 370 +---------------- .../packages/sgx-vm/src/attestation_dcap.rs | 390 ++++++++++++++++++ cosmwasm/packages/sgx-vm/src/lib.rs | 1 + 3 files changed, 393 insertions(+), 368 deletions(-) create mode 100644 cosmwasm/packages/sgx-vm/src/attestation_dcap.rs diff --git a/cosmwasm/packages/sgx-vm/src/attestation.rs b/cosmwasm/packages/sgx-vm/src/attestation.rs index 92e209a12..c5eefc595 100644 --- a/cosmwasm/packages/sgx-vm/src/attestation.rs +++ b/cosmwasm/packages/sgx-vm/src/attestation.rs @@ -1,14 +1,11 @@ -use core::mem; use std::net::{SocketAddr, TcpStream}; use std::os::unix::io::IntoRawFd; -use std::ptr::null_mut; -use std::time::{SystemTime, UNIX_EPOCH}; -use std::{self, ptr}; +use std::{self}; use log::*; use sgx_types::*; -use sgx_types::{sgx_ql_qve_collateral_t, sgx_status_t, SgxResult}; +use sgx_types::{sgx_status_t, SgxResult}; use enclave_ffi_types::{NodeAuthResult, OUTPUT_ENCRYPTED_SEED_SIZE, SINGLE_ENCRYPTED_SEED_SIZE}; 
@@ -141,317 +138,6 @@ pub extern "C" fn ocall_get_quote( ret } -#[cfg(not(test))] -#[no_mangle] -pub extern "C" fn ocall_get_quote_ecdsa_params( - p_qe_info: *mut sgx_target_info_t, - p_quote_size: *mut u32, -) -> sgx_status_t { - let mut ret = unsafe { sgx_qe_get_target_info(p_qe_info) }; - if ret != sgx_quote3_error_t::SGX_QL_SUCCESS { - trace!("sgx_qe_get_target_info returned {}", ret); - return sgx_status_t::SGX_ERROR_UNEXPECTED; - } - - ret = unsafe { sgx_qe_get_quote_size(p_quote_size) }; - if ret != sgx_quote3_error_t::SGX_QL_SUCCESS { - trace!("sgx_qe_get_quote_size returned {}", ret); - return sgx_status_t::SGX_ERROR_BUSY; - } - - unsafe { - trace!("*QuoteSize = {}", *p_quote_size); - } - - sgx_status_t::SGX_SUCCESS -} - -#[cfg(not(test))] -#[no_mangle] -pub extern "C" fn ocall_get_quote_ecdsa( - p_report: *const sgx_report_t, - p_quote: *mut u8, - n_quote: u32, -) -> sgx_status_t -{ - trace!("Entering ocall_get_quote_ecdsa"); - - //let mut qe_target_info: sgx_target_info_t; - //sgx_qe_get_target_info(&qe_target_info); - - let mut n_quote_act: u32 = 0; - let mut ret = unsafe { sgx_qe_get_quote_size(&mut n_quote_act) }; - if ret != sgx_quote3_error_t::SGX_QL_SUCCESS { - trace!("sgx_qe_get_quote_size returned {}", ret); - return sgx_status_t::SGX_ERROR_UNEXPECTED; - } - - if n_quote_act > n_quote { - return sgx_status_t::SGX_ERROR_UNEXPECTED; - } - - ret = unsafe { sgx_qe_get_quote(p_report, n_quote, p_quote) }; - if ret != sgx_quote3_error_t::SGX_QL_SUCCESS { - trace!("sgx_qe_get_quote returned {}", ret); - return sgx_status_t::SGX_ERROR_UNEXPECTED; - } - - sgx_status_t::SGX_SUCCESS -} - -pub struct QlQveCollateral { - pub tee_type: u32, // 0x00000000: SGX or 0x00000081: TDX - pub pck_crl_issuer_chain_size: u32, - pub root_ca_crl_size: u32, - pub pck_crl_size: u32, - pub tcb_info_issuer_chain_size: u32, - pub tcb_info_size: u32, - pub qe_identity_issuer_chain_size: u32, - pub qe_identity_size: u32 -} - -fn sgx_ql_qve_collateral_serialize( - p_col: *const 
u8, - n_col: u32, - p_res: *mut u8, - n_res: u32, -) -> u32 -{ - if n_col < mem::size_of::() as u32 { - return 0; - } - - unsafe { - let p_ql_col = p_col as *const sgx_ql_qve_collateral_t; - - let size_extra = - (*p_ql_col).pck_crl_issuer_chain_size + - (*p_ql_col).root_ca_crl_size + - (*p_ql_col).pck_crl_size + - (*p_ql_col).tcb_info_issuer_chain_size + - (*p_ql_col).tcb_info_size + - (*p_ql_col).qe_identity_issuer_chain_size + - (*p_ql_col).qe_identity_size - ; - - if n_col < mem::size_of::() as u32 + size_extra { - return 0; - } - - let out_size: u32 = mem::size_of::() as u32 + size_extra; - - if n_res >= out_size { - - let x = QlQveCollateral { - tee_type : (*p_ql_col).tee_type, - pck_crl_issuer_chain_size : (*p_ql_col).pck_crl_issuer_chain_size, - root_ca_crl_size : (*p_ql_col).root_ca_crl_size, - pck_crl_size : (*p_ql_col).pck_crl_size, - tcb_info_issuer_chain_size : (*p_ql_col).tcb_info_issuer_chain_size, - tcb_info_size : (*p_ql_col).tcb_info_size, - qe_identity_issuer_chain_size : (*p_ql_col).qe_identity_issuer_chain_size, - qe_identity_size : (*p_ql_col).qe_identity_size - }; - - ptr::copy_nonoverlapping(&x as *const QlQveCollateral as *const u8, p_res, mem::size_of::()); - let mut offs = mem::size_of::(); - - ptr::copy_nonoverlapping((*p_ql_col).pck_crl_issuer_chain as *const u8, p_res.add(offs), x.pck_crl_issuer_chain_size as usize); - offs += x.pck_crl_issuer_chain_size as usize; - - ptr::copy_nonoverlapping((*p_ql_col).root_ca_crl as *const u8, p_res.add(offs), x.root_ca_crl_size as usize); - offs += x.root_ca_crl_size as usize; - - ptr::copy_nonoverlapping((*p_ql_col).pck_crl as *const u8, p_res.add(offs), x.pck_crl_size as usize); - offs += x.pck_crl_size as usize; - - ptr::copy_nonoverlapping((*p_ql_col).tcb_info_issuer_chain as *const u8, p_res.add(offs), x.tcb_info_issuer_chain_size as usize); - offs += x.tcb_info_issuer_chain_size as usize; - - ptr::copy_nonoverlapping((*p_ql_col).tcb_info as *const u8, p_res.add(offs), x.tcb_info_size as 
usize); - offs += x.tcb_info_size as usize; - - ptr::copy_nonoverlapping((*p_ql_col).qe_identity_issuer_chain as *const u8, p_res.add(offs), x.qe_identity_issuer_chain_size as usize); - offs += x.qe_identity_issuer_chain_size as usize; - - ptr::copy_nonoverlapping((*p_ql_col).qe_identity as *const u8, p_res.add(offs), x.qe_identity_size as usize); - } - - return out_size; - }; -} - - -fn sgx_ql_qve_collateral_deserialize(p_ser: *const u8, n_ser: u32) -> sgx_ql_qve_collateral_t { - let mut res = sgx_ql_qve_collateral_t { - version: 0, - tee_type: 0, - pck_crl_issuer_chain: null_mut(), - pck_crl_issuer_chain_size: 0, - root_ca_crl: null_mut(), - root_ca_crl_size: 0, - pck_crl: null_mut(), - pck_crl_size: 0, - tcb_info_issuer_chain: null_mut(), - tcb_info_issuer_chain_size: 0, - tcb_info: null_mut(), - tcb_info_size: 0, - qe_identity_issuer_chain: null_mut(), - qe_identity_issuer_chain_size: 0, - qe_identity: null_mut(), - qe_identity_size: 0 - }; - - if n_ser >= mem::size_of::() as u32 { - - unsafe { - let p_ql_col = p_ser as *const QlQveCollateral; - let size_extra = - (*p_ql_col).pck_crl_issuer_chain_size + - (*p_ql_col).root_ca_crl_size + - (*p_ql_col).pck_crl_size + - (*p_ql_col).tcb_info_issuer_chain_size + - (*p_ql_col).tcb_info_size + - (*p_ql_col).qe_identity_issuer_chain_size + - (*p_ql_col).qe_identity_size - ; - - if n_ser >= mem::size_of::() as u32 + size_extra { - - res.version = 1; // PCK Cert chain is in the Quote. 
- res.tee_type = (*p_ql_col).tee_type; - res.pck_crl_issuer_chain_size = (*p_ql_col).pck_crl_issuer_chain_size; - res.root_ca_crl_size = (*p_ql_col).root_ca_crl_size; - res.pck_crl_size = (*p_ql_col).pck_crl_size; - res.tcb_info_issuer_chain_size = (*p_ql_col).tcb_info_issuer_chain_size; - res.tcb_info_size = (*p_ql_col).tcb_info_size; - res.qe_identity_issuer_chain_size = (*p_ql_col).qe_identity_issuer_chain_size; - res.qe_identity_size = (*p_ql_col).qe_identity_size; - - let mut offs = mem::size_of::(); - - res.pck_crl_issuer_chain = p_ser.add(offs) as *mut i8; - offs += res.pck_crl_issuer_chain_size as usize; - - res.root_ca_crl = p_ser.add(offs) as *mut i8; - offs += res.root_ca_crl_size as usize; - - res.pck_crl = p_ser.add(offs) as *mut i8; - offs += res.pck_crl_size as usize; - - res.tcb_info_issuer_chain = p_ser.add(offs) as *mut i8; - offs += res.tcb_info_issuer_chain_size as usize; - - res.tcb_info = p_ser.add(offs) as *mut i8; - offs += res.tcb_info_size as usize; - - res.qe_identity_issuer_chain = p_ser.add(offs) as *mut i8; - offs += res.qe_identity_issuer_chain_size as usize; - - res.qe_identity = p_ser.add(offs) as *mut i8; - } - } - }; - - return res; // unreachable -} - -#[cfg(not(test))] -#[no_mangle] -pub extern "C" fn ocall_get_quote_ecdsa_collateral( - p_quote: *const u8, - n_quote: u32, - p_col: *mut u8, - n_col: u32, - p_col_size: *mut u32 -) -> sgx_status_t -{ - let mut p_col_my : *mut u8 = 0 as *mut u8; - let mut n_col_my : u32 = 0; - - let ret = unsafe { tee_qv_get_collateral(p_quote, n_quote, &mut p_col_my, &mut n_col_my) }; - - if ret != sgx_quote3_error_t::SGX_QL_SUCCESS { - trace!("tee_qv_get_collateral returned {}", ret); - return sgx_status_t::SGX_ERROR_UNEXPECTED; - } - - unsafe { - - *p_col_size = sgx_ql_qve_collateral_serialize(p_col_my, n_col_my, p_col, n_col); - - tee_qv_free_collateral(p_col_my); - }; - - sgx_status_t::SGX_SUCCESS -} - -#[cfg(not(test))] -#[no_mangle] -pub extern "C" fn ocall_verify_quote_ecdsa( - p_quote: 
*const u8, - n_quote: u32, - p_col: *const u8, - n_col: u32, - p_target_info: *const sgx_target_info_t, - time_s: i64, - p_qve_report_info: *mut sgx_ql_qe_report_info_t, - p_supp_data: *mut u8, - n_supp_data: u32, - p_supp_data_size: *mut u32, - p_time_s: *mut i64, - p_collateral_expiration_status: *mut u32, - p_qv_result: *mut sgx_ql_qv_result_t, -) -> sgx_status_t { - let mut time_use_s: time_t = time_s; - if time_s == 0 { - time_use_s = SystemTime::now() - .duration_since(UNIX_EPOCH) - .unwrap() - .as_secs() as time_t; - } - - unsafe { - let res0 = sgx_qv_set_enclave_load_policy(sgx_ql_request_policy_t::SGX_QL_PERSISTENT); - if sgx_quote3_error_t::SGX_QL_SUCCESS != res0 { - warn!("sgx_qv_set_enclave_load_policy: {}", res0); - } - - let res1 = sgx_qv_get_quote_supplemental_data_size(p_supp_data_size); - if sgx_quote3_error_t::SGX_QL_SUCCESS != res1 { - warn!("sgx_qv_get_quote_supplemental_data_size: {}", res1); - } - - if *p_supp_data_size > n_supp_data { - warn!("supp data buf required: {}", *p_supp_data_size); - return sgx_status_t::SGX_ERROR_UNEXPECTED; - } - - (*p_qve_report_info).app_enclave_target_info = *p_target_info; - - let my_col = sgx_ql_qve_collateral_deserialize(p_col, n_col); - - let res2 = sgx_qv_verify_quote( - p_quote, - n_quote, - &my_col, - time_use_s, - p_collateral_expiration_status, - p_qv_result, - p_qve_report_info, - *p_supp_data_size, - p_supp_data, - ); - if sgx_quote3_error_t::SGX_QL_SUCCESS != res2 { - warn!("sgx_qv_verify_quote: {}", res2); - } - - *p_time_s = time_use_s; - }; - - sgx_status_t::SGX_SUCCESS -} - #[cfg(test)] #[no_mangle] pub extern "C" fn ocall_get_quote( 
@@ -469,58 +155,6 @@ pub extern "C" fn ocall_get_quote( sgx_status_t::SGX_ERROR_SERVICE_UNAVAILABLE } -#[cfg(test)] -#[no_mangle] -pub extern "C" fn ocall_get_quote_ecdsa_params( - _p_qe_info: *mut sgx_target_info_t, - _p_quote_size: *mut u32, -) -> sgx_status_t { - sgx_status_t::SGX_ERROR_SERVICE_UNAVAILABLE -} - -#[cfg(test)] -#[no_mangle] -pub extern "C" fn ocall_get_quote_ecdsa( - _p_report: *const sgx_report_t, - _p_quote: *mut u8, - _n_quote: u32, -) -> sgx_status_t { - sgx_status_t::SGX_ERROR_SERVICE_UNAVAILABLE -} - -#[cfg(test)] -#[no_mangle] -pub extern "C" fn ocall_get_quote_ecdsa_collateral( - _p_quote: *const u8, - _n_quote: u32, - _p_col: *mut u8, - _n_col: u32, - _p_col_size: *mut u32, -) -> sgx_status_t { - sgx_status_t::SGX_ERROR_SERVICE_UNAVAILABLE -} - -#[cfg(test)] -#[no_mangle] -pub extern "C" fn ocall_verify_quote_ecdsa( - _p_quote: *const u8, - _n_quote: u32, - _p_col: *const u8, - _n_col: u32, - _p_target_info: *const sgx_target_info_t, - _time_s: i64, - _p_qve_report_info: *mut sgx_ql_qe_report_info_t, - _p_supp_data: *mut u8, - _n_supp_data: u32, - _p_supp_data_size: *mut u32, - _p_time_s: *mut i64, - _p_collateral_expiration_status: *mut u32, - _p_qv_result: *mut sgx_ql_qv_result_t, -) -> sgx_status_t { - sgx_status_t::SGX_ERROR_SERVICE_UNAVAILABLE -} - - #[no_mangle] pub extern "C" fn ocall_get_update_info( platform_blob: *const sgx_platform_info_t, diff --git a/cosmwasm/packages/sgx-vm/src/attestation_dcap.rs b/cosmwasm/packages/sgx-vm/src/attestation_dcap.rs new file mode 100644 index 000000000..b98bdcdfb --- /dev/null +++ b/cosmwasm/packages/sgx-vm/src/attestation_dcap.rs 
@@ -0,0 +1,390 @@ +use core::mem; + +use std::ptr::null_mut; +use std::time::{SystemTime, UNIX_EPOCH}; +use std::{self, ptr}; + +use log::*; +use sgx_types::*; + +#[cfg(not(test))] +#[no_mangle] +pub extern "C" fn ocall_get_quote_ecdsa_params( + p_qe_info: *mut sgx_target_info_t, + p_quote_size: *mut u32, +) -> sgx_status_t { + let mut ret = unsafe { sgx_qe_get_target_info(p_qe_info) }; + if ret != sgx_quote3_error_t::SGX_QL_SUCCESS { + trace!("sgx_qe_get_target_info returned {}", ret); + return sgx_status_t::SGX_ERROR_UNEXPECTED; + } + + ret = unsafe { sgx_qe_get_quote_size(p_quote_size) }; + if ret != sgx_quote3_error_t::SGX_QL_SUCCESS { + trace!("sgx_qe_get_quote_size returned {}", ret); + return sgx_status_t::SGX_ERROR_BUSY; + } + + unsafe { + trace!("*QuoteSize = {}", *p_quote_size); + } + + sgx_status_t::SGX_SUCCESS +} + +#[cfg(not(test))] +#[no_mangle] +pub extern "C" fn ocall_get_quote_ecdsa( + p_report: *const sgx_report_t, + p_quote: *mut u8, + n_quote: u32, +) -> sgx_status_t { + trace!("Entering ocall_get_quote_ecdsa"); + + //let mut qe_target_info: sgx_target_info_t; + //sgx_qe_get_target_info(&qe_target_info); + + let mut n_quote_act: u32 = 0; + let mut ret = unsafe { sgx_qe_get_quote_size(&mut n_quote_act) }; + if ret != sgx_quote3_error_t::SGX_QL_SUCCESS { + trace!("sgx_qe_get_quote_size returned {}", ret); + return sgx_status_t::SGX_ERROR_UNEXPECTED; + } + + if n_quote_act > n_quote { + return sgx_status_t::SGX_ERROR_UNEXPECTED; + } + + ret = unsafe { sgx_qe_get_quote(p_report, n_quote, p_quote) }; + if ret != sgx_quote3_error_t::SGX_QL_SUCCESS { + trace!("sgx_qe_get_quote returned {}", ret); + return sgx_status_t::SGX_ERROR_UNEXPECTED; + } + + sgx_status_t::SGX_SUCCESS +} + +pub struct QlQveCollateral { + pub tee_type: u32, // 0x00000000: SGX or 0x00000081: TDX + pub pck_crl_issuer_chain_size: u32, + pub root_ca_crl_size: u32, + pub pck_crl_size: u32, + pub tcb_info_issuer_chain_size: u32, + pub tcb_info_size: u32, + pub 
qe_identity_issuer_chain_size: u32, + pub qe_identity_size: u32, +} + +fn sgx_ql_qve_collateral_serialize( + p_col: *const u8, + n_col: u32, + p_res: *mut u8, + n_res: u32, +) -> u32 { + if n_col < mem::size_of::() as u32 { + return 0; + } + + unsafe { + let p_ql_col = p_col as *const sgx_ql_qve_collateral_t; + + let size_extra = (*p_ql_col).pck_crl_issuer_chain_size + + (*p_ql_col).root_ca_crl_size + + (*p_ql_col).pck_crl_size + + (*p_ql_col).tcb_info_issuer_chain_size + + (*p_ql_col).tcb_info_size + + (*p_ql_col).qe_identity_issuer_chain_size + + (*p_ql_col).qe_identity_size; + + if n_col < mem::size_of::() as u32 + size_extra { + return 0; + } + + let out_size: u32 = mem::size_of::() as u32 + size_extra; + + if n_res >= out_size { + let x = QlQveCollateral { + tee_type: (*p_ql_col).tee_type, + pck_crl_issuer_chain_size: (*p_ql_col).pck_crl_issuer_chain_size, + root_ca_crl_size: (*p_ql_col).root_ca_crl_size, + pck_crl_size: (*p_ql_col).pck_crl_size, + tcb_info_issuer_chain_size: (*p_ql_col).tcb_info_issuer_chain_size, + tcb_info_size: (*p_ql_col).tcb_info_size, + qe_identity_issuer_chain_size: (*p_ql_col).qe_identity_issuer_chain_size, + qe_identity_size: (*p_ql_col).qe_identity_size, + }; + + ptr::copy_nonoverlapping( + &x as *const QlQveCollateral as *const u8, + p_res, + mem::size_of::(), + ); + let mut offs = mem::size_of::(); + + ptr::copy_nonoverlapping( + (*p_ql_col).pck_crl_issuer_chain as *const u8, + p_res.add(offs), + x.pck_crl_issuer_chain_size as usize, + ); + offs += x.pck_crl_issuer_chain_size as usize; + + ptr::copy_nonoverlapping( + (*p_ql_col).root_ca_crl as *const u8, + p_res.add(offs), + x.root_ca_crl_size as usize, + ); + offs += x.root_ca_crl_size as usize; + + ptr::copy_nonoverlapping( + (*p_ql_col).pck_crl as *const u8, + p_res.add(offs), + x.pck_crl_size as usize, + ); + offs += x.pck_crl_size as usize; + + ptr::copy_nonoverlapping( + (*p_ql_col).tcb_info_issuer_chain as *const u8, + p_res.add(offs), + x.tcb_info_issuer_chain_size as 
usize, + ); + offs += x.tcb_info_issuer_chain_size as usize; + + ptr::copy_nonoverlapping( + (*p_ql_col).tcb_info as *const u8, + p_res.add(offs), + x.tcb_info_size as usize, + ); + offs += x.tcb_info_size as usize; + + ptr::copy_nonoverlapping( + (*p_ql_col).qe_identity_issuer_chain as *const u8, + p_res.add(offs), + x.qe_identity_issuer_chain_size as usize, + ); + offs += x.qe_identity_issuer_chain_size as usize; + + ptr::copy_nonoverlapping( + (*p_ql_col).qe_identity as *const u8, + p_res.add(offs), + x.qe_identity_size as usize, + ); + } + + return out_size; + }; +} + +fn sgx_ql_qve_collateral_deserialize(p_ser: *const u8, n_ser: u32) -> sgx_ql_qve_collateral_t { + let mut res = sgx_ql_qve_collateral_t { + version: 0, + tee_type: 0, + pck_crl_issuer_chain: null_mut(), + pck_crl_issuer_chain_size: 0, + root_ca_crl: null_mut(), + root_ca_crl_size: 0, + pck_crl: null_mut(), + pck_crl_size: 0, + tcb_info_issuer_chain: null_mut(), + tcb_info_issuer_chain_size: 0, + tcb_info: null_mut(), + tcb_info_size: 0, + qe_identity_issuer_chain: null_mut(), + qe_identity_issuer_chain_size: 0, + qe_identity: null_mut(), + qe_identity_size: 0, + }; + + if n_ser >= mem::size_of::() as u32 { + unsafe { + let p_ql_col = p_ser as *const QlQveCollateral; + let size_extra = (*p_ql_col).pck_crl_issuer_chain_size + + (*p_ql_col).root_ca_crl_size + + (*p_ql_col).pck_crl_size + + (*p_ql_col).tcb_info_issuer_chain_size + + (*p_ql_col).tcb_info_size + + (*p_ql_col).qe_identity_issuer_chain_size + + (*p_ql_col).qe_identity_size; + + if n_ser >= mem::size_of::() as u32 + size_extra { + res.version = 1; // PCK Cert chain is in the Quote. 
+ res.tee_type = (*p_ql_col).tee_type; + res.pck_crl_issuer_chain_size = (*p_ql_col).pck_crl_issuer_chain_size; + res.root_ca_crl_size = (*p_ql_col).root_ca_crl_size; + res.pck_crl_size = (*p_ql_col).pck_crl_size; + res.tcb_info_issuer_chain_size = (*p_ql_col).tcb_info_issuer_chain_size; + res.tcb_info_size = (*p_ql_col).tcb_info_size; + res.qe_identity_issuer_chain_size = (*p_ql_col).qe_identity_issuer_chain_size; + res.qe_identity_size = (*p_ql_col).qe_identity_size; + + let mut offs = mem::size_of::(); + + res.pck_crl_issuer_chain = p_ser.add(offs) as *mut i8; + offs += res.pck_crl_issuer_chain_size as usize; + + res.root_ca_crl = p_ser.add(offs) as *mut i8; + offs += res.root_ca_crl_size as usize; + + res.pck_crl = p_ser.add(offs) as *mut i8; + offs += res.pck_crl_size as usize; + + res.tcb_info_issuer_chain = p_ser.add(offs) as *mut i8; + offs += res.tcb_info_issuer_chain_size as usize; + + res.tcb_info = p_ser.add(offs) as *mut i8; + offs += res.tcb_info_size as usize; + + res.qe_identity_issuer_chain = p_ser.add(offs) as *mut i8; + offs += res.qe_identity_issuer_chain_size as usize; + + res.qe_identity = p_ser.add(offs) as *mut i8; + } + } + }; + + return res; // unreachable +} + +#[cfg(not(test))] +#[no_mangle] +pub extern "C" fn ocall_get_quote_ecdsa_collateral( + p_quote: *const u8, + n_quote: u32, + p_col: *mut u8, + n_col: u32, + p_col_size: *mut u32, +) -> sgx_status_t { + let mut p_col_my: *mut u8 = 0 as *mut u8; + let mut n_col_my: u32 = 0; + + let ret = unsafe { tee_qv_get_collateral(p_quote, n_quote, &mut p_col_my, &mut n_col_my) }; + + if ret != sgx_quote3_error_t::SGX_QL_SUCCESS { + trace!("tee_qv_get_collateral returned {}", ret); + return sgx_status_t::SGX_ERROR_UNEXPECTED; + } + + unsafe { + *p_col_size = sgx_ql_qve_collateral_serialize(p_col_my, n_col_my, p_col, n_col); + + tee_qv_free_collateral(p_col_my); + }; + + sgx_status_t::SGX_SUCCESS +} + +#[cfg(not(test))] +#[no_mangle] +pub extern "C" fn ocall_verify_quote_ecdsa( + p_quote: *const 
u8, + n_quote: u32, + p_col: *const u8, + n_col: u32, + p_target_info: *const sgx_target_info_t, + time_s: i64, + p_qve_report_info: *mut sgx_ql_qe_report_info_t, + p_supp_data: *mut u8, + n_supp_data: u32, + p_supp_data_size: *mut u32, + p_time_s: *mut i64, + p_collateral_expiration_status: *mut u32, + p_qv_result: *mut sgx_ql_qv_result_t, +) -> sgx_status_t { + let mut time_use_s: time_t = time_s; + if time_s == 0 { + time_use_s = SystemTime::now() + .duration_since(UNIX_EPOCH) + .unwrap() + .as_secs() as time_t; + } + + unsafe { + let res0 = sgx_qv_set_enclave_load_policy(sgx_ql_request_policy_t::SGX_QL_PERSISTENT); + if sgx_quote3_error_t::SGX_QL_SUCCESS != res0 { + warn!("sgx_qv_set_enclave_load_policy: {}", res0); + } + + let res1 = sgx_qv_get_quote_supplemental_data_size(p_supp_data_size); + if sgx_quote3_error_t::SGX_QL_SUCCESS != res1 { + warn!("sgx_qv_get_quote_supplemental_data_size: {}", res1); + } + + if *p_supp_data_size > n_supp_data { + warn!("supp data buf required: {}", *p_supp_data_size); + return sgx_status_t::SGX_ERROR_UNEXPECTED; + } + + (*p_qve_report_info).app_enclave_target_info = *p_target_info; + + let my_col = sgx_ql_qve_collateral_deserialize(p_col, n_col); + + let res2 = sgx_qv_verify_quote( + p_quote, + n_quote, + &my_col, + time_use_s, + p_collateral_expiration_status, + p_qv_result, + p_qve_report_info, + *p_supp_data_size, + p_supp_data, + ); + if sgx_quote3_error_t::SGX_QL_SUCCESS != res2 { + warn!("sgx_qv_verify_quote: {}", res2); + } + + *p_time_s = time_use_s; + }; + + sgx_status_t::SGX_SUCCESS +} + +#[cfg(test)] +#[no_mangle] +pub extern "C" fn ocall_get_quote_ecdsa_params( + _p_qe_info: *mut sgx_target_info_t, + _p_quote_size: *mut u32, +) -> sgx_status_t { + sgx_status_t::SGX_ERROR_SERVICE_UNAVAILABLE +} + +#[cfg(test)] +#[no_mangle] +pub extern "C" fn ocall_get_quote_ecdsa( + _p_report: *const sgx_report_t, + _p_quote: *mut u8, + _n_quote: u32, +) -> sgx_status_t { + sgx_status_t::SGX_ERROR_SERVICE_UNAVAILABLE +} + 
+#[cfg(test)] +#[no_mangle] +pub extern "C" fn ocall_get_quote_ecdsa_collateral( + _p_quote: *const u8, + _n_quote: u32, + _p_col: *mut u8, + _n_col: u32, + _p_col_size: *mut u32, +) -> sgx_status_t { + sgx_status_t::SGX_ERROR_SERVICE_UNAVAILABLE +} + +#[cfg(test)] +#[no_mangle] +pub extern "C" fn ocall_verify_quote_ecdsa( + _p_quote: *const u8, + _n_quote: u32, + _p_col: *const u8, + _n_col: u32, + _p_target_info: *const sgx_target_info_t, + _time_s: i64, + _p_qve_report_info: *mut sgx_ql_qe_report_info_t, + _p_supp_data: *mut u8, + _n_supp_data: u32, + _p_supp_data_size: *mut u32, + _p_time_s: *mut i64, + _p_collateral_expiration_status: *mut u32, + _p_qv_result: *mut sgx_ql_qv_result_t, +) -> sgx_status_t { + sgx_status_t::SGX_ERROR_SERVICE_UNAVAILABLE +} diff --git a/cosmwasm/packages/sgx-vm/src/lib.rs b/cosmwasm/packages/sgx-vm/src/lib.rs index 384f29075..b5975c07a 100644 --- a/cosmwasm/packages/sgx-vm/src/lib.rs +++ b/cosmwasm/packages/sgx-vm/src/lib.rs @@ -19,6 +19,7 @@ mod traits; // Secret Network specific modules mod attestation; +mod attestation_dcap; mod enclave; mod enclave_config; mod seed; From 3f497f73efd32e0e0b655d42625f7a36208e9de9 Mon Sep 17 00:00:00 2001 From: valdok Date: Mon, 6 May 2024 12:03:32 +0000 Subject: [PATCH 3/3] check_hw - support for diagnosing DCAP --- check-hw/Cargo.lock | 1 + check-hw/Cargo.toml | 1 + check-hw/build.rs | 3 ++ check-hw/src/enclave_api.rs | 52 +------------------ .../src/registration/check_patch_level.rs | 9 ++++ 5 files changed, 16 insertions(+), 50 deletions(-) diff --git a/check-hw/Cargo.lock b/check-hw/Cargo.lock index 7361771ae..2ac29d110 100644 --- a/check-hw/Cargo.lock +++ b/check-hw/Cargo.lock @@ -64,6 +64,7 @@ dependencies = [ "clap", "enclave-ffi-types", "lazy_static", + "log", "parking_lot", "sgx_types", "sgx_urts", diff --git a/check-hw/Cargo.toml b/check-hw/Cargo.toml index 64d09a432..e23064245 100644 --- a/check-hw/Cargo.toml +++ b/check-hw/Cargo.toml 
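Review bot: `ocall_verify_quote_ecdsa` returns `SGX_SUCCESS` even when `sgx_qv_verify_quote` fails (`res2` is only logged), and likewise when `sgx_qv_get_quote_supplemental_data_size` fails just before `*p_supp_data_size` is read, so the enclave gets an OK status while `*p_qv_result` and the QvE report were never filled in by the verifier; the enclave must validate the QvE report regardless of what this untrusted ocall claims, but an honest host should still fail loudly: `if sgx_quote3_error_t::SGX_QL_SUCCESS != res2 { warn!("sgx_qv_verify_quote: {}", res2); return sgx_status_t::SGX_ERROR_UNEXPECTED; }` and the same for `res1`. In both `sgx_ql_qve_collateral_serialize` and `sgx_ql_qve_collateral_deserialize` the seven `*_size` fields are summed with plain `u32` addition, which wraps silently in release builds, so an oversized header can satisfy the `n_ser >= size_of::<QlQveCollateral>() + size_extra` bound and the reconstructed pointers then index past the buffer passed to `sgx_qv_verify_quote`; sum them with `u32::checked_add` and treat overflow exactly like the too-short case (return 0 / the zeroed `res`). When `time_s == 0` the verification time is the host's wall clock, which the enclave cannot trust for collateral-expiry decisions, so a comment at that branch such as `// host clock; the enclave must treat *p_time_s as untrusted` is worth adding. Finally, the `// unreachable` comment on `return res;` in the deserializer is wrong, since that is its normal exit path.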
@@ -23,3 +23,4 @@ enclave-ffi-types = { path = "../cosmwasm/enclaves/ffi-types", features = [ clap = "2.33" parking_lot = "0.11" lazy_static = "1.4" +log = "0.4.17" diff --git a/check-hw/build.rs b/check-hw/build.rs index 70a2a01cd..267a76afc 100644 --- a/check-hw/build.rs +++ b/check-hw/build.rs @@ -11,4 +11,7 @@ fn main() { println!("cargo:rustc-link-lib=static=sgx_ukey_exchange"); println!("cargo:rustc-link-lib=dylib=sgx_urts"); println!("cargo:rustc-link-lib=dylib=sgx_uae_service"); + + println!("cargo:rustc-link-lib=dylib=sgx_dcap_ql"); + println!("cargo:rustc-link-lib=dylib=sgx_dcap_quoteverify"); } diff --git a/check-hw/src/enclave_api.rs b/check-hw/src/enclave_api.rs index feed3eb8b..ac3169fd6 100644 --- a/check-hw/src/enclave_api.rs +++ b/check-hw/src/enclave_api.rs @@ -13,6 +13,8 @@ use sgx_types::{ sgx_report_t, sgx_spid_t, sgx_status_t, sgx_target_info_t, sgx_update_info_bit_t, }; +include!("../../cosmwasm/packages/sgx-vm/src/attestation_dcap.rs"); + // ecalls extern "C" { 
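Review bot: `include!("../../cosmwasm/packages/sgx-vm/src/attestation_dcap.rs")` splices the production ocalls in by path, and the stubs it replaces (removed in the following hunk) carried a leading `ret_val: *mut sgx_status_t` parameter that the included definitions do not have; these are `#[no_mangle] extern "C"` symbols bound by the EDL-generated bridge, so only one of the two signatures can be right and a mismatch is undefined behaviour at the ocall boundary rather than a compile error — worth confirming against the `.edl` declarations before relying on the tool's DCAP output. A `#[path = "../../cosmwasm/packages/sgx-vm/src/attestation_dcap.rs"] mod attestation_dcap;` is the conventional form for sharing a source file across crates and keeps that file's own `use core::mem;` / `use log::*;` lines scoped to it instead of landing in this module. Either way, a comment next to the directive, e.g. `// Shared with sgx-vm; ocall signatures must match the EDL`, would tell the next maintainer why check-hw reaches into another crate's source tree.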
@@ -186,53 +188,3 @@ pub extern "C" fn ocall_read_db( pub extern "C" fn ocall_allocate(_buffer: *const u8, _length: usize) -> UserSpaceBuffer { unimplemented!() } - -#[no_mangle] -pub extern "C" fn ocall_get_quote_ecdsa_params( - ret_val: *mut sgx_status_t, - p_qe_info: *mut sgx_target_info_t, - p_quote_size: *mut u32, -) -> sgx_status_t { - unimplemented!() -} -#[no_mangle] -pub extern "C" fn ocall_get_quote_ecdsa( - ret_val: *mut sgx_status_t, - p_report: *const sgx_report_t, - p_quote: *mut u8, - n_quote: u32, -) -> sgx_status_t { - unimplemented!() -} - -#[no_mangle] -pub extern "C" fn ocall_get_quote_ecdsa_collateral( - ret_val: *mut sgx_status_t, - p_quote: *const u8, - n_quote: u32, - p_col: *mut u8, - n_col: u32, - p_col_out: *mut u32, -) -> sgx_status_t { - unimplemented!() -} - -#[no_mangle] -pub extern "C" fn ocall_verify_quote_ecdsa( - ret_val: *mut sgx_status_t, - p_quote: *const u8, - n_quote: u32, - p_col: *const u8, - n_col: u32, - p_target_info: *const sgx_target_info_t, - time_s: i64, - p_qve_report_info: *mut sgx_ql_qe_report_info_t, - p_supp_data: *mut u8, - n_supp_data: u32, - p_supp_data_size: *mut u32, - p_time_s: *mut i64, - p_collateral_expiration_status: *mut u32, - p_qv_result: *mut sgx_ql_qv_result_t, -) -> sgx_status_t { - unimplemented!() -} diff --git a/cosmwasm/enclaves/execute/src/registration/check_patch_level.rs b/cosmwasm/enclaves/execute/src/registration/check_patch_level.rs index 3df2c7839..83d0a4a46 100644 --- a/cosmwasm/enclaves/execute/src/registration/check_patch_level.rs +++ b/cosmwasm/enclaves/execute/src/registration/check_patch_level.rs @@ -14,6 +14,9 @@ use crate::registration::attestation::create_attestation_report; #[cfg(feature = "SGX_MODE_HW")] use crate::registration::cert::verify_quote_status; +#[cfg(feature = "SGX_MODE_HW")] +use crate::registration::offchain::get_attestation_report_dcap; + #[cfg(not(feature = "epid_whitelist_disabled"))] use crate::registration::cert::check_epid_gid_is_whitelisted; 
@@ -52,6 +55,12 @@ pub unsafe extern "C" fn ecall_check_patch_level( // generate temporary key for attestation let temp_key_result = enclave_crypto::KeyPair::new().unwrap(); + let res_dcap = unsafe { get_attestation_report_dcap(&temp_key_result) }; + if res_dcap.is_ok() { + println!("DCAP attestation ok"); + return NodeAuthResult::Success; + } + let signed_report = match create_attestation_report( &temp_key_result.get_pubkey(), SIGNATURE_TYPE,
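Review bot: The new early return calls `get_attestation_report_dcap` unconditionally, while its import in the previous hunk is gated on `#[cfg(feature = "SGX_MODE_HW")]`, so unless `ecall_check_patch_level` itself (its header is above this hunk) is gated the same way, non-HW builds will fail to resolve the name; putting the same `#[cfg]` on the new block keeps both modes building. The `Err` case is silently discarded, which defeats the stated purpose of diagnosing DCAP — something like `if let Err(e) = &res_dcap { println!("DCAP attestation failed: {:?}", e); }` before falling through to the EPID path would surface the reason (assuming the error type is `Debug`). On success the function returns `NodeAuthResult::Success` without running the `verify_quote_status` and EPID whitelist checks that follow, which is presumably intended for a hardware-check tool but deserves a one-line comment saying so.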