From abe026768051af66e636001198709f08bf216bac Mon Sep 17 00:00:00 2001 From: Herman Date: Fri, 14 May 2021 11:24:47 +0200 Subject: [PATCH 01/31] feat(attestation): add functions for local dh --- rtc_auth_enclave/Cargo.lock | 23 ++++++- rtc_data_enclave/Cargo.lock | 23 ++++++- rtc_tenclave/Cargo.lock | 23 ++++++- rtc_tenclave/Cargo.toml | 5 +- rtc_tenclave/src/dh/mod.rs | 116 +++++++++++++++++++++++++++++++++++ rtc_tenclave/src/dh/types.rs | 20 ++++++ rtc_tenclave/src/lib.rs | 2 + 7 files changed, 207 insertions(+), 5 deletions(-) create mode 100644 rtc_tenclave/src/dh/mod.rs create mode 100644 rtc_tenclave/src/dh/types.rs diff --git a/rtc_auth_enclave/Cargo.lock b/rtc_auth_enclave/Cargo.lock index 93f5811c..1fa30c80 100644 --- a/rtc_auth_enclave/Cargo.lock +++ b/rtc_auth_enclave/Cargo.lock @@ -209,6 +209,14 @@ dependencies = [ "cfg-if 1.0.0", ] +[[package]] +name = "once_cell" +version = "1.4.0" +source = "git+https://github.com/mesalock-linux/once_cell-sgx.git#cefcaa03fed4d85276b3235d875f1b45d399cc3c" +dependencies = [ + "sgx_tstd", +] + [[package]] name = "once_cell" version = "1.7.2" @@ -340,7 +348,7 @@ checksum = "55ae9a4d2975bdd8254d7bcdd2261be62b42b8920f903ec682b08cdc11b87af2" dependencies = [ "cc", "libc", - "once_cell", + "once_cell 1.7.2", "spin", "untrusted", "web-sys", @@ -365,6 +373,7 @@ version = "0.1.0" dependencies = [ "cfg-if 1.0.0", "hex", + "once_cell 1.4.0", "rand 0.7.3", "ring", "rtc_types", @@ -372,6 +381,7 @@ dependencies = [ "serde 1.0.118", "serde_json 1.0.60", "sgx_tcrypto", + "sgx_tdh", "sgx_tse", "sgx_tstd", "sgx_types", @@ -496,6 +506,17 @@ dependencies = [ "sgx_types", ] +[[package]] +name = "sgx_tdh" +version = "1.1.3" +source = "git+https://github.com/apache/incubator-teaclave-sgx-sdk.git?rev=b9d1bda#b9d1bda674564668f8cf2e1ee202d08533fde46f" +dependencies = [ + "sgx_tcrypto", + "sgx_trts", + "sgx_tse", + "sgx_types", +] + [[package]] name = "sgx_tprotected_fs" version = "1.1.3" diff --git a/rtc_data_enclave/Cargo.lock b/rtc_data_enclave/Cargo.lock index 8f95a9f9..e3d52c96 100644 --- a/rtc_data_enclave/Cargo.lock +++ b/rtc_data_enclave/Cargo.lock @@ -288,6 +288,14 @@ dependencies = [ "sgx_tstd", ] +[[package]] +name = "once_cell" +version = "1.4.0" +source = "git+https://github.com/mesalock-linux/once_cell-sgx.git#cefcaa03fed4d85276b3235d875f1b45d399cc3c" +dependencies = [ + "sgx_tstd", +] + [[package]] name = "once_cell" version = "1.7.2" @@ -419,7 +427,7 @@ checksum = "4fd28ff5eda53903a8406cae62b02b29b2bd1b29410221ddc41581933355496d" dependencies = [ "cc", "libc", - "once_cell", + "once_cell 1.7.2", "spin", "untrusted", "web-sys", @@ -462,6 +470,7 @@ version = "0.1.0" dependencies = [ "cfg-if 1.0.0", "hex", + "once_cell 1.4.0", "rand 0.7.3", "ring", "rtc_types", @@ -469,6 +478,7 @@ dependencies = [ "serde 1.0.118", "serde_json 1.0.60", "sgx_tcrypto", + "sgx_tdh", "sgx_tse", "sgx_tstd", "sgx_types", @@ -635,6 +645,17 @@ dependencies = [ "sgx_crypto_helper", ] +[[package]] +name = "sgx_tdh" +version = "1.1.3" +source = "git+https://github.com/apache/incubator-teaclave-sgx-sdk.git?rev=b9d1bda#b9d1bda674564668f8cf2e1ee202d08533fde46f" +dependencies = [ + "sgx_tcrypto", + "sgx_trts", + "sgx_tse", + "sgx_types", +] + [[package]] name = "sgx_tprotected_fs" version = "1.1.3" diff --git a/rtc_tenclave/Cargo.lock b/rtc_tenclave/Cargo.lock index 342482de..c10a6a4b 100644 --- a/rtc_tenclave/Cargo.lock +++ b/rtc_tenclave/Cargo.lock @@ -168,6 +168,14 @@ dependencies = [ "autocfg", ] +[[package]] +name = "once_cell" +version = "1.4.0" +source = "git+https://github.com/mesalock-linux/once_cell-sgx.git#cefcaa03fed4d85276b3235d875f1b45d399cc3c" +dependencies = [ + "sgx_tstd", +] + [[package]] name = "once_cell" version = "1.7.2" @@ -411,7 +419,7 @@ checksum = "55ae9a4d2975bdd8254d7bcdd2261be62b42b8920f903ec682b08cdc11b87af2" dependencies = [ "cc", "libc", - "once_cell", + "once_cell 1.7.2", "spin", "untrusted", "web-sys", @@ -424,6 +432,7 @@ version = "0.1.0" dependencies = [ "cfg-if 1.0.0", "hex", + "once_cell 1.4.0", "proptest", "rand 0.7.3 (git+https://github.com/mesalock-linux/rand-sgx?tag=v0.7.3_sgx1.1.3)", "rand 0.7.3 (registry+https://github.com/rust-lang/crates.io-index)", @@ -435,6 +444,7 @@ dependencies = [ "serde_json 1.0.60", "serde_json 1.0.64", "sgx_tcrypto", + "sgx_tdh", "sgx_tse", "sgx_tstd", "sgx_types", @@ -560,6 +570,17 @@ dependencies = [ "sgx_types", ] +[[package]] +name = "sgx_tdh" +version = "1.1.3" +source = "git+https://github.com/apache/incubator-teaclave-sgx-sdk.git?rev=b9d1bda#b9d1bda674564668f8cf2e1ee202d08533fde46f" +dependencies = [ + "sgx_tcrypto", + "sgx_trts", + "sgx_tse", + "sgx_types", +] + [[package]] name = "sgx_tprotected_fs" version = "1.1.3" diff --git a/rtc_tenclave/Cargo.toml b/rtc_tenclave/Cargo.toml index 8f42450c..25c4ca07 100644 --- a/rtc_tenclave/Cargo.toml +++ b/rtc_tenclave/Cargo.toml @@ -11,7 +11,7 @@ doctest = false crate-type = ["lib"] [features] -default = ["sgx_tstd", "sgx_tse", "rtc_types/teaclave_sgx", "rand", "thiserror", "sgx_tcrypto", "serde", "serde_json"] +default = ["sgx_tstd", "sgx_tse", "rtc_types/teaclave_sgx", "rand", "thiserror", "sgx_tcrypto", "sgx_tdh", "once_cell", "serde", "serde_json"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html @@ -23,6 +23,8 @@ sgx_tse = { git = "https://github.com/apache/incubator-teaclave-sgx-sdk.git", re rand = { git = "https://github.com/mesalock-linux/rand-sgx", tag = "v0.7.3_sgx1.1.3", optional = true } thiserror = { git = "https://github.com/mesalock-linux/thiserror-sgx.git", optional = true } sgx_tcrypto = { git = "https://github.com/apache/incubator-teaclave-sgx-sdk.git", rev = "b9d1bda", optional = true } +sgx_tdh = { git = "https://github.com/apache/incubator-teaclave-sgx-sdk.git", rev = "b9d1bda", optional = true } +once_cell = { git = "https://github.com/mesalock-linux/once_cell-sgx.git", optional = true } # XXX: Work around serde-json-sgx / Cargo version handling issue # @@ -62,7 +64,6 @@ sodalite = { version = "0.4.0", default-features = false } cfg-if = "1.0.0" hex = { version = "0.4.3", default-features = false, features = ["alloc"] } - [dev-dependencies] thiserror_std = { package = "thiserror", version = "1.0.9" } rand_std = { package = "rand", version = "0.7.3" } diff --git a/rtc_tenclave/src/dh/mod.rs b/rtc_tenclave/src/dh/mod.rs new file mode 100644 index 00000000..0dc13e9f --- /dev/null +++ b/rtc_tenclave/src/dh/mod.rs @@ -0,0 +1,116 @@ +mod types; + +use once_cell::sync::Lazy; +use sgx_tdh::{SgxDhInitiator, SgxDhMsg1, SgxDhMsg2, SgxDhMsg3, SgxDhResponder}; +use sgx_tstd::{collections::HashMap, enclave, sync::SgxRwLock}; +use sgx_types::*; +use types::*; + +#[no_mangle] +pub unsafe extern "C" fn test_dh() { + init_initiator(enclave::get_enclave_id()); +} + +// NOTE: Something similar can be done in the OCALL library +// (by storing pointers to data inside the enclave) +// TODO: Figure out session timeouts +static DH_SESSIONS: Lazy>> = + Lazy::new(|| SgxRwLock::new(HashMap::new())); + +pub fn init_initiator(dest_enclave_id: sgx_enclave_id_t) -> Result<(), sgx_status_t> { + let this_enclave_id = enclave::get_enclave_id(); + let mut initiator: SgxDhInitiator = SgxDhInitiator::init_session(); + + let dh_msg1 = init_responder(this_enclave_id)?; + + let mut dh_msg2 = SgxDhMsg2::default(); + initiator.proc_msg1(&dh_msg1, &mut dh_msg2)?; + let dh_msg3 = exchange_report(this_enclave_id, &dh_msg2)?; + + let mut aek = sgx_align_key_128bit_t::default(); // Session Key + let mut responder_identity = sgx_dh_session_enclave_identity_t::default(); + + // TODO: Verify identity + initiator.proc_msg3(&dh_msg3, &mut aek.key, &mut responder_identity)?; + println!("{:?}", aek); + + match DH_SESSIONS.write() { + Ok(mut sessions) => { + sessions.insert( + dest_enclave_id, + DhSession { + session_status: DhSessionStatus::Active(aek), + ..Default::default() + }, + ); + Ok(()) + } + Err(_) => { + // TODO: error that terminates enclave + return Err(sgx_status_t::SGX_ERROR_INVALID_PARAMETER); + } + } +} + +pub fn init_responder(src_enclave_id: sgx_enclave_id_t) -> Result { + let mut responder = SgxDhResponder::init_session(); + + let mut dh_msg1 = SgxDhMsg1::default(); + + responder.gen_msg1(&mut dh_msg1)?; + + match DH_SESSIONS.write() { + Ok(mut sessions) => { + sessions.insert( + src_enclave_id, + DhSession { + session_status: DhSessionStatus::InProgress(responder), + ..Default::default() + }, + ); + + println!("msg1 {:?}", dh_msg1); + Ok(dh_msg1) + } + Err(_) => { + // TODO: Poisoned lock is pretty bad in this context, we should probably stop the + // enclave and start with clean state. + Err(sgx_status_t::SGX_ERROR_UNEXPECTED) + } + } +} + +pub fn exchange_report( + src_enclave_id: sgx_enclave_id_t, + dh_msg2: &sgx_dh_msg2_t, +) -> Result { + // Acquire write lock for the whole function since we need to mutate the session value + let mut sessions = DH_SESSIONS + .write() + .or(Err(sgx_status_t::SGX_ERROR_UNEXPECTED))?; + + // TODO: Custom error type + let mut responder_session = sessions + .get_mut(&src_enclave_id) + .ok_or(sgx_status_t::SGX_ERROR_INVALID_PARAMETER)?; + + let (dh_msg3, aek) = match responder_session.session_status { + DhSessionStatus::InProgress(mut responder) => { + let mut msg3 = SgxDhMsg3::default(); + let mut aek = sgx_align_key_128bit_t::default(); // Session Key + let mut initiator_identity = sgx_dh_session_enclave_identity_t::default(); + + responder.proc_msg2(dh_msg2, &mut msg3, &mut aek.key, &mut initiator_identity)?; + + // TODO: Verify initiator_identity + (msg3, aek) + } + // TODO: Custom error type + _ => return Err(sgx_status_t::SGX_ERROR_INVALID_PARAMETER), + }; + + println!("{:?}", aek); + + responder_session.session_status = DhSessionStatus::Active(aek); + Ok(dh_msg3) +} diff --git a/rtc_tenclave/src/dh/types.rs b/rtc_tenclave/src/dh/types.rs new file mode 100644 index 00000000..23d1e7b4 --- /dev/null +++ b/rtc_tenclave/src/dh/types.rs @@ -0,0 +1,20 @@ +use sgx_tdh::SgxDhResponder; +use sgx_types::sgx_align_key_128bit_t; + +pub enum DhSessionStatus { + Closed, + InProgress(SgxDhResponder), + Active(sgx_align_key_128bit_t), +} + +impl Default for DhSessionStatus { + fn default() -> DhSessionStatus { + DhSessionStatus::Closed + } +} + +#[derive(Default)] +pub struct DhSession { + pub session_id: u32, + pub session_status: DhSessionStatus, +} diff --git a/rtc_tenclave/src/lib.rs b/rtc_tenclave/src/lib.rs index 4cfb33f7..08a1c22a 100644 --- a/rtc_tenclave/src/lib.rs +++ b/rtc_tenclave/src/lib.rs @@ -22,6 +22,8 @@ cfg_if::cfg_if! { } pub mod crypto; +pub mod dh; pub mod enclave; pub mod kv_store; +// pub mod local_attestation; pub mod util; From 1b8df41db9d9a2666964f97a7cf25df4a18458f3 Mon Sep 17 00:00:00 2001 From: Herman Date: Fri, 14 May 2021 19:32:43 +0200 Subject: [PATCH 02/31] feat: rework local attest state and add basic crypto funcs --- rtc_tenclave/src/dh/mod.rs | 260 +++++++++++++++-------- rtc_tenclave/src/dh/protected_channel.rs | 101 +++++++++ rtc_tenclave/src/dh/types.rs | 20 -- rtc_tenclave/src/lib.rs | 1 - 4 files changed, 268 insertions(+), 114 deletions(-) create mode 100644 rtc_tenclave/src/dh/protected_channel.rs delete mode 100644 rtc_tenclave/src/dh/types.rs diff --git a/rtc_tenclave/src/dh/mod.rs b/rtc_tenclave/src/dh/mod.rs index 0dc13e9f..567fe654 100644 --- a/rtc_tenclave/src/dh/mod.rs +++ b/rtc_tenclave/src/dh/mod.rs @@ -1,116 +1,190 @@ -mod types; +mod protected_channel; -use once_cell::sync::Lazy; +use once_cell::sync::OnceCell; use sgx_tdh::{SgxDhInitiator, SgxDhMsg1, SgxDhMsg2, SgxDhMsg3, SgxDhResponder}; -use sgx_tstd::{collections::HashMap, enclave, sync::SgxRwLock}; + +use sgx_tstd::{ + collections::HashMap, + enclave, + sync::{Arc, SgxMutex, SgxRwLock, SgxRwLockWriteGuard}, +}; use sgx_types::*; -use types::*; +use std::ops::Deref; + +use protected_channel::ProtectedChannel; #[no_mangle] pub unsafe extern "C" fn test_dh() { - init_initiator(enclave::get_enclave_id()); + dh_sessions() + .establish_new(&enclave::get_enclave_id()) + .expect("test failed"); } -// NOTE: Something similar can be done in the OCALL library -// (by storing pointers to data inside the enclave) -// TODO: Figure out session timeouts -static DH_SESSIONS: Lazy>> = - Lazy::new(|| SgxRwLock::new(HashMap::new())); - -pub fn init_initiator(dest_enclave_id: sgx_enclave_id_t) -> Result<(), sgx_status_t> { - let this_enclave_id = enclave::get_enclave_id(); - let mut initiator: SgxDhInitiator = SgxDhInitiator::init_session(); - - let dh_msg1 = init_responder(this_enclave_id)?; - - let mut dh_msg2 = SgxDhMsg2::default(); - initiator.proc_msg1(&dh_msg1, &mut dh_msg2)?; - let dh_msg3 = exchange_report(this_enclave_id, &dh_msg2)?; - - let mut aek = sgx_align_key_128bit_t::default(); // Session Key - let mut responder_identity = sgx_dh_session_enclave_identity_t::default(); - - // TODO: Verify identity - initiator.proc_msg3(&dh_msg3, &mut aek.key, &mut responder_identity)?; - println!("{:?}", aek); - - match DH_SESSIONS.write() { - Ok(mut sessions) => { - sessions.insert( - dest_enclave_id, - DhSession { - session_status: DhSessionStatus::Active(aek), - ..Default::default() - }, - ); - Ok(()) - } - Err(_) => { - // TODO: error that terminates enclave - return Err(sgx_status_t::SGX_ERROR_INVALID_PARAMETER); - } - } +enum AtomicSession { + // TODO: Add session closing mechanism + Closed, + InProgress(SgxDhResponder), + Active(Arc>), } -pub fn init_responder(src_enclave_id: sgx_enclave_id_t) -> Result { - let mut responder = SgxDhResponder::init_session(); +pub struct DhSessions { + sessions: SgxRwLock>>, +} - let mut dh_msg1 = SgxDhMsg1::default(); +impl DhSessions { + fn get(&self, id: &u64) -> Option> { + self.sessions + .read() + .expect("RwLock poisoned") + .get(id) + .map(Clone::clone) + } + + fn lock_write(&self) -> SgxRwLockWriteGuard>> { + self.sessions.write().expect("RwLock poisoned") + } - responder.gen_msg1(&mut dh_msg1)?; + pub fn get_active(&self, id: &u64) -> Option>> { + match self.get(id)?.as_ref() { + AtomicSession::Active(x) => Some(x.clone()), + _ => None, + } + } - match DH_SESSIONS.write() { - Ok(mut sessions) => { - sessions.insert( - src_enclave_id, - DhSession { - session_status: DhSessionStatus::InProgress(responder), - ..Default::default() - }, - ); + pub fn take_in_progress(&self, id: &u64) -> Option { + let mut sessions = self.lock_write(); - println!("msg1 {:?}", dh_msg1); - Ok(dh_msg1) + if matches!(sessions.get(id)?.as_ref(), AtomicSession::InProgress(_)) { + match sessions.remove(id)?.deref() { + AtomicSession::InProgress(responder) => Some(*responder), + _ => unreachable!(), + } + } else { + None } - Err(_) => { - // TODO: Poisoned lock is pretty bad in this context, we should probably stop the - // enclave and start with clean state. - Err(sgx_status_t::SGX_ERROR_UNEXPECTED) + } + + // TODO: rewrite invariants that will be upheld seperately for responder and initiator + + fn set_active(&self, id: &u64, key: sgx_key_128bit_t) -> Result<(), sgx_status_t> { + let result = self.lock_write().insert( + *id, + Arc::new(AtomicSession::Active(Arc::new(SgxMutex::new( + ProtectedChannel::init(key), + )))), + ); + + match result { + // None -> Active = Ok + None => Ok(()), + // Closed -> Active = Ok (new session after closing) + Some(x) if matches!(x.as_ref(), AtomicSession::Closed) => Ok(()), + // InProgress -> Active = Err + // (since the only way to do this is by borrowing the in-progress value as a + // responder, which is not a valid op) + // TODO: There is a special case here if we go from + // Responder -> Initiator (the handshake dropped). We should check that + Some(_) => Err(sgx_status_t::SGX_ERROR_UNEXPECTED), + // Active -> Active = Err (Session should be closed to prevent resetting nonce-counter with same key) } } + + fn set_in_progress(&self, id: &u64, responder: SgxDhResponder) -> Result<(), sgx_status_t> { + let _result = self + .lock_write() + .insert(*id, Arc::new(AtomicSession::InProgress(responder))); + + // InProgress -> InProgress = ok (new session started by initiator that is being responded to) + // Closed -> InProgress = Ok (new session after closing) + // Active -> In Progress = Ok if keying material differs (the caller might need to uphold this) + // TODO: ^ + Ok(()) + } + + pub fn establish_new(&self, dest_enclave_id: &sgx_enclave_id_t) -> Result<(), sgx_status_t> { + let this_enclave_id = enclave::get_enclave_id(); + let mut initiator: SgxDhInitiator = SgxDhInitiator::init_session(); + + let dh_msg1 = init_responder_ocall(&this_enclave_id)?; + + let mut dh_msg2 = SgxDhMsg2::default(); + initiator.proc_msg1(&dh_msg1, &mut dh_msg2)?; + let dh_msg3 = exchange_report_ocall(&this_enclave_id, &dh_msg2)?; + + let mut aek = sgx_align_key_128bit_t::default(); // Session Key + let mut responder_identity = sgx_dh_session_enclave_identity_t::default(); + + // TODO: Verify identity + initiator.proc_msg3(&dh_msg3, &mut aek.key, &mut responder_identity)?; + + // TODO: REMOVE + println!("{:?}", aek); + + self.set_active(dest_enclave_id, aek.key) + } + + pub fn initiate_response( + &self, + src_enclave_id: &sgx_enclave_id_t, + ) -> Result { + let mut responder = SgxDhResponder::init_session(); + + let mut dh_msg1 = SgxDhMsg1::default(); + + responder.gen_msg1(&mut dh_msg1)?; + + self.set_in_progress(src_enclave_id, responder)?; + + println!("msg1 {:?}", dh_msg1); + Ok(dh_msg1) + } + + pub fn exchange_report( + &self, + src_enclave_id: &sgx_enclave_id_t, + dh_msg2: &sgx_dh_msg2_t, + ) -> Result { + let mut responder = self + .take_in_progress(&src_enclave_id) + // TODO: custom error + .ok_or(sgx_status_t::SGX_ERROR_UNEXPECTED)?; + + let mut msg3 = SgxDhMsg3::default(); + let mut aek = sgx_align_key_128bit_t::default(); // Session Key + let mut initiator_identity = sgx_dh_session_enclave_identity_t::default(); + + responder.proc_msg2(dh_msg2, &mut msg3, &mut aek.key, &mut initiator_identity)?; + + // TODO: Verify initiator_identity + + // TODO: REMOVE + println!("{:?}", aek); + + self.set_active(src_enclave_id, aek.key)?; + + Ok(msg3) + } } -pub fn exchange_report( - src_enclave_id: sgx_enclave_id_t, +fn init_responder_ocall(this_enclave_id: &u64) -> Result { + dh_sessions().initiate_response(this_enclave_id) + // TODO: this should call the ocall to the peer enclave. +} + +fn exchange_report_ocall( + this_enclave_id: &u64, dh_msg2: &sgx_dh_msg2_t, ) -> Result { - // Acquire write lock for the whole function since we need to mutate the session value - let mut sessions = DH_SESSIONS - .write() - .or(Err(sgx_status_t::SGX_ERROR_UNEXPECTED))?; - - // TODO: Custom error type - let mut responder_session = sessions - .get_mut(&src_enclave_id) - .ok_or(sgx_status_t::SGX_ERROR_INVALID_PARAMETER)?; - - let (dh_msg3, aek) = match responder_session.session_status { - DhSessionStatus::InProgress(mut responder) => { - let mut msg3 = SgxDhMsg3::default(); - let mut aek = sgx_align_key_128bit_t::default(); // Session Key - let mut initiator_identity = sgx_dh_session_enclave_identity_t::default(); - - responder.proc_msg2(dh_msg2, &mut msg3, &mut aek.key, &mut initiator_identity)?; - - // TODO: Verify initiator_identity - (msg3, aek) - } - // TODO: Custom error type - _ => return Err(sgx_status_t::SGX_ERROR_INVALID_PARAMETER), - }; - - println!("{:?}", aek); + dh_sessions().exchange_report(this_enclave_id, dh_msg2) + // TODO: this should call the ocall to the peer enclave. +} - responder_session.session_status = DhSessionStatus::Active(aek); - Ok(dh_msg3) +pub fn dh_sessions() -> &'static DhSessions { + // NOTE: Something similar can be done in the OCALL library + // (by storing pointers to data inside the enclave, outside of the enclave) + // TODO: Figure out session timeouts + static DH_SESSIONS: OnceCell = OnceCell::new(); + DH_SESSIONS.get_or_init(|| DhSessions { + sessions: SgxRwLock::new(HashMap::new()), + }) } diff --git a/rtc_tenclave/src/dh/protected_channel.rs b/rtc_tenclave/src/dh/protected_channel.rs new file mode 100644 index 00000000..84f206b1 --- /dev/null +++ b/rtc_tenclave/src/dh/protected_channel.rs @@ -0,0 +1,101 @@ +use secrecy::{ExposeSecret, Secret}; +use sgx_tcrypto::{rsgx_rijndael128GCM_decrypt, rsgx_rijndael128GCM_encrypt}; +use sgx_tstd::enclave; +use sgx_types::*; +use std::{convert::TryInto, u32}; + +// NIST AES-GCM recommended IV size +type GcmNonce = [u8; 12]; + +pub struct ProtectedChannel { + counter: u32, + key: Secret, +} + +impl ProtectedChannel { + pub fn init(key: sgx_key_128bit_t) -> Self { + Self { + counter: 1, + key: Secret::new(key), + } + } + + pub fn encrypt_message( + &mut self, + plaintext: [u8; MESSAGE_SIZE], + aad: [u8; AAD_SIZE], + ) -> Result, sgx_status_t> { + let nonce = self.gen_nonce(); + let mut dst = [0_u8; MESSAGE_SIZE]; + let mut mac = sgx_aes_gcm_128bit_tag_t::default(); + rsgx_rijndael128GCM_encrypt( + self.key.expose_secret(), + &plaintext, + &nonce, + &aad, + &mut dst, + &mut mac, + )?; + + Ok(EncryptedEnclaveMessage { + tag: mac, + ciphertext: dst, + aad, + nonce, + }) + } + + pub fn decrypt_message( + &self, + message: EncryptedEnclaveMessage, + ) -> Result<[u8; MESSAGE_SIZE], sgx_status_t> { + let mut dst = [0_u8; MESSAGE_SIZE]; + rsgx_rijndael128GCM_decrypt( + self.key.expose_secret(), + &message.ciphertext, + &message.nonce, + &message.aad, + &message.tag, + &mut dst, + )?; + Ok(dst) + } + + fn gen_nonce(&mut self) -> GcmNonce { + self.counter = self.counter + 1; + let counter_bytes = self.counter.to_ne_bytes(); + // TODO: Verify all parameters used here is valid for the local attestation context + // Constructing the iv (nonce) using a counter and value unique to the running + // enclave (for the purposes of local attestation). + // See: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf + [ + enclave::get_enclave_id().to_ne_bytes().as_ref(), // 8 bytes unique to this enclave + counter_bytes.as_ref(), // 4 bytes incrementing on access + ] + .concat() + .try_into() + .unwrap() + } +} + +pub struct EncryptedEnclaveMessage { + tag: sgx_aes_gcm_128bit_tag_t, + ciphertext: [u8; MESSAGE_SIZE], + aad: [u8; AAD_SIZE], + nonce: GcmNonce, +} + +// impl EncryptedEnclaveMessage { +// // IV should contain 64 random bits, and 32 counter bits +// fn encrypt_ecall( +// key: Secret, +// plaintext: [u8; MESSAGE_SIZE], +// ) -> Result { +// } + +// fn decrypt_ecall(&self, key: Secret) -> Result {} +// } + +// fn encrypt_ecall(key: Secret) -> Result {} + +// fn decrypt_ecall(key: Secret) -> Result {} diff --git a/rtc_tenclave/src/dh/types.rs b/rtc_tenclave/src/dh/types.rs deleted file mode 100644 index 23d1e7b4..00000000 --- a/rtc_tenclave/src/dh/types.rs +++ /dev/null @@ -1,20 +0,0 @@ -use sgx_tdh::SgxDhResponder; -use sgx_types::sgx_align_key_128bit_t; - -pub enum DhSessionStatus { - Closed, - InProgress(SgxDhResponder), - Active(sgx_align_key_128bit_t), -} - -impl Default for DhSessionStatus { - fn default() -> DhSessionStatus { - DhSessionStatus::Closed - } -} - -#[derive(Default)] -pub struct DhSession { - pub session_id: u32, - pub session_status: DhSessionStatus, -} diff --git a/rtc_tenclave/src/lib.rs b/rtc_tenclave/src/lib.rs index 08a1c22a..30c9bad9 100644 --- a/rtc_tenclave/src/lib.rs +++ b/rtc_tenclave/src/lib.rs @@ -25,5 +25,4 @@ pub mod crypto; pub mod dh; pub mod enclave; pub mod kv_store; -// pub mod local_attestation; pub mod util; From 8274833a5e799d6e29e50e52f15cb0830616cc85 Mon Sep 17 00:00:00 2001 From: Herman Date: Sat, 15 May 2021 12:23:55 +0200 Subject: [PATCH 03/31] feat(dh): add session closing --- rtc_tenclave/src/dh/mod.rs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rtc_tenclave/src/dh/mod.rs b/rtc_tenclave/src/dh/mod.rs index 567fe654..7ced4d2d 100644 --- a/rtc_tenclave/src/dh/mod.rs +++ b/rtc_tenclave/src/dh/mod.rs @@ -21,7 +21,6 @@ pub unsafe extern "C" fn test_dh() { } enum AtomicSession { - // TODO: Add session closing mechanism Closed, InProgress(SgxDhResponder), Active(Arc>), @@ -51,7 +50,7 @@ impl DhSessions { } } - pub fn take_in_progress(&self, id: &u64) -> Option { + fn take_in_progress(&self, id: &u64) -> Option { let mut sessions = self.lock_write(); if matches!(sessions.get(id)?.as_ref(), AtomicSession::InProgress(_)) { @@ -65,6 +64,11 @@ impl DhSessions { } // TODO: rewrite invariants that will be upheld seperately for responder and initiator + pub fn close_session(&self, id: &u64) -> () { + let mut sessions = self.lock_write(); + sessions.insert(*id, Arc::new(AtomicSession::Closed)); + () + } fn set_active(&self, id: &u64, key: sgx_key_128bit_t) -> Result<(), sgx_status_t> { let result = self.lock_write().insert( From ae93ab633d986fb7dfd2731f217c94e414e361a8 Mon Sep 17 00:00:00 2001 From: Herman Date: Sat, 15 May 2021 12:24:29 +0200 Subject: [PATCH 04/31] feat(dh): update comments and invariant checking --- rtc_tenclave/src/dh/mod.rs | 39 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/rtc_tenclave/src/dh/mod.rs b/rtc_tenclave/src/dh/mod.rs index 7ced4d2d..4d08052a 100644 --- a/rtc_tenclave/src/dh/mod.rs +++ b/rtc_tenclave/src/dh/mod.rs @@ -63,45 +63,44 @@ impl DhSessions { } } - // TODO: rewrite invariants that will be upheld seperately for responder and initiator pub fn close_session(&self, id: &u64) -> () { let mut sessions = self.lock_write(); sessions.insert(*id, Arc::new(AtomicSession::Closed)); () } + /// Creates and sets an active session between this enclave and the enclave with `id` using + /// the `key`. + /// + /// # Valid Operations (It is the responsibility of the caller to ensure these hold) + /// None -> Active = Ok + /// Closed -> Active = Ok + /// InProgress -> Active = Err if it is the same session + /// - In progress value needs to be removed from the map before using it to finalize a session + /// Active -> Active = Err + /// - A session should be closed and then recreated to prevent resetting the nonce counter + /// with the same key. fn set_active(&self, id: &u64, key: sgx_key_128bit_t) -> Result<(), sgx_status_t> { - let result = self.lock_write().insert( + self.lock_write().insert( *id, Arc::new(AtomicSession::Active(Arc::new(SgxMutex::new( ProtectedChannel::init(key), )))), ); - - match result { - // None -> Active = Ok - None => Ok(()), - // Closed -> Active = Ok (new session after closing) - Some(x) if matches!(x.as_ref(), AtomicSession::Closed) => Ok(()), - // InProgress -> Active = Err - // (since the only way to do this is by borrowing the in-progress value as a - // responder, which is not a valid op) - // TODO: There is a special case here if we go from - // Responder -> Initiator (the handshake dropped). We should check that - Some(_) => Err(sgx_status_t::SGX_ERROR_UNEXPECTED), - // Active -> Active = Err (Session should be closed to prevent resetting nonce-counter with same key) - } + Ok(()) } + /// Sets an in_progress session for a responding enclave linked to the provided enclave. + /// + /// # Valid Operations (It is the responsibility of the caller to ensure these hold) + /// InProgress -> InProgress = Ok + /// Closed -> InProgress = Ok + /// Active -> In Progress = Ok if keying material differs fn set_in_progress(&self, id: &u64, responder: SgxDhResponder) -> Result<(), sgx_status_t> { let _result = self .lock_write() .insert(*id, Arc::new(AtomicSession::InProgress(responder))); - // InProgress -> InProgress = ok (new session started by initiator that is being responded to) - // Closed -> InProgress = Ok (new session after closing) - // Active -> In Progress = Ok if keying material differs (the caller might need to uphold this) - // TODO: ^ Ok(()) } From 1d87d93f49b2221ddc770bfef75f1f07ad232b1f Mon Sep 17 00:00:00 2001 From: Herman Date: Sat, 15 May 2021 12:33:01 +0200 Subject: [PATCH 05/31] feat(dh): return channel from channel creation functions --- rtc_tenclave/src/dh/mod.rs | 33 ++++++++++++++++++++++++--------- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/rtc_tenclave/src/dh/mod.rs b/rtc_tenclave/src/dh/mod.rs index 4d08052a..ed857f43 100644 --- a/rtc_tenclave/src/dh/mod.rs +++ b/rtc_tenclave/src/dh/mod.rs @@ -80,14 +80,15 @@ impl DhSessions { /// Active -> Active = Err /// - A session should be closed and then recreated to prevent resetting the nonce counter /// with the same key. - fn set_active(&self, id: &u64, key: sgx_key_128bit_t) -> Result<(), sgx_status_t> { - self.lock_write().insert( - *id, - Arc::new(AtomicSession::Active(Arc::new(SgxMutex::new( - ProtectedChannel::init(key), - )))), - ); - Ok(()) + fn set_active( + &self, + id: &u64, + key: sgx_key_128bit_t, + ) -> Result>, sgx_status_t> { + let channel = Arc::new(SgxMutex::new(ProtectedChannel::init(key))); + self.lock_write() + .insert(*id, Arc::new(AtomicSession::Active(channel.clone()))); + Ok(channel) } /// Sets an in_progress session for a responding enclave linked to the provided enclave. @@ -104,7 +105,10 @@ impl DhSessions { Ok(()) } - pub fn establish_new(&self, dest_enclave_id: &sgx_enclave_id_t) -> Result<(), sgx_status_t> { + pub fn establish_new( + &self, + dest_enclave_id: &sgx_enclave_id_t, + ) -> Result>, sgx_status_t> { let this_enclave_id = enclave::get_enclave_id(); let mut initiator: SgxDhInitiator = SgxDhInitiator::init_session(); @@ -167,6 +171,17 @@ impl DhSessions { Ok(msg3) } + + pub fn get_or_create_session( + &self, + dest_enclave_id: &u64, + ) -> Result>, sgx_status_t> { + if let Some(channel) = self.get_active(dest_enclave_id) { + Ok(channel) + } else { + self.establish_new(dest_enclave_id) + } + } } fn init_responder_ocall(this_enclave_id: &u64) -> Result { From ff2c32b2b3387a84f3f2b63ad35f90f63b3d73f4 Mon Sep 17 00:00:00 2001 From: Herman Date: Sat, 15 May 2021 13:34:25 +0200 Subject: [PATCH 06/31] feat(dh): add function to be used for verifying trust --- rtc_tenclave/src/dh/mod.rs | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/rtc_tenclave/src/dh/mod.rs b/rtc_tenclave/src/dh/mod.rs index ed857f43..d74c01a4 100644 --- a/rtc_tenclave/src/dh/mod.rs +++ b/rtc_tenclave/src/dh/mod.rs @@ -197,6 +197,29 @@ fn exchange_report_ocall( // TODO: this should call the ocall to the peer enclave. } +// TODO: Integrate using function reference with similar signature or a config obj +fn verify_peer_enclave_trust(peer_identity: &sgx_dh_session_enclave_identity_t) -> Result<(), ()> { + let required_flags = SGX_FLAGS_INITTED; + let denied_flags = SGX_FLAGS_DEBUG; + let expected_mrenclave = [0_u8; SGX_HASH_SIZE]; + let expected_mrsigner = [0_u8; SGX_HASH_SIZE]; + + if peer_identity.attributes.flags & required_flags == required_flags { + return Err(()); + } + if peer_identity.attributes.flags & denied_flags != 0 { + return Err(()); + } + if peer_identity.mr_enclave.m != expected_mrenclave { + return Err(()); + } + if peer_identity.mr_signer.m != expected_mrsigner { + return Err(()); + } + + return Ok(()); +} + pub fn dh_sessions() -> &'static DhSessions { // NOTE: Something similar can be done in the OCALL library // (by storing pointers to data inside the enclave, outside of the enclave) From a3ad1edbf13d1b6a634d5ec8eeed69258165652e Mon Sep 17 00:00:00 2001 From: Herman Date: Sat, 15 May 2021 15:20:47 +0200 Subject: [PATCH 07/31] feat(dh): add ecalls and ocall handlers --- rtc_tenclave/src/dh/mod.rs | 108 +++++++++++++++++++++++++++++++------ rtc_types/src/dh.rs | 17 ++++++ rtc_types/src/lib.rs | 1 + 3 files changed, 110 insertions(+), 16 deletions(-) create mode 100644 rtc_types/src/dh.rs diff --git a/rtc_tenclave/src/dh/mod.rs b/rtc_tenclave/src/dh/mod.rs index d74c01a4..771136be 100644 --- a/rtc_tenclave/src/dh/mod.rs +++ b/rtc_tenclave/src/dh/mod.rs @@ -1,6 +1,7 @@ mod protected_channel; use once_cell::sync::OnceCell; +use rtc_types::dh::{ExchangeReportResult, SessionRequestResult}; use sgx_tdh::{SgxDhInitiator, SgxDhMsg1, SgxDhMsg2, SgxDhMsg3, SgxDhResponder}; use sgx_tstd::{ @@ -9,14 +10,33 @@ use sgx_tstd::{ sync::{Arc, SgxMutex, SgxRwLock, SgxRwLockWriteGuard}, }; use sgx_types::*; -use std::ops::Deref; +use std::{mem, ops::Deref}; use protected_channel::ProtectedChannel; +extern "C" { + pub fn rtc_session_request_u( + ret: *mut SessionRequestResult, + src_enclave_id: sgx_enclave_id_t, + dest_enclave_id: sgx_enclave_id_t, + ) -> sgx_status_t; + pub fn rtc_exchange_report_u( + ret: *mut ExchangeReportResult, + src_enclave_id: sgx_enclave_id_t, + dest_enclave_id: sgx_enclave_id_t, + dh_msg2: *const sgx_dh_msg2_t, + ) -> sgx_status_t; + pub fn rtc_end_session_u( + ret: *mut sgx_status_t, + src_enclave_id: sgx_enclave_id_t, + dest_enclave_id: sgx_enclave_id_t, + ) -> sgx_status_t; +} + #[no_mangle] pub unsafe extern "C" fn test_dh() { dh_sessions() - .establish_new(&enclave::get_enclave_id()) + .establish_new(enclave::get_enclave_id()) .expect("test failed"); } @@ -82,12 +102,12 @@ impl DhSessions { /// with the same key. fn set_active( &self, - id: &u64, + id: u64, key: sgx_key_128bit_t, ) -> Result>, sgx_status_t> { let channel = Arc::new(SgxMutex::new(ProtectedChannel::init(key))); self.lock_write() - .insert(*id, Arc::new(AtomicSession::Active(channel.clone()))); + .insert(id, Arc::new(AtomicSession::Active(channel.clone()))); Ok(channel) } @@ -107,16 +127,16 @@ impl DhSessions { pub fn establish_new( &self, - dest_enclave_id: &sgx_enclave_id_t, + dest_enclave_id: sgx_enclave_id_t, ) -> Result>, sgx_status_t> { let this_enclave_id = enclave::get_enclave_id(); let mut initiator: SgxDhInitiator = SgxDhInitiator::init_session(); - let dh_msg1 = init_responder_ocall(&this_enclave_id)?; + let dh_msg1 = init_responder_ocall(this_enclave_id, dest_enclave_id)?; let mut dh_msg2 = SgxDhMsg2::default(); initiator.proc_msg1(&dh_msg1, &mut dh_msg2)?; - let dh_msg3 = exchange_report_ocall(&this_enclave_id, &dh_msg2)?; + let dh_msg3 = exchange_report_ocall(this_enclave_id, dest_enclave_id, &dh_msg2)?; let mut aek = sgx_align_key_128bit_t::default(); // Session Key let mut responder_identity = sgx_dh_session_enclave_identity_t::default(); @@ -148,7 +168,7 @@ impl DhSessions { pub fn exchange_report( &self, - src_enclave_id: &sgx_enclave_id_t, + src_enclave_id: sgx_enclave_id_t, dh_msg2: &sgx_dh_msg2_t, ) -> Result { let mut responder = self @@ -174,9 +194,9 @@ impl DhSessions { pub fn get_or_create_session( &self, - dest_enclave_id: &u64, + dest_enclave_id: u64, ) -> Result>, sgx_status_t> { - if let Some(channel) = self.get_active(dest_enclave_id) { + if let Some(channel) = self.get_active(&dest_enclave_id) { Ok(channel) } else { self.establish_new(dest_enclave_id) @@ -184,17 +204,73 @@ impl DhSessions { } } -fn init_responder_ocall(this_enclave_id: &u64) -> Result { - dh_sessions().initiate_response(this_enclave_id) - // TODO: this should call the ocall to the peer enclave. +fn init_responder_ocall( + this_enclave_id: u64, + dest_enclave_id: u64, +) -> Result { + let mut ret = SessionRequestResult::default(); + + // TODO: Safety + let ocall_res = unsafe { rtc_session_request_u(&mut ret, this_enclave_id, dest_enclave_id) }; + + match ocall_res { + sgx_status_t::SGX_SUCCESS => ret.into(), + err => Err(err), + } + + // dh_sessions().initiate_response(this_enclave_id) } fn exchange_report_ocall( - this_enclave_id: &u64, + this_enclave_id: u64, + dest_enclave_id: u64, dh_msg2: &sgx_dh_msg2_t, ) -> Result { - dh_sessions().exchange_report(this_enclave_id, dh_msg2) - // TODO: this should call the ocall to the peer enclave. + let mut ret = ExchangeReportResult::default(); + + // TODO: Safety + let ocall_res = + unsafe { rtc_exchange_report_u(&mut ret, this_enclave_id, dest_enclave_id, dh_msg2) }; + + match ocall_res { + sgx_status_t::SGX_SUCCESS => { + let res: Result = ret.into(); + let mut msg3_raw = res?; + + let raw_len = + mem::size_of::() as u32 + msg3_raw.msg3_body.additional_prop_length; + + // TODO: Safety + unsafe { SgxDhMsg3::from_raw_dh_msg3_t(&mut msg3_raw, raw_len) } + .ok_or(sgx_status_t::SGX_ERROR_UNEXPECTED) + } + err => Err(err), + } + + // dh_sessions().exchange_report(this_enclave_id, dh_msg2) +} + +#[no_mangle] +pub extern "C" fn rtc_session_request(src_enclave_id: sgx_enclave_id_t) -> SessionRequestResult { + dh_sessions().initiate_response(&src_enclave_id).into() +} + +#[no_mangle] +pub unsafe extern "C" fn rtc_exchange_report( + src_enclave_id: sgx_enclave_id_t, + dh_msg2_ptr: *const sgx_dh_msg2_t, +) -> ExchangeReportResult { + // TODO: Safety + let dh_msg2 = unsafe { &*dh_msg2_ptr }; + + dh_sessions() + .exchange_report(src_enclave_id, dh_msg2) + .map(|msg3| { + let mut msg3_raw = sgx_dh_msg3_t::default(); + unsafe { msg3.to_raw_dh_msg3_t(&mut msg3_raw, msg3.calc_raw_sealed_data_size()) }; + msg3_raw + }) + .into() } // TODO: Integrate using function reference with similar signature or a config obj diff --git a/rtc_types/src/dh.rs b/rtc_types/src/dh.rs new file mode 100644 index 00000000..d0890a74 --- /dev/null +++ b/rtc_types/src/dh.rs @@ -0,0 +1,17 @@ +use crate::EcallResult; +use sgx_types::*; + +pub type SessionRequestResult = EcallResult; +pub type ExchangeReportResult = EcallResult; + +impl Default for SessionRequestResult { + fn default() -> Self { + Self::Err(sgx_status_t::SGX_SUCCESS) + } +} + +impl Default for ExchangeReportResult { + fn default() -> Self { + Self::Err(sgx_status_t::SGX_SUCCESS) + } +} diff --git a/rtc_types/src/lib.rs b/rtc_types/src/lib.rs index 50ad8a6b..7a5f7892 100644 --- a/rtc_types/src/lib.rs +++ b/rtc_types/src/lib.rs @@ -16,6 +16,7 @@ use sgx_types::*; use std::boxed::Box; mod data_upload; +pub mod dh; pub use data_upload::*; mod exec_token; From 7555bb8069014735111672d18c13793c7df53ec4 Mon Sep 17 00:00:00 2001 From: Herman Date: Sat, 15 May 2021 16:38:01 +0200 Subject: [PATCH 08/31] feat(dh): update data and auth enclave codegen --- buildenv.mk | 3 + codegen/auth_enclave/Enclave_t.c | 564 +++++++++++++++++++++++++++---- codegen/auth_enclave/Enclave_t.h | 14 + codegen/auth_enclave/Enclave_u.c | 170 +++++++++- codegen/auth_enclave/Enclave_u.h | 38 +++ codegen/auth_enclave/bindings.h | 44 +++ codegen/data_enclave/Enclave_t.c | 373 ++++++++++++++++---- codegen/data_enclave/Enclave_t.h | 9 + codegen/data_enclave/Enclave_u.c | 97 +++++- codegen/data_enclave/Enclave_u.h | 18 + codegen/data_enclave/bindings.h | 44 +++ edl/rtc_tenclave.edl | 21 ++ rtc_auth_enclave/Enclave.edl | 2 + rtc_auth_enclave/Makefile | 2 +- rtc_data_enclave/Enclave.edl | 2 + rtc_data_enclave/Makefile | 2 +- rtc_tenclave/src/dh/mod.rs | 7 + 17 files changed, 1270 insertions(+), 140 deletions(-) create mode 100644 edl/rtc_tenclave.edl diff --git a/buildenv.mk b/buildenv.mk index 9e8d85a5..d3e963e6 100644 --- a/buildenv.mk +++ b/buildenv.mk @@ -166,4 +166,7 @@ ENCLAVE_LDFLAGS = $(COMMON_LDFLAGS) -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefi ENCLAVE_CFLAGS += $(MITIGATION_CFLAGS) ENCLAVE_ASFLAGS = $(MITIGATION_ASFLAGS) +# RTC SPECIFIC +RTC_EDL_PATH = /root/rtc-data/edl + diff --git a/codegen/auth_enclave/Enclave_t.c b/codegen/auth_enclave/Enclave_t.c index ad4fcbee..4c058fe5 100644 --- a/codegen/auth_enclave/Enclave_t.c +++ b/codegen/auth_enclave/Enclave_t.c @@ -40,6 +40,22 @@ typedef struct ms_t_global_init_ecall_t { size_t ms_len; } ms_t_global_init_ecall_t; +typedef struct ms_rtc_session_request_t { + SessionRequestResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; +} ms_rtc_session_request_t; + +typedef struct ms_rtc_exchange_report_t { + ExchangeReportResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_dh_msg2_t* ms_dh_msg2; +} ms_rtc_exchange_report_t; + +typedef struct ms_rtc_end_session_t { + sgx_status_t ms_retval; + sgx_enclave_id_t ms_src_enclave_id; +} ms_rtc_end_session_t; + typedef struct ms_u_thread_set_event_ocall_t { int ms_retval; int* ms_error; @@ -438,6 +454,53 @@ typedef struct ms_u_fstatat64_ocall_t { int ms_flags; } ms_u_fstatat64_ocall_t; +typedef struct ms_rtc_session_request_u_t { + SessionRequestResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_enclave_id_t ms_dest_enclave_id; +} ms_rtc_session_request_u_t; + +typedef struct ms_rtc_exchange_report_u_t { + ExchangeReportResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_enclave_id_t ms_dest_enclave_id; + sgx_dh_msg2_t* ms_dh_msg2; +} ms_rtc_exchange_report_u_t; + +typedef struct ms_rtc_end_session_u_t { + sgx_status_t ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_enclave_id_t ms_dest_enclave_id; +} ms_rtc_end_session_u_t; + +typedef struct ms_sgx_oc_cpuidex_t { + int* ms_cpuinfo; + int ms_leaf; + int ms_subleaf; +} ms_sgx_oc_cpuidex_t; + +typedef struct ms_sgx_thread_wait_untrusted_event_ocall_t { + int ms_retval; + const void* ms_self; +} ms_sgx_thread_wait_untrusted_event_ocall_t; + +typedef struct ms_sgx_thread_set_untrusted_event_ocall_t { + int ms_retval; + const void* ms_waiter; +} ms_sgx_thread_set_untrusted_event_ocall_t; + +typedef struct ms_sgx_thread_setwait_untrusted_events_ocall_t { + int ms_retval; + const void* ms_waiter; + const void* ms_self; +} ms_sgx_thread_setwait_untrusted_events_ocall_t; + +typedef struct ms_sgx_thread_set_multiple_untrusted_events_ocall_t { + int ms_retval; + const void** ms_waiters; + size_t ms_total; +} ms_sgx_thread_set_multiple_untrusted_events_ocall_t; + static sgx_status_t SGX_CDECL sgx_enclave_create_report(void* pms) { CHECK_REF_POINTER(pms, sizeof(ms_enclave_create_report_t)); @@ -572,79 +635,167 @@ static sgx_status_t SGX_CDECL sgx_t_global_exit_ecall(void* pms) return status; } +static sgx_status_t SGX_CDECL sgx_rtc_session_request(void* pms) +{ + CHECK_REF_POINTER(pms, sizeof(ms_rtc_session_request_t)); + // + // fence after pointer checks + // + sgx_lfence(); + ms_rtc_session_request_t* ms = SGX_CAST(ms_rtc_session_request_t*, pms); + sgx_status_t status = SGX_SUCCESS; + + + + ms->ms_retval = rtc_session_request(ms->ms_src_enclave_id); + + + return status; +} + +static sgx_status_t SGX_CDECL sgx_rtc_exchange_report(void* pms) +{ + CHECK_REF_POINTER(pms, sizeof(ms_rtc_exchange_report_t)); + // + // fence after pointer checks + // + sgx_lfence(); + ms_rtc_exchange_report_t* ms = SGX_CAST(ms_rtc_exchange_report_t*, pms); + sgx_status_t status = SGX_SUCCESS; + sgx_dh_msg2_t* _tmp_dh_msg2 = ms->ms_dh_msg2; + size_t _len_dh_msg2 = sizeof(sgx_dh_msg2_t); + sgx_dh_msg2_t* _in_dh_msg2 = NULL; + + CHECK_UNIQUE_POINTER(_tmp_dh_msg2, _len_dh_msg2); + + // + // fence after pointer checks + // + sgx_lfence(); + + if (_tmp_dh_msg2 != NULL && _len_dh_msg2 != 0) { + _in_dh_msg2 = (sgx_dh_msg2_t*)malloc(_len_dh_msg2); + if (_in_dh_msg2 == NULL) { + status = SGX_ERROR_OUT_OF_MEMORY; + goto err; + } + + if (memcpy_s(_in_dh_msg2, _len_dh_msg2, _tmp_dh_msg2, _len_dh_msg2)) { + status = SGX_ERROR_UNEXPECTED; + goto err; + } + + } + + ms->ms_retval = rtc_exchange_report(ms->ms_src_enclave_id, _in_dh_msg2); + +err: + if (_in_dh_msg2) free(_in_dh_msg2); + return status; +} + +static sgx_status_t SGX_CDECL sgx_rtc_end_session(void* pms) +{ + CHECK_REF_POINTER(pms, sizeof(ms_rtc_end_session_t)); + // + // fence after pointer checks + // + sgx_lfence(); + ms_rtc_end_session_t* ms = SGX_CAST(ms_rtc_end_session_t*, pms); + sgx_status_t status = SGX_SUCCESS; + + + + ms->ms_retval = rtc_end_session(ms->ms_src_enclave_id); + + + return status; +} + SGX_EXTERNC const struct { size_t nr_ecall; - struct {void* ecall_addr; uint8_t is_priv; uint8_t is_switchless;} ecall_table[3]; + struct {void* ecall_addr; uint8_t is_priv; uint8_t is_switchless;} ecall_table[6]; } g_ecall_table = { - 3, + 6, { {(void*)(uintptr_t)sgx_enclave_create_report, 0, 0}, {(void*)(uintptr_t)sgx_t_global_init_ecall, 0, 0}, {(void*)(uintptr_t)sgx_t_global_exit_ecall, 0, 0}, + {(void*)(uintptr_t)sgx_rtc_session_request, 0, 0}, + {(void*)(uintptr_t)sgx_rtc_exchange_report, 0, 0}, + {(void*)(uintptr_t)sgx_rtc_end_session, 0, 0}, } }; SGX_EXTERNC const struct { size_t nr_ocall; - uint8_t entry_table[55][3]; + uint8_t entry_table[63][6]; } g_dyn_entry_table = { - 55, + 63, { - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, - {0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, }, } }; @@ -4477,3 +4628,298 @@ sgx_status_t SGX_CDECL u_fstatat64_ocall(int* retval, int* error, int dirfd, con return status; } +sgx_status_t SGX_CDECL rtc_session_request_u(SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id) +{ + sgx_status_t status = SGX_SUCCESS; + + ms_rtc_session_request_u_t* ms = NULL; + size_t ocalloc_size = sizeof(ms_rtc_session_request_u_t); + void *__tmp = NULL; + + + __tmp = sgx_ocalloc(ocalloc_size); + if (__tmp == NULL) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + ms = (ms_rtc_session_request_u_t*)__tmp; + __tmp = (void *)((size_t)__tmp + sizeof(ms_rtc_session_request_u_t)); + ocalloc_size -= sizeof(ms_rtc_session_request_u_t); + + ms->ms_src_enclave_id = src_enclave_id; + ms->ms_dest_enclave_id = dest_enclave_id; + status = sgx_ocall(55, ms); + + if (status == SGX_SUCCESS) { + if (retval) *retval = ms->ms_retval; + } + sgx_ocfree(); + return status; +} + +sgx_status_t SGX_CDECL rtc_exchange_report_u(ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id, sgx_dh_msg2_t* dh_msg2) +{ + sgx_status_t status = SGX_SUCCESS; + size_t _len_dh_msg2 = sizeof(sgx_dh_msg2_t); + + ms_rtc_exchange_report_u_t* ms = NULL; + size_t ocalloc_size = sizeof(ms_rtc_exchange_report_u_t); + void *__tmp = NULL; + + + CHECK_ENCLAVE_POINTER(dh_msg2, _len_dh_msg2); + + if (ADD_ASSIGN_OVERFLOW(ocalloc_size, (dh_msg2 != NULL) ? _len_dh_msg2 : 0)) + return SGX_ERROR_INVALID_PARAMETER; + + __tmp = sgx_ocalloc(ocalloc_size); + if (__tmp == NULL) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + ms = (ms_rtc_exchange_report_u_t*)__tmp; + __tmp = (void *)((size_t)__tmp + sizeof(ms_rtc_exchange_report_u_t)); + ocalloc_size -= sizeof(ms_rtc_exchange_report_u_t); + + ms->ms_src_enclave_id = src_enclave_id; + ms->ms_dest_enclave_id = dest_enclave_id; + if (dh_msg2 != NULL) { + ms->ms_dh_msg2 = (sgx_dh_msg2_t*)__tmp; + if (memcpy_s(__tmp, ocalloc_size, dh_msg2, _len_dh_msg2)) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + __tmp = (void *)((size_t)__tmp + _len_dh_msg2); + ocalloc_size -= _len_dh_msg2; + } else { + ms->ms_dh_msg2 = NULL; + } + + status = sgx_ocall(56, ms); + + if (status == SGX_SUCCESS) { + if (retval) *retval = ms->ms_retval; + } + sgx_ocfree(); + return status; +} + +sgx_status_t SGX_CDECL rtc_end_session_u(sgx_status_t* retval, sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id) +{ + sgx_status_t status = SGX_SUCCESS; + + ms_rtc_end_session_u_t* ms = NULL; + size_t ocalloc_size = sizeof(ms_rtc_end_session_u_t); + void *__tmp = NULL; + + + __tmp = sgx_ocalloc(ocalloc_size); + if (__tmp == NULL) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + ms = (ms_rtc_end_session_u_t*)__tmp; + __tmp = (void *)((size_t)__tmp + sizeof(ms_rtc_end_session_u_t)); + ocalloc_size -= sizeof(ms_rtc_end_session_u_t); + + ms->ms_src_enclave_id = src_enclave_id; + ms->ms_dest_enclave_id = dest_enclave_id; + status = sgx_ocall(57, ms); + + if (status == SGX_SUCCESS) { + if (retval) *retval = ms->ms_retval; + } + sgx_ocfree(); + return status; +} + +sgx_status_t SGX_CDECL sgx_oc_cpuidex(int cpuinfo[4], int leaf, int subleaf) +{ + sgx_status_t status = SGX_SUCCESS; + size_t _len_cpuinfo = 4 * sizeof(int); + + ms_sgx_oc_cpuidex_t* ms = NULL; + size_t ocalloc_size = sizeof(ms_sgx_oc_cpuidex_t); + void *__tmp = NULL; + + void *__tmp_cpuinfo = NULL; + + CHECK_ENCLAVE_POINTER(cpuinfo, _len_cpuinfo); + + if (ADD_ASSIGN_OVERFLOW(ocalloc_size, (cpuinfo != NULL) ? _len_cpuinfo : 0)) + return SGX_ERROR_INVALID_PARAMETER; + + __tmp = sgx_ocalloc(ocalloc_size); + if (__tmp == NULL) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + ms = (ms_sgx_oc_cpuidex_t*)__tmp; + __tmp = (void *)((size_t)__tmp + sizeof(ms_sgx_oc_cpuidex_t)); + ocalloc_size -= sizeof(ms_sgx_oc_cpuidex_t); + + if (cpuinfo != NULL) { + ms->ms_cpuinfo = (int*)__tmp; + __tmp_cpuinfo = __tmp; + if (_len_cpuinfo % sizeof(*cpuinfo) != 0) { + sgx_ocfree(); + return SGX_ERROR_INVALID_PARAMETER; + } + memset(__tmp_cpuinfo, 0, _len_cpuinfo); + __tmp = (void *)((size_t)__tmp + _len_cpuinfo); + ocalloc_size -= _len_cpuinfo; + } else { + ms->ms_cpuinfo = NULL; + } + + ms->ms_leaf = leaf; + ms->ms_subleaf = subleaf; + status = sgx_ocall(58, ms); + + if (status == SGX_SUCCESS) { + if (cpuinfo) { + if (memcpy_s((void*)cpuinfo, _len_cpuinfo, __tmp_cpuinfo, _len_cpuinfo)) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + } + } + sgx_ocfree(); + return status; +} + +sgx_status_t SGX_CDECL sgx_thread_wait_untrusted_event_ocall(int* retval, const void* self) +{ + sgx_status_t status = SGX_SUCCESS; + + ms_sgx_thread_wait_untrusted_event_ocall_t* ms = NULL; + size_t ocalloc_size = sizeof(ms_sgx_thread_wait_untrusted_event_ocall_t); + void *__tmp = NULL; + + + __tmp = sgx_ocalloc(ocalloc_size); + if (__tmp == NULL) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + ms = (ms_sgx_thread_wait_untrusted_event_ocall_t*)__tmp; + __tmp = (void *)((size_t)__tmp + sizeof(ms_sgx_thread_wait_untrusted_event_ocall_t)); + ocalloc_size -= sizeof(ms_sgx_thread_wait_untrusted_event_ocall_t); + + ms->ms_self = self; + status = sgx_ocall(59, ms); + + if (status == SGX_SUCCESS) { + if (retval) *retval = ms->ms_retval; + } + sgx_ocfree(); + return status; +} + +sgx_status_t SGX_CDECL sgx_thread_set_untrusted_event_ocall(int* retval, const void* waiter) +{ + sgx_status_t status = SGX_SUCCESS; + + ms_sgx_thread_set_untrusted_event_ocall_t* ms = NULL; + size_t ocalloc_size = sizeof(ms_sgx_thread_set_untrusted_event_ocall_t); + void *__tmp = NULL; + + + __tmp = sgx_ocalloc(ocalloc_size); + if (__tmp == NULL) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + ms = (ms_sgx_thread_set_untrusted_event_ocall_t*)__tmp; + __tmp = (void *)((size_t)__tmp + sizeof(ms_sgx_thread_set_untrusted_event_ocall_t)); + ocalloc_size -= sizeof(ms_sgx_thread_set_untrusted_event_ocall_t); + + ms->ms_waiter = waiter; + status = sgx_ocall(60, ms); + + if (status == SGX_SUCCESS) { + if (retval) *retval = ms->ms_retval; + } + sgx_ocfree(); + return status; +} + +sgx_status_t SGX_CDECL sgx_thread_setwait_untrusted_events_ocall(int* retval, const void* waiter, const void* self) +{ + sgx_status_t status = SGX_SUCCESS; + + ms_sgx_thread_setwait_untrusted_events_ocall_t* ms = NULL; + size_t ocalloc_size = sizeof(ms_sgx_thread_setwait_untrusted_events_ocall_t); + void *__tmp = NULL; + + + __tmp = sgx_ocalloc(ocalloc_size); + if (__tmp == NULL) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + ms = (ms_sgx_thread_setwait_untrusted_events_ocall_t*)__tmp; + __tmp = (void *)((size_t)__tmp + sizeof(ms_sgx_thread_setwait_untrusted_events_ocall_t)); + ocalloc_size -= sizeof(ms_sgx_thread_setwait_untrusted_events_ocall_t); + + ms->ms_waiter = waiter; + ms->ms_self = self; + status = sgx_ocall(61, ms); + + if (status == SGX_SUCCESS) { + if (retval) *retval = ms->ms_retval; + } + sgx_ocfree(); + return status; +} + +sgx_status_t SGX_CDECL sgx_thread_set_multiple_untrusted_events_ocall(int* retval, const void** waiters, size_t total) +{ + sgx_status_t status = SGX_SUCCESS; + size_t _len_waiters = total * sizeof(void*); + + ms_sgx_thread_set_multiple_untrusted_events_ocall_t* ms = NULL; + size_t ocalloc_size = sizeof(ms_sgx_thread_set_multiple_untrusted_events_ocall_t); + void *__tmp = NULL; + + + CHECK_ENCLAVE_POINTER(waiters, _len_waiters); + + if (ADD_ASSIGN_OVERFLOW(ocalloc_size, (waiters != NULL) ? _len_waiters : 0)) + return SGX_ERROR_INVALID_PARAMETER; + + __tmp = sgx_ocalloc(ocalloc_size); + if (__tmp == NULL) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + ms = (ms_sgx_thread_set_multiple_untrusted_events_ocall_t*)__tmp; + __tmp = (void *)((size_t)__tmp + sizeof(ms_sgx_thread_set_multiple_untrusted_events_ocall_t)); + ocalloc_size -= sizeof(ms_sgx_thread_set_multiple_untrusted_events_ocall_t); + + if (waiters != NULL) { + ms->ms_waiters = (const void**)__tmp; + if (_len_waiters % sizeof(*waiters) != 0) { + sgx_ocfree(); + return SGX_ERROR_INVALID_PARAMETER; + } + if (memcpy_s(__tmp, ocalloc_size, waiters, _len_waiters)) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + __tmp = (void *)((size_t)__tmp + _len_waiters); + ocalloc_size -= _len_waiters; + } else { + ms->ms_waiters = NULL; + } + + ms->ms_total = total; + status = sgx_ocall(62, ms); + + if (status == SGX_SUCCESS) { + if (retval) *retval = ms->ms_retval; + } + sgx_ocfree(); + return status; +} + diff --git a/codegen/auth_enclave/Enclave_t.h b/codegen/auth_enclave/Enclave_t.h index bbad0429..e4ab773c 100644 --- a/codegen/auth_enclave/Enclave_t.h +++ b/codegen/auth_enclave/Enclave_t.h @@ -7,12 +7,15 @@ #include "sgx_edger8r.h" /* for sgx_ocall etc. */ #include "sgx_report.h" +#include "sgx_dh.h" #include "bindings.h" #include "time.h" #include "inc/stat.h" #include "sys/uio.h" #include "inc/stat.h" #include "inc/dirent.h" +#include "sgx_eid.h" +#include "sgx_dh.h" #include /* for size_t */ @@ -25,6 +28,9 @@ extern "C" { CreateReportResult enclave_create_report(const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report); void t_global_init_ecall(uint64_t id, const uint8_t* path, size_t len); void t_global_exit_ecall(void); +SessionRequestResult rtc_session_request(sgx_enclave_id_t src_enclave_id); +ExchangeReportResult rtc_exchange_report(sgx_enclave_id_t src_enclave_id, sgx_dh_msg2_t* dh_msg2); +sgx_status_t rtc_end_session(sgx_enclave_id_t src_enclave_id); sgx_status_t SGX_CDECL u_thread_set_event_ocall(int* retval, int* error, const void* tcs); sgx_status_t SGX_CDECL u_thread_wait_event_ocall(int* retval, int* error, const void* tcs, const struct timespec* timeout); @@ -81,6 +87,14 @@ sgx_status_t SGX_CDECL u_readdir64_r_ocall(int* retval, void* dirp, struct diren sgx_status_t SGX_CDECL u_closedir_ocall(int* retval, int* error, void* dirp); sgx_status_t SGX_CDECL u_dirfd_ocall(int* retval, int* error, void* dirp); sgx_status_t SGX_CDECL u_fstatat64_ocall(int* retval, int* error, int dirfd, const char* pathname, struct stat64_t* buf, int flags); +sgx_status_t SGX_CDECL rtc_session_request_u(SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id); +sgx_status_t SGX_CDECL rtc_exchange_report_u(ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id, sgx_dh_msg2_t* dh_msg2); +sgx_status_t SGX_CDECL rtc_end_session_u(sgx_status_t* retval, sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id); +sgx_status_t SGX_CDECL sgx_oc_cpuidex(int cpuinfo[4], int leaf, int subleaf); +sgx_status_t SGX_CDECL sgx_thread_wait_untrusted_event_ocall(int* retval, const void* self); +sgx_status_t SGX_CDECL sgx_thread_set_untrusted_event_ocall(int* retval, const void* waiter); +sgx_status_t SGX_CDECL sgx_thread_setwait_untrusted_events_ocall(int* retval, const void* waiter, const void* self); +sgx_status_t SGX_CDECL sgx_thread_set_multiple_untrusted_events_ocall(int* retval, const void** waiters, size_t total); #ifdef __cplusplus } diff --git a/codegen/auth_enclave/Enclave_u.c b/codegen/auth_enclave/Enclave_u.c index 991533ef..52ce7b43 100644 --- a/codegen/auth_enclave/Enclave_u.c +++ b/codegen/auth_enclave/Enclave_u.c @@ -14,6 +14,22 @@ typedef struct ms_t_global_init_ecall_t { size_t ms_len; } ms_t_global_init_ecall_t; +typedef struct ms_rtc_session_request_t { + SessionRequestResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; +} ms_rtc_session_request_t; + +typedef struct ms_rtc_exchange_report_t { + ExchangeReportResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_dh_msg2_t* ms_dh_msg2; +} ms_rtc_exchange_report_t; + +typedef struct ms_rtc_end_session_t { + sgx_status_t ms_retval; + sgx_enclave_id_t ms_src_enclave_id; +} ms_rtc_end_session_t; + typedef struct ms_u_thread_set_event_ocall_t { int ms_retval; int* ms_error; @@ -412,6 +428,53 @@ typedef struct ms_u_fstatat64_ocall_t { int ms_flags; } ms_u_fstatat64_ocall_t; +typedef struct ms_rtc_session_request_u_t { + SessionRequestResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_enclave_id_t ms_dest_enclave_id; +} ms_rtc_session_request_u_t; + +typedef struct ms_rtc_exchange_report_u_t { + ExchangeReportResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_enclave_id_t ms_dest_enclave_id; + sgx_dh_msg2_t* ms_dh_msg2; +} ms_rtc_exchange_report_u_t; + +typedef struct ms_rtc_end_session_u_t { + sgx_status_t ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_enclave_id_t ms_dest_enclave_id; +} ms_rtc_end_session_u_t; + +typedef struct ms_sgx_oc_cpuidex_t { + int* ms_cpuinfo; + int ms_leaf; + int ms_subleaf; +} ms_sgx_oc_cpuidex_t; + +typedef struct ms_sgx_thread_wait_untrusted_event_ocall_t { + int ms_retval; + const void* ms_self; +} ms_sgx_thread_wait_untrusted_event_ocall_t; + +typedef struct ms_sgx_thread_set_untrusted_event_ocall_t { + int ms_retval; + const void* ms_waiter; +} ms_sgx_thread_set_untrusted_event_ocall_t; + +typedef struct ms_sgx_thread_setwait_untrusted_events_ocall_t { + int ms_retval; + const void* ms_waiter; + const void* ms_self; +} ms_sgx_thread_setwait_untrusted_events_ocall_t; + +typedef struct ms_sgx_thread_set_multiple_untrusted_events_ocall_t { + int ms_retval; + const void** ms_waiters; + size_t ms_total; +} ms_sgx_thread_set_multiple_untrusted_events_ocall_t; + static sgx_status_t SGX_CDECL Enclave_u_thread_set_event_ocall(void* pms) { ms_u_thread_set_event_ocall_t* ms = SGX_CAST(ms_u_thread_set_event_ocall_t*, pms); @@ -852,11 +915,75 @@ static sgx_status_t SGX_CDECL Enclave_u_fstatat64_ocall(void* pms) return SGX_SUCCESS; } +static sgx_status_t SGX_CDECL Enclave_rtc_session_request_u(void* pms) +{ + ms_rtc_session_request_u_t* ms = SGX_CAST(ms_rtc_session_request_u_t*, pms); + ms->ms_retval = rtc_session_request_u(ms->ms_src_enclave_id, ms->ms_dest_enclave_id); + + return SGX_SUCCESS; +} + +static sgx_status_t SGX_CDECL Enclave_rtc_exchange_report_u(void* pms) +{ + ms_rtc_exchange_report_u_t* ms = SGX_CAST(ms_rtc_exchange_report_u_t*, pms); + ms->ms_retval = rtc_exchange_report_u(ms->ms_src_enclave_id, ms->ms_dest_enclave_id, ms->ms_dh_msg2); + + return SGX_SUCCESS; +} + +static sgx_status_t SGX_CDECL Enclave_rtc_end_session_u(void* pms) +{ + ms_rtc_end_session_u_t* ms = SGX_CAST(ms_rtc_end_session_u_t*, pms); + ms->ms_retval = rtc_end_session_u(ms->ms_src_enclave_id, ms->ms_dest_enclave_id); + + return SGX_SUCCESS; +} + +static sgx_status_t SGX_CDECL Enclave_sgx_oc_cpuidex(void* pms) +{ + ms_sgx_oc_cpuidex_t* ms = SGX_CAST(ms_sgx_oc_cpuidex_t*, pms); + sgx_oc_cpuidex(ms->ms_cpuinfo, ms->ms_leaf, ms->ms_subleaf); + + return SGX_SUCCESS; +} + +static sgx_status_t SGX_CDECL Enclave_sgx_thread_wait_untrusted_event_ocall(void* pms) +{ + ms_sgx_thread_wait_untrusted_event_ocall_t* ms = SGX_CAST(ms_sgx_thread_wait_untrusted_event_ocall_t*, pms); + ms->ms_retval = sgx_thread_wait_untrusted_event_ocall(ms->ms_self); + + return SGX_SUCCESS; +} + +static sgx_status_t SGX_CDECL Enclave_sgx_thread_set_untrusted_event_ocall(void* pms) +{ + ms_sgx_thread_set_untrusted_event_ocall_t* ms = SGX_CAST(ms_sgx_thread_set_untrusted_event_ocall_t*, pms); + ms->ms_retval = sgx_thread_set_untrusted_event_ocall(ms->ms_waiter); + + return SGX_SUCCESS; +} + +static sgx_status_t SGX_CDECL Enclave_sgx_thread_setwait_untrusted_events_ocall(void* pms) +{ + ms_sgx_thread_setwait_untrusted_events_ocall_t* ms = SGX_CAST(ms_sgx_thread_setwait_untrusted_events_ocall_t*, pms); + ms->ms_retval = sgx_thread_setwait_untrusted_events_ocall(ms->ms_waiter, ms->ms_self); + + return SGX_SUCCESS; +} + +static sgx_status_t SGX_CDECL Enclave_sgx_thread_set_multiple_untrusted_events_ocall(void* pms) +{ + ms_sgx_thread_set_multiple_untrusted_events_ocall_t* ms = SGX_CAST(ms_sgx_thread_set_multiple_untrusted_events_ocall_t*, pms); + ms->ms_retval = sgx_thread_set_multiple_untrusted_events_ocall(ms->ms_waiters, ms->ms_total); + + return SGX_SUCCESS; +} + static const struct { size_t nr_ocall; - void * table[55]; + void * table[63]; } ocall_table_Enclave = { - 55, + 63, { (void*)Enclave_u_thread_set_event_ocall, (void*)Enclave_u_thread_wait_event_ocall, @@ -913,6 +1040,14 @@ static const struct { (void*)Enclave_u_closedir_ocall, (void*)Enclave_u_dirfd_ocall, (void*)Enclave_u_fstatat64_ocall, + (void*)Enclave_rtc_session_request_u, + (void*)Enclave_rtc_exchange_report_u, + (void*)Enclave_rtc_end_session_u, + (void*)Enclave_sgx_oc_cpuidex, + (void*)Enclave_sgx_thread_wait_untrusted_event_ocall, + (void*)Enclave_sgx_thread_set_untrusted_event_ocall, + (void*)Enclave_sgx_thread_setwait_untrusted_events_ocall, + (void*)Enclave_sgx_thread_set_multiple_untrusted_events_ocall, } }; sgx_status_t enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report) @@ -945,3 +1080,34 @@ sgx_status_t t_global_exit_ecall(sgx_enclave_id_t eid) return status; } +sgx_status_t rtc_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id) +{ + sgx_status_t status; + ms_rtc_session_request_t ms; + ms.ms_src_enclave_id = src_enclave_id; + status = sgx_ecall(eid, 3, &ocall_table_Enclave, &ms); + if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; + return status; +} + +sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, sgx_dh_msg2_t* dh_msg2) +{ + sgx_status_t status; + ms_rtc_exchange_report_t ms; + ms.ms_src_enclave_id = src_enclave_id; + ms.ms_dh_msg2 = dh_msg2; + status = sgx_ecall(eid, 4, &ocall_table_Enclave, &ms); + if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; + return status; +} + +sgx_status_t rtc_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t src_enclave_id) +{ + sgx_status_t status; + ms_rtc_end_session_t ms; + ms.ms_src_enclave_id = src_enclave_id; + status = sgx_ecall(eid, 5, &ocall_table_Enclave, &ms); + if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; + return status; +} + diff --git a/codegen/auth_enclave/Enclave_u.h b/codegen/auth_enclave/Enclave_u.h index a72eb278..4047065a 100644 --- a/codegen/auth_enclave/Enclave_u.h +++ b/codegen/auth_enclave/Enclave_u.h @@ -8,12 +8,15 @@ #include "sgx_edger8r.h" /* for sgx_status_t etc. */ #include "sgx_report.h" +#include "sgx_dh.h" #include "bindings.h" #include "time.h" #include "inc/stat.h" #include "sys/uio.h" #include "inc/stat.h" #include "inc/dirent.h" +#include "sgx_eid.h" +#include "sgx_dh.h" #include /* for size_t */ @@ -243,10 +246,45 @@ int SGX_UBRIDGE(SGX_NOCONVENTION, u_dirfd_ocall, (int* error, void* dirp)); #define U_FSTATAT64_OCALL_DEFINED__ int SGX_UBRIDGE(SGX_NOCONVENTION, u_fstatat64_ocall, (int* error, int dirfd, const char* pathname, struct stat64_t* buf, int flags)); #endif +#ifndef RTC_SESSION_REQUEST_U_DEFINED__ +#define RTC_SESSION_REQUEST_U_DEFINED__ +SessionRequestResult SGX_UBRIDGE(SGX_NOCONVENTION, rtc_session_request_u, (sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id)); +#endif +#ifndef RTC_EXCHANGE_REPORT_U_DEFINED__ +#define RTC_EXCHANGE_REPORT_U_DEFINED__ +ExchangeReportResult SGX_UBRIDGE(SGX_NOCONVENTION, rtc_exchange_report_u, (sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id, sgx_dh_msg2_t* dh_msg2)); +#endif +#ifndef RTC_END_SESSION_U_DEFINED__ +#define RTC_END_SESSION_U_DEFINED__ +sgx_status_t SGX_UBRIDGE(SGX_NOCONVENTION, rtc_end_session_u, (sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id)); +#endif +#ifndef SGX_OC_CPUIDEX_DEFINED__ +#define SGX_OC_CPUIDEX_DEFINED__ +void SGX_UBRIDGE(SGX_CDECL, sgx_oc_cpuidex, (int cpuinfo[4], int leaf, int subleaf)); +#endif +#ifndef SGX_THREAD_WAIT_UNTRUSTED_EVENT_OCALL_DEFINED__ +#define SGX_THREAD_WAIT_UNTRUSTED_EVENT_OCALL_DEFINED__ +int SGX_UBRIDGE(SGX_CDECL, sgx_thread_wait_untrusted_event_ocall, (const void* self)); +#endif +#ifndef SGX_THREAD_SET_UNTRUSTED_EVENT_OCALL_DEFINED__ +#define SGX_THREAD_SET_UNTRUSTED_EVENT_OCALL_DEFINED__ +int SGX_UBRIDGE(SGX_CDECL, sgx_thread_set_untrusted_event_ocall, (const void* waiter)); +#endif +#ifndef SGX_THREAD_SETWAIT_UNTRUSTED_EVENTS_OCALL_DEFINED__ +#define SGX_THREAD_SETWAIT_UNTRUSTED_EVENTS_OCALL_DEFINED__ +int SGX_UBRIDGE(SGX_CDECL, sgx_thread_setwait_untrusted_events_ocall, (const void* waiter, const void* self)); +#endif +#ifndef SGX_THREAD_SET_MULTIPLE_UNTRUSTED_EVENTS_OCALL_DEFINED__ +#define SGX_THREAD_SET_MULTIPLE_UNTRUSTED_EVENTS_OCALL_DEFINED__ +int SGX_UBRIDGE(SGX_CDECL, sgx_thread_set_multiple_untrusted_events_ocall, (const void** waiters, size_t total)); +#endif sgx_status_t enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report); sgx_status_t t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len); sgx_status_t t_global_exit_ecall(sgx_enclave_id_t eid); +sgx_status_t rtc_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id); +sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, sgx_dh_msg2_t* dh_msg2); +sgx_status_t rtc_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t src_enclave_id); #ifdef __cplusplus } diff --git a/codegen/auth_enclave/bindings.h b/codegen/auth_enclave/bindings.h index ee2b5e93..37c06b97 100644 --- a/codegen/auth_enclave/bindings.h +++ b/codegen/auth_enclave/bindings.h @@ -12,6 +12,50 @@ */ #define DATA_UPLOAD_RESPONSE_LEN (16 + (24 + 16)) +/** + * FFI safe result type that can be converted to and from a rust result. + */ +typedef enum EcallResult_sgx_dh_msg1_t__sgx_status_t_Tag { + Ok_sgx_dh_msg1_t__sgx_status_t, + Err_sgx_dh_msg1_t__sgx_status_t, +} EcallResult_sgx_dh_msg1_t__sgx_status_t_Tag; + +typedef struct EcallResult_sgx_dh_msg1_t__sgx_status_t { + EcallResult_sgx_dh_msg1_t__sgx_status_t_Tag tag; + union { + struct { + sgx_dh_msg1_t ok; + }; + struct { + sgx_status_t err; + }; + }; +} EcallResult_sgx_dh_msg1_t__sgx_status_t; + +typedef struct EcallResult_sgx_dh_msg1_t__sgx_status_t SessionRequestResult; + +/** + * FFI safe result type that can be converted to and from a rust result. + */ +typedef enum EcallResult_sgx_dh_msg3_t__sgx_status_t_Tag { + Ok_sgx_dh_msg3_t__sgx_status_t, + Err_sgx_dh_msg3_t__sgx_status_t, +} EcallResult_sgx_dh_msg3_t__sgx_status_t_Tag; + +typedef struct EcallResult_sgx_dh_msg3_t__sgx_status_t { + EcallResult_sgx_dh_msg3_t__sgx_status_t_Tag tag; + union { + struct { + sgx_dh_msg3_t ok; + }; + struct { + sgx_status_t err; + }; + }; +} EcallResult_sgx_dh_msg3_t__sgx_status_t; + +typedef struct EcallResult_sgx_dh_msg3_t__sgx_status_t ExchangeReportResult; + typedef enum CreateReportResult_Tag { Success, Sgx, diff --git a/codegen/data_enclave/Enclave_t.c b/codegen/data_enclave/Enclave_t.c index 34ae19c8..bf28736f 100644 --- a/codegen/data_enclave/Enclave_t.c +++ b/codegen/data_enclave/Enclave_t.c @@ -47,6 +47,22 @@ typedef struct ms_t_global_init_ecall_t { size_t ms_len; } ms_t_global_init_ecall_t; +typedef struct ms_rtc_session_request_t { + SessionRequestResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; +} ms_rtc_session_request_t; + +typedef struct ms_rtc_exchange_report_t { + ExchangeReportResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_dh_msg2_t* ms_dh_msg2; +} ms_rtc_exchange_report_t; + +typedef struct ms_rtc_end_session_t { + sgx_status_t ms_retval; + sgx_enclave_id_t ms_src_enclave_id; +} ms_rtc_end_session_t; + typedef struct ms_rtc_save_sealed_blob_u_t { sgx_status_t ms_retval; const uint8_t* ms_blob_ptr; @@ -543,6 +559,25 @@ typedef struct ms_u_sgxprotectedfs_do_file_recovery_t { uint32_t ms_node_size; } ms_u_sgxprotectedfs_do_file_recovery_t; +typedef struct ms_rtc_session_request_u_t { + SessionRequestResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_enclave_id_t ms_dest_enclave_id; +} ms_rtc_session_request_u_t; + +typedef struct ms_rtc_exchange_report_u_t { + ExchangeReportResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_enclave_id_t ms_dest_enclave_id; + sgx_dh_msg2_t* ms_dh_msg2; +} ms_rtc_exchange_report_u_t; + +typedef struct ms_rtc_end_session_u_t { + sgx_status_t ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_enclave_id_t ms_dest_enclave_id; +} ms_rtc_end_session_u_t; + static sgx_status_t SGX_CDECL sgx_enclave_create_report(void* pms) { CHECK_REF_POINTER(pms, sizeof(ms_enclave_create_report_t)); @@ -729,96 +764,179 @@ static sgx_status_t SGX_CDECL sgx_t_global_exit_ecall(void* pms) return status; } +static sgx_status_t SGX_CDECL sgx_rtc_session_request(void* pms) +{ + CHECK_REF_POINTER(pms, sizeof(ms_rtc_session_request_t)); + // + // fence after pointer checks + // + sgx_lfence(); + ms_rtc_session_request_t* ms = SGX_CAST(ms_rtc_session_request_t*, pms); + sgx_status_t status = SGX_SUCCESS; + + + + ms->ms_retval = rtc_session_request(ms->ms_src_enclave_id); + + + return status; +} + +static sgx_status_t SGX_CDECL sgx_rtc_exchange_report(void* pms) +{ + CHECK_REF_POINTER(pms, sizeof(ms_rtc_exchange_report_t)); + // + // fence after pointer checks + // + sgx_lfence(); + ms_rtc_exchange_report_t* ms = SGX_CAST(ms_rtc_exchange_report_t*, pms); + sgx_status_t status = SGX_SUCCESS; + sgx_dh_msg2_t* _tmp_dh_msg2 = ms->ms_dh_msg2; + size_t _len_dh_msg2 = sizeof(sgx_dh_msg2_t); + sgx_dh_msg2_t* _in_dh_msg2 = NULL; + + CHECK_UNIQUE_POINTER(_tmp_dh_msg2, _len_dh_msg2); + + // + // fence after pointer checks + // + sgx_lfence(); + + if (_tmp_dh_msg2 != NULL && _len_dh_msg2 != 0) { + _in_dh_msg2 = (sgx_dh_msg2_t*)malloc(_len_dh_msg2); + if (_in_dh_msg2 == NULL) { + status = SGX_ERROR_OUT_OF_MEMORY; + goto err; + } + + if (memcpy_s(_in_dh_msg2, _len_dh_msg2, _tmp_dh_msg2, _len_dh_msg2)) { + status = SGX_ERROR_UNEXPECTED; + goto err; + } + + } + + ms->ms_retval = rtc_exchange_report(ms->ms_src_enclave_id, _in_dh_msg2); + +err: + if (_in_dh_msg2) free(_in_dh_msg2); + return status; +} + +static sgx_status_t SGX_CDECL sgx_rtc_end_session(void* pms) +{ + CHECK_REF_POINTER(pms, sizeof(ms_rtc_end_session_t)); + // + // fence after pointer checks + // + sgx_lfence(); + ms_rtc_end_session_t* ms = SGX_CAST(ms_rtc_end_session_t*, pms); + sgx_status_t status = SGX_SUCCESS; + + + + ms->ms_retval = rtc_end_session(ms->ms_src_enclave_id); + + + return status; +} + SGX_EXTERNC const struct { size_t nr_ecall; - struct {void* ecall_addr; uint8_t is_priv; uint8_t is_switchless;} ecall_table[4]; + struct {void* ecall_addr; uint8_t is_priv; uint8_t is_switchless;} ecall_table[7]; } g_ecall_table = { - 4, + 7, { {(void*)(uintptr_t)sgx_enclave_create_report, 0, 0}, {(void*)(uintptr_t)sgx_rtc_validate_and_save, 0, 0}, {(void*)(uintptr_t)sgx_t_global_init_ecall, 0, 0}, {(void*)(uintptr_t)sgx_t_global_exit_ecall, 0, 0}, + {(void*)(uintptr_t)sgx_rtc_session_request, 0, 0}, + {(void*)(uintptr_t)sgx_rtc_exchange_report, 0, 0}, + {(void*)(uintptr_t)sgx_rtc_end_session, 0, 0}, } }; SGX_EXTERNC const struct { size_t nr_ocall; - uint8_t entry_table[71][4]; + uint8_t entry_table[74][7]; } g_dyn_entry_table = { - 71, + 74, { - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, - {0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, }, } }; @@ -5444,3 +5562,108 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_do_file_recovery(int32_t* retval, const return status; } +sgx_status_t SGX_CDECL rtc_session_request_u(SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id) +{ + sgx_status_t status = SGX_SUCCESS; + + ms_rtc_session_request_u_t* ms = NULL; + size_t ocalloc_size = sizeof(ms_rtc_session_request_u_t); + void *__tmp = NULL; + + + __tmp = sgx_ocalloc(ocalloc_size); + if (__tmp == NULL) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + ms = (ms_rtc_session_request_u_t*)__tmp; + __tmp = (void *)((size_t)__tmp + sizeof(ms_rtc_session_request_u_t)); + ocalloc_size -= sizeof(ms_rtc_session_request_u_t); + + ms->ms_src_enclave_id = src_enclave_id; + ms->ms_dest_enclave_id = dest_enclave_id; + status = sgx_ocall(71, ms); + + if (status == SGX_SUCCESS) { + if (retval) *retval = ms->ms_retval; + } + sgx_ocfree(); + return status; +} + +sgx_status_t SGX_CDECL rtc_exchange_report_u(ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id, sgx_dh_msg2_t* dh_msg2) +{ + sgx_status_t status = SGX_SUCCESS; + size_t _len_dh_msg2 = sizeof(sgx_dh_msg2_t); + + ms_rtc_exchange_report_u_t* ms = NULL; + size_t ocalloc_size = sizeof(ms_rtc_exchange_report_u_t); + void *__tmp = NULL; + + + CHECK_ENCLAVE_POINTER(dh_msg2, _len_dh_msg2); + + if (ADD_ASSIGN_OVERFLOW(ocalloc_size, (dh_msg2 != NULL) ? _len_dh_msg2 : 0)) + return SGX_ERROR_INVALID_PARAMETER; + + __tmp = sgx_ocalloc(ocalloc_size); + if (__tmp == NULL) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + ms = (ms_rtc_exchange_report_u_t*)__tmp; + __tmp = (void *)((size_t)__tmp + sizeof(ms_rtc_exchange_report_u_t)); + ocalloc_size -= sizeof(ms_rtc_exchange_report_u_t); + + ms->ms_src_enclave_id = src_enclave_id; + ms->ms_dest_enclave_id = dest_enclave_id; + if (dh_msg2 != NULL) { + ms->ms_dh_msg2 = (sgx_dh_msg2_t*)__tmp; + if (memcpy_s(__tmp, ocalloc_size, dh_msg2, _len_dh_msg2)) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + __tmp = (void *)((size_t)__tmp + _len_dh_msg2); + ocalloc_size -= _len_dh_msg2; + } else { + ms->ms_dh_msg2 = NULL; + } + + status = sgx_ocall(72, ms); + + if (status == SGX_SUCCESS) { + if (retval) *retval = ms->ms_retval; + } + sgx_ocfree(); + return status; +} + +sgx_status_t SGX_CDECL rtc_end_session_u(sgx_status_t* retval, sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id) +{ + sgx_status_t status = SGX_SUCCESS; + + ms_rtc_end_session_u_t* ms = NULL; + size_t ocalloc_size = sizeof(ms_rtc_end_session_u_t); + void *__tmp = NULL; + + + __tmp = sgx_ocalloc(ocalloc_size); + if (__tmp == NULL) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + ms = (ms_rtc_end_session_u_t*)__tmp; + __tmp = (void *)((size_t)__tmp + sizeof(ms_rtc_end_session_u_t)); + ocalloc_size -= sizeof(ms_rtc_end_session_u_t); + + ms->ms_src_enclave_id = src_enclave_id; + ms->ms_dest_enclave_id = dest_enclave_id; + status = sgx_ocall(73, ms); + + if (status == SGX_SUCCESS) { + if (retval) *retval = ms->ms_retval; + } + sgx_ocfree(); + return status; +} + diff --git a/codegen/data_enclave/Enclave_t.h b/codegen/data_enclave/Enclave_t.h index 7edb9ff6..750bd2f7 100644 --- a/codegen/data_enclave/Enclave_t.h +++ b/codegen/data_enclave/Enclave_t.h @@ -8,12 +8,15 @@ #include "sgx_tprotected_fs.h" #include "sgx_report.h" +#include "sgx_dh.h" #include "bindings.h" #include "time.h" #include "inc/stat.h" #include "sys/uio.h" #include "inc/stat.h" #include "inc/dirent.h" +#include "sgx_eid.h" +#include "sgx_dh.h" #include /* for size_t */ @@ -27,6 +30,9 @@ CreateReportResult enclave_create_report(const sgx_target_info_t* p_qe3_target, DataUploadResult rtc_validate_and_save(const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); void t_global_init_ecall(uint64_t id, const uint8_t* path, size_t len); void t_global_exit_ecall(void); +SessionRequestResult rtc_session_request(sgx_enclave_id_t src_enclave_id); +ExchangeReportResult rtc_exchange_report(sgx_enclave_id_t src_enclave_id, sgx_dh_msg2_t* dh_msg2); +sgx_status_t rtc_end_session(sgx_enclave_id_t src_enclave_id); sgx_status_t SGX_CDECL rtc_save_sealed_blob_u(sgx_status_t* retval, const uint8_t* blob_ptr, size_t blob_len, uint8_t uuid[16]); sgx_status_t SGX_CDECL u_thread_set_event_ocall(int* retval, int* error, const void* tcs); @@ -99,6 +105,9 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_remove(int32_t* retval, const char* file sgx_status_t SGX_CDECL u_sgxprotectedfs_recovery_file_open(void** retval, const char* filename); sgx_status_t SGX_CDECL u_sgxprotectedfs_fwrite_recovery_node(uint8_t* retval, void* f, uint8_t* data, uint32_t data_length); sgx_status_t SGX_CDECL u_sgxprotectedfs_do_file_recovery(int32_t* retval, const char* filename, const char* recovery_filename, uint32_t node_size); +sgx_status_t SGX_CDECL rtc_session_request_u(SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id); +sgx_status_t SGX_CDECL rtc_exchange_report_u(ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id, sgx_dh_msg2_t* dh_msg2); +sgx_status_t SGX_CDECL rtc_end_session_u(sgx_status_t* retval, sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id); #ifdef __cplusplus } diff --git a/codegen/data_enclave/Enclave_u.c b/codegen/data_enclave/Enclave_u.c index 98a415eb..7d03c139 100644 --- a/codegen/data_enclave/Enclave_u.c +++ b/codegen/data_enclave/Enclave_u.c @@ -21,6 +21,22 @@ typedef struct ms_t_global_init_ecall_t { size_t ms_len; } ms_t_global_init_ecall_t; +typedef struct ms_rtc_session_request_t { + SessionRequestResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; +} ms_rtc_session_request_t; + +typedef struct ms_rtc_exchange_report_t { + ExchangeReportResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_dh_msg2_t* ms_dh_msg2; +} ms_rtc_exchange_report_t; + +typedef struct ms_rtc_end_session_t { + sgx_status_t ms_retval; + sgx_enclave_id_t ms_src_enclave_id; +} ms_rtc_end_session_t; + typedef struct ms_rtc_save_sealed_blob_u_t { sgx_status_t ms_retval; const uint8_t* ms_blob_ptr; @@ -517,6 +533,25 @@ typedef struct ms_u_sgxprotectedfs_do_file_recovery_t { uint32_t ms_node_size; } ms_u_sgxprotectedfs_do_file_recovery_t; +typedef struct ms_rtc_session_request_u_t { + SessionRequestResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_enclave_id_t ms_dest_enclave_id; +} ms_rtc_session_request_u_t; + +typedef struct ms_rtc_exchange_report_u_t { + ExchangeReportResult ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_enclave_id_t ms_dest_enclave_id; + sgx_dh_msg2_t* ms_dh_msg2; +} ms_rtc_exchange_report_u_t; + +typedef struct ms_rtc_end_session_u_t { + sgx_status_t ms_retval; + sgx_enclave_id_t ms_src_enclave_id; + sgx_enclave_id_t ms_dest_enclave_id; +} ms_rtc_end_session_u_t; + static sgx_status_t SGX_CDECL Enclave_rtc_save_sealed_blob_u(void* pms) { ms_rtc_save_sealed_blob_u_t* ms = SGX_CAST(ms_rtc_save_sealed_blob_u_t*, pms); @@ -1085,11 +1120,35 @@ static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_do_file_recovery(void* pm return SGX_SUCCESS; } +static sgx_status_t SGX_CDECL Enclave_rtc_session_request_u(void* pms) +{ + ms_rtc_session_request_u_t* ms = SGX_CAST(ms_rtc_session_request_u_t*, pms); + ms->ms_retval = rtc_session_request_u(ms->ms_src_enclave_id, ms->ms_dest_enclave_id); + + return SGX_SUCCESS; +} + +static sgx_status_t SGX_CDECL Enclave_rtc_exchange_report_u(void* pms) +{ + ms_rtc_exchange_report_u_t* ms = SGX_CAST(ms_rtc_exchange_report_u_t*, pms); + ms->ms_retval = rtc_exchange_report_u(ms->ms_src_enclave_id, ms->ms_dest_enclave_id, ms->ms_dh_msg2); + + return SGX_SUCCESS; +} + +static sgx_status_t SGX_CDECL Enclave_rtc_end_session_u(void* pms) +{ + ms_rtc_end_session_u_t* ms = SGX_CAST(ms_rtc_end_session_u_t*, pms); + ms->ms_retval = rtc_end_session_u(ms->ms_src_enclave_id, ms->ms_dest_enclave_id); + + return SGX_SUCCESS; +} + static const struct { size_t nr_ocall; - void * table[71]; + void * table[74]; } ocall_table_Enclave = { - 71, + 74, { (void*)Enclave_rtc_save_sealed_blob_u, (void*)Enclave_u_thread_set_event_ocall, @@ -1162,6 +1221,9 @@ static const struct { (void*)Enclave_u_sgxprotectedfs_recovery_file_open, (void*)Enclave_u_sgxprotectedfs_fwrite_recovery_node, (void*)Enclave_u_sgxprotectedfs_do_file_recovery, + (void*)Enclave_rtc_session_request_u, + (void*)Enclave_rtc_exchange_report_u, + (void*)Enclave_rtc_end_session_u, } }; sgx_status_t enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report) @@ -1206,3 +1268,34 @@ sgx_status_t t_global_exit_ecall(sgx_enclave_id_t eid) return status; } +sgx_status_t rtc_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id) +{ + sgx_status_t status; + ms_rtc_session_request_t ms; + ms.ms_src_enclave_id = src_enclave_id; + status = sgx_ecall(eid, 4, &ocall_table_Enclave, &ms); + if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; + return status; +} + +sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, sgx_dh_msg2_t* dh_msg2) +{ + sgx_status_t status; + ms_rtc_exchange_report_t ms; + ms.ms_src_enclave_id = src_enclave_id; + ms.ms_dh_msg2 = dh_msg2; + status = sgx_ecall(eid, 5, &ocall_table_Enclave, &ms); + if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; + return status; +} + +sgx_status_t rtc_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t src_enclave_id) +{ + sgx_status_t status; + ms_rtc_end_session_t ms; + ms.ms_src_enclave_id = src_enclave_id; + status = sgx_ecall(eid, 6, &ocall_table_Enclave, &ms); + if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; + return status; +} + diff --git a/codegen/data_enclave/Enclave_u.h b/codegen/data_enclave/Enclave_u.h index 690742f1..af2a3f50 100644 --- a/codegen/data_enclave/Enclave_u.h +++ b/codegen/data_enclave/Enclave_u.h @@ -9,12 +9,15 @@ #include "sgx_tprotected_fs.h" #include "sgx_report.h" +#include "sgx_dh.h" #include "bindings.h" #include "time.h" #include "inc/stat.h" #include "sys/uio.h" #include "inc/stat.h" #include "inc/dirent.h" +#include "sgx_eid.h" +#include "sgx_dh.h" #include /* for size_t */ @@ -308,11 +311,26 @@ uint8_t SGX_UBRIDGE(SGX_NOCONVENTION, u_sgxprotectedfs_fwrite_recovery_node, (vo #define U_SGXPROTECTEDFS_DO_FILE_RECOVERY_DEFINED__ int32_t SGX_UBRIDGE(SGX_NOCONVENTION, u_sgxprotectedfs_do_file_recovery, (const char* filename, const char* recovery_filename, uint32_t node_size)); #endif +#ifndef RTC_SESSION_REQUEST_U_DEFINED__ +#define RTC_SESSION_REQUEST_U_DEFINED__ +SessionRequestResult SGX_UBRIDGE(SGX_NOCONVENTION, rtc_session_request_u, (sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id)); +#endif +#ifndef RTC_EXCHANGE_REPORT_U_DEFINED__ +#define RTC_EXCHANGE_REPORT_U_DEFINED__ +ExchangeReportResult SGX_UBRIDGE(SGX_NOCONVENTION, rtc_exchange_report_u, (sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id, sgx_dh_msg2_t* dh_msg2)); +#endif +#ifndef RTC_END_SESSION_U_DEFINED__ +#define RTC_END_SESSION_U_DEFINED__ +sgx_status_t SGX_UBRIDGE(SGX_NOCONVENTION, rtc_end_session_u, (sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id)); +#endif sgx_status_t enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report); sgx_status_t rtc_validate_and_save(sgx_enclave_id_t eid, DataUploadResult* retval, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); sgx_status_t t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len); sgx_status_t t_global_exit_ecall(sgx_enclave_id_t eid); +sgx_status_t rtc_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id); +sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, sgx_dh_msg2_t* dh_msg2); +sgx_status_t rtc_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t src_enclave_id); #ifdef __cplusplus } diff --git a/codegen/data_enclave/bindings.h b/codegen/data_enclave/bindings.h index 8234ced6..0e25e5dc 100644 --- a/codegen/data_enclave/bindings.h +++ b/codegen/data_enclave/bindings.h @@ -76,6 +76,50 @@ typedef struct UploadMetadata { uint8_t nonce[24]; } UploadMetadata; +/** + * FFI safe result type that can be converted to and from a rust result. + */ +typedef enum EcallResult_sgx_dh_msg1_t__sgx_status_t_Tag { + Ok_sgx_dh_msg1_t__sgx_status_t, + Err_sgx_dh_msg1_t__sgx_status_t, +} EcallResult_sgx_dh_msg1_t__sgx_status_t_Tag; + +typedef struct EcallResult_sgx_dh_msg1_t__sgx_status_t { + EcallResult_sgx_dh_msg1_t__sgx_status_t_Tag tag; + union { + struct { + sgx_dh_msg1_t ok; + }; + struct { + sgx_status_t err; + }; + }; +} EcallResult_sgx_dh_msg1_t__sgx_status_t; + +typedef struct EcallResult_sgx_dh_msg1_t__sgx_status_t SessionRequestResult; + +/** + * FFI safe result type that can be converted to and from a rust result. + */ +typedef enum EcallResult_sgx_dh_msg3_t__sgx_status_t_Tag { + Ok_sgx_dh_msg3_t__sgx_status_t, + Err_sgx_dh_msg3_t__sgx_status_t, +} EcallResult_sgx_dh_msg3_t__sgx_status_t_Tag; + +typedef struct EcallResult_sgx_dh_msg3_t__sgx_status_t { + EcallResult_sgx_dh_msg3_t__sgx_status_t_Tag tag; + union { + struct { + sgx_dh_msg3_t ok; + }; + struct { + sgx_status_t err; + }; + }; +} EcallResult_sgx_dh_msg3_t__sgx_status_t; + +typedef struct EcallResult_sgx_dh_msg3_t__sgx_status_t ExchangeReportResult; + typedef enum CreateReportResult_Tag { Success, Sgx, diff --git a/edl/rtc_tenclave.edl b/edl/rtc_tenclave.edl new file mode 100644 index 00000000..a37e2000 --- /dev/null +++ b/edl/rtc_tenclave.edl @@ -0,0 +1,21 @@ +enclave { + from "sgx_tstd.edl" import *; + from "sgx_stdio.edl" import *; + from "sgx_backtrace.edl" import *; + from "sgx_tstdc.edl" import *; + + include "sgx_eid.h" + include "sgx_dh.h" + + trusted{ + public SessionRequestResult rtc_session_request(sgx_enclave_id_t src_enclave_id); + public ExchangeReportResult rtc_exchange_report(sgx_enclave_id_t src_enclave_id, [in]sgx_dh_msg2_t *dh_msg2); + public sgx_status_t rtc_end_session(sgx_enclave_id_t src_enclave_id); + }; + + untrusted{ + SessionRequestResult rtc_session_request_u(sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id); + ExchangeReportResult rtc_exchange_report_u(sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id, [in]sgx_dh_msg2_t *dh_msg2); + sgx_status_t rtc_end_session_u(sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id); + }; +}; \ No newline at end of file diff --git a/rtc_auth_enclave/Enclave.edl b/rtc_auth_enclave/Enclave.edl index a8caf4c3..e9b93860 100644 --- a/rtc_auth_enclave/Enclave.edl +++ b/rtc_auth_enclave/Enclave.edl @@ -1,8 +1,10 @@ enclave { from "sgx_tstd.edl" import *; from "sgx_backtrace.edl" import *; + from "rtc_tenclave.edl" import *; include "sgx_report.h" + include "sgx_dh.h" include "bindings.h" trusted { diff --git a/rtc_auth_enclave/Makefile b/rtc_auth_enclave/Makefile index 794eb9f0..8b5fcb10 100644 --- a/rtc_auth_enclave/Makefile +++ b/rtc_auth_enclave/Makefile @@ -98,7 +98,7 @@ $(Out_StaticLib) $(Out_Bindings): $(Crate_Files) cargo build --release $(Out_CodegenFiles): $(SGX_EDGER8R) ./Enclave.edl $(Out_Bindings) | $(CODEGEN_PATH) - $(SGX_EDGER8R) ./Enclave.edl --search-path $(SGX_SDK)/include --search-path $(RUST_EDL_PATH) --trusted-dir $(CODEGEN_PATH) --untrusted-dir $(CODEGEN_PATH) + $(SGX_EDGER8R) ./Enclave.edl --search-path $(SGX_SDK)/include --search-path $(RUST_EDL_PATH) --search-path $(RTC_EDL_PATH) --trusted-dir $(CODEGEN_PATH) --untrusted-dir $(CODEGEN_PATH) @echo "GEN => $(Enclave_EDL_Files)" $(Out_EdgeObject): $(Out_CodegenFiles) | $(CODEGEN_PATH) $(CUSTOM_LIBRARY_PATH) diff --git a/rtc_data_enclave/Enclave.edl b/rtc_data_enclave/Enclave.edl index acde7d5a..3c47e758 100644 --- a/rtc_data_enclave/Enclave.edl +++ b/rtc_data_enclave/Enclave.edl @@ -6,9 +6,11 @@ enclave { from "sgx_tprotected_fs.edl" import *; from "sgx_fs.edl" import *; from "sgx_file.edl" import *; + from "rtc_tenclave.edl" import *; include "sgx_tprotected_fs.h" include "sgx_report.h" + include "sgx_dh.h" include "bindings.h" trusted { diff --git a/rtc_data_enclave/Makefile b/rtc_data_enclave/Makefile index 408764cc..1d0c5588 100644 --- a/rtc_data_enclave/Makefile +++ b/rtc_data_enclave/Makefile @@ -98,7 +98,7 @@ $(Out_StaticLib) $(Out_Bindings): $(Crate_Files) cargo build --release $(Out_CodegenFiles): $(SGX_EDGER8R) ./Enclave.edl $(Out_Bindings) | $(CODEGEN_PATH) - $(SGX_EDGER8R) ./Enclave.edl --search-path $(SGX_SDK)/include --search-path $(RUST_EDL_PATH) --trusted-dir $(CODEGEN_PATH) --untrusted-dir $(CODEGEN_PATH) + $(SGX_EDGER8R) ./Enclave.edl --search-path $(SGX_SDK)/include --search-path $(RUST_EDL_PATH) --search-path $(RTC_EDL_PATH) --trusted-dir $(CODEGEN_PATH) --untrusted-dir $(CODEGEN_PATH) @echo "GEN => $(Enclave_EDL_Files)" $(Out_EdgeObject): $(Out_CodegenFiles) | $(CODEGEN_PATH) $(CUSTOM_LIBRARY_PATH) diff --git a/rtc_tenclave/src/dh/mod.rs b/rtc_tenclave/src/dh/mod.rs index 771136be..dff82570 100644 --- a/rtc_tenclave/src/dh/mod.rs +++ b/rtc_tenclave/src/dh/mod.rs @@ -255,6 +255,13 @@ pub extern "C" fn rtc_session_request(src_enclave_id: sgx_enclave_id_t) -> Sessi dh_sessions().initiate_response(&src_enclave_id).into() } +#[no_mangle] +pub extern "C" fn rtc_end_session(src_enclave_id: sgx_enclave_id_t) -> sgx_status_t { + // TODO: Ensure sessions close on both ends? + dh_sessions().close_session(&src_enclave_id); + sgx_status_t::SGX_SUCCESS +} + #[no_mangle] pub unsafe extern "C" fn rtc_exchange_report( src_enclave_id: sgx_enclave_id_t, From 7854508ad58359bd11e5dccd3f8f6186a121320a Mon Sep 17 00:00:00 2001 From: Herman Date: Mon, 17 May 2021 10:51:36 +0200 Subject: [PATCH 09/31] feat(dh): update codegen to const pointer for msg2 --- codegen/auth_enclave/Enclave_t.c | 6 +++--- codegen/auth_enclave/Enclave_t.h | 2 +- codegen/auth_enclave/Enclave_u.c | 4 ++-- codegen/auth_enclave/Enclave_u.h | 2 +- codegen/data_enclave/Enclave_t.c | 6 +++--- codegen/data_enclave/Enclave_t.h | 2 +- codegen/data_enclave/Enclave_u.c | 4 ++-- codegen/data_enclave/Enclave_u.h | 2 +- edl/rtc_tenclave.edl | 2 +- 9 files changed, 15 insertions(+), 15 deletions(-) diff --git a/codegen/auth_enclave/Enclave_t.c b/codegen/auth_enclave/Enclave_t.c index 4c058fe5..b5272a5a 100644 --- a/codegen/auth_enclave/Enclave_t.c +++ b/codegen/auth_enclave/Enclave_t.c @@ -48,7 +48,7 @@ typedef struct ms_rtc_session_request_t { typedef struct ms_rtc_exchange_report_t { ExchangeReportResult ms_retval; sgx_enclave_id_t ms_src_enclave_id; - sgx_dh_msg2_t* ms_dh_msg2; + const sgx_dh_msg2_t* ms_dh_msg2; } ms_rtc_exchange_report_t; typedef struct ms_rtc_end_session_t { @@ -662,7 +662,7 @@ static sgx_status_t SGX_CDECL sgx_rtc_exchange_report(void* pms) sgx_lfence(); ms_rtc_exchange_report_t* ms = SGX_CAST(ms_rtc_exchange_report_t*, pms); sgx_status_t status = SGX_SUCCESS; - sgx_dh_msg2_t* _tmp_dh_msg2 = ms->ms_dh_msg2; + const sgx_dh_msg2_t* _tmp_dh_msg2 = ms->ms_dh_msg2; size_t _len_dh_msg2 = sizeof(sgx_dh_msg2_t); sgx_dh_msg2_t* _in_dh_msg2 = NULL; @@ -687,7 +687,7 @@ static sgx_status_t SGX_CDECL sgx_rtc_exchange_report(void* pms) } - ms->ms_retval = rtc_exchange_report(ms->ms_src_enclave_id, _in_dh_msg2); + ms->ms_retval = rtc_exchange_report(ms->ms_src_enclave_id, (const sgx_dh_msg2_t*)_in_dh_msg2); err: if (_in_dh_msg2) free(_in_dh_msg2); diff --git a/codegen/auth_enclave/Enclave_t.h b/codegen/auth_enclave/Enclave_t.h index e4ab773c..fd9604bb 100644 --- a/codegen/auth_enclave/Enclave_t.h +++ b/codegen/auth_enclave/Enclave_t.h @@ -29,7 +29,7 @@ CreateReportResult enclave_create_report(const sgx_target_info_t* p_qe3_target, void t_global_init_ecall(uint64_t id, const uint8_t* path, size_t len); void t_global_exit_ecall(void); SessionRequestResult rtc_session_request(sgx_enclave_id_t src_enclave_id); -ExchangeReportResult rtc_exchange_report(sgx_enclave_id_t src_enclave_id, sgx_dh_msg2_t* dh_msg2); +ExchangeReportResult rtc_exchange_report(sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2); sgx_status_t rtc_end_session(sgx_enclave_id_t src_enclave_id); sgx_status_t SGX_CDECL u_thread_set_event_ocall(int* retval, int* error, const void* tcs); diff --git a/codegen/auth_enclave/Enclave_u.c b/codegen/auth_enclave/Enclave_u.c index 52ce7b43..742afef2 100644 --- a/codegen/auth_enclave/Enclave_u.c +++ b/codegen/auth_enclave/Enclave_u.c @@ -22,7 +22,7 @@ typedef struct ms_rtc_session_request_t { typedef struct ms_rtc_exchange_report_t { ExchangeReportResult ms_retval; sgx_enclave_id_t ms_src_enclave_id; - sgx_dh_msg2_t* ms_dh_msg2; + const sgx_dh_msg2_t* ms_dh_msg2; } ms_rtc_exchange_report_t; typedef struct ms_rtc_end_session_t { @@ -1090,7 +1090,7 @@ sgx_status_t rtc_session_request(sgx_enclave_id_t eid, SessionRequestResult* ret return status; } -sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, sgx_dh_msg2_t* dh_msg2) +sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2) { sgx_status_t status; ms_rtc_exchange_report_t ms; diff --git a/codegen/auth_enclave/Enclave_u.h b/codegen/auth_enclave/Enclave_u.h index 4047065a..2eea7e7c 100644 --- a/codegen/auth_enclave/Enclave_u.h +++ b/codegen/auth_enclave/Enclave_u.h @@ -283,7 +283,7 @@ sgx_status_t enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* ret sgx_status_t t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len); sgx_status_t t_global_exit_ecall(sgx_enclave_id_t eid); sgx_status_t rtc_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id); -sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, sgx_dh_msg2_t* dh_msg2); +sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2); sgx_status_t rtc_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t src_enclave_id); #ifdef __cplusplus diff --git a/codegen/data_enclave/Enclave_t.c b/codegen/data_enclave/Enclave_t.c index bf28736f..e4cc3028 100644 --- a/codegen/data_enclave/Enclave_t.c +++ b/codegen/data_enclave/Enclave_t.c @@ -55,7 +55,7 @@ typedef struct ms_rtc_session_request_t { typedef struct ms_rtc_exchange_report_t { ExchangeReportResult ms_retval; sgx_enclave_id_t ms_src_enclave_id; - sgx_dh_msg2_t* ms_dh_msg2; + const sgx_dh_msg2_t* ms_dh_msg2; } ms_rtc_exchange_report_t; typedef struct ms_rtc_end_session_t { @@ -791,7 +791,7 @@ static sgx_status_t SGX_CDECL sgx_rtc_exchange_report(void* pms) sgx_lfence(); ms_rtc_exchange_report_t* ms = SGX_CAST(ms_rtc_exchange_report_t*, pms); sgx_status_t status = SGX_SUCCESS; - sgx_dh_msg2_t* _tmp_dh_msg2 = ms->ms_dh_msg2; + const sgx_dh_msg2_t* _tmp_dh_msg2 = ms->ms_dh_msg2; size_t _len_dh_msg2 = sizeof(sgx_dh_msg2_t); sgx_dh_msg2_t* _in_dh_msg2 = NULL; @@ -816,7 +816,7 @@ static sgx_status_t SGX_CDECL sgx_rtc_exchange_report(void* pms) } - ms->ms_retval = rtc_exchange_report(ms->ms_src_enclave_id, _in_dh_msg2); + ms->ms_retval = rtc_exchange_report(ms->ms_src_enclave_id, (const sgx_dh_msg2_t*)_in_dh_msg2); err: if (_in_dh_msg2) free(_in_dh_msg2); diff --git a/codegen/data_enclave/Enclave_t.h b/codegen/data_enclave/Enclave_t.h index 750bd2f7..0f85e494 100644 --- a/codegen/data_enclave/Enclave_t.h +++ b/codegen/data_enclave/Enclave_t.h @@ -31,7 +31,7 @@ DataUploadResult rtc_validate_and_save(const uint8_t* payload_ptr, size_t payloa void t_global_init_ecall(uint64_t id, const uint8_t* path, size_t len); void t_global_exit_ecall(void); SessionRequestResult rtc_session_request(sgx_enclave_id_t src_enclave_id); -ExchangeReportResult rtc_exchange_report(sgx_enclave_id_t src_enclave_id, sgx_dh_msg2_t* dh_msg2); +ExchangeReportResult rtc_exchange_report(sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2); sgx_status_t rtc_end_session(sgx_enclave_id_t src_enclave_id); sgx_status_t SGX_CDECL rtc_save_sealed_blob_u(sgx_status_t* retval, const uint8_t* blob_ptr, size_t blob_len, uint8_t uuid[16]); diff --git a/codegen/data_enclave/Enclave_u.c b/codegen/data_enclave/Enclave_u.c index 7d03c139..ca6ace9b 100644 --- a/codegen/data_enclave/Enclave_u.c +++ b/codegen/data_enclave/Enclave_u.c @@ -29,7 +29,7 @@ typedef struct ms_rtc_session_request_t { typedef struct ms_rtc_exchange_report_t { ExchangeReportResult ms_retval; sgx_enclave_id_t ms_src_enclave_id; - sgx_dh_msg2_t* ms_dh_msg2; + const sgx_dh_msg2_t* ms_dh_msg2; } ms_rtc_exchange_report_t; typedef struct ms_rtc_end_session_t { @@ -1278,7 +1278,7 @@ sgx_status_t rtc_session_request(sgx_enclave_id_t eid, SessionRequestResult* ret return status; } -sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, sgx_dh_msg2_t* dh_msg2) +sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2) { sgx_status_t status; ms_rtc_exchange_report_t ms; diff --git a/codegen/data_enclave/Enclave_u.h b/codegen/data_enclave/Enclave_u.h index af2a3f50..26189ce9 100644 --- a/codegen/data_enclave/Enclave_u.h +++ b/codegen/data_enclave/Enclave_u.h @@ -329,7 +329,7 @@ sgx_status_t rtc_validate_and_save(sgx_enclave_id_t eid, DataUploadResult* retva sgx_status_t t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len); sgx_status_t t_global_exit_ecall(sgx_enclave_id_t eid); sgx_status_t rtc_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id); -sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, sgx_dh_msg2_t* dh_msg2); +sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2); sgx_status_t rtc_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t src_enclave_id); #ifdef __cplusplus diff --git a/edl/rtc_tenclave.edl b/edl/rtc_tenclave.edl index a37e2000..f2e2ac73 100644 --- a/edl/rtc_tenclave.edl +++ b/edl/rtc_tenclave.edl @@ -9,7 +9,7 @@ enclave { trusted{ public SessionRequestResult rtc_session_request(sgx_enclave_id_t src_enclave_id); - public ExchangeReportResult rtc_exchange_report(sgx_enclave_id_t src_enclave_id, [in]sgx_dh_msg2_t *dh_msg2); + public ExchangeReportResult rtc_exchange_report(sgx_enclave_id_t src_enclave_id, [in]const sgx_dh_msg2_t *dh_msg2); public sgx_status_t rtc_end_session(sgx_enclave_id_t src_enclave_id); }; From 75be1facdfe3df45e4091b567657d28844215e60 Mon Sep 17 00:00:00 2001 From: Herman Date: Mon, 17 May 2021 10:55:54 +0200 Subject: [PATCH 10/31] feat(dh): add sys bindings and lib for app side dh attestation --- Cargo.lock | 12 ++++ Cargo.toml | 1 + rtc_udh/Cargo.toml | 13 ++++ rtc_udh/src/lib.rs | 105 +++++++++++++++++++++++++++++++ rtc_udh/src/responder.rs | 89 ++++++++++++++++++++++++++ rtc_uenclave/auth-sys/Cargo.toml | 1 + rtc_uenclave/auth-sys/build.rs | 3 + rtc_uenclave/auth-sys/src/lib.rs | 32 ++++++++++ rtc_uenclave/data-sys/Cargo.toml | 1 + rtc_uenclave/data-sys/build.rs | 3 + rtc_uenclave/data-sys/src/lib.rs | 32 ++++++++++ 11 files changed, 292 insertions(+) create mode 100644 rtc_udh/Cargo.toml create mode 100644 rtc_udh/src/lib.rs create mode 100644 rtc_udh/src/responder.rs diff --git a/Cargo.lock b/Cargo.lock index 6b353e33..595fd87f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -319,6 +319,7 @@ dependencies = [ "cc", "rtc-ecalls", "rtc_types", + "rtc_udh", "sgx_types", "sgx_urts", ] @@ -629,6 +630,7 @@ dependencies = [ "data-ocalls", "rtc-ecalls", "rtc_types", + "rtc_udh", "sgx_types", "sgx_urts", ] @@ -1676,6 +1678,16 @@ dependencies = [ "thiserror 1.0.9", ] +[[package]] +name = "rtc_udh" +version = "0.1.0" +dependencies = [ + "mockall", + "once_cell", + "rtc_types", + "sgx_types", +] + [[package]] name = "rtc_uenclave" version = "0.1.0" diff --git a/Cargo.toml b/Cargo.toml index 29c08f46..6df0048d 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -8,6 +8,7 @@ members = [ "rtc_uenclave/data-sys", "rtc_uenclave/auth-sys", "rtc_uenclave/rtc-ecalls", + "rtc_udh", ] # TODO: Look at creating a seperate workspace for enclave code to share lockfile? exclude = [ diff --git a/rtc_udh/Cargo.toml b/rtc_udh/Cargo.toml new file mode 100644 index 00000000..91d270ec --- /dev/null +++ b/rtc_udh/Cargo.toml @@ -0,0 +1,13 @@ +[package] +name = "rtc_udh" +version = "0.1.0" +authors = ["Herman "] +edition = "2018" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[dependencies] +sgx_types = { git = "https://github.com/apache/incubator-teaclave-sgx-sdk.git", rev = "b9d1bda", features = ["extra_traits"] } +rtc_types = { path = "../rtc_types" } +mockall = { version = "0.9.1", features = ["nightly"] } +once_cell = "1.7.2" diff --git a/rtc_udh/src/lib.rs b/rtc_udh/src/lib.rs new file mode 100644 index 00000000..a479160c --- /dev/null +++ b/rtc_udh/src/lib.rs @@ -0,0 +1,105 @@ +mod responder; + +use std::{ + collections::HashMap, + marker::PhantomData, + sync::{Arc, Mutex, RwLock}, +}; + +use once_cell::sync::OnceCell; +use responder::Responder; +pub use responder::ResponderSys; +use rtc_types::{ + dh::{ExchangeReportResult, SessionRequestResult}, + EcallResult, +}; +use sgx_types::*; + +type SyncSendResponder = Arc>; + +type DhResponders = HashMap; + +fn dh_responders() -> &'static RwLock { + static DH_RESPONDERS: OnceCell> = OnceCell::new(); + DH_RESPONDERS.get_or_init(|| RwLock::new(HashMap::new())) +} + +pub fn set_responder( + enclave_id: u64, + responder: Box<(dyn ResponderSys + 'static)>, +) -> Result<(), sgx_status_t> { + match dh_responders().write() { + Ok(mut resp_map) => { + resp_map.insert( + enclave_id, + Arc::new(Mutex::new(Responder::new(enclave_id, responder))), + ); + Ok(()) + } + Err(_) => Err(sgx_status_t::SGX_ERROR_UNEXPECTED), + } +} + +fn get_responder(id: &u64) -> Result { + dh_responders() + .read() + .or(Err(sgx_status_t::SGX_ERROR_UNEXPECTED))? + .get(id) + .ok_or(sgx_status_t::SGX_ERROR_INVALID_ENCLAVE_ID) + .map(Clone::clone) +} + +#[no_mangle] +pub extern "C" fn rtc_session_request_u( + src_enclave_id: sgx_enclave_id_t, + dest_enclave_id: sgx_enclave_id_t, +) -> SessionRequestResult { + // TODO: Refactor our duplicated code here, this is tricky because of variable + // scoping when working with locks + match get_responder(&dest_enclave_id) { + Ok(res) => res + .lock() + .or(Err(sgx_status_t::SGX_ERROR_UNEXPECTED)) + .and_then(|resp| resp.session_request(src_enclave_id).into()) + .into(), + Err(err) => EcallResult::Err(err), + } +} + +#[no_mangle] +extern "C" fn rtc_exchange_report_u( + src_enclave_id: sgx_enclave_id_t, + dest_enclave_id: sgx_enclave_id_t, + dh_msg2: *const sgx_dh_msg2_t, +) -> ExchangeReportResult { + match get_responder(&dest_enclave_id) { + Ok(res) => res + .lock() + .or(Err(sgx_status_t::SGX_ERROR_UNEXPECTED)) + .and_then(|resp| resp.exchange_report(src_enclave_id, dh_msg2).into()) + .into(), + Err(err) => EcallResult::Err(err), + } +} + +#[no_mangle] +extern "C" fn rtc_end_session_u( + src_enclave_id: sgx_enclave_id_t, + dest_enclave_id: sgx_enclave_id_t, +) -> sgx_status_t { + match get_responder(&dest_enclave_id) { + Ok(res) => res + .lock() + .map_or(sgx_status_t::SGX_ERROR_UNEXPECTED, |resp| { + resp.end_session(src_enclave_id) + }), + Err(err) => err, + } +} +#[cfg(test)] +mod tests { + #[test] + fn it_works() { + assert_eq!(2 + 2, 4); + } +} diff --git a/rtc_udh/src/responder.rs b/rtc_udh/src/responder.rs new file mode 100644 index 00000000..0629d337 --- /dev/null +++ b/rtc_udh/src/responder.rs @@ -0,0 +1,89 @@ +use rtc_types::{ + dh::{ExchangeReportResult, SessionRequestResult}, + EcallResult, +}; +use sgx_types::*; + +pub trait ResponderSys: Send { + unsafe fn rtc_session_request( + &self, + eid: sgx_enclave_id_t, + retval: *mut SessionRequestResult, + src_enclave_id: sgx_enclave_id_t, + ) -> sgx_status_t; + + unsafe fn rtc_exchange_report( + &self, + eid: sgx_enclave_id_t, + retval: *mut ExchangeReportResult, + src_enclave_id: sgx_enclave_id_t, + dh_msg2_ptr: *const sgx_dh_msg2_t, + ) -> sgx_status_t; + + unsafe fn rtc_end_session( + &self, + eid: sgx_enclave_id_t, + retval: *mut sgx_status_t, + src_enclave_id: sgx_enclave_id_t, + ) -> sgx_status_t; +} + +pub(crate) struct Responder { + eid: sgx_enclave_id_t, + sys: Box, +} + +// TODO: Unsafe comments +impl Responder { + pub fn new(eid: sgx_enclave_id_t, sys: Box) -> Self { + Self { eid, sys } + } + + pub fn session_request(&self, src_enclave_id: sgx_enclave_id_t) -> SessionRequestResult { + let mut retval = SessionRequestResult::default(); + let ecall_res = unsafe { + self.sys + .rtc_session_request(self.eid, &mut retval, src_enclave_id) + }; + if ecall_res == sgx_status_t::SGX_SUCCESS { + retval + } else { + println!("Session request ecall failed for enclave: {}", self.eid); + EcallResult::Err(ecall_res) + } + } + + pub fn exchange_report( + &self, + src_enclave_id: sgx_enclave_id_t, + dh_msg2_ptr: *const sgx_dh_msg2_t, + ) -> ExchangeReportResult { + let mut retval = ExchangeReportResult::default(); + let ecall_res = unsafe { + self.sys + .rtc_exchange_report(self.eid, &mut retval, src_enclave_id, dh_msg2_ptr) + }; + + if ecall_res == sgx_status_t::SGX_SUCCESS { + retval + } else { + println!("Exchange report ecall failed for enclave: {}", self.eid); + EcallResult::Err(ecall_res) + } + } + + pub fn end_session(&self, src_enclave_id: sgx_enclave_id_t) -> sgx_status_t { + let mut retval = sgx_status_t::SGX_SUCCESS; + let ecall_res = unsafe { + self.sys + .rtc_end_session(self.eid, &mut retval, src_enclave_id) + }; + + if ecall_res == sgx_status_t::SGX_SUCCESS { + retval + } else { + println!("End session ecall failed for enclave: {}", self.eid); + ecall_res + } + } +} diff --git a/rtc_uenclave/auth-sys/Cargo.toml b/rtc_uenclave/auth-sys/Cargo.toml index 2a8a4dc5..9b5b25eb 100644 --- a/rtc_uenclave/auth-sys/Cargo.toml +++ b/rtc_uenclave/auth-sys/Cargo.toml @@ -13,6 +13,7 @@ sgx_urts = { git = "https://github.com/apache/incubator-teaclave-sgx-sdk.git", r rtc_types = { path = "../../rtc_types" } rtc-ecalls = { path = "../rtc-ecalls" } +rtc_udh = { path = "../../rtc_udh" } [build-dependencies] cc = "1.0.67" diff --git a/rtc_uenclave/auth-sys/build.rs b/rtc_uenclave/auth-sys/build.rs index bd5f3735..3ff57d2c 100644 --- a/rtc_uenclave/auth-sys/build.rs +++ b/rtc_uenclave/auth-sys/build.rs @@ -54,6 +54,9 @@ fn main() { .array_pointers_in_arguments(true) // TODO: see if there is a way to include functions using globbing .allowlist_function("enclave_create_report") + .allowlist_function("rtc_session_request") + .allowlist_function("rtc_exchange_report") + .allowlist_function("rtc_end_session") .clang_args(&inc_args) .generate() .expect("Unable to generate bindings") diff --git a/rtc_uenclave/auth-sys/src/lib.rs b/rtc_uenclave/auth-sys/src/lib.rs index aa0e073a..123c42e2 100644 --- a/rtc_uenclave/auth-sys/src/lib.rs +++ b/rtc_uenclave/auth-sys/src/lib.rs @@ -2,7 +2,9 @@ use sgx_urts; use rtc_ecalls::RtcEnclaveEcalls; +use rtc_types::dh::*; use rtc_types::*; +use rtc_udh; use sgx_types::*; pub mod ffi { @@ -25,3 +27,33 @@ impl RtcEnclaveEcalls for AuthSys { ffi::enclave_create_report(eid, retval, p_qe3_target, enclave_data, p_report) } } + +impl rtc_udh::ResponderSys for AuthSys { + unsafe fn rtc_session_request( + &self, + eid: sgx_enclave_id_t, + retval: *mut SessionRequestResult, + src_enclave_id: sgx_enclave_id_t, + ) -> sgx_status_t { + ffi::rtc_session_request(eid, retval, src_enclave_id) + } + + unsafe fn rtc_exchange_report( + &self, + eid: sgx_enclave_id_t, + retval: *mut ExchangeReportResult, + src_enclave_id: sgx_enclave_id_t, + dh_msg2_ptr: *const sgx_dh_msg2_t, + ) -> sgx_status_t { + ffi::rtc_exchange_report(eid, retval, src_enclave_id, dh_msg2_ptr) + } + + unsafe fn rtc_end_session( + &self, + eid: sgx_enclave_id_t, + retval: *mut sgx_status_t, + src_enclave_id: sgx_enclave_id_t, + ) -> sgx_status_t { + ffi::rtc_end_session(eid, retval, src_enclave_id) + } +} diff --git a/rtc_uenclave/data-sys/Cargo.toml b/rtc_uenclave/data-sys/Cargo.toml index 88211271..d591da73 100644 --- a/rtc_uenclave/data-sys/Cargo.toml +++ b/rtc_uenclave/data-sys/Cargo.toml @@ -15,6 +15,7 @@ sgx_urts = { git = "https://github.com/apache/incubator-teaclave-sgx-sdk.git", r rtc_types = { path = "../../rtc_types" } data-ocalls = { path = "../data-ocalls" } rtc-ecalls = { path = "../rtc-ecalls" } +rtc_udh = { path = "../../rtc_udh" } [build-dependencies] cc = "1.0.67" diff --git a/rtc_uenclave/data-sys/build.rs b/rtc_uenclave/data-sys/build.rs index b90edecc..1cdf9dfc 100644 --- a/rtc_uenclave/data-sys/build.rs +++ b/rtc_uenclave/data-sys/build.rs @@ -55,6 +55,9 @@ fn main() { // TODO: see if there is a way to include functions using globbing .allowlist_function("enclave_create_report") .allowlist_function("rtc_validate_and_save") + .allowlist_function("rtc_session_request") + .allowlist_function("rtc_exchange_report") + .allowlist_function("rtc_end_session") .clang_args(&inc_args) .generate() .expect("Unable to generate bindings") diff --git a/rtc_uenclave/data-sys/src/lib.rs b/rtc_uenclave/data-sys/src/lib.rs index 12c4e1f1..b89598f8 100644 --- a/rtc_uenclave/data-sys/src/lib.rs +++ b/rtc_uenclave/data-sys/src/lib.rs @@ -8,7 +8,9 @@ use data_ocalls; use sgx_urts; use rtc_ecalls::RtcEnclaveEcalls; +use rtc_types::dh::*; use rtc_types::*; +use rtc_udh; use sgx_types::*; pub mod ffi { @@ -31,3 +33,33 @@ impl RtcEnclaveEcalls for DataSys { ffi::enclave_create_report(eid, retval, p_qe3_target, enclave_data, p_report) } } + +impl rtc_udh::ResponderSys for DataSys { + unsafe fn rtc_session_request( + &self, + eid: sgx_enclave_id_t, + retval: *mut SessionRequestResult, + src_enclave_id: sgx_enclave_id_t, + ) -> sgx_status_t { + ffi::rtc_session_request(eid, retval, src_enclave_id) + } + + unsafe fn rtc_exchange_report( + &self, + eid: sgx_enclave_id_t, + retval: *mut ExchangeReportResult, + src_enclave_id: sgx_enclave_id_t, + dh_msg2_ptr: *const sgx_dh_msg2_t, + ) -> sgx_status_t { + ffi::rtc_exchange_report(eid, retval, src_enclave_id, dh_msg2_ptr) + } + + unsafe fn rtc_end_session( + &self, + eid: sgx_enclave_id_t, + retval: *mut sgx_status_t, + src_enclave_id: sgx_enclave_id_t, + ) -> sgx_status_t { + ffi::rtc_end_session(eid, retval, src_enclave_id) + } +} From 322793f072b0589b5cea35af6e77bea10522ca0f Mon Sep 17 00:00:00 2001 From: Herman Date: Mon, 17 May 2021 17:53:05 +0200 Subject: [PATCH 11/31] refactor(dh): prefix enclave functions from edl --- .../{Enclave_t.c => rtc_auth_t.c} | 44 +-- .../{Enclave_t.h => rtc_auth_t.h} | 10 +- .../{Enclave_u.c => rtc_auth_u.c} | 298 +++++++------- .../{Enclave_u.h => rtc_auth_u.h} | 16 +- .../{Enclave_t.c => rtc_data_t.c} | 236 ++++++----- .../{Enclave_t.h => rtc_data_t.h} | 13 +- .../{Enclave_u.c => rtc_data_u.c} | 367 +++++++++--------- .../{Enclave_u.h => rtc_data_u.h} | 19 +- edl/rtc_tenclave.edl | 6 +- rtc_auth_enclave/Makefile | 10 +- .../{Enclave.edl => rtc_auth.edl} | 0 rtc_data_enclave/Makefile | 10 +- .../{Enclave.edl => rtc_data.edl} | 3 +- rtc_data_enclave/src/lib.rs | 13 +- rtc_tenclave/Cargo.toml | 2 +- rtc_tenclave/src/dh/mod.rs | 6 +- rtc_uenclave/auth-sys/Cargo.toml | 4 + rtc_uenclave/auth-sys/build.rs | 11 +- rtc_uenclave/auth-sys/src/lib.rs | 10 +- rtc_uenclave/auth-sys/wrapper.h | 2 +- rtc_uenclave/data-sys/Cargo.toml | 5 +- rtc_uenclave/data-sys/build.rs | 12 +- rtc_uenclave/data-sys/src/lib.rs | 8 +- rtc_uenclave/data-sys/wrapper.h | 2 +- rtc_uenclave/src/enclaves/rtc_data.rs | 8 +- 25 files changed, 587 insertions(+), 528 deletions(-) rename codegen/auth_enclave/{Enclave_t.c => rtc_auth_t.c} (99%) rename codegen/auth_enclave/{Enclave_t.h => rtc_auth_t.h} (96%) rename codegen/auth_enclave/{Enclave_u.c => rtc_auth_u.c} (73%) rename codegen/auth_enclave/{Enclave_u.h => rtc_auth_u.h} (93%) rename codegen/data_enclave/{Enclave_t.c => rtc_data_t.c} (97%) rename codegen/data_enclave/{Enclave_t.h => rtc_data_t.h} (94%) rename codegen/data_enclave/{Enclave_u.c => rtc_data_u.c} (72%) rename codegen/data_enclave/{Enclave_u.h => rtc_data_u.h} (93%) rename rtc_auth_enclave/{Enclave.edl => rtc_auth.edl} (100%) rename rtc_data_enclave/{Enclave.edl => rtc_data.edl} (79%) diff --git a/codegen/auth_enclave/Enclave_t.c b/codegen/auth_enclave/rtc_auth_t.c similarity index 99% rename from codegen/auth_enclave/Enclave_t.c rename to codegen/auth_enclave/rtc_auth_t.c index b5272a5a..81ff0a4b 100644 --- a/codegen/auth_enclave/Enclave_t.c +++ b/codegen/auth_enclave/rtc_auth_t.c @@ -1,4 +1,4 @@ -#include "Enclave_t.h" +#include "rtc_auth_t.h" #include "sgx_trts.h" /* for sgx_ocalloc, sgx_is_outside_enclave */ #include "sgx_lfence.h" /* for sgx_lfence */ @@ -40,21 +40,21 @@ typedef struct ms_t_global_init_ecall_t { size_t ms_len; } ms_t_global_init_ecall_t; -typedef struct ms_rtc_session_request_t { +typedef struct ms_session_request_t { SessionRequestResult ms_retval; sgx_enclave_id_t ms_src_enclave_id; -} ms_rtc_session_request_t; +} ms_session_request_t; -typedef struct ms_rtc_exchange_report_t { +typedef struct ms_exchange_report_t { ExchangeReportResult ms_retval; sgx_enclave_id_t ms_src_enclave_id; const sgx_dh_msg2_t* ms_dh_msg2; -} ms_rtc_exchange_report_t; +} ms_exchange_report_t; -typedef struct ms_rtc_end_session_t { +typedef struct ms_end_session_t { sgx_status_t ms_retval; sgx_enclave_id_t ms_src_enclave_id; -} ms_rtc_end_session_t; +} ms_end_session_t; typedef struct ms_u_thread_set_event_ocall_t { int ms_retval; @@ -635,32 +635,32 @@ static sgx_status_t SGX_CDECL sgx_t_global_exit_ecall(void* pms) return status; } -static sgx_status_t SGX_CDECL sgx_rtc_session_request(void* pms) +static sgx_status_t SGX_CDECL sgx_session_request(void* pms) { - CHECK_REF_POINTER(pms, sizeof(ms_rtc_session_request_t)); + CHECK_REF_POINTER(pms, sizeof(ms_session_request_t)); // // fence after pointer checks // sgx_lfence(); - ms_rtc_session_request_t* ms = SGX_CAST(ms_rtc_session_request_t*, pms); + ms_session_request_t* ms = SGX_CAST(ms_session_request_t*, pms); sgx_status_t status = SGX_SUCCESS; - ms->ms_retval = rtc_session_request(ms->ms_src_enclave_id); + ms->ms_retval = session_request(ms->ms_src_enclave_id); return status; } -static sgx_status_t SGX_CDECL sgx_rtc_exchange_report(void* pms) +static sgx_status_t SGX_CDECL sgx_exchange_report(void* pms) { - CHECK_REF_POINTER(pms, sizeof(ms_rtc_exchange_report_t)); + CHECK_REF_POINTER(pms, sizeof(ms_exchange_report_t)); // // fence after pointer checks // sgx_lfence(); - ms_rtc_exchange_report_t* ms = SGX_CAST(ms_rtc_exchange_report_t*, pms); + ms_exchange_report_t* ms = SGX_CAST(ms_exchange_report_t*, pms); sgx_status_t status = SGX_SUCCESS; const sgx_dh_msg2_t* _tmp_dh_msg2 = ms->ms_dh_msg2; size_t _len_dh_msg2 = sizeof(sgx_dh_msg2_t); @@ -687,26 +687,26 @@ static sgx_status_t SGX_CDECL sgx_rtc_exchange_report(void* pms) } - ms->ms_retval = rtc_exchange_report(ms->ms_src_enclave_id, (const sgx_dh_msg2_t*)_in_dh_msg2); + ms->ms_retval = exchange_report(ms->ms_src_enclave_id, (const sgx_dh_msg2_t*)_in_dh_msg2); err: if (_in_dh_msg2) free(_in_dh_msg2); return status; } -static sgx_status_t SGX_CDECL sgx_rtc_end_session(void* pms) +static sgx_status_t SGX_CDECL sgx_end_session(void* pms) { - CHECK_REF_POINTER(pms, sizeof(ms_rtc_end_session_t)); + CHECK_REF_POINTER(pms, sizeof(ms_end_session_t)); // // fence after pointer checks // sgx_lfence(); - ms_rtc_end_session_t* ms = SGX_CAST(ms_rtc_end_session_t*, pms); + ms_end_session_t* ms = SGX_CAST(ms_end_session_t*, pms); sgx_status_t status = SGX_SUCCESS; - ms->ms_retval = rtc_end_session(ms->ms_src_enclave_id); + ms->ms_retval = end_session(ms->ms_src_enclave_id); return status; @@ -721,9 +721,9 @@ SGX_EXTERNC const struct { {(void*)(uintptr_t)sgx_enclave_create_report, 0, 0}, {(void*)(uintptr_t)sgx_t_global_init_ecall, 0, 0}, {(void*)(uintptr_t)sgx_t_global_exit_ecall, 0, 0}, - {(void*)(uintptr_t)sgx_rtc_session_request, 0, 0}, - {(void*)(uintptr_t)sgx_rtc_exchange_report, 0, 0}, - {(void*)(uintptr_t)sgx_rtc_end_session, 0, 0}, + {(void*)(uintptr_t)sgx_session_request, 0, 0}, + {(void*)(uintptr_t)sgx_exchange_report, 0, 0}, + {(void*)(uintptr_t)sgx_end_session, 0, 0}, } }; diff --git a/codegen/auth_enclave/Enclave_t.h b/codegen/auth_enclave/rtc_auth_t.h similarity index 96% rename from codegen/auth_enclave/Enclave_t.h rename to codegen/auth_enclave/rtc_auth_t.h index fd9604bb..d69a044b 100644 --- a/codegen/auth_enclave/Enclave_t.h +++ b/codegen/auth_enclave/rtc_auth_t.h @@ -1,5 +1,5 @@ -#ifndef ENCLAVE_T_H__ -#define ENCLAVE_T_H__ +#ifndef RTC_AUTH_T_H__ +#define RTC_AUTH_T_H__ #include #include @@ -28,9 +28,9 @@ extern "C" { CreateReportResult enclave_create_report(const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report); void t_global_init_ecall(uint64_t id, const uint8_t* path, size_t len); void t_global_exit_ecall(void); -SessionRequestResult rtc_session_request(sgx_enclave_id_t src_enclave_id); -ExchangeReportResult rtc_exchange_report(sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2); -sgx_status_t rtc_end_session(sgx_enclave_id_t src_enclave_id); +SessionRequestResult session_request(sgx_enclave_id_t src_enclave_id); +ExchangeReportResult exchange_report(sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2); +sgx_status_t end_session(sgx_enclave_id_t src_enclave_id); sgx_status_t SGX_CDECL u_thread_set_event_ocall(int* retval, int* error, const void* tcs); sgx_status_t SGX_CDECL u_thread_wait_event_ocall(int* retval, int* error, const void* tcs, const struct timespec* timeout); diff --git a/codegen/auth_enclave/Enclave_u.c b/codegen/auth_enclave/rtc_auth_u.c similarity index 73% rename from codegen/auth_enclave/Enclave_u.c rename to codegen/auth_enclave/rtc_auth_u.c index 742afef2..35caa9bf 100644 --- a/codegen/auth_enclave/Enclave_u.c +++ b/codegen/auth_enclave/rtc_auth_u.c @@ -1,4 +1,4 @@ -#include "Enclave_u.h" +#include "rtc_auth_u.h" #include typedef struct ms_enclave_create_report_t { @@ -14,21 +14,21 @@ typedef struct ms_t_global_init_ecall_t { size_t ms_len; } ms_t_global_init_ecall_t; -typedef struct ms_rtc_session_request_t { +typedef struct ms_session_request_t { SessionRequestResult ms_retval; sgx_enclave_id_t ms_src_enclave_id; -} ms_rtc_session_request_t; +} ms_session_request_t; -typedef struct ms_rtc_exchange_report_t { +typedef struct ms_exchange_report_t { ExchangeReportResult ms_retval; sgx_enclave_id_t ms_src_enclave_id; const sgx_dh_msg2_t* ms_dh_msg2; -} ms_rtc_exchange_report_t; +} ms_exchange_report_t; -typedef struct ms_rtc_end_session_t { +typedef struct ms_end_session_t { sgx_status_t ms_retval; sgx_enclave_id_t ms_src_enclave_id; -} ms_rtc_end_session_t; +} ms_end_session_t; typedef struct ms_u_thread_set_event_ocall_t { int ms_retval; @@ -475,7 +475,7 @@ typedef struct ms_sgx_thread_set_multiple_untrusted_events_ocall_t { size_t ms_total; } ms_sgx_thread_set_multiple_untrusted_events_ocall_t; -static sgx_status_t SGX_CDECL Enclave_u_thread_set_event_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_thread_set_event_ocall(void* pms) { ms_u_thread_set_event_ocall_t* ms = SGX_CAST(ms_u_thread_set_event_ocall_t*, pms); ms->ms_retval = u_thread_set_event_ocall(ms->ms_error, ms->ms_tcs); @@ -483,7 +483,7 @@ static sgx_status_t SGX_CDECL Enclave_u_thread_set_event_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_thread_wait_event_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_thread_wait_event_ocall(void* pms) { ms_u_thread_wait_event_ocall_t* ms = SGX_CAST(ms_u_thread_wait_event_ocall_t*, pms); ms->ms_retval = u_thread_wait_event_ocall(ms->ms_error, ms->ms_tcs, ms->ms_timeout); @@ -491,7 +491,7 @@ static sgx_status_t SGX_CDECL Enclave_u_thread_wait_event_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_thread_set_multiple_events_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_thread_set_multiple_events_ocall(void* pms) { ms_u_thread_set_multiple_events_ocall_t* ms = SGX_CAST(ms_u_thread_set_multiple_events_ocall_t*, pms); ms->ms_retval = u_thread_set_multiple_events_ocall(ms->ms_error, ms->ms_tcss, ms->ms_total); @@ -499,7 +499,7 @@ static sgx_status_t SGX_CDECL Enclave_u_thread_set_multiple_events_ocall(void* p return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_thread_setwait_events_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_thread_setwait_events_ocall(void* pms) { ms_u_thread_setwait_events_ocall_t* ms = SGX_CAST(ms_u_thread_setwait_events_ocall_t*, pms); ms->ms_retval = u_thread_setwait_events_ocall(ms->ms_error, ms->ms_waiter_tcs, ms->ms_self_tcs, ms->ms_timeout); @@ -507,7 +507,7 @@ static sgx_status_t SGX_CDECL Enclave_u_thread_setwait_events_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_clock_gettime_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_clock_gettime_ocall(void* pms) { ms_u_clock_gettime_ocall_t* ms = SGX_CAST(ms_u_clock_gettime_ocall_t*, pms); ms->ms_retval = u_clock_gettime_ocall(ms->ms_error, ms->ms_clk_id, ms->ms_tp); @@ -515,7 +515,7 @@ static sgx_status_t SGX_CDECL Enclave_u_clock_gettime_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_read_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_read_ocall(void* pms) { ms_u_read_ocall_t* ms = SGX_CAST(ms_u_read_ocall_t*, pms); ms->ms_retval = u_read_ocall(ms->ms_error, ms->ms_fd, ms->ms_buf, ms->ms_count); @@ -523,7 +523,7 @@ static sgx_status_t SGX_CDECL Enclave_u_read_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_pread64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_pread64_ocall(void* pms) { ms_u_pread64_ocall_t* ms = SGX_CAST(ms_u_pread64_ocall_t*, pms); ms->ms_retval = u_pread64_ocall(ms->ms_error, ms->ms_fd, ms->ms_buf, ms->ms_count, ms->ms_offset); @@ -531,7 +531,7 @@ static sgx_status_t SGX_CDECL Enclave_u_pread64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_readv_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_readv_ocall(void* pms) { ms_u_readv_ocall_t* ms = SGX_CAST(ms_u_readv_ocall_t*, pms); ms->ms_retval = u_readv_ocall(ms->ms_error, ms->ms_fd, ms->ms_iov, ms->ms_iovcnt); @@ -539,7 +539,7 @@ static sgx_status_t SGX_CDECL Enclave_u_readv_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_preadv64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_preadv64_ocall(void* pms) { ms_u_preadv64_ocall_t* ms = SGX_CAST(ms_u_preadv64_ocall_t*, pms); ms->ms_retval = u_preadv64_ocall(ms->ms_error, ms->ms_fd, ms->ms_iov, ms->ms_iovcnt, ms->ms_offset); @@ -547,7 +547,7 @@ static sgx_status_t SGX_CDECL Enclave_u_preadv64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_write_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_write_ocall(void* pms) { ms_u_write_ocall_t* ms = SGX_CAST(ms_u_write_ocall_t*, pms); ms->ms_retval = u_write_ocall(ms->ms_error, ms->ms_fd, ms->ms_buf, ms->ms_count); @@ -555,7 +555,7 @@ static sgx_status_t SGX_CDECL Enclave_u_write_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_pwrite64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_pwrite64_ocall(void* pms) { ms_u_pwrite64_ocall_t* ms = SGX_CAST(ms_u_pwrite64_ocall_t*, pms); ms->ms_retval = u_pwrite64_ocall(ms->ms_error, ms->ms_fd, ms->ms_buf, ms->ms_count, ms->ms_offset); @@ -563,7 +563,7 @@ static sgx_status_t SGX_CDECL Enclave_u_pwrite64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_writev_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_writev_ocall(void* pms) { ms_u_writev_ocall_t* ms = SGX_CAST(ms_u_writev_ocall_t*, pms); ms->ms_retval = u_writev_ocall(ms->ms_error, ms->ms_fd, ms->ms_iov, ms->ms_iovcnt); @@ -571,7 +571,7 @@ static sgx_status_t SGX_CDECL Enclave_u_writev_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_pwritev64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_pwritev64_ocall(void* pms) { ms_u_pwritev64_ocall_t* ms = SGX_CAST(ms_u_pwritev64_ocall_t*, pms); ms->ms_retval = u_pwritev64_ocall(ms->ms_error, ms->ms_fd, ms->ms_iov, ms->ms_iovcnt, ms->ms_offset); @@ -579,7 +579,7 @@ static sgx_status_t SGX_CDECL Enclave_u_pwritev64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fcntl_arg0_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_fcntl_arg0_ocall(void* pms) { ms_u_fcntl_arg0_ocall_t* ms = SGX_CAST(ms_u_fcntl_arg0_ocall_t*, pms); ms->ms_retval = u_fcntl_arg0_ocall(ms->ms_error, ms->ms_fd, ms->ms_cmd); @@ -587,7 +587,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fcntl_arg0_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fcntl_arg1_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_fcntl_arg1_ocall(void* pms) { ms_u_fcntl_arg1_ocall_t* ms = SGX_CAST(ms_u_fcntl_arg1_ocall_t*, pms); ms->ms_retval = u_fcntl_arg1_ocall(ms->ms_error, ms->ms_fd, ms->ms_cmd, ms->ms_arg); @@ -595,7 +595,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fcntl_arg1_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_ioctl_arg0_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_ioctl_arg0_ocall(void* pms) { ms_u_ioctl_arg0_ocall_t* ms = SGX_CAST(ms_u_ioctl_arg0_ocall_t*, pms); ms->ms_retval = u_ioctl_arg0_ocall(ms->ms_error, ms->ms_fd, ms->ms_request); @@ -603,7 +603,7 @@ static sgx_status_t SGX_CDECL Enclave_u_ioctl_arg0_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_ioctl_arg1_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_ioctl_arg1_ocall(void* pms) { ms_u_ioctl_arg1_ocall_t* ms = SGX_CAST(ms_u_ioctl_arg1_ocall_t*, pms); ms->ms_retval = u_ioctl_arg1_ocall(ms->ms_error, ms->ms_fd, ms->ms_request, ms->ms_arg); @@ -611,7 +611,7 @@ static sgx_status_t SGX_CDECL Enclave_u_ioctl_arg1_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_close_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_close_ocall(void* pms) { ms_u_close_ocall_t* ms = SGX_CAST(ms_u_close_ocall_t*, pms); ms->ms_retval = u_close_ocall(ms->ms_error, ms->ms_fd); @@ -619,7 +619,7 @@ static sgx_status_t SGX_CDECL Enclave_u_close_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_malloc_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_malloc_ocall(void* pms) { ms_u_malloc_ocall_t* ms = SGX_CAST(ms_u_malloc_ocall_t*, pms); ms->ms_retval = u_malloc_ocall(ms->ms_error, ms->ms_size); @@ -627,7 +627,7 @@ static sgx_status_t SGX_CDECL Enclave_u_malloc_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_free_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_free_ocall(void* pms) { ms_u_free_ocall_t* ms = SGX_CAST(ms_u_free_ocall_t*, pms); u_free_ocall(ms->ms_p); @@ -635,7 +635,7 @@ static sgx_status_t SGX_CDECL Enclave_u_free_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_mmap_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_mmap_ocall(void* pms) { ms_u_mmap_ocall_t* ms = SGX_CAST(ms_u_mmap_ocall_t*, pms); ms->ms_retval = u_mmap_ocall(ms->ms_error, ms->ms_start, ms->ms_length, ms->ms_prot, ms->ms_flags, ms->ms_fd, ms->ms_offset); @@ -643,7 +643,7 @@ static sgx_status_t SGX_CDECL Enclave_u_mmap_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_munmap_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_munmap_ocall(void* pms) { ms_u_munmap_ocall_t* ms = SGX_CAST(ms_u_munmap_ocall_t*, pms); ms->ms_retval = u_munmap_ocall(ms->ms_error, ms->ms_start, ms->ms_length); @@ -651,7 +651,7 @@ static sgx_status_t SGX_CDECL Enclave_u_munmap_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_msync_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_msync_ocall(void* pms) { ms_u_msync_ocall_t* ms = SGX_CAST(ms_u_msync_ocall_t*, pms); ms->ms_retval = u_msync_ocall(ms->ms_error, ms->ms_addr, ms->ms_length, ms->ms_flags); @@ -659,7 +659,7 @@ static sgx_status_t SGX_CDECL Enclave_u_msync_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_mprotect_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_mprotect_ocall(void* pms) { ms_u_mprotect_ocall_t* ms = SGX_CAST(ms_u_mprotect_ocall_t*, pms); ms->ms_retval = u_mprotect_ocall(ms->ms_error, ms->ms_addr, ms->ms_length, ms->ms_prot); @@ -667,7 +667,7 @@ static sgx_status_t SGX_CDECL Enclave_u_mprotect_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_open_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_open_ocall(void* pms) { ms_u_open_ocall_t* ms = SGX_CAST(ms_u_open_ocall_t*, pms); ms->ms_retval = u_open_ocall(ms->ms_error, ms->ms_pathname, ms->ms_flags); @@ -675,7 +675,7 @@ static sgx_status_t SGX_CDECL Enclave_u_open_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_open64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_open64_ocall(void* pms) { ms_u_open64_ocall_t* ms = SGX_CAST(ms_u_open64_ocall_t*, pms); ms->ms_retval = u_open64_ocall(ms->ms_error, ms->ms_path, ms->ms_oflag, ms->ms_mode); @@ -683,7 +683,7 @@ static sgx_status_t SGX_CDECL Enclave_u_open64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fstat_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_fstat_ocall(void* pms) { ms_u_fstat_ocall_t* ms = SGX_CAST(ms_u_fstat_ocall_t*, pms); ms->ms_retval = u_fstat_ocall(ms->ms_error, ms->ms_fd, ms->ms_buf); @@ -691,7 +691,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fstat_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fstat64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_fstat64_ocall(void* pms) { ms_u_fstat64_ocall_t* ms = SGX_CAST(ms_u_fstat64_ocall_t*, pms); ms->ms_retval = u_fstat64_ocall(ms->ms_error, ms->ms_fd, ms->ms_buf); @@ -699,7 +699,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fstat64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_stat_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_stat_ocall(void* pms) { ms_u_stat_ocall_t* ms = SGX_CAST(ms_u_stat_ocall_t*, pms); ms->ms_retval = u_stat_ocall(ms->ms_error, ms->ms_path, ms->ms_buf); @@ -707,7 +707,7 @@ static sgx_status_t SGX_CDECL Enclave_u_stat_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_stat64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_stat64_ocall(void* pms) { ms_u_stat64_ocall_t* ms = SGX_CAST(ms_u_stat64_ocall_t*, pms); ms->ms_retval = u_stat64_ocall(ms->ms_error, ms->ms_path, ms->ms_buf); @@ -715,7 +715,7 @@ static sgx_status_t SGX_CDECL Enclave_u_stat64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_lstat_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_lstat_ocall(void* pms) { ms_u_lstat_ocall_t* ms = SGX_CAST(ms_u_lstat_ocall_t*, pms); ms->ms_retval = u_lstat_ocall(ms->ms_error, ms->ms_path, ms->ms_buf); @@ -723,7 +723,7 @@ static sgx_status_t SGX_CDECL Enclave_u_lstat_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_lstat64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_lstat64_ocall(void* pms) { ms_u_lstat64_ocall_t* ms = SGX_CAST(ms_u_lstat64_ocall_t*, pms); ms->ms_retval = u_lstat64_ocall(ms->ms_error, ms->ms_path, ms->ms_buf); @@ -731,7 +731,7 @@ static sgx_status_t SGX_CDECL Enclave_u_lstat64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_lseek_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_lseek_ocall(void* pms) { ms_u_lseek_ocall_t* ms = SGX_CAST(ms_u_lseek_ocall_t*, pms); ms->ms_retval = u_lseek_ocall(ms->ms_error, ms->ms_fd, ms->ms_offset, ms->ms_whence); @@ -739,7 +739,7 @@ static sgx_status_t SGX_CDECL Enclave_u_lseek_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_lseek64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_lseek64_ocall(void* pms) { ms_u_lseek64_ocall_t* ms = SGX_CAST(ms_u_lseek64_ocall_t*, pms); ms->ms_retval = u_lseek64_ocall(ms->ms_error, ms->ms_fd, ms->ms_offset, ms->ms_whence); @@ -747,7 +747,7 @@ static sgx_status_t SGX_CDECL Enclave_u_lseek64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_ftruncate_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_ftruncate_ocall(void* pms) { ms_u_ftruncate_ocall_t* ms = SGX_CAST(ms_u_ftruncate_ocall_t*, pms); ms->ms_retval = u_ftruncate_ocall(ms->ms_error, ms->ms_fd, ms->ms_length); @@ -755,7 +755,7 @@ static sgx_status_t SGX_CDECL Enclave_u_ftruncate_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_ftruncate64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_ftruncate64_ocall(void* pms) { ms_u_ftruncate64_ocall_t* ms = SGX_CAST(ms_u_ftruncate64_ocall_t*, pms); ms->ms_retval = u_ftruncate64_ocall(ms->ms_error, ms->ms_fd, ms->ms_length); @@ -763,7 +763,7 @@ static sgx_status_t SGX_CDECL Enclave_u_ftruncate64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_truncate_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_truncate_ocall(void* pms) { ms_u_truncate_ocall_t* ms = SGX_CAST(ms_u_truncate_ocall_t*, pms); ms->ms_retval = u_truncate_ocall(ms->ms_error, ms->ms_path, ms->ms_length); @@ -771,7 +771,7 @@ static sgx_status_t SGX_CDECL Enclave_u_truncate_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_truncate64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_truncate64_ocall(void* pms) { ms_u_truncate64_ocall_t* ms = SGX_CAST(ms_u_truncate64_ocall_t*, pms); ms->ms_retval = u_truncate64_ocall(ms->ms_error, ms->ms_path, ms->ms_length); @@ -779,7 +779,7 @@ static sgx_status_t SGX_CDECL Enclave_u_truncate64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fsync_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_fsync_ocall(void* pms) { ms_u_fsync_ocall_t* ms = SGX_CAST(ms_u_fsync_ocall_t*, pms); ms->ms_retval = u_fsync_ocall(ms->ms_error, ms->ms_fd); @@ -787,7 +787,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fsync_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fdatasync_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_fdatasync_ocall(void* pms) { ms_u_fdatasync_ocall_t* ms = SGX_CAST(ms_u_fdatasync_ocall_t*, pms); ms->ms_retval = u_fdatasync_ocall(ms->ms_error, ms->ms_fd); @@ -795,7 +795,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fdatasync_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fchmod_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_fchmod_ocall(void* pms) { ms_u_fchmod_ocall_t* ms = SGX_CAST(ms_u_fchmod_ocall_t*, pms); ms->ms_retval = u_fchmod_ocall(ms->ms_error, ms->ms_fd, ms->ms_mode); @@ -803,7 +803,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fchmod_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_unlink_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_unlink_ocall(void* pms) { ms_u_unlink_ocall_t* ms = SGX_CAST(ms_u_unlink_ocall_t*, pms); ms->ms_retval = u_unlink_ocall(ms->ms_error, ms->ms_pathname); @@ -811,7 +811,7 @@ static sgx_status_t SGX_CDECL Enclave_u_unlink_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_link_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_link_ocall(void* pms) { ms_u_link_ocall_t* ms = SGX_CAST(ms_u_link_ocall_t*, pms); ms->ms_retval = u_link_ocall(ms->ms_error, ms->ms_oldpath, ms->ms_newpath); @@ -819,7 +819,7 @@ static sgx_status_t SGX_CDECL Enclave_u_link_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_rename_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_rename_ocall(void* pms) { ms_u_rename_ocall_t* ms = SGX_CAST(ms_u_rename_ocall_t*, pms); ms->ms_retval = u_rename_ocall(ms->ms_error, ms->ms_oldpath, ms->ms_newpath); @@ -827,7 +827,7 @@ static sgx_status_t SGX_CDECL Enclave_u_rename_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_chmod_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_chmod_ocall(void* pms) { ms_u_chmod_ocall_t* ms = SGX_CAST(ms_u_chmod_ocall_t*, pms); ms->ms_retval = u_chmod_ocall(ms->ms_error, ms->ms_path, ms->ms_mode); @@ -835,7 +835,7 @@ static sgx_status_t SGX_CDECL Enclave_u_chmod_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_readlink_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_readlink_ocall(void* pms) { ms_u_readlink_ocall_t* ms = SGX_CAST(ms_u_readlink_ocall_t*, pms); ms->ms_retval = u_readlink_ocall(ms->ms_error, ms->ms_path, ms->ms_buf, ms->ms_bufsz); @@ -843,7 +843,7 @@ static sgx_status_t SGX_CDECL Enclave_u_readlink_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_symlink_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_symlink_ocall(void* pms) { ms_u_symlink_ocall_t* ms = SGX_CAST(ms_u_symlink_ocall_t*, pms); ms->ms_retval = u_symlink_ocall(ms->ms_error, ms->ms_path1, ms->ms_path2); @@ -851,7 +851,7 @@ static sgx_status_t SGX_CDECL Enclave_u_symlink_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_realpath_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_realpath_ocall(void* pms) { ms_u_realpath_ocall_t* ms = SGX_CAST(ms_u_realpath_ocall_t*, pms); ms->ms_retval = u_realpath_ocall(ms->ms_error, ms->ms_pathname); @@ -859,7 +859,7 @@ static sgx_status_t SGX_CDECL Enclave_u_realpath_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_mkdir_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_mkdir_ocall(void* pms) { ms_u_mkdir_ocall_t* ms = SGX_CAST(ms_u_mkdir_ocall_t*, pms); ms->ms_retval = u_mkdir_ocall(ms->ms_error, ms->ms_pathname, ms->ms_mode); @@ -867,7 +867,7 @@ static sgx_status_t SGX_CDECL Enclave_u_mkdir_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_rmdir_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_rmdir_ocall(void* pms) { ms_u_rmdir_ocall_t* ms = SGX_CAST(ms_u_rmdir_ocall_t*, pms); ms->ms_retval = u_rmdir_ocall(ms->ms_error, ms->ms_pathname); @@ -875,7 +875,7 @@ static sgx_status_t SGX_CDECL Enclave_u_rmdir_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_opendir_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_opendir_ocall(void* pms) { ms_u_opendir_ocall_t* ms = SGX_CAST(ms_u_opendir_ocall_t*, pms); ms->ms_retval = u_opendir_ocall(ms->ms_error, ms->ms_pathname); @@ -883,7 +883,7 @@ static sgx_status_t SGX_CDECL Enclave_u_opendir_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_readdir64_r_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_readdir64_r_ocall(void* pms) { ms_u_readdir64_r_ocall_t* ms = SGX_CAST(ms_u_readdir64_r_ocall_t*, pms); ms->ms_retval = u_readdir64_r_ocall(ms->ms_dirp, ms->ms_entry, ms->ms_result); @@ -891,7 +891,7 @@ static sgx_status_t SGX_CDECL Enclave_u_readdir64_r_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_closedir_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_closedir_ocall(void* pms) { ms_u_closedir_ocall_t* ms = SGX_CAST(ms_u_closedir_ocall_t*, pms); ms->ms_retval = u_closedir_ocall(ms->ms_error, ms->ms_dirp); @@ -899,7 +899,7 @@ static sgx_status_t SGX_CDECL Enclave_u_closedir_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_dirfd_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_dirfd_ocall(void* pms) { ms_u_dirfd_ocall_t* ms = SGX_CAST(ms_u_dirfd_ocall_t*, pms); ms->ms_retval = u_dirfd_ocall(ms->ms_error, ms->ms_dirp); @@ -907,7 +907,7 @@ static sgx_status_t SGX_CDECL Enclave_u_dirfd_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fstatat64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_u_fstatat64_ocall(void* pms) { ms_u_fstatat64_ocall_t* ms = SGX_CAST(ms_u_fstatat64_ocall_t*, pms); ms->ms_retval = u_fstatat64_ocall(ms->ms_error, ms->ms_dirfd, ms->ms_pathname, ms->ms_buf, ms->ms_flags); @@ -915,7 +915,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fstatat64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_rtc_session_request_u(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_rtc_session_request_u(void* pms) { ms_rtc_session_request_u_t* ms = SGX_CAST(ms_rtc_session_request_u_t*, pms); ms->ms_retval = rtc_session_request_u(ms->ms_src_enclave_id, ms->ms_dest_enclave_id); @@ -923,7 +923,7 @@ static sgx_status_t SGX_CDECL Enclave_rtc_session_request_u(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_rtc_exchange_report_u(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_rtc_exchange_report_u(void* pms) { ms_rtc_exchange_report_u_t* ms = SGX_CAST(ms_rtc_exchange_report_u_t*, pms); ms->ms_retval = rtc_exchange_report_u(ms->ms_src_enclave_id, ms->ms_dest_enclave_id, ms->ms_dh_msg2); @@ -931,7 +931,7 @@ static sgx_status_t SGX_CDECL Enclave_rtc_exchange_report_u(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_rtc_end_session_u(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_rtc_end_session_u(void* pms) { ms_rtc_end_session_u_t* ms = SGX_CAST(ms_rtc_end_session_u_t*, pms); ms->ms_retval = rtc_end_session_u(ms->ms_src_enclave_id, ms->ms_dest_enclave_id); @@ -939,7 +939,7 @@ static sgx_status_t SGX_CDECL Enclave_rtc_end_session_u(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_sgx_oc_cpuidex(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_sgx_oc_cpuidex(void* pms) { ms_sgx_oc_cpuidex_t* ms = SGX_CAST(ms_sgx_oc_cpuidex_t*, pms); sgx_oc_cpuidex(ms->ms_cpuinfo, ms->ms_leaf, ms->ms_subleaf); @@ -947,7 +947,7 @@ static sgx_status_t SGX_CDECL Enclave_sgx_oc_cpuidex(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_sgx_thread_wait_untrusted_event_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_sgx_thread_wait_untrusted_event_ocall(void* pms) { ms_sgx_thread_wait_untrusted_event_ocall_t* ms = SGX_CAST(ms_sgx_thread_wait_untrusted_event_ocall_t*, pms); ms->ms_retval = sgx_thread_wait_untrusted_event_ocall(ms->ms_self); @@ -955,7 +955,7 @@ static sgx_status_t SGX_CDECL Enclave_sgx_thread_wait_untrusted_event_ocall(void return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_sgx_thread_set_untrusted_event_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_sgx_thread_set_untrusted_event_ocall(void* pms) { ms_sgx_thread_set_untrusted_event_ocall_t* ms = SGX_CAST(ms_sgx_thread_set_untrusted_event_ocall_t*, pms); ms->ms_retval = sgx_thread_set_untrusted_event_ocall(ms->ms_waiter); @@ -963,7 +963,7 @@ static sgx_status_t SGX_CDECL Enclave_sgx_thread_set_untrusted_event_ocall(void* return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_sgx_thread_setwait_untrusted_events_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_sgx_thread_setwait_untrusted_events_ocall(void* pms) { ms_sgx_thread_setwait_untrusted_events_ocall_t* ms = SGX_CAST(ms_sgx_thread_setwait_untrusted_events_ocall_t*, pms); ms->ms_retval = sgx_thread_setwait_untrusted_events_ocall(ms->ms_waiter, ms->ms_self); @@ -971,7 +971,7 @@ static sgx_status_t SGX_CDECL Enclave_sgx_thread_setwait_untrusted_events_ocall( return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_sgx_thread_set_multiple_untrusted_events_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_auth_sgx_thread_set_multiple_untrusted_events_ocall(void* pms) { ms_sgx_thread_set_multiple_untrusted_events_ocall_t* ms = SGX_CAST(ms_sgx_thread_set_multiple_untrusted_events_ocall_t*, pms); ms->ms_retval = sgx_thread_set_multiple_untrusted_events_ocall(ms->ms_waiters, ms->ms_total); @@ -982,131 +982,131 @@ static sgx_status_t SGX_CDECL Enclave_sgx_thread_set_multiple_untrusted_events_o static const struct { size_t nr_ocall; void * table[63]; -} ocall_table_Enclave = { +} ocall_table_rtc_auth = { 63, { - (void*)Enclave_u_thread_set_event_ocall, - (void*)Enclave_u_thread_wait_event_ocall, - (void*)Enclave_u_thread_set_multiple_events_ocall, - (void*)Enclave_u_thread_setwait_events_ocall, - (void*)Enclave_u_clock_gettime_ocall, - (void*)Enclave_u_read_ocall, - (void*)Enclave_u_pread64_ocall, - (void*)Enclave_u_readv_ocall, - (void*)Enclave_u_preadv64_ocall, - (void*)Enclave_u_write_ocall, - (void*)Enclave_u_pwrite64_ocall, - (void*)Enclave_u_writev_ocall, - (void*)Enclave_u_pwritev64_ocall, - (void*)Enclave_u_fcntl_arg0_ocall, - (void*)Enclave_u_fcntl_arg1_ocall, - (void*)Enclave_u_ioctl_arg0_ocall, - (void*)Enclave_u_ioctl_arg1_ocall, - (void*)Enclave_u_close_ocall, - (void*)Enclave_u_malloc_ocall, - (void*)Enclave_u_free_ocall, - (void*)Enclave_u_mmap_ocall, - (void*)Enclave_u_munmap_ocall, - (void*)Enclave_u_msync_ocall, - (void*)Enclave_u_mprotect_ocall, - (void*)Enclave_u_open_ocall, - (void*)Enclave_u_open64_ocall, - (void*)Enclave_u_fstat_ocall, - (void*)Enclave_u_fstat64_ocall, - (void*)Enclave_u_stat_ocall, - (void*)Enclave_u_stat64_ocall, - (void*)Enclave_u_lstat_ocall, - (void*)Enclave_u_lstat64_ocall, - (void*)Enclave_u_lseek_ocall, - (void*)Enclave_u_lseek64_ocall, - (void*)Enclave_u_ftruncate_ocall, - (void*)Enclave_u_ftruncate64_ocall, - (void*)Enclave_u_truncate_ocall, - (void*)Enclave_u_truncate64_ocall, - (void*)Enclave_u_fsync_ocall, - (void*)Enclave_u_fdatasync_ocall, - (void*)Enclave_u_fchmod_ocall, - (void*)Enclave_u_unlink_ocall, - (void*)Enclave_u_link_ocall, - (void*)Enclave_u_rename_ocall, - (void*)Enclave_u_chmod_ocall, - (void*)Enclave_u_readlink_ocall, - (void*)Enclave_u_symlink_ocall, - (void*)Enclave_u_realpath_ocall, - (void*)Enclave_u_mkdir_ocall, - (void*)Enclave_u_rmdir_ocall, - (void*)Enclave_u_opendir_ocall, - (void*)Enclave_u_readdir64_r_ocall, - (void*)Enclave_u_closedir_ocall, - (void*)Enclave_u_dirfd_ocall, - (void*)Enclave_u_fstatat64_ocall, - (void*)Enclave_rtc_session_request_u, - (void*)Enclave_rtc_exchange_report_u, - (void*)Enclave_rtc_end_session_u, - (void*)Enclave_sgx_oc_cpuidex, - (void*)Enclave_sgx_thread_wait_untrusted_event_ocall, - (void*)Enclave_sgx_thread_set_untrusted_event_ocall, - (void*)Enclave_sgx_thread_setwait_untrusted_events_ocall, - (void*)Enclave_sgx_thread_set_multiple_untrusted_events_ocall, + (void*)rtc_auth_u_thread_set_event_ocall, + (void*)rtc_auth_u_thread_wait_event_ocall, + (void*)rtc_auth_u_thread_set_multiple_events_ocall, + (void*)rtc_auth_u_thread_setwait_events_ocall, + (void*)rtc_auth_u_clock_gettime_ocall, + (void*)rtc_auth_u_read_ocall, + (void*)rtc_auth_u_pread64_ocall, + (void*)rtc_auth_u_readv_ocall, + (void*)rtc_auth_u_preadv64_ocall, + (void*)rtc_auth_u_write_ocall, + (void*)rtc_auth_u_pwrite64_ocall, + (void*)rtc_auth_u_writev_ocall, + (void*)rtc_auth_u_pwritev64_ocall, + (void*)rtc_auth_u_fcntl_arg0_ocall, + (void*)rtc_auth_u_fcntl_arg1_ocall, + (void*)rtc_auth_u_ioctl_arg0_ocall, + (void*)rtc_auth_u_ioctl_arg1_ocall, + (void*)rtc_auth_u_close_ocall, + (void*)rtc_auth_u_malloc_ocall, + (void*)rtc_auth_u_free_ocall, + (void*)rtc_auth_u_mmap_ocall, + (void*)rtc_auth_u_munmap_ocall, + (void*)rtc_auth_u_msync_ocall, + (void*)rtc_auth_u_mprotect_ocall, + (void*)rtc_auth_u_open_ocall, + (void*)rtc_auth_u_open64_ocall, + (void*)rtc_auth_u_fstat_ocall, + (void*)rtc_auth_u_fstat64_ocall, + (void*)rtc_auth_u_stat_ocall, + (void*)rtc_auth_u_stat64_ocall, + (void*)rtc_auth_u_lstat_ocall, + (void*)rtc_auth_u_lstat64_ocall, + (void*)rtc_auth_u_lseek_ocall, + (void*)rtc_auth_u_lseek64_ocall, + (void*)rtc_auth_u_ftruncate_ocall, + (void*)rtc_auth_u_ftruncate64_ocall, + (void*)rtc_auth_u_truncate_ocall, + (void*)rtc_auth_u_truncate64_ocall, + (void*)rtc_auth_u_fsync_ocall, + (void*)rtc_auth_u_fdatasync_ocall, + (void*)rtc_auth_u_fchmod_ocall, + (void*)rtc_auth_u_unlink_ocall, + (void*)rtc_auth_u_link_ocall, + (void*)rtc_auth_u_rename_ocall, + (void*)rtc_auth_u_chmod_ocall, + (void*)rtc_auth_u_readlink_ocall, + (void*)rtc_auth_u_symlink_ocall, + (void*)rtc_auth_u_realpath_ocall, + (void*)rtc_auth_u_mkdir_ocall, + (void*)rtc_auth_u_rmdir_ocall, + (void*)rtc_auth_u_opendir_ocall, + (void*)rtc_auth_u_readdir64_r_ocall, + (void*)rtc_auth_u_closedir_ocall, + (void*)rtc_auth_u_dirfd_ocall, + (void*)rtc_auth_u_fstatat64_ocall, + (void*)rtc_auth_rtc_session_request_u, + (void*)rtc_auth_rtc_exchange_report_u, + (void*)rtc_auth_rtc_end_session_u, + (void*)rtc_auth_sgx_oc_cpuidex, + (void*)rtc_auth_sgx_thread_wait_untrusted_event_ocall, + (void*)rtc_auth_sgx_thread_set_untrusted_event_ocall, + (void*)rtc_auth_sgx_thread_setwait_untrusted_events_ocall, + (void*)rtc_auth_sgx_thread_set_multiple_untrusted_events_ocall, } }; -sgx_status_t enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report) +sgx_status_t rtc_auth_enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report) { sgx_status_t status; ms_enclave_create_report_t ms; ms.ms_p_qe3_target = p_qe3_target; ms.ms_enclave_data = (EnclaveHeldData *)&enclave_data[0]; ms.ms_p_report = p_report; - status = sgx_ecall(eid, 0, &ocall_table_Enclave, &ms); + status = sgx_ecall(eid, 0, &ocall_table_rtc_auth, &ms); if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; return status; } -sgx_status_t t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len) +sgx_status_t rtc_auth_t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len) { sgx_status_t status; ms_t_global_init_ecall_t ms; ms.ms_id = id; ms.ms_path = path; ms.ms_len = len; - status = sgx_ecall(eid, 1, &ocall_table_Enclave, &ms); + status = sgx_ecall(eid, 1, &ocall_table_rtc_auth, &ms); return status; } -sgx_status_t t_global_exit_ecall(sgx_enclave_id_t eid) +sgx_status_t rtc_auth_t_global_exit_ecall(sgx_enclave_id_t eid) { sgx_status_t status; - status = sgx_ecall(eid, 2, &ocall_table_Enclave, NULL); + status = sgx_ecall(eid, 2, &ocall_table_rtc_auth, NULL); return status; } -sgx_status_t rtc_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id) +sgx_status_t rtc_auth_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id) { sgx_status_t status; - ms_rtc_session_request_t ms; + ms_session_request_t ms; ms.ms_src_enclave_id = src_enclave_id; - status = sgx_ecall(eid, 3, &ocall_table_Enclave, &ms); + status = sgx_ecall(eid, 3, &ocall_table_rtc_auth, &ms); if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; return status; } -sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2) +sgx_status_t rtc_auth_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2) { sgx_status_t status; - ms_rtc_exchange_report_t ms; + ms_exchange_report_t ms; ms.ms_src_enclave_id = src_enclave_id; ms.ms_dh_msg2 = dh_msg2; - status = sgx_ecall(eid, 4, &ocall_table_Enclave, &ms); + status = sgx_ecall(eid, 4, &ocall_table_rtc_auth, &ms); if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; return status; } -sgx_status_t rtc_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t src_enclave_id) +sgx_status_t rtc_auth_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t src_enclave_id) { sgx_status_t status; - ms_rtc_end_session_t ms; + ms_end_session_t ms; ms.ms_src_enclave_id = src_enclave_id; - status = sgx_ecall(eid, 5, &ocall_table_Enclave, &ms); + status = sgx_ecall(eid, 5, &ocall_table_rtc_auth, &ms); if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; return status; } diff --git a/codegen/auth_enclave/Enclave_u.h b/codegen/auth_enclave/rtc_auth_u.h similarity index 93% rename from codegen/auth_enclave/Enclave_u.h rename to codegen/auth_enclave/rtc_auth_u.h index 2eea7e7c..c3a5bcec 100644 --- a/codegen/auth_enclave/Enclave_u.h +++ b/codegen/auth_enclave/rtc_auth_u.h @@ -1,5 +1,5 @@ -#ifndef ENCLAVE_U_H__ -#define ENCLAVE_U_H__ +#ifndef RTC_AUTH_U_H__ +#define RTC_AUTH_U_H__ #include #include @@ -279,12 +279,12 @@ int SGX_UBRIDGE(SGX_CDECL, sgx_thread_setwait_untrusted_events_ocall, (const voi int SGX_UBRIDGE(SGX_CDECL, sgx_thread_set_multiple_untrusted_events_ocall, (const void** waiters, size_t total)); #endif -sgx_status_t enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report); -sgx_status_t t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len); -sgx_status_t t_global_exit_ecall(sgx_enclave_id_t eid); -sgx_status_t rtc_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id); -sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2); -sgx_status_t rtc_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t src_enclave_id); +sgx_status_t rtc_auth_enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report); +sgx_status_t rtc_auth_t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len); +sgx_status_t rtc_auth_t_global_exit_ecall(sgx_enclave_id_t eid); +sgx_status_t rtc_auth_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id); +sgx_status_t rtc_auth_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2); +sgx_status_t rtc_auth_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t src_enclave_id); #ifdef __cplusplus } diff --git a/codegen/data_enclave/Enclave_t.c b/codegen/data_enclave/rtc_data_t.c similarity index 97% rename from codegen/data_enclave/Enclave_t.c rename to codegen/data_enclave/rtc_data_t.c index e4cc3028..ed7493cd 100644 --- a/codegen/data_enclave/Enclave_t.c +++ b/codegen/data_enclave/rtc_data_t.c @@ -1,4 +1,4 @@ -#include "Enclave_t.h" +#include "rtc_data_t.h" #include "sgx_trts.h" /* for sgx_ocalloc, sgx_is_outside_enclave */ #include "sgx_lfence.h" /* for sgx_lfence */ @@ -34,12 +34,17 @@ typedef struct ms_enclave_create_report_t { sgx_report_t* ms_p_report; } ms_enclave_create_report_t; -typedef struct ms_rtc_validate_and_save_t { +typedef struct ms_validate_and_save_t { DataUploadResult ms_retval; const uint8_t* ms_payload_ptr; size_t ms_payload_len; UploadMetadata ms_metadata; -} ms_rtc_validate_and_save_t; +} ms_validate_and_save_t; + +typedef struct ms_local_attestation_t { + sgx_status_t ms_retval; + sgx_enclave_id_t ms_rtc_local_attestation; +} ms_local_attestation_t; typedef struct ms_t_global_init_ecall_t { uint64_t ms_id; @@ -47,21 +52,21 @@ typedef struct ms_t_global_init_ecall_t { size_t ms_len; } ms_t_global_init_ecall_t; -typedef struct ms_rtc_session_request_t { +typedef struct ms_session_request_t { SessionRequestResult ms_retval; sgx_enclave_id_t ms_src_enclave_id; -} ms_rtc_session_request_t; +} ms_session_request_t; -typedef struct ms_rtc_exchange_report_t { +typedef struct ms_exchange_report_t { ExchangeReportResult ms_retval; sgx_enclave_id_t ms_src_enclave_id; const sgx_dh_msg2_t* ms_dh_msg2; -} ms_rtc_exchange_report_t; +} ms_exchange_report_t; -typedef struct ms_rtc_end_session_t { +typedef struct ms_end_session_t { sgx_status_t ms_retval; sgx_enclave_id_t ms_src_enclave_id; -} ms_rtc_end_session_t; +} ms_end_session_t; typedef struct ms_rtc_save_sealed_blob_u_t { sgx_status_t ms_retval; @@ -657,14 +662,14 @@ static sgx_status_t SGX_CDECL sgx_enclave_create_report(void* pms) return status; } -static sgx_status_t SGX_CDECL sgx_rtc_validate_and_save(void* pms) +static sgx_status_t SGX_CDECL sgx_validate_and_save(void* pms) { - CHECK_REF_POINTER(pms, sizeof(ms_rtc_validate_and_save_t)); + CHECK_REF_POINTER(pms, sizeof(ms_validate_and_save_t)); // // fence after pointer checks // sgx_lfence(); - ms_rtc_validate_and_save_t* ms = SGX_CAST(ms_rtc_validate_and_save_t*, pms); + ms_validate_and_save_t* ms = SGX_CAST(ms_validate_and_save_t*, pms); sgx_status_t status = SGX_SUCCESS; const uint8_t* _tmp_payload_ptr = ms->ms_payload_ptr; size_t _tmp_payload_len = ms->ms_payload_len; @@ -702,13 +707,31 @@ static sgx_status_t SGX_CDECL sgx_rtc_validate_and_save(void* pms) } - ms->ms_retval = rtc_validate_and_save((const uint8_t*)_in_payload_ptr, _tmp_payload_len, ms->ms_metadata); + ms->ms_retval = validate_and_save((const uint8_t*)_in_payload_ptr, _tmp_payload_len, ms->ms_metadata); err: if (_in_payload_ptr) free(_in_payload_ptr); return status; } +static sgx_status_t SGX_CDECL sgx_local_attestation(void* pms) +{ + CHECK_REF_POINTER(pms, sizeof(ms_local_attestation_t)); + // + // fence after pointer checks + // + sgx_lfence(); + ms_local_attestation_t* ms = SGX_CAST(ms_local_attestation_t*, pms); + sgx_status_t status = SGX_SUCCESS; + + + + ms->ms_retval = local_attestation(ms->ms_rtc_local_attestation); + + + return status; +} + static sgx_status_t SGX_CDECL sgx_t_global_init_ecall(void* pms) { CHECK_REF_POINTER(pms, sizeof(ms_t_global_init_ecall_t)); @@ -764,32 +787,32 @@ static sgx_status_t SGX_CDECL sgx_t_global_exit_ecall(void* pms) return status; } -static sgx_status_t SGX_CDECL sgx_rtc_session_request(void* pms) +static sgx_status_t SGX_CDECL sgx_session_request(void* pms) { - CHECK_REF_POINTER(pms, sizeof(ms_rtc_session_request_t)); + CHECK_REF_POINTER(pms, sizeof(ms_session_request_t)); // // fence after pointer checks // sgx_lfence(); - ms_rtc_session_request_t* ms = SGX_CAST(ms_rtc_session_request_t*, pms); + ms_session_request_t* ms = SGX_CAST(ms_session_request_t*, pms); sgx_status_t status = SGX_SUCCESS; - ms->ms_retval = rtc_session_request(ms->ms_src_enclave_id); + ms->ms_retval = session_request(ms->ms_src_enclave_id); return status; } -static sgx_status_t SGX_CDECL sgx_rtc_exchange_report(void* pms) +static sgx_status_t SGX_CDECL sgx_exchange_report(void* pms) { - CHECK_REF_POINTER(pms, sizeof(ms_rtc_exchange_report_t)); + CHECK_REF_POINTER(pms, sizeof(ms_exchange_report_t)); // // fence after pointer checks // sgx_lfence(); - ms_rtc_exchange_report_t* ms = SGX_CAST(ms_rtc_exchange_report_t*, pms); + ms_exchange_report_t* ms = SGX_CAST(ms_exchange_report_t*, pms); sgx_status_t status = SGX_SUCCESS; const sgx_dh_msg2_t* _tmp_dh_msg2 = ms->ms_dh_msg2; size_t _len_dh_msg2 = sizeof(sgx_dh_msg2_t); @@ -816,26 +839,26 @@ static sgx_status_t SGX_CDECL sgx_rtc_exchange_report(void* pms) } - ms->ms_retval = rtc_exchange_report(ms->ms_src_enclave_id, (const sgx_dh_msg2_t*)_in_dh_msg2); + ms->ms_retval = exchange_report(ms->ms_src_enclave_id, (const sgx_dh_msg2_t*)_in_dh_msg2); err: if (_in_dh_msg2) free(_in_dh_msg2); return status; } -static sgx_status_t SGX_CDECL sgx_rtc_end_session(void* pms) +static sgx_status_t SGX_CDECL sgx_end_session(void* pms) { - CHECK_REF_POINTER(pms, sizeof(ms_rtc_end_session_t)); + CHECK_REF_POINTER(pms, sizeof(ms_end_session_t)); // // fence after pointer checks // sgx_lfence(); - ms_rtc_end_session_t* ms = SGX_CAST(ms_rtc_end_session_t*, pms); + ms_end_session_t* ms = SGX_CAST(ms_end_session_t*, pms); sgx_status_t status = SGX_SUCCESS; - ms->ms_retval = rtc_end_session(ms->ms_src_enclave_id); + ms->ms_retval = end_session(ms->ms_src_enclave_id); return status; @@ -843,100 +866,101 @@ static sgx_status_t SGX_CDECL sgx_rtc_end_session(void* pms) SGX_EXTERNC const struct { size_t nr_ecall; - struct {void* ecall_addr; uint8_t is_priv; uint8_t is_switchless;} ecall_table[7]; + struct {void* ecall_addr; uint8_t is_priv; uint8_t is_switchless;} ecall_table[8]; } g_ecall_table = { - 7, + 8, { {(void*)(uintptr_t)sgx_enclave_create_report, 0, 0}, - {(void*)(uintptr_t)sgx_rtc_validate_and_save, 0, 0}, + {(void*)(uintptr_t)sgx_validate_and_save, 0, 0}, + {(void*)(uintptr_t)sgx_local_attestation, 0, 0}, {(void*)(uintptr_t)sgx_t_global_init_ecall, 0, 0}, {(void*)(uintptr_t)sgx_t_global_exit_ecall, 0, 0}, - {(void*)(uintptr_t)sgx_rtc_session_request, 0, 0}, - {(void*)(uintptr_t)sgx_rtc_exchange_report, 0, 0}, - {(void*)(uintptr_t)sgx_rtc_end_session, 0, 0}, + {(void*)(uintptr_t)sgx_session_request, 0, 0}, + {(void*)(uintptr_t)sgx_exchange_report, 0, 0}, + {(void*)(uintptr_t)sgx_end_session, 0, 0}, } }; SGX_EXTERNC const struct { size_t nr_ocall; - uint8_t entry_table[74][7]; + uint8_t entry_table[74][8]; } g_dyn_entry_table = { 74, { - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, - {0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, } }; diff --git a/codegen/data_enclave/Enclave_t.h b/codegen/data_enclave/rtc_data_t.h similarity index 94% rename from codegen/data_enclave/Enclave_t.h rename to codegen/data_enclave/rtc_data_t.h index 0f85e494..775e5bb3 100644 --- a/codegen/data_enclave/Enclave_t.h +++ b/codegen/data_enclave/rtc_data_t.h @@ -1,5 +1,5 @@ -#ifndef ENCLAVE_T_H__ -#define ENCLAVE_T_H__ +#ifndef RTC_DATA_T_H__ +#define RTC_DATA_T_H__ #include #include @@ -27,12 +27,13 @@ extern "C" { #endif CreateReportResult enclave_create_report(const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report); -DataUploadResult rtc_validate_and_save(const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); +DataUploadResult validate_and_save(const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); +sgx_status_t local_attestation(sgx_enclave_id_t rtc_local_attestation); void t_global_init_ecall(uint64_t id, const uint8_t* path, size_t len); void t_global_exit_ecall(void); -SessionRequestResult rtc_session_request(sgx_enclave_id_t src_enclave_id); -ExchangeReportResult rtc_exchange_report(sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2); -sgx_status_t rtc_end_session(sgx_enclave_id_t src_enclave_id); +SessionRequestResult session_request(sgx_enclave_id_t src_enclave_id); +ExchangeReportResult exchange_report(sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2); +sgx_status_t end_session(sgx_enclave_id_t src_enclave_id); sgx_status_t SGX_CDECL rtc_save_sealed_blob_u(sgx_status_t* retval, const uint8_t* blob_ptr, size_t blob_len, uint8_t uuid[16]); sgx_status_t SGX_CDECL u_thread_set_event_ocall(int* retval, int* error, const void* tcs); diff --git a/codegen/data_enclave/Enclave_u.c b/codegen/data_enclave/rtc_data_u.c similarity index 72% rename from codegen/data_enclave/Enclave_u.c rename to codegen/data_enclave/rtc_data_u.c index ca6ace9b..17d281bd 100644 --- a/codegen/data_enclave/Enclave_u.c +++ b/codegen/data_enclave/rtc_data_u.c @@ -1,4 +1,4 @@ -#include "Enclave_u.h" +#include "rtc_data_u.h" #include typedef struct ms_enclave_create_report_t { @@ -8,12 +8,17 @@ typedef struct ms_enclave_create_report_t { sgx_report_t* ms_p_report; } ms_enclave_create_report_t; -typedef struct ms_rtc_validate_and_save_t { +typedef struct ms_validate_and_save_t { DataUploadResult ms_retval; const uint8_t* ms_payload_ptr; size_t ms_payload_len; UploadMetadata ms_metadata; -} ms_rtc_validate_and_save_t; +} ms_validate_and_save_t; + +typedef struct ms_local_attestation_t { + sgx_status_t ms_retval; + sgx_enclave_id_t ms_rtc_local_attestation; +} ms_local_attestation_t; typedef struct ms_t_global_init_ecall_t { uint64_t ms_id; @@ -21,21 +26,21 @@ typedef struct ms_t_global_init_ecall_t { size_t ms_len; } ms_t_global_init_ecall_t; -typedef struct ms_rtc_session_request_t { +typedef struct ms_session_request_t { SessionRequestResult ms_retval; sgx_enclave_id_t ms_src_enclave_id; -} ms_rtc_session_request_t; +} ms_session_request_t; -typedef struct ms_rtc_exchange_report_t { +typedef struct ms_exchange_report_t { ExchangeReportResult ms_retval; sgx_enclave_id_t ms_src_enclave_id; const sgx_dh_msg2_t* ms_dh_msg2; -} ms_rtc_exchange_report_t; +} ms_exchange_report_t; -typedef struct ms_rtc_end_session_t { +typedef struct ms_end_session_t { sgx_status_t ms_retval; sgx_enclave_id_t ms_src_enclave_id; -} ms_rtc_end_session_t; +} ms_end_session_t; typedef struct ms_rtc_save_sealed_blob_u_t { sgx_status_t ms_retval; @@ -552,7 +557,7 @@ typedef struct ms_rtc_end_session_u_t { sgx_enclave_id_t ms_dest_enclave_id; } ms_rtc_end_session_u_t; -static sgx_status_t SGX_CDECL Enclave_rtc_save_sealed_blob_u(void* pms) +static sgx_status_t SGX_CDECL rtc_data_rtc_save_sealed_blob_u(void* pms) { ms_rtc_save_sealed_blob_u_t* ms = SGX_CAST(ms_rtc_save_sealed_blob_u_t*, pms); ms->ms_retval = rtc_save_sealed_blob_u(ms->ms_blob_ptr, ms->ms_blob_len, ms->ms_uuid); @@ -560,7 +565,7 @@ static sgx_status_t SGX_CDECL Enclave_rtc_save_sealed_blob_u(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_thread_set_event_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_thread_set_event_ocall(void* pms) { ms_u_thread_set_event_ocall_t* ms = SGX_CAST(ms_u_thread_set_event_ocall_t*, pms); ms->ms_retval = u_thread_set_event_ocall(ms->ms_error, ms->ms_tcs); @@ -568,7 +573,7 @@ static sgx_status_t SGX_CDECL Enclave_u_thread_set_event_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_thread_wait_event_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_thread_wait_event_ocall(void* pms) { ms_u_thread_wait_event_ocall_t* ms = SGX_CAST(ms_u_thread_wait_event_ocall_t*, pms); ms->ms_retval = u_thread_wait_event_ocall(ms->ms_error, ms->ms_tcs, ms->ms_timeout); @@ -576,7 +581,7 @@ static sgx_status_t SGX_CDECL Enclave_u_thread_wait_event_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_thread_set_multiple_events_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_thread_set_multiple_events_ocall(void* pms) { ms_u_thread_set_multiple_events_ocall_t* ms = SGX_CAST(ms_u_thread_set_multiple_events_ocall_t*, pms); ms->ms_retval = u_thread_set_multiple_events_ocall(ms->ms_error, ms->ms_tcss, ms->ms_total); @@ -584,7 +589,7 @@ static sgx_status_t SGX_CDECL Enclave_u_thread_set_multiple_events_ocall(void* p return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_thread_setwait_events_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_thread_setwait_events_ocall(void* pms) { ms_u_thread_setwait_events_ocall_t* ms = SGX_CAST(ms_u_thread_setwait_events_ocall_t*, pms); ms->ms_retval = u_thread_setwait_events_ocall(ms->ms_error, ms->ms_waiter_tcs, ms->ms_self_tcs, ms->ms_timeout); @@ -592,7 +597,7 @@ static sgx_status_t SGX_CDECL Enclave_u_thread_setwait_events_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_clock_gettime_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_clock_gettime_ocall(void* pms) { ms_u_clock_gettime_ocall_t* ms = SGX_CAST(ms_u_clock_gettime_ocall_t*, pms); ms->ms_retval = u_clock_gettime_ocall(ms->ms_error, ms->ms_clk_id, ms->ms_tp); @@ -600,7 +605,7 @@ static sgx_status_t SGX_CDECL Enclave_u_clock_gettime_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_read_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_read_ocall(void* pms) { ms_u_read_ocall_t* ms = SGX_CAST(ms_u_read_ocall_t*, pms); ms->ms_retval = u_read_ocall(ms->ms_error, ms->ms_fd, ms->ms_buf, ms->ms_count); @@ -608,7 +613,7 @@ static sgx_status_t SGX_CDECL Enclave_u_read_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_pread64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_pread64_ocall(void* pms) { ms_u_pread64_ocall_t* ms = SGX_CAST(ms_u_pread64_ocall_t*, pms); ms->ms_retval = u_pread64_ocall(ms->ms_error, ms->ms_fd, ms->ms_buf, ms->ms_count, ms->ms_offset); @@ -616,7 +621,7 @@ static sgx_status_t SGX_CDECL Enclave_u_pread64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_readv_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_readv_ocall(void* pms) { ms_u_readv_ocall_t* ms = SGX_CAST(ms_u_readv_ocall_t*, pms); ms->ms_retval = u_readv_ocall(ms->ms_error, ms->ms_fd, ms->ms_iov, ms->ms_iovcnt); @@ -624,7 +629,7 @@ static sgx_status_t SGX_CDECL Enclave_u_readv_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_preadv64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_preadv64_ocall(void* pms) { ms_u_preadv64_ocall_t* ms = SGX_CAST(ms_u_preadv64_ocall_t*, pms); ms->ms_retval = u_preadv64_ocall(ms->ms_error, ms->ms_fd, ms->ms_iov, ms->ms_iovcnt, ms->ms_offset); @@ -632,7 +637,7 @@ static sgx_status_t SGX_CDECL Enclave_u_preadv64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_write_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_write_ocall(void* pms) { ms_u_write_ocall_t* ms = SGX_CAST(ms_u_write_ocall_t*, pms); ms->ms_retval = u_write_ocall(ms->ms_error, ms->ms_fd, ms->ms_buf, ms->ms_count); @@ -640,7 +645,7 @@ static sgx_status_t SGX_CDECL Enclave_u_write_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_pwrite64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_pwrite64_ocall(void* pms) { ms_u_pwrite64_ocall_t* ms = SGX_CAST(ms_u_pwrite64_ocall_t*, pms); ms->ms_retval = u_pwrite64_ocall(ms->ms_error, ms->ms_fd, ms->ms_buf, ms->ms_count, ms->ms_offset); @@ -648,7 +653,7 @@ static sgx_status_t SGX_CDECL Enclave_u_pwrite64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_writev_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_writev_ocall(void* pms) { ms_u_writev_ocall_t* ms = SGX_CAST(ms_u_writev_ocall_t*, pms); ms->ms_retval = u_writev_ocall(ms->ms_error, ms->ms_fd, ms->ms_iov, ms->ms_iovcnt); @@ -656,7 +661,7 @@ static sgx_status_t SGX_CDECL Enclave_u_writev_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_pwritev64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_pwritev64_ocall(void* pms) { ms_u_pwritev64_ocall_t* ms = SGX_CAST(ms_u_pwritev64_ocall_t*, pms); ms->ms_retval = u_pwritev64_ocall(ms->ms_error, ms->ms_fd, ms->ms_iov, ms->ms_iovcnt, ms->ms_offset); @@ -664,7 +669,7 @@ static sgx_status_t SGX_CDECL Enclave_u_pwritev64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fcntl_arg0_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_fcntl_arg0_ocall(void* pms) { ms_u_fcntl_arg0_ocall_t* ms = SGX_CAST(ms_u_fcntl_arg0_ocall_t*, pms); ms->ms_retval = u_fcntl_arg0_ocall(ms->ms_error, ms->ms_fd, ms->ms_cmd); @@ -672,7 +677,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fcntl_arg0_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fcntl_arg1_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_fcntl_arg1_ocall(void* pms) { ms_u_fcntl_arg1_ocall_t* ms = SGX_CAST(ms_u_fcntl_arg1_ocall_t*, pms); ms->ms_retval = u_fcntl_arg1_ocall(ms->ms_error, ms->ms_fd, ms->ms_cmd, ms->ms_arg); @@ -680,7 +685,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fcntl_arg1_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_ioctl_arg0_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_ioctl_arg0_ocall(void* pms) { ms_u_ioctl_arg0_ocall_t* ms = SGX_CAST(ms_u_ioctl_arg0_ocall_t*, pms); ms->ms_retval = u_ioctl_arg0_ocall(ms->ms_error, ms->ms_fd, ms->ms_request); @@ -688,7 +693,7 @@ static sgx_status_t SGX_CDECL Enclave_u_ioctl_arg0_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_ioctl_arg1_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_ioctl_arg1_ocall(void* pms) { ms_u_ioctl_arg1_ocall_t* ms = SGX_CAST(ms_u_ioctl_arg1_ocall_t*, pms); ms->ms_retval = u_ioctl_arg1_ocall(ms->ms_error, ms->ms_fd, ms->ms_request, ms->ms_arg); @@ -696,7 +701,7 @@ static sgx_status_t SGX_CDECL Enclave_u_ioctl_arg1_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_close_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_close_ocall(void* pms) { ms_u_close_ocall_t* ms = SGX_CAST(ms_u_close_ocall_t*, pms); ms->ms_retval = u_close_ocall(ms->ms_error, ms->ms_fd); @@ -704,7 +709,7 @@ static sgx_status_t SGX_CDECL Enclave_u_close_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_malloc_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_malloc_ocall(void* pms) { ms_u_malloc_ocall_t* ms = SGX_CAST(ms_u_malloc_ocall_t*, pms); ms->ms_retval = u_malloc_ocall(ms->ms_error, ms->ms_size); @@ -712,7 +717,7 @@ static sgx_status_t SGX_CDECL Enclave_u_malloc_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_free_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_free_ocall(void* pms) { ms_u_free_ocall_t* ms = SGX_CAST(ms_u_free_ocall_t*, pms); u_free_ocall(ms->ms_p); @@ -720,7 +725,7 @@ static sgx_status_t SGX_CDECL Enclave_u_free_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_mmap_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_mmap_ocall(void* pms) { ms_u_mmap_ocall_t* ms = SGX_CAST(ms_u_mmap_ocall_t*, pms); ms->ms_retval = u_mmap_ocall(ms->ms_error, ms->ms_start, ms->ms_length, ms->ms_prot, ms->ms_flags, ms->ms_fd, ms->ms_offset); @@ -728,7 +733,7 @@ static sgx_status_t SGX_CDECL Enclave_u_mmap_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_munmap_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_munmap_ocall(void* pms) { ms_u_munmap_ocall_t* ms = SGX_CAST(ms_u_munmap_ocall_t*, pms); ms->ms_retval = u_munmap_ocall(ms->ms_error, ms->ms_start, ms->ms_length); @@ -736,7 +741,7 @@ static sgx_status_t SGX_CDECL Enclave_u_munmap_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_msync_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_msync_ocall(void* pms) { ms_u_msync_ocall_t* ms = SGX_CAST(ms_u_msync_ocall_t*, pms); ms->ms_retval = u_msync_ocall(ms->ms_error, ms->ms_addr, ms->ms_length, ms->ms_flags); @@ -744,7 +749,7 @@ static sgx_status_t SGX_CDECL Enclave_u_msync_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_mprotect_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_mprotect_ocall(void* pms) { ms_u_mprotect_ocall_t* ms = SGX_CAST(ms_u_mprotect_ocall_t*, pms); ms->ms_retval = u_mprotect_ocall(ms->ms_error, ms->ms_addr, ms->ms_length, ms->ms_prot); @@ -752,7 +757,7 @@ static sgx_status_t SGX_CDECL Enclave_u_mprotect_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_open_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_open_ocall(void* pms) { ms_u_open_ocall_t* ms = SGX_CAST(ms_u_open_ocall_t*, pms); ms->ms_retval = u_open_ocall(ms->ms_error, ms->ms_pathname, ms->ms_flags); @@ -760,7 +765,7 @@ static sgx_status_t SGX_CDECL Enclave_u_open_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_open64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_open64_ocall(void* pms) { ms_u_open64_ocall_t* ms = SGX_CAST(ms_u_open64_ocall_t*, pms); ms->ms_retval = u_open64_ocall(ms->ms_error, ms->ms_path, ms->ms_oflag, ms->ms_mode); @@ -768,7 +773,7 @@ static sgx_status_t SGX_CDECL Enclave_u_open64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fstat_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_fstat_ocall(void* pms) { ms_u_fstat_ocall_t* ms = SGX_CAST(ms_u_fstat_ocall_t*, pms); ms->ms_retval = u_fstat_ocall(ms->ms_error, ms->ms_fd, ms->ms_buf); @@ -776,7 +781,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fstat_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fstat64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_fstat64_ocall(void* pms) { ms_u_fstat64_ocall_t* ms = SGX_CAST(ms_u_fstat64_ocall_t*, pms); ms->ms_retval = u_fstat64_ocall(ms->ms_error, ms->ms_fd, ms->ms_buf); @@ -784,7 +789,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fstat64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_stat_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_stat_ocall(void* pms) { ms_u_stat_ocall_t* ms = SGX_CAST(ms_u_stat_ocall_t*, pms); ms->ms_retval = u_stat_ocall(ms->ms_error, ms->ms_path, ms->ms_buf); @@ -792,7 +797,7 @@ static sgx_status_t SGX_CDECL Enclave_u_stat_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_stat64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_stat64_ocall(void* pms) { ms_u_stat64_ocall_t* ms = SGX_CAST(ms_u_stat64_ocall_t*, pms); ms->ms_retval = u_stat64_ocall(ms->ms_error, ms->ms_path, ms->ms_buf); @@ -800,7 +805,7 @@ static sgx_status_t SGX_CDECL Enclave_u_stat64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_lstat_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_lstat_ocall(void* pms) { ms_u_lstat_ocall_t* ms = SGX_CAST(ms_u_lstat_ocall_t*, pms); ms->ms_retval = u_lstat_ocall(ms->ms_error, ms->ms_path, ms->ms_buf); @@ -808,7 +813,7 @@ static sgx_status_t SGX_CDECL Enclave_u_lstat_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_lstat64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_lstat64_ocall(void* pms) { ms_u_lstat64_ocall_t* ms = SGX_CAST(ms_u_lstat64_ocall_t*, pms); ms->ms_retval = u_lstat64_ocall(ms->ms_error, ms->ms_path, ms->ms_buf); @@ -816,7 +821,7 @@ static sgx_status_t SGX_CDECL Enclave_u_lstat64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_lseek_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_lseek_ocall(void* pms) { ms_u_lseek_ocall_t* ms = SGX_CAST(ms_u_lseek_ocall_t*, pms); ms->ms_retval = u_lseek_ocall(ms->ms_error, ms->ms_fd, ms->ms_offset, ms->ms_whence); @@ -824,7 +829,7 @@ static sgx_status_t SGX_CDECL Enclave_u_lseek_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_lseek64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_lseek64_ocall(void* pms) { ms_u_lseek64_ocall_t* ms = SGX_CAST(ms_u_lseek64_ocall_t*, pms); ms->ms_retval = u_lseek64_ocall(ms->ms_error, ms->ms_fd, ms->ms_offset, ms->ms_whence); @@ -832,7 +837,7 @@ static sgx_status_t SGX_CDECL Enclave_u_lseek64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_ftruncate_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_ftruncate_ocall(void* pms) { ms_u_ftruncate_ocall_t* ms = SGX_CAST(ms_u_ftruncate_ocall_t*, pms); ms->ms_retval = u_ftruncate_ocall(ms->ms_error, ms->ms_fd, ms->ms_length); @@ -840,7 +845,7 @@ static sgx_status_t SGX_CDECL Enclave_u_ftruncate_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_ftruncate64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_ftruncate64_ocall(void* pms) { ms_u_ftruncate64_ocall_t* ms = SGX_CAST(ms_u_ftruncate64_ocall_t*, pms); ms->ms_retval = u_ftruncate64_ocall(ms->ms_error, ms->ms_fd, ms->ms_length); @@ -848,7 +853,7 @@ static sgx_status_t SGX_CDECL Enclave_u_ftruncate64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_truncate_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_truncate_ocall(void* pms) { ms_u_truncate_ocall_t* ms = SGX_CAST(ms_u_truncate_ocall_t*, pms); ms->ms_retval = u_truncate_ocall(ms->ms_error, ms->ms_path, ms->ms_length); @@ -856,7 +861,7 @@ static sgx_status_t SGX_CDECL Enclave_u_truncate_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_truncate64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_truncate64_ocall(void* pms) { ms_u_truncate64_ocall_t* ms = SGX_CAST(ms_u_truncate64_ocall_t*, pms); ms->ms_retval = u_truncate64_ocall(ms->ms_error, ms->ms_path, ms->ms_length); @@ -864,7 +869,7 @@ static sgx_status_t SGX_CDECL Enclave_u_truncate64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fsync_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_fsync_ocall(void* pms) { ms_u_fsync_ocall_t* ms = SGX_CAST(ms_u_fsync_ocall_t*, pms); ms->ms_retval = u_fsync_ocall(ms->ms_error, ms->ms_fd); @@ -872,7 +877,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fsync_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fdatasync_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_fdatasync_ocall(void* pms) { ms_u_fdatasync_ocall_t* ms = SGX_CAST(ms_u_fdatasync_ocall_t*, pms); ms->ms_retval = u_fdatasync_ocall(ms->ms_error, ms->ms_fd); @@ -880,7 +885,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fdatasync_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fchmod_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_fchmod_ocall(void* pms) { ms_u_fchmod_ocall_t* ms = SGX_CAST(ms_u_fchmod_ocall_t*, pms); ms->ms_retval = u_fchmod_ocall(ms->ms_error, ms->ms_fd, ms->ms_mode); @@ -888,7 +893,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fchmod_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_unlink_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_unlink_ocall(void* pms) { ms_u_unlink_ocall_t* ms = SGX_CAST(ms_u_unlink_ocall_t*, pms); ms->ms_retval = u_unlink_ocall(ms->ms_error, ms->ms_pathname); @@ -896,7 +901,7 @@ static sgx_status_t SGX_CDECL Enclave_u_unlink_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_link_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_link_ocall(void* pms) { ms_u_link_ocall_t* ms = SGX_CAST(ms_u_link_ocall_t*, pms); ms->ms_retval = u_link_ocall(ms->ms_error, ms->ms_oldpath, ms->ms_newpath); @@ -904,7 +909,7 @@ static sgx_status_t SGX_CDECL Enclave_u_link_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_rename_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_rename_ocall(void* pms) { ms_u_rename_ocall_t* ms = SGX_CAST(ms_u_rename_ocall_t*, pms); ms->ms_retval = u_rename_ocall(ms->ms_error, ms->ms_oldpath, ms->ms_newpath); @@ -912,7 +917,7 @@ static sgx_status_t SGX_CDECL Enclave_u_rename_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_chmod_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_chmod_ocall(void* pms) { ms_u_chmod_ocall_t* ms = SGX_CAST(ms_u_chmod_ocall_t*, pms); ms->ms_retval = u_chmod_ocall(ms->ms_error, ms->ms_path, ms->ms_mode); @@ -920,7 +925,7 @@ static sgx_status_t SGX_CDECL Enclave_u_chmod_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_readlink_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_readlink_ocall(void* pms) { ms_u_readlink_ocall_t* ms = SGX_CAST(ms_u_readlink_ocall_t*, pms); ms->ms_retval = u_readlink_ocall(ms->ms_error, ms->ms_path, ms->ms_buf, ms->ms_bufsz); @@ -928,7 +933,7 @@ static sgx_status_t SGX_CDECL Enclave_u_readlink_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_symlink_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_symlink_ocall(void* pms) { ms_u_symlink_ocall_t* ms = SGX_CAST(ms_u_symlink_ocall_t*, pms); ms->ms_retval = u_symlink_ocall(ms->ms_error, ms->ms_path1, ms->ms_path2); @@ -936,7 +941,7 @@ static sgx_status_t SGX_CDECL Enclave_u_symlink_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_realpath_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_realpath_ocall(void* pms) { ms_u_realpath_ocall_t* ms = SGX_CAST(ms_u_realpath_ocall_t*, pms); ms->ms_retval = u_realpath_ocall(ms->ms_error, ms->ms_pathname); @@ -944,7 +949,7 @@ static sgx_status_t SGX_CDECL Enclave_u_realpath_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_mkdir_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_mkdir_ocall(void* pms) { ms_u_mkdir_ocall_t* ms = SGX_CAST(ms_u_mkdir_ocall_t*, pms); ms->ms_retval = u_mkdir_ocall(ms->ms_error, ms->ms_pathname, ms->ms_mode); @@ -952,7 +957,7 @@ static sgx_status_t SGX_CDECL Enclave_u_mkdir_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_rmdir_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_rmdir_ocall(void* pms) { ms_u_rmdir_ocall_t* ms = SGX_CAST(ms_u_rmdir_ocall_t*, pms); ms->ms_retval = u_rmdir_ocall(ms->ms_error, ms->ms_pathname); @@ -960,7 +965,7 @@ static sgx_status_t SGX_CDECL Enclave_u_rmdir_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_opendir_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_opendir_ocall(void* pms) { ms_u_opendir_ocall_t* ms = SGX_CAST(ms_u_opendir_ocall_t*, pms); ms->ms_retval = u_opendir_ocall(ms->ms_error, ms->ms_pathname); @@ -968,7 +973,7 @@ static sgx_status_t SGX_CDECL Enclave_u_opendir_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_readdir64_r_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_readdir64_r_ocall(void* pms) { ms_u_readdir64_r_ocall_t* ms = SGX_CAST(ms_u_readdir64_r_ocall_t*, pms); ms->ms_retval = u_readdir64_r_ocall(ms->ms_dirp, ms->ms_entry, ms->ms_result); @@ -976,7 +981,7 @@ static sgx_status_t SGX_CDECL Enclave_u_readdir64_r_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_closedir_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_closedir_ocall(void* pms) { ms_u_closedir_ocall_t* ms = SGX_CAST(ms_u_closedir_ocall_t*, pms); ms->ms_retval = u_closedir_ocall(ms->ms_error, ms->ms_dirp); @@ -984,7 +989,7 @@ static sgx_status_t SGX_CDECL Enclave_u_closedir_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_dirfd_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_dirfd_ocall(void* pms) { ms_u_dirfd_ocall_t* ms = SGX_CAST(ms_u_dirfd_ocall_t*, pms); ms->ms_retval = u_dirfd_ocall(ms->ms_error, ms->ms_dirp); @@ -992,7 +997,7 @@ static sgx_status_t SGX_CDECL Enclave_u_dirfd_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_fstatat64_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_fstatat64_ocall(void* pms) { ms_u_fstatat64_ocall_t* ms = SGX_CAST(ms_u_fstatat64_ocall_t*, pms); ms->ms_retval = u_fstatat64_ocall(ms->ms_error, ms->ms_dirfd, ms->ms_pathname, ms->ms_buf, ms->ms_flags); @@ -1000,7 +1005,7 @@ static sgx_status_t SGX_CDECL Enclave_u_fstatat64_ocall(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_sgx_oc_cpuidex(void* pms) +static sgx_status_t SGX_CDECL rtc_data_sgx_oc_cpuidex(void* pms) { ms_sgx_oc_cpuidex_t* ms = SGX_CAST(ms_sgx_oc_cpuidex_t*, pms); sgx_oc_cpuidex(ms->ms_cpuinfo, ms->ms_leaf, ms->ms_subleaf); @@ -1008,7 +1013,7 @@ static sgx_status_t SGX_CDECL Enclave_sgx_oc_cpuidex(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_sgx_thread_wait_untrusted_event_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_sgx_thread_wait_untrusted_event_ocall(void* pms) { ms_sgx_thread_wait_untrusted_event_ocall_t* ms = SGX_CAST(ms_sgx_thread_wait_untrusted_event_ocall_t*, pms); ms->ms_retval = sgx_thread_wait_untrusted_event_ocall(ms->ms_self); @@ -1016,7 +1021,7 @@ static sgx_status_t SGX_CDECL Enclave_sgx_thread_wait_untrusted_event_ocall(void return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_sgx_thread_set_untrusted_event_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_sgx_thread_set_untrusted_event_ocall(void* pms) { ms_sgx_thread_set_untrusted_event_ocall_t* ms = SGX_CAST(ms_sgx_thread_set_untrusted_event_ocall_t*, pms); ms->ms_retval = sgx_thread_set_untrusted_event_ocall(ms->ms_waiter); @@ -1024,7 +1029,7 @@ static sgx_status_t SGX_CDECL Enclave_sgx_thread_set_untrusted_event_ocall(void* return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_sgx_thread_setwait_untrusted_events_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_sgx_thread_setwait_untrusted_events_ocall(void* pms) { ms_sgx_thread_setwait_untrusted_events_ocall_t* ms = SGX_CAST(ms_sgx_thread_setwait_untrusted_events_ocall_t*, pms); ms->ms_retval = sgx_thread_setwait_untrusted_events_ocall(ms->ms_waiter, ms->ms_self); @@ -1032,7 +1037,7 @@ static sgx_status_t SGX_CDECL Enclave_sgx_thread_setwait_untrusted_events_ocall( return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_sgx_thread_set_multiple_untrusted_events_ocall(void* pms) +static sgx_status_t SGX_CDECL rtc_data_sgx_thread_set_multiple_untrusted_events_ocall(void* pms) { ms_sgx_thread_set_multiple_untrusted_events_ocall_t* ms = SGX_CAST(ms_sgx_thread_set_multiple_untrusted_events_ocall_t*, pms); ms->ms_retval = sgx_thread_set_multiple_untrusted_events_ocall(ms->ms_waiters, ms->ms_total); @@ -1040,7 +1045,7 @@ static sgx_status_t SGX_CDECL Enclave_sgx_thread_set_multiple_untrusted_events_o return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_exclusive_file_open(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_sgxprotectedfs_exclusive_file_open(void* pms) { ms_u_sgxprotectedfs_exclusive_file_open_t* ms = SGX_CAST(ms_u_sgxprotectedfs_exclusive_file_open_t*, pms); ms->ms_retval = u_sgxprotectedfs_exclusive_file_open(ms->ms_filename, ms->ms_read_only, ms->ms_file_size, ms->ms_error_code); @@ -1048,7 +1053,7 @@ static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_exclusive_file_open(void* return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_check_if_file_exists(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_sgxprotectedfs_check_if_file_exists(void* pms) { ms_u_sgxprotectedfs_check_if_file_exists_t* ms = SGX_CAST(ms_u_sgxprotectedfs_check_if_file_exists_t*, pms); ms->ms_retval = u_sgxprotectedfs_check_if_file_exists(ms->ms_filename); @@ -1056,7 +1061,7 @@ static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_check_if_file_exists(void return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_fread_node(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_sgxprotectedfs_fread_node(void* pms) { ms_u_sgxprotectedfs_fread_node_t* ms = SGX_CAST(ms_u_sgxprotectedfs_fread_node_t*, pms); ms->ms_retval = u_sgxprotectedfs_fread_node(ms->ms_f, ms->ms_node_number, ms->ms_buffer, ms->ms_node_size); @@ -1064,7 +1069,7 @@ static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_fread_node(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_fwrite_node(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_sgxprotectedfs_fwrite_node(void* pms) { ms_u_sgxprotectedfs_fwrite_node_t* ms = SGX_CAST(ms_u_sgxprotectedfs_fwrite_node_t*, pms); ms->ms_retval = u_sgxprotectedfs_fwrite_node(ms->ms_f, ms->ms_node_number, ms->ms_buffer, ms->ms_node_size); @@ -1072,7 +1077,7 @@ static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_fwrite_node(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_fclose(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_sgxprotectedfs_fclose(void* pms) { ms_u_sgxprotectedfs_fclose_t* ms = SGX_CAST(ms_u_sgxprotectedfs_fclose_t*, pms); ms->ms_retval = u_sgxprotectedfs_fclose(ms->ms_f); @@ -1080,7 +1085,7 @@ static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_fclose(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_fflush(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_sgxprotectedfs_fflush(void* pms) { ms_u_sgxprotectedfs_fflush_t* ms = SGX_CAST(ms_u_sgxprotectedfs_fflush_t*, pms); ms->ms_retval = u_sgxprotectedfs_fflush(ms->ms_f); @@ -1088,7 +1093,7 @@ static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_fflush(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_remove(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_sgxprotectedfs_remove(void* pms) { ms_u_sgxprotectedfs_remove_t* ms = SGX_CAST(ms_u_sgxprotectedfs_remove_t*, pms); ms->ms_retval = u_sgxprotectedfs_remove(ms->ms_filename); @@ -1096,7 +1101,7 @@ static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_remove(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_recovery_file_open(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_sgxprotectedfs_recovery_file_open(void* pms) { ms_u_sgxprotectedfs_recovery_file_open_t* ms = SGX_CAST(ms_u_sgxprotectedfs_recovery_file_open_t*, pms); ms->ms_retval = u_sgxprotectedfs_recovery_file_open(ms->ms_filename); @@ -1104,7 +1109,7 @@ static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_recovery_file_open(void* return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_fwrite_recovery_node(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_sgxprotectedfs_fwrite_recovery_node(void* pms) { ms_u_sgxprotectedfs_fwrite_recovery_node_t* ms = SGX_CAST(ms_u_sgxprotectedfs_fwrite_recovery_node_t*, pms); ms->ms_retval = u_sgxprotectedfs_fwrite_recovery_node(ms->ms_f, ms->ms_data, ms->ms_data_length); @@ -1112,7 +1117,7 @@ static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_fwrite_recovery_node(void return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_do_file_recovery(void* pms) +static sgx_status_t SGX_CDECL rtc_data_u_sgxprotectedfs_do_file_recovery(void* pms) { ms_u_sgxprotectedfs_do_file_recovery_t* ms = SGX_CAST(ms_u_sgxprotectedfs_do_file_recovery_t*, pms); ms->ms_retval = u_sgxprotectedfs_do_file_recovery(ms->ms_filename, ms->ms_recovery_filename, ms->ms_node_size); @@ -1120,7 +1125,7 @@ static sgx_status_t SGX_CDECL Enclave_u_sgxprotectedfs_do_file_recovery(void* pm return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_rtc_session_request_u(void* pms) +static sgx_status_t SGX_CDECL rtc_data_rtc_session_request_u(void* pms) { ms_rtc_session_request_u_t* ms = SGX_CAST(ms_rtc_session_request_u_t*, pms); ms->ms_retval = rtc_session_request_u(ms->ms_src_enclave_id, ms->ms_dest_enclave_id); @@ -1128,7 +1133,7 @@ static sgx_status_t SGX_CDECL Enclave_rtc_session_request_u(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_rtc_exchange_report_u(void* pms) +static sgx_status_t SGX_CDECL rtc_data_rtc_exchange_report_u(void* pms) { ms_rtc_exchange_report_u_t* ms = SGX_CAST(ms_rtc_exchange_report_u_t*, pms); ms->ms_retval = rtc_exchange_report_u(ms->ms_src_enclave_id, ms->ms_dest_enclave_id, ms->ms_dh_msg2); @@ -1136,7 +1141,7 @@ static sgx_status_t SGX_CDECL Enclave_rtc_exchange_report_u(void* pms) return SGX_SUCCESS; } -static sgx_status_t SGX_CDECL Enclave_rtc_end_session_u(void* pms) +static sgx_status_t SGX_CDECL rtc_data_rtc_end_session_u(void* pms) { ms_rtc_end_session_u_t* ms = SGX_CAST(ms_rtc_end_session_u_t*, pms); ms->ms_retval = rtc_end_session_u(ms->ms_src_enclave_id, ms->ms_dest_enclave_id); @@ -1147,154 +1152,164 @@ static sgx_status_t SGX_CDECL Enclave_rtc_end_session_u(void* pms) static const struct { size_t nr_ocall; void * table[74]; -} ocall_table_Enclave = { +} ocall_table_rtc_data = { 74, { - (void*)Enclave_rtc_save_sealed_blob_u, - (void*)Enclave_u_thread_set_event_ocall, - (void*)Enclave_u_thread_wait_event_ocall, - (void*)Enclave_u_thread_set_multiple_events_ocall, - (void*)Enclave_u_thread_setwait_events_ocall, - (void*)Enclave_u_clock_gettime_ocall, - (void*)Enclave_u_read_ocall, - (void*)Enclave_u_pread64_ocall, - (void*)Enclave_u_readv_ocall, - (void*)Enclave_u_preadv64_ocall, - (void*)Enclave_u_write_ocall, - (void*)Enclave_u_pwrite64_ocall, - (void*)Enclave_u_writev_ocall, - (void*)Enclave_u_pwritev64_ocall, - (void*)Enclave_u_fcntl_arg0_ocall, - (void*)Enclave_u_fcntl_arg1_ocall, - (void*)Enclave_u_ioctl_arg0_ocall, - (void*)Enclave_u_ioctl_arg1_ocall, - (void*)Enclave_u_close_ocall, - (void*)Enclave_u_malloc_ocall, - (void*)Enclave_u_free_ocall, - (void*)Enclave_u_mmap_ocall, - (void*)Enclave_u_munmap_ocall, - (void*)Enclave_u_msync_ocall, - (void*)Enclave_u_mprotect_ocall, - (void*)Enclave_u_open_ocall, - (void*)Enclave_u_open64_ocall, - (void*)Enclave_u_fstat_ocall, - (void*)Enclave_u_fstat64_ocall, - (void*)Enclave_u_stat_ocall, - (void*)Enclave_u_stat64_ocall, - (void*)Enclave_u_lstat_ocall, - (void*)Enclave_u_lstat64_ocall, - (void*)Enclave_u_lseek_ocall, - (void*)Enclave_u_lseek64_ocall, - (void*)Enclave_u_ftruncate_ocall, - (void*)Enclave_u_ftruncate64_ocall, - (void*)Enclave_u_truncate_ocall, - (void*)Enclave_u_truncate64_ocall, - (void*)Enclave_u_fsync_ocall, - (void*)Enclave_u_fdatasync_ocall, - (void*)Enclave_u_fchmod_ocall, - (void*)Enclave_u_unlink_ocall, - (void*)Enclave_u_link_ocall, - (void*)Enclave_u_rename_ocall, - (void*)Enclave_u_chmod_ocall, - (void*)Enclave_u_readlink_ocall, - (void*)Enclave_u_symlink_ocall, - (void*)Enclave_u_realpath_ocall, - (void*)Enclave_u_mkdir_ocall, - (void*)Enclave_u_rmdir_ocall, - (void*)Enclave_u_opendir_ocall, - (void*)Enclave_u_readdir64_r_ocall, - (void*)Enclave_u_closedir_ocall, - (void*)Enclave_u_dirfd_ocall, - (void*)Enclave_u_fstatat64_ocall, - (void*)Enclave_sgx_oc_cpuidex, - (void*)Enclave_sgx_thread_wait_untrusted_event_ocall, - (void*)Enclave_sgx_thread_set_untrusted_event_ocall, - (void*)Enclave_sgx_thread_setwait_untrusted_events_ocall, - (void*)Enclave_sgx_thread_set_multiple_untrusted_events_ocall, - (void*)Enclave_u_sgxprotectedfs_exclusive_file_open, - (void*)Enclave_u_sgxprotectedfs_check_if_file_exists, - (void*)Enclave_u_sgxprotectedfs_fread_node, - (void*)Enclave_u_sgxprotectedfs_fwrite_node, - (void*)Enclave_u_sgxprotectedfs_fclose, - (void*)Enclave_u_sgxprotectedfs_fflush, - (void*)Enclave_u_sgxprotectedfs_remove, - (void*)Enclave_u_sgxprotectedfs_recovery_file_open, - (void*)Enclave_u_sgxprotectedfs_fwrite_recovery_node, - (void*)Enclave_u_sgxprotectedfs_do_file_recovery, - (void*)Enclave_rtc_session_request_u, - (void*)Enclave_rtc_exchange_report_u, - (void*)Enclave_rtc_end_session_u, + (void*)rtc_data_rtc_save_sealed_blob_u, + (void*)rtc_data_u_thread_set_event_ocall, + (void*)rtc_data_u_thread_wait_event_ocall, + (void*)rtc_data_u_thread_set_multiple_events_ocall, + (void*)rtc_data_u_thread_setwait_events_ocall, + (void*)rtc_data_u_clock_gettime_ocall, + (void*)rtc_data_u_read_ocall, + (void*)rtc_data_u_pread64_ocall, + (void*)rtc_data_u_readv_ocall, + (void*)rtc_data_u_preadv64_ocall, + (void*)rtc_data_u_write_ocall, + (void*)rtc_data_u_pwrite64_ocall, + (void*)rtc_data_u_writev_ocall, + (void*)rtc_data_u_pwritev64_ocall, + (void*)rtc_data_u_fcntl_arg0_ocall, + (void*)rtc_data_u_fcntl_arg1_ocall, + (void*)rtc_data_u_ioctl_arg0_ocall, + (void*)rtc_data_u_ioctl_arg1_ocall, + (void*)rtc_data_u_close_ocall, + (void*)rtc_data_u_malloc_ocall, + (void*)rtc_data_u_free_ocall, + (void*)rtc_data_u_mmap_ocall, + (void*)rtc_data_u_munmap_ocall, + (void*)rtc_data_u_msync_ocall, + (void*)rtc_data_u_mprotect_ocall, + (void*)rtc_data_u_open_ocall, + (void*)rtc_data_u_open64_ocall, + (void*)rtc_data_u_fstat_ocall, + (void*)rtc_data_u_fstat64_ocall, + (void*)rtc_data_u_stat_ocall, + (void*)rtc_data_u_stat64_ocall, + (void*)rtc_data_u_lstat_ocall, + (void*)rtc_data_u_lstat64_ocall, + (void*)rtc_data_u_lseek_ocall, + (void*)rtc_data_u_lseek64_ocall, + (void*)rtc_data_u_ftruncate_ocall, + (void*)rtc_data_u_ftruncate64_ocall, + (void*)rtc_data_u_truncate_ocall, + (void*)rtc_data_u_truncate64_ocall, + (void*)rtc_data_u_fsync_ocall, + (void*)rtc_data_u_fdatasync_ocall, + (void*)rtc_data_u_fchmod_ocall, + (void*)rtc_data_u_unlink_ocall, + (void*)rtc_data_u_link_ocall, + (void*)rtc_data_u_rename_ocall, + (void*)rtc_data_u_chmod_ocall, + (void*)rtc_data_u_readlink_ocall, + (void*)rtc_data_u_symlink_ocall, + (void*)rtc_data_u_realpath_ocall, + (void*)rtc_data_u_mkdir_ocall, + (void*)rtc_data_u_rmdir_ocall, + (void*)rtc_data_u_opendir_ocall, + (void*)rtc_data_u_readdir64_r_ocall, + (void*)rtc_data_u_closedir_ocall, + (void*)rtc_data_u_dirfd_ocall, + (void*)rtc_data_u_fstatat64_ocall, + (void*)rtc_data_sgx_oc_cpuidex, + (void*)rtc_data_sgx_thread_wait_untrusted_event_ocall, + (void*)rtc_data_sgx_thread_set_untrusted_event_ocall, + (void*)rtc_data_sgx_thread_setwait_untrusted_events_ocall, + (void*)rtc_data_sgx_thread_set_multiple_untrusted_events_ocall, + (void*)rtc_data_u_sgxprotectedfs_exclusive_file_open, + (void*)rtc_data_u_sgxprotectedfs_check_if_file_exists, + (void*)rtc_data_u_sgxprotectedfs_fread_node, + (void*)rtc_data_u_sgxprotectedfs_fwrite_node, + (void*)rtc_data_u_sgxprotectedfs_fclose, + (void*)rtc_data_u_sgxprotectedfs_fflush, + (void*)rtc_data_u_sgxprotectedfs_remove, + (void*)rtc_data_u_sgxprotectedfs_recovery_file_open, + (void*)rtc_data_u_sgxprotectedfs_fwrite_recovery_node, + (void*)rtc_data_u_sgxprotectedfs_do_file_recovery, + (void*)rtc_data_rtc_session_request_u, + (void*)rtc_data_rtc_exchange_report_u, + (void*)rtc_data_rtc_end_session_u, } }; -sgx_status_t enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report) +sgx_status_t rtc_data_enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report) { sgx_status_t status; ms_enclave_create_report_t ms; ms.ms_p_qe3_target = p_qe3_target; ms.ms_enclave_data = (EnclaveHeldData *)&enclave_data[0]; ms.ms_p_report = p_report; - status = sgx_ecall(eid, 0, &ocall_table_Enclave, &ms); + status = sgx_ecall(eid, 0, &ocall_table_rtc_data, &ms); if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; return status; } -sgx_status_t rtc_validate_and_save(sgx_enclave_id_t eid, DataUploadResult* retval, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata) +sgx_status_t rtc_data_validate_and_save(sgx_enclave_id_t eid, DataUploadResult* retval, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata) { sgx_status_t status; - ms_rtc_validate_and_save_t ms; + ms_validate_and_save_t ms; ms.ms_payload_ptr = payload_ptr; ms.ms_payload_len = payload_len; ms.ms_metadata = metadata; - status = sgx_ecall(eid, 1, &ocall_table_Enclave, &ms); + status = sgx_ecall(eid, 1, &ocall_table_rtc_data, &ms); + if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; + return status; +} + +sgx_status_t rtc_data_local_attestation(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t rtc_local_attestation) +{ + sgx_status_t status; + ms_local_attestation_t ms; + ms.ms_rtc_local_attestation = rtc_local_attestation; + status = sgx_ecall(eid, 2, &ocall_table_rtc_data, &ms); if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; return status; } -sgx_status_t t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len) +sgx_status_t rtc_data_t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len) { sgx_status_t status; ms_t_global_init_ecall_t ms; ms.ms_id = id; ms.ms_path = path; ms.ms_len = len; - status = sgx_ecall(eid, 2, &ocall_table_Enclave, &ms); + status = sgx_ecall(eid, 3, &ocall_table_rtc_data, &ms); return status; } -sgx_status_t t_global_exit_ecall(sgx_enclave_id_t eid) +sgx_status_t rtc_data_t_global_exit_ecall(sgx_enclave_id_t eid) { sgx_status_t status; - status = sgx_ecall(eid, 3, &ocall_table_Enclave, NULL); + status = sgx_ecall(eid, 4, &ocall_table_rtc_data, NULL); return status; } -sgx_status_t rtc_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id) +sgx_status_t rtc_data_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id) { sgx_status_t status; - ms_rtc_session_request_t ms; + ms_session_request_t ms; ms.ms_src_enclave_id = src_enclave_id; - status = sgx_ecall(eid, 4, &ocall_table_Enclave, &ms); + status = sgx_ecall(eid, 5, &ocall_table_rtc_data, &ms); if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; return status; } -sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2) +sgx_status_t rtc_data_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2) { sgx_status_t status; - ms_rtc_exchange_report_t ms; + ms_exchange_report_t ms; ms.ms_src_enclave_id = src_enclave_id; ms.ms_dh_msg2 = dh_msg2; - status = sgx_ecall(eid, 5, &ocall_table_Enclave, &ms); + status = sgx_ecall(eid, 6, &ocall_table_rtc_data, &ms); if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; return status; } -sgx_status_t rtc_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t src_enclave_id) +sgx_status_t rtc_data_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t src_enclave_id) { sgx_status_t status; - ms_rtc_end_session_t ms; + ms_end_session_t ms; ms.ms_src_enclave_id = src_enclave_id; - status = sgx_ecall(eid, 6, &ocall_table_Enclave, &ms); + status = sgx_ecall(eid, 7, &ocall_table_rtc_data, &ms); if (status == SGX_SUCCESS && retval) *retval = ms.ms_retval; return status; } diff --git a/codegen/data_enclave/Enclave_u.h b/codegen/data_enclave/rtc_data_u.h similarity index 93% rename from codegen/data_enclave/Enclave_u.h rename to codegen/data_enclave/rtc_data_u.h index 26189ce9..5468e32d 100644 --- a/codegen/data_enclave/Enclave_u.h +++ b/codegen/data_enclave/rtc_data_u.h @@ -1,5 +1,5 @@ -#ifndef ENCLAVE_U_H__ -#define ENCLAVE_U_H__ +#ifndef RTC_DATA_U_H__ +#define RTC_DATA_U_H__ #include #include @@ -324,13 +324,14 @@ ExchangeReportResult SGX_UBRIDGE(SGX_NOCONVENTION, rtc_exchange_report_u, (sgx_e sgx_status_t SGX_UBRIDGE(SGX_NOCONVENTION, rtc_end_session_u, (sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id)); #endif -sgx_status_t enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report); -sgx_status_t rtc_validate_and_save(sgx_enclave_id_t eid, DataUploadResult* retval, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); -sgx_status_t t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len); -sgx_status_t t_global_exit_ecall(sgx_enclave_id_t eid); -sgx_status_t rtc_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id); -sgx_status_t rtc_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2); -sgx_status_t rtc_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t src_enclave_id); +sgx_status_t rtc_data_enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report); +sgx_status_t rtc_data_validate_and_save(sgx_enclave_id_t eid, DataUploadResult* retval, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); +sgx_status_t rtc_data_local_attestation(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t rtc_local_attestation); +sgx_status_t rtc_data_t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len); +sgx_status_t rtc_data_t_global_exit_ecall(sgx_enclave_id_t eid); +sgx_status_t rtc_data_session_request(sgx_enclave_id_t eid, SessionRequestResult* retval, sgx_enclave_id_t src_enclave_id); +sgx_status_t rtc_data_exchange_report(sgx_enclave_id_t eid, ExchangeReportResult* retval, sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2); +sgx_status_t rtc_data_end_session(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t src_enclave_id); #ifdef __cplusplus } diff --git a/edl/rtc_tenclave.edl b/edl/rtc_tenclave.edl index f2e2ac73..c57d0329 100644 --- a/edl/rtc_tenclave.edl +++ b/edl/rtc_tenclave.edl @@ -8,9 +8,9 @@ enclave { include "sgx_dh.h" trusted{ - public SessionRequestResult rtc_session_request(sgx_enclave_id_t src_enclave_id); - public ExchangeReportResult rtc_exchange_report(sgx_enclave_id_t src_enclave_id, [in]const sgx_dh_msg2_t *dh_msg2); - public sgx_status_t rtc_end_session(sgx_enclave_id_t src_enclave_id); + public SessionRequestResult session_request(sgx_enclave_id_t src_enclave_id); + public ExchangeReportResult exchange_report(sgx_enclave_id_t src_enclave_id, [in]const sgx_dh_msg2_t *dh_msg2); + public sgx_status_t end_session(sgx_enclave_id_t src_enclave_id); }; untrusted{ diff --git a/rtc_auth_enclave/Makefile b/rtc_auth_enclave/Makefile index 8b5fcb10..d448af9e 100644 --- a/rtc_auth_enclave/Makefile +++ b/rtc_auth_enclave/Makefile @@ -36,11 +36,11 @@ Crate_Files := $(wildcard src/*.rs ../rtc_tenclave/src/*.rs) Out_StaticLib := $(CRATE_BUILD_PATH)/lib$(CRATE_LIB_NAME).a Out_Bindings := $(CODEGEN_PATH)/bindings.h -Out_EdgeObject := $(CUSTOM_LIBRARY_PATH)/Enclave_t.o +Out_EdgeObject := $(CUSTOM_LIBRARY_PATH)/rtc_auth_t.o Out_Dylib := $(CUSTOM_LIBRARY_PATH)/enclave.so Out_SignedDylib := $(CUSTOM_BIN_PATH)/enclave.signed.so -Out_CodegenFiles := $(CODEGEN_PATH)/Enclave_t.c $(CODEGEN_PATH)/Enclave_t.h $(CODEGEN_PATH)/Enclave_u.c $(CODEGEN_PATH)/Enclave_u.h +Out_CodegenFiles := $(CODEGEN_PATH)/rtc_auth_t.c $(CODEGEN_PATH)/rtc_auth_t.h $(CODEGEN_PATH)/rtc_auth_u.c $(CODEGEN_PATH)/rtc_auth_u.h .PHONY: all @@ -97,12 +97,12 @@ $(Out_StaticLib) $(Out_Bindings): $(Crate_Files) @rm -f $(Out_StaticLib) $(Out_Bindings) cargo build --release -$(Out_CodegenFiles): $(SGX_EDGER8R) ./Enclave.edl $(Out_Bindings) | $(CODEGEN_PATH) - $(SGX_EDGER8R) ./Enclave.edl --search-path $(SGX_SDK)/include --search-path $(RUST_EDL_PATH) --search-path $(RTC_EDL_PATH) --trusted-dir $(CODEGEN_PATH) --untrusted-dir $(CODEGEN_PATH) +$(Out_CodegenFiles): $(SGX_EDGER8R) ./rtc_auth.edl $(Out_Bindings) | $(CODEGEN_PATH) + $(SGX_EDGER8R) --use-prefix ./rtc_auth.edl --search-path $(SGX_SDK)/include --search-path $(RUST_EDL_PATH) --search-path $(RTC_EDL_PATH) --trusted-dir $(CODEGEN_PATH) --untrusted-dir $(CODEGEN_PATH) @echo "GEN => $(Enclave_EDL_Files)" $(Out_EdgeObject): $(Out_CodegenFiles) | $(CODEGEN_PATH) $(CUSTOM_LIBRARY_PATH) - @$(CC) $(RustEnclave_Compile_Flags) -c $(CODEGEN_PATH)/Enclave_t.c -o $@ + @$(CC) $(RustEnclave_Compile_Flags) -c $(CODEGEN_PATH)/rtc_auth_t.c -o $@ @echo "CC <= $<" $(Out_Dylib): $(Out_StaticLib) $(Out_EdgeObject) | $(CUSTOM_LIBRARY_PATH) diff --git a/rtc_auth_enclave/Enclave.edl b/rtc_auth_enclave/rtc_auth.edl similarity index 100% rename from rtc_auth_enclave/Enclave.edl rename to rtc_auth_enclave/rtc_auth.edl diff --git a/rtc_data_enclave/Makefile b/rtc_data_enclave/Makefile index 1d0c5588..875ce85b 100644 --- a/rtc_data_enclave/Makefile +++ b/rtc_data_enclave/Makefile @@ -36,11 +36,11 @@ Crate_Files := $(wildcard src/*.rs ../rtc_tenclave/src/*.rs) Out_StaticLib := $(CRATE_BUILD_PATH)/lib$(CRATE_LIB_NAME).a Out_Bindings := $(CODEGEN_PATH)/bindings.h -Out_EdgeObject := $(CUSTOM_LIBRARY_PATH)/Enclave_t.o +Out_EdgeObject := $(CUSTOM_LIBRARY_PATH)/rtc_data_t.o Out_Dylib := $(CUSTOM_LIBRARY_PATH)/enclave.so Out_SignedDylib := $(CUSTOM_BIN_PATH)/enclave.signed.so -Out_CodegenFiles := $(CODEGEN_PATH)/Enclave_t.c $(CODEGEN_PATH)/Enclave_t.h $(CODEGEN_PATH)/Enclave_u.c $(CODEGEN_PATH)/Enclave_u.h +Out_CodegenFiles := $(CODEGEN_PATH)/rtc_data_t.c $(CODEGEN_PATH)/rtc_data_t.h $(CODEGEN_PATH)/rtc_data_u.c $(CODEGEN_PATH)/rtc_data_u.h .PHONY: all @@ -97,12 +97,12 @@ $(Out_StaticLib) $(Out_Bindings): $(Crate_Files) @rm -f $(Out_StaticLib) $(Out_Bindings) cargo build --release -$(Out_CodegenFiles): $(SGX_EDGER8R) ./Enclave.edl $(Out_Bindings) | $(CODEGEN_PATH) - $(SGX_EDGER8R) ./Enclave.edl --search-path $(SGX_SDK)/include --search-path $(RUST_EDL_PATH) --search-path $(RTC_EDL_PATH) --trusted-dir $(CODEGEN_PATH) --untrusted-dir $(CODEGEN_PATH) +$(Out_CodegenFiles): $(SGX_EDGER8R) ./rtc_data.edl $(Out_Bindings) | $(CODEGEN_PATH) + $(SGX_EDGER8R) --use-prefix ./rtc_data.edl --search-path $(SGX_SDK)/include --search-path $(RUST_EDL_PATH) --search-path $(RTC_EDL_PATH) --trusted-dir $(CODEGEN_PATH) --untrusted-dir $(CODEGEN_PATH) @echo "GEN => $(Enclave_EDL_Files)" $(Out_EdgeObject): $(Out_CodegenFiles) | $(CODEGEN_PATH) $(CUSTOM_LIBRARY_PATH) - @$(CC) $(RustEnclave_Compile_Flags) -c $(CODEGEN_PATH)/Enclave_t.c -o $@ + @$(CC) $(RustEnclave_Compile_Flags) -c $(CODEGEN_PATH)/rtc_data_t.c -o $@ @echo "CC <= $<" $(Out_Dylib): $(Out_StaticLib) $(Out_EdgeObject) | $(CUSTOM_LIBRARY_PATH) diff --git a/rtc_data_enclave/Enclave.edl b/rtc_data_enclave/rtc_data.edl similarity index 79% rename from rtc_data_enclave/Enclave.edl rename to rtc_data_enclave/rtc_data.edl index 3c47e758..e1360f4d 100644 --- a/rtc_data_enclave/Enclave.edl +++ b/rtc_data_enclave/rtc_data.edl @@ -19,7 +19,8 @@ enclave { [out, isary]EnclaveHeldData enclave_data, [out]sgx_report_t* p_report); - public DataUploadResult rtc_validate_and_save([in, count=payload_len]const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); + public DataUploadResult validate_and_save([in, count=payload_len]const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); + public sgx_status_t local_attestation(sgx_enclave_id_t rtc_local_attestation); }; untrusted { diff --git a/rtc_data_enclave/src/lib.rs b/rtc_data_enclave/src/lib.rs index cae96304..a4261dd5 100644 --- a/rtc_data_enclave/src/lib.rs +++ b/rtc_data_enclave/src/lib.rs @@ -37,7 +37,7 @@ use rtc_tenclave::enclave::*; /// The caller (SGX) should ensure that `payload_ptr` is valid for a slice of /// length `payload_len` #[no_mangle] -pub unsafe extern "C" fn rtc_validate_and_save( +pub unsafe extern "C" fn validate_and_save( payload_ptr: *const u8, payload_len: usize, metadata: UploadMetadata, @@ -55,3 +55,14 @@ pub unsafe extern "C" fn rtc_validate_and_save( (err) => EcallResult::Err(DataUploadError::Sealing(err)), } } + +/// Tries to perform local attestation to an enclave at dest_enclave_id. The enclave needs to be +/// initialized as a `ResponderSys` in rtc_udh' +#[no_mangle] +pub unsafe extern "C" fn local_attestation(dest_enclave_id: sgx_enclave_id_t) -> sgx_status_t { + let res = rtc_tenclave::dh::dh_sessions().establish_new(dest_enclave_id); + match res { + Ok(_) => sgx_status_t::SGX_SUCCESS, + Err(err) => err, + } +} diff --git a/rtc_tenclave/Cargo.toml b/rtc_tenclave/Cargo.toml index 25c4ca07..6bf35c52 100644 --- a/rtc_tenclave/Cargo.toml +++ b/rtc_tenclave/Cargo.toml @@ -23,7 +23,7 @@ sgx_tse = { git = "https://github.com/apache/incubator-teaclave-sgx-sdk.git", re rand = { git = "https://github.com/mesalock-linux/rand-sgx", tag = "v0.7.3_sgx1.1.3", optional = true } thiserror = { git = "https://github.com/mesalock-linux/thiserror-sgx.git", optional = true } sgx_tcrypto = { git = "https://github.com/apache/incubator-teaclave-sgx-sdk.git", rev = "b9d1bda", optional = true } -sgx_tdh = { git = "https://github.com/apache/incubator-teaclave-sgx-sdk.git", rev = "b9d1bda", optional = true } +sgx_tdh = { git = "https://github.com/apache/incubator-teaclave-sgx-sdk.git", rev = "b9d1bda", features = ["use_lav2"], optional = true } once_cell = { git = "https://github.com/mesalock-linux/once_cell-sgx.git", optional = true } # XXX: Work around serde-json-sgx / Cargo version handling issue diff --git a/rtc_tenclave/src/dh/mod.rs b/rtc_tenclave/src/dh/mod.rs index dff82570..5c2f74c3 100644 --- a/rtc_tenclave/src/dh/mod.rs +++ b/rtc_tenclave/src/dh/mod.rs @@ -251,19 +251,19 @@ fn exchange_report_ocall( } #[no_mangle] -pub extern "C" fn rtc_session_request(src_enclave_id: sgx_enclave_id_t) -> SessionRequestResult { +pub extern "C" fn session_request(src_enclave_id: sgx_enclave_id_t) -> SessionRequestResult { dh_sessions().initiate_response(&src_enclave_id).into() } #[no_mangle] -pub extern "C" fn rtc_end_session(src_enclave_id: sgx_enclave_id_t) -> sgx_status_t { +pub extern "C" fn end_session(src_enclave_id: sgx_enclave_id_t) -> sgx_status_t { // TODO: Ensure sessions close on both ends? dh_sessions().close_session(&src_enclave_id); sgx_status_t::SGX_SUCCESS } #[no_mangle] -pub unsafe extern "C" fn rtc_exchange_report( +pub unsafe extern "C" fn exchange_report( src_enclave_id: sgx_enclave_id_t, dh_msg2_ptr: *const sgx_dh_msg2_t, ) -> ExchangeReportResult { diff --git a/rtc_uenclave/auth-sys/Cargo.toml b/rtc_uenclave/auth-sys/Cargo.toml index 9b5b25eb..6db8cf3d 100644 --- a/rtc_uenclave/auth-sys/Cargo.toml +++ b/rtc_uenclave/auth-sys/Cargo.toml @@ -3,6 +3,10 @@ name = "auth-sys" version = "0.1.0" authors = ["Herman "] edition = "2018" +links = "rtc_auth_u" + +[lib] +crate-type = ["rlib"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html diff --git a/rtc_uenclave/auth-sys/build.rs b/rtc_uenclave/auth-sys/build.rs index 3ff57d2c..bc8e540a 100644 --- a/rtc_uenclave/auth-sys/build.rs +++ b/rtc_uenclave/auth-sys/build.rs @@ -18,7 +18,7 @@ fn main() { println!("cargo:rustc-link-search=native={}/lib64", sdk_dir); let mut base_u = cc::Build::new() - .file(enclave_gen.join("Enclave_u.c")) + .file(enclave_gen.join("rtc_auth_u.c")) .no_default_flags(true) .includes(&includes) .flag("-fstack-protector") @@ -30,9 +30,9 @@ fn main() { .to_owned(); if profile == "release" { - base_u.flag("-O2").compile("Enclave_u"); + base_u.flag("-O2").compile("rtc_auth_u"); } else { - base_u.flag("-O0").flag("-g").compile("Enclave_u"); + base_u.flag("-O0").flag("-g").compile("rtc_auth_u"); } println!("cargo:rerun-if-changed=wrapper.h"); @@ -53,10 +53,7 @@ fn main() { .allowlist_recursively(false) .array_pointers_in_arguments(true) // TODO: see if there is a way to include functions using globbing - .allowlist_function("enclave_create_report") - .allowlist_function("rtc_session_request") - .allowlist_function("rtc_exchange_report") - .allowlist_function("rtc_end_session") + .allowlist_function("rtc_auth_.*") .clang_args(&inc_args) .generate() .expect("Unable to generate bindings") diff --git a/rtc_uenclave/auth-sys/src/lib.rs b/rtc_uenclave/auth-sys/src/lib.rs index 123c42e2..1b9ceca6 100644 --- a/rtc_uenclave/auth-sys/src/lib.rs +++ b/rtc_uenclave/auth-sys/src/lib.rs @@ -1,5 +1,5 @@ #[allow(unused_imports)] -use sgx_urts; +pub use sgx_urts; use rtc_ecalls::RtcEnclaveEcalls; use rtc_types::dh::*; @@ -24,7 +24,7 @@ impl RtcEnclaveEcalls for AuthSys { enclave_data: *mut EnclaveHeldData, p_report: *mut sgx_report_t, ) -> sgx_status_t { - ffi::enclave_create_report(eid, retval, p_qe3_target, enclave_data, p_report) + ffi::rtc_auth_enclave_create_report(eid, retval, p_qe3_target, enclave_data, p_report) } } @@ -35,7 +35,7 @@ impl rtc_udh::ResponderSys for AuthSys { retval: *mut SessionRequestResult, src_enclave_id: sgx_enclave_id_t, ) -> sgx_status_t { - ffi::rtc_session_request(eid, retval, src_enclave_id) + ffi::rtc_auth_session_request(eid, retval, src_enclave_id) } unsafe fn rtc_exchange_report( @@ -45,7 +45,7 @@ impl rtc_udh::ResponderSys for AuthSys { src_enclave_id: sgx_enclave_id_t, dh_msg2_ptr: *const sgx_dh_msg2_t, ) -> sgx_status_t { - ffi::rtc_exchange_report(eid, retval, src_enclave_id, dh_msg2_ptr) + ffi::rtc_auth_exchange_report(eid, retval, src_enclave_id, dh_msg2_ptr) } unsafe fn rtc_end_session( @@ -54,6 +54,6 @@ impl rtc_udh::ResponderSys for AuthSys { retval: *mut sgx_status_t, src_enclave_id: sgx_enclave_id_t, ) -> sgx_status_t { - ffi::rtc_end_session(eid, retval, src_enclave_id) + ffi::rtc_auth_end_session(eid, retval, src_enclave_id) } } diff --git a/rtc_uenclave/auth-sys/wrapper.h b/rtc_uenclave/auth-sys/wrapper.h index b8489bea..2af0cf09 100644 --- a/rtc_uenclave/auth-sys/wrapper.h +++ b/rtc_uenclave/auth-sys/wrapper.h @@ -1 +1 @@ -#include "../../codegen/auth_enclave/Enclave_u.h" +#include "../../codegen/auth_enclave/rtc_auth_u.h" diff --git a/rtc_uenclave/data-sys/Cargo.toml b/rtc_uenclave/data-sys/Cargo.toml index d591da73..ef68cac4 100644 --- a/rtc_uenclave/data-sys/Cargo.toml +++ b/rtc_uenclave/data-sys/Cargo.toml @@ -3,7 +3,10 @@ name = "data-sys" version = "0.1.0" authors = ["Herman "] edition = "2018" -links = "Enclave_u" +links = "Enclave_data_u" + +[lib] +crate-type = ["rlib"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html diff --git a/rtc_uenclave/data-sys/build.rs b/rtc_uenclave/data-sys/build.rs index 1cdf9dfc..1aa431b9 100644 --- a/rtc_uenclave/data-sys/build.rs +++ b/rtc_uenclave/data-sys/build.rs @@ -18,7 +18,7 @@ fn main() { println!("cargo:rustc-link-search=native={}/lib64", sdk_dir); let mut base_u = cc::Build::new() - .file(enclave_gen.join("Enclave_u.c")) + .file(enclave_gen.join("rtc_data_u.c")) .no_default_flags(true) .includes(&includes) .flag("-fstack-protector") @@ -30,9 +30,9 @@ fn main() { .to_owned(); if profile == "release" { - base_u.flag("-O2").compile("Enclave_u"); + base_u.flag("-O2").compile("rtc_data_u"); } else { - base_u.flag("-O0").flag("-g").compile("Enclave_u"); + base_u.flag("-O0").flag("-g").compile("rtc_data_u"); } println!("cargo:rerun-if-changed=wrapper.h"); @@ -53,11 +53,7 @@ fn main() { .allowlist_recursively(false) .array_pointers_in_arguments(true) // TODO: see if there is a way to include functions using globbing - .allowlist_function("enclave_create_report") - .allowlist_function("rtc_validate_and_save") - .allowlist_function("rtc_session_request") - .allowlist_function("rtc_exchange_report") - .allowlist_function("rtc_end_session") + .allowlist_function("rtc_data_.*") .clang_args(&inc_args) .generate() .expect("Unable to generate bindings") diff --git a/rtc_uenclave/data-sys/src/lib.rs b/rtc_uenclave/data-sys/src/lib.rs index b89598f8..16c7d563 100644 --- a/rtc_uenclave/data-sys/src/lib.rs +++ b/rtc_uenclave/data-sys/src/lib.rs @@ -30,7 +30,7 @@ impl RtcEnclaveEcalls for DataSys { enclave_data: *mut EnclaveHeldData, p_report: *mut sgx_report_t, ) -> sgx_status_t { - ffi::enclave_create_report(eid, retval, p_qe3_target, enclave_data, p_report) + ffi::rtc_data_enclave_create_report(eid, retval, p_qe3_target, enclave_data, p_report) } } @@ -41,7 +41,7 @@ impl rtc_udh::ResponderSys for DataSys { retval: *mut SessionRequestResult, src_enclave_id: sgx_enclave_id_t, ) -> sgx_status_t { - ffi::rtc_session_request(eid, retval, src_enclave_id) + ffi::rtc_data_session_request(eid, retval, src_enclave_id) } unsafe fn rtc_exchange_report( @@ -51,7 +51,7 @@ impl rtc_udh::ResponderSys for DataSys { src_enclave_id: sgx_enclave_id_t, dh_msg2_ptr: *const sgx_dh_msg2_t, ) -> sgx_status_t { - ffi::rtc_exchange_report(eid, retval, src_enclave_id, dh_msg2_ptr) + ffi::rtc_data_exchange_report(eid, retval, src_enclave_id, dh_msg2_ptr) } unsafe fn rtc_end_session( @@ -60,6 +60,6 @@ impl rtc_udh::ResponderSys for DataSys { retval: *mut sgx_status_t, src_enclave_id: sgx_enclave_id_t, ) -> sgx_status_t { - ffi::rtc_end_session(eid, retval, src_enclave_id) + ffi::rtc_data_end_session(eid, retval, src_enclave_id) } } diff --git a/rtc_uenclave/data-sys/wrapper.h b/rtc_uenclave/data-sys/wrapper.h index d3786b57..0c0a6247 100644 --- a/rtc_uenclave/data-sys/wrapper.h +++ b/rtc_uenclave/data-sys/wrapper.h @@ -1 +1 @@ -#include "../../codegen/data_enclave/Enclave_u.h" +#include "../../codegen/data_enclave/rtc_data_u.h" diff --git a/rtc_uenclave/src/enclaves/rtc_data.rs b/rtc_uenclave/src/enclaves/rtc_data.rs index 4555ff75..ebc66f71 100644 --- a/rtc_uenclave/src/enclaves/rtc_data.rs +++ b/rtc_uenclave/src/enclaves/rtc_data.rs @@ -79,7 +79,13 @@ pub mod ecalls { let mut retval = DataUploadResult::default(); // TODO: Safety let res = unsafe { - ffi::rtc_validate_and_save(eid, &mut retval, payload.as_ptr(), payload.len(), metadata) + ffi::rtc_data_validate_and_save( + eid, + &mut retval, + payload.as_ptr(), + payload.len(), + metadata, + ) }; retval.to_ecall_err(res).into() } From 18af0c92cd8118d415eae06f6326dc75043efab6 Mon Sep 17 00:00:00 2001 From: Herman Date: Tue, 18 May 2021 13:41:50 +0200 Subject: [PATCH 12/31] feat(dh): add to uenclave and basic integration test --- Cargo.lock | 1 + rtc_auth_enclave/src/lib.rs | 9 +++++---- rtc_data_service/tests/exec_token.rs | 24 ++++++++++++++++++++++++ rtc_udh/src/lib.rs | 1 - rtc_uenclave/Cargo.toml | 1 + rtc_uenclave/src/enclaves/rtc_auth.rs | 8 ++++++-- rtc_uenclave/src/enclaves/rtc_data.rs | 26 ++++++++++++++++++++++++++ rtc_uenclave/src/rtc_enclave.rs | 17 +++++++++++++---- 8 files changed, 76 insertions(+), 11 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 595fd87f..2b2c1275 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1704,6 +1704,7 @@ dependencies = [ "rsa", "rtc-ecalls", "rtc_types", + "rtc_udh", "serde 1.0.125", "serde_json", "sgx_types", diff --git a/rtc_auth_enclave/src/lib.rs b/rtc_auth_enclave/src/lib.rs index 5e7ea09b..39cc52b1 100644 --- a/rtc_auth_enclave/src/lib.rs +++ b/rtc_auth_enclave/src/lib.rs @@ -4,8 +4,9 @@ #![deny(unsafe_op_in_unsafe_fn)] #![deny(clippy::mem_forget)] -use sgx_types::{sgx_report_t, sgx_status_t, sgx_target_info_t}; +#[cfg(not(target_env = "sgx"))] +#[macro_use] +extern crate sgx_tstd as std; -use rtc_types::{CreateReportResult, EnclaveHeldData}; - -use rtc_tenclave::enclave::*; +pub use rtc_tenclave::dh::*; +pub use rtc_tenclave::enclave::*; diff --git a/rtc_data_service/tests/exec_token.rs b/rtc_data_service/tests/exec_token.rs index bbd60bd0..96c3ce5f 100644 --- a/rtc_data_service/tests/exec_token.rs +++ b/rtc_data_service/tests/exec_token.rs @@ -9,6 +9,8 @@ use actix_web::{http, test}; use rtc_data_service::data_enclave_actor::DataEnclaveActor; use rtc_data_service::exec_token; +use rtc_uenclave::EnclaveConfig; +use sgx_types::sgx_status_t; #[actix_rt::test] async fn data_service_exec_token_ok() { @@ -65,3 +67,25 @@ async fn data_service_exec_token_ok() { }; assert_eq!(expected, actual) } + +#[test] +fn test_local_attestation_success() { + let auth_enclave = rtc_uenclave::RtcAuthEnclave::init(EnclaveConfig { + lib_path: "/root/rtc-data/rtc_auth_enclave/build/bin/enclave.signed.so".to_string(), + ..Default::default() + }) + .unwrap(); + + let data_enclave = rtc_uenclave::RtcDataEnclave::init(EnclaveConfig { + lib_path: "/root/rtc-data/rtc_data_enclave/build/bin/enclave.signed.so".to_string(), + ..Default::default() + }) + .unwrap(); + + let res = data_enclave.local_attestation(auth_enclave.geteid()); + assert_eq!(res, sgx_status_t::SGX_SUCCESS); + + // TODO: Integration test for message sending + // We should consider moving the integration tests for enclave interaction into rtc_uenclave + // since these tests does not need anything from the data_service +} diff --git a/rtc_udh/src/lib.rs b/rtc_udh/src/lib.rs index a479160c..bba43649 100644 --- a/rtc_udh/src/lib.rs +++ b/rtc_udh/src/lib.rs @@ -2,7 +2,6 @@ mod responder; use std::{ collections::HashMap, - marker::PhantomData, sync::{Arc, Mutex, RwLock}, }; diff --git a/rtc_uenclave/Cargo.toml b/rtc_uenclave/Cargo.toml index 4052350e..0770435c 100644 --- a/rtc_uenclave/Cargo.toml +++ b/rtc_uenclave/Cargo.toml @@ -28,6 +28,7 @@ serde_json = "1.0.64" data-sys = { path = "./data-sys", optional = true } auth-sys = { path = "./auth-sys", optional = true } rtc-ecalls = { path = "./rtc-ecalls" } +rtc_udh = { path = "../rtc_udh" } [dev-dependencies] rand = "0.7.3" diff --git a/rtc_uenclave/src/enclaves/rtc_auth.rs b/rtc_uenclave/src/enclaves/rtc_auth.rs index 018cf8c1..8a65ee3d 100644 --- a/rtc_uenclave/src/enclaves/rtc_auth.rs +++ b/rtc_uenclave/src/enclaves/rtc_auth.rs @@ -1,10 +1,9 @@ use std::borrow::Borrow; +use crate::{AttestationError, EnclaveConfig, EnclaveReportResult, RtcEnclave}; use auth_sys::AuthSys; use sgx_types::*; -use crate::{AttestationError, EnclaveConfig, EnclaveReportResult, RtcEnclave}; - /// Wraps all the functionality for interacting with the auth enclave pub struct RtcAuthEnclave(RtcEnclave) where @@ -43,4 +42,9 @@ where pub fn is_initialized(&self) -> bool { self.0.is_initialized() } + + /// Get the id of this enclave instance + pub fn geteid(&self) -> sgx_enclave_id_t { + self.0.geteid() + } } diff --git a/rtc_uenclave/src/enclaves/rtc_data.rs b/rtc_uenclave/src/enclaves/rtc_data.rs index ebc66f71..32809e7d 100644 --- a/rtc_uenclave/src/enclaves/rtc_data.rs +++ b/rtc_uenclave/src/enclaves/rtc_data.rs @@ -55,6 +55,11 @@ where }) } + /// Performs local attestation to the destination enclave + pub fn local_attestation(&self, dest_enclave_id: sgx_enclave_id_t) -> sgx_status_t { + ecalls::local_attestation(self.0.geteid(), dest_enclave_id) + } + /// Take ownership of self and drop resources pub fn destroy(self) { // Take ownership of self and drop @@ -64,6 +69,11 @@ where pub fn is_initialized(&self) -> bool { self.0.is_initialized() } + + /// Get the id of this enclave instance + pub fn geteid(&self) -> sgx_enclave_id_t { + self.0.geteid() + } } pub mod ecalls { @@ -89,4 +99,20 @@ pub mod ecalls { }; retval.to_ecall_err(res).into() } + + pub fn local_attestation( + eid: sgx_enclave_id_t, + dest_enclave_id: sgx_enclave_id_t, + ) -> sgx_status_t { + let mut retval = sgx_status_t::SGX_SUCCESS; + let res = unsafe { ffi::rtc_data_local_attestation(eid, &mut retval, dest_enclave_id) }; + + match res { + sgx_status_t::SGX_SUCCESS => res, + err => { + println!("local_attestation err, ecall failed: {:?}", err); + err + } + } + } } diff --git a/rtc_uenclave/src/rtc_enclave.rs b/rtc_uenclave/src/rtc_enclave.rs index 416d4202..c20dc6f5 100644 --- a/rtc_uenclave/src/rtc_enclave.rs +++ b/rtc_uenclave/src/rtc_enclave.rs @@ -9,7 +9,7 @@ use mockall::predicate::*; #[cfg(test)] use mockall::*; use mockall_double::double; -use rtc_types::{ExecTokenError, ExecTokenResponse}; +use rtc_udh::{self, ResponderSys}; use serde::Deserialize; use sgx_types::*; use thiserror::Error; @@ -52,7 +52,10 @@ pub struct EnclaveConfig { /// /// This struct contains the basic functionality required from all RTC enclaves #[cfg_attr(not(test), derive(Debug))] -pub(crate) struct RtcEnclave, TEcalls: RtcEcalls> { +pub(crate) struct RtcEnclave< + TCfg: Borrow, + TEcalls: RtcEcalls + ResponderSys + 'static, +> { pub(crate) base_enclave: SgxEnclave, pub(crate) quoting_enclave: QuotingEnclave, pub(crate) attestation_client: AzureAttestationClient, @@ -60,13 +63,19 @@ pub(crate) struct RtcEnclave, TEcalls: RtcEcalls> { ecalls: TEcalls, } -impl, TEcalls: RtcEcalls> RtcEnclave { +impl, TEcalls: RtcEcalls + ResponderSys + 'static> + RtcEnclave +{ /// Creates a new enclave instance with the provided configuration pub fn init(cfg: TCfg) -> Result { + let base_enclave = Self::init_base_enclave(cfg.borrow())?; + rtc_udh::set_responder(base_enclave.geteid(), Box::new(TEcalls::default())) + .expect("Failed to register enclave as dh responder"); + Ok(RtcEnclave { attestation_client: Self::init_attestation_client(), quoting_enclave: Self::init_quoting_enclave(), - base_enclave: Self::init_base_enclave(cfg.borrow())?, + base_enclave, config: cfg, ecalls: TEcalls::default(), }) From ea71a55a8cda4600d5a3a7a16b68ab5fa0b8c952 Mon Sep 17 00:00:00 2001 From: Herman Date: Tue, 18 May 2021 13:49:37 +0200 Subject: [PATCH 13/31] cleanup(dh): remove debug printlines --- rtc_tenclave/src/dh/mod.rs | 7 ------- 1 file changed, 7 deletions(-) diff --git a/rtc_tenclave/src/dh/mod.rs b/rtc_tenclave/src/dh/mod.rs index 5c2f74c3..c4b7e89f 100644 --- a/rtc_tenclave/src/dh/mod.rs +++ b/rtc_tenclave/src/dh/mod.rs @@ -144,9 +144,6 @@ impl DhSessions { // TODO: Verify identity initiator.proc_msg3(&dh_msg3, &mut aek.key, &mut responder_identity)?; - // TODO: REMOVE - println!("{:?}", aek); - self.set_active(dest_enclave_id, aek.key) } @@ -162,7 +159,6 @@ impl DhSessions { self.set_in_progress(src_enclave_id, responder)?; - println!("msg1 {:?}", dh_msg1); Ok(dh_msg1) } @@ -184,9 +180,6 @@ impl DhSessions { // TODO: Verify initiator_identity - // TODO: REMOVE - println!("{:?}", aek); - self.set_active(src_enclave_id, aek.key)?; Ok(msg3) From 3074594cc6d3e4bd48a9dfcea8eb7ea003b0446c Mon Sep 17 00:00:00 2001 From: Herman Date: Tue, 18 May 2021 14:08:34 +0200 Subject: [PATCH 14/31] feat(dh): fix uenclave tests --- rtc_uenclave/src/ecalls.rs | 13 +++-- rtc_uenclave/src/rtc_enclave.rs | 92 ++++++++++++++++++++++----------- 2 files changed, 73 insertions(+), 32 deletions(-) diff --git a/rtc_uenclave/src/ecalls.rs b/rtc_uenclave/src/ecalls.rs index b86db653..8090d259 100644 --- a/rtc_uenclave/src/ecalls.rs +++ b/rtc_uenclave/src/ecalls.rs @@ -20,7 +20,16 @@ pub struct EnclaveReportResult { /// Error returned when the enclave fails to create a report pub type CreateReportError = EcallError; -pub trait RtcEcalls: RtcEnclaveEcalls { + +pub trait RtcEcalls { + fn create_report( + &self, + eid: sgx_enclave_id_t, + qe_target_info: &sgx_target_info_t, + ) -> Result; +} + +impl RtcEcalls for T { fn create_report( &self, eid: sgx_enclave_id_t, @@ -57,8 +66,6 @@ pub trait RtcEcalls: RtcEnclaveEcalls { } } -impl RtcEcalls for T {} - #[cfg(test)] mod test { use super::*; diff --git a/rtc_uenclave/src/rtc_enclave.rs b/rtc_uenclave/src/rtc_enclave.rs index c20dc6f5..4ed6f99d 100644 --- a/rtc_uenclave/src/rtc_enclave.rs +++ b/rtc_uenclave/src/rtc_enclave.rs @@ -52,10 +52,11 @@ pub struct EnclaveConfig { /// /// This struct contains the basic functionality required from all RTC enclaves #[cfg_attr(not(test), derive(Debug))] -pub(crate) struct RtcEnclave< +pub(crate) struct RtcEnclave +where TCfg: Borrow, - TEcalls: RtcEcalls + ResponderSys + 'static, -> { + TEcalls: RtcEcalls + Default + ResponderSys + 'static, +{ pub(crate) base_enclave: SgxEnclave, pub(crate) quoting_enclave: QuotingEnclave, pub(crate) attestation_client: AzureAttestationClient, @@ -63,8 +64,10 @@ pub(crate) struct RtcEnclave< ecalls: TEcalls, } -impl, TEcalls: RtcEcalls + ResponderSys + 'static> - RtcEnclave +impl RtcEnclave +where + TCfg: Borrow, + TEcalls: RtcEcalls + Default + ResponderSys + 'static, { /// Creates a new enclave instance with the provided configuration pub fn init(cfg: TCfg) -> Result { @@ -210,12 +213,49 @@ mod tests { use proptest::collection::size_range; use proptest::prelude::*; use rtc_ecalls::MockRtcEnclaveEcalls; + use rtc_types::dh::{ExchangeReportResult, SessionRequestResult}; use rtc_types::CreateReportResult; use rtc_types::EnclaveHeldData; use rtc_types::{ENCLAVE_HELD_DATA_SIZE, RSA3072_PKCS8_DER_SIZE}; use simple_asn1::{to_der, ASN1Block, BigInt, BigUint, OID}; use std::convert::TryInto; + mock! { + TEcalls {} + + impl RtcEcalls for TEcalls { + fn create_report( + &self, + eid: sgx_enclave_id_t, + qe_target_info: &sgx_target_info_t, + ) -> Result; + } + + impl ResponderSys for TEcalls { + unsafe fn rtc_session_request( + &self, + eid: sgx_enclave_id_t, + retval: *mut SessionRequestResult, + src_enclave_id: sgx_enclave_id_t, + ) -> sgx_status_t; + + unsafe fn rtc_exchange_report( + &self, + eid: sgx_enclave_id_t, + retval: *mut ExchangeReportResult, + src_enclave_id: sgx_enclave_id_t, + dh_msg2_ptr: *const sgx_dh_msg2_t, + ) -> sgx_status_t; + + unsafe fn rtc_end_session( + &self, + eid: sgx_enclave_id_t, + retval: *mut sgx_status_t, + src_enclave_id: sgx_enclave_id_t, + ) -> sgx_status_t; + } + } + #[test] fn dcap_azure_attestation_works() { let sut = { @@ -242,24 +282,21 @@ mod tests { let qe_target_info = sgx_target_info_t::default(); let ehd = [2; ENCLAVE_HELD_DATA_SIZE]; let report = sgx_report_t::default(); - let mut sys_mock = MockRtcEnclaveEcalls::default(); - sys_mock - .expect_enclave_create_report() - .returning(move |_, ret, _, key, rep| { - unsafe { - *rep = report; - (*key).copy_from_slice(&ehd); - *ret = CreateReportResult::Success; - } - sgx_status_t::SGX_SUCCESS - }); + + let mut tecalls_mock = MockTEcalls::default(); + tecalls_mock + .expect_create_report() + .return_const(Ok(EnclaveReportResult { + enclave_report: report, + enclave_held_data: ehd, + })); RtcEnclave { base_enclave: mock_be, quoting_enclave: mock_qe, attestation_client: mock_aa_client, config: EnclaveConfig::default(), - ecalls: sys_mock, + ecalls: tecalls_mock, } }; @@ -360,24 +397,21 @@ mod tests { let eid = 12u64; let qe_target_info = sgx_target_info_t::default(); - let mut sys_mock = MockRtcEnclaveEcalls::default(); - sys_mock - .expect_enclave_create_report() - .returning(move |_, ret, _, key, rep| { - unsafe { - *rep = report; - (*key).copy_from_slice(&ehd); - *ret = CreateReportResult::Success; - } - sgx_status_t::SGX_SUCCESS - }); + + let mut tecalls_mock = MockTEcalls::default(); + tecalls_mock + .expect_create_report() + .return_const(Ok(EnclaveReportResult { + enclave_report: report, + enclave_held_data: ehd, + })); let sut = RtcEnclave{ base_enclave: mock, quoting_enclave: QuotingEnclave::default(), attestation_client: AzureAttestationClient::::default(), config: EnclaveConfig::default(), - ecalls: sys_mock, + ecalls: tecalls_mock, }; let res = sut.create_report(&qe_ti).unwrap(); From acf43b934f6bb9485bcb9e8152c1412894310177 Mon Sep 17 00:00:00 2001 From: Herman Date: Tue, 18 May 2021 14:15:23 +0200 Subject: [PATCH 15/31] test(dh): fix tenclave unit tests by ignoring the dh mod --- rtc_tenclave/src/lib.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rtc_tenclave/src/lib.rs b/rtc_tenclave/src/lib.rs index 30c9bad9..6cd46cf1 100644 --- a/rtc_tenclave/src/lib.rs +++ b/rtc_tenclave/src/lib.rs @@ -21,8 +21,11 @@ cfg_if::cfg_if! { } } -pub mod crypto; +// TODO: Refactor dh module to allow us to test with it enabled +#[cfg(not(test))] pub mod dh; + +pub mod crypto; pub mod enclave; pub mod kv_store; pub mod util; From f83f6669689b5ba74428b4d825f9843c224e7def Mon Sep 17 00:00:00 2001 From: Herman Date: Tue, 18 May 2021 20:12:34 +0200 Subject: [PATCH 16/31] feat(dh): support testing and cleanup module structure --- rtc_tenclave/Cargo.lock | 123 +++++++++ rtc_tenclave/Cargo.toml | 2 + rtc_tenclave/src/dh/mod.rs | 309 +-------------------- rtc_tenclave/src/dh/protected_channel.rs | 21 +- rtc_tenclave/src/dh/sessions.rs | 328 +++++++++++++++++++++++ rtc_tenclave/src/dh/types.rs | 145 ++++++++++ rtc_tenclave/src/lib.rs | 3 +- 7 files changed, 618 insertions(+), 313 deletions(-) create mode 100644 rtc_tenclave/src/dh/sessions.rs create mode 100644 rtc_tenclave/src/dh/types.rs diff --git a/rtc_tenclave/Cargo.lock b/rtc_tenclave/Cargo.lock index c10a6a4b..efd28d0f 100644 --- a/rtc_tenclave/Cargo.lock +++ b/rtc_tenclave/Cargo.lock @@ -2,6 +2,15 @@ # It is not intended for manual editing. version = 3 +[[package]] +name = "aho-corasick" +version = "0.7.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f" +dependencies = [ + "memchr", +] + [[package]] name = "autocfg" version = "1.0.1" @@ -59,12 +68,39 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" +[[package]] +name = "difference" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "524cbf6897b527295dff137cec09ecf3a05f4fddffd7dfcd1585403449e74198" + +[[package]] +name = "downcast" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4bb454f0228b18c7f4c3b0ebbee346ed9c52e7443b0999cd543ff3571205701d" + +[[package]] +name = "float-cmp" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e1267f4ac4f343772758f7b1bdcbe767c218bbab93bb432acbf5162bbf85a6c4" +dependencies = [ + "num-traits", +] + [[package]] name = "fnv" version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "fragile" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "69a039c3498dc930fe810151a34ba0c1c70b02b8625035592e74432f678591f2" + [[package]] name = "getrandom" version = "0.1.14" @@ -159,6 +195,45 @@ dependencies = [ "cfg-if 1.0.0", ] +[[package]] +name = "memchr" +version = "2.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b16bd47d9e329435e309c58469fe0791c2d0d1ba96ec0954152a5ae2b04387dc" + +[[package]] +name = "mockall" +version = "0.9.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "18d614ad23f9bb59119b8b5670a85c7ba92c5e9adf4385c81ea00c51c8be33d5" +dependencies = [ + "cfg-if 1.0.0", + "downcast", + "fragile", + "lazy_static", + "mockall_derive", + "predicates", + "predicates-tree", +] + +[[package]] +name = "mockall_derive" +version = "0.9.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5dd4234635bca06fc96c7368d038061e0aae1b00a764dc817e900dc974e3deea" +dependencies = [ + "cfg-if 1.0.0", + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "normalize-line-endings" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "61807f77802ff30975e01f4f071c8ba10c022052f98b3294119f3e615d13e5be" + [[package]] name = "num-traits" version = "0.2.14" @@ -193,6 +268,35 @@ version = "0.2.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857" +[[package]] +name = "predicates" +version = "1.0.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f49cfaf7fdaa3bfacc6fa3e7054e65148878354a5cfddcf661df4c851f8021df" +dependencies = [ + "difference", + "float-cmp", + "normalize-line-endings", + "predicates-core", + "regex", +] + +[[package]] +name = "predicates-core" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "57e35a3326b75e49aa85f5dc6ec15b41108cf5aee58eabb1f274dd18b73c2451" + +[[package]] +name = "predicates-tree" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "15f553275e5721409451eb85e15fd9a860a6e5ab4496eb215987502b5f5391f2" +dependencies = [ + "predicates-core", + "treeline", +] + [[package]] name = "proc-macro2" version = "1.0.26" @@ -396,6 +500,17 @@ dependencies = [ "bitflags", ] +[[package]] +name = "regex" +version = "1.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d07a8629359eb56f1e2fb1652bb04212c072a87ba68546a04065d525673ac461" +dependencies = [ + "aho-corasick", + "memchr", + "regex-syntax", +] + [[package]] name = "regex-syntax" version = "0.6.25" @@ -432,7 +547,9 @@ version = "0.1.0" dependencies = [ "cfg-if 1.0.0", "hex", + "mockall", "once_cell 1.4.0", + "once_cell 1.7.2", "proptest", "rand 0.7.3 (git+https://github.com/mesalock-linux/rand-sgx?tag=v0.7.3_sgx1.1.3)", "rand 0.7.3 (registry+https://github.com/rust-lang/crates.io-index)", @@ -726,6 +843,12 @@ dependencies = [ "syn", ] +[[package]] +name = "treeline" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a7f741b240f1a48843f9b8e0444fb55fb2a4ff67293b50a9179dfd5ea67f8d41" + [[package]] name = "unicode-xid" version = "0.2.2" diff --git a/rtc_tenclave/Cargo.toml b/rtc_tenclave/Cargo.toml index 6bf35c52..b6ab5c74 100644 --- a/rtc_tenclave/Cargo.toml +++ b/rtc_tenclave/Cargo.toml @@ -70,10 +70,12 @@ rand_std = { package = "rand", version = "0.7.3" } sgx_ucrypto = { git = "https://github.com/apache/incubator-teaclave-sgx-sdk.git", rev = "b9d1bda" } serde_std = { package = "serde", version = "1.0.0" } serde_json_std = { package = "serde_json", version = "1.0.0" } +once_cell_std = { package = "once_cell", version="1.7.2" } # Test-only dependencies proptest = "1.0.0" tempfile = "3.2.0" +mockall = { version = "0.9.1", features = ["nightly"] } [patch."https://github.com/apache/teaclave-sgx-sdk.git"] sgx_tstd = { git = "https://github.com/apache/incubator-teaclave-sgx-sdk.git", rev = "b9d1bda" } diff --git a/rtc_tenclave/src/dh/mod.rs b/rtc_tenclave/src/dh/mod.rs index c4b7e89f..89f66004 100644 --- a/rtc_tenclave/src/dh/mod.rs +++ b/rtc_tenclave/src/dh/mod.rs @@ -1,307 +1,12 @@ mod protected_channel; +mod sessions; +mod types; -use once_cell::sync::OnceCell; -use rtc_types::dh::{ExchangeReportResult, SessionRequestResult}; -use sgx_tdh::{SgxDhInitiator, SgxDhMsg1, SgxDhMsg2, SgxDhMsg3, SgxDhResponder}; +pub use sessions::*; -use sgx_tstd::{ - collections::HashMap, - enclave, - sync::{Arc, SgxMutex, SgxRwLock, SgxRwLockWriteGuard}, -}; -use sgx_types::*; -use std::{mem, ops::Deref}; - -use protected_channel::ProtectedChannel; - -extern "C" { - pub fn rtc_session_request_u( - ret: *mut SessionRequestResult, - src_enclave_id: sgx_enclave_id_t, - dest_enclave_id: sgx_enclave_id_t, - ) -> sgx_status_t; - pub fn rtc_exchange_report_u( - ret: *mut ExchangeReportResult, - src_enclave_id: sgx_enclave_id_t, - dest_enclave_id: sgx_enclave_id_t, - dh_msg2: *const sgx_dh_msg2_t, - ) -> sgx_status_t; - pub fn rtc_end_session_u( - ret: *mut sgx_status_t, - src_enclave_id: sgx_enclave_id_t, - dest_enclave_id: sgx_enclave_id_t, - ) -> sgx_status_t; -} - -#[no_mangle] -pub unsafe extern "C" fn test_dh() { - dh_sessions() - .establish_new(enclave::get_enclave_id()) - .expect("test failed"); -} - -enum AtomicSession { - Closed, - InProgress(SgxDhResponder), - Active(Arc>), -} - -pub struct DhSessions { - sessions: SgxRwLock>>, -} - -impl DhSessions { - fn get(&self, id: &u64) -> Option> { - self.sessions - .read() - .expect("RwLock poisoned") - .get(id) - .map(Clone::clone) +#[cfg(test)] +mod enclave { + pub fn get_enclave_id() -> u64 { + 78 } - - fn lock_write(&self) -> SgxRwLockWriteGuard>> { - self.sessions.write().expect("RwLock poisoned") - } - - pub fn get_active(&self, id: &u64) -> Option>> { - match self.get(id)?.as_ref() { - AtomicSession::Active(x) => Some(x.clone()), - _ => None, - } - } - - fn take_in_progress(&self, id: &u64) -> Option { - let mut sessions = self.lock_write(); - - if matches!(sessions.get(id)?.as_ref(), AtomicSession::InProgress(_)) { - match sessions.remove(id)?.deref() { - AtomicSession::InProgress(responder) => Some(*responder), - _ => unreachable!(), - } - } else { - None - } - } - - pub fn close_session(&self, id: &u64) -> () { - let mut sessions = self.lock_write(); - sessions.insert(*id, Arc::new(AtomicSession::Closed)); - () - } - - /// Creates and sets an active session between this enclave and the enclave with `id` using - /// the `key`. - /// - /// # Valid Operations (It is the responsibility of the caller to ensure these hold) - /// None -> Active = Ok - /// Closed -> Active = Ok - /// InProgress -> Active = Err if it is the same session - /// - In progress value needs to be removed from the map before using it to finalize a session - /// Active -> Active = Err - /// - A session should be closed and then recreated to prevent resetting the nonce counter - /// with the same key. - fn set_active( - &self, - id: u64, - key: sgx_key_128bit_t, - ) -> Result>, sgx_status_t> { - let channel = Arc::new(SgxMutex::new(ProtectedChannel::init(key))); - self.lock_write() - .insert(id, Arc::new(AtomicSession::Active(channel.clone()))); - Ok(channel) - } - - /// Sets an in_progress session for a responding enclave linked to the provided enclave. - /// - /// # Valid Operations (It is the responsibility of the caller to ensure these hold) - /// InProgress -> InProgress = Ok - /// Closed -> InProgress = Ok - /// Active -> In Progress = Ok if keying material differs - fn set_in_progress(&self, id: &u64, responder: SgxDhResponder) -> Result<(), sgx_status_t> { - let _result = self - .lock_write() - .insert(*id, Arc::new(AtomicSession::InProgress(responder))); - - Ok(()) - } - - pub fn establish_new( - &self, - dest_enclave_id: sgx_enclave_id_t, - ) -> Result>, sgx_status_t> { - let this_enclave_id = enclave::get_enclave_id(); - let mut initiator: SgxDhInitiator = SgxDhInitiator::init_session(); - - let dh_msg1 = init_responder_ocall(this_enclave_id, dest_enclave_id)?; - - let mut dh_msg2 = SgxDhMsg2::default(); - initiator.proc_msg1(&dh_msg1, &mut dh_msg2)?; - let dh_msg3 = exchange_report_ocall(this_enclave_id, dest_enclave_id, &dh_msg2)?; - - let mut aek = sgx_align_key_128bit_t::default(); // Session Key - let mut responder_identity = sgx_dh_session_enclave_identity_t::default(); - - // TODO: Verify identity - initiator.proc_msg3(&dh_msg3, &mut aek.key, &mut responder_identity)?; - - self.set_active(dest_enclave_id, aek.key) - } - - pub fn initiate_response( - &self, - src_enclave_id: &sgx_enclave_id_t, - ) -> Result { - let mut responder = SgxDhResponder::init_session(); - - let mut dh_msg1 = SgxDhMsg1::default(); - - responder.gen_msg1(&mut dh_msg1)?; - - self.set_in_progress(src_enclave_id, responder)?; - - Ok(dh_msg1) - } - - pub fn exchange_report( - &self, - src_enclave_id: sgx_enclave_id_t, - dh_msg2: &sgx_dh_msg2_t, - ) -> Result { - let mut responder = self - .take_in_progress(&src_enclave_id) - // TODO: custom error - .ok_or(sgx_status_t::SGX_ERROR_UNEXPECTED)?; - - let mut msg3 = SgxDhMsg3::default(); - let mut aek = sgx_align_key_128bit_t::default(); // Session Key - let mut initiator_identity = sgx_dh_session_enclave_identity_t::default(); - - responder.proc_msg2(dh_msg2, &mut msg3, &mut aek.key, &mut initiator_identity)?; - - // TODO: Verify initiator_identity - - self.set_active(src_enclave_id, aek.key)?; - - Ok(msg3) - } - - pub fn get_or_create_session( - &self, - dest_enclave_id: u64, - ) -> Result>, sgx_status_t> { - if let Some(channel) = self.get_active(&dest_enclave_id) { - Ok(channel) - } else { - self.establish_new(dest_enclave_id) - } - } -} - -fn init_responder_ocall( - this_enclave_id: u64, - dest_enclave_id: u64, -) -> Result { - let mut ret = SessionRequestResult::default(); - - // TODO: Safety - let ocall_res = unsafe { rtc_session_request_u(&mut ret, this_enclave_id, dest_enclave_id) }; - - match ocall_res { - sgx_status_t::SGX_SUCCESS => ret.into(), - err => Err(err), - } - - // dh_sessions().initiate_response(this_enclave_id) -} - -fn exchange_report_ocall( - this_enclave_id: u64, - dest_enclave_id: u64, - dh_msg2: &sgx_dh_msg2_t, -) -> Result { - let mut ret = ExchangeReportResult::default(); - - // TODO: Safety - let ocall_res = - unsafe { rtc_exchange_report_u(&mut ret, this_enclave_id, dest_enclave_id, dh_msg2) }; - - match ocall_res { - sgx_status_t::SGX_SUCCESS => { - let res: Result = ret.into(); - let mut msg3_raw = res?; - - let raw_len = - mem::size_of::() as u32 + msg3_raw.msg3_body.additional_prop_length; - - // TODO: Safety - unsafe { SgxDhMsg3::from_raw_dh_msg3_t(&mut msg3_raw, raw_len) } - .ok_or(sgx_status_t::SGX_ERROR_UNEXPECTED) - } - err => Err(err), - } - - // dh_sessions().exchange_report(this_enclave_id, dh_msg2) -} - -#[no_mangle] -pub extern "C" fn session_request(src_enclave_id: sgx_enclave_id_t) -> SessionRequestResult { - dh_sessions().initiate_response(&src_enclave_id).into() -} - -#[no_mangle] -pub extern "C" fn end_session(src_enclave_id: sgx_enclave_id_t) -> sgx_status_t { - // TODO: Ensure sessions close on both ends? - dh_sessions().close_session(&src_enclave_id); - sgx_status_t::SGX_SUCCESS -} - -#[no_mangle] -pub unsafe extern "C" fn exchange_report( - src_enclave_id: sgx_enclave_id_t, - dh_msg2_ptr: *const sgx_dh_msg2_t, -) -> ExchangeReportResult { - // TODO: Safety - let dh_msg2 = unsafe { &*dh_msg2_ptr }; - - dh_sessions() - .exchange_report(src_enclave_id, dh_msg2) - .map(|msg3| { - let mut msg3_raw = sgx_dh_msg3_t::default(); - unsafe { msg3.to_raw_dh_msg3_t(&mut msg3_raw, msg3.calc_raw_sealed_data_size()) }; - msg3_raw - }) - .into() -} - -// TODO: Integrate using function reference with similar signature or a config obj -fn verify_peer_enclave_trust(peer_identity: &sgx_dh_session_enclave_identity_t) -> Result<(), ()> { - let required_flags = SGX_FLAGS_INITTED; - let denied_flags = SGX_FLAGS_DEBUG; - let expected_mrenclave = [0_u8; SGX_HASH_SIZE]; - let expected_mrsigner = [0_u8; SGX_HASH_SIZE]; - - if peer_identity.attributes.flags & required_flags == required_flags { - return Err(()); - } - if peer_identity.attributes.flags & denied_flags != 0 { - return Err(()); - } - if peer_identity.mr_enclave.m != expected_mrenclave { - return Err(()); - } - if peer_identity.mr_signer.m != expected_mrsigner { - return Err(()); - } - - return Ok(()); -} - -pub fn dh_sessions() -> &'static DhSessions { - // NOTE: Something similar can be done in the OCALL library - // (by storing pointers to data inside the enclave, outside of the enclave) - // TODO: Figure out session timeouts - static DH_SESSIONS: OnceCell = OnceCell::new(); - DH_SESSIONS.get_or_init(|| DhSessions { - sessions: SgxRwLock::new(HashMap::new()), - }) } diff --git a/rtc_tenclave/src/dh/protected_channel.rs b/rtc_tenclave/src/dh/protected_channel.rs index 84f206b1..1eab6b98 100644 --- a/rtc_tenclave/src/dh/protected_channel.rs +++ b/rtc_tenclave/src/dh/protected_channel.rs @@ -1,23 +1,26 @@ use secrecy::{ExposeSecret, Secret}; use sgx_tcrypto::{rsgx_rijndael128GCM_decrypt, rsgx_rijndael128GCM_encrypt}; -use sgx_tstd::enclave; use sgx_types::*; use std::{convert::TryInto, u32}; +use super::types::AlignedKey; + +#[cfg(test)] +use super::enclave; +#[cfg(not(test))] +use sgx_tstd::enclave; + // NIST AES-GCM recommended IV size type GcmNonce = [u8; 12]; pub struct ProtectedChannel { counter: u32, - key: Secret, + key: Secret, } impl ProtectedChannel { - pub fn init(key: sgx_key_128bit_t) -> Self { - Self { - counter: 1, - key: Secret::new(key), - } + pub fn init(key: Secret) -> Self { + Self { counter: 1, key } } pub fn encrypt_message( @@ -29,7 +32,7 @@ impl ProtectedChannel { let mut dst = [0_u8; MESSAGE_SIZE]; let mut mac = sgx_aes_gcm_128bit_tag_t::default(); rsgx_rijndael128GCM_encrypt( - self.key.expose_secret(), + self.key.expose_secret().key(), &plaintext, &nonce, &aad, @@ -51,7 +54,7 @@ impl ProtectedChannel { ) -> Result<[u8; MESSAGE_SIZE], sgx_status_t> { let mut dst = [0_u8; MESSAGE_SIZE]; rsgx_rijndael128GCM_decrypt( - self.key.expose_secret(), + self.key.expose_secret().key(), &message.ciphertext, &message.nonce, &message.aad, diff --git a/rtc_tenclave/src/dh/sessions.rs b/rtc_tenclave/src/dh/sessions.rs new file mode 100644 index 00000000..048fb5f8 --- /dev/null +++ b/rtc_tenclave/src/dh/sessions.rs @@ -0,0 +1,328 @@ +use std::collections::HashMap; +use std::marker::PhantomData; +use std::prelude::v1::*; +use std::sync::Arc; + +use once_cell::sync::OnceCell; +use rtc_types::dh::{ExchangeReportResult, SessionRequestResult}; +use secrecy::Secret; +use sgx_types::*; + +use super::protected_channel::ProtectedChannel; +use super::types::{AlignedKey, RtcDhInitiator, RtcDhResponder}; + +#[cfg(not(test))] +use sgx_tstd::enclave; +#[cfg(not(test))] +use sgx_tstd::sync::{ + SgxMutex as Mutex, SgxRwLock as RwLock, SgxRwLockWriteGuard as RwLockWriteGuard, +}; + +#[cfg(test)] +use super::enclave; +#[cfg(test)] +use std::sync::{Mutex, RwLock, RwLockWriteGuard}; + +extern "C" { + pub fn rtc_session_request_u( + ret: *mut SessionRequestResult, + src_enclave_id: sgx_enclave_id_t, + dest_enclave_id: sgx_enclave_id_t, + ) -> sgx_status_t; + pub fn rtc_exchange_report_u( + ret: *mut ExchangeReportResult, + src_enclave_id: sgx_enclave_id_t, + dest_enclave_id: sgx_enclave_id_t, + dh_msg2: *const sgx_dh_msg2_t, + ) -> sgx_status_t; + pub fn rtc_end_session_u( + ret: *mut sgx_status_t, + src_enclave_id: sgx_enclave_id_t, + dest_enclave_id: sgx_enclave_id_t, + ) -> sgx_status_t; +} + +enum AtomicSession +where + TResp: RtcDhResponder, +{ + Closed, + InProgress(TResp), + Active(Arc>), +} + +pub struct DhSessions +where + TResp: RtcDhResponder, + TInit: RtcDhInitiator, +{ + sessions: RwLock>>>, + _phantom_init: PhantomData, +} + +impl DhSessions +where + TResp: RtcDhResponder, + TInit: RtcDhInitiator, +{ + fn get(&self, id: &u64) -> Option>> { + self.sessions + .read() + .expect("RwLock poisoned") + .get(id) + .map(Clone::clone) + } + + fn lock_write(&self) -> RwLockWriteGuard>>> { + self.sessions.write().expect("RwLock poisoned") + } + + pub fn get_active(&self, id: &u64) -> Option>> { + match self.get(id)?.as_ref() { + AtomicSession::Active(x) => Some(x.clone()), + _ => None, + } + } + + fn take_in_progress(&self, id: &u64) -> Option { + let mut sessions = self.lock_write(); + + if matches!(sessions.get(id)?.as_ref(), AtomicSession::InProgress(_)) { + match Arc::try_unwrap(sessions.remove(id)?) { + Ok(AtomicSession::InProgress(resp)) => Some(resp), + Ok(_) => unreachable!(), + Err(_) => None, + } + } else { + None + } + } + + pub fn close_session(&self, id: &u64) -> () { + let mut sessions = self.lock_write(); + sessions.insert(*id, Arc::new(AtomicSession::Closed)); + () + } + + /// Creates and sets an active session between this enclave and the enclave with `id` using + /// the `key`. + /// + /// # Valid Operations (It is the responsibility of the caller to ensure these hold) + /// None -> Active = Ok + /// Closed -> Active = Ok + /// InProgress -> Active = Err if it is the same session + /// - In progress value needs to be removed from the map before using it to finalize a session + /// Active -> Active = Err + /// - A session should be closed and then recreated to prevent resetting the nonce counter + /// with the same key. + fn set_active( + &self, + id: u64, + key: Secret, + ) -> Result>, sgx_status_t> { + let channel = Arc::new(Mutex::new(ProtectedChannel::init(key))); + self.lock_write() + .insert(id, Arc::new(AtomicSession::Active(channel.clone()))); + Ok(channel) + } + + /// Sets an in_progress session for a responding enclave linked to the provided enclave. + /// + /// # Valid Operations (It is the responsibility of the caller to ensure these hold) + /// InProgress -> InProgress = Ok + /// Closed -> InProgress = Ok + /// Active -> In Progress = Ok if keying material differs + fn set_in_progress(&self, id: &u64, responder: TResp) -> Result<(), sgx_status_t> { + let _result = self + .lock_write() + .insert(*id, Arc::new(AtomicSession::InProgress(responder))); + + Ok(()) + } + + pub fn establish_new( + &self, + dest_enclave_id: sgx_enclave_id_t, + ) -> Result>, sgx_status_t> { + let this_enclave_id = enclave::get_enclave_id(); + let mut initiator = TInit::init_session(); + + let dh_msg1 = init_responder_ocall(this_enclave_id, dest_enclave_id)?; + + let dh_msg2 = initiator.proc_msg1(&dh_msg1)?; + let mut dh_msg3 = exchange_report_ocall(this_enclave_id, dest_enclave_id, &dh_msg2)?; + + // TODO: Verify identity + let dh_values = initiator.proc_msg3(&mut dh_msg3)?; + + self.set_active(dest_enclave_id, dh_values.session_key) + } + + pub fn initiate_response( + &self, + src_enclave_id: &sgx_enclave_id_t, + ) -> Result { + let mut responder = TResp::init_session(); + + let dh_msg1 = responder.gen_msg1()?; + + self.set_in_progress(src_enclave_id, responder)?; + + Ok(dh_msg1) + } + + pub fn exchange_report( + &self, + src_enclave_id: sgx_enclave_id_t, + dh_msg2: &sgx_dh_msg2_t, + ) -> Result { + let mut responder = self + .take_in_progress(&src_enclave_id) + // TODO: custom error + .ok_or(sgx_status_t::SGX_ERROR_UNEXPECTED)?; + + let (msg3, dh_values) = responder.proc_msg2(dh_msg2)?; + + // TODO: Verify initiator_identity + + self.set_active(src_enclave_id, dh_values.session_key)?; + + Ok(msg3) + } + + pub fn get_or_create_session( + &self, + dest_enclave_id: u64, + ) -> Result>, sgx_status_t> { + if let Some(channel) = self.get_active(&dest_enclave_id) { + Ok(channel) + } else { + self.establish_new(dest_enclave_id) + } + } +} + +fn init_responder_ocall( + this_enclave_id: u64, + dest_enclave_id: u64, +) -> Result { + let mut ret = SessionRequestResult::default(); + + // TODO: Safety + let ocall_res = unsafe { rtc_session_request_u(&mut ret, this_enclave_id, dest_enclave_id) }; + + match ocall_res { + sgx_status_t::SGX_SUCCESS => ret.into(), + err => Err(err), + } + + // dh_sessions().initiate_response(this_enclave_id) +} + +fn exchange_report_ocall( + this_enclave_id: u64, + dest_enclave_id: u64, + dh_msg2: &sgx_dh_msg2_t, +) -> Result { + let mut ret = ExchangeReportResult::default(); + + // TODO: Safety + let ocall_res = + unsafe { rtc_exchange_report_u(&mut ret, this_enclave_id, dest_enclave_id, dh_msg2) }; + + match ocall_res { + sgx_status_t::SGX_SUCCESS => ret.into(), + err => Err(err), + } + + // dh_sessions().exchange_report(this_enclave_id, dh_msg2) +} + +#[no_mangle] +pub extern "C" fn session_request(src_enclave_id: sgx_enclave_id_t) -> SessionRequestResult { + dh_sessions().initiate_response(&src_enclave_id).into() +} + +#[no_mangle] +pub extern "C" fn end_session(src_enclave_id: sgx_enclave_id_t) -> sgx_status_t { + // TODO: Ensure sessions close on both ends? + dh_sessions().close_session(&src_enclave_id); + sgx_status_t::SGX_SUCCESS +} + +#[no_mangle] +pub unsafe extern "C" fn exchange_report( + src_enclave_id: sgx_enclave_id_t, + dh_msg2_ptr: *const sgx_dh_msg2_t, +) -> ExchangeReportResult { + // TODO: Safety + let dh_msg2 = unsafe { &*dh_msg2_ptr }; + + dh_sessions() + .exchange_report(src_enclave_id, dh_msg2) + .into() +} + +// TODO: Integrate using function reference with similar signature or a config obj +fn verify_peer_enclave_trust(peer_identity: &sgx_dh_session_enclave_identity_t) -> Result<(), ()> { + let required_flags = SGX_FLAGS_INITTED; + let denied_flags = SGX_FLAGS_DEBUG; + let expected_mrenclave = [0_u8; SGX_HASH_SIZE]; + let expected_mrsigner = [0_u8; SGX_HASH_SIZE]; + + if peer_identity.attributes.flags & required_flags == required_flags { + return Err(()); + } + if peer_identity.attributes.flags & denied_flags != 0 { + return Err(()); + } + if peer_identity.mr_enclave.m != expected_mrenclave { + return Err(()); + } + if peer_identity.mr_signer.m != expected_mrsigner { + return Err(()); + } + + return Ok(()); +} + +#[cfg(not(test))] +pub use sgx_impl::dh_sessions; + +#[cfg(test)] +pub use test::dh_sessions; + +#[cfg(not(test))] +mod sgx_impl { + use super::*; + use sgx_tdh::{SgxDhInitiator, SgxDhResponder}; + + pub fn dh_sessions() -> &'static DhSessions { + // NOTE: Something similar can be done in the OCALL library + // (by storing pointers to data inside the enclave, outside of the enclave) + // TODO: Figure out session timeouts + static DH_SESSIONS: OnceCell> = OnceCell::new(); + DH_SESSIONS.get_or_init(|| DhSessions { + sessions: RwLock::new(HashMap::new()), + _phantom_init: PhantomData::default(), + }) + } +} + +#[cfg(test)] +mod test { + use super::super::types::*; + use super::*; + + pub fn dh_sessions() -> &'static DhSessions { + // NOTE: Something similar can be done in the OCALL library + // (by storing pointers to data inside the enclave, outside of the enclave) + // TODO: Figure out session timeouts + static DH_SESSIONS: OnceCell> = + OnceCell::new(); + DH_SESSIONS.get_or_init(|| DhSessions { + sessions: RwLock::new(HashMap::new()), + _phantom_init: PhantomData::default(), + }) + } +} diff --git a/rtc_tenclave/src/dh/types.rs b/rtc_tenclave/src/dh/types.rs new file mode 100644 index 00000000..e10fd547 --- /dev/null +++ b/rtc_tenclave/src/dh/types.rs @@ -0,0 +1,145 @@ +use secrecy::{Secret, Zeroize}; +use sgx_types::*; + +#[cfg(test)] +use mockall::automock; + +pub struct AlignedKey(sgx_align_key_128bit_t); + +impl AlignedKey { + pub fn new(key: sgx_align_key_128bit_t) -> Secret { + Secret::new(Self(key)) + } + pub fn key(&self) -> &sgx_key_128bit_t { + &self.0.key + } +} + +impl Zeroize for AlignedKey { + fn zeroize(&mut self) { + self.0.key.zeroize() + } +} + +pub struct DhValues { + pub(crate) session_key: Secret, + pub(crate) peer_identity: sgx_dh_session_enclave_identity_t, +} + +#[cfg_attr(test, automock)] +pub trait RtcDhInitiator { + fn init_session() -> Self; + fn proc_msg1(&mut self, msg1: &sgx_dh_msg1_t) -> Result; + + /// Process msg3 and return the DhValues for the session + /// + /// We currently allow no additional prop data, and will return an error + /// if `msg3.msg3_body.additional_prop_length` is greater than 0. This can be changed + /// to a well known constant size in the future if the additional prop needs to be used. + fn proc_msg3(&mut self, msg3: &mut sgx_dh_msg3_t) -> Result; +} +#[cfg_attr(test, automock)] +pub trait RtcDhResponder { + fn init_session() -> Self; + fn gen_msg1(&mut self) -> Result; + + /// Process msg3 and return the DhValues for the session + fn proc_msg2( + &mut self, + msg2: &sgx_dh_msg2_t, + ) -> Result<(sgx_dh_msg3_t, DhValues), sgx_status_t>; +} + +#[cfg(not(test))] +pub mod impl_sgx { + use super::*; + use sgx_tdh::{SgxDhInitiator, SgxDhMsg3, SgxDhResponder}; + use sgx_tstd::mem; + + impl RtcDhInitiator for SgxDhInitiator { + fn init_session() -> Self { + SgxDhInitiator::init_session() + } + + fn proc_msg1(&mut self, msg1: &sgx_dh_msg1_t) -> Result { + let mut msg2 = sgx_dh_msg2_t::default(); + SgxDhInitiator::proc_msg1(self, msg1, &mut msg2)?; + Ok(msg2) + } + + fn proc_msg3(&mut self, msg3: &mut sgx_dh_msg3_t) -> Result { + // Only allow msg3 values with no additional prop data + if msg3.msg3_body.additional_prop_length > 0 { + return Err(sgx_status_t::SGX_ERROR_INVALID_PARAMETER); + } + let mut aek = sgx_align_key_128bit_t::default(); + let mut peer_identity = sgx_dh_session_enclave_identity_t::default(); + + // Safety: + // This should be safe since we don't allow additional prop data, so we don't have to + // worry about memory allocations + let msg3_full = unsafe { + SgxDhMsg3::from_raw_dh_msg3_t(msg3, mem::size_of::() as u32) + } + .ok_or(sgx_status_t::SGX_ERROR_INVALID_PARAMETER)?; + + SgxDhInitiator::proc_msg3(self, &msg3_full, &mut aek.key, &mut peer_identity)?; + Ok(DhValues { + session_key: AlignedKey::new(aek), + peer_identity, + }) + } + } + + impl RtcDhResponder for SgxDhResponder { + fn init_session() -> Self { + SgxDhResponder::init_session() + } + + fn gen_msg1(&mut self) -> Result { + let mut msg1 = sgx_dh_msg1_t::default(); + SgxDhResponder::gen_msg1(self, &mut msg1)?; + Ok(msg1) + } + + fn proc_msg2( + &mut self, + msg2: &sgx_dh_msg2_t, + ) -> Result<(sgx_dh_msg3_t, DhValues), sgx_status_t> { + let mut msg3 = SgxDhMsg3::new(); + let mut aek = sgx_align_key_128bit_t::default(); + let mut peer_identity = sgx_dh_session_enclave_identity_t::default(); + + SgxDhResponder::proc_msg2(self, msg2, &mut msg3, &mut aek.key, &mut peer_identity)?; + + let msg3_len = msg3.calc_raw_sealed_data_size(); + + // Only allow messages with 0 additional prop size + if msg3_len == (mem::size_of::() as u32) { + // This branch should never be reached since we don't use additional prop + // -- + // Normally unreachable code should panic but since this will open up a trivial + // way for untrusted code to trigger a panic (and potentially UB if we unwind over + // the ffi boundary) we should return with an `Err` instead. + return Err(sgx_status_t::SGX_ERROR_UNEXPECTED); + } + + let mut msg3_raw = sgx_dh_msg3_t::default(); + + // Safety: + // This function should be safe since we don't allow additional prop data, so we don't have + // to worry about memory allocations. We also guard against cases where this does not uphold + // to prevent UB. + unsafe { msg3.to_raw_dh_msg3_t(&mut msg3_raw, msg3_len) } + .ok_or(sgx_status_t::SGX_ERROR_UNEXPECTED)?; + + Ok(( + msg3_raw, + DhValues { + session_key: AlignedKey::new(aek), + peer_identity, + }, + )) + } + } +} diff --git a/rtc_tenclave/src/lib.rs b/rtc_tenclave/src/lib.rs index 6cd46cf1..ed21c268 100644 --- a/rtc_tenclave/src/lib.rs +++ b/rtc_tenclave/src/lib.rs @@ -18,11 +18,10 @@ cfg_if::cfg_if! { extern crate sgx_ucrypto as sgx_tcrypto; extern crate serde_std as serde; extern crate serde_json_std as serde_json; + extern crate once_cell_std as once_cell; } } -// TODO: Refactor dh module to allow us to test with it enabled -#[cfg(not(test))] pub mod dh; pub mod crypto; From d23df5c69105dd96132bb667774423b871f5e34b Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Thu, 27 May 2021 15:02:34 +0200 Subject: [PATCH 17/31] deps(rtc_tenclave): specify sgx_1.1.3 tag for once_cell-sgx This will avoid pulling in post-sgx_1.1.3 revisions unexpectedly. --- rtc_auth_enclave/Cargo.lock | 2 +- rtc_data_enclave/Cargo.lock | 2 +- rtc_tenclave/Cargo.lock | 2 +- rtc_tenclave/Cargo.toml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rtc_auth_enclave/Cargo.lock b/rtc_auth_enclave/Cargo.lock index 1fa30c80..25ed8007 100644 --- a/rtc_auth_enclave/Cargo.lock +++ b/rtc_auth_enclave/Cargo.lock @@ -212,7 +212,7 @@ dependencies = [ [[package]] name = "once_cell" version = "1.4.0" -source = "git+https://github.com/mesalock-linux/once_cell-sgx.git#cefcaa03fed4d85276b3235d875f1b45d399cc3c" +source = "git+https://github.com/mesalock-linux/once_cell-sgx.git?tag=sgx_1.1.3#cefcaa03fed4d85276b3235d875f1b45d399cc3c" dependencies = [ "sgx_tstd", ] diff --git a/rtc_data_enclave/Cargo.lock b/rtc_data_enclave/Cargo.lock index e3d52c96..5fe94351 100644 --- a/rtc_data_enclave/Cargo.lock +++ b/rtc_data_enclave/Cargo.lock @@ -291,7 +291,7 @@ dependencies = [ [[package]] name = "once_cell" version = "1.4.0" -source = "git+https://github.com/mesalock-linux/once_cell-sgx.git#cefcaa03fed4d85276b3235d875f1b45d399cc3c" +source = "git+https://github.com/mesalock-linux/once_cell-sgx.git?tag=sgx_1.1.3#cefcaa03fed4d85276b3235d875f1b45d399cc3c" dependencies = [ "sgx_tstd", ] diff --git a/rtc_tenclave/Cargo.lock b/rtc_tenclave/Cargo.lock index efd28d0f..d0b9fd95 100644 --- a/rtc_tenclave/Cargo.lock +++ b/rtc_tenclave/Cargo.lock @@ -246,7 +246,7 @@ dependencies = [ [[package]] name = "once_cell" version = "1.4.0" -source = "git+https://github.com/mesalock-linux/once_cell-sgx.git#cefcaa03fed4d85276b3235d875f1b45d399cc3c" +source = "git+https://github.com/mesalock-linux/once_cell-sgx.git?tag=sgx_1.1.3#cefcaa03fed4d85276b3235d875f1b45d399cc3c" dependencies = [ "sgx_tstd", ] diff --git a/rtc_tenclave/Cargo.toml b/rtc_tenclave/Cargo.toml index b6ab5c74..cbfa8e4c 100644 --- a/rtc_tenclave/Cargo.toml +++ b/rtc_tenclave/Cargo.toml @@ -24,7 +24,7 @@ rand = { git = "https://github.com/mesalock-linux/rand-sgx", tag = "v0.7.3_sgx1. thiserror = { git = "https://github.com/mesalock-linux/thiserror-sgx.git", optional = true } sgx_tcrypto = { git = "https://github.com/apache/incubator-teaclave-sgx-sdk.git", rev = "b9d1bda", optional = true } sgx_tdh = { git = "https://github.com/apache/incubator-teaclave-sgx-sdk.git", rev = "b9d1bda", features = ["use_lav2"], optional = true } -once_cell = { git = "https://github.com/mesalock-linux/once_cell-sgx.git", optional = true } +once_cell = { git = "https://github.com/mesalock-linux/once_cell-sgx.git", tag = "sgx_1.1.3", optional = true } # XXX: Work around serde-json-sgx / Cargo version handling issue # From 1a908241ed610e3d9fc16e57b9f6487b841d9863 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Fri, 28 May 2021 12:21:13 +0200 Subject: [PATCH 18/31] docs(HACKING): add section: Aligned memory allocation for secret values --- HACKING.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/HACKING.md b/HACKING.md index 8eeeb2f5..089eab14 100644 --- a/HACKING.md +++ b/HACKING.md @@ -29,3 +29,33 @@ However, also note that Cargo currently has this limitation: This prevents patching a repository reference to a different revision in the same repository, which makes some SGX-patched packages (such as `serde-sgx` and `serde-json-sgx`) tricky to deal with. + + +## Aligned memory allocation for secret values + +In enclave code, all memory allocations for sensitive secret values (such as cryptographic keys) +must be padded and aligned to protect against certain cache timing side-channel attacks, +as detailed in the Intel's INTEL-SA-00219 Developer Guidance. + +The Rust SGX SDK [provides primitives] (`AlignBox` and `sgx_align_*`) to help implement this guidance, +but other enclave secrets must also be allocated similarly. + +[provides primitives]: https://github.com/apache/incubator-teaclave-sgx-sdk/wiki/Mitigation-of-Intel-SA-00219-in-Rust-SGX#rust-sgx-provided-primitive + +In particular, care must be taken to allocate aligned memory _before_ initialising secrets in it, +rather than initialising secrets in unaligned memory and then moving them to aligned memory. + +In this codebase, also see the `AlignedKey` type in the `rtc_tenclave::dh::types` module. + +Background: + +* [CVE-2019-0117](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0117) +* [Intel SGX SDK Developer Guidance INTEL-SA-00219](https://software.intel.com/content/www/us/en/develop/download/intel-sgx-sdk-developer-guidance-intel-sa-00219.html) + ([PDF](https://software.intel.com/content/dam/develop/public/us/en/documents/intel-sgx-sdk-developer-guidance-intel-sa-00219.pdf)) + + +Rust SGX SDK: + +* [v1.1.0 release notes](https://github.com/apache/incubator-teaclave-sgx-sdk/blob/v1.1.0/release_notes.md#rust-sgx-sdk-v110) +* [Mitigation of Intel SA 00219 in Rust SGX](https://github.com/apache/incubator-teaclave-sgx-sdk/wiki/Mitigation-of-Intel-SA-00219-in-Rust-SGX) + From d6619da16046c13ffc6f688bd9208a8290a97e08 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Fri, 28 May 2021 12:47:21 +0200 Subject: [PATCH 19/31] docs(auth-sys,data-sys): remove resolved TODO --- rtc_uenclave/auth-sys/build.rs | 1 - rtc_uenclave/data-sys/build.rs | 1 - 2 files changed, 2 deletions(-) diff --git a/rtc_uenclave/auth-sys/build.rs b/rtc_uenclave/auth-sys/build.rs index bc8e540a..358c1d42 100644 --- a/rtc_uenclave/auth-sys/build.rs +++ b/rtc_uenclave/auth-sys/build.rs @@ -52,7 +52,6 @@ fn main() { .with_codegen_config(CodegenConfig::FUNCTIONS | CodegenConfig::TYPES) .allowlist_recursively(false) .array_pointers_in_arguments(true) - // TODO: see if there is a way to include functions using globbing .allowlist_function("rtc_auth_.*") .clang_args(&inc_args) .generate() diff --git a/rtc_uenclave/data-sys/build.rs b/rtc_uenclave/data-sys/build.rs index 1aa431b9..34bef178 100644 --- a/rtc_uenclave/data-sys/build.rs +++ b/rtc_uenclave/data-sys/build.rs @@ -52,7 +52,6 @@ fn main() { .with_codegen_config(CodegenConfig::FUNCTIONS | CodegenConfig::TYPES) .allowlist_recursively(false) .array_pointers_in_arguments(true) - // TODO: see if there is a way to include functions using globbing .allowlist_function("rtc_data_.*") .clang_args(&inc_args) .generate() From 6e0f8be7592bd0dfca0e38570be47bc14fcd2c84 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Fri, 28 May 2021 15:13:04 +0200 Subject: [PATCH 20/31] refactor(rtc_udh): get_responder: take enclave id by value, not reference This is more consistent with the surrounding code. --- rtc_udh/src/lib.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rtc_udh/src/lib.rs b/rtc_udh/src/lib.rs index bba43649..b6a62b80 100644 --- a/rtc_udh/src/lib.rs +++ b/rtc_udh/src/lib.rs @@ -39,11 +39,11 @@ pub fn set_responder( } } -fn get_responder(id: &u64) -> Result { +fn get_responder(id: u64) -> Result { dh_responders() .read() .or(Err(sgx_status_t::SGX_ERROR_UNEXPECTED))? - .get(id) + .get(&id) .ok_or(sgx_status_t::SGX_ERROR_INVALID_ENCLAVE_ID) .map(Clone::clone) } @@ -55,7 +55,7 @@ pub extern "C" fn rtc_session_request_u( ) -> SessionRequestResult { // TODO: Refactor our duplicated code here, this is tricky because of variable // scoping when working with locks - match get_responder(&dest_enclave_id) { + match get_responder(dest_enclave_id) { Ok(res) => res .lock() .or(Err(sgx_status_t::SGX_ERROR_UNEXPECTED)) @@ -71,7 +71,7 @@ extern "C" fn rtc_exchange_report_u( dest_enclave_id: sgx_enclave_id_t, dh_msg2: *const sgx_dh_msg2_t, ) -> ExchangeReportResult { - match get_responder(&dest_enclave_id) { + match get_responder(dest_enclave_id) { Ok(res) => res .lock() .or(Err(sgx_status_t::SGX_ERROR_UNEXPECTED)) @@ -86,7 +86,7 @@ extern "C" fn rtc_end_session_u( src_enclave_id: sgx_enclave_id_t, dest_enclave_id: sgx_enclave_id_t, ) -> sgx_status_t { - match get_responder(&dest_enclave_id) { + match get_responder(dest_enclave_id) { Ok(res) => res .lock() .map_or(sgx_status_t::SGX_ERROR_UNEXPECTED, |resp| { From 0d2bfdeaa5ef0ea9b80341817d71f35666017e1e Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Fri, 28 May 2021 15:21:07 +0200 Subject: [PATCH 21/31] test(rtc_tenclave): use sgx_enclave_id_t return type for stub --- rtc_tenclave/src/dh/mod.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rtc_tenclave/src/dh/mod.rs b/rtc_tenclave/src/dh/mod.rs index 89f66004..7239ece9 100644 --- a/rtc_tenclave/src/dh/mod.rs +++ b/rtc_tenclave/src/dh/mod.rs @@ -6,7 +6,9 @@ pub use sessions::*; #[cfg(test)] mod enclave { - pub fn get_enclave_id() -> u64 { + use sgx_types::sgx_enclave_id_t; + + pub fn get_enclave_id() -> sgx_enclave_id_t { 78 } } From d62f352df17b1eb5822eaa8fa78e0d81d097260b Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Fri, 28 May 2021 15:22:11 +0200 Subject: [PATCH 22/31] refactor(rtc_udh): use "enclave_id: sgx_enclave_id_t" parameter convention --- rtc_udh/src/lib.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rtc_udh/src/lib.rs b/rtc_udh/src/lib.rs index b6a62b80..00552991 100644 --- a/rtc_udh/src/lib.rs +++ b/rtc_udh/src/lib.rs @@ -24,7 +24,7 @@ fn dh_responders() -> &'static RwLock { } pub fn set_responder( - enclave_id: u64, + enclave_id: sgx_enclave_id_t, responder: Box<(dyn ResponderSys + 'static)>, ) -> Result<(), sgx_status_t> { match dh_responders().write() { @@ -39,11 +39,11 @@ pub fn set_responder( } } -fn get_responder(id: u64) -> Result { +fn get_responder(enclave_id: sgx_enclave_id_t) -> Result { dh_responders() .read() .or(Err(sgx_status_t::SGX_ERROR_UNEXPECTED))? - .get(&id) + .get(&enclave_id) .ok_or(sgx_status_t::SGX_ERROR_INVALID_ENCLAVE_ID) .map(Clone::clone) } From 8b3d486a79154db989c817a8028dc504c303f3f4 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Fri, 28 May 2021 15:23:33 +0200 Subject: [PATCH 23/31] refactor(rtc_tenclave,dh): use sgx_enclave_id_t type for DhResponders map --- rtc_tenclave/src/dh/sessions.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rtc_tenclave/src/dh/sessions.rs b/rtc_tenclave/src/dh/sessions.rs index 048fb5f8..d9780d2a 100644 --- a/rtc_tenclave/src/dh/sessions.rs +++ b/rtc_tenclave/src/dh/sessions.rs @@ -56,7 +56,7 @@ where TResp: RtcDhResponder, TInit: RtcDhInitiator, { - sessions: RwLock>>>, + sessions: RwLock>>>, _phantom_init: PhantomData, } From 9c2d49bfc1d7a341ded43ed982bfca88a3421a21 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Fri, 28 May 2021 15:23:42 +0200 Subject: [PATCH 24/31] refactor(rtc_tenclave,dh): use "enclave_id: sgx_enclave_id_t" parameter convention --- rtc_tenclave/src/dh/sessions.rs | 48 ++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 19 deletions(-) diff --git a/rtc_tenclave/src/dh/sessions.rs b/rtc_tenclave/src/dh/sessions.rs index d9780d2a..76332ffb 100644 --- a/rtc_tenclave/src/dh/sessions.rs +++ b/rtc_tenclave/src/dh/sessions.rs @@ -65,30 +65,36 @@ where TResp: RtcDhResponder, TInit: RtcDhInitiator, { - fn get(&self, id: &u64) -> Option>> { + fn get(&self, enclave_id: &sgx_enclave_id_t) -> Option>> { self.sessions .read() .expect("RwLock poisoned") - .get(id) + .get(enclave_id) .map(Clone::clone) } - fn lock_write(&self) -> RwLockWriteGuard>>> { + fn lock_write(&self) -> RwLockWriteGuard>>> { self.sessions.write().expect("RwLock poisoned") } - pub fn get_active(&self, id: &u64) -> Option>> { - match self.get(id)?.as_ref() { + pub fn get_active( + &self, + enclave_id: &sgx_enclave_id_t, + ) -> Option>> { + match self.get(enclave_id)?.as_ref() { AtomicSession::Active(x) => Some(x.clone()), _ => None, } } - fn take_in_progress(&self, id: &u64) -> Option { + fn take_in_progress(&self, enclave_id: &sgx_enclave_id_t) -> Option { let mut sessions = self.lock_write(); - if matches!(sessions.get(id)?.as_ref(), AtomicSession::InProgress(_)) { - match Arc::try_unwrap(sessions.remove(id)?) { + if matches!( + sessions.get(enclave_id)?.as_ref(), + AtomicSession::InProgress(_) + ) { + match Arc::try_unwrap(sessions.remove(enclave_id)?) { Ok(AtomicSession::InProgress(resp)) => Some(resp), Ok(_) => unreachable!(), Err(_) => None, @@ -98,9 +104,9 @@ where } } - pub fn close_session(&self, id: &u64) -> () { + pub fn close_session(&self, enclave_id: &sgx_enclave_id_t) -> () { let mut sessions = self.lock_write(); - sessions.insert(*id, Arc::new(AtomicSession::Closed)); + sessions.insert(*enclave_id, Arc::new(AtomicSession::Closed)); () } @@ -117,12 +123,12 @@ where /// with the same key. fn set_active( &self, - id: u64, + enclave_id: sgx_enclave_id_t, key: Secret, ) -> Result>, sgx_status_t> { let channel = Arc::new(Mutex::new(ProtectedChannel::init(key))); self.lock_write() - .insert(id, Arc::new(AtomicSession::Active(channel.clone()))); + .insert(enclave_id, Arc::new(AtomicSession::Active(channel.clone()))); Ok(channel) } @@ -132,10 +138,14 @@ where /// InProgress -> InProgress = Ok /// Closed -> InProgress = Ok /// Active -> In Progress = Ok if keying material differs - fn set_in_progress(&self, id: &u64, responder: TResp) -> Result<(), sgx_status_t> { + fn set_in_progress( + &self, + enclave_id: &sgx_enclave_id_t, + responder: TResp, + ) -> Result<(), sgx_status_t> { let _result = self .lock_write() - .insert(*id, Arc::new(AtomicSession::InProgress(responder))); + .insert(*enclave_id, Arc::new(AtomicSession::InProgress(responder))); Ok(()) } @@ -192,7 +202,7 @@ where pub fn get_or_create_session( &self, - dest_enclave_id: u64, + dest_enclave_id: sgx_enclave_id_t, ) -> Result>, sgx_status_t> { if let Some(channel) = self.get_active(&dest_enclave_id) { Ok(channel) @@ -203,8 +213,8 @@ where } fn init_responder_ocall( - this_enclave_id: u64, - dest_enclave_id: u64, + this_enclave_id: sgx_enclave_id_t, + dest_enclave_id: sgx_enclave_id_t, ) -> Result { let mut ret = SessionRequestResult::default(); @@ -220,8 +230,8 @@ fn init_responder_ocall( } fn exchange_report_ocall( - this_enclave_id: u64, - dest_enclave_id: u64, + this_enclave_id: sgx_enclave_id_t, + dest_enclave_id: sgx_enclave_id_t, dh_msg2: &sgx_dh_msg2_t, ) -> Result { let mut ret = ExchangeReportResult::default(); From d050e110404021d26b94c47f188bee94c00dc931 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Fri, 28 May 2021 15:31:33 +0200 Subject: [PATCH 25/31] refactor(rtc_tenclave,dh): default to passing sgx_enclave_id_t by value --- rtc_tenclave/src/dh/sessions.rs | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/rtc_tenclave/src/dh/sessions.rs b/rtc_tenclave/src/dh/sessions.rs index 76332ffb..44ffa1ef 100644 --- a/rtc_tenclave/src/dh/sessions.rs +++ b/rtc_tenclave/src/dh/sessions.rs @@ -65,11 +65,11 @@ where TResp: RtcDhResponder, TInit: RtcDhInitiator, { - fn get(&self, enclave_id: &sgx_enclave_id_t) -> Option>> { + fn get(&self, enclave_id: sgx_enclave_id_t) -> Option>> { self.sessions .read() .expect("RwLock poisoned") - .get(enclave_id) + .get(&enclave_id) .map(Clone::clone) } @@ -77,24 +77,21 @@ where self.sessions.write().expect("RwLock poisoned") } - pub fn get_active( - &self, - enclave_id: &sgx_enclave_id_t, - ) -> Option>> { + pub fn get_active(&self, enclave_id: sgx_enclave_id_t) -> Option>> { match self.get(enclave_id)?.as_ref() { AtomicSession::Active(x) => Some(x.clone()), _ => None, } } - fn take_in_progress(&self, enclave_id: &sgx_enclave_id_t) -> Option { + fn take_in_progress(&self, enclave_id: sgx_enclave_id_t) -> Option { let mut sessions = self.lock_write(); if matches!( - sessions.get(enclave_id)?.as_ref(), + sessions.get(&enclave_id)?.as_ref(), AtomicSession::InProgress(_) ) { - match Arc::try_unwrap(sessions.remove(enclave_id)?) { + match Arc::try_unwrap(sessions.remove(&enclave_id)?) { Ok(AtomicSession::InProgress(resp)) => Some(resp), Ok(_) => unreachable!(), Err(_) => None, @@ -104,9 +101,9 @@ where } } - pub fn close_session(&self, enclave_id: &sgx_enclave_id_t) -> () { + pub fn close_session(&self, enclave_id: sgx_enclave_id_t) -> () { let mut sessions = self.lock_write(); - sessions.insert(*enclave_id, Arc::new(AtomicSession::Closed)); + sessions.insert(enclave_id, Arc::new(AtomicSession::Closed)); () } @@ -140,12 +137,12 @@ where /// Active -> In Progress = Ok if keying material differs fn set_in_progress( &self, - enclave_id: &sgx_enclave_id_t, + enclave_id: sgx_enclave_id_t, responder: TResp, ) -> Result<(), sgx_status_t> { let _result = self .lock_write() - .insert(*enclave_id, Arc::new(AtomicSession::InProgress(responder))); + .insert(enclave_id, Arc::new(AtomicSession::InProgress(responder))); Ok(()) } @@ -170,7 +167,7 @@ where pub fn initiate_response( &self, - src_enclave_id: &sgx_enclave_id_t, + src_enclave_id: sgx_enclave_id_t, ) -> Result { let mut responder = TResp::init_session(); @@ -187,7 +184,7 @@ where dh_msg2: &sgx_dh_msg2_t, ) -> Result { let mut responder = self - .take_in_progress(&src_enclave_id) + .take_in_progress(src_enclave_id) // TODO: custom error .ok_or(sgx_status_t::SGX_ERROR_UNEXPECTED)?; @@ -204,7 +201,7 @@ where &self, dest_enclave_id: sgx_enclave_id_t, ) -> Result>, sgx_status_t> { - if let Some(channel) = self.get_active(&dest_enclave_id) { + if let Some(channel) = self.get_active(dest_enclave_id) { Ok(channel) } else { self.establish_new(dest_enclave_id) @@ -250,13 +247,13 @@ fn exchange_report_ocall( #[no_mangle] pub extern "C" fn session_request(src_enclave_id: sgx_enclave_id_t) -> SessionRequestResult { - dh_sessions().initiate_response(&src_enclave_id).into() + dh_sessions().initiate_response(src_enclave_id).into() } #[no_mangle] pub extern "C" fn end_session(src_enclave_id: sgx_enclave_id_t) -> sgx_status_t { // TODO: Ensure sessions close on both ends? - dh_sessions().close_session(&src_enclave_id); + dh_sessions().close_session(src_enclave_id); sgx_status_t::SGX_SUCCESS } From 9cefdbb3149ef8156a40808d8462a8163e3726cc Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Fri, 28 May 2021 15:39:07 +0200 Subject: [PATCH 26/31] chore(rtc_udh): remove stray test code --- rtc_udh/src/lib.rs | 7 ------- 1 file changed, 7 deletions(-) diff --git a/rtc_udh/src/lib.rs b/rtc_udh/src/lib.rs index 00552991..4597ff8a 100644 --- a/rtc_udh/src/lib.rs +++ b/rtc_udh/src/lib.rs @@ -95,10 +95,3 @@ extern "C" fn rtc_end_session_u( Err(err) => err, } } -#[cfg(test)] -mod tests { - #[test] - fn it_works() { - assert_eq!(2 + 2, 4); - } -} From 8de36cffeb2008407da95e65d6ec616b123f3643 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Fri, 28 May 2021 15:40:14 +0200 Subject: [PATCH 27/31] chore(rtc_tenclave): remove commented code --- rtc_tenclave/src/dh/sessions.rs | 2 -- 1 file changed, 2 deletions(-) diff --git a/rtc_tenclave/src/dh/sessions.rs b/rtc_tenclave/src/dh/sessions.rs index 44ffa1ef..7a4f1389 100644 --- a/rtc_tenclave/src/dh/sessions.rs +++ b/rtc_tenclave/src/dh/sessions.rs @@ -222,8 +222,6 @@ fn init_responder_ocall( sgx_status_t::SGX_SUCCESS => ret.into(), err => Err(err), } - - // dh_sessions().initiate_response(this_enclave_id) } fn exchange_report_ocall( From b348f813920114416434a3a101db1a835d9dd343 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Fri, 28 May 2021 15:49:00 +0200 Subject: [PATCH 28/31] chore(rtc_tenclave,dh): remove commented code --- rtc_tenclave/src/dh/protected_channel.rs | 15 --------------- rtc_tenclave/src/dh/sessions.rs | 2 -- 2 files changed, 17 deletions(-) diff --git a/rtc_tenclave/src/dh/protected_channel.rs b/rtc_tenclave/src/dh/protected_channel.rs index 1eab6b98..7a71baed 100644 --- a/rtc_tenclave/src/dh/protected_channel.rs +++ b/rtc_tenclave/src/dh/protected_channel.rs @@ -87,18 +87,3 @@ pub struct EncryptedEnclaveMessage EncryptedEnclaveMessage { -// // IV should contain 64 random bits, and 32 counter bits -// fn encrypt_ecall( -// key: Secret, -// plaintext: [u8; MESSAGE_SIZE], -// ) -> Result { -// } - -// fn decrypt_ecall(&self, key: Secret) -> Result {} -// } - -// fn encrypt_ecall(key: Secret) -> Result {} - -// fn decrypt_ecall(key: Secret) -> Result {} diff --git a/rtc_tenclave/src/dh/sessions.rs b/rtc_tenclave/src/dh/sessions.rs index 7a4f1389..40addc4c 100644 --- a/rtc_tenclave/src/dh/sessions.rs +++ b/rtc_tenclave/src/dh/sessions.rs @@ -239,8 +239,6 @@ fn exchange_report_ocall( sgx_status_t::SGX_SUCCESS => ret.into(), err => Err(err), } - - // dh_sessions().exchange_report(this_enclave_id, dh_msg2) } #[no_mangle] From 035359defe546d3e79860111363a0a062cb742b9 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Fri, 28 May 2021 15:54:37 +0200 Subject: [PATCH 29/31] docs: add & update rustdoc comments --- rtc_data_enclave/src/lib.rs | 5 +++-- rtc_tenclave/src/dh/mod.rs | 4 ++++ rtc_tenclave/src/dh/protected_channel.rs | 2 ++ rtc_tenclave/src/dh/sessions.rs | 3 +++ rtc_udh/src/lib.rs | 2 ++ 5 files changed, 14 insertions(+), 2 deletions(-) diff --git a/rtc_data_enclave/src/lib.rs b/rtc_data_enclave/src/lib.rs index a4261dd5..bca13ca9 100644 --- a/rtc_data_enclave/src/lib.rs +++ b/rtc_data_enclave/src/lib.rs @@ -56,8 +56,9 @@ pub unsafe extern "C" fn validate_and_save( } } -/// Tries to perform local attestation to an enclave at dest_enclave_id. The enclave needs to be -/// initialized as a `ResponderSys` in rtc_udh' +/// Tries to perform local attestation to an enclave at dest_enclave_id. +/// +/// See: [`DhSessions::establish_new`] #[no_mangle] pub unsafe extern "C" fn local_attestation(dest_enclave_id: sgx_enclave_id_t) -> sgx_status_t { let res = rtc_tenclave::dh::dh_sessions().establish_new(dest_enclave_id); diff --git a/rtc_tenclave/src/dh/mod.rs b/rtc_tenclave/src/dh/mod.rs index 7239ece9..5e481e8f 100644 --- a/rtc_tenclave/src/dh/mod.rs +++ b/rtc_tenclave/src/dh/mod.rs @@ -1,3 +1,5 @@ +//! Support for establishing secure local inter-enclave sessions using [`sgx_tdh`]. + mod protected_channel; mod sessions; mod types; @@ -6,6 +8,8 @@ pub use sessions::*; #[cfg(test)] mod enclave { + //! Stub [`sgx_tstd::enclave`] for testing. + use sgx_types::sgx_enclave_id_t; pub fn get_enclave_id() -> sgx_enclave_id_t { diff --git a/rtc_tenclave/src/dh/protected_channel.rs b/rtc_tenclave/src/dh/protected_channel.rs index 7a71baed..2fd95fe1 100644 --- a/rtc_tenclave/src/dh/protected_channel.rs +++ b/rtc_tenclave/src/dh/protected_channel.rs @@ -1,3 +1,5 @@ +//! Secure symmetric communication channels based on [`sgx_tcrypto`]'s AES-GCM. + use secrecy::{ExposeSecret, Secret}; use sgx_tcrypto::{rsgx_rijndael128GCM_decrypt, rsgx_rijndael128GCM_encrypt}; use sgx_types::*; diff --git a/rtc_tenclave/src/dh/sessions.rs b/rtc_tenclave/src/dh/sessions.rs index 40addc4c..9e23a62d 100644 --- a/rtc_tenclave/src/dh/sessions.rs +++ b/rtc_tenclave/src/dh/sessions.rs @@ -147,6 +147,9 @@ where Ok(()) } + /// Attest and establish a new active session between this enclave and `dest_enclave_id`. + /// + /// The responding enclave must be registered using [`rtc_udh::set_responder`]. pub fn establish_new( &self, dest_enclave_id: sgx_enclave_id_t, diff --git a/rtc_udh/src/lib.rs b/rtc_udh/src/lib.rs index 4597ff8a..6bcf5fd2 100644 --- a/rtc_udh/src/lib.rs +++ b/rtc_udh/src/lib.rs @@ -23,6 +23,7 @@ fn dh_responders() -> &'static RwLock { DH_RESPONDERS.get_or_init(|| RwLock::new(HashMap::new())) } +/// Register enclave as a DH responder. pub fn set_responder( enclave_id: sgx_enclave_id_t, responder: Box<(dyn ResponderSys + 'static)>, @@ -39,6 +40,7 @@ pub fn set_responder( } } +/// Retrieve enclave's registered responder. fn get_responder(enclave_id: sgx_enclave_id_t) -> Result { dh_responders() .read() From 5b6f3d5d8dd2bec5f02c13bbad26c180d1ce668f Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Fri, 28 May 2021 16:18:28 +0200 Subject: [PATCH 30/31] build(rtc_auth_enclave,rtc_data_enclave): factor out ENCLAVE_NAME --- rtc_auth_enclave/Makefile | 11 ++++++----- rtc_data_enclave/Makefile | 11 ++++++----- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/rtc_auth_enclave/Makefile b/rtc_auth_enclave/Makefile index d448af9e..d583bf39 100644 --- a/rtc_auth_enclave/Makefile +++ b/rtc_auth_enclave/Makefile @@ -24,6 +24,7 @@ else ifeq ($(MITIGATION-CVE-2020-0551), CF) export MITIGATION_CVE_2020_0551=CF endif +ENCLAVE_NAME = rtc_auth CRATE_LIB_NAME := enclave CRATE_BUILD_PATH := ./target/release CODEGEN_PATH = /root/rtc-data/codegen/auth_enclave @@ -36,11 +37,11 @@ Crate_Files := $(wildcard src/*.rs ../rtc_tenclave/src/*.rs) Out_StaticLib := $(CRATE_BUILD_PATH)/lib$(CRATE_LIB_NAME).a Out_Bindings := $(CODEGEN_PATH)/bindings.h -Out_EdgeObject := $(CUSTOM_LIBRARY_PATH)/rtc_auth_t.o +Out_EdgeObject := $(CUSTOM_LIBRARY_PATH)/$(ENCLAVE_NAME)_t.o Out_Dylib := $(CUSTOM_LIBRARY_PATH)/enclave.so Out_SignedDylib := $(CUSTOM_BIN_PATH)/enclave.signed.so -Out_CodegenFiles := $(CODEGEN_PATH)/rtc_auth_t.c $(CODEGEN_PATH)/rtc_auth_t.h $(CODEGEN_PATH)/rtc_auth_u.c $(CODEGEN_PATH)/rtc_auth_u.h +Out_CodegenFiles := $(CODEGEN_PATH)/$(ENCLAVE_NAME)_t.c $(CODEGEN_PATH)/$(ENCLAVE_NAME)_t.h $(CODEGEN_PATH)/$(ENCLAVE_NAME)_u.c $(CODEGEN_PATH)/$(ENCLAVE_NAME)_u.h .PHONY: all @@ -97,12 +98,12 @@ $(Out_StaticLib) $(Out_Bindings): $(Crate_Files) @rm -f $(Out_StaticLib) $(Out_Bindings) cargo build --release -$(Out_CodegenFiles): $(SGX_EDGER8R) ./rtc_auth.edl $(Out_Bindings) | $(CODEGEN_PATH) - $(SGX_EDGER8R) --use-prefix ./rtc_auth.edl --search-path $(SGX_SDK)/include --search-path $(RUST_EDL_PATH) --search-path $(RTC_EDL_PATH) --trusted-dir $(CODEGEN_PATH) --untrusted-dir $(CODEGEN_PATH) +$(Out_CodegenFiles): $(SGX_EDGER8R) ./$(ENCLAVE_NAME).edl $(Out_Bindings) | $(CODEGEN_PATH) + $(SGX_EDGER8R) --use-prefix ./$(ENCLAVE_NAME).edl --search-path $(SGX_SDK)/include --search-path $(RUST_EDL_PATH) --search-path $(RTC_EDL_PATH) --trusted-dir $(CODEGEN_PATH) --untrusted-dir $(CODEGEN_PATH) @echo "GEN => $(Enclave_EDL_Files)" $(Out_EdgeObject): $(Out_CodegenFiles) | $(CODEGEN_PATH) $(CUSTOM_LIBRARY_PATH) - @$(CC) $(RustEnclave_Compile_Flags) -c $(CODEGEN_PATH)/rtc_auth_t.c -o $@ + @$(CC) $(RustEnclave_Compile_Flags) -c $(CODEGEN_PATH)/$(ENCLAVE_NAME)_t.c -o $@ @echo "CC <= $<" $(Out_Dylib): $(Out_StaticLib) $(Out_EdgeObject) | $(CUSTOM_LIBRARY_PATH) diff --git a/rtc_data_enclave/Makefile b/rtc_data_enclave/Makefile index 875ce85b..1757a291 100644 --- a/rtc_data_enclave/Makefile +++ b/rtc_data_enclave/Makefile @@ -24,6 +24,7 @@ else ifeq ($(MITIGATION-CVE-2020-0551), CF) export MITIGATION_CVE_2020_0551=CF endif +ENCLAVE_NAME = rtc_data CRATE_LIB_NAME := enclave CRATE_BUILD_PATH := ./target/release CODEGEN_PATH = /root/rtc-data/codegen/data_enclave @@ -36,11 +37,11 @@ Crate_Files := $(wildcard src/*.rs ../rtc_tenclave/src/*.rs) Out_StaticLib := $(CRATE_BUILD_PATH)/lib$(CRATE_LIB_NAME).a Out_Bindings := $(CODEGEN_PATH)/bindings.h -Out_EdgeObject := $(CUSTOM_LIBRARY_PATH)/rtc_data_t.o +Out_EdgeObject := $(CUSTOM_LIBRARY_PATH)/$(ENCLAVE_NAME)_t.o Out_Dylib := $(CUSTOM_LIBRARY_PATH)/enclave.so Out_SignedDylib := $(CUSTOM_BIN_PATH)/enclave.signed.so -Out_CodegenFiles := $(CODEGEN_PATH)/rtc_data_t.c $(CODEGEN_PATH)/rtc_data_t.h $(CODEGEN_PATH)/rtc_data_u.c $(CODEGEN_PATH)/rtc_data_u.h +Out_CodegenFiles := $(CODEGEN_PATH)/$(ENCLAVE_NAME)_t.c $(CODEGEN_PATH)/$(ENCLAVE_NAME)_t.h $(CODEGEN_PATH)/$(ENCLAVE_NAME)_u.c $(CODEGEN_PATH)/$(ENCLAVE_NAME)_u.h .PHONY: all @@ -97,12 +98,12 @@ $(Out_StaticLib) $(Out_Bindings): $(Crate_Files) @rm -f $(Out_StaticLib) $(Out_Bindings) cargo build --release -$(Out_CodegenFiles): $(SGX_EDGER8R) ./rtc_data.edl $(Out_Bindings) | $(CODEGEN_PATH) - $(SGX_EDGER8R) --use-prefix ./rtc_data.edl --search-path $(SGX_SDK)/include --search-path $(RUST_EDL_PATH) --search-path $(RTC_EDL_PATH) --trusted-dir $(CODEGEN_PATH) --untrusted-dir $(CODEGEN_PATH) +$(Out_CodegenFiles): $(SGX_EDGER8R) ./$(ENCLAVE_NAME).edl $(Out_Bindings) | $(CODEGEN_PATH) + $(SGX_EDGER8R) --use-prefix ./$(ENCLAVE_NAME).edl --search-path $(SGX_SDK)/include --search-path $(RUST_EDL_PATH) --search-path $(RTC_EDL_PATH) --trusted-dir $(CODEGEN_PATH) --untrusted-dir $(CODEGEN_PATH) @echo "GEN => $(Enclave_EDL_Files)" $(Out_EdgeObject): $(Out_CodegenFiles) | $(CODEGEN_PATH) $(CUSTOM_LIBRARY_PATH) - @$(CC) $(RustEnclave_Compile_Flags) -c $(CODEGEN_PATH)/rtc_data_t.c -o $@ + @$(CC) $(RustEnclave_Compile_Flags) -c $(CODEGEN_PATH)/$(ENCLAVE_NAME)_t.c -o $@ @echo "CC <= $<" $(Out_Dylib): $(Out_StaticLib) $(Out_EdgeObject) | $(CUSTOM_LIBRARY_PATH) From 2741ebe864e1306c87b39e635d7b0579c4e4e360 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Fri, 28 May 2021 18:01:38 +0200 Subject: [PATCH 31/31] refactor(rtc_tenclave,protected_channel): factor out DeterministicAesGcmIvConstructor Also add additional documentation and context around the IV construction. --- rtc_tenclave/src/dh/protected_channel.rs | 75 +++++++++++++++++------- 1 file changed, 53 insertions(+), 22 deletions(-) diff --git a/rtc_tenclave/src/dh/protected_channel.rs b/rtc_tenclave/src/dh/protected_channel.rs index 2fd95fe1..07a264fd 100644 --- a/rtc_tenclave/src/dh/protected_channel.rs +++ b/rtc_tenclave/src/dh/protected_channel.rs @@ -3,9 +3,9 @@ use secrecy::{ExposeSecret, Secret}; use sgx_tcrypto::{rsgx_rijndael128GCM_decrypt, rsgx_rijndael128GCM_encrypt}; use sgx_types::*; -use std::{convert::TryInto, u32}; use super::types::AlignedKey; +use crate::util::concat_u8; #[cfg(test)] use super::enclave; @@ -13,16 +13,19 @@ use super::enclave; use sgx_tstd::enclave; // NIST AES-GCM recommended IV size -type GcmNonce = [u8; 12]; +type RecommendedAesGcmIv = [u8; 12]; pub struct ProtectedChannel { - counter: u32, + iv_constructor: DeterministicAesGcmIvConstructor, key: Secret, } impl ProtectedChannel { pub fn init(key: Secret) -> Self { - Self { counter: 1, key } + Self { + iv_constructor: DeterministicAesGcmIvConstructor::for_current_enclave(), + key, + } } pub fn encrypt_message( @@ -30,7 +33,7 @@ impl ProtectedChannel { plaintext: [u8; MESSAGE_SIZE], aad: [u8; AAD_SIZE], ) -> Result, sgx_status_t> { - let nonce = self.gen_nonce(); + let nonce = self.iv_constructor.next(); let mut dst = [0_u8; MESSAGE_SIZE]; let mut mac = sgx_aes_gcm_128bit_tag_t::default(); rsgx_rijndael128GCM_encrypt( @@ -65,27 +68,55 @@ impl ProtectedChannel { )?; Ok(dst) } - - fn gen_nonce(&mut self) -> GcmNonce { - self.counter = self.counter + 1; - let counter_bytes = self.counter.to_ne_bytes(); - // TODO: Verify all parameters used here is valid for the local attestation context - // Constructing the iv (nonce) using a counter and value unique to the running - // enclave (for the purposes of local attestation). - // See: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf - [ - enclave::get_enclave_id().to_ne_bytes().as_ref(), // 8 bytes unique to this enclave - counter_bytes.as_ref(), // 4 bytes incrementing on access - ] - .concat() - .try_into() - .unwrap() - } } pub struct EncryptedEnclaveMessage { tag: sgx_aes_gcm_128bit_tag_t, ciphertext: [u8; MESSAGE_SIZE], aad: [u8; AAD_SIZE], - nonce: GcmNonce, + nonce: RecommendedAesGcmIv, +} + +/// Implement the deterministic construction of AES-GCM IVs, as described in section 8.2.1 of [NIST SP 800-38D], +/// "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC". +/// +/// In this construction, the IV is the concatenation of two fields: +/// +/// 1. The **fixed** field, unique between each device using a given secret key. +/// This implementation uses a 64-bit enclave identifier. +/// +/// 2. The **invocation** field, unique for each device message. +/// This implementation uses a 32-bit counter. +/// +/// Note that _NIST SP 800-38D_ recommends a 32-bit fixed field and 64-bit invocation field, +/// but this implementation swaps the sizes around, to match the enclave identifier size. +/// +/// [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf +struct DeterministicAesGcmIvConstructor { + fixed: [u8; 8], + invocation_counter: u32, +} + +impl DeterministicAesGcmIvConstructor { + /// Initialise a new instance based on [`sgx_tstd::enclave::get_enclave_id`]. + fn for_current_enclave() -> Self { + DeterministicAesGcmIvConstructor { + fixed: enclave::get_enclave_id().to_ne_bytes(), + invocation_counter: Default::default(), + } + } + + /// Return the next constructed IV. + /// + /// # Panics + /// + /// This will panic if the 32-bit invocation counter overflows. + /// This should not happen during normal use, as a given secret key should not be used for more than 2^32 invocations. + fn next(&mut self) -> RecommendedAesGcmIv { + self.invocation_counter = self.invocation_counter.checked_add(1).expect( + "DeterministicAesGcmIvConstructor: invocation counter overflow, unsafe to proceed", + ); + + concat_u8(&self.fixed, &self.invocation_counter.to_ne_bytes()) + } }