Posted to commits@teaclave.apache.org by ms...@apache.org on 2020/06/04 20:17:22 UTC
[incubator-teaclave] branch master updated: [attestation] Fix
mutual attestation (#338)
This is an automated email from the ASF dual-hosted git repository.
mssun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git
The following commit(s) were added to refs/heads/master by this push:
new 6d0f19f [attestation] Fix mutual attestation (#338)
6d0f19f is described below
commit 6d0f19fe958fa751215d907020b10c4b60758750
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Thu Jun 4 13:17:12 2020 -0700
[attestation] Fix mutual attestation (#338)
---
.drone.yml | 28 +++++++++++++------------
cmake/UtilTargets.cmake | 5 +++--
cmake/scripts/test.sh | 1 +
services/execution/enclave/src/lib.rs | 12 ++++++++---
services/frontend/enclave/src/lib.rs | 9 +++++---
services/management/enclave/src/lib.rs | 16 +++++++-------
services/scheduler/enclave/src/lib.rs | 16 +++++++-------
services/utils/service_enclave_utils/src/lib.rs | 20 +++++++++++-------
8 files changed, 64 insertions(+), 43 deletions(-)
diff --git a/.drone.yml b/.drone.yml
index ad3b531..679c23c 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -128,7 +128,7 @@ steps:
- . /root/.cargo/env
- . /opt/sgxsdk/environment
- mkdir -p build
- - cd build && cmake -DTEST_MODE=ON ..
+ - cd build && cmake -DCMAKE_BUILD_TYPE=Release -DTEST_MODE=OFF ..
- name: check
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
commands:
@@ -138,12 +138,7 @@ steps:
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
commands:
- . /root/.cargo/env
- - cd build && cmake -DTEST_MODE=OFF .. && make VERBOSE=1 -j2
-- name: compile-test-mode
- image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
- commands:
- - . /root/.cargo/env
- - cd build && cmake -DTEST_MODE=ON .. && make VERBOSE=1 -j2
+ - cd build && make VERBOSE=1 -j2
- name: test
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
privileged: true
@@ -161,7 +156,7 @@ steps:
path: /var/run/aesmd/aesm.socket
commands:
- . /root/.cargo/env
- - cd build && make run-tests
+ - cd build && make run-examples
volumes:
- name: isgx
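Review bot: With `make run-examples` replacing `make run-tests` in this step, and the configure step of what appears to be the same pipeline switched to `-DTEST_MODE=OFF`, the pipeline that mounts `aesm.socket` and `isgx` no longer runs the test suites; they remain only in the `-DSGX_SIM_MODE=ON -DTEST_MODE=ON` pipeline further down. If the mutual-attestation path this commit fixes is meant to be exercised against real SGX hardware, that coverage should be restored or the trade-off recorded, for example with `# hardware pipeline: examples only; test suites run in the sim-mode pipeline`. The pipeline boundaries lie outside the hunks shown, so the grouping of steps is inferred.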
@@ -186,7 +181,7 @@ steps:
- . /root/.cargo/env
- . /opt/sgxsdk/environment
- mkdir -p build
- - cd build && cmake -DTEST_MODE=ON ..
+ - cd build && cmake -DCMAKE_BUILD_TYPE=Debug -DSGX_SIM_MODE=ON -DTEST_MODE=ON ..
- name: check
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
commands:
@@ -196,9 +191,16 @@ steps:
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
commands:
- . /root/.cargo/env
- - cd build && cmake -DCMAKE_BUILD_TYPE=Debug -DSGX_SIM_MODE=ON .. && make VERBOSE=1 -j2
+ - cd build && make VERBOSE=1 -j2
- name: test
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
+ environment:
+ AS_ALGO: sgx_epid
+ AS_URL: https://api.trustedservices.intel.com:443
+ AS_KEY:
+ from_secret: V5_KEY
+ AS_SPID:
+ from_secret: V5_SPID
commands:
- . /root/.cargo/env
- cd build && make run-tests
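Review bot: The `test` step now receives `AS_KEY` and `AS_SPID` in its environment, and `make run-tests` hands that environment to every service and test binary it launches, so it is worth confirming that none of them prints its environment or attestation configuration at debug log level. It is also worth confirming that the repository's secret settings keep `V5_KEY` and `V5_SPID` out of pull-request builds, since this step builds and runs whatever code the branch contains. A short comment above the block, such as `# AS_KEY/AS_SPID: IAS credentials consumed by run-tests (stored as Drone secrets)`, would record why this step alone carries them.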
@@ -218,7 +220,7 @@ steps:
- . /root/.cargo/env
- . /opt/sgxsdk/environment
- mkdir -p build
- - cd build && cmake -DTEST_MODE=YES ..
+ - cd build && cmake -DCMAKE_BUILD_TYPE=Release -DSGX_SIM_MODE=ON -DTEST_MODE=OFF ..
- name: check
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
commands:
@@ -228,12 +230,12 @@ steps:
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
commands:
- . /root/.cargo/env
- - cd build && cmake -DSGX_SIM_MODE=ON .. && make VERBOSE=1 -j2
+ - cd build && make VERBOSE=1 -j2
- name: test
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
commands:
- . /root/.cargo/env
- - cd build && make run-tests
+ - cd build && make run-examples
node:
instance: mesatee-sgx
diff --git a/cmake/UtilTargets.cmake b/cmake/UtilTargets.cmake
index e53b32e..5de4258 100644
--- a/cmake/UtilTargets.cmake
+++ b/cmake/UtilTargets.cmake
@@ -38,8 +38,6 @@ if(TEST_MODE)
add_custom_target(
run-functional-tests COMMAND ${TEACLAVE_COMMON_ENVS}
${MT_SCRIPT_DIR}/test.sh functional)
- add_custom_target(run-examples COMMAND ${TEACLAVE_COMMON_ENVS}
- ${MT_SCRIPT_DIR}/test.sh example)
else()
add_custom_target(
run-tests
@@ -49,6 +47,9 @@ else()
)
endif()
+add_custom_target(run-examples COMMAND ${TEACLAVE_COMMON_ENVS}
+ ${MT_SCRIPT_DIR}/test.sh example)
+
add_custom_target(cov COMMAND ${TEACLAVE_COMMON_ENVS}
${MT_SCRIPT_DIR}/gen_cov.sh)
diff --git a/cmake/scripts/test.sh b/cmake/scripts/test.sh
index c2b2fa9..64859a0 100755
--- a/cmake/scripts/test.sh
+++ b/cmake/scripts/test.sh
@@ -137,6 +137,7 @@ run_examples() {
trap cleanup INT TERM ERR
echo_title "examples"
+ mkdir -p /tmp/fusion_data
pushd ${TEACLAVE_SERVICE_INSTALL_DIR}
./teaclave_authentication_service &
./teaclave_storage_service &
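Review bot: The added `mkdir -p /tmp/fusion_data` uses a fixed name in a world-writable directory and succeeds silently when the path already exists, so on a shared build host the services could end up reading and writing task data in a directory, or through a symlink, that another user created first. A check after creation would close that gap, e.g. `[ -d /tmp/fusion_data ] && [ ! -L /tmp/fusion_data ] && [ -O /tmp/fusion_data ] || exit 1`. The path presumably mirrors the configured fusion base directory, which is not visible here; if that setting can be overridden, a `mktemp -d` directory would be the safer choice. `run_examples` starts and ends outside this hunk.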
diff --git a/services/execution/enclave/src/lib.rs b/services/execution/enclave/src/lib.rs
index 77487d3..3d46869 100644
--- a/services/execution/enclave/src/lib.rs
+++ b/services/execution/enclave/src/lib.rs
@@ -24,9 +24,9 @@ extern crate sgx_tstd as std;
use std::prelude::v1::*;
use std::untrusted::path::PathEx;
-use anyhow::{ensure, Result};
+use anyhow::{anyhow, ensure, Result};
-use teaclave_attestation::verifier;
+use teaclave_attestation::{verifier, AttestationConfig, RemoteAttestation};
use teaclave_binder::proto::{
ECallCommand, FinalizeEnclaveInput, FinalizeEnclaveOutput, InitEnclaveInput, InitEnclaveOutput,
StartServiceInput, StartServiceOutput,
@@ -43,6 +43,11 @@ mod service;
mod task_file_manager;
fn start_service(config: &RuntimeConfig) -> Result<()> {
+ let attestation_config = AttestationConfig::from_teaclave_config(&config)?;
+ let attested_tls_config = RemoteAttestation::new(attestation_config)
+ .generate_and_endorse()?
+ .attested_tls_config()
+ .ok_or_else(|| anyhow!("cannot get attested TLS config"))?;
let enclave_info = EnclaveInfo::verify_and_new(
&config.audit.enclave_info_bytes,
AUDITOR_PUBLIC_KEYS,
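Review bot: In the added `AttestationConfig::from_teaclave_config(&config)?`, `config` is already a `&RuntimeConfig`, so the extra borrow is redundant; assuming the function takes `&RuntimeConfig`, `AttestationConfig::from_teaclave_config(config)?` is the cleaner call. The chain ending in `.ok_or_else(|| anyhow!("cannot get attested TLS config"))?` also appears as context in the frontend section, so each service seems to carry its own copy of the attestation bootstrap. A small helper next to the endpoint macro in `service_enclave_utils` would keep that security-critical sequence and its error message in one place. `start_service` continues outside the hunk.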
@@ -54,7 +59,8 @@ fn start_service(config: &RuntimeConfig) -> Result<()> {
&enclave_info,
AS_ROOT_CA_CERT,
verifier::universal_quote_verifier,
- );
+ attested_tls_config,
+ )?;
let fusion_base = config.mount.fusion_base_dir.clone();
diff --git a/services/frontend/enclave/src/lib.rs b/services/frontend/enclave/src/lib.rs
index 12ce802..53990bb 100644
--- a/services/frontend/enclave/src/lib.rs
+++ b/services/frontend/enclave/src/lib.rs
@@ -53,7 +53,8 @@ fn start_service(config: &RuntimeConfig) -> Result<()> {
.generate_and_endorse()?
.attested_tls_config()
.ok_or_else(|| anyhow!("cannot get attested TLS config"))?;
- let server_config = SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config)?;
+ let server_config =
+ SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config.clone())?;
let mut server = SgxTrustedTlsServer::<TeaclaveFrontendResponse, TeaclaveFrontendRequest>::new(
listen_address,
@@ -66,14 +67,16 @@ fn start_service(config: &RuntimeConfig) -> Result<()> {
&enclave_info,
AS_ROOT_CA_CERT,
verifier::universal_quote_verifier,
- );
+ attested_tls_config.clone(),
+ )?;
let management_service_endpoint = create_trusted_management_endpoint(
&config.internal_endpoints.management.advertised_address,
&enclave_info,
AS_ROOT_CA_CERT,
verifier::universal_quote_verifier,
- );
+ attested_tls_config,
+ )?;
let service = service::TeaclaveFrontendService::new(
authentication_service_endpoint,
diff --git a/services/management/enclave/src/lib.rs b/services/management/enclave/src/lib.rs
index a5dbc11..f4deec4 100644
--- a/services/management/enclave/src/lib.rs
+++ b/services/management/enclave/src/lib.rs
@@ -63,12 +63,13 @@ fn start_service(config: &RuntimeConfig) -> Result<()> {
None => Err(anyhow!("cannot get enclave attribute of {}", service)),
})
.collect::<Result<_>>()?;
- let server_config = SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config)?
- .attestation_report_verifier(
- accepted_enclave_attrs,
- AS_ROOT_CA_CERT,
- verifier::universal_quote_verifier,
- )?;
+ let server_config =
+ SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config.clone())?
+ .attestation_report_verifier(
+ accepted_enclave_attrs,
+ AS_ROOT_CA_CERT,
+ verifier::universal_quote_verifier,
+ )?;
let mut server =
SgxTrustedTlsServer::<TeaclaveManagementResponse, TeaclaveManagementRequest>::new(
listen_address,
@@ -80,7 +81,8 @@ fn start_service(config: &RuntimeConfig) -> Result<()> {
&enclave_info,
AS_ROOT_CA_CERT,
verifier::universal_quote_verifier,
- );
+ attested_tls_config,
+ )?;
let service = service::TeaclaveManagementService::new(storage_service_endpoint)?;
match server.start(service) {
diff --git a/services/scheduler/enclave/src/lib.rs b/services/scheduler/enclave/src/lib.rs
index 93b5943..9cd60de 100644
--- a/services/scheduler/enclave/src/lib.rs
+++ b/services/scheduler/enclave/src/lib.rs
@@ -66,12 +66,13 @@ fn start_service(config: &RuntimeConfig) -> Result<()> {
None => Err(anyhow!("cannot get enclave attribute of {}", service)),
})
.collect::<Result<_>>()?;
- let server_config = SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config)?
- .attestation_report_verifier(
- accepted_enclave_attrs,
- AS_ROOT_CA_CERT,
- verifier::universal_quote_verifier,
- )?;
+ let server_config =
+ SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config.clone())?
+ .attestation_report_verifier(
+ accepted_enclave_attrs,
+ AS_ROOT_CA_CERT,
+ verifier::universal_quote_verifier,
+ )?;
let mut server =
SgxTrustedTlsServer::<TeaclaveSchedulerResponse, TeaclaveSchedulerRequest>::new(
@@ -85,7 +86,8 @@ fn start_service(config: &RuntimeConfig) -> Result<()> {
&enclave_info,
AS_ROOT_CA_CERT,
verifier::universal_quote_verifier,
- );
+ attested_tls_config,
+ )?;
let service = service::TeaclaveSchedulerService::new(storage_service_endpoint)?;
match server.start(service) {
diff --git a/services/utils/service_enclave_utils/src/lib.rs b/services/utils/service_enclave_utils/src/lib.rs
index 51e9fa1..0faba96 100644
--- a/services/utils/service_enclave_utils/src/lib.rs
+++ b/services/utils/service_enclave_utils/src/lib.rs
@@ -23,7 +23,9 @@ extern crate sgx_tstd as std;
use log::debug;
use log::error;
use std::backtrace;
+use std::sync::{Arc, SgxRwLock as RwLock};
use teaclave_attestation::verifier::AttestationReportVerificationFn;
+use teaclave_attestation::AttestedTlsConfig;
use teaclave_rpc::config::SgxTrustedTlsClientConfig;
use teaclave_rpc::endpoint::Endpoint;
use teaclave_types::EnclaveInfo;
@@ -77,19 +79,21 @@ macro_rules! impl_create_trusted_endpoint_fn {
enclave_info: &EnclaveInfo,
as_root_ca_cert: &[u8],
verifier: AttestationReportVerificationFn,
- ) -> Endpoint {
+ attested_tls_config: Arc<RwLock<AttestedTlsConfig>>,
+ ) -> anyhow::Result<Endpoint> {
let service_enclave_attrs = enclave_info
.get_enclave_attr($enclave_attr)
.expect("enclave_info");
- let service_client_config = SgxTrustedTlsClientConfig::new()
- .attestation_report_verifier(
- vec![service_enclave_attrs],
- as_root_ca_cert,
- verifier,
- );
+ let service_client_config =
+ SgxTrustedTlsClientConfig::from_attested_tls_config(attested_tls_config)?
+ .attestation_report_verifier(
+ vec![service_enclave_attrs],
+ as_root_ca_cert,
+ verifier,
+ );
let service_address = &advertised_address;
- Endpoint::new(service_address).config(service_client_config)
+ Ok(Endpoint::new(service_address).config(service_client_config))
}
};
}
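Review bot: The generated function now returns `anyhow::Result<Endpoint>`, but a missing enclave attribute still goes through `.expect("enclave_info")` and panics inside the enclave instead of being reported to the caller. Since every call site in this commit already propagates with `?`, the lookup can fail the same way, e.g. `.ok_or_else(|| anyhow::anyhow!("cannot get enclave attribute"))?`. This assumes `get_enclave_attr` returns an `Option`, as the `None =>` arm in the management section suggests. The function signature and the macro header begin outside the hunk.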