You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@teaclave.apache.org by di...@apache.org on 2020/06/22 01:56:01 UTC
[incubator-teaclave-sgx-sdk] branch dcap-retrieve updated: rewrite
qpl
This is an automated email from the ASF dual-hosted git repository.
dingyu pushed a commit to branch dcap-retrieve
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-sgx-sdk.git
The following commit(s) were added to refs/heads/dcap-retrieve by this push:
new fce6a15 rewrite qpl
fce6a15 is described below
commit fce6a15c2483a169ba778e34e049cd49c8d4be1f
Author: Yu Ding <di...@gmail.com>
AuthorDate: Sun Jun 21 18:55:46 2020 -0700
rewrite qpl
---
samplecode/dcap-pckretrieval/Makefile | 16 ++-
samplecode/dcap-pckretrieval/qpl/Cargo.toml | 15 +++
samplecode/dcap-pckretrieval/qpl/src/lib.rs | 146 ++++++++++++++++++++++++++++
3 files changed, 175 insertions(+), 2 deletions(-)
diff --git a/samplecode/dcap-pckretrieval/Makefile b/samplecode/dcap-pckretrieval/Makefile
index bb3f6dd..8209afd 100644
--- a/samplecode/dcap-pckretrieval/Makefile
+++ b/samplecode/dcap-pckretrieval/Makefile
@@ -78,6 +78,13 @@ App_Rust_Path := ./app/target/release
App_Enclave_u_Object :=app/libEnclave_u.a
App_Name := bin/PCKIDRetrievalTool
+Qpl_Rust_Flags := --release
+Qpl_SRC_Files := $(shell find qpl/ -type f -name '*.rs') $(shell find qpl/ -type f -name 'Cargo.toml')
+Qpl_Path := ./qpl
+Qpl_Target_Path := $(Qpl_Path)/target/release
+Qpl_Obj := $(Qpl_Target_Path)/libqpl.so
+Qpl_Name := ./bin/libdcap_quoteprov.so.1
+
######## Enclave Settings ########
ifneq ($(SGX_MODE), HW)
@@ -126,11 +133,16 @@ $(App_Enclave_u_Object): app/Enclave_u.o
$(AR) rcsD $@ $^
cp $(App_Enclave_u_Object) ./lib
-$(App_Name): $(App_Enclave_u_Object) $(App_SRC_Files)
+$(App_Name): $(App_Enclave_u_Object) $(App_SRC_Files) $(Qpl_Name)
@cd app && SGX_SDK=$(SGX_SDK) cargo build $(App_Rust_Flags)
@echo "Cargo => $@"
mkdir -p bin
cp $(App_Rust_Path)/PCKIDRetrievalTool ./bin
+ cp $(Qpl_Obj) $(Qpl_Name)
+
+$(Qpl_Name): $(Qpl_SRC_Files)
+ @cd $(Qpl_Path) && cargo build $(Qpl_Rust_Flags)
+ @echo "Cargo => $@"
######## Enclave Objects ########
@@ -154,6 +166,6 @@ enclave:
.PHONY: clean
clean:
- @rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
+ @rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) $(Qpl_Name) enclave/*_t.* app/*_u.* lib/*.a
@cd enclave && cargo clean && rm -f Cargo.lock
@cd app && cargo clean && rm -f Cargo.lock
diff --git a/samplecode/dcap-pckretrieval/qpl/Cargo.toml b/samplecode/dcap-pckretrieval/qpl/Cargo.toml
new file mode 100644
index 0000000..06b3fc5
--- /dev/null
+++ b/samplecode/dcap-pckretrieval/qpl/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "Qpl"
+version = "1.0.0"
+authors = ["The Teaclave Authors"]
+
+[dependencies]
+sgx_types = { git = "https://github.com/apache/teaclave-sgx-sdk.git" }
+lazy_static = { version = "*", default-features = false }
+
+[lib]
+name = "qpl"
+crate-type = ["dylib"]
+
+[patch.'https://github.com/apache/teaclave-sgx-sdk.git']
+sgx_types = { path = "../../../sgx_types" }
diff --git a/samplecode/dcap-pckretrieval/qpl/src/lib.rs b/samplecode/dcap-pckretrieval/qpl/src/lib.rs
new file mode 100644
index 0000000..c41bdce
--- /dev/null
+++ b/samplecode/dcap-pckretrieval/qpl/src/lib.rs
@@ -0,0 +1,146 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License..
+
+#![allow(non_snake_case)]
+
+extern crate sgx_types;
+#[macro_use]
+extern crate lazy_static;
+use std::sync::Mutex;
+use sgx_types::*;
+
+//const MAX_URL_LENGTH: usize = 2083;
+const QE3_ID_SIZE: usize = 16;
+const ENC_PPID_SIZE: usize = 384;
+const CPUSVN_SIZE: usize = 16;
+const PCESVN_SIZE: usize = 2;
+const PCEID_SIZE: usize = 2;
+//const FMSPC_SIZE: usize = 6;
+const MIN_CERT_DATA_SIZE: usize = 500;
+
+#[no_mangle]
+pub extern "C" fn sgx_ql_free_quote_config(
+ p_quote_config: *mut sgx_ql_config_t,
+) -> sgx_quote3_error_t {
+ //println!("sgx_ql_free_quote_config: free {:p}", p_quote_config);
+ if !p_quote_config.is_null() {
+ let p_cert_data = unsafe { (*p_quote_config).p_cert_data };
+ if !p_cert_data.is_null() {
+ let _s = unsafe { std::slice::from_raw_parts(p_cert_data, (*p_quote_config).cert_data_size as usize) };
+ drop(_s);// this is done implicitly. the explicit drop here is just for demon purpose
+ }
+ let _b: Box<sgx_ql_config_t> = unsafe { Box::from_raw(p_quote_config) };
+ drop(_b);// this is done implicitly. the explicit drop here is just for demon purpose
+ }
+ sgx_quote3_error_t::SGX_QL_SUCCESS
+}
+
+// The original sgx_ql_get_quote_config is not mt-safe. It writes to a global mutable array
+// `encrypted_ppid` and read from it later.
+// In this impl, we use a Mutex to guard the global `encrypted_ppid`.
+// The calling sequence is
+
+lazy_static! {
+ static ref ENCRYPTED_PPID: Mutex<[u8;ENC_PPID_SIZE]> = Mutex::new([0;ENC_PPID_SIZE]);
+}
+
+#[no_mangle]
+pub extern "C" fn sgx_ql_get_quote_config(
+ p_cert_id: *const sgx_ql_pck_cert_id_t,
+ pp_quote_config: *mut *mut sgx_ql_config_t,
+) -> sgx_quote3_error_t {
+ //println!("sgx_ql_get_quote_config: {:p}", p_cert_id);
+
+ if p_cert_id.is_null() || pp_quote_config.is_null() {
+ return sgx_quote3_error_t::SGX_QL_ERROR_INVALID_PARAMETER;
+ }
+
+ if unsafe { (*p_cert_id).p_qe3_id }.is_null()
+ || unsafe { (*p_cert_id).qe3_id_size } != QE3_ID_SIZE as u32
+ || unsafe { (*p_cert_id).p_platform_cpu_svn }.is_null()
+ || unsafe { (*p_cert_id).p_platform_pce_isv_svn }.is_null()
+ || unsafe { (*p_cert_id).crypto_suite } != PCE_ALG_RSA_OAEP_3072
+ {
+ return sgx_quote3_error_t::SGX_QL_ERROR_INVALID_PARAMETER;
+ }
+
+ let encrypted_ppid: [u8; ENC_PPID_SIZE] = if !unsafe { (*p_cert_id).p_encrypted_ppid }.is_null()
+ {
+ if unsafe { (*p_cert_id).encrypted_ppid_size } != ENC_PPID_SIZE as u32 {
+ return sgx_quote3_error_t::SGX_QL_ERROR_INVALID_PARAMETER;
+ } else {
+ let mut eppid = [0; ENC_PPID_SIZE];
+ unsafe {
+ let p: *const u8 = (*p_cert_id).p_encrypted_ppid as *const u8;
+ p.copy_to_nonoverlapping(eppid.as_mut_ptr(), ENC_PPID_SIZE);
+ }
+
+ if let Ok(mut l) = ENCRYPTED_PPID.lock() {
+ *l = eppid;
+ }
+
+ eppid
+ }
+ } else {
+ *ENCRYPTED_PPID.lock().unwrap()
+ };
+
+ let version:sgx_ql_config_version_t = sgx_ql_config_version_t::SGX_QL_CONFIG_VERSION_1;
+ let cert_cpu_svn:sgx_cpu_svn_t = unsafe { *(*p_cert_id).p_platform_cpu_svn };
+ let cert_pce_isv_svn: sgx_isv_svn_t = unsafe { *(*p_cert_id).p_platform_pce_isv_svn};
+ // previously we asserted enc_ppid_size = ENC_PPID_SIZE, qe3_id_size = QE3_ID_SIZE
+ // so the sum here is smaller than MIN_CERT_DATA_SIZE. cert_data_size is MIN_CERT_DATA_SIZE
+ let cert_data_size: uint32_t = std::cmp::max(
+ ENC_PPID_SIZE + QE3_ID_SIZE + PCEID_SIZE + CPUSVN_SIZE + PCESVN_SIZE,
+ MIN_CERT_DATA_SIZE) as u32;
+ assert_eq!(cert_data_size as usize, MIN_CERT_DATA_SIZE);
+
+ // cert data is:
+ // ENC_PPID || PCEID || CPUSVN || PCESVN || QEID || 0x00...
+ let pce_id: [u8;PCEID_SIZE] = unsafe { (*p_cert_id).pce_id }.to_le_bytes();
+ let cpu_svn: [u8; CPUSVN_SIZE] = unsafe { *(*p_cert_id).p_platform_cpu_svn }.svn;
+ let pce_svn: [u8; PCESVN_SIZE] = unsafe { *(*p_cert_id).p_platform_pce_isv_svn}.to_le_bytes();
+ let qe_id: &[u8] = unsafe { std::slice::from_raw_parts((*p_cert_id).p_qe3_id, QE3_ID_SIZE) };
+
+ let mut cert_data_vec: Vec<u8> = encrypted_ppid.to_vec();
+ cert_data_vec.extend_from_slice(&pce_id[..]);
+ cert_data_vec.extend_from_slice(&cpu_svn[..]);
+ cert_data_vec.extend_from_slice(&pce_svn[..]);
+ cert_data_vec.extend_from_slice(qe_id);
+
+ // we asserted QE3_ID
+ cert_data_vec.resize_with(cert_data_size as usize, Default::default);
+ let mut b = cert_data_vec.into_boxed_slice();
+ let p_cert_data = b.as_mut_ptr();
+ let _ = Box::into_raw(b); // memory leak here.
+
+ let ql_config = sgx_ql_config_t {
+ version: version,
+ cert_cpu_svn: cert_cpu_svn,
+ cert_pce_isv_svn: cert_pce_isv_svn,
+ cert_data_size: cert_data_size,
+ p_cert_data: p_cert_data,
+ };
+
+ let p_ret_ql_config = Box::into_raw(Box::new(ql_config));
+
+ unsafe {
+ *pp_quote_config = p_ret_ql_config;
+ }
+
+ sgx_quote3_error_t::SGX_QL_SUCCESS
+}
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@teaclave.apache.org
For additional commands, e-mail: commits-help@teaclave.apache.org