Posted to commits@teaclave.apache.org by di...@apache.org on 2020/06/22 01:56:01 UTC

[incubator-teaclave-sgx-sdk] branch dcap-retrieve updated: rewrite qpl

This is an automated email from the ASF dual-hosted git repository.

dingyu pushed a commit to branch dcap-retrieve
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-sgx-sdk.git


The following commit(s) were added to refs/heads/dcap-retrieve by this push:
     new fce6a15  rewrite qpl
fce6a15 is described below

commit fce6a15c2483a169ba778e34e049cd49c8d4be1f
Author: Yu Ding <di...@gmail.com>
AuthorDate: Sun Jun 21 18:55:46 2020 -0700

    rewrite qpl
---
 samplecode/dcap-pckretrieval/Makefile       |  16 ++-
 samplecode/dcap-pckretrieval/qpl/Cargo.toml |  15 +++
 samplecode/dcap-pckretrieval/qpl/src/lib.rs | 146 ++++++++++++++++++++++++++++
 3 files changed, 175 insertions(+), 2 deletions(-)

diff --git a/samplecode/dcap-pckretrieval/Makefile b/samplecode/dcap-pckretrieval/Makefile
index bb3f6dd..8209afd 100644
--- a/samplecode/dcap-pckretrieval/Makefile
+++ b/samplecode/dcap-pckretrieval/Makefile
@@ -78,6 +78,13 @@ App_Rust_Path := ./app/target/release
 App_Enclave_u_Object :=app/libEnclave_u.a
 App_Name := bin/PCKIDRetrievalTool
 
+Qpl_Rust_Flags := --release
+Qpl_SRC_Files := $(shell find qpl/ -type f -name '*.rs') $(shell find qpl/ -type f -name 'Cargo.toml')
+Qpl_Path := ./qpl
+Qpl_Target_Path := $(Qpl_Path)/target/release
+Qpl_Obj := $(Qpl_Target_Path)/libqpl.so
+Qpl_Name := ./bin/libdcap_quoteprov.so.1
+
 ######## Enclave Settings ########
 
 ifneq ($(SGX_MODE), HW)
@@ -126,11 +133,16 @@ $(App_Enclave_u_Object): app/Enclave_u.o
 	$(AR) rcsD $@ $^
 	cp $(App_Enclave_u_Object) ./lib
 
-$(App_Name): $(App_Enclave_u_Object) $(App_SRC_Files)
+$(App_Name): $(App_Enclave_u_Object) $(App_SRC_Files) $(Qpl_Name)
 	@cd app && SGX_SDK=$(SGX_SDK) cargo build $(App_Rust_Flags)
 	@echo "Cargo  =>  $@"
 	mkdir -p bin
 	cp $(App_Rust_Path)/PCKIDRetrievalTool ./bin
+	cp $(Qpl_Obj) $(Qpl_Name)
+
+$(Qpl_Name): $(Qpl_SRC_Files)
+	@cd $(Qpl_Path) && cargo build $(Qpl_Rust_Flags)
+	@echo "Cargo  =>  $@"
 
 ######## Enclave Objects ########
 
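Review bot: The new `$(Qpl_Name)` rule never produces its own target — its recipe only runs `cargo build` inside `qpl/`, while the copy to `bin/libdcap_quoteprov.so.1` lives in the `$(App_Name)` recipe — so `make` always sees `$(Qpl_Name)` as missing and reruns the rule on every invocation, and any other target that depends on `$(Qpl_Name)` alone is left without the file. Move the copy into the rule that owns the target, e.g. `mkdir -p bin && cp $(Qpl_Obj) $@` as the last line of the `$(Qpl_Name)` recipe, and drop `cp $(Qpl_Obj) $(Qpl_Name)` from `$(App_Name)`. The `mkdir -p bin` is needed there because `bin/` is otherwise created only inside the `$(App_Name)` recipe, which runs after its prerequisites.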
@@ -154,6 +166,6 @@ enclave:
 
 .PHONY: clean
 clean:
-	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
+	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) $(Qpl_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
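Review bot: `clean` now removes the copied `$(Qpl_Name)` but never cleans the `qpl/` crate itself, unlike the `enclave` and `app` crates on the two following lines, so `qpl/target/` and its `Cargo.lock` survive a `make clean`. Add `@cd $(Qpl_Path) && cargo clean && rm -f Cargo.lock` next to the two existing `cargo clean` lines (if the recipe continues past this hunk, place it with them).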
diff --git a/samplecode/dcap-pckretrieval/qpl/Cargo.toml b/samplecode/dcap-pckretrieval/qpl/Cargo.toml
new file mode 100644
index 0000000..06b3fc5
--- /dev/null
+++ b/samplecode/dcap-pckretrieval/qpl/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "Qpl"
+version = "1.0.0"
+authors = ["The Teaclave Authors"]
+
+[dependencies]
+sgx_types = { git = "https://github.com/apache/teaclave-sgx-sdk.git" }
+lazy_static = { version = "*", default-features = false }
+
+[lib]
+name = "qpl"
+crate-type = ["dylib"]
+
+[patch.'https://github.com/apache/teaclave-sgx-sdk.git']
+sgx_types = { path = "../../../sgx_types" }
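Review bot: `lazy_static = { version = "*", default-features = false }` pins nothing, so unless a `Cargo.lock` is committed alongside, each fresh resolution takes whatever newest version is on crates.io — a supply-chain exposure for a library the DCAP quoting stack loads into its own process; pin it, e.g. `lazy_static = { version = "1.4", default-features = false }`. The crate is consumed as a C plugin (`libdcap_quoteprov.so.1`, with only `#[no_mangle] pub extern "C"` entry points in `src/lib.rs`), so `crate-type = ["cdylib"]` is the intended type: `dylib` is a Rust-ABI library that exports Rust metadata and internal symbols, enlarging the exported surface and tying the artifact to the exact compiler build. The package name `Qpl` also departs from Cargo's lowercase convention; `name = "qpl"` would match the `[lib]` name.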
diff --git a/samplecode/dcap-pckretrieval/qpl/src/lib.rs b/samplecode/dcap-pckretrieval/qpl/src/lib.rs
new file mode 100644
index 0000000..c41bdce
--- /dev/null
+++ b/samplecode/dcap-pckretrieval/qpl/src/lib.rs
@@ -0,0 +1,146 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License..
+
+#![allow(non_snake_case)]
+
+extern crate sgx_types;
+#[macro_use]
+extern crate lazy_static;
+use std::sync::Mutex;
+use sgx_types::*;
+
+//const MAX_URL_LENGTH: usize = 2083;
+const QE3_ID_SIZE: usize = 16;
+const ENC_PPID_SIZE: usize = 384;
+const CPUSVN_SIZE: usize = 16;
+const PCESVN_SIZE: usize = 2;
+const PCEID_SIZE: usize = 2;
+//const FMSPC_SIZE: usize = 6;
+const MIN_CERT_DATA_SIZE: usize = 500;
+
+#[no_mangle]
+pub extern "C" fn sgx_ql_free_quote_config(
+    p_quote_config: *mut sgx_ql_config_t,
+) -> sgx_quote3_error_t {
+    //println!("sgx_ql_free_quote_config: free {:p}", p_quote_config);
+    if !p_quote_config.is_null() {
+        let p_cert_data = unsafe { (*p_quote_config).p_cert_data };
+        if !p_cert_data.is_null() {
+            let _s = unsafe { std::slice::from_raw_parts(p_cert_data, (*p_quote_config).cert_data_size as usize) };
+            drop(_s);// this is done implicitly. the explicit drop here is just for demon purpose
+        }
+        let _b: Box<sgx_ql_config_t> = unsafe { Box::from_raw(p_quote_config) };
+        drop(_b);// this is done implicitly. the explicit drop here is just for demon purpose
+    }
+    sgx_quote3_error_t::SGX_QL_SUCCESS
+}
+
+// The original sgx_ql_get_quote_config is not mt-safe. It writes to a global mutable array
+// `encrypted_ppid` and read from it later.
+// In this impl, we use a Mutex to guard the global `encrypted_ppid`.
+// The calling sequence is 
+
+lazy_static! {
+    static ref ENCRYPTED_PPID: Mutex<[u8;ENC_PPID_SIZE]> = Mutex::new([0;ENC_PPID_SIZE]);
+}
+
+#[no_mangle]
+pub extern "C" fn sgx_ql_get_quote_config(
+    p_cert_id: *const sgx_ql_pck_cert_id_t,
+    pp_quote_config: *mut *mut sgx_ql_config_t,
+) -> sgx_quote3_error_t {
+    //println!("sgx_ql_get_quote_config: {:p}", p_cert_id);
+
+    if p_cert_id.is_null() || pp_quote_config.is_null() {
+        return sgx_quote3_error_t::SGX_QL_ERROR_INVALID_PARAMETER;
+    }
+
+    if unsafe { (*p_cert_id).p_qe3_id }.is_null()
+        || unsafe { (*p_cert_id).qe3_id_size } != QE3_ID_SIZE as u32
+        || unsafe { (*p_cert_id).p_platform_cpu_svn }.is_null()
+        || unsafe { (*p_cert_id).p_platform_pce_isv_svn }.is_null()
+        || unsafe { (*p_cert_id).crypto_suite } != PCE_ALG_RSA_OAEP_3072
+    {
+        return sgx_quote3_error_t::SGX_QL_ERROR_INVALID_PARAMETER;
+    }
+
+    let encrypted_ppid: [u8; ENC_PPID_SIZE] = if !unsafe { (*p_cert_id).p_encrypted_ppid }.is_null()
+    {
+        if unsafe { (*p_cert_id).encrypted_ppid_size } != ENC_PPID_SIZE as u32 {
+            return sgx_quote3_error_t::SGX_QL_ERROR_INVALID_PARAMETER;
+        } else {
+            let mut eppid = [0; ENC_PPID_SIZE];
+            unsafe {
+                let p: *const u8 = (*p_cert_id).p_encrypted_ppid as *const u8;
+                p.copy_to_nonoverlapping(eppid.as_mut_ptr(), ENC_PPID_SIZE);
+            }
+
+            if let Ok(mut l) = ENCRYPTED_PPID.lock() {
+                *l = eppid;
+            }
+
+            eppid
+        }
+    } else {
+        *ENCRYPTED_PPID.lock().unwrap()
+    };
+
+    let version:sgx_ql_config_version_t = sgx_ql_config_version_t::SGX_QL_CONFIG_VERSION_1;
+    let cert_cpu_svn:sgx_cpu_svn_t = unsafe { *(*p_cert_id).p_platform_cpu_svn };
+    let cert_pce_isv_svn: sgx_isv_svn_t = unsafe { *(*p_cert_id).p_platform_pce_isv_svn};
+    // previously we asserted enc_ppid_size = ENC_PPID_SIZE, qe3_id_size = QE3_ID_SIZE
+    // so the sum here is smaller than MIN_CERT_DATA_SIZE. cert_data_size is MIN_CERT_DATA_SIZE
+    let cert_data_size: uint32_t = std::cmp::max(
+        ENC_PPID_SIZE + QE3_ID_SIZE + PCEID_SIZE + CPUSVN_SIZE + PCESVN_SIZE,
+        MIN_CERT_DATA_SIZE) as u32;
+    assert_eq!(cert_data_size as usize, MIN_CERT_DATA_SIZE);
+
+    // cert data is:
+    // ENC_PPID || PCEID || CPUSVN || PCESVN || QEID || 0x00...
+    let pce_id: [u8;PCEID_SIZE] = unsafe { (*p_cert_id).pce_id }.to_le_bytes();
+    let cpu_svn: [u8; CPUSVN_SIZE] = unsafe { *(*p_cert_id).p_platform_cpu_svn }.svn;
+    let pce_svn: [u8; PCESVN_SIZE] = unsafe { *(*p_cert_id).p_platform_pce_isv_svn}.to_le_bytes();
+    let qe_id: &[u8] = unsafe { std::slice::from_raw_parts((*p_cert_id).p_qe3_id, QE3_ID_SIZE) };
+
+    let mut cert_data_vec: Vec<u8> = encrypted_ppid.to_vec();
+    cert_data_vec.extend_from_slice(&pce_id[..]);
+    cert_data_vec.extend_from_slice(&cpu_svn[..]);
+    cert_data_vec.extend_from_slice(&pce_svn[..]);
+    cert_data_vec.extend_from_slice(qe_id);
+
+    // we asserted QE3_ID
+    cert_data_vec.resize_with(cert_data_size as usize, Default::default);
+    let mut b = cert_data_vec.into_boxed_slice();
+    let p_cert_data = b.as_mut_ptr();
+    let _ = Box::into_raw(b); // memory leak here.
+
+    let ql_config = sgx_ql_config_t {
+        version: version,
+        cert_cpu_svn: cert_cpu_svn,
+        cert_pce_isv_svn: cert_pce_isv_svn,
+        cert_data_size: cert_data_size,
+        p_cert_data: p_cert_data,
+    };
+
+    let p_ret_ql_config = Box::into_raw(Box::new(ql_config));
+
+    unsafe {
+        *pp_quote_config = p_ret_ql_config;
+    }
+
+    sgx_quote3_error_t::SGX_QL_SUCCESS
+}
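Review bot: `sgx_ql_free_quote_config` never releases the certificate buffer: `std::slice::from_raw_parts` yields a borrow, so `drop(_s)` is a no-op and the `Box<[u8]>` handed out via `Box::into_raw(b)` in `sgx_ql_get_quote_config` leaks `cert_data_size` bytes on every get/free cycle, which a long-running quoting service will accumulate. Reclaim it with the matching owner type: `let len = unsafe { (*p_quote_config).cert_data_size as usize };` followed by `drop(unsafe { Box::from_raw(std::slice::from_raw_parts_mut(p_cert_data, len)) });`, and remove the `// this is done implicitly` and `// memory leak here.` comments, which describe the wrong site. Separately, `*ENCRYPTED_PPID.lock().unwrap()` in the null-PPID branch panics across an `extern "C"` boundary if the mutex was poisoned, which was undefined behaviour on toolchains of this era (an abort on newer ones); `*ENCRYPTED_PPID.lock().unwrap_or_else(|e| e.into_inner())` (or returning `SGX_QL_ERROR_UNEXPECTED`) would match the poison-tolerant `if let Ok(mut l)` a few lines above. The comment `// The calling sequence is` trails off and should be completed or removed.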

