Posted to commits@mesatee.apache.org by ms...@apache.org on 2019/11/23 01:12:04 UTC

[incubator-mesatee] branch master updated: Use environment variable to configure IAS SPID/KEY (#86)

This is an automated email from the ASF dual-hosted git repository.

mssun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-mesatee.git


The following commit(s) were added to refs/heads/master by this push:
     new b3cedf1  Use environment variable to configure IAS SPID/KEY (#86)
b3cedf1 is described below

commit b3cedf1f2375e4bfaa6d6280f929d57365b5ec6d
Author: Yu Ding <di...@gmail.com>
AuthorDate: Fri Nov 22 17:11:54 2019 -0800

    Use environment variable to configure IAS SPID/KEY (#86)
---
 .drone.yml                           | 61 +++++++++++++++++++++++-------------
 cmake/scripts/sgx_test.sh            |  5 ++-
 config.toml                          |  8 ++---
 docs/faq.md                          |  6 ++--
 docs/how_to_run.md                   | 12 +++++--
 mesatee_config/src/runtime_config.rs | 50 +++++++++++++++++++----------
 mesatee_core/src/rpc/sgx/ra.rs       | 31 +++++++++---------
 mesatee_core/src/utils.rs            | 10 +++---
 8 files changed, 108 insertions(+), 75 deletions(-)

diff --git a/.drone.yml b/.drone.yml
index 4b8dd5e..c6b83a2 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -6,16 +6,9 @@ steps:
   image: mesalocklinux/build-mesatee:0.1.5
   commands:
   - mkdir -p bin
-  - echo $V5_SPID > bin/ias_spid.txt
-  - echo $V5_KEY > bin/ias_key.txt
   - . /root/.cargo/env
   - mkdir -p build
   - cd build && cmake ..
-  environment:
-    V5_KEY:
-      from_secret: V5_KEY
-    V5_SPID:
-      from_secret: V5_SPID
 - name: check
   image: mesalocklinux/build-mesatee:0.1.5
   commands:
@@ -30,6 +23,11 @@ steps:
 - name: sgx-test
   image: mesalocklinux/build-mesatee:0.1.5
   privileged: true
+  environment:
+    IAS_KEY:
+      from_secret: V5_KEY
+    IAS_SPID:
+      from_secret: V5_SPID
   volumes:
   - name: isgx
     path: /dev/isgx
@@ -86,16 +84,9 @@ steps:
   image: mesalocklinux/build-mesatee:0.1.5
   commands:
   - mkdir -p bin
-  - echo $V5_SPID > bin/ias_spid.txt
-  - echo $V5_KEY > bin/ias_key.txt
   - . /root/.cargo/env
   - mkdir -p build
   - cd build && cmake -DCMAKE_BUILD_TYPE=Debug ..
-  environment:
-    V5_KEY:
-      from_secret: V5_KEY
-    V5_SPID:
-      from_secret: V5_SPID
 - name: check
   image: mesalocklinux/build-mesatee:0.1.5
   commands:
@@ -109,6 +100,11 @@ steps:
   - cd build && make VERBOSE=1 -j2
 - name: sgx-test
   image: mesalocklinux/build-mesatee:0.1.5
+  environment:
+    IAS_KEY:
+      from_secret: V5_KEY
+    IAS_SPID:
+      from_secret: V5_SPID
   privileged: true
   volumes:
   - name: isgx
@@ -142,9 +138,6 @@ steps:
   - . /root/.cargo/env
   - mkdir -p build
   - cd build && cmake ..
-  environment:
-    V5_SPID:
-      from_secret: V5_SPID
 - name: check
   image: mesalocklinux/build-mesatee:0.1.5
   commands:
@@ -157,10 +150,24 @@ steps:
   - cd build && cmake -DRUSTFLAGS="-D warnings" -DSGX_MODE=SW .. && make VERBOSE=1 -j2
 - name: sgx-test
   image: mesalocklinux/build-mesatee:0.1.5
-  privileged: true
   commands:
   - . /root/.cargo/env
   - cd build && make sgx-test
+  privileged: true
+  volumes:
+  - name: isgx
+    path: /dev/isgx
+  - name: aesmd
+    path: /var/run/aesmd/aesm.socket
+
+volumes:
+- name: isgx
+  host:
+    path: /dev/isgx
+- name: aesmd
+  host:
+    path: /var/run/aesmd/aesm.socket
+
 
 node:
   instance: mesatee-sgx
@@ -177,9 +184,6 @@ steps:
   - . /root/.cargo/env
   - mkdir -p build
   - cd build && cmake ..
-  environment:
-    V5_SPID:
-      from_secret: V5_SPID
 - name: check
   image: mesalocklinux/build-mesatee:0.1.5
   commands:
@@ -192,10 +196,23 @@ steps:
   - cd build && cmake -DCMAKE_BUILD_TYPE=Debug -DRUSTFLAGS="-D warnings" -DSGX_MODE=SW .. && make VERBOSE=1 -j2
 - name: sgx-test
   image: mesalocklinux/build-mesatee:0.1.5
-  privileged: true
   commands:
   - . /root/.cargo/env
   - cd build && make sgx-test
+  privileged: true
+  volumes:
+  - name: isgx
+    path: /dev/isgx
+  - name: aesmd
+    path: /var/run/aesmd/aesm.socket
+
+volumes:
+- name: isgx
+  host:
+    path: /dev/isgx
+- name: aesmd
+  host:
+    path: /var/run/aesmd/aesm.socket
 
 node:
   instance: mesatee-sgx
diff --git a/cmake/scripts/sgx_test.sh b/cmake/scripts/sgx_test.sh
index 0930f12..3135bad 100755
--- a/cmake/scripts/sgx_test.sh
+++ b/cmake/scripts/sgx_test.sh
@@ -8,9 +8,8 @@ fi
 
 source ${SGX_SDK}/environment
 if [ "${SGX_MODE}" = "HW" ]; then
-	if [ ! -f ${MESATEE_BIN_DIR}/ias_spid.txt ] || [ ! -f ${MESATEE_BIN_DIR}/ias_key.txt ] ; then
-        echo "Please follow \"How to Run (SGX)\" in README to obtain \
-ias_spid.txt and ias_key.txt, and put in the bin";
+	if [ -z ${IAS_SPID} ] || [ -z ${IAS_KEY} ] ; then
+        echo "SGX launch check failed: Env var for IAS SPID or IAS KEY does NOT exist. Please follow \"How to Run (SGX)\" in README to obtain, and specify the value in environment variables and put the names of environment variables in config.toml. The default variables are IAS_SPID and IAS_KEY."
         exit 1;
     fi
 fi
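Review bot: The new test `[ -z ${IAS_SPID} ] || [ -z ${IAS_KEY} ]` leaves both expansions unquoted, so a value containing whitespace or glob characters makes `[` fail with a syntax error instead of evaluating the check; quote them, `if [ -z "${IAS_SPID}" ] || [ -z "${IAS_KEY}" ] ; then`. The script also tests only the default names, while config.toml lets `spid`/`key` point at other variables, so a deployment that renames them is rejected here even though the services would accept it. The error message mentions the defaults, but the check itself does not follow the configuration.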
diff --git a/config.toml b/config.toml
index 552dfb4..ee7dddd 100644
--- a/config.toml
+++ b/config.toml
@@ -51,12 +51,12 @@ kms  = { listen_ip = "0.0.0.0", connect_ip = "127.0.0.1", port = 6016 }
 acs  = { listen_ip = "0.0.0.0", connect_ip = "127.0.0.1", port = 5077 }
 
 
-# This section configures the location of certificate/private key used to
-# connect to IntelĀ® Attestation Service (IAS).
+# This section configures the IAS API key/spid which are used to connect to
+# IntelĀ® Attestation Service (IAS).
 # This is a required section.
 [ias_client_config]
-spid = { path = "bin/ias_spid.txt" }
-key = { path = "bin/ias_key.txt" }
+spid = { env = "IAS_SPID" }
+key = { env = "IAS_KEY" }
 
 
 # This section configures the auditors.
diff --git a/docs/faq.md b/docs/faq.md
index e47a285..7c5ecda 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -1,13 +1,13 @@
 # FAQs in Build and Run
 
-## Why did I see ``SGX launch check failed: ias_spid.txt or ias_key.txt does NOT exist``?
+## Why did I see ``SGX launch check failed: Env var for IAS SPID or IAS KEY does NOT exist.``
 
 Because the Intel Attestation Service (IAS) requires mutual authentication in
 TLS communications. So if you have followed [build
 prerequisite](how_to_build.md#prerequisite) document for Intel Attestation
 Service (IAS) registration, you should be able to obtain the SPID, Primary Key,
-and Secondary Key . Please configure their paths in the ``ias_client_config``
-section of [config.toml](../config.toml) accordingly. 
+and Secondary Key . Please set them as environment variables, e.g. `export IAS_KEY=...`, and then configure them in the ``ias_client_config`` section of
+[config.toml](../config.toml) accordingly.
 
 MesaTEE uses the most recent [Intel IAS API version 5](https://api.trustedservices.intel.com/documents/sgx-attestation-api-spec.pdf).
 It no longer requires certificate from IAS client. Instead, it requires a **Subscription Key** for access. Please read the [manual](https://api.trustedservices.intel.com/documents/sgx-attestation-api-spec.pdf) and [build prerequisite](how_to_build.md#prerequisite) for details.
diff --git a/docs/how_to_run.md b/docs/how_to_run.md
index fe66c0e..2362355 100644
--- a/docs/how_to_run.md
+++ b/docs/how_to_run.md
@@ -13,9 +13,15 @@ The ``api_endpoints`` and ``internal_endpoints``  of
 services. Please configure them accordingly.
 
 Then, please set SPID and key (either primary or secondary) from Intel Trusted
-Service API portal by ``cat YOUR_SPID > ./bin/ias_spid.txt && cat YOUR_KEY > ./bin/ias_key.txt``.
-Note that the default paths for `ias_spid.txt` and `ias_key.txt` is under the `./bin` directory,
-but can be configured in the `config.toml` file.
+Service API portal by ``export IAS_KEY=YOUR_SPID && export IAS_SPID=YOUR_KEY``.
+Next, please edit [config.toml](../config.toml) to tell MesaTEE where to find
+IAS API key and SPID:
+
+```toml
+[ias_client_config]
+spid = { env = "IAS_SPID" }
+key = { env = "IAS_KEY" }
+```
 
 Afterwards, you can launch MesaTEE services as background daemons by running:
 ``./service.sh {start|stop|restart}``
diff --git a/mesatee_config/src/runtime_config.rs b/mesatee_config/src/runtime_config.rs
index 6ef8c80..8a3ab2a 100644
--- a/mesatee_config/src/runtime_config.rs
+++ b/mesatee_config/src/runtime_config.rs
@@ -41,7 +41,7 @@ use std::net::IpAddr;
 pub struct MesateeConfigToml {
     pub api_endpoints: BTreeMap<String, ApiEndpoint>,
     pub internal_endpoints: BTreeMap<String, InternalEndpoint>,
-    pub ias_client_config: BTreeMap<String, PathValue>,
+    pub ias_client_config: BTreeMap<String, EnvValue>,
     pub audited_enclave_config: BTreeMap<String, PathValue>,
 }
 
@@ -65,6 +65,11 @@ pub struct PathValue {
     pub path: PathBuf,
 }
 
+#[derive(Debug, Deserialize)]
+pub struct EnvValue {
+    pub env: String,
+}
+
 impl MesateeConfigToml {
     fn is_valid(&self) -> Result<()> {
         let api_endpoints = &self.api_endpoints;
@@ -95,18 +100,26 @@ impl MesateeConfigToml {
             return Err(err("[api_endpoint]: missing `acs`"));
         }
 
+        let ias_client_config = &self.ias_client_config;
+        if !ias_client_config.contains_key("spid") {
+            return Err(err("[ias_client_config]: missing `spid`"));
+        }
+        if !ias_client_config.contains_key("key") {
+            return Err(err("[ias_client_config]: missing `key`"));
+        }
+
         let audited_enclave_config = &self.audited_enclave_config;
         if !audited_enclave_config.contains_key("enclave_info") {
-            return Err(err("[ias_client_config]: missing `enclave_info`"));
+            return Err(err("[audited_enclave_config]: missing `enclave_info`"));
         }
         if !audited_enclave_config.contains_key("signature_a") {
-            return Err(err("[ias_client_config]: missing `signature_a`"));
+            return Err(err("[audited_enclave_config]: missing `signature_a`"));
         }
         if !audited_enclave_config.contains_key("signature_b") {
-            return Err(err("[ias_client_config]: missing `signature_b`"));
+            return Err(err("[audited_enclave_config]: missing `signature_b`"));
         }
         if !audited_enclave_config.contains_key("signature_c") {
-            return Err(err("[ias_client_config]: missing `signature_c`"));
+            return Err(err("[audited_enclave_config]: missing `signature_c`"));
         }
 
         Ok(())
@@ -126,7 +139,15 @@ lazy_static! {
 
 #[inline]
 fn get_mesatee_cfg_dir() -> String {
-    env::var(&MESATEE_CFG_DIR_ENV).expect("Please set $MESATEE_CFG_DIR")
+    match env::var(&MESATEE_CFG_DIR_ENV) {
+        Ok(p) => p,
+        Err(_) => {
+            #[cfg(feature = "mesalock_sgx")]
+            use std::println;
+            println!("Missing environment variable MESATEE_CFG_DIR. Using \".\"");
+            ".".to_string()
+        }
+    }
 }
 
 #[inline]
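Review bot: The new `Err(_)` arm in `get_mesatee_cfg_dir` turns a missing `MESATEE_CFG_DIR` from a startup failure into a fallback to the current working directory, announced only on stdout. The following hunk in this file appears to join the audited enclave info and auditor signature paths onto this directory, so which attestation material is loaded now depends on where the process was started. `Err(_)` also covers a value that is set but not valid Unicode, in which case the message wrongly says the variable is missing. Consider handling `Err(env::VarError::NotPresent)` separately and adding a comment above the match such as `// Falls back to the working directory; trust-relevant paths are resolved relative to it.`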
@@ -176,8 +197,8 @@ pub struct MesateeConfig {
     pub fns_external_connect_addr: IpAddr, // for TMS to return to users
     pub fns_external_port: u16,
 
-    pub ias_client_spid_path: PathBuf,
-    pub ias_client_key_path: PathBuf,
+    pub ias_client_spid_envvar: String,
+    pub ias_client_key_envvar: String,
 
     pub audited_enclave_info_path: PathBuf,
     pub auditor_a_signature_path: PathBuf,
@@ -202,13 +223,8 @@ lazy_static! {
             .to_path_buf()
             .join(&MESATEE_CONFIG_TOML.audited_enclave_config["signature_c"].path);
 
-        let ias_client_spid_path = Path::new(&mesatee_cfg_dir)
-            .to_path_buf()
-            .join(&MESATEE_CONFIG_TOML.ias_client_config["spid"].path);
-
-        let ias_client_key_path = Path::new(&mesatee_cfg_dir)
-            .to_path_buf()
-            .join(&MESATEE_CONFIG_TOML.ias_client_config["key"].path);
+        let ias_client_spid_envvar = env::var(&MESATEE_CONFIG_TOML.ias_client_config["spid"].env).unwrap_or_else(|_| "".into());
+        let ias_client_key_envvar = env::var(&MESATEE_CONFIG_TOML.ias_client_config["key"].env).unwrap_or_else(|_| "".into());
 
         MesateeConfig {
             tms_external_listen_addr: MESATEE_CONFIG_TOML.api_endpoints["tms"].listen_ip,
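Review bot: `ias_client_spid_envvar` and `ias_client_key_envvar` are assigned the result of `env::var(...)`, i.e. the SPID and API key themselves, not the variable names their suffix suggests; `sgx_launch_check` in mesatee_core/src/utils.rs already passes them back to `std::env::var` as if they were names. A missing variable is also collapsed to `""` by `unwrap_or_else(|_| "".into())`, so the failure only surfaces later as a generic `RAInternalError` from the length check in ra.rs. Naming the fields for what they hold (for example `ias_client_spid` / `ias_client_key`) and keeping the error until the launch check would make both mistakes harder. Since the key now lives in the global `MESATEE_CONFIG`, a comment on the field that it is a secret and must not be logged would help. This hunk starts inside the `lazy_static!` initializer, whose beginning is outside the hunk.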
@@ -237,8 +253,8 @@ lazy_static! {
             fns_external_connect_addr: MESATEE_CONFIG_TOML.api_endpoints["fns"].connect_ip.unwrap(),
             fns_external_port: MESATEE_CONFIG_TOML.api_endpoints["fns"].port,
 
-            ias_client_spid_path: ias_client_spid_path,
-            ias_client_key_path: ias_client_key_path,
+            ias_client_spid_envvar: ias_client_spid_envvar,
+            ias_client_key_envvar: ias_client_key_envvar,
 
             audited_enclave_info_path: audited_enclave_info_path,
             auditor_a_signature_path: auditor_a_signature_path,
diff --git a/mesatee_core/src/rpc/sgx/ra.rs b/mesatee_core/src/rpc/sgx/ra.rs
index aa91df0..8b21e1b 100644
--- a/mesatee_core/src/rpc/sgx/ra.rs
+++ b/mesatee_core/src/rpc/sgx/ra.rs
@@ -35,11 +35,9 @@ use sgx_types::*;
 
 use std::io::{Read, Write};
 use std::net::TcpStream;
-use std::path::Path;
 use std::ptr;
 use std::sync::{Arc, SgxRwLock};
 use std::time::*;
-use std::untrusted::fs;
 use std::untrusted::time::SystemTimeEx;
 
 use lazy_static::lazy_static;
@@ -263,7 +261,7 @@ fn talk_to_intel_ias(fd: c_int, req: String) -> Result<Vec<u8>> {
 }
 
 fn get_sigrl_from_intel(fd: c_int, gid: u32) -> Result<Vec<u8>> {
-    let ias_key = load_ias_key(&MESATEE_CONFIG.ias_client_key_path)?;
+    let ias_key = load_ias_key(&MESATEE_CONFIG.ias_client_key_envvar)?;
 
     let req = format!(
         "GET {}{:08x} HTTP/1.1\r\nHOST: {}\r\nOcp-Apim-Subscription-Key: {}\r\nConnection: Close\r\n\r\n",
@@ -279,7 +277,7 @@ fn get_sigrl_from_intel(fd: c_int, gid: u32) -> Result<Vec<u8>> {
 
 // TODO: support pse
 fn get_report_from_intel(fd: c_int, quote: Vec<u8>) -> Result<AttnReport> {
-    let ias_key = load_ias_key(&MESATEE_CONFIG.ias_client_key_path)?;
+    let ias_key = load_ias_key(&MESATEE_CONFIG.ias_client_key_envvar)?;
 
     let encoded_quote = base64::encode(&quote[..]);
     let encoded_json = format!("{{\"isvEnclaveQuote\":\"{}\"}}\r\n", encoded_quote);
@@ -409,7 +407,8 @@ fn create_attestation_report(pub_k: &sgx_ec256_public_t) -> Result<AttnReport> {
     let p_report = &rep as *const sgx_report_t;
     let quote_type = sgx_quote_sign_type_t::SGX_LINKABLE_SIGNATURE;
 
-    let spid_vec = load_spid(&MESATEE_CONFIG.ias_client_spid_path)?;
+    let spid_vec = load_spid(&MESATEE_CONFIG.ias_client_spid_envvar)?;
+
     let spid_str = std::str::from_utf8(&spid_vec)?;
     let spid: sgx_spid_t = decode_spid(spid_str)?;
 
@@ -478,21 +477,19 @@ fn create_attestation_report(pub_k: &sgx_ec256_public_t) -> Result<AttnReport> {
     get_report_from_intel(ias_sock, quote_vec)
 }
 
-fn load_ias_key(filename: &Path) -> Result<String> {
-    mayfail! {
-        mut keyfile  =<< fs::File::open(filename);
-        let mut result_string = String::new();
-        _ =<< keyfile.read_to_string(&mut result_string);
-        ret result_string
+fn load_ias_key(envvar: &str) -> Result<String> {
+    if envvar.len() == 32 {
+        Ok(envvar.into())
+    } else {
+        Err(Error::from(ErrorKind::RAInternalError))
     }
 }
 
-fn load_spid(filename: &Path) -> Result<Vec<u8>> {
-    mayfail! {
-        mut spidfile  =<< fs::File::open(filename);
-        let mut result_vec = Vec::new();
-        _ =<< spidfile.read_to_end(&mut result_vec);
-        ret result_vec
+fn load_spid(envvar: &str) -> Result<Vec<u8>> {
+    if envvar.len() == 32 {
+        Ok(envvar.as_bytes().into())
+    } else {
+        Err(Error::from(ErrorKind::RAInternalError))
     }
 }
 
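Review bot: `load_ias_key` and `load_spid` accept any 32-byte string, and the key is then interpolated verbatim into the `Ocp-Apim-Subscription-Key:` header built in `get_sigrl_from_intel`, so a 32-byte value containing whitespace or CR/LF produces a malformed request instead of a clear configuration error. Both values are presumably 32 hexadecimal characters (`decode_spid` is not shown here, so confirm), in which case the guard could be `if envvar.len() == 32 && envvar.bytes().all(|b| b.is_ascii_hexdigit()) {`. The parameter named `envvar` receives the variable's value, not its name; calling it `value` or adding a one-line doc comment would avoid that confusion.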
diff --git a/mesatee_core/src/utils.rs b/mesatee_core/src/utils.rs
index 8ad2542..469e164 100644
--- a/mesatee_core/src/utils.rs
+++ b/mesatee_core/src/utils.rs
@@ -14,18 +14,16 @@
 
 use crate::error::{ErrorKind, Result};
 use mesatee_config::MESATEE_CONFIG;
-use std::path::Path;
 
 // check prerequisites to make the launching process smoother
 // the launching may still fail even after passing the check
 pub fn sgx_launch_check() -> Result<()> {
-    // check the existence of ias_spid.txt and ias_key.txt
+    // check the existence of env var specified in config.toml
     if !cfg!(sgx_sim)
-        && (!Path::new(&MESATEE_CONFIG.ias_client_spid_path).is_file()
-            || !Path::new(&MESATEE_CONFIG.ias_client_key_path).is_file())
+        && (std::env::var(&MESATEE_CONFIG.ias_client_spid_envvar).is_ok()
+            || std::env::var(&MESATEE_CONFIG.ias_client_key_envvar).is_ok())
     {
-        error!("SGX launch check failed: {} or {} does NOT exist. Please follow \"How to Run (SGX)\" in README to obtain.",
-        "ias_spid.txt", "ias_key.txt");
+        error!("SGX launch check failed: Env var for IAS SPID or IAS KEY does NOT exist. Please follow \"How to Run (SGX)\" in README to obtain, and specify the value in environment variables and put the names of environment variables in config.toml.");
         return Err(ErrorKind::IASClientKeyCertError.into());
     }
     Ok(())
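Review bot: The rewritten condition in `sgx_launch_check` can no longer detect a missing SPID or key. `MESATEE_CONFIG.ias_client_spid_envvar` holds the variable's value (it is filled from `env::var(...)` in runtime_config.rs), so `std::env::var(&...)` looks up a variable named after the SPID itself, and the test went from `!...is_file()` to `.is_ok()`, so the error path is taken only when such a variable happens to exist. With `IAS_SPID`/`IAS_KEY` unset the fields are `""` and the check passes. Checking the stored values restores the intent: `&& (MESATEE_CONFIG.ias_client_spid_envvar.is_empty() || MESATEE_CONFIG.ias_client_key_envvar.is_empty())`. The function's closing brace lies outside the hunk.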

