From 22a1560a74f6d7c98aa1ff6bd35f5e1cf76764d0 Mon Sep 17 00:00:00 2001 From: Simon Ott Date: Mon, 25 Mar 2024 13:26:34 +0100 Subject: [PATCH] treewide: sgx setup and documentation fixes Signed-off-by: Simon Ott --- doc/Architecture.md | 13 +++++++------ doc/manual-setup.md | 19 +++++++++++++++---- example-setup/enclave.json | 4 ++-- testtool/Makefile | 2 +- 4 files changed, 25 insertions(+), 13 deletions(-) diff --git a/doc/Architecture.md b/doc/Architecture.md index 6f4a61cc..638fb809 100644 --- a/doc/Architecture.md +++ b/doc/Architecture.md 
@@ -57,23 +57,24 @@ Platform Configuration Registers (PCRs) during the *Measured Boot* and to genera which can be used to verify the platform state. Furthermore, the *tpmdriver* can use the *ima* package interfacing with the kernel's Integrity Measurement Architecture (IMA) for obtaining detailed measurement lists of the kernel modules, firmware and optionally further components -running on the platform. The *tpmdriver* can therefore act as *Measurement* as well as as -*Signer* interface. +running on the platform. __snpdriver:__ The *snpdriver* interfaces with the AMD SEV-SNP SP. It retrieves SNP measurements in the form of an SNP attestation report as well as the certificate chain for this attestation report from the -respective AMD servers. Currently, it can only act as *Measurement* interface. +respective AMD servers. __sgxdriver:__ -The *sgxdriver* interfaces with the Intel SGX CPU. It retrieves SGX measurements in the form of an SGX attestation report signed by the SGX quoting enclave. It implements a small caching mechanism to fetch and store the certificate chain used for report verification from the Intel SGX API. Currently, the driver only acts as a *Measurement* interface. +The *sgxdriver* interfaces with the Intel SGX CPU. It retrieves SGX measurements in the form of an +SGX attestation report signed by the SGX quoting enclave. It implements a small caching mechanism to +fetch and store the certificate chain used for report verification from the Intel SGX API. __tdxdriver:__ *Will be implemented as soon as Intel TDX hardware is available.* __swdriver:__ -The *swdriver* simply creates keys in software for testing purposes and can be used as *Signer* -interface. **Note**: This should mainly be used for testing purposes. +The *swdriver* simply creates keys in software for testing purposes. Currently, it does not implement +a measurement functionality. **Note**: This should mainly be used for testing purposes. 
__estserver:__ During provisioning, the cmcd requires interaction with a provisioning server (*estserver*). The diff --git a/doc/manual-setup.md b/doc/manual-setup.md index a212582d..badb8bc1 100644 --- a/doc/manual-setup.md +++ b/doc/manual-setup.md @@ -5,11 +5,14 @@ platform and run and test the tools. It was tested on Ubuntu 22.04 LTS. ## Install Prerequisites +Install utilities for building and setting up the PKI: ```sh -# Install utils sudo apt install moreutils golang-cfssl build-essential +``` -# Install tpm-pcr-tools for calculating/parsing TPM PCR values for TPM-based attestation +### TPM-specific Setup +Install tpm-pcr-tools for calculating/parsing TPM PCR values for TPM-based attestation: +```sh sudo apt install -y build-essential zlib1g-dev libssl-dev git clone https://github.com/Fraunhofer-AISEC/tpm-pcr-tools.git cd tpm-pcr-tools @@ -17,6 +20,14 @@ make sudo make install # Or launch from individual folders ``` +### Intel SGX-specific Setup + +Install the Intel SGX DCAP libraries and utilities according to the Intel +[manual](https://www.intel.com/content/www/us/en/developer/articles/guide/intel-software-guard-extensions-data-center-attestation-primitives-quick-install-guide.html). + +Install the [EGo framework](https://github.com/edgelesssys/ego). + + ## Build and Install the CMC and Tools ```sh 
@@ -151,8 +162,8 @@ tbd The reference values for Intel SGX consist of a fingerprint of the Intel Root CA certificate, the TCB Info and QE Identity structures, the enclave product ID (ISV Prod ID), the security version of the enclave (ISVSVN), expected enclave attributes (e.g. DEBUG, Mode64Bit, etc.), a hash of the enclave measurement (MRENCLAVE) and a hash of the enclave signing key (MRSIGNER). -The Root CA certificate, TCB Info and QE Identity structures can be retrieved from the [Intel API](https://api.portal.trustedservices.intel.com/content/documentation.html). ISV SVN and ISV Prod ID are assigned by the enclave author. The EGo framework sets these values to 1 by default. -The MRENCLAVE and MRSIGNER values for an enclave can be retrieved via the EGo CLI tool with the commands ```ego uniqueid $ENCLAVE_PROGRAM``` and ```ego signerid $ENCLAVE_PROGRAM```. +The Root CA certificate, TCB Info and QE Identity structures can be retrieved from the [Intel API](https://api.portal.trustedservices.intel.com/content/documentation.html). ISV SVN and ISV Prod ID are assigned by the enclave author. The EGo framework sets these values to 1 by default. +The MRENCLAVE and MRSIGNER values for an enclave can be retrieved via the EGo CLI tool with the commands ```ego uniqueid $ENCLAVE_PROGRAM``` and ```ego signerid $ENCLAVE_PROGRAM```. ### 4. Sign the metadata diff --git a/example-setup/enclave.json b/example-setup/enclave.json index 3c793491..bc712e80 100644 --- a/example-setup/enclave.json +++ b/example-setup/enclave.json @@ -1,5 +1,5 @@ { - "exe": "testtool", + "exe": "../testtool/testtool", "key": "private.pem", "debug": false, "heapSize": 512, @@ -16,4 +16,4 @@ ], "env": null, "files": null -} \ No newline at end of file +} diff --git a/testtool/Makefile b/testtool/Makefile index cd12cd48..76a75816 100644 --- a/testtool/Makefile +++ b/testtool/Makefile 
@@ -8,6 +8,6 @@ all: go build egocmc: - CGO_CFLAGS=-D_FORTIFY_SOURCE=0 ego-go build && ego sign testtool + CGO_CFLAGS=-D_FORTIFY_SOURCE=0 ego-go build && ego sign ../example-setup/enclave.json
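Review bot: In the Architecture.md hunk, the swdriver paragraph now says the same thing twice ("simply creates keys in software for testing purposes" and then "**Note**: This should mainly be used for testing purposes"); keep one of them, and "a measurement functionality" reads better as "measurement functionality". More importantly, this hunk strips the *Measurement*/*Signer* role wording from the tpmdriver and snpdriver entries (and the sgxdriver entry never gained it), while the swdriver entry still describes itself in those terms. If the two interface roles still exist elsewhere in Architecture.md, each driver entry should keep one sentence stating which roles it implements, as the swdriver entry does; if the roles were removed from the design, the swdriver sentence should go too, so that the four entries describe the drivers consistently.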
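Review bot: The first manual-setup.md hunk is formatted inconsistently: "### TPM-specific Setup" is followed directly by its sentence, "### Intel SGX-specific Setup" is followed by a blank line, and two blank lines precede "## Build and Install the CMC and Tools". On content, "Install the Intel SGX DCAP libraries and utilities according to the Intel manual" is not actionable on its own; name the DCAP packages (and minimum versions) the sgxdriver is known to work with, and say that the certificate-chain cache described in Architecture.md needs outbound access to the Intel SGX API from the machine running cmcd, which matters for air-gapped setups. Minor: "sudo apt install -y build-essential zlib1g-dev libssl-dev" repeats build-essential, which the block just above already installs.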
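Review bot: The second manual-setup.md hunk ("@@ -151,8 +162,8 @@") removes and re-adds two lines that are byte-for-byte identical as displayed, so it is presumably a trailing-whitespace fix; either say so in the commit message or drop the hunk if it is accidental, since it obscures the real changes in the file. While touching these lines, two wording points: "a hash of the enclave measurement (MRENCLAVE)" is imprecise, MRENCLAVE is the measurement itself (the SHA-256 over the enclave's initial contents and layout) whereas MRSIGNER is the SHA-256 of the signer's public key; and because "The EGo framework sets these values to 1 by default", two enclaves signed with the same key and left at the defaults differ only in MRENCLAVE, so the text should tell readers to set productID and securityVersion explicitly in enclave.json if the ISV Prod ID and ISV SVN reference values are meant to carry any meaning for the verifier.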
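Review bot: In the enclave.json hunk, "exe": "../testtool/testtool" is a relative path, and the Makefile hunk now runs "ego sign ../example-setup/enclave.json" from testtool/; confirm that ego sign resolves exe relative to the directory containing enclave.json rather than the current working directory, because if it is the latter the correct value from testtool/ is "testtool" and the two changes contradict each other. A one-line comment next to the make target would save the next reader the same check. Also, "key": "private.pem" is the signing key whose public half becomes MRSIGNER, one of the reference values listed in the manual-setup hunk; if that file ships with the example setup, the documentation must state that it is for the example only and that a verifier must not accept its MRSIGNER outside of testing, since anyone with the repository can produce an enclave that matches it. The missing-newline fix at the end of the file is good.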
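Review bot: "CGO_CFLAGS=-D_FORTIFY_SOURCE=0" turns off glibc's fortified source checks for the cgo part of the enclave build, and the reason is not recorded anywhere in this patch; add a comment above the egocmc target (or a sentence in manual-setup.md) explaining why the EGo build needs it, so that the flag is neither copied into non-enclave builds nor silently removed by someone treating it as a hardening regression. The target now also depends on ../example-setup/enclave.json and on the key that file references, so either list enclave.json as a prerequisite of egocmc or document the dependency; with enclave.json pointing back at "../testtool/testtool", the two files must be kept in step and make currently has no way to notice when they are not.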