Skip to content

Commit

Permalink
updated sgx example setup
Browse files Browse the repository at this point in the history
  • Loading branch information
cdotsh authored and smo4201 committed Apr 24, 2024
1 parent 9cab05d commit 4b0c609
Show file tree
Hide file tree
Showing 6 changed files with 74 additions and 12 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ est/estserver/estserver
**/attestation-result.json
tools/cmc-signing-tool/cmc-signing-tool
tools/cmc-converter/cmc-converter
tools/fmspc-retrieval-tool/fmspc-retrieval-tool
tpm/test_encrypted_ak.json
example-setup/data-cmc/
example-setup/**/*.cbor
Expand Down
5 changes: 3 additions & 2 deletions doc/build.md
Original file line number Diff line number Diff line change
Expand Up @@ -86,8 +86,9 @@ Since SGX enclaves are designed to execute only one process inside an isolated e

Once you have developed your application and integrated the cmc library following the instructions provided in the [integration documentation](integration.md), compile, sign and run it like this:
```
CGO_CFLAGS=-D_FORTIFY_SOURCE=0 ego-go build && ego sign $CMC_ROOT/cmc-data/enclave.json
ego run testtool
CGO_CFLAGS=-D_FORTIFY_SOURCE=0 ego-go build && ego sign ../example-setup/enclave.json # or create custom enclave.json
sudo ego run testtool -mode generate -config cmc-data/libapi-sgx-config.json # run generate example
sudo ego run testtool -mode verify -config cmc-data/libapi-sgx-config.json # run verify example
```

Additional information for the enclave such as heapSize, mount points, security version (ISV SVN) and enclave product ID (ISV Prod ID) can be specified in the enclave.json file.
Expand Down
2 changes: 1 addition & 1 deletion example-setup/enclave.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"exe": "../testtool/testtool",
"key": "private.pem",
"key": "../../cmc-data/private.pem",
"debug": false,
"heapSize": 512,
"executableHeap": false,
Expand Down
2 changes: 1 addition & 1 deletion example-setup/libapi-sgx-config.json
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
"sgx"
],
"metadata": [
"file://./cmc-data/metadata-signed"
"file://cmc-data/metadata-signed"
],
"storage": "cmc-data/testtool-internal",
"cache": "cmc-data/testtool-cache"
Expand Down
20 changes: 12 additions & 8 deletions example-setup/sgx-setup-sample
Original file line number Diff line number Diff line change
Expand Up @@ -12,17 +12,15 @@ abs_path() {
fi
}

if [[ "$#" -ne 5 ]]; then
echo "Usage: ./setup-full-simple <cmc-folder> <data-folder> <cbor|json> <mrenclave> <mrsigner>"
if [[ "$#" -ne 3 ]]; then
echo "Usage: ./setup-full-simple <cmc-folder> <data-folder> <cbor|json>"
exit
fi


cmc="$(abs_path "${1}")"
data="$(abs_path "${2}")"
ser="${3}"
mrenclave="${4}"
mrsigner="${5}"

if [[ ! -d "$cmc" ]]; then
echo "cmc directory does not exist. Did you clone the repository? Abort.."
Expand All @@ -36,7 +34,6 @@ fi
echo "Using cmc: ${cmc}"
echo "Using $data as directory for local data"


# Install dependencies
sudo apt install -y moreutils golang-cfssl build-essential zlib1g-dev libssl-dev jq openssl

Expand All @@ -49,6 +46,14 @@ go build ./...
echo "Installing cmc"
go install ./...

# Build testtool enclave
cd "${cmc}/testtool"
make egocmc

# Get MRENCLAVE and MRSIGNER
mrenclave=$(echo "$(ego uniqueid testtool)" | awk 'NR==1')
mrsigner=$(echo "$(ego signerid testtool)" | awk 'NR==1')

# Copy metadata templates
cp -r "${cmc}/example-setup/"* "${data}"

Expand All @@ -67,8 +72,7 @@ pcesvn="$(echo "${pckid_retrieval}" | cut -d ',' -f4)"
rm -f pckid_retrieval.csv

# GET PCK Certificate and extract FMSPC
pck_cert="$(curl -s -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert?encrypted_ppid=$encrypted_ppid&cpusvn=$cpusvn&pceid=$pceid&pcesvn=$pcesvn")"
FMSPC="$(openssl asn1parse -inform PEM -in <(echo -n "$pck_cert") -strparse 626 | grep -oP '427:d=2.*' | awk -F: '/HEX DUMP/{print $NF}')"
fmspc="$(fmspc-retrieval-tool -encrypted_ppid "${encrypted_ppid}" -pceid "${pceid}" -cpusvn "${cpusvn}" -pcesvn "${pcesvn}")"

# GET root CA certificate fingerprint
cert_chain=$(curl -I -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert?encrypted_ppid=$encrypted_ppid&cpusvn=$cpusvn&pceid=$pceid&pcesvn=$pcesvn" | grep 'SGX-PCK-Certificate-Issuer-Chain')
Expand All @@ -77,7 +81,7 @@ root_ca=$(echo -e "$decoded" | sed -n '/-----END CERTIFICATE-----/,$p' | sed '1d
ca_fingerprint=$(openssl x509 -in <(echo "$root_ca") -noout -sha256 -fingerprint | awk -F= '{print $2}' | tr -d ': ' | tr '[:upper:]' '[:lower:]')

# GET TCB Info
tcb_info="$(curl -s -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/tcb?fmspc=$FMSPC" | jq -c .)"
tcb_info="$(curl -s -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/tcb?fmspc=$fmspc" | jq -c .)"
echo "$tcb_info" > "${data}/metadata-raw/tcb_info.json"

# GET Quoting Enclave Identity
Expand Down
56 changes: 56 additions & 0 deletions tools/fmspc-retrieval-tool/main.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
package main

import (
"encoding/hex"
"flag"
"fmt"
"io"
"net/http"

"github.com/Fraunhofer-AISEC/cmc/attestationreport"
"github.com/Fraunhofer-AISEC/cmc/internal"
)

var (
pckCertUrl = "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert?encrypted_ppid=%s&cpusvn=%s&pceid=%s&pcesvn=%s"
)

func main() {
encrypted_ppid := flag.String("encrypted_ppid", "", "Encrypted PPID string")
pceid := flag.String("pceid", "", "PCEID string")
cpusvn := flag.String("cpusvn", "", "CPUSVN string")
pcesvn := flag.String("pcesvn", "", "PCESVN string")
flag.Parse()

if encrypted_ppid == nil || pceid == nil || cpusvn == nil || pcesvn == nil {
return
}

pckCertUrl = fmt.Sprintf(pckCertUrl, *encrypted_ppid, *cpusvn, *pceid, *pcesvn)

resp, err := http.Get(pckCertUrl)
if err != nil {
fmt.Println("failed to retrieve PCK certificate")
return
}

defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
fmt.Println("failed to read response body")
return
}

cert, err := internal.ParseCertsPem(body)
if err != nil {
fmt.Println("failed to parse PEM certificate")
return
}

sgxExtensions, err := attestationreport.ParseSGXExtensions(cert[0].Extensions[attestationreport.SGX_EXTENSION_INDEX].Value[4:])
if err != nil {
fmt.Println("failed to parse SGX extensions")
return
}
fmt.Print(hex.EncodeToString(sgxExtensions.Fmspc.Value))
}

0 comments on commit 4b0c609

Please sign in to comment.