forked from sslab-gatech/opensgx
OPENSGX USER-LEVEL DESIGN
# Start-up process
a. Init : Reserve memory for EPC pages
   QEMU init
   Stack init
b. Create Launch Enclave : syscall_create_enclave()
   0. Enclave measurements
      - Perform the same steps as step 1 - 3.
      - Compute the measurements (enclave identity).
      - Clear the allocated epc pages.
   1. ECREATE (in alloc_secs)
      - allocate secs
      - set secs (base addr, enclave size)
        Note: base addr is equal to the secs addr by design.
      - set secinfo
      - set pageinfo
      - call ECREATE
   2. Add TCS Page
      - set up tcs.
      - Use EADD to add the page.
   3. Add REG Pages
      - Add REG pages with entry point provided.
      - Use EADD to add pages.
   4. Add stack frames
      - Add stack frames (REG pages)
      - Use EADD to add pages. (allocate epc pages)
c. Current settings
   - Total epc size:
   - Default enclave size:
   - Total stack size:
   - Stack per thread size:
d. EPC memory layout
   - Consider the case of adding one enclave.
   =========================================
                EPC Addr Begin
   =========================================
   Launch Enclave    SECS Page(s)
                     TCS Page(s)
                     REG Page(s)
                     Stack Frames
   =========================================
   Enclave 1         SECS Page(s)
                     TCS Page(s)
                     REG Page(s)
                     Stack Frames
   =========================================
                Free EPC Pages
   =========================================
                EPC Addr End
   =========================================
e. Enclave design
   - Enclave size: secs->size
   - Baseaddr: secs->baseaddr
   - Measurement: secs->mrEnclave
   - Signature: secs->mrSigner
   - Control entry point: tcs->oentry (relative to baseaddr)
   - SSA offset: tcs->ossa (relative to baseaddr)
   - FS section: tcs->ofsbasgx ~ tcs->ofsbasgx + tcs->fslimit (relative to baseaddr)
   - GS section: tcs->ogsbasgx ~ tcs->ogsbasgx + tcs->gslimit (relative to baseaddr)
f. Security features
   - Enclave signature: sigstruct.signature == secs.mrsigner
     - Signature generated from sigstruct
     - Signed fields: HEADER, VENDOR, DATE, HEADER2, SWDEFINFO,
                      RESERVED, MISCSELECT*, MISCMASK*, RESERVED2,
                      ATTRIBUTE, ATTRIBUTEMASK, ENCLAVEHASH, RESERVED3,
                      ISVPRODID, ISVSVN
   - Enclave measurement: sigstruct.enclavehash == secs.mrenclave
     - Before EINIT is executed, EEXTEND is used to measure the enclave and
       update the secs.mrenclave value.
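
Added example (not OpenSGX code): a Python model of the measurement replay in step b.0 and the sigstruct.enclavehash == secs.mrenclave check above. The 64-byte ECREATE/EADD/EEXTEND record layout follows the Intel SGX definition and is assumed, not taken from this README; the TCS at offset 0, the SSA frame size, the sample pages and all names are constructed for illustration.

```python
import hashlib
import hmac
import struct

PAGE = 4096
PT_TCS, PT_REG = 1, 2      # SECINFO page types
R, W, X = 1, 2, 4          # SECINFO permission bits


class Measurement:
    """Running SHA-256 over 64-byte ECREATE/EADD/EEXTEND records (assumed layout)."""

    def __init__(self, enclave_size, ssa_frame_size=1):
        self.size = enclave_size
        self.h = hashlib.sha256(
            struct.pack("<8sIQ44x", b"ECREATE", ssa_frame_size, enclave_size))

    def eadd(self, offset, page, page_type, perms=0):
        """EADD one page, then EEXTEND it in 256-byte chunks."""
        if len(page) != PAGE or offset % PAGE or not 0 <= offset <= self.size - PAGE:
            raise ValueError("page must be 4 KiB, aligned and inside the enclave")
        flags = perms | (page_type << 8)            # first 8 bytes of SECINFO
        self.h.update(struct.pack("<8sQQ40x", b"EADD", offset, flags))
        for off in range(0, PAGE, 256):
            self.h.update(struct.pack("<8sQ48x", b"EEXTEND", offset + off))
            self.h.update(page[off:off + 256])


def measure_enclave(reg_pages, enclave_size):
    """Replay README steps 1-3: ECREATE, one TCS page, then the REG pages."""
    m = Measurement(enclave_size)
    # Constructed TCS: only oentry (byte offset 32) is set, to the first REG page.
    m.eadd(0, struct.pack("<32xQ", PAGE).ljust(PAGE, b"\0"), PT_TCS)
    for i, page in enumerate(reg_pages, start=1):
        m.eadd(i * PAGE, page, PT_REG, R | X)
    return m.h.digest()


def einit_check(sigstruct_enclavehash, secs_mrenclave):
    """The README's rule: sigstruct.enclavehash == secs.mrenclave."""
    return hmac.compare_digest(sigstruct_enclavehash, secs_mrenclave)


# Constructed sample pages, not real enclave code.
CODE = [b"\x90" * PAGE, b"\xc3" * PAGE]
SIGNED_HASH = measure_enclave(CODE, 16 * PAGE)      # value the signer records
TAMPERED = [CODE[0], b"\xcc" + CODE[1][1:]]         # one byte changed before load
```

Because every record carries the page offset and SECINFO flags, the digest changes if a page's content, position, type or permissions differ from what was signed, so einit_check(SIGNED_HASH, measure_enclave(TAMPERED, 16 * PAGE)) fails.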
g. Customized ssl library
   - Based on OpenSSL
   - Standard library calls are changed into sgx ABI calls so that the library can be placed and run inside the enclave
   - Library repackaging
     $ cd user/openssl
     $ ./config no-comp no-asm no-shared no-hw no-engines no-threads no-dso
     $ make
   - After building libcrypto.a (customized openssl for sgx), compile against it and use the ssl library functions
     (See tp/README or tor/README)
h. Local attestation
   - Based on PolarSSL (modified PolarSSL, user/polarssl_sgx)
   - Standard library calls are changed into sgx ABI calls so that the library can be placed and run inside the enclave
   - For execution, see test/simple-challenger, test/simple-quotingEnclave, and test/simple-targetEnclave.