packages/secGear
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!44 同步openeuler/secgear补丁

Browse Source 
From: @chenmaodong
Reviewed-by: @blue0613
Signed-off-by: @blue0613
This commit is contained in:
openeuler-ci-bot 2021-05-21 15:21:17 +08:00 committed by Gitee
commit 6b315cc253
25 changed files with 4830 additions and 344 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
0009-fix-cmake-error-of-missing-CMAKE_CXX_COMPILER.patch Normal file
View File

@ -0,0 +1,43 @@
From ca6b3ab02bd3d1853a88d637b38daf45c737e15e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=AB=A0=E6=9F=B3=E7=87=95?= <zhangliuyan@huawei.com>
Date: Thu, 4 Mar 2021 11:16:05 +0800
Subject: [PATCH 1/1] =?UTF-8?q?=E4=BF=AE=E6=94=B9cmake=E9=94=99=E8=AF=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: root <root@localhost.localdomain>
---
src/enclave_src/CMakeLists.txt | 2 +-
tools/codegener/CMakeLists.txt | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/enclave_src/CMakeLists.txt b/src/enclave_src/CMakeLists.txt
index cb09b5c..66a36ea 100644
--- a/src/enclave_src/CMakeLists.txt
+++ b/src/enclave_src/CMakeLists.txt
@@ -8,7 +8,7 @@
# PURPOSE.
# See the Mulan PSL v2 for more details.
-project(secgear_tee)
+project(secgear_tee C)
set(target_lib secgear_tee)
set(LIBRARY_INSTALL /lib64)
diff --git a/tools/codegener/CMakeLists.txt b/tools/codegener/CMakeLists.txt
index c5fd618..0f8b5af 100644
--- a/tools/codegener/CMakeLists.txt
+++ b/tools/codegener/CMakeLists.txt
@@ -10,7 +10,7 @@
include(ExternalProject)
-project(CodeGen)
+project(CodeGen C)
find_program(DUNE dune)
--
2.27.0

0
0009-fix-sgxssl-edl.patch → 0010-fix-sgxssl-edl.patch
View File

0
0010-update-docs-build_install.md.patch → 0011-update-docs-build_install.md.patch
View File

0
0011-modify-the-prompt-information.patch → 0012-modify-the-prompt-information.patch
View File

0
0012-parse-new-error-code-and-del-redundant-print.patch → 0013-parse-new-error-code-and-del-redundant-print.patch
View File

0
0013-fix-error-print.patch → 0014-fix-error-print.patch
View File

0
0014-set-umask-in-sign_tool.sh.patch → 0015-set-umask-in-sign_tool.sh.patch
View File

0
0015-1.fix-the-race-of-ecall-and-enclave-destroy.patch → 0016-1.fix-the-race-of-ecall-and-enclave-destroy.patch
View File

0
0016-fix-wrong-spelling-and-null-pointer-dereference-issu.patch → 0017-fix-wrong-spelling-and-null-pointer-dereference-issu.patch
View File

50
0018-update-sign_tool.doc.patch Normal file
View File

@ -0,0 +1,50 @@
From 8a586fc5fa249ced59ae495357c64baa7c6201f0 Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Thu, 25 Mar 2021 15:27:32 +0800
Subject: [PATCH 01/14] update sign_tool.doc
---
docs/sign_tool.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/sign_tool.md b/docs/sign_tool.md
index 3a49d5b..26805bd 100644
--- a/docs/sign_tool.md
+++ b/docs/sign_tool.md
@@ -4,7 +4,7 @@ The sign_tool.sh helps to sign the enclave.
## The sign_tool.sh
-The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'sign_too.py' for signing the trustzone enclave.
+The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'sign_tool.py' for signing the trustzone enclave.
The tool supports the following two modes:
@@ -13,21 +13,21 @@ The tool supports the following two modes:
For example:
- `$ ./signtool.sh d sign x trustzone i test.enclave -m manifest.txt e device_pubkey.pem o signed.enclave `
+ `$ ./sign_tool.sh d sign x trustzone i test.enclave -m manifest.txt e device_pubkey.pem o signed.enclave `
- two-step method, it is used when the signature needs to be obtained from the signing organization or the private key is stored on another secure platform.
For example:
(1) generate the digest value.
- `$ ./signtool.sh d digest x trustzone i input -m manifest.txt e device_pubkey.pem o digest.data `
+ `$ ./sign_tool.sh d digest x trustzone i input -m manifest.txt e device_pubkey.pem o digest.data `
For trustzone, temporary files KeyInfo.enc, rawData.enc, and rawDataHash.bin are generated in the current directory. And for sgx, a temporary file signdata is generated in the current directory. The temporary file is required when generating the signed enclave in step 3 and is deleted after the signed enclave is generated.
(2) send the digest.data to the signing organization or platform and get the signature.
(3) use the signature to generate the signed enclave.
- `$ ./signtool.sh d sign x trustzone i input -m manifest.txt p pub.pem e device_pubkey.pem s signature o signed.enclave `
+ `$ ./sign_tool.sh d sign x trustzone i input -m manifest.txt p pub.pem e device_pubkey.pem s signature o signed.enclave `
## sign_tool.sh parameter
--
2.27.0

157
0019-normalized-codegen-from-arm-and-x86.patch Normal file
View File

@ -0,0 +1,157 @@
From 3b7651a53017e41726b80b24fc1757c06cf73ba7 Mon Sep 17 00:00:00 2001
From: whzhe <wanghongzhe@huawei.com>
Date: Mon, 12 Apr 2021 10:33:17 +0800
Subject: [PATCH 02/14] normalized codegen from arm and x86
---
README.en.md | 3 +--
README.md | 5 ++---
docs/codegener.md | 14 +++++---------
examples/helloworld/CMakeLists.txt | 3 +--
examples/seal_data/CMakeLists.txt | 3 +--
tools/codegener/CMakeLists.txt | 8 +-------
6 files changed, 11 insertions(+), 25 deletions(-)
diff --git a/README.en.md b/README.en.md
index fa47d03..909358f 100644
--- a/README.en.md
+++ b/README.en.md
@@ -50,16 +50,15 @@ Then save as test.edl
set(EDL_FILE test.edl)
set(LOCAL_ROOT_PATH "$ENV{CC_SDK}")
set(SECGEAR_INSTALL_PATH /lib64/)
+ set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
- set(CODEGEN codegen_arm64)
execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID)
string(REPLACE "\n" "" UUID ${UUID})
add_definitions(-DPATH="/data/${UUID}.sec")
endif()
if(CC_SGX)
set(CODETYPE sgx)
- set(CODEGEN codegen_x86_64)
add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so")
endif()
add_subdirectory(${CURRENT_ROOT_PATH}/enclave)
diff --git a/README.md b/README.md
index 54c32e3..fafe3f9 100644
--- a/README.md
+++ b/README.md
@@ -42,16 +42,15 @@ SecGear则是面向计算产业的机密计算安全应用开发套件。旨在
set(EDL_FILE test.edl)
set(LOCAL_ROOT_PATH "$ENV{CC_SDK}")
set(SECGEAR_INSTALL_PATH /lib64/)
+ set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
- set(CODEGEN codegen_arm64)
execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID)
string(REPLACE "\n" "" UUID ${UUID})
add_definitions(-DPATH="/data/${UUID}.sec")
endif()
if(CC_SGX)
set(CODETYPE sgx)
- set(CODEGEN codegen_x86_64)
add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so")
endif()
add_subdirectory(${CURRENT_ROOT_PATH}/enclave)
diff --git a/docs/codegener.md b/docs/codegener.md
index cc20013..85fc6a0 100644
--- a/docs/codegener.md
+++ b/docs/codegener.md
@@ -1,19 +1,15 @@
-# Getting started with the codegen_x86_64/codegen_arm64
+# Getting started with the codegen
-The codegen_x86_64/codegen_arm64 helps to define these special functions through the `edl` files and assist user to using enclave.
+The codegen helps to define these special functions through the `edl` files and assist user to using enclave.
-## The codegen_x86_64/codegen_arm64
+## The codegen
-The codegen_x86_64/codegen_arm64 is based on the 'edger8r' tool in SGX SDK.
+The codegen is based on the 'edger8r' tool in SGX SDK.
- For example
```
$ codegen_arm64 --trustzone test.edl
```
-OR
-```
-$ codegen_x86_64 --sgx test.edl
-```
-**Note**: using the `codegen_x86_64/codegen_arm64 --help` to get more details.
+**Note**: using the `codegen --help` to get more details.
## EDL format
- For SGX(x86)
diff --git a/examples/helloworld/CMakeLists.txt b/examples/helloworld/CMakeLists.txt
index a758f1c..5da2a6b 100644
--- a/examples/helloworld/CMakeLists.txt
+++ b/examples/helloworld/CMakeLists.txt
@@ -16,10 +16,10 @@ set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
#set edl name
set(EDL_FILE helloworld.edl)
+set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
- set(CODEGEN codegen_arm64)
execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID)
string(REPLACE "\n" "" UUID ${UUID})
add_definitions(-DPATH="/data/${UUID}.sec")
@@ -27,7 +27,6 @@ endif()
if(CC_SGX)
set(CODETYPE sgx)
- set(CODEGEN codegen_x86_64)
add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so")
endif()
diff --git a/examples/seal_data/CMakeLists.txt b/examples/seal_data/CMakeLists.txt
index 20e2fd5..503fe0d 100644
--- a/examples/seal_data/CMakeLists.txt
+++ b/examples/seal_data/CMakeLists.txt
@@ -17,10 +17,10 @@ set(CMAKE_C_STANDARD 99)
set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
set(EDL_FILE seal_data.edl)
+set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
- set(CODEGEN codegen_arm64)
execute_process(COMMAND uuidgen -r
OUTPUT_VARIABLE UUID)
string(REPLACE "\n" "" UUID ${UUID})
@@ -29,7 +29,6 @@ endif()
if(CC_SGX)
set(CODETYPE sgx)
- set(CODEGEN codegen_x86_64)
add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/seal_data.signed.so")
endif()
diff --git a/tools/codegener/CMakeLists.txt b/tools/codegener/CMakeLists.txt
index 0f8b5af..e52d894 100644
--- a/tools/codegener/CMakeLists.txt
+++ b/tools/codegener/CMakeLists.txt
@@ -18,13 +18,7 @@ if(NOT DUNE)
message(FATAL_ERROR "Please check your dune installation")
endif()
-if(CC_SGX)
- set(code codegen_x86_64)
-endif()
-
-if(CC_GP)
- set(code codegen_arm64)
-endif()
+set(code codegen)
ExternalProject_Add(codegen
SOURCE_DIR ${LOCAL_ROOT_PATH}/tools/codegener
--
2.27.0

353
0017-update-signtool-codegen.patch → 0020-rm-e-parameter-normalize-c-parameter.patch
View File

@ -1,75 +1,26 @@
From ace83320ad722deae65672e9801b1e58c62f7a81 Mon Sep 17 00:00:00 2001
From f7995d756490c966659976153630403ba9941c18 Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Wed, 12 May 2021 10:44:12 +0800
Subject: [PATCH] patch
Date: Mon, 12 Apr 2021 11:17:16 +0800
Subject: [PATCH 03/14] rm -e parameter, normalize -c parameter
---
CMakeLists.txt | 2 +-
README.en.md | 21 ++++--------
README.md | 15 +++------
docs/build_install.md | 4 +++
docs/codegener.md | 14 +++-----
docs/sign_tool.md | 14 ++++----
examples/helloworld/CMakeLists.txt | 3 +-
examples/helloworld/enclave/CMakeLists.txt | 6 ++--
examples/helloworld/host/main.c | 18 +++++++++-
examples/seal_data/CMakeLists.txt | 5 ++-
examples/seal_data/enclave/CMakeLists.txt | 7 ++--
src/enclave_src/CMakeLists.txt | 2 +-
tools/codegener/CMakeLists.txt | 10 ++----
tools/sign_tool/sign_tool.sh | 39 ++++++++--------------
14 files changed, 69 insertions(+), 91 deletions(-)
README.en.md | 12 ++----
README.md | 10 ++---
docs/sign_tool.md | 12 +++---
examples/helloworld/enclave/CMakeLists.txt | 6 +--
examples/seal_data/enclave/CMakeLists.txt | 7 +---
.../enclave/rsa_public_key_cloud.pem | 11 ------
.../sign_tool}/rsa_public_key_cloud.pem | 0
tools/sign_tool/sign_tool.sh | 39 +++++++------------
8 files changed, 29 insertions(+), 68 deletions(-)
delete mode 100644 examples/seal_data/enclave/rsa_public_key_cloud.pem
rename {examples/helloworld/enclave => tools/sign_tool}/rsa_public_key_cloud.pem (100%)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 98862a3..edb7d80 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -8,7 +8,7 @@
# PURPOSE.
# See the Mulan PSL v2 for more details.
-cmake_minimum_required(VERSION 3.12 FATAL_ERROR)
+cmake_minimum_required(VERSION 3.10 FATAL_ERROR)
project(secGear C)
set(CMAKE_C_STANDARD 99)
diff --git a/README.en.md b/README.en.md
index fa47d03..aa8c4a8 100644
index fa47d03..0acc4f8 100644
--- a/README.en.md
+++ b/README.en.md
@@ -1,4 +1,4 @@
-<img src="docs/logo.png" alt="secGear" style="zoom:100%;" />
+<img src="docs/logo.png" alt="secGear" style="zoom:100%;" />
secGear
============================
@@ -43,23 +43,22 @@ Then save as test.edl
### 2 Write the top-level CMakeLists.txt
- cmake_minimum_required(VERSION 3.12 FATAL_ERROR)
+ cmake_minimum_required(VERSION 3.10 FATAL_ERROR)
project(TEST C)
set(CMAKE_C_STANDARD 99)
set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
set(EDL_FILE test.edl)
set(LOCAL_ROOT_PATH "$ENV{CC_SDK}")
set(SECGEAR_INSTALL_PATH /lib64/)
+ set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
- set(CODEGEN codegen_arm64)
execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID)
string(REPLACE "\n" "" UUID ${UUID})
add_definitions(-DPATH="/data/${UUID}.sec")
endif()
if(CC_SGX)
set(CODETYPE sgx)
- set(CODEGEN codegen_x86_64)
add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so")
endif()
add_subdirectory(${CURRENT_ROOT_PATH}/enclave)
@@ -254,8 +253,6 @@ Set sign tool and the security side log printing level
@@ -254,8 +254,6 @@ Set sign tool and the security side log printing level
if(CC_GP)
#set signed output
set(OUTPUT ${UUID}.sec)
@ -78,7 +29,7 @@ index fa47d03..aa8c4a8 100644
set(WHITE_LIST_0 /vendor/bin/helloworld)
set(WHITE_LIST_1 /vendor/bin/secgear_test)
@@ -270,8 +267,7 @@ Set sign tool and the security side log printing level
@@ -270,8 +268,7 @@ Set sign tool and the security side log printing level
WHITE_LIS_X sets the whitelist of itrustee, only the host binary of these paths can call this secure image,
and up to 8 list paths can be configured. WHITE_LIST_OWNER set user, this user will be applied to all whitelist paths.
@ -88,7 +39,7 @@ index fa47d03..aa8c4a8 100644
generate auxiliary code.
if(CC_SGX)
@@ -339,8 +335,8 @@ so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options was in
@@ -339,8 +336,8 @@ so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options was in
add_custom_command(TARGET ${PREFIX}
POST_BUILD
@ -99,7 +50,7 @@ index fa47d03..aa8c4a8 100644
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT}
DESTINATION /data
@@ -425,9 +421,6 @@ configuration file. For details, please refer to the official development docum
@@ -425,9 +422,6 @@ configuration file. For details, please refer to the official development docum
Write itrustee related configuration files
The gpd.ta.appID in the manifest.txt.in file is the uuid configuration item, which is dynamically generated,
and the other configuration items can refer to the itrustee development document.
@ -109,44 +60,11 @@ index fa47d03..aa8c4a8 100644
### 5 build and install test
@@ -509,5 +502,5 @@ secGear introduce the signing tool to sign the enclave.
Milestone
---------
-<img src="docs/milestone.png" alt="secGear" style="zoom:80%;" />
+<img src="docs/milestone_en.png" alt="secGear" style="zoom:80%;" />
diff --git a/README.md b/README.md
index 54c32e3..a90450b 100644
index 54c32e3..77bebd6 100644
--- a/README.md
+++ b/README.md
@@ -35,23 +35,22 @@ SecGear则是面向计算产业的机密计算安全应用开发套件。旨在
### 2 编写最外层CMakeLists.txt文件
- cmake_minimum_required(VERSION 3.12 FATAL_ERROR)
+ cmake_minimum_required(VERSION 3.10 FATAL_ERROR)
project(TEST C)
set(CMAKE_C_STANDARD 99)
set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
set(EDL_FILE test.edl)
set(LOCAL_ROOT_PATH "$ENV{CC_SDK}")
set(SECGEAR_INSTALL_PATH /lib64/)
+ set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
- set(CODEGEN codegen_arm64)
execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID)
string(REPLACE "\n" "" UUID ${UUID})
add_definitions(-DPATH="/data/${UUID}.sec")
endif()
if(CC_SGX)
set(CODETYPE sgx)
- set(CODEGEN codegen_x86_64)
add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so")
endif()
add_subdirectory(${CURRENT_ROOT_PATH}/enclave)
@@ -236,8 +235,6 @@ test_t.h该头文件为自动生成代码工具codegen通过edl文件生成
@@ -236,8 +236,6 @@ test_t.h该头文件为自动生成代码工具codegen通过edl文件生成
if(CC_GP)
#set signed output
set(OUTPUT ${UUID}.sec)
@ -155,7 +73,7 @@ index 54c32e3..a90450b 100644
set(WHITE_LIST_0 /vendor/bin/helloworld)
set(WHITE_LIST_1 /vendor/bin/secgear_test)
@@ -252,7 +249,6 @@ test_t.h该头文件为自动生成代码工具codegen通过edl文件生成
@@ -252,7 +250,6 @@ test_t.h该头文件为自动生成代码工具codegen通过edl文件生成
WHITE_LIST_x为设置iTrustee的二进制白名单只有这里定义的白名单在非安全侧的二进制才可以调用安全侧的动态库。上限为8个。
WHITE_LIST_OWNER为设置运行二进制的用户只有该用户才可以调用安全侧动态库。
@ -163,7 +81,7 @@ index 54c32e3..a90450b 100644
AUTO_FILES由edl文件生成的安全侧二进制文件
if(CC_SGX)
@@ -319,8 +315,8 @@ AUTO_FILES由edl文件生成的安全侧二进制文件
@@ -319,8 +316,8 @@ AUTO_FILES由edl文件生成的安全侧二进制文件
add_custom_command(TARGET ${PREFIX}
POST_BUILD
@ -174,7 +92,7 @@ index 54c32e3..a90450b 100644
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT}
DESTINATION /data
@@ -391,7 +387,6 @@ itrustee需要链接secgear_tee动态库提供seal接口等。
@@ -391,7 +388,6 @@ itrustee需要链接secgear_tee动态库提供seal接口等。
编写itrustee enclave相关配置文件
mainfest.txt.in:其中gpd.ta.appID 为动态生成uuid。其他配置参见itrustee开发文档。
@ -182,75 +100,15 @@ index 54c32e3..a90450b 100644
#### 5 构建 安装
@@ -451,4 +446,4 @@ secGear引入EDL(Enclave Description Language)和中间代码辅助生成工具c
里程碑
---------
-<img src="docs/milestone.png" alt="secGear" style="zoom:80%;" />
\ No newline at end of file
+<img src="docs/milestone.png" alt="secGear" style="zoom:80%;" />
diff --git a/docs/build_install.md b/docs/build_install.md
index 482e8c2..760ceaa 100644
--- a/docs/build_install.md
+++ b/docs/build_install.md
@@ -13,6 +13,10 @@ openEuler x86
3. source environment && mkdir debug && cd debug
&& cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=ON -DSGXSDK="sgx_sdk path" .. && make && sudo make install
+4. To run example tls_enclave, refer to https://gitee.com/src-openeuler/intel-sgx-ssl
+ download and install intel-sgx-ssl firstly.
+ source environment && mkdir debug && cd debug && cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=ON -DSGXSDK="sgx_sdk path"
+ && -DENCLAVE_SSL="sgxssl path" .. && make && sudo make install
openEuler arm
diff --git a/docs/codegener.md b/docs/codegener.md
index cc20013..85fc6a0 100644
--- a/docs/codegener.md
+++ b/docs/codegener.md
@@ -1,19 +1,15 @@
-# Getting started with the codegen_x86_64/codegen_arm64
+# Getting started with the codegen
-The codegen_x86_64/codegen_arm64 helps to define these special functions through the `edl` files and assist user to using enclave.
+The codegen helps to define these special functions through the `edl` files and assist user to using enclave.
-## The codegen_x86_64/codegen_arm64
+## The codegen
-The codegen_x86_64/codegen_arm64 is based on the 'edger8r' tool in SGX SDK.
+The codegen is based on the 'edger8r' tool in SGX SDK.
- For example
```
$ codegen_arm64 --trustzone test.edl
```
-OR
-```
-$ codegen_x86_64 --sgx test.edl
-```
-**Note**: using the `codegen_x86_64/codegen_arm64 --help` to get more details.
+**Note**: using the `codegen --help` to get more details.
## EDL format
- For SGX(x86)
diff --git a/docs/sign_tool.md b/docs/sign_tool.md
index 3a49d5b..ccaa2e6 100644
index 26805bd..ccaa2e6 100644
--- a/docs/sign_tool.md
+++ b/docs/sign_tool.md
@@ -4,7 +4,7 @@ The sign_tool.sh helps to sign the enclave.
## The sign_tool.sh
-The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'sign_too.py' for signing the trustzone enclave.
+The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'sign_tool.py' for signing the trustzone enclave.
The tool supports the following two modes:
@@ -13,36 +13,34 @@ The tool supports the following two modes:
For example:
- `$ ./signtool.sh d sign x trustzone i test.enclave -m manifest.txt e device_pubkey.pem o signed.enclave `
- `$ ./sign_tool.sh d sign x trustzone i test.enclave -m manifest.txt e device_pubkey.pem o signed.enclave `
+ `$ ./sign_tool.sh d sign x trustzone i test.enclave -c manifest.txt o signed.enclave `
@ -258,7 +116,7 @@ index 3a49d5b..ccaa2e6 100644
For example:
(1) generate the digest value.
- `$ ./signtool.sh d digest x trustzone i input -m manifest.txt e device_pubkey.pem o digest.data `
- `$ ./sign_tool.sh d digest x trustzone i input -m manifest.txt e device_pubkey.pem o digest.data `
+ `$ ./sign_tool.sh d digest x trustzone i input -c manifest.txt o digest.data `
For trustzone, temporary files KeyInfo.enc, rawData.enc, and rawDataHash.bin are generated in the current directory. And for sgx, a temporary file signdata is generated in the current directory. The temporary file is required when generating the signed enclave in step 3 and is deleted after the signed enclave is generated.
@ -266,7 +124,7 @@ index 3a49d5b..ccaa2e6 100644
(2) send the digest.data to the signing organization or platform and get the signature.
(3) use the signature to generate the signed enclave.
- `$ ./signtool.sh d sign x trustzone i input -m manifest.txt p pub.pem e device_pubkey.pem s signature o signed.enclave `
- `$ ./sign_tool.sh d sign x trustzone i input -m manifest.txt p pub.pem e device_pubkey.pem s signature o signed.enclave `
+ `$ ./sign_tool.sh d sign x trustzone i input -c manifest.txt p pub.pem s signature o signed.enclave `
## sign_tool.sh parameter
@ -288,30 +146,6 @@ index 3a49d5b..ccaa2e6 100644
-o <file> output parameters, the sign command outputs sigend enclave, the digest command outputs digest value.
-p <file> signing server public key certificate, required for two-step method.
-s <file> the signed digest value required for two-step method, this parameter is empty to indicate single-step method.
diff --git a/examples/helloworld/CMakeLists.txt b/examples/helloworld/CMakeLists.txt
index a758f1c..5da2a6b 100644
--- a/examples/helloworld/CMakeLists.txt
+++ b/examples/helloworld/CMakeLists.txt
@@ -16,10 +16,10 @@ set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
#set edl name
set(EDL_FILE helloworld.edl)
+set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
- set(CODEGEN codegen_arm64)
execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID)
string(REPLACE "\n" "" UUID ${UUID})
add_definitions(-DPATH="/data/${UUID}.sec")
@@ -27,7 +27,6 @@ endif()
if(CC_SGX)
set(CODETYPE sgx)
- set(CODEGEN codegen_x86_64)
add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so")
endif()
diff --git a/examples/helloworld/enclave/CMakeLists.txt b/examples/helloworld/enclave/CMakeLists.txt
index c1638f8..0aefdae 100644
--- a/examples/helloworld/enclave/CMakeLists.txt
@ -336,75 +170,6 @@ index c1638f8..0aefdae 100644
install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}
DESTINATION /data
diff --git a/examples/helloworld/host/main.c b/examples/helloworld/host/main.c
index e4c4ec4..51993ce 100644
--- a/examples/helloworld/host/main.c
+++ b/examples/helloworld/host/main.c
@@ -11,6 +11,8 @@
*/
#include <stdio.h>
+#include <unistd.h>
+#include <linux/limits.h>
#include "enclave.h"
#include "helloworld_u.h"
@@ -26,7 +28,21 @@ int main()
printf("Create secgear enclave\n");
- res = cc_enclave_create(path, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context);
+ char real_p[PATH_MAX];
+ /* check file exists, if not exist then use absolute path */
+ if (realpath(path, real_p) == NULL) {
+ if (getcwd(real_p, sizeof(real_p)) == NULL) {
+ printf("Cannot find enclave.sign.so");
+ return -1;
+ }
+ if (PATH_MAX - strlen(real_p) <= strlen("/enclave.signed.so")) {
+ printf("Failed to strcat enclave.sign.so path");
+ return -1;
+ }
+ (void)strcat(real_p, "/enclave.signed.so");
+ }
+
+ res = cc_enclave_create(real_p, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context);
if (res != CC_SUCCESS) {
printf("Create enclave error\n");
return res;
diff --git a/examples/seal_data/CMakeLists.txt b/examples/seal_data/CMakeLists.txt
index 20e2fd5..3577301 100644
--- a/examples/seal_data/CMakeLists.txt
+++ b/examples/seal_data/CMakeLists.txt
@@ -8,7 +8,7 @@
# PURPOSE.
# See the Mulan PSL v2 for more details.
-cmake_minimum_required(VERSION 3.12)
+cmake_minimum_required(VERSION 3.10)
project(SealData C)
@@ -17,10 +17,10 @@ set(CMAKE_C_STANDARD 99)
set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
set(EDL_FILE seal_data.edl)
+set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
- set(CODEGEN codegen_arm64)
execute_process(COMMAND uuidgen -r
OUTPUT_VARIABLE UUID)
string(REPLACE "\n" "" UUID ${UUID})
@@ -29,7 +29,6 @@ endif()
if(CC_SGX)
set(CODETYPE sgx)
- set(CODEGEN codegen_x86_64)
add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/seal_data.signed.so")
endif()
diff --git a/examples/seal_data/enclave/CMakeLists.txt b/examples/seal_data/enclave/CMakeLists.txt
index 20851bd..0ddcbd5 100644
--- a/examples/seal_data/enclave/CMakeLists.txt
@ -430,47 +195,27 @@ index 20851bd..0ddcbd5 100644
install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}
DESTINATION /data
diff --git a/src/enclave_src/CMakeLists.txt b/src/enclave_src/CMakeLists.txt
index cb09b5c..66a36ea 100644
--- a/src/enclave_src/CMakeLists.txt
+++ b/src/enclave_src/CMakeLists.txt
@@ -8,7 +8,7 @@
# PURPOSE.
# See the Mulan PSL v2 for more details.
-project(secgear_tee)
+project(secgear_tee C)
set(target_lib secgear_tee)
set(LIBRARY_INSTALL /lib64)
diff --git a/tools/codegener/CMakeLists.txt b/tools/codegener/CMakeLists.txt
index c5fd618..e52d894 100644
--- a/tools/codegener/CMakeLists.txt
+++ b/tools/codegener/CMakeLists.txt
@@ -10,7 +10,7 @@
include(ExternalProject)
-project(CodeGen)
+project(CodeGen C)
find_program(DUNE dune)
@@ -18,13 +18,7 @@ if(NOT DUNE)
message(FATAL_ERROR "Please check your dune installation")
endif()
-if(CC_SGX)
- set(code codegen_x86_64)
-endif()
-
-if(CC_GP)
- set(code codegen_arm64)
-endif()
+set(code codegen)
ExternalProject_Add(codegen
SOURCE_DIR ${LOCAL_ROOT_PATH}/tools/codegener
diff --git a/examples/seal_data/enclave/rsa_public_key_cloud.pem b/examples/seal_data/enclave/rsa_public_key_cloud.pem
deleted file mode 100644
index a321f63..0000000
--- a/examples/seal_data/enclave/rsa_public_key_cloud.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAzAPwbnbgBg7JgXERA9Bx
-p7GLI1S3e1zL83RMd2+GXb6kO4yMKUL3NUCE2HhA2BtQYmLyGovx59UUcKnU58is
-Xux++kH+A2shmOPjYvEFuX0Kt8tc19b8M9b/iHsY8ZmKykqia2a5U+IrECRFJo5p
-DWUnl7jrHVtq78BSR1c7iXG1frrEC0AYCuqKJo/fxfmOKL0Y9mENCB3nAwjn9unD
-BsO/OhkqvvB3nkeuMfNKPh4wCqtQPve13eTojbuxjX/3ePijplTI5X2Gr+n6Ximn
-fYRlytQmMgMl/db0ARSKNApq9bmwzVNrnGWWZWJksdRvf6iL7t17Gs4L9AApOuC9
-WkzxPvwp5ZUqjsGd4oJGWeC6ZE6BTw2vxE+xMFI9uAKHxq9pBKkcGMa0g4fANNNV
-+W+8JZGanxEXKB3y/M7BCyQAPCWOHC/RNjmRA1gczLYCPzC4pWu935UZdF1RR6zY
-CD3t+FoOGGET/g4CwWgyhb5qkp65Hs6ayYt/DUAqo+yBAgMBAAE=
------END PUBLIC KEY-----
diff --git a/examples/helloworld/enclave/rsa_public_key_cloud.pem b/tools/sign_tool/rsa_public_key_cloud.pem
similarity index 100%
rename from examples/helloworld/enclave/rsa_public_key_cloud.pem
rename to tools/sign_tool/rsa_public_key_cloud.pem
diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh
index 8f2189c..212db5d 100755
--- a/tools/sign_tool/sign_tool.sh

49
0021-example-use-absolute-path-to-find-enclave.sign.so.patch Normal file
View File

@ -0,0 +1,49 @@
From 19d48667d6220aaa150f052e66a1847e3ba8f8d4 Mon Sep 17 00:00:00 2001
From: Li Feng <lifeng68@huawei.com>
Date: Tue, 13 Apr 2021 06:40:43 +0000
Subject: [PATCH 04/14] example: use absolute path to find enclave.sign.so
Signed-off-by: Li Feng <lifeng68@huawei.com>
---
examples/helloworld/host/main.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/examples/helloworld/host/main.c b/examples/helloworld/host/main.c
index e4c4ec4..51993ce 100644
--- a/examples/helloworld/host/main.c
+++ b/examples/helloworld/host/main.c
@@ -11,6 +11,8 @@
*/
#include <stdio.h>
+#include <unistd.h>
+#include <linux/limits.h>
#include "enclave.h"
#include "helloworld_u.h"
@@ -26,7 +28,21 @@ int main()
printf("Create secgear enclave\n");
- res = cc_enclave_create(path, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context);
+ char real_p[PATH_MAX];
+ /* check file exists, if not exist then use absolute path */
+ if (realpath(path, real_p) == NULL) {
+ if (getcwd(real_p, sizeof(real_p)) == NULL) {
+ printf("Cannot find enclave.sign.so");
+ return -1;
+ }
+ if (PATH_MAX - strlen(real_p) <= strlen("/enclave.signed.so")) {
+ printf("Failed to strcat enclave.sign.so path");
+ return -1;
+ }
+ (void)strcat(real_p, "/enclave.signed.so");
+ }
+
+ res = cc_enclave_create(real_p, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context);
if (res != CC_SUCCESS) {
printf("Create enclave error\n");
return res;
--
2.27.0

942
0022-add-example-of-using-sgxssl-lib.patch Normal file
View File

@ -0,0 +1,942 @@
From 607634479a08e5150482990343c19e2e45efc583 Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Fri, 19 Feb 2021 11:09:51 +0800
Subject: [PATCH 05/14] add example of using sgxssl lib
---
CMakeLists.txt | 1 +
docs/build_install.md | 4 +
examples/tls_enclave/CMakeLists.txt | 30 +++
examples/tls_enclave/client/CMakeLists.txt | 38 +++
examples/tls_enclave/client/tls_client.c | 100 +++++++
examples/tls_enclave/enclave/CMakeLists.txt | 96 +++++++
.../tls_enclave/enclave/Enclave.config.xml | 12 +
examples/tls_enclave/enclave/Enclave.lds | 11 +
examples/tls_enclave/enclave/enclave_server.c | 249 ++++++++++++++++++
examples/tls_enclave/host/CMakeLists.txt | 56 ++++
examples/tls_enclave/host/main.c | 179 +++++++++++++
examples/tls_enclave/tls_enclave.edl | 26 ++
examples/tls_enclave/tls_enclave.md | 17 ++
13 files changed, 819 insertions(+)
create mode 100644 examples/tls_enclave/CMakeLists.txt
create mode 100644 examples/tls_enclave/client/CMakeLists.txt
create mode 100644 examples/tls_enclave/client/tls_client.c
create mode 100644 examples/tls_enclave/enclave/CMakeLists.txt
create mode 100644 examples/tls_enclave/enclave/Enclave.config.xml
create mode 100644 examples/tls_enclave/enclave/Enclave.lds
create mode 100644 examples/tls_enclave/enclave/enclave_server.c
create mode 100644 examples/tls_enclave/host/CMakeLists.txt
create mode 100644 examples/tls_enclave/host/main.c
create mode 100644 examples/tls_enclave/tls_enclave.edl
create mode 100644 examples/tls_enclave/tls_enclave.md
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 98862a3..1653287 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -57,6 +57,7 @@ endif()
if(CC_SGX)
add_subdirectory(${LOCAL_ROOT_PATH}/examples/helloworld)
add_subdirectory(${LOCAL_ROOT_PATH}/examples/seal_data)
+ add_subdirectory(${LOCAL_ROOT_PATH}/examples/tls_enclave)
endif()
install(FILES ${LOCAL_ROOT_PATH}/conf/logrotate.d/secgear
diff --git a/docs/build_install.md b/docs/build_install.md
index 9ba1adb..636df90 100644
--- a/docs/build_install.md
+++ b/docs/build_install.md
@@ -13,6 +13,10 @@ openEuler x86
3. source environment && mkdir debug && cd debug
&& cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=ON -DSGXSDK="sgx_sdk path" .. && make && sudo make install
+4. To run example tls_enclave, refer to https://gitee.com/src-openeuler/intel-sgx-ssl
+ download and install intel-sgx-ssl firstly.
+ source environment && mkdir debug && cd debug && cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=ON -DSGXSDK="sgx_sdk path"
+ && -DENCLAVE_SSL="sgxssl path" .. && make && sudo make install
openEuler arm
diff --git a/examples/tls_enclave/CMakeLists.txt b/examples/tls_enclave/CMakeLists.txt
new file mode 100644
index 0000000..5b1693a
--- /dev/null
+++ b/examples/tls_enclave/CMakeLists.txt
@@ -0,0 +1,30 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+
+project(TlsEnclave C)
+
+set(CMAKE_C_STANDARD 99)
+
+set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
+
+#set edl name
+set(EDL_FILE tls_enclave.edl)
+#set auto code prefix
+set(PREFIX tls_enclave)
+set(CODEGEN codegen)
+
+if(CC_SGX)
+ set(CODETYPE sgx)
+ add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so")
+endif()
+
+add_subdirectory(${CURRENT_ROOT_PATH}/enclave)
+add_subdirectory(${CURRENT_ROOT_PATH}/host)
+add_subdirectory(${CURRENT_ROOT_PATH}/client)
diff --git a/examples/tls_enclave/client/CMakeLists.txt b/examples/tls_enclave/client/CMakeLists.txt
new file mode 100644
index 0000000..a83b5e3
--- /dev/null
+++ b/examples/tls_enclave/client/CMakeLists.txt
@@ -0,0 +1,38 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+
+set(OUTPUT tls_client)
+set(SOURCE_FILE ${CMAKE_CURRENT_SOURCE_DIR}/tls_client.c)
+
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIE")
+set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s")
+
+if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${CMAKE_LIBRARY_OUTPUT_DIRECTORY})
+endif()
+
+add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES})
+
+if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${OUTPUT} PRIVATE
+ ${CMAKE_LIBRARY_OUTPUT_DIRECTORY})
+endif()
+
+target_link_libraries(${OUTPUT} ssl crypto)
+
+set_target_properties(${OUTPUT} PROPERTIES SKIP_BUILD_RPATH TRUE)
+
+if(CC_SGX)
+ install(TARGETS ${OUTPUT}
+ RUNTIME
+ DESTINATION ${CMAKE_BINARY_DIR}/bin/
+ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ)
+endif()
+
diff --git a/examples/tls_enclave/client/tls_client.c b/examples/tls_enclave/client/tls_client.c
new file mode 100644
index 0000000..e05425b
--- /dev/null
+++ b/examples/tls_enclave/client/tls_client.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include "openssl/evp.h"
+#include "openssl/x509.h"
+#include "openssl/pem.h"
+#include "openssl/ssl.h"
+
+#define BUF_LEN 1024
+
+int main(int argc, const char *argv[])
+{
+ struct sockaddr_in client_addr;
+ int fd = 0;
+ const SSL_METHOD *meth = NULL;
+ SSL_CTX *ctx = NULL;
+ SSL *ssl = NULL;
+ char buf[BUF_LEN] = {0};
+ int ret = -1;
+
+ if (argc != 3) {
+ printf("usage: %s port ca_file\n", argv[0]);
+ return -1;
+ }
+
+ SSL_load_error_strings();
+ SSLeay_add_ssl_algorithms();
+ meth = TLS_method();
+ if (meth == NULL) {
+ return -1;
+ }
+ ctx = SSL_CTX_new(meth);
+ if (ctx == NULL) {
+ return -1;
+ }
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ if (SSL_CTX_load_verify_locations(ctx, argv[2], NULL) <= 0) {
+ goto end;
+ }
+ memset(&client_addr, 0, sizeof(client_addr));
+ client_addr.sin_family = AF_INET;
+ client_addr.sin_port = htons(atoi(argv[1]));
+ client_addr.sin_addr.s_addr = inet_addr("127.0.0.1");
+ fd = socket(AF_INET, SOCK_STREAM, 0);
+ if (fd < 0) {
+ goto end;
+ }
+ ret = connect(fd, (struct sockaddr *)&client_addr, sizeof(client_addr));
+ if (ret < 0) {
+ goto end;
+ }
+ ssl = SSL_new(ctx);
+ if (ssl == NULL) {
+ goto end;
+ }
+ SSL_set_fd(ssl, fd);
+ if (SSL_connect(ssl) <= 0) {
+ goto end;
+ }
+ if (SSL_write(ssl, "hello enclave!", sizeof("hello enclave!")) <= 0) {
+ goto end;
+ }
+ printf("send data: %s\n", "hello enclave!");
+ if (SSL_read(ssl, buf, BUF_LEN - 1) <= 0) {
+ goto end;
+ }
+ printf("receive data: %s\n", buf);
+ ret = 0;
+
+end:
+ if (ssl != NULL) {
+ SSL_shutdown(ssl);
+ SSL_free(ssl);
+ }
+ if (ctx != NULL) {
+ SSL_CTX_free(ctx);
+ }
+ if (fd > 0) {
+ close(fd);
+ }
+ return ret;
+}
diff --git a/examples/tls_enclave/enclave/CMakeLists.txt b/examples/tls_enclave/enclave/CMakeLists.txt
new file mode 100644
index 0000000..5002e1b
--- /dev/null
+++ b/examples/tls_enclave/enclave/CMakeLists.txt
@@ -0,0 +1,96 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+
+#set sign key
+set(PEM Enclave_private.pem)
+
+#set sign tool
+set(SIGN_TOOL ${LOCAL_ROOT_PATH}/tools/sign_tool/sign_tool.sh)
+
+#set enclave src code
+set(SOURCE_FILES ${CMAKE_CURRENT_SOURCE_DIR}/enclave_server.c)
+
+#set log level
+set(PRINT_LEVEL 3)
+add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL})
+
+if(NOT IS_DIRECTORY ${ENCLAVE_SSL})
+ message(FATAL_ERROR "Please provide the correct ENCLAVE_SSL path")
+endif()
+
+if(CC_SGX)
+ #set signed output
+ set(OUTPUT enclave.signed.so)
+ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c)
+ add_custom_command(OUTPUT ${AUTO_FILES}
+ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE}
+ COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include --search-path ${ENCLAVE_SSL}/include)
+endif()
+
+set(COMMON_C_FLAGS "-W -Wall -Werror -fno-short-enums -fno-omit-frame-pointer -fstack-protector \
+ -Wstack-protector --param ssp-buffer-size=4 -frecord-gcc-switches -Wextra -nostdinc -nodefaultlibs \
+ -fno-peephole -fno-peephole2 -Wno-main -Wno-error=unused-parameter \
+ -Wno-error=unused-but-set-variable -Wno-error=format-truncation=")
+
+set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs -nostartfiles")
+
+if(CC_SGX)
+ set(SGX_MODE HW)
+ set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -m64 -fvisibility=hidden -include${ENCLAVE_SSL}/include/tsgxsslio.h")
+ set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s")
+
+ if(${SGX_MODE} STREQUAL HW)
+ set(Trts_Library_Name sgx_trts)
+ set(Service_Library_Name sgx_tservice)
+ else()
+ set(Trts_Library_Name sgx_trts_sim)
+ set(Service_Library_Name sgx_tservice_sim)
+ endif()
+
+ set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-z,defs -Wl,-pie -Bstatic -Bsymbolic -eenclave_entry \
+ -Wl,--export-dynamic -Wl,--defsym,__ImageBase=0 -Wl,--gc-sections -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/Enclave.lds")
+
+ if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${ENCLAVE_SSL}/lib64
+ ${SGXSDK}/lib64
+ ${CMAKE_BINARY_DIR}/lib)
+ endif()
+
+ add_library(${PREFIX} SHARED ${SOURCE_FILES} ${AUTO_FILES})
+
+ target_include_directories(${PREFIX} PRIVATE
+ ${CMAKE_CURRENT_BINARY_DIR}
+ ${SGXSDK}/include/tlibc
+ ${SGXSDK}/include/libcxx
+ ${SGXSDK}/include
+ ${ENCLAVE_SSL}/include
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/sgx
+ ${LOCAL_ROOT_PATH}/inc/enclave_inc
+ ${LOCAL_ROOT_PATH}/inc/enclave_inc/sgx
+ )
+
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${PREFIX} PRIVATE
+ ${ENCLAVE_SSL}/lib64
+ ${SGXSDK}/lib64
+ ${CMAKE_BINARY_DIR}/lib)
+ endif()
+
+ target_link_libraries(${PREFIX} -lsecgear_tee -Wl,--whole-archive ${Trts_Library_Name} -lsgx_tsgxssl -Wl,--no-whole-archive -Wl,--start-group -lsgx_tsgxssl_ssl -lsgx_tsgxssl_crypto -lsgx_tstdc -lsgx_tcxx -lsgx_tcrypto -lsgx_pthread -l${Service_Library_Name} -Wl,--end-group)
+
+ add_custom_command(TARGET ${PREFIX}
+ POST_BUILD
+ COMMAND umask 0177
+ COMMAND openssl genrsa -3 -out ${PEM} 3072
+ COMMAND bash ${SIGN_TOOL} -d sign -x sgx -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -k ${PEM} -o ${OUTPUT} -c ${CMAKE_CURRENT_SOURCE_DIR}/Enclave.config.xml)
+endif()
+
+set_target_properties(${PREFIX} PROPERTIES SKIP_BUILD_RPATH TRUE)
diff --git a/examples/tls_enclave/enclave/Enclave.config.xml b/examples/tls_enclave/enclave/Enclave.config.xml
new file mode 100644
index 0000000..e94c9bc
--- /dev/null
+++ b/examples/tls_enclave/enclave/Enclave.config.xml
@@ -0,0 +1,12 @@
+<EnclaveConfiguration>
+ <ProdID>0</ProdID>
+ <ISVSVN>0</ISVSVN>
+ <StackMaxSize>0x40000</StackMaxSize>
+ <HeapMaxSize>0x100000</HeapMaxSize>
+ <TCSNum>10</TCSNum>
+ <TCSPolicy>1</TCSPolicy>
+ <!-- Recommend changing 'DisableDebug' to 1 to make the enclave undebuggable for enclave release -->
+ <DisableDebug>0</DisableDebug>
+ <MiscSelect>0</MiscSelect>
+ <MiscMask>0xFFFFFFFF</MiscMask>
+</EnclaveConfiguration>
diff --git a/examples/tls_enclave/enclave/Enclave.lds b/examples/tls_enclave/enclave/Enclave.lds
new file mode 100644
index 0000000..ab77e64
--- /dev/null
+++ b/examples/tls_enclave/enclave/Enclave.lds
@@ -0,0 +1,11 @@
+enclave.so
+{
+ global:
+ g_global_data_sim;
+ g_global_data;
+ enclave_entry;
+ g_peak_heap_used;
+ local:
+ *;
+};
+
diff --git a/examples/tls_enclave/enclave/enclave_server.c b/examples/tls_enclave/enclave/enclave_server.c
new file mode 100644
index 0000000..848eb9c
--- /dev/null
+++ b/examples/tls_enclave/enclave/enclave_server.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdbool.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#include "tls_enclave_t.h"
+#include "status.h"
+#include "secgear_dataseal.h"
+
+#define BUF_SIZE 1024
+#define MAX_ENC_KEY_LEN 4096
+#define ADD_DATA_RAW "add mac text"
+
+size_t seal_key(const char *file_name, size_t file_name_len, char *password, size_t pw_len,
+ char *enc_buf, size_t enc_buf_len)
+{
+ BIO *r_key = NULL;
+ BIO *r_prikey = NULL;
+ RSA *rsa_key = NULL;
+ uint8_t *buf = NULL;
+ uint32_t buf_len, sealed_data_len;
+ int res = 0;
+ int retval = CC_FAIL;
+
+ if (file_name == NULL || file_name_len == 0 || password == NULL || pw_len == 0 || enc_buf == NULL) {
+ return 0;
+ }
+ r_key = BIO_new_file(file_name, "r");
+ if (r_key == NULL) {
+ goto end;
+ };
+ rsa_key = PEM_read_bio_RSAPrivateKey(r_key, NULL, NULL, password);
+ if (rsa_key == NULL) {
+ goto end;
+ };
+ r_prikey = BIO_new(BIO_s_mem());
+ if (r_prikey == NULL) {
+ goto end;
+ }
+ if (!PEM_write_bio_RSAPrivateKey(r_prikey, rsa_key, NULL, NULL, 0, NULL, NULL)) {
+ goto end;
+ }
+ buf_len = BIO_ctrl_pending(r_prikey);
+ if (buf_len == 0) {
+ goto end;
+ }
+ buf = (uint8_t *)malloc(buf_len);
+ if (buf == NULL) {
+ goto end;
+ }
+ if ((size_t)BIO_read(r_prikey, buf, buf_len) != buf_len) {
+ goto end;
+ }
+ sealed_data_len = cc_enclave_get_sealed_data_size(buf_len, strlen((const char *)ADD_DATA_RAW));
+ if (sealed_data_len == UINT32_MAX || enc_buf_len < sealed_data_len) {
+ goto end;
+ }
+ retval = cc_enclave_seal_data((uint8_t *)buf, buf_len, (cc_enclave_sealed_data_t *)enc_buf, enc_buf_len,
+ (uint8_t*)ADD_DATA_RAW, strlen((const char*)ADD_DATA_RAW));
+ if (retval != CC_SUCCESS) {
+ goto end;
+ }
+ res = sealed_data_len;
+
+end:
+ BIO_free(r_key);
+ BIO_free(r_prikey);
+ RSA_free(rsa_key);
+ if (buf != NULL) {
+ memset(buf, 0, buf_len);
+ free(buf);
+ };
+ memset(password, 0, pw_len);
+ return res;
+}
+
+int unseal_enc_data(char **data_p, size_t *data_len_p, const char *enc_data)
+{
+ char *add_data = NULL;
+ char *data = NULL;
+ size_t add_len = 0;
+ size_t data_len = 0;
+ int retval = CC_FAIL;
+
+ add_len = cc_enclave_get_add_text_size((const cc_enclave_sealed_data_t *)enc_data);
+ data_len = cc_enclave_get_encrypted_text_size((const cc_enclave_sealed_data_t *)enc_data);
+ if (data_len == 0 || add_len != strlen((const char*)ADD_DATA_RAW)) {
+ return CC_FAIL;
+ }
+ data = malloc(data_len);
+ add_data = malloc(add_len);
+ if (data == NULL || add_data == NULL) {
+ goto end;
+ }
+ memset(data, 0, data_len);
+ retval = cc_enclave_unseal_data((cc_enclave_sealed_data_t *)enc_data, (uint8_t *)data, (uint32_t *)&data_len,
+ (uint8_t *)add_data, (uint32_t *)&add_len);
+ if (retval != CC_SUCCESS) {
+ goto end;
+ }
+ if (strncmp((const char *)add_data, (const char*)ADD_DATA_RAW, strlen((const char*)ADD_DATA_RAW)) != 0) {
+ retval = CC_FAIL;
+ goto end;
+ }
+ *data_p = data;
+ *data_len_p = data_len;
+ retval = CC_SUCCESS;
+
+end:
+ if (add_data != NULL) {
+ memset(add_data, 0, add_len);
+ free(add_data);
+ }
+ if (retval != CC_SUCCESS && data != NULL) {
+ memset(data, 0, data_len);
+ free(data);
+ }
+ return retval;
+}
+
+int set_ctx_key(SSL_CTX *ctx, const char *enc_key_file_name)
+{
+ BIO *in_bio = NULL;
+ EVP_PKEY *pkey = NULL;
+ char *raw_key = NULL;
+ size_t raw_key_len = 0;
+ BIO *key_bio = NULL;
+ char *enc_key = NULL;
+ int retval = CC_FAIL;
+ int res = CC_FAIL;
+
+ key_bio = BIO_new_file(enc_key_file_name, "r");
+ if (key_bio == NULL) {
+ goto end;
+ };
+ enc_key = (char *)malloc(MAX_ENC_KEY_LEN);
+ if (enc_key == NULL) {
+ goto end;
+ }
+ if (BIO_read(key_bio, enc_key, MAX_ENC_KEY_LEN) <= 0) {
+ goto end;
+ }
+ res = unseal_enc_data(&raw_key, &raw_key_len, enc_key);
+ if (res != CC_SUCCESS || raw_key_len == 0) {
+ goto end;
+ }
+ in_bio = BIO_new_mem_buf(raw_key, raw_key_len);
+ if (in_bio == NULL) {
+ goto end;
+ }
+ pkey = PEM_read_bio_PrivateKey(in_bio, NULL, NULL, NULL);
+ if (pkey == NULL) {
+ goto end;
+ }
+ if (!SSL_CTX_use_PrivateKey(ctx, pkey)) {
+ goto end;
+ }
+ retval = CC_SUCCESS;
+
+end:
+ EVP_PKEY_free(pkey);
+ BIO_free(in_bio);
+ BIO_free(key_bio);
+ if (enc_key != NULL) {
+ free(enc_key);
+ }
+ if (raw_key != NULL) {
+ memset(raw_key, 0, raw_key_len);
+ free(raw_key);
+ }
+ return retval;
+}
+
+int start_enclave_tls(int client_fd,const char *cert, size_t cert_len, const char *enc_key, size_t enc_key_len)
+{
+ char buf[BUF_SIZE] = {0};
+ const SSL_METHOD *meth = NULL;
+ SSL_CTX *ctx = NULL;
+ SSL *ssl = NULL;
+ int res = 0;
+ int retval = CC_FAIL;
+
+ if (client_fd <= 0 || cert == NULL || cert_len == 0 || enc_key == NULL || enc_key_len == 0) {
+ return CC_ERROR_BAD_PARAMETERS;
+ }
+ SSL_load_error_strings();
+ SSLeay_add_ssl_algorithms();
+ meth = TLS_method();
+ if (meth == NULL) {
+ return CC_FAIL;
+ }
+ ctx = SSL_CTX_new(meth);
+ if (ctx == NULL) {
+ return CC_FAIL;
+ }
+ if (SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM) <= 0) {
+ goto end;
+ }
+ if (set_ctx_key(ctx, enc_key) != CC_SUCCESS){
+ goto end;
+ }
+ if (!SSL_CTX_check_private_key(ctx)) {
+ goto end;
+ }
+ ssl = SSL_new(ctx);
+ if (ssl == NULL) {
+ goto end;
+ }
+ SSL_set_fd(ssl, client_fd);
+ if (SSL_set_cipher_list(ssl, "ECDHE-RSA-AES128-GCM-SHA256") != 1) {
+ goto end;
+ }
+ if (SSL_accept(ssl) <= 0) {
+ goto end;
+ }
+ res = SSL_read(ssl, buf, BUF_SIZE -1);
+ if (res <= 0) {
+ goto end;
+ }
+ if (SSL_write(ssl, buf, res) <= 0) {
+ goto end;
+ }
+ retval = CC_SUCCESS;
+
+end:
+ if (ssl != NULL) {
+ SSL_shutdown(ssl);
+ SSL_free(ssl);
+ }
+ if (ctx != NULL) {
+ SSL_CTX_free(ctx);
+ }
+ memset(buf, 0, BUF_SIZE);
+ return retval;
+}
diff --git a/examples/tls_enclave/host/CMakeLists.txt b/examples/tls_enclave/host/CMakeLists.txt
new file mode 100644
index 0000000..2f4c8ac
--- /dev/null
+++ b/examples/tls_enclave/host/CMakeLists.txt
@@ -0,0 +1,56 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+
+#set host exec name
+set(OUTPUT secgear_tls)
+#set host src code
+set(SOURCE_FILE ${CMAKE_CURRENT_SOURCE_DIR}/main.c)
+
+#set auto code
+if(CC_SGX)
+ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.c)
+ add_custom_command(OUTPUT ${AUTO_FILES}
+ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE}
+ COMMAND ${CODEGEN} --${CODETYPE} --untrusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include --search-path ${ENCLAVE_SSL}/include)
+endif()
+
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIE")
+set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s")
+
+if(CC_SGX)
+ if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${CMAKE_LIBRARY_OUTPUT_DIRECTORY} ${SGXSSL}/lib64)
+ endif()
+ set(SGX_MODE HW)
+ if(${SGX_MODE} STREQUAL HW)
+ set(Urts_Library_Name sgx_urts)
+ else()
+ set(Urts_Library_Name sgx_urts_sim)
+ endif()
+ add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES})
+ target_include_directories(${OUTPUT} PRIVATE
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/sgx
+ ${CMAKE_CURRENT_BINARY_DIR})
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${OUTPUT} PRIVATE ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} ${ENCLAVE_SSL}/lib64)
+ endif()
+ target_link_libraries(${OUTPUT} secgear ${Urts_Library_Name} pthread ssl crypto sgx_usgxssl)
+endif()
+
+set_target_properties(${OUTPUT} PROPERTIES SKIP_BUILD_RPATH TRUE)
+
+if(CC_SGX)
+ install(TARGETS ${OUTPUT}
+ RUNTIME
+ DESTINATION ${CMAKE_BINARY_DIR}/bin/
+ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ)
+endif()
+
diff --git a/examples/tls_enclave/host/main.c b/examples/tls_enclave/host/main.c
new file mode 100644
index 0000000..4407e64
--- /dev/null
+++ b/examples/tls_enclave/host/main.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <termios.h>
+#include "openssl/evp.h"
+#include "openssl/x509.h"
+#include "openssl/pem.h"
+#include "openssl/ssl.h"
+#include "tls_enclave_u.h"
+#include "enclave.h"
+
+#define BUF_LEN 1024
+#define MAX_LISTEN_FD 64
+#define PASS_MAX 32
+#define MAX_ENC_KEY_LEN 4096
+#define ENC_KEY_FILE_NAME "enc_key"
+
+int set_echo_mode(int fd, int option)
+{
+ struct termios term;
+ if (tcgetattr(fd, &term) != 0) {
+ return CC_FAIL;
+ }
+ if (option) {
+ term.c_lflag |= (ECHO | ECHOE | ECHOK | ECHONL);
+ } else {
+ term.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL);
+ }
+ if (tcsetattr(fd, TCSAFLUSH, &term) != 0) {
+ return CC_FAIL;
+ }
+ return CC_SUCCESS;
+}
+
+int get_password_and_seal_key(cc_enclave_t *context, const char *key_file_name, const char *enc_key_file_name)
+{
+ int res = CC_FAIL;
+ size_t retval = 0;
+ size_t pw_len = 0;
+ char password[PASS_MAX] = {0};
+ char *enc_key = NULL;
+ FILE *fp = NULL;
+
+ printf("Please input password:\n");
+ if (set_echo_mode(STDIN_FILENO, 0)) {
+ return CC_FAIL;
+ }
+ if (fgets((char *)password, PASS_MAX, stdin) == NULL) {
+ return CC_FAIL;
+ }
+ pw_len = strlen((const char *)password);
+ if (password[pw_len - 1] == '\n') {
+ password[pw_len-1] = 0;
+ pw_len--;
+ }
+ if (set_echo_mode(STDIN_FILENO, 1)) {
+ goto end;
+ }
+ enc_key = malloc(MAX_ENC_KEY_LEN);
+ if (enc_key == NULL) {
+ goto end;
+ }
+ res = seal_key(context, &retval, key_file_name, strlen(key_file_name) + 1, password, pw_len + 1,
+ enc_key, MAX_ENC_KEY_LEN);
+ if (res != CC_SUCCESS || retval == 0) {
+ res = CC_FAIL;
+ goto end;
+ }
+ fp = fopen(enc_key_file_name, "w+");
+ if (fp == NULL) {
+ res = CC_FAIL;
+ goto end;
+ }
+ if (fwrite(enc_key, sizeof(char), retval, fp) != retval) {
+ fclose(fp);
+ res = CC_FAIL;
+ goto end;
+ }
+ fclose(fp);
+ if (remove(key_file_name) == 0) {
+ printf("delete origin key file success!\n");
+ } else {
+ printf("delete origin key file error!\n");
+ res = CC_FAIL;
+ }
+
+end:
+ memset(password, 0, pw_len);
+ return res;
+}
+
+int start_server(int port)
+{
+ int server_fd = socket(AF_INET, SOCK_STREAM, 0);
+ struct sockaddr_in serv_addr;
+ memset(&serv_addr, 0, sizeof(serv_addr));
+ serv_addr.sin_family = AF_INET;
+ serv_addr.sin_port = htons(port);
+ serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
+ if (bind(server_fd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
+ return -1;
+ }
+ listen(server_fd, MAX_LISTEN_FD);
+ return server_fd;
+}
+
+int main(int argc, const char *argv[])
+{
+ char *path = PATH;
+ cc_enclave_t *context = NULL;
+ struct sockaddr_in client_addr;
+ socklen_t client_len;
+ int server_fd = -1;
+ int tlsc_fd = -1;
+ cc_enclave_result_t res = CC_FAIL;
+ int retval = 0;
+
+ if (argc != 4) {
+ printf("usage: %s port cert_file key_file\n", argv[0]);
+ return CC_FAIL;
+ }
+
+ server_fd = start_server(atoi(argv[1]));
+ if (server_fd < 0) {
+ return CC_FAIL;
+ }
+ tlsc_fd = accept(server_fd, (struct sockaddr *)&client_addr, &client_len);
+ if (tlsc_fd < 0) {
+ return CC_FAIL;
+ }
+ printf("Create secgear enclave\n");
+ res = cc_enclave_create(path, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context);
+ if (res != CC_SUCCESS) {
+ printf("Create enclave error\n");
+ goto end;
+ }
+ res = get_password_and_seal_key(context, argv[3], ENC_KEY_FILE_NAME);
+ if (res != CC_SUCCESS) {
+ printf("get_password_and_seal_key error\n");
+ goto end;
+ }
+ res = start_enclave_tls(context, &retval, tlsc_fd, argv[2], strlen(argv[2]) + 1, ENC_KEY_FILE_NAME,
+ strlen(ENC_KEY_FILE_NAME) + 1);
+ if (res != CC_SUCCESS || retval != CC_SUCCESS) {
+ printf("start_enclave_tls error\n");
+ goto end;
+ }
+
+ printf("enclve tls finish\n");
+
+end:
+ if (context != NULL) {
+ res = cc_enclave_destroy(context);
+ if(res != CC_SUCCESS) {
+ printf("Destroy enclave error\n");
+ }
+ }
+ close(tlsc_fd);
+ close(server_fd);
+ return res;
+}
diff --git a/examples/tls_enclave/tls_enclave.edl b/examples/tls_enclave/tls_enclave.edl
new file mode 100644
index 0000000..93e9a70
--- /dev/null
+++ b/examples/tls_enclave/tls_enclave.edl
@@ -0,0 +1,26 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+enclave {
+ include "stdbool.h"
+ include "secgear_urts.h"
+ from "secgear_tstdc.edl" import *;
+ from "secgear_tssl.edl" import *;
+ trusted {
+ public size_t seal_key([in, size = file_name_len] const char *file_name, size_t file_name_len,
+ [in, size = pw_len] char *password, size_t pw_len,
+ [out, size = enc_buf_len] char *enc_buf, size_t enc_buf_len);
+ public int start_enclave_tls(int client_fd,
+ [in, size = cert_len] const char *cert, size_t cert_len,
+ [in, size = enc_key_len] const char *enc_key, size_t enc_key_len);
+ };
+};
diff --git a/examples/tls_enclave/tls_enclave.md b/examples/tls_enclave/tls_enclave.md
new file mode 100644
index 0000000..e81d70c
--- /dev/null
+++ b/examples/tls_enclave/tls_enclave.md
@@ -0,0 +1,17 @@
+#Getting started with the tls_enclave example
+
+In the scenario where a user already has a certificate and private on the host side, the tls_enclve provides an example how to protect the private key and how to estabilish a TLS connection with enclave in Linux SGX environment.
+
+1. Install secGear and intel-sgx-ssl(http://gitee.com/src-openEuler/intel-sgx-ssl).
+2. Enter the development directory ../secGear, source environment && mkdir debug && cd debug
+&& cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=on -DSGXSDK="sgx_sdk path" -DENCLAVE_SSL="sgxssl path" ..
+3. To run secgear_tls, the certificate and key used by the TLS server needs to be generated, the following example generate signed certificate only for testing.
+(1) generate RSA key:
+ openssl genrsa -f4 -aes256 -out server.key 3072
+ follow the screen instructions to enter the pass phrase for protecting private key, the pass phrase should meet certain complexity requirements.
+(2) generate self-signed certificate
+ openssl req -new -x509 -days 365 -key server.key -out server.pem -sha256 -subj "/C=CN/ST=GD/L=SZ/O=test/OU=test/CN=test"
+4. start secgear_tls, sudo debug/bin/secgear_tls 9090 server.pem server.key &
+ start tls_client, sudo debug/bin/tls_client 9090 server.pem
+ follow the screen instructions to enter the pass phrase to usee the private key.
+ After exectued successfully, the private key is deleted and only the key encrypted by enclave is saved.
--
2.27.0

25
0023-tls_enclave-is-not-compiled-by-default.patch Normal file
View File

@ -0,0 +1,25 @@
From 90df8d9c0ac4ee7cbe24971ed4a8c4c6ac86c3b1 Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Thu, 15 Apr 2021 11:49:27 +0800
Subject: [PATCH 06/14] tls_enclave is not compiled by default
---
CMakeLists.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 1653287..b1fe4a4 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -57,7 +57,7 @@ endif()
if(CC_SGX)
add_subdirectory(${LOCAL_ROOT_PATH}/examples/helloworld)
add_subdirectory(${LOCAL_ROOT_PATH}/examples/seal_data)
- add_subdirectory(${LOCAL_ROOT_PATH}/examples/tls_enclave)
+# add_subdirectory(${LOCAL_ROOT_PATH}/examples/tls_enclave)
endif()
install(FILES ${LOCAL_ROOT_PATH}/conf/logrotate.d/secgear
--
2.27.0

68
0024-Cmake-replace-minial-cmake-from-3.12-to-3.10.patch Normal file
View File

@ -0,0 +1,68 @@
From 20d6808fd639e4506fd1a383cf59094a17773775 Mon Sep 17 00:00:00 2001
From: Li Feng <lifeng68@huawei.com>
Date: Mon, 26 Apr 2021 09:26:46 +0000
Subject: [PATCH 07/14] Cmake: replace minial cmake from 3.12 to 3.10
Signed-off-by: Li Feng <lifeng68@huawei.com>
---
CMakeLists.txt | 2 +-
README.en.md | 2 +-
README.md | 2 +-
examples/seal_data/CMakeLists.txt | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b1fe4a4..a4d1668 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -8,7 +8,7 @@
# PURPOSE.
# See the Mulan PSL v2 for more details.
-cmake_minimum_required(VERSION 3.12 FATAL_ERROR)
+cmake_minimum_required(VERSION 3.10 FATAL_ERROR)
project(secGear C)
set(CMAKE_C_STANDARD 99)
diff --git a/README.en.md b/README.en.md
index a33a50c..4df13b0 100644
--- a/README.en.md
+++ b/README.en.md
@@ -43,7 +43,7 @@ Then save as test.edl
### 2 Write the top-level CMakeLists.txt
- cmake_minimum_required(VERSION 3.12 FATAL_ERROR)
+ cmake_minimum_required(VERSION 3.10 FATAL_ERROR)
project(TEST C)
set(CMAKE_C_STANDARD 99)
set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
diff --git a/README.md b/README.md
index 971ddca..a90450b 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ SecGear则是面向计算产业的机密计算安全应用开发套件。旨在
### 2 编写最外层CMakeLists.txt文件
- cmake_minimum_required(VERSION 3.12 FATAL_ERROR)
+ cmake_minimum_required(VERSION 3.10 FATAL_ERROR)
project(TEST C)
set(CMAKE_C_STANDARD 99)
set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
diff --git a/examples/seal_data/CMakeLists.txt b/examples/seal_data/CMakeLists.txt
index 503fe0d..3577301 100644
--- a/examples/seal_data/CMakeLists.txt
+++ b/examples/seal_data/CMakeLists.txt
@@ -8,7 +8,7 @@
# PURPOSE.
# See the Mulan PSL v2 for more details.
-cmake_minimum_required(VERSION 3.12)
+cmake_minimum_required(VERSION 3.10)
project(SealData C)
--
2.27.0

517
0025-example-add-example-for-LRT-long-running-task.patch Normal file
View File

@ -0,0 +1,517 @@
From d8d225ed834a9cfe63b305ccd2ce97f5b3ebdfb4 Mon Sep 17 00:00:00 2001
From: Li Feng <lifeng68@huawei.com>
Date: Mon, 26 Apr 2021 09:32:12 +0000
Subject: [PATCH 08/14] example: add example for LRT(long running task)
Signed-off-by: Li Feng <lifeng68@huawei.com>
---
CMakeLists.txt | 1 +
examples/lrt/CMakeLists.txt | 34 +++++
examples/lrt/enclave/CMakeLists.txt | 158 ++++++++++++++++++++++++
examples/lrt/enclave/Enclave.config.xml | 12 ++
examples/lrt/enclave/Enclave.lds | 11 ++
examples/lrt/enclave/lrt.c | 23 ++++
examples/lrt/enclave/manifest.txt.in | 8 ++
examples/lrt/host/CMakeLists.txt | 85 +++++++++++++
examples/lrt/host/main.c | 70 +++++++++++
examples/lrt/lrt.edl | 19 +++
10 files changed, 421 insertions(+)
create mode 100644 examples/lrt/CMakeLists.txt
create mode 100644 examples/lrt/enclave/CMakeLists.txt
create mode 100644 examples/lrt/enclave/Enclave.config.xml
create mode 100644 examples/lrt/enclave/Enclave.lds
create mode 100644 examples/lrt/enclave/lrt.c
create mode 100644 examples/lrt/enclave/manifest.txt.in
create mode 100644 examples/lrt/host/CMakeLists.txt
create mode 100644 examples/lrt/host/main.c
create mode 100644 examples/lrt/lrt.edl
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a4d1668..1d036ea 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -58,6 +58,7 @@ if(CC_SGX)
add_subdirectory(${LOCAL_ROOT_PATH}/examples/helloworld)
add_subdirectory(${LOCAL_ROOT_PATH}/examples/seal_data)
# add_subdirectory(${LOCAL_ROOT_PATH}/examples/tls_enclave)
+# add_subdirectory(${LOCAL_ROOT_PATH}/examples/lrt)
endif()
install(FILES ${LOCAL_ROOT_PATH}/conf/logrotate.d/secgear
diff --git a/examples/lrt/CMakeLists.txt b/examples/lrt/CMakeLists.txt
new file mode 100644
index 0000000..9059590
--- /dev/null
+++ b/examples/lrt/CMakeLists.txt
@@ -0,0 +1,34 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+
+project(HelloWorldLRT C)
+
+set(CMAKE_C_STANDARD 99)
+
+set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
+
+#set edl name
+set(EDL_FILE lrt.edl)
+set(CODEGEN codegen)
+
+if(CC_GP)
+ set(CODETYPE trustzone)
+ execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID)
+ string(REPLACE "\n" "" UUID ${UUID})
+ add_definitions(-DPATH="/data/${UUID}.sec")
+endif()
+
+if(CC_SGX)
+ set(CODETYPE sgx)
+ add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so")
+endif()
+
+add_subdirectory(${CURRENT_ROOT_PATH}/enclave)
+add_subdirectory(${CURRENT_ROOT_PATH}/host)
diff --git a/examples/lrt/enclave/CMakeLists.txt b/examples/lrt/enclave/CMakeLists.txt
new file mode 100644
index 0000000..64494cc
--- /dev/null
+++ b/examples/lrt/enclave/CMakeLists.txt
@@ -0,0 +1,158 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+
+#set auto code prefix
+set(PREFIX lrt)
+
+#set sign key
+set(PEM Enclave_private.pem)
+
+#set sign tool
+set(SIGN_TOOL ${LOCAL_ROOT_PATH}/tools/sign_tool/sign_tool.sh)
+
+#set enclave src code
+set(SOURCE_FILES ${CMAKE_CURRENT_SOURCE_DIR}/lrt.c)
+
+#set log level
+set(PRINT_LEVEL 3)
+add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL})
+
+if(CC_GP)
+ #set signed output
+ set(OUTPUT ${UUID}.sec)
+ #set whilelist. default: /vendor/bin/teec_hello
+ set(WHITE_LIST_0 /vendor/bin/helloworld)
+ set(WHITE_LIST_OWNER root)
+ set(WHITE_LIST_1 /vendor/bin/secgear_helloworld)
+ set(WHITELIST WHITE_LIST_0 WHITE_LIST_1)
+
+ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h)
+ add_custom_command(OUTPUT ${AUTO_FILES}
+ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE}
+ COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/gp)
+endif()
+
+if(CC_SGX)
+ set(OUTPUT enclave.signed.so)
+ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c)
+ add_custom_command(OUTPUT ${AUTO_FILES}
+ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE}
+ COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include)
+endif()
+
+set(COMMON_C_FLAGS "-W -Wall -Werror -fno-short-enums -fno-omit-frame-pointer -fstack-protector \
+ -Wstack-protector --param ssp-buffer-size=4 -frecord-gcc-switches -Wextra -nostdinc -nodefaultlibs \
+ -fno-peephole -fno-peephole2 -Wno-main -Wno-error=unused-parameter \
+ -Wno-error=unused-but-set-variable -Wno-error=format-truncation=")
+
+set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs -nostartfiles")
+
+if(CC_GP)
+ configure_file("${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt.in" "${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt")
+
+ set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -march=armv8-a ")
+ set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s -fPIC")
+ set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-s")
+
+ set(ITRUSTEE_TEEDIR ${iTrusteeSDK}/)
+ set(ITRUSTEE_LIBC ${iTrusteeSDK}/thirdparty/open_source/musl/libc)
+
+ if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${CMAKE_BINARY_DIR}/lib/)
+ endif()
+
+ add_library(${PREFIX} SHARED ${SOURCE_FILES} ${AUTO_FILES})
+
+ target_include_directories( ${PREFIX} PRIVATE
+ ${CMAKE_CURRENT_BINARY_DIR}
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/gp
+ ${LOCAL_ROOT_PATH}/inc/enclave_inc
+ ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp
+ ${ITRUSTEE_TEEDIR}/include/TA
+ ${ITRUSTEE_TEEDIR}/include/TA/huawei_ext
+ ${ITRUSTEE_LIBC}/arch/aarch64
+ ${ITRUSTEE_LIBC}/
+ ${ITRUSTEE_LIBC}/arch/arm/bits
+ ${ITRUSTEE_LIBC}/arch/generic
+ ${ITRUSTEE_LIBC}/arch/arm
+ ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp/itrustee)
+
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${PREFIX} PRIVATE
+ ${CMAKE_BINARY_DIR}/lib/)
+ endif()
+
+ foreach(WHITE_LIST ${WHITELIST})
+ add_definitions(-D${WHITE_LIST}="${${WHITE_LIST}}")
+ endforeach(WHITE_LIST)
+ add_definitions(-DWHITE_LIST_OWNER="${WHITE_LIST_OWNER}")
+
+ target_link_libraries(${PREFIX} -lsecgear_tee)
+
+ add_custom_command(TARGET ${PREFIX}
+ POST_BUILD
+ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
+ -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT})
+
+ install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}
+ DESTINATION /data
+ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+
+endif()
+
+if(CC_SGX)
+ set(SGX_DIR ${SGXSDK})
+ set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -m64 -fvisibility=hidden")
+ set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s")
+ set(LINK_LIBRARY_PATH ${SGX_DIR}/lib64)
+
+ if(CC_SIM)
+ set(Trts_Library_Name sgx_trts_sim)
+ set(Service_Library_Name sgx_tservice_sim)
+ else()
+ set(Trts_Library_Name sgx_trts)
+ set(Service_Library_Name sgx_tservice)
+ endif()
+
+ set(Crypto_Library_Name sgx_tcrypto)
+
+ set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-z,defs -Wl,-pie -Bstatic -Bsymbolic -eenclave_entry \
+ -Wl,--export-dynamic -Wl,--defsym,__ImageBase=0 -Wl,--gc-sections -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/Enclave.lds")
+
+ if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${LINK_LIBRARY_PATH})
+ endif()
+
+ add_library(${PREFIX} SHARED ${SOURCE_FILES} ${AUTO_FILES})
+
+ target_include_directories(${PREFIX} PRIVATE
+ ${CMAKE_CURRENT_BINARY_DIR}
+ ${SGX_DIR}/include/tlibc
+ ${SGX_DIR}/include/libcxx
+ ${SGX_DIR}/include
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/sgx)
+
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${PREFIX} PRIVATE
+ ${LINK_LIBRARY_PATH})
+ endif()
+
+ target_link_libraries(${PREFIX} -Wl,--whole-archive ${Trts_Library_Name} -Wl,--no-whole-archive
+ -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -l${Crypto_Library_Name} -l${Service_Library_Name} -Wl,--end-group)
+ add_custom_command(TARGET ${PREFIX}
+ POST_BUILD
+ COMMAND umask 0177
+ COMMAND openssl genrsa -3 -out ${PEM} 3072
+ COMMAND bash ${SIGN_TOOL} -d sign -x sgx -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -k ${PEM} -o ${OUTPUT} -c ${CMAKE_CURRENT_SOURCE_DIR}/Enclave.config.xml)
+endif()
+
+set_target_properties(${PREFIX} PROPERTIES SKIP_BUILD_RPATH TRUE)
diff --git a/examples/lrt/enclave/Enclave.config.xml b/examples/lrt/enclave/Enclave.config.xml
new file mode 100644
index 0000000..e94c9bc
--- /dev/null
+++ b/examples/lrt/enclave/Enclave.config.xml
@@ -0,0 +1,12 @@
+<EnclaveConfiguration>
+ <ProdID>0</ProdID>
+ <ISVSVN>0</ISVSVN>
+ <StackMaxSize>0x40000</StackMaxSize>
+ <HeapMaxSize>0x100000</HeapMaxSize>
+ <TCSNum>10</TCSNum>
+ <TCSPolicy>1</TCSPolicy>
+ <!-- Recommend changing 'DisableDebug' to 1 to make the enclave undebuggable for enclave release -->
+ <DisableDebug>0</DisableDebug>
+ <MiscSelect>0</MiscSelect>
+ <MiscMask>0xFFFFFFFF</MiscMask>
+</EnclaveConfiguration>
diff --git a/examples/lrt/enclave/Enclave.lds b/examples/lrt/enclave/Enclave.lds
new file mode 100644
index 0000000..ab77e64
--- /dev/null
+++ b/examples/lrt/enclave/Enclave.lds
@@ -0,0 +1,11 @@
+enclave.so
+{
+ global:
+ g_global_data_sim;
+ g_global_data;
+ enclave_entry;
+ g_peak_heap_used;
+ local:
+ *;
+};
+
diff --git a/examples/lrt/enclave/lrt.c b/examples/lrt/enclave/lrt.c
new file mode 100644
index 0000000..982e50c
--- /dev/null
+++ b/examples/lrt/enclave/lrt.c
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "lrt_t.h"
+
+#define TA_HELLO_WORLD "Secgear Long Running Task!"
+#define BUF_MAX 32
+int get_string(char *buf)
+{
+ strncpy(buf, TA_HELLO_WORLD, strlen(TA_HELLO_WORLD) + 1);
+ return 0;
+}
diff --git a/examples/lrt/enclave/manifest.txt.in b/examples/lrt/enclave/manifest.txt.in
new file mode 100644
index 0000000..7b8ecf5
--- /dev/null
+++ b/examples/lrt/enclave/manifest.txt.in
@@ -0,0 +1,8 @@
+gpd.ta.appID: @UUID@
+gpd.ta.service_name: test0108
+gpd.ta.singleInstance: true
+gpd.ta.multiSession: false
+gpd.ta.multiCommand: false
+gpd.ta.instanceKeepAlive: false
+gpd.ta.dataSize: 16384
+gpd.ta.stackSize: 20480
diff --git a/examples/lrt/host/CMakeLists.txt b/examples/lrt/host/CMakeLists.txt
new file mode 100644
index 0000000..13f891a
--- /dev/null
+++ b/examples/lrt/host/CMakeLists.txt
@@ -0,0 +1,85 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+
+#set auto code prefix
+set(PREFIX lrt)
+#set host exec name
+set(OUTPUT secgear_lrt)
+#set host src code
+set(SOURCE_FILE ${CMAKE_CURRENT_SOURCE_DIR}/main.c)
+
+#set auto code
+if(CC_GP)
+ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h)
+ add_custom_command(OUTPUT ${AUTO_FILES}
+ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE}
+ COMMAND ${CODEGEN} --${CODETYPE} --untrusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/gp)
+endif()
+
+if(CC_SGX)
+ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.c)
+ add_custom_command(OUTPUT ${AUTO_FILES}
+ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE}
+ COMMAND ${CODEGEN} --${CODETYPE} --untrusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include)
+endif()
+
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIE")
+set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s")
+
+if(CC_GP)
+ if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${CMAKE_LIBRARY_OUTPUT_DIRECTORY})
+ endif()
+ add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES})
+ target_include_directories(${OUTPUT} PRIVATE
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/gp
+ ${CMAKE_CURRENT_BINARY_DIR})
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${OUTPUT} PRIVATE ${CMAKE_LIBRARY_OUTPUT_DIRECTORY})
+ endif()
+endif()
+
+if(CC_SGX)
+ if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${CMAKE_LIBRARY_OUTPUT_DIRECTORY})
+ endif()
+ add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES})
+ target_include_directories(${OUTPUT} PRIVATE
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/sgx
+ ${CMAKE_CURRENT_BINARY_DIR})
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${OUTPUT} PRIVATE ${CMAKE_LIBRARY_OUTPUT_DIRECTORY})
+ endif()
+endif()
+
+if(CC_SIM)
+ target_link_libraries(${OUTPUT} secgearsim)
+else()
+ target_link_libraries(${OUTPUT} secgear)
+endif()
+set_target_properties(${OUTPUT} PROPERTIES SKIP_BUILD_RPATH TRUE)
+
+if(CC_GP)
+ #itrustee install whitelist /vender/bin/teec_hello
+ install(TARGETS ${OUTPUT}
+ RUNTIME
+ DESTINATION /vendor/bin/
+ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ)
+endif()
+
+if(CC_SGX)
+ install(TARGETS ${OUTPUT}
+ RUNTIME
+ DESTINATION ${CMAKE_BINARY_DIR}/bin/
+ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ)
+endif()
+
diff --git a/examples/lrt/host/main.c b/examples/lrt/host/main.c
new file mode 100644
index 0000000..ba078c7
--- /dev/null
+++ b/examples/lrt/host/main.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <linux/limits.h>
+#include "enclave.h"
+#include "lrt_u.h"
+
+#define BUF_LEN 32
+
+int main()
+{
+ int retval = 0;
+ char *path = PATH;
+ char buf[BUF_LEN];
+ cc_enclave_t *context = NULL;
+ cc_enclave_result_t res;
+
+ printf("Create secgear enclave\n");
+
+ char real_p[PATH_MAX];
+ /* check file exists, if not exist then use absolute path */
+ if (realpath(path, real_p) == NULL) {
+ if (getcwd(real_p, sizeof(real_p)) == NULL) {
+ printf("Cannot find enclave.sign.so");
+ return -1;
+ }
+ if (PATH_MAX - strlen(real_p) <= strlen("/enclave.signed.so")) {
+ printf("Failed to strcat enclave.sign.so path");
+ return -1;
+ }
+ (void)strcat(real_p, "/enclave.signed.so");
+ }
+
+ res = cc_enclave_create(real_p, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context);
+ if (res != CC_SUCCESS) {
+ printf("Create enclave error\n");
+ return res;
+ }
+
+ while(true) {
+ res = get_string(context, &retval, buf);
+ if (res != CC_SUCCESS || retval != (int)CC_SUCCESS) {
+ printf("Ecall enclave error\n");
+ goto out;
+ } else {
+ printf("%s\n", buf);
+ }
+ sleep(1);
+ }
+
+out:
+ if (context != NULL) {
+ res = cc_enclave_destroy(context);
+ if(res != CC_SUCCESS) {
+ printf("Destroy enclave error\n");
+ }
+ }
+ return res;
+}
diff --git a/examples/lrt/lrt.edl b/examples/lrt/lrt.edl
new file mode 100644
index 0000000..73dc375
--- /dev/null
+++ b/examples/lrt/lrt.edl
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+enclave {
+ include "secgear_urts.h"
+ from "secgear_tstdc.edl" import *;
+ trusted {
+ public int get_string([out, size=32]char *buf);
+ };
+};
--
2.27.0

172
0026-example-add-Dockerfile-to-build-lrt-example-image.patch Normal file
View File

@ -0,0 +1,172 @@
From 2f5b3b98d7c4705ef761e9898116b2206b7c6729 Mon Sep 17 00:00:00 2001
From: Li Feng <lifeng68@huawei.com>
Date: Tue, 13 Apr 2021 07:59:54 +0000
Subject: [PATCH 09/14] example: add Dockerfile to build lrt example image
Signed-off-by: Li Feng <lifeng68@huawei.com>
---
examples/lrt/Dockerfile | 33 +++++++++++++++++++
examples/lrt/device_plugin.yaml | 57 +++++++++++++++++++++++++++++++++
examples/lrt/enclave.yaml | 46 ++++++++++++++++++++++++++
3 files changed, 136 insertions(+)
create mode 100644 examples/lrt/Dockerfile
create mode 100644 examples/lrt/device_plugin.yaml
create mode 100644 examples/lrt/enclave.yaml
diff --git a/examples/lrt/Dockerfile b/examples/lrt/Dockerfile
new file mode 100644
index 0000000..dadf2b7
--- /dev/null
+++ b/examples/lrt/Dockerfile
@@ -0,0 +1,33 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+
+# steps to build example image:
+# 1. build the secGear project at host
+# # cd secGear/
+# # source environment
+# # source /opt/intel/sgxsdk/environment
+# # mkdir debug && cd debug
+# # cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=ON -DSGXSDK=/opt/intel/sgxsdk ..
+# # make
+# 2. build the example image
+# # cd ../examples/lrt/
+# # docker build -t secgear_hello -f ./Dockerfile ../../
+
+
+FROM hub.oepkgs.net/lifeng2221dd1/sgx_base_hw:latest
+
+COPY debug/lib/sgx/libsgx_0.so /lib64/
+COPY debug/lib/libsecgear.so /usr/lib/
+COPY debug/examples/lrt/host/secgear_lrt /home/
+COPY debug/examples/lrt/enclave/enclave.signed.so /home/
+
+WORKDIR /home
+
+ENTRYPOINT ["/home/secgear_lrt"]
diff --git a/examples/lrt/device_plugin.yaml b/examples/lrt/device_plugin.yaml
new file mode 100644
index 0000000..9a470da
--- /dev/null
+++ b/examples/lrt/device_plugin.yaml
@@ -0,0 +1,57 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# steps to deploy device plugin:
+# # cd secGear/
+# # cd ./examples/lrt/
+# # kubectl apply -f ./device_plugin.yaml
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: sgx-device-plugin-ds
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ k8s-app: sgx-device-plugin
+ template:
+ metadata:
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ labels:
+ k8s-app: sgx-device-plugin
+ spec:
+ containers:
+ - image: hub.oepkgs.net/lifeng2221dd1/hw-ali-device-plugin:devel
+ imagePullPolicy: IfNotPresent
+ name: sgx-device-plugin
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ volumeMounts:
+ - mountPath: /var/lib/kubelet/device-plugins
+ name: device-plugin
+ - mountPath: /dev
+ name: dev
+ tolerations:
+ - effect: NoSchedule
+ key: alibabacloud.com/sgx_epc_MiB
+ operator: Exists
+ volumes:
+ - hostPath:
+ path: /var/lib/kubelet/device-plugins
+ type: DirectoryOrCreate
+ name: device-plugin
+ - hostPath:
+ path: /dev
+ type: Directory
+ name: dev
diff --git a/examples/lrt/enclave.yaml b/examples/lrt/enclave.yaml
new file mode 100644
index 0000000..8efdada
--- /dev/null
+++ b/examples/lrt/enclave.yaml
@@ -0,0 +1,46 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# steps to deploy device plugin:
+# # cd secGear/
+# # cd ./examples/lrt/
+# # kubectl apply -f ./enclave.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld
+ namespace: default
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ spec:
+ containers:
+ - name: hell_lifeng
+ image: secgear_hello
+ imagePullPolicy: IfNotPresent
+ name: helloworld
+ resources:
+ limits:
+ cpu: 250m
+ memory: 512Mi
+ alibabacloud.com/sgx_epc_MiB: 2
+ volumeMounts:
+ - mountPath: /var/run/aesmd/aesm.socket
+ name: aesmsocket
+ volumes:
+ - hostPath:
+ path: /var/run/aesmd/aesm.socket
+ type: Socket
+ name: aesmsocket
--
2.27.0

29
0027-Change-to-use-the-milestone-picture-with-English.patch Normal file
View File

@ -0,0 +1,29 @@
From 4fe112079e599cf779dacde08181f22ad62ede51 Mon Sep 17 00:00:00 2001
From: blue <jingood@yeah.net>
Date: Thu, 29 Apr 2021 20:53:21 +0800
Subject: [PATCH 10/14] Change to use the milestone picture with English
---
README.en.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.en.md b/README.en.md
index 4df13b0..aa8c4a8 100644
--- a/README.en.md
+++ b/README.en.md
@@ -1,4 +1,4 @@
-<img src="docs/logo.png" alt="secGear" style="zoom:100%;" />
+<img src="docs/logo.png" alt="secGear" style="zoom:100%;" />
secGear
============================
@@ -502,5 +502,5 @@ secGear introduce the signing tool to sign the enclave.
Milestone
---------
-<img src="docs/milestone.png" alt="secGear" style="zoom:80%;" />
+<img src="docs/milestone_en.png" alt="secGear" style="zoom:80%;" />
--
2.27.0

73
0028-example-use-the-sgx-device-plugin-from-intel.patch Normal file
View File

@ -0,0 +1,73 @@
From 3af4a40bef20df36ece7f7f87c44eccf8a8b3a60 Mon Sep 17 00:00:00 2001
From: Li Feng <lifeng2221dd1@zoho.com.cn>
Date: Mon, 17 May 2021 10:21:32 +0800
Subject: [PATCH 11/14] example: use the sgx device plugin from intel
deployment:
1. kubectl apply -f ./examples/lrt/device_plugin.yaml
2. kubectl apply -f ./examples/lrt/enclave.yaml
3. kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
default helloworld-d75bf5f9f-wgdf7 1/1 Running 0 36m
default helloworld-d75bf5f9f-xthkk 1/1 Running 0 36m
kube-system calico-kube-controllers-6d7b4db76c-7t8lv 1/1 Running 1 42h
kube-system calico-node-kcxd7 1/1 Running 1 42h
kube-system coredns-6d56c8448f-ctf7m 1/1 Running 1 42h
kube-system coredns-6d56c8448f-k7z5c 1/1 Running 1 42h
kube-system etcd-lifeng 1/1 Running 2 2d
kube-system kube-apiserver-lifeng 1/1 Running 4 2d
kube-system kube-controller-manager-lifeng 1/1 Running 2 2d
kube-system kube-proxy-xvvz5 1/1 Running 2 2d
kube-system kube-scheduler-lifeng 1/1 Running 2 2d
kube-system sgx-device-plugin-ds-4sbhk 1/1 Running 0 4m
Signed-off-by: Li Feng <lifeng2221dd1@zoho.com.cn>
---
CMakeLists.txt | 2 +-
examples/lrt/device_plugin.yaml | 2 +-
examples/lrt/enclave.yaml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 1d036ea..3886316 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -58,7 +58,7 @@ if(CC_SGX)
add_subdirectory(${LOCAL_ROOT_PATH}/examples/helloworld)
add_subdirectory(${LOCAL_ROOT_PATH}/examples/seal_data)
# add_subdirectory(${LOCAL_ROOT_PATH}/examples/tls_enclave)
-# add_subdirectory(${LOCAL_ROOT_PATH}/examples/lrt)
+ add_subdirectory(${LOCAL_ROOT_PATH}/examples/lrt)
endif()
install(FILES ${LOCAL_ROOT_PATH}/conf/logrotate.d/secgear
diff --git a/examples/lrt/device_plugin.yaml b/examples/lrt/device_plugin.yaml
index 9a470da..ce8724d 100644
--- a/examples/lrt/device_plugin.yaml
+++ b/examples/lrt/device_plugin.yaml
@@ -29,7 +29,7 @@ spec:
k8s-app: sgx-device-plugin
spec:
containers:
- - image: hub.oepkgs.net/lifeng2221dd1/hw-ali-device-plugin:devel
+ - image: hub.oepkgs.net/lifeng2221dd1/intel-sgx-device-plugin-hw:isgx
imagePullPolicy: IfNotPresent
name: sgx-device-plugin
securityContext:
diff --git a/examples/lrt/enclave.yaml b/examples/lrt/enclave.yaml
index 8efdada..b1bc19b 100644
--- a/examples/lrt/enclave.yaml
+++ b/examples/lrt/enclave.yaml
@@ -35,7 +35,7 @@ spec:
limits:
cpu: 250m
memory: 512Mi
- alibabacloud.com/sgx_epc_MiB: 2
+ sgx.intel.com/huawei_sgx_epc_MiB: 2
volumeMounts:
- mountPath: /var/run/aesmd/aesm.socket
name: aesmsocket
--
2.27.0

2159
0029-some-adaptations-for-trustzone.patch Normal file
View File

File diff suppressed because it is too large Load Diff

234
0030-fix-sgx-two-step-mode-bug-add-dump-command.patch Normal file
View File

@ -0,0 +1,234 @@
From 583ac889ade73e8ffa96844dcc29a511e6c5a615 Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Wed, 19 May 2021 15:45:24 +0800
Subject: [PATCH 13/14] fix sgx two-step mode bug, add dump command
---
docs/sign_tool.md | 49 +++++++++++++---------
examples/helloworld/enclave/CMakeLists.txt | 2 +-
examples/helloworld/host/CMakeLists.txt | 8 ++--
examples/seal_data/enclave/CMakeLists.txt | 2 +-
examples/seal_data/host/CMakeLists.txt | 8 ++--
tools/sign_tool/sign_tool.sh | 39 +++++++++--------
6 files changed, 62 insertions(+), 46 deletions(-)
diff --git a/docs/sign_tool.md b/docs/sign_tool.md
index 399e4c5..e6c6e3b 100644
--- a/docs/sign_tool.md
+++ b/docs/sign_tool.md
@@ -4,7 +4,7 @@ The sign_tool.sh helps to sign the enclave.
## The sign_tool.sh
-The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'sign_tool.py' for signing the trustzone enclave.
+The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'signtool_v3.py' for signing the trustzone enclave.
The tool supports the following two modes:
@@ -19,33 +19,44 @@ The tool supports the following two modes:
- two-step method, it is used when the signature needs to be obtained from the signing organization or the private key is stored on another secure platform.
For example:
- (1) generate the digest value.
- `$ ./sign_tool.sh d digest x trustzone i input -c manifest.txt -m config_cloud.ini o digest.data `
+ (1) generate the signing material.
+ `$ ./sign_tool.sh d digest x trustzone i input -c manifest.txt -m config_cloud.ini o signing.data `
For trustzone, temporary files KeyInfo.enc, rawData.enc, and rawDataHash.bin are generated in the current directory. And for sgx, a temporary file signdata is generated in the current directory. The temporary file is required when generating the signed enclave in step 3 and is deleted after the signed enclave is generated.
- (2) send the digest.data to the signing organization or platform and get the signature.
-
- (3) use the signature to generate the signed enclave.
- `$ ./sign_tool.sh d sign x trustzone i input -c manifest.txt -m config_cloud.ini s signature o signed.enclave `
+ (2) send the signing.data to the signing organization or platform and get the signature.
+ For trustzone, use rsautl command to sign the signing material.
+
+ `$ openssl rsautl -sign -inkey sign_key.pem -in signing.data -out signature `
+
+ For sgx, use dgst command to sign the signing material.
+
+ `$ openssl dgst -sha256 -sign sign_key.pem -keyform PEM -out signature signing.data `
+
+ (3) use the signature to generate the signed enclave.
+
+ `$ ./sign_tool.sh d sign x trustzone i input -c manifest.txt -m config_cloud.ini s signature o signed.enclave `
## sign_tool.sh parameter
```
-c <file> basic config file.
- -d <parameter> sign tool command, sign/digest.
+ -d <parameter> sign tool command, sign/digest/dump.
The sign command is used to generate a signed enclave.
- The digest command is used to generate a digest value.
- -i <file> enclave to be signed.
- -k <file> private key required for single-step method
- -m <file> additional config_cloud.ini for trustzone.
- -o <file> output parameters, the sign command outputs sigend enclave, the digest command outputs
- digest value.
- -p <file> signing server public key certificate, required for two-step method.
- -s <file> the signed digest value required for two-step method, this parameter is empty to indicate
- single-step method.
- -x <parameter> enclave type, sgx or trustzone.
- -h printf help message.
+ The digest command is used to generate signing material.
+ The dump command is used to generate metadata for sgx signed enclave.
+ -i <file> input parameter, which is enclave to be signed for digest/sign command, and signed enclave for
+ dump command.
+ -k <file> private key required for single-step method.
+ -m <file> additional config_cloud.ini for trustzone.
+ -o <file> output parameter, the sign command outputs signed enclave, the digest command outputs signing
+ material, the dump command outputs data containing the SIGStruct metadata for the SGX signed
+ enclave, which is submitted to Intel for whitelisting.
+ -p <file> signing server public key certificate, required for sgx two-step method.
+ -s <file> the signature value required for two-step method, this parameter is empty to indicate
+ single-step method.
+ -x <parameter> enclave type, sgx or trustzone.
+ -h print help message.
```
**Note**:
Using the `./sign_tool.sh -h` to get help information.
diff --git a/examples/helloworld/enclave/CMakeLists.txt b/examples/helloworld/enclave/CMakeLists.txt
index f7967ef..98f50ac 100644
--- a/examples/helloworld/enclave/CMakeLists.txt
+++ b/examples/helloworld/enclave/CMakeLists.txt
@@ -71,7 +71,7 @@ if(CC_GP)
target_include_directories( ${PREFIX} PRIVATE
${CMAKE_CURRENT_BINARY_DIR}
- ${LOCAL_ROOT_PATH}/debug/inc
+ ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc
${LOCAL_ROOT_PATH}/inc/host_inc
${LOCAL_ROOT_PATH}/inc/host_inc/gp
${LOCAL_ROOT_PATH}/inc/enclave_inc
diff --git a/examples/helloworld/host/CMakeLists.txt b/examples/helloworld/host/CMakeLists.txt
index 60173a9..c6f2166 100644
--- a/examples/helloworld/host/CMakeLists.txt
+++ b/examples/helloworld/host/CMakeLists.txt
@@ -39,10 +39,10 @@ if(CC_GP)
endif()
add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES})
target_include_directories(${OUTPUT} PRIVATE
- ${LOCAL_ROOT_PATH}/debug/inc
- ${LOCAL_ROOT_PATH}/inc/host_inc
- ${LOCAL_ROOT_PATH}/inc/host_inc/gp
- ${CMAKE_CURRENT_BINARY_DIR})
+ ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/gp
+ ${CMAKE_CURRENT_BINARY_DIR})
if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
target_link_directories(${OUTPUT} PRIVATE ${CMAKE_LIBRARY_OUTPUT_DIRECTORY})
endif()
diff --git a/examples/seal_data/enclave/CMakeLists.txt b/examples/seal_data/enclave/CMakeLists.txt
index b24e498..542163e 100644
--- a/examples/seal_data/enclave/CMakeLists.txt
+++ b/examples/seal_data/enclave/CMakeLists.txt
@@ -66,7 +66,7 @@ if(CC_GP)
target_include_directories( ${PREFIX} PRIVATE
${CMAKE_CURRENT_BINARY_DIR}
- ${LOCAL_ROOT_PATH}/debug/inc
+ ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc
${LOCAL_ROOT_PATH}/inc/host_inc
${LOCAL_ROOT_PATH}/inc/host_inc/gp
${LOCAL_ROOT_PATH}/inc/enclave_inc
diff --git a/examples/seal_data/host/CMakeLists.txt b/examples/seal_data/host/CMakeLists.txt
index 691cd07..a0986d1 100644
--- a/examples/seal_data/host/CMakeLists.txt
+++ b/examples/seal_data/host/CMakeLists.txt
@@ -40,10 +40,10 @@ if(CC_GP)
endif()
add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES})
target_include_directories(${OUTPUT} PRIVATE
- ${LOCAL_ROOT_PATH}/debug/inc
- ${LOCAL_ROOT_PATH}/inc/host_inc
- ${LOCAL_ROOT_PATH}/inc/host_inc/gp
- ${CMAKE_CURRENT_BINARY_DIR})
+ ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/gp
+ ${CMAKE_CURRENT_BINARY_DIR})
if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
target_link_directories(${OUTPUT} PRIVATE ${CMAKE_LIBRARY_OUTPUT_DIRECTORY})
endif()
diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh
index 5fd7d5b..9906bff 100755
--- a/tools/sign_tool/sign_tool.sh
+++ b/tools/sign_tool/sign_tool.sh
@@ -20,19 +20,22 @@ print_help(){
echo "sign tool usage: ./sign_tool.sh [options] ..."
echo "[options]"
echo "-c <file> basic config file."
- echo "-d <parameter> sign tool command, sign/digest."
+ echo "-d <parameter> sign tool command, sign/digest/dump."
echo " The sign command is used to generate a signed enclave."
- echo " The digest command is used to generate a digest value."
- echo "-i <file> enclave to be signed."
- echo "-k <file> private key required for single-step method"
+ echo " The digest command is used to generate signing material."
+ echo " The dump command is used to generate metadata for sgx signed enclave."
+ echo "-i <file> input parameter, which is enclave to be signed for digest/sign command, and signed enclave for"
+ echo " dump command."
+ echo "-k <file> private key required for single-step method."
echo "-m <file> additional config_cloud.ini for trustzone."
- echo "-o <file> output parameters, the sign command outputs sigend enclave, the digest command outputs"
- echo " digest value."
- echo "-p <file> signing server public key certificate, required for two-step method."
- echo "-s <file> the signed digest value required for two-step method, this parameter is empty to indicate"
+ echo "-o <file> output parameter, the sign command outputs signed enclave, the digest command outputs signing"
+ echo " material, the dump command outputs data containing the SIGStruct metadata for the SGX signed"
+ echo " enclave, which is submitted to Intel for whitelisting."
+ echo "-p <file> signing server public key certificate, required for sgx two-step method."
+ echo "-s <file> the signature value required for two-step method, this parameter is empty to indicate"
echo " single-step method."
echo "-x <parameter> enclave type, sgx or trustzone."
- echo "-h printf help message."
+ echo "-h print help message."
}
@@ -164,12 +167,12 @@ sgx_start_sign(){
fi
SIGDATA_FILE="signdata"
if [ "${CMD}"x == "sign"x ]; then
- if [ -z $SIG_KEY ]; then
- echo "Error: missing sign key"
- exit -1
- fi
if [ -z $SIGNATURE ]; then
- if [ -z $CONFIG_FILE ]; then
+ if [ -z $SIG_KEY ]; then
+ echo "Error: missing sign key"
+ exit -1
+ fi
+ if [ -z $CONFIG_FILE ]; then
sgx_sign sign -enclave ${IN_ENCLAVE} -key ${SIG_KEY} -out ${OUT_FILE}
else
sgx_sign sign -enclave ${IN_ENCLAVE} -key ${SIG_KEY} -out ${OUT_FILE} -config ${CONFIG_FILE}
@@ -180,9 +183,9 @@ sgx_start_sign(){
exit -1
fi
if [ -z $CONFIG_FILE ]; then
- sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsignd ${SIGDATA_FILE} -out ${OUT_FILE}
+ sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsigned ${SIGDATA_FILE} -out ${OUT_FILE}
else
- sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsignd ${SIGDATA_FILE} -out ${OUT_FILE} -config ${CONFIG_FILE}
+ sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsigned ${SIGDATA_FILE} -out ${OUT_FILE} -config ${CONFIG_FILE}
fi
rm -rf ${SIGDATA_FILE}
fi
@@ -192,7 +195,9 @@ sgx_start_sign(){
else
sgx_sign gendata -enclave ${IN_ENCLAVE} -out ${SIGDATA_FILE} -config ${CONFIG_FILE}
fi
- openssl dgst -sha256 -out ${OUT_FILE} ${SIGDATA_FILE}
+ cp ${SIGDATA_FILE} ${OUT_FILE}
+ elif [ "${CMD}"x == "dump"x ]; then
+ sgx_sign dump -enclave ${IN_ENCLAVE} -dumpfile ${OUT_FILE}
else
echo "Error: illegal command"
fi
--
2.27.0

166
0031-set-signtool_v3.py-path.patch Normal file
View File

@ -0,0 +1,166 @@
From 2d9a481617422a423612417835a48b0614716f2d Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Thu, 20 May 2021 10:40:25 +0800
Subject: [PATCH 14/14] set signtool_v3.py path
---
README.en.md | 2 +-
README.md | 2 +-
examples/helloworld/enclave/CMakeLists.txt | 2 +-
examples/helloworld/host/CMakeLists.txt | 2 +-
examples/seal_data/enclave/CMakeLists.txt | 2 +-
examples/seal_data/host/CMakeLists.txt | 2 +-
src/enclave_src/CMakeLists.txt | 2 +-
src/host_src/CMakeLists.txt | 2 +-
tools/sign_tool/sign_tool.sh | 13 +++++++++----
9 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/README.en.md b/README.en.md
index 8aaa1b0..ec7ada0 100644
--- a/README.en.md
+++ b/README.en.md
@@ -49,7 +49,7 @@ Then save as test.edl
set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
set(EDL_FILE test.edl)
set(LOCAL_ROOT_PATH "$ENV{CC_SDK}")
- set(SECGEAR_INSTALL_PATH /lib64/)
+ set(SECGEAR_INSTALL_PATH /usr/lib64/)
set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
diff --git a/README.md b/README.md
index b95dcc9..2d09831 100644
--- a/README.md
+++ b/README.md
@@ -41,7 +41,7 @@ SecGear则是面向计算产业的机密计算安全应用开发套件。旨在
set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
set(EDL_FILE test.edl)
set(LOCAL_ROOT_PATH "$ENV{CC_SDK}")
- set(SECGEAR_INSTALL_PATH /lib64/)
+ set(SECGEAR_INSTALL_PATH /usr/lib64/)
set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
diff --git a/examples/helloworld/enclave/CMakeLists.txt b/examples/helloworld/enclave/CMakeLists.txt
index 98f50ac..0546183 100644
--- a/examples/helloworld/enclave/CMakeLists.txt
+++ b/examples/helloworld/enclave/CMakeLists.txt
@@ -71,7 +71,7 @@ if(CC_GP)
target_include_directories( ${PREFIX} PRIVATE
${CMAKE_CURRENT_BINARY_DIR}
- ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc
+ ${CMAKE_BINARY_DIR}/inc
${LOCAL_ROOT_PATH}/inc/host_inc
${LOCAL_ROOT_PATH}/inc/host_inc/gp
${LOCAL_ROOT_PATH}/inc/enclave_inc
diff --git a/examples/helloworld/host/CMakeLists.txt b/examples/helloworld/host/CMakeLists.txt
index c6f2166..96985cb 100644
--- a/examples/helloworld/host/CMakeLists.txt
+++ b/examples/helloworld/host/CMakeLists.txt
@@ -39,7 +39,7 @@ if(CC_GP)
endif()
add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES})
target_include_directories(${OUTPUT} PRIVATE
- ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc
+ ${CMAKE_BINARY_DIR}/inc
${LOCAL_ROOT_PATH}/inc/host_inc
${LOCAL_ROOT_PATH}/inc/host_inc/gp
${CMAKE_CURRENT_BINARY_DIR})
diff --git a/examples/seal_data/enclave/CMakeLists.txt b/examples/seal_data/enclave/CMakeLists.txt
index 542163e..f80efb8 100644
--- a/examples/seal_data/enclave/CMakeLists.txt
+++ b/examples/seal_data/enclave/CMakeLists.txt
@@ -66,7 +66,7 @@ if(CC_GP)
target_include_directories( ${PREFIX} PRIVATE
${CMAKE_CURRENT_BINARY_DIR}
- ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc
+ ${CMAKE_BINARY_DIR}/inc
${LOCAL_ROOT_PATH}/inc/host_inc
${LOCAL_ROOT_PATH}/inc/host_inc/gp
${LOCAL_ROOT_PATH}/inc/enclave_inc
diff --git a/examples/seal_data/host/CMakeLists.txt b/examples/seal_data/host/CMakeLists.txt
index a0986d1..19920b4 100644
--- a/examples/seal_data/host/CMakeLists.txt
+++ b/examples/seal_data/host/CMakeLists.txt
@@ -40,7 +40,7 @@ if(CC_GP)
endif()
add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES})
target_include_directories(${OUTPUT} PRIVATE
- ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc
+ ${CMAKE_BINARY_DIR}/inc
${LOCAL_ROOT_PATH}/inc/host_inc
${LOCAL_ROOT_PATH}/inc/host_inc/gp
${CMAKE_CURRENT_BINARY_DIR})
diff --git a/src/enclave_src/CMakeLists.txt b/src/enclave_src/CMakeLists.txt
index 66a36ea..f6d353c 100644
--- a/src/enclave_src/CMakeLists.txt
+++ b/src/enclave_src/CMakeLists.txt
@@ -11,7 +11,7 @@
project(secgear_tee C)
set(target_lib secgear_tee)
-set(LIBRARY_INSTALL /lib64)
+set(LIBRARY_INSTALL /usr/lib64)
set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib)
diff --git a/src/host_src/CMakeLists.txt b/src/host_src/CMakeLists.txt
index 25d245f..a545e27 100644
--- a/src/host_src/CMakeLists.txt
+++ b/src/host_src/CMakeLists.txt
@@ -10,7 +10,7 @@
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fvisibility=hidden -fPIC -Wno-stringop-overflow")
-set(LIBRARY_INSTALL /lib64)
+set(LIBRARY_INSTALL /usr/lib64)
include_directories(${LOCAL_ROOT_PATH}/inc/host_inc)
diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh
index 9906bff..5469f80 100755
--- a/tools/sign_tool/sign_tool.sh
+++ b/tools/sign_tool/sign_tool.sh
@@ -12,9 +12,14 @@
VERSION=3
API_LEVEL=2
ONE_STEP_MODE=1
-A_CONFIG_FILE="NULL"
localpath="$(cd "$(dirname "$0")"; pwd)"
+pypath="/lib/secGear"
+if [ -f ${localpath}/signtool_v3.py ]; then
+ signtoolpath=${localpath}
+else
+ signtoolpath=${pypath}
+fi
print_help(){
echo "sign tool usage: ./sign_tool.sh [options] ..."
@@ -139,10 +144,10 @@ itrustee_start_sign(){
echo "Error: missing enclave file"
exit -1
fi
- python ${localpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}"
+ python ${signtoolpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}"
else
ONE_STEP_MODE=0
- python ${localpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "NULL" "${OUT_FILE}" "NULL" "${A_CONFIG_FILE}" "${API_LEVEL}" "${SIGNATURE}"
+ python ${signtoolpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "NULL" "${OUT_FILE}" "NULL" "${A_CONFIG_FILE}" "${API_LEVEL}" "${SIGNATURE}"
fi
elif [ "${CMD}"x == "digest"x ]; then
ONE_STEP_MODE=0
@@ -154,7 +159,7 @@ itrustee_start_sign(){
echo "Error: missing enclave file"
exit -1
fi
- python ${localpath}/signtool_v3.py "digest" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}"
+ python ${signtoolpath}/signtool_v3.py "digest" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}"
else
echo "Error: illegal command"
fi
--
2.27.0

25
0032-del-size_to_aligned_size.patch Normal file
View File

@ -0,0 +1,25 @@
From f31970aac34d3e6fb6c50508ec5d5d4e07da0e0a Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Fri, 21 May 2021 11:14:06 +0800
Subject: [PATCH] del size_to_aligned_size
---
tools/codegener/Commonfunc.ml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/codegener/Commonfunc.ml b/tools/codegener/Commonfunc.ml
index 42d62c4..6f3966a 100644
--- a/tools/codegener/Commonfunc.ml
+++ b/tools/codegener/Commonfunc.ml
@@ -428,7 +428,7 @@ let set_in_memcpy (fd : func_decl) =
sprintf "for (int i = 0; i < %s; i++) {\n if((%s + i)->%s) {\n memcpy(in_buf + %s_p + tmp_size, (uint8_t *)(%s + i)->%s, %s);\n tmp_size += size_to_aligned_size(%s);\n }\n }\n tmp_size = 0;\n " (get_param_count pty) decl.identifier mem_decl.identifier mem_decl.identifier decl.identifier mem_decl.identifier (get_sizestr_2 (mem_pty, mem_decl) decl) (get_sizestr_2 (mem_pty, mem_decl) decl) in
[
"/* Copy in_params to in_buf*/";
- sprintf "memcpy(in_buf, &args_size, size_to_aligned_size(sizeof(%s_size_t)));" fd.fname;
+ sprintf "memcpy(in_buf, &args_size, sizeof(%s_size_t));" fd.fname;
if in_memcpy <> [] then
concat "\n " in_memcpy ^ "\n " ^
concat "\n "
--
2.27.0

112
secGear.spec
View File

@ -1,8 +1,8 @@
Name: secGear
Version: 0.1.0
Release: 13%{?dist}
Release: 14%{?dist}
Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features
ExclusiveArch: x86_64
Group: OS Security
License: Mulan PSL v2
@ -17,94 +17,123 @@ Patch4: 0005-delete-unnecessary-README.cn.md.patch
Patch5: 0006-fix-issues-about-double-create-destory.patch
Patch6: 0007-to-make-secGear-log-more-clear.patch
Patch7: 0008-modify-path-error.patch
Patch8: 0009-fix-sgxssl-edl.patch
Patch9: 0010-update-docs-build_install.md.patch
Patch10: 0011-modify-the-prompt-information.patch
Patch11: 0012-parse-new-error-code-and-del-redundant-print.patch
Patch12: 0013-fix-error-print.patch
Patch13: 0014-set-umask-in-sign_tool.sh.patch
Patch14: 0015-1.fix-the-race-of-ecall-and-enclave-destroy.patch
Patch15: 0016-fix-wrong-spelling-and-null-pointer-dereference-issu.patch
Patch16: 0017-update-signtool-codegen.patch
Patch8: 0009-fix-cmake-error-of-missing-CMAKE_CXX_COMPILER.patch
Patch9: 0010-fix-sgxssl-edl.patch
Patch10: 0011-update-docs-build_install.md.patch
Patch11: 0012-modify-the-prompt-information.patch
Patch12: 0013-parse-new-error-code-and-del-redundant-print.patch
Patch13: 0014-fix-error-print.patch
Patch14: 0015-set-umask-in-sign_tool.sh.patch
Patch15: 0016-1.fix-the-race-of-ecall-and-enclave-destroy.patch
Patch16: 0017-fix-wrong-spelling-and-null-pointer-dereference-issu.patch
Patch17: 0018-update-sign_tool.doc.patch
Patch18: 0019-normalized-codegen-from-arm-and-x86.patch
Patch19: 0020-rm-e-parameter-normalize-c-parameter.patch
Patch20: 0021-example-use-absolute-path-to-find-enclave.sign.so.patch
Patch21: 0022-add-example-of-using-sgxssl-lib.patch
Patch22: 0023-tls_enclave-is-not-compiled-by-default.patch
Patch23: 0024-Cmake-replace-minial-cmake-from-3.12-to-3.10.patch
Patch24: 0025-example-add-example-for-LRT-long-running-task.patch
Patch25: 0026-example-add-Dockerfile-to-build-lrt-example-image.patch
Patch26: 0027-Change-to-use-the-milestone-picture-with-English.patch
Patch27: 0028-example-use-the-sgx-device-plugin-from-intel.patch
Patch28: 0029-some-adaptations-for-trustzone.patch
Patch29: 0030-fix-sgx-two-step-mode-bug-add-dump-command.patch
Patch30: 0031-set-signtool_v3.py-path.patch
Patch31: 0032-del-size_to_aligned_size.patch
BuildRequires: gcc python3 automake autoconf libtool
BuildRequires: gcc python automake autoconf libtool
BUildRequires: glibc glibc-devel cmake ocaml-dune
%ifarch x86_64
BUildRequires: linux-sgx-driver sgxsdk libsgx-launch libsgx-urts
%else
BUildRequires: itrustee_sdk
%endif
Requires: rsyslog
Requires: rsyslog
%ifarch x86_64
Requires: linux-sgx-driver sgxsdk libsgx-launch libsgx-urts
Requires: linux-sgx-driver sgxsdk libsgx-launch libsgx-urts
%else
Requires: itrustee_sdk
%endif
%description
secGear is an SDK to develop confidential computing apps based on hardware enclave features
%package devel
Summary: Development files for %{name}
Requires: %{name}%{?isa} = %{version}-%{release} cmake
%package devel
Summary: Development files for %{name}
Requires: %{name}%{?isa} = %{version}-%{release} cmake
%description devel
The %{name}-devel is package contains Header file for developing applications that
The %{name}-devel is package contains Header file for developing applications that
us %{name}
%package sim
Summary: simulation package files for %{name}
Requires: %{name}%{?isa} = %{version}-%{release}
%description sim
%ifarch x86_64
%package sim
Summary: simulation package files for %{name}
Requires: %{name}%{?isa} = %{version}-%{release}
%description sim
The %{name}-sim is package contains simulation libraries for developing applications
%endif
%prep
%autosetup -n %{name} -p1
%build
source ./environment
%ifarch x86_64
source /opt/intel/sgxsdk/environment
cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=on -DSGXSDK=/opt/intel/sgxsdk
make
make
%else
#The itrustee OS is not released
cmake -DCMAKE_BUILD_TYPE=Debug -DCC_GP=on -DiTrusteeSDK=/opt/itrustee_sdk
make
%endif
%install
make install DESTDIR=%{buildroot}
install -d %{buildroot}/%{_datarootdir}/licenses/secGear
install -pm 644 License/Third_Party_Open_Source_Software_Notice.md %{buildroot}/%{_datarootdir}/licenses/secGear
install -d %{buildroot}/%{_includedir}/secGear
#install -pm 644 inc/host_inc/* %{buildroot}/%{_includedir}/secGear/host_inc
%ifarch x86_64
install -d %{buildroot}/%{_bindir}
install -pm 751 bin/codegen %{buildroot}/%{_bindir}
install -pm 751 tools/sign_tool/sign_tool.sh %{buildroot}/%{_bindir}
install -d %{buildroot}/%{_sysconfdir}/secGear/cloud
install -d %{buildroot}/lib/secGear/
install -pm 751 tools/sign_tool/*.py %{buildroot}/lib/secGear
install -pm 644 tools/sign_tool/cloud/rsa_public_key_cloud.pem %{buildroot}/%{_sysconfdir}/secGear/cloud
%ifarch x86_64
install -pm 644 inc/host_inc/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/host_inc/sgx/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/host_inc/sgx/*.edl %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/enclave_inc/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/enclave_inc/sgx/*.h %{buildroot}/%{_includedir}/secGear
install -pm 751 bin/codegen %{buildroot}/%{_bindir}
install -pm 751 tools/sign_tool/sign_tool.sh %{buildroot}/%{_bindir}
%else
install -d %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/host_inc/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/host_inc/gp/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/host_inc/gp/*.edl %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/enclave_inc/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/enclave_inc/gp/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/enclave_inc/gp/itrustee/*.h %{buildroot}/%{_includedir}/secGear
%endif
pushd %{buildroot}
rm `find . -name secgear_helloworld` -rf
rm `find . -name secgear_seal_data` -rf
%ifarch aarch64
rm `find . -name libsecgearsim.so` -rf
%endif
popd
%files
%license License/LICENSE
%license License/Third_Party_Open_Source_Software_Notice.md
%defattr(-,root,root)
/%{_lib}/libsecgear_tee.a
/%{_lib}/libsecgear.so
%{_libdir}/libsecgear_tee.a
%{_libdir}/libsecgear.so
%ifarch x86_64
/%{_lib}/libsgx_0.so
%{_libdir}/libsgx_0.so
%else
#The itrustee OS is not released
%{_libdir}/libgp_0.so
%endif
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/rsyslog.d/secgear.conf
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/logrotate.d/secgear
@ -112,23 +141,26 @@ popd
%files devel
%{_bindir}/*
%{_includedir}/secGear/*
/lib/secGear/*
%{_sysconfdir}/secGear/cloud/rsa_public_key_cloud.pem
%ifarch x86_64
%files sim
%defattr(-,root,root)
%license License/LICENSE
/%{_lib}/libsecgearsim.so
%ifarch x86_64
/%{_lib}/libsgxsim_0.so
%else
#The itrustee OS is not released
%{_libdir}/libsecgearsim.so
%{_libdir}/libsgxsim_0.so
%endif
%changelog
* Thu May 20 2021 chenmaodong<chenmaodong@huawei.com> - 0.1.0-14
- DESC: update some bugfix form openeuler secGear
* Wed May 12 2021 yanlu<yanlu14@huawei.com> - 0.1.0-13
- DESC: update signtool and codegen
* Thu Apr 27 2021 chenmaodong<chenmaodong@huawei.com> - 0.1.0-12
- DESC: add licenses and thirdparty opensource notice
- DESC: add cmake to Requires
* Tue Apr 13 2021 wanghongzhe<wanghongzhe@huawei.com> - 0.1.0-11
- DESC: add licenses and thirdparty opensource notice