From 9e62fb9925b45ba18afe18d65303c11c01bf1bd4 Mon Sep 17 00:00:00 2001 From: chenmaodong Date: Thu, 20 May 2021 19:43:40 +0800 Subject: [PATCH] update some bugfixs and adaptations from openeuler secGear 
Signed-off-by: chenmaodong --- ...-error-of-missing-CMAKE_CXX_COMPILER.patch | 43 + ...ssl-edl.patch => 0010-fix-sgxssl-edl.patch | 0 ...=> 0011-update-docs-build_install.md.patch | 0 ...> 0012-modify-the-prompt-information.patch | 0 ...w-error-code-and-del-redundant-print.patch | 0 ...-print.patch => 0014-fix-error-print.patch | 0 ...ch => 0015-set-umask-in-sign_tool.sh.patch | 0 ...he-race-of-ecall-and-enclave-destroy.patch | 0 ...ng-and-null-pointer-dereference-issu.patch | 0 0018-update-sign_tool.doc.patch | 50 + ...-normalized-codegen-from-arm-and-x86.patch | 157 ++ ...rm-e-parameter-normalize-c-parameter.patch | 353 +-- ...bsolute-path-to-find-enclave.sign.so.patch | 49 + 0022-add-example-of-using-sgxssl-lib.patch | 942 +++++++ ...s_enclave-is-not-compiled-by-default.patch | 25 + ...place-minial-cmake-from-3.12-to-3.10.patch | 68 + ...dd-example-for-LRT-long-running-task.patch | 517 ++++ ...ockerfile-to-build-lrt-example-image.patch | 172 ++ ...e-the-milestone-picture-with-English.patch | 29 + ...use-the-sgx-device-plugin-from-intel.patch | 73 + 0029-some-adaptations-for-trustzone.patch | 2159 +++++++++++++++++ ...x-two-step-mode-bug-add-dump-command.patch | 234 ++ 0031-set-signtool_v3.py-path.patch | 166 ++ 0032-del-size_to_aligned_size.patch | 25 + secGear.spec | 112 +- 25 files changed, 4830 insertions(+), 344 deletions(-) create mode 100644 0009-fix-cmake-error-of-missing-CMAKE_CXX_COMPILER.patch rename 0009-fix-sgxssl-edl.patch => 0010-fix-sgxssl-edl.patch (100%) rename 0010-update-docs-build_install.md.patch => 0011-update-docs-build_install.md.patch (100%) rename 0011-modify-the-prompt-information.patch => 0012-modify-the-prompt-information.patch (100%) rename 0012-parse-new-error-code-and-del-redundant-print.patch => 0013-parse-new-error-code-and-del-redundant-print.patch (100%) rename 0013-fix-error-print.patch => 0014-fix-error-print.patch (100%) rename 0014-set-umask-in-sign_tool.sh.patch => 0015-set-umask-in-sign_tool.sh.patch (100%) rename 
0015-1.fix-the-race-of-ecall-and-enclave-destroy.patch => 0016-1.fix-the-race-of-ecall-and-enclave-destroy.patch (100%) rename 0016-fix-wrong-spelling-and-null-pointer-dereference-issu.patch => 0017-fix-wrong-spelling-and-null-pointer-dereference-issu.patch (100%) create mode 100644 0018-update-sign_tool.doc.patch create mode 100644 0019-normalized-codegen-from-arm-and-x86.patch rename 0017-update-signtool-codegen.patch => 0020-rm-e-parameter-normalize-c-parameter.patch (56%) create mode 100644 0021-example-use-absolute-path-to-find-enclave.sign.so.patch create mode 100644 0022-add-example-of-using-sgxssl-lib.patch create mode 100644 0023-tls_enclave-is-not-compiled-by-default.patch create mode 100644 0024-Cmake-replace-minial-cmake-from-3.12-to-3.10.patch create mode 100644 0025-example-add-example-for-LRT-long-running-task.patch create mode 100644 0026-example-add-Dockerfile-to-build-lrt-example-image.patch create mode 100644 0027-Change-to-use-the-milestone-picture-with-English.patch create mode 100644 0028-example-use-the-sgx-device-plugin-from-intel.patch create mode 100644 0029-some-adaptations-for-trustzone.patch create mode 100644 0030-fix-sgx-two-step-mode-bug-add-dump-command.patch create mode 100644 0031-set-signtool_v3.py-path.patch create mode 100644 0032-del-size_to_aligned_size.patch diff --git a/0009-fix-cmake-error-of-missing-CMAKE_CXX_COMPILER.patch b/0009-fix-cmake-error-of-missing-CMAKE_CXX_COMPILER.patch new file mode 100644 index 0000000..78c9932 --- /dev/null +++ b/0009-fix-cmake-error-of-missing-CMAKE_CXX_COMPILER.patch 
@@ -0,0 +1,43 @@
+From ca6b3ab02bd3d1853a88d637b38daf45c737e15e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E7=AB=A0=E6=9F=B3=E7=87=95?=
+Date: Thu, 4 Mar 2021 11:16:05 +0800
+Subject: [PATCH 1/1] =?UTF-8?q?=E4=BF=AE=E6=94=B9cmake=E9=94=99=E8=AF=AF?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: root
+---
+ src/enclave_src/CMakeLists.txt | 2 +-
+ tools/codegener/CMakeLists.txt | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/enclave_src/CMakeLists.txt b/src/enclave_src/CMakeLists.txt
+index cb09b5c..66a36ea 100644
+--- a/src/enclave_src/CMakeLists.txt
++++ b/src/enclave_src/CMakeLists.txt
+@@ -8,7 +8,7 @@
+ # PURPOSE.
+ # See the Mulan PSL v2 for more details.
+
+-project(secgear_tee)
++project(secgear_tee C)
+
+ set(target_lib secgear_tee)
+ set(LIBRARY_INSTALL /lib64)
+diff --git a/tools/codegener/CMakeLists.txt b/tools/codegener/CMakeLists.txt
+index c5fd618..0f8b5af 100644
+--- a/tools/codegener/CMakeLists.txt
++++ b/tools/codegener/CMakeLists.txt
+@@ -10,7 +10,7 @@
+
+ include(ExternalProject)
+
+-project(CodeGen)
++project(CodeGen C)
+
+ find_program(DUNE dune)
+
+--
+2.27.0
+
diff --git a/0009-fix-sgxssl-edl.patch b/0010-fix-sgxssl-edl.patch
similarity index 100%
rename from 0009-fix-sgxssl-edl.patch
rename to 0010-fix-sgxssl-edl.patch
diff --git a/0010-update-docs-build_install.md.patch b/0011-update-docs-build_install.md.patch
similarity index 100%
rename from 0010-update-docs-build_install.md.patch
rename to 0011-update-docs-build_install.md.patch
diff --git a/0011-modify-the-prompt-information.patch b/0012-modify-the-prompt-information.patch
similarity index 100%
rename from 0011-modify-the-prompt-information.patch
rename to 0012-modify-the-prompt-information.patch
diff --git a/0012-parse-new-error-code-and-del-redundant-print.patch b/0013-parse-new-error-code-and-del-redundant-print.patch
similarity index 100%
rename from 0012-parse-new-error-code-and-del-redundant-print.patch
rename to 0013-parse-new-error-code-and-del-redundant-print.patch
diff --git a/0013-fix-error-print.patch b/0014-fix-error-print.patch
similarity index 100%
rename from 0013-fix-error-print.patch
rename to 0014-fix-error-print.patch
diff --git a/0014-set-umask-in-sign_tool.sh.patch b/0015-set-umask-in-sign_tool.sh.patch
similarity index 100%
rename from 0014-set-umask-in-sign_tool.sh.patch
rename to 0015-set-umask-in-sign_tool.sh.patch
diff --git a/0015-1.fix-the-race-of-ecall-and-enclave-destroy.patch b/0016-1.fix-the-race-of-ecall-and-enclave-destroy.patch
similarity index 100%
rename from 0015-1.fix-the-race-of-ecall-and-enclave-destroy.patch
rename to 0016-1.fix-the-race-of-ecall-and-enclave-destroy.patch
diff --git a/0016-fix-wrong-spelling-and-null-pointer-dereference-issu.patch b/0017-fix-wrong-spelling-and-null-pointer-dereference-issu.patch
similarity index 100%
rename from 0016-fix-wrong-spelling-and-null-pointer-dereference-issu.patch
rename to 0017-fix-wrong-spelling-and-null-pointer-dereference-issu.patch
diff --git a/0018-update-sign_tool.doc.patch b/0018-update-sign_tool.doc.patch
new file mode 100644
index 0000000..d23f019
--- /dev/null
+++ b/0018-update-sign_tool.doc.patch
@@ -0,0 +1,50 @@
+From 8a586fc5fa249ced59ae495357c64baa7c6201f0 Mon Sep 17 00:00:00 2001
+From: yanlu
+Date: Thu, 25 Mar 2021 15:27:32 +0800
+Subject: [PATCH 01/14] update sign_tool.doc
+
+---
+ docs/sign_tool.md | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/docs/sign_tool.md b/docs/sign_tool.md
+index 3a49d5b..26805bd 100644
+--- a/docs/sign_tool.md
++++ b/docs/sign_tool.md
+@@ -4,7 +4,7 @@ The sign_tool.sh helps to sign the enclave.
+
+ ## The sign_tool.sh
+
+-The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'sign_too.py' for signing the trustzone enclave.
++The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'sign_tool.py' for signing the trustzone enclave.
+
+ The tool supports the following two modes:
+
+@@ -13,21 +13,21 @@ The tool supports the following two modes:
+
+ For example:
+
+- `$ ./signtool.sh –d sign –x trustzone –i test.enclave -m manifest.txt –e device_pubkey.pem –o signed.enclave `
++ `$ ./sign_tool.sh –d sign –x trustzone –i test.enclave -m manifest.txt –e device_pubkey.pem –o signed.enclave `
+
+
+ - two-step method, it is used when the signature needs to be obtained from the signing organization or the private key is stored on another secure platform.
+
+ For example:
+ (1) generate the digest value.
+- `$ ./signtool.sh –d digest –x trustzone –i input -m manifest.txt –e device_pubkey.pem –o digest.data `
++ `$ ./sign_tool.sh –d digest –x trustzone –i input -m manifest.txt –e device_pubkey.pem –o digest.data `
+
+ For trustzone, temporary files KeyInfo.enc, rawData.enc, and rawDataHash.bin are generated in the current directory. And for sgx, a temporary file signdata is generated in the current directory. The temporary file is required when generating the signed enclave in step 3 and is deleted after the signed enclave is generated.
+
+ (2) send the digest.data to the signing organization or platform and get the signature.
+
+ (3) use the signature to generate the signed enclave.
+- `$ ./signtool.sh –d sign –x trustzone –i input -m manifest.txt –p pub.pem –e device_pubkey.pem –s signature –o signed.enclave `
++ `$ ./sign_tool.sh –d sign –x trustzone –i input -m manifest.txt –p pub.pem –e device_pubkey.pem –s signature –o signed.enclave `
+
+ ## sign_tool.sh parameter
+
+--
+2.27.0
+
diff --git a/0019-normalized-codegen-from-arm-and-x86.patch b/0019-normalized-codegen-from-arm-and-x86.patch
new file mode 100644
index 0000000..923097c
--- /dev/null
+++ b/0019-normalized-codegen-from-arm-and-x86.patch
@@ -0,0 +1,157 @@ +From 3b7651a53017e41726b80b24fc1757c06cf73ba7 Mon Sep 17 00:00:00 2001 +From: whzhe +Date: Mon, 12 Apr 2021 10:33:17 +0800 +Subject: [PATCH 02/14] normalized codegen from arm and x86 + +--- + README.en.md | 3 +-- + README.md | 5 ++--- + docs/codegener.md | 14 +++++--------- + examples/helloworld/CMakeLists.txt | 3 +-- + examples/seal_data/CMakeLists.txt | 3 +-- + tools/codegener/CMakeLists.txt | 8 +------- + 6 files changed, 11 insertions(+), 25 deletions(-) + +diff --git a/README.en.md b/README.en.md +index fa47d03..909358f 100644 +--- a/README.en.md ++++ b/README.en.md +@@ -50,16 +50,15 @@ Then save as test.edl + set(EDL_FILE test.edl) + set(LOCAL_ROOT_PATH "$ENV{CC_SDK}") + set(SECGEAR_INSTALL_PATH /lib64/) ++ set(CODEGEN codegen) + if(CC_GP) + set(CODETYPE trustzone) +- set(CODEGEN codegen_arm64) + execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID) + string(REPLACE "\n" "" UUID ${UUID}) + add_definitions(-DPATH="/data/${UUID}.sec") + endif() + if(CC_SGX) + set(CODETYPE sgx) +- set(CODEGEN codegen_x86_64) + add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so") + endif() + add_subdirectory(${CURRENT_ROOT_PATH}/enclave) +diff --git a/README.md b/README.md +index 54c32e3..fafe3f9 100644 +--- a/README.md ++++ b/README.md +@@ -42,16 +42,15 @@ SecGear则是面向计算产业的机密计算安全应用开发套件。旨在 + set(EDL_FILE test.edl) + set(LOCAL_ROOT_PATH "$ENV{CC_SDK}") + set(SECGEAR_INSTALL_PATH /lib64/) ++ set(CODEGEN codegen) + if(CC_GP) + set(CODETYPE trustzone) +- set(CODEGEN codegen_arm64) + execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID) + string(REPLACE "\n" "" UUID ${UUID}) + add_definitions(-DPATH="/data/${UUID}.sec") + endif() + if(CC_SGX) + set(CODETYPE sgx) +- set(CODEGEN codegen_x86_64) + add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so") + endif() + add_subdirectory(${CURRENT_ROOT_PATH}/enclave) +diff --git a/docs/codegener.md b/docs/codegener.md +index cc20013..85fc6a0 100644 +--- 
a/docs/codegener.md ++++ b/docs/codegener.md +@@ -1,19 +1,15 @@ +-# Getting started with the codegen_x86_64/codegen_arm64 ++# Getting started with the codegen + +-The codegen_x86_64/codegen_arm64 helps to define these special functions through the `edl` files and assist user to using enclave. ++The codegen helps to define these special functions through the `edl` files and assist user to using enclave. + +-## The codegen_x86_64/codegen_arm64 ++## The codegen + +-The codegen_x86_64/codegen_arm64 is based on the 'edger8r' tool in SGX SDK. ++The codegen is based on the 'edger8r' tool in SGX SDK. + - For example + ``` + $ codegen_arm64 --trustzone test.edl + ``` +-OR +-``` +-$ codegen_x86_64 --sgx test.edl +-``` +-**Note**: using the `codegen_x86_64/codegen_arm64 --help` to get more details. ++**Note**: using the `codegen --help` to get more details. + + ## EDL format + - For SGX(x86) +diff --git a/examples/helloworld/CMakeLists.txt b/examples/helloworld/CMakeLists.txt +index a758f1c..5da2a6b 100644 +--- a/examples/helloworld/CMakeLists.txt ++++ b/examples/helloworld/CMakeLists.txt +@@ -16,10 +16,10 @@ set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR}) + + #set edl name + set(EDL_FILE helloworld.edl) ++set(CODEGEN codegen) + + if(CC_GP) + set(CODETYPE trustzone) +- set(CODEGEN codegen_arm64) + execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID) + string(REPLACE "\n" "" UUID ${UUID}) + add_definitions(-DPATH="/data/${UUID}.sec") +@@ -27,7 +27,6 @@ endif() + + if(CC_SGX) + set(CODETYPE sgx) +- set(CODEGEN codegen_x86_64) + add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so") + endif() + +diff --git a/examples/seal_data/CMakeLists.txt b/examples/seal_data/CMakeLists.txt +index 20e2fd5..503fe0d 100644 +--- a/examples/seal_data/CMakeLists.txt ++++ b/examples/seal_data/CMakeLists.txt +@@ -17,10 +17,10 @@ set(CMAKE_C_STANDARD 99) + set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR}) + + set(EDL_FILE seal_data.edl) ++set(CODEGEN codegen) + + 
if(CC_GP) + set(CODETYPE trustzone) +- set(CODEGEN codegen_arm64) + execute_process(COMMAND uuidgen -r + OUTPUT_VARIABLE UUID) + string(REPLACE "\n" "" UUID ${UUID}) +@@ -29,7 +29,6 @@ endif() + + if(CC_SGX) + set(CODETYPE sgx) +- set(CODEGEN codegen_x86_64) + add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/seal_data.signed.so") + endif() + +diff --git a/tools/codegener/CMakeLists.txt b/tools/codegener/CMakeLists.txt +index 0f8b5af..e52d894 100644 +--- a/tools/codegener/CMakeLists.txt ++++ b/tools/codegener/CMakeLists.txt +@@ -18,13 +18,7 @@ if(NOT DUNE) + message(FATAL_ERROR "Please check your dune installation") + endif() + +-if(CC_SGX) +- set(code codegen_x86_64) +-endif() +- +-if(CC_GP) +- set(code codegen_arm64) +-endif() ++set(code codegen) + + ExternalProject_Add(codegen + SOURCE_DIR ${LOCAL_ROOT_PATH}/tools/codegener +-- +2.27.0 + diff --git a/0017-update-signtool-codegen.patch b/0020-rm-e-parameter-normalize-c-parameter.patch similarity index 56% rename from 0017-update-signtool-codegen.patch rename to 0020-rm-e-parameter-normalize-c-parameter.patch index 22693f0..a856e33 100644 --- a/0017-update-signtool-codegen.patch +++ b/0020-rm-e-parameter-normalize-c-parameter.patch @@ -1,75 +1,26 @@ -From ace83320ad722deae65672e9801b1e58c62f7a81 Mon Sep 17 00:00:00 2001 +From f7995d756490c966659976153630403ba9941c18 Mon Sep 17 00:00:00 2001 
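Review bot: The example in docs/codegener.md still invokes `$ codegen_arm64 --trustzone test.edl` even though the headings and the `--help` note in this hunk were renamed to `codegen` and the x86 example was dropped, so the one documented command no longer matches the binary name the patch introduces (presumably the `set(code codegen)` in tools/codegener/CMakeLists.txt is what gets built). The example line should read `$ codegen --trustzone test.edl`, and an sgx counterpart `$ codegen --sgx test.edl` is worth keeping since a single binary now serves both targets. Only the removed `OR`/sgx block was touched here; the arm64 line is unchanged context.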
From: yanlu -Date: Wed, 12 May 2021 10:44:12 +0800 -Subject: [PATCH] patch +Date: Mon, 12 Apr 2021 11:17:16 +0800 +Subject: [PATCH 03/14] rm -e parameter, normalize -c parameter --- - CMakeLists.txt | 2 +- - README.en.md | 21 ++++-------- - README.md | 15 +++------ - docs/build_install.md | 4 +++ - docs/codegener.md | 14 +++----- - docs/sign_tool.md | 14 ++++---- - examples/helloworld/CMakeLists.txt | 3 +- - examples/helloworld/enclave/CMakeLists.txt | 6 ++-- - examples/helloworld/host/main.c | 18 +++++++++- - examples/seal_data/CMakeLists.txt | 5 ++- - examples/seal_data/enclave/CMakeLists.txt | 7 ++-- - src/enclave_src/CMakeLists.txt | 2 +- - tools/codegener/CMakeLists.txt | 10 ++---- - tools/sign_tool/sign_tool.sh | 39 ++++++++-------------- - 14 files changed, 69 insertions(+), 91 deletions(-) + README.en.md | 12 ++---- + README.md | 10 ++--- + docs/sign_tool.md | 12 +++--- + examples/helloworld/enclave/CMakeLists.txt | 6 +-- + examples/seal_data/enclave/CMakeLists.txt | 7 +--- + .../enclave/rsa_public_key_cloud.pem | 11 ------ + .../sign_tool}/rsa_public_key_cloud.pem | 0 + tools/sign_tool/sign_tool.sh | 39 +++++++------------ + 8 files changed, 29 insertions(+), 68 deletions(-) + delete mode 100644 examples/seal_data/enclave/rsa_public_key_cloud.pem + rename {examples/helloworld/enclave => tools/sign_tool}/rsa_public_key_cloud.pem (100%) -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 98862a3..edb7d80 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -8,7 +8,7 @@ - # PURPOSE. - # See the Mulan PSL v2 for more details. - --cmake_minimum_required(VERSION 3.12 FATAL_ERROR) -+cmake_minimum_required(VERSION 3.10 FATAL_ERROR) - project(secGear C) - - set(CMAKE_C_STANDARD 99) diff --git a/README.en.md b/README.en.md -index fa47d03..aa8c4a8 100644 +index fa47d03..0acc4f8 100644 --- a/README.en.md 
+++ b/README.en.md -@@ -1,4 +1,4 @@ --secGear -+secGear - - secGear - ============================ -@@ -43,23 +43,22 @@ Then save as test.edl - - ### 2 Write the top-level CMakeLists.txt - -- cmake_minimum_required(VERSION 3.12 FATAL_ERROR) -+ cmake_minimum_required(VERSION 3.10 FATAL_ERROR) - project(TEST C) - set(CMAKE_C_STANDARD 99) - set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR}) - set(EDL_FILE test.edl) - set(LOCAL_ROOT_PATH "$ENV{CC_SDK}") - set(SECGEAR_INSTALL_PATH /lib64/) -+ set(CODEGEN codegen) - if(CC_GP) - set(CODETYPE trustzone) -- set(CODEGEN codegen_arm64) - execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID) - string(REPLACE "\n" "" UUID ${UUID}) - add_definitions(-DPATH="/data/${UUID}.sec") - endif() - if(CC_SGX) - set(CODETYPE sgx) -- set(CODEGEN codegen_x86_64) - add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so") - endif() - add_subdirectory(${CURRENT_ROOT_PATH}/enclave) -@@ -254,8 +253,6 @@ Set sign tool and the security side log printing level +@@ -254,8 +254,6 @@ Set sign tool and the security side log printing level if(CC_GP) #set signed output set(OUTPUT ${UUID}.sec) @@ -78,7 +29,7 @@ index fa47d03..aa8c4a8 100644 set(WHITE_LIST_0 /vendor/bin/helloworld) set(WHITE_LIST_1 /vendor/bin/secgear_test) -@@ -270,8 +267,7 @@ Set sign tool and the security side log printing level +@@ -270,8 +268,7 @@ Set sign tool and the security side log printing level WHITE_LIS_X sets the whitelist of itrustee, only the host binary of these paths can call this secure image, and up to 8 list paths can be configured. WHITE_LIST_OWNER set user, this user will be applied to all whitelist paths. @@ -88,7 +39,7 @@ index fa47d03..aa8c4a8 100644 generate auxiliary code. if(CC_SGX) -@@ -339,8 +335,8 @@ so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options was in +@@ -339,8 +336,8 @@ so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options was in add_custom_command(TARGET ${PREFIX} POST_BUILD 
@@ -99,7 +50,7 @@ index fa47d03..aa8c4a8 100644 install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT} DESTINATION /data -@@ -425,9 +421,6 @@ configuration file. For details, please refer to the official development docum +@@ -425,9 +422,6 @@ configuration file. For details, please refer to the official development docum Write itrustee related configuration files The gpd.ta.appID in the manifest.txt.in file is the uuid configuration item, which is dynamically generated, and the other configuration items can refer to the itrustee development document. @@ -109,44 +60,11 @@ index fa47d03..aa8c4a8 100644 ### 5 build and install test -@@ -509,5 +502,5 @@ secGear introduce the signing tool to sign the enclave. - - Milestone - --------- --secGear -+secGear - diff --git a/README.md b/README.md -index 54c32e3..a90450b 100644 +index 54c32e3..77bebd6 100644 --- a/README.md +++ b/README.md -@@ -35,23 +35,22 @@ SecGear则是面向计算产业的机密计算安全应用开发套件。旨在 - - ### 2 编写最外层CMakeLists.txt文件 - -- cmake_minimum_required(VERSION 3.12 FATAL_ERROR) -+ cmake_minimum_required(VERSION 3.10 FATAL_ERROR) - project(TEST C) - set(CMAKE_C_STANDARD 99) - set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR}) - set(EDL_FILE test.edl) - set(LOCAL_ROOT_PATH "$ENV{CC_SDK}") - set(SECGEAR_INSTALL_PATH /lib64/) -+ set(CODEGEN codegen) - if(CC_GP) - set(CODETYPE trustzone) -- set(CODEGEN codegen_arm64) - execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID) - string(REPLACE "\n" "" UUID ${UUID}) - add_definitions(-DPATH="/data/${UUID}.sec") - endif() - if(CC_SGX) - set(CODETYPE sgx) -- set(CODEGEN codegen_x86_64) - add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so") - endif() - add_subdirectory(${CURRENT_ROOT_PATH}/enclave) -@@ -236,8 +235,6 @@ test_t.h:该头文件为自动生成代码工具codegen通过edl文件生成 +@@ -236,8 +236,6 @@ test_t.h:该头文件为自动生成代码工具codegen通过edl文件生成 if(CC_GP) #set signed output set(OUTPUT ${UUID}.sec) 
@@ -155,7 +73,7 @@ index 54c32e3..a90450b 100644 set(WHITE_LIST_0 /vendor/bin/helloworld) set(WHITE_LIST_1 /vendor/bin/secgear_test) -@@ -252,7 +249,6 @@ test_t.h:该头文件为自动生成代码工具codegen通过edl文件生成 +@@ -252,7 +250,6 @@ test_t.h:该头文件为自动生成代码工具codegen通过edl文件生成 WHITE_LIST_x:为设置iTrustee的二进制白名单,只有这里定义的白名单,在非安全侧的二进制才可以调用安全侧的动态库。上限为8个。 WHITE_LIST_OWNER:为设置运行二进制的用户,只有该用户才可以调用安全侧动态库。 @@ -163,7 +81,7 @@ index 54c32e3..a90450b 100644 AUTO_FILES:由edl文件生成的安全侧二进制文件 if(CC_SGX) -@@ -319,8 +315,8 @@ AUTO_FILES:由edl文件生成的安全侧二进制文件 +@@ -319,8 +316,8 @@ AUTO_FILES:由edl文件生成的安全侧二进制文件 add_custom_command(TARGET ${PREFIX} POST_BUILD @@ -174,7 +92,7 @@ index 54c32e3..a90450b 100644 install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT} DESTINATION /data -@@ -391,7 +387,6 @@ itrustee需要链接secgear_tee动态库,提供seal接口等。 +@@ -391,7 +388,6 @@ itrustee需要链接secgear_tee动态库,提供seal接口等。 编写itrustee enclave相关配置文件 mainfest.txt.in:其中gpd.ta.appID 为动态生成uuid。其他配置参见itrustee开发文档。 
@@ -182,75 +100,15 @@ index 54c32e3..a90450b 100644 #### 5 构建 安装 -@@ -451,4 +446,4 @@ secGear引入EDL(Enclave Description Language)和中间代码辅助生成工具c - - 里程碑 - --------- --secGear -\ No newline at end of file -+secGear -diff --git a/docs/build_install.md b/docs/build_install.md -index 482e8c2..760ceaa 100644 ---- a/docs/build_install.md -+++ b/docs/build_install.md -@@ -13,6 +13,10 @@ openEuler x86 - 3. source environment && mkdir debug && cd debug - && cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=ON -DSGXSDK="sgx_sdk path" .. && make && sudo make install - -+4. To run example tls_enclave, refer to https://gitee.com/src-openeuler/intel-sgx-ssl -+ download and install intel-sgx-ssl firstly. -+ source environment && mkdir debug && cd debug && cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=ON -DSGXSDK="sgx_sdk path" -+ && -DENCLAVE_SSL="sgxssl path" .. && make && sudo make install - - openEuler arm - -diff --git a/docs/codegener.md b/docs/codegener.md -index cc20013..85fc6a0 100644 ---- a/docs/codegener.md -+++ b/docs/codegener.md -@@ -1,19 +1,15 @@ --# Getting started with the codegen_x86_64/codegen_arm64 -+# Getting started with the codegen - --The codegen_x86_64/codegen_arm64 helps to define these special functions through the `edl` files and assist user to using enclave. -+The codegen helps to define these special functions through the `edl` files and assist user to using enclave. - --## The codegen_x86_64/codegen_arm64 -+## The codegen - --The codegen_x86_64/codegen_arm64 is based on the 'edger8r' tool in SGX SDK. -+The codegen is based on the 'edger8r' tool in SGX SDK. - - For example - ``` - $ codegen_arm64 --trustzone test.edl - ``` --OR --``` --$ codegen_x86_64 --sgx test.edl --``` --**Note**: using the `codegen_x86_64/codegen_arm64 --help` to get more details. -+**Note**: using the `codegen --help` to get more details. - - ## EDL format - - For SGX(x86) diff --git a/docs/sign_tool.md b/docs/sign_tool.md -index 3a49d5b..ccaa2e6 100644 +index 26805bd..ccaa2e6 100644 
--- a/docs/sign_tool.md +++ b/docs/sign_tool.md -@@ -4,7 +4,7 @@ The sign_tool.sh helps to sign the enclave. - - ## The sign_tool.sh - --The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'sign_too.py' for signing the trustzone enclave. -+The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'sign_tool.py' for signing the trustzone enclave. - - The tool supports the following two modes: - @@ -13,36 +13,34 @@ The tool supports the following two modes: For example: -- `$ ./signtool.sh –d sign –x trustzone –i test.enclave -m manifest.txt –e device_pubkey.pem –o signed.enclave ` +- `$ ./sign_tool.sh –d sign –x trustzone –i test.enclave -m manifest.txt –e device_pubkey.pem –o signed.enclave ` + `$ ./sign_tool.sh –d sign –x trustzone –i test.enclave -c manifest.txt –o signed.enclave ` @@ -258,7 +116,7 @@ index 3a49d5b..ccaa2e6 100644 For example: (1) generate the digest value. -- `$ ./signtool.sh –d digest –x trustzone –i input -m manifest.txt –e device_pubkey.pem –o digest.data ` +- `$ ./sign_tool.sh –d digest –x trustzone –i input -m manifest.txt –e device_pubkey.pem –o digest.data ` + `$ ./sign_tool.sh –d digest –x trustzone –i input -c manifest.txt –o digest.data ` For trustzone, temporary files KeyInfo.enc, rawData.enc, and rawDataHash.bin are generated in the current directory. And for sgx, a temporary file signdata is generated in the current directory. The temporary file is required when generating the signed enclave in step 3 and is deleted after the signed enclave is generated. 
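Review bot: The three command examples rewritten on the new side of this hunk mix U+2013 en dashes with ASCII hyphens: in `–d sign –x trustzone –i test.enclave -c manifest.txt –o signed.enclave` the `–d`, `–x`, `–i` and `–o` are en dashes while the newly written `-c` is a real hyphen. A shell option parser treats `–d` as an ordinary word rather than the `-d` option, so the single-step, digest and signing commands fail when copied as documented. Replace each `–` before an option letter with `-` in these example lines; the same dashes are in the 0018 hunk earlier in this file, which renamed `signtool.sh` to `sign_tool.sh` but kept them.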
@@ -266,7 +124,7 @@ index 3a49d5b..ccaa2e6 100644 (2) send the digest.data to the signing organization or platform and get the signature. (3) use the signature to generate the signed enclave. -- `$ ./signtool.sh –d sign –x trustzone –i input -m manifest.txt –p pub.pem –e device_pubkey.pem –s signature –o signed.enclave ` +- `$ ./sign_tool.sh –d sign –x trustzone –i input -m manifest.txt –p pub.pem –e device_pubkey.pem –s signature –o signed.enclave ` + `$ ./sign_tool.sh –d sign –x trustzone –i input -c manifest.txt –p pub.pem –s signature –o signed.enclave ` ## sign_tool.sh parameter @@ -288,30 +146,6 @@ index 3a49d5b..ccaa2e6 100644 -o output parameters, the sign command outputs sigend enclave, the digest command outputs digest value. -p signing server public key certificate, required for two-step method. -s the signed digest value required for two-step method, this parameter is empty to indicate single-step method. -diff --git a/examples/helloworld/CMakeLists.txt b/examples/helloworld/CMakeLists.txt -index a758f1c..5da2a6b 100644 ---- a/examples/helloworld/CMakeLists.txt -+++ b/examples/helloworld/CMakeLists.txt -@@ -16,10 +16,10 @@ set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR}) - - #set edl name - set(EDL_FILE helloworld.edl) -+set(CODEGEN codegen) - - if(CC_GP) - set(CODETYPE trustzone) -- set(CODEGEN codegen_arm64) - execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID) - string(REPLACE "\n" "" UUID ${UUID}) - add_definitions(-DPATH="/data/${UUID}.sec") -@@ -27,7 +27,6 @@ endif() - - if(CC_SGX) - set(CODETYPE sgx) -- set(CODEGEN codegen_x86_64) - add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so") - endif() - diff --git a/examples/helloworld/enclave/CMakeLists.txt b/examples/helloworld/enclave/CMakeLists.txt index c1638f8..0aefdae 100644 --- a/examples/helloworld/enclave/CMakeLists.txt 
@@ -336,75 +170,6 @@ index c1638f8..0aefdae 100644 install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT} DESTINATION /data -diff --git a/examples/helloworld/host/main.c b/examples/helloworld/host/main.c -index e4c4ec4..51993ce 100644 ---- a/examples/helloworld/host/main.c -+++ b/examples/helloworld/host/main.c -@@ -11,6 +11,8 @@ - */ - - #include -+#include -+#include - #include "enclave.h" - #include "helloworld_u.h" - -@@ -26,7 +28,21 @@ int main() - - printf("Create secgear enclave\n"); - -- res = cc_enclave_create(path, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context); -+ char real_p[PATH_MAX]; -+ /* check file exists, if not exist then use absolute path */ -+ if (realpath(path, real_p) == NULL) { -+ if (getcwd(real_p, sizeof(real_p)) == NULL) { -+ printf("Cannot find enclave.sign.so"); -+ return -1; -+ } -+ if (PATH_MAX - strlen(real_p) <= strlen("/enclave.signed.so")) { -+ printf("Failed to strcat enclave.sign.so path"); -+ return -1; -+ } -+ (void)strcat(real_p, "/enclave.signed.so"); -+ } -+ -+ res = cc_enclave_create(real_p, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context); - if (res != CC_SUCCESS) { - printf("Create enclave error\n"); - return res; -diff --git a/examples/seal_data/CMakeLists.txt b/examples/seal_data/CMakeLists.txt -index 20e2fd5..3577301 100644 ---- a/examples/seal_data/CMakeLists.txt -+++ b/examples/seal_data/CMakeLists.txt -@@ -8,7 +8,7 @@ - # PURPOSE. - # See the Mulan PSL v2 for more details. 
- --cmake_minimum_required(VERSION 3.12) -+cmake_minimum_required(VERSION 3.10) - - project(SealData C) - -@@ -17,10 +17,10 @@ set(CMAKE_C_STANDARD 99) - set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR}) - - set(EDL_FILE seal_data.edl) -+set(CODEGEN codegen) - - if(CC_GP) - set(CODETYPE trustzone) -- set(CODEGEN codegen_arm64) - execute_process(COMMAND uuidgen -r - OUTPUT_VARIABLE UUID) - string(REPLACE "\n" "" UUID ${UUID}) -@@ -29,7 +29,6 @@ endif() - - if(CC_SGX) - set(CODETYPE sgx) -- set(CODEGEN codegen_x86_64) - add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/seal_data.signed.so") - endif() - diff --git a/examples/seal_data/enclave/CMakeLists.txt b/examples/seal_data/enclave/CMakeLists.txt index 20851bd..0ddcbd5 100644 --- a/examples/seal_data/enclave/CMakeLists.txt 
@@ -430,47 +195,27 @@ index 20851bd..0ddcbd5 100644 install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT} DESTINATION /data -diff --git a/src/enclave_src/CMakeLists.txt b/src/enclave_src/CMakeLists.txt -index cb09b5c..66a36ea 100644 ---- a/src/enclave_src/CMakeLists.txt -+++ b/src/enclave_src/CMakeLists.txt -@@ -8,7 +8,7 @@ - # PURPOSE. - # See the Mulan PSL v2 for more details. - --project(secgear_tee) -+project(secgear_tee C) - - set(target_lib secgear_tee) - set(LIBRARY_INSTALL /lib64) -diff --git a/tools/codegener/CMakeLists.txt b/tools/codegener/CMakeLists.txt -index c5fd618..e52d894 100644 ---- a/tools/codegener/CMakeLists.txt -+++ b/tools/codegener/CMakeLists.txt -@@ -10,7 +10,7 @@ - - include(ExternalProject) - --project(CodeGen) -+project(CodeGen C) - - find_program(DUNE dune) - -@@ -18,13 +18,7 @@ if(NOT DUNE) - message(FATAL_ERROR "Please check your dune installation") - endif() - --if(CC_SGX) -- set(code codegen_x86_64) --endif() -- --if(CC_GP) -- set(code codegen_arm64) --endif() -+set(code codegen) - - ExternalProject_Add(codegen - SOURCE_DIR ${LOCAL_ROOT_PATH}/tools/codegener +diff --git a/examples/seal_data/enclave/rsa_public_key_cloud.pem b/examples/seal_data/enclave/rsa_public_key_cloud.pem +deleted file mode 100644 +index a321f63..0000000 +--- a/examples/seal_data/enclave/rsa_public_key_cloud.pem ++++ /dev/null +@@ -1,11 +0,0 @@ +------BEGIN PUBLIC KEY----- +-MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAzAPwbnbgBg7JgXERA9Bx +-p7GLI1S3e1zL83RMd2+GXb6kO4yMKUL3NUCE2HhA2BtQYmLyGovx59UUcKnU58is +-Xux++kH+A2shmOPjYvEFuX0Kt8tc19b8M9b/iHsY8ZmKykqia2a5U+IrECRFJo5p +-DWUnl7jrHVtq78BSR1c7iXG1frrEC0AYCuqKJo/fxfmOKL0Y9mENCB3nAwjn9unD +-BsO/OhkqvvB3nkeuMfNKPh4wCqtQPve13eTojbuxjX/3ePijplTI5X2Gr+n6Ximn +-fYRlytQmMgMl/db0ARSKNApq9bmwzVNrnGWWZWJksdRvf6iL7t17Gs4L9AApOuC9 +-WkzxPvwp5ZUqjsGd4oJGWeC6ZE6BTw2vxE+xMFI9uAKHxq9pBKkcGMa0g4fANNNV +-+W+8JZGanxEXKB3y/M7BCyQAPCWOHC/RNjmRA1gczLYCPzC4pWu935UZdF1RR6zY +-CD3t+FoOGGET/g4CwWgyhb5qkp65Hs6ayYt/DUAqo+yBAgMBAAE= 
+------END PUBLIC KEY----- +diff --git a/examples/helloworld/enclave/rsa_public_key_cloud.pem b/tools/sign_tool/rsa_public_key_cloud.pem +similarity index 100% +rename from examples/helloworld/enclave/rsa_public_key_cloud.pem +rename to tools/sign_tool/rsa_public_key_cloud.pem diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh index 8f2189c..212db5d 100755 --- a/tools/sign_tool/sign_tool.sh diff --git a/0021-example-use-absolute-path-to-find-enclave.sign.so.patch b/0021-example-use-absolute-path-to-find-enclave.sign.so.patch new file mode 100644 index 0000000..6ed1a91 --- /dev/null +++ b/0021-example-use-absolute-path-to-find-enclave.sign.so.patch 
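Review bot: The new side of this hunk moves examples/helloworld/enclave/rsa_public_key_cloud.pem to tools/sign_tool/rsa_public_key_cloud.pem and deletes the seal_data copy, while the sign_tool.md hunks earlier in this file drop the `–e device_pubkey.pem` option, so the public key used for the trustzone signing flow is now fixed by what the tool ships rather than chosen per invocation. Nothing in the visible text says which platform this bundled key belongs to, how a user targeting a different device replaces it, or how its authenticity is checked. sign_tool.md should state the key's origin and the file to swap, e.g. `The trustzone flow uses tools/sign_tool/rsa_public_key_cloud.pem as the device public key; replace this file when targeting another device.` The sign_tool.sh hunk that consumes the key (`--- a/tools/sign_tool/sign_tool.sh`) is cut off at the end of this hunk, so how the key is used could not be confirmed here.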
@@ -0,0 +1,49 @@
+From 19d48667d6220aaa150f052e66a1847e3ba8f8d4 Mon Sep 17 00:00:00 2001
+From: Li Feng
+Date: Tue, 13 Apr 2021 06:40:43 +0000
+Subject: [PATCH 04/14] example: use absolute path to find enclave.sign.so
+
+Signed-off-by: Li Feng
+---
+ examples/helloworld/host/main.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/examples/helloworld/host/main.c b/examples/helloworld/host/main.c
+index e4c4ec4..51993ce 100644
+--- a/examples/helloworld/host/main.c
++++ b/examples/helloworld/host/main.c
+@@ -11,6 +11,8 @@
+ */
+
+ #include
++#include
++#include
+ #include "enclave.h"
+ #include "helloworld_u.h"
+
+@@ -26,7 +28,21 @@ int main()
+
+ printf("Create secgear enclave\n");
+
+- res = cc_enclave_create(path, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context);
++ char real_p[PATH_MAX];
++ /* check file exists, if not exist then use absolute path */
++ if (realpath(path, real_p) == NULL) {
++ if (getcwd(real_p, sizeof(real_p)) == NULL) {
++ printf("Cannot find enclave.sign.so");
++ return -1;
++ }
++ if (PATH_MAX - strlen(real_p) <= strlen("/enclave.signed.so")) {
++ printf("Failed to strcat enclave.sign.so path");
++ return -1;
++ }
++ (void)strcat(real_p, "/enclave.signed.so");
++ }
++
++ res = cc_enclave_create(real_p, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context);
+ if (res != CC_SUCCESS) {
+ printf("Create enclave error\n");
+ return res;
+--
+2.27.0
+
diff --git a/0022-add-example-of-using-sgxssl-lib.patch b/0022-add-example-of-using-sgxssl-lib.patch
new file mode 100644
index 0000000..fd84a9d
--- /dev/null
+++ b/0022-add-example-of-using-sgxssl-lib.patch
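Review bot: The two failure messages added in main() name a file that is never used: they print `enclave.sign.so` while the path actually appended is `/enclave.signed.so`, and neither message ends in `\n`, so it runs into whatever is printed next. Suggested: `printf("Cannot find enclave.signed.so\n");` and `printf("Failed to build enclave.signed.so path\n");`. Separately, when `realpath(path, real_p)` fails the host silently falls back to `<cwd>/enclave.signed.so`; printing `real_p` before `cc_enclave_create` would make it evident which enclave image was loaded, which matters when diagnosing a wrong or stale image. The length check `PATH_MAX - strlen(real_p) <= strlen("/enclave.signed.so")` does leave room for the terminator. main() continues past the end of the inner hunk, and the added `#include` lines have lost their header names in this copy of the patch.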
@@ -0,0 +1,942 @@ +From 607634479a08e5150482990343c19e2e45efc583 Mon Sep 17 00:00:00 2001 +From: yanlu +Date: Fri, 19 Feb 2021 11:09:51 +0800 +Subject: [PATCH 05/14] add example of using sgxssl lib + +--- + CMakeLists.txt | 1 + + docs/build_install.md | 4 + + examples/tls_enclave/CMakeLists.txt | 30 +++ + examples/tls_enclave/client/CMakeLists.txt | 38 +++ + examples/tls_enclave/client/tls_client.c | 100 +++++++ + examples/tls_enclave/enclave/CMakeLists.txt | 96 +++++++ + .../tls_enclave/enclave/Enclave.config.xml | 12 + + examples/tls_enclave/enclave/Enclave.lds | 11 + + examples/tls_enclave/enclave/enclave_server.c | 249 ++++++++++++++++++ + examples/tls_enclave/host/CMakeLists.txt | 56 ++++ + examples/tls_enclave/host/main.c | 179 +++++++++++++ + examples/tls_enclave/tls_enclave.edl | 26 ++ + examples/tls_enclave/tls_enclave.md | 17 ++ + 13 files changed, 819 insertions(+) + create mode 100644 examples/tls_enclave/CMakeLists.txt + create mode 100644 examples/tls_enclave/client/CMakeLists.txt + create mode 100644 examples/tls_enclave/client/tls_client.c + create mode 100644 examples/tls_enclave/enclave/CMakeLists.txt + create mode 100644 examples/tls_enclave/enclave/Enclave.config.xml + create mode 100644 examples/tls_enclave/enclave/Enclave.lds + create mode 100644 examples/tls_enclave/enclave/enclave_server.c + create mode 100644 examples/tls_enclave/host/CMakeLists.txt + create mode 100644 examples/tls_enclave/host/main.c + create mode 100644 examples/tls_enclave/tls_enclave.edl + create mode 100644 examples/tls_enclave/tls_enclave.md + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 98862a3..1653287 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -57,6 +57,7 @@ endif() + if(CC_SGX) + add_subdirectory(${LOCAL_ROOT_PATH}/examples/helloworld) + add_subdirectory(${LOCAL_ROOT_PATH}/examples/seal_data) ++ add_subdirectory(${LOCAL_ROOT_PATH}/examples/tls_enclave) + endif() + + install(FILES ${LOCAL_ROOT_PATH}/conf/logrotate.d/secgear +diff --git 
a/docs/build_install.md b/docs/build_install.md +index 9ba1adb..636df90 100644 +--- a/docs/build_install.md ++++ b/docs/build_install.md +@@ -13,6 +13,10 @@ openEuler x86 + 3. source environment && mkdir debug && cd debug + && cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=ON -DSGXSDK="sgx_sdk path" .. && make && sudo make install + ++4. To run example tls_enclave, refer to https://gitee.com/src-openeuler/intel-sgx-ssl ++ download and install intel-sgx-ssl firstly. ++ source environment && mkdir debug && cd debug && cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=ON -DSGXSDK="sgx_sdk path" ++ && -DENCLAVE_SSL="sgxssl path" .. && make && sudo make install + + openEuler arm + +diff --git a/examples/tls_enclave/CMakeLists.txt b/examples/tls_enclave/CMakeLists.txt +new file mode 100644 +index 0000000..5b1693a +--- /dev/null ++++ b/examples/tls_enclave/CMakeLists.txt +@@ -0,0 +1,30 @@ ++# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++# secGear is licensed under the Mulan PSL v2. ++# You can use this software according to the terms and conditions of the Mulan PSL v2. ++# You may obtain a copy of Mulan PSL v2 at: ++# http://license.coscl.org.cn/MulanPSL2 ++# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++# PURPOSE. ++# See the Mulan PSL v2 for more details. 
++ ++project(TlsEnclave C) ++ ++set(CMAKE_C_STANDARD 99) ++ ++set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR}) ++ ++#set edl name ++set(EDL_FILE tls_enclave.edl) ++#set auto code prefix ++set(PREFIX tls_enclave) ++set(CODEGEN codegen) ++ ++if(CC_SGX) ++ set(CODETYPE sgx) ++ add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so") ++endif() ++ ++add_subdirectory(${CURRENT_ROOT_PATH}/enclave) ++add_subdirectory(${CURRENT_ROOT_PATH}/host) ++add_subdirectory(${CURRENT_ROOT_PATH}/client) +diff --git a/examples/tls_enclave/client/CMakeLists.txt b/examples/tls_enclave/client/CMakeLists.txt +new file mode 100644 +index 0000000..a83b5e3 +--- /dev/null ++++ b/examples/tls_enclave/client/CMakeLists.txt +@@ -0,0 +1,38 @@ ++# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++# secGear is licensed under the Mulan PSL v2. ++# You can use this software according to the terms and conditions of the Mulan PSL v2. ++# You may obtain a copy of Mulan PSL v2 at: ++# http://license.coscl.org.cn/MulanPSL2 ++# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++# PURPOSE. ++# See the Mulan PSL v2 for more details. 
++ ++set(OUTPUT tls_client) ++set(SOURCE_FILE ${CMAKE_CURRENT_SOURCE_DIR}/tls_client.c) ++ ++set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIE") ++set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s") ++ ++if(${CMAKE_VERSION} VERSION_LESS "3.13.0") ++ link_directories(${CMAKE_LIBRARY_OUTPUT_DIRECTORY}) ++endif() ++ ++add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES}) ++ ++if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0") ++ target_link_directories(${OUTPUT} PRIVATE ++ ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}) ++endif() ++ ++target_link_libraries(${OUTPUT} ssl crypto) ++ ++set_target_properties(${OUTPUT} PROPERTIES SKIP_BUILD_RPATH TRUE) ++ ++if(CC_SGX) ++ install(TARGETS ${OUTPUT} ++ RUNTIME ++ DESTINATION ${CMAKE_BINARY_DIR}/bin/ ++ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ) ++endif() ++ +diff --git a/examples/tls_enclave/client/tls_client.c b/examples/tls_enclave/client/tls_client.c +new file mode 100644 +index 0000000..e05425b +--- /dev/null ++++ b/examples/tls_enclave/client/tls_client.c +@@ -0,0 +1,100 @@ ++/* ++ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++ * secGear is licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. 
++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "openssl/evp.h" ++#include "openssl/x509.h" ++#include "openssl/pem.h" ++#include "openssl/ssl.h" ++ ++#define BUF_LEN 1024 ++ ++int main(int argc, const char *argv[]) ++{ ++ struct sockaddr_in client_addr; ++ int fd = 0; ++ const SSL_METHOD *meth = NULL; ++ SSL_CTX *ctx = NULL; ++ SSL *ssl = NULL; ++ char buf[BUF_LEN] = {0}; ++ int ret = -1; ++ ++ if (argc != 3) { ++ printf("usage: %s port ca_file\n", argv[0]); ++ return -1; ++ } ++ ++ SSL_load_error_strings(); ++ SSLeay_add_ssl_algorithms(); ++ meth = TLS_method(); ++ if (meth == NULL) { ++ return -1; ++ } ++ ctx = SSL_CTX_new(meth); ++ if (ctx == NULL) { ++ return -1; ++ } ++ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); ++ if (SSL_CTX_load_verify_locations(ctx, argv[2], NULL) <= 0) { ++ goto end; ++ } ++ memset(&client_addr, 0, sizeof(client_addr)); ++ client_addr.sin_family = AF_INET; ++ client_addr.sin_port = htons(atoi(argv[1])); ++ client_addr.sin_addr.s_addr = inet_addr("127.0.0.1"); ++ fd = socket(AF_INET, SOCK_STREAM, 0); ++ if (fd < 0) { ++ goto end; ++ } ++ ret = connect(fd, (struct sockaddr *)&client_addr, sizeof(client_addr)); ++ if (ret < 0) { ++ goto end; ++ } ++ ssl = SSL_new(ctx); ++ if (ssl == NULL) { ++ goto end; ++ } ++ SSL_set_fd(ssl, fd); ++ if (SSL_connect(ssl) <= 0) { ++ goto end; ++ } ++ if (SSL_write(ssl, "hello enclave!", sizeof("hello enclave!")) <= 0) { ++ goto end; ++ } ++ printf("send data: %s\n", "hello enclave!"); ++ if (SSL_read(ssl, buf, BUF_LEN - 1) <= 0) { ++ goto end; ++ } ++ printf("receive data: %s\n", buf); ++ ret = 0; ++ ++end: ++ if (ssl != NULL) { ++ SSL_shutdown(ssl); ++ SSL_free(ssl); ++ } ++ if (ctx != NULL) { ++ SSL_CTX_free(ctx); ++ } ++ if (fd > 0) { ++ close(fd); ++ } ++ return ret; ++} +diff --git a/examples/tls_enclave/enclave/CMakeLists.txt b/examples/tls_enclave/enclave/CMakeLists.txt +new file mode 100644 +index 0000000..5002e1b +--- 
/dev/null ++++ b/examples/tls_enclave/enclave/CMakeLists.txt +@@ -0,0 +1,96 @@ ++# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++# secGear is licensed under the Mulan PSL v2. ++# You can use this software according to the terms and conditions of the Mulan PSL v2. ++# You may obtain a copy of Mulan PSL v2 at: ++# http://license.coscl.org.cn/MulanPSL2 ++# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++# PURPOSE. ++# See the Mulan PSL v2 for more details. ++ ++#set sign key ++set(PEM Enclave_private.pem) ++ ++#set sign tool ++set(SIGN_TOOL ${LOCAL_ROOT_PATH}/tools/sign_tool/sign_tool.sh) ++ ++#set enclave src code ++set(SOURCE_FILES ${CMAKE_CURRENT_SOURCE_DIR}/enclave_server.c) ++ ++#set log level ++set(PRINT_LEVEL 3) ++add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL}) ++ ++if(NOT IS_DIRECTORY ${ENCLAVE_SSL}) ++ message(FATAL_ERROR "Please provide the correct ENCLAVE_SSL path") ++endif() ++ ++if(CC_SGX) ++ #set signed output ++ set(OUTPUT enclave.signed.so) ++ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c) ++ add_custom_command(OUTPUT ${AUTO_FILES} ++ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE} ++ COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include --search-path ${ENCLAVE_SSL}/include) ++endif() ++ ++set(COMMON_C_FLAGS "-W -Wall -Werror -fno-short-enums -fno-omit-frame-pointer -fstack-protector \ ++ -Wstack-protector --param ssp-buffer-size=4 -frecord-gcc-switches -Wextra -nostdinc -nodefaultlibs \ ++ -fno-peephole -fno-peephole2 -Wno-main -Wno-error=unused-parameter \ ++ -Wno-error=unused-but-set-variable -Wno-error=format-truncation=") ++ ++set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs 
-nostartfiles") ++ ++if(CC_SGX) ++ set(SGX_MODE HW) ++ set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -m64 -fvisibility=hidden -include${ENCLAVE_SSL}/include/tsgxsslio.h") ++ set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s") ++ ++ if(${SGX_MODE} STREQUAL HW) ++ set(Trts_Library_Name sgx_trts) ++ set(Service_Library_Name sgx_tservice) ++ else() ++ set(Trts_Library_Name sgx_trts_sim) ++ set(Service_Library_Name sgx_tservice_sim) ++ endif() ++ ++ set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-z,defs -Wl,-pie -Bstatic -Bsymbolic -eenclave_entry \ ++ -Wl,--export-dynamic -Wl,--defsym,__ImageBase=0 -Wl,--gc-sections -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/Enclave.lds") ++ ++ if(${CMAKE_VERSION} VERSION_LESS "3.13.0") ++ link_directories(${ENCLAVE_SSL}/lib64 ++ ${SGXSDK}/lib64 ++ ${CMAKE_BINARY_DIR}/lib) ++ endif() ++ ++ add_library(${PREFIX} SHARED ${SOURCE_FILES} ${AUTO_FILES}) ++ ++ target_include_directories(${PREFIX} PRIVATE ++ ${CMAKE_CURRENT_BINARY_DIR} ++ ${SGXSDK}/include/tlibc ++ ${SGXSDK}/include/libcxx ++ ${SGXSDK}/include ++ ${ENCLAVE_SSL}/include ++ ${LOCAL_ROOT_PATH}/inc/host_inc ++ ${LOCAL_ROOT_PATH}/inc/host_inc/sgx ++ ${LOCAL_ROOT_PATH}/inc/enclave_inc ++ ${LOCAL_ROOT_PATH}/inc/enclave_inc/sgx ++ ) ++ ++ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0") ++ target_link_directories(${PREFIX} PRIVATE ++ ${ENCLAVE_SSL}/lib64 ++ ${SGXSDK}/lib64 ++ ${CMAKE_BINARY_DIR}/lib) ++ endif() ++ ++ target_link_libraries(${PREFIX} -lsecgear_tee -Wl,--whole-archive ${Trts_Library_Name} -lsgx_tsgxssl -Wl,--no-whole-archive -Wl,--start-group -lsgx_tsgxssl_ssl -lsgx_tsgxssl_crypto -lsgx_tstdc -lsgx_tcxx -lsgx_tcrypto -lsgx_pthread -l${Service_Library_Name} -Wl,--end-group) ++ ++ add_custom_command(TARGET ${PREFIX} ++ POST_BUILD ++ COMMAND umask 0177 ++ COMMAND openssl genrsa -3 -out ${PEM} 3072 ++ COMMAND bash ${SIGN_TOOL} -d sign -x sgx -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -k ${PEM} -o ${OUTPUT} -c ${CMAKE_CURRENT_SOURCE_DIR}/Enclave.config.xml) 
++endif() ++ ++set_target_properties(${PREFIX} PROPERTIES SKIP_BUILD_RPATH TRUE) +diff --git a/examples/tls_enclave/enclave/Enclave.config.xml b/examples/tls_enclave/enclave/Enclave.config.xml +new file mode 100644 +index 0000000..e94c9bc +--- /dev/null ++++ b/examples/tls_enclave/enclave/Enclave.config.xml +@@ -0,0 +1,12 @@ ++ ++ 0 ++ 0 ++ 0x40000 ++ 0x100000 ++ 10 ++ 1 ++ ++ 0 ++ 0 ++ 0xFFFFFFFF ++ +diff --git a/examples/tls_enclave/enclave/Enclave.lds b/examples/tls_enclave/enclave/Enclave.lds +new file mode 100644 +index 0000000..ab77e64 +--- /dev/null ++++ b/examples/tls_enclave/enclave/Enclave.lds +@@ -0,0 +1,11 @@ ++enclave.so ++{ ++ global: ++ g_global_data_sim; ++ g_global_data; ++ enclave_entry; ++ g_peak_heap_used; ++ local: ++ *; ++}; ++ +diff --git a/examples/tls_enclave/enclave/enclave_server.c b/examples/tls_enclave/enclave/enclave_server.c +new file mode 100644 +index 0000000..848eb9c +--- /dev/null ++++ b/examples/tls_enclave/enclave/enclave_server.c +@@ -0,0 +1,249 @@ ++/* ++ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++ * secGear is licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. 
++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "tls_enclave_t.h" ++#include "status.h" ++#include "secgear_dataseal.h" ++ ++#define BUF_SIZE 1024 ++#define MAX_ENC_KEY_LEN 4096 ++#define ADD_DATA_RAW "add mac text" ++ ++size_t seal_key(const char *file_name, size_t file_name_len, char *password, size_t pw_len, ++ char *enc_buf, size_t enc_buf_len) ++{ ++ BIO *r_key = NULL; ++ BIO *r_prikey = NULL; ++ RSA *rsa_key = NULL; ++ uint8_t *buf = NULL; ++ uint32_t buf_len, sealed_data_len; ++ int res = 0; ++ int retval = CC_FAIL; ++ ++ if (file_name == NULL || file_name_len == 0 || password == NULL || pw_len == 0 || enc_buf == NULL) { ++ return 0; ++ } ++ r_key = BIO_new_file(file_name, "r"); ++ if (r_key == NULL) { ++ goto end; ++ }; ++ rsa_key = PEM_read_bio_RSAPrivateKey(r_key, NULL, NULL, password); ++ if (rsa_key == NULL) { ++ goto end; ++ }; ++ r_prikey = BIO_new(BIO_s_mem()); ++ if (r_prikey == NULL) { ++ goto end; ++ } ++ if (!PEM_write_bio_RSAPrivateKey(r_prikey, rsa_key, NULL, NULL, 0, NULL, NULL)) { ++ goto end; ++ } ++ buf_len = BIO_ctrl_pending(r_prikey); ++ if (buf_len == 0) { ++ goto end; ++ } ++ buf = (uint8_t *)malloc(buf_len); ++ if (buf == NULL) { ++ goto end; ++ } ++ if ((size_t)BIO_read(r_prikey, buf, buf_len) != buf_len) { ++ goto end; ++ } ++ sealed_data_len = cc_enclave_get_sealed_data_size(buf_len, strlen((const char *)ADD_DATA_RAW)); ++ if (sealed_data_len == UINT32_MAX || enc_buf_len < sealed_data_len) { ++ goto end; ++ } ++ retval = cc_enclave_seal_data((uint8_t *)buf, buf_len, (cc_enclave_sealed_data_t *)enc_buf, enc_buf_len, ++ (uint8_t*)ADD_DATA_RAW, strlen((const char*)ADD_DATA_RAW)); ++ if (retval != CC_SUCCESS) { ++ goto end; ++ } ++ res = sealed_data_len; ++ ++end: ++ BIO_free(r_key); ++ BIO_free(r_prikey); ++ RSA_free(rsa_key); ++ if (buf != NULL) { ++ memset(buf, 0, buf_len); ++ free(buf); ++ }; ++ memset(password, 0, pw_len); ++ return res; ++} ++ ++int unseal_enc_data(char **data_p, 
size_t *data_len_p, const char *enc_data) ++{ ++ char *add_data = NULL; ++ char *data = NULL; ++ size_t add_len = 0; ++ size_t data_len = 0; ++ int retval = CC_FAIL; ++ ++ add_len = cc_enclave_get_add_text_size((const cc_enclave_sealed_data_t *)enc_data); ++ data_len = cc_enclave_get_encrypted_text_size((const cc_enclave_sealed_data_t *)enc_data); ++ if (data_len == 0 || add_len != strlen((const char*)ADD_DATA_RAW)) { ++ return CC_FAIL; ++ } ++ data = malloc(data_len); ++ add_data = malloc(add_len); ++ if (data == NULL || add_data == NULL) { ++ goto end; ++ } ++ memset(data, 0, data_len); ++ retval = cc_enclave_unseal_data((cc_enclave_sealed_data_t *)enc_data, (uint8_t *)data, (uint32_t *)&data_len, ++ (uint8_t *)add_data, (uint32_t *)&add_len); ++ if (retval != CC_SUCCESS) { ++ goto end; ++ } ++ if (strncmp((const char *)add_data, (const char*)ADD_DATA_RAW, strlen((const char*)ADD_DATA_RAW)) != 0) { ++ retval = CC_FAIL; ++ goto end; ++ } ++ *data_p = data; ++ *data_len_p = data_len; ++ retval = CC_SUCCESS; ++ ++end: ++ if (add_data != NULL) { ++ memset(add_data, 0, add_len); ++ free(add_data); ++ } ++ if (retval != CC_SUCCESS && data != NULL) { ++ memset(data, 0, data_len); ++ free(data); ++ } ++ return retval; ++} ++ ++int set_ctx_key(SSL_CTX *ctx, const char *enc_key_file_name) ++{ ++ BIO *in_bio = NULL; ++ EVP_PKEY *pkey = NULL; ++ char *raw_key = NULL; ++ size_t raw_key_len = 0; ++ BIO *key_bio = NULL; ++ char *enc_key = NULL; ++ int retval = CC_FAIL; ++ int res = CC_FAIL; ++ ++ key_bio = BIO_new_file(enc_key_file_name, "r"); ++ if (key_bio == NULL) { ++ goto end; ++ }; ++ enc_key = (char *)malloc(MAX_ENC_KEY_LEN); ++ if (enc_key == NULL) { ++ goto end; ++ } ++ if (BIO_read(key_bio, enc_key, MAX_ENC_KEY_LEN) <= 0) { ++ goto end; ++ } ++ res = unseal_enc_data(&raw_key, &raw_key_len, enc_key); ++ if (res != CC_SUCCESS || raw_key_len == 0) { ++ goto end; ++ } ++ in_bio = BIO_new_mem_buf(raw_key, raw_key_len); ++ if (in_bio == NULL) { ++ goto end; ++ } ++ pkey = 
PEM_read_bio_PrivateKey(in_bio, NULL, NULL, NULL); ++ if (pkey == NULL) { ++ goto end; ++ } ++ if (!SSL_CTX_use_PrivateKey(ctx, pkey)) { ++ goto end; ++ } ++ retval = CC_SUCCESS; ++ ++end: ++ EVP_PKEY_free(pkey); ++ BIO_free(in_bio); ++ BIO_free(key_bio); ++ if (enc_key != NULL) { ++ free(enc_key); ++ } ++ if (raw_key != NULL) { ++ memset(raw_key, 0, raw_key_len); ++ free(raw_key); ++ } ++ return retval; ++} ++ ++int start_enclave_tls(int client_fd,const char *cert, size_t cert_len, const char *enc_key, size_t enc_key_len) ++{ ++ char buf[BUF_SIZE] = {0}; ++ const SSL_METHOD *meth = NULL; ++ SSL_CTX *ctx = NULL; ++ SSL *ssl = NULL; ++ int res = 0; ++ int retval = CC_FAIL; ++ ++ if (client_fd <= 0 || cert == NULL || cert_len == 0 || enc_key == NULL || enc_key_len == 0) { ++ return CC_ERROR_BAD_PARAMETERS; ++ } ++ SSL_load_error_strings(); ++ SSLeay_add_ssl_algorithms(); ++ meth = TLS_method(); ++ if (meth == NULL) { ++ return CC_FAIL; ++ } ++ ctx = SSL_CTX_new(meth); ++ if (ctx == NULL) { ++ return CC_FAIL; ++ } ++ if (SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM) <= 0) { ++ goto end; ++ } ++ if (set_ctx_key(ctx, enc_key) != CC_SUCCESS){ ++ goto end; ++ } ++ if (!SSL_CTX_check_private_key(ctx)) { ++ goto end; ++ } ++ ssl = SSL_new(ctx); ++ if (ssl == NULL) { ++ goto end; ++ } ++ SSL_set_fd(ssl, client_fd); ++ if (SSL_set_cipher_list(ssl, "ECDHE-RSA-AES128-GCM-SHA256") != 1) { ++ goto end; ++ } ++ if (SSL_accept(ssl) <= 0) { ++ goto end; ++ } ++ res = SSL_read(ssl, buf, BUF_SIZE -1); ++ if (res <= 0) { ++ goto end; ++ } ++ if (SSL_write(ssl, buf, res) <= 0) { ++ goto end; ++ } ++ retval = CC_SUCCESS; ++ ++end: ++ if (ssl != NULL) { ++ SSL_shutdown(ssl); ++ SSL_free(ssl); ++ } ++ if (ctx != NULL) { ++ SSL_CTX_free(ctx); ++ } ++ memset(buf, 0, BUF_SIZE); ++ return retval; ++} +diff --git a/examples/tls_enclave/host/CMakeLists.txt b/examples/tls_enclave/host/CMakeLists.txt +new file mode 100644 +index 0000000..2f4c8ac +--- /dev/null ++++ 
b/examples/tls_enclave/host/CMakeLists.txt +@@ -0,0 +1,56 @@ ++# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++# secGear is licensed under the Mulan PSL v2. ++# You can use this software according to the terms and conditions of the Mulan PSL v2. ++# You may obtain a copy of Mulan PSL v2 at: ++# http://license.coscl.org.cn/MulanPSL2 ++# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++# PURPOSE. ++# See the Mulan PSL v2 for more details. ++ ++#set host exec name ++set(OUTPUT secgear_tls) ++#set host src code ++set(SOURCE_FILE ${CMAKE_CURRENT_SOURCE_DIR}/main.c) ++ ++#set auto code ++if(CC_SGX) ++ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.c) ++ add_custom_command(OUTPUT ${AUTO_FILES} ++ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE} ++ COMMAND ${CODEGEN} --${CODETYPE} --untrusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include --search-path ${ENCLAVE_SSL}/include) ++endif() ++ ++set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIE") ++set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s") ++ ++if(CC_SGX) ++ if(${CMAKE_VERSION} VERSION_LESS "3.13.0") ++ link_directories(${CMAKE_LIBRARY_OUTPUT_DIRECTORY} ${SGXSSL}/lib64) ++ endif() ++ set(SGX_MODE HW) ++ if(${SGX_MODE} STREQUAL HW) ++ set(Urts_Library_Name sgx_urts) ++ else() ++ set(Urts_Library_Name sgx_urts_sim) ++ endif() ++ add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES}) ++ target_include_directories(${OUTPUT} PRIVATE ++ ${LOCAL_ROOT_PATH}/inc/host_inc ++ ${LOCAL_ROOT_PATH}/inc/host_inc/sgx ++ ${CMAKE_CURRENT_BINARY_DIR}) ++ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0") ++ target_link_directories(${OUTPUT} PRIVATE ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} ${ENCLAVE_SSL}/lib64) ++ endif() ++ target_link_libraries(${OUTPUT} secgear 
${Urts_Library_Name} pthread ssl crypto sgx_usgxssl) ++endif() ++ ++set_target_properties(${OUTPUT} PROPERTIES SKIP_BUILD_RPATH TRUE) ++ ++if(CC_SGX) ++ install(TARGETS ${OUTPUT} ++ RUNTIME ++ DESTINATION ${CMAKE_BINARY_DIR}/bin/ ++ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ) ++endif() ++ +diff --git a/examples/tls_enclave/host/main.c b/examples/tls_enclave/host/main.c +new file mode 100644 +index 0000000..4407e64 +--- /dev/null ++++ b/examples/tls_enclave/host/main.c +@@ -0,0 +1,179 @@ ++/* ++ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++ * secGear is licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. 
++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "openssl/evp.h" ++#include "openssl/x509.h" ++#include "openssl/pem.h" ++#include "openssl/ssl.h" ++#include "tls_enclave_u.h" ++#include "enclave.h" ++ ++#define BUF_LEN 1024 ++#define MAX_LISTEN_FD 64 ++#define PASS_MAX 32 ++#define MAX_ENC_KEY_LEN 4096 ++#define ENC_KEY_FILE_NAME "enc_key" ++ ++int set_echo_mode(int fd, int option) ++{ ++ struct termios term; ++ if (tcgetattr(fd, &term) != 0) { ++ return CC_FAIL; ++ } ++ if (option) { ++ term.c_lflag |= (ECHO | ECHOE | ECHOK | ECHONL); ++ } else { ++ term.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL); ++ } ++ if (tcsetattr(fd, TCSAFLUSH, &term) != 0) { ++ return CC_FAIL; ++ } ++ return CC_SUCCESS; ++} ++ ++int get_password_and_seal_key(cc_enclave_t *context, const char *key_file_name, const char *enc_key_file_name) ++{ ++ int res = CC_FAIL; ++ size_t retval = 0; ++ size_t pw_len = 0; ++ char password[PASS_MAX] = {0}; ++ char *enc_key = NULL; ++ FILE *fp = NULL; ++ ++ printf("Please input password:\n"); ++ if (set_echo_mode(STDIN_FILENO, 0)) { ++ return CC_FAIL; ++ } ++ if (fgets((char *)password, PASS_MAX, stdin) == NULL) { ++ return CC_FAIL; ++ } ++ pw_len = strlen((const char *)password); ++ if (password[pw_len - 1] == '\n') { ++ password[pw_len-1] = 0; ++ pw_len--; ++ } ++ if (set_echo_mode(STDIN_FILENO, 1)) { ++ goto end; ++ } ++ enc_key = malloc(MAX_ENC_KEY_LEN); ++ if (enc_key == NULL) { ++ goto end; ++ } ++ res = seal_key(context, &retval, key_file_name, strlen(key_file_name) + 1, password, pw_len + 1, ++ enc_key, MAX_ENC_KEY_LEN); ++ if (res != CC_SUCCESS || retval == 0) { ++ res = CC_FAIL; ++ goto end; ++ } ++ fp = fopen(enc_key_file_name, "w+"); ++ if (fp == NULL) { ++ res = CC_FAIL; ++ goto end; ++ } ++ if (fwrite(enc_key, sizeof(char), retval, fp) != retval) { ++ fclose(fp); ++ res = CC_FAIL; ++ goto end; ++ } ++ fclose(fp); ++ if (remove(key_file_name) == 0) { ++ 
printf("delete origin key file success!\n"); ++ } else { ++ printf("delete origin key file error!\n"); ++ res = CC_FAIL; ++ } ++ ++end: ++ memset(password, 0, pw_len); ++ return res; ++} ++ ++int start_server(int port) ++{ ++ int server_fd = socket(AF_INET, SOCK_STREAM, 0); ++ struct sockaddr_in serv_addr; ++ memset(&serv_addr, 0, sizeof(serv_addr)); ++ serv_addr.sin_family = AF_INET; ++ serv_addr.sin_port = htons(port); ++ serv_addr.sin_addr.s_addr = htonl(INADDR_ANY); ++ if (bind(server_fd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) { ++ return -1; ++ } ++ listen(server_fd, MAX_LISTEN_FD); ++ return server_fd; ++} ++ ++int main(int argc, const char *argv[]) ++{ ++ char *path = PATH; ++ cc_enclave_t *context = NULL; ++ struct sockaddr_in client_addr; ++ socklen_t client_len; ++ int server_fd = -1; ++ int tlsc_fd = -1; ++ cc_enclave_result_t res = CC_FAIL; ++ int retval = 0; ++ ++ if (argc != 4) { ++ printf("usage: %s port cert_file key_file\n", argv[0]); ++ return CC_FAIL; ++ } ++ ++ server_fd = start_server(atoi(argv[1])); ++ if (server_fd < 0) { ++ return CC_FAIL; ++ } ++ tlsc_fd = accept(server_fd, (struct sockaddr *)&client_addr, &client_len); ++ if (tlsc_fd < 0) { ++ return CC_FAIL; ++ } ++ printf("Create secgear enclave\n"); ++ res = cc_enclave_create(path, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context); ++ if (res != CC_SUCCESS) { ++ printf("Create enclave error\n"); ++ goto end; ++ } ++ res = get_password_and_seal_key(context, argv[3], ENC_KEY_FILE_NAME); ++ if (res != CC_SUCCESS) { ++ printf("get_password_and_seal_key error\n"); ++ goto end; ++ } ++ res = start_enclave_tls(context, &retval, tlsc_fd, argv[2], strlen(argv[2]) + 1, ENC_KEY_FILE_NAME, ++ strlen(ENC_KEY_FILE_NAME) + 1); ++ if (res != CC_SUCCESS || retval != CC_SUCCESS) { ++ printf("start_enclave_tls error\n"); ++ goto end; ++ } ++ ++ printf("enclve tls finish\n"); ++ ++end: ++ if (context != NULL) { ++ res = cc_enclave_destroy(context); ++ if(res != CC_SUCCESS) { ++ 
printf("Destroy enclave error\n"); ++ } ++ } ++ close(tlsc_fd); ++ close(server_fd); ++ return res; ++} +diff --git a/examples/tls_enclave/tls_enclave.edl b/examples/tls_enclave/tls_enclave.edl +new file mode 100644 +index 0000000..93e9a70 +--- /dev/null ++++ b/examples/tls_enclave/tls_enclave.edl +@@ -0,0 +1,26 @@ ++/* ++ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++ * secGear is licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. ++ */ ++ ++enclave { ++ include "stdbool.h" ++ include "secgear_urts.h" ++ from "secgear_tstdc.edl" import *; ++ from "secgear_tssl.edl" import *; ++ trusted { ++ public size_t seal_key([in, size = file_name_len] const char *file_name, size_t file_name_len, ++ [in, size = pw_len] char *password, size_t pw_len, ++ [out, size = enc_buf_len] char *enc_buf, size_t enc_buf_len); ++ public int start_enclave_tls(int client_fd, ++ [in, size = cert_len] const char *cert, size_t cert_len, ++ [in, size = enc_key_len] const char *enc_key, size_t enc_key_len); ++ }; ++}; +diff --git a/examples/tls_enclave/tls_enclave.md b/examples/tls_enclave/tls_enclave.md +new file mode 100644 +index 0000000..e81d70c +--- /dev/null ++++ b/examples/tls_enclave/tls_enclave.md +@@ -0,0 +1,17 @@ ++#Getting started with the tls_enclave example ++ ++In the scenario where a user already has a certificate and private on the host side, the tls_enclve provides an example how to protect the private key and how to estabilish a TLS connection with enclave in Linux SGX environment. ++ ++1. 
Install secGear and intel-sgx-ssl(http://gitee.com/src-openEuler/intel-sgx-ssl). ++2. Enter the development directory ../secGear, source environment && mkdir debug && cd debug ++&& cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=on -DSGXSDK="sgx_sdk path" -DENCLAVE_SSL="sgxssl path" .. ++3. To run secgear_tls, the certificate and key used by the TLS server needs to be generated, the following example generate signed certificate only for testing. ++(1) generate RSA key: ++ openssl genrsa -f4 -aes256 -out server.key 3072 ++ follow the screen instructions to enter the pass phrase for protecting private key, the pass phrase should meet certain complexity requirements. ++(2) generate self-signed certificate ++ openssl req -new -x509 -days 365 -key server.key -out server.pem -sha256 -subj "/C=CN/ST=GD/L=SZ/O=test/OU=test/CN=test" ++4. start secgear_tls, sudo debug/bin/secgear_tls 9090 server.pem server.key & ++ start tls_client, sudo debug/bin/tls_client 9090 server.pem ++ follow the screen instructions to enter the pass phrase to usee the private key. ++ After exectued successfully, the private key is deleted and only the key encrypted by enclave is saved. +-- +2.27.0 + diff --git a/0023-tls_enclave-is-not-compiled-by-default.patch b/0023-tls_enclave-is-not-compiled-by-default.patch new file mode 100644 index 0000000..c2080de --- /dev/null +++ b/0023-tls_enclave-is-not-compiled-by-default.patch 
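Review bot: In `seal_key` and `start_enclave_tls` in enclave_server.c the host-supplied `file_name`, `password`, `cert` and `enc_key` buffers are handed to `BIO_new_file`, `PEM_read_bio_RSAPrivateKey` and `SSL_CTX_use_certificate_file` as C strings, but only NULL and zero length are checked; since the EDL marshals them with `[in, size = …]` and the host is outside the enclave's trust boundary, each function should reject a buffer whose last byte is not NUL, e.g. `if (file_name[file_name_len - 1] != '\0' || password[pw_len - 1] != '\0') return 0;` in `seal_key` and the same for `cert`/`enc_key` in `start_enclave_tls`. The `memset(..., 0, ...)` calls that scrub `buf`, `data`, `add_data`, `raw_key`, the TLS `buf` and the host's `password` immediately before `free`/return are dead stores a compiler may drop; with OpenSSL already linked, `OPENSSL_cleanse(buf, buf_len);` is the reliable form. `unseal_enc_data` passes `(uint32_t *)&data_len` and `(uint32_t *)&add_len` although both locals are `size_t`; use `uint32_t` locals for the out-parameters and widen afterwards instead of type-punning. In host main.c, `client_len` reaches `accept` uninitialized and must be set with `socklen_t client_len = sizeof(client_addr);`, and `get_password_and_seal_key` returns on `fgets` failure with terminal echo still disabled. `set_ctx_key` also discards the byte count returned by `BIO_read`, so `unseal_enc_data` works from whatever sizes the sealed header declares with no check that they fit inside what was actually read into `enc_key`; `cc_enclave_unseal_data` may validate this internally, but passing the read length through is cheap.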
@@ -0,0 +1,25 @@
+From 90df8d9c0ac4ee7cbe24971ed4a8c4c6ac86c3b1 Mon Sep 17 00:00:00 2001
+From: yanlu
+Date: Thu, 15 Apr 2021 11:49:27 +0800
+Subject: [PATCH 06/14] tls_enclave is not compiled by default
+
+---
+ CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 1653287..b1fe4a4 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -57,7 +57,7 @@ endif()
+ if(CC_SGX)
+ add_subdirectory(${LOCAL_ROOT_PATH}/examples/helloworld)
+ add_subdirectory(${LOCAL_ROOT_PATH}/examples/seal_data)
+- add_subdirectory(${LOCAL_ROOT_PATH}/examples/tls_enclave)
++# add_subdirectory(${LOCAL_ROOT_PATH}/examples/tls_enclave)
+ endif()
+
+ install(FILES ${LOCAL_ROOT_PATH}/conf/logrotate.d/secgear
+--
+2.27.0
+
diff --git a/0024-Cmake-replace-minial-cmake-from-3.12-to-3.10.patch b/0024-Cmake-replace-minial-cmake-from-3.12-to-3.10.patch
new file mode 100644
index 0000000..67c822d
--- /dev/null
+++ b/0024-Cmake-replace-minial-cmake-from-3.12-to-3.10.patch
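Review bot: Commenting out the `add_subdirectory` line leaves dead code in the top-level CMakeLists.txt and no way to build the example without editing the file again. Since the example's own enclave/CMakeLists.txt already fails with `FATAL_ERROR` unless `ENCLAVE_SSL` points at a directory, gating on that variable, `if(CC_SGX AND ENCLAVE_SSL) add_subdirectory(${LOCAL_ROOT_PATH}/examples/tls_enclave) endif()`, or an `option(ENABLE_TLS_ENCLAVE ...)` keeps the example buildable and makes the requirement self-documenting. The enclosing `if(CC_SGX)` block is fully visible in the hunk's context.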
@@ -0,0 +1,68 @@ +From 20d6808fd639e4506fd1a383cf59094a17773775 Mon Sep 17 00:00:00 2001 +From: Li Feng +Date: Mon, 26 Apr 2021 09:26:46 +0000 +Subject: [PATCH 07/14] Cmake: replace minial cmake from 3.12 to 3.10 + +Signed-off-by: Li Feng +--- + CMakeLists.txt | 2 +- + README.en.md | 2 +- + README.md | 2 +- + examples/seal_data/CMakeLists.txt | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index b1fe4a4..a4d1668 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -8,7 +8,7 @@ + # PURPOSE. + # See the Mulan PSL v2 for more details. + +-cmake_minimum_required(VERSION 3.12 FATAL_ERROR) ++cmake_minimum_required(VERSION 3.10 FATAL_ERROR) + project(secGear C) + + set(CMAKE_C_STANDARD 99) +diff --git a/README.en.md b/README.en.md +index a33a50c..4df13b0 100644 +--- a/README.en.md ++++ b/README.en.md +@@ -43,7 +43,7 @@ Then save as test.edl + + ### 2 Write the top-level CMakeLists.txt + +- cmake_minimum_required(VERSION 3.12 FATAL_ERROR) ++ cmake_minimum_required(VERSION 3.10 FATAL_ERROR) + project(TEST C) + set(CMAKE_C_STANDARD 99) + set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR}) +diff --git a/README.md b/README.md +index 971ddca..a90450b 100644 +--- a/README.md ++++ b/README.md +@@ -35,7 +35,7 @@ SecGear则是面向计算产业的机密计算安全应用开发套件。旨在 + + ### 2 编写最外层CMakeLists.txt文件 + +- cmake_minimum_required(VERSION 3.12 FATAL_ERROR) ++ cmake_minimum_required(VERSION 3.10 FATAL_ERROR) + project(TEST C) + set(CMAKE_C_STANDARD 99) + set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR}) +diff --git a/examples/seal_data/CMakeLists.txt b/examples/seal_data/CMakeLists.txt +index 503fe0d..3577301 100644 +--- a/examples/seal_data/CMakeLists.txt ++++ b/examples/seal_data/CMakeLists.txt +@@ -8,7 +8,7 @@ + # PURPOSE. + # See the Mulan PSL v2 for more details. + +-cmake_minimum_required(VERSION 3.12) ++cmake_minimum_required(VERSION 3.10) + + project(SealData C) + +-- +2.27.0 + 
diff --git a/0025-example-add-example-for-LRT-long-running-task.patch b/0025-example-add-example-for-LRT-long-running-task.patch new file mode 100644 index 0000000..5ca148a --- /dev/null +++ b/0025-example-add-example-for-LRT-long-running-task.patch 
@@ -0,0 +1,517 @@ +From d8d225ed834a9cfe63b305ccd2ce97f5b3ebdfb4 Mon Sep 17 00:00:00 2001 +From: Li Feng +Date: Mon, 26 Apr 2021 09:32:12 +0000 +Subject: [PATCH 08/14] example: add example for LRT(long running task) + +Signed-off-by: Li Feng +--- + CMakeLists.txt | 1 + + examples/lrt/CMakeLists.txt | 34 +++++ + examples/lrt/enclave/CMakeLists.txt | 158 ++++++++++++++++++++++++ + examples/lrt/enclave/Enclave.config.xml | 12 ++ + examples/lrt/enclave/Enclave.lds | 11 ++ + examples/lrt/enclave/lrt.c | 23 ++++ + examples/lrt/enclave/manifest.txt.in | 8 ++ + examples/lrt/host/CMakeLists.txt | 85 +++++++++++++ + examples/lrt/host/main.c | 70 +++++++++++ + examples/lrt/lrt.edl | 19 +++ + 10 files changed, 421 insertions(+) + create mode 100644 examples/lrt/CMakeLists.txt + create mode 100644 examples/lrt/enclave/CMakeLists.txt + create mode 100644 examples/lrt/enclave/Enclave.config.xml + create mode 100644 examples/lrt/enclave/Enclave.lds + create mode 100644 examples/lrt/enclave/lrt.c + create mode 100644 examples/lrt/enclave/manifest.txt.in + create mode 100644 examples/lrt/host/CMakeLists.txt + create mode 100644 examples/lrt/host/main.c + create mode 100644 examples/lrt/lrt.edl + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index a4d1668..1d036ea 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -58,6 +58,7 @@ if(CC_SGX) + add_subdirectory(${LOCAL_ROOT_PATH}/examples/helloworld) + add_subdirectory(${LOCAL_ROOT_PATH}/examples/seal_data) + # add_subdirectory(${LOCAL_ROOT_PATH}/examples/tls_enclave) ++# add_subdirectory(${LOCAL_ROOT_PATH}/examples/lrt) + endif() + + install(FILES ${LOCAL_ROOT_PATH}/conf/logrotate.d/secgear +diff --git a/examples/lrt/CMakeLists.txt b/examples/lrt/CMakeLists.txt +new file mode 100644 +index 0000000..9059590 +--- /dev/null ++++ b/examples/lrt/CMakeLists.txt +@@ -0,0 +1,34 @@ ++# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++# secGear is licensed under the Mulan PSL v2. 
++# You can use this software according to the terms and conditions of the Mulan PSL v2. ++# You may obtain a copy of Mulan PSL v2 at: ++# http://license.coscl.org.cn/MulanPSL2 ++# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++# PURPOSE. ++# See the Mulan PSL v2 for more details. ++ ++project(HelloWorldLRT C) ++ ++set(CMAKE_C_STANDARD 99) ++ ++set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR}) ++ ++#set edl name ++set(EDL_FILE lrt.edl) ++set(CODEGEN codegen) ++ ++if(CC_GP) ++ set(CODETYPE trustzone) ++ execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID) ++ string(REPLACE "\n" "" UUID ${UUID}) ++ add_definitions(-DPATH="/data/${UUID}.sec") ++endif() ++ ++if(CC_SGX) ++ set(CODETYPE sgx) ++ add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so") ++endif() ++ ++add_subdirectory(${CURRENT_ROOT_PATH}/enclave) ++add_subdirectory(${CURRENT_ROOT_PATH}/host) +diff --git a/examples/lrt/enclave/CMakeLists.txt b/examples/lrt/enclave/CMakeLists.txt +new file mode 100644 +index 0000000..64494cc +--- /dev/null ++++ b/examples/lrt/enclave/CMakeLists.txt +@@ -0,0 +1,158 @@ ++# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++# secGear is licensed under the Mulan PSL v2. ++# You can use this software according to the terms and conditions of the Mulan PSL v2. ++# You may obtain a copy of Mulan PSL v2 at: ++# http://license.coscl.org.cn/MulanPSL2 ++# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++# PURPOSE. ++# See the Mulan PSL v2 for more details. 
++ ++#set auto code prefix ++set(PREFIX lrt) ++ ++#set sign key ++set(PEM Enclave_private.pem) ++ ++#set sign tool ++set(SIGN_TOOL ${LOCAL_ROOT_PATH}/tools/sign_tool/sign_tool.sh) ++ ++#set enclave src code ++set(SOURCE_FILES ${CMAKE_CURRENT_SOURCE_DIR}/lrt.c) ++ ++#set log level ++set(PRINT_LEVEL 3) ++add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL}) ++ ++if(CC_GP) ++ #set signed output ++ set(OUTPUT ${UUID}.sec) ++ #set whilelist. default: /vendor/bin/teec_hello ++ set(WHITE_LIST_0 /vendor/bin/helloworld) ++ set(WHITE_LIST_OWNER root) ++ set(WHITE_LIST_1 /vendor/bin/secgear_helloworld) ++ set(WHITELIST WHITE_LIST_0 WHITE_LIST_1) ++ ++ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h) ++ add_custom_command(OUTPUT ${AUTO_FILES} ++ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE} ++ COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/gp) ++endif() ++ ++if(CC_SGX) ++ set(OUTPUT enclave.signed.so) ++ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c) ++ add_custom_command(OUTPUT ${AUTO_FILES} ++ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE} ++ COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include) ++endif() ++ ++set(COMMON_C_FLAGS "-W -Wall -Werror -fno-short-enums -fno-omit-frame-pointer -fstack-protector \ ++ -Wstack-protector --param ssp-buffer-size=4 -frecord-gcc-switches -Wextra -nostdinc -nodefaultlibs \ ++ -fno-peephole -fno-peephole2 -Wno-main -Wno-error=unused-parameter \ ++ -Wno-error=unused-but-set-variable -Wno-error=format-truncation=") ++ ++set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs -nostartfiles") ++ ++if(CC_GP) ++ configure_file("${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt.in" 
"${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt") ++ ++ set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -march=armv8-a ") ++ set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s -fPIC") ++ set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-s") ++ ++ set(ITRUSTEE_TEEDIR ${iTrusteeSDK}/) ++ set(ITRUSTEE_LIBC ${iTrusteeSDK}/thirdparty/open_source/musl/libc) ++ ++ if(${CMAKE_VERSION} VERSION_LESS "3.13.0") ++ link_directories(${CMAKE_BINARY_DIR}/lib/) ++ endif() ++ ++ add_library(${PREFIX} SHARED ${SOURCE_FILES} ${AUTO_FILES}) ++ ++ target_include_directories( ${PREFIX} PRIVATE ++ ${CMAKE_CURRENT_BINARY_DIR} ++ ${LOCAL_ROOT_PATH}/inc/host_inc ++ ${LOCAL_ROOT_PATH}/inc/host_inc/gp ++ ${LOCAL_ROOT_PATH}/inc/enclave_inc ++ ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp ++ ${ITRUSTEE_TEEDIR}/include/TA ++ ${ITRUSTEE_TEEDIR}/include/TA/huawei_ext ++ ${ITRUSTEE_LIBC}/arch/aarch64 ++ ${ITRUSTEE_LIBC}/ ++ ${ITRUSTEE_LIBC}/arch/arm/bits ++ ${ITRUSTEE_LIBC}/arch/generic ++ ${ITRUSTEE_LIBC}/arch/arm ++ ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp/itrustee) ++ ++ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0") ++ target_link_directories(${PREFIX} PRIVATE ++ ${CMAKE_BINARY_DIR}/lib/) ++ endif() ++ ++ foreach(WHITE_LIST ${WHITELIST}) ++ add_definitions(-D${WHITE_LIST}="${${WHITE_LIST}}") ++ endforeach(WHITE_LIST) ++ add_definitions(-DWHITE_LIST_OWNER="${WHITE_LIST_OWNER}") ++ ++ target_link_libraries(${PREFIX} -lsecgear_tee) ++ ++ add_custom_command(TARGET ${PREFIX} ++ POST_BUILD ++ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt ++ -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}) ++ ++ install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT} ++ DESTINATION /data ++ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) ++ ++endif() ++ ++if(CC_SGX) ++ set(SGX_DIR ${SGXSDK}) ++ set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -m64 -fvisibility=hidden") ++ set(CMAKE_C_FLAGS_RELEASE 
"${CMAKE_C_FLAGS} -s") ++ set(LINK_LIBRARY_PATH ${SGX_DIR}/lib64) ++ ++ if(CC_SIM) ++ set(Trts_Library_Name sgx_trts_sim) ++ set(Service_Library_Name sgx_tservice_sim) ++ else() ++ set(Trts_Library_Name sgx_trts) ++ set(Service_Library_Name sgx_tservice) ++ endif() ++ ++ set(Crypto_Library_Name sgx_tcrypto) ++ ++ set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-z,defs -Wl,-pie -Bstatic -Bsymbolic -eenclave_entry \ ++ -Wl,--export-dynamic -Wl,--defsym,__ImageBase=0 -Wl,--gc-sections -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/Enclave.lds") ++ ++ if(${CMAKE_VERSION} VERSION_LESS "3.13.0") ++ link_directories(${LINK_LIBRARY_PATH}) ++ endif() ++ ++ add_library(${PREFIX} SHARED ${SOURCE_FILES} ${AUTO_FILES}) ++ ++ target_include_directories(${PREFIX} PRIVATE ++ ${CMAKE_CURRENT_BINARY_DIR} ++ ${SGX_DIR}/include/tlibc ++ ${SGX_DIR}/include/libcxx ++ ${SGX_DIR}/include ++ ${LOCAL_ROOT_PATH}/inc/host_inc ++ ${LOCAL_ROOT_PATH}/inc/host_inc/sgx) ++ ++ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0") ++ target_link_directories(${PREFIX} PRIVATE ++ ${LINK_LIBRARY_PATH}) ++ endif() ++ ++ target_link_libraries(${PREFIX} -Wl,--whole-archive ${Trts_Library_Name} -Wl,--no-whole-archive ++ -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -l${Crypto_Library_Name} -l${Service_Library_Name} -Wl,--end-group) ++ add_custom_command(TARGET ${PREFIX} ++ POST_BUILD ++ COMMAND umask 0177 ++ COMMAND openssl genrsa -3 -out ${PEM} 3072 ++ COMMAND bash ${SIGN_TOOL} -d sign -x sgx -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -k ${PEM} -o ${OUTPUT} -c ${CMAKE_CURRENT_SOURCE_DIR}/Enclave.config.xml) ++endif() ++ ++set_target_properties(${PREFIX} PROPERTIES SKIP_BUILD_RPATH TRUE) +diff --git a/examples/lrt/enclave/Enclave.config.xml b/examples/lrt/enclave/Enclave.config.xml +new file mode 100644 +index 0000000..e94c9bc +--- /dev/null ++++ b/examples/lrt/enclave/Enclave.config.xml +@@ -0,0 +1,12 @@ ++ ++ 0 ++ 0 ++ 0x40000 ++ 0x100000 ++ 10 ++ 1 ++ ++ 0 ++ 0 ++ 0xFFFFFFFF ++ +diff 
--git a/examples/lrt/enclave/Enclave.lds b/examples/lrt/enclave/Enclave.lds +new file mode 100644 +index 0000000..ab77e64 +--- /dev/null ++++ b/examples/lrt/enclave/Enclave.lds +@@ -0,0 +1,11 @@ ++enclave.so ++{ ++ global: ++ g_global_data_sim; ++ g_global_data; ++ enclave_entry; ++ g_peak_heap_used; ++ local: ++ *; ++}; ++ +diff --git a/examples/lrt/enclave/lrt.c b/examples/lrt/enclave/lrt.c +new file mode 100644 +index 0000000..982e50c +--- /dev/null ++++ b/examples/lrt/enclave/lrt.c +@@ -0,0 +1,23 @@ ++/* ++ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++ * secGear is licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. ++ */ ++ ++#include ++#include ++#include "lrt_t.h" ++ ++#define TA_HELLO_WORLD "Secgear Long Running Task!" 
++#define BUF_MAX 32 ++int get_string(char *buf) ++{ ++ strncpy(buf, TA_HELLO_WORLD, strlen(TA_HELLO_WORLD) + 1); ++ return 0; ++} +diff --git a/examples/lrt/enclave/manifest.txt.in b/examples/lrt/enclave/manifest.txt.in +new file mode 100644 +index 0000000..7b8ecf5 +--- /dev/null ++++ b/examples/lrt/enclave/manifest.txt.in +@@ -0,0 +1,8 @@ ++gpd.ta.appID: @UUID@ ++gpd.ta.service_name: test0108 ++gpd.ta.singleInstance: true ++gpd.ta.multiSession: false ++gpd.ta.multiCommand: false ++gpd.ta.instanceKeepAlive: false ++gpd.ta.dataSize: 16384 ++gpd.ta.stackSize: 20480 +diff --git a/examples/lrt/host/CMakeLists.txt b/examples/lrt/host/CMakeLists.txt +new file mode 100644 +index 0000000..13f891a +--- /dev/null ++++ b/examples/lrt/host/CMakeLists.txt +@@ -0,0 +1,85 @@ ++# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++# secGear is licensed under the Mulan PSL v2. ++# You can use this software according to the terms and conditions of the Mulan PSL v2. ++# You may obtain a copy of Mulan PSL v2 at: ++# http://license.coscl.org.cn/MulanPSL2 ++# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++# PURPOSE. ++# See the Mulan PSL v2 for more details. 
++ ++#set auto code prefix ++set(PREFIX lrt) ++#set host exec name ++set(OUTPUT secgear_lrt) ++#set host src code ++set(SOURCE_FILE ${CMAKE_CURRENT_SOURCE_DIR}/main.c) ++ ++#set auto code ++if(CC_GP) ++ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h) ++ add_custom_command(OUTPUT ${AUTO_FILES} ++ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE} ++ COMMAND ${CODEGEN} --${CODETYPE} --untrusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/gp) ++endif() ++ ++if(CC_SGX) ++ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.c) ++ add_custom_command(OUTPUT ${AUTO_FILES} ++ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE} ++ COMMAND ${CODEGEN} --${CODETYPE} --untrusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include) ++endif() ++ ++set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIE") ++set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s") ++ ++if(CC_GP) ++ if(${CMAKE_VERSION} VERSION_LESS "3.13.0") ++ link_directories(${CMAKE_LIBRARY_OUTPUT_DIRECTORY}) ++ endif() ++ add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES}) ++ target_include_directories(${OUTPUT} PRIVATE ++ ${LOCAL_ROOT_PATH}/inc/host_inc ++ ${LOCAL_ROOT_PATH}/inc/host_inc/gp ++ ${CMAKE_CURRENT_BINARY_DIR}) ++ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0") ++ target_link_directories(${OUTPUT} PRIVATE ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}) ++ endif() ++endif() ++ ++if(CC_SGX) ++ if(${CMAKE_VERSION} VERSION_LESS "3.13.0") ++ link_directories(${CMAKE_LIBRARY_OUTPUT_DIRECTORY}) ++ endif() ++ add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES}) ++ target_include_directories(${OUTPUT} PRIVATE ++ ${LOCAL_ROOT_PATH}/inc/host_inc ++ ${LOCAL_ROOT_PATH}/inc/host_inc/sgx ++ ${CMAKE_CURRENT_BINARY_DIR}) ++ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0") ++ target_link_directories(${OUTPUT} PRIVATE 
${CMAKE_LIBRARY_OUTPUT_DIRECTORY}) ++ endif() ++endif() ++ ++if(CC_SIM) ++ target_link_libraries(${OUTPUT} secgearsim) ++else() ++ target_link_libraries(${OUTPUT} secgear) ++endif() ++set_target_properties(${OUTPUT} PROPERTIES SKIP_BUILD_RPATH TRUE) ++ ++if(CC_GP) ++ #itrustee install whitelist /vender/bin/teec_hello ++ install(TARGETS ${OUTPUT} ++ RUNTIME ++ DESTINATION /vendor/bin/ ++ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ) ++endif() ++ ++if(CC_SGX) ++ install(TARGETS ${OUTPUT} ++ RUNTIME ++ DESTINATION ${CMAKE_BINARY_DIR}/bin/ ++ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ) ++endif() ++ +diff --git a/examples/lrt/host/main.c b/examples/lrt/host/main.c +new file mode 100644 +index 0000000..ba078c7 +--- /dev/null ++++ b/examples/lrt/host/main.c +@@ -0,0 +1,70 @@ ++/* ++ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++ * secGear is licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. 
++ */ ++ ++#include ++#include ++#include ++#include "enclave.h" ++#include "lrt_u.h" ++ ++#define BUF_LEN 32 ++ ++int main() ++{ ++ int retval = 0; ++ char *path = PATH; ++ char buf[BUF_LEN]; ++ cc_enclave_t *context = NULL; ++ cc_enclave_result_t res; ++ ++ printf("Create secgear enclave\n"); ++ ++ char real_p[PATH_MAX]; ++ /* check file exists, if not exist then use absolute path */ ++ if (realpath(path, real_p) == NULL) { ++ if (getcwd(real_p, sizeof(real_p)) == NULL) { ++ printf("Cannot find enclave.sign.so"); ++ return -1; ++ } ++ if (PATH_MAX - strlen(real_p) <= strlen("/enclave.signed.so")) { ++ printf("Failed to strcat enclave.sign.so path"); ++ return -1; ++ } ++ (void)strcat(real_p, "/enclave.signed.so"); ++ } ++ ++ res = cc_enclave_create(real_p, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context); ++ if (res != CC_SUCCESS) { ++ printf("Create enclave error\n"); ++ return res; ++ } ++ ++ while(true) { ++ res = get_string(context, &retval, buf); ++ if (res != CC_SUCCESS || retval != (int)CC_SUCCESS) { ++ printf("Ecall enclave error\n"); ++ goto out; ++ } else { ++ printf("%s\n", buf); ++ } ++ sleep(1); ++ } ++ ++out: ++ if (context != NULL) { ++ res = cc_enclave_destroy(context); ++ if(res != CC_SUCCESS) { ++ printf("Destroy enclave error\n"); ++ } ++ } ++ return res; ++} +diff --git a/examples/lrt/lrt.edl b/examples/lrt/lrt.edl +new file mode 100644 +index 0000000..73dc375 +--- /dev/null ++++ b/examples/lrt/lrt.edl +@@ -0,0 +1,19 @@ ++/* ++ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++ * secGear is licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. 
++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. ++ */ ++ ++enclave { ++ include "secgear_urts.h" ++ from "secgear_tstdc.edl" import *; ++ trusted { ++ public int get_string([out, size=32]char *buf); ++ }; ++}; +-- +2.27.0 + diff --git a/0026-example-add-Dockerfile-to-build-lrt-example-image.patch b/0026-example-add-Dockerfile-to-build-lrt-example-image.patch new file mode 100644 index 0000000..a2d9d96 --- /dev/null +++ b/0026-example-add-Dockerfile-to-build-lrt-example-image.patch 
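Review bot: The TrustZone caller whitelist in examples/lrt/enclave/CMakeLists.txt is copied from the helloworld example (`WHITE_LIST_0 /vendor/bin/helloworld`, `WHITE_LIST_1 /vendor/bin/secgear_helloworld`) while examples/lrt/host/CMakeLists.txt installs this example's host binary as `/vendor/bin/secgear_lrt`, so if that whitelist is what the TA uses to authorize its client application, the LRT host is not on it; it should read `set(WHITE_LIST_0 /vendor/bin/secgear_lrt)`. In enclave/lrt.c `BUF_MAX` is defined but never used and the copy is bounded by the source length (`strlen(TA_HELLO_WORLD) + 1`) rather than by the `[out, size=32]` buffer the EDL promises, which only stays in bounds because the literal happens to fit; bound it by the destination instead, `strncpy(buf, TA_HELLO_WORLD, BUF_MAX); buf[BUF_MAX - 1] = '\0';`, and ideally derive the three independent `32`s (EDL `size`, `BUF_MAX`, host `BUF_LEN`) from one shared constant. In host/main.c the fallback silently loads `enclave.signed.so` from the current working directory and the enclave is created with `SECGEAR_DEBUG_FLAG`; both are acceptable for a demo but deserve a comment saying so, since a debug enclave offers no confidentiality and a cwd lookup lets whoever controls the working directory choose the enclave file. The `POST_BUILD` step regenerates the signing key with `openssl genrsa -3` on every build, which is fine for an example, but the `#set sign key` comment should state that `Enclave_private.pem` is a throwaway build-time key and not a production signing key.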
@@ -0,0 +1,172 @@ +From 2f5b3b98d7c4705ef761e9898116b2206b7c6729 Mon Sep 17 00:00:00 2001 +From: Li Feng +Date: Tue, 13 Apr 2021 07:59:54 +0000 +Subject: [PATCH 09/14] example: add Dockerfile to build lrt example image + +Signed-off-by: Li Feng +--- + examples/lrt/Dockerfile | 33 +++++++++++++++++++ + examples/lrt/device_plugin.yaml | 57 +++++++++++++++++++++++++++++++++ + examples/lrt/enclave.yaml | 46 ++++++++++++++++++++++++++ + 3 files changed, 136 insertions(+) + create mode 100644 examples/lrt/Dockerfile + create mode 100644 examples/lrt/device_plugin.yaml + create mode 100644 examples/lrt/enclave.yaml + +diff --git a/examples/lrt/Dockerfile b/examples/lrt/Dockerfile +new file mode 100644 +index 0000000..dadf2b7 +--- /dev/null ++++ b/examples/lrt/Dockerfile +@@ -0,0 +1,33 @@ ++# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++# secGear is licensed under the Mulan PSL v2. ++# You can use this software according to the terms and conditions of the Mulan PSL v2. ++# You may obtain a copy of Mulan PSL v2 at: ++# http://license.coscl.org.cn/MulanPSL2 ++# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++# PURPOSE. ++# See the Mulan PSL v2 for more details. ++ ++# steps to build example image: ++# 1. build the secGear project at host ++# # cd secGear/ ++# # source environment ++# # source /opt/intel/sgxsdk/environment ++# # mkdir debug && cd debug ++# # cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=ON -DSGXSDK=/opt/intel/sgxsdk .. ++# # make ++# 2. 
build the example image ++# # cd ../examples/lrt/ ++# # docker build -t secgear_hello -f ./Dockerfile ../../ ++ ++ ++FROM hub.oepkgs.net/lifeng2221dd1/sgx_base_hw:latest ++ ++COPY debug/lib/sgx/libsgx_0.so /lib64/ ++COPY debug/lib/libsecgear.so /usr/lib/ ++COPY debug/examples/lrt/host/secgear_lrt /home/ ++COPY debug/examples/lrt/enclave/enclave.signed.so /home/ ++ ++WORKDIR /home ++ ++ENTRYPOINT ["/home/secgear_lrt"] +diff --git a/examples/lrt/device_plugin.yaml b/examples/lrt/device_plugin.yaml +new file mode 100644 +index 0000000..9a470da +--- /dev/null ++++ b/examples/lrt/device_plugin.yaml +@@ -0,0 +1,57 @@ ++# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++# secGear is licensed under the Mulan PSL v2. ++# You can use this software according to the terms and conditions of the Mulan PSL v2. ++# You may obtain a copy of Mulan PSL v2 at: ++# http://license.coscl.org.cn/MulanPSL2 ++# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++# PURPOSE. ++# See the Mulan PSL v2 for more details. 
++# steps to deploy device plugin: ++# # cd secGear/ ++# # cd ./examples/lrt/ ++# # kubectl apply -f ./device_plugin.yaml ++ ++apiVersion: apps/v1 ++kind: DaemonSet ++metadata: ++ name: sgx-device-plugin-ds ++ namespace: kube-system ++spec: ++ selector: ++ matchLabels: ++ k8s-app: sgx-device-plugin ++ template: ++ metadata: ++ annotations: ++ scheduler.alpha.kubernetes.io/critical-pod: "" ++ labels: ++ k8s-app: sgx-device-plugin ++ spec: ++ containers: ++ - image: hub.oepkgs.net/lifeng2221dd1/hw-ali-device-plugin:devel ++ imagePullPolicy: IfNotPresent ++ name: sgx-device-plugin ++ securityContext: ++ allowPrivilegeEscalation: false ++ capabilities: ++ drop: ++ - ALL ++ volumeMounts: ++ - mountPath: /var/lib/kubelet/device-plugins ++ name: device-plugin ++ - mountPath: /dev ++ name: dev ++ tolerations: ++ - effect: NoSchedule ++ key: alibabacloud.com/sgx_epc_MiB ++ operator: Exists ++ volumes: ++ - hostPath: ++ path: /var/lib/kubelet/device-plugins ++ type: DirectoryOrCreate ++ name: device-plugin ++ - hostPath: ++ path: /dev ++ type: Directory ++ name: dev +diff --git a/examples/lrt/enclave.yaml b/examples/lrt/enclave.yaml +new file mode 100644 +index 0000000..8efdada +--- /dev/null ++++ b/examples/lrt/enclave.yaml +@@ -0,0 +1,46 @@ ++# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++# secGear is licensed under the Mulan PSL v2. ++# You can use this software according to the terms and conditions of the Mulan PSL v2. ++# You may obtain a copy of Mulan PSL v2 at: ++# http://license.coscl.org.cn/MulanPSL2 ++# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++# PURPOSE. ++# See the Mulan PSL v2 for more details. 
++# steps to deploy device plugin: ++# # cd secGear/ ++# # cd ./examples/lrt/ ++# # kubectl apply -f ./enclave.yaml ++apiVersion: apps/v1 ++kind: Deployment ++metadata: ++ name: helloworld ++ namespace: default ++spec: ++ replicas: 2 ++ selector: ++ matchLabels: ++ app: helloworld ++ template: ++ metadata: ++ labels: ++ app: helloworld ++ spec: ++ containers: ++ - name: hell_lifeng ++ image: secgear_hello ++ imagePullPolicy: IfNotPresent ++ name: helloworld ++ resources: ++ limits: ++ cpu: 250m ++ memory: 512Mi ++ alibabacloud.com/sgx_epc_MiB: 2 ++ volumeMounts: ++ - mountPath: /var/run/aesmd/aesm.socket ++ name: aesmsocket ++ volumes: ++ - hostPath: ++ path: /var/run/aesmd/aesm.socket ++ type: Socket ++ name: aesmsocket +-- +2.27.0 + diff --git a/0027-Change-to-use-the-milestone-picture-with-English.patch b/0027-Change-to-use-the-milestone-picture-with-English.patch new file mode 100644 index 0000000..323a4ee --- /dev/null +++ b/0027-Change-to-use-the-milestone-picture-with-English.patch @@ -0,0 +1,29 @@ +From 4fe112079e599cf779dacde08181f22ad62ede51 Mon Sep 17 00:00:00 2001 +From: blue +Date: Thu, 29 Apr 2021 20:53:21 +0800 +Subject: [PATCH 10/14] Change to use the milestone picture with English + +--- + README.en.md | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/README.en.md b/README.en.md +index 4df13b0..aa8c4a8 100644 +--- a/README.en.md ++++ b/README.en.md +@@ -1,4 +1,4 @@ +-secGear ++secGear + + secGear + ============================ +@@ -502,5 +502,5 @@ secGear introduce the signing tool to sign the enclave. + + Milestone + --------- +-secGear ++secGear + +-- +2.27.0 + diff --git a/0028-example-use-the-sgx-device-plugin-from-intel.patch b/0028-example-use-the-sgx-device-plugin-from-intel.patch new file mode 100644 index 0000000..160f440 --- /dev/null +++ b/0028-example-use-the-sgx-device-plugin-from-intel.patch 
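Review bot: The container spec in examples/lrt/enclave.yaml carries two `name:` keys in the same mapping (`name: hell_lifeng` and `name: helloworld`); duplicate keys are either rejected by kubectl's strict decoding or silently collapsed to one value depending on the client version, so drop `- name: hell_lifeng` and keep `name: helloworld`. The device-plugin DaemonSet mounts the whole host `/dev` into the plugin container; presumably only the SGX device nodes are needed, so a narrower hostPath would limit what a compromised plugin can reach — confirm against the plugin's requirements. Both the Dockerfile base image and the plugin image are pulled from a personal namespace by mutable tag (`:latest`, `:devel`) with no digest, and the Dockerfile sets no `USER`, so the example runs as root inside the container; pinning by `@sha256:` digest and adding a non-root `USER` would make the example safer to copy. The image reference `secgear_hello` in enclave.yaml has no registry or tag, which only works with a locally loaded image; a comment saying so would save a reader a failed pull.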
@@ -0,0 +1,73 @@ +From 3af4a40bef20df36ece7f7f87c44eccf8a8b3a60 Mon Sep 17 00:00:00 2001 +From: Li Feng +Date: Mon, 17 May 2021 10:21:32 +0800 +Subject: [PATCH 11/14] example: use the sgx device plugin from intel + +deployment: +1. kubectl apply -f ./examples/lrt/device_plugin.yaml +2. kubectl apply -f ./examples/lrt/enclave.yaml +3. kubectl get pods -A + +NAMESPACE NAME READY STATUS RESTARTS AGE +default helloworld-d75bf5f9f-wgdf7 1/1 Running 0 36m +default helloworld-d75bf5f9f-xthkk 1/1 Running 0 36m +kube-system calico-kube-controllers-6d7b4db76c-7t8lv 1/1 Running 1 42h +kube-system calico-node-kcxd7 1/1 Running 1 42h +kube-system coredns-6d56c8448f-ctf7m 1/1 Running 1 42h +kube-system coredns-6d56c8448f-k7z5c 1/1 Running 1 42h +kube-system etcd-lifeng 1/1 Running 2 2d +kube-system kube-apiserver-lifeng 1/1 Running 4 2d +kube-system kube-controller-manager-lifeng 1/1 Running 2 2d +kube-system kube-proxy-xvvz5 1/1 Running 2 2d +kube-system kube-scheduler-lifeng 1/1 Running 2 2d +kube-system sgx-device-plugin-ds-4sbhk 1/1 Running 0 4m + +Signed-off-by: Li Feng +--- + CMakeLists.txt | 2 +- + examples/lrt/device_plugin.yaml | 2 +- + examples/lrt/enclave.yaml | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 1d036ea..3886316 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -58,7 +58,7 @@ if(CC_SGX) + add_subdirectory(${LOCAL_ROOT_PATH}/examples/helloworld) + add_subdirectory(${LOCAL_ROOT_PATH}/examples/seal_data) + # add_subdirectory(${LOCAL_ROOT_PATH}/examples/tls_enclave) +-# add_subdirectory(${LOCAL_ROOT_PATH}/examples/lrt) ++ add_subdirectory(${LOCAL_ROOT_PATH}/examples/lrt) + endif() + + install(FILES ${LOCAL_ROOT_PATH}/conf/logrotate.d/secgear +diff --git a/examples/lrt/device_plugin.yaml b/examples/lrt/device_plugin.yaml +index 9a470da..ce8724d 100644 +--- a/examples/lrt/device_plugin.yaml ++++ b/examples/lrt/device_plugin.yaml +@@ -29,7 +29,7 @@ spec: + k8s-app: sgx-device-plugin + spec: + 
containers: +- - image: hub.oepkgs.net/lifeng2221dd1/hw-ali-device-plugin:devel ++ - image: hub.oepkgs.net/lifeng2221dd1/intel-sgx-device-plugin-hw:isgx + imagePullPolicy: IfNotPresent + name: sgx-device-plugin + securityContext: +diff --git a/examples/lrt/enclave.yaml b/examples/lrt/enclave.yaml +index 8efdada..b1bc19b 100644 +--- a/examples/lrt/enclave.yaml ++++ b/examples/lrt/enclave.yaml +@@ -35,7 +35,7 @@ spec: + limits: + cpu: 250m + memory: 512Mi +- alibabacloud.com/sgx_epc_MiB: 2 ++ sgx.intel.com/huawei_sgx_epc_MiB: 2 + volumeMounts: + - mountPath: /var/run/aesmd/aesm.socket + name: aesmsocket +-- +2.27.0 + diff --git a/0029-some-adaptations-for-trustzone.patch b/0029-some-adaptations-for-trustzone.patch new file mode 100644 index 0000000..90b5113 --- /dev/null +++ b/0029-some-adaptations-for-trustzone.patch 
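Review bot: The replacement device-plugin image `hub.oepkgs.net/lifeng2221dd1/intel-sgx-device-plugin-hw:isgx` is a mutable tag in a personal namespace, and this DaemonSet runs on every node with the host `/dev` mounted, so an upstream retag silently changes code on the whole cluster; pin it by `@sha256:` digest or reference the upstream Intel release image. The resource name `sgx.intel.com/huawei_sgx_epc_MiB` does not look like the resource the stock Intel plugin advertises, so if this is a custom build of the plugin the commit message or a comment above the limit should say so, e.g. `# resource name advertised by the intel-sgx-device-plugin-hw:isgx build`.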
@@ -0,0 +1,2159 @@ +From 45cf3b4bb86d5dc9d149f5e6056e9b2cb27eff63 Mon Sep 17 00:00:00 2001 +From: zgzxx +Date: Tue, 18 May 2021 14:27:31 +0800 +Subject: [PATCH 12/14] some adaptations for trustzone + +--- + CMakeLists.txt | 11 +- + README.en.md | 2 +- + README.md | 2 +- + docs/sign_tool.md | 19 +- + examples/CMakeLists.txt | 28 ++ + examples/helloworld/CMakeLists.txt | 3 +- + examples/helloworld/enclave/CMakeLists.txt | 16 +- + examples/helloworld/enclave/config_cloud.ini | 49 ++ + examples/helloworld/enclave/manifest.txt | 7 + + examples/helloworld/enclave/manifest.txt.in | 8 - + examples/helloworld/host/CMakeLists.txt | 7 +- + examples/helloworld/host/main.c | 1 + + examples/seal_data/CMakeLists.txt | 4 +- + examples/seal_data/enclave/CMakeLists.txt | 19 +- + examples/seal_data/enclave/config_cloud.ini | 49 ++ + examples/seal_data/enclave/manifest.txt | 7 + + examples/seal_data/enclave/manifest.txt.in | 8 - + examples/seal_data/host/CMakeLists.txt | 1 + + .../gp/itrustee/itrustee_seal_data.c | 3 +- + src/host_src/gp/CMakeLists.txt | 4 +- + src/host_src/gp/gp_enclave.c | 4 +- + .../{ => cloud}/rsa_public_key_cloud.pem | 0 + tools/sign_tool/generate_signature.py | 56 +++ + tools/sign_tool/manifest.py | 170 ++++--- + tools/sign_tool/sign_tool.py | 471 ------------------ + tools/sign_tool/sign_tool.sh | 141 ++---- + tools/sign_tool/signtool_v3.py | 428 ++++++++++++++++ + 27 files changed, 802 insertions(+), 716 deletions(-) + create mode 100644 examples/CMakeLists.txt + create mode 100644 examples/helloworld/enclave/config_cloud.ini + create mode 100644 examples/helloworld/enclave/manifest.txt + delete mode 100644 examples/helloworld/enclave/manifest.txt.in + create mode 100644 examples/seal_data/enclave/config_cloud.ini + create mode 100644 examples/seal_data/enclave/manifest.txt + delete mode 100644 examples/seal_data/enclave/manifest.txt.in + rename tools/sign_tool/{ => cloud}/rsa_public_key_cloud.pem (100%) + create mode 100644 
tools/sign_tool/generate_signature.py + delete mode 100644 tools/sign_tool/sign_tool.py + create mode 100644 tools/sign_tool/signtool_v3.py + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 3886316..b373328 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -49,17 +49,8 @@ add_subdirectory(src) + + execute_process(COMMAND mkdir ${LOCAL_ROOT_PATH}/bin) + +-if(CC_GP) +- add_subdirectory(${LOCAL_ROOT_PATH}/examples/seal_data) +- add_subdirectory(${LOCAL_ROOT_PATH}/examples/helloworld) +-endif() ++add_subdirectory(examples) + +-if(CC_SGX) +- add_subdirectory(${LOCAL_ROOT_PATH}/examples/helloworld) +- add_subdirectory(${LOCAL_ROOT_PATH}/examples/seal_data) +-# add_subdirectory(${LOCAL_ROOT_PATH}/examples/tls_enclave) +- add_subdirectory(${LOCAL_ROOT_PATH}/examples/lrt) +-endif() + + install(FILES ${LOCAL_ROOT_PATH}/conf/logrotate.d/secgear + DESTINATION /etc/logrotate.d/) +diff --git a/README.en.md b/README.en.md +index aa8c4a8..8aaa1b0 100644 +--- a/README.en.md ++++ b/README.en.md +@@ -335,7 +335,7 @@ so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options was in + + add_custom_command(TARGET ${PREFIX} + POST_BUILD +- COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt ++ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt -m ${CMAKE_CURRENT_SOURCE_DIR}/config_cloud.ini + -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT}) + + install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT} +diff --git a/README.md b/README.md +index a90450b..b95dcc9 100644 +--- a/README.md ++++ b/README.md +@@ -315,7 +315,7 @@ AUTO_FILES:由edl文件生成的安全侧二进制文件 + + add_custom_command(TARGET ${PREFIX} + POST_BUILD +- COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt ++ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt -m 
${CMAKE_CURRENT_SOURCE_DIR}/config_cloud.ini + -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT}) + + install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT} +diff --git a/docs/sign_tool.md b/docs/sign_tool.md +index ccaa2e6..399e4c5 100644 +--- a/docs/sign_tool.md ++++ b/docs/sign_tool.md +@@ -13,38 +13,37 @@ The tool supports the following two modes: + + For example: + +- `$ ./sign_tool.sh –d sign –x trustzone –i test.enclave -c manifest.txt –o signed.enclave ` ++ `$ ./sign_tool.sh –d sign –x trustzone –i test.enclave -c manifest.txt -m config_cloud.ini –o signed.enclave ` + + + - two-step method, it is used when the signature needs to be obtained from the signing organization or the private key is stored on another secure platform. + + For example: + (1) generate the digest value. +- `$ ./sign_tool.sh –d digest –x trustzone –i input -c manifest.txt –o digest.data ` ++ `$ ./sign_tool.sh –d digest –x trustzone –i input -c manifest.txt -m config_cloud.ini –o digest.data ` + + For trustzone, temporary files KeyInfo.enc, rawData.enc, and rawDataHash.bin are generated in the current directory. And for sgx, a temporary file signdata is generated in the current directory. The temporary file is required when generating the signed enclave in step 3 and is deleted after the signed enclave is generated. + + (2) send the digest.data to the signing organization or platform and get the signature. + + (3) use the signature to generate the signed enclave. +- `$ ./sign_tool.sh –d sign –x trustzone –i input -c manifest.txt –p pub.pem –s signature –o signed.enclave ` ++ `$ ./sign_tool.sh –d sign –x trustzone –i input -c manifest.txt -m config_cloud.ini –s signature –o signed.enclave ` + + ## sign_tool.sh parameter + + ``` +- -a API_LEVEL, indicates trustzone GP API version, defalut is 1. + -c basic config file. + -d sign tool command, sign/digest. + The sign command is used to generate a signed enclave. + The digest command is used to generate a digest value. 
+- -f OTRP_FLAG, indicates whether the OTRP standard protocol is supported, default is 0. + -i enclave to be signed. +- -k private key required for single-step method, required when trustzone TA_TYPE is 2 or sgx. +- -m additional config for trustzone when TA_TYPE is 2. +- -o output parameters, the sign command outputs sigend enclave, the digest command outputs digest value. ++ -k private key required for single-step method ++ -m additional config_cloud.ini for trustzone. ++ -o output parameters, the sign command outputs sigend enclave, the digest command outputs ++ digest value. + -p signing server public key certificate, required for two-step method. +- -s the signed digest value required for two-step method, this parameter is empty to indicate single-step method. +- -t trustzone TA_TYPE, default is 1. ++ -s the signed digest value required for two-step method, this parameter is empty to indicate ++ single-step method. + -x enclave type, sgx or trustzone. + -h printf help message. + ``` +diff --git a/examples/CMakeLists.txt b/examples/CMakeLists.txt +new file mode 100644 +index 0000000..cfd0171 +--- /dev/null ++++ b/examples/CMakeLists.txt +@@ -0,0 +1,28 @@ ++add_custom_target(copy ALL ++ COMMAND mkdir -p ${CMAKE_BINARY_DIR}/inc/secGear ++ COMMAND cp ${LOCAL_ROOT_PATH}/inc/host_inc/*.h ${CMAKE_BINARY_DIR}/inc/secGear/ ++ COMMAND cp ${LOCAL_ROOT_PATH}/inc/enclave_inc/*.h ${CMAKE_BINARY_DIR}/inc/secGear/) ++ ++if(CC_GP) ++ add_custom_command(TARGET copy ++ POST_BUILD ++ COMMAND cp ${LOCAL_ROOT_PATH}/inc/host_inc/gp/*.edl ${CMAKE_BINARY_DIR}/inc/secGear/ ++ COMMAND cp ${LOCAL_ROOT_PATH}/inc/host_inc/gp/*.h ${CMAKE_BINARY_DIR}/inc/secGear/ ++ COMMAND cp ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp/*.h ${CMAKE_BINARY_DIR}/inc/secGear/ ++ COMMAND cp ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp/itrustee/*.h ${CMAKE_BINARY_DIR}/inc/secGear/) ++ add_subdirectory(seal_data) ++ add_subdirectory(helloworld) ++endif() ++ ++if(CC_SGX) ++ add_custom_command(TARGET copy ++ POST_BUILD ++ 
COMMAND cp ${LOCAL_ROOT_PATH}/inc/host_inc/sgx/*.h ${CMAKE_BINARY_DIR}/inc/secGear/ ++ COMMAND cp ${LOCAL_ROOT_PATH}/inc/host_inc/sgx/*.edl ${CMAKE_BINARY_DIR}/inc/secGear/ ++ COMMAND cp ${LOCAL_ROOT_PATH}/inc/enclave_inc/sgx/*.h ${CMAKE_BINARY_DIR}/inc/secGear/) ++ add_subdirectory(seal_data) ++ add_subdirectory(helloworld) ++ #add_subdirectory(tls_enclave) ++ #add_subdirectory(lrt) ++endif() ++ +diff --git a/examples/helloworld/CMakeLists.txt b/examples/helloworld/CMakeLists.txt +index 5da2a6b..843a573 100644 +--- a/examples/helloworld/CMakeLists.txt ++++ b/examples/helloworld/CMakeLists.txt +@@ -20,8 +20,7 @@ set(CODEGEN codegen) + + if(CC_GP) + set(CODETYPE trustzone) +- execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID) +- string(REPLACE "\n" "" UUID ${UUID}) ++ set(UUID f68fd704-6eb1-4d14-b218-722850eb3ef0) + add_definitions(-DPATH="/data/${UUID}.sec") + endif() + +diff --git a/examples/helloworld/enclave/CMakeLists.txt b/examples/helloworld/enclave/CMakeLists.txt +index 0aefdae..f7967ef 100644 +--- a/examples/helloworld/enclave/CMakeLists.txt ++++ b/examples/helloworld/enclave/CMakeLists.txt +@@ -55,7 +55,6 @@ set(COMMON_C_FLAGS "-W -Wall -Werror -fno-short-enums -fno-omit-frame-pointer + set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs -nostartfiles") + + if(CC_GP) +- configure_file("${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt.in" "${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt") + + set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -march=armv8-a ") + set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s -fPIC") +@@ -72,6 +71,7 @@ if(CC_GP) + + target_include_directories( ${PREFIX} PRIVATE + ${CMAKE_CURRENT_BINARY_DIR} ++ ${LOCAL_ROOT_PATH}/debug/inc + ${LOCAL_ROOT_PATH}/inc/host_inc + ${LOCAL_ROOT_PATH}/inc/host_inc/gp + ${LOCAL_ROOT_PATH}/inc/enclave_inc +@@ -97,14 +97,14 @@ if(CC_GP) + + target_link_libraries(${PREFIX} -lsecgear_tee) + +- add_custom_command(TARGET ${PREFIX} +- POST_BUILD +- COMMAND bash ${SIGN_TOOL} -d sign -x 
trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt +- -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}) ++ #for trustzone compiling, you should connact us to get config and private_key.pem for test, so we will not sign and install binary in this example # ++ # add_custom_command(TARGET ${PREFIX} ++ # POST_BUILD ++ # COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt -m ${CMAKE_CURRENT_SOURCE_DIR}/config_cloud.ini -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}) + +- install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT} +- DESTINATION /data +- PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) ++ # install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT} ++ # DESTINATION /data ++ # PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) + + endif() + +diff --git a/examples/helloworld/enclave/config_cloud.ini b/examples/helloworld/enclave/config_cloud.ini +new file mode 100644 +index 0000000..552f59c +--- /dev/null ++++ b/examples/helloworld/enclave/config_cloud.ini +@@ -0,0 +1,49 @@ ++[config] ++;0 means debug ++;1 means release ++;[fixed value] ++releaseType = 1 ++;;; ++;0 means TA not installed by OTRP ++;1 means TA installed by OTRP ++otrpFlag = 0 ++;;; ++;server address for signing TA ++serverIp= ++;;; ++;public key for encrypt TA ++;[fixed value] ++encryptKey = cloud/rsa_public_key_cloud.pem ++;;; ++;public key length ++;[fixed value] ++encryptKeyLen = 3072 ++;;; ++;0 means not sign ++;1 means signed by local private ++;2 means signed using native sign tool; ++;3 means signed by CI ++;[fixed value] ++signType = 1 ++;;; ++;private key for signing TA ++;[private key owned by yourself] ++signKey = ../../examples/helloworld/enclave/cert/private_key.pem ++;;; ++;private key length for signing TA ++;[key length should be 4096 
for security enhance] ++signKeyLen = 4096 ++;;; ++;0 means SHA256 hash type ++;1 means SHA512 hash type ++;[set value to 0 by default] ++hashType = 0 ++;;; ++;0 means padding type is pkcs1v15 ++;1 means padding type is PSS ++;[set value to 0 by default] ++paddingType = 0 ++;;; ++;config file ++;[signed config file by Huawei] ++configPath= ../../examples/helloworld/enclave/signed_config/config +diff --git a/examples/helloworld/enclave/manifest.txt b/examples/helloworld/enclave/manifest.txt +new file mode 100644 +index 0000000..d78354e +--- /dev/null ++++ b/examples/helloworld/enclave/manifest.txt +@@ -0,0 +1,7 @@ ++gpd.ta.appID: f68fd704-6eb1-4d14-b218-722850eb3ef0 ++gpd.ta.service_name: rsa-demo ++gpd.ta.singleInstance: true ++gpd.ta.multiSession: false ++gpd.ta.instanceKeepAlive: false ++gpd.ta.dataSize: 819200 ++gpd.ta.stackSize: 40960 +diff --git a/examples/helloworld/enclave/manifest.txt.in b/examples/helloworld/enclave/manifest.txt.in +deleted file mode 100644 +index 7b8ecf5..0000000 +--- a/examples/helloworld/enclave/manifest.txt.in ++++ /dev/null +@@ -1,8 +0,0 @@ +-gpd.ta.appID: @UUID@ +-gpd.ta.service_name: test0108 +-gpd.ta.singleInstance: true +-gpd.ta.multiSession: false +-gpd.ta.multiCommand: false +-gpd.ta.instanceKeepAlive: false +-gpd.ta.dataSize: 16384 +-gpd.ta.stackSize: 20480 +diff --git a/examples/helloworld/host/CMakeLists.txt b/examples/helloworld/host/CMakeLists.txt +index 1c96ffd..60173a9 100644 +--- a/examples/helloworld/host/CMakeLists.txt ++++ b/examples/helloworld/host/CMakeLists.txt +@@ -38,9 +38,10 @@ if(CC_GP) + link_directories(${CMAKE_LIBRARY_OUTPUT_DIRECTORY}) + endif() + add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES}) +- target_include_directories(${OUTPUT} PRIVATE +- ${LOCAL_ROOT_PATH}/inc/host_inc +- ${LOCAL_ROOT_PATH}/inc/host_inc/gp ++ target_include_directories(${OUTPUT} PRIVATE ++ ${LOCAL_ROOT_PATH}/debug/inc ++ ${LOCAL_ROOT_PATH}/inc/host_inc ++ ${LOCAL_ROOT_PATH}/inc/host_inc/gp + ${CMAKE_CURRENT_BINARY_DIR}) + 
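Review bot: `signKey = ../../examples/helloworld/enclave/cert/private_key.pem` points the TA signing private key into the example source tree, which invites the key being committed next to the code, and the `../../` form together with `encryptKey = cloud/rsa_public_key_cloud.pem` (matching the rename to tools/sign_tool/cloud/) suggests both paths are resolved from the sign tool's working directory rather than from the ini file, so they break when the tool is run from anywhere else. I would keep the key outside the repository (or at least ignore `examples/*/enclave/cert/` in .gitignore) and state the assumption in the file, e.g. `;private key for signing TA — keep out of version control; path is resolved from the sign_tool working directory, not this file`. The same layout appears in the seal_data config_cloud.ini.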
if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0") + target_link_directories(${OUTPUT} PRIVATE ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}) +diff --git a/examples/helloworld/host/main.c b/examples/helloworld/host/main.c +index 51993ce..7213a5e 100644 +--- a/examples/helloworld/host/main.c ++++ b/examples/helloworld/host/main.c +@@ -15,6 +15,7 @@ + #include + #include "enclave.h" + #include "helloworld_u.h" ++#include "string.h" + + #define BUF_LEN 32 + +diff --git a/examples/seal_data/CMakeLists.txt b/examples/seal_data/CMakeLists.txt +index 3577301..dce8b81 100644 +--- a/examples/seal_data/CMakeLists.txt ++++ b/examples/seal_data/CMakeLists.txt +@@ -21,9 +21,7 @@ set(CODEGEN codegen) + + if(CC_GP) + set(CODETYPE trustzone) +- execute_process(COMMAND uuidgen -r +- OUTPUT_VARIABLE UUID) +- string(REPLACE "\n" "" UUID ${UUID}) ++ set(UUID 9cb38838-2766-42be-8b7b-0d184a996066) + add_definitions(-DPATH="/data/${UUID}.sec") + endif() + +diff --git a/examples/seal_data/enclave/CMakeLists.txt b/examples/seal_data/enclave/CMakeLists.txt +index 0ddcbd5..b24e498 100644 +--- a/examples/seal_data/enclave/CMakeLists.txt ++++ b/examples/seal_data/enclave/CMakeLists.txt +@@ -52,7 +52,6 @@ set(COMMON_C_FLAGS "-W -Wall -Werror -fno-short-enums -fno-omit-frame-pointer + set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs -nostartfiles") + + if(CC_GP) +- configure_file("${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt.in" "${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt") + set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -march=armv8-a ") + set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s") + set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-s -fPIC") +@@ -67,6 +66,7 @@ if(CC_GP) + + target_include_directories( ${PREFIX} PRIVATE + ${CMAKE_CURRENT_BINARY_DIR} ++ ${LOCAL_ROOT_PATH}/debug/inc + ${LOCAL_ROOT_PATH}/inc/host_inc + ${LOCAL_ROOT_PATH}/inc/host_inc/gp + ${LOCAL_ROOT_PATH}/inc/enclave_inc +@@ -91,15 +91,14 @@ if(CC_GP) + endforeach(WHITE_LIST) + + 
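Review bot: `#include "string.h"` uses the quoted form for a C standard header, which makes the preprocessor search the example's own include directories before the system path; the conventional form is `#include <string.h>`, grouped with the system include at the top of the file rather than after `helloworld_u.h`. Ordering it with the project headers also hides why it was needed, so a short comment naming the helper it provides would help the next reader.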
target_link_libraries(${PREFIX} -lsecgear_tee) +- +- add_custom_command(TARGET ${PREFIX} +- POST_BUILD +- COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -a 2 -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt +- -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}) +- +- install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT} +- DESTINATION /data +- PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) ++ # for trustzone compiling, you should connact us to get config and private_key.pem for test, so we will not sign and install binary in this example # ++ # add_custom_command(TARGET ${PREFIX} ++ # POST_BUILD ++ # COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt -m ${CMAKE_CURRENT_SOURCE_DIR}/config_cloud.ini -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}) ++ ++ # install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT} ++ # DESTINATION /data ++ # PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) + + endif() + +diff --git a/examples/seal_data/enclave/config_cloud.ini b/examples/seal_data/enclave/config_cloud.ini +new file mode 100644 +index 0000000..f0c0e39 +--- /dev/null ++++ b/examples/seal_data/enclave/config_cloud.ini +@@ -0,0 +1,49 @@ ++[config] ++;0 means debug ++;1 means release ++;[fixed value] ++releaseType = 1 ++;;; ++;0 means TA not installed by OTRP ++;1 means TA installed by OTRP ++otrpFlag = 0 ++;;; ++;server address for signing TA ++serverIp= ++;;; ++;public key for encrypt TA ++;[fixed value] ++encryptKey = cloud/rsa_public_key_cloud.pem ++;;; ++;public key length ++;[fixed value] ++encryptKeyLen = 3072 ++;;; ++;0 means not sign ++;1 means signed by local private ++;2 means signed using native sign tool; ++;3 means signed by CI ++;[fixed value] ++signType = 1 ++;;; ++;private key for signing TA ++;[private key owned by 
yourself] ++signKey = ../../examples/seal_data/enclave/cert/private_key.pem ++;;; ++;private key length for signing TA ++;[key length should be 4096 for security enhance] ++signKeyLen = 4096 ++;;; ++;0 means SHA256 hash type ++;1 means SHA512 hash type ++;[set value to 0 by default] ++hashType = 0 ++;;; ++;0 means padding type is pkcs1v15 ++;1 means padding type is PSS ++;[set value to 0 by default] ++paddingType = 0 ++;;; ++;config file ++;[signed config file by Huawei] ++configPath= ../../examples/seal_data/enclave/signed_config/config +diff --git a/examples/seal_data/enclave/manifest.txt b/examples/seal_data/enclave/manifest.txt +new file mode 100644 +index 0000000..e845fd7 +--- /dev/null ++++ b/examples/seal_data/enclave/manifest.txt +@@ -0,0 +1,7 @@ ++gpd.ta.appID: 9cb38838-2766-42be-8b7b-0d184a996066 ++gpd.ta.service_name: secstorage-demo ++gpd.ta.singleInstance: true ++gpd.ta.multiSession: false ++gpd.ta.instanceKeepAlive: False ++gpd.ta.dataSize: 819200 ++gpd.ta.stackSize: 40960 +diff --git a/examples/seal_data/enclave/manifest.txt.in b/examples/seal_data/enclave/manifest.txt.in +deleted file mode 100644 +index 749815a..0000000 +--- a/examples/seal_data/enclave/manifest.txt.in ++++ /dev/null +@@ -1,8 +0,0 @@ +-gpd.ta.appID: @UUID@ +-gpd.ta.service_name: seal_data +-gpd.ta.singleInstance: true +-gpd.ta.multiSession: false +-gpd.ta.multiCommand: false +-gpd.ta.instanceKeepAlive: false +-gpd.ta.dataSize: 4038400 +-gpd.ta.stackSize: 6048000 +diff --git a/examples/seal_data/host/CMakeLists.txt b/examples/seal_data/host/CMakeLists.txt +index 75b33f7..691cd07 100644 +--- a/examples/seal_data/host/CMakeLists.txt ++++ b/examples/seal_data/host/CMakeLists.txt +@@ -40,6 +40,7 @@ if(CC_GP) + endif() + add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES}) + target_include_directories(${OUTPUT} PRIVATE ++ ${LOCAL_ROOT_PATH}/debug/inc + ${LOCAL_ROOT_PATH}/inc/host_inc + ${LOCAL_ROOT_PATH}/inc/host_inc/gp + ${CMAKE_CURRENT_BINARY_DIR}) +diff --git 
a/src/enclave_src/gp/itrustee/itrustee_seal_data.c b/src/enclave_src/gp/itrustee/itrustee_seal_data.c +index 5b1676a..cf13bd9 100644 +--- a/src/enclave_src/gp/itrustee/itrustee_seal_data.c ++++ b/src/enclave_src/gp/itrustee/itrustee_seal_data.c +@@ -221,12 +221,11 @@ TEE_Result itrustee_unseal_data(void *sealed_data, uint8_t *decrypted_data, uint + SLogError("malloc key_buf failed\n"); + return TEE_ERROR_OUT_OF_MEMORY; + } +- result = TEE_EXT_DeriveTARootKey(salt, strlen(salt), key_buf, key_len); ++ result = TEE_EXT_DeriveTARootKey(salt, SEAL_KEY_SALT_LEN, key_buf, key_len); + if (result != TEE_SUCCESS) { + SLogError("DeriveTARootKey failed"); + goto done; + } +- + *decrypted_data_len = tmp_sealed_data->encrypted_data_len; + *mac_data_len = tmp_sealed_data->aad_len; + result = aes_seal_unseal_data(key_buf, key_len, (uint8_t *)&(tmp_sealed_data->nonce), SEAL_DATA_NONCE_LEN, +diff --git a/src/host_src/gp/CMakeLists.txt b/src/host_src/gp/CMakeLists.txt +index 37635ec..ca6d87f 100644 +--- a/src/host_src/gp/CMakeLists.txt ++++ b/src/host_src/gp/CMakeLists.txt +@@ -11,8 +11,6 @@ + set(gp_engine gp_0) + + # to do itrustee sdk Open Source +-set(itrustee_lib ) +- + set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib/gp) + + if(${CMAKE_VERSION} VERSION_LESS "3.13.0") +@@ -33,7 +31,7 @@ endif() + + set_target_properties(${gp_engine} PROPERTIES SKIP_BUILD_RPATH TRUE) + #link iTrustee teec lib +-target_link_libraries(${gp_engine} ${itrustee_lib} secgear pthread) ++target_link_libraries(${gp_engine} secgear pthread teec_adaptor) + + install(TARGETS ${gp_engine} + LIBRARY +diff --git a/src/host_src/gp/gp_enclave.c b/src/host_src/gp/gp_enclave.c +index b185958..86ea941 100644 +--- a/src/host_src/gp/gp_enclave.c ++++ b/src/host_src/gp/gp_enclave.c +@@ -25,7 +25,7 @@ + + #define OCALL_AGENT_REGISTER_SUCCESS 0 + #define OCALL_AGENT_REGISTER_FAIL 1 +- ++#define SECGEAR_OCALL 0 + #define MAX_LEN 4096 + + static pthread_cond_t g_cond = PTHREAD_COND_INITIALIZER; +@@ -535,7 +535,7 
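Review bot: Passing `SEAL_KEY_SALT_LEN` instead of `strlen(salt)` to `TEE_EXT_DeriveTARootKey` changes the derived key whenever the salt is not a NUL-terminated string of exactly that length, so it only helps if the sealing path derives with the same length; the hunk shows only `itrustee_unseal_data`, so please confirm the seal side uses `SEAL_KEY_SALT_LEN` as well, otherwise previously sealed data will fail to unseal. A one-line comment would stop someone reverting it, e.g. `/* salt is a fixed-size byte array, not a C string: pass its declared length */`. The body of itrustee_unseal_data starts and ends outside the hunk.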
@@ cc_enclave_result_t cc_enclave_call_function( + /* for ocall thread */ + ires = pthread_mutex_lock(&g_mtx_flag); + SECGEAR_CHECK_MUTEX_RES(ires); +- if (!(g_list_ops.pthread_flag)) { ++ if (g_list_ops.pthread_flag || SECGEAR_OCALL) { + param.agent_id = *(uint32_t *)ms; + param.num = ((ocall_enclave_table_t *)ocall_table)->num; + param.ocalls = ((ocall_enclave_table_t *)ocall_table)->ocalls; +diff --git a/tools/sign_tool/rsa_public_key_cloud.pem b/tools/sign_tool/cloud/rsa_public_key_cloud.pem +similarity index 100% +rename from tools/sign_tool/rsa_public_key_cloud.pem +rename to tools/sign_tool/cloud/rsa_public_key_cloud.pem +diff --git a/tools/sign_tool/generate_signature.py b/tools/sign_tool/generate_signature.py +new file mode 100644 +index 0000000..b3264ba +--- /dev/null ++++ b/tools/sign_tool/generate_signature.py +@@ -0,0 +1,56 @@ ++#!/usr/bin/env python ++# coding:utf-8 ++#---------------------------------------------------------------------------- ++# Copyright (c) Huawei Technologies Co., Ltd. 2020-2020. All rights reserved. ++# iTrustee licensed under the Mulan PSL v2. ++# You can use this software according to the terms and conditions of the Mulan ++# PSL v2. ++# You may obtain a copy of Mulan PSL v2 at: ++# http://license.coscl.org.cn/MulanPSL2 ++# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY ++# KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ++# NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. ++# See the Mulan PSL v2 for more details. 
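Review bot: The guard changes polarity, from `if (!(g_list_ops.pthread_flag))` to `if (g_list_ops.pthread_flag || SECGEAR_OCALL)`, and since the earlier hunk defines `SECGEAR_OCALL` as `0` the second operand is constant-false, so the net effect is that the agent-registration path now runs when the flag is set rather than when it is clear. If that inversion is intended, the macro deserves a comment saying what `SECGEAR_OCALL` switches and why it defaults to off; if the intent was only to add a switch, the negation was lost. Folding a compile-time constant into a runtime `||` also hides the intent; `#if SECGEAR_OCALL` or a named build option would make it visible. The enclosing `cc_enclave_call_function` starts and ends outside the hunk.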
++# Description: tools for generating a trusted application load image ++# Author: Li mingjuan ++# Create: 2020-10-27 ++#---------------------------------------------------------------------------- ++ ++import struct ++import os ++import hashlib ++import subprocess ++ ++HASH256 = 0 ++HASH512 = 1 ++ ++def gen_hash(hash_type, in_file_path, out_file_path): ++ in_file_size = os.path.getsize(in_file_path) ++ # Initialize a SHA256 object from the Python hash library ++ if int(hash_type) == HASH256: ++ hash_op = hashlib.sha256() ++ elif int(hash_type) == HASH512: ++ hash_op = hashlib.sha512() ++ # Set the input buffer and return the output digest ++ with open(in_file_path, 'rb') as in_file: ++ hash_op.update(in_file.read(in_file_size)) ++ ++ #-----hash file used for ras sign--- ++ with open(out_file_path, 'wb') as hash_fp: ++ # fixed hash prefix value ++ hash_fp.write(struct.pack('B'*19, 0x30, 0x31, 0x30, 0x0d, 0x06, \ ++ 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, \ ++ 0x05, 0x00, 0x04, 0x20)) ++ hash_fp.write(hash_op.digest()) ++ return ++ ++def gen_ta_signature(cfg, hash_file_path, out_file_path): ++ cmd = "openssl rsautl -sign -inkey {} -in {} -out {}".\ ++ format(cfg.sign_key, hash_file_path, out_file_path) ++ try: ++ subprocess.check_output(cmd.split(), shell=False) ++ except Exception: ++ print("sign operation failed") ++ raise RuntimeError ++ return ++ +diff --git a/tools/sign_tool/manifest.py b/tools/sign_tool/manifest.py +index 4de8407..9cc2360 100644 +--- a/tools/sign_tool/manifest.py ++++ b/tools/sign_tool/manifest.py +@@ -1,10 +1,20 @@ + #!/usr/bin/env python + # coding:utf-8 + #---------------------------------------------------------------------------- +-# Copyright @ Huawei Technologies Co., Ltd. 2018-2019. All rights reserved. +-# tools for generating a trusted application load image ++# Copyright (c) Huawei Technologies Co., Ltd. 2018-2020. All rights reserved. ++# iTrustee licensed under the Mulan PSL v2. 
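Review bot: `gen_hash` always writes the SHA-256 DigestInfo prefix (`... 0x02, 0x01, 0x05, 0x00, 0x04, 0x20`) in front of the digest, so with `hashType = 1` it emits a 64-byte SHA-512 digest under a header that declares SHA-256 and a 32-byte length, and any other value leaves `hash_op` unassigned and fails with an UnboundLocalError instead of a clear message. `gen_ta_signature` reads only `cfg.sign_key` and calls `openssl rsautl -sign`, which is PKCS#1 v1.5 only, so `paddingType = 1` (PSS) from config_cloud.ini cannot take effect and `rsautl` is deprecated in OpenSSL 3; `openssl pkeyutl -sign` with `-pkeyopt` options for padding and digest would honour both settings. Building the command as a string and calling `cmd.split()` also breaks on paths containing spaces, so pass the argument list directly. A prefix table keyed by hash type plus an explicit error on unknown types fixes the first point:
```python
# RFC 8017 section 9.2 DigestInfo prefixes for the two supported hash types
DIGEST_INFO_PREFIX = {
    HASH256: b'\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20',
    HASH512: b'\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03\x05\x00\x04\x40',
}

def gen_hash(hash_type, in_file_path, out_file_path):
    hash_type = int(hash_type)
    if hash_type == HASH256:
        hash_op = hashlib.sha256()
    elif hash_type == HASH512:
        hash_op = hashlib.sha512()
    else:
        raise ValueError("unsupported hashType: {}".format(hash_type))
    # ... unchanged: feed in_file_path into hash_op ...
    with open(out_file_path, 'wb') as hash_fp:
        hash_fp.write(DIGEST_INFO_PREFIX[hash_type])
        hash_fp.write(hash_op.digest())
```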
++# You can use this software according to the terms and conditions of the Mulan ++# PSL v2. ++# You may obtain a copy of Mulan PSL v2 at: ++# http://license.coscl.org.cn/MulanPSL2 ++# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY ++# KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ++# NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. ++# See the Mulan PSL v2 for more details. ++# Description: tools for generating a trusted application load image ++# Author: Li mingjuan ++# Create: 2018-02-20 + #---------------------------------------------------------------------------- +- + import string + import struct + import uuid +@@ -14,31 +24,32 @@ PRODUCT_TA_IMAGE = 1 + PRODUCT_DYN_LIB = 2 + PRODUCT_SERVICE_IMAGE = 3 + +-class TEE_UUID: ++ ++class PackUuid: + # Structure object to align and package the TEE_UUID +- s = struct.Struct('IHH8b') ++ data = struct.Struct('IHH8b') + + def __init__(self, data): +- unpacked_data = (TEE_UUID.s).unpack(str.encode(data)) ++ unpacked_data = (PackUuid.data).unpack(str.encode(data)) + self.unpacked_data = unpacked_data +- self.timeLow = unpacked_data[0] +- self.timeMid = unpacked_data[1] +- self.timeHiAndVersion = unpacked_data[2] +- self.clockSeqAndNode = unpacked_data[3] ++ self.time_low = unpacked_data[0] ++ self.time_mid = unpacked_data[1] ++ self.time_hi_version = unpacked_data[2] ++ self.clock_seq_node = unpacked_data[3] + +- def printValues(self): ++ def print_values(self): + print("ATTRIBUTE / VALUE") + for attr, value in self.__dict__.items(): + print(attr, value) + +- def getPackedData(self): +- values = [self.timeLow, +- self.timeMid, +- self.timeHiAndVersion, +- self.clockSeqAndNode, ++ def get_pack_data(self): ++ values = [self.time_low, ++ self.time_mid, ++ self.time_hi_version, ++ self.clock_seq_node, + ] + +- return (TEE_UUID.s).pack(*values) ++ return (PackUuid.data).pack(*values) + + + #---------------------------------------------------------------------------- 
+@@ -47,10 +58,10 @@ class TEE_UUID: + class Manifest: + + # Structure object to align and package the Manifest +- s = struct.Struct('I' * 6) ++ data = struct.Struct('I' * 6) + + def __init__(self, data): +- unpacked_data = (Manifest.s).unpack(str.encode(data)) ++ unpacked_data = (Manifest.data).unpack(str.encode(data)) + self.unpacked_data = unpacked_data + self.single_instance = unpacked_data[0] + self.multi_session = unpacked_data[1] +@@ -59,12 +70,12 @@ class Manifest: + self.stack_size = unpacked_data[4] + self.instancekeepalive = unpacked_data[5] + +- def printValues(self): ++ def print_values(self): + print("ATTRIBUTE / VALUE") + for attr, value in self.__dict__.items(): + print(attr, value) + +- def getPackedData(self): ++ def get_pack_data(self): + values = [self.single_instance, + self.multi_session, + self.multi_command, +@@ -73,21 +84,22 @@ class Manifest: + self.instancekeepalive, + ] + +- return (Manifest.s).pack(*values) ++ return (Manifest.data).pack(*values) ++ + + #---------------------------------------------------------------------------- + # verify property name in manifest file + #---------------------------------------------------------------------------- +-def verify_property_name(strLine): ++def verify_property_name(str_line): + print('verify property name') + alphas = string.ascii_letters + string.digits + cont = "".join([alphas, '-', '_', '.']) +- if len(strLine) > 1: +- if strLine[0] not in alphas: ++ if len(str_line) > 1: ++ if str_line[0] not in alphas: + print('invalid first letter in property name') + return False + else: +- for otherchar in strLine[1:]: ++ for otherchar in str_line[1:]: + if otherchar not in cont: + print('invalid char in property name') + return False +@@ -97,35 +109,37 @@ def verify_property_name(strLine): + + return True + ++ + #---------------------------------------------------------------------------- + # verify property value in manifest file + 
#---------------------------------------------------------------------------- +-def verify_property_value(strLine): ++def verify_property_value(str_line): + print('verify property value') +- filt_letter = chr(0) + chr(10) +chr(13) +- for thechar in strLine: ++ filt_letter = chr(0) + chr(10) + chr(13) ++ for thechar in str_line: + if thechar in filt_letter: + print('invalid letter in prop value') + return False + return True + ++ + #---------------------------------------------------------------------------- + # remove tabs and space in property value + #---------------------------------------------------------------------------- +-def trailing_space_tabs(strLine): ++def trailing_space_tabs(str_line): + print('trailing space tabs in value head and trail') +- space_tabs = chr(9) + chr(32) +chr(160) +- space_tabs_newlines = space_tabs + chr(10) +chr(13) ++ space_tabs = chr(9) + chr(32) + chr(160) ++ space_tabs_newlines = space_tabs + chr(10) + chr(13) + print('tab: {}'.format(space_tabs)) + +- print('str in: {}'.format(strLine)) ++ print('str in: {}'.format(str_line)) + index = 0 +- for thechar in strLine: ++ for thechar in str_line: + if thechar in space_tabs: + index += 1 + else: + break +- headvalue = strLine[index:] ++ headvalue = str_line[index:] + + strlen = len(headvalue) + +@@ -137,21 +151,20 @@ def trailing_space_tabs(strLine): + else: + break + +- #print 'str len: '+str(strlen) +- strRet = headvalue[0:strlen+1] + chr(10) +- print('str ret: {}'.format(strRet)) ++ str_ret = headvalue[0:strlen+1] + chr(10) ++ print('str ret: {}'.format(str_ret)) ++ ++ return str_ret + +- return strRet + + #---------------------------------------------------------------------------- + # verify manifest file, parse manifest file, generate a new manfiest file + #---------------------------------------------------------------------------- +-def parserManifest(manifest, manifestDataPath, mani_ext): ++def parser_manifest(manifest, manifest_data_path, mani_ext): + print('verify 
manifest') +- targetType = PRODUCT_TA_IMAGE ++ target_type = PRODUCT_TA_IMAGE + +- uuid_val_flag = 1 +- uuid_val = TEE_UUID('\0' * 16) ++ uuid_val = PackUuid('\0' * 16) + + #manifest default + manifest_val = Manifest('\0'*24) +@@ -166,30 +179,29 @@ def parserManifest(manifest, manifestDataPath, mani_ext): + service_name = 'external_service' + + with open(manifest, 'r') as mani_fp, open(mani_ext, 'wb') as mani_ext_fp: +- for eachLine in mani_fp: +- print(eachLine) +- if eachLine.startswith("#") or not len(eachLine.strip()): ++ for each_line in mani_fp: ++ print(each_line) ++ if each_line.startswith("#") or not len(each_line.strip()): + continue +- index = eachLine.find(':', 1, len(eachLine)) +- #print 'index name : value is ' + str(index) ++ index = each_line.find(':', 1, len(each_line)) + +- prop_name = eachLine[0:index] #no ':' +- prop_name_t = eachLine[0:index+1] #with ':' +- prop_value_t = eachLine[index+1:] ++ prop_name = each_line[0:index] ++ prop_name_t = each_line[0:index+1] ++ prop_value_t = each_line[index+1:] + print('name is: {}; value is: {}'.format(prop_name, prop_value_t)) + + prop_value = trailing_space_tabs(prop_value_t) + prop_len = len(prop_value) +- prop_value_v = prop_value[0:prop_len-1]# mv last letter ++ prop_value_v = prop_value[0:prop_len-1] + print('prop value_v: {}'.format(prop_value_v)) + + if verify_property_name(prop_name) is False: + print('manifest format invalid, please check it') +- return (False, 0, 0, 0) ++ return (False, 0) + + if verify_property_value(prop_value_v) is False: + print('manifest format invalid, please check it') +- return (False, 0, 0, 0) ++ return (False, 0) + + # name:value to lowcase, and parse manifest + prop_name_low = prop_name.lower() +@@ -197,58 +209,54 @@ def parserManifest(manifest, manifestDataPath, mani_ext): + if 'gpd.ta.appid' == prop_name_low: + print("compare name is srv id") + uuid_val = uuid.UUID(prop_value_v) +- uuid_val_flag = 0 + print('uuid str {}'.format(uuid_val)) + print('val fields 
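Review bot: `index = each_line.find(':', 1, len(each_line))` returns -1 for a line with no colon and nothing in the loop checks for it, so such a line is split as `prop_name = each_line[0:-1]` with the whole line as its value and then goes through name validation instead of being reported as a malformed manifest line. This is unchanged context, but the renamed loop is the natural place to guard it, e.g. `if index < 0: print('manifest line without ":" : {}'.format(each_line)); return (False, 0)` right after the `find`. The rest of `parser_manifest` continues past the hunk.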
{}'.format(uuid_val.fields)) + + elif 'gpd.ta.singleinstance' == prop_name_low: + prop_value_low = prop_value_v.lower() + if 'true' == prop_value_low: +- manifest_val.single_instance = 1; ++ manifest_val.single_instance = 1 + elif 'false' == prop_value_low: +- manifest_val.single_instance = 0; ++ manifest_val.single_instance = 0 + else: + print('single_instance value error!') + + elif 'gpd.ta.multisession' == prop_name_low: + prop_value_low = prop_value_v.lower() + if 'true' == prop_value_low: +- manifest_val.multi_session = 1; ++ manifest_val.multi_session = 1 + elif 'false' == prop_value_low: +- manifest_val.multi_session = 0; ++ manifest_val.multi_session = 0 + else: + print('multi_session value error!') + + elif 'gpd.ta.multicommand' == prop_name_low: + prop_value_low = prop_value_v.lower() + if 'true' == prop_value_low: +- manifest_val.multi_command = 1; ++ manifest_val.multi_command = 1 + elif 'false' == prop_value_low: +- manifest_val.multi_command = 0; ++ manifest_val.multi_command = 0 + else: + print('multi_command value error!') + + elif 'gpd.ta.instancekeepalive' == prop_name_low: + prop_value_low = prop_value_v.lower() + if 'true' == prop_value_low: +- manifest_val.instancekeepalive = 1; ++ manifest_val.instancekeepalive = 1 + elif 'false' == prop_value_low: +- manifest_val.instancekeepalive = 0; ++ manifest_val.instancekeepalive = 0 + else: + print('instancekeepalive value error!') + + elif 'gpd.ta.datasize' == prop_name_low: +- #manifest_val.heap_size = prop_value_v.atoi() + manifest_val.heap_size = int(prop_value_v) + print('b') + + elif 'gpd.ta.stacksize' == prop_name_low: +- #manifest_val.stack_size = prop_value_v.atoi() + manifest_val.stack_size = int(prop_value_v) + print('b') + + elif 'gpd.ta.service_name' == prop_name_low: +- #manifest_val.stack_size = prop_value_v.atoi() + service_name = prop_value_v + print('b') + +@@ -260,11 +268,11 @@ def parserManifest(manifest, manifestDataPath, mani_ext): + if 'gpd.ta.is_tee_service' == prop_name_low: + 
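Review bot: A manifest line without a ':' still slips through the per-line parsing this hunk renames: `each_line.find(':', 1, len(each_line))` returns -1 for it, so `prop_name` becomes the line minus its last character and `prop_value_t` the whole line, and only `verify_property_name` stands between that and a silently mis-parsed property. Add a guard straight after the `find`, `if index < 0:` / `print('manifest format invalid, please check it')` / `return (False, 0)`, in the same shape as the two early returns this hunk already changes. The body of parser_manifest continues past the end of this hunk.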
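Review bot: `manifest_val.heap_size = int(prop_value_v)` and the `stack_size` line below it raise an uncaught ValueError on a non-numeric value, while every neighbouring branch reports `... value error!` and carries on; the cleanup in this hunk keeps that inconsistency and also keeps the three `print('b')` debug leftovers. Wrap the two `int()` conversions in a `try`/`except ValueError` that reports the bad property and returns `(False, 0)` like the other validation failures in parser_manifest, and drop the `print('b')` lines. With `uuid_val_flag = 0` removed, nothing records whether `gpd.ta.appid` was ever seen, so a manifest without it presumably keeps the all-zero `PackUuid` value — worth confirming that is rejected somewhere. The function body continues outside this hunk.
```python
                elif 'gpd.ta.datasize' == prop_name_low:
                    try:
                        manifest_val.heap_size = int(prop_value_v)
                    except ValueError:
                        print('datasize value error!')
                        return (False, 0)
                # … unchanged: stacksize branch gets the same guard; service_name branch …
```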
prop_value_low = prop_value_v.lower() + if 'true' == prop_value_low: +- targetType = PRODUCT_SERVICE_IMAGE ++ target_type = PRODUCT_SERVICE_IMAGE + elif 'gpd.ta.is_lib' == prop_name_low: + prop_value_low = prop_value_v.lower() + if 'true' == prop_value_low: +- targetType = PRODUCT_DYN_LIB ++ target_type = PRODUCT_DYN_LIB + + #write the whole parsed manifest into sample.manifest file + +@@ -277,14 +285,11 @@ def parserManifest(manifest, manifestDataPath, mani_ext): + + # get manifest string file len + manifest_str_size = os.path.getsize(mani_ext) +- if manifest_str_size > 152: +- print("extra manifest string exceed MAX len 152") +- raise RuntimeError + print('manifest str size {}'.format(manifest_str_size)) + + # 2> manifest + service_name + print("bytes len {}".format(len(uuid_val.bytes_le))) +- print("bytes len {}".format(len(manifest_val.getPackedData()))) ++ print("bytes len {}".format(len(manifest_val.get_pack_data()))) + print("bytes len {}".format(len(service_name))) + + # 3> unparsed manifest, string manifest +@@ -294,23 +299,24 @@ def parserManifest(manifest, manifestDataPath, mani_ext): + print("manifest strint: {}".format(manifest_string_buf)) + + #---- write manifest parse context to manifest file +- with open(manifestDataPath, 'wb') as out_manifest_fp: ++ with open(manifest_data_path, 'wb') as out_manifest_fp: + out_manifest_fp.write(uuid_val.bytes_le) + out_manifest_fp.write(str.encode(service_name)) +- out_manifest_fp.write(manifest_val.getPackedData()) ++ out_manifest_fp.write(manifest_val.get_pack_data()) + +- productName = str(uuid_val) +- if targetType == PRODUCT_TA_IMAGE: ++ product_name = str(uuid_val) ++ if target_type == PRODUCT_TA_IMAGE: + print("product type is ta image") +- productName = "".join([productName, ".sec"]) +- elif targetType == PRODUCT_SERVICE_IMAGE: ++ product_name = "".join([product_name, ".sec"]) ++ elif target_type == PRODUCT_SERVICE_IMAGE: + print("product type is service") +- productName = "".join([productName, 
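Review bot: Removing the `manifest_str_size > 152` guard leaves `parser_manifest` with no bound on the extension file it writes; the limit resurfaces later in this patch as `MAX_EXT_PROP_LEN = 152` inside `gen_raw_data` in signtool_v3.py, so the check now only holds for callers that go through that function. If signtool_v3.py appends the `gpd.ta.api_level` / `gpd.ta.otrp_flag` lines to the extension file before `gen_raw_data` runs (the deleted sign_tool.py appended them after this check), the 152-byte budget now also has to cover those appended lines — worth confirming that is intended and documenting it next to `MAX_EXT_PROP_LEN`. A one-line comment here, `# the extension manifest size is bounded by MAX_EXT_PROP_LEN in signtool_v3.py gen_raw_data`, would tell the next reader where the check went. parser_manifest continues outside this hunk.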
service_name, "_svr.sec"]) +- elif targetType == PRODUCT_DYN_LIB: ++ product_name = "".join([product_name, service_name, "_svr.sec"]) ++ elif target_type == PRODUCT_DYN_LIB: + print("product type is dyn lib") +- productName = "".join([productName, service_name, ".so.sec"]) ++ product_name = "".join([product_name, service_name, ".so.sec"]) + else: + print("invalid product type!") + raise RuntimeError + +- return (True, productName, uuid_val_flag) ++ return (True, product_name) ++ +diff --git a/tools/sign_tool/sign_tool.py b/tools/sign_tool/sign_tool.py +deleted file mode 100644 +index 1e6e37d..0000000 +--- a/tools/sign_tool/sign_tool.py ++++ /dev/null +@@ -1,471 +0,0 @@ +-#!/usr/bin/env python +-# coding:utf-8 +-#---------------------------------------------------------------------------- +-# Copyright @ Huawei Technologies Co., Ltd. 2018-2019. All rights reserved. +-# tools for generating a trusted application load image +-#---------------------------------------------------------------------------- +- +-import struct +-import sys +-import os +-import hashlib +-import binascii +-import subprocess +-import shutil +- +-from manifest import * +- +-DEBUG = 0 +-VERSION = 3 +-TA_VERSION = 3 +-# TA_TYPE 1 stand for v3.0 +-# TA_TYPE 2 stand for v3.1(with config and cert) +-TA_TYPE = 0 +- +-API_LEVEL = 1 +-PRODUCT_NAME = "" +- +-# OTRP_FLAG 1 stand for otrp sec, and only can load sec by otrp mode +-# OTRP_FLAG 0 stand for no-otrp sec, and only can load sec by tzdriver mode +-OTRP_FLAG = 0 +- +-MAGIC1 = 0xA5A55A5A +-MAGIC2 = 0x55AA +- +-# low 8 bits:key is derived from root key +-# high 8 bits:key len is 3072, if value is 0 or 1, then key len is 2048 +-KEY_VERSION = 0x0202 +- +-SIGN_ALG_V3 = 0x10002048 +-SIGN_ALG_V4 = 0x10004096 +- +-HASH256_LEN = 256 +-HASH512_LEN = 512 +- +-ENCRYPTED_KEYINFO_LEN =256 +-SIGNATURE_LEN_256 = 256 +-SIGNATURE_LEN_512 = 512 +- +-SUCCESS = 0 +- +-# ELF Definitions +-ELF_TYPE = 32 +-ELF_HDR_SIZE = 52 +-ELF_PHDR_SIZE = 32 +-ELF_INFO_MAGIC0_INDEX = 
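Review bot: The `else:` branch at the end of the product-name selection still raises a bare `RuntimeError` after printing `"invalid product type!"`, so the reason survives only on stdout and not in the traceback; `raise RuntimeError("invalid product type: {}".format(target_type))` keeps the message with the exception and makes the preceding print redundant. The return value shrinks from `(True, product_name, uuid_val_flag)` to `(True, product_name)`; the only caller visible in this patch, the deleted sign_tool.py, unpacked three values, so the new caller in signtool_v3.py (outside this view) has to match the two-element shape, as the `(False, 0)` early returns earlier in the function already do. parser_manifest starts outside this hunk.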
0 +-ELF_INFO_MAGIC1_INDEX = 1 +-ELF_INFO_MAGIC2_INDEX = 2 +-ELF_INFO_MAGIC3_INDEX = 3 +-ELF_INFO_MAGIC0 = 127 #'\x7f' +-ELF_INFO_MAGIC1 = 69 #'E' +-ELF_INFO_MAGIC2 = 76 #'L' +-ELF_INFO_MAGIC3 = 70 #'F' +-ELF_INFO_CLASS_INDEX = 4 +-ELF_INFO_CLASS = 1 #'\x01' +-ELF_INFO_VERSION_INDEX = 6 +-ELF_INFO_VERSION_CURRENT = 1 #'\x01' +-ELF_BLOCK_ALIGN = 0x1000 +-ELF_HEAD_FORMAT = '' +- +-#---------------------------------------------------------------------------- +-# ELF File Header Check +-#---------------------------------------------------------------------------- +-class Elf_Header: +- def __init__(self, data): +- # Algin data obj in ELF header +- if(ELF_TYPE == 64): +- self.s = struct.Struct('16sHHIQQQIHHHHHH') +- else: +- self.s = struct.Struct('16sHHIIIIIHHHHHH') +- +- unpacked_data = (self.s).unpack(data) +- self.unpacked_data = unpacked_data +- self.elf_ident = unpacked_data[0] +- self.elf_type = unpacked_data[1] +- self.elf_machine = unpacked_data[2] +- self.elf_version = unpacked_data[3] +- self.elf_entry = unpacked_data[4] +- self.elf_phoff = unpacked_data[5] +- self.elf_shoff = unpacked_data[6] +- self.elf_flags = unpacked_data[7] +- self.elf_ehsize = unpacked_data[8] +- self.elf_phentsize = unpacked_data[9] +- self.elf_phnum = unpacked_data[10] +- self.elf_shentsize = unpacked_data[11] +- self.elf_shnum = unpacked_data[12] +- self.elf_shstrndx = unpacked_data[13] +- +- def printValues(self): +- print("ATTRIBUTE / VALUE") +- for attr, value in self.__dict__.items(): +- print(attr, value) +- +- def getPackedData(self): +- values = [self.elf_ident, +- self.elf_type, +- self.elf_machine, +- self.elf_version, +- self.elf_entry, +- self.elf_phoff, +- self.elf_shoff, +- self.elf_flags, +- self.elf_ehsize, +- self.elf_phentsize, +- self.elf_phnum, +- self.elf_shentsize, +- self.elf_shnum, +- self.elf_shstrndx +- ] +- +- return (self.s).pack(*values) +- +-#---------------------------------------------------------------------------- +-# Verify ELF header contents from 
an input ELF file +-#---------------------------------------------------------------------------- +-def verify_elf_header(elf_header): +- s = struct.unpack('BBBBBBBBBBBBBBBB', elf_header.elf_ident) +- if (s[ELF_INFO_MAGIC0_INDEX] != ELF_INFO_MAGIC0) or \ +- (s[ELF_INFO_MAGIC1_INDEX] != ELF_INFO_MAGIC1) or \ +- (s[ELF_INFO_MAGIC2_INDEX] != ELF_INFO_MAGIC2) or \ +- (s[ELF_INFO_MAGIC3_INDEX] != ELF_INFO_MAGIC3) or \ +- (s[ELF_INFO_CLASS_INDEX] != ELF_INFO_CLASS) or \ +- (s[ELF_INFO_VERSION_INDEX] != ELF_INFO_VERSION_CURRENT): +- +- return False +- else: +- return True +- +-def get_elf_type(elfFile): +- EI_NIDENT = 16 +- global ELF_TYPE +- global ELF_HDR_SIZE +- global ELF_HEAD_FORMAT +- global ELF_INFO_CLASS +- +- elfFile.seek(0x0, 0) +- elf_ident = elfFile.read(EI_NIDENT) +- ''' check EI_CLASS, 32-bit or 64-bit''' +- elfStr = bytes.decode(elf_ident) +- s = struct.unpack('BBBBBBBBBBBBBBBB', elf_ident) +- if s[4] == 2: +- print("64 bit type") +- ELF_TYPE = 64 +- ELF_HDR_SIZE = 64 +- ELF_HEAD_FORMAT = "HHIQQQIHHHHHH" +- ELF_INFO_CLASS = 2 +- elif s[4] == 1: +- print("32 bit type") +- ELF_TYPE = 32 +- ELF_HDR_SIZE = 52 +- ELF_HEAD_FORMAT = "HHIIIIIHHHHHH" +- ELF_INFO_CLASS = 1 +- else: +- raise RuntimeError("Unknown ELF file type") +- return +- +-def generateHeader(contentLen): +- return struct.pack('IHHII', MAGIC1, MAGIC2, VERSION, contentLen, KEY_VERSION) +- +-def generateAesKeyInfo(ivFilePath, keyFilePath, outFilePath): +- # Aes key is randomly generated and temporarily stored in the file in plaintext, please ensure security. 
+- try: +- subprocess.check_output(["openssl", "rand", "-out", format(ivFilePath), "16"], shell=False) +- subprocess.check_output(["openssl", "rand", "-out", format(keyFilePath), "32"], shell=False) +- except: +- print("rand operation failed") +- raise RuntimeError +- +- with open(outFilePath, 'wb') as outFile: +- outFile.write(struct.pack('I', 32)) +- outFile.write(struct.pack('I', 16)) +- if DEBUG == 0 or TA_TYPE == 1: +- outFile.write(struct.pack('I', SIGN_ALG_V3)) +- elif TA_TYPE == 2: +- outFile.write(struct.pack('I', SIGN_ALG_V4)) +- else: +- print("target sign type is not supported: {}".format(TA_TYPE)) +- raise RuntimeError +- +- with open(keyFilePath, 'rb') as keyFile: +- outFile.write(keyFile.read(32)) +- +- with open(ivFilePath, 'rb') as ivFile: +- outFile.write(ivFile.read(16)) +- +- return +- +-def encryptAesKeyInfo(pubkeyFilePath, inFilePath, outFilePath): +- try: +- subprocess.check_output(["openssl", "rsautl", "-encrypt", "-pubin", "-oaep", \ +- "-inkey", format(pubkeyFilePath), "-in", format(inFilePath), "-out", format(outFilePath)], shell=False) +- except: +- print("RSA encrypt operation failed") +- raise RuntimeError +- return +- +-def generateHash(hashLen, inFilePath, outFilePath): +- inFileSize = os.path.getsize(inFilePath) +- # Initialize a SHA256 object from the Python hash library +- if hashLen == HASH256_LEN: +- hashOp = hashlib.sha256() +- elif hashLen == HASH512_LEN: +- hashOp = hashlib.sha512() +- # Set the input buffer and return the output digest +- with open(inFilePath, 'rb') as inFile: +- hashOp.update(inFile.read(inFileSize)) +- +- #-----hash file used for ras sign--- +- with open(outFilePath, 'wb') as hash_fp: +- # fixed hash prefix value +- hash_fp.write(struct.pack('B'*19, 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, +- 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20)) +- hash_fp.write(hashOp.digest()) +- return +- +-def generateSignature(priKeyPath, inFilePath, outFilePath): +- if TA_TYPE == 1: +- 
print("generate dummy signature for DEBUG version") +- with open(outFilePath, 'wb') as f: +- f.write(str.encode('\0'*256, encoding='utf-8')) +- elif TA_TYPE == 2: +- try: +- subprocess.check_output(["openssl", "rsautl", "-sign", "-inkey", format(priKeyPath), \ +- "-in", format(inFilePath), " -out", format(outFilePath)], shell=False) +- except: +- print("sign operation failed") +- raise RuntimeError +- return +- +-def checkSignature(rawDataHashPath, inSignature, serverPubKey): +- try: +- subprocess.check_output(["openssl", "pkeyutl", "-verify", "-in", format(rawDataHashPath), \ +- "-sigfile", format(inSignature), "-pubin", "-inkey", format(serverPubKey)], shell=False) +- except: +- print("check operation failed") +- raise RuntimeError +- return +- +-def generateRawData(manifestDataPath, manifestExtFilePath, elfFilePath, configFilePath, rawFilePath): +- manifestDataSize = os.path.getsize(manifestDataPath) +- manifestExtSize = os.path.getsize(manifestExtFilePath) +- elfFileSize = os.path.getsize(elfFilePath) +- configFileSize = 0 +- +- with open(rawFilePath, 'wb') as f: +- header = "" +- if TA_TYPE == 2: +- configFileSize = os.path.getsize(configFilePath) +- header = struct.pack('IIIII', TA_VERSION, manifestDataSize, manifestExtSize, elfFileSize, configFileSize) +- f.write(header) +- +- with open(manifestDataPath, 'rb') as manifestData: +- f.write(manifestData.read(manifestDataSize)) +- +- with open(manifestExtFilePath, 'rb') as manifestExt: +- f.write(manifestExt.read(manifestExtSize)) +- +- with open(elfFilePath, 'rb') as elfFile: +- get_elf_type(elfFile) +- elfFile.seek(0x0, 0) +- elfFileHaderBuf = elfFile.read(ELF_HDR_SIZE) +- elfFileHader = Elf_Header(elfFileHaderBuf) +- if verify_elf_header(elfFileHader) is False: +- print("verify elf header failed") +- raise RuntimeError +- elfFile.seek(0x0, 0) +- f.write(elfFile.read(elfFileSize)) +- +- if TA_TYPE == 2: +- with open(configFilePath, 'rb') as configFile: +- f.write(configFile.read(configFileSize)) +- return +- 
+-def aesEncrypt(keyPath, ivPath, inFilePath, outfilePath): +- keySize = os.path.getsize(keyPath) +- with open(keyPath, 'rb') as key: +- keyData = key.read(keySize) +- hexKeyStr = binascii.b2a_hex(keyData) +- +- ivSize = os.path.getsize(ivPath) +- with open(ivPath, 'rb') as iv: +- ivData = iv.read(ivSize) +- hexIvStr = binascii.b2a_hex(ivData) +- +- try: +- subprocess.check_output(["openssl", "enc", "-aes-256-cbc", "-in", format(inFilePath), \ +- "-out", format(outfilePath), "-K", format(bytes.decode(hexKeyStr)), \ +- "-iv", format(bytes.decode(hexIvStr))], shell=False) +- except: +- print("AES encrypt operation failed") +- raise RuntimeError +- +- return +- +-def updateManifestTaApiLevel(manifest): +- line = "\ngpd.ta.api_level:{}\n".format(API_LEVEL) +- with open(manifest, "w") as f: +- f.writelines(line) +- +-def updateManifestTaOtrpFlag(manifest): +- data = '' +- with open(manifest, 'r') as f: +- for line in f: +- if line.startswith("#") or not "gpd.ta.otrp_flag" in line: +- data += line +- line = "\ngpd.ta.otrp_flag:{}\n".format('true') +- data += line +- with open(manifest, "w") as f: +- f.writelines(data) +- +-def generateDataForSign(contentLen, key_info, raw_file, data_sign): +- keyInfoLen = os.path.getsize(key_info) +- rawFileLen = os.path.getsize(raw_file) +- +- with open(data_sign, 'wb') as data_fp, \ +- open(key_info, 'rb') as key_fp, open(raw_file, 'rb') as raw_fp: +- data_fp.write(generateHeader(contentLen)) +- data_fp.write(key_fp.read(keyInfoLen)) +- data_fp.write(raw_fp.read(rawFileLen)) +- +- +-def generateDigest(enclavePath, manifestPath, deviceKeyPath, configFilePath, rawDataHashPath, encKeyInfoFilePath, \ +- encRawFilePath): +- inPath = os.getcwd() +- ivFilePath = os.path.join(inPath, "iv.bin") +- keyFilePath = os.path.join(inPath, "aeskey.bin") +- keyInfoFilePath = os.path.join(inPath, "KeyInfo") +- rawFilePath = os.path.join(inPath, "rawData") +- manifestDataPath = os.path.join(inPath, "manifestData.bin") +- manifestExtPath = 
os.path.join(inPath, "manifestExt.bin") +- dataForSignPath = os.path.join(inPath, "dataForSign.bin") +- +- #mandentory input files +- manifestFilePath = manifestPath +- elfFilePath = enclavePath +- pubkeyFilePath = deviceKeyPath +- +- (ret, PRODUCT_NAME, flag) = parserManifest(manifestFilePath, manifestDataPath, manifestExtPath) +- updateManifestTaApiLevel(manifestExtPath) +- +- if OTRP_FLAG == 1: +- print("package otrp sec file\n") +- updateManifestTaOtrpFlag(manifestExtPath) +- +- generateRawData(manifestDataPath, manifestExtPath, elfFilePath, configFilePath, rawFilePath) +- +- #generate AES key info to encrypt raw data +- generateAesKeyInfo(ivFilePath, keyFilePath, keyInfoFilePath) +- encryptAesKeyInfo(pubkeyFilePath, keyInfoFilePath, encKeyInfoFilePath) +- +- aesEncrypt(keyFilePath, ivFilePath, rawFilePath, encRawFilePath) +- +- contentLen = 0 +- if DEBUG == 0 or TA_TYPE == 1: +- contentLen = os.path.getsize(encKeyInfoFilePath) + SIGNATURE_LEN_256 + os.path.getsize(encRawFilePath) +- elif TA_TYPE == 2: +- contentLen = os.path.getsize(encKeyInfoFilePath) + SIGNATURE_LEN_512 + os.path.getsize(encRawFilePath) +- else: +- print("target sign type is not supported: {}".format(TA_TYPE)) +- raise RuntimeError +- +- generateDataForSign(contentLen, keyInfoFilePath, rawFilePath, dataForSignPath) +- +- generateHash(HASH256_LEN, dataForSignPath, rawDataHashPath) +- +- #remove temp files +- os.remove(ivFilePath) +- os.remove(keyFilePath) +- os.remove(keyInfoFilePath) +- os.remove(rawFilePath) +- os.remove(manifestDataPath) +- os.remove(manifestExtPath) +- os.remove(dataForSignPath) +- return +- +-def generateSecEnclave(priKeyPath, rawDataHashPath, encKeyInfoFilePath, encRawFilePath, inSignature, serverPubKey, \ +- outFile): +- inPath = os.getcwd() +- signatureFilePath = inSignature +- if DEBUG == 1: +- signatureFilePath = os.path.join(inPath, "signature.bin") +- generateSignature(priKeyPath, rawDataHashPath, signatureFilePath) +- else: +- checkSignature(rawDataHashPath, 
inSignature, serverPubKey) +- +- contentLen = 0 +- if DEBUG == 0 or TA_TYPE == 1: +- contentLen = os.path.getsize(encKeyInfoFilePath) + SIGNATURE_LEN_256 + os.path.getsize(encRawFilePath) +- elif TA_TYPE == 2: +- contentLen = os.path.getsize(encKeyInfoFilePath) + SIGNATURE_LEN_512 + os.path.getsize(encRawFilePath) +- else: +- print("target sign type is not supported: {}".format(TA_TYPE)) +- raise RuntimeError +- +- # secImagePath = os.path.join(outPath, productName) +- secImagePath = outFile +- with open(secImagePath, 'wb') as secImage: +- # write to sec file [1.header info] +- secImage.write(generateHeader(contentLen)) +- # write to sec file [2.AES key info] +- encKeyInfoSize = os.path.getsize(encKeyInfoFilePath) +- with open(encKeyInfoFilePath, 'rb') as encKeyInfo: +- secImage.write(encKeyInfo.read(encKeyInfoSize)) +- # write to sec file [3.signature] +- signatureSize = os.path.getsize(signatureFilePath) +- with open(signatureFilePath, 'rb') as signatureFile: +- secImage.write(signatureFile.read(signatureSize)) +- # write to sec file [4.encrypted raw data] +- encRawDataSize = os.path.getsize(encRawFilePath) +- with open(encRawFilePath, 'rb') as encRawData: +- secImage.write(encRawData.read(encRawDataSize)) +- +- if DEBUG == 1: +- os.remove(signatureFilePath) +- +- print("=========================SUCCESS============================") +- print("generate TA(V3 format) load image success: ") +- print(secImagePath) +- print("============================================================") +- return +- +-if __name__ == '__main__': +- argvs = sys.argv +- priKeyPath = "" +- configFilePath = "" +- cmd = argvs[1] +- DEBUG = int(argvs[2]) +- enclavePath = argvs[3] +- outFile = argvs[4] +- manifestPath = argvs[5] +- OTRP_FLAG = int(argvs[6]) +- TA_TYPE = int(argvs[7]) +- API_LEVEL = int(argvs[8]) +- DEVICE_PUBKEY = argvs[9] +- configFilePath = argvs[10] +- +- os.umask(127) +- inPath = os.getcwd() +- encKeyInfoFilePath = os.path.join(inPath, "KeyInfo.enc") +- encRawFilePath = 
os.path.join(inPath, "rawData.enc") +- rawDataHashPath = os.path.join(inPath, "rawDataHash.bin") +- +- if cmd == "digest": +- generateDigest(enclavePath, manifestPath, DEVICE_PUBKEY, configFilePath, rawDataHashPath, encKeyInfoFilePath, \ +- encRawFilePath) +- shutil.copy(rawDataHashPath, outFile) +- elif cmd == "sign": +- if DEBUG == 0: +- inSignature = argvs[11] +- serverPubKey = argvs[12] +- else: +- if TA_TYPE == 2: +- priKeyPath = argvs[11] +- inSignature = "" +- serverPubKey = "" +- generateDigest(enclavePath, manifestPath, DEVICE_PUBKEY, configFilePath, rawDataHashPath, \ +- encKeyInfoFilePath, encRawFilePath) +- generateSecEnclave(priKeyPath, rawDataHashPath, encKeyInfoFilePath, encRawFilePath, inSignature, \ +- serverPubKey, outFile) +- os.remove(rawDataHashPath) +- os.remove(encKeyInfoFilePath) +- os.remove(encRawFilePath) +diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh +index 212db5d..5fd7d5b 100755 +--- a/tools/sign_tool/sign_tool.sh ++++ b/tools/sign_tool/sign_tool.sh +@@ -10,39 +10,42 @@ + + #!/bin/bash + VERSION=3 +-TA_TYPE=1 +-OTRP_FLAG=0 +-API_LEVEL=1 +-DEBUG=0 ++API_LEVEL=2 ++ONE_STEP_MODE=1 ++A_CONFIG_FILE="NULL" + + localpath="$(cd "$(dirname "$0")"; pwd)" + + print_help(){ + echo "sign tool usage: ./sign_tool.sh [options] ..." + echo "[options]" +- echo "-a API_LEVEL, indicates trustzone GP API version, defalut is 1." + echo "-c basic config file." + echo "-d sign tool command, sign/digest." + echo " The sign command is used to generate a signed enclave." + echo " The digest command is used to generate a digest value." +- echo "-f OTRP_FLAG, indicates whether the OTRP standard protocol is supported, default is 0." + echo "-i enclave to be signed." +- echo "-k private key required for single-step method, required when trustzone TA_TYPE is 2 or sgx." +- echo "-m additional config for trustzone when TA_TYPE is 2." 
++ echo "-k private key required for single-step method" ++ echo "-m additional config_cloud.ini for trustzone." + echo "-o output parameters, the sign command outputs sigend enclave, the digest command outputs" + echo " digest value." + echo "-p signing server public key certificate, required for two-step method." + echo "-s the signed digest value required for two-step method, this parameter is empty to indicate" + echo " single-step method." +- echo "-t trustzone TA_TYPE, default is 1." + echo "-x enclave type, sgx or trustzone." + echo "-h printf help message." + + } + +-while getopts "d:i:x:m:a:f:t:c:k:p:s:o:h" opt ++while getopts "c:d:i:k:m:o:p:s:x:h" opt + do + case $opt in ++ c) ++ if [[ $OPTARG == -* ]]; then ++ echo "Error: parameter for -c is missing or incorrect" ++ exit -1 ++ fi ++ CONFIG_FILE=$OPTARG ++ ;; + d) + if [[ $OPTARG == -* ]]; then + echo "Error: parameter for -d is missing or incorrect" +@@ -58,13 +61,12 @@ do + fi + IN_ENCLAVE=$OPTARG + ;; +- x) ++ k) + if [[ $OPTARG == -* ]]; then +- echo "Error: parameter for -x is missing or incorrect" ++ echo "Error: parameter for -k is missing or incorrect" + exit -1 +- fi +- typeset -l ENCLAVE_TYPE +- ENCLAVE_TYPE=$OPTARG ++ fi ++ SIG_KEY=$OPTARG + ;; + m) + if [[ $OPTARG == -* ]]; then +@@ -73,55 +75,12 @@ do + fi + A_CONFIG_FILE=$OPTARG + ;; +- a) +- if [[ $OPTARG =~ ^[1-3]$ ]]; then +- API_LEVEL=$OPTARG +- else +- if [[ $OPTARG == -* ]]; then +- echo "Error: parameter for -a is missing or incorrect" +- exit -1 +- fi +- echo "Error: illegal API LEVEL" +- exit -1 +- fi +- ;; +- f) +- if [[ $OPTARG =~ ^[0-1]$ ]]; then +- OTRP_FLAG=$OPTARG +- else +- if [[ $OPTARG == -* ]]; then +- echo "Error: parameter for -f is missing or incorrect" +- exit -1 +- fi +- echo "Error: illegal OTRP FLAG" +- exit -1 +- fi +- ;; +- t) +- if [[ $OPTARG =~ ^[1-2]$ ]]; then +- TA_TYPE=$OPTARG +- else +- if [[ $OPTARG == -* ]]; then +- echo "Error: parameter for -t is missing or incorrect" +- exit -1 +- fi +- echo "Error: 
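Review bot: The help text this hunk rewrites still presents `-k` as the "private key required for single-step method", but in the trustzone path further down (the hunk at -160) `SIG_KEY` is no longer referenced, so for `-x trustzone` the option is presumably ignored and the key comes from elsewhere; the usage line should say which enclave type it applies to, e.g. `echo "-k private key required for single-step method (sgx only)."` if that is the intent. Likewise `-c basic config file.` and `-m additional config_cloud.ini for trustzone.` do not tell the user that, for trustzone, the `-m` file is checked unconditionally while `-c` is only needed for one-step sign and digest, which is what the later hunk enforces. The new `c)` case also inherits `exit -1`, which bash reports as status 255; `exit 1` is the conventional failure code for newly written cases.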
illegal TA TYPE" +- exit -1 +- fi +- ;; +- c) +- if [[ $OPTARG == -* ]]; then +- echo "Error: parameter for -c is missing or incorrect" +- exit -1 +- fi +- CONFIG_FILE=$OPTARG +- ;; +- k) ++ o) + if [[ $OPTARG == -* ]]; then +- echo "Error: parameter for -k is missing or incorrect" ++ echo "Error: parameter for -o is missing or incorrect" + exit -1 + fi +- SIG_KEY=$OPTARG ++ OUT_FILE=$OPTARG + ;; + p) + if [[ $OPTARG == -* ]]; then +@@ -137,12 +96,13 @@ do + fi + SIGNATURE=$OPTARG + ;; +- o) ++ x) + if [[ $OPTARG == -* ]]; then +- echo "Error: parameter for -o is missing or incorrect" ++ echo "Error: parameter for -x is missing or incorrect" + exit -1 +- fi +- OUT_FILE=$OPTARG ++ fi ++ typeset -l ENCLAVE_TYPE ++ ENCLAVE_TYPE=$OPTARG + ;; + h) + print_help +@@ -160,47 +120,48 @@ fi + + itrustee_start_sign(){ + # check_native_sign +- MANIFEST=$CONFIG_FILE +- if [ -z $MANIFEST ]; then ++ if [ -z $A_CONFIG_FILE ]; then + echo "Error: missing config file for signing iTrustee enclave" + exit -1 + fi + +- if [ ${TA_TYPE} == 2 ]; then +- if [ -z $A_CONFIG_FILE]; then +- echo "Error: TA TYPE = 2, missing additional config file for signing iTrustee enclave" +- exit -1 +- fi +- else +- A_CONFIG_FILE="NULL" +- fi +- DEVICE_PUBKEY=${localpath}/rsa_public_key_cloud.pem +- + if [ "${CMD}"x == "sign"x ]; then + if [ -z $SIGNATURE ]; then +- DEBUG=1 +- if [ -z $SIG_KEY ] && [ ${TA_TYPE} == 2 ]; then +- echo "missing the signature private key" ++ ONE_STEP_MODE=1 ++ if [ -z $CONFIG_FILE ]; then ++ echo "Error: missing config file for signing iTrustee enclave" + exit -1 + fi +- python ${localpath}/sign_tool.py "sign" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFEST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${A_CONFIG_FILE}" "${SIG_KEY}" +- else +- DEBUG=0 +- if [ -z $SERVER_PUBKEY ]; then +- echo "Error: missing server public key for verifying signature" ++ if [ -z $IN_ENCLAVE ]; then ++ echo "Error: missing enclave file" + exit -1 + fi +- python 
${localpath}/sign_tool.py "sign" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFEST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${A_CONFIG_FILE}" "${SIGNATURE}" "${SERVER_PUBKEY}" ++ python ${localpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}" ++ else ++ ONE_STEP_MODE=0 ++ python ${localpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "NULL" "${OUT_FILE}" "NULL" "${A_CONFIG_FILE}" "${API_LEVEL}" "${SIGNATURE}" + fi + elif [ "${CMD}"x == "digest"x ]; then +- DEBUG=0 +- python ${localpath}/sign_tool.py "digest" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFEST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${A_CONFIG_FILE}" ++ ONE_STEP_MODE=0 ++ if [ -z $CONFIG_FILE ]; then ++ echo "Error: missing config file for signing iTrustee enclave" ++ exit -1 ++ fi ++ if [ -z $IN_ENCLAVE ]; then ++ echo "Error: missing enclave file" ++ exit -1 ++ fi ++ python ${localpath}/signtool_v3.py "digest" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}" + else + echo "Error: illegal command" + fi + } + + sgx_start_sign(){ ++ if [ -z $IN_ENCLAVE ]; then ++ echo "Error: missing enclave file" ++ exit -1 ++ fi + SIGDATA_FILE="signdata" + if [ "${CMD}"x == "sign"x ]; then + if [ -z $SIG_KEY ]; then +@@ -246,10 +207,6 @@ if [ -z $ENCLAVE_TYPE ]; then + echo "Error: missing enclave type" + exit -1 + fi +-if [ -z $IN_ENCLAVE ]; then +- echo "Error: missing enclave file" +- exit -1 +-fi + if [ -z $OUT_FILE ]; then + echo "Error: missing out file" + exit -1 +diff --git a/tools/sign_tool/signtool_v3.py b/tools/sign_tool/signtool_v3.py +new file mode 100644 +index 0000000..dae036f +--- /dev/null ++++ b/tools/sign_tool/signtool_v3.py +@@ -0,0 +1,428 @@ ++#!/usr/bin/env python ++# coding:utf-8 ++#---------------------------------------------------------------------------- ++# Copyright (c) Huawei Technologies Co., Ltd. 2018-2020. 
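Review bot: The new `if [ -z $A_CONFIG_FILE ]` check at the top of itrustee_start_sign can never fire for a missing `-m`, because the first hunk of this file initialises `A_CONFIG_FILE="NULL"` and the `m)` case only overwrites it when the option is given, so the "missing config file" error is reachable only with an explicitly empty argument. Test for the sentinel as well, `if [ -z "$A_CONFIG_FILE" ] || [ "$A_CONFIG_FILE" == "NULL" ]; then`, and quote the other `[ -z $CONFIG_FILE ]` / `[ -z $IN_ENCLAVE ]` / `[ -z $SIGNATURE ]` tests in this hunk and in sgx_start_sign — unquoted, an empty value collapses the test to `[ -z ]`, which passes only by accident, and a value with spaces breaks it. The two-step `sign` call passes the literal string `NULL` in the enclave and config positions, which relies on signtool_v3.py (its entry point is outside this view) recognising that sentinel; a comment on that line saying so would help. `SIG_KEY` is no longer referenced in this function, so `-k` is presumably ignored for trustzone — fine if the key now comes from the config file, but then the one-step branch should say so.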
All rights reserved. ++# iTrustee licensed under the Mulan PSL v2. ++# You can use this software according to the terms and conditions of the Mulan ++# PSL v2. ++# You may obtain a copy of Mulan PSL v2 at: ++# http://license.coscl.org.cn/MulanPSL2 ++# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY ++# KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ++# NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. ++# See the Mulan PSL v2 for more details. ++# Description: tools for generating a trusted application load image ++# Author: Li mingjuan ++# Create: 2018-02-20 ++#---------------------------------------------------------------------------- ++ ++import struct ++import os ++import sys ++import stat ++import hashlib ++import binascii ++import subprocess ++import shutil ++import getpass ++import argparse ++ ++try: ++ from configparser import SafeConfigParser ++except ImportError: ++ from ConfigParser import SafeConfigParser ++ ++from manifest import parser_manifest ++from generate_signature import gen_ta_signature ++from generate_signature import gen_hash ++ ++# fixed value, {1, 2} version are abandoned. 
++VERSION = 3 ++TA_VERSION = 3 ++ ++MAX_EXT_PROP_LEN = 152 ++ ++MAGIC1 = 0xA5A55A5A ++MAGIC2 = 0x55AA ++ ++# ELF Definitions ++ELF_TYPE = 32 ++ELF_HDR_SIZE = 52 ++ELF_PHDR_SIZE = 32 ++ELF_INFO_MAGIC0_INDEX = 0 ++ELF_INFO_MAGIC1_INDEX = 1 ++ELF_INFO_MAGIC2_INDEX = 2 ++ELF_INFO_MAGIC3_INDEX = 3 ++#'\x7f' ++ELF_INFO_MAGIC0 = 127 ++#'E' ++ELF_INFO_MAGIC1 = 69 ++#'L' ++ELF_INFO_MAGIC2 = 76 ++#'F' ++ELF_INFO_MAGIC3 = 70 ++ELF_INFO_CLASS_INDEX = 4 ++ELF_INFO_CLASS_32 = 1 ++ELF_INFO_CLASS_64 = 2 ++ELF_INFO_VERSION_INDEX = 6 ++ELF_INFO_VERSION_CURRENT = 1 ++ELF_BLOCK_ALIGN = 0x1000 ++ ++ ++#---------------------------------------------------------------------------- ++# Verify ELF header contents from an input ELF file ++#---------------------------------------------------------------------------- ++def verify_elf_header(elf_path): ++ elf_type = 0 ++ with open(elf_path, 'rb') as elf: ++ elf_data = struct.unpack('B'*16, elf.read(16)) ++ elf_type = elf_data[4] ++ if ((elf_data[ELF_INFO_MAGIC0_INDEX] != ELF_INFO_MAGIC0) or \ ++ (elf_data[ELF_INFO_MAGIC1_INDEX] != ELF_INFO_MAGIC1) or \ ++ (elf_data[ELF_INFO_MAGIC2_INDEX] != ELF_INFO_MAGIC2) or \ ++ (elf_data[ELF_INFO_MAGIC3_INDEX] != ELF_INFO_MAGIC3) or \ ++ (elf_data[ELF_INFO_VERSION_INDEX] != \ ++ ELF_INFO_VERSION_CURRENT)): ++ print("invalid elf header info") ++ raise RuntimeError ++ ++ if ((elf_type == 1 and elf_data[ELF_INFO_CLASS_INDEX] != \ ++ ELF_INFO_CLASS_32) or \ ++ (elf_type == 2 and elf_data[ELF_INFO_CLASS_INDEX] != \ ++ ELF_INFO_CLASS_64) or \ ++ (elf_type != 1 and elf_type != 2)): ++ print("invliad elf format") ++ raise RuntimeError ++ return ++ ++ ++class Configuration: ++ release_type = 0 ++ otrp_flag = 0 ++ sign_type = 0 ++ public_key = "" ++ pub_key_len = 0 ++ server_ip = "" ++ config_path = "" ++ sign_key = "" ++ sign_key_len = 2048 ++ hash_type = 0 ++ padding_type = 0 ++ ++ def __init__(self, file_name): ++ parser = SafeConfigParser() ++ parser.read(file_name) ++ self.release_type = parser.get("config", 
"releaseType") ++ self.otrp_flag = parser.get("config", "otrpFlag") ++ self.sign_type = parser.get("config", "signType") ++ self.public_key = parser.get("config", "encryptKey") ++ self.pub_key_len = parser.get("config", "encryptKeyLen") ++ self.server_ip = parser.get("config", "serverIp") ++ self.config_path = parser.get("config", "configPath") ++ self.sign_key = parser.get("config", "signKey") ++ self.sign_key_len = parser.get("config", "signKeyLen") ++ self.hash_type = parser.get("config", "hashType") ++ self.padding_type = parser.get("config", "paddingType") ++ ++ ++def gen_header(content_len, key_version): ++ return struct.pack('IHHII', MAGIC1, MAGIC2, VERSION, content_len, \ ++ key_version) ++ ++ ++def gen_aes_key_info(cfg, iv_file_path, key_file_path, out_file_path): ++ rand_iv_cmd = "openssl rand -out {} 16".format(iv_file_path) ++ rand_key_cmd = "openssl rand -out {} 32".format(key_file_path) ++ try: ++ subprocess.check_output(rand_iv_cmd.split(), shell=False) ++ subprocess.check_output(rand_key_cmd.split(), shell=False) ++ except Exception: ++ print("rand operation failed") ++ raise RuntimeError ++ ++ os.chmod(iv_file_path, stat.S_IWUSR | stat.S_IRUSR) ++ os.chmod(key_file_path, stat.S_IWUSR | stat.S_IRUSR) ++ ++ sign_alg = 0 ++ sign_alg = sign_alg | (int(cfg.release_type) << 28) ++ sign_alg = sign_alg | (int(cfg.padding_type) << 27) ++ sign_alg = sign_alg | (int(cfg.hash_type) << 26) ++ if cfg.sign_key_len == "2048": ++ sign_alg = sign_alg | 0x00002048 ++ elif cfg.sign_key_len == "4096": ++ sign_alg = sign_alg | 0x00004096 ++ ++ print("sign_alg value is 0x%x" % sign_alg) ++ with open(out_file_path, 'wb') as out_file: ++ out_file.write(struct.pack('I', 32)) ++ out_file.write(struct.pack('I', 16)) ++ out_file.write(struct.pack('I', sign_alg)) ++ ++ with open(key_file_path, 'rb') as key_file: ++ out_file.write(key_file.read(32)) ++ ++ with open(iv_file_path, 'rb') as iv_file: ++ out_file.write(iv_file.read(16)) ++ ++ os.chmod(out_file_path, stat.S_IWUSR | 
stat.S_IRUSR) ++ return ++ ++ ++def encrypt_aes_key(pubkey_path, in_path, out_path): ++ cmd = "openssl rsautl -encrypt -pubin -oaep -inkey {} -in {} -out {}". \ ++ format(pubkey_path, in_path, out_path) ++ try: ++ subprocess.check_output(cmd.split(), shell=False) ++ except Exception: ++ print("RSA encrypt operation failed") ++ raise RuntimeError ++ os.chmod(out_path, stat.S_IWUSR | stat.S_IRUSR) ++ return ++ ++def gen_signature(cfg, uuid_str, raw_data_path, hash_file_path, out_file_path): ++ gen_ta_signature(cfg, uuid_str, raw_data_path, hash_file_path, out_file_path) ++ os.chmod(out_file_path, stat.S_IWUSR | stat.S_IRUSR) ++ return ++ ++def gen_raw_data(manifest_data_path, manifest_ext_path, elf_file_path, \ ++ config_path, raw_file_path): ++ manifest_size = os.path.getsize(manifest_data_path) ++ manifest_ext_size = os.path.getsize(manifest_ext_path) ++ elf_size = os.path.getsize(elf_file_path) ++ config_size = 0 ++ ++ if manifest_ext_size > MAX_EXT_PROP_LEN: ++ print("too much data in \"manifest.txt\" to be handled. 
\ ++ extra string len %d" \ ++ % manifest_ext_size) ++ raise RuntimeError ++ ++ verify_elf_header(elf_file_path) ++ ++ with open(raw_file_path, 'wb') as file_op: ++ header = "" ++ if os.path.isfile(config_path): ++ config_size = os.path.getsize(config_path) ++ header = struct.pack('IIIII', TA_VERSION, manifest_size, \ ++ manifest_ext_size, \ ++ elf_size, config_size) ++ file_op.write(header) ++ ++ with open(manifest_data_path, 'rb') as manifest_data: ++ file_op.write(manifest_data.read(manifest_size)) ++ ++ with open(manifest_ext_path, 'rb') as manifest_ext: ++ file_op.write(manifest_ext.read(manifest_ext_size)) ++ ++ with open(elf_file_path, 'rb') as elf: ++ file_op.write(elf.read(elf_size)) ++ if config_size != 0: ++ with open(config_path, 'rb') as config: ++ file_op.write(config.read(config_size)) ++ return ++ ++ ++def aes_encrypt(key_path, iv_path, in_file_path, out_file_path): ++ key_size = os.path.getsize(key_path) ++ with open(key_path, 'rb') as key_file: ++ key_data = key_file.read(key_size) ++ hex_key_str = binascii.b2a_hex(key_data) ++ ++ iv_size = os.path.getsize(iv_path) ++ with open(iv_path, 'rb') as iv_file: ++ iv_data = iv_file.read(iv_size) ++ hex_iv_str = binascii.b2a_hex(iv_data) ++ ++ cmd = "openssl enc -aes-256-cbc -in {} -out {} -K {} -iv {}".\ ++ format(in_file_path, out_file_path, \ ++ bytes.decode(hex_key_str), bytes.decode(hex_iv_str)) ++ try: ++ subprocess.check_output(cmd.split(), shell=False) ++ except Exception: ++ print("AES encrypt operation failed") ++ raise RuntimeError ++ ++ os.chmod(out_file_path, stat.S_IWUSR | stat.S_IRUSR) ++ return ++ ++def update_api_level(api_level, manifest): ++ data = '' ++ with open(manifest, 'r') as file_op: ++ for line in file_op: ++ if line.startswith("#") or not "gpd.ta.api_level" in line: ++ data += line ++ line = "\ngpd.ta.api_level:{}\n".format(api_level) ++ data += line ++ with open(manifest, "w") as file_op: ++ file_op.writelines(data) ++ ++ ++def update_otrp_flag(manifest): ++ data = '' ++ with 
open(manifest, 'r') as file_op: ++ for line in file_op: ++ if line.startswith("#") or not "gpd.ta.otrp_flag" in line: ++ data += line ++ line = "\ngpd.ta.otrp_flag:{}\n".format('true') ++ data += line ++ with open(manifest, "w") as file_op: ++ file_op.writelines(data) ++ ++ ++def gen_data_for_sign(header, key_info, raw_file, data_sign): ++ key_info_len = os.path.getsize(key_info) ++ raw_file_len = os.path.getsize(raw_file) ++ ++ with open(data_sign, 'wb') as data_fp, \ ++ open(key_info, 'rb') as key_fp, open(raw_file, 'rb') as raw_fp: ++ data_fp.write(header) ++ data_fp.write(key_fp.read(key_info_len)) ++ data_fp.write(raw_fp.read(raw_file_len)) ++ ++ ++def gen_key_version(cfg): ++ if cfg.pub_key_len == '3072': ++ return int(0x0202) ++ if cfg.pub_key_len == '2048': ++ return int(0x0002) ++ print("unhandled pulic key len %s" % cfg.pub_key_len) ++ raise RuntimeError ++ ++ ++def generate_digest(cfg, api_level, enclave_file, manifest_file, hash_path, enc_key_path, enc_raw_path): ++ # temporary files ++ in_path = os.path.dirname(os.path.abspath(manifest_file)) ++ temp_path = os.path.join(in_path, "temp") ++ shutil.rmtree(temp_path, ignore_errors=True) ++ os.mkdir(temp_path) ++ os.chmod(temp_path, stat.S_IRWXU) ++ iv_file_path = os.path.join(temp_path, "iv.bin") ++ key_file_path = os.path.join(temp_path, "aeskey.bin") ++ key_info_path = os.path.join(temp_path, "KeyInfo") ++ raw_file_path = os.path.join(temp_path, "rawData") ++ manifest_data_path = os.path.join(temp_path, "manifestData.bin") ++ manifest_ext_path = os.path.join(temp_path, "manifestExt.bin") ++ data_for_sign_path = os.path.join(temp_path, "dataForSign.bin") ++ signature_path = os.path.join(temp_path, "signature.bin") ++ ++ # mandentory input files ++ manifest_path = manifest_file ++ elf_file_path = enclave_file ++ ++ ret, product_name = parser_manifest(manifest_path, \ ++ manifest_data_path, manifest_ext_path) ++ if ret is False: ++ raise RuntimeError ++ ++ update_api_level(api_level, manifest_ext_path) ++ 
++ if cfg.otrp_flag == 1: ++ print("package otrp sec file\n") ++ update_otrp_flag(manifest_ext_path) ++ ++ gen_raw_data(manifest_data_path, manifest_ext_path, elf_file_path, \ ++ cfg.config_path, raw_file_path) ++ ++ # generate AES key info to encrypt raw data ++ gen_aes_key_info(cfg, iv_file_path, key_file_path, key_info_path) ++ encrypt_aes_key(cfg.public_key, key_info_path, enc_key_path) ++ ++ aes_encrypt(key_file_path, iv_file_path, raw_file_path, enc_raw_path) ++ ++ # generate Main Header ++ content_len = os.path.getsize(enc_key_path) + \ ++ (int(cfg.sign_key_len) / 8) + \ ++ os.path.getsize(enc_raw_path) ++ key_version = gen_key_version(cfg) ++ header = gen_header(int(content_len), key_version) ++ ++ gen_data_for_sign(header, key_info_path, raw_file_path, data_for_sign_path) ++ ++ gen_hash(cfg.hash_type, data_for_sign_path, hash_path) ++ ++ #remove temp files ++ os.remove(iv_file_path) ++ os.remove(key_file_path) ++ os.remove(key_info_path) ++ os.remove(raw_file_path) ++ os.remove(manifest_data_path) ++ os.remove(manifest_ext_path) ++ os.remove(data_for_sign_path) ++ return ++ ++def gen_sec_image(cfg, enc_raw_path, enc_key_path, signature_path, out_file): ++ content_len = os.path.getsize(enc_key_path) + \ ++ (int(cfg.sign_key_len) / 8) + \ ++ os.path.getsize(enc_raw_path) ++ key_version = gen_key_version(cfg) ++ header = gen_header(int(content_len), key_version) ++ sec_img_path = out_file ++ with open(sec_img_path, 'wb') as sec_image: ++ # write to sec file [1.header info] ++ sec_image.write(header) ++ # write to sec file [2.AES key info] ++ enc_key_size = os.path.getsize(enc_key_path) ++ with open(enc_key_path, 'rb') as enc_key_info: ++ sec_image.write(enc_key_info.read(enc_key_size)) ++ # write to sec file [3.signature] ++ signature_size = os.path.getsize(signature_path) ++ with open(signature_path, 'rb') as signature_file: ++ sec_image.write(signature_file.read(signature_size)) ++ # write to sec file [4.encrypted raw data] ++ enc_raw_size = 
os.path.getsize(enc_raw_path) ++ with open(enc_raw_path, 'rb') as enc_raw_data: ++ sec_image.write(enc_raw_data.read(enc_raw_size)) ++ ++ print("=========================SUCCESS============================") ++ print("generate TA(V3 format) load image success: ") ++ print(sec_img_path) ++ print("============================================================") ++ ++ return ++ ++ ++def main(): ++ argvs = sys.argv ++ cmd = argvs[1] ++ one_step_mode = int(argvs[2]) ++ enclave_path = argvs[3] ++ out_file = argvs[4] ++ manifest_file = argvs[5] ++ cloud_config = argvs[6] ++ cfg = Configuration(cloud_config) ++ api_level = int(argvs[7]) ++ ++ os.umask(127) ++ ++ in_path = os.path.dirname(os.path.abspath(cloud_config)) ++ temp_path = os.path.join(in_path, "temp") ++ enc_key_path = os.path.join(temp_path, "KeyInfo.enc") ++ enc_raw_path = os.path.join(temp_path, "rawData.enc") ++ hash_path = os.path.join(temp_path, "rawDataHash.bin") ++ temp_signature = os.path.join(temp_path, "tempSignature") ++ ++ sign_tool_dir = os.path.dirname(os.path.abspath(__file__)) ++ os.chdir(sign_tool_dir) ++ if cmd == "digest": ++ generate_digest(cfg, api_level, enclave_path, manifest_file, hash_path, enc_key_path, enc_raw_path) ++ shutil.copy(hash_path, out_file) ++ elif cmd == "sign": ++ if one_step_mode == 0: ++ in_signature = argvs[8] ++ gen_sec_image(cfg, enc_raw_path, enc_key_path, in_signature, out_file) ++ else: ++ generate_digest(cfg, api_level, enclave_path, manifest_file, hash_path, enc_key_path, enc_raw_path) ++ gen_ta_signature(cfg, hash_path, temp_signature) ++ in_signature = temp_signature ++ gen_sec_image(cfg, enc_raw_path, enc_key_path, in_signature, out_file) ++ os.remove(temp_signature) ++ os.remove(enc_key_path) ++ os.remove(enc_raw_path) ++ os.remove(hash_path) ++ #remove temp files ++ shutil.rmtree(temp_path) ++ ++ ++if __name__ == '__main__': ++ main() ++ +-- +2.27.0 + 
diff --git a/0030-fix-sgx-two-step-mode-bug-add-dump-command.patch b/0030-fix-sgx-two-step-mode-bug-add-dump-command.patch new file mode 100644 index 0000000..d8b4647 --- /dev/null +++ b/0030-fix-sgx-two-step-mode-bug-add-dump-command.patch 
@@ -0,0 +1,234 @@ +From 583ac889ade73e8ffa96844dcc29a511e6c5a615 Mon Sep 17 00:00:00 2001 +From: yanlu +Date: Wed, 19 May 2021 15:45:24 +0800 +Subject: [PATCH 13/14] fix sgx two-step mode bug, add dump command + +--- + docs/sign_tool.md | 49 +++++++++++++--------- + examples/helloworld/enclave/CMakeLists.txt | 2 +- + examples/helloworld/host/CMakeLists.txt | 8 ++-- + examples/seal_data/enclave/CMakeLists.txt | 2 +- + examples/seal_data/host/CMakeLists.txt | 8 ++-- + tools/sign_tool/sign_tool.sh | 39 +++++++++-------- + 6 files changed, 62 insertions(+), 46 deletions(-) + +diff --git a/docs/sign_tool.md b/docs/sign_tool.md +index 399e4c5..e6c6e3b 100644 +--- a/docs/sign_tool.md ++++ b/docs/sign_tool.md +@@ -4,7 +4,7 @@ The sign_tool.sh helps to sign the enclave. + + ## The sign_tool.sh + +-The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'sign_tool.py' for signing the trustzone enclave. ++The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'signtool_v3.py' for signing the trustzone enclave. + + The tool supports the following two modes: + +@@ -19,33 +19,44 @@ The tool supports the following two modes: + - two-step method, it is used when the signature needs to be obtained from the signing organization or the private key is stored on another secure platform. + + For example: +- (1) generate the digest value. +- `$ ./sign_tool.sh –d digest –x trustzone –i input -c manifest.txt -m config_cloud.ini –o digest.data ` ++ (1) generate the signing material. ++ `$ ./sign_tool.sh –d digest –x trustzone –i input -c manifest.txt -m config_cloud.ini –o signing.data ` + + For trustzone, temporary files KeyInfo.enc, rawData.enc, and rawDataHash.bin are generated in the current directory. And for sgx, a temporary file signdata is generated in the current directory. The temporary file is required when generating the signed enclave in step 3 and is deleted after the signed enclave is generated. 
+ +- (2) send the digest.data to the signing organization or platform and get the signature. +- +- (3) use the signature to generate the signed enclave. +- `$ ./sign_tool.sh –d sign –x trustzone –i input -c manifest.txt -m config_cloud.ini –s signature –o signed.enclave ` ++ (2) send the signing.data to the signing organization or platform and get the signature. ++ For trustzone, use rsautl command to sign the signing material. ++ ++ `$ openssl rsautl -sign -inkey sign_key.pem -in signing.data -out signature ` ++ ++ For sgx, use dgst command to sign the signing material. ++ ++ `$ openssl dgst -sha256 -sign sign_key.pem -keyform PEM -out signature signing.data ` ++ ++ (3) use the signature to generate the signed enclave. ++ ++ `$ ./sign_tool.sh –d sign –x trustzone –i input -c manifest.txt -m config_cloud.ini –s signature –o signed.enclave ` + + ## sign_tool.sh parameter + + ``` + -c basic config file. +- -d sign tool command, sign/digest. ++ -d sign tool command, sign/digest/dump. + The sign command is used to generate a signed enclave. +- The digest command is used to generate a digest value. +- -i enclave to be signed. +- -k private key required for single-step method +- -m additional config_cloud.ini for trustzone. +- -o output parameters, the sign command outputs sigend enclave, the digest command outputs +- digest value. +- -p signing server public key certificate, required for two-step method. +- -s the signed digest value required for two-step method, this parameter is empty to indicate +- single-step method. +- -x enclave type, sgx or trustzone. +- -h printf help message. ++ The digest command is used to generate signing material. ++ The dump command is used to generate metadata for sgx signed enclave. ++ -i input parameter, which is enclave to be signed for digest/sign command, and signed enclave for ++ dump command. ++ -k private key required for single-step method. ++ -m additional config_cloud.ini for trustzone. 
++ -o output parameter, the sign command outputs signed enclave, the digest command outputs signing ++ material, the dump command outputs data containing the SIGStruct metadata for the SGX signed ++ enclave, which is submitted to Intel for whitelisting. ++ -p signing server public key certificate, required for sgx two-step method. ++ -s the signature value required for two-step method, this parameter is empty to indicate ++ single-step method. ++ -x enclave type, sgx or trustzone. ++ -h print help message. + ``` + **Note**: + Using the `./sign_tool.sh -h` to get help information. +diff --git a/examples/helloworld/enclave/CMakeLists.txt b/examples/helloworld/enclave/CMakeLists.txt +index f7967ef..98f50ac 100644 +--- a/examples/helloworld/enclave/CMakeLists.txt ++++ b/examples/helloworld/enclave/CMakeLists.txt +@@ -71,7 +71,7 @@ if(CC_GP) + + target_include_directories( ${PREFIX} PRIVATE + ${CMAKE_CURRENT_BINARY_DIR} +- ${LOCAL_ROOT_PATH}/debug/inc ++ ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc + ${LOCAL_ROOT_PATH}/inc/host_inc + ${LOCAL_ROOT_PATH}/inc/host_inc/gp + ${LOCAL_ROOT_PATH}/inc/enclave_inc +diff --git a/examples/helloworld/host/CMakeLists.txt b/examples/helloworld/host/CMakeLists.txt +index 60173a9..c6f2166 100644 +--- a/examples/helloworld/host/CMakeLists.txt ++++ b/examples/helloworld/host/CMakeLists.txt +@@ -39,10 +39,10 @@ if(CC_GP) + endif() + add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES}) + target_include_directories(${OUTPUT} PRIVATE +- ${LOCAL_ROOT_PATH}/debug/inc +- ${LOCAL_ROOT_PATH}/inc/host_inc +- ${LOCAL_ROOT_PATH}/inc/host_inc/gp +- ${CMAKE_CURRENT_BINARY_DIR}) ++ ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc ++ ${LOCAL_ROOT_PATH}/inc/host_inc ++ ${LOCAL_ROOT_PATH}/inc/host_inc/gp ++ ${CMAKE_CURRENT_BINARY_DIR}) + if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0") + target_link_directories(${OUTPUT} PRIVATE ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}) + endif() +diff --git a/examples/seal_data/enclave/CMakeLists.txt 
b/examples/seal_data/enclave/CMakeLists.txt +index b24e498..542163e 100644 +--- a/examples/seal_data/enclave/CMakeLists.txt ++++ b/examples/seal_data/enclave/CMakeLists.txt +@@ -66,7 +66,7 @@ if(CC_GP) + + target_include_directories( ${PREFIX} PRIVATE + ${CMAKE_CURRENT_BINARY_DIR} +- ${LOCAL_ROOT_PATH}/debug/inc ++ ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc + ${LOCAL_ROOT_PATH}/inc/host_inc + ${LOCAL_ROOT_PATH}/inc/host_inc/gp + ${LOCAL_ROOT_PATH}/inc/enclave_inc +diff --git a/examples/seal_data/host/CMakeLists.txt b/examples/seal_data/host/CMakeLists.txt +index 691cd07..a0986d1 100644 +--- a/examples/seal_data/host/CMakeLists.txt ++++ b/examples/seal_data/host/CMakeLists.txt +@@ -40,10 +40,10 @@ if(CC_GP) + endif() + add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES}) + target_include_directories(${OUTPUT} PRIVATE +- ${LOCAL_ROOT_PATH}/debug/inc +- ${LOCAL_ROOT_PATH}/inc/host_inc +- ${LOCAL_ROOT_PATH}/inc/host_inc/gp +- ${CMAKE_CURRENT_BINARY_DIR}) ++ ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc ++ ${LOCAL_ROOT_PATH}/inc/host_inc ++ ${LOCAL_ROOT_PATH}/inc/host_inc/gp ++ ${CMAKE_CURRENT_BINARY_DIR}) + if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0") + target_link_directories(${OUTPUT} PRIVATE ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}) + endif() +diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh +index 5fd7d5b..9906bff 100755 +--- a/tools/sign_tool/sign_tool.sh ++++ b/tools/sign_tool/sign_tool.sh +@@ -20,19 +20,22 @@ print_help(){ + echo "sign tool usage: ./sign_tool.sh [options] ..." + echo "[options]" + echo "-c basic config file." +- echo "-d sign tool command, sign/digest." ++ echo "-d sign tool command, sign/digest/dump." + echo " The sign command is used to generate a signed enclave." +- echo " The digest command is used to generate a digest value." +- echo "-i enclave to be signed." +- echo "-k private key required for single-step method" ++ echo " The digest command is used to generate signing material." 
++ echo " The dump command is used to generate metadata for sgx signed enclave." ++ echo "-i input parameter, which is enclave to be signed for digest/sign command, and signed enclave for" ++ echo " dump command." ++ echo "-k private key required for single-step method." + echo "-m additional config_cloud.ini for trustzone." +- echo "-o output parameters, the sign command outputs sigend enclave, the digest command outputs" +- echo " digest value." +- echo "-p signing server public key certificate, required for two-step method." +- echo "-s the signed digest value required for two-step method, this parameter is empty to indicate" ++ echo "-o output parameter, the sign command outputs signed enclave, the digest command outputs signing" ++ echo " material, the dump command outputs data containing the SIGStruct metadata for the SGX signed" ++ echo " enclave, which is submitted to Intel for whitelisting." ++ echo "-p signing server public key certificate, required for sgx two-step method." ++ echo "-s the signature value required for two-step method, this parameter is empty to indicate" + echo " single-step method." + echo "-x enclave type, sgx or trustzone." +- echo "-h printf help message." ++ echo "-h print help message." 
+ + } + +@@ -164,12 +167,12 @@ sgx_start_sign(){ + fi + SIGDATA_FILE="signdata" + if [ "${CMD}"x == "sign"x ]; then +- if [ -z $SIG_KEY ]; then +- echo "Error: missing sign key" +- exit -1 +- fi + if [ -z $SIGNATURE ]; then +- if [ -z $CONFIG_FILE ]; then ++ if [ -z $SIG_KEY ]; then ++ echo "Error: missing sign key" ++ exit -1 ++ fi ++ if [ -z $CONFIG_FILE ]; then + sgx_sign sign -enclave ${IN_ENCLAVE} -key ${SIG_KEY} -out ${OUT_FILE} + else + sgx_sign sign -enclave ${IN_ENCLAVE} -key ${SIG_KEY} -out ${OUT_FILE} -config ${CONFIG_FILE} +@@ -180,9 +183,9 @@ sgx_start_sign(){ + exit -1 + fi + if [ -z $CONFIG_FILE ]; then +- sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsignd ${SIGDATA_FILE} -out ${OUT_FILE} ++ sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsigned ${SIGDATA_FILE} -out ${OUT_FILE} + else +- sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsignd ${SIGDATA_FILE} -out ${OUT_FILE} -config ${CONFIG_FILE} ++ sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsigned ${SIGDATA_FILE} -out ${OUT_FILE} -config ${CONFIG_FILE} + fi + rm -rf ${SIGDATA_FILE} + fi +@@ -192,7 +195,9 @@ sgx_start_sign(){ + else + sgx_sign gendata -enclave ${IN_ENCLAVE} -out ${SIGDATA_FILE} -config ${CONFIG_FILE} + fi +- openssl dgst -sha256 -out ${OUT_FILE} ${SIGDATA_FILE} ++ cp ${SIGDATA_FILE} ${OUT_FILE} ++ elif [ "${CMD}"x == "dump"x ]; then ++ sgx_sign dump -enclave ${IN_ENCLAVE} -dumpfile ${OUT_FILE} + else + echo "Error: illegal command" + fi +-- +2.27.0 + diff --git a/0031-set-signtool_v3.py-path.patch b/0031-set-signtool_v3.py-path.patch new file mode 100644 index 0000000..e031757 --- /dev/null +++ b/0031-set-signtool_v3.py-path.patch 
@@ -0,0 +1,166 @@ +From 2d9a481617422a423612417835a48b0614716f2d Mon Sep 17 00:00:00 2001 +From: yanlu +Date: Thu, 20 May 2021 10:40:25 +0800 +Subject: [PATCH 14/14] set signtool_v3.py path + +--- + README.en.md | 2 +- + README.md | 2 +- + examples/helloworld/enclave/CMakeLists.txt | 2 +- + examples/helloworld/host/CMakeLists.txt | 2 +- + examples/seal_data/enclave/CMakeLists.txt | 2 +- + examples/seal_data/host/CMakeLists.txt | 2 +- + src/enclave_src/CMakeLists.txt | 2 +- + src/host_src/CMakeLists.txt | 2 +- + tools/sign_tool/sign_tool.sh | 13 +++++++++---- + 9 files changed, 17 insertions(+), 12 deletions(-) + +diff --git a/README.en.md b/README.en.md +index 8aaa1b0..ec7ada0 100644 +--- a/README.en.md ++++ b/README.en.md +@@ -49,7 +49,7 @@ Then save as test.edl + set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR}) + set(EDL_FILE test.edl) + set(LOCAL_ROOT_PATH "$ENV{CC_SDK}") +- set(SECGEAR_INSTALL_PATH /lib64/) ++ set(SECGEAR_INSTALL_PATH /usr/lib64/) + set(CODEGEN codegen) + if(CC_GP) + set(CODETYPE trustzone) +diff --git a/README.md b/README.md +index b95dcc9..2d09831 100644 +--- a/README.md ++++ b/README.md +@@ -41,7 +41,7 @@ SecGear则是面向计算产业的机密计算安全应用开发套件。旨在 + set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR}) + set(EDL_FILE test.edl) + set(LOCAL_ROOT_PATH "$ENV{CC_SDK}") +- set(SECGEAR_INSTALL_PATH /lib64/) ++ set(SECGEAR_INSTALL_PATH /usr/lib64/) + set(CODEGEN codegen) + if(CC_GP) + set(CODETYPE trustzone) +diff --git a/examples/helloworld/enclave/CMakeLists.txt b/examples/helloworld/enclave/CMakeLists.txt +index 98f50ac..0546183 100644 +--- a/examples/helloworld/enclave/CMakeLists.txt ++++ b/examples/helloworld/enclave/CMakeLists.txt +@@ -71,7 +71,7 @@ if(CC_GP) + + target_include_directories( ${PREFIX} PRIVATE + ${CMAKE_CURRENT_BINARY_DIR} +- ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc ++ ${CMAKE_BINARY_DIR}/inc + ${LOCAL_ROOT_PATH}/inc/host_inc + ${LOCAL_ROOT_PATH}/inc/host_inc/gp + ${LOCAL_ROOT_PATH}/inc/enclave_inc +diff --git 
a/examples/helloworld/host/CMakeLists.txt b/examples/helloworld/host/CMakeLists.txt +index c6f2166..96985cb 100644 +--- a/examples/helloworld/host/CMakeLists.txt ++++ b/examples/helloworld/host/CMakeLists.txt +@@ -39,7 +39,7 @@ if(CC_GP) + endif() + add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES}) + target_include_directories(${OUTPUT} PRIVATE +- ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc ++ ${CMAKE_BINARY_DIR}/inc + ${LOCAL_ROOT_PATH}/inc/host_inc + ${LOCAL_ROOT_PATH}/inc/host_inc/gp + ${CMAKE_CURRENT_BINARY_DIR}) +diff --git a/examples/seal_data/enclave/CMakeLists.txt b/examples/seal_data/enclave/CMakeLists.txt +index 542163e..f80efb8 100644 +--- a/examples/seal_data/enclave/CMakeLists.txt ++++ b/examples/seal_data/enclave/CMakeLists.txt +@@ -66,7 +66,7 @@ if(CC_GP) + + target_include_directories( ${PREFIX} PRIVATE + ${CMAKE_CURRENT_BINARY_DIR} +- ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc ++ ${CMAKE_BINARY_DIR}/inc + ${LOCAL_ROOT_PATH}/inc/host_inc + ${LOCAL_ROOT_PATH}/inc/host_inc/gp + ${LOCAL_ROOT_PATH}/inc/enclave_inc +diff --git a/examples/seal_data/host/CMakeLists.txt b/examples/seal_data/host/CMakeLists.txt +index a0986d1..19920b4 100644 +--- a/examples/seal_data/host/CMakeLists.txt ++++ b/examples/seal_data/host/CMakeLists.txt +@@ -40,7 +40,7 @@ if(CC_GP) + endif() + add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES}) + target_include_directories(${OUTPUT} PRIVATE +- ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc ++ ${CMAKE_BINARY_DIR}/inc + ${LOCAL_ROOT_PATH}/inc/host_inc + ${LOCAL_ROOT_PATH}/inc/host_inc/gp + ${CMAKE_CURRENT_BINARY_DIR}) +diff --git a/src/enclave_src/CMakeLists.txt b/src/enclave_src/CMakeLists.txt +index 66a36ea..f6d353c 100644 +--- a/src/enclave_src/CMakeLists.txt ++++ b/src/enclave_src/CMakeLists.txt +@@ -11,7 +11,7 @@ + project(secgear_tee C) + + set(target_lib secgear_tee) +-set(LIBRARY_INSTALL /lib64) ++set(LIBRARY_INSTALL /usr/lib64) + + set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib) + +diff --git 
a/src/host_src/CMakeLists.txt b/src/host_src/CMakeLists.txt +index 25d245f..a545e27 100644 +--- a/src/host_src/CMakeLists.txt ++++ b/src/host_src/CMakeLists.txt +@@ -10,7 +10,7 @@ + + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fvisibility=hidden -fPIC -Wno-stringop-overflow") + +-set(LIBRARY_INSTALL /lib64) ++set(LIBRARY_INSTALL /usr/lib64) + + include_directories(${LOCAL_ROOT_PATH}/inc/host_inc) + +diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh +index 9906bff..5469f80 100755 +--- a/tools/sign_tool/sign_tool.sh ++++ b/tools/sign_tool/sign_tool.sh +@@ -12,9 +12,14 @@ + VERSION=3 + API_LEVEL=2 + ONE_STEP_MODE=1 +-A_CONFIG_FILE="NULL" + + localpath="$(cd "$(dirname "$0")"; pwd)" ++pypath="/lib/secGear" ++if [ -f ${localpath}/signtool_v3.py ]; then ++ signtoolpath=${localpath} ++else ++ signtoolpath=${pypath} ++fi + + print_help(){ + echo "sign tool usage: ./sign_tool.sh [options] ..." +@@ -139,10 +144,10 @@ itrustee_start_sign(){ + echo "Error: missing enclave file" + exit -1 + fi +- python ${localpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}" ++ python ${signtoolpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}" + else + ONE_STEP_MODE=0 +- python ${localpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "NULL" "${OUT_FILE}" "NULL" "${A_CONFIG_FILE}" "${API_LEVEL}" "${SIGNATURE}" ++ python ${signtoolpath}/signtool_v3.py "sign" "${ONE_STEP_MODE}" "NULL" "${OUT_FILE}" "NULL" "${A_CONFIG_FILE}" "${API_LEVEL}" "${SIGNATURE}" + fi + elif [ "${CMD}"x == "digest"x ]; then + ONE_STEP_MODE=0 +@@ -154,7 +159,7 @@ itrustee_start_sign(){ + echo "Error: missing enclave file" + exit -1 + fi +- python ${localpath}/signtool_v3.py "digest" "${ONE_STEP_MODE}" "${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}" ++ python ${signtoolpath}/signtool_v3.py "digest" "${ONE_STEP_MODE}" 
"${IN_ENCLAVE}" "${OUT_FILE}" "${CONFIG_FILE}" "${A_CONFIG_FILE}" "${API_LEVEL}" + else + echo "Error: illegal command" + fi +-- +2.27.0 + diff --git a/0032-del-size_to_aligned_size.patch b/0032-del-size_to_aligned_size.patch new file mode 100644 index 0000000..d0f3c33 --- /dev/null +++ b/0032-del-size_to_aligned_size.patch @@ -0,0 +1,25 @@ +From f31970aac34d3e6fb6c50508ec5d5d4e07da0e0a Mon Sep 17 00:00:00 2001 +From: zgzxx +Date: Fri, 21 May 2021 11:14:06 +0800 +Subject: [PATCH] del size_to_aligned_size + +--- + tools/codegener/Commonfunc.ml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/codegener/Commonfunc.ml b/tools/codegener/Commonfunc.ml +index 42d62c4..6f3966a 100644 +--- a/tools/codegener/Commonfunc.ml ++++ b/tools/codegener/Commonfunc.ml +@@ -428,7 +428,7 @@ let set_in_memcpy (fd : func_decl) = + sprintf "for (int i = 0; i < %s; i++) {\n if((%s + i)->%s) {\n memcpy(in_buf + %s_p + tmp_size, (uint8_t *)(%s + i)->%s, %s);\n tmp_size += size_to_aligned_size(%s);\n }\n }\n tmp_size = 0;\n " (get_param_count pty) decl.identifier mem_decl.identifier mem_decl.identifier decl.identifier mem_decl.identifier (get_sizestr_2 (mem_pty, mem_decl) decl) (get_sizestr_2 (mem_pty, mem_decl) decl) in + [ + "/* Copy in_params to in_buf*/"; +- sprintf "memcpy(in_buf, &args_size, size_to_aligned_size(sizeof(%s_size_t)));" fd.fname; ++ sprintf "memcpy(in_buf, &args_size, sizeof(%s_size_t));" fd.fname; + if in_memcpy <> [] then + concat "\n " in_memcpy ^ "\n " ^ + concat "\n " +-- +2.27.0 + diff --git a/secGear.spec b/secGear.spec index 60703ea..0478426 100644 --- a/secGear.spec +++ b/secGear.spec @@ -1,8 +1,8 @@ Name: secGear Version: 0.1.0 -Release: 13%{?dist} +Release: 14%{?dist} Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features -ExclusiveArch: x86_64 + Group: OS Security License: Mulan PSL v2 
@@ -17,94 +17,123 @@ Patch4: 0005-delete-unnecessary-README.cn.md.patch Patch5: 0006-fix-issues-about-double-create-destory.patch Patch6: 0007-to-make-secGear-log-more-clear.patch Patch7: 0008-modify-path-error.patch -Patch8: 0009-fix-sgxssl-edl.patch -Patch9: 0010-update-docs-build_install.md.patch -Patch10: 0011-modify-the-prompt-information.patch -Patch11: 0012-parse-new-error-code-and-del-redundant-print.patch -Patch12: 0013-fix-error-print.patch -Patch13: 0014-set-umask-in-sign_tool.sh.patch -Patch14: 0015-1.fix-the-race-of-ecall-and-enclave-destroy.patch -Patch15: 0016-fix-wrong-spelling-and-null-pointer-dereference-issu.patch -Patch16: 0017-update-signtool-codegen.patch +Patch8: 0009-fix-cmake-error-of-missing-CMAKE_CXX_COMPILER.patch +Patch9: 0010-fix-sgxssl-edl.patch +Patch10: 0011-update-docs-build_install.md.patch +Patch11: 0012-modify-the-prompt-information.patch +Patch12: 0013-parse-new-error-code-and-del-redundant-print.patch +Patch13: 0014-fix-error-print.patch +Patch14: 0015-set-umask-in-sign_tool.sh.patch +Patch15: 0016-1.fix-the-race-of-ecall-and-enclave-destroy.patch +Patch16: 0017-fix-wrong-spelling-and-null-pointer-dereference-issu.patch +Patch17: 0018-update-sign_tool.doc.patch +Patch18: 0019-normalized-codegen-from-arm-and-x86.patch +Patch19: 0020-rm-e-parameter-normalize-c-parameter.patch +Patch20: 0021-example-use-absolute-path-to-find-enclave.sign.so.patch +Patch21: 0022-add-example-of-using-sgxssl-lib.patch +Patch22: 0023-tls_enclave-is-not-compiled-by-default.patch +Patch23: 0024-Cmake-replace-minial-cmake-from-3.12-to-3.10.patch +Patch24: 0025-example-add-example-for-LRT-long-running-task.patch +Patch25: 0026-example-add-Dockerfile-to-build-lrt-example-image.patch +Patch26: 0027-Change-to-use-the-milestone-picture-with-English.patch +Patch27: 0028-example-use-the-sgx-device-plugin-from-intel.patch +Patch28: 0029-some-adaptations-for-trustzone.patch +Patch29: 0030-fix-sgx-two-step-mode-bug-add-dump-command.patch +Patch30: 
0031-set-signtool_v3.py-path.patch +Patch31: 0032-del-size_to_aligned_size.patch -BuildRequires: gcc python3 automake autoconf libtool +BuildRequires: gcc python automake autoconf libtool BUildRequires: glibc glibc-devel cmake ocaml-dune %ifarch x86_64 BUildRequires: linux-sgx-driver sgxsdk libsgx-launch libsgx-urts +%else +BUildRequires: itrustee_sdk %endif -Requires: rsyslog +Requires: rsyslog %ifarch x86_64 -Requires: linux-sgx-driver sgxsdk libsgx-launch libsgx-urts +Requires: linux-sgx-driver sgxsdk libsgx-launch libsgx-urts +%else +Requires: itrustee_sdk %endif + %description secGear is an SDK to develop confidential computing apps based on hardware enclave features -%package devel -Summary: Development files for %{name} -Requires: %{name}%{?isa} = %{version}-%{release} cmake +%package devel +Summary: Development files for %{name} +Requires: %{name}%{?isa} = %{version}-%{release} cmake %description devel -The %{name}-devel is package contains Header file for developing applications that +The %{name}-devel is package contains Header file for developing applications that us %{name} -%package sim -Summary: simulation package files for %{name} -Requires: %{name}%{?isa} = %{version}-%{release} -%description sim +%ifarch x86_64 +%package sim +Summary: simulation package files for %{name} +Requires: %{name}%{?isa} = %{version}-%{release} +%description sim The %{name}-sim is package contains simulation libraries for developing applications +%endif %prep %autosetup -n %{name} -p1 - %build source ./environment %ifarch x86_64 source /opt/intel/sgxsdk/environment cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=on -DSGXSDK=/opt/intel/sgxsdk -make +make %else -#The itrustee OS is not released +cmake -DCMAKE_BUILD_TYPE=Debug -DCC_GP=on -DiTrusteeSDK=/opt/itrustee_sdk +make %endif - %install make install DESTDIR=%{buildroot} install -d %{buildroot}/%{_datarootdir}/licenses/secGear install -pm 644 License/Third_Party_Open_Source_Software_Notice.md 
%{buildroot}/%{_datarootdir}/licenses/secGear install -d %{buildroot}/%{_includedir}/secGear -#install -pm 644 inc/host_inc/* %{buildroot}/%{_includedir}/secGear/host_inc -%ifarch x86_64 install -d %{buildroot}/%{_bindir} +install -pm 751 bin/codegen %{buildroot}/%{_bindir} +install -pm 751 tools/sign_tool/sign_tool.sh %{buildroot}/%{_bindir} +install -d %{buildroot}/%{_sysconfdir}/secGear/cloud +install -d %{buildroot}/lib/secGear/ +install -pm 751 tools/sign_tool/*.py %{buildroot}/lib/secGear +install -pm 644 tools/sign_tool/cloud/rsa_public_key_cloud.pem %{buildroot}/%{_sysconfdir}/secGear/cloud +%ifarch x86_64 install -pm 644 inc/host_inc/*.h %{buildroot}/%{_includedir}/secGear install -pm 644 inc/host_inc/sgx/*.h %{buildroot}/%{_includedir}/secGear install -pm 644 inc/host_inc/sgx/*.edl %{buildroot}/%{_includedir}/secGear install -pm 644 inc/enclave_inc/*.h %{buildroot}/%{_includedir}/secGear install -pm 644 inc/enclave_inc/sgx/*.h %{buildroot}/%{_includedir}/secGear -install -pm 751 bin/codegen %{buildroot}/%{_bindir} -install -pm 751 tools/sign_tool/sign_tool.sh %{buildroot}/%{_bindir} %else install -d %{buildroot}/%{_includedir}/secGear install -pm 644 inc/host_inc/*.h %{buildroot}/%{_includedir}/secGear install -pm 644 inc/host_inc/gp/*.h %{buildroot}/%{_includedir}/secGear +install -pm 644 inc/host_inc/gp/*.edl %{buildroot}/%{_includedir}/secGear install -pm 644 inc/enclave_inc/*.h %{buildroot}/%{_includedir}/secGear install -pm 644 inc/enclave_inc/gp/*.h %{buildroot}/%{_includedir}/secGear +install -pm 644 inc/enclave_inc/gp/itrustee/*.h %{buildroot}/%{_includedir}/secGear %endif pushd %{buildroot} rm `find . -name secgear_helloworld` -rf rm `find . -name secgear_seal_data` -rf +%ifarch aarch64 +rm `find . 
-name libsecgearsim.so` -rf +%endif popd %files %license License/LICENSE %license License/Third_Party_Open_Source_Software_Notice.md %defattr(-,root,root) -/%{_lib}/libsecgear_tee.a -/%{_lib}/libsecgear.so +%{_libdir}/libsecgear_tee.a +%{_libdir}/libsecgear.so %ifarch x86_64 -/%{_lib}/libsgx_0.so +%{_libdir}/libsgx_0.so %else -#The itrustee OS is not released +%{_libdir}/libgp_0.so %endif %config(noreplace) %attr(0600,root,root) %{_sysconfdir}/rsyslog.d/secgear.conf %config(noreplace) %attr(0600,root,root) %{_sysconfdir}/logrotate.d/secgear @@ -112,23 +141,26 @@ popd %files devel %{_bindir}/* %{_includedir}/secGear/* +/lib/secGear/* +%{_sysconfdir}/secGear/cloud/rsa_public_key_cloud.pem +%ifarch x86_64 %files sim %defattr(-,root,root) %license License/LICENSE -/%{_lib}/libsecgearsim.so -%ifarch x86_64 -/%{_lib}/libsgxsim_0.so -%else -#The itrustee OS is not released +%{_libdir}/libsecgearsim.so +%{_libdir}/libsgxsim_0.so %endif %changelog +* Thu May 20 2021 chenmaodong - 0.1.0-14 +- DESC: update some bugfix form openeuler secGear + * Wed May 12 2021 yanlu - 0.1.0-13 - DESC: update signtool and codegen * Thu Apr 27 2021 chenmaodong - 0.1.0-12 -- DESC: add licenses and thirdparty opensource notice +- DESC: add cmake to Requires * Tue Apr 13 2021 wanghongzhe - 0.1.0-11 - DESC: add licenses and thirdparty opensource notice
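Review bot: The devel subpackage now ships `sign_tool.sh` and the `signtool_v3.py` helpers, yet `BuildRequires` switches from `python3` to bare `python` and no runtime `Requires` on any interpreter is added, so the signing tool's `python ${signtoolpath}/signtool_v3.py` call can fail with "command not found" on a host where only the build-time dependency was satisfied; add `Requires: python3` (or whichever interpreter `python` resolves to on openEuler) to `%package devel`. The hard-coded `install -d %{buildroot}/lib/secGear/` also places files outside `%{_prefix}`, which is inconsistent with the `/lib64` → `/usr/lib64` correction in the CMakeLists hunk of this same series; `%{_prefix}/lib/secGear`, with the matching `pypath` in sign_tool.sh, would be the conventional location. The new `-DCMAKE_BUILD_TYPE=Debug` line for the iTrustee path mirrors the existing x86 one; if a debug build is intended for the distributed package, a comment such as `# Debug build kept deliberately: <reason>` would keep future reviewers from flagging it.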
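Review bot: `%{_sysconfdir}/secGear/cloud/rsa_public_key_cloud.pem` is listed in `%files devel` as a plain file although it lives under `/etc` and is presumably the key the sign tool's cloud mode trusts; without a `%config` marker rpm silently replaces it on every upgrade and rpmlint reports non-conffile-in-etc. Mark it explicitly, `%config %attr(0644,root,root) %{_sysconfdir}/secGear/cloud/rsa_public_key_cloud.pem`, and decide (and state in a comment) whether `noreplace` is wanted — it lets an operator pin a different key but also lets a stale one linger. The `/lib/secGear/*` glob pulls in every file under that directory with the 751 mode set in `%install`; listing the `.py` files by name would keep an unreviewed drop-in from being packaged. The new changelog entry reads "bugfix form openeuler" — "from".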