packages/secGear
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!19 add codegen and sign_tool

Browse Source 
From: @zgzxx
Reviewed-by: @chenmaodong,@whzhe
Signed-off-by: @chenmaodong
This commit is contained in:
openeuler-ci-bot 2021-03-04 19:36:51 +08:00 committed by Gitee
commit c6ca3bad44
9 changed files with 2429 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

132
0001-add-README.cn.md.patch Normal file
View File

@ -0,0 +1,132 @@
From f42f4dd1b90309648077c3616587881004270019 Mon Sep 17 00:00:00 2001
From: whzhe <wanghongzhe@huawei.com>
Date: Thu, 4 Feb 2021 11:29:59 +0800
Subject: [PATCH 1/7] =?UTF-8?q?add=20README.cn.md.=20=E6=B7=BB=E5=8A=A0?=
=?UTF-8?q?=E4=B8=AD=E6=96=87=E5=A3=B0=E6=98=8E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
README.cn.md | 109 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 109 insertions(+)
create mode 100644 README.cn.md
diff --git a/README.cn.md b/README.cn.md
new file mode 100644
index 0000000..360632a
--- /dev/null
+++ b/README.cn.md
@@ -0,0 +1,109 @@
+<img src="docs/logo.png" alt="secGear" style="zoom:100%;" />
+
+secGear
+============================
+
+介绍
+-----------
+
+SecGear则是面向计算产业的机密计算安全应用开发套件。旨在方便开发者在不同的硬件设备上提供统一开发框架。目前secGear支持intel SGX硬件和Trustzone itrustee。
+
+构建、安装
+----------------
+
+- [详见 构建、安装](./docs/build_install.md)
+
+开发应用和编译
+------------------------------
+
+开发目录 .../secGear/examples/test/
+
+### 1 编写edl接口文件
+
+ enclave {
+ include "secgear_urts.h"
+ from "secgear_tstdc.edl" import *;
+ trusted {
+ public int get_string([out, size=32]char *buf);
+ };
+ };
+'include "secgear_urts.h" from "secgear_tstdc.edl" import *'是为了屏蔽SGX和iTrustee在调用libc库之间的差异。所以为了开发代码的一致性默认导入这两个文件。
+有关edl语法的详细信息请参阅SGX开发文档定义的EDL(Enclave Definition Language)语法部分。
+目前SGX和iTrustee在基本类型、指针类型和深拷贝方面是相互兼容的。对于user_check、private ecalls、switchless特性仅支持sgx硬件。
+
+保存文件名为test.edl
+
+### 2 编写最外层CMakeLists.txt文件
+
+ cmake_minimum_required(VERSION 3.12 FATAL_ERROR)
+ project(TEST C)
+ set(CMAKE_C_STANDARD 99)
+ set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
+ set(EDL_FILE test.edl)
+ set(LOCAL_ROOT_PATH "$ENV{CC_SDK}")
+ set(SECGEAR_INSTALL_PATH /lib64/)
+ if(CC_GP)
+ set(CODETYPE trustzone)
+ set(CODEGEN codegen_arm64)
+ execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID)
+ string(REPLACE "\n" "" UUID ${UUID})
+ add_definitions(-DPATH="/data/${UUID}.sec")
+ endif()
+ if(CC_SGX)
+ set(CODETYPE sgx)
+ set(CODEGEN codegen_x86_64)
+ add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so")
+ endif()
+ add_subdirectory(${CURRENT_ROOT_PATH}/enclave)
+ add_subdirectory(${CURRENT_ROOT_PATH}/host)
+
+EDL_FILE、CODETYPE稍后自动构建的时候会用到这些属性。
+UUID在iTrustee中构建安全enclave动态库需要使用UUID命名这里由uuidgen命令自动生成。
+DPATH用于定义非安全侧使用安全侧动态库的绝对路径
+
+### 3 编写非安全侧代码和CMakeLists.txt文件
+
+#### 3.1 创建host目录和main.c文件
+
+ #include <stdio.h>
+ #include "enclave.h"
+ #include "test_u.h"
+
+ #define BUF_LEN 32
+
+ int main()
+ {
+ int retval = 0;
+ char *path = PATH;
+ char buf[BUF_LEN];
+ cc_enclave_t *context = NULL;
+ cc_enclave_result_t res;
+
+ res = cc_enclave_create(path, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context);
+ ...
+
+ res = get_string(context, &retval, buf);
+ if (res != CC_SUCCESS || retval != (int)CC_SUCCESS) {
+ printf("Ecall enclave error\n");
+ } else {
+ printf("%s\n", buf);
+ }
+
+ if (context != NULL) {
+ res = cc_enclave_destroy(context);
+ ...
+ }
+ return res;
+ }
+
+enclave.h: secGear库头文件
+test_u.h: 根据edl文件自动生成的非安全侧头文件。
+cc_enclave_create: 用于创建enclave安全上下文。
+get_string: 根据edl中trusted定义的安全侧代理函数该代理函数用于进入到安全侧执行安全代码。
+cc_enclave_destroy: 用于销毁enclave安全上下文。
+
+注意这里调用的get_string函数与在edl中定义的get_string函数有些不同这里的参数比edl中定义的多了前两个参数分别是enclave安全上下文
+和retval参数。这是因为codegen自动生成代码工具通过edl生成的非安全侧代理函数其声明在test_u.h中。
+如果在edl中定义的函数无返回值时例如"public void get_string([out,size=32] char *buf);"则非安全侧代理函数为
+"res=get_string(context, buf)"(这里就不在有retval参数)
+
--
2.27.0

76
0002-it-is-better-to-define-enum-from-0-rather-than-1.patch Normal file
View File

@ -0,0 +1,76 @@
From c7464e2f6a492a84dd0c7c808ba43750961d5143 Mon Sep 17 00:00:00 2001
From: chenmaodong <chenmaodong@huawei.com>
Date: Thu, 4 Feb 2021 16:42:46 +0800
Subject: [PATCH 2/7] it is better to define enum from 0 rather than 1
Signed-off-by: chenmaodong <chenmaodong@huawei.com>
---
inc/enclave_inc/gp/gp.h | 2 +-
inc/host_inc/enclave.h | 4 ++--
inc/host_inc/status.h | 1 -
src/host_src/gp/gp_enclave.h | 2 +-
4 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/inc/enclave_inc/gp/gp.h b/inc/enclave_inc/gp/gp.h
index 0662110..bed6afd 100644
--- a/inc/enclave_inc/gp/gp.h
+++ b/inc/enclave_inc/gp/gp.h
@@ -25,7 +25,7 @@
#define COUNT(ARR) (sizeof(ARR) / sizeof((ARR)[0]))
enum
{
- SECGEAR_ECALL_FUNCTION = 1,
+ SECGEAR_ECALL_FUNCTION = 0,
};
typedef cc_enclave_result_t (*cc_ecall_func_t)(
diff --git a/inc/host_inc/enclave.h b/inc/host_inc/enclave.h
index 9722ca3..b063ce9 100644
--- a/inc/host_inc/enclave.h
+++ b/inc/host_inc/enclave.h
@@ -34,7 +34,7 @@ extern "C" {
/*the enclave types supported by cloud enclave*/
typedef enum _enclave_type {
- SGX_ENCLAVE_TYPE = 1,
+ SGX_ENCLAVE_TYPE = 0,
GP_ENCLAVE_TYPE,
AUTO_ENCLAVE_TYPE,
ENCLAVE_TYPE_MAX
@@ -42,7 +42,7 @@ typedef enum _enclave_type {
/*the enclave types and version supported by cloud enclave*/
typedef enum _enclave_type_version {
- SGX_ENCLAVE_TYPE_0 = 1,
+ SGX_ENCLAVE_TYPE_0 = 0,
SGX_ENCLAVE_TYPE_MAX,
GP_ENCLAVE_TYPE_0,
GP_ENCLAVE_TYPE_MAX,
diff --git a/inc/host_inc/status.h b/inc/host_inc/status.h
index 30f62d0..90f14a6 100644
--- a/inc/host_inc/status.h
+++ b/inc/host_inc/status.h
@@ -21,7 +21,6 @@ extern "C" {
#define NULL ((void *)0)
#endif
#define SECGEAR_ENUM_MAX 0xffffffff
-#define SGX_MK_ERROR(x) (0x00000000|(x))
typedef enum _enclave_result_t
{
diff --git a/src/host_src/gp/gp_enclave.h b/src/host_src/gp/gp_enclave.h
index 1764b99..52dc911 100644
--- a/src/host_src/gp/gp_enclave.h
+++ b/src/host_src/gp/gp_enclave.h
@@ -17,7 +17,7 @@
enum
{
- SECGEAR_ECALL_FUNCTION = 1,
+ SECGEAR_ECALL_FUNCTION = 0,
};
typedef struct _gp_context{
--
2.27.0

366
0003-update-README.cn.md.patch Normal file
View File

@ -0,0 +1,366 @@
From 2d59a27c4e2ca674ab976a793ea15de6183f8b13 Mon Sep 17 00:00:00 2001
From: whzhe <wanghongzhe@huawei.com>
Date: Thu, 4 Feb 2021 17:04:16 +0800
Subject: [PATCH 3/7] update README.cn.md.
---
README.cn.md | 345 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 345 insertions(+)
diff --git a/README.cn.md b/README.cn.md
index 360632a..274c70d 100644
--- a/README.cn.md
+++ b/README.cn.md
@@ -107,3 +107,348 @@ cc_enclave_destroy: 用于销毁enclave安全上下文。
如果在edl中定义的函数无返回值时例如"public void get_string([out,size=32] char *buf);"则非安全侧代理函数为
"res=get_string(context, buf)"(这里就不在有retval参数)
+#### 3.2 编写非安全侧CMakeLists.txt
+
+ #set auto code prefix
+ set(PREFIX test)
+ #set host exec name
+ set(OUTPUT secgear_test)
+ #set host src code
+ set(SOURCE_FILE ${CMAKE_CURRENT_SOURCE_DIR}/main.c)
+
+设置预备的基础变量
+
+ #set auto code
+ if(CC_GP)
+ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h)
+ add_custom_command(OUTPUT ${AUTO_FILES}
+ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE}
+ COMMAND ${CODEGEN} --${CODETYPE} --untrusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/gp)
+ endif()
+
+ if(CC_SGX)
+ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.c)
+ add_custom_command(OUTPUT ${AUTO_FILES}
+ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE}
+ COMMAND ${CODEGEN} --${CODETYPE} --untrusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include)
+ endif()
+
+设置使用代码辅助生成工具根据edl文件生成辅助代码。CODEGEN和CODETYPE等变量定义在CMakeList.txt文件.--search-path用于搜索在edl文件中导入依赖的其他edl文件。
+当使用SGX时需要导入sgx提供的基础edl因此这里指定了SGXSDK的patch "--search-path ${SGXSDK}/include)"。
+
+ set(CMAKE_C_FLAGS "-fstack-protector-all -W -Wall -Werror -Wextra -Werror=array-bounds -D_FORTIFY_SOURCE=2 -O2 -ftrapv -fPIE")
+ set(CMAKE_EXE_LINKER_FLAGS "-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack")
+
+设置编译选项和链接选项
+
+ if(CC_GP)
+ if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${SECGEAR_INSTALL_PATH})
+ endif()
+ add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES})
+ target_include_directories(${OUTPUT} PRIVATE
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/gp
+ ${CMAKE_CURRENT_BINARY_DIR})
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${OUTPUT} PRIVATE ${SECGEAR_INSTALL_PATH})
+ endif()
+ endif()
+
+在iTrustee硬件环境上设置头文件的搜索路径及编译生成非安全侧二进制文件。
+
+ if(CC_SGX)
+ if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${SECGEAR_INSTALL_PATH})
+ endif()
+ add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES})
+ target_include_directories(${OUTPUT} PRIVATE
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/sgx
+ ${CMAKE_CURRENT_BINARY_DIR})
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${OUTPUT} PRIVATE ${SECGEAR_INSTALL_PATH})
+ endif()
+ endif()
+
+在SGX硬件环境上设置头文件的搜索路径及编译生成非安全侧二进制文件。
+
+ if(CC_SIM)
+ target_link_libraries(${OUTPUT} secgearsim)
+ else()
+ target_link_libraries(${OUTPUT} secgear)
+ endif()
+ set_target_properties(${OUTPUT} PROPERTIES SKIP_BUILD_RPATH TRUE)
+ if(CC_GP)
+ install(TARGETS ${OUTPUT}
+ RUNTIME
+ DESTINATION /vendor/bin/
+ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ)
+ endif()
+ if(CC_SGX)
+ install(TARGETS ${OUTPUT}
+ RUNTIME
+ DESTINATION ${CMAKE_BINARY_DIR}/bin/
+ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ)
+ endif()
+
+
+设置secGear链接库当指定模拟模式CC_SIM时链接libsecgearsim.so否则链接libsecgear.so。
+在iTrustee硬件环境上需指定安装固定的安全白名单。
+
+### 4 编写安全侧代码、CMakeList.txt及基础配置文件
+
+#### 4.1 创建enclave目录 编写hello.c
+
+ #include <stdio.h>
+ #include <string.h>
+ #include "test_t.h"
+
+ #define TA_HELLO_WORLD "secGear hello world!"
+ #define BUF_MAX 32
+ int get_string(char *buf)
+ {
+ strncpy(buf, TA_HELLO_WORLD, strlen(TA_HELLO_WORLD) + 1);
+ return 0;
+ }
+
+test_t.h该头文件为自动生成代码工具codegen通过edl文件生成的头文件。该头文件命名为edl文件名加"_t"。
+
+#### 4.2 编写CMakeList.txt文件
+
+ #set auto code prefix
+ set(PREFIX test)
+ #set sign key
+ set(PEM Enclave_private.pem)
+
+设置enclave签名私钥
+
+ #set sign tool
+ set(SIGN_TOOL ${LOCAL_ROOT_PATH}/tools/sign_tool/sign_tool.sh)
+ #set enclave src code
+ set(SOURCE_FILES ${CMAKE_CURRENT_SOURCE_DIR}/hello.c)
+ #set log level
+ set(PRINT_LEVEL 3)
+ add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL})
+
+设置签名工具已经安全侧打印日志level
+
+ if(CC_GP)
+ #set signed output
+ set(OUTPUT ${UUID}.sec)
+ #set itrustee device key
+ set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem)
+
+ set(WHITE_LIST_0 /vendor/bin/helloworld)
+ set(WHITE_LIST_1 /vendor/bin/secgear_test)
+ set(WHITE_LIST_OWNER root)
+ set(WHITELIST WHITE_LIST_0 WHITE_LIST_1)
+
+ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h)
+ add_custom_command(OUTPUT ${AUTO_FILES}
+ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE}
+ COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/gp)
+ endif()
+
+WHITE_LIST_x为设置iTrustee的二进制白名单只有这里定义的白名单在非安全侧的二进制才可以调用安全侧的动态库。上限为8个。
+WHITE_LIST_OWNER为设置运行二进制的用户只有该用户才可以调用安全侧动态库。
+DEVICEPEM该公钥用来动态生成aes秘钥
+AUTO_FILES由edl文件生成的安全侧二进制文件
+
+ if(CC_SGX)
+ set(OUTPUT enclave.signed.so)
+ set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c)
+ add_custom_command(OUTPUT ${AUTO_FILES}
+ DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE}
+ COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include)
+ endif()
+
+设置自动生成代码及签名动态库。
+
+ set(COMMON_C_FLAGS "-W -Wall -Werror -fno-short-enums -fno-omit-frame-pointer -fstack-protector \
+ -Wstack-protector --param ssp-buffer-size=4 -frecord-gcc-switches -Wextra -nostdinc -nodefaultlibs \
+ -fno-peephole -fno-peephole2 -Wno-main -Wno-error=unused-parameter \
+ -Wno-error=unused-but-set-variable -Wno-error=format-truncation=")
+
+ set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs -nostartfiles")
+
+设置安全侧便编译选项和链接选项。由于安全侧和非安全侧不同,非安全侧的标准动态库不能被安全侧链接。例如:"-nostdlib -nodefaultlibs -nostartfiles"
+
+
+ if(CC_GP)
+ configure_file("${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt.in" "${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt")
+
+ set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -march=armv8-a ")
+ set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s -fPIC")
+ set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-s")
+
+ set(ITRUSTEE_TEEDIR ${iTrusteeSDK}/)
+ set(ITRUSTEE_LIBC ${iTrusteeSDK}/thirdparty/open_source/musl/libc)
+
+ if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${SECGEAR_INSTALL_PATH})
+ endif()
+
+ add_library(${PREFIX} SHARED ${SOURCE_FILES} ${AUTO_FILES})
+
+ target_include_directories( ${PREFIX} PRIVATE
+ ${CMAKE_CURRENT_BINARY_DIR}
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/gp
+ ${LOCAL_ROOT_PATH}/inc/enclave_inc
+ ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp
+ ${ITRUSTEE_TEEDIR}/include/TA
+ ${ITRUSTEE_TEEDIR}/include/TA/huawei_ext
+ ${ITRUSTEE_LIBC}/arch/aarch64
+ ${ITRUSTEE_LIBC}/
+ ${ITRUSTEE_LIBC}/arch/arm/bits
+ ${ITRUSTEE_LIBC}/arch/generic
+ ${ITRUSTEE_LIBC}/arch/arm
+ ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp/itrustee)
+
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${PREFIX} PRIVATE ${SECGEAR_INSTALL_PATH})
+ endif()
+
+ foreach(WHITE_LIST ${WHITELIST})
+ add_definitions(-D${WHITE_LIST}="${${WHITE_LIST}}")
+ endforeach(WHITE_LIST)
+ add_definitions(-DWHITE_LIST_OWNER="${WHITE_LIST_OWNER}")
+
+ target_link_libraries(${PREFIX} -lsecgear_tee)
+
+ add_custom_command(TARGET ${PREFIX}
+ POST_BUILD
+ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
+ -e ${DEVICEPEM} -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT})
+
+ install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT}
+ DESTINATION /data
+ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+
+ endif()
+
+manifest.txtitrustee安全侧配置文件后面对该文件进行详解
+指定itrustee特性编译选项设置引用头文件和动态库的路径。
+前面声明的白名单在这里定义。
+itrustee需要链接secgear_tee动态库提供seal接口等。
+
+ if(CC_SGX)
+ set(SGX_DIR ${SGXSDK})
+ set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -m64 -fvisibility=hidden")
+ set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s")
+ set(LINK_LIBRARY_PATH ${SGX_DIR}/lib64)
+
+ if(CC_SIM)
+ set(Trts_Library_Name sgx_trts_sim)
+ set(Service_Library_Name sgx_tservice_sim)
+ else()
+ set(Trts_Library_Name sgx_trts)
+ set(Service_Library_Name sgx_tservice)
+ endif()
+
+ set(Crypto_Library_Name sgx_tcrypto)
+
+ set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-z,defs -Wl,-pie -Bstatic -Bsymbolic -eenclave_entry \
+ -Wl,--export-dynamic -Wl,--defsym,__ImageBase=0 -Wl,--gc-sections -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/Enclave.lds")
+
+ if(${CMAKE_VERSION} VERSION_LESS "3.13.0")
+ link_directories(${LINK_LIBRARY_PATH})
+ endif()
+
+ add_library(${PREFIX} SHARED ${SOURCE_FILES} ${AUTO_FILES})
+
+ target_include_directories(${PREFIX} PRIVATE
+ ${CMAKE_CURRENT_BINARY_DIR}
+ ${SGX_DIR}/include/tlibc
+ ${SGX_DIR}/include/libcxx
+ ${SGX_DIR}/include
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/sgx)
+
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_directories(${PREFIX} PRIVATE
+ ${LINK_LIBRARY_PATH})
+ endif()
+
+ target_link_libraries(${PREFIX} -Wl,--whole-archive ${Trts_Library_Name} -Wl,--no-whole-archive
+ -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -l${Crypto_Library_Name} -l${Service_Library_Name} -Wl,--end-group)
+ add_custom_command(TARGET ${PREFIX}
+ POST_BUILD
+ COMMAND openssl genrsa -3 -out ${PEM} 3072
+ COMMAND bash ${SIGN_TOOL} -d sign -x sgx -i lib${PREFIX}.so -k ${PEM} -o ${OUTPUT} -c ${CMAKE_CURRENT_SOURCE_DIR}/Enclave.config.xml)
+ endif()
+
+
+在SGX硬件环境上指定一些与sgx相关的编译选项、链接选项。链接动态库时有所不同因为itrustee是一个具有更多功能的安全操作系统。提供如muslibc和openssl。在编译和链接itrustee时不用链接一些基本库但是sgx没有OS概念。所以要在安全侧调用这些基本库的接口都要以静态的形式在sgxsdk中给出。例如"sgx_trts"
+
+有关更多详细信息请参阅sgx示例的Makefile。最后用enclave配置文件完成签名稍后将进行介绍。secGear尚不支持远程身份验证。
+
+#### 4.3 编写安全侧配置文件
+
+编写与sgx enclave相关的配置文件中Enclave.config.xml文件及enclave.lds文件与官方sgx配置相同。详情参阅官方开发文档。
+
+编写itrustee enclave相关配置文件
+mainfest.txt.in:其中gpd.ta.appID 为动态生成uuid。其他配置参见itrustee开发文档。
+
+rsa_public_key_cloud.pem文件请将其他examples的中的拷贝过来这里的设备公钥用于使用临时生成的aes密钥用于对enclave动态库进行加密。
+
+#### 5 构建 安装
+
+进入开发目录cd .../secGear/example/test/
+创建debug目录mkdir debug && cd debug
+cmake构建cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=ON -DSGXSDK=sgx_sdk path .. && make && sudo make install sgx硬件环境
+ cmake -DCMAKE_BUILD_TYPE=Debug -DCC_GP=ON -DiTrusteeSDK=gp_sdk path .. && make && sudo make install itrustee硬件环境
+
+Log
+---
+非安全侧日志记录:
+
+非安全侧是开发与普通开发环境一样,可使用通用打印日志接口。
+
+安全侧日志记录:
+
+由于各架构安全能力不同的限制为了像非安全侧一样开发使用日志打印功能因为我们提供了PrintInfo接口将安全端日志记录到syslog系统中。
+相关配置文件为 conf/logrotate.d/secgear和conf/rsyslog.d/secgear.conf文件安装时将安装在系统目录/etc/中。
+
+注意在itrustee上需要include secgear_log.h头文件但是sgx不需要sgx通过ocall功能实现的所以相关代码生成在辅助代码中。
+当文件安装成功后需要运行"systemctl restart rsyslog"使日志功能生效。
+
+日志等级:
+
+ PRINT_ERROR 0
+ PRINT_WARNING 1
+ PRINT_STRACE 2
+ PRINT_DEBUG 3
+
+使用ocall
+---------
+
+目前ocall仅在sgx平台支持itrustee尚不支持。
+
+seal, generate_random接口
+--------------------------------------
+
+接口定义在secgear_dataseal.h、secgear_random.h中。
+注意由于itrustee派生密钥的功能仍然不完善因此目前还没有与密封相关的接口在itrustee平台上支持。
+
+远程证明(尚不支持)
+--------------------------------------
+
+了解更多关于codegener
+--------------------------------------
+
+secGear引入EDL(Enclave Description Language)和中间代码辅助生成工具codegener。edl与intel sgx定义兼容。
+
+
+- [了解更多关于codegener](./docs/codegener.md)
+
+了解更多关于sign_tool
+-----------------------------
+
+
+- [了解更多关于签名工具](./docs/sign_tool.md)
+
+Milestone
+---------
+<img src="docs/milestone.png" alt="secGear" style="zoom:80%;" />
\ No newline at end of file
--
2.27.0

25
0004-update-README.cn.md.patch Normal file
View File

@ -0,0 +1,25 @@
From 87dfa76438300aa21a7a28cd794c4d7912c40425 Mon Sep 17 00:00:00 2001
From: whzhe <wanghongzhe@huawei.com>
Date: Thu, 4 Feb 2021 17:05:14 +0800
Subject: [PATCH 4/7] update README.cn.md.
---
README.cn.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.cn.md b/README.cn.md
index 274c70d..54c32e3 100644
--- a/README.cn.md
+++ b/README.cn.md
@@ -449,6 +449,6 @@ secGear引入EDL(Enclave Description Language)和中间代码辅助生成工具c
- [了解更多关于签名工具](./docs/sign_tool.md)
-Milestone
+里程碑
---------
<img src="docs/milestone.png" alt="secGear" style="zoom:80%;" />
\ No newline at end of file
--
2.27.0

1521
0005-delete-unnecessary-README.cn.md.patch Normal file
View File

File diff suppressed because it is too large Load Diff

82
0006-fix-issues-about-double-create-destory.patch Normal file
View File

@ -0,0 +1,82 @@
From f1361d482b30dc651485b3ae0665a33148602786 Mon Sep 17 00:00:00 2001
From: liwei3013 <liwei3013@126.com>
Date: Wed, 24 Feb 2021 14:00:10 +0800
Subject: [PATCH 6/7] fix issues about double create/destory
Signed-off-by: liwei3013 <liwei3013@126.com>
---
src/host_src/enclave.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
index 14f6aae..e3020d3 100644
--- a/src/host_src/enclave.c
+++ b/src/host_src/enclave.c
@@ -67,7 +67,6 @@ static void error_handle(cc_enclave_t **l_context, void *handle, p_tee_registere
if (path) {
free(path);
}
- path = NULL;
if (*l_context) {
free(*l_context);
@@ -110,8 +109,14 @@ done:
static bool check_flag(cc_enclave_result_t *res, const char *path, uint32_t flags, const enclave_features_t *features,
const uint32_t features_count, cc_enclave_t **enclave)
{
- if (!path || !enclave || (features_count > 0 && features == NULL)
- || (features_count == 0 && features != NULL) || (flags & SECGEAR_RESERVED_FLAG)) {
+ if (enclave == NULL || *enclave != NULL) {
+ *res = CC_ERROR_BAD_PARAMETERS;
+ print_error_term("Input context should not be NULL or context pointer should be set to NULL\n");
+ return false;
+ }
+
+ if (!path || (features_count > 0 && features == NULL) || (features_count == 0 && features != NULL)
+ || (flags & SECGEAR_RESERVED_FLAG)) {
*res = CC_ERROR_BAD_PARAMETERS;
print_error_term("Parameter error\n");
return false;
@@ -194,8 +199,12 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
}
SECGEAR_CHECK_RES_NO_LOG(res);
- if (!check_flag(&res, path, flags, features, features_count, enclave) || !check_transform_path(&res, path, &l_path)
- || !chose_engine_type(&res, type, version, &type_version)|| !allocate_context_memory(&res, &l_context)) {
+ if (!check_flag(&res, path, flags, features, features_count, enclave)) {
+ return res;
+ }
+
+ if (!check_transform_path(&res, path, &l_path) || !chose_engine_type(&res, type, version, &type_version)
+ || !allocate_context_memory(&res, &l_context)) {
goto done;
}
@@ -267,7 +276,8 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
/* check context and enclave engine context */
if (!context || !context->list_ops_node) {
- print_error_goto("Function context parameter error\n");
+ print_error_term("Function context parameter error\n");
+ return CC_ERROR_BAD_PARAMETERS;
}
if (context->list_ops_node->ops_desc->ops->cc_destroy_enclave != NULL) {
@@ -294,6 +304,7 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
pthread_mutex_unlock(&(g_list_ops.mutex_work));
print_error_goto("Close engine failure\n");
}
+ context->list_ops_node = NULL;
}
/* free enclave number resources */
g_list_ops.enclaveState.enclave_count--;
@@ -308,6 +319,5 @@ done:
if (context) {
free(context);
}
- context = NULL;
return res;
}
--
2.27.0

173
0007-to-make-secGear-log-more-clear.patch Normal file
View File

@ -0,0 +1,173 @@
From 956328150ae4a07b2f95cb2d4993b767c14b9e9b Mon Sep 17 00:00:00 2001
From: chenmaodong <chenmaodong@huawei.com>
Date: Fri, 26 Feb 2021 10:06:50 +0800
Subject: [PATCH 7/7] to make secGear log more clear
Signed-off-by: chenmaodong <chenmaodong@huawei.com>
---
inc/host_inc/status.h | 23 ++++++++++++++++-------
src/host_src/enclave.c | 33 +++++++++++++++++++--------------
src/host_src/enclave_internal.c | 6 +++---
3 files changed, 38 insertions(+), 24 deletions(-)
diff --git a/inc/host_inc/status.h b/inc/host_inc/status.h
index 90f14a6..84c092a 100644
--- a/inc/host_inc/status.h
+++ b/inc/host_inc/status.h
@@ -180,7 +180,7 @@ __attribute__((visibility("default"))) const char *cc_enclave_res2_str(cc_enclav
int32_t _res = (RES); \
if (_res != 0) { \
CCRES = CC_FAIL; \
- print_error_goto("Mutex acquisition or release error \n"); \
+ print_error_goto("%s Mutex acquisition or release error\n", cc_enclave_res2_str(CCRES)); \
} \
} while(0)
@@ -195,12 +195,21 @@ __attribute__((visibility("default"))) const char *cc_enclave_res2_str(cc_enclav
} while(0)
/* jump to done and log according to the type of res */
-#define SECGEAR_CHECK_RES(RES) \
- do { \
- cc_enclave_result_t _res = (RES); \
- if (_res != CC_SUCCESS) { \
- print_error_goto(":%s \n", cc_enclave_res2_str(_res)); \
- } \
+#define SECGEAR_CHECK_RES(RES) \
+ do { \
+ cc_enclave_result_t _res = (RES); \
+ if (_res != CC_SUCCESS) { \
+ print_error_goto("%s \n", cc_enclave_res2_str(_res)); \
+ } \
+ } while(0)
+
+#define SECGEAR_CHECK_RES_UNLOCK(RES) \
+ do { \
+ cc_enclave_result_t _res = (RES); \
+ if (_res != CC_SUCCESS) { \
+ pthread_mutex_unlock(&(g_list_ops.mutex_work)); \
+ print_error_goto("%s \n", cc_enclave_res2_str(_res)); \
+ } \
} while(0)
/* jump done, error log already printed in the previous error function */
diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
index e3020d3..dc8c5ed 100644
--- a/src/host_src/enclave.c
+++ b/src/host_src/enclave.c
@@ -110,15 +110,19 @@ static bool check_flag(cc_enclave_result_t *res, const char *path, uint32_t flag
const uint32_t features_count, cc_enclave_t **enclave)
{
if (enclave == NULL || *enclave != NULL) {
- *res = CC_ERROR_BAD_PARAMETERS;
- print_error_term("Input context should not be NULL or context pointer should be set to NULL\n");
+ *res = CC_ERROR_INVALID_ENCLAVE_ID;
return false;
}
-
- if (!path || (features_count > 0 && features == NULL) || (features_count == 0 && features != NULL)
- || (flags & SECGEAR_RESERVED_FLAG)) {
+ if (!path) {
+ *res = CC_ERROR_INVALID_PATH;
+ return false;
+ }
+ if ((features_count > 0 && features == NULL) || (features_count == 0 && features != NULL)) {
*res = CC_ERROR_BAD_PARAMETERS;
- print_error_term("Parameter error\n");
+ return false;
+ }
+ if (flags & SECGEAR_RESERVED_FLAG) {
+ *res = CC_ERROR_NOT_SUPPORTED;
return false;
}
return true;
@@ -197,9 +201,10 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
if (res == CC_ERROR_UNEXPECTED) {
check = false;
}
- SECGEAR_CHECK_RES_NO_LOG(res);
+ SECGEAR_CHECK_RES(res);
if (!check_flag(&res, path, flags, features, features_count, enclave)) {
+ print_error_term("%s\n", cc_enclave_res2_str(res));
return res;
}
@@ -239,13 +244,13 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
res = find_engine_open(type_version, &handle);
- SECGEAR_CHECK_RES_NO_LOG_UNLOCK(res);
+ SECGEAR_CHECK_RES_UNLOCK(res);
res = find_engine_registered(handle, &registered_func, &unregistered_func);
- SECGEAR_CHECK_RES_NO_LOG_UNLOCK(res);
+ SECGEAR_CHECK_RES_UNLOCK(res);
res = (*registered_func)(&l_context, handle);
- SECGEAR_CHECK_RES_NO_LOG_UNLOCK(res);
+ SECGEAR_CHECK_RES_UNLOCK(res);
ires = pthread_mutex_unlock(&(g_list_ops.mutex_work));
SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
@@ -256,7 +261,7 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
if (l_context->list_ops_node != NULL && l_context->list_ops_node->ops_desc->ops->cc_create_enclave != NULL) {
/* failure of this function will not bring out additional memory that needs to be managed */
res = l_context->list_ops_node->ops_desc->ops->cc_create_enclave(enclave, features, features_count);
- SECGEAR_CHECK_RES_NO_LOG(res);
+ SECGEAR_CHECK_RES(res);
} else {
print_error_goto("Enclave type version %d no valid ops function", type_version);
}
@@ -282,21 +287,21 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
if (context->list_ops_node->ops_desc->ops->cc_destroy_enclave != NULL) {
res = context->list_ops_node->ops_desc->ops->cc_destroy_enclave(context);
- SECGEAR_CHECK_RES_NO_LOG(res);
+ SECGEAR_CHECK_RES(res);
} else {
print_error_goto("Enclave context no valid ops function\n");
}
/* look up enclave engine unregistered */
res = find_engine_registered(context->list_ops_node->ops_desc->handle, NULL, &unregistered_funcc);
- SECGEAR_CHECK_RES_NO_LOG(res);
+ SECGEAR_CHECK_RES(res);
/* lock call unregistered func */
pthread_mutex_lock(&(g_list_ops.mutex_work));
SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
/* call enclave engine free node */
res = (*unregistered_funcc)(context, context->list_ops_node->ops_desc->type_version);
- SECGEAR_CHECK_RES_NO_LOG_UNLOCK(res);
+ SECGEAR_CHECK_RES_UNLOCK(res);
if (context->list_ops_node->ops_desc->count == 0) {
ires = dlclose(context->list_ops_node->ops_desc->handle);
if (ires != 0) {
diff --git a/src/host_src/enclave_internal.c b/src/host_src/enclave_internal.c
index de51f2d..9a172bd 100644
--- a/src/host_src/enclave_internal.c
+++ b/src/host_src/enclave_internal.c
@@ -117,8 +117,8 @@ static err2str g_secgearerror [] =
{CC_ERROR_BAD_PARAMETERS, "Invalid parameter."},
{CC_ERROR_BAD_STATE, "Bad state."},
{CC_ERROR_ITEM_NOT_FOUND, "The requested item is not found."},
- {CC_ERROR_NOT_IMPLEMENTED, "opration is not implemented."},
- {CC_ERROR_NOT_SUPPORTED, "operation is not support."},
+ {CC_ERROR_NOT_IMPLEMENTED, "operation is not implemented."},
+ {CC_ERROR_NOT_SUPPORTED, "feature or type is not support."},
{CC_ERROR_NO_DATA, "There is no data."},
{CC_ERROR_OUT_OF_MEMORY, "Out of memory."},
{CC_ERROR_BUSY, "Busy system."},
@@ -231,7 +231,7 @@ cc_enclave_result_t find_engine_open(enclave_type_version_t type, void **handle)
}
if (!*handle) {
res = CC_ERROR_INVALID_HANDLE;
- print_error_goto("The dlopen failure: reason is %s\n", dlerror());
+ print_error_goto("%s\n", dlerror());
} else {
res = CC_SUCCESS;
}
--
2.27.0

25
0008-modify-path-error.patch Normal file
View File

@ -0,0 +1,25 @@
From 4ad45c9dfd22eb5e4193e5769227ad9ecedc8812 Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Thu, 4 Mar 2021 11:10:06 +0800
Subject: [PATCH] modify path error
---
tools/codegener/Genheader.ml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/codegener/Genheader.ml b/tools/codegener/Genheader.ml
index 8c7391d..e683670 100644
--- a/tools/codegener/Genheader.ml
+++ b/tools/codegener/Genheader.ml
@@ -316,7 +316,7 @@ let generate_untrusted_header (ec: enclave_content) =
in
let hfile_end = "#endif\n" in
let hfile_include =
- sprintf "#include \"%s_args.h\"\n#include \"enclave_internal.h\"\n" ec.file_shortnm
+ sprintf "#include \"%s_args.h\"\n#include \"secGear/enclave_internal.h\"\n" ec.file_shortnm
in
let agent_id = "#ifndef TEE_SECE_AGENT_ID\n#define TEE_SECE_AGENT_ID 0x53656345\n#endif\n"
in
--
2.27.0

45
secGear.spec
View File

@ -1,6 +1,6 @@
Name: secGear
Version: 0.1.0
Release: 4%{?dist}
Release: 5%{?dist}
Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features
ExclusiveArch: x86_64
@ -9,6 +9,15 @@ License: Mulan PSL v2
URL: https://gitee.com/openeuler/secGear
Source0: https://gitee.com/openeuler/secGear/repository/archive/v%{version}.tar.gz
Patch0: 0001-add-README.cn.md.patch
Patch1: 0002-it-is-better-to-define-enum-from-0-rather-than-1.patch
Patch2: 0003-update-README.cn.md.patch
Patch3: 0004-update-README.cn.md.patch
Patch4: 0005-delete-unnecessary-README.cn.md.patch
Patch5: 0006-fix-issues-about-double-create-destory.patch
Patch6: 0007-to-make-secGear-log-more-clear.patch
Patch7: 0008-modify-path-error.patch
BuildRequires: gcc python3 automake autoconf libtool
BUildRequires: glibc glibc-devel
%ifarch x86_64
@ -37,7 +46,7 @@ Requires: %{name}%{?isa} = %{version}-%{release}
The %{name}-sim is package contains simulation libraries for developing applications
%prep
%setup -q -n secGear
%autosetup -n %{name} -p1
%build
@ -54,23 +63,22 @@ make
%install
make install DESTDIR=%{buildroot}
install -d %{buildroot}/%{_includedir}/secGear
install -d %{buildroot}/%{_includedir}/secGear/host_inc
install -d %{buildroot}/%{_includedir}/secGear/enclave_inc
#install -pm 644 inc/host_inc/* %{buildroot}/%{_includedir}/secGear/host_inc
%ifarch x86_64
install -d %{buildroot}/%{_includedir}/secGear/host_inc/sgx
install -d %{buildroot}/%{_includedir}/secGear/enclave_inc/sgx
install -pm 644 inc/host_inc/*.h %{buildroot}/%{_includedir}/secGear/host_inc
install -pm 644 inc/host_inc/sgx/*.h %{buildroot}/%{_includedir}/secGear/host_inc/sgx
install -pm 644 inc/enclave_inc/*.h %{buildroot}/%{_includedir}/secGear/enclave_inc
install -pm 644 inc/enclave_inc/sgx/*.h %{buildroot}/%{_includedir}/secGear/enclave_inc/sgx
install -d %{buildroot}/%{_bindir}
install -pm 644 inc/host_inc/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/host_inc/sgx/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/host_inc/sgx/*.edl %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/enclave_inc/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/enclave_inc/sgx/*.h %{buildroot}/%{_includedir}/secGear
install -pm 751 bin/codegen_x86_64 %{buildroot}/%{_bindir}
install -pm 751 tools/sign_tool/sign_tool.sh %{buildroot}/%{_bindir}
%else
install -d %{buildroot}/%{_includedir}/secGear/host_inc/gp
install -d %{buildroot}/%{_includedir}/secGear/enclave_inc/gp
install -pm 644 inc/host_inc/*.h %{buildroot}/%{_includedir}/secGear/host_inc
install -pm 644 inc/host_inc/gp/*.h %{buildroot}/%{_includedir}/secGear/host_inc/gp
install -pm 644 inc/enclave_inc/*.h %{buildroot}/%{_includedir}/secGear/enclave_inc
install -pm 644 inc/enclave_inc/gp/*.h %{buildroot}/%{_includedir}/secGear/enclave_inc/gp
install -d %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/host_inc/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/host_inc/gp/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/enclave_inc/*.h %{buildroot}/%{_includedir}/secGear
install -pm 644 inc/enclave_inc/gp/*.h %{buildroot}/%{_includedir}/secGear
%endif
rm %{buildroot}/home* -rf
@ -86,7 +94,9 @@ rm %{buildroot}/home* -rf
%endif
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/rsyslog.d/secgear.conf
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/logrotate.d/secgear
%files devel
%{_bindir}/*
%{_includedir}/secGear/*
%files sim
@ -99,6 +109,9 @@ rm %{buildroot}/home* -rf
%endif
%changelog
* Wed Mar 3 2021 zhangguangzhi<zhangguangzhi@huawei.com> - 0.1.0-5
- DESC: add codegen and sign_tool, modify file path and backport patch
* Mon Feb 22 2021 chenmaodong<chenmaodong@huawei.com> - 0.1.0-4
- DESC:delete unnecessary BuildRequires