From f7995d756490c966659976153630403ba9941c18 Mon Sep 17 00:00:00 2001 From: yanlu Date: Mon, 12 Apr 2021 11:17:16 +0800 Subject: [PATCH 03/14] rm -e parameter, normalize -c parameter --- README.en.md | 12 ++---- README.md | 10 ++--- docs/sign_tool.md | 12 +++--- examples/helloworld/enclave/CMakeLists.txt | 6 +-- examples/seal_data/enclave/CMakeLists.txt | 7 +--- .../enclave/rsa_public_key_cloud.pem | 11 ------ .../sign_tool}/rsa_public_key_cloud.pem | 0 tools/sign_tool/sign_tool.sh | 39 +++++++------------ 8 files changed, 29 insertions(+), 68 deletions(-) delete mode 100644 examples/seal_data/enclave/rsa_public_key_cloud.pem rename {examples/helloworld/enclave => tools/sign_tool}/rsa_public_key_cloud.pem (100%) diff --git a/README.en.md b/README.en.md index fa47d03..0acc4f8 100644 --- a/README.en.md +++ b/README.en.md @@ -254,8 +254,6 @@ Set sign tool and the security side log printing level if(CC_GP) #set signed output set(OUTPUT ${UUID}.sec) - #set itrustee device key - set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem) set(WHITE_LIST_0 /vendor/bin/helloworld) set(WHITE_LIST_1 /vendor/bin/secgear_test) @@ -270,8 +268,7 @@ Set sign tool and the security side log printing level WHITE_LIS_X sets the whitelist of itrustee, only the host binary of these paths can call this secure image, and up to 8 list paths can be configured. WHITE_LIST_OWNER set user, this user will be applied to all whitelist paths. -DEVICEPEM public key is used by itrustee and is used to encrypt the enclave image of the security side with the -dynamically generated aes key. Finally, set the name of the security side image after the final signature, and +Finally, set the name of the security side image after the final signature, and generate auxiliary code. if(CC_SGX) 
@@ -339,8 +336,8 @@ so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options was in add_custom_command(TARGET ${PREFIX} POST_BUILD - COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt - -e ${DEVICEPEM} -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT}) + COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt + -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT}) install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT} DESTINATION /data @@ -425,9 +422,6 @@ configuration file. For details, please refer to the official development docum Write itrustee related configuration files The gpd.ta.appID in the manifest.txt.in file is the uuid configuration item, which is dynamically generated, and the other configuration items can refer to the itrustee development document. - -Copy the rsa_public_key_cloud.pem device public key from other examples in the project to the enclave directory. -The device public key here is used to encrypt the enclave image with the temporarily generated aes key. ### 5 build and install test diff --git a/README.md b/README.md index 54c32e3..77bebd6 100644 --- a/README.md +++ b/README.md @@ -236,8 +236,6 @@ test_t.h:该头文件为自动生成代码工具codegen通过edl文件生成 if(CC_GP) #set signed output set(OUTPUT ${UUID}.sec) - #set itrustee device key - set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem) set(WHITE_LIST_0 /vendor/bin/helloworld) set(WHITE_LIST_1 /vendor/bin/secgear_test) @@ -252,7 +250,6 @@ test_t.h:该头文件为自动生成代码工具codegen通过edl文件生成 WHITE_LIST_x:为设置iTrustee的二进制白名单,只有这里定义的白名单,在非安全侧的二进制才可以调用安全侧的动态库。上限为8个。 WHITE_LIST_OWNER:为设置运行二进制的用户,只有该用户才可以调用安全侧动态库。 -DEVICEPEM:该公钥用来动态生成aes秘钥 AUTO_FILES:由edl文件生成的安全侧二进制文件 if(CC_SGX) 
@@ -319,8 +316,8 @@ AUTO_FILES:由edl文件生成的安全侧二进制文件 add_custom_command(TARGET ${PREFIX} POST_BUILD - COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt - -e ${DEVICEPEM} -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT}) + COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt + -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT}) install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT} DESTINATION /data @@ -391,7 +388,6 @@ itrustee需要链接secgear_tee动态库,提供seal接口等。 编写itrustee enclave相关配置文件 mainfest.txt.in:其中gpd.ta.appID 为动态生成uuid。其他配置参见itrustee开发文档。 -rsa_public_key_cloud.pem文件请将其他examples的中的拷贝过来,这里的设备公钥用于使用临时生成的aes密钥用于对enclave动态库进行加密。 #### 5 构建 安装 diff --git a/docs/sign_tool.md b/docs/sign_tool.md index 26805bd..ccaa2e6 100644 --- a/docs/sign_tool.md +++ b/docs/sign_tool.md 
@@ -13,36 +13,34 @@ The tool supports the following two modes: For example: - `$ ./sign_tool.sh –d sign –x trustzone –i test.enclave -m manifest.txt –e device_pubkey.pem –o signed.enclave ` + `$ ./sign_tool.sh –d sign –x trustzone –i test.enclave -c manifest.txt –o signed.enclave ` - two-step method, it is used when the signature needs to be obtained from the signing organization or the private key is stored on another secure platform. For example: (1) generate the digest value. - `$ ./sign_tool.sh –d digest –x trustzone –i input -m manifest.txt –e device_pubkey.pem –o digest.data ` + `$ ./sign_tool.sh –d digest –x trustzone –i input -c manifest.txt –o digest.data ` For trustzone, temporary files KeyInfo.enc, rawData.enc, and rawDataHash.bin are generated in the current directory. And for sgx, a temporary file signdata is generated in the current directory. The temporary file is required when generating the signed enclave in step 3 and is deleted after the signed enclave is generated. (2) send the digest.data to the signing organization or platform and get the signature. (3) use the signature to generate the signed enclave. - `$ ./sign_tool.sh –d sign –x trustzone –i input -m manifest.txt –p pub.pem –e device_pubkey.pem –s signature –o signed.enclave ` + `$ ./sign_tool.sh –d sign –x trustzone –i input -c manifest.txt –p pub.pem –s signature –o signed.enclave ` ## sign_tool.sh parameter ``` -a API_LEVEL, indicates trustzone GP API version, defalut is 1. - -c config file. + -c basic config file. -d sign tool command, sign/digest. The sign command is used to generate a signed enclave. The digest command is used to generate a digest value. - -e the device's public key certificate, used to protect the AES key of the encrypted rawdata, - required by trustzone. -f OTRP_FLAG, indicates whether the OTRP standard protocol is supported, default is 0. -i enclave to be signed. -k private key required for single-step method, required when trustzone TA_TYPE is 2 or sgx. 
- -m manifest file, required by trustzone. + -m additional config for trustzone when TA_TYPE is 2. -o output parameters, the sign command outputs sigend enclave, the digest command outputs digest value. -p signing server public key certificate, required for two-step method. -s the signed digest value required for two-step method, this parameter is empty to indicate single-step method. diff --git a/examples/helloworld/enclave/CMakeLists.txt b/examples/helloworld/enclave/CMakeLists.txt index c1638f8..0aefdae 100644 --- a/examples/helloworld/enclave/CMakeLists.txt +++ b/examples/helloworld/enclave/CMakeLists.txt @@ -27,8 +27,6 @@ add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL}) if(CC_GP) #set signed output set(OUTPUT ${UUID}.sec) - #set itrustee device key - set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem) #set whilelist. default: /vendor/bin/teec_hello set(WHITE_LIST_0 /vendor/bin/helloworld) set(WHITE_LIST_OWNER root) @@ -101,8 +99,8 @@ if(CC_GP) add_custom_command(TARGET ${PREFIX} POST_BUILD - COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt - -e ${DEVICEPEM} -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}) + COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt + -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}) install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT} DESTINATION /data diff --git a/examples/seal_data/enclave/CMakeLists.txt b/examples/seal_data/enclave/CMakeLists.txt index 20851bd..0ddcbd5 100644 --- a/examples/seal_data/enclave/CMakeLists.txt +++ b/examples/seal_data/enclave/CMakeLists.txt 
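Review bot: The rewritten signing command in the `add_custom_command(TARGET ${PREFIX} POST_BUILD ...)` call still passes `${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt` and the output path unquoted and without `VERBATIM`, so a source or build directory containing spaces or shell metacharacters is split or reinterpreted before it reaches `sign_tool.sh`. Quote both paths, e.g. `-c "${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt"`, and add `VERBATIM` as the last argument of the command. The matching hunk in examples/seal_data/enclave/CMakeLists.txt has the same form. With `DEVICEPEM` gone from the build file, a one-line comment above the command such as `# device public key is taken by sign_tool.sh from its own directory` would keep the origin of the wrapping key visible. The enclosing `if(CC_GP)` block starts and ends outside the hunk.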
@@ -24,9 +24,6 @@ add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL}) if(CC_GP) #set signed output set(OUTPUT ${UUID}.sec) - #set itrustee device key - set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem) - set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h) #set whilelist. default: /vendor/bin/teec_hello set(WHITE_LIST_0 /vendor/bin/seal_data) @@ -97,8 +94,8 @@ if(CC_GP) add_custom_command(TARGET ${PREFIX} POST_BUILD - COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -a 2 -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt - -e ${DEVICEPEM} -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}) + COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -a 2 -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt + -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}) install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT} DESTINATION /data diff --git a/examples/seal_data/enclave/rsa_public_key_cloud.pem b/examples/seal_data/enclave/rsa_public_key_cloud.pem deleted file mode 100644 index a321f63..0000000 --- a/examples/seal_data/enclave/rsa_public_key_cloud.pem +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAzAPwbnbgBg7JgXERA9Bx -p7GLI1S3e1zL83RMd2+GXb6kO4yMKUL3NUCE2HhA2BtQYmLyGovx59UUcKnU58is -Xux++kH+A2shmOPjYvEFuX0Kt8tc19b8M9b/iHsY8ZmKykqia2a5U+IrECRFJo5p -DWUnl7jrHVtq78BSR1c7iXG1frrEC0AYCuqKJo/fxfmOKL0Y9mENCB3nAwjn9unD -BsO/OhkqvvB3nkeuMfNKPh4wCqtQPve13eTojbuxjX/3ePijplTI5X2Gr+n6Ximn -fYRlytQmMgMl/db0ARSKNApq9bmwzVNrnGWWZWJksdRvf6iL7t17Gs4L9AApOuC9 -WkzxPvwp5ZUqjsGd4oJGWeC6ZE6BTw2vxE+xMFI9uAKHxq9pBKkcGMa0g4fANNNV -+W+8JZGanxEXKB3y/M7BCyQAPCWOHC/RNjmRA1gczLYCPzC4pWu935UZdF1RR6zY -CD3t+FoOGGET/g4CwWgyhb5qkp65Hs6ayYt/DUAqo+yBAgMBAAE= ------END PUBLIC KEY----- 
diff --git a/examples/helloworld/enclave/rsa_public_key_cloud.pem b/tools/sign_tool/rsa_public_key_cloud.pem similarity index 100% rename from examples/helloworld/enclave/rsa_public_key_cloud.pem rename to tools/sign_tool/rsa_public_key_cloud.pem diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh index 8f2189c..212db5d 100755 --- a/tools/sign_tool/sign_tool.sh +++ b/tools/sign_tool/sign_tool.sh @@ -21,16 +21,14 @@ print_help(){ echo "sign tool usage: ./sign_tool.sh [options] ..." echo "[options]" echo "-a API_LEVEL, indicates trustzone GP API version, defalut is 1." - echo "-c config file." + echo "-c basic config file." echo "-d sign tool command, sign/digest." echo " The sign command is used to generate a signed enclave." echo " The digest command is used to generate a digest value." - echo "-e the device's public key certificate, used to protect the AES key of the encrypted rawdata," - echo " required by trustzone." echo "-f OTRP_FLAG, indicates whether the OTRP standard protocol is supported, default is 0." echo "-i enclave to be signed." echo "-k private key required for single-step method, required when trustzone TA_TYPE is 2 or sgx." - echo "-m manifest file, required by trustzone." + echo "-m additional config for trustzone when TA_TYPE is 2." echo "-o output parameters, the sign command outputs sigend enclave, the digest command outputs" echo " digest value." echo "-p signing server public key certificate, required for two-step method." @@ -42,7 +40,7 @@ print_help(){ } -while getopts "d:i:x:m:a:f:t:c:e:k:p:s:o:h" opt +while getopts "d:i:x:m:a:f:t:c:k:p:s:o:h" opt do case $opt in d) @@ -73,7 +71,7 @@ do echo "Error: parameter for -m is missing or incorrect" exit -1 fi - MANIFIST=$OPTARG + A_CONFIG_FILE=$OPTARG ;; a) if [[ $OPTARG =~ ^[1-3]$ ]]; then 
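Review bot: The `m)` branch keeps its option letter but now stores `$OPTARG` in `A_CONFIG_FILE`, while `-c` becomes the manifest, so a caller that still uses the old `-m manifest.txt -c config` form for TA_TYPE 2 hands both files to sign_tool.py in swapped roles with no diagnostic. For other TA types an old-style `-m manifest.txt` on its own now ends in the generic "missing config file" error, and `-e` falls into whatever the `case` does for unknown options, which these hunks do not show. Consider a comment on the branch such as `# -m: additional config (TA_TYPE 2 only); the manifest moved to -c`, and call the change out for existing script users. The `case` statement opens in this hunk's context and closes outside it.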
@@ -118,13 +116,6 @@ do fi CONFIG_FILE=$OPTARG ;; - e) - if [[ $OPTARG == -* ]]; then - echo "Error: parameter for -e is missing or incorrect" - exit -1 - fi - DEVICE_PUBKEY=$OPTARG - ;; k) if [[ $OPTARG == -* ]]; then echo "Error: parameter for -k is missing or incorrect" @@ -169,23 +160,21 @@ fi itrustee_start_sign(){ # check_native_sign - if [ -z $MANIFIST ]; then - echo "Error: missing manifest file for signing iTrustee enclave" - exit -1 - fi - if [ -z $DEVICE_PUBKEY ]; then - echo "Error: missing device pubkey for signing iTrustee enclave" + MANIFEST=$CONFIG_FILE + if [ -z $MANIFEST ]; then + echo "Error: missing config file for signing iTrustee enclave" exit -1 fi if [ ${TA_TYPE} == 2 ]; then - if [ -z $CONFIG_FILE]; then - echo "Error: TA TYPE = 2, missing config file for signing iTrustee enclave" + if [ -z $A_CONFIG_FILE]; then + echo "Error: TA TYPE = 2, missing additional config file for signing iTrustee enclave" exit -1 fi else - CONFIG_FILE="NULL" + A_CONFIG_FILE="NULL" fi + DEVICE_PUBKEY=${localpath}/rsa_public_key_cloud.pem if [ "${CMD}"x == "sign"x ]; then if [ -z $SIGNATURE ]; then 
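Review bot: `DEVICE_PUBKEY=${localpath}/rsa_public_key_cloud.pem` fixes the key that protects the AES key to a file beside the script, yet nothing in itrustee_start_sign checks that the file exists or is readable before it is passed to sign_tool.py, and the check that used to catch an unset key is removed. Add a guard after the assignment, `if [ ! -r "${DEVICE_PUBKEY}" ]; then echo "Error: missing device pubkey ${DEVICE_PUBKEY}"; exit 1; fi`. In the same hunk `[ -z $A_CONFIG_FILE]` lacks the space before `]` and the quotes, so a non-empty value makes `[` report a missing `]` instead of evaluating the test; `[ -z "$A_CONFIG_FILE" ]` fixes it, and `[ -z "$MANIFEST" ]` should be quoted the same way. Whether one bundled key suits every target platform cannot be judged from this hunk. The function body continues past the end of the hunk.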
@@ -194,18 +183,18 @@ itrustee_start_sign(){
 echo "missing the signature private key"
 exit -1
 fi
- python ${localpath}/sign_tool.py "sign" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFIST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${CONFIG_FILE}" "${SIG_KEY}"
+ python ${localpath}/sign_tool.py "sign" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFEST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${A_CONFIG_FILE}" "${SIG_KEY}"
 else
 DEBUG=0
 if [ -z $SERVER_PUBKEY ]; then
 echo "Error: missing server public key for verifying signature"
 exit -1
 fi
- python ${localpath}/sign_tool.py "sign" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFIST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${CONFIG_FILE}" "${SIGNATURE}" "${SERVER_PUBKEY}"
+ python ${localpath}/sign_tool.py "sign" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFEST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${A_CONFIG_FILE}" "${SIGNATURE}" "${SERVER_PUBKEY}"
 fi
 elif [ "${CMD}"x == "digest"x ]; then
 DEBUG=0
- python ${localpath}/sign_tool.py "digest" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFIST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${CONFIG_FILE}"
+ python ${localpath}/sign_tool.py "digest" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFEST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${A_CONFIG_FILE}"
 else
 echo "Error: illegal command"
 fi
-- 2.27.0
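Review bot: The final `else` branch prints `Error: illegal command` and then falls out of the `if` without a non-zero exit, so within the visible lines an unrecognised `-d` value can end the function as a success, and a caller such as the CMake POST_BUILD step would not notice unless `-d` is validated elsewhere. Add `exit 1` after that `echo`. The unquoted `[ -z $SERVER_PUBKEY ]` in the same hunk should be `[ -z "$SERVER_PUBKEY" ]`. itrustee_start_sign starts before the hunk and may continue after it.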