From 583ac889ade73e8ffa96844dcc29a511e6c5a615 Mon Sep 17 00:00:00 2001
From: yanlu
Date: Wed, 19 May 2021 15:45:24 +0800
Subject: [PATCH 13/14] fix sgx two-step mode bug, add dump command
---
 docs/sign_tool.md | 49 +++++++++++++---------
 examples/helloworld/enclave/CMakeLists.txt | 2 +-
 examples/helloworld/host/CMakeLists.txt | 8 ++--
 examples/seal_data/enclave/CMakeLists.txt | 2 +-
 examples/seal_data/host/CMakeLists.txt | 8 ++--
 tools/sign_tool/sign_tool.sh | 39 +++++++++--------
 6 files changed, 62 insertions(+), 46 deletions(-)
diff --git a/docs/sign_tool.md b/docs/sign_tool.md
index 399e4c5..e6c6e3b 100644
--- a/docs/sign_tool.md
+++ b/docs/sign_tool.md
@@ -4,7 +4,7 @@ The sign_tool.sh helps to sign the enclave.
 ## The sign_tool.sh
-The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'sign_tool.py' for signing the trustzone enclave.
+The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'signtool_v3.py' for signing the trustzone enclave.
 The tool supports the following two modes:
@@ -19,33 +19,44 @@ The tool supports the following two modes:
 - two-step method, it is used when the signature needs to be obtained from the signing organization or the private key is stored on another secure platform. For example:
- (1) generate the digest value.
- `$ ./sign_tool.sh –d digest –x trustzone –i input -c manifest.txt -m config_cloud.ini –o digest.data `
+ (1) generate the signing material.
+ `$ ./sign_tool.sh –d digest –x trustzone –i input -c manifest.txt -m config_cloud.ini –o signing.data `
 For trustzone, temporary files KeyInfo.enc, rawData.enc, and rawDataHash.bin are generated in the current directory. And for sgx, a temporary file signdata is generated in the current directory. The temporary file is required when generating the signed enclave in step 3 and is deleted after the signed enclave is generated.
- (2) send the digest.data to the signing organization or platform and get the signature.
-
- (3) use the signature to generate the signed enclave.
- `$ ./sign_tool.sh –d sign –x trustzone –i input -c manifest.txt -m config_cloud.ini –s signature –o signed.enclave `
+ (2) send the signing.data to the signing organization or platform and get the signature.
+ For trustzone, use rsautl command to sign the signing material.
+
+ `$ openssl rsautl -sign -inkey sign_key.pem -in signing.data -out signature `
+
+ For sgx, use dgst command to sign the signing material.
+
+ `$ openssl dgst -sha256 -sign sign_key.pem -keyform PEM -out signature signing.data `
+
+ (3) use the signature to generate the signed enclave.
+
+ `$ ./sign_tool.sh –d sign –x trustzone –i input -c manifest.txt -m config_cloud.ini –s signature –o signed.enclave `
 ## sign_tool.sh parameter
 ```
 -c basic config file.
- -d sign tool command, sign/digest.
+ -d sign tool command, sign/digest/dump.
 The sign command is used to generate a signed enclave.
- The digest command is used to generate a digest value.
- -i enclave to be signed.
- -k private key required for single-step method
- -m additional config_cloud.ini for trustzone.
- -o output parameters, the sign command outputs sigend enclave, the digest command outputs
- digest value.
- -p signing server public key certificate, required for two-step method.
- -s the signed digest value required for two-step method, this parameter is empty to indicate
- single-step method.
- -x enclave type, sgx or trustzone.
- -h printf help message.
+ The digest command is used to generate signing material.
+ The dump command is used to generate metadata for sgx signed enclave.
+ -i input parameter, which is enclave to be signed for digest/sign command, and signed enclave for
+ dump command.
+ -k private key required for single-step method.
+ -m additional config_cloud.ini for trustzone.
+ -o output parameter, the sign command outputs signed enclave, the digest command outputs signing
+ material, the dump command outputs data containing the SIGStruct metadata for the SGX signed
+ enclave, which is submitted to Intel for whitelisting.
+ -p signing server public key certificate, required for sgx two-step method.
+ -s the signature value required for two-step method, this parameter is empty to indicate
+ single-step method.
+ -x enclave type, sgx or trustzone.
+ -h print help message.
 ```
 **Note**: Using the `./sign_tool.sh -h` to get help information.
diff --git a/examples/helloworld/enclave/CMakeLists.txt b/examples/helloworld/enclave/CMakeLists.txt
index f7967ef..98f50ac 100644
--- a/examples/helloworld/enclave/CMakeLists.txt
+++ b/examples/helloworld/enclave/CMakeLists.txt
@@ -71,7 +71,7 @@ if(CC_GP) target_include_directories( ${PREFIX} PRIVATE ${CMAKE_CURRENT_BINARY_DIR}
- ${LOCAL_ROOT_PATH}/debug/inc
+ ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc
 ${LOCAL_ROOT_PATH}/inc/host_inc
 ${LOCAL_ROOT_PATH}/inc/host_inc/gp
 ${LOCAL_ROOT_PATH}/inc/enclave_inc
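Review bot: The new include path `${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc` on the `+` line concatenates two absolute paths: `CMAKE_BINARY_DIR` is always the absolute path of the top-level build directory, so the result is `<root>//<root>/<build>/inc`, a directory that does not exist unless LOCAL_ROOT_PATH happens to be empty. The intent appears to be finding the generated `inc` directory in whatever build directory is in use instead of the hard-coded `debug`, which is simply `${CMAKE_BINARY_DIR}/inc`. The same expression is introduced in the three following hunks (examples/helloworld/host, examples/seal_data/enclave, examples/seal_data/host) and should be corrected in each. CMake does not diagnose a non-existent include directory, so if the build still passes it is picking those headers up through another include path; the enclosing `if(CC_GP)` block starts and ends outside the hunk.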
diff --git a/examples/helloworld/host/CMakeLists.txt b/examples/helloworld/host/CMakeLists.txt
index 60173a9..c6f2166 100644
--- a/examples/helloworld/host/CMakeLists.txt
+++ b/examples/helloworld/host/CMakeLists.txt
@@ -39,10 +39,10 @@ if(CC_GP)
 endif()
 add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES})
 target_include_directories(${OUTPUT} PRIVATE
- ${LOCAL_ROOT_PATH}/debug/inc
- ${LOCAL_ROOT_PATH}/inc/host_inc
- ${LOCAL_ROOT_PATH}/inc/host_inc/gp
- ${CMAKE_CURRENT_BINARY_DIR})
+ ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/gp
+ ${CMAKE_CURRENT_BINARY_DIR})
 if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
 target_link_directories(${OUTPUT} PRIVATE ${CMAKE_LIBRARY_OUTPUT_DIRECTORY})
 endif()
diff --git a/examples/seal_data/enclave/CMakeLists.txt b/examples/seal_data/enclave/CMakeLists.txt
index b24e498..542163e 100644
--- a/examples/seal_data/enclave/CMakeLists.txt
+++ b/examples/seal_data/enclave/CMakeLists.txt
@@ -66,7 +66,7 @@ if(CC_GP) target_include_directories( ${PREFIX} PRIVATE ${CMAKE_CURRENT_BINARY_DIR}
- ${LOCAL_ROOT_PATH}/debug/inc
+ ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc
 ${LOCAL_ROOT_PATH}/inc/host_inc
 ${LOCAL_ROOT_PATH}/inc/host_inc/gp
 ${LOCAL_ROOT_PATH}/inc/enclave_inc
diff --git a/examples/seal_data/host/CMakeLists.txt b/examples/seal_data/host/CMakeLists.txt
index 691cd07..a0986d1 100644
--- a/examples/seal_data/host/CMakeLists.txt
+++ b/examples/seal_data/host/CMakeLists.txt
@@ -40,10 +40,10 @@ if(CC_GP)
 endif()
 add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES})
 target_include_directories(${OUTPUT} PRIVATE
- ${LOCAL_ROOT_PATH}/debug/inc
- ${LOCAL_ROOT_PATH}/inc/host_inc
- ${LOCAL_ROOT_PATH}/inc/host_inc/gp
- ${CMAKE_CURRENT_BINARY_DIR})
+ ${LOCAL_ROOT_PATH}/${CMAKE_BINARY_DIR}/inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/inc/host_inc/gp
+ ${CMAKE_CURRENT_BINARY_DIR})
 if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
 target_link_directories(${OUTPUT} PRIVATE ${CMAKE_LIBRARY_OUTPUT_DIRECTORY})
 endif()
diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh
index 5fd7d5b..9906bff 100755
--- a/tools/sign_tool/sign_tool.sh
+++ b/tools/sign_tool/sign_tool.sh
@@ -20,19 +20,22 @@ print_help(){
 echo "sign tool usage: ./sign_tool.sh [options] ..."
 echo "[options]"
 echo "-c basic config file."
- echo "-d sign tool command, sign/digest."
+ echo "-d sign tool command, sign/digest/dump."
 echo " The sign command is used to generate a signed enclave."
- echo " The digest command is used to generate a digest value."
- echo "-i enclave to be signed."
- echo "-k private key required for single-step method"
+ echo " The digest command is used to generate signing material."
+ echo " The dump command is used to generate metadata for sgx signed enclave."
+ echo "-i input parameter, which is enclave to be signed for digest/sign command, and signed enclave for"
+ echo " dump command."
+ echo "-k private key required for single-step method."
 echo "-m additional config_cloud.ini for trustzone."
- echo "-o output parameters, the sign command outputs sigend enclave, the digest command outputs"
- echo " digest value."
- echo "-p signing server public key certificate, required for two-step method."
- echo "-s the signed digest value required for two-step method, this parameter is empty to indicate"
+ echo "-o output parameter, the sign command outputs signed enclave, the digest command outputs signing"
+ echo " material, the dump command outputs data containing the SIGStruct metadata for the SGX signed"
+ echo " enclave, which is submitted to Intel for whitelisting."
+ echo "-p signing server public key certificate, required for sgx two-step method."
+ echo "-s the signature value required for two-step method, this parameter is empty to indicate"
 echo " single-step method."
 echo "-x enclave type, sgx or trustzone."
- echo "-h printf help message."
+ echo "-h print help message."
 }
@@ -164,12 +167,12 @@ sgx_start_sign(){
 fi
 SIGDATA_FILE="signdata"
 if [ "${CMD}"x == "sign"x ]; then
- if [ -z $SIG_KEY ]; then
- echo "Error: missing sign key"
- exit -1
- fi
 if [ -z $SIGNATURE ]; then
- if [ -z $CONFIG_FILE ]; then
+ if [ -z $SIG_KEY ]; then
+ echo "Error: missing sign key"
+ exit -1
+ fi
+ if [ -z $CONFIG_FILE ]; then
 sgx_sign sign -enclave ${IN_ENCLAVE} -key ${SIG_KEY} -out ${OUT_FILE}
 else
 sgx_sign sign -enclave ${IN_ENCLAVE} -key ${SIG_KEY} -out ${OUT_FILE} -config ${CONFIG_FILE}
@@ -180,9 +183,9 @@ sgx_start_sign(){
 exit -1
 fi
 if [ -z $CONFIG_FILE ]; then
- sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsignd ${SIGDATA_FILE} -out ${OUT_FILE}
+ sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsigned ${SIGDATA_FILE} -out ${OUT_FILE}
 else
- sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsignd ${SIGDATA_FILE} -out ${OUT_FILE} -config ${CONFIG_FILE}
+ sgx_sign catsig -enclave ${IN_ENCLAVE} -key ${SERVER_PUBKEY} -sig ${SIGNATURE} -unsigned ${SIGDATA_FILE} -out ${OUT_FILE} -config ${CONFIG_FILE}
 fi
 rm -rf ${SIGDATA_FILE}
 fi
@@ -192,7 +195,9 @@ sgx_start_sign(){
 else
 sgx_sign gendata -enclave ${IN_ENCLAVE} -out ${SIGDATA_FILE} -config ${CONFIG_FILE}
 fi
- openssl dgst -sha256 -out ${OUT_FILE} ${SIGDATA_FILE}
+ cp ${SIGDATA_FILE} ${OUT_FILE}
+ elif [ "${CMD}"x == "dump"x ]; then
+ sgx_sign dump -enclave ${IN_ENCLAVE} -dumpfile ${OUT_FILE}
 else
 echo "Error: illegal command"
 fi
--
2.27.0
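Review bot: The relocated check `if [ -z $SIG_KEY ]; then` and the `if [ -z $CONFIG_FILE ]; then` beneath it expand the variables unquoted; with an empty value `[ -z ]` only evaluates true by accident (a one-argument test of the non-empty string "-z"), and a value containing whitespace breaks the test outright. Quote them as `if [ -z "$SIG_KEY" ]; then` and `if [ -z "$CONFIG_FILE" ]; then`; the same applies to `${IN_ENCLAVE}`, `${SIG_KEY}`, `${OUT_FILE}` and the other expansions on the sgx_sign lines in this hunk and the two that follow. `exit -1` is also not a valid exit status and is reported as 255 by bash; `exit 1` is the conventional failure code. The enclosing sgx_start_sign function begins before and ends after this hunk.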
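Review bot: The corrected `sgx_sign catsig … -unsigned ${SIGDATA_FILE} …` invocations are not checked for success before the unconditional `rm -rf ${SIGDATA_FILE}` two lines below, so if catsig fails (for instance when SIGNATURE does not verify against SERVER_PUBKEY, which sgx_sign reports with a non-zero exit status as far as I know) the signing material is deleted and the two-step flow has to be restarted from gendata with a fresh signature from the signing organization. Guard the deletion on each branch, e.g. `sgx_sign catsig … || { echo "Error: catsig failed"; exit 1; }`, or test `$?` before the `rm`. The same gap exists in the next hunk, where `cp ${SIGDATA_FILE} ${OUT_FILE}` runs whether or not the preceding `sgx_sign gendata` succeeded; because `signdata` is a fixed name in the current directory, a failed gendata would hand a stale file from an earlier run to the signing organization, so the copy should likewise depend on gendata's exit status. sgx_start_sign starts and ends outside this hunk.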