From d866feaeb8476541025efa4325459fae3f7f3493 Mon Sep 17 00:00:00 2001
From: houmingyong
Date: Mon, 29 May 2023 21:29:46 +0800
Subject: [PATCH] support local attest
---
 CMakeLists.txt | 9 +-
 component/CMakeLists.txt | 1 +
 component/local_attest/CMakeLists.txt | 60 +++++++
 component/local_attest/gp_local_attest.c | 153 ++++++++++++++++++
 component/local_attest/local_attest_agent.h | 28 ++++
 component/local_attest/sg_local_attest.c | 22 +++
 component/local_attest/sg_local_attest.h | 29 ++++
 component/local_attest/sgx_local_attest.c | 20 +++
 .../remote_attest/ra_report/CMakeLists.txt | 2 +-
 .../remote_attest/ra_report/gp_ra_report.c | 131 +--------------
 .../ra_report/gp_report_helper.c | 121 ++++++++++++++
 .../ra_report/gp_report_helper.h | 24 +++
 .../client/secure_channel_client.c | 7 +-
 .../secure_channel/enclave/CMakeLists.txt | 3 -
 examples/secure_channel/basevalue.txt | 1 +
 examples/secure_channel/client/client.c | 9 +-
 .../client_with_recv_thread/client.c | 9 +-
 inc/host_inc/status.h | 2 +
 18 files changed, 489 insertions(+), 142 deletions(-)
 create mode 100644 component/local_attest/CMakeLists.txt
 create mode 100644 component/local_attest/gp_local_attest.c
 create mode 100644 component/local_attest/local_attest_agent.h
 create mode 100644 component/local_attest/sg_local_attest.c
 create mode 100644 component/local_attest/sg_local_attest.h
 create mode 100644 component/local_attest/sgx_local_attest.c
 create mode 100644 component/remote_attest/ra_report/gp_report_helper.c
 create mode 100644 component/remote_attest/ra_report/gp_report_helper.h
 create mode 100644 examples/secure_channel/basevalue.txt
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 079be3b..25e6381 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -17,9 +17,6 @@ set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib)
 set(LOCAL_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
-
-set(SECGEAR_DEBUG_LEVEL SECGEAR_LOG_LEVEL_DEBUG)
-add_definitions(-DSECGEAR_DEBUG_LEVEL=${SECGEAR_DEBUG_LEVEL})
 message("=============cmake help info=======================")
 message("Example default cmd: cmake ..")
 message("same with default: cmake -DENCLAVE=SGX -DSDK_PATH=/opt/intel/sgxsdk -DSSL_PATH=/opt/intel/sgxssl ..")
@@ -40,6 +37,12 @@ set(PL_SDK_DEFAULT_PATH /root/dev/sdk)
 if(CMAKE_BUILD_TYPE MATCHES "Debug")
 add_definitions(-DDEBUG_FILE_LINE)
+ #set enclave log level
+ set(PRINT_LEVEL 3)
+ add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL})
+ #set host log level
+ set(SECGEAR_DEBUG_LEVEL SECGEAR_LOG_LEVEL_DEBUG)
+ add_definitions(-DSECGEAR_DEBUG_LEVEL=${SECGEAR_DEBUG_LEVEL})
 endif()
 set(CMAKE_C_FLAGS "-fstack-protector-all -W -Wall -Werror -Wextra -Werror=array-bounds -D_FORTIFY_SOURCE=2 -O2 -ftrapv")
 set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s")
diff --git a/component/CMakeLists.txt b/component/CMakeLists.txt
index 7442334..83aa4cd 100644
--- a/component/CMakeLists.txt
+++ b/component/CMakeLists.txt
@@ -13,6 +13,7 @@ set(LIBRARY_INSTALL ${LOCAL_ROOT_PATH_INSTALL}/usr/lib64)
 ADD_SUBDIRECTORY(secure_channel)
 ADD_SUBDIRECTORY(remote_attest)
+ADD_SUBDIRECTORY(local_attest)
diff --git a/component/local_attest/CMakeLists.txt b/component/local_attest/CMakeLists.txt
new file mode 100644
index 0000000..45ebf82
--- /dev/null
+++ b/component/local_attest/CMakeLists.txt
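Review bot: With both log-level definitions now inside `if(CMAKE_BUILD_TYPE MATCHES "Debug")`, a non-Debug configure defines neither `SECGEAR_DEBUG_LEVEL` nor `PRINT_LEVEL`, whereas before this commit `SECGEAR_DEBUG_LEVEL` was always defined here and `PRINT_LEVEL 3` was always defined in component/secure_channel/enclave/CMakeLists.txt (removed by this same patch); unless the logging headers supply a default when the macro is absent — not visible in this diff — the Release build of the `PrintInfo`/host logging paths changes behaviour or stops compiling, so that default should be confirmed or the Release values set explicitly in an `else()` branch. `CMAKE_BUILD_TYPE` is also empty under multi-config generators, so this branch never runs there; the target-scoped form is `target_compile_definitions(<tgt> PRIVATE $<$<CONFIG:Debug>:PRINT_LEVEL=3>)` rather than directory-wide `add_definitions`. A one-line comment above the block stating which levels a Release build is expected to use would make the intent clear.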
@@ -0,0 +1,60 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+set(target_lib secgear_la)
+
+set(CMAKE_C_FLAGS "-W -Wall -fno-short-enums -fno-omit-frame-pointer -fstack-protector-strong -Wstack-protector \
+ --param ssp-buffer-size=4 -frecord-gcc-switches -Wextra -nostdinc -nodefaultlibs -fno-peephole \
+ -fno-peephole2 -Wno-main -Wno-error=unused-parameter -Wno-error=unused-but-set-variable \
+ -Wno-error=format-truncation= -D_FORTIFY_SOURCE=2 -O2")
+set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs -nostartfiles")
+
+set(SOURCE_FILES sg_local_attest.c)
+
+if(CC_SGX)
+ set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS}")
+ add_definitions(-DSGX_ENCLAVE)
+ set(SOURCE_FILES ${SOURCE_FILES} sgx_local_attest.c)
+endif()
+
+if(CC_GP)
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -march=armv8-a -fPIC")
+ set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-s")
+ add_definitions(-DGP_ENCLAVE)
+ aux_source_directory(${LOCAL_ROOT_PATH}/thirdparty/cjson/ CJSON_SRC)
+ FILE (GLOB_RECURSE BASE64_SRC "${LOCAL_ROOT_PATH}/thirdparty/base64url/*.c")
+ set(REPORT_HELPER ${LOCAL_ROOT_PATH}/component/remote_attest/ra_report/gp_report_helper.c)
+ set(SOURCE_FILES ${SOURCE_FILES} gp_local_attest.c ${CJSON_SRC} ${BASE64_SRC} ${REPORT_HELPER})
+ set(INCLUDE_DIR ${SDK_PATH}/include/TA
+ ${SDK_PATH}/include/TA/huawei_ext
+ ${SDK_PATH}/thirdparty/open_source/musl/libc
+ ${SDK_PATH}/thirdparty/open_source/musl/libc/arch/aarch64
+ ${SDK_PATH}/thirdparty/open_source/musl/libc/arch/generic
+ ${LOCAL_ROOT_PATH}/thirdparty/cjson
+ ${LOCAL_ROOT_PATH}/thirdparty/base64url
+ ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp/itrustee)
+endif()
+
+add_library(${target_lib} STATIC ${SOURCE_FILES})
+
+target_include_directories(${target_lib} PRIVATE
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/component/remote_attest
+ ${LOCAL_ROOT_PATH}/component/remote_attest/ra_report
+ ${INCLUDE_DIR})
+
+install(TARGETS ${target_lib}
+ ARCHIVE
+ DESTINATION ${LIBRARY_INSTALL}
+ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+
+file(GLOB LA_HEADERS sg_local_attest.h)
+install(FILES ${LA_HEADERS}
+ DESTINATION /usr/include/secGear
+ PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ)
diff --git a/component/local_attest/gp_local_attest.c b/component/local_attest/gp_local_attest.c
new file mode 100644
index 0000000..7f75147
--- /dev/null
+++ b/component/local_attest/gp_local_attest.c
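Review bot: `install(FILES ${LA_HEADERS} DESTINATION /usr/include/secGear ...)` hard-codes an absolute destination, so the header ignores `CMAKE_INSTALL_PREFIX`/`DESTDIR` while the archive honours `${LIBRARY_INSTALL}`; `file(GLOB LA_HEADERS sg_local_attest.h)` for one known file is also unnecessary, so `install(FILES sg_local_attest.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/secGear ...)` (with `include(GNUInstallDirs)`), or whichever variable the sibling components derive their header path from, would be the consistent form. The unconditional `set(CMAKE_C_FLAGS "...")` at the top replaces the flags inherited from the parent scope — including the top-level `-fstack-protector-all ... -Werror ... -ftrapv` set — with a different hardening set; if that is deliberate because this is enclave code built with `-nostdinc`, a comment saying so will stop the next reader from "fixing" it. The execute bits (`OWNER_EXECUTE`, `GROUP_EXECUTE`, `WORLD_EXECUTE`) on a static archive serve no purpose and can be dropped. `-march=armv8-a` is hard-coded in the GP branch as well; if the SDK toolchain already selects the target architecture this duplicates it.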
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+#include
+#include
+#include
+#include "tee_ra_api.h"
+#include "tee_crypto_api.h"
+#include "base64url.h"
+#include "cJSON.h"
+#include "secgear_log.h"
+#include "status.h"
+#include "sg_report_st.h"
+#include "local_attest_agent.h"
+#include "gp_report_helper.h"
+
+#define CC_HASH_LEN 64
+typedef struct {
+ char *taid;
+ char *img_hash;
+ char *mem_hash;
+} gp_basevalue_t;
+
+#define HEX_ONE_CHAR_BITS 4
+#define HEX_BYTE_MAX 0xf
+
+static void hex2str(const uint8_t *source, int source_len, char *dest)
+{
+ char *hexEncode = "0123456789abcdef";
+ int i = 0, j = 0;
+ for (i = 0; i < source_len; i++) {
+ dest[j++] = hexEncode[(source[i] >> HEX_ONE_CHAR_BITS) & HEX_BYTE_MAX];
+ dest[j++] = hexEncode[(source[i]) & HEX_BYTE_MAX];
+ }
+}
+
+static cc_enclave_result_t gp_compare_hash(gp_basevalue_t *basevalue, char *ta_img, char *ta_mem)
+{
+ size_t imglen = 0;
+ size_t memlen = 0;
+ uint8_t *decodedimg = kpsecl_base64urldecode(ta_img, strlen(ta_img), &imglen);
+ uint8_t *decodedmem = kpsecl_base64urldecode(ta_mem, strlen(ta_mem), &memlen);
+
+ char heximg[CC_HASH_LEN + 1] = {0};
+ char hexmem[CC_HASH_LEN + 1] = {0};
+ hex2str(decodedimg, imglen, heximg);
+ hex2str(decodedmem, memlen, hexmem);
+ free(decodedimg);
+ free(decodedmem);
+
+ PrintInfo(PRINT_STRACE, "heximg:%s, hexmem:%s", heximg, hexmem);
+ PrintInfo(PRINT_STRACE, "img_hash:%s, mem_hash:%s", basevalue->img_hash, basevalue->mem_hash);
+
+ if (memcmp(heximg, basevalue->img_hash, strlen(basevalue->img_hash)) != 0 ||
+ memcmp(hexmem, basevalue->mem_hash, strlen(basevalue->mem_hash)) != 0) {
+ PrintInfo(PRINT_ERROR, "verify local report hash failed!\n");
+ return CC_ERROR_LOCAL_REPORT_HASH_MISMATCH;
+ }
+ return CC_SUCCESS;
+}
+
+static cc_enclave_result_t gp_verify_local_report(gp_basevalue_t *basevalue, uint8_t *nonce, size_t nonce_len,
+ cc_ra_buf_t *report)
+{
+ char *b64_nonce = NULL;
+ size_t b64_nonce_len = 0;
+ cc_enclave_result_t ret = CC_ERROR_LOCAL_REPORT_INVALID;
+
+ cJSON *cj_report = cJSON_ParseWithLength((char *)report->buf, report->len);
+ if (cj_report == NULL) {
+ PrintInfo(PRINT_ERROR, "report to json failed\n");
+ return ret;
+ }
+ cJSON *cj_payload = cJSON_GetObjectItemCaseSensitive(cj_report, "payload");
+ if (cj_payload == NULL) {
+ PrintInfo(PRINT_ERROR, "report payload failed!\n");
+ goto end;
+ }
+ b64_nonce = kpsecl_base64urlencode(nonce, nonce_len, &b64_nonce_len);
+ cJSON *cj_b64_nonce = cJSON_GetObjectItemCaseSensitive(cj_payload, "nonce");
+ if (cj_b64_nonce == NULL || strcmp(cj_b64_nonce->valuestring, b64_nonce)) {
+ PrintInfo(PRINT_ERROR, "check nonce value failed!\n");
+ free(b64_nonce);
+ goto end;
+ }
+ free(b64_nonce);
+
+ cJSON *cj_uuid = cJSON_GetObjectItemCaseSensitive(cj_payload, "uuid");
+ if (cj_uuid == NULL || strcmp(cj_uuid->valuestring, basevalue->taid)) {
+ PrintInfo(PRINT_ERROR, "check uuid failed!\n");
+ goto end;
+ }
+ cJSON *cj_ta_img = cJSON_GetObjectItemCaseSensitive(cj_payload, "ta_img");
+ if (cj_ta_img == NULL) {
+ PrintInfo(PRINT_ERROR, "check ta_img failed!\n");
+ goto end;
+ }
+ cJSON *cj_ta_mem = cJSON_GetObjectItemCaseSensitive(cj_payload, "ta_mem");
+ if (cj_ta_mem == NULL) {
+ PrintInfo(PRINT_ERROR, "check ta_mem failed!\n");
+ goto end;
+ }
+
+ ret = gp_compare_hash(basevalue, cj_ta_img->valuestring, cj_ta_mem->valuestring);
+end:
+ cJSON_Delete(cj_report);
+
+ return ret;
+}
+
+#define LOCAL_REPORT_OUT_LEN 0x3000
+#define LOCAL_REPORT_NONCE_LEN 32
+cc_enclave_result_t agent_local_attest(char *taid, char *img_hash, char *mem_hash)
+{
+ cc_get_ra_report_input_t ra_input = {0};
+ ra_input.taid = (uint8_t *)taid;
+ ra_input.with_tcb = false;
+
+ TEE_GenerateRandom(ra_input.nonce, LOCAL_REPORT_NONCE_LEN);
+ ra_input.nonce_len = LOCAL_REPORT_NONCE_LEN + 1;
+
+ cc_ra_buf_t *in = NULL;
+ cc_enclave_result_t ret = gen_ra_report_in_buff(&ra_input, &in);
+ if (ret != CC_SUCCESS) {
+ PrintInfo(PRINT_ERROR, "gen ra report in buff error! ret:%x\n", ret);
+ return -1;
+ }
+
+ uint8_t data[LOCAL_REPORT_OUT_LEN] = {0};
+ cc_ra_buf_t report = {LOCAL_REPORT_OUT_LEN, data};
+
+ TEE_Result gp_ret = ra_local_report((struct ra_buffer_data *)in, (struct ra_buffer_data *)&report);
+ free_cc_ra_buf(in);
+ if (gp_ret != CC_SUCCESS) {
+ PrintInfo(PRINT_ERROR, "get ra report failed, ret:%x\n", gp_ret);
+ return CC_ERROR_RA_GET_REPORT;
+ }
+
+ gp_basevalue_t basevalue = {
+ .taid = taid,
+ .img_hash = img_hash,
+ .mem_hash = mem_hash,
+ };
+ return gp_verify_local_report(&basevalue, ra_input.nonce, ra_input.nonce_len, &report);
+}
diff --git a/component/local_attest/local_attest_agent.h b/component/local_attest/local_attest_agent.h
new file mode 100644
index 0000000..c79bc03
--- /dev/null
+++ b/component/local_attest/local_attest_agent.h
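Review bot: `gp_compare_hash` dereferences both `basevalue->img_hash` and `basevalue->mem_hash` through `strlen`, yet `cc_local_attest` in component/local_attest/sg_local_attest.c (same patch) only rejects the case where both are NULL, so a caller supplying one hash crashes inside the TA; and because the `memcmp` length is `strlen(basevalue->...)`, the check is a prefix match — an expected value shorter than 64 hex characters accepts any report whose measurement merely starts with it. `hex2str` also writes `2 * imglen` / `2 * memlen` characters into the 65-byte `heximg`/`hexmem` arrays without bounding the decoded lengths and without checking that `kpsecl_base64urldecode` returned non-NULL, so an over-long or malformed `ta_img`/`ta_mem` member overruns the stack. The rewrite below bounds both lengths, treats a NULL expected hash as "not checked" (consistent with the parameter rule in `cc_local_attest`) and compares the whole string; the `PRINT_STRACE` line that prints the expected hashes with `%s` needs the same NULL guard. Separately, `return -1;` in `agent_local_attest` should be `return ret;` (the function returns `cc_enclave_result_t`), and every `cJSON_GetObjectItemCaseSensitive` result is used via `->valuestring` without `cJSON_IsString`, so a non-string `nonce`/`uuid`/`ta_img`/`ta_mem` member is a NULL dereference in `strcmp` — `if (!cJSON_IsString(cj_b64_nonce) || strcmp(cj_b64_nonce->valuestring, b64_nonce)) {` and likewise for the other three.
```c
static cc_enclave_result_t gp_compare_hash(gp_basevalue_t *basevalue, char *ta_img, char *ta_mem)
{
    size_t imglen = 0;
    size_t memlen = 0;
    uint8_t *decodedimg = kpsecl_base64urldecode(ta_img, strlen(ta_img), &imglen);
    uint8_t *decodedmem = kpsecl_base64urldecode(ta_mem, strlen(ta_mem), &memlen);
    /* hex2str emits 2 * len characters: bound both lengths by the heximg/hexmem capacity before expanding */
    if (decodedimg == NULL || decodedmem == NULL || imglen > CC_HASH_LEN / 2 || memlen > CC_HASH_LEN / 2) {
        free(decodedimg);
        free(decodedmem);
        PrintInfo(PRINT_ERROR, "decode local report hash failed!\n");
        return CC_ERROR_LOCAL_REPORT_INVALID;
    }
    // … unchanged: heximg/hexmem declarations, hex2str(), free(), PRINT_STRACE lines …
    /* a NULL expected hash means "not checked" (cc_local_attest allows one of the two to be NULL);
     * a present one must equal the whole hex string, not just a prefix of it */
    if ((basevalue->img_hash != NULL && strcmp(heximg, basevalue->img_hash) != 0) ||
        (basevalue->mem_hash != NULL && strcmp(hexmem, basevalue->mem_hash) != 0)) {
    // … unchanged: error log and return values …
```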
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+#ifndef SECGEAR_LOCAL_ATTEST_AGENT_H
+#define SECGEAR_LOCAL_ATTEST_AGENT_H
+
+#include "status.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+cc_enclave_result_t agent_local_attest(char *taid, char *img_hash, char *mem_hash);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/component/local_attest/sg_local_attest.c b/component/local_attest/sg_local_attest.c
new file mode 100644
index 0000000..f94473e
--- /dev/null
+++ b/component/local_attest/sg_local_attest.c
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+#include "sg_local_attest.h"
+#include "local_attest_agent.h"
+
+cc_enclave_result_t cc_local_attest(char *taid, char *img_hash, char *mem_hash)
+{
+ if (taid == NULL || (img_hash == NULL && mem_hash == NULL)) {
+ return CC_ERROR_BAD_PARAMETERS;
+ }
+
+ return agent_local_attest(taid, img_hash, mem_hash);
+}
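Review bot: The declaration of `agent_local_attest` carries no comment, and this header is the only place that states the contract every backend (gp_local_attest.c and sgx_local_attest.c in this patch) must honour; I would add above it: `/* Backend of cc_local_attest(): obtain the TEE's local report for the calling TA and check it against the expected uuid (taid) and hex-encoded image/memory measurements; exactly one implementation is linked per enclave type. */`. Stating here whether a NULL `img_hash`/`mem_hash` means "not checked" or is forbidden would also settle the inconsistency between the NULL rule in `cc_local_attest` (one may be NULL) and the GP implementation, which dereferences both.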
diff --git a/component/local_attest/sg_local_attest.h b/component/local_attest/sg_local_attest.h
new file mode 100644
index 0000000..97f31ef
--- /dev/null
+++ b/component/local_attest/sg_local_attest.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+#ifndef SECGEAR_LOCAL_ATTESTATION_H
+#define SECGEAR_LOCAL_ATTESTATION_H
+
+#include "status.h"
+#include "secgear_defs.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+CC_API_SPEC cc_enclave_result_t cc_local_attest(char *taid, char *img_hash, char *mem_hash);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/component/local_attest/sgx_local_attest.c b/component/local_attest/sgx_local_attest.c
new file mode 100644
index 0000000..aa772b0
--- /dev/null
+++ b/component/local_attest/sgx_local_attest.c
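Review bot: `cc_local_attest` is the new public API but has no documentation; a comment block above the declaration should state what the visible implementation does: `taid` is the TA uuid matched against the report's `uuid` member, `img_hash`/`mem_hash` are the expected lowercase-hex image and memory measurements matched against the report's `ta_img`/`ta_mem` members, and the results are `CC_SUCCESS`, `CC_ERROR_BAD_PARAMETERS` (NULL taid, or both hashes NULL), `CC_ERROR_RA_GET_REPORT` (the report could not be obtained), `CC_ERROR_LOCAL_REPORT_INVALID` (report unparsable, or nonce/uuid/ta_img/ta_mem missing or wrong) and `CC_ERROR_LOCAL_REPORT_HASH_MISMATCH`. The comment should also say that on SGX builds (sgx_local_attest.c in this patch) the call currently performs no verification, because callers cannot tell that from the signature.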
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+#include "local_attest_agent.h"
+
+cc_enclave_result_t agent_local_attest(char *taid, char *img_hash, char *mem_hash)
+{
+ (void)taid;
+ (void)img_hash;
+ (void)mem_hash;
+ return CC_SUCCESS;
+}
diff --git a/component/remote_attest/ra_report/CMakeLists.txt b/component/remote_attest/ra_report/CMakeLists.txt
index 2f00dc7..4314f02 100644
--- a/component/remote_attest/ra_report/CMakeLists.txt
+++ b/component/remote_attest/ra_report/CMakeLists.txt
@@ -20,7 +20,7 @@ endif()
 if(CC_GP)
 aux_source_directory(${LOCAL_ROOT_PATH}/thirdparty/cjson/ CJSON_SRC)
 FILE (GLOB_RECURSE BASE64_SRC "${LOCAL_ROOT_PATH}/thirdparty/base64url/*.c")
- set(SRC_FILES ${SRC_FILES} ${CJSON_SRC} ${BASE64_SRC} gp_ra_report.c)
+ set(SRC_FILES ${SRC_FILES} ${CJSON_SRC} ${BASE64_SRC} gp_ra_report.c gp_report_helper.c)
 set(INCLUDE_DIR ${SDK_PATH}/include/CA
 ${LOCAL_ROOT_PATH}/thirdparty/cjson
 ${LOCAL_ROOT_PATH}/thirdparty/libqca
diff --git a/component/remote_attest/ra_report/gp_ra_report.c b/component/remote_attest/ra_report/gp_ra_report.c
index 4625cd3..ca1fa03 100644
--- a/component/remote_attest/ra_report/gp_ra_report.c
+++ b/component/remote_attest/ra_report/gp_ra_report.c
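Review bot: The SGX backend returns `CC_SUCCESS` without examining any input, so on an SGX build `cc_local_attest` reports a successful attestation for any taid/hash triple; a caller that gates trust on this result (the secure channel reads a basevalue file of taid and hashes for exactly this purpose) would accept an unverified peer. Until SGX local attestation is implemented the stub should fail closed — return a failure value of `cc_enclave_result_t` that clearly means "not supported" (adding one in inc/host_inc/status.h if none fits) — and carry a comment marking it as a placeholder, e.g. `/* TODO: SGX local attestation is not implemented; fail closed so callers cann­ot mistake this for a verified report. */`.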
@@ -13,136 +13,8 @@
 #include
 #include "ra_client_api.h"
 #include "enclave_log.h"
-#include "cJSON.h"
-#include "base64url.h"
-
 #include "uni_ree_agent.h"
-
-static void free_cc_ra_buf(cc_ra_buf_t *ra_buf)
-{
- if (ra_buf == NULL) {
- return;
- }
- if (ra_buf->buf != NULL) {
- free(ra_buf->buf);
- }
-
- free(ra_buf);
- return;
-}
-
-/* caller need to free (cc_ra_buf_t **in) */
-static cc_enclave_result_t gen_provision_no_as_in_buff(cc_ra_buf_t **in)
-{
- if (in == NULL) {
- return CC_ERROR_BAD_PARAMETERS;
- }
- cc_enclave_result_t ret = CC_SUCCESS;
- cJSON *in_json = cJSON_CreateObject();
- cJSON_AddStringToObject(in_json, "handler", "provisioning-input");
-
- cJSON *in_payload = cJSON_CreateObject();
- cJSON_AddStringToObject(in_payload, "version", "TEE.RA.1.0");
- cJSON_AddStringToObject(in_payload, "scenario", "sce_no_as");
- cJSON_AddStringToObject(in_payload, "hash_alg", "HS256");
-
- cJSON_AddItemToObject(in_json, "payload", in_payload);
-
- char *in_buf = cJSON_PrintUnformatted(in_json);
- uint32_t in_buf_len = strlen(in_buf) + 1;
-
- cc_ra_buf_t *tmp_ra_buf = calloc(1, sizeof(cc_ra_buf_t));
- if (tmp_ra_buf == NULL) {
- ret = CC_ERROR_RA_MEMORY;
- goto end;
- }
- tmp_ra_buf->buf = calloc(1, in_buf_len);
- if (tmp_ra_buf->buf == NULL) {
- ret = CC_ERROR_RA_MEMORY;
- free(tmp_ra_buf);
- goto end;
- }
- (void)memcpy(tmp_ra_buf->buf, in_buf, in_buf_len);
- tmp_ra_buf->len = in_buf_len;
-
- *in = tmp_ra_buf;
-end:
- cJSON_free(in_buf);
- cJSON_Delete(in_json);
- return ret;
-}
-
-/* caller need to free (cc_ra_buf_t **in) */
-static cc_enclave_result_t gen_ra_report_in_buff(cc_get_ra_report_input_t *param, cc_ra_buf_t **json_buf)
-{
- if (param == NULL || param->taid == NULL || json_buf == NULL) {
- return CC_ERROR_BAD_PARAMETERS;
- }
- cc_enclave_result_t ret = CC_SUCCESS;
- cJSON *in_json = cJSON_CreateObject();
- cJSON_AddStringToObject(in_json, "handler", "report-input");
-
- size_t b64_nonce_len = 0;
- char *b64_nonce = kpsecl_base64urlencode(param->nonce, param->nonce_len, &b64_nonce_len);
-
- cJSON *in_payload = cJSON_CreateObject();
- cJSON_AddStringToObject(in_payload, "version", "TEE.RA.1.0");
- cJSON_AddStringToObject(in_payload, "nonce", b64_nonce);
- free(b64_nonce);
- cJSON_AddStringToObject(in_payload, "uuid", (char *)param->taid);
- cJSON_AddStringToObject(in_payload, "hash_alg", "HS256");
- cJSON_AddBoolToObject(in_payload, "with_tcb", param->with_tcb);
- if (param->req_key) {
- cJSON_AddBoolToObject(in_payload, "request_key", param->req_key);
- }
-
- cJSON_AddItemToObject(in_json, "payload", in_payload);
-
- char *in_buf = cJSON_PrintUnformatted(in_json);
- uint32_t in_buf_len = strlen(in_buf) + 1;
-
- print_debug("get ra report input json buf:%s\n", in_buf);
-
- cc_ra_buf_t *tmp_ra_buf = calloc(1, sizeof(cc_ra_buf_t));
- if (tmp_ra_buf == NULL) {
- ret = CC_ERROR_RA_MEMORY;
- goto end;
- }
- tmp_ra_buf->buf = calloc(1, in_buf_len);
- if (tmp_ra_buf->buf == NULL) {
- ret = CC_ERROR_RA_MEMORY;
- free(tmp_ra_buf);
- goto end;
- }
- (void)memcpy(tmp_ra_buf->buf, in_buf, in_buf_len);
- tmp_ra_buf->len = in_buf_len;
-
- *json_buf = (cc_ra_buf_t *)tmp_ra_buf;
-end:
- cJSON_free(in_buf);
- cJSON_Delete(in_json);
- return ret;
-}
-
-static void print_ra_report(cc_ra_buf_t *report)
-{
- if (report == NULL || report->buf == NULL) {
- return;
- }
- cJSON *cj_report = cJSON_ParseWithLength((char *)report->buf, report->len);
- if (cj_report == NULL) {
- // print_debug("cjson parse report error!\n");
- return;
- }
- char *str_report = cJSON_Print(cj_report);
-
- print_debug("report:%s\n", str_report);
- print_debug("report len:%u, str_len:%lu\n", report->len, strlen(str_report));
-
- cJSON_free(str_report);
- cJSON_Delete(cj_report);
- return;
-}
+#include "gp_report_helper.h"
 #define PROVISION_OUT_LEN 0x3000
 static cc_enclave_result_t gp_ra_provision_no_as()
@@ -195,7 +67,6 @@ static cc_enclave_result_t gp_get_ra_report(cc_get_ra_report_input_t *in, cc_ra_
 print_error_term("get ra report failed, ret:%x\n", gp_ret);
 return CC_ERROR_RA_GET_REPORT;
 }
- print_ra_report(report);
 return CC_SUCCESS;
 }
diff --git a/component/remote_attest/ra_report/gp_report_helper.c b/component/remote_attest/ra_report/gp_report_helper.c
new file mode 100644
index 0000000..0a73745
--- /dev/null
+++ b/component/remote_attest/ra_report/gp_report_helper.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+#include
+#include
+#include "cJSON.h"
+#include "base64url.h"
+#include "gp_report_helper.h"
+
+void free_cc_ra_buf(cc_ra_buf_t *ra_buf)
+{
+ if (ra_buf == NULL) {
+ return;
+ }
+ if (ra_buf->buf != NULL) {
+ free(ra_buf->buf);
+ }
+
+ free(ra_buf);
+ return;
+}
+
+/* caller need to free (cc_ra_buf_t **in) */
+cc_enclave_result_t gen_provision_no_as_in_buff(cc_ra_buf_t **in)
+{
+ if (in == NULL) {
+ return CC_ERROR_BAD_PARAMETERS;
+ }
+ cc_enclave_result_t ret = CC_SUCCESS;
+ cJSON *in_json = cJSON_CreateObject();
+ cJSON_AddStringToObject(in_json, "handler", "provisioning-input");
+
+ cJSON *in_payload = cJSON_CreateObject();
+ cJSON_AddStringToObject(in_payload, "version", "TEE.RA.1.0");
+ cJSON_AddStringToObject(in_payload, "scenario", "sce_no_as");
+ cJSON_AddStringToObject(in_payload, "hash_alg", "HS256");
+
+ cJSON_AddItemToObject(in_json, "payload", in_payload);
+
+ char *in_buf = cJSON_PrintUnformatted(in_json);
+ uint32_t in_buf_len = strlen(in_buf) + 1;
+
+ cc_ra_buf_t *tmp_ra_buf = calloc(1, sizeof(cc_ra_buf_t));
+ if (tmp_ra_buf == NULL) {
+ ret = CC_ERROR_RA_MEMORY;
+ goto end;
+ }
+ tmp_ra_buf->buf = calloc(1, in_buf_len);
+ if (tmp_ra_buf->buf == NULL) {
+ ret = CC_ERROR_RA_MEMORY;
+ free(tmp_ra_buf);
+ goto end;
+ }
+ (void)memcpy(tmp_ra_buf->buf, in_buf, in_buf_len);
+ tmp_ra_buf->len = in_buf_len;
+
+ *in = tmp_ra_buf;
+end:
+ cJSON_free(in_buf);
+ cJSON_Delete(in_json);
+ return ret;
+}
+
+/* caller need to free (cc_ra_buf_t **in) */
+cc_enclave_result_t gen_ra_report_in_buff(cc_get_ra_report_input_t *param, cc_ra_buf_t **json_buf)
+{
+ if (param == NULL || param->taid == NULL || json_buf == NULL) {
+ return CC_ERROR_BAD_PARAMETERS;
+ }
+ cc_enclave_result_t ret = CC_SUCCESS;
+ cJSON *in_json = cJSON_CreateObject();
+ cJSON_AddStringToObject(in_json, "handler", "report-input");
+
+ size_t b64_nonce_len = 0;
+ char *b64_nonce = kpsecl_base64urlencode(param->nonce, param->nonce_len, &b64_nonce_len);
+
+ cJSON *in_payload = cJSON_CreateObject();
+ cJSON_AddStringToObject(in_payload, "version", "TEE.RA.1.0");
+ cJSON_AddStringToObject(in_payload, "nonce", b64_nonce);
+ free(b64_nonce);
+ cJSON_AddStringToObject(in_payload, "uuid", (char *)param->taid);
+ cJSON_AddStringToObject(in_payload, "hash_alg", "HS256");
+ cJSON_AddBoolToObject(in_payload, "with_tcb", param->with_tcb);
+ if (param->req_key) {
+ cJSON_AddBoolToObject(in_payload, "request_key", param->req_key);
+ }
+
+ cJSON_AddItemToObject(in_json, "payload", in_payload);
+
+ char *in_buf = cJSON_PrintUnformatted(in_json);
+ uint32_t in_buf_len = strlen(in_buf) + 1;
+
+ cc_ra_buf_t *tmp_ra_buf = calloc(1, sizeof(cc_ra_buf_t));
+ if (tmp_ra_buf == NULL) {
+ ret = CC_ERROR_RA_MEMORY;
+ goto end;
+ }
+ tmp_ra_buf->buf = calloc(1, in_buf_len);
+ if (tmp_ra_buf->buf == NULL) {
+ ret = CC_ERROR_RA_MEMORY;
+ free(tmp_ra_buf);
+ goto end;
+ }
+ (void)memcpy(tmp_ra_buf->buf, in_buf, in_buf_len);
+ tmp_ra_buf->len = in_buf_len;
+
+ *json_buf = (cc_ra_buf_t *)tmp_ra_buf;
+end:
+ cJSON_free(in_buf);
+ cJSON_Delete(in_json);
+ return ret;
+}
+
diff --git a/component/remote_attest/ra_report/gp_report_helper.h b/component/remote_attest/ra_report/gp_report_helper.h
new file mode 100644
index 0000000..58786d9
--- /dev/null
+++ b/component/remote_attest/ra_report/gp_report_helper.h
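Review bot: In both `gen_provision_no_as_in_buff` and `gen_ra_report_in_buff` the result of `cJSON_PrintUnformatted` is passed straight to `strlen(in_buf)`, so an allocation failure inside cJSON — now also reachable inside the TA, since component/local_attest/CMakeLists.txt compiles this file into `secgear_la` — is a NULL dereference rather than the `CC_ERROR_RA_MEMORY` that the `calloc` checks a few lines later return; add `if (in_buf == NULL) { ret = CC_ERROR_RA_MEMORY; goto end; }` directly after the print (with cJSON's default hooks `cJSON_free` is `free`, which accepts NULL, so `end:` already copes). `kpsecl_base64urlencode` in `gen_ra_report_in_buff` is likewise unchecked before `cJSON_AddStringToObject(in_payload, "nonce", b64_nonce)`. Now that `free_cc_ra_buf` is exported, the two `/* caller need to free (cc_ra_buf_t **in) */` comments should name it and the actual parameter: `/* On success *json_buf is allocated; the caller releases it with free_cc_ra_buf(). */`.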
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+#ifndef SECGEAR_GP_REPORT_HELPER_H
+#define SECGEAR_GP_REPORT_HELPER_H
+
+#include "status.h"
+#include "sg_report_st.h"
+
+cc_enclave_result_t gen_provision_no_as_in_buff(cc_ra_buf_t **in);
+cc_enclave_result_t gen_ra_report_in_buff(cc_get_ra_report_input_t *param, cc_ra_buf_t **json_buf);
+void free_cc_ra_buf(cc_ra_buf_t *ra_buf);
+
+#endif
+
diff --git a/component/secure_channel/client/secure_channel_client.c b/component/secure_channel/client/secure_channel_client.c
index 27b0812..21067b1 100644
--- a/component/secure_channel/client/secure_channel_client.c
+++ b/component/secure_channel/client/secure_channel_client.c
@@ -191,10 +191,11 @@ static cc_enclave_result_t get_taid_from_file(char *file, char *taid)
 }
 int ret = fscanf(fp, "%s", taid); // only read taid from line - - printf("read ret:%d, taid:%s\n", ret, taid); - - fclose(fp);
+ if (ret < 0) {
+ printf("secure channel init read taid and hash from file failed\n");
+ return CC_ERROR_SEC_CHL_INIT_GET_TAID;
+ }
 return CC_SUCCESS;
 }
diff --git a/component/secure_channel/enclave/CMakeLists.txt b/component/secure_channel/enclave/CMakeLists.txt
index a84de8a..b2050fb 100644
--- a/component/secure_channel/enclave/CMakeLists.txt
+++ b/component/secure_channel/enclave/CMakeLists.txt
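Review bot: The new header lacks the `extern "C"` guard that the two other headers in this patch (local_attest_agent.h, sg_local_attest.h) have, so a C++ consumer of the ra_report library gets mangled names for the `gen_*` functions and `free_cc_ra_buf`; wrap the three prototypes in the same `#ifdef __cplusplus` / `extern "C" {` / `#endif` block for consistency. The ownership rule is also only documented in the .c file — a one-line comment per prototype here, e.g. `/* Builds the JSON request buffer; on success the caller releases *in with free_cc_ra_buf(). */`, is what a reader of the header needs.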
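Review bot: `if (ret < 0)` only catches EOF and read errors: `fscanf` returns 0 when the first token cannot be converted, which leaves `taid` untouched and the function returning `CC_SUCCESS` with an empty id, so the test should be `if (ret != 1) {`. The conversion itself, `fscanf(fp, "%s", taid)` on the context line, has no field width, so a longer-than-expected first token in the basevalue file overruns whatever size `taid` has (its declaration is outside the hunk); a width matching that buffer, or `fgets` followed by `strtok`, closes that. `get_taid_from_file` starts before this hunk.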
@@ -14,9 +14,6 @@ set(PREFIX secure_channel)
 set(SOURCE_FILES secure_channel_enclave.c ${CMAKE_CURRENT_SOURCE_DIR}/../secure_channel_common.c)
 FILE (GLOB_RECURSE BASE64_SRC "${LOCAL_ROOT_PATH}/thirdparty/base64url/*.c")
-set(PRINT_LEVEL 3)
-add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL})
-
 if(CC_GP)
 add_definitions(-DGP_ENCLAVE)
 set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h)
diff --git a/examples/secure_channel/basevalue.txt b/examples/secure_channel/basevalue.txt
new file mode 100644
index 0000000..694c455
--- /dev/null
+++ b/examples/secure_channel/basevalue.txt
@@ -0,0 +1 @@
+7763a15a-0a9e-4e86-90cd-e4262583948a 8b7373be89840534eafc2836110b31c7fee5b96ebbab09a1db87c34be393afee 52bc57fb201ebd00fcc66059084dfb38e98c0e4d11d7131d29448bc6f7cb5939
diff --git a/examples/secure_channel/client/client.c b/examples/secure_channel/client/client.c
index 08d2574..28b3695 100644
--- a/examples/secure_channel/client/client.c
+++ b/examples/secure_channel/client/client.c
@@ -49,6 +49,13 @@ int main(int argc, char **argv)
 cc_enclave_result_t ret;
 struct sockaddr_in svr_addr;
+ char *ta_basevalue_file = "../basevalue.txt";
+ char basevalue_real_path[PATH_MAX] = {0};
+ if (realpath(ta_basevalue_file, basevalue_real_path) == NULL) {
+ printf("ta basevalue file path error\n");
+ return -1;
+ }
+
 sockfd = socket(AF_INET, SOCK_STREAM, 0);
 if (sockfd == -1) {
 printf("create socket failed\n");
@@ -69,7 +76,7 @@ int main(int argc, char **argv)
 // step1: 初始化安全通道客户端,注册消息发送函数
 g_ctx.conn_kit.send = (void *)socket_write_and_read;
 g_ctx.conn_kit.conn = &sockfd;
- g_ctx.basevalue = "/vendor/bin/basevalue.txt"; // content format:taid image_hash mem_hash
+ g_ctx.basevalue = basevalue_real_path; // content format:taid image_hash mem_hash
 ret = cc_sec_chl_client_init(CC_SEC_CHL_ALGO_RSA_ECDH_AES_GCM, &g_ctx);
 if (ret != CC_SUCCESS) {
 printf("secure channel init failed:%u\n", ret);
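Review bot: `realpath("../basevalue.txt", ...)` resolves relative to the process's working directory, so the example only works when started from the directory the author used, and the error message does not say where it looked; taking the path from `argv`, or at least printing `ta_basevalue_file` in the message, would make the failure actionable. `realpath` succeeding also only proves the file exists, not that it is readable, so `cc_sec_chl_client_init` still has to report that case. The same lines are added in examples/secure_channel/client_with_recv_thread/client.c; `PATH_MAX` and `realpath` need `<limits.h>` and `<stdlib.h>`, which I cannot see being included in either file. `main` starts before the hunk.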
diff --git a/examples/secure_channel/client_with_recv_thread/client.c b/examples/secure_channel/client_with_recv_thread/client.c
index db142bb..d492624 100644
--- a/examples/secure_channel/client_with_recv_thread/client.c
+++ b/examples/secure_channel/client_with_recv_thread/client.c
@@ -67,6 +67,13 @@ int main(int argc, char **argv)
 cc_enclave_result_t ret;
 struct sockaddr_in svr_addr;
+ char *ta_basevalue_file = "../basevalue.txt";
+ char basevalue_real_path[PATH_MAX] = {0};
+ if (realpath(ta_basevalue_file, basevalue_real_path) == NULL) {
+ printf("ta basevalue file path error\n");
+ return -1;
+ }
+
 sockfd = socket(AF_INET, SOCK_STREAM, 0);
 if (sockfd == -1) {
 printf("create socket failed\n");
@@ -87,7 +94,7 @@ int main(int argc, char **argv)
 // step1: 初始化安全通道客户端,注册消息发送函数
 g_ctx.conn_kit.send = (void *)socket_write_adpt;
 g_ctx.conn_kit.conn = &sockfd;
- g_ctx.basevalue = "/vendor/bin/basevalue.txt"; // content format:taid image_hash mem_hash
+ g_ctx.basevalue = basevalue_real_path; // content format:taid image_hash mem_hash
 // step2: 创建消息接收线程
 pthread_t thread;
diff --git a/inc/host_inc/status.h b/inc/host_inc/status.h
index 56f4da4..0ecb243 100644
--- a/inc/host_inc/status.h
+++ b/inc/host_inc/status.h
@@ -89,6 +89,8 @@ typedef enum _enclave_result_t
 CC_ERROR_REE_AGENT_NOT_INIT,
 CC_ERROR_RA_VERIFY_AGENT_NOT_INIT,
+ CC_ERROR_LOCAL_REPORT_INVALID,
+ CC_ERROR_LOCAL_REPORT_HASH_MISMATCH,
 /* secure channel */
 CC_ERROR_SEC_CHL_INVALID_CONN, /* invalid connection */
 CC_ERROR_SEC_CHL_LEN_NOT_ENOUGH, /* the buf length to store secure channle encrypt/decrypt is not enough */
-- 
2.33.0
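Review bot: Inserting `CC_ERROR_LOCAL_REPORT_INVALID` and `CC_ERROR_LOCAL_REPORT_HASH_MISMATCH` in the middle of `_enclave_result_t` renumbers every enumerator after them (all `CC_ERROR_SEC_CHL_*` codes and whatever follows), so a host binary and an enclave, or a library and an application, built against different revisions of this header disagree on what a given numeric result means, and any `%u` values logged before this change no longer map to the same names. If the enumerators are not pinned with explicit values elsewhere (not visible here), append new codes at the end of the enum instead, or give the secure-channel group fixed values. A trailing comment on the new lines, e.g. `/* local report unparsable, or nonce/uuid/ta_img/ta_mem check failed */`, would match the style of the secure-channel entries just below.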