packages/secGear
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
secGear/0064-support-local-attest.patch
qsw33 63198ecadf synchronous features
2023-09-18 11:13:44 +08:00

853 lines
32 KiB
Diff
Raw Blame History

From d866feaeb8476541025efa4325459fae3f7f3493 Mon Sep 17 00:00:00 2001
From: houmingyong <houmingyong@huawei.com>
Date: Mon, 29 May 2023 21:29:46 +0800
Subject: [PATCH] support local attest
---
CMakeLists.txt | 9 +-
component/CMakeLists.txt | 1 +
component/local_attest/CMakeLists.txt | 60 +++++++
component/local_attest/gp_local_attest.c | 153 ++++++++++++++++++
component/local_attest/local_attest_agent.h | 28 ++++
component/local_attest/sg_local_attest.c | 22 +++
component/local_attest/sg_local_attest.h | 29 ++++
component/local_attest/sgx_local_attest.c | 20 +++
.../remote_attest/ra_report/CMakeLists.txt | 2 +-
.../remote_attest/ra_report/gp_ra_report.c | 131 +--------------
.../ra_report/gp_report_helper.c | 121 ++++++++++++++
.../ra_report/gp_report_helper.h | 24 +++
.../client/secure_channel_client.c | 7 +-
.../secure_channel/enclave/CMakeLists.txt | 3 -
examples/secure_channel/basevalue.txt | 1 +
examples/secure_channel/client/client.c | 9 +-
.../client_with_recv_thread/client.c | 9 +-
inc/host_inc/status.h | 2 +
18 files changed, 489 insertions(+), 142 deletions(-)
create mode 100644 component/local_attest/CMakeLists.txt
create mode 100644 component/local_attest/gp_local_attest.c
create mode 100644 component/local_attest/local_attest_agent.h
create mode 100644 component/local_attest/sg_local_attest.c
create mode 100644 component/local_attest/sg_local_attest.h
create mode 100644 component/local_attest/sgx_local_attest.c
create mode 100644 component/remote_attest/ra_report/gp_report_helper.c
create mode 100644 component/remote_attest/ra_report/gp_report_helper.h
create mode 100644 examples/secure_channel/basevalue.txt
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 079be3b..25e6381 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -17,9 +17,6 @@ set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib)
set(LOCAL_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
-
-set(SECGEAR_DEBUG_LEVEL SECGEAR_LOG_LEVEL_DEBUG)
-add_definitions(-DSECGEAR_DEBUG_LEVEL=${SECGEAR_DEBUG_LEVEL})
message("=============cmake help info=======================")
message("Example default cmd: cmake ..")
message("same with default: cmake -DENCLAVE=SGX -DSDK_PATH=/opt/intel/sgxsdk -DSSL_PATH=/opt/intel/sgxssl ..")
@@ -40,6 +37,12 @@ set(PL_SDK_DEFAULT_PATH /root/dev/sdk)
if(CMAKE_BUILD_TYPE MATCHES "Debug")
add_definitions(-DDEBUG_FILE_LINE)
+ #set enclave log level
+ set(PRINT_LEVEL 3)
+ add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL})
+ #set host log level
+ set(SECGEAR_DEBUG_LEVEL SECGEAR_LOG_LEVEL_DEBUG)
+ add_definitions(-DSECGEAR_DEBUG_LEVEL=${SECGEAR_DEBUG_LEVEL})
endif()
set(CMAKE_C_FLAGS "-fstack-protector-all -W -Wall -Werror -Wextra -Werror=array-bounds -D_FORTIFY_SOURCE=2 -O2 -ftrapv")
set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s")
diff --git a/component/CMakeLists.txt b/component/CMakeLists.txt
index 7442334..83aa4cd 100644
--- a/component/CMakeLists.txt
+++ b/component/CMakeLists.txt
@@ -13,6 +13,7 @@ set(LIBRARY_INSTALL ${LOCAL_ROOT_PATH_INSTALL}/usr/lib64)
ADD_SUBDIRECTORY(secure_channel)
ADD_SUBDIRECTORY(remote_attest)
+ADD_SUBDIRECTORY(local_attest)
diff --git a/component/local_attest/CMakeLists.txt b/component/local_attest/CMakeLists.txt
new file mode 100644
index 0000000..45ebf82
--- /dev/null
+++ b/component/local_attest/CMakeLists.txt
@@ -0,0 +1,60 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+set(target_lib secgear_la)
+
+set(CMAKE_C_FLAGS "-W -Wall -fno-short-enums -fno-omit-frame-pointer -fstack-protector-strong -Wstack-protector \
+ --param ssp-buffer-size=4 -frecord-gcc-switches -Wextra -nostdinc -nodefaultlibs -fno-peephole \
+ -fno-peephole2 -Wno-main -Wno-error=unused-parameter -Wno-error=unused-but-set-variable \
+ -Wno-error=format-truncation= -D_FORTIFY_SOURCE=2 -O2")
+set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs -nostartfiles")
+
+set(SOURCE_FILES sg_local_attest.c)
+
+if(CC_SGX)
+ set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS}")
+ add_definitions(-DSGX_ENCLAVE)
+ set(SOURCE_FILES ${SOURCE_FILES} sgx_local_attest.c)
+endif()
+
+if(CC_GP)
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -march=armv8-a -fPIC")
+ set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-s")
+ add_definitions(-DGP_ENCLAVE)
+ aux_source_directory(${LOCAL_ROOT_PATH}/thirdparty/cjson/ CJSON_SRC)
+ FILE (GLOB_RECURSE BASE64_SRC "${LOCAL_ROOT_PATH}/thirdparty/base64url/*.c")
+ set(REPORT_HELPER ${LOCAL_ROOT_PATH}/component/remote_attest/ra_report/gp_report_helper.c)
+ set(SOURCE_FILES ${SOURCE_FILES} gp_local_attest.c ${CJSON_SRC} ${BASE64_SRC} ${REPORT_HELPER})
+ set(INCLUDE_DIR ${SDK_PATH}/include/TA
+ ${SDK_PATH}/include/TA/huawei_ext
+ ${SDK_PATH}/thirdparty/open_source/musl/libc
+ ${SDK_PATH}/thirdparty/open_source/musl/libc/arch/aarch64
+ ${SDK_PATH}/thirdparty/open_source/musl/libc/arch/generic
+ ${LOCAL_ROOT_PATH}/thirdparty/cjson
+ ${LOCAL_ROOT_PATH}/thirdparty/base64url
+ ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp/itrustee)
+endif()
+
+add_library(${target_lib} STATIC ${SOURCE_FILES})
+
+target_include_directories(${target_lib} PRIVATE
+ ${LOCAL_ROOT_PATH}/inc/host_inc
+ ${LOCAL_ROOT_PATH}/component/remote_attest
+ ${LOCAL_ROOT_PATH}/component/remote_attest/ra_report
+ ${INCLUDE_DIR})
+
+install(TARGETS ${target_lib}
+ ARCHIVE
+ DESTINATION ${LIBRARY_INSTALL}
+ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+
+file(GLOB LA_HEADERS sg_local_attest.h)
+install(FILES ${LA_HEADERS}
+ DESTINATION /usr/include/secGear
+ PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ)
diff --git a/component/local_attest/gp_local_attest.c b/component/local_attest/gp_local_attest.c
new file mode 100644
index 0000000..7f75147
--- /dev/null
+++ b/component/local_attest/gp_local_attest.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include "tee_ra_api.h"
+#include "tee_crypto_api.h"
+#include "base64url.h"
+#include "cJSON.h"
+#include "secgear_log.h"
+#include "status.h"
+#include "sg_report_st.h"
+#include "local_attest_agent.h"
+#include "gp_report_helper.h"
+
+#define CC_HASH_LEN 64
+typedef struct {
+ char *taid;
+ char *img_hash;
+ char *mem_hash;
+} gp_basevalue_t;
+
+#define HEX_ONE_CHAR_BITS 4
+#define HEX_BYTE_MAX 0xf
+
+static void hex2str(const uint8_t *source, int source_len, char *dest)
+{
+ char *hexEncode = "0123456789abcdef";
+ int i = 0, j = 0;
+ for (i = 0; i < source_len; i++) {
+ dest[j++] = hexEncode[(source[i] >> HEX_ONE_CHAR_BITS) & HEX_BYTE_MAX];
+ dest[j++] = hexEncode[(source[i]) & HEX_BYTE_MAX];
+ }
+}
+
+static cc_enclave_result_t gp_compare_hash(gp_basevalue_t *basevalue, char *ta_img, char *ta_mem)
+{
+ size_t imglen = 0;
+ size_t memlen = 0;
+ uint8_t *decodedimg = kpsecl_base64urldecode(ta_img, strlen(ta_img), &imglen);
+ uint8_t *decodedmem = kpsecl_base64urldecode(ta_mem, strlen(ta_mem), &memlen);
+
+ char heximg[CC_HASH_LEN + 1] = {0};
+ char hexmem[CC_HASH_LEN + 1] = {0};
+ hex2str(decodedimg, imglen, heximg);
+ hex2str(decodedmem, memlen, hexmem);
+ free(decodedimg);
+ free(decodedmem);
+
+ PrintInfo(PRINT_STRACE, "heximg:%s, hexmem:%s", heximg, hexmem);
+ PrintInfo(PRINT_STRACE, "img_hash:%s, mem_hash:%s", basevalue->img_hash, basevalue->mem_hash);
+
+ if (memcmp(heximg, basevalue->img_hash, strlen(basevalue->img_hash)) != 0 ||
+ memcmp(hexmem, basevalue->mem_hash, strlen(basevalue->mem_hash)) != 0) {
+ PrintInfo(PRINT_ERROR, "verify local report hash failed!\n");
+ return CC_ERROR_LOCAL_REPORT_HASH_MISMATCH;
+ }
+ return CC_SUCCESS;
+}
+
+static cc_enclave_result_t gp_verify_local_report(gp_basevalue_t *basevalue, uint8_t *nonce, size_t nonce_len,
+ cc_ra_buf_t *report)
+{
+ char *b64_nonce = NULL;
+ size_t b64_nonce_len = 0;
+ cc_enclave_result_t ret = CC_ERROR_LOCAL_REPORT_INVALID;
+
+ cJSON *cj_report = cJSON_ParseWithLength((char *)report->buf, report->len);
+ if (cj_report == NULL) {
+ PrintInfo(PRINT_ERROR, "report to json failed\n");
+ return ret;
+ }
+ cJSON *cj_payload = cJSON_GetObjectItemCaseSensitive(cj_report, "payload");
+ if (cj_payload == NULL) {
+ PrintInfo(PRINT_ERROR, "report payload failed!\n");
+ goto end;
+ }
+ b64_nonce = kpsecl_base64urlencode(nonce, nonce_len, &b64_nonce_len);
+ cJSON *cj_b64_nonce = cJSON_GetObjectItemCaseSensitive(cj_payload, "nonce");
+ if (cj_b64_nonce == NULL || strcmp(cj_b64_nonce->valuestring, b64_nonce)) {
+ PrintInfo(PRINT_ERROR, "check nonce value failed!\n");
+ free(b64_nonce);
+ goto end;
+ }
+ free(b64_nonce);
+
+ cJSON *cj_uuid = cJSON_GetObjectItemCaseSensitive(cj_payload, "uuid");
+ if (cj_uuid == NULL || strcmp(cj_uuid->valuestring, basevalue->taid)) {
+ PrintInfo(PRINT_ERROR, "check uuid failed!\n");
+ goto end;
+ }
+ cJSON *cj_ta_img = cJSON_GetObjectItemCaseSensitive(cj_payload, "ta_img");
+ if (cj_ta_img == NULL) {
+ PrintInfo(PRINT_ERROR, "check ta_img failed!\n");
+ goto end;
+ }
+ cJSON *cj_ta_mem = cJSON_GetObjectItemCaseSensitive(cj_payload, "ta_mem");
+ if (cj_ta_mem == NULL) {
+ PrintInfo(PRINT_ERROR, "check ta_mem failed!\n");
+ goto end;
+ }
+
+ ret = gp_compare_hash(basevalue, cj_ta_img->valuestring, cj_ta_mem->valuestring);
+end:
+ cJSON_Delete(cj_report);
+
+ return ret;
+}
+
+#define LOCAL_REPORT_OUT_LEN 0x3000
+#define LOCAL_REPORT_NONCE_LEN 32
+cc_enclave_result_t agent_local_attest(char *taid, char *img_hash, char *mem_hash)
+{
+ cc_get_ra_report_input_t ra_input = {0};
+ ra_input.taid = (uint8_t *)taid;
+ ra_input.with_tcb = false;
+
+ TEE_GenerateRandom(ra_input.nonce, LOCAL_REPORT_NONCE_LEN);
+ ra_input.nonce_len = LOCAL_REPORT_NONCE_LEN + 1;
+
+ cc_ra_buf_t *in = NULL;
+ cc_enclave_result_t ret = gen_ra_report_in_buff(&ra_input, &in);
+ if (ret != CC_SUCCESS) {
+ PrintInfo(PRINT_ERROR, "gen ra report in buff error! ret:%x\n", ret);
+ return -1;
+ }
+
+ uint8_t data[LOCAL_REPORT_OUT_LEN] = {0};
+ cc_ra_buf_t report = {LOCAL_REPORT_OUT_LEN, data};
+
+ TEE_Result gp_ret = ra_local_report((struct ra_buffer_data *)in, (struct ra_buffer_data *)&report);
+ free_cc_ra_buf(in);
+ if (gp_ret != CC_SUCCESS) {
+ PrintInfo(PRINT_ERROR, "get ra report failed, ret:%x\n", gp_ret);
+ return CC_ERROR_RA_GET_REPORT;
+ }
+
+ gp_basevalue_t basevalue = {
+ .taid = taid,
+ .img_hash = img_hash,
+ .mem_hash = mem_hash,
+ };
+ return gp_verify_local_report(&basevalue, ra_input.nonce, ra_input.nonce_len, &report);
+}
diff --git a/component/local_attest/local_attest_agent.h b/component/local_attest/local_attest_agent.h
new file mode 100644
index 0000000..c79bc03
--- /dev/null
+++ b/component/local_attest/local_attest_agent.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+#ifndef SECGEAR_LOCAL_ATTEST_AGENT_H
+#define SECGEAR_LOCAL_ATTEST_AGENT_H
+
+#include "status.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+cc_enclave_result_t agent_local_attest(char *taid, char *img_hash, char *mem_hash);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/component/local_attest/sg_local_attest.c b/component/local_attest/sg_local_attest.c
new file mode 100644
index 0000000..f94473e
--- /dev/null
+++ b/component/local_attest/sg_local_attest.c
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+#include "sg_local_attest.h"
+#include "local_attest_agent.h"
+
+cc_enclave_result_t cc_local_attest(char *taid, char *img_hash, char *mem_hash)
+{
+ if (taid == NULL || (img_hash == NULL && mem_hash == NULL)) {
+ return CC_ERROR_BAD_PARAMETERS;
+ }
+
+ return agent_local_attest(taid, img_hash, mem_hash);
+}
diff --git a/component/local_attest/sg_local_attest.h b/component/local_attest/sg_local_attest.h
new file mode 100644
index 0000000..97f31ef
--- /dev/null
+++ b/component/local_attest/sg_local_attest.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+#ifndef SECGEAR_LOCAL_ATTESTATION_H
+#define SECGEAR_LOCAL_ATTESTATION_H
+
+#include "status.h"
+#include "secgear_defs.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+CC_API_SPEC cc_enclave_result_t cc_local_attest(char *taid, char *img_hash, char *mem_hash);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/component/local_attest/sgx_local_attest.c b/component/local_attest/sgx_local_attest.c
new file mode 100644
index 0000000..aa772b0
--- /dev/null
+++ b/component/local_attest/sgx_local_attest.c
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+#include "local_attest_agent.h"
+
+cc_enclave_result_t agent_local_attest(char *taid, char *img_hash, char *mem_hash)
+{
+ (void)taid;
+ (void)img_hash;
+ (void)mem_hash;
+ return CC_SUCCESS;
+}
diff --git a/component/remote_attest/ra_report/CMakeLists.txt b/component/remote_attest/ra_report/CMakeLists.txt
index 2f00dc7..4314f02 100644
--- a/component/remote_attest/ra_report/CMakeLists.txt
+++ b/component/remote_attest/ra_report/CMakeLists.txt
@@ -20,7 +20,7 @@ endif()
if(CC_GP)
aux_source_directory(${LOCAL_ROOT_PATH}/thirdparty/cjson/ CJSON_SRC)
FILE (GLOB_RECURSE BASE64_SRC "${LOCAL_ROOT_PATH}/thirdparty/base64url/*.c")
- set(SRC_FILES ${SRC_FILES} ${CJSON_SRC} ${BASE64_SRC} gp_ra_report.c)
+ set(SRC_FILES ${SRC_FILES} ${CJSON_SRC} ${BASE64_SRC} gp_ra_report.c gp_report_helper.c)
set(INCLUDE_DIR ${SDK_PATH}/include/CA
${LOCAL_ROOT_PATH}/thirdparty/cjson
${LOCAL_ROOT_PATH}/thirdparty/libqca
diff --git a/component/remote_attest/ra_report/gp_ra_report.c b/component/remote_attest/ra_report/gp_ra_report.c
index 4625cd3..ca1fa03 100644
--- a/component/remote_attest/ra_report/gp_ra_report.c
+++ b/component/remote_attest/ra_report/gp_ra_report.c
@@ -13,136 +13,8 @@
#include <string.h>
#include "ra_client_api.h"
#include "enclave_log.h"
-#include "cJSON.h"
-#include "base64url.h"
-
#include "uni_ree_agent.h"
-
-static void free_cc_ra_buf(cc_ra_buf_t *ra_buf)
-{
- if (ra_buf == NULL) {
- return;
- }
- if (ra_buf->buf != NULL) {
- free(ra_buf->buf);
- }
-
- free(ra_buf);
- return;
-}
-
-/* caller need to free (cc_ra_buf_t **in) */
-static cc_enclave_result_t gen_provision_no_as_in_buff(cc_ra_buf_t **in)
-{
- if (in == NULL) {
- return CC_ERROR_BAD_PARAMETERS;
- }
- cc_enclave_result_t ret = CC_SUCCESS;
- cJSON *in_json = cJSON_CreateObject();
- cJSON_AddStringToObject(in_json, "handler", "provisioning-input");
-
- cJSON *in_payload = cJSON_CreateObject();
- cJSON_AddStringToObject(in_payload, "version", "TEE.RA.1.0");
- cJSON_AddStringToObject(in_payload, "scenario", "sce_no_as");
- cJSON_AddStringToObject(in_payload, "hash_alg", "HS256");
-
- cJSON_AddItemToObject(in_json, "payload", in_payload);
-
- char *in_buf = cJSON_PrintUnformatted(in_json);
- uint32_t in_buf_len = strlen(in_buf) + 1;
-
- cc_ra_buf_t *tmp_ra_buf = calloc(1, sizeof(cc_ra_buf_t));
- if (tmp_ra_buf == NULL) {
- ret = CC_ERROR_RA_MEMORY;
- goto end;
- }
- tmp_ra_buf->buf = calloc(1, in_buf_len);
- if (tmp_ra_buf->buf == NULL) {
- ret = CC_ERROR_RA_MEMORY;
- free(tmp_ra_buf);
- goto end;
- }
- (void)memcpy(tmp_ra_buf->buf, in_buf, in_buf_len);
- tmp_ra_buf->len = in_buf_len;
-
- *in = tmp_ra_buf;
-end:
- cJSON_free(in_buf);
- cJSON_Delete(in_json);
- return ret;
-}
-
-/* caller need to free (cc_ra_buf_t **in) */
-static cc_enclave_result_t gen_ra_report_in_buff(cc_get_ra_report_input_t *param, cc_ra_buf_t **json_buf)
-{
- if (param == NULL || param->taid == NULL || json_buf == NULL) {
- return CC_ERROR_BAD_PARAMETERS;
- }
- cc_enclave_result_t ret = CC_SUCCESS;
- cJSON *in_json = cJSON_CreateObject();
- cJSON_AddStringToObject(in_json, "handler", "report-input");
-
- size_t b64_nonce_len = 0;
- char *b64_nonce = kpsecl_base64urlencode(param->nonce, param->nonce_len, &b64_nonce_len);
-
- cJSON *in_payload = cJSON_CreateObject();
- cJSON_AddStringToObject(in_payload, "version", "TEE.RA.1.0");
- cJSON_AddStringToObject(in_payload, "nonce", b64_nonce);
- free(b64_nonce);
- cJSON_AddStringToObject(in_payload, "uuid", (char *)param->taid);
- cJSON_AddStringToObject(in_payload, "hash_alg", "HS256");
- cJSON_AddBoolToObject(in_payload, "with_tcb", param->with_tcb);
- if (param->req_key) {
- cJSON_AddBoolToObject(in_payload, "request_key", param->req_key);
- }
-
- cJSON_AddItemToObject(in_json, "payload", in_payload);
-
- char *in_buf = cJSON_PrintUnformatted(in_json);
- uint32_t in_buf_len = strlen(in_buf) + 1;
-
- print_debug("get ra report input json buf:%s\n", in_buf);
-
- cc_ra_buf_t *tmp_ra_buf = calloc(1, sizeof(cc_ra_buf_t));
- if (tmp_ra_buf == NULL) {
- ret = CC_ERROR_RA_MEMORY;
- goto end;
- }
- tmp_ra_buf->buf = calloc(1, in_buf_len);
- if (tmp_ra_buf->buf == NULL) {
- ret = CC_ERROR_RA_MEMORY;
- free(tmp_ra_buf);
- goto end;
- }
- (void)memcpy(tmp_ra_buf->buf, in_buf, in_buf_len);
- tmp_ra_buf->len = in_buf_len;
-
- *json_buf = (cc_ra_buf_t *)tmp_ra_buf;
-end:
- cJSON_free(in_buf);
- cJSON_Delete(in_json);
- return ret;
-}
-
-static void print_ra_report(cc_ra_buf_t *report)
-{
- if (report == NULL || report->buf == NULL) {
- return;
- }
- cJSON *cj_report = cJSON_ParseWithLength((char *)report->buf, report->len);
- if (cj_report == NULL) {
- // print_debug("cjson parse report error!\n");
- return;
- }
- char *str_report = cJSON_Print(cj_report);
-
- print_debug("report:%s\n", str_report);
- print_debug("report len:%u, str_len:%lu\n", report->len, strlen(str_report));
-
- cJSON_free(str_report);
- cJSON_Delete(cj_report);
- return;
-}
+#include "gp_report_helper.h"
#define PROVISION_OUT_LEN 0x3000
static cc_enclave_result_t gp_ra_provision_no_as()
@@ -195,7 +67,6 @@ static cc_enclave_result_t gp_get_ra_report(cc_get_ra_report_input_t *in, cc_ra_
print_error_term("get ra report failed, ret:%x\n", gp_ret);
return CC_ERROR_RA_GET_REPORT;
}
- print_ra_report(report);
return CC_SUCCESS;
}
diff --git a/component/remote_attest/ra_report/gp_report_helper.c b/component/remote_attest/ra_report/gp_report_helper.c
new file mode 100644
index 0000000..0a73745
--- /dev/null
+++ b/component/remote_attest/ra_report/gp_report_helper.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+#include <stdlib.h>
+#include <string.h>
+#include "cJSON.h"
+#include "base64url.h"
+#include "gp_report_helper.h"
+
+void free_cc_ra_buf(cc_ra_buf_t *ra_buf)
+{
+ if (ra_buf == NULL) {
+ return;
+ }
+ if (ra_buf->buf != NULL) {
+ free(ra_buf->buf);
+ }
+
+ free(ra_buf);
+ return;
+}
+
+/* caller need to free (cc_ra_buf_t **in) */
+cc_enclave_result_t gen_provision_no_as_in_buff(cc_ra_buf_t **in)
+{
+ if (in == NULL) {
+ return CC_ERROR_BAD_PARAMETERS;
+ }
+ cc_enclave_result_t ret = CC_SUCCESS;
+ cJSON *in_json = cJSON_CreateObject();
+ cJSON_AddStringToObject(in_json, "handler", "provisioning-input");
+
+ cJSON *in_payload = cJSON_CreateObject();
+ cJSON_AddStringToObject(in_payload, "version", "TEE.RA.1.0");
+ cJSON_AddStringToObject(in_payload, "scenario", "sce_no_as");
+ cJSON_AddStringToObject(in_payload, "hash_alg", "HS256");
+
+ cJSON_AddItemToObject(in_json, "payload", in_payload);
+
+ char *in_buf = cJSON_PrintUnformatted(in_json);
+ uint32_t in_buf_len = strlen(in_buf) + 1;
+
+ cc_ra_buf_t *tmp_ra_buf = calloc(1, sizeof(cc_ra_buf_t));
+ if (tmp_ra_buf == NULL) {
+ ret = CC_ERROR_RA_MEMORY;
+ goto end;
+ }
+ tmp_ra_buf->buf = calloc(1, in_buf_len);
+ if (tmp_ra_buf->buf == NULL) {
+ ret = CC_ERROR_RA_MEMORY;
+ free(tmp_ra_buf);
+ goto end;
+ }
+ (void)memcpy(tmp_ra_buf->buf, in_buf, in_buf_len);
+ tmp_ra_buf->len = in_buf_len;
+
+ *in = tmp_ra_buf;
+end:
+ cJSON_free(in_buf);
+ cJSON_Delete(in_json);
+ return ret;
+}
+
+/* caller need to free (cc_ra_buf_t **in) */
+cc_enclave_result_t gen_ra_report_in_buff(cc_get_ra_report_input_t *param, cc_ra_buf_t **json_buf)
+{
+ if (param == NULL || param->taid == NULL || json_buf == NULL) {
+ return CC_ERROR_BAD_PARAMETERS;
+ }
+ cc_enclave_result_t ret = CC_SUCCESS;
+ cJSON *in_json = cJSON_CreateObject();
+ cJSON_AddStringToObject(in_json, "handler", "report-input");
+
+ size_t b64_nonce_len = 0;
+ char *b64_nonce = kpsecl_base64urlencode(param->nonce, param->nonce_len, &b64_nonce_len);
+
+ cJSON *in_payload = cJSON_CreateObject();
+ cJSON_AddStringToObject(in_payload, "version", "TEE.RA.1.0");
+ cJSON_AddStringToObject(in_payload, "nonce", b64_nonce);
+ free(b64_nonce);
+ cJSON_AddStringToObject(in_payload, "uuid", (char *)param->taid);
+ cJSON_AddStringToObject(in_payload, "hash_alg", "HS256");
+ cJSON_AddBoolToObject(in_payload, "with_tcb", param->with_tcb);
+ if (param->req_key) {
+ cJSON_AddBoolToObject(in_payload, "request_key", param->req_key);
+ }
+
+ cJSON_AddItemToObject(in_json, "payload", in_payload);
+
+ char *in_buf = cJSON_PrintUnformatted(in_json);
+ uint32_t in_buf_len = strlen(in_buf) + 1;
+
+ cc_ra_buf_t *tmp_ra_buf = calloc(1, sizeof(cc_ra_buf_t));
+ if (tmp_ra_buf == NULL) {
+ ret = CC_ERROR_RA_MEMORY;
+ goto end;
+ }
+ tmp_ra_buf->buf = calloc(1, in_buf_len);
+ if (tmp_ra_buf->buf == NULL) {
+ ret = CC_ERROR_RA_MEMORY;
+ free(tmp_ra_buf);
+ goto end;
+ }
+ (void)memcpy(tmp_ra_buf->buf, in_buf, in_buf_len);
+ tmp_ra_buf->len = in_buf_len;
+
+ *json_buf = (cc_ra_buf_t *)tmp_ra_buf;
+end:
+ cJSON_free(in_buf);
+ cJSON_Delete(in_json);
+ return ret;
+}
+
diff --git a/component/remote_attest/ra_report/gp_report_helper.h b/component/remote_attest/ra_report/gp_report_helper.h
new file mode 100644
index 0000000..58786d9
--- /dev/null
+++ b/component/remote_attest/ra_report/gp_report_helper.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+ * secGear is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+#ifndef SECGEAR_GP_REPORT_HELPER_H
+#define SECGEAR_GP_REPORT_HELPER_H
+
+#include "status.h"
+#include "sg_report_st.h"
+
+cc_enclave_result_t gen_provision_no_as_in_buff(cc_ra_buf_t **in);
+cc_enclave_result_t gen_ra_report_in_buff(cc_get_ra_report_input_t *param, cc_ra_buf_t **json_buf);
+void free_cc_ra_buf(cc_ra_buf_t *ra_buf);
+
+#endif
+
diff --git a/component/secure_channel/client/secure_channel_client.c b/component/secure_channel/client/secure_channel_client.c
index 27b0812..21067b1 100644
--- a/component/secure_channel/client/secure_channel_client.c
+++ b/component/secure_channel/client/secure_channel_client.c
@@ -191,10 +191,11 @@ static cc_enclave_result_t get_taid_from_file(char *file, char *taid)
}
int ret = fscanf(fp, "%s", taid); // only read taid from line
-
- printf("read ret:%d, taid:%s\n", ret, taid);
-
fclose(fp);
+ if (ret < 0) {
+ printf("secure channel init read taid and hash from file failed\n");
+ return CC_ERROR_SEC_CHL_INIT_GET_TAID;
+ }
return CC_SUCCESS;
}
diff --git a/component/secure_channel/enclave/CMakeLists.txt b/component/secure_channel/enclave/CMakeLists.txt
index a84de8a..b2050fb 100644
--- a/component/secure_channel/enclave/CMakeLists.txt
+++ b/component/secure_channel/enclave/CMakeLists.txt
@@ -14,9 +14,6 @@ set(PREFIX secure_channel)
set(SOURCE_FILES secure_channel_enclave.c ${CMAKE_CURRENT_SOURCE_DIR}/../secure_channel_common.c)
FILE (GLOB_RECURSE BASE64_SRC "${LOCAL_ROOT_PATH}/thirdparty/base64url/*.c")
-set(PRINT_LEVEL 3)
-add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL})
-
if(CC_GP)
add_definitions(-DGP_ENCLAVE)
set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h)
diff --git a/examples/secure_channel/basevalue.txt b/examples/secure_channel/basevalue.txt
new file mode 100644
index 0000000..694c455
--- /dev/null
+++ b/examples/secure_channel/basevalue.txt
@@ -0,0 +1 @@
+7763a15a-0a9e-4e86-90cd-e4262583948a 8b7373be89840534eafc2836110b31c7fee5b96ebbab09a1db87c34be393afee 52bc57fb201ebd00fcc66059084dfb38e98c0e4d11d7131d29448bc6f7cb5939
diff --git a/examples/secure_channel/client/client.c b/examples/secure_channel/client/client.c
index 08d2574..28b3695 100644
--- a/examples/secure_channel/client/client.c
+++ b/examples/secure_channel/client/client.c
@@ -49,6 +49,13 @@ int main(int argc, char **argv)
cc_enclave_result_t ret;
struct sockaddr_in svr_addr;
+ char *ta_basevalue_file = "../basevalue.txt";
+ char basevalue_real_path[PATH_MAX] = {0};
+ if (realpath(ta_basevalue_file, basevalue_real_path) == NULL) {
+ printf("ta basevalue file path error\n");
+ return -1;
+ }
+
sockfd = socket(AF_INET, SOCK_STREAM, 0);
if (sockfd == -1) {
printf("create socket failed\n");
@@ -69,7 +76,7 @@ int main(int argc, char **argv)
// step1: 初始化安全通道客户端,注册消息发送函数
g_ctx.conn_kit.send = (void *)socket_write_and_read;
g_ctx.conn_kit.conn = &sockfd;
- g_ctx.basevalue = "/vendor/bin/basevalue.txt"; // content format:taid image_hash mem_hash
+ g_ctx.basevalue = basevalue_real_path; // content format:taid image_hash mem_hash
ret = cc_sec_chl_client_init(CC_SEC_CHL_ALGO_RSA_ECDH_AES_GCM, &g_ctx);
if (ret != CC_SUCCESS) {
printf("secure channel init failed:%u\n", ret);
diff --git a/examples/secure_channel/client_with_recv_thread/client.c b/examples/secure_channel/client_with_recv_thread/client.c
index db142bb..d492624 100644
--- a/examples/secure_channel/client_with_recv_thread/client.c
+++ b/examples/secure_channel/client_with_recv_thread/client.c
@@ -67,6 +67,13 @@ int main(int argc, char **argv)
cc_enclave_result_t ret;
struct sockaddr_in svr_addr;
+ char *ta_basevalue_file = "../basevalue.txt";
+ char basevalue_real_path[PATH_MAX] = {0};
+ if (realpath(ta_basevalue_file, basevalue_real_path) == NULL) {
+ printf("ta basevalue file path error\n");
+ return -1;
+ }
+
sockfd = socket(AF_INET, SOCK_STREAM, 0);
if (sockfd == -1) {
printf("create socket failed\n");
@@ -87,7 +94,7 @@ int main(int argc, char **argv)
// step1: 初始化安全通道客户端,注册消息发送函数
g_ctx.conn_kit.send = (void *)socket_write_adpt;
g_ctx.conn_kit.conn = &sockfd;
- g_ctx.basevalue = "/vendor/bin/basevalue.txt"; // content format:taid image_hash mem_hash
+ g_ctx.basevalue = basevalue_real_path; // content format:taid image_hash mem_hash
// step2: 创建消息接收线程
pthread_t thread;
diff --git a/inc/host_inc/status.h b/inc/host_inc/status.h
index 56f4da4..0ecb243 100644
--- a/inc/host_inc/status.h
+++ b/inc/host_inc/status.h
@@ -89,6 +89,8 @@ typedef enum _enclave_result_t
CC_ERROR_REE_AGENT_NOT_INIT,
CC_ERROR_RA_VERIFY_AGENT_NOT_INIT,
+ CC_ERROR_LOCAL_REPORT_INVALID,
+ CC_ERROR_LOCAL_REPORT_HASH_MISMATCH,
/* secure channel */
CC_ERROR_SEC_CHL_INVALID_CONN, /* invalid connection */
CC_ERROR_SEC_CHL_LEN_NOT_ENOUGH, /* the buf length to store secure channle encrypt/decrypt is not enough */
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink