secGear/0020-rm-e-parameter-normalize-c-parameter.patch
chenmaodong 9e62fb9925 update some bugfixs and adaptations from openeuler secGear
Signed-off-by: chenmaodong <chenmaodong@huawei.com>
2021-05-21 14:25:55 +08:00


From f7995d756490c966659976153630403ba9941c18 Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Mon, 12 Apr 2021 11:17:16 +0800
Subject: [PATCH 03/14] rm -e parameter, normalize -c parameter
---
README.en.md | 12 ++----
README.md | 10 ++---
docs/sign_tool.md | 12 +++---
examples/helloworld/enclave/CMakeLists.txt | 6 +--
examples/seal_data/enclave/CMakeLists.txt | 7 +---
.../enclave/rsa_public_key_cloud.pem | 11 ------
.../sign_tool}/rsa_public_key_cloud.pem | 0
tools/sign_tool/sign_tool.sh | 39 +++++++------------
8 files changed, 29 insertions(+), 68 deletions(-)
delete mode 100644 examples/seal_data/enclave/rsa_public_key_cloud.pem
rename {examples/helloworld/enclave => tools/sign_tool}/rsa_public_key_cloud.pem (100%)
diff --git a/README.en.md b/README.en.md
index fa47d03..0acc4f8 100644
--- a/README.en.md
+++ b/README.en.md
@@ -254,8 +254,6 @@ Set sign tool and the security side log printing level
if(CC_GP)
#set signed output
set(OUTPUT ${UUID}.sec)
- #set itrustee device key
- set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem)
set(WHITE_LIST_0 /vendor/bin/helloworld)
set(WHITE_LIST_1 /vendor/bin/secgear_test)
@@ -270,8 +268,7 @@ Set sign tool and the security side log printing level
WHITE_LIS_X sets the whitelist of itrustee, only the host binary of these paths can call this secure image,
and up to 8 list paths can be configured. WHITE_LIST_OWNER set user, this user will be applied to all whitelist paths.
-DEVICEPEM public key is used by itrustee and is used to encrypt the enclave image of the security side with the
-dynamically generated aes key. Finally, set the name of the security side image after the final signature, and
+Finally, set the name of the security side image after the final signature, and
generate auxiliary code.
if(CC_SGX)
@@ -339,8 +336,8 @@ so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options was in
add_custom_command(TARGET ${PREFIX}
POST_BUILD
- COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
- -e ${DEVICEPEM} -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT})
+ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
+ -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT})
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT}
DESTINATION /data
@@ -425,9 +422,6 @@ configuration file. For details, please refer to the official development docum
Write itrustee related configuration files
The gpd.ta.appID in the manifest.txt.in file is the uuid configuration item, which is dynamically generated,
and the other configuration items can refer to the itrustee development document.
-
-Copy the rsa_public_key_cloud.pem device public key from other examples in the project to the enclave directory.
-The device public key here is used to encrypt the enclave image with the temporarily generated aes key.
### 5 build and install test
diff --git a/README.md b/README.md
index 54c32e3..77bebd6 100644
--- a/README.md
+++ b/README.md
@@ -236,8 +236,6 @@ test_t.h该头文件为自动生成代码工具codegen通过edl文件生成
if(CC_GP)
#set signed output
set(OUTPUT ${UUID}.sec)
- #set itrustee device key
- set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem)
set(WHITE_LIST_0 /vendor/bin/helloworld)
set(WHITE_LIST_1 /vendor/bin/secgear_test)
@@ -252,7 +250,6 @@ test_t.h该头文件为自动生成代码工具codegen通过edl文件生成
WHITE_LIST_x为设置iTrustee的二进制白名单只有这里定义的白名单在非安全侧的二进制才可以调用安全侧的动态库。上限为8个。
WHITE_LIST_OWNER为设置运行二进制的用户只有该用户才可以调用安全侧动态库。
-DEVICEPEM该公钥用来动态生成aes秘钥
AUTO_FILES由edl文件生成的安全侧二进制文件
if(CC_SGX)
@@ -319,8 +316,8 @@ AUTO_FILES由edl文件生成的安全侧二进制文件
add_custom_command(TARGET ${PREFIX}
POST_BUILD
- COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
- -e ${DEVICEPEM} -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT})
+ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
+ -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT})
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT}
DESTINATION /data
@@ -391,7 +388,6 @@ itrustee需要链接secgear_tee动态库提供seal接口等。
编写itrustee enclave相关配置文件
mainfest.txt.in:其中gpd.ta.appID 为动态生成uuid。其他配置参见itrustee开发文档。
-rsa_public_key_cloud.pem文件请将其他examples的中的拷贝过来这里的设备公钥用于使用临时生成的aes密钥用于对enclave动态库进行加密。
#### 5 构建 安装
diff --git a/docs/sign_tool.md b/docs/sign_tool.md
index 26805bd..ccaa2e6 100644
--- a/docs/sign_tool.md
+++ b/docs/sign_tool.md
@@ -13,36 +13,34 @@ The tool supports the following two modes:
For example:
- `$ ./sign_tool.sh d sign x trustzone i test.enclave -m manifest.txt e device_pubkey.pem o signed.enclave `
+ `$ ./sign_tool.sh d sign x trustzone i test.enclave -c manifest.txt o signed.enclave `
- two-step method, it is used when the signature needs to be obtained from the signing organization or the private key is stored on another secure platform.
For example:
(1) generate the digest value.
- `$ ./sign_tool.sh d digest x trustzone i input -m manifest.txt e device_pubkey.pem o digest.data `
+ `$ ./sign_tool.sh d digest x trustzone i input -c manifest.txt o digest.data `
For trustzone, temporary files KeyInfo.enc, rawData.enc, and rawDataHash.bin are generated in the current directory. And for sgx, a temporary file signdata is generated in the current directory. The temporary file is required when generating the signed enclave in step 3 and is deleted after the signed enclave is generated.
(2) send the digest.data to the signing organization or platform and get the signature.
(3) use the signature to generate the signed enclave.
- `$ ./sign_tool.sh d sign x trustzone i input -m manifest.txt p pub.pem e device_pubkey.pem s signature o signed.enclave `
+ `$ ./sign_tool.sh d sign x trustzone i input -c manifest.txt p pub.pem s signature o signed.enclave `
## sign_tool.sh parameter
```
-a <parameter> API_LEVEL, indicates trustzone GP API version, defalut is 1.
- -c <file> config file.
+ -c <file> basic config file.
-d <parameter> sign tool command, sign/digest.
The sign command is used to generate a signed enclave.
The digest command is used to generate a digest value.
- -e <file> the device's public key certificate, used to protect the AES key of the encrypted rawdata,
- required by trustzone.
-f <parameter> OTRP_FLAG, indicates whether the OTRP standard protocol is supported, default is 0.
-i <file> enclave to be signed.
-k <file> private key required for single-step method, required when trustzone TA_TYPE is 2 or sgx.
- -m <file> manifest file, required by trustzone.
+ -m <file> additional config for trustzone when TA_TYPE is 2.
-o <file> output parameters, the sign command outputs sigend enclave, the digest command outputs digest value.
-p <file> signing server public key certificate, required for two-step method.
-s <file> the signed digest value required for two-step method, this parameter is empty to indicate single-step method.
diff --git a/examples/helloworld/enclave/CMakeLists.txt b/examples/helloworld/enclave/CMakeLists.txt
index c1638f8..0aefdae 100644
--- a/examples/helloworld/enclave/CMakeLists.txt
+++ b/examples/helloworld/enclave/CMakeLists.txt
@@ -27,8 +27,6 @@ add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL})
if(CC_GP)
#set signed output
set(OUTPUT ${UUID}.sec)
- #set itrustee device key
- set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem)
#set whilelist. default: /vendor/bin/teec_hello
set(WHITE_LIST_0 /vendor/bin/helloworld)
set(WHITE_LIST_OWNER root)
@@ -101,8 +99,8 @@ if(CC_GP)
add_custom_command(TARGET ${PREFIX}
POST_BUILD
- COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
- -e ${DEVICEPEM} -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT})
+ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
+ -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT})
install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}
DESTINATION /data
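Review bot: The rewritten `COMMAND bash ${SIGN_TOOL} ... -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt` line is still inside an `add_custom_command(TARGET ${PREFIX} POST_BUILD ...)` call with no `VERBATIM`, so a source or library output directory containing spaces or shell metacharacters is split or interpreted by the generator's shell before sign_tool.sh ever sees its `-i`/`-c`/`-o` arguments. The same applies to the parallel hunk in examples/seal_data/enclave/CMakeLists.txt. Since the call closes on the new `-o` line, the fix is `-o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT} VERBATIM)`. The enclosing `if(CC_GP)` block starts outside the hunk.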
diff --git a/examples/seal_data/enclave/CMakeLists.txt b/examples/seal_data/enclave/CMakeLists.txt
index 20851bd..0ddcbd5 100644
--- a/examples/seal_data/enclave/CMakeLists.txt
+++ b/examples/seal_data/enclave/CMakeLists.txt
@@ -24,9 +24,6 @@ add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL})
if(CC_GP)
#set signed output
set(OUTPUT ${UUID}.sec)
- #set itrustee device key
- set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem)
-
set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h)
#set whilelist. default: /vendor/bin/teec_hello
set(WHITE_LIST_0 /vendor/bin/seal_data)
@@ -97,8 +94,8 @@ if(CC_GP)
add_custom_command(TARGET ${PREFIX}
POST_BUILD
- COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -a 2 -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
- -e ${DEVICEPEM} -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT})
+ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -a 2 -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
+ -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT})
install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}
DESTINATION /data
diff --git a/examples/seal_data/enclave/rsa_public_key_cloud.pem b/examples/seal_data/enclave/rsa_public_key_cloud.pem
deleted file mode 100644
index a321f63..0000000
--- a/examples/seal_data/enclave/rsa_public_key_cloud.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAzAPwbnbgBg7JgXERA9Bx
-p7GLI1S3e1zL83RMd2+GXb6kO4yMKUL3NUCE2HhA2BtQYmLyGovx59UUcKnU58is
-Xux++kH+A2shmOPjYvEFuX0Kt8tc19b8M9b/iHsY8ZmKykqia2a5U+IrECRFJo5p
-DWUnl7jrHVtq78BSR1c7iXG1frrEC0AYCuqKJo/fxfmOKL0Y9mENCB3nAwjn9unD
-BsO/OhkqvvB3nkeuMfNKPh4wCqtQPve13eTojbuxjX/3ePijplTI5X2Gr+n6Ximn
-fYRlytQmMgMl/db0ARSKNApq9bmwzVNrnGWWZWJksdRvf6iL7t17Gs4L9AApOuC9
-WkzxPvwp5ZUqjsGd4oJGWeC6ZE6BTw2vxE+xMFI9uAKHxq9pBKkcGMa0g4fANNNV
-+W+8JZGanxEXKB3y/M7BCyQAPCWOHC/RNjmRA1gczLYCPzC4pWu935UZdF1RR6zY
-CD3t+FoOGGET/g4CwWgyhb5qkp65Hs6ayYt/DUAqo+yBAgMBAAE=
------END PUBLIC KEY-----
diff --git a/examples/helloworld/enclave/rsa_public_key_cloud.pem b/tools/sign_tool/rsa_public_key_cloud.pem
similarity index 100%
rename from examples/helloworld/enclave/rsa_public_key_cloud.pem
rename to tools/sign_tool/rsa_public_key_cloud.pem
diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh
index 8f2189c..212db5d 100755
--- a/tools/sign_tool/sign_tool.sh
+++ b/tools/sign_tool/sign_tool.sh
@@ -21,16 +21,14 @@ print_help(){
echo "sign tool usage: ./sign_tool.sh [options] ..."
echo "[options]"
echo "-a <parameter> API_LEVEL, indicates trustzone GP API version, defalut is 1."
- echo "-c <file> config file."
+ echo "-c <file> basic config file."
echo "-d <parameter> sign tool command, sign/digest."
echo " The sign command is used to generate a signed enclave."
echo " The digest command is used to generate a digest value."
- echo "-e <file> the device's public key certificate, used to protect the AES key of the encrypted rawdata,"
- echo " required by trustzone."
echo "-f <parameter> OTRP_FLAG, indicates whether the OTRP standard protocol is supported, default is 0."
echo "-i <file> enclave to be signed."
echo "-k <file> private key required for single-step method, required when trustzone TA_TYPE is 2 or sgx."
- echo "-m <file> manifest file, required by trustzone."
+ echo "-m <file> additional config for trustzone when TA_TYPE is 2."
echo "-o <file> output parameters, the sign command outputs sigend enclave, the digest command outputs"
echo " digest value."
echo "-p <file> signing server public key certificate, required for two-step method."
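Review bot: The new help text `-c <file> basic config file.` does not tell a trustzone user which file it now expects, yet the patched examples pass manifest.txt through `-c` and the tool aliases it as the manifest, so the old `-m` users have nothing to go on. Suggest `echo "-c <file> basic config file, for trustzone this is the manifest file."` and the same wording in docs/sign_tool.md; what `-c` means for sgx is not visible in this patch, so keep that part unchanged. print_help begins before the hunk.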
@@ -42,7 +40,7 @@ print_help(){
}
-while getopts "d:i:x:m:a:f:t:c:e:k:p:s:o:h" opt
+while getopts "d:i:x:m:a:f:t:c:k:p:s:o:h" opt
do
case $opt in
d)
@@ -73,7 +71,7 @@ do
echo "Error: parameter for -m is missing or incorrect"
exit -1
fi
- MANIFIST=$OPTARG
+ A_CONFIG_FILE=$OPTARG
;;
a)
if [[ $OPTARG =~ ^[1-3]$ ]]; then
@@ -118,13 +116,6 @@ do
fi
CONFIG_FILE=$OPTARG
;;
- e)
- if [[ $OPTARG == -* ]]; then
- echo "Error: parameter for -e is missing or incorrect"
- exit -1
- fi
- DEVICE_PUBKEY=$OPTARG
- ;;
k)
if [[ $OPTARG == -* ]]; then
echo "Error: parameter for -k is missing or incorrect"
@@ -169,23 +160,21 @@ fi
itrustee_start_sign(){
# check_native_sign
- if [ -z $MANIFIST ]; then
- echo "Error: missing manifest file for signing iTrustee enclave"
- exit -1
- fi
- if [ -z $DEVICE_PUBKEY ]; then
- echo "Error: missing device pubkey for signing iTrustee enclave"
+ MANIFEST=$CONFIG_FILE
+ if [ -z $MANIFEST ]; then
+ echo "Error: missing config file for signing iTrustee enclave"
exit -1
fi
if [ ${TA_TYPE} == 2 ]; then
- if [ -z $CONFIG_FILE]; then
- echo "Error: TA TYPE = 2, missing config file for signing iTrustee enclave"
+ if [ -z $A_CONFIG_FILE]; then
+ echo "Error: TA TYPE = 2, missing additional config file for signing iTrustee enclave"
exit -1
fi
else
- CONFIG_FILE="NULL"
+ A_CONFIG_FILE="NULL"
fi
+ DEVICE_PUBKEY=${localpath}/rsa_public_key_cloud.pem
if [ "${CMD}"x == "sign"x ]; then
if [ -z $SIGNATURE ]; then
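Review bot: `DEVICE_PUBKEY=${localpath}/rsa_public_key_cloud.pem` silently pins the key that protects the enclave image to the copy shipped beside the script, and nothing checks it exists before it is passed to sign_tool.py in the following hunk; a missing or misplaced .pem only surfaces as a python failure later. Add `[ -f "$DEVICE_PUBKEY" ] || { echo "Error: missing device pubkey ${DEVICE_PUBKEY}"; exit -1; }` right after the assignment, and a one-line comment stating that this bundled key is the platform key the signed image is expected to be encrypted for, so a later maintainer knows why the `-e` override went away. The touched line `if [ -z $A_CONFIG_FILE]; then` keeps the missing space before `]`: with `-m` given the test becomes `[ -z <path>]`, bash reports `missing ']'` on stderr and the check only passes by accident; write `if [ -z "$A_CONFIG_FILE" ]; then`, and quote `"$MANIFEST"` in the new check above it for the same reason. itrustee_start_sign continues past the end of the hunk.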
@@ -194,18 +183,18 @@ itrustee_start_sign(){
echo "missing the signature private key"
exit -1
fi
- python ${localpath}/sign_tool.py "sign" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFIST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${CONFIG_FILE}" "${SIG_KEY}"
+ python ${localpath}/sign_tool.py "sign" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFEST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${A_CONFIG_FILE}" "${SIG_KEY}"
else
DEBUG=0
if [ -z $SERVER_PUBKEY ]; then
echo "Error: missing server public key for verifying signature"
exit -1
fi
- python ${localpath}/sign_tool.py "sign" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFIST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${CONFIG_FILE}" "${SIGNATURE}" "${SERVER_PUBKEY}"
+ python ${localpath}/sign_tool.py "sign" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFEST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${A_CONFIG_FILE}" "${SIGNATURE}" "${SERVER_PUBKEY}"
fi
elif [ "${CMD}"x == "digest"x ]; then
DEBUG=0
- python ${localpath}/sign_tool.py "digest" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFIST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${CONFIG_FILE}"
+ python ${localpath}/sign_tool.py "digest" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFEST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${A_CONFIG_FILE}"
else
echo "Error: illegal command"
fi
--
2.27.0