├── .clang-format ├── .github ├── actions │ └── generate-random-port │ │ ├── action.yml │ │ └── generate_port.sh └── workflows │ ├── pr_basic_compilation_check.yml │ └── tee_check.yml ├── .gitignore ├── CMakeLists.txt ├── MAINTAINERS ├── Makefile ├── README.md ├── VERSION ├── asn1 └── rats-tls.asn1 ├── cmake ├── CMakeUninstall.cmake.in ├── CompilerOptions.cmake ├── CustomInstallDirs.cmake ├── FindRatsTls.cmake ├── FindSGX.cmake ├── FindSGXSSL.cmake ├── FindSgxDcapQuoteVerify.cmake ├── LibCBOR.cmake ├── SGXCommon.cmake └── SGXSSL.cmake ├── dist ├── Makefile ├── deb │ ├── build.sh │ └── debian │ │ ├── changelog.in │ │ ├── compat │ │ ├── control.in │ │ ├── rules.in │ │ └── source │ │ └── format └── rpm │ ├── rats-tls-filelist │ ├── rats-tls-sgx-filelist │ └── rats_tls.spec.in ├── docs ├── design │ ├── architecture.png │ ├── design-zh.md │ ├── design.md │ ├── endorsements-extension-for-rats-tls.md │ ├── initialization.png │ ├── mutual_attestation.png │ ├── rats_tls_cleanup.png │ ├── rats_tls_init.png │ ├── rats_tls_negotiate.png │ ├── rats_tls_transmite.png │ └── x509.png └── run_rats_tls_with_occlum.md ├── fuzz ├── CMakeLists.txt ├── README.md ├── tls_init │ ├── CMakeLists.txt │ └── fuzz_init.cc ├── tls_negotiate │ ├── CMakeLists.txt │ └── fuzz_negotiate.cc ├── tls_server │ ├── CMakeLists.txt │ └── fuzz_server.cc └── tls_transmit │ ├── CMakeLists.txt │ └── fuzz_transmit.cc ├── hacks ├── README.md ├── rats-tls-cert-openssl-sample.pem └── rats-tls-cert-sample.pem ├── samples ├── CMakeLists.txt ├── rats-tls-client │ ├── CMakeLists.txt │ └── client.c ├── rats-tls-server │ ├── CMakeLists.txt │ └── server.c └── sgx-stub-enclave │ ├── CMakeLists.txt │ ├── sgx_stub.edl │ ├── sgx_stub_ecall.c │ ├── sgx_stub_enclave.lds │ ├── sgx_stub_enclave.pem │ └── sgx_stub_enclave.xml └── src ├── CMakeLists.txt ├── api ├── rats_tls_callback.c ├── rats_tls_cleanup.c ├── rats_tls_init.c ├── rats_tls_negotiate.c ├── rats_tls_receive.c └── rats_tls_transmit.c ├── attesters ├── CMakeLists.txt ├── api │ └── enclave_attester_register.c ├── csv │ ├── CMakeLists.txt │ ├── cleanup.c │ ├── collect_evidence.c │ ├── csv_utils.c │ ├── csv_utils.h │ ├── init.c │ ├── main.c │ └── pre_init.c ├── internal │ ├── enclave_attester.c │ ├── rtls_enclave_attester_load_all.c │ ├── rtls_enclave_attester_load_single.c │ └── rtls_enclave_attester_select.c ├── nullattester │ ├── CMakeLists.txt │ ├── cleanup.c │ ├── collect_endorsements.c │ ├── collect_evidence.c │ ├── init.c │ ├── main.c │ └── pre_init.c ├── sev-snp │ ├── CMakeLists.txt │ ├── cleanup.c │ ├── collect_evidence.c │ ├── init.c │ ├── main.c │ ├── pre_init.c │ └── sev_snp.h ├── sev │ ├── CMakeLists.txt │ ├── cleanup.c │ ├── collect_evidence.c │ ├── init.c │ ├── main.c │ ├── pre_init.c │ ├── sev.h │ └── ttrpc │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── build.rs │ │ ├── rust-toolchain.toml │ │ └── src │ │ ├── lib.rs │ │ ├── protocols │ │ ├── mod.rs │ │ ├── proto │ │ │ └── aeb.proto │ │ └── sev │ │ │ └── mod.rs │ │ └── sev_evidence.rs ├── sgx-ecdsa │ ├── CMakeLists.txt │ ├── cleanup.c │ ├── collect_endorsements.c │ ├── collect_evidence.c │ ├── init.c │ ├── main.c │ ├── pre_init.c │ └── quote_generation.h ├── sgx-la │ ├── CMakeLists.txt │ ├── cleanup.c │ ├── collect_evidence.c │ ├── init.c │ ├── main.c │ └── pre_init.c └── tdx-ecdsa │ ├── CMakeLists.txt │ ├── cleanup.c │ ├── collect_endorsements.c │ ├── collect_evidence.c │ ├── init.c │ ├── main.c │ └── pre_init.c ├── core ├── claim.c ├── cpu.c ├── dice.c ├── endorsement.c ├── main.c ├── rtls_common.c └── rtls_core_generate_certificate.c ├── crypto_wrappers ├── CMakeLists.txt ├── api │ └── crypto_wrapper_register.c ├── internal │ ├── crypto_wrapper.c │ ├── rtls_crypto_wrapper_load_all.c │ ├── rtls_crypto_wrapper_load_single.c │ └── rtls_crypto_wrapper_select.c ├── nullcrypto │ ├── CMakeLists.txt │ ├── cleanup.c │ ├── gen_cert.c │ ├── gen_hash.c │ ├── gen_privkey.c │ ├── gen_pubkey_hash.c │ ├── init.c │ ├── main.c │ └── pre_init.c └── openssl │ ├── CMakeLists.txt │ ├── cleanup.c │ ├── gen_cert.c │ ├── gen_hash.c │ ├── gen_privkey.c │ ├── gen_pubkey_hash.c │ ├── init.c │ ├── main.c │ ├── openssl.h │ └── pre_init.c ├── external └── sgx-ssl │ └── patch │ └── 0001-add-ssl-library-enclave-support.patch ├── include ├── edl │ ├── rtls.edl │ ├── rtls_socket.edl │ ├── rtls_socket.h │ ├── rtls_syscalls.edl │ ├── rtls_syscalls.h │ ├── sgx_dummy.edl │ ├── sgx_ecdsa.edl │ ├── sgx_la.edl │ └── sgx_tsgxssl.edl ├── internal │ ├── attester.h │ ├── core.h │ ├── cpu.h │ ├── crypto_wrapper.h │ ├── dice.h │ ├── tls_wrapper.h │ └── verifier.h └── rats-tls │ ├── api.h │ ├── attester.h │ ├── cert.h │ ├── claim.h │ ├── compilation.h │ ├── crypto_wrapper.h │ ├── csv.h │ ├── endorsement.h │ ├── err.h │ ├── hash.h │ ├── log.h │ ├── sgx.h │ ├── tls_wrapper.h │ └── verifier.h ├── sgx ├── CMakeLists.txt ├── trust │ ├── CMakeLists.txt │ ├── rtls_syscalls.c │ ├── sgx_dummy.c │ └── sgx_ecdsa_ecalls.c └── untrust │ ├── CMakeLists.txt │ ├── rtls_openssl_ocall.c │ ├── rtls_socket_ocall.c │ ├── rtls_syscalls_ocall.c │ ├── sgx_ecdsa_ocall.c │ └── sgx_la_ocall.c ├── tls_wrappers ├── CMakeLists.txt ├── api │ ├── tls_wrapper_register.c │ └── tls_wrapper_verify_certificate_extension.c ├── internal │ ├── rtls_tls_wrapper_load_all.c │ ├── rtls_tls_wrapper_load_single.c │ ├── rtls_tls_wrapper_select.c │ └── tls_wrapper.c ├── nulltls │ ├── CMakeLists.txt │ ├── cleanup.c │ ├── init.c │ ├── main.c │ ├── negotiate.c │ ├── pre_init.c │ ├── receive.c │ ├── transmit.c │ ├── use_cert.c │ └── use_privkey.c └── openssl │ ├── CMakeLists.txt │ ├── cleanup.c │ ├── init.c │ ├── main.c │ ├── negotiate.c │ ├── openssl.h │ ├── pre_init.c │ ├── receive.c │ ├── transmit.c │ ├── un_negotiate.c │ ├── use_cert.c │ ├── use_privkey.c │ └── x509_openssl10x.c └── verifiers ├── CMakeLists.txt ├── api └── enclave_verifier_register.c ├── csv ├── CMakeLists.txt ├── cleanup.c ├── hygoncert.c ├── hygoncert.h ├── init.c ├── main.c ├── pre_init.c └── verify_evidence.c ├── internal ├── enclave_verifier.c ├── rtls_enclave_verifier_load_all.c ├── rtls_enclave_verifier_load_single.c └── rtls_enclave_verifier_select.c ├── nullverifier ├── CMakeLists.txt ├── cleanup.c ├── init.c ├── main.c ├── pre_init.c └── verify_evidence.c ├── sev-snp ├── CMakeLists.txt ├── cleanup.c ├── crypto.c ├── crypto.h ├── init.c ├── main.c ├── pre_init.c ├── sevapi.h ├── utils.c ├── utils.h ├── verify_evidence.c ├── x509cert.c └── x509cert.h ├── sev ├── CMakeLists.txt ├── amdcert.c ├── amdcert.h ├── cleanup.c ├── init.c ├── main.c ├── pre_init.c ├── sev_utils.c ├── sev_utils.h ├── sevcert.c ├── sevcert.h └── verify_evidence.c ├── sgx-ecdsa-qve ├── CMakeLists.txt ├── cleanup.c ├── init.c ├── main.c ├── pre_init.c └── verify_evidence.c ├── sgx-ecdsa ├── CMakeLists.txt ├── cleanup.c ├── init.c ├── main.c ├── pre_init.c ├── quote_verification.h └── verify_evidence.c ├── sgx-la ├── CMakeLists.txt ├── cleanup.c ├── init.c ├── main.c ├── pre_init.c └── verify_evidence.c └── tdx-ecdsa ├── CMakeLists.txt ├── cleanup.c ├── init.c ├── main.c ├── pre_init.c ├── tdx-ecdsa.h └── verify_evidence.c /.github/actions/generate-random-port/action.yml: -------------------------------------------------------------------------------- 1 | name: 'generate_port' 2 | description: 'generate_port' 3 | outputs: 4 | random-port: 5 | description: "Random port" 6 | value: ${{ steps.random-port-generator.outputs.random-port }} 7 | runs: 8 | using: "composite" 9 | steps: 10 | - id: random-port-generator 11 | run: echo "random-port=$(bash $GITHUB_WORKSPACE/.github/actions/generate-random-port/generate_port.sh)" >> $GITHUB_OUTPUT 12 | shell: bash -------------------------------------------------------------------------------- /.github/actions/generate-random-port/generate_port.sh: -------------------------------------------------------------------------------- 1 | port=$((RANDOM + 1024)) 2 | while true; 3 | do 4 | lsof -i:$port >/dev/null 5 | 6 | if [ $? -eq 1 ]; then 7 | echo $port 8 | break; 9 | else 10 | port=$((RANDOM + 1024)) 11 | echo $port 12 | fi 13 | done -------------------------------------------------------------------------------- /.github/workflows/pr_basic_compilation_check.yml: -------------------------------------------------------------------------------- 1 | name: Basic Compilation Check 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | basic_complication_check: 7 | # Run all steps in the compilation testing containers 8 | strategy: 9 | matrix: 10 | tag: [anolis8.6, ubuntu20.04] 11 | fail-fast: false 12 | 13 | container: runetest/compilation-testing:${{ matrix.tag }} 14 | 15 | runs-on: ubuntu-latest 16 | 17 | defaults: 18 | run: 19 | shell: bash 20 | working-directory: ${{ github.workspace }} 21 | 22 | steps: 23 | - name: Checkout code 24 | uses: actions/checkout@v2 25 | 26 | - name: Compile "rats-tls" host mode 27 | run: 28 | source /root/.bashrc && cmake -DBUILD_SAMPLES=on -H. -Bbuild && make -C build install && make -C build clean && rm -rf build 29 | env: 30 | HOME: /root 31 | 32 | - name: Compile "rats-tls" occlum mode 33 | run: 34 | source /root/.bashrc && cmake -DRATS_TLS_BUILD_MODE="occlum" -DBUILD_SAMPLES=on -H. -Bbuild && make -C build install && make -C build clean && rm -rf build 35 | env: 36 | HOME: /root 37 | 38 | - name: Compile "rats-tls" sgx mode 39 | run: 40 | source /root/.bashrc && cmake -DRATS_TLS_BUILD_MODE="sgx" -DBUILD_SAMPLES=on -H. -Bbuild && make -C build install && make -C build clean && rm -rf build 41 | env: 42 | HOME: /root 43 | 44 | - name: Compile "rats-tls" tdx mode 45 | run: 46 | source /root/.bashrc && cmake -DRATS_TLS_BUILD_MODE="tdx" -DBUILD_SAMPLES=on -H. -Bbuild && make -C build install && make -C build clean && rm -rf build 47 | env: 48 | HOME: /root 49 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.swp 2 | *.o 3 | *.a 4 | *.so* 5 | *_[ut].[ch] 6 | .vscode/ 7 | src/lib/.build/ 8 | build/ 9 | src/external/sgx-ssl/intel-sgx-ssl 10 | src/external/sgx-ssl/*.cmake 11 | src/external/sgx-ssl/*.sh 12 | dist/rpm/rats_tls.spec 13 | dist/deb/debian/changelog 14 | src/attesters/sev/ttrpc/src/protocols/sev/aeb.rs 15 | src/attesters/sev/ttrpc/src/protocols/sev/aeb_ttrpc.rs 16 | -------------------------------------------------------------------------------- /MAINTAINERS: -------------------------------------------------------------------------------- 1 | YangLiang 2 | wangya 3 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Root directory of the project (absolute path). 2 | ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST)))) 3 | RATS_TLS_VERSION := $(shell cat $(ROOTDIR)/VERSION) 4 | RATS_TLS_MAINTAINER := $(shell head -1 $(ROOTDIR)/MAINTAINERS) 5 | Rats_Tls_Libdir := /usr/local/lib/rats-tls 6 | Rats_Tls_Incdir := /usr/local/include/rats-tls 7 | Rats_Tls_Bindir:= /usr/share/rats-tls 8 | 9 | all: 10 | cmake -DBUILD_SAMPLES=on -H. -Bbuild 11 | make -C build 12 | 13 | clean: 14 | @make -C build clean 15 | @rm -f dist/rpm/rats_tls.spec dist/deb/debian/changelog 16 | 17 | install: 18 | cmake -DBUILD_SAMPLES=on -H. -Bbuild 19 | make -C build install 20 | 21 | uninstall: 22 | @rm -rf $(Rats_Tls_Libdir) $(Rats_Tls_Incdir) $(Rats_Tls_Bindir) 23 | 24 | package: 25 | $(MAKE) -C dist package RATS_TLS_VERSION="$(RATS_TLS_VERSION)" RATS_TLS_MAINTAINER="$(RATS_TLS_MAINTAINER)" 26 | -------------------------------------------------------------------------------- /VERSION: -------------------------------------------------------------------------------- 1 | 0.6.4 2 | -------------------------------------------------------------------------------- /cmake/CMakeUninstall.cmake.in: -------------------------------------------------------------------------------- 1 | if(NOT EXISTS "@CMAKE_BINARY_DIR@/install_manifest.txt") 2 | message(FATAL_ERROR "Cannot find install manifest: @CMAKE_BINARY_DIR@/install_manifest.txt") 3 | endif() 4 | 5 | file(READ "@CMAKE_BINARY_DIR@/install_manifest.txt" files) 6 | string(REGEX REPLACE "\n" ";" files "${files}") 7 | foreach(file ${files}) 8 | message(STATUS "Uninstalling $ENV{DESTDIR}${file}") 9 | if(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}") 10 | exec_program( 11 | "@CMAKE_COMMAND@" ARGS "-E remove \"$ENV{DESTDIR}${file}\"" 12 | OUTPUT_VARIABLE rm_out 13 | RETURN_VALUE rm_retval 14 | ) 15 | if(NOT "${rm_retval}" STREQUAL 0) 16 | message(FATAL_ERROR "Problem when removing $ENV{DESTDIR}${file}") 17 | endif() 18 | else(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}") 19 | message(STATUS "File $ENV{DESTDIR}${file} does not exist.") 20 | endif() 21 | endforeach() 22 | 23 | if(EXISTS "@RATS_TLS_INSTALL_LIB_PATH@") 24 | exec_program("rm" ARGS "-rf @RATS_TLS_INSTALL_LIB_PATH@" 25 | OUTPUT_VARIABLE rm_out 26 | RETURN_VALUE rm_retval 27 | ) 28 | if(NOT "${rm_retval}" STREQUAL 0) 29 | message(FATAL_ERROR "Problem when removing @RATS_TLS_INSTALL_LIB_PATH@") 30 | endif() 31 | endif() 32 | 33 | if(EXISTS "@RATS_TLS_INSTALL_INCLUDE_PATH@") 34 | exec_program("rm" ARGS "-rf @RATS_TLS_INSTALL_INCLUDE_PATH@" 35 | OUTPUT_VARIABLE rm_out 36 | RETURN_VALUE rm_retval 37 | ) 38 | if(NOT "${rm_retval}" STREQUAL 0) 39 | message(FATAL_ERROR "Problem when removing @RATS_TLS_INSTALL_INCLUDE_PATH@") 40 | endif() 41 | endif() 42 | 43 | -------------------------------------------------------------------------------- /cmake/CustomInstallDirs.cmake: -------------------------------------------------------------------------------- 1 | # /usr/local 2 | set(RATS_TLS_INSTALL_PATH "/usr/local") 3 | 4 | # lib/rats_tls 5 | set(RATS_TLS_INSTALL_LIB_PATH "${RATS_TLS_INSTALL_PATH}/lib/rats-tls") 6 | 7 | # rats_tls/crypto-wrappers 8 | set(RATS_TLS_INSTALL_LIBCW_PATH "${RATS_TLS_INSTALL_LIB_PATH}/crypto-wrappers") 9 | 10 | # rats_tls/attesters 11 | set(RATS_TLS_INSTALL_LIBA_PATH "${RATS_TLS_INSTALL_LIB_PATH}/attesters") 12 | 13 | # rats_tls/verifiers 14 | set(RATS_TLS_INSTALL_LIBV_PATH "${RATS_TLS_INSTALL_LIB_PATH}/verifiers") 15 | 16 | # rats_tls/tls-wrappers 17 | set(RATS_TLS_INSTALL_LIBTW_PATH "${RATS_TLS_INSTALL_LIB_PATH}/tls-wrappers") 18 | 19 | # include/rats_tls 20 | set(RATS_TLS_INSTALL_INCLUDE_PATH "${RATS_TLS_INSTALL_PATH}/include/rats-tls") 21 | 22 | # rats_tls/sample 23 | set(RATS_TLS_INSTALL_BIN_PATH "/usr/share/rats-tls/samples") 24 | 25 | # sgx sdk 26 | if(EXISTS $ENV{SGX_SDK}) 27 | set(SGXSDK_INSTALL_PATH "$ENV{SGX_SDK}") 28 | else() 29 | set(SGXSDK_INSTALL_PATH "/opt/intel/sgxsdk") 30 | endif() 31 | 32 | # sgx sdk library 33 | set(SGXSDK_INSTALL_LIB_PATH "${SGXSDK_INSTALL_PATH}/lib64") 34 | 35 | # sgx sdk include 36 | set(SGXSDK_INSTALL_INCLUDE_PATH "${SGXSDK_INSTALL_PATH}/include") 37 | -------------------------------------------------------------------------------- /cmake/FindRatsTls.cmake: -------------------------------------------------------------------------------- 1 | include(CustomInstallDirs) 2 | include(FindPackageHandleStandardArgs) 3 | 4 | set(RATS_TLS_INCLUDE_DIR ${RTLS_SRC_PATH}/src/include) 5 | 6 | # Handle the QUIETLY and REQUIRED arguments and set RATS_TLS_FOUND to TRUE if all listed variables are TRUE. 7 | find_package_handle_standard_args(RATS_TLS 8 | DEFAULT_MSG 9 | RATS_TLS_INCLUDE_DIR) 10 | 11 | if(RATS_TLS_FOUND) 12 | set(RATS_TLS_INCLUDES ${RATS_TLS_INCLUDE_DIR}) 13 | else() 14 | set(RATS_TLS_LIBRARIES) 15 | set(RATS_TLS_INCLUDES) 16 | endif() 17 | -------------------------------------------------------------------------------- /cmake/FindSGX.cmake: -------------------------------------------------------------------------------- 1 | include(FindPackageHandleStandardArgs) 2 | 3 | if(EXISTS SGX_DIR) 4 | set(SGX_PATH ${SGX_DIR}) 5 | elseif(EXISTS SGX_ROOT) 6 | set(SGX_PATH ${SGX_ROOT}) 7 | elseif(EXISTS $ENV{SGX_SDK}) 8 | set(SGX_PATH $ENV{SGX_SDK}) 9 | elseif(EXISTS $ENV{SGX_DIR}) 10 | set(SGX_PATH $ENV{SGX_DIR}) 11 | elseif(EXISTS $ENV{SGX_ROOT}) 12 | set(SGX_PATH $ENV{SGX_ROOT}) 13 | else() 14 | set(SGX_PATH "/opt/intel/sgxsdk") 15 | endif() 16 | 17 | if(CMAKE_SIZEOF_VOID_P EQUAL 4) 18 | set(SGX_COMMON_FLAGS -m32) 19 | set(SGX_LIBRARY_PATH ${SGX_PATH}/lib32) 20 | set(SGX_ENCLAVE_SIGNER ${SGX_PATH}/bin/x86/sgx_sign) 21 | set(SGX_EDGER8R ${SGX_PATH}/bin/x86/sgx_edger8r) 22 | else() 23 | set(SGX_COMMON_FLAGS -m64) 24 | set(SGX_LIBRARY_PATH ${SGX_PATH}/lib64) 25 | set(SGX_ENCLAVE_SIGNER ${SGX_PATH}/bin/x64/sgx_sign) 26 | set(SGX_EDGER8R ${SGX_PATH}/bin/x64/sgx_edger8r) 27 | endif() 28 | set(SGX_INCLUDE_PATH ${SGX_PATH}/include) 29 | 30 | # Look for the header file 31 | find_path(SGX_INCLUDE NAMES sgx.h PATHS ${SGX_INCLUDE_PATH}) 32 | 33 | # Look for the library 34 | find_library(SGX_LIBRARY_DIR NAMES sgx_urts PATHS ${SGX_LIBRARY_PATH}) 35 | 36 | # Handle the QUIETLY and REQUIRED arguments and set RATS_TLS_FOUND to TRUE if all listed variables are TRUE. 37 | find_package_handle_standard_args(SGX 38 | DEFAULT_MSG 39 | SGX_INCLUDE SGX_LIBRARY_DIR) 40 | 41 | if(SGX_FOUND) 42 | set(SGX_LIBRARY ${SGX_LIBRARY_PATH}) 43 | set(SGX_INCLUDE "${SGX_PATH}/include") 44 | set(SGX_TLIBC_INCLUDE "${SGX_INCLUDE}/tlibc") 45 | set(SGX_LIBCXX_INCLUDE "${SGX_INCLUDE}/libcxx") 46 | set(SGX_INCLUDES ${SGX_INCLUDE} ${SGX_TLIBC_INCLUDE} ${SGX_LIBCXX_INCLUDE}) 47 | else() 48 | set(SGX_LIBRARY) 49 | set(SGX_INCLUDE) 50 | set(SGX_TLIBC_INCLUDE) 51 | set(SGX_LIBCXX_INCLUDE) 52 | set(SGX_INCLUDES) 53 | endif() 54 | -------------------------------------------------------------------------------- /cmake/FindSGXSSL.cmake: -------------------------------------------------------------------------------- 1 | include(FindPackageHandleStandardArgs) 2 | 3 | set(INTEL_SGXSSL_ROOT ${RTLS_SRC_PATH}/src/external/sgx-ssl/intel-sgx-ssl) 4 | set(INTEL_SGXSSL_SRC ${INTEL_SGXSSL_ROOT}/src/intel-sgx-ssl) 5 | set(INTEL_SGXSSL_LIB ${INTEL_SGXSSL_SRC}/Linux/package/lib64) 6 | set(OPENSSL_DIR ${INTEL_SGXSSL_SRC}/openssl_source) 7 | set(INTEL_SGXSSL_LIB_PATH ${CMAKE_BINARY_DIR}/src/external/sgx-ssl/intel-sgx-ssl/src/intel-sgx-ssl/Linux/package/lib64) 8 | -------------------------------------------------------------------------------- /cmake/FindSgxDcapQuoteVerify.cmake: -------------------------------------------------------------------------------- 1 | include(FindPackageHandleStandardArgs) 2 | 3 | set(SGXDCAPQV_LIBRARY_PATH /usr/) 4 | find_library(SGXDCAPQV_LIBRARY_DIR NAMES sgx_dcap_quoteverify PATHS ${SGXDCAPQV_LIBRARY_PATH}) 5 | 6 | # Handle the QUIETLY and REQUIRED arguments and set SGXDCAPQV_FOUND to TRUE if all listed variables are TRUE. 7 | find_package_handle_standard_args(SGXDCAPQV 8 | DEFAULT_MSG 9 | SGXDCAPQV_LIBRARY_DIR) 10 | -------------------------------------------------------------------------------- /cmake/LibCBOR.cmake: -------------------------------------------------------------------------------- 1 | project(libcbor) 2 | 3 | include(ExternalProject) 4 | 5 | set(LIBCBOR_ROOT ${CMAKE_BINARY_DIR}/external/libcbor) 6 | set(LIBCBOR_SRC_PATH ${LIBCBOR_ROOT}/src/libcbor) 7 | set(LIBCBOR_LIB_PATH ${LIBCBOR_SRC_PATH}/lib) 8 | set(LIBCBOR_INC_PATH ${LIBCBOR_SRC_PATH}/include/) 9 | set(LIBCBOR_LIB_FILES ${LIBCBOR_LIB_PATH}/libcbor.a) 10 | 11 | set(LIBCBOR_URL https://github.com/PJK/libcbor.git) 12 | 13 | set(LIBCBOR_CONFIGURE cd ${LIBCBOR_SRC_PATH} && cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_LIBDIR=lib -DCMAKE_INSTALL_PREFIX=${LIBCBOR_SRC_PATH} -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DCBOR_PRETTY_PRINTER=OFF -DWITH_EXAMPLES=OFF .) 14 | set(LIBCBOR_MAKE cd ${LIBCBOR_SRC_PATH} && make) 15 | set(LIBCBOR_INSTALL cd ${LIBCBOR_SRC_PATH} && make install) 16 | 17 | ExternalProject_Add(${PROJECT_NAME} 18 | GIT_REPOSITORY ${LIBCBOR_URL} 19 | GIT_TAG e87d5714e69214f187db225f23985aea51c52d28 20 | PREFIX ${LIBCBOR_ROOT} 21 | CONFIGURE_COMMAND ${LIBCBOR_CONFIGURE} 22 | BUILD_COMMAND ${LIBCBOR_MAKE} 23 | INSTALL_COMMAND ${LIBCBOR_INSTALL} 24 | ) 25 | -------------------------------------------------------------------------------- /dist/deb/debian/changelog.in: -------------------------------------------------------------------------------- 1 | rats-tls (0.6.2-1) unstable; urgency=low 2 | 3 | * update to version 0.6.2. 4 | 5 | -- Liang Yang Wed, 30 Jun 2021 14:30:55 +0000 6 | 7 | rats-tls (0.6.1-1) unstable; urgency=low 8 | 9 | * Package Init. 10 | 11 | -- Shirong Hao Tue, 27 Apr 2021 16:35:55 +0000 12 | -------------------------------------------------------------------------------- /dist/deb/debian/compat: -------------------------------------------------------------------------------- 1 | 9 2 | -------------------------------------------------------------------------------- /dist/deb/debian/control.in: -------------------------------------------------------------------------------- 1 | Source: rats-tls 2 | Section: devel 3 | Priority: extra 4 | Maintainer: shirong 5 | Build-Depends: debhelper (>=9), cmake, git, make, autoconf, libtool, gcc, g++, libsgx-dcap-quote-verify-dev, libsgx-dcap-ql-dev, libsgx-uae-service 6 | Standards-Version: 3.9.8 7 | Homepage: https://github.com/alibaba/inclavare-containers 8 | 9 | Package: rats-tls 10 | Architecture: amd64 11 | Depends: ${misc:Depends}, ${shlibs:Depends} 12 | Description: rats-tls is a protocol to establish secure and trusted channel by integrating enclave attestation with transport layer security. 13 | -------------------------------------------------------------------------------- /dist/deb/debian/rules.in: -------------------------------------------------------------------------------- 1 | #!/usr/bin/make -f 2 | BUILD_ROOT := $(CURDIR)/debian/rats-tls-host 3 | 4 | %: 5 | dh $@ 6 | 7 | override_dh_auto_clean: 8 | 9 | override_dh_strip: 10 | dh_strip --exclude=rats-tls-server --exclude=rats-tls-client --exclude=librats_tls.so* --exclude=libtls_wrapper*.so* --exclude=libcrypto_wrapper*.so* --exclude=libattester*.so* --exclude=libverifier*.so* 11 | 12 | override_dh_auto_build: 13 | cmake -DBUILD_SAMPLES=on -H. -Bbuild 14 | 15 | override_dh_auto_install: 16 | make -C build DESTDIR=$(BUILD_ROOT) install 17 | 18 | override_dh_usrlocal: 19 | -------------------------------------------------------------------------------- /dist/deb/debian/source/format: -------------------------------------------------------------------------------- 1 | 3.0 (quilt) 2 | -------------------------------------------------------------------------------- /dist/rpm/rats-tls-filelist: -------------------------------------------------------------------------------- 1 | /usr/share/rats-tls/samples/rats-tls-server 2 | /usr/share/rats-tls/samples/rats-tls-client 3 | /usr/local/include/rats-tls/*.h 4 | /usr/local/lib/rats-tls/librats_tls.so* 5 | /usr/local/lib/rats-tls/tls-wrappers/libtls_wrapper*.so* 6 | /usr/local/lib/rats-tls/crypto-wrappers/libcrypto_wrapper*.so* 7 | /usr/local/lib/rats-tls/attesters/libattester*.so* 8 | /usr/local/lib/rats-tls/verifiers/libverifier*.so* 9 | -------------------------------------------------------------------------------- /dist/rpm/rats-tls-sgx-filelist: -------------------------------------------------------------------------------- 1 | /usr/share/rats-tls/samples/rats-tls-server 2 | /usr/share/rats-tls/samples/rats-tls-client 3 | /usr/share/rats-tls/samples/sgx_stub_enclave.signed.so 4 | /usr/local/include/rats-tls/*.h 5 | /usr/local/lib/rats-tls/librats_tls.a 6 | /usr/local/lib/rats-tls/librtls_edl_t.a 7 | /usr/local/lib/rats-tls/librats_tls_u.a 8 | /usr/local/lib/rats-tls/tls-wrappers/libtls_wrapper*.a 9 | /usr/local/lib/rats-tls/crypto-wrappers/libcrypto_wrapper*.a 10 | /usr/local/lib/rats-tls/attesters/libattester*.a 11 | /usr/local/lib/rats-tls/verifiers/libverifier*.a 12 | -------------------------------------------------------------------------------- /docs/design/architecture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/inclavare-containers/rats-tls/6675532f41bf0507bcb91d2b88ddb174de90f61d/docs/design/architecture.png -------------------------------------------------------------------------------- /docs/design/initialization.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/inclavare-containers/rats-tls/6675532f41bf0507bcb91d2b88ddb174de90f61d/docs/design/initialization.png -------------------------------------------------------------------------------- /docs/design/mutual_attestation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/inclavare-containers/rats-tls/6675532f41bf0507bcb91d2b88ddb174de90f61d/docs/design/mutual_attestation.png -------------------------------------------------------------------------------- /docs/design/rats_tls_cleanup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/inclavare-containers/rats-tls/6675532f41bf0507bcb91d2b88ddb174de90f61d/docs/design/rats_tls_cleanup.png -------------------------------------------------------------------------------- /docs/design/rats_tls_init.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/inclavare-containers/rats-tls/6675532f41bf0507bcb91d2b88ddb174de90f61d/docs/design/rats_tls_init.png -------------------------------------------------------------------------------- /docs/design/rats_tls_negotiate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/inclavare-containers/rats-tls/6675532f41bf0507bcb91d2b88ddb174de90f61d/docs/design/rats_tls_negotiate.png -------------------------------------------------------------------------------- /docs/design/rats_tls_transmite.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/inclavare-containers/rats-tls/6675532f41bf0507bcb91d2b88ddb174de90f61d/docs/design/rats_tls_transmite.png -------------------------------------------------------------------------------- /docs/design/x509.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/inclavare-containers/rats-tls/6675532f41bf0507bcb91d2b88ddb174de90f61d/docs/design/x509.png -------------------------------------------------------------------------------- /fuzz/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_subdirectory(tls_init) 2 | add_subdirectory(tls_negotiate) 3 | add_subdirectory(tls_server) 4 | add_subdirectory(tls_transmit) -------------------------------------------------------------------------------- /fuzz/tls_init/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | project(fuzz_init CXX) 2 | 3 | set(CMAKE_C_FLAGS ${CMAKE_C_FLAGS}) 4 | set(CMAKE_CXX_COMPILER "/usr/bin/clang++") 5 | set(CMAKE_CXX_FLAGS "-fsanitize=address,fuzzer -g ${CMAKE_CXX_FLAGS}") 6 | set(CMAKE_CXX_FLAGS "-fPIE ${CMAKE_CXX_FLAGS}") 7 | set(RATS_TLS_INSTALL_FUZZ_PATH /usr/share/rats-tls/fuzz) 8 | 9 | set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include 10 | ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl 11 | ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls 12 | ${RATS_TLS_INSTALL_INCLUDE_PATH} 13 | ${RATS_TLS_INSTALL_INCLUDE_PATH}/edl 14 | ) 15 | set(LIBRARY_DIRS ${RATS_TLS_INSTALL_LIB_PATH}) 16 | 17 | include_directories(${INCLUDE_DIRS}) 18 | link_directories(${LIBRARY_DIRS}) 19 | 20 | # Set source file 21 | set(SOURCES fuzz_init.cc) 22 | 23 | # Generate bin file 24 | add_executable(${PROJECT_NAME} ${SOURCES}) 25 | target_link_libraries(${PROJECT_NAME} rats_tls) 26 | 27 | install(TARGETS ${PROJECT_NAME} 28 | DESTINATION ${RATS_TLS_INSTALL_FUZZ_PATH}) 29 | -------------------------------------------------------------------------------- /fuzz/tls_negotiate/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | project(fuzz_negotiate CXX) 2 | 3 | set(CMAKE_C_FLAGS ${CMAKE_C_FLAGS}) 4 | set(CMAKE_CXX_COMPILER "/usr/bin/clang++") 5 | set(CMAKE_CXX_FLAGS "-fsanitize=address,fuzzer -g ${CMAKE_CXX_FLAGS}") 6 | if(NOT SGX) 7 | set(CMAKE_CXX_FLAGS "-fPIE ${CMAKE_CXX_FLAGS}") 8 | endif() 9 | 10 | set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include 11 | ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls 12 | ${RATS_TLS_INSTALL_INCLUDE_PATH} 13 | ) 14 | set(LIBRARY_DIRS ${RATS_TLS_INSTALL_LIB_PATH}) 15 | set(RATS_TLS_INSTALL_FUZZ_PATH /usr/share/rats-tls/fuzz) 16 | 17 | include_directories(${INCLUDE_DIRS}) 18 | link_directories(${LIBRARY_DIRS}) 19 | 20 | # Set source file 21 | set(SOURCES fuzz_negotiate.cc) 22 | 23 | # Generate bin file 24 | add_executable(${PROJECT_NAME} ${SOURCES}) 25 | target_link_libraries(${PROJECT_NAME} rats_tls) 26 | 27 | install(TARGETS ${PROJECT_NAME} 28 | DESTINATION ${RATS_TLS_INSTALL_FUZZ_PATH}) 29 | 30 | -------------------------------------------------------------------------------- /fuzz/tls_server/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | project(fuzz_server CXX) 2 | 3 | set(CMAKE_C_FLAGS ${CMAKE_C_FLAGS}) 4 | set(CMAKE_CXX_COMPILER "/usr/bin/clang++") 5 | set(CMAKE_CXX_FLAGS "-g ${CMAKE_CXX_FLAGS}") 6 | 7 | set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include 8 | ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls 9 | ${RATS_TLS_INSTALL_INCLUDE_PATH} 10 | ) 11 | set(LIBRARY_DIRS ${RATS_TLS_INSTALL_LIB_PATH}) 12 | set(RATS_TLS_INSTALL_FUZZ_PATH /usr/share/rats-tls/fuzz) 13 | 14 | include_directories(${INCLUDE_DIRS}) 15 | link_directories(${LIBRARY_DIRS}) 16 | 17 | # Set source file 18 | set(SOURCES fuzz_server.cc) 19 | 20 | # Generate bin file 21 | add_executable(${PROJECT_NAME} ${SOURCES}) 22 | target_link_libraries(${PROJECT_NAME} rats_tls) 23 | 24 | install(TARGETS ${PROJECT_NAME} 25 | DESTINATION ${RATS_TLS_INSTALL_FUZZ_PATH}) 26 | 27 | -------------------------------------------------------------------------------- /fuzz/tls_transmit/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | project(fuzz_transmit CXX) 2 | 3 | set(CMAKE_C_FLAGS ${CMAKE_C_FLAGS}) 4 | set(CMAKE_CXX_COMPILER "/usr/bin/clang++") 5 | set(CMAKE_CXX_FLAGS "-fsanitize=address,fuzzer -g -fPIE ${CMAKE_CXX_FLAGS}") 6 | 7 | set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include 8 | ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls 9 | ${RATS_TLS_INSTALL_INCLUDE_PATH} 10 | ) 11 | set(LIBRARY_DIRS ${RATS_TLS_INSTALL_LIB_PATH}) 12 | set(RATS_TLS_INSTALL_FUZZ_PATH /usr/share/rats-tls/fuzz) 13 | 14 | include_directories(${INCLUDE_DIRS}) 15 | link_directories(${LIBRARY_DIRS}) 16 | 17 | # Set source file 18 | set(SOURCES fuzz_transmit.cc) 19 | 20 | # Generate bin file 21 | add_executable(${PROJECT_NAME} ${SOURCES}) 22 | target_link_libraries(${PROJECT_NAME} rats_tls) 23 | 24 | install(TARGETS ${PROJECT_NAME} 25 | DESTINATION ${RATS_TLS_INSTALL_FUZZ_PATH}) 26 | 27 | -------------------------------------------------------------------------------- /hacks/README.md: -------------------------------------------------------------------------------- 1 | This certificate is the sample file of rats-tls extension certificate. Please type `openssl asn1parse -in $sample_rats_tls_cert -i -dump` command to dump the contents of the certificate, where $sample_rats_tls_cert: 2 | - rats-tls-cert-sample.pem: generated by the tls wrapper instance wolfssl and the crypto wrapper instance wolfcrypt 3 | - rats-tls-cert-openssl-sample.pem: generated by the tls wrapper instance openssl and the crypto wrapper instance openssl 4 | -------------------------------------------------------------------------------- /samples/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_subdirectory(rats-tls-client) 2 | add_subdirectory(rats-tls-server) 3 | if(SGX) 4 | add_subdirectory(sgx-stub-enclave) 5 | endif() 6 | -------------------------------------------------------------------------------- /samples/sgx-stub-enclave/sgx_stub.edl: -------------------------------------------------------------------------------- 1 | enclave { 2 | include "rats-tls/api.h" 3 | include "internal/core.h" 4 | include "sgx_eid.h" 5 | 6 | from "../../src/include/edl/rtls.edl" import *; 7 | from "sgx_tsgxssl.edl" import *; 8 | 9 | trusted { 10 | public int ecall_rtls_server_startup(rats_tls_log_level_t log_level, 11 | [in, string] char *attester_type, 12 | [in, string] char *verifier_type, 13 | [in, string] char *tls_type, 14 | [in, string] char *crypto_type, 15 | unsigned long flags, 16 | uint32_t s_ip, 17 | uint16_t s_port); 18 | public int ecall_rtls_client_startup(rats_tls_log_level_t log_level, 19 | [in, string] char *attester_type, 20 | [in, string] char *verifier_type, 21 | [in, string] char *tls_type, 22 | [in, string] char *crypto_type, 23 | unsigned long flags, 24 | uint32_t s_ip, 25 | uint16_t s_port, 26 | bool verdictd); 27 | }; 28 | }; 29 | -------------------------------------------------------------------------------- /samples/sgx-stub-enclave/sgx_stub_enclave.lds: -------------------------------------------------------------------------------- 1 | { 2 | global: 3 | g_global_data_sim; 4 | g_global_data; 5 | local: 6 | *; 7 | }; 8 | -------------------------------------------------------------------------------- /samples/sgx-stub-enclave/sgx_stub_enclave.xml: -------------------------------------------------------------------------------- 1 | 2 | 0 3 | 0 4 | 0x400000 5 | 0x1000000 6 | 10 7 | 1 8 | 0 9 | 10 | -------------------------------------------------------------------------------- /src/api/rats_tls_callback.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include "internal/core.h" 9 | 10 | rats_tls_err_t rats_tls_set_verification_callback(rats_tls_handle *handle, rats_tls_callback_t cb) 11 | { 12 | RTLS_DEBUG("set user verification callback handle: %p, cb %p\n", handle, cb); 13 | 14 | (*handle)->user_callback = cb; 15 | 16 | return RATS_TLS_ERR_NONE; 17 | } 18 | -------------------------------------------------------------------------------- /src/api/rats_tls_cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #include "internal/core.h" 13 | #include "internal/attester.h" 14 | #include "internal/verifier.h" 15 | #include "internal/tls_wrapper.h" 16 | 17 | rats_tls_err_t rats_tls_cleanup(rats_tls_handle handle) 18 | { 19 | rtls_core_context_t *ctx = (rtls_core_context_t *)handle; 20 | 21 | RTLS_DEBUG("handle %p\n", ctx); 22 | 23 | if (!handle || !handle->tls_wrapper || !handle->tls_wrapper->opts || 24 | !handle->tls_wrapper->opts->cleanup || !handle->attester || !handle->attester->opts || 25 | !handle->attester->opts->cleanup || !handle->verifier || !handle->verifier->opts || 26 | !handle->verifier->opts->cleanup) 27 | return -RATS_TLS_ERR_INVALID; 28 | 29 | if (ctx->config.custom_claims) { 30 | free_claims_list(ctx->config.custom_claims, ctx->config.custom_claims_length); 31 | } 32 | 33 | tls_wrapper_err_t err = handle->tls_wrapper->opts->cleanup(handle->tls_wrapper); 34 | if (err != TLS_WRAPPER_ERR_NONE) { 35 | RTLS_DEBUG("failed to clean up tls wrapper %#x\n", err); 36 | return err; 37 | } 38 | 39 | enclave_attester_err_t err_ea = handle->attester->opts->cleanup(handle->attester); 40 | if (err_ea != ENCLAVE_ATTESTER_ERR_NONE) { 41 | RTLS_DEBUG("failed to clean up attester %#x\n", err_ea); 42 | return -RATS_TLS_ERR_INVALID; 43 | } 44 | 45 | enclave_verifier_err_t err_ev = handle->verifier->opts->cleanup(handle->verifier); 46 | if (err_ev != ENCLAVE_VERIFIER_ERR_NONE) { 47 | RTLS_DEBUG("failed to clean up verifier %#x\n", err_ev); 48 | return -RATS_TLS_ERR_INVALID; 49 | } 50 | 51 | free(ctx); 52 | 53 | return RATS_TLS_ERR_NONE; 54 | } 55 | -------------------------------------------------------------------------------- /src/api/rats_tls_negotiate.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include "internal/core.h" 10 | 11 | rats_tls_err_t rats_tls_negotiate(rats_tls_handle handle, int fd) 12 | { 13 | rtls_core_context_t *ctx = (rtls_core_context_t *)handle; 14 | 15 | RTLS_DEBUG("handle %p, fd %d\n", ctx, fd); 16 | 17 | if (!ctx || !ctx->tls_wrapper || !ctx->tls_wrapper->opts || 18 | !ctx->tls_wrapper->opts->negotiate || fd < 0) 19 | return -RATS_TLS_ERR_INVALID; 20 | 21 | tls_wrapper_err_t t_err = ctx->tls_wrapper->opts->negotiate(ctx->tls_wrapper, fd); 22 | if (t_err != TLS_WRAPPER_ERR_NONE) 23 | return t_err; 24 | 25 | ctx->tls_wrapper->fd = fd; 26 | 27 | return RATS_TLS_ERR_NONE; 28 | } 29 | -------------------------------------------------------------------------------- /src/api/rats_tls_receive.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | #include "internal/core.h" 11 | 12 | rats_tls_err_t rats_tls_receive(rats_tls_handle handle, void *buf, size_t *buf_size) 13 | { 14 | rtls_core_context_t *ctx = (rtls_core_context_t *)handle; 15 | 16 | RTLS_DEBUG("handle %p, buf %p, buf_size %p (%zu-byte)\n", ctx, buf, buf_size, *buf_size); 17 | 18 | if (!handle || !handle->tls_wrapper || !handle->tls_wrapper->opts || 19 | !handle->tls_wrapper->opts->receive || !buf || !buf_size) 20 | return -RATS_TLS_ERR_INVALID; 21 | 22 | tls_wrapper_err_t err = 23 | handle->tls_wrapper->opts->receive(handle->tls_wrapper, buf, buf_size); 24 | if (err != TLS_WRAPPER_ERR_NONE) 25 | return -RATS_TLS_ERR_INVALID; 26 | 27 | return RATS_TLS_ERR_NONE; 28 | } 29 | -------------------------------------------------------------------------------- /src/api/rats_tls_transmit.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | #include "internal/core.h" 11 | 12 | rats_tls_err_t rats_tls_transmit(rats_tls_handle handle, void *buf, size_t *buf_size) 13 | { 14 | rtls_core_context_t *ctx = (rtls_core_context_t *)handle; 15 | 16 | RTLS_DEBUG("handle %p, buf %p, buf_size %p (%zu-byte)\n", ctx, buf, buf_size, *buf_size); 17 | 18 | if (!handle || !handle->tls_wrapper || !handle->tls_wrapper->opts || 19 | !handle->tls_wrapper->opts->transmit || !buf || !buf_size) 20 | return -RATS_TLS_ERR_INVALID; 21 | 22 | tls_wrapper_err_t err = 23 | handle->tls_wrapper->opts->transmit(handle->tls_wrapper, buf, buf_size); 24 | if (err != TLS_WRAPPER_ERR_NONE) 25 | return -RATS_TLS_ERR_INVALID; 26 | 27 | return RATS_TLS_ERR_NONE; 28 | } 29 | -------------------------------------------------------------------------------- /src/attesters/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_subdirectory(nullattester) 2 | 3 | if(HOST) 4 | add_subdirectory(sev) 5 | if(EXISTS "/usr/include/linux/sev-guest.h") 6 | add_subdirectory(sev-snp) 7 | endif() 8 | add_subdirectory(csv) 9 | endif() 10 | 11 | if(TDX) 12 | add_subdirectory(tdx-ecdsa) 13 | endif() 14 | 15 | if(OCCLUM OR SGX) 16 | add_subdirectory(sgx-ecdsa) 17 | endif() 18 | 19 | if(SGX) 20 | add_subdirectory(sgx-la) 21 | endif() 22 | -------------------------------------------------------------------------------- /src/attesters/csv/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(attester_csv) 3 | 4 | # Set include directory 5 | set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../include 6 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/rats-tls 7 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/internal 8 | ) 9 | include_directories(${INCLUDE_DIRS}) 10 | 11 | # Set dependency library directory 12 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 13 | ${RATS_TLS_INSTALL_LIB_PATH} 14 | ) 15 | link_directories(${LIBRARY_DIRS}) 16 | 17 | # Set source file 18 | set(SOURCES cleanup.c 19 | collect_evidence.c 20 | csv_utils.c 21 | init.c 22 | main.c 23 | pre_init.c 24 | ) 25 | 26 | # Generate library 27 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 28 | target_link_libraries(${PROJECT_NAME} ${RATS_TLS_LDFLAGS} ${RTLS_LIB} crypto curl) 29 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 30 | 31 | # Install library 32 | install(TARGETS ${PROJECT_NAME} 33 | DESTINATION ${RATS_TLS_INSTALL_LIBA_PATH}) 34 | -------------------------------------------------------------------------------- /src/attesters/csv/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Hygon Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t csv_attester_cleanup(enclave_attester_ctx_t *ctx) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_ATTESTER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/attesters/csv/csv_utils.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Hygon Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | void gen_random_bytes(void *buf, size_t len) 13 | { 14 | uint32_t i; 15 | uint8_t *buf_byte = (uint8_t *)buf; 16 | 17 | for (i = 0; i < len; i++) 18 | buf_byte[i] = rand() & 0xFF; 19 | } 20 | 21 | int sm3_hash(const unsigned char *data, size_t len, unsigned char *hash, size_t expected_hash_len) 22 | { 23 | EVP_MD_CTX *evp_md_ctx = EVP_MD_CTX_new(); 24 | const EVP_MD *evp_md = EVP_sm3(); 25 | int sm3_out_size = 0; 26 | int ret = -1; 27 | 28 | if (evp_md_ctx == NULL) 29 | return ret; 30 | 31 | if (!EVP_DigestInit_ex(evp_md_ctx, evp_md, NULL)) 32 | goto err_free_md_ctx; 33 | 34 | if (!EVP_DigestUpdate(evp_md_ctx, data, len)) 35 | goto err_free_md_ctx; 36 | 37 | if (!EVP_DigestFinal_ex(evp_md_ctx, hash, &sm3_out_size)) 38 | goto err_free_md_ctx; 39 | 40 | if (sm3_out_size != expected_hash_len) 41 | goto err_free_md_ctx; 42 | 43 | ret = 0; 44 | 45 | err_free_md_ctx: 46 | EVP_MD_CTX_free(evp_md_ctx); 47 | 48 | return ret; 49 | } 50 | 51 | int sm3_hmac(const char *key, size_t key_len, const unsigned char *data, size_t data_len, 52 | unsigned char *hmac, size_t expected_hmac_len) 53 | { 54 | HMAC_CTX *hmac_ctx = HMAC_CTX_new(); 55 | const EVP_MD *evp_md = EVP_sm3(); 56 | int sm3_hmac_out_size = 0; 57 | int ret = -1; 58 | 59 | if (hmac_ctx == NULL) 60 | return ret; 61 | 62 | if (!HMAC_Init_ex(hmac_ctx, key, key_len, evp_md, NULL)) 63 | goto err_free_hmac_ctx; 64 | 65 | if (!HMAC_Update(hmac_ctx, data, data_len)) 66 | goto err_free_hmac_ctx; 67 | 68 | if (!HMAC_Final(hmac_ctx, hmac, &sm3_hmac_out_size)) 69 | goto err_free_hmac_ctx; 70 | 71 | if (sm3_hmac_out_size != expected_hmac_len) 72 | goto err_free_hmac_ctx; 73 | 74 | ret = 0; 75 | 76 | err_free_hmac_ctx: 77 | HMAC_CTX_free(hmac_ctx); 78 | 79 | return ret; 80 | } 81 | -------------------------------------------------------------------------------- /src/attesters/csv/csv_utils.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Hygon Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | 9 | void gen_random_bytes(void *buf, size_t len); 10 | int sm3_hash(const unsigned char *data, size_t len, unsigned char *hash, size_t expected_hash_len); 11 | int sm3_hmac(const char *key, size_t key_len, const unsigned char *data, size_t data_len, 12 | unsigned char *hmac, size_t expected_hmac_len); 13 | -------------------------------------------------------------------------------- /src/attesters/csv/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Hygon Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | static unsigned int dummy_private; 11 | 12 | enclave_attester_err_t csv_attester_init(enclave_attester_ctx_t *ctx, rats_tls_cert_algo_t algo) 13 | { 14 | RTLS_DEBUG("ctx %p, algo %d\n", ctx, algo); 15 | 16 | ctx->attester_private = &dummy_private; 17 | 18 | return ENCLAVE_ATTESTER_ERR_NONE; 19 | } 20 | -------------------------------------------------------------------------------- /src/attesters/csv/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Hygon Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | extern enclave_attester_err_t enclave_attester_register(enclave_attester_opts_t *opts); 12 | extern enclave_attester_err_t csv_attester_pre_init(void); 13 | extern enclave_attester_err_t csv_attester_init(enclave_attester_ctx_t *ctx, 14 | rats_tls_cert_algo_t algo); 15 | extern enclave_attester_err_t csv_collect_evidence(enclave_attester_ctx_t *ctx, 16 | attestation_evidence_t *evidence, 17 | rats_tls_cert_algo_t algo, uint8_t *hash, 18 | uint32_t hash_len); 19 | extern enclave_attester_err_t csv_attester_cleanup(enclave_attester_ctx_t *ctx); 20 | 21 | static enclave_attester_opts_t csv_attester_opts = { 22 | .api_version = ENCLAVE_ATTESTER_API_VERSION_DEFAULT, 23 | .flags = ENCLAVE_ATTESTER_OPTS_FLAGS_CSV_GUEST, 24 | .name = "csv", 25 | .priority = 20, 26 | .pre_init = csv_attester_pre_init, 27 | .init = csv_attester_init, 28 | .collect_evidence = csv_collect_evidence, 29 | .cleanup = csv_attester_cleanup, 30 | }; 31 | 32 | void __attribute__((constructor)) libattester_csv_init(void) 33 | { 34 | RTLS_DEBUG("called\n"); 35 | 36 | enclave_attester_err_t err = enclave_attester_register(&csv_attester_opts); 37 | if (err != ENCLAVE_ATTESTER_ERR_NONE) 38 | RTLS_DEBUG("failed to register the enclave register 'csv' %#x\n", err); 39 | } 40 | -------------------------------------------------------------------------------- /src/attesters/csv/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Hygon Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t csv_attester_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | if (!system("wget -V >/dev/null 2>&1")) 15 | return ENCLAVE_ATTESTER_ERR_NONE; 16 | 17 | RTLS_ERR("Please install wget for csv attester\n"); 18 | 19 | return -ENCLAVE_ATTESTER_ERR_NO_TOOL; 20 | } 21 | -------------------------------------------------------------------------------- /src/attesters/internal/enclave_attester.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include "internal/attester.h" 8 | 9 | enclave_attester_opts_t *enclave_attesters_opts[ENCLAVE_ATTESTER_TYPE_MAX]; 10 | unsigned int registerd_enclave_attester_nums; 11 | 12 | enclave_attester_ctx_t *enclave_attesters_ctx[ENCLAVE_ATTESTER_TYPE_MAX]; 13 | unsigned int enclave_attester_nums; 14 | -------------------------------------------------------------------------------- /src/attesters/nullattester/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(attester_nullattester) 3 | 4 | include_directories(${INCLUDE_DIRS}) 5 | 6 | # Set dependency library directory 7 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 8 | ${RATS_TLS_INSTALL_LIB_PATH} 9 | ) 10 | link_directories(${LIBRARY_DIRS}) 11 | 12 | # Set source file 13 | set(SOURCES cleanup.c 14 | collect_evidence.c 15 | collect_endorsements.c 16 | init.c 17 | main.c 18 | pre_init.c 19 | ) 20 | 21 | # Generate library 22 | if(SGX) 23 | add_trusted_library(${PROJECT_NAME} SRCS ${SOURCES}) 24 | else() 25 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 26 | target_link_libraries(${PROJECT_NAME} ${RATS_TLS_LDFLAGS} ${RTLS_LIB}) 27 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 28 | endif() 29 | 30 | # Install library 31 | install(TARGETS ${PROJECT_NAME} 32 | DESTINATION ${RATS_TLS_INSTALL_LIBA_PATH}) 33 | -------------------------------------------------------------------------------- /src/attesters/nullattester/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t nullattester_cleanup(__attribute__((unused)) enclave_attester_ctx_t *ctx) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_ATTESTER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/attesters/nullattester/collect_endorsements.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t nullattester_collect_endorsements(enclave_attester_ctx_t *ctx, 11 | attestation_evidence_t *evidence, 12 | attestation_endorsement_t *endorsements) 13 | { 14 | RTLS_DEBUG("ctx %p, evidence %p, endorsements %p\n", ctx, evidence, endorsements); 15 | 16 | return ENCLAVE_ATTESTER_ERR_NONE; 17 | } 18 | -------------------------------------------------------------------------------- /src/attesters/nullattester/collect_evidence.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t nullattester_collect_evidence(enclave_attester_ctx_t *ctx, 11 | attestation_evidence_t *evidence, 12 | rats_tls_cert_algo_t algo, uint8_t *hash, 13 | __attribute__((unused)) uint32_t hash_len) 14 | { 15 | RTLS_DEBUG("ctx %p, evidence %p, algo %d, hash %p\n", ctx, evidence, algo, hash); 16 | 17 | return ENCLAVE_ATTESTER_ERR_NONE; 18 | } 19 | -------------------------------------------------------------------------------- /src/attesters/nullattester/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | static unsigned int dummy_private; 11 | 12 | enclave_attester_err_t nullattester_init(enclave_attester_ctx_t *ctx, rats_tls_cert_algo_t algo) 13 | { 14 | RTLS_DEBUG("ctx %p, algo %d\n", ctx, algo); 15 | 16 | ctx->attester_private = &dummy_private; 17 | 18 | return ENCLAVE_ATTESTER_ERR_NONE; 19 | } 20 | -------------------------------------------------------------------------------- /src/attesters/nullattester/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | extern enclave_attester_err_t enclave_attester_register(enclave_attester_opts_t *); 12 | extern enclave_attester_err_t nullattester_pre_init(void); 13 | extern enclave_attester_err_t nullattester_init(enclave_attester_ctx_t *, 14 | rats_tls_cert_algo_t algo); 15 | //extern enclave_attester_err_t nullattester_extend_cert(enclave_attester_ctx_t *ctx, 16 | // const rats_tls_cert_info_t *cert_info); 17 | extern enclave_attester_err_t nullattester_collect_evidence(enclave_attester_ctx_t *, 18 | attestation_evidence_t *, 19 | rats_tls_cert_algo_t algo, uint8_t *, 20 | uint32_t hash_len); 21 | extern enclave_attester_err_t 22 | nullattester_collect_endorsements(enclave_attester_ctx_t *ctx, attestation_evidence_t *evidence, 23 | attestation_endorsement_t *endorsements); 24 | extern enclave_attester_err_t nullattester_cleanup(enclave_attester_ctx_t *); 25 | 26 | static enclave_attester_opts_t nullattester_opts = { 27 | .api_version = ENCLAVE_ATTESTER_API_VERSION_DEFAULT, 28 | .flags = ENCLAVE_ATTESTER_FLAGS_DEFAULT, 29 | .name = "nullattester", 30 | .priority = 0, 31 | .pre_init = nullattester_pre_init, 32 | .init = nullattester_init, 33 | //.extend_cert = nullattester_extend_cert, 34 | .collect_evidence = nullattester_collect_evidence, 35 | .collect_endorsements = nullattester_collect_endorsements, 36 | .cleanup = nullattester_cleanup, 37 | }; 38 | 39 | #ifdef SGX 40 | void libattester_null_init(void) 41 | #else 42 | void __attribute__((constructor)) libattester_null_init(void) 43 | #endif 44 | { 45 | RTLS_DEBUG("called\n"); 46 | 47 | enclave_attester_err_t err = enclave_attester_register(&nullattester_opts); 48 | if (err != ENCLAVE_ATTESTER_ERR_NONE) 49 | RTLS_ERR("failed to register the enclave attester 'nullattester' %#x\n", err); 50 | } 51 | -------------------------------------------------------------------------------- /src/attesters/nullattester/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t nullattester_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_ATTESTER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/attesters/sev-snp/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(attester_sev_snp) 3 | 4 | # Set include directory 5 | set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../include 6 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/rats-tls 7 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/internal 8 | ${CMAKE_CURRENT_SOURCE_DIR} 9 | /usr/include 10 | ) 11 | include_directories(${INCLUDE_DIRS}) 12 | 13 | # Set dependency library directory 14 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 15 | ${RATS_TLS_INSTALL_LIB_PATH} 16 | ) 17 | 18 | link_directories(${LIBRARY_DIRS}) 19 | 20 | # Set source file 21 | set(SOURCES cleanup.c 22 | collect_evidence.c 23 | init.c 24 | main.c 25 | pre_init.c 26 | ) 27 | 28 | # Generate library 29 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 30 | target_link_libraries(${PROJECT_NAME} ${RATS_TLS_LDFLAGS} ${RTLS_LIB}) 31 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 32 | # Install library 33 | install(TARGETS ${PROJECT_NAME} 34 | DESTINATION ${RATS_TLS_INSTALL_LIBA_PATH}) 35 | -------------------------------------------------------------------------------- /src/attesters/sev-snp/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t sev_snp_attester_cleanup(enclave_attester_ctx_t *ctx) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_ATTESTER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/attesters/sev-snp/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | static unsigned int dummy_private; 11 | 12 | enclave_attester_err_t sev_snp_attester_init(enclave_attester_ctx_t *ctx, rats_tls_cert_algo_t algo) 13 | { 14 | RTLS_DEBUG("ctx %p, algo %d\n", ctx, algo); 15 | 16 | ctx->attester_private = &dummy_private; 17 | 18 | return ENCLAVE_ATTESTER_ERR_NONE; 19 | } 20 | -------------------------------------------------------------------------------- /src/attesters/sev-snp/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | extern enclave_attester_err_t enclave_attester_register(enclave_attester_opts_t *opts); 12 | extern enclave_attester_err_t sev_snp_attester_pre_init(void); 13 | extern enclave_attester_err_t sev_snp_attester_init(enclave_attester_ctx_t *ctx, 14 | rats_tls_cert_algo_t algo); 15 | extern enclave_attester_err_t sev_snp_collect_evidence(enclave_attester_ctx_t *ctx, 16 | attestation_evidence_t *evidence, 17 | rats_tls_cert_algo_t algo, uint8_t *hash, 18 | uint32_t hash_len); 19 | extern enclave_attester_err_t sev_snp_attester_cleanup(enclave_attester_ctx_t *ctx); 20 | 21 | static enclave_attester_opts_t sev_snp_attester_opts = { 22 | .api_version = ENCLAVE_ATTESTER_API_VERSION_DEFAULT, 23 | .flags = ENCLAVE_ATTESTER_OPTS_FLAGS_SNP_GUEST, 24 | .name = "sev_snp", 25 | .priority = 42, 26 | .pre_init = sev_snp_attester_pre_init, 27 | .init = sev_snp_attester_init, 28 | .collect_evidence = sev_snp_collect_evidence, 29 | .cleanup = sev_snp_attester_cleanup, 30 | }; 31 | 32 | void __attribute__((constructor)) libattester_sev_snp_init(void) 33 | { 34 | RTLS_DEBUG("called\n"); 35 | 36 | enclave_attester_err_t err = enclave_attester_register(&sev_snp_attester_opts); 37 | if (err != ENCLAVE_ATTESTER_ERR_NONE) 38 | RTLS_DEBUG("failed to register the enclave attester 'sev_snp' %#x\n", err); 39 | } 40 | -------------------------------------------------------------------------------- /src/attesters/sev-snp/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t sev_snp_attester_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_ATTESTER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/attesters/sev/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(attester_sev) 3 | 4 | # Set include directory 5 | set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../include 6 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/rats-tls 7 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/internal 8 | ) 9 | include_directories(${INCLUDE_DIRS}) 10 | 11 | # Set dependency library directory 12 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 13 | ${RATS_TLS_INSTALL_LIB_PATH} 14 | ) 15 | link_directories(${LIBRARY_DIRS}) 16 | 17 | # Set rpc interface library 18 | set(TTRPC_LIB libttrpc.so) 19 | 20 | # Set source file 21 | set(SOURCES cleanup.c 22 | collect_evidence.c 23 | init.c 24 | main.c 25 | pre_init.c 26 | ) 27 | 28 | add_custom_target(ttrpc_lib ALL 29 | COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR}/ttrpc && cargo build --release && cp -f target/release/${TTRPC_LIB} ${CMAKE_BINARY_DIR}/src) 30 | 31 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 32 | add_dependencies(${PROJECT_NAME} ttrpc_lib) 33 | target_link_libraries(${PROJECT_NAME} ${RATS_TLS_LDFLAGS} ${RTLS_LIB} ${TTRPC_LIB} crypto) 34 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 35 | 36 | # Install library 37 | install(TARGETS ${PROJECT_NAME} 38 | DESTINATION ${RATS_TLS_INSTALL_LIBA_PATH}) 39 | install(FILES ${CMAKE_BINARY_DIR}/src/${TTRPC_LIB} 40 | DESTINATION ${RATS_TLS_INSTALL_LIB_PATH}) 41 | -------------------------------------------------------------------------------- /src/attesters/sev/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t sev_attester_cleanup(enclave_attester_ctx_t *ctx) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_ATTESTER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/attesters/sev/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | static unsigned int dummy_private; 11 | 12 | enclave_attester_err_t sev_attester_init(enclave_attester_ctx_t *ctx, rats_tls_cert_algo_t algo) 13 | { 14 | RTLS_DEBUG("ctx %p, algo %d\n", ctx, algo); 15 | 16 | ctx->attester_private = &dummy_private; 17 | 18 | return ENCLAVE_ATTESTER_ERR_NONE; 19 | } 20 | -------------------------------------------------------------------------------- /src/attesters/sev/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | extern enclave_attester_err_t enclave_attester_register(enclave_attester_opts_t *opts); 12 | extern enclave_attester_err_t sev_attester_pre_init(void); 13 | extern enclave_attester_err_t sev_attester_init(enclave_attester_ctx_t *ctx, 14 | rats_tls_cert_algo_t algo); 15 | extern enclave_attester_err_t sev_collect_evidence(enclave_attester_ctx_t *ctx, 16 | attestation_evidence_t *evidence, 17 | rats_tls_cert_algo_t algo, uint8_t *hash, 18 | uint32_t hash_len); 19 | extern enclave_attester_err_t sev_attester_cleanup(enclave_attester_ctx_t *ctx); 20 | 21 | static enclave_attester_opts_t sev_attester_opts = { 22 | .api_version = ENCLAVE_ATTESTER_API_VERSION_DEFAULT, 23 | .flags = ENCLAVE_ATTESTER_OPTS_FLAGS_SEV_GUEST, 24 | .name = "sev", 25 | .priority = 35, 26 | .pre_init = sev_attester_pre_init, 27 | .init = sev_attester_init, 28 | .collect_evidence = sev_collect_evidence, 29 | .cleanup = sev_attester_cleanup, 30 | }; 31 | 32 | void __attribute__((constructor)) libattester_sev_init(void) 33 | { 34 | RTLS_DEBUG("called\n"); 35 | 36 | enclave_attester_err_t err = enclave_attester_register(&sev_attester_opts); 37 | if (err != ENCLAVE_ATTESTER_ERR_NONE) 38 | RTLS_DEBUG("failed to register the enclave attester 'sev' %#x\n", err); 39 | } 40 | -------------------------------------------------------------------------------- /src/attesters/sev/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t sev_attester_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_ATTESTER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/attesters/sev/ttrpc/.gitignore: -------------------------------------------------------------------------------- 1 | /target 2 | /src/protocols/sev/aeb 3 | -------------------------------------------------------------------------------- /src/attesters/sev/ttrpc/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "ttrpc" 3 | version = "0.1.0" 4 | edition = "2018" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [lib] 9 | name = "ttrpc" 10 | crate-type = ["dylib"] 11 | 12 | [dependencies] 13 | protobuf = "2.8.0" 14 | ttrpc = { version = "0.5.2", features = ["async"] } 15 | sev = { git = "https://github.com/haosanzi/sev", branch= "main", features = ["openssl"]} 16 | serde = { version = "1.0", features = ["derive"] } 17 | serde_json = "1.0" 18 | libc = "0.2.107" 19 | anyhow = "1.0" 20 | log = "0.4.14" 21 | env_logger = "0.8.3" 22 | 23 | [build-dependencies] 24 | ttrpc-codegen = "0.2.0" 25 | -------------------------------------------------------------------------------- /src/attesters/sev/ttrpc/build.rs: -------------------------------------------------------------------------------- 1 | use ttrpc_codegen::Codegen; 2 | 3 | fn main() { 4 | let protos = vec!["src/protocols/proto/aeb.proto"]; 5 | 6 | Codegen::new() 7 | .out_dir("src/protocols/sev") 8 | .inputs(&protos) 9 | .include("src/protocols/proto") 10 | .rust_protobuf() 11 | .run() 12 | .expect("Generate code failed."); 13 | } 14 | -------------------------------------------------------------------------------- /src/attesters/sev/ttrpc/rust-toolchain.toml: -------------------------------------------------------------------------------- 1 | [toolchain] 2 | channel = "nightly-2024-04-10" -------------------------------------------------------------------------------- /src/attesters/sev/ttrpc/src/protocols/mod.rs: -------------------------------------------------------------------------------- 1 | pub mod sev; 2 | -------------------------------------------------------------------------------- /src/attesters/sev/ttrpc/src/protocols/proto/aeb.proto: -------------------------------------------------------------------------------- 1 | syntax = "proto3"; 2 | 3 | package aeb; 4 | 5 | message RetrieveAttestationEvidenceSizeRequest{ 6 | uint32 guest_handle = 1; 7 | } 8 | 9 | message RetrieveAttestationEvidenceRequest{ 10 | uint32 guest_handle = 1; 11 | uint32 evidence_size = 2; 12 | } 13 | 14 | message RetrieveAttestationEvidenceSizeResponse{ 15 | uint32 error_code = 1; 16 | uint32 evidence_size = 2; 17 | } 18 | 19 | message RetrieveAttestationEvidenceResponse{ 20 | uint32 error_code = 1; 21 | uint32 evidence_size = 2; 22 | bytes evidence = 3; 23 | } 24 | 25 | service AEB { 26 | rpc RetrieveAttestationEvidenceSize(RetrieveAttestationEvidenceSizeRequest) returns (RetrieveAttestationEvidenceSizeResponse); 27 | rpc RetrieveAttestationEvidence(RetrieveAttestationEvidenceRequest) returns (RetrieveAttestationEvidenceResponse); 28 | } 29 | -------------------------------------------------------------------------------- /src/attesters/sev/ttrpc/src/protocols/sev/mod.rs: -------------------------------------------------------------------------------- 1 | pub mod aeb; 2 | pub mod aeb_ttrpc; 3 | -------------------------------------------------------------------------------- /src/attesters/sev/ttrpc/src/sev_evidence.rs: -------------------------------------------------------------------------------- 1 | use serde::{Deserialize, Serialize}; 2 | use sev::certs::sev::Certificate; 3 | use sev::firmware::AttestationReport; 4 | 5 | #[derive(Serialize, Deserialize, Debug, Copy, Clone)] 6 | #[repr(C, packed)] 7 | pub struct SevEvidence { 8 | pub report: AttestationReport, // The attestation report 9 | pub cek: Certificate, // The certificate for the CEK. 10 | pub pek: Certificate, // The certificate for the PEK. 11 | pub oca: Certificate, // The certificate for the OCA. 12 | pub device_type: DeviceType, // The SEV PSP device type 13 | } 14 | 15 | #[derive(Serialize, Deserialize, Debug, Eq, PartialEq, Clone, Copy)] 16 | pub enum DeviceType { 17 | AmdRome, 18 | AmdNaples, 19 | AmdMilan, 20 | Unknown, 21 | } 22 | -------------------------------------------------------------------------------- /src/attesters/sgx-ecdsa/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(attester_sgx_ecdsa) 3 | 4 | # Set include directory 5 | list(APPEND INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR} 6 | ${SGXSDK_INSTALL_INCLUDE_PATH} 7 | ) 8 | 9 | if(OCCLUM) 10 | list(APPEND INCLUDE_DIRS ${SGXSDK_INSTALL_INCLUDE_PATH}) 11 | endif() 12 | include_directories(${INCLUDE_DIRS}) 13 | 14 | # Set dependency library directory 15 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 16 | ${RATS_TLS_INSTALL_LIB_PATH} 17 | ) 18 | 19 | if(OCCLUM) 20 | list(APPEND LIBRARY_DIRS ${SGXSDK_INSTALL_LIB_PATH}) 21 | endif() 22 | link_directories(${LIBRARY_DIRS}) 23 | 24 | # Set extra link library 25 | if(OCCLUM) 26 | set(EXTRA_LINK_LIBRARY sgx_dcap_quoteverify) 27 | endif() 28 | 29 | # Set source file 30 | set(SOURCES cleanup.c 31 | collect_evidence.c 32 | collect_endorsements.c 33 | init.c 34 | main.c 35 | pre_init.c 36 | ) 37 | 38 | # Generate library 39 | if(SGX) 40 | add_trusted_library(${PROJECT_NAME} SRCS ${SOURCES}) 41 | add_dependencies(${PROJECT_NAME} rtls_edl_t) 42 | else() 43 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 44 | target_link_libraries(${PROJECT_NAME} ${EXTRA_LINK_LIBRARY} ${RATS_TLS_LDFLAGS} ${RTLS_LIB}) 45 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 46 | endif() 47 | 48 | # Install library 49 | install(TARGETS ${PROJECT_NAME} 50 | DESTINATION ${RATS_TLS_INSTALL_LIBA_PATH}) 51 | -------------------------------------------------------------------------------- /src/attesters/sgx-ecdsa/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t sgx_ecdsa_attester_cleanup(__attribute__((unused)) 11 | enclave_attester_ctx_t *ctx) 12 | { 13 | RTLS_DEBUG("called\n"); 14 | 15 | return ENCLAVE_ATTESTER_ERR_NONE; 16 | } 17 | -------------------------------------------------------------------------------- /src/attesters/sgx-ecdsa/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | static unsigned int dummy_private; 11 | 12 | enclave_attester_err_t sgx_ecdsa_attester_init(enclave_attester_ctx_t *ctx, 13 | rats_tls_cert_algo_t algo) 14 | { 15 | RTLS_DEBUG("ctx %p, algo %d\n", ctx, algo); 16 | 17 | ctx->attester_private = &dummy_private; 18 | 19 | return ENCLAVE_ATTESTER_ERR_NONE; 20 | } 21 | -------------------------------------------------------------------------------- /src/attesters/sgx-ecdsa/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | extern enclave_attester_err_t enclave_attester_register(enclave_attester_opts_t *opts); 12 | extern enclave_attester_err_t sgx_ecdsa_attester_pre_init(void); 13 | extern enclave_attester_err_t sgx_ecdsa_attester_init(enclave_attester_ctx_t *ctx, 14 | rats_tls_cert_algo_t algo); 15 | //extern enclave_attester_err_t null_extend_cert(enclave_attester_ctx_t *ctx, 16 | // const rats_tls_cert_info_t *cert_info); 17 | extern enclave_attester_err_t sgx_ecdsa_collect_evidence(enclave_attester_ctx_t *ctx, 18 | attestation_evidence_t *evidence, 19 | rats_tls_cert_algo_t algo, uint8_t *hash, 20 | uint32_t hash_len); 21 | extern enclave_attester_err_t 22 | sgx_ecdsa_collect_endorsements(enclave_attester_ctx_t *ctx, attestation_evidence_t *evidence, 23 | attestation_endorsement_t *endorsements); 24 | extern enclave_attester_err_t sgx_ecdsa_attester_cleanup(enclave_attester_ctx_t *ctx); 25 | 26 | static enclave_attester_opts_t sgx_ecdsa_attester_opts = { 27 | .api_version = ENCLAVE_ATTESTER_API_VERSION_DEFAULT, 28 | .flags = ENCLAVE_ATTESTER_OPTS_FLAGS_SGX_ENCLAVE, 29 | .name = "sgx_ecdsa", 30 | .priority = 52, 31 | .pre_init = sgx_ecdsa_attester_pre_init, 32 | .init = sgx_ecdsa_attester_init, 33 | //.extend_cert = null_extend_cert, 34 | .collect_evidence = sgx_ecdsa_collect_evidence, 35 | .collect_endorsements = sgx_ecdsa_collect_endorsements, 36 | .cleanup = sgx_ecdsa_attester_cleanup, 37 | }; 38 | 39 | #ifdef SGX 40 | void libattester_sgx_ecdsa_init(void) 41 | #else 42 | void __attribute__((constructor)) libattester_sgx_ecdsa_init(void) 43 | #endif 44 | { 45 | RTLS_DEBUG("called\n"); 46 | 47 | enclave_attester_err_t err = enclave_attester_register(&sgx_ecdsa_attester_opts); 48 | if (err != ENCLAVE_ATTESTER_ERR_NONE) 49 | RTLS_DEBUG("failed to register the enclave attester 'sgx_ecdsa' %#x\n", err); 50 | } 51 | -------------------------------------------------------------------------------- /src/attesters/sgx-ecdsa/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t sgx_ecdsa_attester_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_ATTESTER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/attesters/sgx-ecdsa/quote_generation.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef QUOTE_GENERATION_H_ 8 | #define QUOTE_GENERATION_H_ 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | /** @struct sgxioc_gen_dcap_quote_arg_t 16 | * A structure for DCAP quote generation 17 | * 18 | * @var report_data 19 | * The input report data to be included in the quote. 20 | * @var quote_len 21 | * A value-result argument: the caller must initialize it to contain the 22 | * size (in bytes) of the buffer pointed to by quote_buf; on return it 23 | * will contain the actual size of the output quote. 24 | * @var quote_buf 25 | * A pointer to the buffer to store the output quote. 26 | */ 27 | typedef struct { 28 | sgx_report_data_t *report_data; 29 | uint32_t *quote_len; 30 | uint8_t *quote_buf; 31 | } sgxioc_gen_dcap_quote_arg_t; 32 | 33 | typedef struct { 34 | const sgx_target_info_t *target_info; // input (optinal) 35 | const sgx_report_data_t *report_data; // input (optional) 36 | sgx_report_t *report; // output 37 | } sgxioc_create_report_arg_t; 38 | 39 | #define SGXIOC_GET_DCAP_QUOTE_SIZE _IOR('s', 7, uint32_t) 40 | #define SGXIOC_GEN_DCAP_QUOTE _IOWR('s', 8, sgxioc_gen_dcap_quote_arg_t) 41 | #define SGXIOC_CREATE_REPORT _IOWR('s', 4, sgxioc_create_report_arg_t) 42 | 43 | int generate_quote(int sgx_fd, sgxioc_gen_dcap_quote_arg_t *gen_quote_arg); 44 | 45 | #endif //QUOTE_GENERATION_H_ 46 | -------------------------------------------------------------------------------- /src/attesters/sgx-la/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(attester_sgx_la) 3 | 4 | if(SGX) 5 | # Set include directory 6 | list(APPEND INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}) 7 | include_directories(${INCLUDE_DIRS}) 8 | 9 | set(LIBRARY_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../ 10 | ${SGXSDK_INSTALL_LIB_PATH} 11 | ) 12 | link_directories(${LIBRARY_DIRS}) 13 | 14 | # Set source file 15 | set(SOURCES cleanup.c 16 | collect_evidence.c 17 | init.c 18 | main.c 19 | pre_init.c 20 | ) 21 | 22 | # Generate library 23 | add_trusted_library(${PROJECT_NAME} SRCS ${SOURCES}) 24 | 25 | # Install library 26 | install(TARGETS ${PROJECT_NAME} 27 | DESTINATION ${RATS_TLS_INSTALL_LIBA_PATH}) 28 | endif() 29 | -------------------------------------------------------------------------------- /src/attesters/sgx-la/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t sgx_la_attester_cleanup(__attribute__((unused)) enclave_attester_ctx_t *ctx) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_ATTESTER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/attesters/sgx-la/collect_evidence.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | extern sgx_status_t sgx_generate_evidence(sgx_report_data_t *report_data, sgx_report_t *app_report); 14 | 15 | /* The local attestation requires to exchange the target info between ISV 16 | * enclaves as the prerequisite. This is out of scope in rats-tls because it 17 | * requires to establish a out of band channel to do that. Instead, introduce 18 | * QE as the intermediator. One ISV enclave as attester can request the local 19 | * reports signed by QE and the opposite end of ISV enclave as verifier can 20 | * check the validation of local report through calling sgx_qe_get_attester() 21 | * which verifies the signed local report. Once getting attester successfully, 22 | * it presents ISV enclave's local report has been fully verified. 23 | */ 24 | enclave_attester_err_t sgx_la_collect_evidence(enclave_attester_ctx_t *ctx, 25 | attestation_evidence_t *evidence, 26 | rats_tls_cert_algo_t algo, uint8_t *hash, 27 | uint32_t hash_len) 28 | { 29 | RTLS_DEBUG("ctx %p, evidence %p, algo %d, hash %p\n", ctx, evidence, algo, hash); 30 | 31 | sgx_report_data_t report_data; 32 | if (sizeof(report_data.d) < hash_len) { 33 | RTLS_ERR("hash_len(%zu) shall be smaller than user-data filed size (%zu)\n", 34 | hash_len, sizeof(report_data.d)); 35 | return ENCLAVE_ATTESTER_ERR_INVALID; 36 | } 37 | memset(&report_data, 0, sizeof(sgx_report_data_t)); 38 | memcpy(report_data.d, hash, hash_len); 39 | 40 | sgx_report_t isv_report; 41 | sgx_status_t generate_evidence_ret; 42 | generate_evidence_ret = sgx_generate_evidence(&report_data, &isv_report); 43 | if (generate_evidence_ret != SGX_SUCCESS) { 44 | RTLS_ERR("failed to generate evidence %#x\n", generate_evidence_ret); 45 | return SGX_LA_ATTESTER_ERR_CODE((int)generate_evidence_ret); 46 | } 47 | 48 | memcpy(evidence->la.report, &isv_report, sizeof(isv_report)); 49 | evidence->la.report_len = sizeof(isv_report); 50 | 51 | snprintf(evidence->type, sizeof(evidence->type), "%s", "sgx_la"); 52 | 53 | return ENCLAVE_ATTESTER_ERR_NONE; 54 | } 55 | -------------------------------------------------------------------------------- /src/attesters/sgx-la/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | static unsigned int dummy_private; 11 | 12 | enclave_attester_err_t sgx_la_attester_init(enclave_attester_ctx_t *ctx, rats_tls_cert_algo_t algo) 13 | { 14 | RTLS_DEBUG("ctx %p, algo %d\n", ctx, algo); 15 | 16 | ctx->attester_private = &dummy_private; 17 | 18 | return ENCLAVE_ATTESTER_ERR_NONE; 19 | } 20 | -------------------------------------------------------------------------------- /src/attesters/sgx-la/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | extern enclave_attester_err_t enclave_attester_register(enclave_attester_opts_t *); 12 | extern enclave_attester_err_t sgx_la_attester_pre_init(void); 13 | extern enclave_attester_err_t sgx_la_attester_init(enclave_attester_ctx_t *, 14 | rats_tls_cert_algo_t algo); 15 | extern enclave_attester_err_t sgx_la_collect_evidence(enclave_attester_ctx_t *, 16 | attestation_evidence_t *, 17 | rats_tls_cert_algo_t algo, uint8_t *, 18 | uint32_t hash_len); 19 | extern enclave_attester_err_t sgx_la_attester_cleanup(enclave_attester_ctx_t *); 20 | 21 | static enclave_attester_opts_t sgx_la_attester_opts = { 22 | .api_version = ENCLAVE_ATTESTER_API_VERSION_DEFAULT, 23 | .flags = ENCLAVE_ATTESTER_OPTS_FLAGS_SGX_ENCLAVE, 24 | .name = "sgx_la", 25 | .priority = 15, 26 | .pre_init = sgx_la_attester_pre_init, 27 | .init = sgx_la_attester_init, 28 | .collect_evidence = sgx_la_collect_evidence, 29 | .cleanup = sgx_la_attester_cleanup, 30 | }; 31 | 32 | #ifdef SGX 33 | void libattester_sgx_la_init(void) 34 | #else 35 | void __attribute__((constructor)) libattester_sgx_la_init(void) 36 | #endif 37 | { 38 | RTLS_DEBUG("called\n"); 39 | 40 | enclave_attester_err_t err = enclave_attester_register(&sgx_la_attester_opts); 41 | if (err != ENCLAVE_ATTESTER_ERR_NONE) 42 | RTLS_ERR("failed to register the enclave attester 'sgx_la' %#x\n", err); 43 | } 44 | -------------------------------------------------------------------------------- /src/attesters/sgx-la/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t sgx_la_attester_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_ATTESTER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/attesters/tdx-ecdsa/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(attester_tdx_ecdsa) 3 | 4 | # Set include directory 5 | set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../include 6 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/rats-tls 7 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/internal 8 | ${CMAKE_CURRENT_SOURCE_DIR} 9 | ${SGXSDK_INSTALL_INCLUDE_PATH} 10 | /usr/include 11 | ) 12 | include_directories(${INCLUDE_DIRS}) 13 | 14 | # Set dependency library directory 15 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 16 | ${RATS_TLS_INSTALL_LIB_PATH} 17 | ) 18 | 19 | link_directories(${LIBRARY_DIRS}) 20 | 21 | # Set extra link library 22 | set(EXTRA_LINK_LIBRARY tdx_attest 23 | sgx_dcap_quoteverify # for tee_qv_get_collateral 24 | ) 25 | 26 | # Set source file 27 | set(SOURCES cleanup.c 28 | collect_evidence.c 29 | collect_endorsements.c 30 | init.c 31 | main.c 32 | pre_init.c 33 | ) 34 | 35 | # Generate library 36 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 37 | target_link_libraries(${PROJECT_NAME} ${EXTRA_LINK_LIBRARY} ${RATS_TLS_LDFLAGS} ${RTLS_LIB}) 38 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 39 | # Install library 40 | install(TARGETS ${PROJECT_NAME} 41 | DESTINATION ${RATS_TLS_INSTALL_LIBA_PATH}) 42 | -------------------------------------------------------------------------------- /src/attesters/tdx-ecdsa/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include "../../verifiers/tdx-ecdsa/tdx-ecdsa.h" 10 | 11 | enclave_attester_err_t tdx_ecdsa_attester_cleanup(enclave_attester_ctx_t *ctx) 12 | { 13 | RTLS_DEBUG("called\n"); 14 | 15 | tdx_ctx_t *tdx_ctx = (tdx_ctx_t *)ctx->attester_private; 16 | 17 | free(tdx_ctx); 18 | 19 | return ENCLAVE_ATTESTER_ERR_NONE; 20 | } 21 | -------------------------------------------------------------------------------- /src/attesters/tdx-ecdsa/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include "../../verifiers/tdx-ecdsa/tdx-ecdsa.h" 11 | 12 | enclave_attester_err_t tdx_ecdsa_attester_init(enclave_attester_ctx_t *ctx, 13 | rats_tls_cert_algo_t algo) 14 | { 15 | RTLS_DEBUG("ctx %p, algo %d\n", ctx, algo); 16 | 17 | tdx_ctx_t *tdx_ctx = calloc(1, sizeof(*tdx_ctx)); 18 | if (!tdx_ctx) 19 | return -ENCLAVE_ATTESTER_ERR_NO_MEM; 20 | 21 | memset(tdx_ctx->mrowner, 0, sizeof(tdx_ctx->mrowner)); 22 | ctx->attester_private = tdx_ctx; 23 | 24 | return ENCLAVE_ATTESTER_ERR_NONE; 25 | } 26 | -------------------------------------------------------------------------------- /src/attesters/tdx-ecdsa/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | extern enclave_attester_err_t enclave_attester_register(enclave_attester_opts_t *opts); 12 | extern enclave_attester_err_t tdx_ecdsa_attester_pre_init(void); 13 | extern enclave_attester_err_t tdx_ecdsa_attester_init(enclave_attester_ctx_t *ctx, 14 | rats_tls_cert_algo_t algo); 15 | extern enclave_attester_err_t tdx_ecdsa_collect_evidence(enclave_attester_ctx_t *ctx, 16 | attestation_evidence_t *evidence, 17 | rats_tls_cert_algo_t algo, uint8_t *hash, 18 | uint32_t hash_len); 19 | extern enclave_attester_err_t 20 | tdx_ecdsa_collect_endorsements(enclave_attester_ctx_t *ctx, attestation_evidence_t *evidence, 21 | attestation_endorsement_t *endorsements); 22 | extern enclave_attester_err_t tdx_ecdsa_attester_cleanup(enclave_attester_ctx_t *ctx); 23 | 24 | static enclave_attester_opts_t tdx_ecdsa_attester_opts = { 25 | .api_version = ENCLAVE_ATTESTER_API_VERSION_DEFAULT, 26 | .flags = ENCLAVE_ATTESTER_OPTS_FLAGS_TDX_GUEST, 27 | .name = "tdx_ecdsa", 28 | .priority = 42, 29 | .pre_init = tdx_ecdsa_attester_pre_init, 30 | .init = tdx_ecdsa_attester_init, 31 | .collect_evidence = tdx_ecdsa_collect_evidence, 32 | .collect_endorsements = tdx_ecdsa_collect_endorsements, 33 | .cleanup = tdx_ecdsa_attester_cleanup, 34 | }; 35 | 36 | void __attribute__((constructor)) libattester_tdx_ecdsa_init(void) 37 | { 38 | RTLS_DEBUG("called\n"); 39 | 40 | enclave_attester_err_t err = enclave_attester_register(&tdx_ecdsa_attester_opts); 41 | if (err != ENCLAVE_ATTESTER_ERR_NONE) 42 | RTLS_DEBUG("failed to register the enclave attester 'tdx_ecdsa' %#x\n", err); 43 | } 44 | -------------------------------------------------------------------------------- /src/attesters/tdx-ecdsa/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_attester_err_t tdx_ecdsa_attester_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_ATTESTER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/core/claim.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | static void _free_claim(claim_t *claim) 14 | { 15 | free(claim->name); 16 | free(claim->value); 17 | } 18 | 19 | void free_claims_list(claim_t *claims, size_t claims_length) 20 | { 21 | if (!claims) 22 | return; 23 | 24 | for (size_t j = 0; j < claims_length; j++) 25 | _free_claim(&claims[j]); 26 | 27 | free(claims); 28 | } 29 | 30 | int _add_claim(claim_t *claim, const void *name, size_t name_size, const void *value, 31 | size_t value_size) 32 | { 33 | claim->name = (char *)malloc(name_size); 34 | if (claim->name == NULL) 35 | return 1; 36 | memcpy(claim->name, name, name_size); 37 | 38 | claim->value = (uint8_t *)malloc(value_size); 39 | if (claim->value == NULL) { 40 | free(claim->name); 41 | claim->name = NULL; 42 | return 1; 43 | } 44 | memcpy(claim->value, value, value_size); 45 | claim->value_size = value_size; 46 | 47 | return 0; 48 | } 49 | 50 | claim_t *clone_claims_list(claim_t *claims, size_t claims_length) 51 | { 52 | if (!claims_length) 53 | return NULL; 54 | claim_t *claims_out = (claim_t *)malloc(claims_length * sizeof(claim_t)); 55 | if (!claims_out) 56 | return NULL; 57 | size_t i = 0; 58 | for (; i < claims_length; i++) { 59 | if (_add_claim(&claims_out[i], claims[i].name, strlen(claims[i].name) + 1, 60 | claims[i].value, claims[i].value_size)) { 61 | break; 62 | } 63 | } 64 | if (i != claims_length) { /* failed */ 65 | for (size_t j = 0; j < i; j++) { 66 | _free_claim(&claims_out[j]); 67 | } 68 | free(claims_out); 69 | return NULL; 70 | } 71 | return claims_out; 72 | } 73 | -------------------------------------------------------------------------------- /src/core/endorsement.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | void free_endorsements(const char *type, attestation_endorsement_t *endorsements) 14 | { 15 | if (!type || !endorsements) 16 | return; 17 | 18 | if (!strcmp(type, "sgx_ecdsa") || !strcmp(type, "tdx_ecdsa")) { 19 | if (endorsements->ecdsa.pck_crl_issuer_chain) { 20 | free(endorsements->ecdsa.pck_crl_issuer_chain); 21 | endorsements->ecdsa.pck_crl_issuer_chain = NULL; 22 | } 23 | if (endorsements->ecdsa.root_ca_crl) { 24 | free(endorsements->ecdsa.root_ca_crl); 25 | endorsements->ecdsa.root_ca_crl = NULL; 26 | } 27 | if (endorsements->ecdsa.pck_crl) { 28 | free(endorsements->ecdsa.pck_crl); 29 | endorsements->ecdsa.pck_crl = NULL; 30 | } 31 | if (endorsements->ecdsa.tcb_info_issuer_chain) { 32 | free(endorsements->ecdsa.tcb_info_issuer_chain); 33 | endorsements->ecdsa.tcb_info_issuer_chain = NULL; 34 | } 35 | if (endorsements->ecdsa.tcb_info) { 36 | free(endorsements->ecdsa.tcb_info); 37 | endorsements->ecdsa.tcb_info = NULL; 38 | } 39 | if (endorsements->ecdsa.qe_identity_issuer_chain) { 40 | free(endorsements->ecdsa.qe_identity_issuer_chain); 41 | endorsements->ecdsa.qe_identity_issuer_chain = NULL; 42 | } 43 | if (endorsements->ecdsa.qe_identity) { 44 | free(endorsements->ecdsa.qe_identity); 45 | endorsements->ecdsa.qe_identity = NULL; 46 | } 47 | } else { 48 | RTLS_WARN("Unable to free endorsements: unsupported evidence type: %s\n", type); 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /src/crypto_wrappers/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_subdirectory(nullcrypto) 2 | add_subdirectory(openssl) 3 | -------------------------------------------------------------------------------- /src/crypto_wrappers/api/crypto_wrapper_register.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include "internal/crypto_wrapper.h" 12 | 13 | crypto_wrapper_err_t crypto_wrapper_register(const crypto_wrapper_opts_t *opts) 14 | { 15 | if (!opts) 16 | return -CRYPTO_WRAPPER_ERR_INVALID; 17 | 18 | RTLS_DEBUG("registering the crypto wrapper '%s' ...\n", opts->name); 19 | 20 | crypto_wrapper_opts_t *new_opts = (crypto_wrapper_opts_t *)malloc(sizeof(*new_opts)); 21 | if (!new_opts) 22 | return -CRYPTO_WRAPPER_ERR_NO_MEM; 23 | 24 | memcpy(new_opts, opts, sizeof(*new_opts)); 25 | 26 | if (new_opts->name[0] == '\0') { 27 | RTLS_ERR("invalid crypto wrapper name\n"); 28 | goto err; 29 | } 30 | 31 | if (new_opts->api_version > CRYPTO_WRAPPER_API_VERSION_MAX) { 32 | RTLS_ERR("unsupported crypto wrapper api version %d > %d\n", new_opts->api_version, 33 | CRYPTO_WRAPPER_API_VERSION_MAX); 34 | goto err; 35 | } 36 | 37 | crypto_wrappers_opts[registerd_crypto_wrapper_nums++] = new_opts; 38 | 39 | RTLS_INFO("the crypto wrapper '%s' registered\n", opts->name); 40 | 41 | return CRYPTO_WRAPPER_ERR_NONE; 42 | 43 | err: 44 | free(new_opts); 45 | return -CRYPTO_WRAPPER_ERR_INVALID; 46 | } 47 | -------------------------------------------------------------------------------- /src/crypto_wrappers/internal/crypto_wrapper.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include "internal/crypto_wrapper.h" 8 | 9 | crypto_wrapper_opts_t *crypto_wrappers_opts[CRYPTO_WRAPPER_TYPE_MAX]; 10 | unsigned int registerd_crypto_wrapper_nums; 11 | 12 | crypto_wrapper_ctx_t *crypto_wrappers_ctx[CRYPTO_WRAPPER_TYPE_MAX]; 13 | unsigned int crypto_wrappers_nums; 14 | -------------------------------------------------------------------------------- /src/crypto_wrappers/internal/rtls_crypto_wrapper_select.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include "internal/core.h" 11 | #include "internal/crypto_wrapper.h" 12 | 13 | static rats_tls_err_t init_crypto_wrapper(crypto_wrapper_ctx_t *crypto_ctx) 14 | { 15 | crypto_wrapper_err_t err = crypto_ctx->opts->init(crypto_ctx); 16 | if (err != CRYPTO_WRAPPER_ERR_NONE) 17 | return err; 18 | 19 | if (!crypto_ctx->crypto_private) 20 | return -RATS_TLS_ERR_INIT; 21 | 22 | return RATS_TLS_ERR_NONE; 23 | } 24 | 25 | rats_tls_err_t rtls_crypto_wrapper_select(rtls_core_context_t *ctx, const char *name) 26 | { 27 | RTLS_DEBUG("selecting the crypto wrapper '%s' ...\n", name); 28 | 29 | crypto_wrapper_ctx_t *crypto_ctx = NULL; 30 | for (unsigned int i = 0; i < registerd_crypto_wrapper_nums; ++i) { 31 | if (name && strcmp(name, crypto_wrappers_ctx[i]->opts->name)) 32 | continue; 33 | 34 | crypto_ctx = malloc(sizeof(*crypto_ctx)); 35 | if (!crypto_ctx) 36 | return -RATS_TLS_ERR_NO_MEM; 37 | 38 | *crypto_ctx = *crypto_wrappers_ctx[i]; 39 | 40 | /* Set necessary configurations from rats_tls_init() to 41 | * make init() working correctly. 42 | */ 43 | crypto_ctx->conf_flags = ctx->config.flags; 44 | crypto_ctx->log_level = ctx->config.log_level; 45 | crypto_ctx->cert_algo = ctx->config.cert_algo; 46 | 47 | if (init_crypto_wrapper(crypto_ctx) == RATS_TLS_ERR_NONE) 48 | break; 49 | 50 | free(crypto_ctx); 51 | crypto_ctx = NULL; 52 | } 53 | 54 | if (!crypto_ctx) { 55 | if (!name) 56 | RTLS_ERR("failed to select a crypto wrapper\n"); 57 | else 58 | RTLS_ERR("failed to select the crypto wrapper '%s'\n", name); 59 | 60 | return -RATS_TLS_ERR_INIT; 61 | } 62 | 63 | ctx->crypto_wrapper = crypto_ctx; 64 | ctx->flags |= RATS_TLS_CTX_FLAGS_CRYPTO_INITIALIZED; 65 | 66 | RTLS_INFO("the crypto wrapper '%s' selected\n", crypto_ctx->opts->name); 67 | 68 | return RATS_TLS_ERR_NONE; 69 | } 70 | -------------------------------------------------------------------------------- /src/crypto_wrappers/nullcrypto/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(crypto_wrapper_nullcrypto) 3 | 4 | # Set include directory 5 | include_directories(${INCLUDE_DIRS}) 6 | 7 | # Set dependency library directory 8 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 9 | ${RATS_TLS_INSTALL_LIB_PATH} 10 | ) 11 | link_directories(${LIBRARY_DIRS}) 12 | 13 | # Set source file 14 | set(SOURCES cleanup.c 15 | gen_cert.c 16 | gen_privkey.c 17 | gen_pubkey_hash.c 18 | gen_hash.c 19 | init.c 20 | main.c 21 | pre_init.c 22 | ) 23 | 24 | # Generate library 25 | if(SGX) 26 | add_trusted_library(${PROJECT_NAME} SRCS ${SOURCES}) 27 | else() 28 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 29 | target_link_libraries(${PROJECT_NAME} ${RATS_TLS_LDFLAGS} ${RTLS_LIB}) 30 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 31 | endif() 32 | 33 | # Install library 34 | install(TARGETS ${PROJECT_NAME} 35 | DESTINATION ${RATS_TLS_INSTALL_LIBCW_PATH}) 36 | -------------------------------------------------------------------------------- /src/crypto_wrappers/nullcrypto/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | crypto_wrapper_err_t nullcrypto_cleanup(crypto_wrapper_ctx_t *ctx) 11 | { 12 | RTLS_DEBUG("ctx %p\n", ctx); 13 | 14 | return CRYPTO_WRAPPER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/crypto_wrappers/nullcrypto/gen_cert.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | crypto_wrapper_err_t nullcrypto_gen_cert(crypto_wrapper_ctx_t *ctx, rats_tls_cert_algo_t algo, 12 | rats_tls_cert_info_t *cert_info) 13 | { 14 | RTLS_DEBUG("ctx %p, algo is %d, cert_info %p\n", ctx, algo, cert_info); 15 | 16 | return CRYPTO_WRAPPER_ERR_NONE; 17 | } 18 | -------------------------------------------------------------------------------- /src/crypto_wrappers/nullcrypto/gen_hash.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | crypto_wrapper_err_t nullcrypto_gen_hash(crypto_wrapper_ctx_t *ctx, hash_algo_t hash_algo, 11 | const uint8_t *data, size_t size, uint8_t *hash) 12 | { 13 | RTLS_DEBUG("ctx %p, hash_algo %d, data %p, size %zu hash %p\n", ctx, hash_algo, data, size, 14 | hash); 15 | 16 | return CRYPTO_WRAPPER_ERR_NONE; 17 | } 18 | -------------------------------------------------------------------------------- /src/crypto_wrappers/nullcrypto/gen_privkey.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | crypto_wrapper_err_t nullcrypto_gen_privkey(crypto_wrapper_ctx_t *ctx, rats_tls_cert_algo_t algo, 12 | uint8_t *privkey_buf, unsigned int *privkey_len) 13 | { 14 | RTLS_DEBUG("ctx %p, algo %d, privkey_buf %p, privkey_len %p\n", ctx, algo, privkey_buf, 15 | privkey_len); 16 | 17 | /* Indicate no private key generated */ 18 | *privkey_len = 0; 19 | 20 | return CRYPTO_WRAPPER_ERR_NONE; 21 | } 22 | -------------------------------------------------------------------------------- /src/crypto_wrappers/nullcrypto/gen_pubkey_hash.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | crypto_wrapper_err_t nullcrypto_gen_pubkey_hash(crypto_wrapper_ctx_t *ctx, 11 | rats_tls_cert_algo_t algo, uint8_t *hash) 12 | { 13 | RTLS_DEBUG("ctx %p, algo %d, hash %p\n", ctx, algo, hash); 14 | 15 | return CRYPTO_WRAPPER_ERR_NONE; 16 | } -------------------------------------------------------------------------------- /src/crypto_wrappers/nullcrypto/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | static unsigned int dummy_private; 11 | 12 | crypto_wrapper_err_t nullcrypto_init(crypto_wrapper_ctx_t *ctx) 13 | { 14 | RTLS_DEBUG("ctx %p\n", ctx); 15 | 16 | ctx->crypto_private = &dummy_private; 17 | 18 | return CRYPTO_WRAPPER_ERR_NONE; 19 | } 20 | -------------------------------------------------------------------------------- /src/crypto_wrappers/nullcrypto/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | extern crypto_wrapper_err_t nullcrypto_pre_init(void); 11 | extern crypto_wrapper_err_t nullcrypto_init(crypto_wrapper_ctx_t *); 12 | extern crypto_wrapper_err_t nullcrypto_gen_privkey(crypto_wrapper_ctx_t *ctx, 13 | rats_tls_cert_algo_t algo, uint8_t *privkey_buf, 14 | unsigned int *privkey_len); 15 | extern crypto_wrapper_err_t nullcrypto_gen_pubkey_hash(crypto_wrapper_ctx_t *, rats_tls_cert_algo_t, 16 | uint8_t *); 17 | extern crypto_wrapper_err_t nullcrypto_gen_hash(crypto_wrapper_ctx_t *ctx, hash_algo_t hash_algo, 18 | const uint8_t *data, size_t size, uint8_t *hash); 19 | extern crypto_wrapper_err_t nullcrypto_gen_cert(crypto_wrapper_ctx_t *, rats_tls_cert_algo_t algo, 20 | rats_tls_cert_info_t *); 21 | extern crypto_wrapper_err_t nullcrypto_cleanup(crypto_wrapper_ctx_t *); 22 | 23 | static crypto_wrapper_opts_t nullcrypto_opts = { 24 | .api_version = CRYPTO_WRAPPER_API_VERSION_DEFAULT, 25 | .name = "nullcrypto", 26 | .priority = 0, 27 | .pre_init = nullcrypto_pre_init, 28 | .init = nullcrypto_init, 29 | .gen_privkey = nullcrypto_gen_privkey, 30 | .gen_pubkey_hash = nullcrypto_gen_pubkey_hash, 31 | .gen_hash = nullcrypto_gen_hash, 32 | .gen_cert = nullcrypto_gen_cert, 33 | .cleanup = nullcrypto_cleanup, 34 | }; 35 | 36 | #ifdef SGX 37 | void libcrypto_wrapper_nullcrypto_init(void) 38 | #else 39 | void __attribute__((constructor)) libcrypto_wrapper_nullcrypto_init(void) 40 | #endif 41 | { 42 | RTLS_DEBUG("called\n"); 43 | 44 | crypto_wrapper_err_t err = crypto_wrapper_register(&nullcrypto_opts); 45 | if (err != CRYPTO_WRAPPER_ERR_NONE) 46 | RTLS_ERR("failed to register the crypto wrapper 'nullcrypto' %#x\n", err); 47 | } 48 | -------------------------------------------------------------------------------- /src/crypto_wrappers/nullcrypto/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | crypto_wrapper_err_t nullcrypto_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return CRYPTO_WRAPPER_ERR_NONE; 15 | } -------------------------------------------------------------------------------- /src/crypto_wrappers/openssl/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(crypto_wrapper_openssl) 3 | 4 | # Set include directory 5 | include_directories(${INCLUDE_DIRS}) 6 | 7 | # Set dependency library directory 8 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 9 | ${RATS_TLS_INSTALL_LIB_PATH} 10 | ) 11 | if(SGX) 12 | list(APPEND LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src/external/intel-sgx-ssl/lib) 13 | endif() 14 | link_directories(${LIBRARY_DIRS}) 15 | 16 | # Set source file 17 | set(SOURCES cleanup.c 18 | gen_cert.c 19 | gen_privkey.c 20 | gen_pubkey_hash.c 21 | gen_hash.c 22 | init.c 23 | main.c 24 | pre_init.c 25 | ) 26 | 27 | # Generate library 28 | if(SGX) 29 | add_trusted_library(${PROJECT_NAME} SRCS ${SOURCES}) 30 | add_dependencies(${PROJECT_NAME} intel-sgx-ssl) 31 | else() 32 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 33 | target_link_libraries(${PROJECT_NAME} ${RATS_TLS_LDFLAGS} ${RTLS_LIB} crypto.so) 34 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 35 | endif() 36 | 37 | # Install library 38 | install(TARGETS ${PROJECT_NAME} 39 | DESTINATION ${RATS_TLS_INSTALL_LIBCW_PATH}) 40 | -------------------------------------------------------------------------------- /src/crypto_wrappers/openssl/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include "openssl.h" 11 | 12 | crypto_wrapper_err_t openssl_cleanup(crypto_wrapper_ctx_t *ctx) 13 | { 14 | RTLS_DEBUG("ctx %p\n", ctx); 15 | 16 | openssl_ctx *octx = ctx->crypto_private; 17 | 18 | /* octx->key has been freed by EVP_PKEY_free() */ 19 | free(octx); 20 | 21 | return CRYPTO_WRAPPER_ERR_NONE; 22 | } 23 | -------------------------------------------------------------------------------- /src/crypto_wrappers/openssl/gen_hash.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | crypto_wrapper_err_t openssl_gen_hash(crypto_wrapper_ctx_t *ctx, hash_algo_t hash_algo, 12 | const uint8_t *data, size_t size, uint8_t *hash) 13 | { 14 | RTLS_DEBUG("ctx %p, hash_algo %d, data %p, size %zu hash %p\n", ctx, hash_algo, data, size, 15 | hash); 16 | 17 | switch (hash_algo) { 18 | case HASH_ALGO_RESERVED: 19 | case HASH_ALGO_SHA256: 20 | SHA256(data, size, hash); 21 | break; 22 | case HASH_ALGO_SHA384: 23 | SHA384(data, size, hash); 24 | break; 25 | case HASH_ALGO_SHA512: 26 | SHA512(data, size, hash); 27 | break; 28 | default: 29 | return CRYPTO_WRAPPER_ERR_UNSUPPORTED_HASH_ALGO; 30 | } 31 | return CRYPTO_WRAPPER_ERR_NONE; 32 | } 33 | -------------------------------------------------------------------------------- /src/crypto_wrappers/openssl/gen_pubkey_hash.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include "openssl.h" 10 | 11 | crypto_wrapper_err_t openssl_gen_pubkey_hash(crypto_wrapper_ctx_t *ctx, rats_tls_cert_algo_t algo, 12 | uint8_t *hash) 13 | { 14 | openssl_ctx *octx = NULL; 15 | 16 | RTLS_DEBUG("ctx %p, algo %d, hash %p\n", ctx, algo, hash); 17 | 18 | if (!ctx || !hash) 19 | return -CRYPTO_WRAPPER_ERR_INVALID; 20 | 21 | octx = ctx->crypto_private; 22 | 23 | /* Calculate hash of SubjectPublicKeyInfo object */ 24 | if (algo == RATS_TLS_CERT_ALGO_ECC_256_SHA256) { 25 | int len = i2d_EC_PUBKEY(octx->eckey, NULL); 26 | unsigned char buffer[len]; 27 | unsigned char *p = buffer; 28 | 29 | len = i2d_EC_PUBKEY(octx->eckey, &p); 30 | 31 | SHA256(buffer, len, hash); 32 | 33 | RTLS_DEBUG( 34 | "the sha256 of public key [%d] %02x%02x%02x%02x%02x%02x%02x%02x...%02x%02x%02x%02x\n", 35 | len, hash[0], hash[1], hash[2], hash[3], hash[4], hash[5], hash[6], hash[7], 36 | hash[28], hash[29], hash[30], hash[31]); 37 | 38 | } else if (algo == RATS_TLS_CERT_ALGO_RSA_3072_SHA256) { 39 | int len = i2d_RSA_PUBKEY(octx->key, NULL); 40 | unsigned char buffer[len]; 41 | unsigned char *p = buffer; 42 | 43 | len = i2d_RSA_PUBKEY(octx->key, &p); 44 | 45 | SHA256(buffer, len, hash); 46 | 47 | RTLS_DEBUG( 48 | "the sha256 of public key [%d] %02x%02x%02x%02x%02x%02x%02x%02x...%02x%02x%02x%02x\n", 49 | len, hash[0], hash[1], hash[2], hash[3], hash[4], hash[5], hash[6], hash[7], 50 | hash[28], hash[29], hash[30], hash[31]); 51 | } else { 52 | return -CRYPTO_WRAPPER_ERR_UNSUPPORTED_ALGO; 53 | } 54 | 55 | return CRYPTO_WRAPPER_ERR_NONE; 56 | } 57 | -------------------------------------------------------------------------------- /src/crypto_wrappers/openssl/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include "openssl.h" 11 | 12 | crypto_wrapper_err_t openssl_init(crypto_wrapper_ctx_t *ctx) 13 | { 14 | openssl_ctx *octx = NULL; 15 | 16 | RTLS_DEBUG("ctx %p\n", ctx); 17 | 18 | octx = calloc(1, sizeof(*octx)); 19 | if (!octx) 20 | return -CRYPTO_WRAPPER_ERR_NO_MEM; 21 | 22 | ctx->crypto_private = octx; 23 | 24 | return CRYPTO_WRAPPER_ERR_NONE; 25 | } 26 | -------------------------------------------------------------------------------- /src/crypto_wrappers/openssl/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | crypto_wrapper_err_t openssl_pre_init(void); 12 | crypto_wrapper_err_t openssl_init(crypto_wrapper_ctx_t *ctx); 13 | crypto_wrapper_err_t openssl_gen_privkey(crypto_wrapper_ctx_t *ctx, rats_tls_cert_algo_t algo, 14 | uint8_t *privkey_buf, unsigned int *privkey_len); 15 | crypto_wrapper_err_t openssl_gen_pubkey_hash(crypto_wrapper_ctx_t *ctx, rats_tls_cert_algo_t algo, 16 | uint8_t *hash); 17 | crypto_wrapper_err_t openssl_gen_hash(crypto_wrapper_ctx_t *ctx, hash_algo_t hash_algo, 18 | const uint8_t *data, size_t size, uint8_t *hash); 19 | crypto_wrapper_err_t openssl_gen_cert(crypto_wrapper_ctx_t *ctx, rats_tls_cert_algo_t algo, 20 | rats_tls_cert_info_t *cert_info); 21 | crypto_wrapper_err_t openssl_cleanup(crypto_wrapper_ctx_t *ctx); 22 | 23 | static const crypto_wrapper_opts_t openssl_opts = { 24 | .api_version = CRYPTO_WRAPPER_API_VERSION_DEFAULT, 25 | .name = "openssl", 26 | .priority = 25, 27 | .pre_init = openssl_pre_init, 28 | .init = openssl_init, 29 | .gen_privkey = openssl_gen_privkey, 30 | .gen_pubkey_hash = openssl_gen_pubkey_hash, 31 | .gen_hash = openssl_gen_hash, 32 | .gen_cert = openssl_gen_cert, 33 | .cleanup = openssl_cleanup, 34 | }; 35 | 36 | #ifdef SGX 37 | void libcrypto_wrapper_openssl_init(void) 38 | #else 39 | static void __attribute__((constructor)) libcrypto_wrapper_openssl_init(void) 40 | #endif 41 | { 42 | RTLS_DEBUG("called\n"); 43 | 44 | crypto_wrapper_err_t err = crypto_wrapper_register(&openssl_opts); 45 | if (err != CRYPTO_WRAPPER_ERR_NONE) 46 | RTLS_ERR("failed to register the crypto wrapper 'openssl' %#x\n", err); 47 | } 48 | -------------------------------------------------------------------------------- /src/crypto_wrappers/openssl/openssl.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _OPENSSL_CRYPT_H 8 | #define _OPENSSL_CRYPT_H 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | typedef union { 23 | RSA *key; 24 | EC_KEY *eckey; 25 | } openssl_ctx; 26 | 27 | #endif 28 | -------------------------------------------------------------------------------- /src/crypto_wrappers/openssl/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | crypto_wrapper_err_t openssl_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return CRYPTO_WRAPPER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/include/edl/rtls.edl: -------------------------------------------------------------------------------- 1 | enclave { 2 | from "rtls_syscalls.edl" import *; 3 | from "rtls_socket.edl" import *; 4 | from "sgx_ecdsa.edl" import *; 5 | from "sgx_la.edl" import *; 6 | from "sgx_dummy.edl" import *; 7 | from "sgx_tstdc.edl" import *; 8 | from "sgx_pthread.edl" import *; 9 | }; 10 | -------------------------------------------------------------------------------- /src/include/edl/rtls_socket.edl: -------------------------------------------------------------------------------- 1 | enclave { 2 | include "rtls_socket.h" 3 | 4 | from "sgx_dummy.edl" import *; 5 | 6 | untrusted { 7 | int64_t ocall_socket(int domain, 8 | int type, 9 | int protocol) 10 | propagate_errno; 11 | int ocall_setsockopt(int64_t sockfd, 12 | int level, 13 | int optname, 14 | [in, size=optlen] const void *optval, 15 | uint32_t optlen) 16 | propagate_errno; 17 | int ocall_bind(int64_t sockfd, 18 | [in, size=addrlen] const struct rtls_sockaddr_in *addr, 19 | uint32_t addrlen) 20 | propagate_errno; 21 | int ocall_listen(int64_t sockfd, int backlog) 22 | propagate_errno; 23 | int64_t ocall_accept(int64_t sockfd, 24 | [out, size=addrlen_in] struct rtls_sockaddr_in *addr, 25 | uint32_t addrlen_in, 26 | [out] uint32_t *addrlen_out) 27 | propagate_errno; 28 | int ocall_connect(int64_t sockfd, 29 | [in, size=addrlen] const struct rtls_sockaddr_in *addr, 30 | uint32_t addrlen) 31 | propagate_errno; 32 | int ocall_close(int64_t sockfd) 33 | propagate_errno; 34 | }; 35 | }; 36 | -------------------------------------------------------------------------------- /src/include/edl/rtls_socket.h: -------------------------------------------------------------------------------- 1 | #ifndef _RTLS_SOCKET_H_ 2 | #define _RTLS_SOCKET_H_ 3 | 4 | #include 5 | 6 | // clang-format off 7 | #define RTLS_AF_INET 2 8 | #define RTLS_SOCK_STREAM 1 9 | #define RTLS_SOL_SOCKET 1 10 | #define RTLS_SO_REUSEADDR 2 11 | #define RTLS_SO_KEEPALIVE 9 12 | #define RTLS_SOL_TCP 6 13 | #define RTLS_TCP_KEEPIDLE 4 14 | #define RTLS_TCP_KEEPINTVL 5 15 | #define RTLS_TCP_KEEPCNT 6 16 | // clang-format on 17 | 18 | /* Define in_addr */ 19 | struct rtls_in_addr { 20 | uint32_t s_addr; 21 | }; 22 | 23 | /* Define sockaddr_in */ 24 | struct rtls_sockaddr_in { 25 | uint16_t sin_family; 26 | uint16_t sin_port; 27 | struct rtls_in_addr sin_addr; 28 | uint8_t sin_zero[8]; 29 | }; 30 | 31 | /* Define sockaddr */ 32 | struct rtls_sockaddr { 33 | uint16_t sa_family; 34 | char sa_data[14]; 35 | }; 36 | 37 | #endif 38 | -------------------------------------------------------------------------------- /src/include/edl/rtls_syscalls.edl: -------------------------------------------------------------------------------- 1 | enclave { 2 | include "rtls_syscalls.h" 3 | 4 | from "sgx_dummy.edl" import *; 5 | 6 | untrusted { 7 | void ocall_exit(void); 8 | void ocall_cpuid([in, out] int *eax, [in, out] int *ebx, [in, out] int *ecx, 9 | [in, out] int *edx); 10 | void ocall_is_sgx_dev([in, out] bool *retval, [in] const char *dev); 11 | void ocall_print_string([in, string] const char *str); 12 | uint64_t ocall_opendir([in, string] const char *name) propagate_errno; 13 | int ocall_readdir(uint64_t dirp, [out, count=1] struct ocall_dirent * entry) 14 | propagate_errno; 15 | int ocall_closedir(uint64_t dirp) propagate_errno; 16 | ssize_t ocall_read(int fd, [out, size=count] void *buf, size_t count); 17 | ssize_t ocall_write(int fd, [in, size=count] const void *buf, size_t count); 18 | void ocall_getenv([in, string] const char *name, [out, size=len] char *value, 19 | size_t len); 20 | void ocall_current_time([out] double *time); 21 | void ocall_low_res_time([out] int *time); 22 | size_t ocall_recv(int sockfd, [out, size=len] void *buf, size_t len, int flags) 23 | propagate_errno; 24 | size_t ocall_send(int sockfd, [in, size=len] const void *buf, size_t len, 25 | int flags) propagate_errno; 26 | }; 27 | }; 28 | -------------------------------------------------------------------------------- /src/include/edl/rtls_syscalls.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _RTLS_SYSCALL_H_ 8 | #define _RTLS_SYSCALL_H_ 9 | 10 | #include 11 | 12 | struct ocall_dirent { 13 | u_int64_t d_ino; 14 | int64_t d_off; //off_t 15 | u_int16_t d_reclen; 16 | u_int8_t d_type; 17 | char d_name[256]; // NAME_MAX + 1 = 256 18 | }; 19 | 20 | typedef u_int64_t uint64_t; 21 | 22 | #endif 23 | -------------------------------------------------------------------------------- /src/include/edl/sgx_dummy.edl: -------------------------------------------------------------------------------- 1 | enclave { 2 | trusted { 3 | public void dummy(void); 4 | }; 5 | }; 6 | -------------------------------------------------------------------------------- /src/include/edl/sgx_la.edl: -------------------------------------------------------------------------------- 1 | enclave { 2 | include "rats-tls/err.h" 3 | include "rats-tls/verifier.h" 4 | 5 | include "rats-tls/cert.h" 6 | 7 | from "sgx_dummy.edl" import *; 8 | 9 | untrusted { 10 | enclave_verifier_err_t ocall_la_verify_evidence([user_check] enclave_verifier_ctx_t *ctx, 11 | [in, size=evidence_len] attestation_evidence_t *evidence, 12 | uint32_t evidence_len, 13 | [in, size=hash_len] uint8_t *hash, 14 | uint32_t hash_len); 15 | }; 16 | }; 17 | -------------------------------------------------------------------------------- /src/include/edl/sgx_tsgxssl.edl: -------------------------------------------------------------------------------- 1 | /* sgx_tsgxssl.edl - Top EDL file. */ 2 | 3 | enclave { 4 | 5 | from "sgx_tstdc.edl" import *; 6 | 7 | untrusted { 8 | void u_sgxssl_ftime([out, size=timeb_len] void * timeptr, uint32_t timeb_len); 9 | int ocall_sgxssl_read(int fd, [out, size = buf_len] void *buf, size_t buf_len); 10 | int ocall_sgxssl_write(int fd, [in, size = buf_len] const void *buf, size_t buf_len); 11 | int ocall_sgxssl_getenv([in, size = name_len] const char *name, size_t name_len, [out, size = buf_len] void *buf, int buf_len, [out] int *need_len); 12 | uint64_t ocall_sgxssl_fopen([in, size = filename_len] const char *filename, size_t filename_len, [in, size = mode_len] const char *mode, size_t mode_len); 13 | int ocall_sgxssl_fclose(uint64_t fp); 14 | int ocall_sgxssl_ferror(uint64_t fp); 15 | int ocall_sgxssl_feof(uint64_t fp); 16 | int ocall_sgxssl_fflush(uint64_t fp); 17 | long ocall_sgxssl_ftell(uint64_t fp); 18 | int ocall_sgxssl_fseek(uint64_t fp, long offset, int origin); 19 | size_t ocall_sgxssl_fread([out, size = total_size] void *buf, size_t total_size, size_t element_size, size_t cnt, uint64_t fp); 20 | size_t ocall_sgxssl_fwrite([in, size = total_size] const void *buf, size_t total_size, size_t element_size, size_t cnt, uint64_t fp); 21 | int ocall_sgxssl_fgets([out, size = max_cnt] char *str, int max_cnt, uint64_t fp); 22 | int ocall_sgxssl_fputs([in, size = total_size] const char *str, size_t total_size, uint64_t fp); 23 | }; 24 | 25 | trusted { 26 | 27 | }; 28 | }; 29 | -------------------------------------------------------------------------------- /src/include/internal/attester.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _INTERNAL_ATTESTER_H 8 | #define _INTERNAL_ATTESTER_H 9 | 10 | #include 11 | #include "internal/core.h" 12 | 13 | #define ENCLAVE_ATTESTERS_DIR "/usr/local/lib/rats-tls/attesters/" 14 | 15 | extern rats_tls_err_t rtls_enclave_attester_load_all(void); 16 | extern rats_tls_err_t rtls_enclave_attester_load_single(const char *); 17 | extern rats_tls_err_t rtls_attester_select(rtls_core_context_t *, const char *, 18 | rats_tls_cert_algo_t); 19 | extern enclave_attester_opts_t *enclave_attesters_opts[ENCLAVE_ATTESTER_TYPE_MAX]; 20 | extern enclave_attester_ctx_t *enclave_attesters_ctx[ENCLAVE_ATTESTER_TYPE_MAX]; 21 | extern unsigned int enclave_attester_nums; 22 | extern unsigned int registerd_enclave_attester_nums; 23 | 24 | #endif 25 | -------------------------------------------------------------------------------- /src/include/internal/core.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _INTERNAL_CORE_H 8 | #define _INTERNAL_CORE_H 9 | 10 | // clang-format off 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #ifdef SGX 18 | #include "rtls_syscalls.h" 19 | #endif 20 | // clang-format on 21 | 22 | typedef struct rtls_core_context_t { 23 | rats_tls_conf_t config; 24 | unsigned long flags; 25 | rats_tls_callback_t user_callback; 26 | enclave_attester_ctx_t *attester; 27 | enclave_verifier_ctx_t *verifier; 28 | tls_wrapper_ctx_t *tls_wrapper; 29 | crypto_wrapper_ctx_t *crypto_wrapper; 30 | } rtls_core_context_t; 31 | 32 | #ifdef SGX 33 | typedef struct ocall_dirent rtls_dirent; 34 | #else 35 | typedef struct dirent rtls_dirent; 36 | #endif 37 | 38 | extern rtls_core_context_t global_core_context; 39 | 40 | extern rats_tls_err_t rtls_core_generate_certificate(rtls_core_context_t *); 41 | 42 | extern void rtls_exit(void); 43 | 44 | extern rats_tls_err_t rtls_instance_init(const char *type, const char *realpath, void **handle); 45 | 46 | extern ssize_t rtls_write(int fd, const void *buf, size_t count); 47 | 48 | extern ssize_t rtls_read(int fd, void *buf, size_t count); 49 | 50 | extern uint64_t rtls_opendir(const char *name); 51 | 52 | extern int rtls_readdir(uint64_t dirp, rtls_dirent **ptr); 53 | 54 | extern int rtls_closedir(uint64_t dir); 55 | 56 | // Whether the quote instance is initialized 57 | #define RATS_TLS_CTX_FLAGS_QUOTING_INITIALIZED (1 << 0) 58 | // Whether the tls lib is initialized 59 | #define RATS_TLS_CTX_FLAGS_TLS_INITIALIZED (1 << 16) 60 | // Whether the tls library has completed the creation and initialization of the TLS certificate 61 | #define RATS_TLS_CTX_FLAGS_CERT_CREATED (1 << 17) 62 | // Whether the crypto lib is initialized 63 | #define RATS_TLS_CTX_FLAGS_CRYPTO_INITIALIZED (1 << 18) 64 | 65 | #endif 66 | -------------------------------------------------------------------------------- /src/include/internal/cpu.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _INTERNAL_CPU_H 8 | #define _INTERNAL_CPU_H 9 | 10 | #include 11 | 12 | #define SGX_CPUID 0x12 13 | #define TDX_CPUID 0x21 14 | 15 | #define SGX_DEVICE_MAJOR_NUM 10 16 | 17 | #define SGX1_STRING 0x00000001 18 | #define SGX2_STRING 0x00000002 19 | 20 | #define SEV_STATUS_MSR 0xc0010131 21 | #define SEV_FLAG 0 22 | #define SEV_ES_FLAG 1 23 | #define SEV_SNP_FLAG 2 24 | 25 | extern bool is_sgx1_supported(void); 26 | extern bool is_sgx2_supported(void); 27 | extern bool is_tdguest_supported(void); 28 | extern bool is_snpguest_supported(void); 29 | extern bool is_sevguest_supported(void); 30 | extern bool is_csvguest_supported(void); 31 | 32 | #endif /* _INTERNAL_CPU_H */ 33 | -------------------------------------------------------------------------------- /src/include/internal/crypto_wrapper.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _INTERNAL_CRYPTO_WRAPPER_H 8 | #define _INTERNAL_CRYPTO_WRAPPER_H 9 | 10 | #include 11 | #include "internal/core.h" 12 | 13 | #define CRYPTO_WRAPPERS_DIR "/usr/local/lib/rats-tls/crypto-wrappers/" 14 | 15 | extern rats_tls_err_t rtls_crypto_wrapper_load_all(void); 16 | extern rats_tls_err_t rtls_crypto_wrapper_load_single(const char *); 17 | extern rats_tls_err_t rtls_crypto_wrapper_select(rtls_core_context_t *, const char *); 18 | 19 | extern crypto_wrapper_ctx_t *crypto_wrappers_ctx[CRYPTO_WRAPPER_TYPE_MAX]; 20 | extern crypto_wrapper_opts_t *crypto_wrappers_opts[CRYPTO_WRAPPER_TYPE_MAX]; 21 | extern unsigned int crypto_wrappers_nums; 22 | extern unsigned registerd_crypto_wrapper_nums; 23 | 24 | #endif 25 | -------------------------------------------------------------------------------- /src/include/internal/tls_wrapper.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _INTERNAL_TLS_WRAPPER_H 8 | #define _INTERNAL_TLS_WRAPPER_H 9 | 10 | #include 11 | #include "internal/core.h" 12 | 13 | #define TLS_WRAPPERS_DIR "/usr/local/lib/rats-tls/tls-wrappers/" 14 | 15 | extern rats_tls_err_t rtls_tls_wrapper_load_all(void); 16 | extern rats_tls_err_t rtls_tls_wrapper_load_single(const char *); 17 | extern rats_tls_err_t rtls_tls_wrapper_select(rtls_core_context_t *, const char *); 18 | 19 | extern tls_wrapper_ctx_t *tls_wrappers_ctx[TLS_WRAPPER_TYPE_MAX]; 20 | extern tls_wrapper_opts_t *tls_wrappers_opts[TLS_WRAPPER_TYPE_MAX]; 21 | extern unsigned int tls_wrappers_nums; 22 | extern unsigned registerd_tls_wrapper_nums; 23 | 24 | #endif 25 | -------------------------------------------------------------------------------- /src/include/internal/verifier.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _INTERNAL_VERIFIER_H 8 | #define _INTERNAL_VERIFIER_H 9 | 10 | #include 11 | #include "internal/core.h" 12 | 13 | #define ENCLAVE_VERIFIERS_DIR "/usr/local/lib/rats-tls/verifiers/" 14 | 15 | extern rats_tls_err_t rtls_enclave_verifier_load_all(void); 16 | extern rats_tls_err_t rtls_enclave_verifier_load_single(const char *); 17 | extern rats_tls_err_t rtls_verifier_select(rtls_core_context_t *, const char *, 18 | rats_tls_cert_algo_t); 19 | extern enclave_verifier_opts_t *enclave_verifiers_opts[ENCLAVE_VERIFIER_TYPE_MAX]; 20 | extern enclave_verifier_ctx_t *enclave_verifiers_ctx[ENCLAVE_VERIFIER_TYPE_MAX]; 21 | extern unsigned int enclave_verifier_nums; 22 | extern unsigned int registerd_enclave_verifier_nums; 23 | 24 | #endif 25 | -------------------------------------------------------------------------------- /src/include/rats-tls/cert.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _ENCLAVE_CERT_H 8 | #define _ENCLAVE_CERT_H 9 | 10 | typedef struct { 11 | const unsigned char *organization; 12 | const unsigned char *organization_unit; 13 | const unsigned char *common_name; 14 | } cert_subject_t; 15 | 16 | typedef struct { 17 | uint8_t ias_report[2 * 1024]; 18 | uint32_t ias_report_len; 19 | uint8_t ias_sign_ca_cert[2 * 1024]; 20 | uint32_t ias_sign_ca_cert_len; 21 | uint8_t ias_sign_cert[2 * 1024]; 22 | uint32_t ias_sign_cert_len; 23 | uint8_t ias_report_signature[2 * 1024]; 24 | uint32_t ias_report_signature_len; 25 | } attestation_verification_report_t; 26 | 27 | typedef struct { 28 | uint8_t quote[8192]; 29 | uint32_t quote_len; 30 | } ecdsa_attestation_evidence_t; 31 | 32 | typedef struct { 33 | uint8_t report[8192]; 34 | uint32_t report_len; 35 | } la_attestation_evidence_t; 36 | 37 | typedef struct { 38 | uint8_t quote[8192]; 39 | uint32_t quote_len; 40 | } tdx_attestation_evidence_t; 41 | 42 | typedef struct { 43 | uint8_t report[8192]; 44 | uint32_t report_len; 45 | } snp_attestation_evidence_t; 46 | 47 | typedef struct { 48 | uint8_t report[8192]; 49 | uint32_t report_len; 50 | } sev_attestation_evidence_t; 51 | 52 | typedef struct { 53 | uint8_t report[8192]; 54 | uint32_t report_len; 55 | } csv_attestation_evidence_t; 56 | 57 | typedef struct { 58 | char type[ENCLAVE_ATTESTER_TYPE_NAME_SIZE]; 59 | union { 60 | attestation_verification_report_t epid; 61 | ecdsa_attestation_evidence_t ecdsa; 62 | la_attestation_evidence_t la; 63 | tdx_attestation_evidence_t tdx; 64 | snp_attestation_evidence_t snp; 65 | sev_attestation_evidence_t sev; 66 | csv_attestation_evidence_t csv; 67 | }; 68 | } attestation_evidence_t; 69 | 70 | typedef struct { 71 | cert_subject_t subject; 72 | unsigned int cert_len; 73 | uint8_t *cert_buf; 74 | uint8_t *evidence_buffer; 75 | size_t evidence_buffer_size; 76 | uint8_t *endorsements_buffer; 77 | size_t endorsements_buffer_size; 78 | } rats_tls_cert_info_t; 79 | 80 | #endif 81 | -------------------------------------------------------------------------------- /src/include/rats-tls/claim.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _RATS_TLS_CLAIM_H_ 8 | #define _RATS_TLS_CLAIM_H_ 9 | 10 | #include 11 | #include 12 | 13 | /** 14 | * Claims struct used for claims parameters. 15 | */ 16 | typedef struct claim claim_t; 17 | struct claim { 18 | char *name; 19 | uint8_t *value; 20 | size_t value_size; 21 | } __attribute__((packed)); 22 | 23 | void free_claims_list(claim_t *claims, size_t claims_length); 24 | claim_t *clone_claims_list(claim_t *claims, size_t claims_length); 25 | 26 | #endif /* _RATS_TLS_CLAIM_H_ */ 27 | -------------------------------------------------------------------------------- /src/include/rats-tls/compilation.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _ENCLAVE_COMPILATION_H_ 8 | #define _ENCLAVE_COMPILATION_H_ 9 | 10 | #define __secured 11 | 12 | #endif 13 | -------------------------------------------------------------------------------- /src/include/rats-tls/crypto_wrapper.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _RATS_TLS_CRYPTO_WRAPPER_H 8 | #define _RATS_TLS_CRYPTO_WRAPPER_H 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | #define CRYPTO_WRAPPER_TYPE_MAX 32 19 | 20 | #define CRYPTO_WRAPPER_API_VERSION_1 1 21 | #define CRYPTO_WRAPPER_API_VERSION_MAX CRYPTO_WRAPPER_API_VERSION_1 22 | #define CRYPTO_WRAPPER_API_VERSION_DEFAULT CRYPTO_WRAPPER_API_VERSION_1 23 | 24 | #define CRYPTO_WRAPPER_OPTS_FLAGS_SGX_ENCLAVE 1 25 | 26 | typedef struct crypto_wrapper_ctx crypto_wrapper_ctx_t; 27 | 28 | typedef struct { 29 | uint8_t api_version; 30 | unsigned long flags; 31 | const char name[CRYPTO_TYPE_NAME_SIZE]; 32 | uint8_t priority; 33 | 34 | /* Optional */ 35 | crypto_wrapper_err_t (*pre_init)(void); 36 | crypto_wrapper_err_t (*init)(crypto_wrapper_ctx_t *ctx); 37 | crypto_wrapper_err_t (*gen_privkey)(crypto_wrapper_ctx_t *ctx, rats_tls_cert_algo_t algo, 38 | uint8_t *privkey_buf, unsigned int *privkey_len); 39 | crypto_wrapper_err_t (*gen_pubkey_hash)(crypto_wrapper_ctx_t *ctx, 40 | rats_tls_cert_algo_t algo, uint8_t *hash); 41 | crypto_wrapper_err_t (*gen_hash)(crypto_wrapper_ctx_t *ctx, hash_algo_t hash_algo, 42 | const uint8_t *data, size_t size, uint8_t *hash); 43 | crypto_wrapper_err_t (*gen_cert)(crypto_wrapper_ctx_t *ctx, rats_tls_cert_algo_t algo, 44 | rats_tls_cert_info_t *cert_info); 45 | crypto_wrapper_err_t (*cleanup)(crypto_wrapper_ctx_t *ctx); 46 | } crypto_wrapper_opts_t; 47 | 48 | struct crypto_wrapper_ctx { 49 | crypto_wrapper_opts_t *opts; 50 | void *crypto_private; 51 | unsigned long conf_flags; 52 | rats_tls_log_level_t log_level; 53 | rats_tls_cert_algo_t cert_algo; 54 | void *handle; 55 | }; 56 | 57 | extern crypto_wrapper_err_t crypto_wrapper_register(const crypto_wrapper_opts_t *); 58 | 59 | #endif /* _ENCLAVE_CRYPTO_WRAPPER_H */ 60 | -------------------------------------------------------------------------------- /src/include/rats-tls/endorsement.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _RATS_TLS_ENDORSEMENT_H 8 | #define _RATS_TLS_ENDORSEMENT_H 9 | 10 | #include 11 | 12 | typedef struct { 13 | uint32_t version; 14 | char *pck_crl_issuer_chain; 15 | uint32_t pck_crl_issuer_chain_size; 16 | char *root_ca_crl; 17 | uint32_t root_ca_crl_size; 18 | char *pck_crl; 19 | uint32_t pck_crl_size; 20 | char *tcb_info_issuer_chain; 21 | uint32_t tcb_info_issuer_chain_size; 22 | char *tcb_info; 23 | uint32_t tcb_info_size; 24 | char *qe_identity_issuer_chain; 25 | uint32_t qe_identity_issuer_chain_size; 26 | char *qe_identity; 27 | uint32_t qe_identity_size; 28 | } sgx_ecdsa_attestation_collateral_t; 29 | 30 | typedef struct { 31 | union { 32 | sgx_ecdsa_attestation_collateral_t ecdsa; /* SGX / TDX ECDSA */ 33 | }; 34 | } attestation_endorsement_t; 35 | 36 | void free_endorsements(const char *type, attestation_endorsement_t *endorsements); 37 | 38 | #endif 39 | -------------------------------------------------------------------------------- /src/include/rats-tls/hash.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2023 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _RATS_TLS_HASH_H 8 | #define _RATS_TLS_HASH_H 9 | 10 | #include 11 | #include 12 | 13 | #define SHA256_HASH_SIZE 32 14 | #define SHA384_HASH_SIZE 48 15 | #define SHA512_HASH_SIZE 64 16 | #define MAX_HASH_SIZE SHA512_HASH_SIZE 17 | 18 | /* https://www.iana.org/assignments/named-information/named-information.xhtml */ 19 | typedef enum { 20 | HASH_ALGO_RESERVED = 0, 21 | HASH_ALGO_SHA256 = 1, 22 | HASH_ALGO_SHA384 = 7, 23 | HASH_ALGO_SHA512 = 8, 24 | } hash_algo_t; 25 | 26 | static inline size_t hash_size_of_algo(uint8_t hash_algo) 27 | { 28 | switch (hash_algo) { 29 | case HASH_ALGO_RESERVED: 30 | case HASH_ALGO_SHA256: 31 | return SHA256_HASH_SIZE; 32 | break; 33 | case HASH_ALGO_SHA384: 34 | return SHA384_HASH_SIZE; 35 | break; 36 | case HASH_ALGO_SHA512: 37 | return SHA512_HASH_SIZE; 38 | break; 39 | default: 40 | return 0; 41 | } 42 | } 43 | 44 | #endif /* _RATS_TLS_HASH_H */ 45 | -------------------------------------------------------------------------------- /src/include/rats-tls/sgx.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _ENCLAVE_SGX_H_ 8 | #define _ENCLAVE_SGX_H_ 9 | 10 | #define fprintf(stream, fmt, ...) printf(fmt, ##__VA_ARGS__) 11 | 12 | #endif 13 | -------------------------------------------------------------------------------- /src/include/rats-tls/tls_wrapper.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _RATS_TLS_TLS_WRAPPER_H 8 | #define _RATS_TLS_TLS_WRAPPER_H 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #define TLS_WRAPPER_TYPE_MAX 32 18 | 19 | #define TLS_WRAPPER_API_VERSION_1 1 20 | #define TLS_WRAPPER_API_VERSION_MAX TLS_WRAPPER_API_VERSION_1 21 | #define TLS_WRAPPER_API_VERSION_DEFAULT TLS_WRAPPER_API_VERSION_1 22 | 23 | #define TLS_WRAPPER_OPTS_FLAGS_SGX_ENCLAVE 1 24 | 25 | typedef struct tls_wrapper_ctx tls_wrapper_ctx_t; 26 | 27 | typedef struct { 28 | uint8_t api_version; 29 | unsigned long flags; 30 | const char name[TLS_TYPE_NAME_SIZE]; 31 | uint8_t priority; 32 | 33 | /* Optional */ 34 | tls_wrapper_err_t (*pre_init)(void); 35 | tls_wrapper_err_t (*init)(tls_wrapper_ctx_t *ctx); 36 | tls_wrapper_err_t (*use_privkey)(tls_wrapper_ctx_t *ctx, rats_tls_cert_algo_t algo, 37 | void *privkey_buf, size_t privkey_len); 38 | tls_wrapper_err_t (*use_cert)(tls_wrapper_ctx_t *ctx, rats_tls_cert_info_t *cert_info); 39 | tls_wrapper_err_t (*negotiate)(tls_wrapper_ctx_t *ctx, int fd); 40 | tls_wrapper_err_t (*transmit)(tls_wrapper_ctx_t *ctx, void *buf, size_t *buf_size); 41 | tls_wrapper_err_t (*receive)(tls_wrapper_ctx_t *ctx, void *buf, size_t *buf_size); 42 | tls_wrapper_err_t (*cleanup)(tls_wrapper_ctx_t *ctx); 43 | } tls_wrapper_opts_t; 44 | 45 | struct tls_wrapper_ctx { 46 | /* associate tls wrapper with the enclave verifier instances */ 47 | struct rtls_core_context_t *rtls_handle; 48 | tls_wrapper_opts_t *opts; 49 | void *tls_private; 50 | int fd; 51 | unsigned long conf_flags; 52 | rats_tls_log_level_t log_level; 53 | void *handle; 54 | }; 55 | 56 | extern tls_wrapper_err_t tls_wrapper_register(const tls_wrapper_opts_t *); 57 | 58 | extern tls_wrapper_err_t 59 | tls_wrapper_verify_certificate_extension(tls_wrapper_ctx_t *tls_ctx, const uint8_t *pubkey_buffer, 60 | size_t pubkey_buffer_size, uint8_t *evidence_buffer, 61 | size_t evidence_buffer_size, uint8_t *endorsements_buffer, 62 | size_t endorsements_buffer_size); 63 | 64 | #endif 65 | -------------------------------------------------------------------------------- /src/sgx/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_subdirectory(trust) 2 | add_subdirectory(untrust) 3 | -------------------------------------------------------------------------------- /src/sgx/trust/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(rtls_edl_t) 3 | 4 | # Set include directory 5 | include_directories(${INCLUDE_DIRS}) 6 | 7 | # Set source file 8 | set(SOURCES sgx_dummy.c 9 | rtls_syscalls.c 10 | sgx_ecdsa_ecalls.c 11 | ) 12 | 13 | # Generate library 14 | set(EDL_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/../../include/edl) 15 | set(RTLS_EDL ${CMAKE_CURRENT_SOURCE_DIR}/../../include/edl/rtls.edl) 16 | add_trusted_library(${PROJECT_NAME} 17 | SRCS ${SOURCES} 18 | EDL ${RTLS_EDL} 19 | EDL_SEARCH_PATHS ${EDL_SEARCH_PATHS} 20 | ) 21 | 22 | # Install library 23 | install(TARGETS ${PROJECT_NAME} 24 | DESTINATION ${RATS_TLS_INSTALL_LIB_PATH}) 25 | -------------------------------------------------------------------------------- /src/sgx/trust/rtls_syscalls.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include "rtls_t.h" 10 | 11 | #define POSSIBLE_UNUSED __attribute__((unused)) 12 | 13 | void printf(const char *fmt, ...) 14 | { 15 | char buf[BUFSIZ] = { '\0' }; 16 | va_list ap; 17 | va_start(ap, fmt); 18 | vsnprintf(buf, BUFSIZ, fmt, ap); 19 | va_end(ap); 20 | ocall_print_string(buf); 21 | } 22 | 23 | size_t recv(int sockfd, void *buf, size_t len, int flags) 24 | { 25 | size_t ret; 26 | sgx_status_t POSSIBLE_UNUSED sgxStatus = ocall_recv(&ret, sockfd, buf, len, flags); 27 | 28 | return ret; 29 | } 30 | 31 | size_t send(int sockfd, const void *buf, size_t len, int flags) 32 | { 33 | size_t ret; 34 | sgx_status_t POSSIBLE_UNUSED sgxStatus = ocall_send(&ret, sockfd, buf, len, flags); 35 | 36 | return ret; 37 | } 38 | 39 | double current_time(void) 40 | { 41 | double curr; 42 | ocall_current_time(&curr); 43 | return curr; 44 | } 45 | 46 | int LowResTimer(void) 47 | { 48 | int time; 49 | ocall_low_res_time(&time); 50 | return time; 51 | } 52 | -------------------------------------------------------------------------------- /src/sgx/trust/sgx_dummy.c: -------------------------------------------------------------------------------- 1 | void dummy(void) 2 | { 3 | } 4 | -------------------------------------------------------------------------------- /src/sgx/trust/sgx_ecdsa_ecalls.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include "sgx_report.h" 8 | #include "sgx_trts.h" 9 | #include "sgx_utils.h" 10 | -------------------------------------------------------------------------------- /src/sgx/untrust/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(rats_tls_u) 3 | 4 | # Set include directory 5 | set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../include 6 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/rats-tls 7 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/internal 8 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/edl 9 | ${CMAKE_CURRENT_SOURCE_DIR}/../../verifiers/sgx-ecdsa 10 | ${CMAKE_CURRENT_SOURCE_DIR}/../../verifiers/sgx-ecdsa-qve 11 | ${CMAKE_CURRENT_SOURCE_DIR}/../../verifiers/sgx-la 12 | ) 13 | include_directories(${INCLUDE_DIRS}) 14 | 15 | # Set source file 16 | set(SOURCES rtls_syscalls_ocall.c 17 | rtls_socket_ocall.c 18 | sgx_ecdsa_ocall.c 19 | sgx_la_ocall.c 20 | ) 21 | 22 | # Generate library 23 | set(EDL_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/../../include/edl) 24 | set(RTLS_EDL ${CMAKE_CURRENT_SOURCE_DIR}/../../include/edl/rtls.edl) 25 | 26 | add_untrusted_library(${PROJECT_NAME} STATIC 27 | SRCS ${SOURCES} 28 | EDL ${RTLS_EDL} 29 | EDL_SEARCH_PATHS ${EDL_SEARCH_PATHS} 30 | ) 31 | 32 | # Install library 33 | install(TARGETS ${PROJECT_NAME} 34 | DESTINATION ${RATS_TLS_INSTALL_LIB_PATH}) 35 | -------------------------------------------------------------------------------- /src/sgx/untrust/rtls_openssl_ocall.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | tls_wrapper_err_t ocall_openssl_lib_init() 11 | { 12 | OpenSSL_add_all_algorithms(); 13 | SSL_load_error_strings(); 14 | 15 | if (SSL_library_init() < 0) { 16 | RTLS_ERR("failed to initialize the openssl library\n"); 17 | return -TLS_WRAPPER_ERR_NOT_FOUND; 18 | } 19 | 20 | return TLS_WRAPPER_ERR_NONE; 21 | } 22 | -------------------------------------------------------------------------------- /src/sgx/untrust/rtls_socket_ocall.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include "rtls_socket.h" 17 | 18 | int64_t ocall_socket(int domain, int type, int protocol) 19 | { 20 | errno = 0; 21 | 22 | return socket(domain, type, protocol); 23 | } 24 | 25 | int ocall_setsockopt(int64_t sockfd, int level, int optname, const void *optval, uint32_t optlen) 26 | { 27 | errno = 0; 28 | 29 | return setsockopt((int)sockfd, level, optname, optval, optlen); 30 | } 31 | 32 | int ocall_bind(int64_t sockfd, const struct rtls_sockaddr_in *addr, uint32_t addrlen) 33 | { 34 | errno = 0; 35 | 36 | return bind((int)sockfd, (const struct sockaddr *)addr, addrlen); 37 | } 38 | 39 | int ocall_listen(int64_t sockfd, int backlog) 40 | { 41 | errno = 0; 42 | 43 | return listen((int)sockfd, backlog); 44 | } 45 | 46 | int64_t ocall_accept(int64_t sockfd, struct rtls_sockaddr_in *addr, uint32_t addrlen_in, 47 | uint32_t *addrlen_out) 48 | { 49 | int ret; 50 | 51 | errno = 0; 52 | 53 | if ((ret = accept((int)sockfd, (struct sockaddr *)addr, &addrlen_in)) != -1) { 54 | if (addrlen_out) 55 | *addrlen_out = addrlen_in; 56 | } 57 | 58 | return ret; 59 | } 60 | 61 | int ocall_connect(int64_t sockfd, const struct rtls_sockaddr_in *addr, uint32_t addrlen) 62 | { 63 | errno = 0; 64 | 65 | return connect((int)sockfd, (const struct sockaddr *)addr, addrlen); 66 | } 67 | 68 | int ocall_close(int64_t fd) 69 | { 70 | errno = 0; 71 | 72 | return close((int)fd); 73 | } 74 | -------------------------------------------------------------------------------- /src/sgx/untrust/sgx_la_ocall.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include "sgx_error.h" 12 | #include "sgx_quote_3.h" 13 | #include "sgx_dcap_ql_wrapper.h" 14 | 15 | enclave_verifier_err_t ocall_la_verify_evidence(enclave_verifier_ctx_t *ctx, 16 | attestation_evidence_t *evidence, 17 | __attribute__((unused)) uint32_t evidence_len, 18 | uint8_t *hash, uint32_t hash_len) 19 | { 20 | uint32_t quote_size = 0; 21 | unsigned char quote[8192]; 22 | sgx_target_info_t qe_target_info; 23 | quote3_error_t qe3_ret = SGX_QL_SUCCESS; 24 | 25 | RTLS_DEBUG("ctx %p, evidence %p, hash %p\n", ctx, evidence, hash); 26 | 27 | /* Firstly verify hash value */ 28 | sgx_report_t *lreport = (sgx_report_t *)evidence->la.report; 29 | 30 | if (memcmp(hash, lreport->body.report_data.d, hash_len) != 0) { 31 | RTLS_ERR("unmatched hash value in evidence\n"); 32 | return -ENCLAVE_VERIFIER_ERR_INVALID; 33 | } 34 | 35 | qe3_ret = sgx_qe_get_target_info(&qe_target_info); 36 | if (SGX_QL_SUCCESS != qe3_ret) { 37 | RTLS_ERR("failed to get QE's target info %04x\n", qe3_ret); 38 | return SGX_LA_VERIFIER_ERR_CODE((int)qe3_ret); 39 | } 40 | 41 | qe3_ret = sgx_qe_get_quote_size("e_size); 42 | if (SGX_QL_SUCCESS != qe3_ret) { 43 | RTLS_ERR("failed to get quote size %04x\n", qe3_ret); 44 | return SGX_LA_VERIFIER_ERR_CODE((int)qe3_ret); 45 | } 46 | 47 | qe3_ret = sgx_qe_get_quote((sgx_report_t *)evidence->la.report, quote_size, quote); 48 | if (SGX_QL_SUCCESS != qe3_ret) { 49 | RTLS_ERR("failed to get quote %04x\n", qe3_ret); 50 | return SGX_LA_VERIFIER_ERR_CODE((int)qe3_ret); 51 | } 52 | 53 | return ENCLAVE_VERIFIER_ERR_NONE; 54 | } 55 | -------------------------------------------------------------------------------- /src/tls_wrappers/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_subdirectory(nulltls) 2 | add_subdirectory(openssl) 3 | -------------------------------------------------------------------------------- /src/tls_wrappers/api/tls_wrapper_register.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include "internal/tls_wrapper.h" 12 | 13 | tls_wrapper_err_t tls_wrapper_register(const tls_wrapper_opts_t *opts) 14 | { 15 | if (!opts) 16 | return -CRYPTO_WRAPPER_ERR_INVALID; 17 | 18 | RTLS_DEBUG("registering the tls wrapper '%s' ...\n", opts->name); 19 | 20 | tls_wrapper_opts_t *new_opts = (tls_wrapper_opts_t *)malloc(sizeof(*new_opts)); 21 | if (!new_opts) 22 | return -TLS_WRAPPER_ERR_NO_MEM; 23 | 24 | memcpy(new_opts, opts, sizeof(*new_opts)); 25 | 26 | if (new_opts->name[0] == '\0') { 27 | RTLS_ERR("invalid tls wrapper name\n"); 28 | goto err; 29 | } 30 | 31 | if (new_opts->api_version > TLS_WRAPPER_API_VERSION_MAX) { 32 | RTLS_ERR("unsupported tls wrapper api version %d > %d\n", new_opts->api_version, 33 | TLS_WRAPPER_API_VERSION_MAX); 34 | goto err; 35 | } 36 | 37 | tls_wrappers_opts[registerd_tls_wrapper_nums++] = new_opts; 38 | 39 | RTLS_INFO("the tls wrapper '%s' registered\n", opts->name); 40 | 41 | return TLS_WRAPPER_ERR_NONE; 42 | 43 | err: 44 | free(new_opts); 45 | return -TLS_WRAPPER_ERR_INVALID; 46 | } 47 | -------------------------------------------------------------------------------- /src/tls_wrappers/internal/rtls_tls_wrapper_load_all.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | // clang-format off 8 | #include 9 | #include 10 | #ifndef SGX 11 | #include 12 | #include 13 | #endif 14 | #include 15 | #include 16 | #include "internal/tls_wrapper.h" 17 | #define PATTERN_SUFFIX ".so" 18 | #ifdef SGX 19 | #include 20 | #include "rtls_t.h" 21 | #define DT_REG 8 22 | #define DT_LNK 10 23 | #endif 24 | // clang-format on 25 | 26 | static int tls_wrapper_cmp(const void *a, const void *b) 27 | { 28 | return (*(tls_wrapper_ctx_t **)b)->opts->priority - 29 | (*(tls_wrapper_ctx_t **)a)->opts->priority; 30 | } 31 | 32 | rats_tls_err_t rtls_tls_wrapper_load_all(void) 33 | { 34 | RTLS_DEBUG("called\n"); 35 | 36 | uint64_t dir = rtls_opendir(TLS_WRAPPERS_DIR); 37 | if (!dir) { 38 | RTLS_ERR("failed to open %s\n", TLS_WRAPPERS_DIR); 39 | return -RATS_TLS_ERR_UNKNOWN; 40 | } 41 | 42 | unsigned int total_loaded = 0; 43 | rtls_dirent *ptr; 44 | while (rtls_readdir(dir, &ptr) != 1) { 45 | if (!strcmp(ptr->d_name, ".") || !strcmp(ptr->d_name, "..")) { 46 | continue; 47 | } 48 | if (strncmp(ptr->d_name + strlen(ptr->d_name) - strlen(PATTERN_SUFFIX), 49 | PATTERN_SUFFIX, strlen(PATTERN_SUFFIX))) { 50 | continue; 51 | } 52 | 53 | #ifdef OCCLUM 54 | /* Occlum can't identify the d_type of the file, always return DT_UNKNOWN */ 55 | if (strncmp(ptr->d_name + strlen(ptr->d_name) - strlen(PATTERN_SUFFIX), 56 | PATTERN_SUFFIX, strlen(PATTERN_SUFFIX)) == 0) { 57 | #else 58 | if (ptr->d_type == DT_REG || ptr->d_type == DT_LNK) { 59 | #endif 60 | if (rtls_tls_wrapper_load_single(ptr->d_name) == RATS_TLS_ERR_NONE) 61 | ++total_loaded; 62 | } 63 | } 64 | 65 | rtls_closedir((uint64_t)dir); 66 | 67 | if (!total_loaded) { 68 | RTLS_ERR("unavailable tls wrapper instance under %s\n", TLS_WRAPPERS_DIR); 69 | return -RATS_TLS_ERR_LOAD_TLS_WRAPPERS; 70 | } 71 | 72 | /* Sort all tls_wrappers_ctx_t instances in the tls_wrappers_ctx, and the higher priority 73 | * instance should be sorted in front of the tls_wrappers_ctx array. 74 | */ 75 | qsort(tls_wrappers_ctx, tls_wrappers_nums, sizeof(tls_wrapper_ctx_t *), tls_wrapper_cmp); 76 | 77 | return RATS_TLS_ERR_NONE; 78 | } 79 | -------------------------------------------------------------------------------- /src/tls_wrappers/internal/rtls_tls_wrapper_select.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include "internal/core.h" 11 | #include "internal/tls_wrapper.h" 12 | 13 | static rats_tls_err_t init_tls_wrapper(tls_wrapper_ctx_t *tls_ctx) 14 | { 15 | tls_wrapper_err_t err = tls_ctx->opts->init(tls_ctx); 16 | 17 | if (err != TLS_WRAPPER_ERR_NONE) 18 | return err; 19 | 20 | if (!tls_ctx->tls_private) 21 | return -RATS_TLS_ERR_INIT; 22 | 23 | return RATS_TLS_ERR_NONE; 24 | } 25 | 26 | rats_tls_err_t rtls_tls_wrapper_select(rtls_core_context_t *ctx, const char *name) 27 | { 28 | RTLS_DEBUG("selecting the tls wrapper '%s' ...\n", name); 29 | 30 | tls_wrapper_ctx_t *tls_ctx = NULL; 31 | for (unsigned int i = 0; i < registerd_tls_wrapper_nums; ++i) { 32 | if (name && strcmp(name, tls_wrappers_ctx[i]->opts->name)) 33 | continue; 34 | 35 | tls_ctx = malloc(sizeof(*tls_ctx)); 36 | if (!tls_ctx) 37 | return -RATS_TLS_ERR_NO_MEM; 38 | 39 | *tls_ctx = *tls_wrappers_ctx[i]; 40 | 41 | /* Set necessary configurations from rats_tls_init() to 42 | * make init() working correctly. 43 | */ 44 | tls_ctx->conf_flags = ctx->config.flags; 45 | tls_ctx->log_level = ctx->config.log_level; 46 | 47 | if (init_tls_wrapper(tls_ctx) == RATS_TLS_ERR_NONE) 48 | break; 49 | 50 | free(tls_ctx); 51 | tls_ctx = NULL; 52 | } 53 | 54 | if (!tls_ctx) { 55 | if (!name) 56 | RTLS_ERR("failed to select a tls wrapper\n"); 57 | else 58 | RTLS_ERR("failed to select the tls wrapper '%s'\n", name); 59 | 60 | return -RATS_TLS_ERR_INIT; 61 | } 62 | 63 | ctx->tls_wrapper = tls_ctx; 64 | ctx->flags |= RATS_TLS_CTX_FLAGS_TLS_INITIALIZED; 65 | tls_ctx->rtls_handle = ctx; 66 | 67 | RTLS_INFO("the tls wrapper '%s' selected\n", tls_ctx->opts->name); 68 | 69 | return RATS_TLS_ERR_NONE; 70 | } 71 | -------------------------------------------------------------------------------- /src/tls_wrappers/internal/tls_wrapper.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include "internal/tls_wrapper.h" 8 | 9 | tls_wrapper_opts_t *tls_wrappers_opts[TLS_WRAPPER_TYPE_MAX]; 10 | unsigned int registerd_tls_wrapper_nums; 11 | 12 | tls_wrapper_ctx_t *tls_wrappers_ctx[TLS_WRAPPER_TYPE_MAX]; 13 | unsigned int tls_wrappers_nums; 14 | -------------------------------------------------------------------------------- /src/tls_wrappers/nulltls/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(tls_wrapper_nulltls) 3 | 4 | # Set include directory 5 | include_directories(${INCLUDE_DIRS}) 6 | 7 | # Set dependency library directory 8 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 9 | ${RATS_TLS_INSTALL_LIB_PATH} 10 | ) 11 | link_directories(${LIBRARY_DIRS}) 12 | 13 | # Set source file 14 | set(SOURCES cleanup.c 15 | init.c 16 | main.c 17 | negotiate.c 18 | pre_init.c 19 | receive.c 20 | transmit.c 21 | use_cert.c 22 | use_privkey.c 23 | ) 24 | 25 | # Generate library 26 | if(SGX) 27 | add_trusted_library(${PROJECT_NAME} SRCS ${SOURCES}) 28 | add_dependencies(${PROJECT_NAME} rtls_edl_t) 29 | else() 30 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 31 | target_link_libraries(${PROJECT_NAME} ${RATS_TLS_LDFLAGS} ${RTLS_LIB}) 32 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 33 | endif() 34 | 35 | # Install library 36 | install(TARGETS ${PROJECT_NAME} 37 | DESTINATION ${RATS_TLS_INSTALL_LIBTW_PATH}) 38 | -------------------------------------------------------------------------------- /src/tls_wrappers/nulltls/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | tls_wrapper_err_t nulltls_cleanup(tls_wrapper_ctx_t *ctx) 11 | { 12 | RTLS_DEBUG("ctx %p\n", ctx); 13 | 14 | return TLS_WRAPPER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/tls_wrappers/nulltls/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | static unsigned int dummy_private; 11 | 12 | tls_wrapper_err_t nulltls_init(tls_wrapper_ctx_t *ctx) 13 | { 14 | RTLS_DEBUG("ctx %p\n", ctx); 15 | 16 | ctx->tls_private = &dummy_private; 17 | 18 | return TLS_WRAPPER_ERR_NONE; 19 | } 20 | -------------------------------------------------------------------------------- /src/tls_wrappers/nulltls/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | extern tls_wrapper_err_t nulltls_pre_init(void); 12 | extern tls_wrapper_err_t nulltls_init(tls_wrapper_ctx_t *); 13 | extern tls_wrapper_err_t nulltls_use_privkey(tls_wrapper_ctx_t *ctx, rats_tls_cert_algo_t algo, 14 | void *privkey_buf, size_t privkey_len); 15 | extern tls_wrapper_err_t nulltls_use_cert(tls_wrapper_ctx_t *ctx, rats_tls_cert_info_t *cert_info); 16 | extern tls_wrapper_err_t nulltls_negotiate(tls_wrapper_ctx_t *, int fd); 17 | extern tls_wrapper_err_t nulltls_transmit(tls_wrapper_ctx_t *, void *, size_t *); 18 | extern tls_wrapper_err_t nulltls_receive(tls_wrapper_ctx_t *, void *, size_t *); 19 | extern tls_wrapper_err_t nulltls_cleanup(tls_wrapper_ctx_t *); 20 | 21 | static tls_wrapper_opts_t nulltls_opts = { 22 | .api_version = TLS_WRAPPER_API_VERSION_DEFAULT, 23 | .name = "nulltls", 24 | .priority = 0, 25 | .pre_init = nulltls_pre_init, 26 | .init = nulltls_init, 27 | .use_privkey = nulltls_use_privkey, 28 | .use_cert = nulltls_use_cert, 29 | .negotiate = nulltls_negotiate, 30 | .transmit = nulltls_transmit, 31 | .receive = nulltls_receive, 32 | .cleanup = nulltls_cleanup, 33 | }; 34 | 35 | #ifdef SGX 36 | void libtls_wrapper_nulltls_init(void) 37 | #else 38 | void __attribute__((constructor)) libtls_wrapper_nulltls_init(void) 39 | #endif 40 | { 41 | RTLS_DEBUG("called\n"); 42 | 43 | tls_wrapper_err_t err = tls_wrapper_register(&nulltls_opts); 44 | if (err != TLS_WRAPPER_ERR_NONE) 45 | RTLS_ERR("failed to register the tls wrapper 'nulltls' %#x\n", err); 46 | } 47 | -------------------------------------------------------------------------------- /src/tls_wrappers/nulltls/negotiate.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | 9 | #include 10 | #include 11 | #include 12 | 13 | tls_wrapper_err_t nulltls_negotiate(tls_wrapper_ctx_t *ctx, int fd) 14 | { 15 | RTLS_DEBUG("ctx %p, fd %d\n", ctx, fd); 16 | 17 | if (!(ctx->conf_flags & RATS_TLS_CONF_FLAGS_SERVER) || 18 | ((ctx->conf_flags & RATS_TLS_CONF_FLAGS_MUTUAL) && 19 | (ctx->conf_flags & RATS_TLS_CONF_FLAGS_SERVER))) { 20 | RTLS_INFO( 21 | "there is no evidence in tls_wrapper_nulltls, so we just use a dummy evidence here"); 22 | 23 | size_t pubkey_buffer_size = 0; 24 | uint8_t pubkey_buffer[pubkey_buffer_size]; 25 | tls_wrapper_err_t err = tls_wrapper_verify_certificate_extension( 26 | ctx, pubkey_buffer, pubkey_buffer_size, NULL, 0, NULL, 0); 27 | if (err != TLS_WRAPPER_ERR_NONE) { 28 | RTLS_ERR("ERROR: failed to verify certificate extension\n"); 29 | return err; 30 | } 31 | } 32 | return TLS_WRAPPER_ERR_NONE; 33 | } 34 | -------------------------------------------------------------------------------- /src/tls_wrappers/nulltls/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | tls_wrapper_err_t nulltls_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return TLS_WRAPPER_ERR_NONE; 15 | } -------------------------------------------------------------------------------- /src/tls_wrappers/nulltls/receive.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include "internal/core.h" 11 | 12 | tls_wrapper_err_t nulltls_receive(tls_wrapper_ctx_t *ctx, void *buf, size_t *buf_size) 13 | { 14 | RTLS_DEBUG("ctx %p, buf %p, buf_size %p\n", ctx, buf, buf_size); 15 | 16 | ssize_t rc = rtls_read(ctx->fd, buf, *buf_size); 17 | if (rc < 0) { 18 | RTLS_ERR("failed to receive data %zu\n", rc); 19 | return -TLS_WRAPPER_ERR_RECEIVE; 20 | } 21 | 22 | *buf_size = (size_t)rc; 23 | 24 | return TLS_WRAPPER_ERR_NONE; 25 | } 26 | -------------------------------------------------------------------------------- /src/tls_wrappers/nulltls/transmit.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include "internal/core.h" 11 | 12 | tls_wrapper_err_t nulltls_transmit(tls_wrapper_ctx_t *ctx, void *buf, size_t *buf_size) 13 | { 14 | RTLS_DEBUG("ctx %p, buf %p, buf_size %p\n", ctx, buf, buf_size); 15 | 16 | ssize_t rc = rtls_write(ctx->fd, buf, *buf_size); 17 | if (rc < 0) { 18 | RTLS_DEBUG("ERROR: tls_wrapper_null transmit()\n"); 19 | return TLS_WRAPPER_ERR_TRANSMIT; 20 | } 21 | 22 | *buf_size = (size_t)rc; 23 | 24 | return TLS_WRAPPER_ERR_NONE; 25 | } 26 | -------------------------------------------------------------------------------- /src/tls_wrappers/nulltls/use_cert.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | tls_wrapper_err_t nulltls_use_cert(tls_wrapper_ctx_t *ctx, rats_tls_cert_info_t *cert_info) 11 | { 12 | RTLS_DEBUG("ctx %p, cert_info %p\n", ctx, cert_info); 13 | 14 | return TLS_WRAPPER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/tls_wrappers/nulltls/use_privkey.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | tls_wrapper_err_t nulltls_use_privkey(tls_wrapper_ctx_t *ctx, rats_tls_cert_algo_t algo, 11 | void *privkey_buf, size_t privkey_len) 12 | { 13 | RTLS_DEBUG("ctx %p, algo %u, privkey_buf %p, privkey_len %ld\n", ctx, algo, privkey_buf, 14 | privkey_len); 15 | 16 | return TLS_WRAPPER_ERR_NONE; 17 | } 18 | -------------------------------------------------------------------------------- /src/tls_wrappers/openssl/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(tls_wrapper_openssl) 3 | 4 | # Set include directory 5 | if(SGX) 6 | list(APPEND INCLUDE_DIRS /opt/intel/sgxsdk/include/tlibc) 7 | endif() 8 | include_directories(${INCLUDE_DIRS}) 9 | 10 | # Set dependency library directory 11 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 12 | /opt/intel/sgxsdk/lib64 13 | ${RATS_TLS_INSTALL_LIB_PATH} 14 | ) 15 | if(SGX) 16 | list(APPEND LIBRARY_DIRS ${CMAKE_BINARY_DIR}/../src/external/sgx-ssl/intel-sgx-ssl/src/intel-sgx-ssl/Linux/package/lib64) 17 | endif() 18 | link_directories(${LIBRARY_DIRS}) 19 | 20 | # Set source file 21 | set(SOURCES cleanup.c 22 | init.c 23 | main.c 24 | negotiate.c 25 | un_negotiate.c 26 | pre_init.c 27 | receive.c 28 | transmit.c 29 | use_cert.c 30 | use_privkey.c 31 | x509_openssl10x.c 32 | ) 33 | 34 | # Generate library 35 | if(SGX) 36 | add_trusted_library(${PROJECT_NAME} SRCS ${SOURCES}) 37 | add_dependencies(${PROJECT_NAME} intel-sgx-ssl) 38 | else() 39 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 40 | target_link_libraries(${PROJECT_NAME} ${RATS_TLS_LDFLAGS} ${RTLS_LIB} ssl) 41 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 42 | endif() 43 | 44 | # Install library 45 | install(TARGETS ${PROJECT_NAME} 46 | DESTINATION ${RATS_TLS_INSTALL_LIBTW_PATH}) 47 | -------------------------------------------------------------------------------- /src/tls_wrappers/openssl/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include "openssl.h" 10 | 11 | tls_wrapper_err_t openssl_tls_cleanup(tls_wrapper_ctx_t *ctx) 12 | { 13 | RTLS_DEBUG("ctx %p\n", ctx); 14 | 15 | if (!ctx) 16 | return -TLS_WRAPPER_ERR_INVALID; 17 | 18 | openssl_ctx_t *ssl_ctx = (openssl_ctx_t *)ctx->tls_private; 19 | 20 | if (ssl_ctx != NULL) { 21 | if (ssl_ctx->ssl != NULL) { 22 | SSL_shutdown(ssl_ctx->ssl); 23 | SSL_free(ssl_ctx->ssl); 24 | } 25 | if (ssl_ctx->sctx != NULL) 26 | SSL_CTX_free(ssl_ctx->sctx); 27 | } 28 | free(ssl_ctx); 29 | 30 | return TLS_WRAPPER_ERR_NONE; 31 | } 32 | -------------------------------------------------------------------------------- /src/tls_wrappers/openssl/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include "openssl.h" 10 | 11 | tls_wrapper_err_t openssl_tls_init(tls_wrapper_ctx_t *ctx) 12 | { 13 | RTLS_DEBUG("ctx %p\n", ctx); 14 | 15 | if (!ctx) 16 | return -TLS_WRAPPER_ERR_INVALID; 17 | 18 | OpenSSL_add_all_algorithms(); 19 | SSL_load_error_strings(); 20 | ERR_load_crypto_strings(); 21 | OpenSSL_add_all_ciphers(); 22 | 23 | if (SSL_library_init() < 0) { 24 | RTLS_ERR("failed to initialize the openssl library\n"); 25 | return -TLS_WRAPPER_ERR_NOT_FOUND; 26 | } 27 | 28 | openssl_ctx_t *ssl_ctx = calloc(1, sizeof(*ssl_ctx)); 29 | if (!ssl_ctx) 30 | return -TLS_WRAPPER_ERR_NO_MEM; 31 | 32 | if (ctx->conf_flags & RATS_TLS_CONF_FLAGS_SERVER) 33 | #if OPENSSL_VERSION_NUMBER < 0x10100000L 34 | ssl_ctx->sctx = SSL_CTX_new(TLSv1_2_server_method()); 35 | #else 36 | ssl_ctx->sctx = SSL_CTX_new(TLS_server_method()); 37 | #endif 38 | else 39 | #if OPENSSL_VERSION_NUMBER < 0x10100000L 40 | ssl_ctx->sctx = SSL_CTX_new(TLSv1_2_client_method()); 41 | #else 42 | ssl_ctx->sctx = SSL_CTX_new(TLS_client_method()); 43 | #endif 44 | 45 | if (!ssl_ctx->sctx) { 46 | free(ssl_ctx); 47 | RTLS_ERR("failed to init openssl ctx\n"); 48 | return -TLS_WRAPPER_ERR_NO_MEM; 49 | } 50 | 51 | ctx->tls_private = ssl_ctx; 52 | 53 | return TLS_WRAPPER_ERR_NONE; 54 | } 55 | -------------------------------------------------------------------------------- /src/tls_wrappers/openssl/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include "openssl.h" 11 | 12 | extern tls_wrapper_err_t openssl_tls_pre_init(void); 13 | extern tls_wrapper_err_t openssl_tls_init(tls_wrapper_ctx_t *); 14 | extern tls_wrapper_err_t openssl_tls_use_privkey(tls_wrapper_ctx_t *ctx, rats_tls_cert_algo_t algo, 15 | void *privkey_buf, size_t privkey_len); 16 | extern tls_wrapper_err_t openssl_tls_use_cert(tls_wrapper_ctx_t *ctx, 17 | rats_tls_cert_info_t *cert_info); 18 | extern tls_wrapper_err_t openssl_tls_negotiate(tls_wrapper_ctx_t *, int fd); 19 | extern tls_wrapper_err_t openssl_tls_transmit(tls_wrapper_ctx_t *, void *, size_t *); 20 | extern tls_wrapper_err_t openssl_tls_receive(tls_wrapper_ctx_t *, void *, size_t *); 21 | extern tls_wrapper_err_t openssl_tls_cleanup(tls_wrapper_ctx_t *); 22 | 23 | static tls_wrapper_opts_t openssl_opts = { 24 | .api_version = TLS_WRAPPER_API_VERSION_DEFAULT, 25 | .name = "openssl", 26 | .priority = 25, 27 | .pre_init = openssl_tls_pre_init, 28 | .init = openssl_tls_init, 29 | .use_privkey = openssl_tls_use_privkey, 30 | .use_cert = openssl_tls_use_cert, 31 | .negotiate = openssl_tls_negotiate, 32 | .transmit = openssl_tls_transmit, 33 | .receive = openssl_tls_receive, 34 | .cleanup = openssl_tls_cleanup, 35 | }; 36 | 37 | int openssl_ex_data_idx; 38 | 39 | #ifdef SGX 40 | void libtls_wrapper_openssl_init(void) 41 | #else 42 | void __attribute__((constructor)) libtls_wrapper_openssl_init(void) 43 | #endif 44 | { 45 | RTLS_DEBUG("called\n"); 46 | 47 | tls_wrapper_err_t err = tls_wrapper_register(&openssl_opts); 48 | if (err != TLS_WRAPPER_ERR_NONE) 49 | RTLS_ERR("failed to register the tls wrapper 'openssl' %#x\n", err); 50 | 51 | openssl_ex_data_idx = X509_STORE_get_ex_new_index(0, NULL, NULL, NULL, NULL); 52 | } 53 | -------------------------------------------------------------------------------- /src/tls_wrappers/openssl/openssl.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _OPENSSL_PRIVATE_H 8 | #define _OPENSSL_PRIVATE_H 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | #define SSL_SUCCESS 1 28 | 29 | extern int openssl_ex_data_idx; 30 | 31 | typedef struct { 32 | SSL_CTX *sctx; 33 | SSL *ssl; 34 | } openssl_ctx_t; 35 | 36 | static inline void print_openssl_err_all() 37 | { 38 | unsigned long l; 39 | 40 | while ((l = ERR_get_error())) { 41 | char buf[1024]; 42 | 43 | ERR_error_string_n(l, buf, sizeof buf); 44 | RTLS_DEBUG("Error %lx: %s\n", l, buf); 45 | } 46 | } 47 | 48 | #if OPENSSL_VERSION_NUMBER < 0x10100000L 49 | extern int X509_STORE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 50 | CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 51 | extern const STACK_OF(X509_EXTENSION) * X509_get0_extensions(const X509 *x); 52 | extern int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data); 53 | extern void *X509_STORE_get_ex_data(const X509_STORE *ctx, int idx); 54 | extern X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx); 55 | extern int X509_get_signature_info(X509 *x, int *mdnid, int *pknid, int *secbits, uint32_t *flags); 56 | #endif 57 | #endif 58 | -------------------------------------------------------------------------------- /src/tls_wrappers/openssl/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | tls_wrapper_err_t openssl_tls_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return TLS_WRAPPER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/tls_wrappers/openssl/receive.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include "openssl.h" 10 | 11 | tls_wrapper_err_t openssl_tls_receive(tls_wrapper_ctx_t *ctx, void *buf, size_t *buf_size) 12 | { 13 | RTLS_DEBUG("ctx %p, buf %p, buf_size %p\n", ctx, buf, buf_size); 14 | 15 | if (!ctx || !buf || !buf_size) 16 | return -TLS_WRAPPER_ERR_INVALID; 17 | 18 | openssl_ctx_t *ssl_ctx = (openssl_ctx_t *)ctx->tls_private; 19 | if (ssl_ctx == NULL || ssl_ctx->ssl == NULL) 20 | return -TLS_WRAPPER_ERR_RECEIVE; 21 | 22 | ERR_clear_error(); 23 | 24 | int rc = SSL_read(ssl_ctx->ssl, buf, (int)*buf_size); 25 | if (rc <= 0) { 26 | // TODO: handle result of SSL_get_error() 27 | RTLS_ERR("SSL_read() failed: %d, SSL_get_error(): %d\n", rc, 28 | SSL_get_error(ssl_ctx->ssl, rc)); 29 | print_openssl_err_all(); 30 | return -TLS_WRAPPER_ERR_RECEIVE; 31 | } 32 | *buf_size = (size_t)rc; 33 | 34 | return TLS_WRAPPER_ERR_NONE; 35 | } 36 | -------------------------------------------------------------------------------- /src/tls_wrappers/openssl/transmit.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include "openssl.h" 10 | 11 | tls_wrapper_err_t openssl_tls_transmit(tls_wrapper_ctx_t *ctx, void *buf, size_t *buf_size) 12 | { 13 | RTLS_DEBUG("ctx %p, buf %p, buf_size %p\n", ctx, buf, buf_size); 14 | 15 | if (!ctx || !buf || !buf_size) 16 | return -TLS_WRAPPER_ERR_INVALID; 17 | 18 | openssl_ctx_t *ssl_ctx = (openssl_ctx_t *)ctx->tls_private; 19 | if (ssl_ctx == NULL || ssl_ctx->ssl == NULL) 20 | return -TLS_WRAPPER_ERR_TRANSMIT; 21 | 22 | ERR_clear_error(); 23 | 24 | int rc = SSL_write(ssl_ctx->ssl, buf, (int)*buf_size); 25 | if (rc <= 0) { 26 | // TODO: handle result of SSL_get_error() 27 | RTLS_ERR("SSL_write() failed: %d, SSL_get_error(): %d\n", rc, 28 | SSL_get_error(ssl_ctx->ssl, rc)); 29 | print_openssl_err_all(); 30 | return -TLS_WRAPPER_ERR_TRANSMIT; 31 | } 32 | *buf_size = (size_t)rc; 33 | 34 | return TLS_WRAPPER_ERR_NONE; 35 | } 36 | -------------------------------------------------------------------------------- /src/tls_wrappers/openssl/use_cert.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include "openssl.h" 10 | 11 | tls_wrapper_err_t openssl_tls_use_cert(tls_wrapper_ctx_t *ctx, rats_tls_cert_info_t *cert_info) 12 | { 13 | RTLS_DEBUG("ctx %p, cert_info %p\n", ctx, cert_info); 14 | 15 | if (!ctx || !cert_info) 16 | return -TLS_WRAPPER_ERR_INVALID; 17 | 18 | openssl_ctx_t *ssl_ctx = (openssl_ctx_t *)ctx->tls_private; 19 | int ret = SSL_CTX_use_certificate_ASN1(ssl_ctx->sctx, cert_info->cert_len, 20 | cert_info->cert_buf); 21 | if (ret != SSL_SUCCESS) { 22 | RTLS_ERR("failed to use certificate %d\n", ret); 23 | return OPENSSL_ERR_CODE(ret); 24 | } 25 | 26 | return TLS_WRAPPER_ERR_NONE; 27 | } 28 | -------------------------------------------------------------------------------- /src/tls_wrappers/openssl/use_privkey.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include "openssl.h" 10 | 11 | tls_wrapper_err_t openssl_tls_use_privkey(tls_wrapper_ctx_t *ctx, rats_tls_cert_algo_t algo, 12 | void *privkey_buf, size_t privkey_len) 13 | { 14 | RTLS_DEBUG("ctx %p, privkey_buf %p, privkey_len %zu\n", ctx, privkey_buf, privkey_len); 15 | 16 | if (!ctx || !privkey_buf || !privkey_len) 17 | return -TLS_WRAPPER_ERR_INVALID; 18 | 19 | openssl_ctx_t *ssl_ctx = (openssl_ctx_t *)ctx->tls_private; 20 | 21 | int EPKEY; 22 | 23 | if (algo == RATS_TLS_CERT_ALGO_ECC_256_SHA256) { 24 | EPKEY = EVP_PKEY_EC; 25 | } else if (algo == RATS_TLS_CERT_ALGO_RSA_3072_SHA256) { 26 | EPKEY = EVP_PKEY_RSA; 27 | } else { 28 | return -CRYPTO_WRAPPER_ERR_UNSUPPORTED_ALGO; 29 | } 30 | 31 | int ret = SSL_CTX_use_PrivateKey_ASN1(EPKEY, ssl_ctx->sctx, privkey_buf, (long)privkey_len); 32 | 33 | if (ret != SSL_SUCCESS) { 34 | RTLS_ERR("failed to use private key.\n"); 35 | print_openssl_err_all(); 36 | return OPENSSL_ERR_CODE(ret); 37 | } 38 | 39 | return TLS_WRAPPER_ERR_NONE; 40 | } 41 | -------------------------------------------------------------------------------- /src/tls_wrappers/openssl/x509_openssl10x.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | 9 | // clang-format off 10 | #if OPENSSL_VERSION_NUMBER < 0x10100000L 11 | #include 12 | #include 13 | #include 14 | // clang-format on 15 | 16 | int X509_STORE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 17 | CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 18 | { 19 | return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, argl, argp, new_func, dup_func, 20 | free_func); 21 | } 22 | 23 | const STACK_OF(X509_EXTENSION) * X509_get0_extensions(const X509 *x) 24 | { 25 | return x->cert_info->extensions; 26 | } 27 | 28 | int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data) 29 | { 30 | return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); 31 | } 32 | 33 | void *X509_STORE_get_ex_data(const X509_STORE *ctx, int idx) 34 | { 35 | return CRYPTO_get_ex_data(&ctx->ex_data, idx); 36 | } 37 | 38 | X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx) 39 | { 40 | return ctx->ctx; 41 | } 42 | 43 | #endif 44 | -------------------------------------------------------------------------------- /src/verifiers/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_subdirectory(nullverifier) 2 | 3 | include(FindSgxDcapQuoteVerify) 4 | 5 | if(HOST OR TDX) 6 | if(SGXDCAPQV_FOUND) 7 | add_subdirectory(sgx-ecdsa) 8 | else() 9 | message(WARNING "It will not build sgx_ecdsa verifier due to libsgx_dcap_quoteverify.so not found") 10 | endif() 11 | add_subdirectory(sev-snp) 12 | add_subdirectory(sev) 13 | add_subdirectory(csv) 14 | endif() 15 | 16 | if(TDX OR SGX) 17 | if(SGXDCAPQV_FOUND) 18 | add_subdirectory(tdx-ecdsa) 19 | else() 20 | message(WARNING "It will not build tdx_ecdsa verifier due to libsgx_dcap_quoteverify.so not found") 21 | endif() 22 | endif() 23 | 24 | if(OCCLUM OR SGX) 25 | add_subdirectory(sgx-ecdsa-qve) 26 | endif() 27 | 28 | if(SGX) 29 | add_subdirectory(sgx-la) 30 | endif() 31 | -------------------------------------------------------------------------------- /src/verifiers/api/enclave_verifier_register.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include "internal/verifier.h" 12 | #include "internal/cpu.h" 13 | 14 | enclave_verifier_err_t enclave_verifier_register(const enclave_verifier_opts_t *opts) 15 | { 16 | if (!opts) 17 | return -ENCLAVE_VERIFIER_ERR_INVALID; 18 | 19 | RTLS_DEBUG("registering the enclave verifier '%s' ...\n", opts->name); 20 | 21 | enclave_verifier_opts_t *new_opts = (enclave_verifier_opts_t *)malloc(sizeof(*new_opts)); 22 | if (!new_opts) 23 | return -ENCLAVE_VERIFIER_ERR_NO_MEM; 24 | 25 | memcpy(new_opts, opts, sizeof(*new_opts)); 26 | 27 | if ((new_opts->name[0] == '\0') || (strlen(new_opts->name) >= sizeof(new_opts->name))) { 28 | RTLS_ERR("invalid enclave verifier name\n"); 29 | goto err; 30 | } 31 | 32 | if (strlen(new_opts->type) >= sizeof(new_opts->type)) { 33 | RTLS_ERR("invalid enclave verifier type\n"); 34 | goto err; 35 | } 36 | 37 | if (new_opts->api_version > ENCLAVE_VERIFIER_API_VERSION_MAX) { 38 | RTLS_ERR("unsupported enclave verifier api version %d > %d\n", 39 | new_opts->api_version, ENCLAVE_VERIFIER_API_VERSION_MAX); 40 | goto err; 41 | } 42 | 43 | /* Default type equals to name */ 44 | if (new_opts->type[0] == '\0') 45 | snprintf(new_opts->type, sizeof(new_opts->type), "%s", new_opts->name); 46 | 47 | enclave_verifiers_opts[registerd_enclave_verifier_nums++] = new_opts; 48 | 49 | RTLS_INFO("the enclave verifier '%s' registered with type '%s'\n", new_opts->name, 50 | new_opts->type); 51 | 52 | return ENCLAVE_VERIFIER_ERR_NONE; 53 | 54 | err: 55 | free(new_opts); 56 | return -ENCLAVE_VERIFIER_ERR_INVALID; 57 | } 58 | -------------------------------------------------------------------------------- /src/verifiers/csv/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(verifier_csv) 3 | 4 | # Set include directory 5 | set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../include 6 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/rats-tls 7 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/internal 8 | ) 9 | include_directories(${INCLUDE_DIRS}) 10 | 11 | # Set dependency library directory 12 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 13 | ${RATS_TLS_INSTALL_LIB_PATH} 14 | ) 15 | link_directories(${LIBRARY_DIRS}) 16 | 17 | # Set source file 18 | set(SOURCES cleanup.c 19 | hygoncert.c 20 | init.c 21 | main.c 22 | pre_init.c 23 | verify_evidence.c 24 | ) 25 | 26 | # Generate library 27 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 28 | target_link_libraries(${PROJECT_NAME} ${RATS_TLS_LDFLAGS} ${RTLS_LIB} crypto) 29 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 30 | 31 | # Install library 32 | install(TARGETS ${PROJECT_NAME} 33 | DESTINATION ${RATS_TLS_INSTALL_LIBV_PATH}) 34 | -------------------------------------------------------------------------------- /src/verifiers/csv/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Hygon Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_verifier_err_t csv_verifier_cleanup(enclave_verifier_ctx_t *ctx) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_VERIFIER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/verifiers/csv/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Hygon Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | static unsigned int dummy_private; 11 | 12 | enclave_verifier_err_t csv_verifier_init(enclave_verifier_ctx_t *ctx, rats_tls_cert_algo_t algo) 13 | { 14 | RTLS_DEBUG("ctx %p, algo %d\n", ctx, algo); 15 | 16 | ctx->verifier_private = &dummy_private; 17 | 18 | return ENCLAVE_VERIFIER_ERR_NONE; 19 | } 20 | -------------------------------------------------------------------------------- /src/verifiers/csv/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Hygon Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | extern enclave_verifier_err_t enclave_verifier_register(enclave_verifier_opts_t *opts); 11 | extern enclave_verifier_err_t csv_verifier_pre_init(void); 12 | extern enclave_verifier_err_t csv_verifier_init(enclave_verifier_ctx_t *ctx, 13 | rats_tls_cert_algo_t algo); 14 | extern enclave_verifier_err_t csv_verify_evidence(enclave_verifier_ctx_t *ctx, 15 | attestation_evidence_t *evidence, uint8_t *hash, 16 | uint32_t hash_len, 17 | attestation_endorsement_t *endorsements); 18 | extern enclave_verifier_err_t csv_verifier_cleanup(enclave_verifier_ctx_t *ctx); 19 | 20 | static enclave_verifier_opts_t csv_verifier_opts = { 21 | .api_version = ENCLAVE_VERIFIER_API_VERSION_DEFAULT, 22 | .flags = ENCLAVE_VERIFIER_OPTS_FLAGS_CSV, 23 | .name = "csv", 24 | .priority = 20, 25 | .pre_init = csv_verifier_pre_init, 26 | .init = csv_verifier_init, 27 | .verify_evidence = csv_verify_evidence, 28 | .cleanup = csv_verifier_cleanup, 29 | }; 30 | 31 | void __attribute__((constructor)) libverifier_csv_init(void) 32 | { 33 | RTLS_DEBUG("called\n"); 34 | 35 | enclave_verifier_err_t err = enclave_verifier_register(&csv_verifier_opts); 36 | if (err != ENCLAVE_VERIFIER_ERR_NONE) 37 | RTLS_ERR("failed to register the enclave verifier 'csv' %#x\n", err); 38 | } 39 | -------------------------------------------------------------------------------- /src/verifiers/csv/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Hygon Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_verifier_err_t csv_verifier_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_VERIFIER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/verifiers/internal/enclave_verifier.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include "internal/verifier.h" 8 | 9 | enclave_verifier_opts_t *enclave_verifiers_opts[ENCLAVE_VERIFIER_TYPE_MAX]; 10 | unsigned int registerd_enclave_verifier_nums; 11 | 12 | enclave_verifier_ctx_t *enclave_verifiers_ctx[ENCLAVE_VERIFIER_TYPE_MAX]; 13 | unsigned int enclave_verifier_nums; 14 | -------------------------------------------------------------------------------- /src/verifiers/nullverifier/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(verifier_nullverifier) 3 | 4 | # Set include directory 5 | include_directories(${INCLUDE_DIRS}) 6 | 7 | # Set dependency library directory 8 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 9 | ${RATS_TLS_INSTALL_LIB_PATH} 10 | ) 11 | link_directories(${LIBRARY_DIRS}) 12 | 13 | # Set source file 14 | set(SOURCES cleanup.c 15 | init.c 16 | main.c 17 | pre_init.c 18 | verify_evidence.c 19 | ) 20 | 21 | # Generate library 22 | if(SGX) 23 | add_trusted_library(${PROJECT_NAME} SRCS ${SOURCES}) 24 | else() 25 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 26 | target_link_libraries(${PROJECT_NAME} ${RATS_TLS_LDFLAGS} ${RTLS_LIB}) 27 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 28 | endif() 29 | 30 | # Install library 31 | install(TARGETS ${PROJECT_NAME} 32 | DESTINATION ${RATS_TLS_INSTALL_LIBV_PATH}) 33 | -------------------------------------------------------------------------------- /src/verifiers/nullverifier/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_verifier_err_t nullverifier_cleanup(enclave_verifier_ctx_t *ctx) 11 | { 12 | RTLS_DEBUG("called enclave verifier ctx: %p\n", ctx); 13 | 14 | return ENCLAVE_VERIFIER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/verifiers/nullverifier/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | static unsigned int dummy_private; 11 | 12 | enclave_verifier_err_t nullverifier_init(enclave_verifier_ctx_t *ctx, rats_tls_cert_algo_t algo) 13 | { 14 | RTLS_DEBUG("ctx %p, algo %d\n", ctx, algo); 15 | 16 | ctx->verifier_private = &dummy_private; 17 | 18 | return ENCLAVE_VERIFIER_ERR_NONE; 19 | } 20 | -------------------------------------------------------------------------------- /src/verifiers/nullverifier/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | extern enclave_verifier_err_t enclave_verifier_register(enclave_verifier_opts_t *); 12 | extern enclave_verifier_err_t nullverifier_pre_init(void); 13 | extern enclave_verifier_err_t nullverifier_init(enclave_verifier_ctx_t *, 14 | rats_tls_cert_algo_t algo); 15 | extern enclave_verifier_err_t nullverifier_verify_evidence(enclave_verifier_ctx_t *, 16 | attestation_evidence_t *, uint8_t *, 17 | uint32_t hash_len, 18 | attestation_endorsement_t *endorsements); 19 | extern enclave_verifier_err_t nullverifier_cleanup(enclave_verifier_ctx_t *); 20 | 21 | static enclave_verifier_opts_t nullverifier_opts = { 22 | .api_version = ENCLAVE_VERIFIER_API_VERSION_DEFAULT, 23 | .flags = ENCLAVE_VERIFIER_OPTS_FLAGS_DEFAULT, 24 | .name = "nullverifier", 25 | .priority = 0, 26 | .pre_init = nullverifier_pre_init, 27 | .init = nullverifier_init, 28 | .verify_evidence = nullverifier_verify_evidence, 29 | .cleanup = nullverifier_cleanup, 30 | }; 31 | 32 | #ifdef SGX 33 | void libverifier_null_init(void) 34 | #else 35 | void __attribute__((constructor)) libverifier_null_init(void) 36 | #endif 37 | { 38 | RTLS_DEBUG("called\n"); 39 | 40 | enclave_verifier_err_t err = enclave_verifier_register(&nullverifier_opts); 41 | if (err != ENCLAVE_VERIFIER_ERR_NONE) 42 | RTLS_ERR("failed to register the enclave verifier 'nullverifier' %#x\n", err); 43 | } 44 | -------------------------------------------------------------------------------- /src/verifiers/nullverifier/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_verifier_err_t nullverifier_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_VERIFIER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/verifiers/nullverifier/verify_evidence.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_verifier_err_t nullverifier_verify_evidence(enclave_verifier_ctx_t *ctx, 11 | attestation_evidence_t *evidence, uint8_t *hash, 12 | __attribute__((unused)) unsigned int hash_len, 13 | attestation_endorsement_t *endorsements) 14 | { 15 | RTLS_DEBUG("ctx %p, evidence %p, hash %p endorsements %p\n", ctx, evidence, hash, 16 | endorsements); 17 | 18 | return ENCLAVE_VERIFIER_ERR_NONE; 19 | } 20 | -------------------------------------------------------------------------------- /src/verifiers/sev-snp/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(verifier_sev_snp) 3 | 4 | # Set include directory 5 | set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../include 6 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/rats-tls 7 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/internal 8 | ${CMAKE_CURRENT_SOURCE_DIR} 9 | /usr/include 10 | ) 11 | include_directories(${INCLUDE_DIRS}) 12 | 13 | # Set dependency library directory 14 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 15 | ${RATS_TLS_INSTALL_LIB_PATH} 16 | ) 17 | 18 | link_directories(${LIBRARY_DIRS}) 19 | 20 | # Set extra link library 21 | set(EXTRA_LINK_LIBRARY crypto) 22 | 23 | # Set source file 24 | set(SOURCES cleanup.c 25 | init.c 26 | main.c 27 | pre_init.c 28 | verify_evidence.c 29 | utils.c 30 | x509cert.c 31 | crypto.c 32 | ) 33 | 34 | # Generate library 35 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 36 | target_link_libraries(${PROJECT_NAME} ${EXTRA_LINK_LIBRARY} ${RATS_TLS_LDFLAGS} ${RTLS_LIB}) 37 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 38 | 39 | # Install library 40 | install(TARGETS ${PROJECT_NAME} 41 | DESTINATION ${RATS_TLS_INSTALL_LIBV_PATH}) 42 | -------------------------------------------------------------------------------- /src/verifiers/sev-snp/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_verifier_err_t sev_snp_verifier_cleanup(enclave_verifier_ctx_t *ctx) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_VERIFIER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/verifiers/sev-snp/crypto.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _CRYPTO_H 8 | #define _CRYPTO_H 9 | 10 | #include 11 | #include 12 | #include 13 | #include "sevapi.h" 14 | #include "utils.h" 15 | 16 | bool digest_sha(const void *msg, size_t msg_len, uint8_t *digest, size_t digest_len, 17 | SHA_TYPE hash_algo); 18 | bool verify_message(sev_sig *sig, EVP_PKEY **evp_key_pair, const uint8_t *msg, size_t length, 19 | const SEV_SIG_ALGO algo); 20 | 21 | #endif /* _CRYPTO_H */ 22 | -------------------------------------------------------------------------------- /src/verifiers/sev-snp/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | static unsigned int dummy_private; 11 | 12 | enclave_verifier_err_t sev_snp_verifier_init(enclave_verifier_ctx_t *ctx, rats_tls_cert_algo_t algo) 13 | { 14 | RTLS_DEBUG("ctx %p, algo %d\n", ctx, algo); 15 | 16 | ctx->verifier_private = &dummy_private; 17 | 18 | return ENCLAVE_VERIFIER_ERR_NONE; 19 | } 20 | -------------------------------------------------------------------------------- /src/verifiers/sev-snp/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | extern enclave_verifier_err_t enclave_verifier_register(enclave_verifier_opts_t *opts); 12 | extern enclave_verifier_err_t sev_snp_verifier_pre_init(void); 13 | extern enclave_verifier_err_t sev_snp_verifier_init(enclave_verifier_ctx_t *ctx, 14 | rats_tls_cert_algo_t algo); 15 | extern enclave_verifier_err_t sev_snp_verify_evidence(enclave_verifier_ctx_t *ctx, 16 | attestation_evidence_t *evidence, 17 | uint8_t *hash, uint32_t hash_len, 18 | attestation_endorsement_t *endorsements); 19 | extern enclave_verifier_err_t sev_snp_verifier_cleanup(enclave_verifier_ctx_t *ctx); 20 | 21 | static enclave_verifier_opts_t sev_snp_verifier_opts = { 22 | .api_version = ENCLAVE_VERIFIER_API_VERSION_DEFAULT, 23 | .flags = ENCLAVE_VERIFIER_OPTS_FLAGS_SNP, 24 | .name = "sev_snp", 25 | .priority = 42, 26 | .pre_init = sev_snp_verifier_pre_init, 27 | .init = sev_snp_verifier_init, 28 | .verify_evidence = sev_snp_verify_evidence, 29 | .cleanup = sev_snp_verifier_cleanup, 30 | }; 31 | 32 | void __attribute__((constructor)) libverifier_sev_snp_init(void) 33 | { 34 | RTLS_DEBUG("called\n"); 35 | 36 | enclave_verifier_err_t err = enclave_verifier_register(&sev_snp_verifier_opts); 37 | if (err != ENCLAVE_VERIFIER_ERR_NONE) 38 | RTLS_ERR("failed to register the enclave verifier 'sev_snp' %#x\n", err); 39 | } 40 | -------------------------------------------------------------------------------- /src/verifiers/sev-snp/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | #define TOOL_NUM 3 11 | #define TOOL_BUF 16 12 | 13 | enclave_verifier_err_t sev_snp_verifier_pre_init(void) 14 | { 15 | RTLS_DEBUG("called\n"); 16 | 17 | /* These tools are used to verify SEV-SNP report */ 18 | const char names[TOOL_NUM][TOOL_BUF] = { "openssl", "wget", "csplit" }; 19 | const char parameters[TOOL_NUM][TOOL_BUF] = { "version", "-V", "--version" }; 20 | 21 | for (unsigned int i = 0; i < TOOL_NUM; ++i) { 22 | char cmdline_str[64]; 23 | 24 | snprintf(cmdline_str, sizeof(cmdline_str), "%s %s >/dev/null 2>&1", names[i], 25 | parameters[i]); 26 | 27 | if (system(cmdline_str)) { 28 | RTLS_ERR("Please install %s for sev_snp verifier\n", names[i]); 29 | return -ENCLAVE_VERIFIER_ERR_NO_TOOL; 30 | } 31 | } 32 | 33 | return ENCLAVE_VERIFIER_ERR_NONE; 34 | } 35 | -------------------------------------------------------------------------------- /src/verifiers/sev-snp/sevapi.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _SEVAPI_H 8 | #define _SEVAPI_H 9 | 10 | #include 11 | 12 | // Chapter 2 - Summary of Keys 13 | typedef uint8_t aes_128_key[128 / 8]; 14 | typedef uint8_t hmac_key_128[128 / 8]; 15 | typedef uint8_t hmac_sha_256[256 / 8]; 16 | typedef uint8_t hmac_sha_384[384 / 8]; 17 | typedef uint8_t hmac_sha_512[512 / 8]; 18 | 19 | typedef enum __attribute__((mode(QI))) SHA_TYPE { 20 | SHA_ALGO_256 = 0, 21 | SHA_ALGO_384 = 1, 22 | } SHA_TYPE; 23 | 24 | // Appendix C.1: ALGO Enumeration 25 | /** 26 | * SEV Algorithm cipher codes. 27 | */ 28 | typedef enum __attribute__((mode(HI))) SEV_SIG_ALGO { 29 | SEV_SIG_ALGO_INVALID = 0x0, 30 | SEV_SIG_ALGO_RSA_SHA256 = 0x1, 31 | SEV_SIG_ALGO_ECDSA_SHA256 = 0x2, 32 | SEV_SIG_ALGO_ECDH_SHA256 = 0x3, 33 | SEV_SIG_ALGO_RSA_SHA384 = 0x101, 34 | SEV_SIG_ALGO_ECDSA_SHA384 = 0x102, 35 | SEV_SIG_ALGO_ECDH_SHA384 = 0x103, 36 | } SEV_SIG_ALGO; 37 | 38 | // Appendix C.4: Signature Formats 39 | /** 40 | * SEV Signature may be RSA or ECDSA. 41 | */ 42 | #define SEV_RSA_SIG_MAX_BITS 4096 43 | #define SEV_ECDSA_SIG_COMP_MAX_BITS 576 44 | #define SEV_SIG_SIZE (SEV_RSA_SIG_MAX_BITS / 8) 45 | 46 | // Appendix C.4.1: RSA Signature 47 | /** 48 | * SEV RSA Signature data. 49 | * 50 | * @S - Signature bits. 51 | */ 52 | typedef struct __attribute__((__packed__)) sev_rsa_sig_t { 53 | uint8_t s[SEV_RSA_SIG_MAX_BITS / 8]; 54 | } sev_rsa_sig; 55 | 56 | // Appendix C.4.2: ECDSA Signature 57 | /** 58 | * SEV Elliptical Curve Signature data. 59 | * 60 | * @r - R component of the signature. 61 | * @s - S component of the signature. 62 | * @rmbz - RESERVED. Must be zero! 63 | */ 64 | typedef struct __attribute__((__packed__)) sev_ecdsa_sig_t { 65 | uint8_t r[SEV_ECDSA_SIG_COMP_MAX_BITS / 8]; 66 | uint8_t s[SEV_ECDSA_SIG_COMP_MAX_BITS / 8]; 67 | uint8_t rmbz[SEV_SIG_SIZE - 2 * SEV_ECDSA_SIG_COMP_MAX_BITS / 8]; 68 | } sev_ecdsa_sig; 69 | 70 | /** 71 | * SEV Signature may be RSA or ECDSA. 72 | */ 73 | typedef union { 74 | sev_rsa_sig rsa; 75 | sev_ecdsa_sig ecdsa; 76 | } sev_sig; 77 | 78 | #endif /* _SEVAPI_H */ 79 | -------------------------------------------------------------------------------- /src/verifiers/sev-snp/utils.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include "utils.h" 13 | 14 | int get_file_size(char *name) 15 | { 16 | struct stat statbuf; 17 | 18 | if (stat(name, &statbuf) == 0) 19 | return statbuf.st_size; 20 | 21 | return 0; 22 | } 23 | 24 | bool reverse_bytes(uint8_t *bytes, size_t size) 25 | { 26 | uint8_t *start = bytes; 27 | uint8_t *end = bytes + size - 1; 28 | 29 | if (!bytes) 30 | return false; 31 | 32 | while (start < end) { 33 | uint8_t byte = *start; 34 | *start = *end; 35 | *end = byte; 36 | start++; 37 | end--; 38 | } 39 | 40 | return true; 41 | } 42 | -------------------------------------------------------------------------------- /src/verifiers/sev-snp/utils.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _UTILS_H 8 | #define _UTILS_H 9 | 10 | #include 11 | #include 12 | 13 | /* Store the SEV-SNP certs downloaded from AMD KDS */ 14 | #define SEV_SNP_DEFAULT_DIR "/opt/sev-snp/" 15 | 16 | #define KDS_CERT_SITE "https://kdsintf.amd.com" 17 | #define KDS_CEK KDS_CERT_SITE "/cek/id/" 18 | #define KDS_VCEK KDS_CERT_SITE "/vcek/v1/" 19 | 20 | #define KDS_VCEK_CERT_CHAIN "cert_chain" 21 | #define VCEK_CERT_CHAIN_PEM_FILENAME "cert_chain.pem" 22 | #define VCEK_DER_FILENAME "vcek.der" 23 | #define VCEK_PEM_FILENAME "vcek.pem" 24 | #define VCEK_ASK_PEM_FILENAME "ask.pem" 25 | #define VCEK_ARK_PEM_FILENAME "ark.pem" 26 | 27 | int get_file_size(char *name); 28 | bool reverse_bytes(uint8_t *bytes, size_t size); 29 | 30 | #endif /* _UTILS_H */ 31 | -------------------------------------------------------------------------------- /src/verifiers/sev-snp/x509cert.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _X509CERT_H 8 | #define _X509CERT_H 9 | 10 | #include 11 | 12 | int convert_der_to_pem(char *in_file_name, char *out_file_name); 13 | bool read_pem_into_x509(char *file_name, X509 **x509_cert); 14 | bool x509_validate_signature(X509 *child_cert, X509 *intermediate_cert, X509 *parent_cert); 15 | 16 | #endif /* _X509CERT_H */ 17 | -------------------------------------------------------------------------------- /src/verifiers/sev/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(verifier_sev) 3 | 4 | # Set include directory 5 | set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../include 6 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/rats-tls 7 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/internal 8 | ) 9 | include_directories(${INCLUDE_DIRS}) 10 | 11 | # Set dependency library directory 12 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 13 | ${RATS_TLS_INSTALL_LIB_PATH} 14 | ) 15 | link_directories(${LIBRARY_DIRS}) 16 | 17 | # Set source file 18 | set(SOURCES cleanup.c 19 | init.c 20 | sev_utils.c 21 | sevcert.c 22 | amdcert.c 23 | main.c 24 | pre_init.c 25 | verify_evidence.c 26 | ) 27 | 28 | # Generate library 29 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 30 | target_link_libraries(${PROJECT_NAME} ${RATS_TLS_LDFLAGS} ${RTLS_LIB} crypto) 31 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 32 | 33 | # Install library 34 | install(TARGETS ${PROJECT_NAME} 35 | DESTINATION ${RATS_TLS_INSTALL_LIBV_PATH}) 36 | -------------------------------------------------------------------------------- /src/verifiers/sev/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_verifier_err_t sev_verifier_cleanup(enclave_verifier_ctx_t *ctx) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_VERIFIER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/verifiers/sev/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | static unsigned int dummy_private; 11 | 12 | enclave_verifier_err_t sev_verifier_init(enclave_verifier_ctx_t *ctx, rats_tls_cert_algo_t algo) 13 | { 14 | RTLS_DEBUG("ctx %p, algo %d\n", ctx, algo); 15 | 16 | ctx->verifier_private = &dummy_private; 17 | 18 | return ENCLAVE_VERIFIER_ERR_NONE; 19 | } 20 | -------------------------------------------------------------------------------- /src/verifiers/sev/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | extern enclave_verifier_err_t enclave_verifier_register(enclave_verifier_opts_t *opts); 11 | extern enclave_verifier_err_t sev_verifier_pre_init(void); 12 | extern enclave_verifier_err_t sev_verifier_init(enclave_verifier_ctx_t *ctx, 13 | rats_tls_cert_algo_t algo); 14 | extern enclave_verifier_err_t sev_verify_evidence(enclave_verifier_ctx_t *ctx, 15 | attestation_evidence_t *evidence, uint8_t *hash, 16 | uint32_t hash_len, 17 | attestation_endorsement_t *endorsements); 18 | extern enclave_verifier_err_t sev_verifier_cleanup(enclave_verifier_ctx_t *ctx); 19 | 20 | static enclave_verifier_opts_t sev_verifier_opts = { 21 | .api_version = ENCLAVE_VERIFIER_API_VERSION_DEFAULT, 22 | .flags = ENCLAVE_VERIFIER_OPTS_FLAGS_SNP, 23 | .name = "sev", 24 | .priority = 35, 25 | .pre_init = sev_verifier_pre_init, 26 | .init = sev_verifier_init, 27 | .verify_evidence = sev_verify_evidence, 28 | .cleanup = sev_verifier_cleanup, 29 | }; 30 | 31 | void __attribute__((constructor)) libverifier_sev_init(void) 32 | { 33 | RTLS_DEBUG("called\n"); 34 | 35 | enclave_verifier_err_t err = enclave_verifier_register(&sev_verifier_opts); 36 | if (err != ENCLAVE_VERIFIER_ERR_NONE) 37 | RTLS_ERR("failed to register the enclave verifier 'sev' %#x\n", err); 38 | } 39 | -------------------------------------------------------------------------------- /src/verifiers/sev/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_verifier_err_t sev_verifier_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | if (!system("wget -V >/dev/null 2>&1")) 15 | return ENCLAVE_VERIFIER_ERR_NONE; 16 | 17 | RTLS_ERR("Please install wget for sev verifier\n"); 18 | 19 | return -ENCLAVE_VERIFIER_ERR_NO_TOOL; 20 | } 21 | -------------------------------------------------------------------------------- /src/verifiers/sev/sev_utils.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include "../sev-snp/utils.c" 11 | 12 | int read_file(const char *filename, void *buffer, size_t len) 13 | { 14 | FILE *fp = NULL; 15 | size_t count = 0; 16 | 17 | if ((fp = fopen(filename, "r")) == NULL) { 18 | RTLS_ERR("failed to open %s\n", filename); 19 | return 0; 20 | } 21 | 22 | if ((count = fread(buffer, 1, len, fp)) != len) { 23 | fclose(fp); 24 | RTLS_ERR("failed to read %s with count %zu\n", filename, count); 25 | return 0; 26 | } 27 | 28 | fclose(fp); 29 | return count; 30 | } 31 | -------------------------------------------------------------------------------- /src/verifiers/sev/sev_utils.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _SEV_UTILS_H 8 | #define _SEV_UTILS_H 9 | 10 | #include 11 | #include 12 | #include "../../attesters/sev/sev.h" 13 | #include "../sev-snp/utils.h" 14 | 15 | #define SEV_DEFAULT_DIR "/opt/sev/" 16 | #define SEV_NAPLES_DEFAULT_DIR SEV_DEFAULT_DIR "naple" 17 | #define SEV_ROME_DEFAULT_DIR SEV_DEFAULT_DIR "rome" 18 | #define SEV_MILAN_DEFAULT_DIR SEV_DEFAULT_DIR "milan" 19 | 20 | #define AMD_SEV_DEVELOPER_SITE "https://developer.amd.com/sev/" 21 | #define ASK_ARK_PATH_SITE "https://developer.amd.com/wp-content/resources/" 22 | 23 | #define ASK_ARK_FILENAME "ask_ark.cert" 24 | #define ASK_ARK_NAPLES_FILE "ask_ark_naples.cert" 25 | #define ASK_ARK_ROME_FILE "ask_ark_rome.cert" 26 | #define ASK_ARK_MILAN_FILE "ask_ark_milan.cert" 27 | 28 | #define ASK_ARK_NAPLES_SITE ASK_ARK_PATH_SITE ASK_ARK_NAPLES_FILE 29 | #define ASK_ARK_ROME_SITE ASK_ARK_PATH_SITE ASK_ARK_ROME_FILE 30 | #define ASK_ARK_MILAN_SITE ASK_ARK_PATH_SITE ASK_ARK_MILAN_FILE 31 | 32 | int read_file(const char *filename, void *buffer, size_t len); 33 | 34 | #endif /* _SEV_UTILS_H */ 35 | -------------------------------------------------------------------------------- /src/verifiers/sev/sevcert.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2022 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _SEVCERT_H 8 | #define _SEVCERT_H 9 | 10 | #include "sev_utils.h" 11 | 12 | bool verify_sev_cert(const sev_cert *child_cert, const sev_cert *parent_cert1, 13 | const sev_cert *parent_cert2); 14 | bool validate_attestation(sev_cert *pek, sev_attestation_report *report); 15 | 16 | #endif /* _SEVCERT_H */ 17 | -------------------------------------------------------------------------------- /src/verifiers/sgx-ecdsa-qve/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(verifier_sgx_ecdsa_qve) 3 | 4 | # Set include directory 5 | list(APPEND INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}) 6 | if(OCCLUM) 7 | list(APPEND INCLUDE_DIRS ${SGXSDK_INSTALL_INCLUDE_PATH}) 8 | endif() 9 | include_directories(${INCLUDE_DIRS}) 10 | 11 | # Set dependency library directory 12 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 13 | ${RATS_TLS_INSTALL_LIB_PATH} 14 | ) 15 | if(OCCLUM) 16 | list(APPEND LIBRARY_DIRS ${SGXSDK_INSTALL_LIB_PATH}) 17 | endif() 18 | link_directories(${LIBRARY_DIRS}) 19 | 20 | # Set extra link library 21 | if(OCCLUM) 22 | set(EXTRA_LINK_LIBRARY sgx_dcap_quoteverify) 23 | endif() 24 | 25 | # Set source file 26 | set(SOURCES cleanup.c 27 | init.c 28 | main.c 29 | pre_init.c 30 | verify_evidence.c 31 | ) 32 | 33 | # Generate library 34 | if(SGX) 35 | add_trusted_library(${PROJECT_NAME} SRCS ${SOURCES}) 36 | add_dependencies(${PROJECT_NAME} rtls_edl_t) 37 | else() 38 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 39 | target_link_libraries(${PROJECT_NAME} ${EXTRA_LINK_LIBRARY} ${RATS_TLS_LDFLAGS} ${RTLS_LIB}) 40 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 41 | endif() 42 | 43 | # Install library 44 | install(TARGETS ${PROJECT_NAME} 45 | DESTINATION ${RATS_TLS_INSTALL_LIBV_PATH}) 46 | -------------------------------------------------------------------------------- /src/verifiers/sgx-ecdsa-qve/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include "../sgx-ecdsa/cleanup.c" 8 | -------------------------------------------------------------------------------- /src/verifiers/sgx-ecdsa-qve/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2022 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include "../sgx-ecdsa/init.c" 8 | -------------------------------------------------------------------------------- /src/verifiers/sgx-ecdsa-qve/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | extern enclave_verifier_err_t enclave_verifier_register(enclave_verifier_opts_t *opts); 12 | extern enclave_verifier_err_t sgx_ecdsa_verifier_pre_init(void); 13 | extern enclave_verifier_err_t sgx_ecdsa_verifier_init(enclave_verifier_ctx_t *ctx, 14 | rats_tls_cert_algo_t algo); 15 | extern enclave_verifier_err_t sgx_ecdsa_verify_evidence(enclave_verifier_ctx_t *ctx, 16 | attestation_evidence_t *evidence, 17 | uint8_t *hash, uint32_t hash_len, 18 | attestation_endorsement_t *endorsements); 19 | extern enclave_verifier_err_t sgx_ecdsa_verifier_cleanup(enclave_verifier_ctx_t *ctx); 20 | 21 | static enclave_verifier_opts_t sgx_ecdsa_qve_opts = { 22 | .api_version = ENCLAVE_VERIFIER_API_VERSION_DEFAULT, 23 | .flags = ENCLAVE_VERIFIER_OPTS_FLAGS_DEFAULT, 24 | .name = "sgx_ecdsa_qve", 25 | .type = "sgx_ecdsa", 26 | .priority = 53, 27 | .pre_init = sgx_ecdsa_verifier_pre_init, 28 | .init = sgx_ecdsa_verifier_init, 29 | .verify_evidence = sgx_ecdsa_verify_evidence, 30 | .cleanup = sgx_ecdsa_verifier_cleanup, 31 | }; 32 | 33 | #ifdef SGX 34 | void libverifier_sgx_ecdsa_qve_init(void) 35 | #else 36 | void __attribute__((constructor)) libverifier_sgx_ecdsa_qve_init(void) 37 | #endif 38 | { 39 | RTLS_DEBUG("called\n"); 40 | 41 | enclave_verifier_err_t err = enclave_verifier_register(&sgx_ecdsa_qve_opts); 42 | if (err != ENCLAVE_VERIFIER_ERR_NONE) 43 | RTLS_DEBUG("failed to register the enclave verifier 'sgx_ecdsa_qve' %#x\n", err); 44 | } 45 | -------------------------------------------------------------------------------- /src/verifiers/sgx-ecdsa-qve/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include "../sgx-ecdsa/pre_init.c" 8 | -------------------------------------------------------------------------------- /src/verifiers/sgx-ecdsa-qve/verify_evidence.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include "../sgx-ecdsa/verify_evidence.c" 8 | -------------------------------------------------------------------------------- /src/verifiers/sgx-ecdsa/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(verifier_sgx_ecdsa) 3 | 4 | # Set include directory 5 | list(APPEND INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR} 6 | /usr/include 7 | ) 8 | if(OCCLUM) 9 | list(APPEND INCLUDE_DIRS ${SGXSDK_INSTALL_INCLUDE_PATH}) 10 | endif() 11 | include_directories(${INCLUDE_DIRS}) 12 | 13 | # Set dependency library directory 14 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 15 | ${RATS_TLS_INSTALL_LIB_PATH} 16 | ) 17 | 18 | if(OCCLUM) 19 | list(APPEND LIBRARY_DIRS ${SGXSDK_INSTALL_LIB_PATH}) 20 | endif() 21 | link_directories(${LIBRARY_DIRS}) 22 | 23 | # Set extra link library 24 | set(EXTRA_LINK_LIBRARY sgx_dcap_quoteverify sgx_urts) 25 | 26 | # Set source file 27 | set(SOURCES cleanup.c 28 | init.c 29 | main.c 30 | pre_init.c 31 | verify_evidence.c 32 | ) 33 | 34 | # Generate library 35 | if(SGX) 36 | add_trusted_library(${PROJECT_NAME} SRCS ${SOURCES}) 37 | add_dependencies(${PROJECT_NAME} rtls_edl_t) 38 | else() 39 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 40 | target_link_libraries(${PROJECT_NAME} ${EXTRA_LINK_LIBRARY} ${RATS_TLS_LDFLAGS} ${RTLS_LIB}) 41 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 42 | endif() 43 | 44 | # Install library 45 | install(TARGETS ${PROJECT_NAME} 46 | DESTINATION ${RATS_TLS_INSTALL_LIBV_PATH}) 47 | -------------------------------------------------------------------------------- /src/verifiers/sgx-ecdsa/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_verifier_err_t sgx_ecdsa_verifier_cleanup(__attribute__((unused)) 11 | enclave_verifier_ctx_t *ctx) 12 | { 13 | RTLS_DEBUG("called\n"); 14 | 15 | return ENCLAVE_VERIFIER_ERR_NONE; 16 | } 17 | -------------------------------------------------------------------------------- /src/verifiers/sgx-ecdsa/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | static unsigned int dummy_private; 11 | 12 | enclave_verifier_err_t sgx_ecdsa_verifier_init(enclave_verifier_ctx_t *ctx, 13 | rats_tls_cert_algo_t algo) 14 | { 15 | RTLS_DEBUG("ctx %p, algo %d\n", ctx, algo); 16 | 17 | ctx->verifier_private = &dummy_private; 18 | 19 | return ENCLAVE_VERIFIER_ERR_NONE; 20 | } 21 | -------------------------------------------------------------------------------- /src/verifiers/sgx-ecdsa/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | extern enclave_verifier_err_t enclave_verifier_register(enclave_verifier_opts_t *opts); 12 | extern enclave_verifier_err_t sgx_ecdsa_verifier_pre_init(void); 13 | extern enclave_verifier_err_t sgx_ecdsa_verifier_init(enclave_verifier_ctx_t *ctx, 14 | rats_tls_cert_algo_t algo); 15 | extern enclave_verifier_err_t sgx_ecdsa_verify_evidence(enclave_verifier_ctx_t *ctx, 16 | attestation_evidence_t *evidence, 17 | uint8_t *hash, uint32_t hash_len, 18 | attestation_endorsement_t *endorsements); 19 | extern enclave_verifier_err_t sgx_ecdsa_verifier_cleanup(enclave_verifier_ctx_t *ctx); 20 | 21 | static enclave_verifier_opts_t sgx_ecdsa_verifier_opts = { 22 | .api_version = ENCLAVE_VERIFIER_API_VERSION_DEFAULT, 23 | .flags = ENCLAVE_VERIFIER_OPTS_FLAGS_DEFAULT, 24 | .name = "sgx_ecdsa", 25 | .priority = 52, 26 | .pre_init = sgx_ecdsa_verifier_pre_init, 27 | .init = sgx_ecdsa_verifier_init, 28 | .verify_evidence = sgx_ecdsa_verify_evidence, 29 | .cleanup = sgx_ecdsa_verifier_cleanup, 30 | }; 31 | 32 | #ifdef SGX 33 | void libverifier_sgx_ecdsa_init(void) 34 | #else 35 | void __attribute__((constructor)) libverifier_sgx_ecdsa_init(void) 36 | #endif 37 | { 38 | RTLS_DEBUG("called\n"); 39 | 40 | enclave_verifier_err_t err = enclave_verifier_register(&sgx_ecdsa_verifier_opts); 41 | if (err != ENCLAVE_VERIFIER_ERR_NONE) 42 | RTLS_DEBUG("failed to register the enclave verifier 'sgx_ecdsa' %#x\n", err); 43 | } 44 | -------------------------------------------------------------------------------- /src/verifiers/sgx-ecdsa/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_verifier_err_t sgx_ecdsa_verifier_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_VERIFIER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/verifiers/sgx-ecdsa/quote_verification.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef QUOTE_VERIFICATION_H_ 8 | #define QUOTE_VERIFICATION_H_ 9 | 10 | #include 11 | #include 12 | 13 | /** @struct sgxioc_ver_dcap_quote_arg_t 14 | * A structure for DCAP quote verification 15 | * 16 | * @var quote_bufer 17 | * A pointer to the buffer storing the input quote. 18 | * @var quote_size 19 | * The size of the input quote. 20 | * @var collateral_expiration_status 21 | * A pointer to the value that stores the verification collateral 22 | * expiration status. It is used by libos as a parameter to 23 | * sgx_qv_verify_quote. 24 | * @var supplemental_data_size 25 | * The size of the buffer to store supplemental data. 26 | * @var supplemental_data 27 | * The pointer to the buffer to store the supplemental data. 28 | */ 29 | typedef struct { 30 | const uint8_t *quote_buf; 31 | uint32_t quote_size; 32 | uint32_t *collateral_expiration_status; 33 | sgx_ql_qv_result_t *quote_verification_result; 34 | uint32_t supplemental_data_size; 35 | uint8_t *supplemental_data; 36 | } sgxioc_ver_dcap_quote_arg_t; 37 | 38 | #define SGXIOC_GET_DCAP_SUPPLEMENTAL_SIZE _IOR('s', 9, uint32_t) 39 | #define SGXIOC_VER_DCAP_QUOTE _IOWR('s', 10, sgxioc_ver_dcap_quote_arg_t) 40 | 41 | #endif /* QUOTE_VERIFICATION_H_ */ 42 | -------------------------------------------------------------------------------- /src/verifiers/sgx-la/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(verifier_sgx_la) 3 | 4 | if(SGX) 5 | # Set include directory 6 | list(APPEND INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}) 7 | include_directories(${INCLUDE_DIRS}) 8 | 9 | set(LIBRARY_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../ 10 | ${SGXSDK_INSTALL_LIB_PATH} 11 | ) 12 | link_directories(${LIBRARY_DIRS}) 13 | 14 | # Set source file 15 | set(SOURCES cleanup.c 16 | init.c 17 | main.c 18 | pre_init.c 19 | verify_evidence.c 20 | ) 21 | 22 | # Generate library 23 | add_trusted_library(${PROJECT_NAME} SRCS ${SOURCES}) 24 | add_dependencies(${PROJECT_NAME} rtls_edl_t) 25 | 26 | # Install library 27 | install(TARGETS ${PROJECT_NAME} 28 | DESTINATION ${RATS_TLS_INSTALL_LIBV_PATH}) 29 | endif() 30 | -------------------------------------------------------------------------------- /src/verifiers/sgx-la/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_verifier_err_t sgx_la_verifier_cleanup(__attribute__((unused)) enclave_verifier_ctx_t *ctx) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_VERIFIER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/verifiers/sgx-la/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | static unsigned int dummy_private; 11 | 12 | enclave_verifier_err_t sgx_la_verifier_init(enclave_verifier_ctx_t *ctx, rats_tls_cert_algo_t algo) 13 | { 14 | RTLS_DEBUG("ctx %p, algo %d\n", ctx, algo); 15 | 16 | ctx->verifier_private = &dummy_private; 17 | 18 | return ENCLAVE_VERIFIER_ERR_NONE; 19 | } 20 | -------------------------------------------------------------------------------- /src/verifiers/sgx-la/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | extern enclave_verifier_err_t enclave_verifier_register(enclave_verifier_opts_t *); 12 | extern enclave_verifier_err_t sgx_la_verifier_pre_init(void); 13 | extern enclave_verifier_err_t sgx_la_verifier_init(enclave_verifier_ctx_t *, 14 | rats_tls_cert_algo_t algo); 15 | extern enclave_verifier_err_t sgx_la_verify_evidence(enclave_verifier_ctx_t *, 16 | attestation_evidence_t *, uint8_t *, 17 | unsigned int hash_len, 18 | attestation_endorsement_t *endorsements); 19 | extern enclave_verifier_err_t sgx_la_verifier_cleanup(enclave_verifier_ctx_t *); 20 | 21 | static enclave_verifier_opts_t sgx_la_verifier_opts = { 22 | .api_version = ENCLAVE_VERIFIER_API_VERSION_DEFAULT, 23 | .flags = ENCLAVE_VERIFIER_OPTS_FLAGS_DEFAULT, 24 | .name = "sgx_la", 25 | .priority = 15, 26 | .pre_init = sgx_la_verifier_pre_init, 27 | .init = sgx_la_verifier_init, 28 | .verify_evidence = sgx_la_verify_evidence, 29 | .cleanup = sgx_la_verifier_cleanup, 30 | }; 31 | 32 | #ifdef SGX 33 | void libverifier_sgx_la_init(void) 34 | #else 35 | void __attribute__((constructor)) libverifier_sgx_la_init(void) 36 | #endif 37 | { 38 | RTLS_DEBUG("called\n"); 39 | 40 | enclave_verifier_err_t err = enclave_verifier_register(&sgx_la_verifier_opts); 41 | if (err != ENCLAVE_VERIFIER_ERR_NONE) 42 | RTLS_DEBUG("failed to register the enclave verifier 'sgx_la' %#x\n", err); 43 | } 44 | -------------------------------------------------------------------------------- /src/verifiers/sgx-la/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_verifier_err_t sgx_la_verifier_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_VERIFIER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/verifiers/sgx-la/verify_evidence.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include "sgx_error.h" 10 | #include "rtls_t.h" 11 | 12 | /* Refer to explanation in sgx_la_collect_evidence */ 13 | enclave_verifier_err_t sgx_la_verify_evidence(enclave_verifier_ctx_t *ctx, 14 | attestation_evidence_t *evidence, uint8_t *hash, 15 | uint32_t hash_len, 16 | __attribute__((unused)) 17 | attestation_endorsement_t *endorsements) 18 | { 19 | enclave_verifier_err_t err = -ENCLAVE_VERIFIER_ERR_UNKNOWN; 20 | 21 | ocall_la_verify_evidence(&err, ctx, evidence, sizeof(attestation_evidence_t), hash, 22 | hash_len); 23 | 24 | return err; 25 | } 26 | -------------------------------------------------------------------------------- /src/verifiers/tdx-ecdsa/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Project name 2 | project(verifier_tdx_ecdsa) 3 | 4 | # Set include directory 5 | set(INCLUDE_DIRS ${INCLUDE_DIRS} 6 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include 7 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/rats-tls 8 | ${CMAKE_CURRENT_SOURCE_DIR}/../../include/internal 9 | ${CMAKE_CURRENT_SOURCE_DIR} 10 | /usr/include 11 | ) 12 | include_directories(${INCLUDE_DIRS}) 13 | 14 | # Set dependency library directory 15 | set(LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src 16 | ${RATS_TLS_INSTALL_LIB_PATH} 17 | ) 18 | 19 | link_directories(${LIBRARY_DIRS}) 20 | 21 | # Set extra link library 22 | set(EXTRA_LINK_LIBRARY sgx_dcap_quoteverify sgx_urts) 23 | 24 | # Set source file 25 | set(SOURCES cleanup.c 26 | init.c 27 | main.c 28 | pre_init.c 29 | verify_evidence.c 30 | ) 31 | 32 | if(SGX) 33 | MESSAGE(ERROR "ENCLAVE_INCLUDES = ${ENCLAVE_INCLUDES}.") 34 | add_trusted_library(${PROJECT_NAME} SRCS ${SOURCES}) 35 | add_dependencies(${PROJECT_NAME} rtls_edl_t) 36 | else() 37 | add_library(${PROJECT_NAME} SHARED ${SOURCES}) 38 | target_link_libraries(${PROJECT_NAME} ${EXTRA_LINK_LIBRARY} ${RATS_TLS_LDFLAGS} ${RTLS_LIB}) 39 | set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${VERSION_MAJOR}) 40 | endif() 41 | 42 | # Install library 43 | install(TARGETS ${PROJECT_NAME} 44 | DESTINATION ${RATS_TLS_INSTALL_LIBV_PATH}) 45 | -------------------------------------------------------------------------------- /src/verifiers/tdx-ecdsa/cleanup.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include "tdx-ecdsa.h" 8 | #include 9 | #include 10 | 11 | enclave_verifier_err_t tdx_ecdsa_verifier_cleanup(enclave_verifier_ctx_t *ctx) 12 | { 13 | RTLS_DEBUG("called\n"); 14 | 15 | tdx_ctx_t *tdx_ctx = (tdx_ctx_t *)ctx->verifier_private; 16 | 17 | free(tdx_ctx); 18 | 19 | return ENCLAVE_VERIFIER_ERR_NONE; 20 | } 21 | -------------------------------------------------------------------------------- /src/verifiers/tdx-ecdsa/init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include "tdx-ecdsa.h" 11 | 12 | enclave_verifier_err_t tdx_ecdsa_verifier_init(enclave_verifier_ctx_t *ctx, 13 | rats_tls_cert_algo_t algo) 14 | { 15 | RTLS_DEBUG("ctx %p, algo %d\n", ctx, algo); 16 | 17 | tdx_ctx_t *tdx_ctx = calloc(1, sizeof(*tdx_ctx)); 18 | if (!tdx_ctx) 19 | return -ENCLAVE_VERIFIER_ERR_NO_MEM; 20 | 21 | memset(tdx_ctx->mrowner, 0, sizeof(tdx_ctx->mrowner)); 22 | ctx->verifier_private = tdx_ctx; 23 | 24 | return ENCLAVE_VERIFIER_ERR_NONE; 25 | } 26 | -------------------------------------------------------------------------------- /src/verifiers/tdx-ecdsa/main.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | extern enclave_verifier_err_t enclave_verifier_register(enclave_verifier_opts_t *opts); 12 | extern enclave_verifier_err_t tdx_ecdsa_verifier_pre_init(void); 13 | extern enclave_verifier_err_t tdx_ecdsa_verifier_init(enclave_verifier_ctx_t *ctx, 14 | rats_tls_cert_algo_t algo); 15 | extern enclave_verifier_err_t tdx_ecdsa_verify_evidence(enclave_verifier_ctx_t *ctx, 16 | attestation_evidence_t *evidence, 17 | uint8_t *hash, uint32_t hash_len, 18 | attestation_endorsement_t *endorsements); 19 | extern enclave_verifier_err_t tdx_ecdsa_verifier_cleanup(enclave_verifier_ctx_t *ctx); 20 | 21 | static enclave_verifier_opts_t tdx_ecdsa_verifier_opts = { 22 | .api_version = ENCLAVE_VERIFIER_API_VERSION_DEFAULT, 23 | .flags = ENCLAVE_VERIFIER_OPTS_FLAGS_TDX, 24 | .name = "tdx_ecdsa", 25 | .priority = 42, 26 | .pre_init = tdx_ecdsa_verifier_pre_init, 27 | .init = tdx_ecdsa_verifier_init, 28 | .verify_evidence = tdx_ecdsa_verify_evidence, 29 | .cleanup = tdx_ecdsa_verifier_cleanup, 30 | }; 31 | 32 | void __attribute__((constructor)) libverifier_tdx_ecdsa_init(void) 33 | { 34 | RTLS_DEBUG("called\n"); 35 | 36 | enclave_verifier_err_t err = enclave_verifier_register(&tdx_ecdsa_verifier_opts); 37 | if (err != ENCLAVE_VERIFIER_ERR_NONE) 38 | RTLS_ERR("failed to register the enclave verifier 'tdx_ecdsa' %#x\n", err); 39 | } 40 | -------------------------------------------------------------------------------- /src/verifiers/tdx-ecdsa/pre_init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | enclave_verifier_err_t tdx_ecdsa_verifier_pre_init(void) 11 | { 12 | RTLS_DEBUG("called\n"); 13 | 14 | return ENCLAVE_VERIFIER_ERR_NONE; 15 | } 16 | -------------------------------------------------------------------------------- /src/verifiers/tdx-ecdsa/tdx-ecdsa.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Intel Corporation 2 | * Copyright (c) 2020-2021 Alibaba Cloud 3 | * 4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | 7 | #ifndef _TDX_ECDSA_H 8 | #define _TDX_ECDSA_H 9 | 10 | #include 11 | #include 12 | 13 | #define TDX_NUM_RTMRS 4 14 | 15 | typedef struct { 16 | uint8_t mrowner[SHA384_HASH_SIZE]; 17 | } tdx_ctx_t; 18 | 19 | /* TDX attestation specification */ 20 | 21 | typedef struct { 22 | uint16_t version; 23 | uint16_t attestation_key_type; 24 | uint32_t tee_type; 25 | uint16_t qe_svn; 26 | uint16_t pce_svn; 27 | uint8_t qe_vendor_id[16]; 28 | uint8_t user_data[20]; 29 | } __attribute__((packed)) tdx_quote_header_t; 30 | 31 | typedef struct { 32 | uint8_t tee_tcb_svn[16]; 33 | uint8_t mrseam[SHA384_HASH_SIZE]; 34 | uint8_t mrsigner_seam[SHA384_HASH_SIZE]; 35 | uint8_t seam_attributes[8]; 36 | uint8_t td_attributes[8]; 37 | uint8_t xfam[8]; 38 | uint8_t mrtd[SHA384_HASH_SIZE]; 39 | uint8_t mrconfig_id[SHA384_HASH_SIZE]; 40 | uint8_t mrowner[SHA384_HASH_SIZE]; 41 | uint8_t mrowner_config[SHA384_HASH_SIZE]; 42 | uint8_t rtmr[TDX_NUM_RTMRS][SHA384_HASH_SIZE]; 43 | uint8_t report_data[64]; 44 | } __attribute__((packed)) tdx_report_body_t; 45 | 46 | /* FIXME: currently we only care about report data */ 47 | typedef struct { 48 | tdx_quote_header_t header; 49 | tdx_report_body_t report_body; 50 | } __attribute__((__packed__)) tdx_quote_t; 51 | 52 | #endif /* _TDX_ECDSA_H */ 53 | --------------------------------------------------------------------------------