test

Signed-off-by: Bruno Vavala <[email protected]>
bvavala · Mar 28, 2024 · a397be4 · a397be4
1 parent ab3608d
commit a397be4
Show file tree

Hide file tree

Showing 18 changed files with 79 additions and 188 deletions.
diff --git a/build/Makefile b/build/Makefile
@@ -43,7 +43,6 @@ SRCDIR ?= $(abspath $(SCRIPTDIR)/..)
 
 BUILD = $(abspath $(SCRIPTDIR)/__tools__/build.sh)
 VERIFY_PRE_BUILD = $(abspath $(SCRIPTDIR)/__tools__/verify-pre-build.sh)
-VERIFY_PRE_CONF = $(abspath $(SCRIPTDIR)/__tools__/verify-pre-conf.sh)
 CLEAN = $(abspath $(SCRIPTDIR)/__tools__/clean.sh)
 TESTSCRIPT = $(abspath $(SCRIPTDIR)/__tools__/run-tests.sh)
 BENCHMARKSCRIPT = $(abspath $(SCRIPTDIR)/__tools__/run-benchmarks.sh)
@@ -95,9 +94,6 @@ $(DSTDIR) :
 verify-pre-build :
 	$(VERIFY_PRE_BUILD)
 
-verify-pre-config :
-	$(VERIFY_PRE_CONF)
-
 build : $(PYTHON_DIR)
 	. $(abspath $(DSTDIR)/bin/activate) && $(BUILD)
 
@@ -125,12 +121,12 @@ $(SERVICES_CONF_TARGET) : $(PYTHON_DIR) $(SERVICE_CONF_TEMPLATES)
 
 config-services : $(SERVICES_CONF_TARGET)
 
-verified-config : verify-pre-config
+verified-config :
 	${MAKE} config
 
 config : config-services config-client
 
-force-config : verify-pre-config
+force-config :
 	- rm -f $(SERVICES_CONF_TARGET) $(CLIENT_CONF_TARGET)
 	${MAKE} config
 
@@ -171,6 +167,6 @@ benchmark : $(PYTHON_DIR)
 .PHONY : all environment register system-keys
 .PHONY : build rebuild verified-build verify-pre-build
 .PHONY : clean clean-build clean-install
-.PHONY : config config-services force-config verified-config verify-pre-config
+.PHONY : config config-services force-config verified-config
 .PHONY : client build-client config-client
 .PHONY : benchmark test
diff --git a/build/__tools__/expand-config b/build/__tools__/expand-config
@@ -76,8 +76,6 @@ try :
     ContractHome = os.environ["PDO_HOME"]
     LedgerURL = os.environ["PDO_LEDGER_URL"]
     LedgerType = os.environ["PDO_LEDGER_TYPE"]
-    SPID = os.environ["PDO_SPID"]
-    SPID_API_KEY = os.environ["PDO_SPID_API_KEY"]
 except KeyError as ke :
     print("incomplete configuration, missing definition of {0}".format(str(ke)))
     sys.exit(-1)
@@ -110,9 +108,7 @@ config_map = {
     'ledger_type': LedgerType,
     'ledger_key_root' : LedgerKeyRoot,
     'eservice_key_format': EserviceKeyFormat,
-    'proxy' : HttpsProxy,
-    'spid' : SPID,
-    'spid_api_key' : SPID_API_KEY
+    'proxy' : HttpsProxy
 }
 
 # -----------------------------------------------------------------

diff --git a/build/__tools__/verify-pre-conf.sh b/build/__tools__/verify-pre-conf.sh
diff --git a/build/common-config.sh b/build/common-config.sh
@@ -113,9 +113,8 @@ var_set() {
     env_val[PDO_SGX_KEY_ROOT]="${PDO_SGX_KEY_ROOT:-${SCRIPTDIR}/keys/sgx_mode_${SGX_MODE,,}}"
 	env_desc[PDO_SGX_KEY_ROOT]="
 		PDO_SGX_KEY_ROOT is the root directory where SGX & IAS related keys are stored.
-		The default points to a directory which contains values which are good
-		enough for SGX simulator mode.  However, for SGX HW mode you
-		should provide your own version, at least for PDO_SPID and PDO_SPID_API_KEY
+		If SGX_MODE=SIM, the default folder contains mock files that are good for simulation mode.
+		If SGX_MODE=HW, the default (or custom) folder must be filled with legitimate SGX & IAS keys.
 	"
 	env_key_sort[$i]="PDO_SGX_KEY_ROOT"; i=$i+1; export PDO_SGX_KEY_ROOT=${env_val[PDO_SGX_KEY_ROOT]}
 
@@ -130,20 +129,6 @@ var_set() {
 	"
 	env_key_sort[$i]="PDO_ENCLAVE_CODE_SIGN_PEM"; i=$i+1; export PDO_ENCLAVE_CODE_SIGN_PEM=${env_val[PDO_ENCLAVE_CODE_SIGN_PEM]}
 
-	env_val[PDO_SPID]="${PDO_SPID:-$(cat ${PDO_SGX_KEY_ROOT}/sgx_spid.txt)}"
-	env_desc[PDO_SPID]="
-		PDO_SPID is the ID that accompanies the certificate registered
-		with the Intel Attestation Service. This should be a 32 character
-		hex string.
-	"
-	env_key_sort[$i]="PDO_SPID"; i=$i+1; export PDO_SPID=${env_val[PDO_SPID]}
-
-	env_val[PDO_SPID_API_KEY]="${PDO_SPID_API_KEY:-$(cat ${PDO_SGX_KEY_ROOT}/sgx_spid_api_key.txt)}"
-	env_desc[PDO_SPID_API_KEY]="
-		PDO_SPID_API_KEY is API-key associated with the SPID.
-	"
-	env_key_sort[$i]="PDO_SPID_API_KEY"; i=$i+1; export PDO_SPID_API_KEY=${env_val[PDO_SPID_API_KEY]}
-
 	env_val[PDO_LEDGER_KEY_ROOT]="${PDO_LEDGER_KEY_ROOT:-${PDO_INSTALL_ROOT}/opt/pdo/etc/keys/ledger}"
 	env_desc[PDO_LEDGER_KEY_ROOT]="
 		PDO_LEDGER_KEY_ROOT is the root directory where the system keys are stored
@@ -201,8 +186,7 @@ If passed the parameter --evalable-export it will
 return a list of export commands of the variables
 instead of directly exporting them to the environment.
 Passing parameter --reset-keys will unset keying variables
-PDO_ENCLAVE_CODE_SIGN_PEM,
-PDO_SPID and PDO_SPID_API_KEY before setting variables.
+PDO_ENCLAVE_CODE_SIGN_PEM before setting variables.
 
 The list of variables set (in order they are defined, their defaults
 and semantics is as follows:
@@ -229,8 +213,6 @@ do
             # depend on those variables
 	    # -----------------------------------------------------------------
 	    unset PDO_ENCLAVE_CODE_SIGN_PEM
-	    unset PDO_SPID
-	    unset PDO_SPID_API_KEY
             ;;
         --evalable-export|-e)
 	    is_sourced=0

diff --git a/build/template/enclave.toml b/build/template/enclave.toml
@@ -20,9 +20,6 @@
 # Number of available enclave workers to service requests
 num_of_enclaves = '7'
 
-# spid is a 32-digit hex string tied to the enclave implementation
-spid = '${spid}'
-
 # ias_url is the URL of the Intel Attestation Service (IAS) server.  The
 # example server is for debug enclaves only,
 # the production url is without the trailing '/dev'
@@ -31,5 +28,3 @@ ias_url = 'https://api.trustedservices.intel.com/sgx/dev'
 # proxy configuration ..
 https_proxy = '${proxy}'
 
-# spid_api_key is a 32-digit hex string tied to the SPID
-spid_api_key = '${spid_api_key}'
diff --git a/docker/tools/environment.sh b/docker/tools/environment.sh
@@ -50,11 +50,6 @@ export PDO_SGX_KEY_ROOT=${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,}
 # eservice and pservice enclaves
 export PDO_ENCLAVE_CODE_SIGN_PEM=${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem
 
-# these are only used for configuration and registration
-# they are not used at build or run time
-export PDO_SPID="$(cat ${PDO_SGX_KEY_ROOT}/sgx_spid.txt)"
-export PDO_SPID_API_KEY="$(cat ${PDO_SGX_KEY_ROOT}/sgx_spid_api_key.txt)"
-
 # set up the ccf directories, ccf_base is where the ccf
 # core is installed, ccf_pdo_dir is where the pdo tp
 # components will be installed, and ccf_ledger_dir is

diff --git a/docs/environment.md b/docs/environment.md
@@ -50,8 +50,7 @@ list of export commands of the variables instead of directly exporting
 them to the environment.
 
 Passing parameter `--reset-keys` will unset key variables
-`PDO_ENCLAVE_CODE_SIGN_PEM`,
-`PDO_SPID` and `PDO_SPID_API_KEY` before setting variables.
+`PDO_ENCLAVE_CODE_SIGN_PEM` before setting variables.
 
 <!-- -------------------------------------------------- -->
 <!-- -------------------------------------------------- -->
@@ -143,11 +142,11 @@ run in a real SGX enclave.
 (default: `${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,}/`):
 
 `PDO_SGX_KEY_ROOT` is the root directory where SGX and IAS related keys
-are stored. The default points to a directory which contains values
-which are good enough for SGX simulator mode. However, for SGX HW mode
-you should provide your own version, at least for `PDO_SPID` and
-`PDO_SPID_API_KEY`. See [SGX section](install.md#SGX) of the
-[BUILD document](install.md) for more information.
+are stored. If SGX_MODE=SIM, the default folder contains mock files that
+are good for simulation mode. If SGX_MODE=HW, the default (or custom)
+folder must be filled with legitimate SGX & IAS keys.
+See [SGX section](install.md#SGX) of the [BUILD document](install.md)
+for more information.
 
 <!-- -------------------------------------------------- -->
 ### `PDO_ENCLAVE_CODE_SIGN_PEM`
@@ -166,35 +165,6 @@ key can generated by the command:
 The default path points to a key which is automatically generated during
 the build.
 
-<!-- -------------------------------------------------- -->
-### `PDO_SPID`
-(default: `DEADBEEF00000000DEADBEEF00000000`)
-
-`PDO_SPID` is the ID that accompanies the certificate registered with
-the Intel Attestation Service. This should be a 32 character hex
-string. If the variable is unset, the configuration script
-`common-config.sh` will pull the value from the file
-`${PDO_SGX_KEY_ROOT}/sgx_spid.txt`.
-
-The default value will work for SGX simulation mode. See
-[SGX section](install.md#SGX) of the [BUILD document](install.md) for
-instructions to create the SPID to support SGX hardware mode.
-
-<!-- -------------------------------------------------- -->
-### `PDO_SPID_API_KEY`
-(default `deadbeef00000000deadbeef00000000`)
-
-`PDO_SPID_API_KEY` is the key used to authenticate IAS client
-requests. This should be a 32 character hex string.
-If the variable is unset, the configuration script
-`common-config.sh` will pull the value from the file
-`${PDO_SGX_KEY_ROOT}/sgx_spid_api_key.txt`.
-
-The default value will work for SGX simulation mode. See
-[SGX section](install.md#SGX) of the [BUILD document](install.md) for
-instructions to create the API key to support SGX hardware mode.
-
-<!-- -------------------------------------------------- -->
 <!-- -------------------------------------------------- -->
 ## Ledger Environment Variables
 

diff --git a/eservice/bin/register-with-ledger.sh b/eservice/bin/register-with-ledger.sh
@@ -23,8 +23,12 @@ ESERVICE_IDENTITY=eservice1
 ESERVICE_TOML=${ESERVICE_IDENTITY}.toml
 ENCLAVE_TOML=enclave.toml
 
-PDO_IAS_SIGNING_CERT_PATH=${PDO_SGX_KEY_ROOT}/ias_signing.cert
-PDO_IAS_KEY_PEM=${PDO_SGX_KEY_ROOT}/sgx_ias_key.pem
+SGX_KEY_ROOT=${PDO_SGX_KEY_ROOT:-${SRCDIR}/build/keys/sgx_mode_${SGX_MODE,,}}
+
+IAS_SIGNING_CERT_PATH=${SGX_KEY_ROOT}/ias_signing.cert
+IAS_KEY_PEM=${SGX_KEY_ROOT}/sgx_ias_key.pem
+SPID_PATH=${SGX_KEY_ROOT}/sgx_spid.txt
+SPID_API_KEY_PATH=${SGX_KEY_ROOT}/sgx_spid_api_key.txt
 
 eservice_enclave_info_file=$(mktemp /tmp/pdo-test.XXXXXXXXX)
 
@@ -39,36 +43,19 @@ function cleanup {
 
 trap cleanup EXIT
 
-#Set SPID to parameter if passed
-SPID=$PDO_SPID
-if (( "$#" == 1 )) ; then
-    SPID=$1
-fi
-
 function DeriveIasPublicKey {
-    try test -e ${PDO_IAS_SIGNING_CERT_PATH}
-    try openssl x509 -pubkey -noout -in ${PDO_IAS_SIGNING_CERT_PATH} > ${PDO_IAS_KEY_PEM}
+    yell Derive IAS public to be registered on the ledger
+    try test -e ${IAS_SIGNING_CERT_PATH}
+    try openssl x509 -pubkey -noout -in ${IAS_SIGNING_CERT_PATH} > ${IAS_KEY_PEM}
+    yell IAS public derived in ${IAS_KEY_PEM}
 }
 
-# Store MR_ENCLAVE & MR_BASENAME to eservice_enclave_info_file
-# Note: an alternative way without any enclave invocations would be the following.
-#
-#    if [ -z "${SPID}" -o ${#SPID} != 32 ]; then
-#	echo "No valid (length 32) SPID pass as argument or PDO_SPID environment variable"
-#	exit 1
-#    fi
-#    perl -0777 -ne 'if (/metadata->enclave_css.body.enclave_hash.m:([a-fx0-9 \n]+)/) { $eh = $1; $eh=~s/0x| |\n//g; $eh=~tr/a-z/A-Z/; $bn="'${SPID}'"; $bn .= "0" x (64 - length $bn); print "MRENCLAVE:${eh}\nBASENAME:${bn}\n"; }' ./build/lib/libpdo-enclave.signed.so.meta > $eservice_enclave_info_file
-#    # Note: group id is always zero, hence the zero-padding ...
-#
-# This would also allow removing in eservice/pservice the code related to CreateErsatzEnclaveReport and GetEnclave Characteristics
-# However, getting basename via enclave invocation & quote is somewhat cleaner than below ..
 function Store {
-    : "${SPID:?Need PDO_SPID environment variable set or passed in for valid MR_BASENAME}"
     try test -e ${ETCDIR}/${ESERVICE_TOML}
     try test -e ${ETCDIR}/${ENCLAVE_TOML}
     yell Download IAS certificates and Compute the enclave information
     try eservice-enclave-info \
-        --spid ${SPID} \
+        --sgx-key-root ${SGX_KEY_ROOT}
         --save ${eservice_enclave_info_file} \
         --loglevel warn \
         --logfile __screen__ \
@@ -87,14 +74,14 @@ function Register {
         VAR_BASENAME=$(grep -o 'BASENAME:.*' ${eservice_enclave_info_file} | cut -f2- -d:)
 
         : "${PDO_LEDGER_URL:?Registration failed! PDO_LEDGER_URL environment variable not set}"
-        : "PDO_IAS_KEY_PEM" "${PDO_IAS_KEY_PEM:?Registration failed! PDO_IAS_KEY_PEM environment variable not set}"
+        : "IAS_KEY_PEM" "${IAS_KEY_PEM:?Registration failed! PDO_IAS_KEY_PEM environment variable not set}"
 
         if [ ${PDO_LEDGER_TYPE} == "ccf" ]; then
-            yell Register enclave with CCF ledger
+            yell Register enclave with CCF ledger: mrenclave=${VAR_MRENCLAVE} basename=${VAR_BASENAME}
             source ${PDO_INSTALL_ROOT}/bin/activate
             try ${PDO_INSTALL_ROOT}/bin/ccf_set_expected_sgx_measurements \
                 --logfile __screen__ --loglevel INFO --mrenclave ${VAR_MRENCLAVE} \
-                --basename  ${VAR_BASENAME} --ias-public-key "$(cat $PDO_IAS_KEY_PEM)"
+                --basename  ${VAR_BASENAME} --ias-public-key "$(cat $IAS_KEY_PEM)"
         else
             die unsupported ledger ${PDO_LEDGER_TYPE}
         fi

diff --git a/eservice/docs/test-scripts.md b/eservice/docs/test-scripts.md
@@ -66,10 +66,8 @@ The following configuration variables can be specified:
   will send all logging information to the console
 
 * ``EnclaveModule``
-  * ``spid`` -- a 32-digit hex string tied to the enclave implementation
   * ``ias_url`` --  URL of the Intel Attestation Service (IAS) server (ignored)
   * ``https_proxy`` -- proxy used to contact IAS server (ignored)
-  * ``spid_api_key`` -- the api key corresponding to spid (ignored)
 
 * ``contract`` -- the base name of the contract to use, this is
   expected to reference a file found in ``SourceSearchPath``

diff --git a/eservice/etc/sample_eservice.toml b/eservice/etc/sample_eservice.toml
@@ -83,14 +83,9 @@ num_of_enclaves = '7'
 # This is safe to share between eservice's
 block_store_file_name = "${data}/blockstore.mdb"
 
-# spid is a 32-digit hex string tied to the enclave implementation
-spid = 'DEADBEEF00000000DEADBEEF00000000'
-
 # ias_url is the URL of the Intel Attestation Service (IAS) server.  The
 # example server is for debug enclaves only,
 # the production url is without the trailing '/dev'
 ias_url = 'https://api.trustedservices.intel.com/sgx/dev'
 https_proxy = ''
 
-# spid_api_key is a 32-digit hex string tied to the SPID
-spid_api_key = 'DEADBEEF00000000DEADBEEF00000000'
diff --git a/eservice/pdo/eservice/enclave/enclave/enclave.cpp b/eservice/pdo/eservice/enclave/enclave/enclave.cpp
@@ -22,6 +22,7 @@
 #include <stdexcept>
 #include <unistd.h>
 #include <pthread.h>
+#include <ctype.h>
 
 #include <sgx_uae_epid.h>
 #include "sgx_support.h"
@@ -327,10 +328,16 @@ namespace pdo {
             const HexEncodedString& inSpid
             )
         {
+            // check SPID length
             pdo::error::ThrowIf<pdo::error::ValueError>(
                 inSpid.length() != 32,
                 "Invalid SPID length");
 
+            // check SPID format
+            pdo::error::ThrowIf<pdo::error::ValueError>(
+                ! std::all_of(str.begin(), str.end(), ::isxdigit),
+                "Invalid SPID format");
+
             HexStringToBinary(this->spid.id, sizeof(this->spid.id), inSpid);
         } // Enclave::SetSpid