Skip to content

Commit

Permalink
Add sgx flag checks to pservice.
Browse files Browse the repository at this point in the history
This normalizes the attestation verification checks with the TP.

Signed-off-by: Bruno Vavala <[email protected]>
  • Loading branch information
bvavala committed May 24, 2024
1 parent a95fe15 commit b16dfbf
Show file tree
Hide file tree
Showing 2 changed files with 33 additions and 9 deletions.
15 changes: 14 additions & 1 deletion build/__tools__/generate_mrenclave_header
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,9 @@ parser.add_argument('--enclave', type=str, help='Name of the enclave to use in t

options = parser.parse_args()

# get mrenclave from metadata
pattern_start = '^metadata->enclave_css.body.enclave_hash.m:$'
pattern_end = '^metadata->'

values = []
with open(options.metadata, 'r') as f:
for line in f :
Expand All @@ -43,11 +43,22 @@ with open(options.metadata, 'r') as f:
values.extend(list(map(lambda v : v.upper()[2:], line.strip().split(' '))))
break

def get_meta_parameter(meta_file, pattern):
with open(meta_file, 'r') as f:
for line in f :
if re.match(pattern, line) :
return line.strip().split(': ')[1]

attributes_flags = get_meta_parameter(options.metadata, '^metadata->enclave_css.body.attributes.flags:')
attribute_mask_flags = get_meta_parameter(options.metadata, '^metadata->enclave_css.body.attribute_mask.flags:')

template_fields = dict()
template_fields['mrenclave'] = ''.join(values)
template_fields['source_file'] = options.metadata
template_fields['timestamp'] = datetime.date.today().isoformat()
template_fields['enclave'] = options.enclave
template_fields['attributes_flags'] = attributes_flags
template_fields['attribute_mask_flags'] = attribute_mask_flags

with open(options.header, 'w') as f:
f.write("""
Expand All @@ -58,4 +69,6 @@ with open(options.header, 'w') as f:
#include "types.h"
HexEncodedString {enclave}_ENCLAVE_MRENCLAVE = "{mrenclave}";
uint64_t attributes_flags = {attributes_flags};
uint64_t attribute_mask_flags = {attribute_mask_flags};
""".format(**template_fields))
27 changes: 19 additions & 8 deletions pservice/lib/libpdo_enclave/secret_enclave.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -651,6 +651,7 @@ pdo_err_t VerifyEnclaveInfo(const std::string& enclaveInfo,
sgx_report_body_t* reportBody = &quoteBody->report_body;
sgx_report_data_t expectedReportData = *(&reportBody->report_data);
sgx_measurement_t mrEnclaveFromReport = *(&reportBody->mr_enclave);
sgx_attributes_t attributes = *(&reportBody->attributes);

ByteArray allowedContractMR_ENCLAVE = HexEncodedStringToByteArray(ESERVICE_ENCLAVE_MRENCLAVE);

Expand All @@ -676,14 +677,24 @@ pdo_err_t VerifyEnclaveInfo(const std::string& enclaveInfo,
memcmp(computedReportData.d, expectedReportData.d, SGX_REPORT_DATA_SIZE) != 0,
"Invalid Report data: computedReportData does not match expectedReportData");

//Note that we do not currently verify whether the enclave debug flag is
//turned on or not. In order to ensure that the enclave is run in a mode
//that supports enhanced-confidentiality and execution integrity, the debug
//flag (SGX_FLAGS_DEBUG / 0x0000000000000002ULL in the report's attribute)
//should be set to 0. For additional details on how we plan to support this
//check, please see
//https://github.com/hyperledger-labs/private-data-objects/issues/195.
//
// Verify 64-bit enclave
pdo::error::ThrowIf<pdo::error::ValueError>((attributes.flags & SGX_FLAGS_MODE64BIT) == 0,
"Invalid 64-bit flag: 0");

// Verify SGX debug flag: check mask and enforce if necessary
if(attribute_mask_flags & SGX_FLAGS_DEBUG) //if bit is set, enforce debug flag check
{
pdo::error::ThrowIf<pdo::error::ValueError>(
(attributes.flags & SGX_FLAGS_DEBUG) != (attributes_flags & SGX_FLAGS_DEBUG),
"Invalid SGX debug flag");
}

// Note that we do not currently verify whether the TCB version of the enclave.
// This must be implemented to ensure that the enclave does not run using an old
// superseded TCB.
// For additional details on how we plan to support this check, please see
// https://github.com/hyperledger-labs/private-data-objects/issues/195.

return result;
}// VerifyEnclaveInfo

Expand Down

0 comments on commit b16dfbf

Please sign in to comment.