Implemented Key Sharing and Seperation Config id Feature for Singleton.

Signed-off-by: Karthika Murthy <[email protected]>

Author: karthikamurthy

enclave_manager/avalon_enclave_manager/kme/kme_enclave_info.py

@@ -15,6 +15,7 @@
 import os
 import json
 import time
+import random
 import logging
 
 from ssl import SSLError
@@ -23,27 +24,29 @@
 import utility.hex_utils as hex_utils
 import utility.file_utils as file_utils
 import avalon_enclave_manager.kme.kme_enclave as enclave
-from avalon_enclave_manager.base_enclave_info import BaseEnclaveInfo
+import avalon_enclave_manager.base_enclave_info as enclave_info
 
 logger = logging.getLogger(__name__)
 
 
-class KeyManagementEnclaveInfo(BaseEnclaveInfo):
+class KeyManagementEnclaveInfo(enclave_info.BaseEnclaveInfo):
     """
     KME info class to initialize enclave, signup enclave and hold
     data obtained post signup.
     """
 
     # -------------------------------------------------------
-    def __init__(self, config, worker_id, enlcave_type):
+    def __init__(self, config, worker_id):
 
         enclave._SetLogger(logger)
-        super().__init__(config, enlcave_type)
+        super().__init__(enclave.is_sgx_simulator())
 
+        self._config = config
         self._worker_id = worker_id
         self._initialize_enclave()
         enclave_info = self._create_enclave_signup_data()
         try:
+            self.ias_nonce = enclave_info['ias_nonce']
             self.sealed_data = enclave_info['sealed_data']
             self.verifying_key = enclave_info['verifying_key']
             self.encryption_key = enclave_info['encryption_key']
@@ -66,43 +69,52 @@ def _create_enclave_signup_data(self):
             @returns enclave_info - A dictionary of enclave data
         """
 
+        ias_nonce = '{0:032X}'.format(random.getrandbits(128))
         try:
-            enclave_data = self._create_signup_info()
+            enclave_data = self._create_signup_info(ias_nonce)
         except Exception as err:
             raise Exception('failed to create enclave signup data; {}'
                             .format(str(err)))
 
         enclave_info = dict()
+        enclave_info['ias_nonce'] = ias_nonce
         enclave_info['sealed_data'] = enclave_data.sealed_signup_data
         enclave_info['verifying_key'] = enclave_data.verifying_key
         enclave_info['encryption_key'] = enclave_data.encryption_key
         enclave_info['encryption_key_signature'] = \
             enclave_data.encryption_key_signature
         enclave_info['enclave_id'] = enclave_data.verifying_key
         enclave_info['proof_data'] = ''
-        if not self.is_sgx_simulator():
+        if not enclave.is_sgx_simulator():
             enclave_info['proof_data'] = enclave_data.proof_data
 
         return enclave_info
 
     # -----------------------------------------------------------------
 
-    def _create_signup_info(self):
+    def _create_signup_info(self, ias_nonce):
         """
         Create enclave signup data
 
+        Parameters :
+            @param ias_nonce - Used in IAS request to verify attestation
+                               as a distinguishing factor
         Returns :
             @returns signup_info_obj - Signup info data
         """
 
+        # Part of what is returned with the signup data is an enclave quote, we
+        # want to update the revocation list first.
+        self._update_sig_rl()
+        # Now, let the enclave create the signup data
+
         signup_cpp_obj = enclave.SignupInfoKME()
 
         if "wpe_mrenclave" in self._config:
             self._wpe_mrenclave = self._config["wpe_mrenclave"]
         else:
-            tcf_home = os.environ.get("TCF_HOME", '../../../')
             self._wpe_mrenclave = hex_utils.mrenclave_hex_string(
-                tcf_home + "/"
+                enclave_info.TCF_HOME + "/"
                 + self._config["wpe_mrenclave_read_from_file"])
 
         # @TODO : Passing in_ext_data_signature as empty string "" as of now
@@ -112,7 +124,7 @@ def _create_signup_info(self):
             return None
 
         signup_info = self._get_signup_info(
-            signup_data, signup_cpp_obj)
+            signup_data, signup_cpp_obj, ias_nonce)
 
         # Now we can finally serialize the signup info and create a
         # corresponding signup info object. Because we don't want the
@@ -160,22 +172,23 @@ def _verify_enclave_info(self, enclave_info, mr_enclave, signup_cpp_obj):
                                                 self._wpe_mrenclave)
 
     # ----------------------------------------------------------------
-    def _init_enclave_with(self, signed_enclave):
+    def _init_enclave_with(self, signed_enclave, config):
         """
         Initialize and return tcf_enclave_info that holds details about
         the KME enclave
 
         Parameters :
             @param signed_enclave - The enclave binary read from filesystem
+            @param config - A dictionary of configurations
         Returns :
             @returns tcf_enclave_info - An instance of the tcf_enclave_info
         """
         # Get sealed data if persisted from previous startup.
         persisted_sealed_data = file_utils.read_file(
             self._get_sealed_data_file_name(self._config["sealed_data_path"],
                                             self._worker_id))
-        return self._attestation.init_enclave_info(
-            signed_enclave, persisted_sealed_data,
-            int(self._config['num_of_enclaves']))
+        return enclave.tcf_enclave_info(
+            signed_enclave, config['spid'], persisted_sealed_data,
+            int(config['num_of_enclaves']))
 
     # -----------------------------------------------------------------

enclave_manager/avalon_enclave_manager/singleton/singleton_enclave_info.py

@@ -96,8 +96,12 @@ def _create_signup_info(self):
         """
 
         signup_cpp_obj = enclave.SignupInfoSingleton()
+        if self._config.get("kss_config") is not None:
+            signup_data = signup_cpp_obj.CreateEnclaveData(
+                self._config.get("kss_config"))
+        else:
+            signup_data = signup_cpp_obj.CreateEnclaveData()
 
-        signup_data = signup_cpp_obj.CreateEnclaveData()
         if signup_data is None:
             return None
 
@@ -114,10 +118,11 @@ def _create_signup_info(self):
         if signup_info_obj.sealed_signup_data is None:
             logger.info("Sealed data is None, so nothing to persist.")
         else:
-            file_utils.write_to_file(signup_info_obj.sealed_signup_data,
-                                     self._get_sealed_data_file_name(
-                                         self._config["sealed_data_path"],
-                                         self._worker_id))
+            file_utils.write_to_file(
+                signup_info_obj.sealed_signup_data,
+                self._get_sealed_data_file_name(
+                    self._config["sealed_data_path"],
+                    self._worker_id))
         # Now we can return the real object
         return signup_info_obj
 
@@ -166,8 +171,15 @@ def _init_enclave_with(self, signed_enclave):
         persisted_sealed_data = file_utils.read_file(
             self._get_sealed_data_file_name(self._config["sealed_data_path"],
                                             self._worker_id))
-        return self._attestation.init_enclave_info(
-            signed_enclave, persisted_sealed_data,
-            int(self._config['num_of_enclaves']))
+
+        if self._config.get("kss_config") is not None:
+            return self._attestation.init_enclave_info(
+                signed_enclave, persisted_sealed_data,
+                int(self._config['num_of_enclaves']),
+                self._config.get("kss_config"))
+        else:
+            return self._attestation.init_enclave_info(
+                signed_enclave, persisted_sealed_data,
+                int(self._config['num_of_enclaves']))
 
     # -----------------------------------------------------------------

enclave_manager/avalon_enclave_manager/singleton/singleton_enclave_manager.py

@@ -119,6 +119,9 @@ def main(args=None):
     parser.add_argument("--config-dir", help="configuration folder", nargs="+")
     parser.add_argument("--worker_id",
                         help="Id of worker in plain text", type=str)
+    parser.add_argument("--kss_config",
+                        help="Key sharing and separation configuration id",
+                        type=str)
 
     (options, remainder) = parser.parse_known_args(args)
 
@@ -138,6 +141,9 @@ def main(args=None):
     if options.worker_id:
         config["WorkerConfig"]["worker_id"] = options.worker_id
 
+    if options.kss_config:
+        config["EnclaveModule"]["kss_config"] = options.kss_config
+
     plogger.setup_loggers(config.get("Logging", {}))
     sys.stdout = plogger.stream_to_logger(
         logging.getLogger("STDOUT"), logging.DEBUG)

tc/sgx/trusted_worker_manager/enclave/kme/signup_enclave_kme.cpp

@@ -22,6 +22,7 @@
 #include <sgx_tseal.h>
 #include <sgx_utils.h>
 #include <sgx_quote.h>
+#include <sgx_key.h>
 
 #include "crypto.h"
 #include "error.h"

tc/sgx/trusted_worker_manager/enclave/wpe/signup_enclave_wpe.cpp

@@ -22,6 +22,7 @@
 
 #include <sgx_utils.h>
 #include <sgx_quote.h>
+#include <sgx_key.h>
 
 #include "crypto.h"
 #include "error.h"

tc/sgx/trusted_worker_manager/enclave_untrusted/enclave_bridge/base.cpp

@@ -48,7 +48,6 @@ int tcf::enclave_api::base::IsSgxSimulator() {
 #endif  // defined(SGX_SIMULATOR)
 }  // tcf::enclave_api::base::IsSgxSimulator
 
-
 // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 tcf::enclave_queue::ReadyEnclave tcf::enclave_api::base::GetReadyEnclave() {
     return tcf::enclave_queue::ReadyEnclave(g_EnclaveReadyQueue);
@@ -60,7 +59,6 @@ void tcf::enclave_api::base::SetLastError(
     const std::string& message) {
     g_LastError = message;
 }  // tcf::enclave_api::base::SetLastError
-
 // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 std::string tcf::enclave_api::base::GetLastError(void) {
     return g_LastError;
@@ -71,7 +69,8 @@ tcf_err_t tcf::enclave_api::base::Initialize(
     const std::string& inPathToEnclave,
     const Attestation *attestation,
     const std::string& persisted_sealed_data,
-    const int numOfEnclaves) {
+    const int numOfEnclaves,
+    const uint8_t (&kss_config_id)[SGX_CONFIGID_SIZE]) {
     tcf_err_t ret = TCF_SUCCESS;
 
     try {
@@ -86,7 +85,7 @@ tcf_err_t tcf::enclave_api::base::Initialize(
             }
 
             for (tcf::enclave_api::Enclave& enc : g_Enclave) {
-                enc.Load(inPathToEnclave, persisted_sealed_data);
+                enc.Load(inPathToEnclave, persisted_sealed_data, kss_config_id);
             }
 
             g_IsInitialized = true;

tc/sgx/trusted_worker_manager/enclave_untrusted/enclave_bridge/base.h

@@ -17,7 +17,7 @@
 
 #include <stdlib.h>
 #include <string>
-
+#include "sgx_key.h"
 #include "error.h"
 #include "tcf_error.h"
 #include "types.h"
@@ -60,10 +60,12 @@ namespace tcf {
               persisted_sealed_data - Sealed data persisted from last bootup
               numOfEnclaves -- Number of worker enclaves to create
             */
+
             tcf_err_t Initialize(const std::string& inPathToEnclave,
                 const Attestation *attestation,
                 const std::string& persisted_sealed_data,
-                const int numOfEnclaves);
+                const int numOfEnclaves,
+                const uint8_t (&kss_config_id)[SGX_CONFIGID_SIZE]);
 
             /*
               Stop Avalon services

tc/sgx/trusted_worker_manager/enclave_untrusted/enclave_bridge/enclave.cpp

@@ -70,15 +70,21 @@ namespace tcf {
         // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         void Enclave::Load(
             const std::string& inEnclaveFilePath,
-            const Base64EncodedString& inSealedEnclaveData) {
+            const Base64EncodedString& inSealedEnclaveData,
+            const uint8_t (&kss_config_id)[SGX_CONFIGID_SIZE]) {
             tcf::error::ThrowIf<tcf::error::ValueError>(
                 inEnclaveFilePath.empty() ||
                 inEnclaveFilePath.length() > PATH_MAX,
                 "Invalid enclave path.");
 
             this->Unload();
             this->enclaveFilePath = inEnclaveFilePath;
+            for(int i=0; i <SGX_CONFIGID_SIZE;i++ ){
+                this->_kss_config[i] = kss_config_id[i];
+            }
+
             this->LoadEnclave(inSealedEnclaveData);
+
         }  // Enclave::Load
 
         // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
@@ -114,6 +120,11 @@ namespace tcf {
 		"Attestation object is not initialized"
 	    );
 	    this->attestation->CreateQuoteFromReport(inEnclaveReport, outEnclaveQuote);
+        
+        sgx_quote_t* enclaveQuote =
+                reinterpret_cast<sgx_quote_t *>(&outEnclaveQuote[0]);
+        tcf::Log(TCF_LOG_INFO,"KSS Config Id added to the EnclaveQuote : %s\n", enclaveQuote->report_body.config_id );
+
         }  // Enclave::GenerateSignupData
 
 
@@ -137,7 +148,6 @@ namespace tcf {
             if (!this->enclaveId) {
                 /* Enclave id, used in communicating with enclave */
                 Enclave::QuerySgxStatus();
-
                 sgx_launch_token_t token = { 0 };
                 int flags = SGX_DEBUG_FLAG;
                 tcf::error::ThrowSgxError((SGX_DEBUG_FLAG == 0 ?
@@ -147,7 +157,9 @@ namespace tcf {
 
                 // First attempt to load the enclave executable
                 sgx_status_t ret = SGX_SUCCESS;
-                ret = tcf::sgx_util::CallSgx([this, flags, &token] () {
+                if(this->_kss_config[0] == NULL){
+                    
+                    ret = tcf::sgx_util::CallSgx([this, flags, &token] () {
                         int updated = 0;
                         return sgx_create_enclave(
                             this->enclaveFilePath.c_str(),
@@ -160,7 +172,30 @@ namespace tcf {
                     10,  // retries
                     250  // retryWaitMs
                     );
-                tcf::error::ThrowSgxError(ret, "Unable to create enclave.");
+                    tcf::error::ThrowSgxError(ret, "Unable to create enclave.");
+                    
+                } else {
+                    tcf::Log(TCF_LOG_INFO, "Enclave::sgx_create_enclave_ex called" );
+                    void *enclave_ex_p[32] = { 0 };
+                    enclave_ex_p[SGX_CREATE_ENCLAVE_EX_KSS_BIT_IDX] = &this->_kss_config;
+                    
+                    ret = tcf::sgx_util::CallSgx([this, flags, &token, enclave_ex_p] () {
+                        int updated = 0;
+                        return sgx_create_enclave_ex(
+                                                this->enclaveFilePath.c_str(),
+                                                flags,
+                                                &token,
+                                                &updated,
+                                                &this->enclaveId,
+                                                NULL,
+                                                SGX_CREATE_ENCLAVE_EX_KSS,
+                                                (const void** )enclave_ex_p);
+                    },
+                    10,  // retries
+                    250  // retryWaitMs
+                    );
+                     tcf::error::ThrowSgxError(ret, "Unable to create enclave with Config id");
+                }
                 // Initialize the enclave
                 tcf_err_t tcfError = TCF_SUCCESS;