/* * Copyright (C) 2011-2016 Intel Corporation. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * Neither the name of Intel Corporation nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * */ #include "isv_enclave_t.h" #include "sgx_tkey_exchange.h" #include "sgx_tcrypto.h" #include "string.h" // This is the public EC key of the SP. The corresponding private EC key is // used by the SP to sign data used in the remote attestation SIGMA protocol // to sign channel binding data in MSG2. A successful verification of the // signature confirms the identity of the SP to the ISV app in remote // attestation secure channel binding. The public EC key should be hardcoded in // the enclave or delivered in a trustworthy manner. The use of a spoofed public // EC key in the remote attestation with secure channel binding session may lead // to a security compromise. Every different SP the enlcave communicates to // must have a unique SP public key. Delivery of the SP public key is // determined by the ISV. The TKE SIGMA protocl expects an Elliptical Curve key // based on NIST P-256 static const sgx_ec256_public_t g_sp_pub_key = { { 0x72, 0x12, 0x8a, 0x7a, 0x17, 0x52, 0x6e, 0xbf, 0x85, 0xd0, 0x3a, 0x62, 0x37, 0x30, 0xae, 0xad, 0x3e, 0x3d, 0xaa, 0xee, 0x9c, 0x60, 0x73, 0x1d, 0xb0, 0x5b, 0xe8, 0x62, 0x1c, 0x4b, 0xeb, 0x38 }, { 0xd4, 0x81, 0x40, 0xd9, 0x50, 0xe2, 0x57, 0x7b, 0x26, 0xee, 0xb7, 0x41, 0xe7, 0xc6, 0x14, 0xe2, 0x24, 0xb7, 0xbd, 0xc9, 0x03, 0xf2, 0x9a, 0x28, 0xa8, 0x3c, 0xc8, 0x10, 0x11, 0x14, 0x5e, 0x06 } }; // Used to store the secret passed by the SP in the sample code. The // size is forced to be 8 bytes. Expected value is // 0x01,0x02,0x03,0x04,0x0x5,0x0x6,0x0x7 uint8_t g_secret[8] = {0}; // This ecall is a wrapper of sgx_ra_init to create the trusted // KE exchange key context needed for the remote attestation // SIGMA API's. Input pointers aren't checked since the trusted stubs // copy them into EPC memory. // // @param b_pse Indicates whether the ISV app is using the // platform services. // @param p_context Pointer to the location where the returned // key context is to be copied. // // @return Any error return from the create PSE session if b_pse // is true. // @return Any error returned from the trusted key exchange API // for creating a key context. sgx_status_t enclave_init_ra( int b_pse, sgx_ra_context_t *p_context) { // isv enclave call to trusted key exchange library. sgx_status_t ret; if(b_pse) { int busy_retry_times = 2; do{ ret = sgx_create_pse_session(); }while (ret == SGX_ERROR_BUSY && busy_retry_times--); if (ret != SGX_SUCCESS) return ret; } ret = sgx_ra_init(&g_sp_pub_key, b_pse, p_context); if(b_pse) { sgx_close_pse_session(); return ret; } return ret; } // Closes the tKE key context used during the SIGMA key // exchange. // // @param context The trusted KE library key context. // // @return Return value from the key context close API sgx_status_t SGXAPI enclave_ra_close( sgx_ra_context_t context) { sgx_status_t ret; ret = sgx_ra_close(context); return ret; } // Verify the mac sent in att_result_msg from the SP using the // MK key. Input pointers aren't checked since the trusted stubs // copy them into EPC memory. // // // @param context The trusted KE library key context. // @param p_message Pointer to the message used to produce MAC // @param message_size Size in bytes of the message. // @param p_mac Pointer to the MAC to compare to. // @param mac_size Size in bytes of the MAC // // @return SGX_ERROR_INVALID_PARAMETER - MAC size is incorrect. // @return Any error produced by tKE API to get SK key. // @return Any error produced by the AESCMAC function. // @return SGX_ERROR_MAC_MISMATCH - MAC compare fails. sgx_status_t verify_att_result_mac(sgx_ra_context_t context, uint8_t* p_message, size_t message_size, uint8_t* p_mac, size_t mac_size) { sgx_status_t ret; sgx_ec_key_128bit_t mk_key; if(mac_size != sizeof(sgx_mac_t)) { ret = SGX_ERROR_INVALID_PARAMETER; return ret; } if(message_size > UINT32_MAX) { ret = SGX_ERROR_INVALID_PARAMETER; return ret; } do { uint8_t mac[SGX_CMAC_MAC_SIZE] = {0}; ret = sgx_ra_get_keys(context, SGX_RA_KEY_MK, &mk_key); if(SGX_SUCCESS != ret) { break; } ret = sgx_rijndael128_cmac_msg(&mk_key, p_message, (uint32_t)message_size, &mac); if(SGX_SUCCESS != ret) { break; } if(0 == consttime_memequal(p_mac, mac, sizeof(mac))) { ret = SGX_ERROR_MAC_MISMATCH; break; } } while(0); return ret; } // Generate a secret information for the SP encrypted with SK. // Input pointers aren't checked since the trusted stubs copy // them into EPC memory. // // @param context The trusted KE library key context. // @param p_secret Message containing the secret. // @param secret_size Size in bytes of the secret message. // @param p_gcm_mac The pointer the the AESGCM MAC for the // message. // // @return SGX_ERROR_INVALID_PARAMETER - secret size if // incorrect. // @return Any error produced by tKE API to get SK key. // @return Any error produced by the AESGCM function. // @return SGX_ERROR_UNEXPECTED - the secret doesn't match the // expected value. sgx_status_t put_secret_data( sgx_ra_context_t context, uint8_t *p_secret, uint32_t secret_size, uint8_t *p_gcm_mac) { sgx_status_t ret = SGX_SUCCESS; sgx_ec_key_128bit_t sk_key; do { if(secret_size != 8) { ret = SGX_ERROR_INVALID_PARAMETER; break; } ret = sgx_ra_get_keys(context, SGX_RA_KEY_SK, &sk_key); if(SGX_SUCCESS != ret) { break; } uint8_t aes_gcm_iv[12] = {0}; ret = sgx_rijndael128GCM_decrypt(&sk_key, p_secret, secret_size, &g_secret[0], &aes_gcm_iv[0], 12, NULL, 0, (const sgx_aes_gcm_128bit_tag_t *) (p_gcm_mac)); uint32_t i; bool secret_match = true; for(i=0;i