ias_ra.h 7.3 KB

  1. /*
  2. * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * * Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. * * Redistributions in binary form must reproduce the above copyright
  11. * notice, this list of conditions and the following disclaimer in
  12. * the documentation and/or other materials provided with the
  13. * distribution.
  14. * * Neither the name of Intel Corporation nor the names of its
  15. * contributors may be used to endorse or promote products derived
  16. * from this software without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  22. * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  23. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  24. * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28. * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. *
  30. */
  31. #ifndef _IAS_RA_H
  32. #define _IAS_RA_H
  33. #include "ecp.h"
  /**
   * Verdict on the EPID quote, carried in ias_att_report_t.status.
   *
   * IAS_QUOTE_OK is the first enumerator and therefore 0, so a report
   * structure that was zero-filled and never written also reads as "OK".
   * Callers should check the return code of the verification call before
   * trusting this field, and should treat every value other than
   * IAS_QUOTE_OK as a failed attestation unless local policy explicitly
   * accepts it.
   *
   * The numeric values follow from the declaration order, so inserting or
   * reordering enumerators changes what each value means to existing callers.
   */
  typedef enum {
      IAS_QUOTE_OK,
      IAS_QUOTE_SIGNATURE_INVALID,
      IAS_QUOTE_GROUP_REVOKED,
      IAS_QUOTE_SIGNATURE_REVOKED,
      IAS_QUOTE_KEY_REVOKED,
      IAS_QUOTE_SIGRL_VERSION_MISMATCH,
      // NOTE(review): presumably a valid signature from a platform whose
      // TCB is outdated; accepting it is a relying-party policy decision -
      // confirm against the IAS API spec.
      IAS_QUOTE_GROUP_OUT_OF_DATE,
  } ias_quote_status_t;
  // These status values should align with the definitions in the IAS API
  // spec (rev 0.6).
  /**
   * Verdict on the platform-services (PSE) evidence, carried in
   * ias_att_report_t.pse_status.
   *
   * IAS_PSE_OK is 0 because it is the first enumerator, so an unwritten,
   * zero-filled report also reads as "OK"; check the verification call's
   * return code before relying on this field.
   *
   * The enumerators use two prefixes (IAS_PSE_ and IAS_PS_HW_); both belong
   * to this one enum and share a single numbering that follows the
   * declaration order.
   */
  typedef enum {
      IAS_PSE_OK,
      IAS_PSE_DESC_TYPE_NOT_SUPPORTED,
      IAS_PSE_ISVSVN_OUT_OF_DATE,
      IAS_PSE_MISCSELECT_INVALID,
      IAS_PSE_ATTRIBUTES_INVALID,
      IAS_PSE_MRSIGNER_INVALID,
      IAS_PS_HW_GID_REVOKED,
      IAS_PS_HW_PRIVKEY_RLVER_MISMATCH,
      IAS_PS_HW_SIG_RLVER_MISMATCH,
      IAS_PS_HW_CA_ID_INVALID,
      IAS_PS_HW_SEC_INFO_INVALID,
      IAS_PS_HW_PSDA_SVN_OUT_OF_DATE,
  } ias_pse_status_t;
  // Revocation reasons, named after the CRLReason values of RFC 5280.
  /**
   * Reason attached to a revocation verdict.
   *
   * Only the names come from RFC 5280. The enumerators are numbered
   * sequentially from 0, so from IAS_REVOC_REASON_SUPERCEDED onwards the
   * numeric values differ from the RFC's CRLReason codes (the RFC assigns
   * superseded = 4, certificateHold = 6, aACompromise = 10, and also defines
   * affiliationChanged and removeFromCRL, which have no counterpart here).
   * Map explicitly when converting to or from a real CRL reason code; do not
   * cast.
   *
   * ias_att_report_t.revocation_reason is declared as uint32_t rather than
   * this enum type. NOTE(review): presumably it holds one of these values -
   * confirm, and range-check it before using it as an index or switch key.
   */
  typedef enum {
      IAS_REVOC_REASON_NONE,
      IAS_REVOC_REASON_KEY_COMPROMISE,
      IAS_REVOC_REASON_CA_COMPROMISED,
      IAS_REVOC_REASON_SUPERCEDED,
      IAS_REVOC_REASON_CESSATION_OF_OPERATION,
      IAS_REVOC_REASON_CERTIFICATE_HOLD,
      IAS_REVOC_REASON_PRIVILEGE_WITHDRAWN,
      IAS_REVOC_REASON_AA_COMPROMISE,
  } ias_revoc_reason_t;
  // These status bit definitions should align with the definitions in the
  // IAS API spec (rev 0.6).
  //
  // As the _BIT_POS suffix says, each value is a bit position (a shift
  // count), not a mask: test a flag with ((status >> POS) & 1u) or build the
  // mask with (1u << POS). Comparing a status word directly against one of
  // these constants gives the wrong answer; position 0 in particular would
  // match a status word with no bits set.
  //
  // The three groups (EPID group status, TCB evaluation status, PSE
  // evaluation status) reuse the same positions, so a constant is only
  // meaningful for the status word of its own group.
  // NOTE(review): the fields that carry these status words are not declared
  // in this header - presumably they live in ias_platform_info_blob_t;
  // confirm.
  #define IAS_EPID_GROUP_STATUS_REVOKED_BIT_POS 0x00
  #define IAS_EPID_GROUP_STATUS_REKEY_AVAILABLE_BIT_POS 0x01
  #define IAS_TCB_EVAL_STATUS_CPUSVN_OUT_OF_DATE_BIT_POS 0x00
  #define IAS_TCB_EVAL_STATUS_ISVSVN_OUT_OF_DATE_BIT_POS 0x01
  #define IAS_PSE_EVAL_STATUS_ISVSVN_OUT_OF_DATE_BIT_POS 0x00
  #define IAS_PSE_EVAL_STATUS_EPID_GROUP_REVOKED_BIT_POS 0x01
  #define IAS_PSE_EVAL_STATUS_PSDASVN_OUT_OF_DATE_BIT_POS 0x02
  #define IAS_PSE_EVAL_STATUS_SIGRL_OUT_OF_DATE_BIT_POS 0x03
  #define IAS_PSE_EVAL_STATUS_PRIVRL_OUT_OF_DATE_BIT_POS 0x04
  // Field sizes. These should align with the definitions in the IAS API
  // spec (rev 0.6).
  // NOTE(review): the first four are not used anywhere in this header;
  // presumably they are byte counts like the SAMPLE_* sizes below - confirm.
  #define ISVSVN_SIZE 2
  #define PSDA_SVN_SIZE 4
  #define GID_SIZE 4
  #define PSVN_SIZE 18
  #define SAMPLE_HASH_SIZE 32 // SHA256
  #define SAMPLE_MAC_SIZE 16 // Message Authentication Code - 16 bytes
  #define SAMPLE_REPORT_DATA_SIZE 64

  // Fixed-size byte arrays used inside the report body.
  //
  // These are array typedefs: when one is used as a function parameter it
  // decays to a pointer, and sizeof on that parameter yields the pointer size
  // rather than the array size. Use the SAMPLE_*_SIZE constants for lengths
  // in memcpy/memcmp calls. Values of sample_mac_t should be compared with a
  // constant-time routine when the result decides whether a message is
  // accepted.
  typedef uint8_t sample_measurement_t[SAMPLE_HASH_SIZE];
  typedef uint8_t sample_mac_t[SAMPLE_MAC_SIZE];
  typedef uint8_t sample_report_data_t[SAMPLE_REPORT_DATA_SIZE];
  typedef uint16_t sample_prod_id_t;
  #define SAMPLE_CPUSVN_SIZE 16
  typedef uint8_t sample_cpu_svn_t[SAMPLE_CPUSVN_SIZE];
  typedef uint16_t sample_isv_svn_t;
  /**
   * Enclave attributes as they appear in the report body (two 64-bit words,
   * 16 bytes in total).
   *
   * NOTE(review): presumably mirrors the SGX SDK's sgx_attributes_t. If so,
   * flags carries the enclave DEBUG attribute, which a relying party should
   * inspect before trusting a quote from a production deployment - confirm
   * against the verifier code.
   */
  typedef struct sample_attributes_t
  {
      uint64_t flags;
      uint64_t xfrm;
  } sample_attributes_t;
  /**
   * Body of an enclave report as embedded in a quote (384 bytes).
   *
   * The number in parentheses on each member is its byte offset. This
   * struct is declared before the file's "#pragma pack(push, 1)", so it is
   * laid out with natural alignment; the offsets hold because every member
   * already falls on a boundary that suits its type (the two uint64_t words
   * at 48, the two uint16_t fields at 256 and 258). Adding or resizing a
   * member can silently introduce padding and shift everything after it, so
   * a compile-time size/offset assertion next to any such change is
   * advisable.
   *
   * The reserved ranges are part of the layout. NOTE(review): whether the
   * verifier requires them to be zero is not visible from this header.
   */
  typedef struct sample_report_body_t {
      sample_cpu_svn_t cpu_svn;          // (  0) Security Version of the CPU
      uint8_t reserved1[32];             // ( 16)
      sample_attributes_t attributes;    // ( 48) Any special capabilities
                                         //       the enclave possesses
      sample_measurement_t mr_enclave;   // ( 64) The value of the enclave's
                                         //       ENCLAVE measurement
      uint8_t reserved2[32];             // ( 96)
      sample_measurement_t mr_signer;    // (128) The value of the enclave's
                                         //       SIGNER measurement
      uint8_t reserved3[32];             // (160)
      sample_measurement_t mr_reserved1; // (192)
      sample_measurement_t mr_reserved2; // (224)
      sample_prod_id_t isv_prod_id;      // (256) Product ID of the enclave
      sample_isv_svn_t isv_svn;          // (258) Security Version of the
                                         //       enclave
      uint8_t reserved4[60];             // (260)
      // NOTE(review): in remote attestation this field normally binds the
      // key-exchange material to the quote; confirm the consumer of this
      // struct actually checks it rather than only the measurements.
      sample_report_data_t report_data;  // (320) Data provided by the user
  } sample_report_body_t;
  // Everything from here to the matching "#pragma pack(pop)" is laid out with
  // 1-byte packing: no padding is inserted between members, and members may be
  // misaligned for their type.
  #pragma pack(push, 1)
  // This is a context data structure used on the SP (service provider) side.
  // @TODO: Modify at production to use the values specified by the Production
  // IAS API
  /**
   * Attestation verification report handed back to the service provider.
   *
   * - status and pse_status are enum-typed. The storage size of an enum is
   *   chosen by the compiler, so the byte layout of this packed struct is not
   *   guaranteed to match across toolchains; do not send or store it as raw
   *   bytes without an explicit encoding.
   * - Both status enums use 0 for "OK", so a zero-filled report looks like a
   *   successful verdict. Trust the fields only after the call that fills the
   *   report has returned success.
   * - policy_report is a flexible array member; policy_report_size is the only
   *   statement of its length. Check it against the size of the buffer that
   *   actually holds the report before reading or copying policy_report.
   * - ias_platform_info_blob_t is not declared in this header.
   *   NOTE(review): presumably it comes from "ecp.h" - confirm.
   */
  typedef struct _ias_att_report_t
  {
      uint32_t id;
      ias_quote_status_t status;
      uint32_t revocation_reason;
      ias_platform_info_blob_t info_blob;
      ias_pse_status_t pse_status;
      uint32_t policy_report_size;
      uint8_t policy_report[];// IAS_Q: Why does it specify a
                              // list of reports?
  } ias_att_report_t;
  // EPID group ID: 4 raw bytes. This is an array typedef, so it decays to a
  // pointer when used as a function parameter (see ias_get_sigrl).
  typedef uint8_t sample_epid_group_id_t[4];

  // Service provider ID: 16 opaque bytes.
  typedef struct sample_spid_t
  {
      uint8_t id[16];
  } sample_spid_t;

  // Basename: 32 opaque bytes, embedded in sample_quote_t.
  typedef struct sample_basename_t
  {
      uint8_t name[32];
  } sample_basename_t;

  // Quote nonce: 16 bytes.
  // NOTE(review): the member is named "rand"; presumably the value is meant to
  // be unpredictable and fresh per request so that a quote cannot be replayed -
  // confirm how callers generate it.
  typedef struct sample_quote_nonce_t
  {
      uint8_t rand[16];
  } sample_quote_nonce_t;
  // Signature modes.
  // NOTE(review): presumably the valid values of sample_quote_t.sign_type -
  // confirm; a verifier should reject any other value.
  #define SAMPLE_QUOTE_UNLINKABLE_SIGNATURE 0
  #define SAMPLE_QUOTE_LINKABLE_SIGNATURE 1

  /**
   * Quote as received from the platform being attested.
   *
   * Declared under 1-byte packing; the trailing number on each member is its
   * byte offset. The fixed part is 436 bytes and is followed by signature_len
   * bytes of signature (flexible array member).
   *
   * signature_len is read from the quote itself, i.e. it is supplied by the
   * party whose claims are being checked. Before touching signature[], a
   * consumer needs the real length of the received buffer and must verify
   *   received_len >= sizeof(sample_quote_t)   and
   *   signature_len <= received_len - sizeof(sample_quote_t)
   * (written as a subtraction so that the check itself cannot overflow).
   */
  typedef struct sample_quote_t {
      uint16_t version;                     // 0
      uint16_t sign_type;                   // 2
      sample_epid_group_id_t epid_group_id; // 4
      sample_isv_svn_t qe_svn;              // 8
      uint8_t reserved[6];                  // 10
      sample_basename_t basename;           // 16
      sample_report_body_t report_body;     // 48
      uint32_t signature_len;               // 432
      uint8_t signature[];                  // 436
  } sample_quote_t;
  // End of the 1-byte-packed region opened by "#pragma pack(push, 1)".
  #pragma pack(pop)
  // C linkage so the functions below can be called from C++ translation units.
  #ifdef __cplusplus
  extern "C" {
  #endif
  /**
   * Enroll a service provider.
   *
   * @param sp_credentials        Service provider credentials (plain int here).
   * @param spid                  Out: receives the service provider ID.
   * @param authentication_token  Out: receives an authentication token.
   * @return int status code. NOTE(review): the convention (presumably 0 on
   *         success) is not stated in this header - confirm in the
   *         implementation.
   *
   * NOTE(review): int-typed credentials and token look like placeholders for
   * the sample; see the @TODO on ias_att_report_t about production values.
   */
  int ias_enroll(int sp_credentials, sample_spid_t* spid,
                 int* authentication_token);
  /**
   * Fetch the signature revocation list for an EPID group.
   *
   * @param gid            EPID group ID (4 bytes; decays to const uint8_t*).
   * @param p_sig_rl_size  Out: size of the returned list.
   * @param p_sig_rl       Out: pointer to the list.
   * @return int status code; convention not stated here - confirm.
   *
   * NOTE(review): ownership of *p_sig_rl (who frees it, and whether it may be
   * NULL with a size of 0 when no list exists) is not visible from this
   * header - confirm before use.
   */
  int ias_get_sigrl(const sample_epid_group_id_t gid, uint32_t* p_sig_rl_size,
                    uint8_t** p_sig_rl);
  /**
   * Verify attestation evidence and fill in a verification report.
   *
   * @param p_isv_quote   Quote to verify.
   * @param pse_manifest  Platform-services manifest bytes.
   * @param attestation_verification_report  Out: verdict (status, pse_status,
   *                      revocation_reason, ...).
   * @return int status code; convention not stated here - confirm. Check it
   *         before reading the report, because a zero-filled report decodes
   *         as IAS_QUOTE_OK / IAS_PSE_OK.
   *
   * Neither p_isv_quote nor pse_manifest is accompanied by a length. The only
   * size information available to the callee for the quote is
   * p_isv_quote->signature_len, which comes from the attested party, so the
   * caller must have validated the received buffer length against
   * sizeof(sample_quote_t) + signature_len before making this call.
   * NOTE(review): ias_att_report_t ends in a flexible array member; how much
   * room the caller must provide for policy_report is not stated - confirm.
   */
  int ias_verify_attestation_evidence(sample_quote_t* p_isv_quote,
                                      uint8_t* pse_manifest,
                                      ias_att_report_t* attestation_verification_report);
  #ifdef __cplusplus
  }
  #endif
  174. #endif