isv_enclave.cpp 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397
  1. /*
  2. * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * * Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. * * Redistributions in binary form must reproduce the above copyright
  11. * notice, this list of conditions and the following disclaimer in
  12. * the documentation and/or other materials provided with the
  13. * distribution.
  14. * * Neither the name of Intel Corporation nor the names of its
  15. * contributors may be used to endorse or promote products derived
  16. * from this software without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  22. * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  23. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  24. * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28. * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. *
  30. */
  31. #include <assert.h>
  32. #include "isv_enclave_t.h"
  33. #include "sgx_tkey_exchange.h"
  34. #include "sgx_tcrypto.h"
  35. #include "string.h"
  36. // This is the public EC key of the SP. The corresponding private EC key is
  37. // used by the SP to sign data used in the remote attestation SIGMA protocol
  38. // to sign channel binding data in MSG2. A successful verification of the
  39. // signature confirms the identity of the SP to the ISV app in remote
  40. // attestation secure channel binding. The public EC key should be hardcoded in
  41. // the enclave or delivered in a trustworthy manner. The use of a spoofed public
  42. // EC key in the remote attestation with secure channel binding session may lead
  43. // to a security compromise. Every different SP the enlcave communicates to
  44. // must have a unique SP public key. Delivery of the SP public key is
  45. // determined by the ISV. The TKE SIGMA protocl expects an Elliptical Curve key
  46. // based on NIST P-256
  47. static const sgx_ec256_public_t g_sp_pub_key = {
  48. {
  49. 0x72, 0x12, 0x8a, 0x7a, 0x17, 0x52, 0x6e, 0xbf,
  50. 0x85, 0xd0, 0x3a, 0x62, 0x37, 0x30, 0xae, 0xad,
  51. 0x3e, 0x3d, 0xaa, 0xee, 0x9c, 0x60, 0x73, 0x1d,
  52. 0xb0, 0x5b, 0xe8, 0x62, 0x1c, 0x4b, 0xeb, 0x38
  53. },
  54. {
  55. 0xd4, 0x81, 0x40, 0xd9, 0x50, 0xe2, 0x57, 0x7b,
  56. 0x26, 0xee, 0xb7, 0x41, 0xe7, 0xc6, 0x14, 0xe2,
  57. 0x24, 0xb7, 0xbd, 0xc9, 0x03, 0xf2, 0x9a, 0x28,
  58. 0xa8, 0x3c, 0xc8, 0x10, 0x11, 0x14, 0x5e, 0x06
  59. }
  60. };
  61. // Used to store the secret passed by the SP in the sample code. The
  62. // size is forced to be 8 bytes. Expected value is
  63. // 0x01,0x02,0x03,0x04,0x0x5,0x0x6,0x0x7
  64. uint8_t g_secret[8] = {0};
  65. #ifdef SUPPLIED_KEY_DERIVATION
  66. #pragma message ("Supplied key derivation function is used.")
  67. typedef struct _hash_buffer_t
  68. {
  69. uint8_t counter[4];
  70. sgx_ec256_dh_shared_t shared_secret;
  71. uint8_t algorithm_id[4];
  72. } hash_buffer_t;
  73. const char ID_U[] = "SGXRAENCLAVE";
  74. const char ID_V[] = "SGXRASERVER";
  75. // Derive two keys from shared key and key id.
  76. bool derive_key(
  77. const sgx_ec256_dh_shared_t *p_shared_key,
  78. uint8_t key_id,
  79. sgx_ec_key_128bit_t *first_derived_key,
  80. sgx_ec_key_128bit_t *second_derived_key)
  81. {
  82. sgx_status_t sgx_ret = SGX_SUCCESS;
  83. hash_buffer_t hash_buffer;
  84. sgx_sha_state_handle_t sha_context;
  85. sgx_sha256_hash_t key_material;
  86. memset(&hash_buffer, 0, sizeof(hash_buffer_t));
  87. /* counter in big endian */
  88. hash_buffer.counter[3] = key_id;
  89. /*convert from little endian to big endian */
  90. for (size_t i = 0; i < sizeof(sgx_ec256_dh_shared_t); i++)
  91. {
  92. hash_buffer.shared_secret.s[i] = p_shared_key->s[sizeof(p_shared_key->s)-1 - i];
  93. }
  94. sgx_ret = sgx_sha256_init(&sha_context);
  95. if (sgx_ret != SGX_SUCCESS)
  96. {
  97. return false;
  98. }
  99. sgx_ret = sgx_sha256_update((uint8_t*)&hash_buffer, sizeof(hash_buffer_t), sha_context);
  100. if (sgx_ret != SGX_SUCCESS)
  101. {
  102. sgx_sha256_close(sha_context);
  103. return false;
  104. }
  105. sgx_ret = sgx_sha256_update((uint8_t*)&ID_U, sizeof(ID_U), sha_context);
  106. if (sgx_ret != SGX_SUCCESS)
  107. {
  108. sgx_sha256_close(sha_context);
  109. return false;
  110. }
  111. sgx_ret = sgx_sha256_update((uint8_t*)&ID_V, sizeof(ID_V), sha_context);
  112. if (sgx_ret != SGX_SUCCESS)
  113. {
  114. sgx_sha256_close(sha_context);
  115. return false;
  116. }
  117. sgx_ret = sgx_sha256_get_hash(sha_context, &key_material);
  118. if (sgx_ret != SGX_SUCCESS)
  119. {
  120. sgx_sha256_close(sha_context);
  121. return false;
  122. }
  123. sgx_ret = sgx_sha256_close(sha_context);
  124. assert(sizeof(sgx_ec_key_128bit_t)* 2 == sizeof(sgx_sha256_hash_t));
  125. memcpy(first_derived_key, &key_material, sizeof(sgx_ec_key_128bit_t));
  126. memcpy(second_derived_key, (uint8_t*)&key_material + sizeof(sgx_ec_key_128bit_t), sizeof(sgx_ec_key_128bit_t));
  127. // memset here can be optimized away by compiler, so please use memset_s on
  128. // windows for production code and similar functions on other OSes.
  129. memset(&key_material, 0, sizeof(sgx_sha256_hash_t));
  130. return true;
  131. }
  132. //isv defined key derivation function id
  133. #define ISV_KDF_ID 2
  134. typedef enum _derive_key_type_t
  135. {
  136. DERIVE_KEY_SMK_SK = 0,
  137. DERIVE_KEY_MK_VK,
  138. } derive_key_type_t;
  139. sgx_status_t key_derivation(const sgx_ec256_dh_shared_t* shared_key,
  140. uint16_t kdf_id,
  141. sgx_ec_key_128bit_t* smk_key,
  142. sgx_ec_key_128bit_t* sk_key,
  143. sgx_ec_key_128bit_t* mk_key,
  144. sgx_ec_key_128bit_t* vk_key)
  145. {
  146. bool derive_ret = false;
  147. if (NULL == shared_key)
  148. {
  149. return SGX_ERROR_INVALID_PARAMETER;
  150. }
  151. if (ISV_KDF_ID != kdf_id)
  152. {
  153. //fprintf(stderr, "\nError, key derivation id mismatch in [%s].", __FUNCTION__);
  154. return SGX_ERROR_KDF_MISMATCH;
  155. }
  156. derive_ret = derive_key(shared_key, DERIVE_KEY_SMK_SK,
  157. smk_key, sk_key);
  158. if (derive_ret != true)
  159. {
  160. //fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__);
  161. return SGX_ERROR_UNEXPECTED;
  162. }
  163. derive_ret = derive_key(shared_key, DERIVE_KEY_MK_VK,
  164. mk_key, vk_key);
  165. if (derive_ret != true)
  166. {
  167. //fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__);
  168. return SGX_ERROR_UNEXPECTED;
  169. }
  170. return SGX_SUCCESS;
  171. }
  172. #else
  173. #pragma message ("Default key derivation function is used.")
  174. #endif
  175. // This ecall is a wrapper of sgx_ra_init to create the trusted
  176. // KE exchange key context needed for the remote attestation
  177. // SIGMA API's. Input pointers aren't checked since the trusted stubs
  178. // copy them into EPC memory.
  179. //
  180. // @param b_pse Indicates whether the ISV app is using the
  181. // platform services.
  182. // @param p_context Pointer to the location where the returned
  183. // key context is to be copied.
  184. //
  185. // @return Any error return from the create PSE session if b_pse
  186. // is true.
  187. // @return Any error returned from the trusted key exchange API
  188. // for creating a key context.
  189. sgx_status_t enclave_init_ra(
  190. int b_pse,
  191. sgx_ra_context_t *p_context)
  192. {
  193. // isv enclave call to trusted key exchange library.
  194. sgx_status_t ret;
  195. if(b_pse)
  196. {
  197. int busy_retry_times = 2;
  198. do{
  199. ret = sgx_create_pse_session();
  200. }while (ret == SGX_ERROR_BUSY && busy_retry_times--);
  201. if (ret != SGX_SUCCESS)
  202. return ret;
  203. }
  204. #ifdef SUPPLIED_KEY_DERIVATION
  205. ret = sgx_ra_init_ex(&g_sp_pub_key, b_pse, key_derivation, p_context);
  206. #else
  207. ret = sgx_ra_init(&g_sp_pub_key, b_pse, p_context);
  208. #endif
  209. if(b_pse)
  210. {
  211. sgx_close_pse_session();
  212. return ret;
  213. }
  214. return ret;
  215. }
  216. // Closes the tKE key context used during the SIGMA key
  217. // exchange.
  218. //
  219. // @param context The trusted KE library key context.
  220. //
  221. // @return Return value from the key context close API
  222. sgx_status_t SGXAPI enclave_ra_close(
  223. sgx_ra_context_t context)
  224. {
  225. sgx_status_t ret;
  226. ret = sgx_ra_close(context);
  227. return ret;
  228. }
  229. // Verify the mac sent in att_result_msg from the SP using the
  230. // MK key. Input pointers aren't checked since the trusted stubs
  231. // copy them into EPC memory.
  232. //
  233. //
  234. // @param context The trusted KE library key context.
  235. // @param p_message Pointer to the message used to produce MAC
  236. // @param message_size Size in bytes of the message.
  237. // @param p_mac Pointer to the MAC to compare to.
  238. // @param mac_size Size in bytes of the MAC
  239. //
  240. // @return SGX_ERROR_INVALID_PARAMETER - MAC size is incorrect.
  241. // @return Any error produced by tKE API to get SK key.
  242. // @return Any error produced by the AESCMAC function.
  243. // @return SGX_ERROR_MAC_MISMATCH - MAC compare fails.
  244. sgx_status_t verify_att_result_mac(sgx_ra_context_t context,
  245. uint8_t* p_message,
  246. size_t message_size,
  247. uint8_t* p_mac,
  248. size_t mac_size)
  249. {
  250. sgx_status_t ret;
  251. sgx_ec_key_128bit_t mk_key;
  252. if(mac_size != sizeof(sgx_mac_t))
  253. {
  254. ret = SGX_ERROR_INVALID_PARAMETER;
  255. return ret;
  256. }
  257. if(message_size > UINT32_MAX)
  258. {
  259. ret = SGX_ERROR_INVALID_PARAMETER;
  260. return ret;
  261. }
  262. do {
  263. uint8_t mac[SGX_CMAC_MAC_SIZE] = {0};
  264. ret = sgx_ra_get_keys(context, SGX_RA_KEY_MK, &mk_key);
  265. if(SGX_SUCCESS != ret)
  266. {
  267. break;
  268. }
  269. ret = sgx_rijndael128_cmac_msg(&mk_key,
  270. p_message,
  271. (uint32_t)message_size,
  272. &mac);
  273. if(SGX_SUCCESS != ret)
  274. {
  275. break;
  276. }
  277. if(0 == consttime_memequal(p_mac, mac, sizeof(mac)))
  278. {
  279. ret = SGX_ERROR_MAC_MISMATCH;
  280. break;
  281. }
  282. }
  283. while(0);
  284. return ret;
  285. }
  286. // Generate a secret information for the SP encrypted with SK.
  287. // Input pointers aren't checked since the trusted stubs copy
  288. // them into EPC memory.
  289. //
  290. // @param context The trusted KE library key context.
  291. // @param p_secret Message containing the secret.
  292. // @param secret_size Size in bytes of the secret message.
  293. // @param p_gcm_mac The pointer the the AESGCM MAC for the
  294. // message.
  295. //
  296. // @return SGX_ERROR_INVALID_PARAMETER - secret size if
  297. // incorrect.
  298. // @return Any error produced by tKE API to get SK key.
  299. // @return Any error produced by the AESGCM function.
  300. // @return SGX_ERROR_UNEXPECTED - the secret doesn't match the
  301. // expected value.
  302. sgx_status_t put_secret_data(
  303. sgx_ra_context_t context,
  304. uint8_t *p_secret,
  305. uint32_t secret_size,
  306. uint8_t *p_gcm_mac)
  307. {
  308. sgx_status_t ret = SGX_SUCCESS;
  309. sgx_ec_key_128bit_t sk_key;
  310. do {
  311. if(secret_size != 8)
  312. {
  313. ret = SGX_ERROR_INVALID_PARAMETER;
  314. break;
  315. }
  316. ret = sgx_ra_get_keys(context, SGX_RA_KEY_SK, &sk_key);
  317. if(SGX_SUCCESS != ret)
  318. {
  319. break;
  320. }
  321. uint8_t aes_gcm_iv[12] = {0};
  322. ret = sgx_rijndael128GCM_decrypt(&sk_key,
  323. p_secret,
  324. secret_size,
  325. &g_secret[0],
  326. &aes_gcm_iv[0],
  327. 12,
  328. NULL,
  329. 0,
  330. (const sgx_aes_gcm_128bit_tag_t *)
  331. (p_gcm_mac));
  332. uint32_t i;
  333. bool secret_match = true;
  334. for(i=0;i<secret_size;i++)
  335. {
  336. if(g_secret[i] != i)
  337. {
  338. secret_match = false;
  339. }
  340. }
  341. if(!secret_match)
  342. {
  343. ret = SGX_ERROR_UNEXPECTED;
  344. }
  345. // Once the server has the shared secret, it should be sealed to
  346. // persistent storage for future use. This will prevents having to
  347. // perform remote attestation until the secret goes stale. Once the
  348. // enclave is created again, the secret can be unsealed.
  349. } while(0);
  350. return ret;
  351. }