
  1. /*
  2. * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * * Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. * * Redistributions in binary form must reproduce the above copyright
  11. * notice, this list of conditions and the following disclaimer in
  12. * the documentation and/or other materials provided with the
  13. * distribution.
  14. * * Neither the name of Intel Corporation nor the names of its
  15. * contributors may be used to endorse or promote products derived
  16. * from this software without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  22. * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  23. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  24. * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28. * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. *
  30. */
  31. #include "ref_le.h"
  32. #include "byte_order.h"
  33. #include "sgx_utils.h"
  34. #include "sgx_trts.h"
  35. #include "metadata.h"
  36. #include "se_memcpy.h"
  37. #include "ref_le_t.h"
  38. #include <stdlib.h> /* for malloc/free etc */
// upper bound on entries accepted in a white list; also sizes the static cache below
#define REF_LE_WL_MAX_NUM_OF_RECORDS 512
// format version 1 as it appears on the wire (big endian); compared raw against the list header
#define REF_LE_WL_CURRENT_VERSION 0x0100 /*big endian*/
// statically allocated white list cache - all the values in the cache are in little endian.
// It is written only by ref_le_init_white_list() after the list's signature has been verified,
// and read by ref_le_get_launch_token().
// NOTE(review): g_buffer is a plain byte array reinterpreted as ref_le_white_list_t; this relies
// on the compiler giving the static array enough alignment for that struct - confirm.
static uint8_t g_buffer[REF_LE_WL_SIZE(REF_LE_WL_MAX_NUM_OF_RECORDS)] = { 0 };
static ref_le_white_list_t *g_ref_le_white_list_cache = (ref_le_white_list_t*)g_buffer;
// Copy `size` bytes from src into dst in reverse order (dst[0] receives src[size - 1]).
// Used to convert between the big-endian on-wire encoding of the white list and the
// little-endian representation kept in the cache and handed to the crypto primitives.
// All callers in this file pass distinct buffers; size == 0 leaves dst untouched.
static void copy_reversed_byte_array(uint8_t *dst, const uint8_t *src, size_t size)
{
    // walk src from its last byte down to its first while filling dst forwards
    const uint8_t *src_tail = src + size;
    uint8_t *dst_head = dst;
    while (src_tail != src)
    {
        --src_tail;
        *dst_head = *src_tail;
        ++dst_head;
    }
}
// Compute the expected byte size of a white list from the entry count in its header.
// `val` points at the on-wire list, so entries_count is read as big endian.
// Returns 0 when val is NULL or the count is outside 1..REF_LE_WL_MAX_NUM_OF_RECORDS;
// callers treat 0 as "malformed list".
static size_t ref_le_get_white_list_size(const ref_le_white_list_t* val)
{
    size_t expected_size = 0;
    if (val != NULL)
    {
        const uint16_t count = _ntohs(val->entries_count);
        // an empty list is not allowed, and the count must fit the static cache
        const int count_is_valid = (count != 0) && (count <= REF_LE_WL_MAX_NUM_OF_RECORDS);
        if (count_is_valid)
        {
            expected_size = REF_LE_WL_SIZE(count);
        }
    }
    return expected_size;
}
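// Verify a white list and its signature and, on success, replace the white list cache with it.
//
// p_ref_le_white_list           - the white list in its on-wire (big endian) format
// ref_le_white_list_size        - size in bytes of the buffer behind p_ref_le_white_list
// p_ref_le_white_list_signature - RSA-3072 signature over the white list, big endian
//
// Returns AE_SUCCESS when the cache was updated, LE_WHITE_LIST_ALREADY_UPDATED when the cached
// list is at least as new as the provided one, LE_INVALID_PARAMETER for any structural, signer
// or signature check failure, and LE_UNEXPECTED_ERROR when an SGX primitive fails.
// The cache is written only after every check has passed, so a rejected list never leaves a
// partially updated cache behind.
int ref_le_init_white_list(const ref_le_white_list_t* p_ref_le_white_list, uint32_t ref_le_white_list_size, const sgx_rsa3072_signature_t* p_ref_le_white_list_signature)
{
    sgx_status_t sgx_stat = SGX_SUCCESS;
    if (p_ref_le_white_list == NULL || ref_le_white_list_size < (uint32_t)sizeof(ref_le_white_list_t) || p_ref_le_white_list_signature == NULL)
    {
        return LE_INVALID_PARAMETER;
    }
    // both buffers must lie inside the enclave before any field is read from them; the size
    // used here is the caller's declared size, which is cross-checked against the size implied
    // by the list header right below
    if (!sgx_is_within_enclave(p_ref_le_white_list, ref_le_white_list_size) ||
        !sgx_is_within_enclave(p_ref_le_white_list_signature, sizeof(sgx_rsa3072_signature_t)))
    {
        return LE_INVALID_PARAMETER;
    }
    uint32_t data_size = (uint32_t)ref_le_get_white_list_size(p_ref_le_white_list);
    if (data_size == 0 || data_size != ref_le_white_list_size ||
        data_size > REF_LE_WL_SIZE(REF_LE_WL_MAX_NUM_OF_RECORDS))
    {
        // calculated size must match the declared one and 0 is illegal
        // also checking that it is no more than the max size as a defence in depth
        return LE_INVALID_PARAMETER;
    }
    // Format version should be 1 (big endian)
    if (p_ref_le_white_list->version != REF_LE_WL_CURRENT_VERSION)
    {
        return LE_INVALID_PARAMETER;
    }
    // ===== version checking =====
    uint32_t wl_version = _ntohl(p_ref_le_white_list->wl_version);
    if (g_ref_le_white_list_cache->wl_version >= wl_version)
    {
        // white list version must be newer than the existing one (cache holds it little endian)
        return LE_WHITE_LIST_ALREADY_UPDATED;
    }
    // ===== verify list signer =====
    // build a little-endian copy of the signer's public key for the crypto primitives
    sgx_rsa3072_public_key_t temp_public_key;
    copy_reversed_byte_array((uint8_t*)&(temp_public_key.exp), (const uint8_t*)&(p_ref_le_white_list->signer_pubkey.exp), sizeof(temp_public_key.exp));
    copy_reversed_byte_array((uint8_t*)&(temp_public_key.mod), (const uint8_t*)&(p_ref_le_white_list->signer_pubkey.mod), sizeof(temp_public_key.mod));
    // calculate the hash of the provided public key (modulus only)
    sgx_sha256_hash_t signer_hash;
    sgx_stat = sgx_sha256_msg(temp_public_key.mod, SGX_RSA3072_KEY_SIZE, &signer_hash);
    if (sgx_stat != SGX_SUCCESS)
    {
        return LE_UNEXPECTED_ERROR;
    }
    // get self report - signer pubkey must match the self signing key acquired in report
    sgx_report_t report;
    sgx_stat = sgx_create_report(NULL, NULL, &report);
    if (sgx_stat != SGX_SUCCESS)
    {
        return LE_UNEXPECTED_ERROR;
    }
    // compare the signer of the LE acquired from the report to the one provided in the list;
    // only a list signed by the LE's own signing key is accepted
    if (memcmp(&(report.body.mr_signer), &signer_hash, sizeof(signer_hash)) != 0)
    {
        return LE_INVALID_PARAMETER;
    }
    // ===== verify signature =====
    // create a little-endian copy of the signature
    sgx_rsa3072_signature_t temp_signature;
    copy_reversed_byte_array((uint8_t*)&temp_signature, (const uint8_t*)p_ref_le_white_list_signature, sizeof(*p_ref_le_white_list_signature));
    // verify the signed white list (the signature covers the whole data_size bytes of the list)
    sgx_rsa_result_t verify_result = SGX_RSA_INVALID_SIGNATURE;
    sgx_stat = sgx_rsa3072_verify((const uint8_t *)p_ref_le_white_list, data_size, &temp_public_key, &temp_signature, &verify_result);
    if (sgx_stat != SGX_SUCCESS)
    {
        return LE_UNEXPECTED_ERROR;
    }
    if (verify_result != SGX_RSA_VALID)
    {
        return LE_INVALID_PARAMETER;
    }
    // ===== update the white list cache =====
    // clear the existing records
    memset(g_ref_le_white_list_cache, 0, REF_LE_WL_SIZE(REF_LE_WL_MAX_NUM_OF_RECORDS));
    // copy white list as little endian to the cache
    // the count was verified earlier in this function when the size was verified
    uint16_t entries_count = _ntohs(p_ref_le_white_list->entries_count);
    for (uint32_t i = 0; i < entries_count; ++i)
    {
        // normalize the flag bytes to 0/1 so later checks can test them directly
        (g_ref_le_white_list_cache->wl_entries[i]).provision_key = ((p_ref_le_white_list->wl_entries[i]).provision_key) ? 1 : 0;
        (g_ref_le_white_list_cache->wl_entries[i]).match_mr_enclave = ((p_ref_le_white_list->wl_entries[i]).match_mr_enclave) ? 1 : 0;
        copy_reversed_byte_array((uint8_t*)&((g_ref_le_white_list_cache->wl_entries[i]).mr_signer),
            (const uint8_t*)&((p_ref_le_white_list->wl_entries[i]).mr_signer),
            sizeof((g_ref_le_white_list_cache->wl_entries[i]).mr_signer));
        // mr_enclave is only meaningful for entries that ask to match it; otherwise it stays zeroed
        if ((g_ref_le_white_list_cache->wl_entries[i]).match_mr_enclave)
        {
            copy_reversed_byte_array((uint8_t*)&((g_ref_le_white_list_cache->wl_entries[i]).mr_enclave),
                (const uint8_t*)&((p_ref_le_white_list->wl_entries[i]).mr_enclave),
                sizeof((g_ref_le_white_list_cache->wl_entries[i]).mr_enclave));
        }
    }
    g_ref_le_white_list_cache->entries_count = entries_count;
    g_ref_le_white_list_cache->wl_version = wl_version;
    return AE_SUCCESS;
}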
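// Look up the requesting enclave in the cached white list and, if it is permitted to launch,
// fill in and MAC an EINIT token for it.
//
// mrenclave     - measurement of the enclave requesting launch
// mrsigner      - measurement of that enclave's signer (little endian, as stored in the cache)
// se_attributes - attributes the enclave requests; SGX_FLAGS_PROVISION_KEY needs a white list
//                 entry that grants provision_key
// lictoken      - output EINIT token; zeroed on every failure path once it has been touched
//
// Returns AE_SUCCESS with a populated token, LE_INVALID_PARAMETER for NULL or out-of-enclave
// arguments, LE_INVALID_PRIVILEGE_ERROR when no white list entry matches,
// LE_UNEXPECTED_ERROR when the self report or the random key id cannot be obtained,
// LE_GET_EINITTOKEN_KEY_ERROR when EGETKEY fails, and AE_FAILURE when the CMAC fails.
int ref_le_get_launch_token(const sgx_measurement_t* mrenclave, const sgx_measurement_t* mrsigner, const sgx_attributes_t* se_attributes, token_t* lictoken)
{
    int result = AE_SUCCESS;
    if (NULL == mrenclave || NULL == mrsigner || NULL == se_attributes || NULL == lictoken)
    {
        return LE_INVALID_PARAMETER;
    }
    if (!sgx_is_within_enclave(mrenclave, sizeof(sgx_measurement_t)) ||
        !sgx_is_within_enclave(mrsigner, sizeof(sgx_measurement_t)) ||
        !sgx_is_within_enclave(se_attributes, sizeof(sgx_attributes_t)) ||
        !sgx_is_within_enclave(lictoken, sizeof(token_t)))
    {
        return LE_INVALID_PARAMETER;
    }
    // ===== verify privilege =====
    // lookup for launch privileges
    bool valid_priviledge = false;
    uint8_t provision = (se_attributes->flags & SGX_FLAGS_PROVISION_KEY) ? 1 : 0;
    for (uint16_t i = 0; i < g_ref_le_white_list_cache->entries_count; ++i)
    {
        ref_le_white_list_entry_t *current_entry = &(g_ref_le_white_list_cache->wl_entries[i]);
        // an entry matches when: it grants provision_key or the request does not need it,
        // its mr_signer equals the requester's, and either it does not pin mr_enclave or
        // the pinned mr_enclave equals the requester's
        if ((current_entry->provision_key || !provision) &&
            (memcmp(&(current_entry->mr_signer), mrsigner, sizeof(sgx_measurement_t)) == 0) &&
            (!current_entry->match_mr_enclave ||
                (memcmp(&(current_entry->mr_enclave), mrenclave, sizeof(sgx_measurement_t)) == 0))
            )
        {
            valid_priviledge = true;
            break;
        }
    }
    if (!valid_priviledge)
    {
        return LE_INVALID_PRIVILEGE_ERROR;
    }
    // ===== init EINIT token values =====
    // initial EINIT Token and set 0 for all reserved area
    memset(lictoken, 0, sizeof(*lictoken));
    // set EINIT Token valid
    lictoken->body.valid = 1;
    // set EINIT Token mrenclave
    memcpy(&lictoken->body.mr_enclave, mrenclave, sizeof(lictoken->body.mr_enclave));
    // set EINIT Token mrsigner
    memcpy(&lictoken->body.mr_signer, mrsigner, sizeof(lictoken->body.mr_signer));
    // set EINIT Token attributes
    memcpy(&lictoken->body.attributes, se_attributes, sizeof(lictoken->body.attributes));
    // set EINIT Token with platform information from EREPORT
    // create report to get current cpu_svn and isv_svn.
    sgx_report_t report;
    memset(&report, 0, sizeof(report));
    sgx_status_t sgx_stat = sgx_create_report(NULL, NULL, &report);
    if (sgx_stat != SGX_SUCCESS)
    {
        // the token already carries valid = 1 and the caller's measurements; do not leave a
        // partially built token behind, consistent with the other failure paths below
        memset_s(lictoken, sizeof(token_t), 0, sizeof(*lictoken));
        return LE_UNEXPECTED_ERROR;
    }
    memcpy(&lictoken->cpu_svn_le, &(report.body.cpu_svn), sizeof(lictoken->cpu_svn_le));
    lictoken->isv_svn_le = report.body.isv_svn;
    lictoken->isv_prod_id_le = report.body.isv_prod_id;
    lictoken->masked_misc_select_le = report.body.misc_select & DEFAULT_MISC_MASK;
    // MODE64BIT is masked out of the LE's own attributes here and in the key request below
    lictoken->attributes_le.flags = report.body.attributes.flags & ~SGX_FLAGS_MODE64BIT;
    lictoken->attributes_le.xfrm = 0;
    // acquire a random key id for the token
    sgx_stat = sgx_read_rand((uint8_t*)&lictoken->key_id, sizeof(sgx_key_id_t));
    if (sgx_stat != SGX_SUCCESS)
    {
        memset_s(lictoken, sizeof(token_t), 0, sizeof(*lictoken));
        return LE_UNEXPECTED_ERROR;
    }
    // Create key request: the masks and svn/key_id values mirror what was recorded in the token
    sgx_key_request_t key_request;
    memset(&key_request, 0, sizeof(key_request));
    key_request.key_name = SGX_KEYSELECT_EINITTOKEN;
    key_request.attribute_mask.xfrm = 0;
    key_request.attribute_mask.flags = ~SGX_FLAGS_MODE64BIT;
    key_request.misc_mask = DEFAULT_MISC_MASK;
    key_request.isv_svn = lictoken->isv_svn_le;
    memcpy(&key_request.key_id, &lictoken->key_id, sizeof(key_request.key_id));
    memcpy(&key_request.cpu_svn, &(lictoken->cpu_svn_le), sizeof(key_request.cpu_svn));
    sgx_cmac_state_handle_t p_cmac_handle = NULL;
    sgx_key_128bit_t launch_key;
    // ===== calculate the EINIT token =====
    // single-pass do/while(0) so every failure falls through to the common wrap-up below
    do
    {
        // call EGETKEY
        sgx_stat = sgx_get_key(&key_request, &launch_key);
        if (sgx_stat != SGX_SUCCESS)
        {
            result = LE_GET_EINITTOKEN_KEY_ERROR;
            break;
        }
        // generate MAC over the token body with the acquired key
        sgx_stat = sgx_cmac128_init(&launch_key, &p_cmac_handle);
        if (sgx_stat != SGX_SUCCESS)
        {
            result = AE_FAILURE;
            break;
        }
        sgx_stat = sgx_cmac128_update((uint8_t*)&lictoken->body, sizeof(lictoken->body), p_cmac_handle);
        if (sgx_stat != SGX_SUCCESS)
        {
            result = AE_FAILURE;
            break;
        }
        sgx_stat = sgx_cmac128_final(p_cmac_handle, (sgx_cmac_128bit_tag_t*)&lictoken->mac);
        if (sgx_stat != SGX_SUCCESS)
        {
            result = AE_FAILURE;
            break;
        }
    } while (0);
    // ===== wrap up =====
    // clear launch_key after being used (memset_s so the wipe is not optimized away)
    memset_s(&launch_key, sizeof(sgx_key_128bit_t), 0, sizeof(launch_key));
    // close CMAC handle (NULL when init failed or was never reached)
    if (p_cmac_handle != NULL)
    {
        sgx_cmac128_close(p_cmac_handle);
    }
    // on failure, clear the EINIT token
    if (result != AE_SUCCESS)
    {
        memset_s(lictoken, sizeof(token_t), 0, sizeof(*lictoken));
    }
    return result;
}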
  285. }