helper.cpp 8.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237
  1. /*
  2. * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * * Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. * * Redistributions in binary form must reproduce the above copyright
  11. * notice, this list of conditions and the following disclaimer in
  12. * the documentation and/or other materials provided with the
  13. * distribution.
  14. * * Neither the name of Intel Corporation nor the names of its
  15. * contributors may be used to endorse or promote products derived
  16. * from this software without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  22. * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  23. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  24. * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28. * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. *
  30. */
  31. /**
  32. * File: helper.cpp
  33. * Description: Cpp file to some helper function to extract some enclave information
  34. *
  35. * Wrap functions to get PPID, PWK, PSID, PSVN, PSK and seal/unseal function
  36. */
  37. #include "helper.h"
  38. #include "string.h"
  39. #include "sgx_error.h"
  40. #include "sgx_utils.h"
  41. #include "cipher.h"
  42. #include "sgx_trts.h"
  43. #include "sgx_tcrypto.h"
  44. #include <stdlib.h>
  45. #include "byte_order.h"
  46. #include "util.h"
  47. //Function to get provisioning key using the provided PSVN
  48. //If the psvn is NULL, both CPUSVN and ISVSVN is set to 0 (used for PPID generation only)
  49. //Input: psvn, the psvn used to generate provisioning key
  50. //Output: key, the provisioning key to return
  51. // return PVEC_SUCCESS on success
  52. static pve_status_t get_provision_key(sgx_key_128bit_t *key, const psvn_t *psvn)
  53. {
  54. sgx_status_t se_ret = SGX_SUCCESS;
  55. sgx_key_request_t wrap_key_req;
  56. //memset here will also set cpusvn isvsvn to 0 for the case when psvn==NULL
  57. memset(&wrap_key_req, 0, sizeof(sgx_key_request_t));
  58. if(psvn==NULL){
  59. //keeping isv_svn and cpu_svn all 0 according to spec (this is for calcuation of PPID)
  60. }else{
  61. memcpy(&wrap_key_req.cpu_svn, &psvn->cpu_svn, sizeof(wrap_key_req.cpu_svn));
  62. memcpy(&wrap_key_req.isv_svn, &psvn->isv_svn, sizeof(wrap_key_req.isv_svn));
  63. }
  64. wrap_key_req.key_name = SGX_KEYSELECT_PROVISION; //provisioning key
  65. wrap_key_req.attribute_mask.xfrm = 0;
  66. wrap_key_req.misc_mask = 0xFFFFFFFF;
  67. wrap_key_req.attribute_mask.flags = ~SGX_FLAGS_MODE64BIT; //set all bits except the SGX_FLAGS_MODE64BIT
  68. se_ret = sgx_get_key(&wrap_key_req, key);
  69. if(SGX_SUCCESS != se_ret)
  70. {
  71. return sgx_error_to_pve_error(se_ret);
  72. }
  73. return PVEC_SUCCESS;
  74. }
  75. pve_status_t get_ppid(ppid_t* ppid)
  76. {
  77. sgx_key_128bit_t key_tmp;
  78. sgx_status_t sgx_status = SGX_SUCCESS;
  79. memset(&key_tmp, 0, sizeof(key_tmp));
  80. //get Provisioning Key with both CPUSVN and ISVSVN set to 0
  81. pve_status_t status = get_provision_key(&key_tmp, NULL);
  82. if(status != PVEC_SUCCESS){
  83. (void)memset_s(&key_tmp,sizeof(key_tmp), 0, sizeof(key_tmp));
  84. return status;
  85. }
  86. uint8_t content[16];
  87. memset(&content, 0, sizeof(content));
  88. //generate the mac as PPID
  89. se_static_assert(sizeof(sgx_cmac_128bit_key_t) == sizeof(sgx_key_128bit_t)); /*size of sgx_cmac_128bit_key_t and sgx_key_128bit_t should be same*/
  90. se_static_assert(sizeof(sgx_cmac_128bit_tag_t) == sizeof(ppid_t)); /*size of sgx_cmac_128bit_tag_t and ppit_t should be same*/
  91. if((sgx_status=sgx_rijndael128_cmac_msg(reinterpret_cast<const sgx_cmac_128bit_key_t *>(&key_tmp),
  92. content, sizeof(content), reinterpret_cast<sgx_cmac_128bit_tag_t *>(ppid)))!=SGX_SUCCESS){
  93. status = sgx_error_to_pve_error(sgx_status);
  94. }else{
  95. status = PVEC_SUCCESS;
  96. }
  97. (void)memset_s(&key_tmp,sizeof(key_tmp), 0, sizeof(key_tmp));//clear provisioning key in stack
  98. return status;
  99. }
  100. #define PROV_WRAP_2 "PROV_WRAP_2"
  101. #define PROV_WRAP_2_LEN 11
  102. #define START_OFF_PROV_WRAP_2 1
  103. #define START_OFF_NONCE_2 14
  104. #define OFF_BYTE_ZERO 30
  105. #define OFF_BYTE_0X80 31
  106. //Get Provisioning Wrap2 Key with respect to the PSVN
  107. pve_status_t get_pwk2(
  108. const psvn_t* psvn,
  109. const uint8_t n2[NONCE_2_SIZE],
  110. sgx_key_128bit_t* wrap_key)
  111. {
  112. if( psvn == NULL)
  113. return PVEC_PARAMETER_ERROR;
  114. uint8_t content[32];
  115. sgx_status_t sgx_status = SGX_SUCCESS;
  116. sgx_key_128bit_t key_tmp;
  117. pve_status_t status = PVEC_SUCCESS;
  118. memset(&key_tmp, 0, sizeof(key_tmp));
  119. status = get_provision_key(&key_tmp, psvn); //Generate Provisioning Key with respect to the psvn
  120. if(status != PVEC_SUCCESS)
  121. goto ret_point;
  122. memset(&content, 0, sizeof(content));
  123. content[0] = 0x01;
  124. memcpy(&content[START_OFF_PROV_WRAP_2], PROV_WRAP_2, PROV_WRAP_2_LEN); // byte 1-11 : "PROV_WRAP_2" (ascii encoded)
  125. memcpy(&content[START_OFF_NONCE_2], n2, NONCE_2_SIZE);
  126. content[OFF_BYTE_ZERO] = 0x00; //fill zero in byte offset 30
  127. content[OFF_BYTE_0X80] = 0x80; //fill 0x80 in byte offset 31
  128. //get the cmac of provision key as PWK2
  129. se_static_assert(sizeof(sgx_cmac_128bit_key_t)==sizeof(key_tmp)); /*size of sgx_cmac_128bit_key_t should be same as sgx_key_128bit_t*/
  130. se_static_assert(sizeof(sgx_cmac_128bit_tag_t)==sizeof(sgx_key_128bit_t)); /*size of sgx_cmac_128bit_tag_t should be same as sgx_key_128bit_t*/
  131. if((sgx_status = sgx_rijndael128_cmac_msg(reinterpret_cast<const sgx_cmac_128bit_key_t *>(&key_tmp),
  132. reinterpret_cast<const uint8_t *>(content), sizeof(content),
  133. reinterpret_cast<sgx_cmac_128bit_tag_t *>(wrap_key)))!=SGX_SUCCESS){
  134. status = sgx_error_to_pve_error(sgx_status);
  135. }else{
  136. status = PVEC_SUCCESS;
  137. }
  138. ret_point:
  139. (void)memset_s(&key_tmp,sizeof(key_tmp), 0 ,sizeof(key_tmp)); //clear provisioninig key in stack
  140. return status;
  141. }
  142. //Function to generate Provisioning Sealing Key given the psvn
  143. //The key is used to seal the private parameter f before sending to backend server
  144. pve_status_t get_pve_psk(
  145. const psvn_t* psvn,
  146. sgx_key_128bit_t* seal_key)
  147. {
  148. sgx_status_t se_ret = SGX_SUCCESS;
  149. sgx_key_request_t seal_key_req;
  150. if(psvn == NULL)
  151. return PVEC_PARAMETER_ERROR;
  152. memset(&seal_key_req, 0, sizeof(sgx_key_request_t));
  153. memcpy(&seal_key_req.cpu_svn, &psvn->cpu_svn, SGX_CPUSVN_SIZE);
  154. memcpy(&seal_key_req.isv_svn, &psvn->isv_svn, sizeof(psvn->isv_svn));
  155. seal_key_req.key_name = SGX_KEYSELECT_PROVISION_SEAL; //provisioning sealling key
  156. seal_key_req.attribute_mask.xfrm = 0;
  157. seal_key_req.attribute_mask.flags = ~SGX_FLAGS_MODE64BIT;
  158. se_ret = sgx_get_key(&seal_key_req, seal_key);
  159. if(SGX_SUCCESS != se_ret)
  160. {
  161. return sgx_error_to_pve_error(se_ret);
  162. }
  163. return PVEC_SUCCESS;
  164. }
  165. //simple wrapper for memcpy but checking type of parameter
  166. void pve_memcpy_out(external_memory_byte_t *dst, const void *src, uint32_t size)
  167. {
  168. memcpy(dst, src, size);
  169. }
  170. void pve_memcpy_in(void *dst, const external_memory_byte_t *src, uint32_t size)
  171. {
  172. memcpy(dst, src, size);
  173. }
  174. pve_status_t se_read_rand_error_to_pve_error(sgx_status_t error)
  175. {
  176. if(error == SGX_SUCCESS)return PVEC_SUCCESS;
  177. else if(error == SGX_ERROR_INVALID_PARAMETER) return PVEC_UNEXPECTED_ERROR;
  178. else return PVEC_READ_RAND_ERROR; //read rand hardware error
  179. }
  180. pve_status_t epid_error_to_pve_error(EpidStatus epid_result)
  181. {
  182. if(kEpidNoErr == epid_result)
  183. return PVEC_SUCCESS;
  184. switch(epid_result){
  185. case kEpidMemAllocErr:
  186. case kEpidNoMemErr:
  187. return PVEC_MALLOC_ERROR;
  188. case kEpidSigInvalid:
  189. return PVEC_INVALID_EPID_KEY;
  190. default:
  191. return PVEC_EPID_ERROR;
  192. }
  193. }
  194. pve_status_t sgx_error_to_pve_error(sgx_status_t status)
  195. {
  196. switch(status){
  197. case SGX_SUCCESS:
  198. return PVEC_SUCCESS;
  199. case SGX_ERROR_OUT_OF_MEMORY:
  200. return PVEC_MALLOC_ERROR;
  201. case SGX_ERROR_INVALID_CPUSVN:
  202. case SGX_ERROR_INVALID_ISVSVN:
  203. return PVEC_INVALID_CPU_ISV_SVN;
  204. default:
  205. return PVEC_SE_ERROR;
  206. }
  207. }