Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sgxs-sign support offline signing #327

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

sgxs-sign support offline signing #327

wants to merge 4 commits into from

Conversation

ravenac95
Copy link
Contributor

This PR adds support to sgxs-sign for an offline signing process for enclaves. This should allow for things like HSMs to be part of the signing ceremony for enclaves created with this sdk.

Notes:

  • The cli was updated in such a way that it should maintain backwards compatibility.
  • sgxs-sign now has subcommands that mirror those available with intel's sgx sdk. These subcommands are:
    • sign - This is the same as the original sgxs-sign behavior
    • gendata - Generates a hash of the sigstruct data to be signed
    • catsig - Adds a signature to a sigstruct
  • A new subcommand command verify validates a SIGSTRUCT against a given public key (the enclave hash is not validated but is output to stdout).

@ravenac95 ravenac95 mentioned this pull request Apr 1, 2021
Open
@jethrogb
Copy link
Member

jethrogb commented Apr 1, 2021
edited
Loading

Thanks for the PR! I'd certainly like to support signing with key that's not just stored on disk. However, I'm not sure if the proposed flow is the right UX. As mentioned in #184 (comment), I'm thinking more along the lines of different implementations of sgxs::crypto::SgxRsaOps, for example PKCS#11 or KMIP. Would that work for you?

@ravenac95
Copy link
Contributor Author

@jethrogb Thanks for the quick response! Completely understand this isn't ideal UX. There was a practical reason on my side, I didn't want to install too many things on an airgapped device. That being said, I think you're right that ultimately that's a nicer UX. Would you be open to supporting both experiences?

@trevor-crypto
Copy link

I'm thinking more along the lines of different implementations of sgxs::crypto::SgxRsaOps,

This is exactly what I have done for multiple types of signing. It worked out nicely.

@arai-fortanix arai-fortanix mentioned this pull request Dec 21, 2022
Merged
bors bot added a commit that referenced this pull request Jan 3, 2023
@bors @ravenac95 @arai-fortanix
Merge #429
9c4589c 
429: sgxs crate changes to enable offline signing r=[Pagten] a=arai-fortanix

This change adds new interfaces to the `sgxs` crate to make it possible to sign enclaves separately from creating the sigstructs. This is useful, for example, for performing signing via an HSM.

The first two commits in this sequence come from this pull request from ravenac95: #327. I did not include the changes to the command-line sgx-sign tool from that pull request. I think we can have a separate discussion about whether we want to support that model. The library changes should be less controversial.

I also included a change to expose the hash bytes from an EnclaveHash object. That comes from #341 from trevor-crypto.

This change should be backward-compatible with old code using this crate. New code that wants to use the new `cat_sign()` method and is using a custom key implementation will need to provide the new `SgxRsaPubOps()` trait for calculating the Q1 and Q2 values from a signature, instead of doing this during signing.

Co-authored-by: Reuven V. Gonzales <[email protected]>
Co-authored-by: Daniel Arai <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ravenac95 @jethrogb @trevor-crypto