Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

runtime: Do SGX enclave signing ourself #2893

Merged
merged 6 commits into from
May 14, 2020
Merged

runtime: Do SGX enclave signing ourself #2893

merged 6 commits into from
May 14, 2020

Conversation

Yawning
Copy link
Contributor

@Yawning Yawning commented May 7, 2020
edited
Loading

  • Add the ability to generate signed SIGSTRUCTs, without using the fortanix SGX SDK.
  • Generate and pass the signature to the runtime loader (with a mock key for now).

@Yawning Yawning added the c:common Category: common libraries label May 7, 2020
@Yawning Yawning self-assigned this May 7, 2020
@codecov
Copy link

codecov bot commented May 7, 2020
edited
Loading

Codecov Report

Merging #2893 into master will decrease coverage by 0.17%.
The diff coverage is 61.56%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #2893      +/-   ##
==========================================
- Coverage   68.16%   67.98%   -0.18%     
==========================================
  Files         354      357       +3     
  Lines       34347    34597     +250     
==========================================
+ Hits        23411    23521     +110     
- Misses       7961     8056      +95     
- Partials     2975     3020      +45
Impacted Files Coverage Δ
go/common/sgx/ias/quote.go 77.00% <33.33%> (-0.46%) ⬇️
go/runtime/host/sgx/sgx.go 72.48% <48.88%> (-8.31%) ⬇️
go/common/sgx/common.go 68.68% <50.00%> (+2.02%) ⬆️
go/common/sgx/fortanix_dummy.go 50.00% <50.00%> (ø)
go/runtime/host/sandbox/sandbox.go 75.19% <50.00%> (-1.08%) ⬇️
go/worker/common/config.go 61.29% <60.00%> (-0.62%) ⬇️
go/common/sgx/sigstruct/debug_builder.go 68.42% <68.42%> (ø)
go/common/sgx/sigstruct/sigstruct.go 69.12% <69.12%> (ø)
go/common/sgx/ias/avr.go 41.61% <100.00%> (-0.37%) ⬇️
go/worker/compute/executor/committee/state.go 74.07% <0.00%> (-11.12%) ⬇️
... and 41 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9152bad...2a90ba4. Read the comment docs.

@Yawning Yawning force-pushed the yawning/feature/sgx-sigstruct branch from cb1c995 to d794d8f Compare May 7, 2020 13:34
@Yawning Yawning changed the title runtime: Do SGX enclave signing ourself. runtime: Do SGX enclave signing ourself May 7, 2020
@Yawning Yawning force-pushed the yawning/feature/sgx-sigstruct branch 6 times, most recently from b33c331 to 029e714 Compare May 13, 2020 13:48
@Yawning Yawning marked this pull request as ready for review May 13, 2020 13:48
kostko
kostko approved these changes May 13, 2020
View reviewed changes
go/runtime/host/sgx/sgx.go Outdated Show resolved Hide resolved
kostko
kostko reviewed May 13, 2020
View reviewed changes
go/worker/common/config.go Outdated Show resolved Hide resolved
go/worker/common/config.go Outdated Show resolved Hide resolved
go/worker/common/config.go Show resolved Hide resolved
Yawning added 6 commits May 14, 2020 07:22
@Yawning
go/common/sgx/sigstruct: Add the ability to create SGX SIGSTRUCTS
5b5ea45 
This structure has mountains of brain damage including but not limited
to:
 * 1 BCD encoded date.
 * 4 little endian(!) 3072 bit big ints.
 * 2 pre-computed big ints, because terrorizing developers is preferable
   to fully implementing RSA.
@Yawning
go/common/sgx: Move encave attributes type to the sgx package
9fdd162 
This was only used for IAS, but now that SIGSTRUCT generation is a
thing, it's better in the common sgx package.
@Yawning
go/common/sgx: Include the Fortanix enclave-runner signing key
1d2085a 
 * The private key is now included, and accessible with enough flags.
 * The MRSIGNER now lives in the sgx package instead of the IAS one.

There's nothing stopping us from generating yet another key for this
and using the new key as the oasis test key, but there's also no
compelling reason that I can see to do so.
@Yawning
runtime-loader: Use a file backed SIGSTRUCT (--signature)
4f2d711 
Instead of using the Fortanix SGX runtime's dummy signer, a new argument
`--signature` is added for sgxs enclaves, for the purpose of specifying
the path to a pre-generated SIGSTRUCT.
@Yawning
go/common/sgx/sigstruct: Add Verify
757ae37 
Being able to verify these is also probably useful.
@Yawning
go/runtime/host/sgx: Add support for SIGSTRUCTs
2a90ba4 
For now this will just generate one, signed with the same key that
`runtime-loader` used to use (the Fortanix dummy key), but this will
also support using file backed signatures, once we have an idea on how
we are going to handle the process for such things.
@Yawning Yawning force-pushed the yawning/feature/sgx-sigstruct branch from 0c10cb2 to 2a90ba4 Compare May 14, 2020 07:29
@Yawning Yawning merged commit edb8515 into master May 14, 2020
@Yawning Yawning deleted the yawning/feature/sgx-sigstruct branch May 14, 2020 07:52
@Yawning Yawning mentioned this pull request May 14, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kostko kostko kostko approved these changes

@peterjgilbert peterjgilbert Awaiting requested review from peterjgilbert peterjgilbert is a code owner

@pro-wh pro-wh Awaiting requested review from pro-wh pro-wh is a code owner

Assignees

@Yawning Yawning

Labels
c:common Category: common libraries
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Yawning @kostko