From e00babeb5167fdce14daf590359fc53272ba3e03 Mon Sep 17 00:00:00 2001
From: Jernej Kos
Date: Sat, 5 Mar 2022 14:33:22 +0100
Subject: [PATCH] go/runtime/bundle: Verify SGX signature if present
---
 .changelog/4542.internal.md | 1 +
 go/runtime/bundle/bundle.go | 27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 .changelog/4542.internal.md
diff --git a/.changelog/4542.internal.md b/.changelog/4542.internal.md
new file mode 100644
index 00000000000..91e3066228b
--- /dev/null
+++ b/.changelog/4542.internal.md
@@ -0,0 +1 @@
+go/runtime/bundle: Verify SGX signature if present
diff --git a/go/runtime/bundle/bundle.go b/go/runtime/bundle/bundle.go
index 397bb96a204..2924538c3dc 100644
--- a/go/runtime/bundle/bundle.go
+++ b/go/runtime/bundle/bundle.go
@@ -12,6 +12,7 @@ import (
 
 "github.com/oasisprotocol/oasis-core/go/common/crypto/hash"
 "github.com/oasisprotocol/oasis-core/go/common/sgx"
+ "github.com/oasisprotocol/oasis-core/go/common/sgx/sigstruct"
 )
 
 // Bundle is a runtime bundle instance.
@@ -80,6 +81,11 @@ func (bnd *Bundle) Validate() error {
 }
 }
 
+ // Make sure the SGX signature is valid if it exists.
+ if err := bnd.verifySgxSignature(); err != nil {
+ return err
+ }
+
 return nil
 }
 
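Review bot: The new failure path in Validate is not exercised by any test in this commit; the diffstat lists only the changelog entry and bundle.go. A case that pairs a sigstruct with a different SGXS, and one with corrupted signature bytes, would pin both error returns of `verifySgxSignature`. Since the `// Ensure the bundle is well-formed.` step in Write presumably calls Validate, a stale signature would now also block writing a bundle, which is worth stating in Validate's doc comment. Validate's body starts outside this hunk.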
@@ -120,6 +126,27 @@ func (bnd *Bundle) MrEnclave() (*sgx.MrEnclave, error) {
 return &mrEnclave, nil
 }
 
+func (bnd *Bundle) verifySgxSignature() error {
+ if bnd.Manifest.SGX == nil || bnd.Manifest.SGX.Signature == "" {
+ return nil
+ }
+
+ mrEnclave, err := bnd.MrEnclave()
+ if err != nil {
+ return err
+ }
+ _, sigStruct, err := sigstruct.Verify(bnd.Data[bnd.Manifest.SGX.Signature])
+ if err != nil {
+ return fmt.Errorf("runtime/bundle: failed to verify sigstruct: %w", err)
+ }
+
+ if sigStruct.EnclaveHash != *mrEnclave {
+ return fmt.Errorf("runtime/bundle: sigstruct does not match SGXS (got: %s expected: %s)", sigStruct.EnclaveHash, *mrEnclave)
+ }
+
+ return nil
+}
+
 // Write serializes a runtime bundle to the on-disk representation.
 func (bnd *Bundle) Write(fn string) error {
 // Ensure the bundle is well-formed.
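Review bot: `verifySgxSignature` has no doc comment and discards the first value returned by `sigstruct.Verify` (presumably the signer's key), so a reader cannot tell what passing this check guarantees. As written it shows that the sigstruct verifies and that its `EnclaveHash` equals the bundle's MRENCLAVE; it does not constrain who signed it, and a manifest with an empty `Signature` passes unchecked. I would add `// verifySgxSignature checks that the sigstruct named in the manifest, if any, verifies and matches the bundle's MRENCLAVE. It does not pin the signer; callers that need a trusted signer must check that separately.` Also, `bnd.Data[bnd.Manifest.SGX.Signature]` yields nil when the named file is absent, so unless an earlier step in Validate (outside this hunk) guarantees it is present, a missing file is reported as a sigstruct verification failure rather than as a missing bundle entry.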