Implemented Key Sharing and Seperation Config id Feature for Singleton.

Signed-off-by: Karthika Murthy <[email protected]>

Author: karthikamurthy

enclave_manager/avalon_enclave_manager/singleton/singleton_enclave_info.py

@@ -42,7 +42,7 @@ def __init__(self, config, worker_id, enclave_type):
         self._worker_id = worker_id
         super().__init__(config, enclave_type)
 
-        self._initialize_enclave()
+        self._initialize_enclave(config)
         enclave_info = self._create_enclave_signup_data()
         try:
             self.sealed_data = enclave_info['sealed_data']
@@ -96,8 +96,11 @@ def _create_signup_info(self):
         """
 
         signup_cpp_obj = enclave.SignupInfoSingleton()
+        if self._config.get("kss_config") is not None:
+            signup_data = signup_cpp_obj.CreateEnclaveData(self._config.get("kss_config"))
+        else:
+            signup_data = signup_cpp_obj.CreateEnclaveData()
 
-        signup_data = signup_cpp_obj.CreateEnclaveData()
         if signup_data is None:
             return None
 
@@ -164,10 +167,16 @@ def _init_enclave_with(self, signed_enclave):
         """
         # Get sealed data if persisted from previous startup
         persisted_sealed_data = file_utils.read_file(
-            self._get_sealed_data_file_name(self._config["sealed_data_path"],
-                                            self._worker_id))
-        return self._attestation.init_enclave_info(
-            signed_enclave, persisted_sealed_data,
-            int(self._config['num_of_enclaves']))
+            self._get_sealed_data_file_name(config["sealed_data_path"],
+                                           self._worker_id))
+
+        if config.get("kss_config") is not None:
+            return enclave.tcf_enclave_info(
+                signed_enclave, config['spid'], persisted_sealed_data,
+                int(config['num_of_enclaves']), config.get("kss_config"))
+        else :
+            return enclave.tcf_enclave_info(
+                signed_enclave, config['spid'], persisted_sealed_data,
+                int(config['num_of_enclaves']))
 
     # -----------------------------------------------------------------

enclave_manager/avalon_enclave_manager/singleton/singleton_enclave_manager.py

@@ -119,6 +119,7 @@ def main(args=None):
     parser.add_argument("--config-dir", help="configuration folder", nargs="+")
     parser.add_argument("--worker_id",
                         help="Id of worker in plain text", type=str)
+    parser.add_argument("--kss_config", help="Key sharing and separation configuration id", type=str)
 
     (options, remainder) = parser.parse_known_args(args)
 
@@ -138,6 +139,9 @@ def main(args=None):
     if options.worker_id:
         config["WorkerConfig"]["worker_id"] = options.worker_id
 
+    if options.kss_config:
+        config["EnclaveModule"]["kss_config"] = options.kss_config
+
     plogger.setup_loggers(config.get("Logging", {}))
     sys.stdout = plogger.stream_to_logger(
         logging.getLogger("STDOUT"), logging.DEBUG)

tc/sgx/trusted_worker_manager/enclave/kme/signup_enclave_kme.cpp

@@ -22,6 +22,7 @@
 #include <sgx_tseal.h>
 #include <sgx_utils.h>
 #include <sgx_quote.h>
+#include <sgx_key.h>
 
 #include "crypto.h"
 #include "error.h"

tc/sgx/trusted_worker_manager/enclave/wpe/signup_enclave_wpe.cpp

@@ -22,6 +22,7 @@
 
 #include <sgx_utils.h>
 #include <sgx_quote.h>
+#include <sgx_key.h>
 
 #include "crypto.h"
 #include "error.h"

tc/sgx/trusted_worker_manager/enclave_untrusted/enclave_bridge/base.cpp

@@ -48,19 +48,6 @@ int tcf::enclave_api::base::IsSgxSimulator() {
 #endif  // defined(SGX_SIMULATOR)
 }  // tcf::enclave_api::base::IsSgxSimulator
 
-
-// XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-tcf::enclave_queue::ReadyEnclave tcf::enclave_api::base::GetReadyEnclave() {
-    return tcf::enclave_queue::ReadyEnclave(g_EnclaveReadyQueue);
-}  // tcf::enclave_api::base::GetReadyEnclaveIndex
-
-
-// XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-void tcf::enclave_api::base::SetLastError(
-    const std::string& message) {
-    g_LastError = message;
-}  // tcf::enclave_api::base::SetLastError
-
 // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 std::string tcf::enclave_api::base::GetLastError(void) {
     return g_LastError;
@@ -71,7 +58,8 @@ tcf_err_t tcf::enclave_api::base::Initialize(
     const std::string& inPathToEnclave,
     const Attestation *attestation,
     const std::string& persisted_sealed_data,
-    const int numOfEnclaves) {
+    const int numOfEnclaves,
+    const uint8_t (&kss_config_id)[SGX_CONFIGID_SIZE]) {
     tcf_err_t ret = TCF_SUCCESS;
 
     try {
@@ -86,7 +74,7 @@ tcf_err_t tcf::enclave_api::base::Initialize(
             }
 
             for (tcf::enclave_api::Enclave& enc : g_Enclave) {
-                enc.Load(inPathToEnclave, persisted_sealed_data);
+                enc.Load(inPathToEnclave, persisted_sealed_data, kss_config_id);
             }
 
             g_IsInitialized = true;

tc/sgx/trusted_worker_manager/enclave_untrusted/enclave_bridge/base.h

@@ -17,7 +17,7 @@
 
 #include <stdlib.h>
 #include <string>
-
+#include "sgx_key.h"
 #include "error.h"
 #include "tcf_error.h"
 #include "types.h"
@@ -60,10 +60,12 @@ namespace tcf {
               persisted_sealed_data - Sealed data persisted from last bootup
               numOfEnclaves -- Number of worker enclaves to create
             */
+
             tcf_err_t Initialize(const std::string& inPathToEnclave,
                 const Attestation *attestation,
                 const std::string& persisted_sealed_data,
-                const int numOfEnclaves);
+                const int numOfEnclaves,
+                const uint8_t (&kss_config_id)[SGX_CONFIGID_SIZE]);
 
             /*
               Stop Avalon services

tc/sgx/trusted_worker_manager/enclave_untrusted/enclave_bridge/enclave.cpp

@@ -70,15 +70,21 @@ namespace tcf {
         // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         void Enclave::Load(
             const std::string& inEnclaveFilePath,
-            const Base64EncodedString& inSealedEnclaveData) {
+            const Base64EncodedString& inSealedEnclaveData,
+            const uint8_t (&kss_config_id)[SGX_CONFIGID_SIZE]) {
             tcf::error::ThrowIf<tcf::error::ValueError>(
                 inEnclaveFilePath.empty() ||
                 inEnclaveFilePath.length() > PATH_MAX,
                 "Invalid enclave path.");
 
             this->Unload();
             this->enclaveFilePath = inEnclaveFilePath;
+            for(int i=0; i <SGX_CONFIGID_SIZE;i++ ){
+                this->_kss_config[i] = kss_config_id[i];
+            }
+
             this->LoadEnclave(inSealedEnclaveData);
+
         }  // Enclave::Load
 
         // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
@@ -114,6 +120,11 @@ namespace tcf {
 		"Attestation object is not initialized"
 	    );
 	    this->attestation->CreateQuoteFromReport(inEnclaveReport, outEnclaveQuote);
+        
+        sgx_quote_t* enclaveQuote =
+                reinterpret_cast<sgx_quote_t *>(&outEnclaveQuote[0]);
+        tcf::Log(TCF_LOG_INFO,"KSS Config Id added to the EnclaveQuote : %s\n", enclaveQuote->report_body.config_id );
+
         }  // Enclave::GenerateSignupData
 
 
@@ -137,7 +148,6 @@ namespace tcf {
             if (!this->enclaveId) {
                 /* Enclave id, used in communicating with enclave */
                 Enclave::QuerySgxStatus();
-
                 sgx_launch_token_t token = { 0 };
                 int flags = SGX_DEBUG_FLAG;
                 tcf::error::ThrowSgxError((SGX_DEBUG_FLAG == 0 ?
@@ -147,7 +157,9 @@ namespace tcf {
 
                 // First attempt to load the enclave executable
                 sgx_status_t ret = SGX_SUCCESS;
-                ret = tcf::sgx_util::CallSgx([this, flags, &token] () {
+                if(this->_kss_config[0] == NULL){
+                    
+                    ret = tcf::sgx_util::CallSgx([this, flags, &token] () {
                         int updated = 0;
                         return sgx_create_enclave(
                             this->enclaveFilePath.c_str(),
@@ -160,7 +172,30 @@ namespace tcf {
                     10,  // retries
                     250  // retryWaitMs
                     );
-                tcf::error::ThrowSgxError(ret, "Unable to create enclave.");
+                    tcf::error::ThrowSgxError(ret, "Unable to create enclave.");
+                    
+                } else {
+                    tcf::Log(TCF_LOG_INFO, "Enclave::sgx_create_enclave_ex called" );
+                    void *enclave_ex_p[32] = { 0 };
+                    enclave_ex_p[SGX_CREATE_ENCLAVE_EX_KSS_BIT_IDX] = &this->_kss_config;
+                    
+                    ret = tcf::sgx_util::CallSgx([this, flags, &token, enclave_ex_p] () {
+                        int updated = 0;
+                        return sgx_create_enclave_ex(
+                                                this->enclaveFilePath.c_str(),
+                                                flags,
+                                                &token,
+                                                &updated,
+                                                &this->enclaveId,
+                                                NULL,
+                                                SGX_CREATE_ENCLAVE_EX_KSS,
+                                                (const void** )enclave_ex_p);
+                    },
+                    10,  // retries
+                    250  // retryWaitMs
+                    );
+                     tcf::error::ThrowSgxError(ret, "Unable to create enclave with Config id");
+                }
                 // Initialize the enclave
                 tcf_err_t tcfError = TCF_SUCCESS;
 

tc/sgx/trusted_worker_manager/enclave_untrusted/enclave_bridge/enclave.h

@@ -19,6 +19,7 @@
 #include <string>
 #include <vector>
 
+#include "sgx_key.h"
 #include "error.h"
 #include "tcf_error.h"
 #include "types.h"
@@ -36,7 +37,8 @@ namespace tcf {
 
             void Load(
                 const std::string& inEnclaveFilePath,
-                const Base64EncodedString& inSealedEnclaveData);
+                const Base64EncodedString& inSealedEnclaveData,
+                const uint8_t (&kss_config_id)[SGX_CONFIGID_SIZE]);
 
             void Unload();
 
@@ -73,6 +75,7 @@ namespace tcf {
 	    void LoadEnclave(
                 const Base64EncodedString& persistedSealedEnclaveData = "");
 
+
 #ifdef BUILD_SINGLETON
             tcf_err_t VerifyEnclaveInfoSingleton(
 		const std::string& enclave_info,
@@ -102,7 +105,11 @@ namespace tcf {
             size_t sealedSignupDataSize;
 
             std::string enclaveError;
-	    Attestation *attestation;
+
+
+        private:
+            uint8_t _kss_config[SGX_CONFIGID_SIZE] = {NULL};
+            Attestation *attestation;
 
         };  // class Enclave
 

tc/sgx/trusted_worker_manager/enclave_untrusted/enclave_bridge/kme/signup_kme.h

@@ -17,6 +17,7 @@
 #pragma once
 
 #include <stdlib.h>
+#include <sgx_key.h>
 
 #include "types.h"
 #include "signup.h"

tc/sgx/trusted_worker_manager/enclave_untrusted/enclave_bridge/singleton/signup_singleton.cpp

@@ -27,8 +27,10 @@
 #include "signup_singleton.h"
 #include "sgx_utility.h"
 
+
 // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 tcf_err_t SignupDataSingleton::CreateEnclaveData(
+    const uint8_t (&kss_config_id)[SGX_CONFIGID_SIZE],
     StringArray& outPublicEnclaveData,
     Base64EncodedString& outSealedEnclaveData,
     Base64EncodedString& outEnclaveQuote) {
@@ -50,6 +52,9 @@ tcf_err_t SignupDataSingleton::CreateEnclaveData(
         // We need target info in order to create signup data report
         sgx_target_info_t target_info = { 0 };
         sgx_epid_group_id_t epidGroupId = { 0 };
+        sgx_config_id_t config_id = { 0 };
+
+
         sresult = tcf::sgx_util::CallSgx(
                 [&target_info,
                  &epidGroupId] () {
@@ -62,6 +67,8 @@ tcf_err_t SignupDataSingleton::CreateEnclaveData(
         // Properly size the sealed signup data buffer for the caller
         // and call into the enclave to create the signup data
         sgx_report_t enclave_report = { 0 };
+        for(int i=0; i <SGX_CONFIGID_SIZE;i++ ){
+            config_id[i] = kss_config_id[i];}
 
         sresult = tcf::sgx_util::CallSgx(
             [enclaveid,
@@ -88,11 +95,17 @@ tcf_err_t SignupDataSingleton::CreateEnclaveData(
         outSealedEnclaveData = \
             ByteArrayToBase64EncodedString(sealed_enclave_data_buffer);
 
+        memcpy(
+            enclave_report.body.config_id,
+            config_id,
+            sizeof(sgx_config_id_t));
+
         // Take the report generated and create a quote for it, encode it
         size_t quote_size = tcf::enclave_api::base::GetEnclaveQuoteSize();
         ByteArray enclave_quote_buffer(quote_size);
         g_Enclave[0].CreateQuoteFromReport(&enclave_report, enclave_quote_buffer);
         outEnclaveQuote = ByteArrayToBase64EncodedString(enclave_quote_buffer);
+
     } catch (tcf::error::Error& e) {
         tcf::enclave_api::base::SetLastError(e.what());
         result = e.error_code();