提交 2c5620e8 编写于 作者: Y YiLin.Li 提交者: jia zhang

rune/libenclave: Support to IAS remote attestation when Enclave Runtime started.

Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>
上级 28f51f18
...@@ -25,7 +25,7 @@ func (pal *enclaveRuntimeCore) Init(args string, logLevel string) (err error) { ...@@ -25,7 +25,7 @@ func (pal *enclaveRuntimeCore) Init(args string, logLevel string) (err error) {
return fmt.Errorf("enclave runtime core Init() unimplemented") return fmt.Errorf("enclave runtime core Init() unimplemented")
} }
func (pal *enclaveRuntimeCore) Attest() (err error) { func (pal *enclaveRuntimeCore) Attest(string, string, uint32, uint32) (err error) {
return fmt.Errorf("enclave runtime core Attest() unimplemented") return fmt.Errorf("enclave runtime core Attest() unimplemented")
} }
......
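Review bot: The new parameters of the core stub's Attest are unnamed (`Attest(string, string, uint32, uint32)`), so a reader of this file cannot tell what the two strings and two uint32 values mean, and it diverges from the named form used by LaunchAttestation in the wrapper. Naming them costs nothing and makes the stub self-describing: `func (pal *enclaveRuntimeCore) Attest(spid string, subscriptionKey string, product uint32, quoteType uint32) (err error) {`. The rest of the stub body is unchanged and needs no other edit.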
...@@ -13,7 +13,7 @@ import ( ...@@ -13,7 +13,7 @@ import (
type EnclaveRuntime interface { type EnclaveRuntime interface {
Load(path string) error Load(path string) error
Init(args string, logLevel string) error Init(args string, logLevel string) error
Attest() error Attest(string, string, uint32, uint32) error
Exec(cmd []string, envp []string, stdio [3]*os.File) (int32, error) Exec(cmd []string, envp []string, stdio [3]*os.File) (int32, error)
Kill(sig int, pid int) error Kill(sig int, pid int) error
Destroy() error Destroy() error
...@@ -56,10 +56,10 @@ func StartInitialization(config *configs.InitEnclaveConfig, logLevel string) (*E ...@@ -56,10 +56,10 @@ func StartInitialization(config *configs.InitEnclaveConfig, logLevel string) (*E
return rt, nil return rt, nil
} }
func (rt *EnclaveRuntimeWrapper) LaunchAttestation() error { func (rt *EnclaveRuntimeWrapper) LaunchAttestation(spid string, subscriptionKey string, product uint32, quoteType uint32) error {
logrus.Debugf("attesting enclave runtime") logrus.Debugf("attesting enclave runtime")
return rt.runtime.Attest() return rt.runtime.Attest(spid, subscriptionKey, product, quoteType)
} }
func (rt *EnclaveRuntimeWrapper) ExecutePayload(cmd []string, envp []string, stdio [3]*os.File) (int32, error) { func (rt *EnclaveRuntimeWrapper) ExecutePayload(cmd []string, envp []string, stdio [3]*os.File) (int32, error) {
......
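Review bot: The EnclaveRuntime interface now declares `Attest(string, string, uint32, uint32) error` with unnamed parameters and no doc comment, which leaves the contract that every runtime must implement undocumented at the one place it is defined. Name the parameters as the wrapper does, `Attest(spid string, subscriptionKey string, product uint32, quoteType uint32) error`, and add a comment above it along the lines of `// Attest performs remote attestation of the loaded enclave runtime. spid and subscriptionKey are handed to the attestation service, product selects the service class (product vs. dev), and quoteType selects whether a linkable quote is requested.` The same one-line description would suit LaunchAttestation in the second hunk, whose enclosing type and the surrounding StartInitialization body lie outside the hunk.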
package enclave_runtime_pal // import "github.com/opencontainers/runc/libenclave/internal/runtime/pal" package enclave_runtime_pal // import "github.com/opencontainers/runc/libenclave/internal/runtime/pal"
import "C"
import ( import (
"encoding/binary"
"fmt" "fmt"
"github.com/go-restruct/restruct"
"github.com/opencontainers/runc/libenclave/attestation"
"github.com/opencontainers/runc/libenclave/attestation/sgx"
_ "github.com/opencontainers/runc/libenclave/attestation/sgx/ias"
"github.com/opencontainers/runc/libenclave/intelsgx"
"log"
"os" "os"
) )
...@@ -31,10 +40,6 @@ func (pal *enclaveRuntimePal) Init(args string, logLevel string) error { ...@@ -31,10 +40,6 @@ func (pal *enclaveRuntimePal) Init(args string, logLevel string) error {
return api.init(args, logLevel) return api.init(args, logLevel)
} }
func (pal *enclaveRuntimePal) Attest() (err error) {
return nil
}
func (pal *enclaveRuntimePal) Exec(cmd []string, envp []string, stdio [3]*os.File) (int32, error) { func (pal *enclaveRuntimePal) Exec(cmd []string, envp []string, stdio [3]*os.File) (int32, error) {
if pal.version == 1 { if pal.version == 1 {
api := &enclaveRuntimePalApiV1{} api := &enclaveRuntimePalApiV1{}
...@@ -67,3 +72,79 @@ func (pal *enclaveRuntimePal) GetLocalReport(targetInfo []byte) ([]byte, error) ...@@ -67,3 +72,79 @@ func (pal *enclaveRuntimePal) GetLocalReport(targetInfo []byte) ([]byte, error)
return nil, fmt.Errorf("unsupported pal api version %d", pal.version) return nil, fmt.Errorf("unsupported pal api version %d", pal.version)
} }
func parseAttestParameters(spid string, subscriptionKey string, product uint32) map[string]string {
p := make(map[string]string)
p["spid"] = spid
p["subscription-key"] = subscriptionKey
if product == sgx.ProductEnclave {
p["service-class"] = "product"
} else if product == sgx.DebugEnclave {
p["service-class"] = "dev"
}
return p
}
func (pal *enclaveRuntimePal) Attest(spid string, subscriptionKey string, product uint32, quoteType uint32) (err error) {
if pal.GetLocalReport == nil {
return nil
}
targetInfo, err := intelsgx.GetQeTargetInfo()
if err != nil {
return err
}
if len(targetInfo) != intelsgx.TargetinfoLength {
return fmt.Errorf("len(targetInfo) is not %d, but %d", intelsgx.TargetinfoLength, len(targetInfo))
}
// get local report of SGX
report, err := pal.GetLocalReport(targetInfo)
if err != nil {
return err
}
if len(report) != intelsgx.ReportLength {
return fmt.Errorf("len(report) is not %d, but %d", intelsgx.ReportLength, len(report))
}
// get quote from QE(aesmd)
linkable := false
if quoteType == intelsgx.QuoteSignatureTypeLinkable {
linkable = true
}
quote, err := intelsgx.GetQuote(report, spid, linkable)
if err != nil {
return err
}
q := &intelsgx.Quote{}
if err := restruct.Unpack(quote, binary.LittleEndian, &q); err != nil {
return err
}
// get IAS remote attestation report
var verbose bool = true
p := parseAttestParameters(spid, subscriptionKey, product)
svc, err := attestation.NewService(p, verbose)
if err != nil {
log.Fatal(err)
return err
}
if err = svc.Check(quote); err != nil {
log.Fatal(err)
return err
}
status := svc.Verify(quote)
if status.ErrorMessage != "" {
return fmt.Errorf("%s", status.ErrorMessage)
}
svc.ShowStatus(status)
return nil
}
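Review bot: The two `log.Fatal(err)` calls after attestation.NewService and svc.Check terminate the process via os.Exit before the following `return err` can run, so those returns are unreachable and the caller (StartInitialization, which turns an Attest error into exit code 1) never gets control back; replace each pair with a wrapped return such as `return fmt.Errorf("creating attestation service: %w", err)` and `return fmt.Errorf("checking quote: %w", err)`, after which the `log` import is presumably unused in this file. The guard `if pal.GetLocalReport == nil` compares a method value, which is never nil since GetLocalReport is a method on *enclaveRuntimePal defined just above this hunk, so that early return is dead code. `restruct.Unpack(quote, binary.LittleEndian, &q)` passes a `**intelsgx.Quote` because `q` is already a pointer, and the unpacked `q` is never read afterwards, so either pass `q` and act on the parsed quote or drop the unpack. Note also that subscriptionKey is a credential passed on to the service with `verbose` hard-coded to true; it is worth confirming that nothing on the verbose path echoes the parameter map to logs.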
...@@ -4,6 +4,7 @@ import ( ...@@ -4,6 +4,7 @@ import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"github.com/opencontainers/runc/libcontainer/utils" "github.com/opencontainers/runc/libcontainer/utils"
"github.com/opencontainers/runc/libenclave/attestation/sgx"
"github.com/opencontainers/runc/libenclave/configs" "github.com/opencontainers/runc/libenclave/configs"
"github.com/opencontainers/runc/libenclave/internal/runtime" "github.com/opencontainers/runc/libenclave/internal/runtime"
pb "github.com/opencontainers/runc/libenclave/proto" pb "github.com/opencontainers/runc/libenclave/proto"
...@@ -68,9 +69,11 @@ func StartInitialization(cmd []string, cfg *RuneletConfig) (exitCode int32, err ...@@ -68,9 +69,11 @@ func StartInitialization(cmd []string, cfg *RuneletConfig) (exitCode int32, err
} }
// Launch a remote attestation to the enclave runtime. // Launch a remote attestation to the enclave runtime.
if err = rt.LaunchAttestation(); err != nil { if config.RaType == sgx.EPID {
if err = rt.LaunchAttestation(config.RaEpidSpid, config.RaEpidSubscriptionKey, config.IsProductEnclave, config.RaEpidIsLinkable); err != nil {
return 1, err return 1, err
} }
}
if err = readSync(initPipe, procEnclaveReady); err != nil { if err = readSync(initPipe, procEnclaveReady); err != nil {
return 1, err return 1, err
} }
......
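Review bot: With attestation now gated on `config.RaType == sgx.EPID`, any other configured RaType silently proceeds with no attestation and no log line, so a misconfigured or not-yet-supported type is indistinguishable from "attestation disabled". If RaType has a zero/none value distinct from sgx.EPID, reject the remaining values explicitly, e.g. `} else if config.RaType != <none-value> { return 1, fmt.Errorf("unsupported remote attestation type %v", config.RaType) }`, or at least emit a debug log stating that attestation was skipped. The enclosing StartInitialization function starts and ends outside this hunk, and `config.IsProductEnclave` / `config.RaEpidIsLinkable` read like booleans yet are passed where Attest expects uint32 values compared against sgx and intelsgx constants, so a comment at the call site noting that mapping would help the next reader.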