From 3a07022b052e71ae28e33dd767b95671c350cae8 Mon Sep 17 00:00:00 2001
From: "YiLin.Li"
Date: Tue, 18 Aug 2020 20:54:14 +0000
Subject: [PATCH] rune/libenclave/skeleton: Support PAL API v3

1. Support PAL API V3.
2. Support `rune attest` command.
3. Add skeleton_remote_attestation_with_rune.md.

Signed-off-by: Yilin Li
---
 .../internal/runtime/pal/skeleton/Makefile | 8 +++-
 .../pal/skeleton/liberpal-skeleton-v3.c | 45 ++++++++++++++++++
 .../runtime/pal/skeleton/liberpal-skeleton.c | 46 +++++++++++++++++++
 .../runtime/pal/skeleton/liberpal-skeleton.h | 1 +
 .../skeleton_remote_attestation_with_rune.md | 45 ++++++++++++++++++
 5 files changed, 144 insertions(+), 1 deletion(-)
 create mode 100644 rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton-v3.c
 create mode 100644 rune/libenclave/internal/runtime/pal/skeleton/skeleton_remote_attestation_with_rune.md

diff --git a/rune/libenclave/internal/runtime/pal/skeleton/Makefile b/rune/libenclave/internal/runtime/pal/skeleton/Makefile
index b3cd95c..1e934f6 100644
--- a/rune/libenclave/internal/runtime/pal/skeleton/Makefile
+++ b/rune/libenclave/internal/runtime/pal/skeleton/Makefile
@@ -12,7 +12,7 @@ HOST_LDFLAGS := -fPIC -shared -Wl,-Bsymbolic
 IS_OOT_DRIVER := $(shell [ ! -e /dev/isgx ])
 IS_SGX_FLC := $(shell lscpu | grep -q sgx_lc)
-TEST_CUSTOM_PROGS := $(OUTPUT)/encl.bin $(OUTPUT)/encl.ss $(OUTPUT)/liberpal-skeleton-v1.so $(OUTPUT)/liberpal-skeleton-v2.so $(OUTPUT)/signing_key.pem
+TEST_CUSTOM_PROGS := $(OUTPUT)/encl.bin $(OUTPUT)/encl.ss $(OUTPUT)/liberpal-skeleton-v1.so $(OUTPUT)/liberpal-skeleton-v2.so $(OUTPUT)/liberpal-skeleton-v3.so $(OUTPUT)/signing_key.pem
 ifeq ($(IS_OOT_DRIVER),1)
 TEST_CUSTOM_PROGS += $(OUTPUT)/encl.token
@@ -37,6 +37,12 @@ $(OUTPUT)/liberpal-skeleton-v2.o: liberpal-skeleton-v2.c liberpal-skeleton.c
 $(OUTPUT)/liberpal-skeleton.o: liberpal-skeleton.c
 	$(CC) $(HOST_CFLAGS) -c $< -o $@
+$(OUTPUT)/liberpal-skeleton-v3.so: $(OUTPUT)/sgx_call.o $(OUTPUT)/liberpal-skeleton-v3.o $(OUTPUT)/liberpal-skeleton.o
+	$(CC) $(HOST_LDFLAGS) -o $@ $^
+
+$(OUTPUT)/liberpal-skeleton-v3.o: liberpal-skeleton-v3.c liberpal-skeleton.c
+	$(CC) $(HOST_CFLAGS) -c $< -o $@
+
 $(OUTPUT)/sgx_call.o: sgx_call.S
 	$(CC) $(HOST_CFLAGS) -c $< -o $@
diff --git a/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton-v3.c b/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton-v3.c
new file mode 100644
index 0000000..b632d9c
--- /dev/null
+++ b/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton-v3.c
@@ -0,0 +1,45 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "liberpal-skeleton.h"
+#include "sgx_call.h"
+#include "defines.h"
+
+int pal_get_version(void)
+{
+	return 3;
+}
+
+int pal_init(pal_attr_t *attr)
+{
+	return __pal_init(attr);
+}
+
+int pal_create_process(pal_create_process_args *args)
+{
+	return __pal_create_process(args);
+}
+
+int pal_exec(pal_exec_args *attr)
+{
+	return wait4child(attr);
+}
+
+int pal_get_local_report(void *targetinfo, int targetinfo_len, void *report, int* report_len) {
+	return __pal_get_local_report(targetinfo, targetinfo_len, report, report_len);
+}
+
+int pal_kill(int pid, int sig)
+{
+	return __pal_kill(pid, sig);
+}
+
+int pal_destroy(void)
+{
+	return __pal_destory();
+}
diff --git a/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.c b/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.c
index ea0e7e1..fdc2e0b 100644
--- a/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.c
+++ b/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.c
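Review bot: `pal_get_local_report` is formatted unlike every other definition in this new file: its opening brace sits on the signature line and the last parameter is spelled `int* report_len`, while the six neighbouring wrappers put `{` on its own line and write `type *name`. Writing it as `int pal_get_local_report(void *targetinfo, int targetinfo_len, void *report, int *report_len)` with the brace on the next line keeps the file consistent, and the same spelling could be used for the prototype added to liberpal-skeleton.h and the definition in liberpal-skeleton.c. A one-line comment on this wrapper saying it passes straight through to `__pal_get_local_report` and that `report_len` is the size of the caller's `report` buffer would also help readers of the v3 API surface.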
@@ -39,6 +39,7 @@ static int exit_code;
 static char *sgx_dev_path;
 static bool no_sgx_flc = false;
 static bool enclave_debug = true;
+static int wait_timeout;
 bool debugging = false;
 bool is_oot_driver;
 /*
@@ -471,6 +472,15 @@ int __pal_exec(char *path, char *argv[], pal_stdio_fds *stdio, int *exit_code)
 		return -1;
 	}
+	for (int i = 0; argv[i]; i++) {
+		if (!strcmp(argv[i], "wait_timeout") && argv[i+1]) {
+			wait_timeout = atoi(argv[i+1]);
+			if (wait_timeout > 0)
+				sleep(wait_timeout);
+			break;
+		}
+	}
+
 	fprintf(fp, "Enclave runtime skeleton initialization succeeded\n");
 	fclose(fp);
@@ -545,6 +555,42 @@ int wait4child(pal_exec_args *attr)
 	return 0;
 }
+int __pal_get_local_report(void *targetinfo, int targetinfo_len, void *report, int* report_len)
+{
+	uint8_t report_data[64] = { 0, };
+	struct sgx_report report_align;
+	int ret;
+
+	if (!initialized) {
+		fprintf(stderr, "Enclave runtime skeleton uninitialized yet!\n");
+		return -1;
+	}
+
+	if (targetinfo == NULL || targetinfo_len != sizeof(struct sgx_target_info)) {
+		fprintf(stderr, "Input parameter targetinfo is NULL or targentinfo_len != sizeof(struct sgx_target_info)!\n");
+		return -1;
+	}
+
+	if (report == NULL || report_len == NULL || *report_len < SGX_REPORT_SIZE) {
+		fprintf(stderr, "Input parameter report is NULL or report_len is not enough!\n");
+		return -1;
+	}
+
+	ret = SGX_ENTER_3_ARGS(ECALL_REPORT, (void *)secs.base, targetinfo,
+			       report_data, &report_align);
+	if (ret) {
+		fprintf(stderr, "failed to get report\n");
+		return ret;
+	}
+
+	memcpy(report, &report_align, SGX_REPORT_SIZE);
+	if (debugging) {
+		fprintf(stdout, "succeed to get local report\n");
+	}
+
+	return 0;
+}
+
 int __pal_kill(int pid, int sig)
 {
 	if (!initialized) {
diff --git a/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.h b/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.h
index cddb492..aa63742 100644
--- a/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.h
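Review bot: The value on the `wait_timeout = atoi(argv[i+1]);` line comes straight from the container's `process.args` and is parsed with `atoi`, which reports no error and is undefined on out-of-range input, so only the `> 0` test stands between a malformed argument and `sleep`. Parsing with `strtol`, rejecting trailing garbage and `ERANGE`, and bounding the value before the `unsigned int` conversion that `sleep` implies makes the accepted input explicit (this needs `<errno.h>`, `<limits.h>` and `<stdlib.h>` if the file does not already include them). The file-scope `static int wait_timeout;` added in the hunk at line 39 is, as far as this patch shows, only read here, so it can become a local of this loop. `__pal_exec` starts and ends outside the hunk.
```c
	for (int i = 0; argv[i]; i++) {
		if (!strcmp(argv[i], "wait_timeout") && argv[i + 1]) {
			char *end = NULL;
			errno = 0;
			long timeout = strtol(argv[i + 1], &end, 10);
			/* accept only a complete, in-range, positive decimal number */
			if (end != argv[i + 1] && *end == '\0' && errno == 0 &&
			    timeout > 0 && timeout <= INT_MAX)
				sleep((unsigned int)timeout);
			break;
		}
	}
	/* … unchanged: success log and fclose(fp) … */
```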
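Review bot: `*report_len` is only compared against `SGX_REPORT_SIZE` and never written back, although the parameter is passed as `int *`, so a caller that treats it as in/out never learns how many bytes were copied; if that is the intended contract, add `*report_len = SGX_REPORT_SIZE;` after the `memcpy`, otherwise document it as input-only on the prototype. The report is always generated over the zero-initialised `report_data`, so a local report from this function cannot bind caller-supplied data such as a nonce or key; a comment on that declaration, e.g. `/* REPORTDATA is fixed to all-zero: callers cannot bind a nonce or key into the report */`, keeps the `rune attest` side from assuming freshness. `struct sgx_report report_align` is an ordinary stack variable whose name hints at an alignment requirement; if `struct sgx_report` is not declared with the alignment EREPORT needs for its output, this should be confirmed rather than relied on. The message in the `targetinfo` check misspells the parameter as `targentinfo_len`.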
+++ b/rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.h
@@ -32,6 +32,7 @@ int __pal_init(pal_attr_t *attr);
 int __pal_exec(char *path, char *argv[], pal_stdio_fds *stdio, int *exit_code);
 int __pal_create_process(pal_create_process_args *args);
 int wait4child(pal_exec_args *attr);
+int __pal_get_local_report(void *targetinfo, int targetinfo_len, void *report, int* report_len);
 int __pal_kill(int pid, int sig);
 int __pal_destory(void);
diff --git a/rune/libenclave/internal/runtime/pal/skeleton/skeleton_remote_attestation_with_rune.md b/rune/libenclave/internal/runtime/pal/skeleton/skeleton_remote_attestation_with_rune.md
new file mode 100644
index 0000000..71e915b
--- /dev/null
+++ b/rune/libenclave/internal/runtime/pal/skeleton/skeleton_remote_attestation_with_rune.md
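Review bot: The new `__pal_get_local_report` prototype carries no description of its contract, while the definition in liberpal-skeleton.c rejects a `targetinfo_len` other than `sizeof(struct sgx_target_info)` and a `*report_len` below `SGX_REPORT_SIZE`. A comment on the declaration such as `/* Generate a local (EREPORT) report targeted at targetinfo; report must hold at least SGX_REPORT_SIZE bytes. Returns 0 on success, -1 on bad arguments or an uninitialised runtime, else the ECALL return code. */` lets callers get this right without reading the implementation. Spelling the last parameter `int *report_len` also matches the pointer style of the neighbouring prototypes.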
@@ -0,0 +1,45 @@
+# Introduction
+This guide will guide you how to use remote attestation based on SGX in skeleton with rune.
+
+# Before you start
+- Build a skeleton bundle according to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/skeleton/README.md) from scratch.
+- Build rune according to [this guide](https://github.com/alibaba/inclavare-containers#rune).
+- Register a `SPID` and `Subscription Key` of [IAS](https://api.portal.trustedservices.intel.com/EPID-attestation). After the registration, Intel will respond with a SPID which is needed to communicate with IAS.
+
+# Run skeleton bundle with `rune`
+Before using `rune attest` command, you must ensure your skeleton container/bundles(such as skeleton-enclave-container) running by setting `"wait_timeout","100"` of `process.args` in config.json, just like
+```json
+"process": {
+	"args": [
+		"${YOUR_PROGRAM}","wait_timeout","100"
+	],
+}
+```
+
+Then you can run your skeleton containers by typing the following commands:
+
+```shell
+cd "$HOME/rune_workdir/rune-container"
+
+# copy /etc/resolv.conf from host to bundles to ensure network is ready for the remote attestation of IAS.
+cp /etc/resolv.conf rootfs/etc/resolv.conf
+
+sudo rune run skeleton-enclave-container
+```
+
+# Use `rune attest` command with skeleton
+You can type the following command to use `rune attest` command with skeleton in another shell:
+
+```shell
+rune attest --product=false \
+	--linkable=false \
+	--spid=${EPID_SPID} \
+	--subscription-key=${EPID_SUBSCRIPTION_KEY} \
+	skeleton-enclave-container
+```
+
+where:
+- @product: specify the type of enclave is in product mode or debug mode.
+- @linkable: specify the type of `EPID` is `linkable` or `unlinkable`.
+- @spid: specify the `SPID`.
+- @subscription-key: specify the `Subscription Key`.
-- 
GitLab