From 3392e9a7e6d62efdb9c42288d2a47a6c1867de9f Mon Sep 17 00:00:00 2001 From: Shanwei Cen <58789783+shnwc@users.noreply.github.com> Date: Fri, 28 Aug 2020 21:38:45 -0700 Subject: [PATCH] Update SGX format IDs for support of OE reports and raw SGX quotes Signed-off-by: Shanwei Cen <58789783+shnwc@users.noreply.github.com> --- common/attest_plugin.c | 28 ++- common/attest_plugin.h | 17 ++ common/sgx/verifier.c | 114 ++++++------ enclave/sgx/attester.c | 116 +++++------- enclave/sgx/report.c | 72 +++++--- enclave/sgx/report.h | 6 + host/sgx/report.c | 4 +- host/sgx/sgxquote.c | 8 +- .../openenclave/attestation/sgx/evidence.h | 89 +++++++-- include/openenclave/bits/sgx/sgxtypes.h | 21 +++ include/openenclave/internal/report.h | 3 - samples/attested_tls/common/utility.cpp | 4 +- .../remote_attestation/common/attestation.cpp | 2 +- tests/attestation_plugin/enc/enc.c | 172 +++++------------- tests/attestation_plugin/plugin/tests.c | 127 +++++++------ tests/attestation_plugin_cert/enc/enc.cpp | 2 +- tests/report/host/host.cpp | 2 +- 17 files changed, 414 insertions(+), 373 deletions(-) diff --git a/common/attest_plugin.c b/common/attest_plugin.c index c393366ffc..5e54f33c47 100644 --- a/common/attest_plugin.c +++ b/common/attest_plugin.c @@ -49,8 +49,8 @@ const char* OE_OPTIONAL_CLAIMS[OE_OPTIONAL_CLAIMS_COUNT] = { static oe_plugin_list_node_t* verifiers = NULL; // UUID for all OE reports generated by oe_get_report(). -static const oe_uuid_t _sgx_ecdsa_report_uuid = { - OE_FORMAT_UUID_SGX_ECDSA_P256_REPORT}; +static const oe_uuid_t _uuid_legacy_report_remote = { + OE_FORMAT_UUID_LEGACY_REPORT_REMOTE}; // verify report user data against peer certificate static oe_result_t verify_sgx_report_user_data( 
@@ -306,7 +306,11 @@ oe_result_t oe_verify_evidence( if (evidence_buffer_size < sizeof(oe_attestation_header_t) || evidence->version != OE_ATTESTATION_HEADER_VERSION) - OE_RAISE(OE_INVALID_PARAMETER); + OE_RAISE_MSG( + OE_INVALID_PARAMETER, + "Invalid attestation header version %d, expected %d", + evidence->version, + OE_ATTESTATION_HEADER_VERSION); if (endorsements_buffer) { @@ -315,7 +319,11 @@ oe_result_t oe_verify_evidence( if (endorsements_buffer_size < sizeof(oe_attestation_header_t) || endorsements->version != OE_ATTESTATION_HEADER_VERSION) - OE_RAISE(OE_INVALID_PARAMETER); + OE_RAISE_MSG( + OE_INVALID_PARAMETER, + "Invalid attestation header version %d, expected %d", + endorsements->version, + OE_ATTESTATION_HEADER_VERSION); if (memcmp( &evidence->format_id, @@ -447,7 +455,11 @@ oe_result_t oe_verify_attestation_certificate_with_evidence( // find the report version header = (oe_report_header_t*)report; if (header->version != OE_ATTESTATION_HEADER_VERSION) - OE_RAISE_MSG(OE_INVALID_PARAMETER, "Invalid report version", NULL); + OE_RAISE_MSG( + OE_INVALID_PARAMETER, + "Invalid attestation header version %d, expected %d", + header->version, + OE_ATTESTATION_HEADER_VERSION); result = oe_verify_evidence( // The format ID parameter is NULL in this case, as the format ID is @@ -466,9 +478,9 @@ oe_result_t oe_verify_attestation_certificate_with_evidence( else // oid_oe_report or oid_new_oe_report { result = oe_verify_evidence( - // The format ID is OE_FORMAT_UUID_SGX_ECDSA_P256_REPORT for all OE - // reports. - &_sgx_ecdsa_report_uuid, + // The format ID is OE_FORMAT_UUID_LEGACY_REPORT_REMOTE for all OE + // reports for remote attestation. + &_uuid_legacy_report_remote, report, report_size, NULL, diff --git a/common/attest_plugin.h b/common/attest_plugin.h index 8476da2faf..1c85dddc08 100644 --- a/common/attest_plugin.h +++ b/common/attest_plugin.h 
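Review bot: The new OE_RAISE_MSG reads `evidence->version` even when the guard fired because `evidence_buffer_size < sizeof(oe_attestation_header_t)`, so an undersized evidence buffer — untrusted input on the verifier side — is read past its end just to build the log string; the bare OE_RAISE it replaces did not dereference anything. Split the two conditions so the size test raises on its own before the header is touched, e.g. `if (evidence_buffer_size < sizeof(oe_attestation_header_t)) OE_RAISE_MSG(OE_INVALID_PARAMETER, "Evidence buffer too small for attestation header", NULL);` and keep the version-mismatch message for the second test. The endorsements check in the following hunk has the identical pattern and needs the same split. oe_verify_evidence starts and ends outside this hunk.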
@@ -20,6 +20,23 @@ OE_EXTERNC_BEGIN
+/**
+ * Note: V1 is OE_REPORT_HEADER_VERSION, for legacy report headers
+ * of type oe_report_header_t.
+ *
+ * V2 is for legacy attestation headers of type oe_attestation_header_t.
+ * For SGX local and remote attestation, the evidence requires a legacy
+ * report header of type oe_report_header_t to prefix the SGX report or
+ * quote.
+ *
+ * V3 is the current version. Its also for attestation headers of type
+ * oe_attestation_header_t. SGX report or quote will not be prefixed with
+ * a legacy header of type oe_report_header_t.
+ *
+ * Only the latest header version is supported.
+ */
+#define OE_ATTESTATION_HEADER_VERSION (3)
+
 /**
  * Evidence header: the structure that the OE SDK runtime puts on top of
  * evidence data, when oe_get_evidence() is asked to include the format ID
diff --git a/common/sgx/verifier.c b/common/sgx/verifier.c
index f035919052..cad23fd516 100644
--- a/common/sgx/verifier.c
+++ b/common/sgx/verifier.c
@@ -3,6 +3,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -32,12 +33,13 @@ typedef oe_mutex oe_mutex_t;
 #define OE_MUTEX_INITIALIZER OE_H_MUTEX_INITIALIZER
 #endif
-static const oe_uuid_t _local_uuid = {OE_FORMAT_UUID_SGX_LOCAL_ATTESTATION};
-static const oe_uuid_t _ecdsa_uuid = {OE_FORMAT_UUID_SGX_ECDSA_P256};
-static const oe_uuid_t _ecdsa_report_uuid = {
-    OE_FORMAT_UUID_SGX_ECDSA_P256_REPORT};
-static const oe_uuid_t _ecdsa_quote_uuid = {
-    OE_FORMAT_UUID_SGX_ECDSA_P256_QUOTE};
+static const oe_uuid_t _uuid_sgx_local_attestation = {
+    OE_FORMAT_UUID_SGX_LOCAL_ATTESTATION};
+static const oe_uuid_t _uuid_sgx_ecdsa = {OE_FORMAT_UUID_SGX_ECDSA};
+static const oe_uuid_t _uuid_legacy_report_remote = {
+    OE_FORMAT_UUID_LEGACY_REPORT_REMOTE};
+static const oe_uuid_t _uuid_raw_sgx_quote_ecdsa = {
+    OE_FORMAT_UUID_RAW_SGX_QUOTE_ECDSA};
 static oe_result_t _on_register(
     oe_attestation_role_t* context,
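Review bot: The new header comment describes V1, V2 and V3 but stops short of stating the consequence that matters to integrators: because oe_verify_evidence compares `version` against OE_ATTESTATION_HEADER_VERSION and raises OE_INVALID_PARAMETER on mismatch, evidence emitted with a V2 header by an earlier SDK build is now rejected outright, and there is no downgrade path. I would make that explicit in the last paragraph, e.g. `* Only the latest header version is supported; evidence carrying an older` / `* version (including V2 from earlier SDK releases) is rejected by oe_verify_evidence().` While there, `Its also` should read `It's also`.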
@@ -111,17 +113,16 @@ static oe_result_t _get_input_time(
 }
 static oe_result_t _verify_local_report(
-    const uint8_t* evidence_buffer,
-    size_t evidence_buffer_size)
+    const uint8_t* report_body,
+    size_t report_body_size)
 {
     // Do a normal report verification on the enclave side.
     // Local report verification is unsupported for host side.
 #ifdef OE_BUILD_ENCLAVE
-    return oe_verify_report_internal(
-        evidence_buffer, evidence_buffer_size, NULL);
+    return oe_verify_raw_sgx_report(report_body, report_body_size);
 #else
-    OE_UNUSED(evidence_buffer);
-    OE_UNUSED(evidence_buffer_size);
+    OE_UNUSED(report_body);
+    OE_UNUSED(report_body_size);
     return OE_UNSUPPORTED;
 #endif
 }
@@ -577,36 +578,35 @@ static oe_result_t _verify_evidence(
     // Check the datetime policy if it exists.
     OE_CHECK(_get_input_time(policies, policies_size, &time));
-    if (!memcmp(format_id, &_local_uuid, sizeof(oe_uuid_t)))
+    if (!memcmp(format_id, &_uuid_sgx_local_attestation, sizeof(oe_uuid_t)))
     {
-        // evidence_buffer has oe_report_header_t header,
-        // followed by an SGX report for local attestation.
-        oe_report_header_t* report = (oe_report_header_t*)evidence_buffer;
+        // evidence_buffer has an SGX report for local attestation
+        // followed by an optional custom claims buffer.
+        // Note: sgx_report_t has no field that can be checked quickly
+        // to verify it being an SGX report.
-        if (evidence_buffer_size < sizeof(*report) ||
-            report->version != OE_REPORT_HEADER_VERSION ||
-            report->report_type != OE_REPORT_TYPE_SGX_LOCAL)
+        if (evidence_buffer_size < sizeof(sgx_report_t))
             OE_RAISE(OE_INVALID_PARAMETER);
         format_type = SGX_FORMAT_TYPE_LOCAL;
     }
-    else if (!memcmp(format_id, &_ecdsa_uuid, sizeof(oe_uuid_t)))
+    else if (!memcmp(format_id, &_uuid_sgx_ecdsa, sizeof(oe_uuid_t)))
     {
-        // evidence_buffer has oe_report_header_t header,
-        // followed by an SGX ECDSA-p256 quote.
-        oe_report_header_t* report = (oe_report_header_t*)evidence_buffer;
+        // evidence_buffer has an SGX ECDSA-p256 quote
+        // followed by an optional custom claims buffer.
+        sgx_quote_t* quote = (sgx_quote_t*)evidence_buffer;
-        if (evidence_buffer_size < sizeof(*report) ||
-            report->version != OE_REPORT_HEADER_VERSION ||
-            report->report_type != OE_REPORT_TYPE_SGX_REMOTE)
+        if (evidence_buffer_size < sizeof(*quote) + quote->signature_len ||
+            quote->version != SGX_QE3_QUOTE_VERSION ||
+            quote->sign_type != SGX_QL_ALG_ECDSA_P256)
             OE_RAISE(OE_INVALID_PARAMETER);
         format_type = SGX_FORMAT_TYPE_REMOTE;
     }
-    else if (!memcmp(format_id, &_ecdsa_report_uuid, sizeof(oe_uuid_t)))
+    else if (!memcmp(format_id, &_uuid_legacy_report_remote, sizeof(oe_uuid_t)))
     {
-        // evidence_buffer has an oe_report_header_t header,
-        // followed by an SGX ECDSA-p256 quote.
+        // evidence_buffer has an oe_report_header_t header
+        // followed by an SGX report or ECDSA-p256 quote.
         oe_report_header_t* report = (oe_report_header_t*)evidence_buffer;
         if (evidence_buffer_size < sizeof(*report) ||
@@ -616,10 +616,17 @@ static oe_result_t _verify_evidence(
         format_type = SGX_FORMAT_TYPE_LEGACY_REPORT;
     }
-    else if (!memcmp(format_id, &_ecdsa_quote_uuid, sizeof(oe_uuid_t)))
+    else if (!memcmp(format_id, &_uuid_raw_sgx_quote_ecdsa, sizeof(oe_uuid_t)))
     {
         // evidence_buffer has no header.
-        // It contains a raw SGX ECDSA-p256 quote.
+        // It holds an SGX ECDSA_p256 quote generated by the Intel SGX DCAP
+        // or quote-ex library.
+        sgx_quote_t* quote = (sgx_quote_t*)evidence_buffer;
+
+        if (evidence_buffer_size < sizeof(*quote) + quote->signature_len ||
+            quote->version != SGX_QE3_QUOTE_VERSION ||
+            quote->sign_type != SGX_QL_ALG_ECDSA_P256)
+            OE_RAISE(OE_INVALID_PARAMETER);
         format_type = SGX_FORMAT_TYPE_RAW_QUOTE;
     }
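Review bot: In the OE_FORMAT_UUID_SGX_ECDSA branch, `quote->signature_len` is dereferenced before anything has established that `evidence_buffer` holds at least `sizeof(*quote)` bytes — the `||` chain evaluates left to right and its first operand is the one that reads the field — so a short, attacker-supplied evidence buffer causes an out-of-bounds read inside the very check meant to bound it. Validate the fixed-size prefix first, `if (evidence_buffer_size < sizeof(*quote)) OE_RAISE(OE_INVALID_PARAMETER);`, and only then apply the existing `sizeof(*quote) + quote->signature_len` test. The raw-quote branch added in the following hunk (@@ -616) repeats the same ordering and needs the same guard. The declaration of `signature_len` is not visible here; if it is not a 32-bit field, the addition to `sizeof(*quote)` also needs a wrap check. _verify_evidence starts and ends outside these hunks.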
@@ -630,27 +637,23 @@ static oe_result_t _verify_evidence( // not including the custom claims section. if (format_type == SGX_FORMAT_TYPE_LOCAL) { - oe_report_header_t* report = (oe_report_header_t*)evidence_buffer; - - report_body = report->report; - report_body_size = report->report_size; + report_body = evidence_buffer; + report_body_size = sizeof(sgx_report_t); custom_claims_buffer = report_body + report_body_size; - custom_claims_buffer_size = - evidence_buffer_size - (sizeof(*report) + report_body_size); + custom_claims_buffer_size = evidence_buffer_size - report_body_size; - OE_CHECK(_verify_local_report( - evidence_buffer, report->report_size + sizeof(oe_report_header_t))); + OE_CHECK(_verify_local_report(report_body, report_body_size)); } else { if (format_type == SGX_FORMAT_TYPE_REMOTE) { - oe_report_header_t* report = (oe_report_header_t*)evidence_buffer; - report_body = report->report; - report_body_size = report->report_size; + sgx_quote_t* quote = (sgx_quote_t*)evidence_buffer; + + report_body = evidence_buffer; + report_body_size = sizeof(*quote) + quote->signature_len; custom_claims_buffer = report_body + report_body_size; - custom_claims_buffer_size = - evidence_buffer_size - (sizeof(*report) + report_body_size); + custom_claims_buffer_size = evidence_buffer_size - report_body_size; } else if (format_type == SGX_FORMAT_TYPE_LEGACY_REPORT) { @@ -737,7 +740,10 @@ static oe_result_t _get_format_settings( if (!context || !settings || !settings_size) OE_RAISE(OE_INVALID_PARAMETER); - if (!memcmp(&context->base.format_id, &_local_uuid, sizeof(oe_uuid_t))) + if (!memcmp( + &context->base.format_id, + &_uuid_sgx_local_attestation, + sizeof(oe_uuid_t))) { #ifdef OE_BUILD_ENCLAVE // Enclave-side, SGX local attestation is supported 
@@ -771,7 +777,8 @@ static oe_result_t _get_format_settings( OE_RAISE(OE_UNSUPPORTED); #endif } - else if (!memcmp(&context->base.format_id, &_ecdsa_uuid, sizeof(oe_uuid_t))) + else if (!memcmp( + &context->base.format_id, &_uuid_sgx_ecdsa, sizeof(oe_uuid_t))) { *settings = NULL; *settings_size = 0; @@ -803,9 +810,12 @@ static oe_result_t _verify_report( // Host-side, verifies only ECDSA report if ( #ifdef OE_BUILD_ENCLAVE - !memcmp(&context->base.format_id, &_local_uuid, sizeof(oe_uuid_t)) || + !memcmp( + &context->base.format_id, + &_uuid_sgx_local_attestation, + sizeof(oe_uuid_t)) || #endif - !memcmp(&context->base.format_id, &_ecdsa_uuid, sizeof(oe_uuid_t))) + !memcmp(&context->base.format_id, &_uuid_sgx_ecdsa, sizeof(oe_uuid_t))) { #ifdef OE_BUILD_ENCLAVE OE_CHECK(oe_verify_report_internal(report, report_size, parsed_report)); @@ -833,12 +843,12 @@ static oe_result_t _get_verifier_plugins( if (!verifiers || !verifiers_length) OE_RAISE(OE_INVALID_PARAMETER); - uuids[0] = &_ecdsa_uuid; - uuids[1] = &_ecdsa_report_uuid; - uuids[2] = &_ecdsa_quote_uuid; + uuids[0] = &_uuid_sgx_ecdsa; + uuids[1] = &_uuid_legacy_report_remote; + uuids[2] = &_uuid_raw_sgx_quote_ecdsa; #ifdef OE_BUILD_ENCLAVE - uuids[3] = &_local_uuid; + uuids[3] = &_uuid_sgx_local_attestation; uuid_count = 4; // In enclave, local attestation and 3 ECDSA formats are supported. #else diff --git a/enclave/sgx/attester.c b/enclave/sgx/attester.c index 6fa33b0d71..1b2f8856e4 100644 --- a/enclave/sgx/attester.c +++ b/enclave/sgx/attester.c 
@@ -59,14 +59,11 @@ OE_WEAK_ALIAS( _oe_get_supported_attester_format_ids_ocall, oe_get_supported_attester_format_ids_ocall); -static const oe_uuid_t _local_uuid = {OE_FORMAT_UUID_SGX_LOCAL_ATTESTATION}; -static const oe_uuid_t _ecdsa_uuid = {OE_FORMAT_UUID_SGX_ECDSA_P256}; -static const oe_uuid_t _ecdsa_report_uuid = { - OE_FORMAT_UUID_SGX_ECDSA_P256_REPORT}; -static const oe_uuid_t _ecdsa_quote_uuid = { - OE_FORMAT_UUID_SGX_ECDSA_P256_QUOTE}; -static const oe_uuid_t _epid_linkable_uuid = {OE_FORMAT_UUID_SGX_EPID_LINKABLE}; -static const oe_uuid_t _epid_unlinkable_uuid = { +static const oe_uuid_t _uuid_sgx_local_attestation = { + OE_FORMAT_UUID_SGX_LOCAL_ATTESTATION}; +static const oe_uuid_t _uuid_sgx_ecdsa = {OE_FORMAT_UUID_SGX_ECDSA}; +static const oe_uuid_t _uuid_epid_linkable = {OE_FORMAT_UUID_SGX_EPID_LINKABLE}; +static const oe_uuid_t _uuid_epid_unlinkable = { OE_FORMAT_UUID_SGX_EPID_UNLINKABLE}; static oe_result_t _on_register( @@ -111,7 +108,7 @@ static oe_result_t _get_evidence( sgx_evidence_format_type_t format_type = SGX_FORMAT_TYPE_UNKNOWN; const oe_uuid_t* format_id = NULL; // for ECDSA report / quote, oe_get_report_v2_internal() takes - // the original &_ecdsa_uuid. quote_format_id holds the format ID + // the original &_uuid_sgx_ecdsa. quote_format_id holds the format ID // for this function. const oe_uuid_t* quote_format_id = NULL; bool is_epid_quote = false; @@ -125,7 +122,7 @@ static oe_result_t _get_evidence( quote_format_id = format_id; // Set flags based on format id, ignore and overwrite the input value - if (!memcmp(format_id, &_local_uuid, sizeof(oe_uuid_t))) + if (!memcmp(format_id, &_uuid_sgx_local_attestation, sizeof(oe_uuid_t))) { flags = 0; format_type = SGX_FORMAT_TYPE_LOCAL; 
@@ -134,21 +131,11 @@ static oe_result_t _get_evidence( { flags = OE_REPORT_FLAGS_REMOTE_ATTESTATION; - if (!memcmp(format_id, &_ecdsa_uuid, sizeof(oe_uuid_t))) + if (!memcmp(format_id, &_uuid_sgx_ecdsa, sizeof(oe_uuid_t))) format_type = SGX_FORMAT_TYPE_REMOTE; - else if (!memcmp(format_id, &_ecdsa_report_uuid, sizeof(oe_uuid_t))) - { - format_type = SGX_FORMAT_TYPE_LEGACY_REPORT; - quote_format_id = &_ecdsa_uuid; - } - else if (!memcmp(format_id, &_ecdsa_quote_uuid, sizeof(oe_uuid_t))) - { - format_type = SGX_FORMAT_TYPE_RAW_QUOTE; - quote_format_id = &_ecdsa_uuid; - } else if ( - !memcmp(format_id, &_epid_linkable_uuid, sizeof(oe_uuid_t)) || - !memcmp(format_id, &_epid_unlinkable_uuid, sizeof(oe_uuid_t))) + !memcmp(format_id, &_uuid_epid_linkable, sizeof(oe_uuid_t)) || + !memcmp(format_id, &_uuid_epid_unlinkable, sizeof(oe_uuid_t))) { format_type = SGX_FORMAT_TYPE_RAW_QUOTE; is_epid_quote = true; @@ -160,6 +147,7 @@ static oe_result_t _get_evidence( if (format_type == SGX_FORMAT_TYPE_LOCAL || format_type == SGX_FORMAT_TYPE_REMOTE) { // Evidence of these types has its custom claims hashed. + oe_report_header_t* header = NULL; OE_SHA256 hash; // Hash the custom_claims_buffer. 
@@ -184,25 +172,25 @@ static oe_result_t _get_evidence( "SGX Plugin: Failed to get OE report. %s", oe_result_str(result)); - // Combine the report and custom_claims_buffer to get the evidence. - tmp_buffer_size = report_size + custom_claims_buffer_size; + // Combine the report body and custom_claims_buffer to get the evidence. + // Drop the legacy report header + header = (oe_report_header_t*)report; + tmp_buffer_size = header->report_size + custom_claims_buffer_size; tmp_buffer = (uint8_t*)oe_malloc(tmp_buffer_size); if (tmp_buffer == NULL) OE_RAISE(OE_OUT_OF_MEMORY); - // Copy SGX report to evidence - memcpy(tmp_buffer, report, report_size); + // Copy SGX report body to evidence + memcpy(tmp_buffer, header->report, header->report_size); // Copy custom claims to evidence memcpy( - tmp_buffer + report_size, + tmp_buffer + header->report_size, custom_claims_buffer, custom_claims_buffer_size); // Get the endorsements from the report if needed. if (endorsements_buffer && flags == OE_REPORT_FLAGS_REMOTE_ATTESTATION) { - oe_report_header_t* header = (oe_report_header_t*)report; - OE_CHECK_MSG( oe_get_sgx_endorsements( header->report, @@ -213,8 +201,10 @@ static oe_result_t _get_evidence( oe_result_str(result)); } } - else // SGX_FORMAT_TYPE_LEGACY_REPORT or _QUOTE + else if (format_type == SGX_FORMAT_TYPE_RAW_QUOTE) { + oe_report_header_t* header = NULL; + // Get the report with the custom_claims_buffer as the report data. OE_CHECK_MSG( oe_get_report_v2_internal( 
@@ -245,22 +235,15 @@ static oe_result_t _get_evidence( oe_result_str(result)); } - if (format_type == SGX_FORMAT_TYPE_RAW_QUOTE) - { // Discard / overwrite oe_report_header_t header - oe_report_header_t* header = (oe_report_header_t*)report; - tmp_buffer = report; - tmp_buffer_size = header->report_size; - memmove(tmp_buffer, header->report, tmp_buffer_size); - report = NULL; - } - else // SGX_FORMAT_TYPE_LEGACY_REPORT - { - oe_report_header_t* header = (oe_report_header_t*)report; - tmp_buffer = report; - tmp_buffer_size = sizeof(*header) + header->report_size; - report = NULL; - } + // Discard / overwrite oe_report_header_t structure + header = (oe_report_header_t*)report; + tmp_buffer = report; + tmp_buffer_size = header->report_size; + memmove(tmp_buffer, header->report, tmp_buffer_size); + report = NULL; } + else + OE_RAISE(OE_UNEXPECTED); *evidence_buffer = tmp_buffer; *evidence_buffer_size = tmp_buffer_size; @@ -319,10 +302,13 @@ static oe_result_t _get_report( OE_RAISE(OE_INVALID_PARAMETER); // Check to ensure the flags matches the plugin UUID - if ((!flags && - !memcmp(&context->base.format_id, &_local_uuid, sizeof(oe_uuid_t))) || + if ((!flags && !memcmp( + &context->base.format_id, + &_uuid_sgx_local_attestation, + sizeof(oe_uuid_t))) || (flags == OE_REPORT_FLAGS_REMOTE_ATTESTATION && - !memcmp(&context->base.format_id, &_ecdsa_uuid, sizeof(oe_uuid_t)))) + !memcmp( + &context->base.format_id, &_uuid_sgx_ecdsa, sizeof(oe_uuid_t)))) { uint8_t* report = NULL; size_t report_size = 0; @@ -363,7 +349,6 @@ static oe_result_t _get_attester_plugins( uint8_t* temporary_buffer = NULL; oe_uuid_t* uuid_list = NULL; size_t uuid_count = 0; - size_t legacy_uuid_count = 0; // Count for SGX ECDSA report / quote if (!attesters || !attesters_length) OE_RAISE(OE_INVALID_PARAMETER); 
@@ -398,42 +383,27 @@ static oe_result_t _get_attester_plugins( uuid_list = (oe_uuid_t*)temporary_buffer; uuid_count = temporary_buffer_size / sizeof(oe_uuid_t); - // If format SGX ECDSA_p256 is supported, then legacy OE report and SGX - // quote can also be supported. The two UUIDs for these two legacy formats - // are added - for (size_t i = 0; i < uuid_count; i++) - if (!memcmp(uuid_list + i, &_ecdsa_uuid, sizeof(oe_uuid_t))) - { - legacy_uuid_count = 2; - break; - } - - OE_TRACE_INFO("uuid_count=%lu legacy=%lu", uuid_count, legacy_uuid_count); + OE_TRACE_INFO("uuid_count=%lu", uuid_count); // Add one plugin for SGX local attestation - *attesters = (oe_attester_t*)oe_malloc( - sizeof(oe_attester_t) * (1 + uuid_count + legacy_uuid_count)); + *attesters = + (oe_attester_t*)oe_malloc(sizeof(oe_attester_t) * (1 + uuid_count)); if (*attesters == NULL) OE_RAISE(OE_OUT_OF_MEMORY); - for (size_t i = 0; i < 1 + uuid_count + legacy_uuid_count; i++) + for (size_t i = 0; i < 1 + uuid_count; i++) { oe_attester_t* plugin = *attesters + i; if (i == 0) // First plugin is for SGX local attestation - memcpy(&plugin->base.format_id, &_local_uuid, sizeof(oe_uuid_t)); - else if (i < 1 + uuid_count) memcpy( &plugin->base.format_id, - uuid_list + (i - 1), + &_uuid_sgx_local_attestation, sizeof(oe_uuid_t)); - else if (i == 1 + uuid_count) + else memcpy( &plugin->base.format_id, - &_ecdsa_report_uuid, + uuid_list + (i - 1), sizeof(oe_uuid_t)); - else // (i == 1 + uuid_count + 1) - memcpy( - &plugin->base.format_id, &_ecdsa_quote_uuid, sizeof(oe_uuid_t)); plugin->base.on_register = &_on_register; plugin->base.on_unregister = &_on_unregister; @@ -442,7 +412,7 @@ static oe_result_t _get_attester_plugins( plugin->free_endorsements = &_free_endorsements; plugin->get_report = &_get_report; } - *attesters_length = 1 + uuid_count + legacy_uuid_count; + *attesters_length = 1 + uuid_count; result = OE_OK; diff --git a/enclave/sgx/report.c b/enclave/sgx/report.c index 13bee19c91..752ce51547 100644 
--- a/enclave/sgx/report.c
+++ b/enclave/sgx/report.c
@@ -23,7 +23,7 @@ OE_STATIC_ASSERT(OE_REPORT_DATA_SIZE == sizeof(sgx_report_data_t));
 static const oe_uuid_t _local_uuid = {OE_FORMAT_UUID_SGX_LOCAL_ATTESTATION};
-static const oe_uuid_t _ecdsa_uuid = {OE_FORMAT_UUID_SGX_ECDSA_P256};
+static const oe_uuid_t _ecdsa_uuid = {OE_FORMAT_UUID_SGX_ECDSA};
 static oe_result_t _get_report_key(
     const sgx_report_t* sgx_report,
@@ -43,12 +43,52 @@ static oe_result_t _get_report_key(
     result = OE_OK;
 done:
-    // Cleanup secret.
+    // Clean up secret.
     oe_secure_zero_fill(&sgx_key_request, sizeof(sgx_key_request));
     return result;
 }
+// The input report_buffer holds a raw sgx_report_t structure.
+oe_result_t oe_verify_raw_sgx_report(
+    const uint8_t* report_buffer,
+    size_t report_buffer_size)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    sgx_key_t sgx_key = {{0}};
+    const size_t aes_cmac_length = sizeof(sgx_key);
+    oe_aes_cmac_t report_aes_cmac = {{0}};
+    oe_aes_cmac_t computed_aes_cmac = {{0}};
+    sgx_report_t* sgx_report = (sgx_report_t*)report_buffer;
+
+    if (!report_buffer || report_buffer_size < sizeof(sgx_report_t))
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    OE_CHECK(_get_report_key(sgx_report, &sgx_key));
+
+    OE_CHECK(oe_aes_cmac_sign(
+        (uint8_t*)&sgx_key,
+        sizeof(sgx_key),
+        (uint8_t*)&sgx_report->body,
+        sizeof(sgx_report->body),
+        &computed_aes_cmac));
+
+    // Fetch cmac from sgx_report.
+    // Note: sizeof(sgx_report->mac) <= sizeof(oe_aes_cmac_t).
+    oe_secure_memcpy(&report_aes_cmac, sgx_report->mac, aes_cmac_length);
+
+    if (!oe_secure_aes_cmac_equal(&computed_aes_cmac, &report_aes_cmac))
+        OE_RAISE(OE_VERIFY_FAILED_AES_CMAC_MISMATCH);
+
+    result = OE_OK;
+
+done:
+    // Clean up secret.
+    oe_secure_zero_fill(&sgx_key, sizeof(sgx_key));
+
+    return result;
+}
+
 // oe_verify_report_internal needs crypto library's cmac computation.
 // oecore does not have crypto functionality. Hence oe_verify_report_internal
 // is implemented here instead of in oecore.
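Review bot: The one-line comment on the new oe_verify_raw_sgx_report describes the input but not the guarantee, and since this is now the only thing standing between a local-attestation peer and an accepted SGX report, callers need to know how little OE_OK means: the body derives the report key via `_get_report_key`, recomputes the AES-CMAC over `sgx_report->body` and compares it, and nothing else. I would extend the header to say that success proves only that the report was produced by the hardware for this enclave as target (the MAC verifies under the key EGETKEY hands this enclave) and that `body.mrenclave`, `body.mrsigner`, `body.attributes` and `body.report_data` are left to the caller to check, and that bytes beyond `sizeof(sgx_report_t)` are ignored. As a point of style, `sgx_report` can be declared `const sgx_report_t*` since `_get_report_key` already takes a const pointer and the CMAC call casts anyway, which avoids silently dropping const on an input the function never writes.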
@@ -60,15 +100,8 @@ oe_result_t oe_verify_report_internal( { oe_result_t result = OE_UNEXPECTED; oe_report_t oe_report = {0}; - sgx_key_t sgx_key = {{0}}; oe_report_header_t* header = (oe_report_header_t*)report; - sgx_report_t* sgx_report = NULL; - - const size_t aes_cmac_length = sizeof(sgx_key); - oe_aes_cmac_t report_aes_cmac = {{0}}; - oe_aes_cmac_t computed_aes_cmac = {{0}}; - // Ensure that the report is parseable before using the header. OE_CHECK(oe_parse_report(report, report_size, &oe_report)); @@ -79,23 +112,7 @@ oe_result_t oe_verify_report_internal( } else if (header->report_type == OE_REPORT_TYPE_SGX_LOCAL) { - sgx_report = (sgx_report_t*)header->report; - - OE_CHECK(_get_report_key(sgx_report, &sgx_key)); - - OE_CHECK(oe_aes_cmac_sign( - (uint8_t*)&sgx_key, - sizeof(sgx_key), - (uint8_t*)&sgx_report->body, - sizeof(sgx_report->body), - &computed_aes_cmac)); - - // Fetch cmac from sgx_report. - // Note: sizeof(sgx_report->mac) <= sizeof(oe_aes_cmac_t). - oe_secure_memcpy(&report_aes_cmac, sgx_report->mac, aes_cmac_length); - - if (!oe_secure_aes_cmac_equal(&computed_aes_cmac, &report_aes_cmac)) - OE_RAISE(OE_VERIFY_FAILED_AES_CMAC_MISMATCH); + OE_CHECK(oe_verify_raw_sgx_report(header->report, header->report_size)); } else { @@ -109,9 +126,6 @@ oe_result_t oe_verify_report_internal( result = OE_OK; done: - // Cleanup secret. - oe_secure_zero_fill(&sgx_key, sizeof(sgx_key)); - return result; } diff --git a/enclave/sgx/report.h b/enclave/sgx/report.h index 6a93aed0ac..59e03c16b7 100644 --- a/enclave/sgx/report.h +++ b/enclave/sgx/report.h @@ -8,6 +8,12 @@ void oe_handle_verify_report(uint64_t arg_in, uint64_t* arg_out); +// The input report_buffer holds a raw sgx_report_t structure. +oe_result_t oe_verify_raw_sgx_report( + const uint8_t* report_buffer, + size_t report_buffer_size); + +// The input report holds an OE report returned by oe_get_report(). oe_result_t oe_verify_report_internal( const uint8_t* report, size_t report_size, 
diff --git a/host/sgx/report.c b/host/sgx/report.c index a18f704764..1ab173b683 100644 --- a/host/sgx/report.c +++ b/host/sgx/report.c @@ -8,7 +8,7 @@ #include "platform_u.h" -static const oe_uuid_t _ecdsa_uuid = {OE_FORMAT_UUID_SGX_ECDSA_P256}; +static const oe_uuid_t _uuid_sgx_ecdsa = {OE_FORMAT_UUID_SGX_ECDSA}; // Host version, supports ECDSA remote attestation natively. // for SGX local attestation, it makes ecall to the enclave. oe_result_t oe_verify_report( @@ -26,7 +26,7 @@ oe_result_t oe_verify_report( if (header->report_type == OE_REPORT_TYPE_SGX_REMOTE) { - const oe_uuid_t* uuid = &_ecdsa_uuid; + const oe_uuid_t* uuid = &_uuid_sgx_ecdsa; OE_UNUSED(enclave); diff --git a/host/sgx/sgxquote.c b/host/sgx/sgxquote.c index 1ee4f63760..214576fbe3 100644 --- a/host/sgx/sgxquote.c +++ b/host/sgx/sgxquote.c @@ -22,7 +22,7 @@ OE_STATIC_ASSERT(sizeof(sgx_target_info_t) == 512); OE_STATIC_ASSERT(sizeof(sgx_report_t) == 432); -static const oe_uuid_t _ecdsa_p256_uuid = {OE_FORMAT_UUID_SGX_ECDSA_P256}; +static const oe_uuid_t _ecdsa_p256_uuid = {OE_FORMAT_UUID_SGX_ECDSA}; OE_STATIC_ASSERT(sizeof(sgx_att_key_id_ext_t) == sizeof(sgx_att_key_id_t)); @@ -32,7 +32,6 @@ OE_STATIC_ASSERT(sizeof(sgx_att_key_id_ext_t) == sizeof(sgx_att_key_id_t)); static oe_sgx_quote_ex_library_t _quote_ex_library = {0}; static const oe_uuid_t _unknown_uuid = {OE_FORMAT_UUID_SGX_UNKNOWN}; -static const oe_uuid_t _ecdsa_p384_uuid = {OE_FORMAT_UUID_SGX_ECDSA_P384}; static const oe_uuid_t _epid_linkable_uuid = {OE_FORMAT_UUID_SGX_EPID_LINKABLE}; static const oe_uuid_t _epid_unlinkable_uuid = { OE_FORMAT_UUID_SGX_EPID_UNLINKABLE}; @@ -249,11 +248,6 @@ static void _load_quote_ex_library_once(void) local_mapped[i] = true; mapped_key_id_count++; break; - case SGX_QL_ALG_ECDSA_P384: - uuid = &_ecdsa_p384_uuid; - local_mapped[i] = true; - mapped_key_id_count++; - break; default: uuid = &_unknown_uuid; local_mapped[i] = false; 
diff --git a/include/openenclave/attestation/sgx/evidence.h b/include/openenclave/attestation/sgx/evidence.h index e90ee74653..f62c0bc0ee 100644 --- a/include/openenclave/attestation/sgx/evidence.h +++ b/include/openenclave/attestation/sgx/evidence.h 
@@ -4,8 +4,73 @@ /** * @file attestation/sgx/evidence.h * - * This file defines options for SGX evidence. + * This file defines macros for SGX evidence format IDs and claims. * + * A number of SGX specific format IDs are defined for evidence generation + * and verification. + * + * The API function oe_get_evidence() supports the values listed below in its + * format_id parameter. The output evidence will be prefixed with an + * oe_attestation_header if the OE_EVIDENCE_FLAGS_EMBED_FORMAT_ID bit in its + * flags parameter is set. + * - OE_FORMAT_UUID_SGX_LOCAL_ATTESTATION + * - OE_FORMAT_UUID_SGX_ECDSA + * - OE_FORMAT_UUID_SGX_EPID_LINKABLE + * - OE_FORMAT_UUID_SGX_EPID_UNLINKABLE + * + * The API function oe_verify_evidence() supports the values listed below in its + * format_id parameter. + * - NULL: + * + The input evidence is generated by oe_get_evidence(), with + * the OE_EVIDENCE_FLAGS_EMBED_FORMAT_ID bit set in its flags parameter. + * - OE_FORMAT_UUID_SGX_LOCAL_ATTESTATION: + * + The input evidence is generated by oe_get_evidence() for format + * OE_FORMAT_UUID_SGX_LOCAL_ATTESTATION, with the + * OE_EVIDENCE_FLAGS_EMBED_FORMAT_ID bit cleared in its flags parameter. + * - OE_FORMAT_UUID_SGX_ECDSA: + * + The input evidence is generated by oe_get_evidence() for format + * OE_FORMAT_UUID_SGX_ECDSA, with the + * OE_EVIDENCE_FLAGS_EMBED_FORMAT_ID bit cleared in its flags parameter. + * - OE_FORMAT_UUID_LEGACY_REPORT_REMOTE: + * + The input evidence is an OE report generated by the legacy API function + * oe_get_report() with the OE_REPORT_FLAGS_REMOTE_ATTESTATION flag. + * - OE_FORMAT_UUID_RAW_SGX_QUOTE_ECDSA: + * + The input evidence is an SGX ECDSA quote generated by the + * Intel SGX SDK DCAP library, or the quote-ex library with algorithm ID + * SGX_QL_ALG_ECDSA_P256. + * + * The table below shows the structure of the evidence data for all the + * supported SGX format IDs, as generated by an attester plugin or verified + * by a verifier plugin. 
+ * + * | Format ID | Evidence structure | + * | -- | - | + * | OE_FORMAT_UUID_SGX_LOCAL_ATTESTATION | [ oe_attestation_header ] \|\| SGX_report(hash) \|\| custom_claims_buffer | + * | OE_FORMAT_UUID_SGX_ECDSA | [ oe_attestation_header ] \|\| SGX_ECDSA_quote(hash) \|\| custom_claims_buffer | + * | OE_FORMAT_UUID_SGX_EPID_LINKABLE | [ oe_attestation_header ] \|\| SGX_EPID_linkable_quote(custom_claims_buffer) | + * | OE_FORMAT_UUID_SGX_EPID_UNLINKABLE | [ oe_attestation_header ] \|\| SGX_EPID_unlinkable_quote(custom_claims_buffer) | + * | OE_FORMAT_UUID_LEGACY_REPORT_REMOTE | oe_report_header (for remote attestation) \|\| SGX_ECDSA_quote(custom_claims_buffer) | + * | OE_FORMAT_UUID_RAW_SGX_QUOTE_ECDSA | SGX_ECDSA_quote(custom_claims_buffer) | + * + * In the above table: + * - The optional header oe_attestation_header is a structure of type + * oe_attestation_header_t. + * - For every format supported by oe_get_evidence(), the evidence + * will be prefixed with an oe_attestation_header when the + * OE_EVIDENCE_FLAGS_EMBED_FORMAT_ID bit in its flags parameter is set. + * oe_report_header is the OE report header of type oe_report_header_t. + * - hash is the SHA256 hash of the custom claims held in a flat buffer + * custom_claims_buffer. + * - An SGX report (SGX_report(), of type sgx_report_t) or quote (SGX_*quote(), + * of type sgx_quote_t) embeds a flat buffer of 64 bytes for its SGX report + * data field. Depending on the format, this field holds either the hash of + * the custom claims, or the custom claims directly. */ #ifndef _OE_ATTESTATION_SGX_EVIDENCE_H 
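Review bot: The OE_FORMAT_UUID_LEGACY_REPORT_REMOTE row documents the payload as `oe_report_header (for remote attestation) || SGX_ECDSA_quote(custom_claims_buffer)`, but the verifier comment introduced by this same patch for that format says the header is "followed by an SGX report or ECDSA-p256 quote"; one of the two is wrong about whether a local (sgx_report_t) payload is accepted under this UUID, and a verifier that reads only this header could be misled about what it is actually admitting. Since the UUID name and the `_uuid_legacy_report_remote` usage in attest_plugin.c suggest remote-only, I would fix the verifier comment, but if the branch really accepts both, the table row needs `SGX_report | SGX_ECDSA_quote` instead. The table would also benefit from a sentence noting that OE_FORMAT_UUID_RAW_SGX_QUOTE_ECDSA and the legacy format carry the custom claims directly in the 64-byte report data, so they cannot be paired with a separate custom_claims_buffer the way the SGX_ECDSA format is.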
@@ -15,30 +80,24 @@ OE_EXTERNC_BEGIN -#define OE_FORMAT_UUID_SGX_ECDSA_P256 \ +#define OE_FORMAT_UUID_SGX_ECDSA \ { \ 0xa3, 0xa2, 0x1e, 0x87, 0x1b, 0x4d, 0x40, 0x14, 0xb7, 0x0a, 0xa1, \ 0x25, 0xd2, 0xfb, 0xcd, 0x8c \ } -#define OE_FORMAT_UUID_SGX_ECDSA_P256_REPORT \ +#define OE_FORMAT_UUID_LEGACY_REPORT_REMOTE \ { \ 0xc8, 0x30, 0x34, 0x54, 0xd9, 0x23, 0x4c, 0x2c, 0xa6, 0x91, 0xdf, \ 0x7d, 0xef, 0x46, 0x0a, 0x76 \ } -#define OE_FORMAT_UUID_SGX_ECDSA_P256_QUOTE \ +#define OE_FORMAT_UUID_RAW_SGX_QUOTE_ECDSA \ { \ 0x19, 0x23, 0xd9, 0x1e, 0x12, 0xd2, 0x4c, 0x72, 0xb2, 0x20, 0x25, \ 0xcd, 0x8d, 0xac, 0xe8, 0x71 \ } -#define OE_FORMAT_UUID_SGX_ECDSA_P384 \ - { \ - 0xac, 0x17, 0x68, 0x6f, 0x37, 0x0c, 0x46, 0x24, 0x91, 0x4a, 0x32, \ - 0xdc, 0x90, 0x97, 0x3d, 0x12 \ - } - #define OE_FORMAT_UUID_SGX_LOCAL_ATTESTATION \ { \ 0x09, 0x26, 0x8c, 0x33, 0x6e, 0x0b, 0x45, 0xe5, 0x8a, 0x27, 0x15, \ @@ -63,9 +122,8 @@ OE_EXTERNC_BEGIN 0x00, 0x00, 0x00, 0x00, 0x00 \ } -/** - * SGX specific claim: SGX Quote verification collateral. - */ +// SGX specific claims: SGX Quote verification collateral. + #define OE_CLAIM_SGX_TCB_INFO "sgx_tcb_info" #define OE_CLAIM_SGX_TCB_ISSUER_CHAIN "sgx_tcb_issuer_chain" #define OE_CLAIM_SGX_PCK_CRL "sgx_pck_crl" @@ -75,9 +133,8 @@ OE_EXTERNC_BEGIN #define OE_CLAIM_SGX_QE_ID_ISSUER_CHAIN "sgx_qe_id_issuer_chain" #define OE_SGX_CLAIMS_COUNT 7 -/** - * Additional SGX specific claim: for the report data embedded in the SGX quote. - */ +// Additional SGX specific claim: for the report data embedded in the SGX quote. + #define OE_CLAIM_SGX_REPORT_DATA "sgx_report_data" OE_EXTERNC_END diff --git a/include/openenclave/bits/sgx/sgxtypes.h b/include/openenclave/bits/sgx/sgxtypes.h index 925a5426d9..d419752678 100644 --- a/include/openenclave/bits/sgx/sgxtypes.h +++ b/include/openenclave/bits/sgx/sgxtypes.h 
@@ -668,6 +668,27 @@ OE_PACK_END
 OE_CHECK_SIZE(sizeof(sgx_quote_t), 436);
+/*
+**==============================================================================
+**
+** sgx_ql_attestation_algorithm_id_t
+**
+**==============================================================================
+*/
+// Enumerates the different attestation key algorithms
+// For the sign_type field in sgx_quote_t
+typedef enum
+{
+ SGX_QL_ALG_EPID = 0, // EPID 2.0 - Anonymous: EPID unlinkable
+ SGX_QL_ALG_RESERVED_1 = 1, // Reserved: EPID linkable
+ SGX_QL_ALG_ECDSA_P256 = 2, // ECDSA-256-with-P-256 curve
+ SGX_QL_ALG_ECDSA_P384 = 3, // ECDSA-384-with-P-384 curve (not supported)
+ SGX_QL_ALG_MAX = 4
+} sgx_ql_attestation_algorithm_id_t;
+
+// The required "version" value in sgx_quote_t for ECDSA quotes
+#define SGX_QE3_QUOTE_VERSION 3
+
 // Size of actual data within the quote excluding authentication information.
 // This data is signed for quote verification.
 #define SGX_QUOTE_SIGNED_DATA_SIZE OE_OFFSETOF(sgx_quote_t, signature_len)
diff --git a/include/openenclave/internal/report.h b/include/openenclave/internal/report.h
index bfdce6d53b..c5aee11d30 100644
--- a/include/openenclave/internal/report.h
+++ b/include/openenclave/internal/report.h
@@ -94,7 +94,4 @@ OE_STATIC_ASSERT(
 // For old OE reports.
 #define OE_REPORT_HEADER_VERSION (1)
-// For attestation plugin reports.
-#define OE_ATTESTATION_HEADER_VERSION (2)
-
 #endif //_OE_INCLUDE_REPORT_H_
diff --git a/samples/attested_tls/common/utility.cpp b/samples/attested_tls/common/utility.cpp
index 8980b868d7..f58f44f6ef 100644
--- a/samples/attested_tls/common/utility.cpp
+++ b/samples/attested_tls/common/utility.cpp
@@ -9,7 +9,7 @@
 #include 
 // SGX Remote Attestation UUID.
-static oe_uuid_t sgx_remote_uuid = {OE_FORMAT_UUID_SGX_ECDSA_P256};
+static oe_uuid_t _uuid_sgx_ecdsa = {OE_FORMAT_UUID_SGX_ECDSA};
 // input: input_data and input_data_len
 // output: key, key_size
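Review bot: SGX_QE3_QUOTE_VERSION and sgx_ql_attestation_algorithm_id_t are declared here but the header does not say what a consumer must do with them, and the trailing-signature layout of sgx_quote_t (signature_len followed by the ECDSA signature data) is only meaningful when `version == SGX_QE3_QUOTE_VERSION` and `sign_type == SGX_QL_ALG_ECDSA_P256`. The verifier in common/sgx/verifier.c is in the diffstat but not in this hunk, so I cannot confirm it rejects every other combination before reading signature_len; that check is what keeps a quote with an unexpected version or sign_type from being parsed with the wrong layout. I would state the contract next to the define: `// A quote must have version == SGX_QE3_QUOTE_VERSION and sign_type == SGX_QL_ALG_ECDSA_P256 before its signature_len and signature bytes may be trusted.` The comment on SGX_QL_ALG_RESERVED_1 could also say whether such quotes are rejected outright, since "Reserved: EPID linkable" reads as if it were an accepted algorithm.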
@@ -97,7 +97,7 @@ oe_result_t generate_certificate_and_pkey( // both ec key such ASYMMETRIC_KEY_EC_SECP256P1 or RSA key work oe_attester_initialize(); result = oe_get_attestation_certificate_with_evidence( - &sgx_remote_uuid, + &_uuid_sgx_ecdsa, (const unsigned char*)"CN=Open Enclave SDK,O=OESDK TLS,C=US", private_key_buf, private_key_buf_size, diff --git a/samples/remote_attestation/common/attestation.cpp b/samples/remote_attestation/common/attestation.cpp index a09ec8952e..90c3dc97dd 100644 --- a/samples/remote_attestation/common/attestation.cpp +++ b/samples/remote_attestation/common/attestation.cpp @@ -11,7 +11,7 @@ #include "log.h" // SGX Remote Attestation UUID. -static oe_uuid_t sgx_remote_uuid = {OE_FORMAT_UUID_SGX_ECDSA_P256}; +static oe_uuid_t sgx_remote_uuid = {OE_FORMAT_UUID_SGX_ECDSA}; Attestation::Attestation(Crypto* crypto, uint8_t* enclave_signer_id) { diff --git a/tests/attestation_plugin/enc/enc.c b/tests/attestation_plugin/enc/enc.c index e6b1415eb2..75f1594386 100644 --- a/tests/attestation_plugin/enc/enc.c +++ b/tests/attestation_plugin/enc/enc.c @@ -14,16 +14,13 @@ #include #include +#include "../../../common/attest_plugin.h" #include "../../../common/sgx/quote.h" #include "../plugin/tests.h" #include "plugin_t.h" -static const oe_uuid_t _ecdsa_uuid = {OE_FORMAT_UUID_SGX_ECDSA_P256}; +static const oe_uuid_t _ecdsa_uuid = {OE_FORMAT_UUID_SGX_ECDSA}; static const oe_uuid_t _local_uuid = {OE_FORMAT_UUID_SGX_LOCAL_ATTESTATION}; -static const oe_uuid_t _ecdsa_report_uuid = { - OE_FORMAT_UUID_SGX_ECDSA_P256_REPORT}; -static const oe_uuid_t _ecdsa_quote_uuid = { - OE_FORMAT_UUID_SGX_ECDSA_P256_QUOTE}; static const oe_uuid_t _epid_linkable_uuid = {OE_FORMAT_UUID_SGX_EPID_LINKABLE}; static const oe_uuid_t _epid_unlinkable_uuid = { OE_FORMAT_UUID_SGX_EPID_UNLINKABLE}; 
@@ -95,6 +92,7 @@ static void _test_sgx_remote() 0); OE_TEST(oe_free_evidence(evidence) == OE_OK); + evidence = NULL; // Get evidence with endorsements. printf("====== running _test_sgx_remote #2: + Endorsements\n"); @@ -144,7 +142,9 @@ static void _test_sgx_remote() 0); OE_TEST(oe_free_evidence(evidence) == OE_OK); + evidence = NULL; OE_TEST(oe_free_endorsements(endorsements) == OE_OK); + endorsements = NULL; // Get a remote report with both. printf("====== running _test_sgx_remote #3: + Claims\n"); @@ -192,7 +192,9 @@ static void _test_sgx_remote() endorsements_size) == OE_OK); OE_TEST(oe_free_evidence(evidence) == OE_OK); + evidence = NULL; OE_TEST(oe_free_endorsements(endorsements) == OE_OK); + endorsements = NULL; printf("testing a 65-byte custom claims\n"); OE_TEST_CODE( @@ -228,38 +230,9 @@ static void _test_sgx_remote() TEST_LARGE_CLAIMS_SIZE); OE_TEST(oe_free_evidence(evidence) == OE_OK); - OE_TEST(oe_free_endorsements(endorsements) == OE_OK); - - printf("====== running _test_sgx_remote #4: OE_report\n"); - printf("verifying OE_report generated by oe_get_evidence()\n"); - - OE_TEST_CODE( - oe_get_evidence( - &_ecdsa_report_uuid, - 0, - test_claims, // place custom claims in sgx report data - TEST_CLAIMS_SIZE, - NULL, - 0, - &evidence, - &evidence_size, - &endorsements, - &endorsements_size), - OE_OK); - - verify_sgx_evidence( - &_ecdsa_report_uuid, - false, - evidence, - evidence_size, - endorsements, - endorsements_size, - endorsements, - endorsements_size, - test_claims, - TEST_CLAIMS_SIZE); - - OE_TEST(oe_free_evidence(evidence) == OE_OK); + evidence = NULL; + // Note: endorsements are reused in testing legacy report / quote + // In those tests, the prefixed attestation header is ignored. printf("verifying OE_report generated by oe_get_report()\n"); 
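Review bot: The new comment `// In those tests, the prefixed attestation header is ignored.` is misleading: the legacy-report and raw-quote tests that follow do not ignore the header, they skip past it by hand with `endorsements + sizeof(oe_attestation_header_t)` because those formats take header-less endorsements. I would rather write `// Note: endorsements are kept (not freed) and reused by the legacy report / raw quote tests below, which strip the oe_attestation_header_t prefix themselves.` This hunk also drops the only oe_get_evidence() call with the legacy report UUID; if that UUID is now verify-only, a negative test asserting that `oe_get_evidence(&_ecdsa_report_uuid, ...)` returns an error would lock that in, replacing the removed 65-byte negative case. _test_sgx_remote starts before and continues past this hunk.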
@@ -274,66 +247,24 @@ static void _test_sgx_remote() &evidence_size), OE_OK); - verify_sgx_evidence( - &_ecdsa_report_uuid, - false, - evidence, - evidence_size, - NULL, - 0, - endorsements, // reuse the endorsement generated above - endorsements_size, - test_claims, - TEST_CLAIMS_SIZE); - - OE_TEST(oe_free_evidence(evidence) == OE_OK); - OE_TEST(oe_free_endorsements(endorsements) == OE_OK); - - printf("testing a 65-byte custom claims that should failed\n"); - OE_TEST_CODE( - oe_get_evidence( + { + static const oe_uuid_t _ecdsa_report_uuid = { + OE_FORMAT_UUID_LEGACY_REPORT_REMOTE}; + verify_sgx_evidence( &_ecdsa_report_uuid, - 0, - test_large_claims, - TEST_LARGE_CLAIMS_SIZE, - NULL, - 0, - &evidence, - &evidence_size, - &endorsements, - &endorsements_size), - OE_INVALID_PARAMETER); - - printf("====== running _test_sgx_remote #5: SGX_quote\n"); - printf("verifying SGX quote generated by oe_get_evidence()\n"); - - OE_TEST_CODE( - oe_get_evidence( - &_ecdsa_quote_uuid, - 0, - test_claims, // place custom claims in sgx report data - TEST_CLAIMS_SIZE, + false, + evidence, + evidence_size, NULL, 0, - &evidence, - &evidence_size, - &endorsements, - &endorsements_size), - OE_OK); - - verify_sgx_evidence( - &_ecdsa_quote_uuid, - false, - evidence, - evidence_size, - endorsements, - endorsements_size, - endorsements, - endorsements_size, - test_claims, - TEST_CLAIMS_SIZE); + endorsements + sizeof(oe_attestation_header_t), + endorsements_size - sizeof(oe_attestation_header_t), + test_claims, + TEST_CLAIMS_SIZE); + } OE_TEST(oe_free_evidence(evidence) == OE_OK); + evidence = NULL; printf("verifying SGX quote extracted from OE_report\n"); 
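Review bot: `endorsements_size - sizeof(oe_attestation_header_t)` is computed without checking that endorsements_size is at least that large; the buffer comes from oe_get_evidence() earlier in the function so this holds today, but if that call ever hands back a shorter buffer the size_t subtraction wraps and verify_sgx_evidence is given an enormous length. A one-line guard before the block, `OE_TEST(endorsements_size > sizeof(oe_attestation_header_t));`, costs nothing and mirrors the `evidence_size > sizeof(oe_attestation_header_t)` check verify_sgx_evidence applies to the evidence side. The block-scoped `static const oe_uuid_t _ecdsa_report_uuid` would also read better at file scope next to `_ecdsa_uuid`, where the other format IDs live. The enclosing function continues outside the hunk.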
@@ -348,44 +279,35 @@ static void _test_sgx_remote() &evidence_size), OE_OK); - verify_sgx_evidence( - &_ecdsa_quote_uuid, - false, - // offset OE_report by oe_report_header_t to get OE_report.report which - // is an SGX quote - evidence + sizeof(oe_report_header_t), - evidence_size - sizeof(oe_report_header_t), - NULL, - 0, - endorsements, // reuse the endorsement generated above - endorsements_size, - test_claims, - TEST_CLAIMS_SIZE); - - OE_TEST(oe_free_evidence(evidence) == OE_OK); - OE_TEST(oe_free_endorsements(endorsements) == OE_OK); - - printf("testing a 65-byte custom claims that should failed\n"); - OE_TEST_CODE( - oe_get_evidence( + { + static const oe_uuid_t _ecdsa_quote_uuid = { + OE_FORMAT_UUID_RAW_SGX_QUOTE_ECDSA}; + verify_sgx_evidence( &_ecdsa_quote_uuid, - 0, - test_large_claims, - TEST_LARGE_CLAIMS_SIZE, + false, + // offset OE_report by oe_report_header_t to get OE_report.report + // which is an SGX quote + evidence + sizeof(oe_report_header_t), + evidence_size - sizeof(oe_report_header_t), NULL, 0, - &evidence, - &evidence_size, - &endorsements, - &endorsements_size), - OE_INVALID_PARAMETER); + endorsements + sizeof(oe_attestation_header_t), + endorsements_size - sizeof(oe_attestation_header_t), + test_claims, + TEST_CLAIMS_SIZE); + } + + OE_TEST(oe_free_evidence(evidence) == OE_OK); + evidence = NULL; + OE_TEST(oe_free_endorsements(endorsements) == OE_OK); + endorsements = NULL; if (oe_attester_select_format(&_epid_linkable_uuid, 1, &selected_format) == OE_OK) { uint8_t spid[16] = "SPID"; - printf("====== running _test_sgx_remote #6: get EPID evidence\n"); + printf("====== running _test_sgx_remote #4: get EPID evidence\n"); OE_TEST_CODE( oe_get_evidence( @@ -401,7 +323,9 @@ static void _test_sgx_remote() &endorsements_size), OE_OK); OE_TEST(oe_free_evidence(evidence) == OE_OK); + evidence = NULL; OE_TEST(oe_free_endorsements(endorsements) == OE_OK); + endorsements = NULL; OE_TEST_CODE( oe_get_evidence( 
@@ -417,7 +341,9 @@ static void _test_sgx_remote() &endorsements_size), OE_OK); OE_TEST(oe_free_evidence(evidence) == OE_OK); + evidence = NULL; OE_TEST(oe_free_endorsements(endorsements) == OE_OK); + endorsements = NULL; OE_TEST_CODE( oe_get_evidence( @@ -434,7 +360,7 @@ static void _test_sgx_remote() OE_INVALID_PARAMETER); } else - printf("====== note: _test_sgx_remote #6: EPID not supported\n"); + printf("====== note: _test_sgx_remote #4: EPID not supported\n"); printf("====== done _test_sgx_remote\n"); @@ -487,6 +413,7 @@ static void _test_sgx_local() 0); OE_TEST(oe_free_evidence(evidence) == OE_OK); + evidence = NULL; // Evidence + claims. printf("====== running _test_sgx_local #2: + Claims\n"); @@ -516,6 +443,7 @@ static void _test_sgx_local() TEST_CLAIMS_SIZE); OE_TEST(oe_free_evidence(evidence) == OE_OK); + evidence = NULL; oe_verifier_free_format_settings(target); } diff --git a/tests/attestation_plugin/plugin/tests.c b/tests/attestation_plugin/plugin/tests.c index 1b6202288b..9b2b4dac55 100644 --- a/tests/attestation_plugin/plugin/tests.c +++ b/tests/attestation_plugin/plugin/tests.c 
@@ -411,41 +411,33 @@ static void _test_time( { oe_datetime_t tmp; - OE_TEST( + OE_TEST_CODE( oe_verify_sgx_quote( - report_body, - report_body_size, - collaterals, - collaterals_size, - from) == OE_OK); + report_body, report_body_size, collaterals, collaterals_size, from), + OE_OK); - OE_TEST( + OE_TEST_CODE( oe_verify_sgx_quote( report_body, report_body_size, collaterals, collaterals_size, - until) == OE_OK); + until), + OE_OK); tmp = *from; tmp.year--; - OE_TEST( + OE_TEST_CODE( oe_verify_sgx_quote( - report_body, - report_body_size, - collaterals, - collaterals_size, - &tmp) == OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD); + report_body, report_body_size, collaterals, collaterals_size, &tmp), + OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD); tmp = *until; tmp.year++; - OE_TEST( + OE_TEST_CODE( oe_verify_sgx_quote( - report_body, - report_body_size, - collaterals, - collaterals_size, - &tmp) == OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD); + report_body, report_body_size, collaterals, collaterals_size, &tmp), + OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD); } static void _test_time_policy( @@ -480,10 +472,10 @@ static void _test_time_policy( &claims, &claims_size), OE_OK); - OE_TEST(oe_free_claims(claims, claims_size) == OE_OK); + OE_TEST_CODE(oe_free_claims(claims, claims_size), OE_OK); dt = *until; - OE_TEST( + OE_TEST_CODE( oe_verify_evidence( wrapped_with_header ? NULL : format_id, evidence, @@ -493,12 +485,13 @@ static void _test_time_policy( &policy, 1, &claims, - &claims_size) == OE_OK); - OE_TEST(oe_free_claims(claims, claims_size) == OE_OK); + &claims_size), + OE_OK); + OE_TEST_CODE(oe_free_claims(claims, claims_size), OE_OK); dt = *from; dt.year--; - OE_TEST( + OE_TEST_CODE( oe_verify_evidence( wrapped_with_header ? NULL : format_id, evidence, 
@@ -508,11 +501,12 @@ static void _test_time_policy( &policy, 1, &claims, - &claims_size) == OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD); + &claims_size), + OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD); dt = *until; dt.year++; - OE_TEST( + OE_TEST_CODE( oe_verify_evidence( wrapped_with_header ? NULL : format_id, evidence, @@ -522,15 +516,15 @@ static void _test_time_policy( &policy, 1, &claims, - &claims_size) == OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD); + &claims_size), + OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD); } static const oe_uuid_t _local_uuid = {OE_FORMAT_UUID_SGX_LOCAL_ATTESTATION}; -static const oe_uuid_t _ecdsa_uuid = {OE_FORMAT_UUID_SGX_ECDSA_P256}; +static const oe_uuid_t _ecdsa_uuid = {OE_FORMAT_UUID_SGX_ECDSA}; static const oe_uuid_t _ecdsa_report_uuid = { - OE_FORMAT_UUID_SGX_ECDSA_P256_REPORT}; -static const oe_uuid_t _ecdsa_quote_uuid = { - OE_FORMAT_UUID_SGX_ECDSA_P256_QUOTE}; + OE_FORMAT_UUID_LEGACY_REPORT_REMOTE}; +static const oe_uuid_t _ecdsa_quote_uuid = {OE_FORMAT_UUID_RAW_SGX_QUOTE_ECDSA}; void verify_sgx_evidence( const oe_uuid_t* format_id, 
@@ -573,32 +567,37 @@ void verify_sgx_evidence( if (!memcmp(format_id, &_local_uuid, sizeof(oe_uuid_t))) { - // evidence has oe_report_header_t - oe_report_header_t* report = - (oe_report_header_t*)(wrapped_with_header ? evidence_header->data : evidence); + // evidence might be prefixed with oe_attestation_header_t + // but not with oe_report_header_t + if (wrapped_with_header) + { + OE_TEST(evidence_size > sizeof(oe_attestation_header_t)); + report_body = evidence_header->data; + } + else + report_body = evidence; - OE_TEST( - report->version == OE_REPORT_HEADER_VERSION && - report->report_type == OE_REPORT_TYPE_SGX_LOCAL); + report_body_size = sizeof(sgx_report_t); format_type = SGX_FORMAT_TYPE_LOCAL; - report_body = report->report; - report_body_size = report->report_size; is_local = true; } else if (!memcmp(format_id, &_ecdsa_uuid, sizeof(oe_uuid_t))) { - // evidence has oe_report_header_t - oe_report_header_t* report = - (oe_report_header_t*)(wrapped_with_header ? evidence_header->data : evidence); + // evidence might be prefixed with oe_attestation_header_t + // but not with oe_report_header_t + if (wrapped_with_header) + { + OE_TEST(evidence_size > sizeof(oe_attestation_header_t)); + report_body = evidence_header->data; + } + else + report_body = evidence; - OE_TEST( - report->version == OE_REPORT_HEADER_VERSION && - report->report_type == OE_REPORT_TYPE_SGX_REMOTE); + report_body_size = + sizeof(sgx_quote_t) + ((sgx_quote_t*)report_body)->signature_len; format_type = SGX_FORMAT_TYPE_REMOTE; - report_body = report->report; - report_body_size = report->report_size; is_local = false; } else if (!memcmp(format_id, &_ecdsa_report_uuid, sizeof(oe_uuid_t))) 
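Review bot: `report_body_size = sizeof(sgx_quote_t) + ((sgx_quote_t*)report_body)->signature_len;` reads signature_len out of the evidence buffer without first checking that at least sizeof(sgx_quote_t) bytes are available, and the computed size is never compared against the bytes actually present (evidence_size, less the attestation header when wrapped_with_header); the local branch likewise assigns sizeof(sgx_report_t) unconditionally. Since report_body and report_body_size are what later reach oe_verify_sgx_quote(), a truncated evidence blob turns into an over-read inside the helper instead of a clean test failure. I would compute `size_t available = wrapped_with_header ? evidence_size - sizeof(oe_attestation_header_t) : evidence_size;` once, then add `OE_TEST(available >= sizeof(sgx_quote_t));` before the read and `OE_TEST(report_body_size <= available);` after it (and the sgx_report_t equivalent in the local branch). verify_sgx_evidence starts before and continues past this hunk.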
@@ -847,8 +846,10 @@ void verify_sgx_evidence( oe_result_t result; oe_attestation_header_t* evidence_header = (oe_attestation_header_t*)evidence; - oe_report_header_t* report_header = - (oe_report_header_t*)evidence_header->data; + const sgx_quote_t* quote = (sgx_quote_t*)evidence_header->data; + size_t quote_size = sizeof(*quote) + quote->signature_len; + uint8_t* report_buffer = NULL; + size_t report_buffer_size = sizeof(oe_report_header_t) + quote_size; OE_SHA256 hash; printf( @@ -859,11 +860,22 @@ void verify_sgx_evidence( custom_claims_buffer, custom_claims_buffer_size, &hash), OE_OK); + report_buffer = (uint8_t*)oe_malloc(report_buffer_size); + OE_TEST(report_buffer != NULL); + { // Create a temporary buffer with OE report for SGX remote attestation + oe_report_header_t* report_header = + (oe_report_header_t*)report_buffer; + report_header->version = OE_REPORT_HEADER_VERSION; + report_header->report_type = OE_REPORT_TYPE_SGX_REMOTE; + report_header->report_size = quote_size; + memcpy(report_header->report, quote, quote_size); + } + OE_TEST_CODE( oe_verify_evidence( &_ecdsa_report_uuid, - evidence_header->data, - sizeof(oe_report_header_t) + report_header->report_size, + report_buffer, + report_buffer_size, NULL, 0, NULL, @@ -872,6 +884,9 @@ void verify_sgx_evidence( &claims_size), OE_OK); + oe_free(report_buffer); + report_buffer = NULL; + value = _find_claim(claims, claims_size, OE_CLAIM_SGX_REPORT_DATA); OE_TEST(value != NULL && !memcmp(&hash, value, sizeof(hash))); @@ -883,8 +898,8 @@ void verify_sgx_evidence( OE_TEST_CODE( oe_verify_evidence( &_ecdsa_quote_uuid, - report_header->report, - report_header->report_size, + (const uint8_t*)quote, + quote_size, NULL, 0, NULL, @@ -908,8 +923,8 @@ void verify_sgx_evidence( // find a plugin, since the evidence has no valid attestation header. result = oe_verify_evidence( NULL, - evidence_header->data, - sizeof(oe_report_header_t) + report_header->report_size, + (const uint8_t*)quote, + quote_size, NULL, 0, NULL, 
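Review bot: `size_t quote_size = sizeof(*quote) + quote->signature_len;` trusts the length field embedded in the evidence and then copies quote_size bytes with memcpy into the freshly allocated report_buffer, so a malformed or truncated evidence buffer reads past the end of evidence rather than failing the test. This helper is only driven by evidence the test generated itself, but it is the reference verifier for the raw-quote and legacy-report paths, so I would guard it: `OE_TEST(evidence_size >= sizeof(oe_attestation_header_t) + sizeof(*quote));` before reading signature_len and `OE_TEST(quote_size <= evidence_size - sizeof(oe_attestation_header_t));` after. If oe_attestation_header_t carries its own data-size field, comparing against that would be tighter still; that struct is not visible here. verify_sgx_evidence starts before this hunk.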
diff --git a/tests/attestation_plugin_cert/enc/enc.cpp b/tests/attestation_plugin_cert/enc/enc.cpp
index 4423425462..4ffaac76d1 100644
--- a/tests/attestation_plugin_cert/enc/enc.cpp
+++ b/tests/attestation_plugin_cert/enc/enc.cpp
@@ -238,7 +238,7 @@ oe_result_t get_tls_cert_signed_with_key(
 size_t private_key_size = 0;
 uint8_t* public_key = nullptr;
 size_t public_key_size = 0;
- const oe_uuid_t format = {OE_FORMAT_UUID_SGX_ECDSA_P256};
+ const oe_uuid_t format = {OE_FORMAT_UUID_SGX_ECDSA};
 OE_TRACE_INFO("called into enclave\n");
diff --git a/tests/report/host/host.cpp b/tests/report/host/host.cpp
index c82a53416e..b8f4290f4a 100644
--- a/tests/report/host/host.cpp
+++ b/tests/report/host/host.cpp
@@ -161,7 +161,7 @@ int main(int argc, const char* argv[])
 if (oe_has_sgx_quote_provider())
 {
- static oe_uuid_t sgx_ecdsa_uuid = {OE_FORMAT_UUID_SGX_ECDSA_P256};
+ static oe_uuid_t sgx_ecdsa_uuid = {OE_FORMAT_UUID_SGX_ECDSA};
 /* Initialize the target info */
 {