From 6b1c77a12188719864bcd315f8aa70297146fb3b Mon Sep 17 00:00:00 2001 From: Simon Ott Date: Mon, 13 May 2024 11:28:51 +0000 Subject: [PATCH 1/3] example-setup: move generic functions to common file Signed-off-by: Simon Ott --- example-setup/setup-full-ids | 9 ++------- example-setup/setup-full-simple | 9 ++------- example-setup/sgx-setup-sample | 21 +++++++++------------ example-setup/update-app-manifest | 21 ++------------------- example-setup/update-app-manifest-live | 16 ---------------- example-setup/update-full-ids | 9 ++------- example-setup/update-full-simple | 10 ++-------- example-setup/utils.sh | 17 +++++++++++++++++ 8 files changed, 36 insertions(+), 76 deletions(-) create mode 100644 example-setup/utils.sh diff --git a/example-setup/setup-full-ids b/example-setup/setup-full-ids index dc7ea918..ab9a80c5 100755 --- a/example-setup/setup-full-ids +++ b/example-setup/setup-full-ids @@ -3,15 +3,10 @@ set -euo pipefail trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT +dir="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd -P)" +source "${dir}/utils.sh" export PATH=${PATH}:${HOME}/go/bin -function abs_path() { - if [[ -d "$(dirname "$1")" ]] - then - echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true - fi -} - if [[ "$#" -ne 3 ]]; then echo "Usage: ./setup-full-ids " exit 1 diff --git a/example-setup/setup-full-simple b/example-setup/setup-full-simple index f9f0ad00..b89ffe71 100755 --- a/example-setup/setup-full-simple +++ b/example-setup/setup-full-simple @@ -3,15 +3,10 @@ set -euo pipefail trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT +dir="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd -P)" +source "${dir}/utils.sh" export PATH=${PATH}:${HOME}/go/bin -abs_path() { - if [[ -d "$(dirname "$1")" ]] - then - echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true - fi -} - if [[ "$#" -ne 3 ]]; then echo "Usage: ./setup-full-simple " exit 
diff --git a/example-setup/sgx-setup-sample b/example-setup/sgx-setup-sample index 1112abbb..57dc043c 100755 --- a/example-setup/sgx-setup-sample +++ b/example-setup/sgx-setup-sample @@ -3,17 +3,12 @@ set -euo pipefail trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT +dir="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd -P)" +source "${dir}/utils.sh" export PATH=${PATH}:${HOME}/go/bin -abs_path() { - if [[ -d "$(dirname "$1")" ]] - then - echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true - fi -} - -if [[ "$#" -ne 3 ]]; then - echo "Usage: ./setup-full-simple " +if [[ "$#" -ne 5 ]]; then + echo "Usage: ./setup-full-simple " exit fi @@ -21,13 +16,15 @@ fi cmc="$(abs_path "${1}")" data="$(abs_path "${2}")" ser="${3}" +mrenclave="${4}" +mrsigner="${5}" if [[ ! -d "$cmc" ]]; then echo "cmc directory does not exist. Did you clone the repository? Abort.." exit 1 fi -if [[ ! -d "${data}" ]]; then +if [[ ! -d "${data}" ]]; then mkdir -p "${data}" fi @@ -80,7 +77,7 @@ decoded=$(printf '%b' "$(echo "$cert_chain" | sed 's/SGX-PCK-Certificate-Issuer- root_ca=$(echo -e "$decoded" | sed -n '/-----END CERTIFICATE-----/,$p' | sed '1d') ca_fingerprint=$(openssl x509 -in <(echo "$root_ca") -noout -sha256 -fingerprint | awk -F= '{print $2}' | tr -d ': ' | tr '[:upper:]' '[:lower:]') -# GET TCB Info +# GET TCB Info tcb_info="$(curl -s -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/tcb?fmspc=$fmspc" | jq -c .)" echo "$tcb_info" > "${data}/metadata-raw/tcb_info.json" @@ -98,7 +95,7 @@ jq --argjson tcb_info "$tcb_info" --argjson qe_identity "$qe_identity" --argjson "sgx": { "version": 3, "collateral": { - "teeType": 0, + "teeType": 0, "tcbInfo": $tcb_info, "tcbInfoSize": $tcb_info_size, "qeIdentity": $qe_identity, diff --git a/example-setup/update-app-manifest b/example-setup/update-app-manifest index 8c6bd9fb..7f6a5d3f 100755 --- a/example-setup/update-app-manifest +++ b/example-setup/update-app-manifest 
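Review bot: The argument-count guard in the first hunk of sgx-setup-sample still leaves the script with exit status 0 on a wrong argument count — a bare `exit` after the Usage echo — so a caller or Makefile that checks the return code sees success and the EXIT trap prints nothing, whereas every sibling script in this series uses `exit 1` there. The Usage text also still names `./setup-full-simple` although this is sgx-setup-sample; the commit edits this line but keeps the copy-paste name. Suggested: `echo "Usage: ./sgx-setup-sample <cmc> <data> <ser> <mrenclave> <mrsigner>"` followed by `exit 1`, with the placeholders matching the assignments in the next hunk (the original placeholder text is not legible in this rendering of the patch).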
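Review bot: `mrenclave` and `mrsigner` are taken verbatim from argv in the second hunk and, unlike `cmc` and `data`, get no validation before use; MRENCLAVE and MRSIGNER are 32-byte measurements, so a mistyped or truncated value would presumably only surface later when the verifier compares it against a quote (the part of the script that consumes them is outside this hunk). A cheap guard next to the existing directory checks: `[[ "${mrenclave}" =~ ^[0-9a-fA-F]{64}$ && "${mrsigner}" =~ ^[0-9a-fA-F]{64}$ ]] || { echo "mrenclave/mrsigner must be 64 hex characters"; exit 1; }` — adjust the pattern if the metadata expects a different encoding.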
@@ -3,24 +3,10 @@ set -euo pipefail trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT +dir="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd -P)" +source "${dir}/utils.sh" export PATH=${PATH}:${HOME}/go/bin -abs_path() { - if [[ -d "$(dirname "$1")" ]] - then - echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true - fi -} - -extendarr() { - local key=$1 - shift - local param=$1 - - # Add new value - json="$(echo "${json}" | jq ".${key} += [${param}]")" -} - if [[ "$#" -ne 2 ]]; then echo "Usage: ./update-app-manifest " exit 1 @@ -39,9 +25,6 @@ fi echo "Using ${data} as directory for local data" -# Load manifest -json=$(cat "${data}/metadata-raw/app.manifest.json") - # Calculate the IMA app reference values referenceValues=$(sudo calculate-ima-pcr -t 10 -i ima-ng -p /usr/bin) diff --git a/example-setup/update-app-manifest-live b/example-setup/update-app-manifest-live index 81f20e62..aa53a3a5 100755 --- a/example-setup/update-app-manifest-live +++ b/example-setup/update-app-manifest-live @@ -5,22 +5,6 @@ set -euo pipefail trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT export PATH=${PATH}:${HOME}/go/bin -abs_path() { - if [[ -d "$(dirname "$1")" ]] - then - echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true - fi -} - -extendarr() { - local key=$1 - shift - local param=$1 - - # Add new value - json="$(echo "${json}" | jq ".${key} += [${param}]")" -} - if [[ "$#" -ne 2 ]]; then echo "Usage: ./update-app-manifest-live " exit 1 diff --git a/example-setup/update-full-ids b/example-setup/update-full-ids index 1c78115c..b7cc1761 100755 --- a/example-setup/update-full-ids +++ b/example-setup/update-full-ids 
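Review bot: The second hunk of update-app-manifest drops `json=$(cat "${data}/metadata-raw/app.manifest.json")` together with the in-file `extendarr`, but the `extendarr` that now comes from utils.sh still reads and rewrites the global `json`; with the script's `set -u`, any `extendarr` call left in the untouched remainder of the script (outside this hunk) would abort with an unbound-variable error, and a final `echo "${json}"` would emit nothing. If the rest of the script no longer uses `json`, a one-line comment at the removal point, `# manifest is no longer loaded here; reference values are written directly below`, would spare the next reader the search; otherwise the load line should stay.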
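Review bot: update-app-manifest-live loses `abs_path` and `extendarr` in its hunk but, unlike every other script in this series, gets no `dir=…`/`source` pair in return — the diffstat shows 16 deletions and 0 insertions for this file. Unless the four lines above the hunk (outside this view) already source utils.sh, the first `abs_path` call in the remainder of the script fails with command-not-found and `set -e` aborts. The fix is the same two lines the sibling scripts receive before `export PATH`: `dir="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd -P)"` and `source "${dir}/utils.sh"`.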
@@ -3,15 +3,10 @@ set -euo pipefail trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT +dir="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd -P)" +source "${dir}/utils.sh" export PATH=${PATH}:${HOME}/go/bin -function abs_path() { - if [[ -d "$(dirname "$1")" ]] - then - echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true - fi -} - if [[ "$#" -ne 2 ]]; then echo "Usage: ./update-full-ids " exit 1 diff --git a/example-setup/update-full-simple b/example-setup/update-full-simple index 6c3785e2..bcd75611 100755 --- a/example-setup/update-full-simple +++ b/example-setup/update-full-simple @@ -3,16 +3,10 @@ set -euo pipefail trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT +dir="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd -P)" +source "${dir}/utils.sh" export PATH=${PATH}:${HOME}/go/bin -abs_path() { - if [[ -d "$(dirname "$1")" ]] - then - echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true - fi -} - - if [[ "$#" -ne 2 ]]; then echo "Usage: ./update-full-simple " exit 1 diff --git a/example-setup/utils.sh b/example-setup/utils.sh new file mode 100644 index 00000000..f651eba4 --- /dev/null +++ b/example-setup/utils.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +abs_path() { + if [[ -d "$(dirname "$1")" ]] + then + echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true + fi +} + +extendarr() { + local key=$1 + shift + local param=$1 + + # Add new value + json="$(echo "${json}" | jq ".${key} += [${param}]")" +} \ No newline at end of file From 77444da41e0326f35a3d3e50589f6aed234b4c88 Mon Sep 17 00:00:00 2001 From: Simon Ott Date: Thu, 30 May 2024 11:56:38 +0000 Subject: [PATCH 2/3] attestationreport: perform mutual check for apps Check if every app manifest has a corresponding app description and vice versa. Signed-off-by: Simon Ott --- attestationreport/attestationreport.go | 31 +++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) 
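Review bot: `extendarr` in the new utils.sh splices both `key` and `param` into the jq program text (`jq ".${key} += [${param}]"`), so a `param` that is not a self-contained JSON literal — or one derived from something the device reports, such as a measured file name — is interpreted as jq syntax rather than as data. Passing the value through `--argjson` keeps it data: `json="$(echo "${json}" | jq --argjson v "${param}" ".${key} += [\$v]")"` (`key` is still interpolated, which is acceptable while callers pass fixed field names). `abs_path` also silences a failed `cd` with `|| true` and prints nothing when the parent directory does not exist, so callers only learn of a bad path from their own later `[[ -d … ]]` checks; a short header comment saying the file is meant to be sourced, that `extendarr` mutates the caller's `json` variable, and that `abs_path` yields an empty string for a nonexistent parent would be worth adding, and the file is missing its trailing newline.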
diff --git a/attestationreport/attestationreport.go b/attestationreport/attestationreport.go index d8fede03..281dbe07 100644 --- a/attestationreport/attestationreport.go +++ b/attestationreport/attestationreport.go @@ -671,11 +671,19 @@ func Verify(arRaw, nonce, casPem []byte, policies []byte, polEng PolicyEngineSel result.Success = false } - // Check that every AppManifest has a corresponding AppDescription + // Extract app description names appDescriptions := make([]string, 0) for _, a := range metadata.DeviceDescription.AppDescriptions { appDescriptions = append(appDescriptions, a.AppManifest) } + // Extract app manifest names + appManifestNames := make([]string, 0) + for _, a := range metadata.AppManifests { + appManifestNames = append(appManifestNames, a.Name) + } + + // Check that every AppManifest has a corresponding AppDescription + log.Tracef("Iterating app manifests length %v", len(metadata.AppManifests)) for _, a := range metadata.AppManifests { r := Result{ Success: true, 
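Review bot: The new `appManifestNames` loop collects names without noticing duplicates, so two app manifests that share a `Name` both satisfy a name-only match and the device description can reference an ambiguous manifest; I cannot see whether manifest parsing elsewhere already rejects duplicate names, in which case this is redundant. Building a set while collecting the names makes a duplicate visible and also gives the backward check in the next hunk an O(1) lookup instead of a nested loop. `Verify` starts before and ends after this hunk.
```go
// Extract app manifest names; a duplicate name makes the description -> manifest
// mapping ambiguous, so report it as a failed app check
appManifestNames := make([]string, 0, len(metadata.AppManifests))
manifestSet := make(map[string]struct{}, len(metadata.AppManifests))
for _, a := range metadata.AppManifests {
	if _, dup := manifestSet[a.Name]; dup {
		log.Tracef("Duplicate app manifest name: %v", a.Name)
		result.DevDescResult.CorrectApps = append(result.DevDescResult.CorrectApps,
			Result{Success: false, Got: a.Name})
		result.Success = false
	}
	manifestSet[a.Name] = struct{}{}
	appManifestNames = append(appManifestNames, a.Name)
}
// … unchanged: forward check over metadata.AppManifests …
```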
@@ -691,6 +699,27 @@ func Verify(arRaw, nonce, casPem []byte, policies []byte, polEng PolicyEngineSel result.DevDescResult.CorrectApps = append(result.DevDescResult.CorrectApps, r) } + // Check that every App Description has a corresponding App Manifest + log.Tracef("Iterating app descriptions length %v", len(metadata.DeviceDescription.AppDescriptions)) + for _, desc := range metadata.DeviceDescription.AppDescriptions { + found := false + for _, manifest := range metadata.AppManifests { + if desc.AppManifest == manifest.Name { + found = true + } + } + if !found { + log.Tracef("No app manifest for app description: %v", desc.AppManifest) + r := Result{ + Success: false, + Got: desc.AppManifest, + ExpectedOneOf: appManifestNames, + } + result.DevDescResult.CorrectApps = append(result.DevDescResult.CorrectApps, r) + result.Success = false + } + } + // Check that the Rtm Manifest is compatible with the OS Manifest if contains(metadata.RtmManifest.Name, metadata.OsManifest.Rtms) { result.DevDescResult.RtmOsCompatibility.Success = true From e68107113bee113e767438d5dc558789cd0a3290 Mon Sep 17 00:00:00 2001 From: Simon Ott Date: Thu, 30 May 2024 11:57:38 +0000 Subject: [PATCH 3/3] attestationreport: allow unknown provers Set the prover name to unknown if it cannot be extracted from the app description. Signed-off-by: Simon Ott --- attestationreport/attestationreport.go | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/attestationreport/attestationreport.go b/attestationreport/attestationreport.go index 281dbe07..1d6ff9c9 100644 --- a/attestationreport/attestationreport.go +++ b/attestationreport/attestationreport.go 
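Review bot: The backward check compares `desc.AppManifest == manifest.Name` without excluding the empty string, so an app description whose `AppManifest` field is missing or empty is satisfied by any manifest with an empty `Name` and is reported as correct instead of as a malformed reference; whether earlier parsing already rejects empty names is outside this hunk. The inner loop also keeps scanning after a match. Suggested: `if desc.AppManifest != "" && desc.AppManifest == manifest.Name { found = true; break }`. `Verify` starts before and ends after this hunk.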
@@ -774,9 +774,16 @@ func Verify(arRaw, nonce, casPem []byte, policies []byte, polEng PolicyEngineSel // Add additional information result.Prover = metadata.DeviceDescription.Name + if result.Prover == "" { + result.Prover = "Unknown" + } result.Created = time.Now().Format(time.RFC3339) - log.Tracef("Verification Result: %v", result.Success) + if result.Success { + log.Infof("SUCCESS: Verification for Prover %v (%v)", result.Prover, result.Created) + } else { + log.Infof("FAILED: Verification for Prover %v (%v)", result.Prover, result.Created) + } return result }
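Review bot: Substituting `"Unknown"` when `metadata.DeviceDescription.Name` is empty makes a nameless device description indistinguishable, both in `result.Prover` and in the new log lines, from a device actually named Unknown, and a verification with a nameless prover still logs `SUCCESS`; if the name is meant to identify the prover to whoever consumes the result, the empty case deserves at least a warning rather than a silent default — `log.Warnf("Device description has no name, reporting prover as Unknown")` inside the new `if`. The failure branch also logs at Info level; `log.Warnf("FAILED: Verification for Prover %v (%v)", result.Prover, result.Created)` would let operators filter on it. The commit message says the name is taken from the app description, but the code reads the device description. `Verify` starts before this hunk.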