This code implements the trusted mpc use sgx as trust-computing base.
This code sample contains an implementation of Integrating Remote Attestation with Transport Layer Security, with the modification of the untrusted side.
The same combination of (hardware,enviroment,context) will generates the same mr_enclave
measurement. And it is almost impossible to counterfeit it.
We could achieve trust computing and data privacy based on this feature.
Assuming that there are two players: Alice and Bob.
With Intel SGX, and baiduxlab/sgx-rust image, we could do this in the following steps:
mr_enclave
.mr_enclave
from report and compares it with his.To use this code sample, one needs to register at Intel website for dev IAS service access. Once the registration is finished, the following stuff should be ready:
client.crt
client.key
To check whether your IAS registration is complete, please perform the following query with your client certificate and private key:
curl -1 --tlsv1.2 -v --key client.key --cert client.crt https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v3/sigrl/00000ABC
Here 00000ABC
is a fake group id which is only used here for testing connection. If this http request can successfully obtain a HTTP status code (no matter which code it is), the IAS service registration should be fine.
To establish a TLS channel, we need a CA and generates a client cert for mutual authentication. We store them at cert
.
Generate CA private key openssl ecparam -genkey -name prime256v1 -out ca.key
Generate CA cert openssl req -x509 -new -SHA256 -nodes -key ca.key -days 3650 -out ca.crt
Generate Client private key openssl ecparam -genkey -name prime256v1 -out client.key
Export the keys to pkcs8 unencrypted format openssl pkcs8 -topk8 -nocrypt -in client.key -out client.pkcs8
Generate Client CSR openssl req -new -SHA256 -key client.key -nodes -out client.csr
Generate Client Cert openssl x509 -req -extfile <(printf “subjectAltName=DNS:localhost,DNS:www.example.com”) -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
Intel CA report signing pem. Download and uncompress: https://software.intel.com/sites/default/files/managed/7b/de/RK_PUB.zip
enclave/src/lib.rs
contains three funcs load_certs
load_private_key
and load_spid
. These three functions are configured to load cert/key/spid from client.crt
client.key
spid.txt
from bin
directory respectively. One can either adjust the file paths/names or copy the cert/key/spid to bin
. spid.txt
should only contain one line of 32 chars such as DEADBEAFDEADBEAFDEADBEAFDEADBEAF
.
Start Bob's verify server
cd tr-mpc-server make cd bin ./app --verify(add --unlink if your spid's type is unlinkable)
Start Alice's server
cd tr-mpc-server cd bin ./app (add --unlink if your spid's type is unlinkable)
Start Bob's client
cd tr-mpc-client cargo run