[attestation] Fix mutual attestation (#338)
diff --git a/.drone.yml b/.drone.yml
index ad3b531..679c23c 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -128,7 +128,7 @@
- . /root/.cargo/env
- . /opt/sgxsdk/environment
- mkdir -p build
- - cd build && cmake -DTEST_MODE=ON ..
+ - cd build && cmake -DCMAKE_BUILD_TYPE=Release -DTEST_MODE=OFF ..
- name: check
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
commands:
@@ -138,12 +138,7 @@
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
commands:
- . /root/.cargo/env
- - cd build && cmake -DTEST_MODE=OFF .. && make VERBOSE=1 -j2
-- name: compile-test-mode
- image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
- commands:
- - . /root/.cargo/env
- - cd build && cmake -DTEST_MODE=ON .. && make VERBOSE=1 -j2
+ - cd build && make VERBOSE=1 -j2
- name: test
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
privileged: true
@@ -161,7 +156,7 @@
path: /var/run/aesmd/aesm.socket
commands:
- . /root/.cargo/env
- - cd build && make run-tests
+ - cd build && make run-examples
volumes:
- name: isgx
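Review bot: Switching this step from `make run-tests` to `make run-examples`, with the prepare step now configured `-DTEST_MODE=OFF`, means the only step here that mounts the isgx device and the aesmd socket no longer runs the test suite. After this change `run-tests` remains only in the `-DSGX_SIM_MODE=ON` pipeline, so on hardware the attested-TLS handshake between services appears to be exercised by the examples alone. If that is intended, record it above the command, e.g. `# hardware pipeline: release build, examples only; unit/functional tests run in the sim-mode pipeline`. The step definition continues outside the hunk.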
@@ -186,7 +181,7 @@
- . /root/.cargo/env
- . /opt/sgxsdk/environment
- mkdir -p build
- - cd build && cmake -DTEST_MODE=ON ..
+ - cd build && cmake -DCMAKE_BUILD_TYPE=Debug -DSGX_SIM_MODE=ON -DTEST_MODE=ON ..
- name: check
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
commands:
@@ -196,9 +191,16 @@
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
commands:
- . /root/.cargo/env
- - cd build && cmake -DCMAKE_BUILD_TYPE=Debug -DSGX_SIM_MODE=ON .. && make VERBOSE=1 -j2
+ - cd build && make VERBOSE=1 -j2
- name: test
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
+ environment:
+ AS_ALGO: sgx_epid
+ AS_URL: https://api.trustedservices.intel.com:443
+ AS_KEY:
+ from_secret: V5_KEY
+ AS_SPID:
+ from_secret: V5_SPID
commands:
- . /root/.cargo/env
- cd build && make run-tests
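Review bot: `AS_KEY` and `AS_SPID` are injected from secrets into a step that runs repository-controlled code (`make run-tests`), so any build this pipeline accepts can read them. The trigger section is not visible here, so this is a check rather than a finding: confirm that `V5_KEY` and `V5_SPID` are not enabled for pull-request events in the Drone secret settings. Also confirm that `test.sh` and the test binaries never echo their environment or run under `set -x`. A comment above the block would make the constraint visible to the next editor, e.g. `# attestation service credentials: keep "Allow Pull Requests" disabled for V5_KEY / V5_SPID`.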
@@ -218,7 +220,7 @@
- . /root/.cargo/env
- . /opt/sgxsdk/environment
- mkdir -p build
- - cd build && cmake -DTEST_MODE=YES ..
+ - cd build && cmake -DCMAKE_BUILD_TYPE=Release -DSGX_SIM_MODE=ON -DTEST_MODE=OFF ..
- name: check
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
commands:
@@ -228,12 +230,12 @@
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
commands:
- . /root/.cargo/env
- - cd build && cmake -DSGX_SIM_MODE=ON .. && make VERBOSE=1 -j2
+ - cd build && make VERBOSE=1 -j2
- name: test
image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0
commands:
- . /root/.cargo/env
- - cd build && make run-tests
+ - cd build && make run-examples
node:
instance: mesatee-sgx
diff --git a/cmake/UtilTargets.cmake b/cmake/UtilTargets.cmake
index e53b32e..5de4258 100644
--- a/cmake/UtilTargets.cmake
+++ b/cmake/UtilTargets.cmake
@@ -38,8 +38,6 @@
add_custom_target(
run-functional-tests COMMAND ${TEACLAVE_COMMON_ENVS}
${MT_SCRIPT_DIR}/test.sh functional)
- add_custom_target(run-examples COMMAND ${TEACLAVE_COMMON_ENVS}
- ${MT_SCRIPT_DIR}/test.sh example)
else()
add_custom_target(
run-tests
@@ -49,6 +47,9 @@
)
endif()
+add_custom_target(run-examples COMMAND ${TEACLAVE_COMMON_ENVS}
+ ${MT_SCRIPT_DIR}/test.sh example)
+
add_custom_target(cov COMMAND ${TEACLAVE_COMMON_ENVS}
${MT_SCRIPT_DIR}/gen_cov.sh)
diff --git a/cmake/scripts/test.sh b/cmake/scripts/test.sh
index c2b2fa9..64859a0 100755
--- a/cmake/scripts/test.sh
+++ b/cmake/scripts/test.sh
@@ -137,6 +137,7 @@
trap cleanup INT TERM ERR
echo_title "examples"
+ mkdir -p /tmp/fusion_data
pushd ${TEACLAVE_SERVICE_INSTALL_DIR}
./teaclave_authentication_service &
./teaclave_storage_service &
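Review bot: `mkdir -p /tmp/fusion_data` uses a fixed name in a world-writable directory and succeeds silently when the path already exists. On a shared build host the services started below can therefore end up using a directory or symlink created by another user, or stale data from an earlier run. The name presumably has to match the configured `fusion_base_dir`, so a `mktemp -d` path may not be an option. A fail-closed form that keeps the name is `rm -rf /tmp/fusion_data && mkdir -m 700 /tmp/fusion_data`, with the same `rm -rf` added to `cleanup`. The enclosing function starts and ends outside the hunk.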
diff --git a/services/execution/enclave/src/lib.rs b/services/execution/enclave/src/lib.rs
index 77487d3..3d46869 100644
--- a/services/execution/enclave/src/lib.rs
+++ b/services/execution/enclave/src/lib.rs
@@ -24,9 +24,9 @@
use std::prelude::v1::*;
use std::untrusted::path::PathEx;
-use anyhow::{ensure, Result};
+use anyhow::{anyhow, ensure, Result};
-use teaclave_attestation::verifier;
+use teaclave_attestation::{verifier, AttestationConfig, RemoteAttestation};
use teaclave_binder::proto::{
ECallCommand, FinalizeEnclaveInput, FinalizeEnclaveOutput, InitEnclaveInput, InitEnclaveOutput,
StartServiceInput, StartServiceOutput,
@@ -43,6 +43,11 @@
mod task_file_manager;
fn start_service(config: &RuntimeConfig) -> Result<()> {
+ let attestation_config = AttestationConfig::from_teaclave_config(&config)?;
+ let attested_tls_config = RemoteAttestation::new(attestation_config)
+ .generate_and_endorse()?
+ .attested_tls_config()
+ .ok_or_else(|| anyhow!("cannot get attested TLS config"))?;
let enclave_info = EnclaveInfo::verify_and_new(
&config.audit.enclave_info_bytes,
AUDITOR_PUBLIC_KEYS,
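Review bot: `AttestationConfig::from_teaclave_config(&config)` borrows a value that is already a reference, because `start_service` takes `config: &RuntimeConfig`. The argument is therefore `&&RuntimeConfig` and compiles only through auto-deref; clippy reports this as `needless_borrow`. Assuming the function takes `&RuntimeConfig`, write `AttestationConfig::from_teaclave_config(config)?`. The same four-line setup appears in the frontend service's `lib.rs`, so a shared helper in `service_enclave_utils` would keep the error text and construction order in one place. The body of `start_service` continues outside the hunk.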
@@ -54,7 +59,8 @@
&enclave_info,
AS_ROOT_CA_CERT,
verifier::universal_quote_verifier,
- );
+ attested_tls_config,
+ )?;
let fusion_base = config.mount.fusion_base_dir.clone();
diff --git a/services/frontend/enclave/src/lib.rs b/services/frontend/enclave/src/lib.rs
index 12ce802..53990bb 100644
--- a/services/frontend/enclave/src/lib.rs
+++ b/services/frontend/enclave/src/lib.rs
@@ -53,7 +53,8 @@
.generate_and_endorse()?
.attested_tls_config()
.ok_or_else(|| anyhow!("cannot get attested TLS config"))?;
- let server_config = SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config)?;
+ let server_config =
+ SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config.clone())?;
let mut server = SgxTrustedTlsServer::<TeaclaveFrontendResponse, TeaclaveFrontendRequest>::new(
listen_address,
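Review bot: `attested_tls_config.clone()` reads like a deep copy of the TLS key material. The endpoint helper in `service_enclave_utils` takes `Arc<RwLock<AttestedTlsConfig>>`, so this appears to be a reference-count bump on a shared config. Writing `std::sync::Arc::clone(&attested_tls_config)` states that every server and client config observes the same attested certificate. The same applies to the `.clone()` in the next frontend hunk and in the management and scheduler `server_config` hunks. A one-line comment such as `// shared handle: server and outbound endpoints present the same attested certificate` would document why the value is reused.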
@@ -66,14 +67,16 @@
&enclave_info,
AS_ROOT_CA_CERT,
verifier::universal_quote_verifier,
- );
+ attested_tls_config.clone(),
+ )?;
let management_service_endpoint = create_trusted_management_endpoint(
&config.internal_endpoints.management.advertised_address,
&enclave_info,
AS_ROOT_CA_CERT,
verifier::universal_quote_verifier,
- );
+ attested_tls_config,
+ )?;
let service = service::TeaclaveFrontendService::new(
authentication_service_endpoint,
diff --git a/services/management/enclave/src/lib.rs b/services/management/enclave/src/lib.rs
index a5dbc11..f4deec4 100644
--- a/services/management/enclave/src/lib.rs
+++ b/services/management/enclave/src/lib.rs
@@ -63,12 +63,13 @@
None => Err(anyhow!("cannot get enclave attribute of {}", service)),
})
.collect::<Result<_>>()?;
- let server_config = SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config)?
- .attestation_report_verifier(
- accepted_enclave_attrs,
- AS_ROOT_CA_CERT,
- verifier::universal_quote_verifier,
- )?;
+ let server_config =
+ SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config.clone())?
+ .attestation_report_verifier(
+ accepted_enclave_attrs,
+ AS_ROOT_CA_CERT,
+ verifier::universal_quote_verifier,
+ )?;
let mut server =
SgxTrustedTlsServer::<TeaclaveManagementResponse, TeaclaveManagementRequest>::new(
listen_address,
@@ -80,7 +81,8 @@
&enclave_info,
AS_ROOT_CA_CERT,
verifier::universal_quote_verifier,
- );
+ attested_tls_config,
+ )?;
let service = service::TeaclaveManagementService::new(storage_service_endpoint)?;
match server.start(service) {
diff --git a/services/scheduler/enclave/src/lib.rs b/services/scheduler/enclave/src/lib.rs
index 93b5943..9cd60de 100644
--- a/services/scheduler/enclave/src/lib.rs
+++ b/services/scheduler/enclave/src/lib.rs
@@ -66,12 +66,13 @@
None => Err(anyhow!("cannot get enclave attribute of {}", service)),
})
.collect::<Result<_>>()?;
- let server_config = SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config)?
- .attestation_report_verifier(
- accepted_enclave_attrs,
- AS_ROOT_CA_CERT,
- verifier::universal_quote_verifier,
- )?;
+ let server_config =
+ SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config.clone())?
+ .attestation_report_verifier(
+ accepted_enclave_attrs,
+ AS_ROOT_CA_CERT,
+ verifier::universal_quote_verifier,
+ )?;
let mut server =
SgxTrustedTlsServer::<TeaclaveSchedulerResponse, TeaclaveSchedulerRequest>::new(
@@ -85,7 +86,8 @@
&enclave_info,
AS_ROOT_CA_CERT,
verifier::universal_quote_verifier,
- );
+ attested_tls_config,
+ )?;
let service = service::TeaclaveSchedulerService::new(storage_service_endpoint)?;
match server.start(service) {
diff --git a/services/utils/service_enclave_utils/src/lib.rs b/services/utils/service_enclave_utils/src/lib.rs
index 51e9fa1..0faba96 100644
--- a/services/utils/service_enclave_utils/src/lib.rs
+++ b/services/utils/service_enclave_utils/src/lib.rs
@@ -23,7 +23,9 @@
use log::debug;
use log::error;
use std::backtrace;
+use std::sync::{Arc, SgxRwLock as RwLock};
use teaclave_attestation::verifier::AttestationReportVerificationFn;
+use teaclave_attestation::AttestedTlsConfig;
use teaclave_rpc::config::SgxTrustedTlsClientConfig;
use teaclave_rpc::endpoint::Endpoint;
use teaclave_types::EnclaveInfo;
@@ -77,19 +79,21 @@
enclave_info: &EnclaveInfo,
as_root_ca_cert: &[u8],
verifier: AttestationReportVerificationFn,
- ) -> Endpoint {
+ attested_tls_config: Arc<RwLock<AttestedTlsConfig>>,
+ ) -> anyhow::Result<Endpoint> {
let service_enclave_attrs = enclave_info
.get_enclave_attr($enclave_attr)
.expect("enclave_info");
- let service_client_config = SgxTrustedTlsClientConfig::new()
- .attestation_report_verifier(
- vec![service_enclave_attrs],
- as_root_ca_cert,
- verifier,
- );
+ let service_client_config =
+ SgxTrustedTlsClientConfig::from_attested_tls_config(attested_tls_config)?
+ .attestation_report_verifier(
+ vec![service_enclave_attrs],
+ as_root_ca_cert,
+ verifier,
+ );
let service_address = &advertised_address;
- Endpoint::new(service_address).config(service_client_config)
+ Ok(Endpoint::new(service_address).config(service_client_config))
}
};
}
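Review bot: The generated function now returns `anyhow::Result<Endpoint>`, but a missing enclave attribute still panics through `.expect("enclave_info")` instead of returning an error. A panic in the enclave is harder to diagnose than an `Err` that `start_service` can log. With the new return type the lookup can propagate as `.ok_or_else(|| anyhow::anyhow!("cannot get enclave attribute of {}", $enclave_attr))?`, which matches the message the management and scheduler services use. The function's doc comment should also state that the caller's own attested config is presented as the client certificate. The macro definition starts outside the hunk.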