| // SPDX-License-Identifier: GPL-2.0 |
| /* Copyright(c) 2016-20 Intel Corporation. */ |
| |
| #define _GNU_SOURCE |
| #include <assert.h> |
| #include <getopt.h> |
| #include <stdbool.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/stat.h> |
| #include <sys/types.h> |
| #include <unistd.h> |
| #include <openssl/err.h> |
| #include <openssl/pem.h> |
| #include "defines.h" |
| #include "main.h" |
| |
| /* |
| * FIXME: OpenSSL 3.0 has deprecated some functions. For now just ignore |
| * the warnings. |
| */ |
| #pragma GCC diagnostic ignored "-Wdeprecated-declarations" |
| |
| struct q1q2_ctx { |
| BN_CTX *bn_ctx; |
| BIGNUM *m; |
| BIGNUM *s; |
| BIGNUM *q1; |
| BIGNUM *qr; |
| BIGNUM *q2; |
| }; |
| |
| static void free_q1q2_ctx(struct q1q2_ctx *ctx) |
| { |
| BN_CTX_free(ctx->bn_ctx); |
| BN_free(ctx->m); |
| BN_free(ctx->s); |
| BN_free(ctx->q1); |
| BN_free(ctx->qr); |
| BN_free(ctx->q2); |
| } |
| |
| static bool alloc_q1q2_ctx(const uint8_t *s, const uint8_t *m, |
| struct q1q2_ctx *ctx) |
| { |
| ctx->bn_ctx = BN_CTX_new(); |
| ctx->s = BN_bin2bn(s, SGX_MODULUS_SIZE, NULL); |
| ctx->m = BN_bin2bn(m, SGX_MODULUS_SIZE, NULL); |
| ctx->q1 = BN_new(); |
| ctx->qr = BN_new(); |
| ctx->q2 = BN_new(); |
| |
| if (!ctx->bn_ctx || !ctx->s || !ctx->m || !ctx->q1 || !ctx->qr || |
| !ctx->q2) { |
| free_q1q2_ctx(ctx); |
| return false; |
| } |
| |
| return true; |
| } |
| |
| static void reverse_bytes(void *data, int length) |
| { |
| int i = 0; |
| int j = length - 1; |
| uint8_t temp; |
| uint8_t *ptr = data; |
| |
| while (i < j) { |
| temp = ptr[i]; |
| ptr[i] = ptr[j]; |
| ptr[j] = temp; |
| i++; |
| j--; |
| } |
| } |
| |
| static bool calc_q1q2(const uint8_t *s, const uint8_t *m, uint8_t *q1, |
| uint8_t *q2) |
| { |
| struct q1q2_ctx ctx; |
| int len; |
| |
| if (!alloc_q1q2_ctx(s, m, &ctx)) { |
| fprintf(stderr, "Not enough memory for Q1Q2 calculation\n"); |
| return false; |
| } |
| |
| if (!BN_mul(ctx.q1, ctx.s, ctx.s, ctx.bn_ctx)) |
| goto out; |
| |
| if (!BN_div(ctx.q1, ctx.qr, ctx.q1, ctx.m, ctx.bn_ctx)) |
| goto out; |
| |
| if (BN_num_bytes(ctx.q1) > SGX_MODULUS_SIZE) { |
| fprintf(stderr, "Too large Q1 %d bytes\n", |
| BN_num_bytes(ctx.q1)); |
| goto out; |
| } |
| |
| if (!BN_mul(ctx.q2, ctx.s, ctx.qr, ctx.bn_ctx)) |
| goto out; |
| |
| if (!BN_div(ctx.q2, NULL, ctx.q2, ctx.m, ctx.bn_ctx)) |
| goto out; |
| |
| if (BN_num_bytes(ctx.q2) > SGX_MODULUS_SIZE) { |
| fprintf(stderr, "Too large Q2 %d bytes\n", |
| BN_num_bytes(ctx.q2)); |
| goto out; |
| } |
| |
| len = BN_bn2bin(ctx.q1, q1); |
| reverse_bytes(q1, len); |
| len = BN_bn2bin(ctx.q2, q2); |
| reverse_bytes(q2, len); |
| |
| free_q1q2_ctx(&ctx); |
| return true; |
| out: |
| free_q1q2_ctx(&ctx); |
| return false; |
| } |
| |
| struct sgx_sigstruct_payload { |
| struct sgx_sigstruct_header header; |
| struct sgx_sigstruct_body body; |
| }; |
| |
| static bool check_crypto_errors(void) |
| { |
| int err; |
| bool had_errors = false; |
| const char *filename; |
| int line; |
| char str[256]; |
| |
| for ( ; ; ) { |
| if (ERR_peek_error() == 0) |
| break; |
| |
| had_errors = true; |
| err = ERR_get_error_line(&filename, &line); |
| ERR_error_string_n(err, str, sizeof(str)); |
| fprintf(stderr, "crypto: %s: %s:%d\n", str, filename, line); |
| } |
| |
| return had_errors; |
| } |
| |
| static inline const BIGNUM *get_modulus(RSA *key) |
| { |
| const BIGNUM *n; |
| |
| RSA_get0_key(key, &n, NULL, NULL); |
| return n; |
| } |
| |
| static RSA *gen_sign_key(void) |
| { |
| unsigned long sign_key_length; |
| BIO *bio; |
| RSA *key; |
| |
| sign_key_length = (unsigned long)&sign_key_end - |
| (unsigned long)&sign_key; |
| |
| bio = BIO_new_mem_buf(&sign_key, sign_key_length); |
| if (!bio) |
| return NULL; |
| |
| key = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL); |
| BIO_free(bio); |
| |
| return key; |
| } |
| |
| enum mrtags { |
| MRECREATE = 0x0045544145524345, |
| MREADD = 0x0000000044444145, |
| MREEXTEND = 0x00444E4554584545, |
| }; |
| |
| static bool mrenclave_update(EVP_MD_CTX *ctx, const void *data) |
| { |
| if (!EVP_DigestUpdate(ctx, data, 64)) { |
| fprintf(stderr, "digest update failed\n"); |
| return false; |
| } |
| |
| return true; |
| } |
| |
| static bool mrenclave_commit(EVP_MD_CTX *ctx, uint8_t *mrenclave) |
| { |
| unsigned int size; |
| |
| if (!EVP_DigestFinal_ex(ctx, (unsigned char *)mrenclave, &size)) { |
| fprintf(stderr, "digest commit failed\n"); |
| return false; |
| } |
| |
| if (size != 32) { |
| fprintf(stderr, "invalid digest size = %u\n", size); |
| return false; |
| } |
| |
| return true; |
| } |
| |
| struct mrecreate { |
| uint64_t tag; |
| uint32_t ssaframesize; |
| uint64_t size; |
| uint8_t reserved[44]; |
| } __attribute__((__packed__)); |
| |
| |
| static bool mrenclave_ecreate(EVP_MD_CTX *ctx, uint64_t blob_size) |
| { |
| struct mrecreate mrecreate; |
| uint64_t encl_size; |
| |
| for (encl_size = 0x1000; encl_size < blob_size; ) |
| encl_size <<= 1; |
| |
| memset(&mrecreate, 0, sizeof(mrecreate)); |
| mrecreate.tag = MRECREATE; |
| mrecreate.ssaframesize = 1; |
| mrecreate.size = encl_size; |
| |
| if (!EVP_DigestInit_ex(ctx, EVP_sha256(), NULL)) |
| return false; |
| |
| return mrenclave_update(ctx, &mrecreate); |
| } |
| |
| struct mreadd { |
| uint64_t tag; |
| uint64_t offset; |
| uint64_t flags; /* SECINFO flags */ |
| uint8_t reserved[40]; |
| } __attribute__((__packed__)); |
| |
| static bool mrenclave_eadd(EVP_MD_CTX *ctx, uint64_t offset, uint64_t flags) |
| { |
| struct mreadd mreadd; |
| |
| memset(&mreadd, 0, sizeof(mreadd)); |
| mreadd.tag = MREADD; |
| mreadd.offset = offset; |
| mreadd.flags = flags; |
| |
| return mrenclave_update(ctx, &mreadd); |
| } |
| |
| struct mreextend { |
| uint64_t tag; |
| uint64_t offset; |
| uint8_t reserved[48]; |
| } __attribute__((__packed__)); |
| |
| static bool mrenclave_eextend(EVP_MD_CTX *ctx, uint64_t offset, |
| const uint8_t *data) |
| { |
| struct mreextend mreextend; |
| int i; |
| |
| for (i = 0; i < 0x1000; i += 0x100) { |
| memset(&mreextend, 0, sizeof(mreextend)); |
| mreextend.tag = MREEXTEND; |
| mreextend.offset = offset + i; |
| |
| if (!mrenclave_update(ctx, &mreextend)) |
| return false; |
| |
| if (!mrenclave_update(ctx, &data[i + 0x00])) |
| return false; |
| |
| if (!mrenclave_update(ctx, &data[i + 0x40])) |
| return false; |
| |
| if (!mrenclave_update(ctx, &data[i + 0x80])) |
| return false; |
| |
| if (!mrenclave_update(ctx, &data[i + 0xC0])) |
| return false; |
| } |
| |
| return true; |
| } |
| |
| static bool mrenclave_segment(EVP_MD_CTX *ctx, struct encl *encl, |
| struct encl_segment *seg) |
| { |
| uint64_t end = seg->size; |
| uint64_t offset; |
| |
| for (offset = 0; offset < end; offset += PAGE_SIZE) { |
| if (!mrenclave_eadd(ctx, seg->offset + offset, seg->flags)) |
| return false; |
| |
| if (seg->measure) { |
| if (!mrenclave_eextend(ctx, seg->offset + offset, seg->src + offset)) |
| return false; |
| } |
| } |
| |
| return true; |
| } |
| |
| bool encl_measure(struct encl *encl) |
| { |
| uint64_t header1[2] = {0x000000E100000006, 0x0000000000010000}; |
| uint64_t header2[2] = {0x0000006000000101, 0x0000000100000060}; |
| struct sgx_sigstruct *sigstruct = &encl->sigstruct; |
| struct sgx_sigstruct_payload payload; |
| uint8_t digest[SHA256_DIGEST_LENGTH]; |
| unsigned int siglen; |
| RSA *key = NULL; |
| EVP_MD_CTX *ctx; |
| int i; |
| |
| memset(sigstruct, 0, sizeof(*sigstruct)); |
| |
| sigstruct->header.header1[0] = header1[0]; |
| sigstruct->header.header1[1] = header1[1]; |
| sigstruct->header.header2[0] = header2[0]; |
| sigstruct->header.header2[1] = header2[1]; |
| sigstruct->exponent = 3; |
| sigstruct->body.attributes = SGX_ATTR_MODE64BIT; |
| sigstruct->body.xfrm = 3; |
| |
| /* sanity check */ |
| if (check_crypto_errors()) |
| goto err; |
| |
| key = gen_sign_key(); |
| if (!key) { |
| ERR_print_errors_fp(stdout); |
| goto err; |
| } |
| |
| BN_bn2bin(get_modulus(key), sigstruct->modulus); |
| |
| ctx = EVP_MD_CTX_create(); |
| if (!ctx) |
| goto err; |
| |
| if (!mrenclave_ecreate(ctx, encl->src_size)) |
| goto err; |
| |
| for (i = 0; i < encl->nr_segments; i++) { |
| struct encl_segment *seg = &encl->segment_tbl[i]; |
| |
| if (!mrenclave_segment(ctx, encl, seg)) |
| goto err; |
| } |
| |
| if (!mrenclave_commit(ctx, sigstruct->body.mrenclave)) |
| goto err; |
| |
| memcpy(&payload.header, &sigstruct->header, sizeof(sigstruct->header)); |
| memcpy(&payload.body, &sigstruct->body, sizeof(sigstruct->body)); |
| |
| SHA256((unsigned char *)&payload, sizeof(payload), digest); |
| |
| if (!RSA_sign(NID_sha256, digest, SHA256_DIGEST_LENGTH, |
| sigstruct->signature, &siglen, key)) |
| goto err; |
| |
| if (!calc_q1q2(sigstruct->signature, sigstruct->modulus, sigstruct->q1, |
| sigstruct->q2)) |
| goto err; |
| |
| /* BE -> LE */ |
| reverse_bytes(sigstruct->signature, SGX_MODULUS_SIZE); |
| reverse_bytes(sigstruct->modulus, SGX_MODULUS_SIZE); |
| |
| EVP_MD_CTX_destroy(ctx); |
| RSA_free(key); |
| return true; |
| |
| err: |
| EVP_MD_CTX_destroy(ctx); |
| RSA_free(key); |
| return false; |
| } |