1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* Copyright(c) 2016-20 Intel Corporation. */ |
3 | |
4 | #define _GNU_SOURCE |
5 | #include <assert.h> |
6 | #include <getopt.h> |
7 | #include <stdbool.h> |
8 | #include <stdint.h> |
9 | #include <stdio.h> |
10 | #include <stdlib.h> |
11 | #include <string.h> |
12 | #include <sys/stat.h> |
13 | #include <sys/types.h> |
14 | #include <unistd.h> |
15 | #include <openssl/err.h> |
16 | #include <openssl/pem.h> |
17 | #include "defines.h" |
18 | #include "main.h" |
19 | |
20 | /* |
21 | * FIXME: OpenSSL 3.0 has deprecated some functions. For now just ignore |
22 | * the warnings. |
23 | */ |
24 | #pragma GCC diagnostic ignored "-Wdeprecated-declarations" |
25 | |
26 | struct q1q2_ctx { |
27 | BN_CTX *bn_ctx; |
28 | BIGNUM *m; |
29 | BIGNUM *s; |
30 | BIGNUM *q1; |
31 | BIGNUM *qr; |
32 | BIGNUM *q2; |
33 | }; |
34 | |
35 | static void free_q1q2_ctx(struct q1q2_ctx *ctx) |
36 | { |
37 | BN_CTX_free(ctx->bn_ctx); |
38 | BN_free(ctx->m); |
39 | BN_free(ctx->s); |
40 | BN_free(ctx->q1); |
41 | BN_free(ctx->qr); |
42 | BN_free(ctx->q2); |
43 | } |
44 | |
45 | static bool alloc_q1q2_ctx(const uint8_t *s, const uint8_t *m, |
46 | struct q1q2_ctx *ctx) |
47 | { |
48 | ctx->bn_ctx = BN_CTX_new(); |
49 | ctx->s = BN_bin2bn(s, SGX_MODULUS_SIZE, NULL); |
50 | ctx->m = BN_bin2bn(m, SGX_MODULUS_SIZE, NULL); |
51 | ctx->q1 = BN_new(); |
52 | ctx->qr = BN_new(); |
53 | ctx->q2 = BN_new(); |
54 | |
55 | if (!ctx->bn_ctx || !ctx->s || !ctx->m || !ctx->q1 || !ctx->qr || |
56 | !ctx->q2) { |
57 | free_q1q2_ctx(ctx); |
58 | return false; |
59 | } |
60 | |
61 | return true; |
62 | } |
63 | |
64 | static void reverse_bytes(void *data, int length) |
65 | { |
66 | int i = 0; |
67 | int j = length - 1; |
68 | uint8_t temp; |
69 | uint8_t *ptr = data; |
70 | |
71 | while (i < j) { |
72 | temp = ptr[i]; |
73 | ptr[i] = ptr[j]; |
74 | ptr[j] = temp; |
75 | i++; |
76 | j--; |
77 | } |
78 | } |
79 | |
80 | static bool calc_q1q2(const uint8_t *s, const uint8_t *m, uint8_t *q1, |
81 | uint8_t *q2) |
82 | { |
83 | struct q1q2_ctx ctx; |
84 | int len; |
85 | |
86 | if (!alloc_q1q2_ctx(s, m, ctx: &ctx)) { |
87 | fprintf(stderr, "Not enough memory for Q1Q2 calculation\n" ); |
88 | return false; |
89 | } |
90 | |
91 | if (!BN_mul(ctx.q1, ctx.s, ctx.s, ctx.bn_ctx)) |
92 | goto out; |
93 | |
94 | if (!BN_div(ctx.q1, ctx.qr, ctx.q1, ctx.m, ctx.bn_ctx)) |
95 | goto out; |
96 | |
97 | if (BN_num_bytes(ctx.q1) > SGX_MODULUS_SIZE) { |
98 | fprintf(stderr, "Too large Q1 %d bytes\n" , |
99 | BN_num_bytes(ctx.q1)); |
100 | goto out; |
101 | } |
102 | |
103 | if (!BN_mul(ctx.q2, ctx.s, ctx.qr, ctx.bn_ctx)) |
104 | goto out; |
105 | |
106 | if (!BN_div(ctx.q2, NULL, ctx.q2, ctx.m, ctx.bn_ctx)) |
107 | goto out; |
108 | |
109 | if (BN_num_bytes(ctx.q2) > SGX_MODULUS_SIZE) { |
110 | fprintf(stderr, "Too large Q2 %d bytes\n" , |
111 | BN_num_bytes(ctx.q2)); |
112 | goto out; |
113 | } |
114 | |
115 | len = BN_bn2bin(ctx.q1, q1); |
116 | reverse_bytes(data: q1, length: len); |
117 | len = BN_bn2bin(ctx.q2, q2); |
118 | reverse_bytes(data: q2, length: len); |
119 | |
120 | free_q1q2_ctx(ctx: &ctx); |
121 | return true; |
122 | out: |
123 | free_q1q2_ctx(ctx: &ctx); |
124 | return false; |
125 | } |
126 | |
127 | struct sgx_sigstruct_payload { |
128 | struct sgx_sigstruct_header ; |
129 | struct sgx_sigstruct_body body; |
130 | }; |
131 | |
132 | static bool check_crypto_errors(void) |
133 | { |
134 | int err; |
135 | bool had_errors = false; |
136 | const char *filename; |
137 | int line; |
138 | char str[256]; |
139 | |
140 | for ( ; ; ) { |
141 | if (ERR_peek_error() == 0) |
142 | break; |
143 | |
144 | had_errors = true; |
145 | err = ERR_get_error_line(&filename, &line); |
146 | ERR_error_string_n(err, str, sizeof(str)); |
147 | fprintf(stderr, "crypto: %s: %s:%d\n" , str, filename, line); |
148 | } |
149 | |
150 | return had_errors; |
151 | } |
152 | |
153 | static inline const BIGNUM *get_modulus(RSA *key) |
154 | { |
155 | const BIGNUM *n; |
156 | |
157 | RSA_get0_key(key, &n, NULL, NULL); |
158 | return n; |
159 | } |
160 | |
161 | static RSA *gen_sign_key(void) |
162 | { |
163 | unsigned long sign_key_length; |
164 | BIO *bio; |
165 | RSA *key; |
166 | |
167 | sign_key_length = (unsigned long)&sign_key_end - |
168 | (unsigned long)&sign_key; |
169 | |
170 | bio = BIO_new_mem_buf(&sign_key, sign_key_length); |
171 | if (!bio) |
172 | return NULL; |
173 | |
174 | key = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL); |
175 | BIO_free(bio); |
176 | |
177 | return key; |
178 | } |
179 | |
180 | enum mrtags { |
181 | MRECREATE = 0x0045544145524345, |
182 | MREADD = 0x0000000044444145, |
183 | MREEXTEND = 0x00444E4554584545, |
184 | }; |
185 | |
186 | static bool mrenclave_update(EVP_MD_CTX *ctx, const void *data) |
187 | { |
188 | if (!EVP_DigestUpdate(ctx, data, 64)) { |
189 | fprintf(stderr, "digest update failed\n" ); |
190 | return false; |
191 | } |
192 | |
193 | return true; |
194 | } |
195 | |
196 | static bool mrenclave_commit(EVP_MD_CTX *ctx, uint8_t *mrenclave) |
197 | { |
198 | unsigned int size; |
199 | |
200 | if (!EVP_DigestFinal_ex(ctx, (unsigned char *)mrenclave, &size)) { |
201 | fprintf(stderr, "digest commit failed\n" ); |
202 | return false; |
203 | } |
204 | |
205 | if (size != 32) { |
206 | fprintf(stderr, "invalid digest size = %u\n" , size); |
207 | return false; |
208 | } |
209 | |
210 | return true; |
211 | } |
212 | |
213 | struct mrecreate { |
214 | uint64_t tag; |
215 | uint32_t ssaframesize; |
216 | uint64_t size; |
217 | uint8_t reserved[44]; |
218 | } __attribute__((__packed__)); |
219 | |
220 | |
221 | static bool mrenclave_ecreate(EVP_MD_CTX *ctx, uint64_t blob_size) |
222 | { |
223 | struct mrecreate mrecreate; |
224 | uint64_t encl_size; |
225 | |
226 | for (encl_size = 0x1000; encl_size < blob_size; ) |
227 | encl_size <<= 1; |
228 | |
229 | memset(&mrecreate, 0, sizeof(mrecreate)); |
230 | mrecreate.tag = MRECREATE; |
231 | mrecreate.ssaframesize = 1; |
232 | mrecreate.size = encl_size; |
233 | |
234 | if (!EVP_DigestInit_ex(ctx, EVP_sha256(), NULL)) |
235 | return false; |
236 | |
237 | return mrenclave_update(ctx, &mrecreate); |
238 | } |
239 | |
240 | struct mreadd { |
241 | uint64_t tag; |
242 | uint64_t offset; |
243 | uint64_t flags; /* SECINFO flags */ |
244 | uint8_t reserved[40]; |
245 | } __attribute__((__packed__)); |
246 | |
247 | static bool mrenclave_eadd(EVP_MD_CTX *ctx, uint64_t offset, uint64_t flags) |
248 | { |
249 | struct mreadd mreadd; |
250 | |
251 | memset(&mreadd, 0, sizeof(mreadd)); |
252 | mreadd.tag = MREADD; |
253 | mreadd.offset = offset; |
254 | mreadd.flags = flags; |
255 | |
256 | return mrenclave_update(ctx, &mreadd); |
257 | } |
258 | |
259 | struct mreextend { |
260 | uint64_t tag; |
261 | uint64_t offset; |
262 | uint8_t reserved[48]; |
263 | } __attribute__((__packed__)); |
264 | |
265 | static bool mrenclave_eextend(EVP_MD_CTX *ctx, uint64_t offset, |
266 | const uint8_t *data) |
267 | { |
268 | struct mreextend mreextend; |
269 | int i; |
270 | |
271 | for (i = 0; i < 0x1000; i += 0x100) { |
272 | memset(&mreextend, 0, sizeof(mreextend)); |
273 | mreextend.tag = MREEXTEND; |
274 | mreextend.offset = offset + i; |
275 | |
276 | if (!mrenclave_update(ctx, &mreextend)) |
277 | return false; |
278 | |
279 | if (!mrenclave_update(ctx, &data[i + 0x00])) |
280 | return false; |
281 | |
282 | if (!mrenclave_update(ctx, &data[i + 0x40])) |
283 | return false; |
284 | |
285 | if (!mrenclave_update(ctx, &data[i + 0x80])) |
286 | return false; |
287 | |
288 | if (!mrenclave_update(ctx, &data[i + 0xC0])) |
289 | return false; |
290 | } |
291 | |
292 | return true; |
293 | } |
294 | |
295 | static bool mrenclave_segment(EVP_MD_CTX *ctx, struct encl *encl, |
296 | struct encl_segment *seg) |
297 | { |
298 | uint64_t end = seg->size; |
299 | uint64_t offset; |
300 | |
301 | for (offset = 0; offset < end; offset += PAGE_SIZE) { |
302 | if (!mrenclave_eadd(ctx, seg->offset + offset, seg->flags)) |
303 | return false; |
304 | |
305 | if (seg->measure) { |
306 | if (!mrenclave_eextend(ctx, seg->offset + offset, seg->src + offset)) |
307 | return false; |
308 | } |
309 | } |
310 | |
311 | return true; |
312 | } |
313 | |
314 | bool encl_measure(struct encl *encl) |
315 | { |
316 | uint64_t [2] = {0x000000E100000006, 0x0000000000010000}; |
317 | uint64_t [2] = {0x0000006000000101, 0x0000000100000060}; |
318 | struct sgx_sigstruct *sigstruct = &encl->sigstruct; |
319 | struct sgx_sigstruct_payload payload; |
320 | uint8_t digest[SHA256_DIGEST_LENGTH]; |
321 | EVP_MD_CTX *ctx = NULL; |
322 | unsigned int siglen; |
323 | RSA *key = NULL; |
324 | int i; |
325 | |
326 | memset(sigstruct, 0, sizeof(*sigstruct)); |
327 | |
328 | sigstruct->header.header1[0] = header1[0]; |
329 | sigstruct->header.header1[1] = header1[1]; |
330 | sigstruct->header.header2[0] = header2[0]; |
331 | sigstruct->header.header2[1] = header2[1]; |
332 | sigstruct->exponent = 3; |
333 | sigstruct->body.attributes = SGX_ATTR_MODE64BIT; |
334 | sigstruct->body.xfrm = 3; |
335 | |
336 | /* sanity check */ |
337 | if (check_crypto_errors()) |
338 | goto err; |
339 | |
340 | key = gen_sign_key(); |
341 | if (!key) { |
342 | ERR_print_errors_fp(stdout); |
343 | goto err; |
344 | } |
345 | |
346 | BN_bn2bin(get_modulus(key), sigstruct->modulus); |
347 | |
348 | ctx = EVP_MD_CTX_create(); |
349 | if (!ctx) |
350 | goto err; |
351 | |
352 | if (!mrenclave_ecreate(ctx, encl->src_size)) |
353 | goto err; |
354 | |
355 | for (i = 0; i < encl->nr_segments; i++) { |
356 | struct encl_segment *seg = &encl->segment_tbl[i]; |
357 | |
358 | if (!mrenclave_segment(ctx, encl, seg)) |
359 | goto err; |
360 | } |
361 | |
362 | if (!mrenclave_commit(ctx, sigstruct->body.mrenclave)) |
363 | goto err; |
364 | |
365 | memcpy(&payload.header, &sigstruct->header, sizeof(sigstruct->header)); |
366 | memcpy(&payload.body, &sigstruct->body, sizeof(sigstruct->body)); |
367 | |
368 | SHA256((unsigned char *)&payload, sizeof(payload), digest); |
369 | |
370 | if (!RSA_sign(NID_sha256, digest, SHA256_DIGEST_LENGTH, |
371 | sigstruct->signature, &siglen, key)) |
372 | goto err; |
373 | |
374 | if (!calc_q1q2(s: sigstruct->signature, m: sigstruct->modulus, q1: sigstruct->q1, |
375 | q2: sigstruct->q2)) |
376 | goto err; |
377 | |
378 | /* BE -> LE */ |
379 | reverse_bytes(data: sigstruct->signature, SGX_MODULUS_SIZE); |
380 | reverse_bytes(data: sigstruct->modulus, SGX_MODULUS_SIZE); |
381 | |
382 | EVP_MD_CTX_destroy(ctx); |
383 | RSA_free(key); |
384 | return true; |
385 | |
386 | err: |
387 | if (ctx) |
388 | EVP_MD_CTX_destroy(ctx); |
389 | RSA_free(key); |
390 | return false; |
391 | } |
392 | |