sigstruct.c source code [linux/tools/testing/selftests/sgx/sigstruct.c]

1	// SPDX-License-Identifier: GPL-2.0
2	/ Copyright(c) 2016-20 Intel Corporation. /
3
4	#define _GNU_SOURCE
5	#include <assert.h>
6	#include <getopt.h>
7	#include <stdbool.h>
8	#include <stdint.h>
9	#include <stdio.h>
10	#include <stdlib.h>
11	#include <string.h>
12	#include <sys/stat.h>
13	#include <sys/types.h>
14	#include <unistd.h>
15	#include <openssl/err.h>
16	#include <openssl/pem.h>
17	#include "defines.h"
18	#include "main.h"
19
20	/*
21	* FIXME: OpenSSL 3.0 has deprecated some functions. For now just ignore
22	* the warnings.
23	*/
24	#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
25
26	struct q1q2_ctx {
27	BN_CTX *bn_ctx;
28	BIGNUM *m;
29	BIGNUM *s;
30	BIGNUM *q1;
31	BIGNUM *qr;
32	BIGNUM *q2;
33	};
34
35	static void free_q1q2_ctx(struct q1q2_ctx *ctx)
36	{
37	BN_CTX_free(ctx->bn_ctx);
38	BN_free(ctx->m);
39	BN_free(ctx->s);
40	BN_free(ctx->q1);
41	BN_free(ctx->qr);
42	BN_free(ctx->q2);
43	}
44
45	static bool alloc_q1q2_ctx(const uint8_t s, const* uint8_t *m,
46	struct q1q2_ctx *ctx)
47	{
48	ctx->bn_ctx = BN_CTX_new();
49	ctx->s = BN_bin2bn(s, SGX_MODULUS_SIZE, NULL);
50	ctx->m = BN_bin2bn(m, SGX_MODULUS_SIZE, NULL);
51	ctx->q1 = BN_new();
52	ctx->qr = BN_new();
53	ctx->q2 = BN_new();
54
55	if (!ctx->bn_ctx \|\| !ctx->s \|\| !ctx->m \|\| !ctx->q1 \|\| !ctx->qr \|\|
56	!ctx->q2) {
57	free_q1q2_ctx(ctx);
58	return false;
59	}
60
61	return true;
62	}
63
64	static void reverse_bytes(void data, int* length)
65	{
66	int i = `0`;
67	int j = length - `1`;
68	uint8_t temp;
69	uint8_t *ptr = data;
70
71	while (i < j) {
72	temp = ptr[i];
73	ptr[i] = ptr[j];
74	ptr[j] = temp;
75	i++;
76	j--;
77	}
78	}
79
80	static bool calc_q1q2(const uint8_t s, const* uint8_t m, uint8_t q1,
81	uint8_t *q2)
82	{
83	struct q1q2_ctx ctx;
84	int len;
85
86	if (!alloc_q1q2_ctx(s, m, ctx: &ctx)) {
87	fprintf(stderr, "Not enough memory for Q1Q2 calculation\n");
88	return false;
89	}
90
91	if (!BN_mul(ctx.q1, ctx.s, ctx.s, ctx.bn_ctx))
92	goto out;
93
94	if (!BN_div(ctx.q1, ctx.qr, ctx.q1, ctx.m, ctx.bn_ctx))
95	goto out;
96
97	if (BN_num_bytes(ctx.q1) > SGX_MODULUS_SIZE) {
98	fprintf(stderr, "Too large Q1 %d bytes\n",
99	BN_num_bytes(ctx.q1));
100	goto out;
101	}
102
103	if (!BN_mul(ctx.q2, ctx.s, ctx.qr, ctx.bn_ctx))
104	goto out;
105
106	if (!BN_div(ctx.q2, NULL, ctx.q2, ctx.m, ctx.bn_ctx))
107	goto out;
108
109	if (BN_num_bytes(ctx.q2) > SGX_MODULUS_SIZE) {
110	fprintf(stderr, "Too large Q2 %d bytes\n",
111	BN_num_bytes(ctx.q2));
112	goto out;
113	}
114
115	len = BN_bn2bin(ctx.q1, q1);
116	reverse_bytes(data: q1, length: len);
117	len = BN_bn2bin(ctx.q2, q2);
118	reverse_bytes(data: q2, length: len);
119
120	free_q1q2_ctx(ctx: &ctx);
121	return true;
122	out:
123	free_q1q2_ctx(ctx: &ctx);
124	return false;
125	}
126
127	struct sgx_sigstruct_payload {
128	struct sgx_sigstruct_header header;
129	struct sgx_sigstruct_body body;
130	};
131
132	static bool check_crypto_errors(void)
133	{
134	int err;
135	bool had_errors = false;
136	const char *filename;
137	int line;
138	char str[`256`];
139
140	for ( ; ; ) {
141	if (ERR_peek_error() == `0`)
142	break;
143
144	had_errors = true;
145	err = ERR_get_error_line(&filename, &line);
146	ERR_error_string_n(err, str, sizeof(str));
147	fprintf(stderr, "crypto: %s: %s:%d\n", str, filename, line);
148	}
149
150	return had_errors;
151	}
152
153	static inline const BIGNUM get_modulus(RSA key)
154	{
155	const BIGNUM *n;
156
157	RSA_get0_key(key, &n, NULL, NULL);
158	return n;
159	}
160
161	static RSA gen_sign_key(void*)
162	{
163	unsigned long sign_key_length;
164	BIO *bio;
165	RSA *key;
166
167	sign_key_length = (unsigned long)&sign_key_end -
168	(unsigned long)&sign_key;
169
170	bio = BIO_new_mem_buf(&sign_key, sign_key_length);
171	if (!bio)
172	return NULL;
173
174	key = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL);
175	BIO_free(bio);
176
177	return key;
178	}
179
180	enum mrtags {
181	MRECREATE = `0x0045544145524345`,
182	MREADD = `0x0000000044444145`,
183	MREEXTEND = `0x00444E4554584545`,
184	};
185
186	static bool mrenclave_update(EVP_MD_CTX ctx, const* void *data)
187	{
188	if (!EVP_DigestUpdate(ctx, data, `64`)) {
189	fprintf(stderr, "digest update failed\n");
190	return false;
191	}
192
193	return true;
194	}
195
196	static bool mrenclave_commit(EVP_MD_CTX ctx, uint8_t mrenclave)
197	{
198	unsigned int size;
199
200	if (!EVP_DigestFinal_ex(ctx, (unsigned char *)mrenclave, &size)) {
201	fprintf(stderr, "digest commit failed\n");
202	return false;
203	}
204
205	if (size != `32`) {
206	fprintf(stderr, "invalid digest size = %u\n", size);
207	return false;
208	}
209
210	return true;
211	}
212
213	struct mrecreate {
214	uint64_t tag;
215	uint32_t ssaframesize;
216	uint64_t size;
217	uint8_t reserved[`44`];
218	} __attribute__((__packed__));
219
220
221	static bool mrenclave_ecreate(EVP_MD_CTX *ctx, uint64_t blob_size)
222	{
223	struct mrecreate mrecreate;
224	uint64_t encl_size;
225
226	for (encl_size = `0x1000`; encl_size < blob_size; )
227	encl_size <<= `1`;
228
229	memset(&mrecreate, `0`, sizeof(mrecreate));
230	mrecreate.tag = MRECREATE;
231	mrecreate.ssaframesize = `1`;
232	mrecreate.size = encl_size;
233
234	if (!EVP_DigestInit_ex(ctx, EVP_sha256(), NULL))
235	return false;
236
237	return mrenclave_update(ctx, &mrecreate);
238	}
239
240	struct mreadd {
241	uint64_t tag;
242	uint64_t offset;
243	uint64_t flags; / SECINFO flags /
244	uint8_t reserved[`40`];
245	} __attribute__((__packed__));
246
247	static bool mrenclave_eadd(EVP_MD_CTX *ctx, uint64_t offset, uint64_t flags)
248	{
249	struct mreadd mreadd;
250
251	memset(&mreadd, `0`, sizeof(mreadd));
252	mreadd.tag = MREADD;
253	mreadd.offset = offset;
254	mreadd.flags = flags;
255
256	return mrenclave_update(ctx, &mreadd);
257	}
258
259	struct mreextend {
260	uint64_t tag;
261	uint64_t offset;
262	uint8_t reserved[`48`];
263	} __attribute__((__packed__));
264
265	static bool mrenclave_eextend(EVP_MD_CTX *ctx, uint64_t offset,
266	const uint8_t *data)
267	{
268	struct mreextend mreextend;
269	int i;
270
271	for (i = `0`; i < `0x1000`; i += `0x100`) {
272	memset(&mreextend, `0`, sizeof(mreextend));
273	mreextend.tag = MREEXTEND;
274	mreextend.offset = offset + i;
275
276	if (!mrenclave_update(ctx, &mreextend))
277	return false;
278
279	if (!mrenclave_update(ctx, &data[i + `0x00`]))
280	return false;
281
282	if (!mrenclave_update(ctx, &data[i + `0x40`]))
283	return false;
284
285	if (!mrenclave_update(ctx, &data[i + `0x80`]))
286	return false;
287
288	if (!mrenclave_update(ctx, &data[i + `0xC0`]))
289	return false;
290	}
291
292	return true;
293	}
294
295	static bool mrenclave_segment(EVP_MD_CTX ctx, struct* encl *encl,
296	struct encl_segment *seg)
297	{
298	uint64_t end = seg->size;
299	uint64_t offset;
300
301	for (offset = `0`; offset < end; offset += PAGE_SIZE) {
302	if (!mrenclave_eadd(ctx, seg->offset + offset, seg->flags))
303	return false;
304
305	if (seg->measure) {
306	if (!mrenclave_eextend(ctx, seg->offset + offset, seg->src + offset))
307	return false;
308	}
309	}
310
311	return true;
312	}
313
314	bool encl_measure(struct encl *encl)
315	{
316	uint64_t header1[`2`] = {`0x000000E100000006`, `0x0000000000010000`};
317	uint64_t header2[`2`] = {`0x0000006000000101`, `0x0000000100000060`};
318	struct sgx_sigstruct *sigstruct = &encl->sigstruct;
319	struct sgx_sigstruct_payload payload;
320	uint8_t digest[SHA256_DIGEST_LENGTH];
321	EVP_MD_CTX *ctx = NULL;
322	unsigned int siglen;
323	RSA *key = NULL;
324	int i;
325
326	memset(sigstruct, `0`, sizeof(*sigstruct));
327
328	sigstruct->header.header1[`0`] = header1[`0`];
329	sigstruct->header.header1[`1`] = header1[`1`];
330	sigstruct->header.header2[`0`] = header2[`0`];
331	sigstruct->header.header2[`1`] = header2[`1`];
332	sigstruct->exponent = `3`;
333	sigstruct->body.attributes = SGX_ATTR_MODE64BIT;
334	sigstruct->body.xfrm = `3`;
335
336	/ sanity check /
337	if (check_crypto_errors())
338	goto err;
339
340	key = gen_sign_key();
341	if (!key) {
342	ERR_print_errors_fp(stdout);
343	goto err;
344	}
345
346	BN_bn2bin(get_modulus(key), sigstruct->modulus);
347
348	ctx = EVP_MD_CTX_create();
349	if (!ctx)
350	goto err;
351
352	if (!mrenclave_ecreate(ctx, encl->src_size))
353	goto err;
354
355	for (i = `0`; i < encl->nr_segments; i++) {
356	struct encl_segment *seg = &encl->segment_tbl[i];
357
358	if (!mrenclave_segment(ctx, encl, seg))
359	goto err;
360	}
361
362	if (!mrenclave_commit(ctx, sigstruct->body.mrenclave))
363	goto err;
364
365	memcpy(&payload.header, &sigstruct->header, sizeof(sigstruct->header));
366	memcpy(&payload.body, &sigstruct->body, sizeof(sigstruct->body));
367
368	SHA256((unsigned char )&payload, sizeof*(payload), digest);
369
370	if (!RSA_sign(NID_sha256, digest, SHA256_DIGEST_LENGTH,
371	sigstruct->signature, &siglen, key))
372	goto err;
373
374	if (!calc_q1q2(s: sigstruct->signature, m: sigstruct->modulus, q1: sigstruct->q1,
375	q2: sigstruct->q2))
376	goto err;
377
378	/ BE -> LE /
379	reverse_bytes(data: sigstruct->signature, SGX_MODULUS_SIZE);
380	reverse_bytes(data: sigstruct->modulus, SGX_MODULUS_SIZE);
381
382	EVP_MD_CTX_destroy(ctx);
383	RSA_free(key);
384	return true;
385
386	err:
387	if (ctx)
388	EVP_MD_CTX_destroy(ctx);
389	RSA_free(key);
390	return false;
391	}
392

source code of linux/tools/testing/selftests/sgx/sigstruct.c