sgx_status_t derive_key(
const sgx_ec256_dh_shared_t* shared_key,
const char* label,
uint32_t label_length,
sgx_ec_key_128bit_t* derived_key)
{
sgx_status_t se_ret = SGX_SUCCESS;
uint8_t cmac_key[MAC_KEY_SIZE];
sgx_ec_key_128bit_t key_derive_key;
if (!shared_key || !derived_key || !label)
{
return SGX_ERROR_INVALID_PARAMETER;
}
/*check integer overflow */
if (label_length > EC_DERIVATION_BUFFER_SIZE(label_length))
{
return SGX_ERROR_INVALID_PARAMETER;
}
memset(cmac_key, 0, MAC_KEY_SIZE);
se_ret = sgx_rijndael128_cmac_msg((sgx_cmac_128bit_key_t *)cmac_key,
(uint8_t*)shared_key,
sizeof(sgx_ec256_dh_shared_t),
(sgx_cmac_128bit_tag_t *)&key_derive_key);
if (SGX_SUCCESS != se_ret)
{
memset_s(&key_derive_key, sizeof(key_derive_key), 0, sizeof(key_derive_key));
INTERNAL_SGX_ERROR_CODE_CONVERTOR(se_ret);
return se_ret;
}
/* derivation_buffer = counter(0x01) || label || 0x00 || output_key_len(0x0080) */
uint32_t derivation_buffer_length = EC_DERIVATION_BUFFER_SIZE(label_length);
uint8_t *p_derivation_buffer = (uint8_t *)malloc(derivation_buffer_length);
if (p_derivation_buffer == NULL)
{
return SGX_ERROR_OUT_OF_MEMORY;
}
memset(p_derivation_buffer, 0, derivation_buffer_length);
/*counter = 0x01 */
p_derivation_buffer[0] = 0x01;
/*label*/
memcpy(&p_derivation_buffer[1], label, label_length);
/*output_key_len=0x0080*/
uint16_t *key_len = (uint16_t *)&p_derivation_buffer[derivation_buffer_length - 2];
*key_len = 0x0080;
se_ret = sgx_rijndael128_cmac_msg((sgx_cmac_128bit_key_t *)&key_derive_key,
p_derivation_buffer,
derivation_buffer_length,
(sgx_cmac_128bit_tag_t *)derived_key);
memset_s(&key_derive_key, sizeof(key_derive_key), 0, sizeof(key_derive_key));
free(p_derivation_buffer);
if(SGX_SUCCESS != se_ret)
{
INTERNAL_SGX_ERROR_CODE_CONVERTOR(se_ret);
}
return se_ret;
}
pve_status_t get_ppid(ppid_t* ppid)
{
sgx_key_128bit_t key_tmp;
sgx_status_t sgx_status = SGX_SUCCESS;
memset(&key_tmp, 0, sizeof(key_tmp));
//get Provisioning Key with both CPUSVN and ISVSVN set to 0
pve_status_t status = get_provision_key(&key_tmp, NULL);
if(status != PVEC_SUCCESS){
(void)memset_s(&key_tmp,sizeof(key_tmp), 0, sizeof(key_tmp));
return status;
}
uint8_t content[16];
memset(&content, 0, sizeof(content));
//generate the mac as PPID
se_static_assert(sizeof(sgx_cmac_128bit_key_t) == sizeof(sgx_key_128bit_t)); /*size of sgx_cmac_128bit_key_t and sgx_key_128bit_t should be same*/
se_static_assert(sizeof(sgx_cmac_128bit_tag_t) == sizeof(ppid_t)); /*size of sgx_cmac_128bit_tag_t and ppit_t should be same*/
if((sgx_status=sgx_rijndael128_cmac_msg(reinterpret_cast<const sgx_cmac_128bit_key_t *>(&key_tmp),
content, sizeof(content), reinterpret_cast<sgx_cmac_128bit_tag_t *>(ppid)))!=SGX_SUCCESS){
status = sgx_error_to_pve_error(sgx_status);
}else{
status = PVEC_SUCCESS;
}
(void)memset_s(&key_tmp,sizeof(key_tmp), 0, sizeof(key_tmp));//clear provisioning key in stack
return status;
}
ae_error_t CertificateProvisioningProtocol::aesCMAC(const upse::Buffer& key, const upse::Buffer& message, upse::Buffer& cmac)
{
ae_error_t status = AE_FAILURE;
do
{
if (key.getSize() != sizeof(sgx_aes_gcm_128bit_key_t))
break;
status = cmac.Alloc(sizeof(sgx_cmac_128bit_tag_t));
if (AE_FAILED(status))
break;
uint8_t* pCMAC;
status = upse::BufferWriter(cmac).reserve(cmac.getSize(), &pCMAC);
if (AE_FAILED(status))
break;
sgx_status_t sgx_status;
sgx_status = sgx_rijndael128_cmac_msg(reinterpret_cast<const sgx_aes_gcm_128bit_key_t *>(key.getData()),
message.getData(), message.getSize(), reinterpret_cast<sgx_cmac_128bit_tag_t *>(pCMAC));
if (SGX_SUCCESS != sgx_status)
{
status = AE_FAILURE;
break;
}
status = AE_SUCCESS;
} while (0);
return status;
}
sgx_status_t sgx_verify_report(const sgx_report_t *report)
{
sgx_mac_t mac;
sgx_key_request_t key_request;
sgx_key_128bit_t key;
sgx_status_t err = SGX_ERROR_UNEXPECTED;
//check parameter
if(!report||!sgx_is_within_enclave(report, sizeof(*report)))
{
return SGX_ERROR_INVALID_PARAMETER;
}
memset(&mac, 0, sizeof(sgx_mac_t));
memset(&key_request, 0, sizeof(sgx_key_request_t));
memset(&key, 0, sizeof(sgx_key_128bit_t));
//prepare the key_request
key_request.key_name = SGX_KEYSELECT_REPORT;
memcpy_s(&key_request.key_id, sizeof(key_request.key_id), &report->key_id, sizeof(report->key_id));
//get the report key
// Since the key_request is not an input parameter by caller,
// we suppose sgx_get_key would never return the following error code:
// SGX_ERROR_INVALID_PARAMETER
// SGX_ERROR_INVALID_ATTRIBUTE
// SGX_ERROR_INVALID_CPUSVN
// SGX_ERROR_INVALID_ISVSVN
// SGX_ERROR_INVALID_KEYNAME
err = sgx_get_key(&key_request, &key);
if(err != SGX_SUCCESS)
{
return err; // err must be SGX_ERROR_OUT_OF_MEMORY or SGX_ERROR_UNEXPECTED
}
//get the report mac
err = sgx_rijndael128_cmac_msg((sgx_cmac_128bit_key_t*)&key, (const uint8_t *)(&report->body), sizeof(sgx_report_body_t), &mac);
memset_s (&key, sizeof(sgx_key_128bit_t), 0, sizeof(sgx_key_128bit_t));
if (SGX_SUCCESS != err)
{
if(err != SGX_ERROR_OUT_OF_MEMORY)
err = SGX_ERROR_UNEXPECTED;
return err;
}
if(consttime_memequal(mac, report->mac, sizeof(sgx_mac_t)) == 0)
{
return SGX_ERROR_MAC_MISMATCH;
}
else
{
return SGX_SUCCESS;
}
}
sgx_status_t verify_att_result_mac(sgx_ra_context_t context,
uint8_t* p_message,
size_t message_size,
uint8_t* p_mac,
size_t mac_size)
{
sgx_status_t ret;
sgx_ec_key_128bit_t mk_key;
if(mac_size != sizeof(sgx_mac_t))
{
ret = SGX_ERROR_INVALID_PARAMETER;
return ret;
}
if(message_size > UINT32_MAX)
{
ret = SGX_ERROR_INVALID_PARAMETER;
return ret;
}
do {
uint8_t mac[SGX_CMAC_MAC_SIZE] = {0};
ret = sgx_ra_get_keys(context, SGX_RA_KEY_MK, &mk_key);
if(SGX_SUCCESS != ret)
{
break;
}
ret = sgx_rijndael128_cmac_msg(&mk_key,
p_message,
(uint32_t)message_size,
&mac);
if(SGX_SUCCESS != ret)
{
break;
}
if(0 == consttime_memequal(p_mac, mac, sizeof(mac)))
{
ret = SGX_ERROR_MAC_MISMATCH;
break;
}
}
while(0);
return ret;
}
//Get Provisioning Wrap2 Key with respect to the PSVN
pve_status_t get_pwk2(
const psvn_t* psvn,
const uint8_t n2[NONCE_2_SIZE],
sgx_key_128bit_t* wrap_key)
{
if( psvn == NULL)
return PVEC_PARAMETER_ERROR;
uint8_t content[32];
sgx_status_t sgx_status = SGX_SUCCESS;
sgx_key_128bit_t key_tmp;
pve_status_t status = PVEC_SUCCESS;
memset(&key_tmp, 0, sizeof(key_tmp));
status = get_provision_key(&key_tmp, psvn); //Generate Provisioning Key with respect to the psvn
if(status != PVEC_SUCCESS)
goto ret_point;
memset(&content, 0, sizeof(content));
content[0] = 0x01;
memcpy(&content[START_OFF_PROV_WRAP_2], PROV_WRAP_2, PROV_WRAP_2_LEN); // byte 1-11 : "PROV_WRAP_2" (ascii encoded)
memcpy(&content[START_OFF_NONCE_2], n2, NONCE_2_SIZE);
content[OFF_BYTE_ZERO] = 0x00; //fill zero in byte offset 30
content[OFF_BYTE_0X80] = 0x80; //fill 0x80 in byte offset 31
//get the cmac of provision key as PWK2
se_static_assert(sizeof(sgx_cmac_128bit_key_t)==sizeof(key_tmp)); /*size of sgx_cmac_128bit_key_t should be same as sgx_key_128bit_t*/
se_static_assert(sizeof(sgx_cmac_128bit_tag_t)==sizeof(sgx_key_128bit_t)); /*size of sgx_cmac_128bit_tag_t should be same as sgx_key_128bit_t*/
if((sgx_status = sgx_rijndael128_cmac_msg(reinterpret_cast<const sgx_cmac_128bit_key_t *>(&key_tmp),
reinterpret_cast<const uint8_t *>(content), sizeof(content),
reinterpret_cast<sgx_cmac_128bit_tag_t *>(wrap_key)))!=SGX_SUCCESS){
status = sgx_error_to_pve_error(sgx_status);
}else{
status = PVEC_SUCCESS;
}
ret_point:
(void)memset_s(&key_tmp,sizeof(key_tmp), 0 ,sizeof(key_tmp)); //clear provisioninig key in stack
return status;
}
extern "C" sgx_status_t sgx_ra_proc_msg2_trusted(
sgx_ra_context_t context,
const sgx_ra_msg2_t *p_msg2, //(g_b||spid||quote_type|| KDF_ID ||sign_gb_ga||cmac||sig_rl_size||sig_rl)
const sgx_target_info_t *p_qe_target,
sgx_report_t *p_report,
sgx_quote_nonce_t* p_nonce)
{
sgx_status_t se_ret = SGX_ERROR_UNEXPECTED;
//p_msg2[in] p_qe_target[in] p_report[out] p_nonce[out] in EDL file
if(vector_size(&g_ra_db) <= context
|| !p_msg2
|| !p_qe_target
|| !p_report
|| !p_nonce)
return SGX_ERROR_INVALID_PARAMETER;
ra_db_item_t* item = NULL;
if(0 != vector_get(&g_ra_db, context, reinterpret_cast<void**>(&item)) || item == NULL )
return SGX_ERROR_INVALID_PARAMETER;
sgx_ec256_private_t a;
memset(&a, 0, sizeof(a));
// Create gb_ga
sgx_ec256_public_t gb_ga[2];
sgx_ec256_public_t sp_pubkey;
sgx_ec_key_128bit_t smkey = {0};
sgx_ec_key_128bit_t skey = {0};
sgx_ec_key_128bit_t mkey = {0};
sgx_ec_key_128bit_t vkey = {0};
sgx_ra_derive_secret_keys_t ra_key_cb = NULL;
memset(&gb_ga[0], 0, sizeof(gb_ga));
sgx_spin_lock(&item->item_lock);
//sgx_ra_get_ga must have been called
if (item->state != ra_get_gaed)
{
sgx_spin_unlock(&item->item_lock);
return SGX_ERROR_INVALID_STATE;
}
memcpy(&a, &item->a, sizeof(a));
memcpy(&gb_ga[1], &item->g_a, sizeof(gb_ga[1]));
memcpy(&sp_pubkey, &item->sp_pubkey, sizeof(sp_pubkey));
ra_key_cb = DEC_KDF_POINTER(item->derive_key_cb);
sgx_spin_unlock(&item->item_lock);
memcpy(&gb_ga[0], &p_msg2->g_b, sizeof(gb_ga[0]));
sgx_ecc_state_handle_t ecc_state = NULL;
// ecc_state need to be freed when exit.
se_ret = sgx_ecc256_open_context(&ecc_state);
if (SGX_SUCCESS != se_ret)
{
if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
se_ret = SGX_ERROR_UNEXPECTED;
return se_ret;
}
sgx_ec256_dh_shared_t dh_key;
memset(&dh_key, 0, sizeof(dh_key));
sgx_ec256_public_t* p_msg2_g_b = const_cast<sgx_ec256_public_t*>(&p_msg2->g_b);
se_ret = sgx_ecc256_compute_shared_dhkey(&a,
(sgx_ec256_public_t*)p_msg2_g_b,
&dh_key, ecc_state);
if(SGX_SUCCESS != se_ret)
{
if (SGX_ERROR_OUT_OF_MEMORY != se_ret)
se_ret = SGX_ERROR_UNEXPECTED;
sgx_ecc256_close_context(ecc_state);
return se_ret;
}
// Verify signature of gb_ga
uint8_t result;
sgx_ec256_signature_t* p_msg2_sign_gb_ga = const_cast<sgx_ec256_signature_t*>(&p_msg2->sign_gb_ga);
se_ret = sgx_ecdsa_verify((uint8_t *)&gb_ga, sizeof(gb_ga),
&sp_pubkey,
p_msg2_sign_gb_ga,
&result, ecc_state);
if(SGX_SUCCESS != se_ret)
{
if (SGX_ERROR_OUT_OF_MEMORY != se_ret)
se_ret = SGX_ERROR_UNEXPECTED;
sgx_ecc256_close_context(ecc_state);
return se_ret;
}
if(SGX_EC_VALID != result)
{
sgx_ecc256_close_context(ecc_state);
return SGX_ERROR_INVALID_SIGNATURE;
}
do
{
if(NULL != ra_key_cb)
{
se_ret = ra_key_cb(&dh_key,
p_msg2->kdf_id,
&smkey,
&skey,
&mkey,
&vkey);
if (SGX_SUCCESS != se_ret)
{
if(SGX_ERROR_OUT_OF_MEMORY != se_ret &&
SGX_ERROR_INVALID_PARAMETER != se_ret &&
SGX_ERROR_KDF_MISMATCH != se_ret)
se_ret = SGX_ERROR_UNEXPECTED;
break;
}
}
else if (p_msg2->kdf_id == 0x0001)
{
se_ret = derive_key(&dh_key, "SMK", (uint32_t)(sizeof("SMK") -1), &smkey);
if (SGX_SUCCESS != se_ret)
{
if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
se_ret = SGX_ERROR_UNEXPECTED;
break;
}
se_ret = derive_key(&dh_key, "SK", (uint32_t)(sizeof("SK") -1), &skey);
if (SGX_SUCCESS != se_ret)
{
if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
se_ret = SGX_ERROR_UNEXPECTED;
break;
}
se_ret = derive_key(&dh_key, "MK", (uint32_t)(sizeof("MK") -1), &mkey);
if (SGX_SUCCESS != se_ret)
{
if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
se_ret = SGX_ERROR_UNEXPECTED;
break;
}
se_ret = derive_key(&dh_key, "VK", (uint32_t)(sizeof("VK") -1), &vkey);
if (SGX_SUCCESS != se_ret)
{
if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
se_ret = SGX_ERROR_UNEXPECTED;
break;
}
}
else
{
se_ret = SGX_ERROR_KDF_MISMATCH;
break;
}
sgx_cmac_128bit_tag_t mac;
uint32_t maced_size = offsetof(sgx_ra_msg2_t, mac);
se_ret = sgx_rijndael128_cmac_msg(&smkey, (const uint8_t *)p_msg2, maced_size, &mac);
if (SGX_SUCCESS != se_ret)
{
if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
se_ret = SGX_ERROR_UNEXPECTED;
break;
}
//Check mac
if(0 == consttime_memequal(mac, p_msg2->mac, sizeof(mac)))
{
se_ret = SGX_ERROR_MAC_MISMATCH;
break;
}
//create a nonce
se_ret =sgx_read_rand((uint8_t*)p_nonce, sizeof(sgx_quote_nonce_t));
if (SGX_SUCCESS != se_ret)
{
if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
se_ret = SGX_ERROR_UNEXPECTED;
break;
}
sgx_spin_lock(&item->item_lock);
//sgx_ra_get_ga must have been called
if (item->state != ra_get_gaed)
{
se_ret = SGX_ERROR_INVALID_STATE;
sgx_spin_unlock(&item->item_lock);
break;
}
memcpy(&item->g_b, &p_msg2->g_b, sizeof(item->g_b));
memcpy(&item->smk_key, smkey, sizeof(item->smk_key));
memcpy(&item->sk_key, skey, sizeof(item->sk_key));
memcpy(&item->mk_key, mkey, sizeof(item->mk_key));
memcpy(&item->vk_key, vkey, sizeof(item->vk_key));
memcpy(&item->qe_target, p_qe_target, sizeof(sgx_target_info_t));
memcpy(&item->quote_nonce, p_nonce, sizeof(sgx_quote_nonce_t));
sgx_report_data_t report_data = {{0}};
se_static_assert(sizeof(sgx_report_data_t)>=sizeof(sgx_sha256_hash_t));
// H = SHA256(ga || gb || VK_CMAC)
uint32_t sha256ed_size = offsetof(ra_db_item_t, sp_pubkey);
//report_data is 512bits, H is 256bits. The H is in the lower 256 bits of report data while the higher 256 bits are all zeros.
se_ret = sgx_sha256_msg((uint8_t *)&item->g_a, sha256ed_size,
(sgx_sha256_hash_t *)&report_data);
if(SGX_SUCCESS != se_ret)
{
if (SGX_ERROR_OUT_OF_MEMORY != se_ret)
se_ret = SGX_ERROR_UNEXPECTED;
sgx_spin_unlock(&item->item_lock);
break;
}
//REPORTDATA = H
se_ret = sgx_create_report(p_qe_target, &report_data, p_report);
if (SGX_SUCCESS != se_ret)
{
if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
se_ret = SGX_ERROR_UNEXPECTED;
sgx_spin_unlock(&item->item_lock);
break;
}
item->state = ra_proc_msg2ed;
sgx_spin_unlock(&item->item_lock);
}while(0);
memset_s(&dh_key, sizeof(dh_key), 0, sizeof(dh_key));
sgx_ecc256_close_context(ecc_state);
memset_s(&a, sizeof(sgx_ec256_private_t),0, sizeof(sgx_ec256_private_t));
memset_s(smkey, sizeof(sgx_ec_key_128bit_t),0, sizeof(sgx_ec_key_128bit_t));
memset_s(skey, sizeof(sgx_ec_key_128bit_t),0, sizeof(sgx_ec_key_128bit_t));
memset_s(mkey, sizeof(sgx_ec_key_128bit_t),0, sizeof(sgx_ec_key_128bit_t));
memset_s(vkey, sizeof(sgx_ec_key_128bit_t),0, sizeof(sgx_ec_key_128bit_t));
return se_ret;
}
//Function to decode ProvMsg4 and generate epid data blob
uint32_t CPVEClass::proc_prov_msg4(
const pve_data_t &data,
const uint8_t *msg4,
uint32_t msg4_size,
uint8_t *data_blob,
uint32_t blob_size)
{
ae_error_t ret = AE_SUCCESS;
uint8_t local_ek2[SK_SIZE];
uint8_t *decoded_msg4 = NULL;
uint8_t temp[XID_SIZE+NONCE_SIZE];
sgx_status_t sgx_status;
const provision_response_header_t *msg4_header = reinterpret_cast<const provision_response_header_t *>(msg4);
if(msg4_size < PROVISION_RESPONSE_HEADER_SIZE) {
AESM_DBG_ERROR("invalid msg4 size");
return PVE_MSG_ERROR;
}
if (blob_size != SGX_TRUSTED_EPID_BLOB_SIZE_PAK) {
AESM_DBG_FATAL("invalid input epid blob size");
return PVE_PARAMETER_ERROR;
}
ret = check_prov_msg4_header(msg4_header, msg4_size);
if( AE_SUCCESS != ret) {
AESM_DBG_ERROR("Invalid ProvMsg4 Header:(ae%d)",ret);
return ret;
}
if(0!=memcmp(msg4_header->xid, data.xid, XID_SIZE)) {
AESM_DBG_ERROR("Invalid XID in msg4 header");
return PVE_MSG_ERROR;
}
ret = check_epid_pve_pg_status_before_mac_verification(msg4_header);
if( AE_SUCCESS != ret) {
AESM_DBG_ERROR("Backend return failure in ProvMsg4 Header:(ae%d)",ret);
return ret;
}
do {
TLVsMsg tlvs_msg4;
uint8_t aad[PROVISION_RESPONSE_HEADER_SIZE+NONCE_SIZE];
tlv_status_t tlv_status;
tlv_status = tlvs_msg4.init_from_buffer(msg4+static_cast<uint32_t>(PROVISION_RESPONSE_HEADER_SIZE), msg4_size - static_cast<uint32_t>(PROVISION_RESPONSE_HEADER_SIZE));
ret = tlv_error_2_pve_error(tlv_status);
if(AE_SUCCESS!=ret) {
AESM_DBG_ERROR("fail to decode ProvMsg4:(ae%d)",ret);
break;
}
ret = msg4_integrity_checking(tlvs_msg4);
if(AE_SUCCESS != ret) {
AESM_DBG_ERROR("ProvMsg4 integrity checking error:(ae%d)",ret);
break;
}
AESM_DBG_TRACE("ProvMsg4 decoded");
se_static_assert(sizeof(sgx_cmac_128bit_key_t)==SK_SIZE);
if(0!=memcpy_s(temp,sizeof(temp), data.xid, XID_SIZE)||
0!=memcpy_s(temp+XID_SIZE, sizeof(temp)-XID_SIZE, MSG4_TOP_FIELD_NONCE.payload, NONCE_SIZE)) {
AESM_DBG_ERROR("Fail in memcpy");
ret = AE_FAILURE;
break;
}
if((sgx_status=sgx_rijndael128_cmac_msg(reinterpret_cast<const sgx_cmac_128bit_key_t *>(data.sk),
temp, XID_SIZE+NONCE_SIZE, reinterpret_cast<sgx_cmac_128bit_tag_t *>(local_ek2)))!=SGX_SUCCESS) {
AESM_DBG_ERROR("Fail to generate ek2:(sgx0x%x)",sgx_status);
ret = AE_FAILURE;
break;
}
se_static_assert(SK_SIZE==sizeof(sgx_aes_gcm_128bit_key_t));
tlv_msg_t field1 = block_cipher_tlv_get_encrypted_text(MSG4_TOP_FIELD_DATA);
decoded_msg4 = reinterpret_cast<uint8_t *>(malloc(field1.msg_size));
if(NULL == decoded_msg4) {
AESM_DBG_ERROR("malloc error");
ret = AE_OUT_OF_MEMORY_ERROR;
break;
}
if (memcpy_s(aad, sizeof(aad), msg4_header, PROVISION_RESPONSE_HEADER_SIZE) != 0 ||
memcpy_s(aad + PROVISION_RESPONSE_HEADER_SIZE, sizeof(aad)-PROVISION_RESPONSE_HEADER_SIZE,
MSG4_TOP_FIELD_NONCE.payload, MSG4_TOP_FIELD_NONCE.size) != 0) {
AESM_DBG_ERROR("memcpy failure");
ret = AE_FAILURE;
break;
}
sgx_status_t sgx_status = sgx_rijndael128GCM_decrypt(reinterpret_cast<const sgx_aes_gcm_128bit_key_t *>(local_ek2),
field1.msg_buf, field1.msg_size, decoded_msg4,
reinterpret_cast<uint8_t *>(block_cipher_tlv_get_iv(MSG4_TOP_FIELD_DATA)), IV_SIZE,
aad, sizeof(aad),
reinterpret_cast<const sgx_aes_gcm_128bit_tag_t *>(MSG4_TOP_FIELD_MAC.payload));
if(SGX_ERROR_MAC_MISMATCH == sgx_status) {
AESM_DBG_ERROR("fail to decrypt ProvMsg4 by EK2 (sgx0x%x)",sgx_status);
ret = PVE_INTEGRITY_CHECK_ERROR;
break;
}
if( AE_SUCCESS != (ret = sgx_error_to_ae_error(sgx_status))) {
AESM_DBG_ERROR("error in decrypting ProvMsg4:(sgx0x%x)",sgx_status);
break;
}
AESM_DBG_TRACE("ProvMsg4 decrypted by EK2 successfully");
ret = check_epid_pve_pg_status_after_mac_verification(msg4_header);
if(AE_SUCCESS != ret) {
AESM_DBG_ERROR("Backend reported error passed MAC verification:(ae%d)",ret);
break;
}
TLVsMsg tlvs_field1;
tlv_status = tlvs_field1.init_from_buffer(decoded_msg4, field1.msg_size);
ret = tlv_error_2_pve_error(tlv_status);
if(AE_SUCCESS != ret) {
AESM_DBG_ERROR("ProvMsg4 Field2.1 decoding failed:(ae%d)",ret);
break;
}
ret = msg4_field1_msg_checking(tlvs_field1);
if( AE_SUCCESS != ret) {
AESM_DBG_ERROR("ProvMsg4 Field2.1 invalid:(ae%d)",ret);
break;
}
proc_prov_msg4_input_t msg4_input;
tlv_msg_t Axf_data = block_cipher_tlv_get_encrypted_text(MSG4_FIELD1_ENC_Axf);
if(0!=memcpy_s(&msg4_input.group_cert, sizeof(msg4_input.group_cert), MSG4_FIELD1_GROUP_CERT.payload, MSG4_FIELD1_GROUP_CERT.size)||
0!=memcpy_s(&msg4_input.n2, NONCE_2_SIZE, MSG4_FIELD1_Nonce2.payload, MSG4_FIELD1_Nonce2.size) ||
0!=memcpy_s(&msg4_input.equivalent_psvn, sizeof(psvn_t), platform_info_tlv_get_psvn(MSG4_FIELD1_PLATFORM_INFO), sizeof(psvn_t))||
0!=memcpy_s(&msg4_input.fmsp, sizeof(fmsp_t), platform_info_tlv_get_fmsp(MSG4_FIELD1_PLATFORM_INFO), sizeof(fmsp_t))||
0!=memcpy_s(&msg4_input.member_credential_iv, IV_SIZE, block_cipher_tlv_get_iv(MSG4_FIELD1_ENC_Axf), IV_SIZE)||
0!=memcpy_s(&msg4_input.encrypted_member_credential, HARD_CODED_EPID_MEMBER_WITH_ESCROW_TLV_SIZE, Axf_data.msg_buf, Axf_data.msg_size)||
0!=memcpy_s(&msg4_input.member_credential_mac, MAC_SIZE, MSG4_FIELD1_MAC_Axf.payload, MSG4_FIELD1_MAC_Axf.size)) {
AESM_DBG_ERROR("memcpy error");
ret = PVE_UNEXPECTED_ERROR;
break;
}
if (AE_SUCCESS != (ret =XEGDBlob::instance().read(msg4_input.xegb))) {
AESM_DBG_ERROR("Fail to read extend epid blob info (ae%d)",ret);
return ret;
}
ret = CPVEClass::instance().load_enclave();//Load PvE enclave now
if( ret != AE_SUCCESS) {
AESM_DBG_ERROR("Fail to load PvE enclave:(ae%d)\n",ret);
break;
}
ret = (ae_error_t)proc_prov_msg4_data(&msg4_input, reinterpret_cast<proc_prov_msg4_output_t *>(data_blob));
AESM_DBG_TRACE("PvE return (ae%d) in Process ProvMsg4",ret);
} while(0);
if(decoded_msg4)free(decoded_msg4);
return ret;
}
uint32_t CPVEClass::gen_prov_msg1(
pve_data_t &pve_data,
uint8_t *msg1,
uint32_t msg1_size)
{
uint32_t ret = AE_SUCCESS;
uint16_t pce_id = 0;
uint16_t pce_isv_svn = 0;
sgx_report_t pek_report;
uint8_t *field2 = NULL;
uint8_t field2_iv[IV_SIZE];
uint8_t field2_mac[MAC_SIZE];
uint8_t encrypted_ppid[RSA_3072_KEY_BYTES];
//msg1 header will be in the beginning part of the output msg
provision_request_header_t *msg1_header = reinterpret_cast<provision_request_header_t *>(msg1);
memset(&pek_report, 0, sizeof(pek_report));
sgx_target_info_t pce_target_info;
sgx_status_t sgx_status;
//Load PCE Enclave required
ret = CPCEClass::instance().load_enclave();
if(ret != AE_SUCCESS){
AESM_DBG_ERROR("Fail to load PCE enclave:( ae%d)\n",ret);
return ret;
}
ret = CPCEClass::instance().get_pce_target(&pce_target_info);
if(ret != AE_SUCCESS){
AESM_DBG_ERROR("Fail to get PCE target info:( ae %d)\n",ret);
return ret;
}
//Load PvE enclave now
ret = CPVEClass::instance().load_enclave();
if( ret != AE_SUCCESS){
AESM_DBG_ERROR("Fail to load PvE enclave:(ae%d)\n",ret);
return ret;
}
//The code will generate a report on PEK by PvE
ret = gen_prov_msg1_data(&pve_data.pek, &pce_target_info, &pek_report);
if(AE_SUCCESS != ret ){
AESM_DBG_ERROR("Gen ProvMsg1 in trusted code failed:( ae %d)",ret);
return ret;
}
se_static_assert(sizeof(encrypted_ppid)==PEK_MOD_SIZE);
//Load PCE Enclave required
ret = CPCEClass::instance().load_enclave();
if(ret != AE_SUCCESS){
AESM_DBG_ERROR("Fail to load PCE enclave:( ae %d)\n",ret);
return ret;
}
ret = CPCEClass::instance().get_pce_info(pek_report, pve_data.pek, pce_id,
pce_isv_svn, encrypted_ppid);
if(AE_SUCCESS != ret){
AESM_DBG_ERROR("Fail to generate pc_info:(ae%d)",ret);
return ret;
}
//randomly generate XID
ret = aesm_read_rand(pve_data.xid, XID_SIZE);
if(AE_SUCCESS != ret ){
AESM_DBG_ERROR("Fail to generate random XID (ae%d)",ret);
return ret;
}
//randomly generate SK
ret = aesm_read_rand(pve_data.sk, SK_SIZE);
if(AE_SUCCESS != ret ){
AESM_DBG_ERROR("Fail to generate random SK (ae%d)",ret);
return ret;
}
CPCEClass::instance().unload_enclave();
ret = prov_msg1_gen_header(msg1_header, pve_data.is_performance_rekey, pve_data.xid, msg1_size);
if(AE_SUCCESS != ret){
AESM_DBG_ERROR("fail to generate ProvMsg1 Header:(ae %d)",ret);
return ret;
}
{
TLVsMsg tlvs_msg1_sub;
tlv_status_t tlv_status;
sgx_sha256_hash_t psid;
tlv_status = tlvs_msg1_sub.add_block_cipher_info(pve_data.sk);
ret = tlv_error_2_pve_error(tlv_status);
if(AE_SUCCESS!=ret){
AESM_DBG_ERROR("Fail to generate SK TLV of ProvMsg1 (ae %d)",ret);
return ret;
}
sgx_status = sgx_sha256_msg(reinterpret_cast<const uint8_t *>(&pve_data.pek.n),
static_cast<uint32_t>(sizeof(pve_data.pek.n) + sizeof(pve_data.pek.e)), &psid);
if(SGX_SUCCESS != sgx_status){
AESM_DBG_ERROR("Fail to generate PSID, (sgx0x%x)",sgx_status);
return AE_FAILURE;
}
se_static_assert(sizeof(sgx_sha256_hash_t)==sizeof(psid_t));
tlv_status = tlvs_msg1_sub.add_psid(reinterpret_cast<const psid_t *>(&psid));
ret = tlv_error_2_pve_error(tlv_status);
if(SGX_SUCCESS != ret){
AESM_DBG_ERROR("Fail to add PSID TLV ae(%d)",ret);
return ret;
}
//transform rsa format PEK public key of Provision Server
void *rsa_pub_key = NULL;
signed_pek_t le_pek{};
// Change the endian for the PEK public key
for(uint32_t i = 0; i< sizeof(le_pek.n); i++)
{
le_pek.n[i] = pve_data.pek.n[sizeof(le_pek.n) - i - 1];
}
for(uint32_t i= 0; i < sizeof(le_pek.e); i++)
{
le_pek.e[i] = pve_data.pek.e[sizeof(le_pek.e) - i - 1];
}
sgx_status = get_provision_server_rsa_pub_key(le_pek, &rsa_pub_key);
if( SGX_SUCCESS != sgx_status){
AESM_DBG_ERROR("Fail to decode PEK:%d",sgx_status);
return AE_FAILURE;
}
uint8_t field0[RSA_3072_KEY_BYTES];
ret = aesm_rsa_oaep_encrypt(tlvs_msg1_sub.get_tlv_msg(), tlvs_msg1_sub.get_tlv_msg_size(), rsa_pub_key, field0);
sgx_free_rsa_key(rsa_pub_key, SGX_RSA_PUBLIC_KEY, RSA_3072_KEY_BYTES, sizeof(le_pek.e));
if(AE_SUCCESS!=ret){
AESM_DBG_ERROR("Fail to in RSA_OAEP for ProvMsg1:(ae%d)",ret);
return ret;
}
TLVsMsg tlvs_msg1;
tlv_status= tlvs_msg1.add_cipher_text(field0, RSA_3072_KEY_BYTES, PEK_3072_PUB);
ret = tlv_error_2_pve_error(tlv_status);
if(AE_SUCCESS!=ret){
AESM_DBG_ERROR("Fail to generate field0 TLV of ProvMsg1( ae%d)",ret);
return ret;
}
TLVsMsg tlvs_msg2_sub;
tlv_status = tlvs_msg2_sub.add_cipher_text(encrypted_ppid, RSA_3072_KEY_BYTES, PEK_3072_PUB);
ret = tlv_error_2_pve_error(tlv_status);
if(AE_SUCCESS!=ret){
return ret;
}
if(!pve_data.is_backup_retrieval){
if(0!=memcpy_s(&pve_data.bpi.cpu_svn, sizeof(pve_data.bpi.cpu_svn),
&pek_report.body.cpu_svn, sizeof(pek_report.body.cpu_svn))){
AESM_DBG_FATAL("fail in memcpy_s");
return PVE_UNEXPECTED_ERROR;
}
if(0!=memcpy_s(&pve_data.bpi.pve_svn, sizeof(pve_data.bpi.pve_svn),
&pek_report.body.isv_svn, sizeof(pek_report.body.isv_svn))){
AESM_DBG_FATAL("fail in memcpy_s");
return PVE_UNEXPECTED_ERROR;
}
if(0!=memcpy_s(&pve_data.bpi.pce_svn, sizeof(pve_data.bpi.pce_svn),
&pce_isv_svn, sizeof(pce_isv_svn))){
AESM_DBG_FATAL("fail in memcpy_s");
return PVE_UNEXPECTED_ERROR;
}
}
//always use pce_id from PCE enclave
pve_data.bpi.pce_id = pce_id;
memset(&pve_data.bpi.fmsp, 0, sizeof(pve_data.bpi.fmsp));
tlv_status = tlvs_msg2_sub.add_platform_info(pve_data.bpi);
ret = tlv_error_2_pve_error(tlv_status);
if(AE_SUCCESS != ret){
AESM_DBG_ERROR("Fail to generate Platform Info TLV of ProvMsg1 (ae%d)",ret);
return ret;
}
if(pve_data.is_performance_rekey){
flags_t flags;
memset(&flags,0,sizeof(flags));
//set performance rekey flags
flags.flags[FLAGS_SIZE-1]=1;
tlv_status = tlvs_msg2_sub.add_flags(&flags);
ret = tlv_error_2_pve_error(tlv_status);
if(AE_SUCCESS != ret){
AESM_DBG_ERROR("Fail to generate FLAGS TLV of ProvMsg1, (ae %d)",ret);
return ret;
}
}
ret = aesm_read_rand(field2_iv, IV_SIZE);
if(AE_SUCCESS != ret){
AESM_DBG_ERROR("Fail to read rand:(ae%d)",ret);
return ret;
}
sgx_cmac_128bit_tag_t ek1;
se_static_assert(SK_SIZE==sizeof(sgx_cmac_128bit_key_t));
if((sgx_status = sgx_rijndael128_cmac_msg(reinterpret_cast<const sgx_cmac_128bit_key_t *>(pve_data.sk),
pve_data.xid, XID_SIZE, &ek1))!=SGX_SUCCESS){
AESM_DBG_ERROR("Fail to generate ek1:(sgx%d)",sgx_status);
return AE_FAILURE;
}
field2 = (uint8_t *)malloc(tlvs_msg2_sub.get_tlv_msg_size());
if(NULL == field2){
AESM_DBG_ERROR("Out of memory");
return AE_OUT_OF_MEMORY_ERROR;
}
sgx_status = sgx_rijndael128GCM_encrypt(&ek1,
tlvs_msg2_sub.get_tlv_msg(), tlvs_msg2_sub.get_tlv_msg_size(),
field2,field2_iv, IV_SIZE, (const uint8_t *)msg1_header, sizeof(provision_request_header_t),
(sgx_aes_gcm_128bit_tag_t *)field2_mac);
if(SGX_SUCCESS != sgx_status){
ret = sgx_error_to_ae_error(sgx_status);
AESM_DBG_ERROR("Fail to do AES encrypt (sgx %d)", sgx_status);
free(field2);
return ret;
}
tlv_status = tlvs_msg1.add_block_cipher_text(field2_iv, field2, tlvs_msg2_sub.get_tlv_msg_size());
ret = tlv_error_2_pve_error(tlv_status);
if(AE_SUCCESS!=ret){
free(field2);
AESM_DBG_ERROR("Fail to generate field1 TLV of ProvMsg1(ae%d)",ret);
return ret;
}
free(field2);
tlv_status = tlvs_msg1.add_mac(field2_mac);
ret = tlv_error_2_pve_error(tlv_status);
if(AE_SUCCESS!=ret){
AESM_DBG_ERROR("Fail to create field2 TLV of ProvMsg1:(ae %d)",ret);
return ret;
}
uint32_t size = tlvs_msg1.get_tlv_msg_size();
if(memcpy_s(msg1+PROVISION_REQUEST_HEADER_SIZE, msg1_size - PROVISION_REQUEST_HEADER_SIZE,
tlvs_msg1.get_tlv_msg(), size)!=0){
//The size overflow has been checked in header generation
AESM_DBG_FATAL("fail in memcpy_s");
return PVE_UNEXPECTED_ERROR;
}
}
return AE_SUCCESS;
}
