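/*
 * Derives a 128-bit key from an ECDH shared secret and a caller-supplied label.
 *
 * Step 1: key_derive_key = AES-CMAC(all-zero key, shared_key)
 * Step 2: derived_key    = AES-CMAC(key_derive_key,
 *                                   counter(0x01) || label || 0x00 || output_key_len(0x0080))
 *
 * Parameters:
 *   shared_key   - ECDH shared secret (must not be NULL).
 *   label        - label bytes; label_length bytes are copied, no terminator is added.
 *   label_length - number of label bytes.
 *   derived_key  - receives the 128-bit result (must not be NULL).
 *
 * Returns SGX_SUCCESS, SGX_ERROR_INVALID_PARAMETER for NULL pointers or a label
 * length that overflows the buffer-size computation, SGX_ERROR_OUT_OF_MEMORY if
 * the derivation buffer cannot be allocated, or the converted CMAC error.
 *
 * The intermediate key_derive_key is scrubbed with memset_s on every exit path
 * after it has been computed.
 */
sgx_status_t derive_key(
    const sgx_ec256_dh_shared_t* shared_key,
    const char* label,
    uint32_t label_length,
    sgx_ec_key_128bit_t* derived_key)
{
    sgx_status_t se_ret = SGX_SUCCESS;
    uint8_t cmac_key[MAC_KEY_SIZE];
    sgx_ec_key_128bit_t key_derive_key;

    if (!shared_key || !derived_key || !label)
    {
        return SGX_ERROR_INVALID_PARAMETER;
    }

    /* check integer overflow: the size computation must not wrap below label_length */
    if (label_length > EC_DERIVATION_BUFFER_SIZE(label_length))
    {
        return SGX_ERROR_INVALID_PARAMETER;
    }

    /* Extract step: CMAC the shared secret under an all-zero key. */
    memset(cmac_key, 0, MAC_KEY_SIZE);
    se_ret = sgx_rijndael128_cmac_msg((sgx_cmac_128bit_key_t *)cmac_key,
                                      (uint8_t*)shared_key,
                                      sizeof(sgx_ec256_dh_shared_t),
                                      (sgx_cmac_128bit_tag_t *)&key_derive_key);
    if (SGX_SUCCESS != se_ret)
    {
        memset_s(&key_derive_key, sizeof(key_derive_key), 0, sizeof(key_derive_key));
        INTERNAL_SGX_ERROR_CODE_CONVERTOR(se_ret);
        return se_ret;
    }

    /* derivation_buffer = counter(0x01) || label || 0x00 || output_key_len(0x0080) */
    uint32_t derivation_buffer_length = EC_DERIVATION_BUFFER_SIZE(label_length);
    uint8_t *p_derivation_buffer = (uint8_t *)malloc(derivation_buffer_length);
    if (p_derivation_buffer == NULL)
    {
        /* key_derive_key already holds key material here; do not leave it on the stack. */
        memset_s(&key_derive_key, sizeof(key_derive_key), 0, sizeof(key_derive_key));
        return SGX_ERROR_OUT_OF_MEMORY;
    }
    memset(p_derivation_buffer, 0, derivation_buffer_length);

    /*counter = 0x01 */
    p_derivation_buffer[0] = 0x01;
    /*label*/
    memcpy(&p_derivation_buffer[1], label, label_length);
    /*output_key_len=0x0080*/
    /* Written with memcpy in host byte order: the target offset depends on
       label_length and is not guaranteed to be 2-byte aligned, so a store
       through a uint16_t* would be a misaligned access. */
    const uint16_t key_len = 0x0080;
    memcpy(&p_derivation_buffer[derivation_buffer_length - 2], &key_len, sizeof(key_len));

    /* Expand step: CMAC the derivation buffer under key_derive_key. */
    se_ret = sgx_rijndael128_cmac_msg((sgx_cmac_128bit_key_t *)&key_derive_key,
                                      p_derivation_buffer,
                                      derivation_buffer_length,
                                      (sgx_cmac_128bit_tag_t *)derived_key);
    memset_s(&key_derive_key, sizeof(key_derive_key), 0, sizeof(key_derive_key));
    free(p_derivation_buffer);
    if (SGX_SUCCESS != se_ret)
    {
        INTERNAL_SGX_ERROR_CODE_CONVERTOR(se_ret);
    }
    return se_ret;
}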
// Computes the PPID as the AES-CMAC of a 16-byte all-zero block under the
// Provisioning Key requested with a NULL PSVN (CPUSVN and ISVSVN set to 0).
// The tag is written straight into *ppid. Returns PVEC_SUCCESS, the error from
// get_provision_key, or the translated CMAC error. The provisioning key copy
// on the stack is scrubbed before every return.
pve_status_t get_ppid(ppid_t* ppid)
{
    sgx_key_128bit_t prov_key;
    memset(&prov_key, 0, sizeof(prov_key));

    //get Provisioning Key with both CPUSVN and ISVSVN set to 0
    pve_status_t status = get_provision_key(&prov_key, NULL);
    if (PVEC_SUCCESS != status)
    {
        (void)memset_s(&prov_key, sizeof(prov_key), 0, sizeof(prov_key));
        return status;
    }

    // Message that gets MACed: sixteen zero bytes.
    uint8_t zero_block[16] = {0};

    //generate the mac as PPID
    // The casts below are only valid while these sizes match.
    se_static_assert(sizeof(sgx_cmac_128bit_key_t) == sizeof(sgx_key_128bit_t)); /*size of sgx_cmac_128bit_key_t and sgx_key_128bit_t should be same*/
    se_static_assert(sizeof(sgx_cmac_128bit_tag_t) == sizeof(ppid_t)); /*size of sgx_cmac_128bit_tag_t and ppid_t should be same*/

    const sgx_status_t cmac_result = sgx_rijndael128_cmac_msg(
        reinterpret_cast<const sgx_cmac_128bit_key_t *>(&prov_key),
        zero_block,
        sizeof(zero_block),
        reinterpret_cast<sgx_cmac_128bit_tag_t *>(ppid));
    status = (SGX_SUCCESS == cmac_result) ? PVEC_SUCCESS
                                          : sgx_error_to_pve_error(cmac_result);

    (void)memset_s(&prov_key, sizeof(prov_key), 0, sizeof(prov_key)); //clear provisioning key in stack
    return status;
}
// Computes the AES-128 CMAC of `message` under `key` and stores the tag in `cmac`.
//
// key     - must be exactly sizeof(sgx_aes_gcm_128bit_key_t) bytes, otherwise
//           AE_FAILURE is returned without touching `cmac`.
// message - bytes to authenticate.
// cmac    - (re)allocated to sizeof(sgx_cmac_128bit_tag_t) and filled with the tag.
//
// Returns AE_SUCCESS, the error from Buffer::Alloc / BufferWriter::reserve, or
// AE_FAILURE when the key size is wrong or the CMAC primitive fails.
ae_error_t CertificateProvisioningProtocol::aesCMAC(const upse::Buffer& key, const upse::Buffer& message, upse::Buffer& cmac)
{
    // Reject keys of the wrong length before any allocation happens.
    if (key.getSize() != sizeof(sgx_aes_gcm_128bit_key_t))
    {
        return AE_FAILURE;
    }

    ae_error_t status = cmac.Alloc(sizeof(sgx_cmac_128bit_tag_t));
    if (AE_FAILED(status))
    {
        return status;
    }

    // Obtain a writable pointer covering the whole output buffer.
    uint8_t* tag_out;
    status = upse::BufferWriter(cmac).reserve(cmac.getSize(), &tag_out);
    if (AE_FAILED(status))
    {
        return status;
    }

    // NOTE(review): the key is passed through the GCM key type; presumably it has
    // the same layout as the CMAC key type - confirm against the SDK headers.
    const sgx_status_t cmac_result = sgx_rijndael128_cmac_msg(
        reinterpret_cast<const sgx_aes_gcm_128bit_key_t *>(key.getData()),
        message.getData(),
        message.getSize(),
        reinterpret_cast<sgx_cmac_128bit_tag_t *>(tag_out));

    return (SGX_SUCCESS == cmac_result) ? AE_SUCCESS : AE_FAILURE;
}
// Verifies a report by recomputing its MAC with the report key and comparing
// the result against report->mac in constant time.
//
// Returns SGX_SUCCESS when the MACs match, SGX_ERROR_MAC_MISMATCH when they do
// not, SGX_ERROR_INVALID_PARAMETER when `report` is NULL or not fully inside the
// enclave, the sgx_get_key error if the key cannot be obtained, and
// SGX_ERROR_OUT_OF_MEMORY / SGX_ERROR_UNEXPECTED if the CMAC computation fails.
sgx_status_t sgx_verify_report(const sgx_report_t *report)
{
    sgx_mac_t computed_mac;
    sgx_key_request_t request;
    sgx_key_128bit_t report_key;
    sgx_status_t status = SGX_ERROR_UNEXPECTED;

    //check parameter
    // The report is read several times below, so it has to live in enclave memory.
    if (report == NULL || !sgx_is_within_enclave(report, sizeof(*report)))
    {
        return SGX_ERROR_INVALID_PARAMETER;
    }

    memset(&computed_mac, 0, sizeof(computed_mac));
    memset(&request, 0, sizeof(request));
    memset(&report_key, 0, sizeof(report_key));

    //prepare the key_request
    // Report key, bound to the key_id carried inside the report itself.
    request.key_name = SGX_KEYSELECT_REPORT;
    memcpy_s(&request.key_id, sizeof(request.key_id), &report->key_id, sizeof(report->key_id));

    //get the report key
    // Since the key_request is not an input parameter by caller,
    // we suppose sgx_get_key would never return the following error code:
    //      SGX_ERROR_INVALID_PARAMETER
    //      SGX_ERROR_INVALID_ATTRIBUTE
    //      SGX_ERROR_INVALID_CPUSVN
    //      SGX_ERROR_INVALID_ISVSVN
    //      SGX_ERROR_INVALID_KEYNAME
    status = sgx_get_key(&request, &report_key);
    if (SGX_SUCCESS != status)
    {
        return status; // err must be SGX_ERROR_OUT_OF_MEMORY or SGX_ERROR_UNEXPECTED
    }

    //get the report mac
    status = sgx_rijndael128_cmac_msg((sgx_cmac_128bit_key_t*)&report_key,
                                      (const uint8_t *)(&report->body),
                                      sizeof(sgx_report_body_t),
                                      &computed_mac);
    // The report key is no longer needed whether or not the CMAC succeeded.
    memset_s(&report_key, sizeof(report_key), 0, sizeof(report_key));
    if (SGX_SUCCESS != status)
    {
        // Only out-of-memory is surfaced as-is; everything else is collapsed.
        return (SGX_ERROR_OUT_OF_MEMORY == status) ? status : SGX_ERROR_UNEXPECTED;
    }

    // Constant-time comparison so the result does not depend on where the MACs differ.
    const int macs_match = consttime_memequal(computed_mac, report->mac, sizeof(sgx_mac_t));
    return (macs_match != 0) ? SGX_SUCCESS : SGX_ERROR_MAC_MISMATCH;
}
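// Verifies the MAC on an attestation result message.
//
// Recomputes AES-CMAC(MK, p_message[0..message_size)) using the MK key of the
// given remote-attestation context and compares it against p_mac in constant time.
//
// context      - remote-attestation context whose MK key is used.
// p_message    - message bytes (must not be NULL).
// message_size - message length; must fit in uint32_t.
// p_mac        - MAC to check (must not be NULL).
// mac_size     - must equal sizeof(sgx_mac_t).
//
// Returns SGX_SUCCESS on a match, SGX_ERROR_MAC_MISMATCH on a mismatch,
// SGX_ERROR_INVALID_PARAMETER for bad arguments, or the error reported by
// sgx_ra_get_keys / sgx_rijndael128_cmac_msg.
//
// The local copy of MK and the recomputed MAC are scrubbed before returning so
// that neither the key nor the correct tag for a rejected message stays on the stack.
sgx_status_t verify_att_result_mac(sgx_ra_context_t context,
                                   uint8_t* p_message,
                                   size_t message_size,
                                   uint8_t* p_mac,
                                   size_t mac_size)
{
    sgx_status_t ret;
    sgx_ec_key_128bit_t mk_key;
    uint8_t mac[SGX_CMAC_MAC_SIZE] = {0};

    if(mac_size != sizeof(sgx_mac_t))
    {
        return SGX_ERROR_INVALID_PARAMETER;
    }
    // The CMAC primitive takes a 32-bit length; reject anything the cast below would truncate.
    if(message_size > UINT32_MAX)
    {
        return SGX_ERROR_INVALID_PARAMETER;
    }
    // p_mac is dereferenced by the comparison below; fail cleanly instead of faulting.
    if(NULL == p_message || NULL == p_mac)
    {
        return SGX_ERROR_INVALID_PARAMETER;
    }

    do {
        ret = sgx_ra_get_keys(context, SGX_RA_KEY_MK, &mk_key);
        if(SGX_SUCCESS != ret)
        {
            break;
        }
        ret = sgx_rijndael128_cmac_msg(&mk_key,
                                       p_message,
                                       (uint32_t)message_size,
                                       &mac);
        if(SGX_SUCCESS != ret)
        {
            break;
        }
        if(0 == consttime_memequal(p_mac, mac, sizeof(mac)))
        {
            ret = SGX_ERROR_MAC_MISMATCH;
            break;
        }
    }
    while(0);

    // Scrub secrets on every path, including the failure paths above.
    memset_s(&mk_key, sizeof(mk_key), 0, sizeof(mk_key));
    memset_s(mac, sizeof(mac), 0, sizeof(mac));
    return ret;
}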
//Get Provisioning Wrap2 Key with respect to the PSVN pve_status_t get_pwk2( const psvn_t* psvn, const uint8_t n2[NONCE_2_SIZE], sgx_key_128bit_t* wrap_key) { if( psvn == NULL) return PVEC_PARAMETER_ERROR; uint8_t content[32]; sgx_status_t sgx_status = SGX_SUCCESS; sgx_key_128bit_t key_tmp; pve_status_t status = PVEC_SUCCESS; memset(&key_tmp, 0, sizeof(key_tmp)); status = get_provision_key(&key_tmp, psvn); //Generate Provisioning Key with respect to the psvn if(status != PVEC_SUCCESS) goto ret_point; memset(&content, 0, sizeof(content)); content[0] = 0x01; memcpy(&content[START_OFF_PROV_WRAP_2], PROV_WRAP_2, PROV_WRAP_2_LEN); // byte 1-11 : "PROV_WRAP_2" (ascii encoded) memcpy(&content[START_OFF_NONCE_2], n2, NONCE_2_SIZE); content[OFF_BYTE_ZERO] = 0x00; //fill zero in byte offset 30 content[OFF_BYTE_0X80] = 0x80; //fill 0x80 in byte offset 31 //get the cmac of provision key as PWK2 se_static_assert(sizeof(sgx_cmac_128bit_key_t)==sizeof(key_tmp)); /*size of sgx_cmac_128bit_key_t should be same as sgx_key_128bit_t*/ se_static_assert(sizeof(sgx_cmac_128bit_tag_t)==sizeof(sgx_key_128bit_t)); /*size of sgx_cmac_128bit_tag_t should be same as sgx_key_128bit_t*/ if((sgx_status = sgx_rijndael128_cmac_msg(reinterpret_cast<const sgx_cmac_128bit_key_t *>(&key_tmp), reinterpret_cast<const uint8_t *>(content), sizeof(content), reinterpret_cast<sgx_cmac_128bit_tag_t *>(wrap_key)))!=SGX_SUCCESS){ status = sgx_error_to_pve_error(sgx_status); }else{ status = PVEC_SUCCESS; } ret_point: (void)memset_s(&key_tmp,sizeof(key_tmp), 0 ,sizeof(key_tmp)); //clear provisioninig key in stack return status; }
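// Trusted handler for remote-attestation message 2.
//
// Steps, in order:
//   1. Validate the arguments and look up the session item for `context`.
//   2. Under the item lock, require state ra_get_gaed and snapshot the enclave's
//      private key a, its public key g_a, the service provider public key and
//      the optional KDF callback.
//   3. Compute the ECDH shared secret from a and p_msg2->g_b.
//   4. Verify the ECDSA signature p_msg2->sign_gb_ga over (g_b || g_a) with sp_pubkey.
//   5. Derive SMK/SK/MK/VK through the callback, or through derive_key() when
//      kdf_id is 0x0001; any other kdf_id yields SGX_ERROR_KDF_MISMATCH.
//   6. Check the CMAC over msg2 (all bytes before the mac field) under SMK,
//      compared in constant time.
//   7. Generate the quote nonce, re-take the lock, re-check the state, store the
//      session keys and inputs, build REPORTDATA and create the report for the QE.
//
// Returns SGX_SUCCESS or one of SGX_ERROR_INVALID_PARAMETER, SGX_ERROR_INVALID_STATE,
// SGX_ERROR_INVALID_SIGNATURE, SGX_ERROR_KDF_MISMATCH, SGX_ERROR_MAC_MISMATCH,
// SGX_ERROR_OUT_OF_MEMORY, SGX_ERROR_UNEXPECTED.
//
// Every path taken after the private key has been copied out of the session item
// goes through the common cleanup at the end, so a, the DH secret and the derived
// keys are scrubbed on failure as well as on success.
extern "C" sgx_status_t sgx_ra_proc_msg2_trusted(
    sgx_ra_context_t context,
    const sgx_ra_msg2_t *p_msg2,            //(g_b||spid||quote_type|| KDF_ID ||sign_gb_ga||cmac||sig_rl_size||sig_rl)
    const sgx_target_info_t *p_qe_target,
    sgx_report_t *p_report,
    sgx_quote_nonce_t* p_nonce)
{
    sgx_status_t se_ret = SGX_ERROR_UNEXPECTED;
    //p_msg2[in] p_qe_target[in] p_report[out] p_nonce[out] in EDL file
    if(vector_size(&g_ra_db) <= context
       || !p_msg2
       || !p_qe_target
       || !p_report
       || !p_nonce)
        return SGX_ERROR_INVALID_PARAMETER;

    ra_db_item_t* item = NULL;
    if(0 != vector_get(&g_ra_db, context, reinterpret_cast<void**>(&item)) || item == NULL )
        return SGX_ERROR_INVALID_PARAMETER;

    sgx_ec256_private_t a;
    memset(&a, 0, sizeof(a));
    // Create gb_ga
    sgx_ec256_public_t gb_ga[2];
    sgx_ec256_public_t sp_pubkey;
    sgx_ec_key_128bit_t smkey = {0};
    sgx_ec_key_128bit_t skey = {0};
    sgx_ec_key_128bit_t mkey = {0};
    sgx_ec_key_128bit_t vkey = {0};
    sgx_ra_derive_secret_keys_t ra_key_cb = NULL;
    sgx_ec256_dh_shared_t dh_key;
    sgx_ecc_state_handle_t ecc_state = NULL;
    bool ecc_opened = false;    // close the context only if it was opened here

    memset(&gb_ga[0], 0, sizeof(gb_ga));
    memset(&dh_key, 0, sizeof(dh_key));

    sgx_spin_lock(&item->item_lock);
    //sgx_ra_get_ga must have been called
    if (item->state != ra_get_gaed)
    {
        sgx_spin_unlock(&item->item_lock);
        return SGX_ERROR_INVALID_STATE;
    }
    // Snapshot what is needed so the crypto below runs without holding the lock.
    memcpy(&a, &item->a, sizeof(a));
    memcpy(&gb_ga[1], &item->g_a, sizeof(gb_ga[1]));
    memcpy(&sp_pubkey, &item->sp_pubkey, sizeof(sp_pubkey));
    ra_key_cb = DEC_KDF_POINTER(item->derive_key_cb);
    sgx_spin_unlock(&item->item_lock);
    memcpy(&gb_ga[0], &p_msg2->g_b, sizeof(gb_ga[0]));

    // From here on `a` holds the private key: leave only via `break` so that
    // the cleanup after the loop always runs.
    do
    {
        // ecc_state need to be freed when exit.
        se_ret = sgx_ecc256_open_context(&ecc_state);
        if (SGX_SUCCESS != se_ret)
        {
            if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
                se_ret = SGX_ERROR_UNEXPECTED;
            break;
        }
        ecc_opened = true;

        sgx_ec256_public_t* p_msg2_g_b = const_cast<sgx_ec256_public_t*>(&p_msg2->g_b);
        se_ret = sgx_ecc256_compute_shared_dhkey(&a,
            (sgx_ec256_public_t*)p_msg2_g_b,
            &dh_key, ecc_state);
        if(SGX_SUCCESS != se_ret)
        {
            if (SGX_ERROR_OUT_OF_MEMORY != se_ret)
                se_ret = SGX_ERROR_UNEXPECTED;
            break;
        }

        // Verify signature of gb_ga
        uint8_t result;
        sgx_ec256_signature_t* p_msg2_sign_gb_ga = const_cast<sgx_ec256_signature_t*>(&p_msg2->sign_gb_ga);
        se_ret = sgx_ecdsa_verify(reinterpret_cast<uint8_t *>(&gb_ga),
            sizeof(gb_ga),
            &sp_pubkey,
            p_msg2_sign_gb_ga,
            &result,
            ecc_state);
        if(SGX_SUCCESS != se_ret)
        {
            if (SGX_ERROR_OUT_OF_MEMORY != se_ret)
                se_ret = SGX_ERROR_UNEXPECTED;
            break;
        }
        if(SGX_EC_VALID != result)
        {
            se_ret = SGX_ERROR_INVALID_SIGNATURE;
            break;
        }

        if(NULL != ra_key_cb)
        {
            // Caller-registered KDF: only a fixed set of its errors is passed through.
            se_ret = ra_key_cb(&dh_key,
                               p_msg2->kdf_id,
                               &smkey,
                               &skey,
                               &mkey,
                               &vkey);
            if (SGX_SUCCESS != se_ret)
            {
                if(SGX_ERROR_OUT_OF_MEMORY != se_ret &&
                   SGX_ERROR_INVALID_PARAMETER != se_ret &&
                   SGX_ERROR_KDF_MISMATCH != se_ret)
                    se_ret = SGX_ERROR_UNEXPECTED;
                break;
            }
        }
        else if (p_msg2->kdf_id == 0x0001)
        {
            // Built-in KDF: one derive_key() call per label.
            se_ret = derive_key(&dh_key, "SMK", (uint32_t)(sizeof("SMK") -1), &smkey);
            if (SGX_SUCCESS != se_ret)
            {
                if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
                    se_ret = SGX_ERROR_UNEXPECTED;
                break;
            }
            se_ret = derive_key(&dh_key, "SK", (uint32_t)(sizeof("SK") -1), &skey);
            if (SGX_SUCCESS != se_ret)
            {
                if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
                    se_ret = SGX_ERROR_UNEXPECTED;
                break;
            }
            se_ret = derive_key(&dh_key, "MK", (uint32_t)(sizeof("MK") -1), &mkey);
            if (SGX_SUCCESS != se_ret)
            {
                if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
                    se_ret = SGX_ERROR_UNEXPECTED;
                break;
            }
            se_ret = derive_key(&dh_key, "VK", (uint32_t)(sizeof("VK") -1), &vkey);
            if (SGX_SUCCESS != se_ret)
            {
                if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
                    se_ret = SGX_ERROR_UNEXPECTED;
                break;
            }
        }
        else
        {
            se_ret = SGX_ERROR_KDF_MISMATCH;
            break;
        }

        // MAC covers every byte of msg2 that precedes its mac field.
        sgx_cmac_128bit_tag_t mac;
        uint32_t maced_size = offsetof(sgx_ra_msg2_t, mac);

        se_ret = sgx_rijndael128_cmac_msg(&smkey, (const uint8_t *)p_msg2, maced_size, &mac);
        if (SGX_SUCCESS != se_ret)
        {
            if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
                se_ret = SGX_ERROR_UNEXPECTED;
            break;
        }
        //Check mac
        if(0 == consttime_memequal(mac, p_msg2->mac, sizeof(mac)))
        {
            se_ret = SGX_ERROR_MAC_MISMATCH;
            break;
        }

        //create a nonce
        se_ret = sgx_read_rand((uint8_t*)p_nonce, sizeof(sgx_quote_nonce_t));
        if (SGX_SUCCESS != se_ret)
        {
            if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
                se_ret = SGX_ERROR_UNEXPECTED;
            break;
        }

        sgx_spin_lock(&item->item_lock);
        //sgx_ra_get_ga must have been called
        // Re-checked because the lock was released while the crypto above ran.
        if (item->state != ra_get_gaed)
        {
            se_ret = SGX_ERROR_INVALID_STATE;
            sgx_spin_unlock(&item->item_lock);
            break;
        }
        memcpy(&item->g_b, &p_msg2->g_b, sizeof(item->g_b));
        memcpy(&item->smk_key, smkey, sizeof(item->smk_key));
        memcpy(&item->sk_key, skey, sizeof(item->sk_key));
        memcpy(&item->mk_key, mkey, sizeof(item->mk_key));
        memcpy(&item->vk_key, vkey, sizeof(item->vk_key));
        memcpy(&item->qe_target, p_qe_target, sizeof(sgx_target_info_t));
        memcpy(&item->quote_nonce, p_nonce, sizeof(sgx_quote_nonce_t));

        sgx_report_data_t report_data = {{0}};
        se_static_assert(sizeof(sgx_report_data_t)>=sizeof(sgx_sha256_hash_t));
        // H = SHA256(ga || gb || VK_CMAC)
        // The hash input is the item's bytes from g_a up to (not including) sp_pubkey;
        // NOTE(review): this relies on the field order of ra_db_item_t, declared elsewhere - confirm.
        uint32_t sha256ed_size = offsetof(ra_db_item_t, sp_pubkey);
        //report_data is 512bits, H is 256bits. The H is in the lower 256 bits of report data while the higher 256 bits are all zeros.
        se_ret = sgx_sha256_msg((uint8_t *)&item->g_a, sha256ed_size,
                                (sgx_sha256_hash_t *)&report_data);
        if(SGX_SUCCESS != se_ret)
        {
            if (SGX_ERROR_OUT_OF_MEMORY != se_ret)
                se_ret = SGX_ERROR_UNEXPECTED;
            sgx_spin_unlock(&item->item_lock);
            break;
        }

        //REPORTDATA = H
        se_ret = sgx_create_report(p_qe_target, &report_data, p_report);
        if (SGX_SUCCESS != se_ret)
        {
            if(SGX_ERROR_OUT_OF_MEMORY != se_ret)
                se_ret = SGX_ERROR_UNEXPECTED;
            sgx_spin_unlock(&item->item_lock);
            break;
        }
        item->state = ra_proc_msg2ed;
        sgx_spin_unlock(&item->item_lock);
    }while(0);

    // Common cleanup: scrub every secret held on the stack and release the ECC context.
    memset_s(&dh_key, sizeof(dh_key), 0, sizeof(dh_key));
    if (ecc_opened)
        sgx_ecc256_close_context(ecc_state);
    memset_s(&a, sizeof(sgx_ec256_private_t),0, sizeof(sgx_ec256_private_t));
    memset_s(smkey, sizeof(sgx_ec_key_128bit_t),0, sizeof(sgx_ec_key_128bit_t));
    memset_s(skey, sizeof(sgx_ec_key_128bit_t),0, sizeof(sgx_ec_key_128bit_t));
    memset_s(mkey, sizeof(sgx_ec_key_128bit_t),0, sizeof(sgx_ec_key_128bit_t));
    memset_s(vkey, sizeof(sgx_ec_key_128bit_t),0, sizeof(sgx_ec_key_128bit_t));
    return se_ret;
}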
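//Function to decode ProvMsg4 and generate epid data blob
//
// data      - provisioning session data; its xid and sk are used here.
// msg4      - raw ProvMsg4 (header followed by TLVs), msg4_size bytes.
// data_blob - output buffer passed to the PvE as proc_prov_msg4_output_t.
// blob_size - must equal SGX_TRUSTED_EPID_BLOB_SIZE_PAK.
//
// Flow: validate sizes and header, match the XID, decode and check the top-level
// TLVs, derive EK2 = AES-CMAC(sk, xid || nonce), AES-GCM-decrypt field 1 with EK2
// (AAD = header || nonce), decode and check the inner TLVs, copy them into the
// PvE input structure, read the extended EPID group blob, load the PvE and hand
// the input to it.
//
// Returns AE_SUCCESS or an ae/pve error code. The decrypted buffer is released on
// every path that leaves through the end of the function.
//
// NOTE(review): local_ek2 and the decrypted plaintext in decoded_msg4 are released
// without being zeroized; consider scrubbing both with the project's secure-memset
// helper if one is available in this translation unit.
uint32_t CPVEClass::proc_prov_msg4(
    const pve_data_t &data,
    const uint8_t *msg4,
    uint32_t msg4_size,
    uint8_t *data_blob,
    uint32_t blob_size)
{
    ae_error_t ret = AE_SUCCESS;
    uint8_t local_ek2[SK_SIZE];
    uint8_t *decoded_msg4 = NULL;
    uint8_t temp[XID_SIZE+NONCE_SIZE];
    sgx_status_t sgx_status;
    const provision_response_header_t *msg4_header = reinterpret_cast<const provision_response_header_t *>(msg4);

    // The header is only dereferenced after this size check.
    if(msg4_size < PROVISION_RESPONSE_HEADER_SIZE){
        AESM_DBG_ERROR("invalid msg4 size");
        return PVE_MSG_ERROR;
    }
    if (blob_size != SGX_TRUSTED_EPID_BLOB_SIZE_PAK){
        AESM_DBG_FATAL("invalid input epid blob size");
        return PVE_PARAMETER_ERROR;
    }

    ret = check_prov_msg4_header(msg4_header, msg4_size);
    if( AE_SUCCESS != ret){
        AESM_DBG_ERROR("Invalid ProvMsg4 Header:(ae%d)",ret);
        return ret;
    }
    // The response must belong to the transaction this session started.
    if(0!=memcmp(msg4_header->xid, data.xid, XID_SIZE)){
        AESM_DBG_ERROR("Invalid XID in msg4 header");
        return PVE_MSG_ERROR;
    }
    ret = check_epid_pve_pg_status_before_mac_verification(msg4_header);
    if( AE_SUCCESS != ret){
        AESM_DBG_ERROR("Backend return failure in ProvMsg4 Header:(ae%d)",ret);
        return ret;
    }

    do{
        TLVsMsg tlvs_msg4;
        uint8_t aad[PROVISION_RESPONSE_HEADER_SIZE+NONCE_SIZE];
        tlv_status_t tlv_status;
        tlv_status = tlvs_msg4.init_from_buffer(msg4+static_cast<uint32_t>(PROVISION_RESPONSE_HEADER_SIZE), msg4_size - static_cast<uint32_t>(PROVISION_RESPONSE_HEADER_SIZE));
        ret = tlv_error_2_pve_error(tlv_status);
        if(AE_SUCCESS!=ret){
            AESM_DBG_ERROR("fail to decode ProvMsg4:(ae%d)",ret);
            break;
        }
        ret = msg4_integrity_checking(tlvs_msg4);
        if(AE_SUCCESS != ret){
            AESM_DBG_ERROR("ProvMsg4 integrity checking error:(ae%d)",ret);
            break;
        }
        AESM_DBG_TRACE("ProvMsg4 decoded");

        // EK2 input: xid || nonce from the message.
        // NOTE(review): NONCE_SIZE bytes are read from the nonce TLV payload here;
        // presumably msg4_integrity_checking() has validated that TLV's size - confirm.
        se_static_assert(sizeof(sgx_cmac_128bit_key_t)==SK_SIZE);
        if(0!=memcpy_s(temp,sizeof(temp), data.xid, XID_SIZE)||
            0!=memcpy_s(temp+XID_SIZE, sizeof(temp)-XID_SIZE, MSG4_TOP_FIELD_NONCE.payload, NONCE_SIZE)){
                AESM_DBG_ERROR("Fail in memcpy");
                ret = AE_FAILURE;
                break;
        }
        if((sgx_status=sgx_rijndael128_cmac_msg(reinterpret_cast<const sgx_cmac_128bit_key_t *>(data.sk),
            temp, XID_SIZE+NONCE_SIZE, reinterpret_cast<sgx_cmac_128bit_tag_t *>(local_ek2)))!=SGX_SUCCESS){
                AESM_DBG_ERROR("Fail to generate ek2:(sgx0x%x)",sgx_status);
                ret = AE_FAILURE;
                break;
        }

        se_static_assert(SK_SIZE==sizeof(sgx_aes_gcm_128bit_key_t));
        tlv_msg_t field1 = block_cipher_tlv_get_encrypted_text(MSG4_TOP_FIELD_DATA);
        decoded_msg4 = reinterpret_cast<uint8_t *>(malloc(field1.msg_size));
        if(NULL == decoded_msg4){
            AESM_DBG_ERROR("malloc error");
            ret = AE_OUT_OF_MEMORY_ERROR;
            break;
        }
        // AAD = response header || nonce, so both are authenticated by the GCM tag.
        if (memcpy_s(aad, sizeof(aad), msg4_header, PROVISION_RESPONSE_HEADER_SIZE) != 0 ||
            memcpy_s(aad + PROVISION_RESPONSE_HEADER_SIZE, sizeof(aad)-PROVISION_RESPONSE_HEADER_SIZE,
            MSG4_TOP_FIELD_NONCE.payload, MSG4_TOP_FIELD_NONCE.size) != 0){
                AESM_DBG_ERROR("memcpy failure");
                ret = AE_FAILURE;
                break;
        }
        // Reuses the function-level sgx_status instead of declaring a shadowing local.
        sgx_status = sgx_rijndael128GCM_decrypt(reinterpret_cast<const sgx_aes_gcm_128bit_key_t *>(local_ek2),
            field1.msg_buf, field1.msg_size, decoded_msg4,
            reinterpret_cast<uint8_t *>(block_cipher_tlv_get_iv(MSG4_TOP_FIELD_DATA)), IV_SIZE,
            aad, sizeof(aad),
            reinterpret_cast<const sgx_aes_gcm_128bit_tag_t *>(MSG4_TOP_FIELD_MAC.payload));
        if(SGX_ERROR_MAC_MISMATCH == sgx_status){
            AESM_DBG_ERROR("fail to decrypt ProvMsg4 by EK2 (sgx0x%x)",sgx_status);
            ret = PVE_INTEGRITY_CHECK_ERROR;
            break;
        }
        if( AE_SUCCESS != (ret = sgx_error_to_ae_error(sgx_status))){
            AESM_DBG_ERROR("error in decrypting ProvMsg4:(sgx0x%x)",sgx_status);
            break;
        }
        AESM_DBG_TRACE("ProvMsg4 decrypted by EK2 successfully");

        // Status fields in the header are trusted only now that the tag has verified.
        ret = check_epid_pve_pg_status_after_mac_verification(msg4_header);
        if(AE_SUCCESS != ret){
            AESM_DBG_ERROR("Backend reported error passed MAC verification:(ae%d)",ret);
            break;
        }
        TLVsMsg tlvs_field1;
        tlv_status = tlvs_field1.init_from_buffer(decoded_msg4, field1.msg_size);
        ret = tlv_error_2_pve_error(tlv_status);
        if(AE_SUCCESS != ret){
            AESM_DBG_ERROR("ProvMsg4 Field2.1 decoding failed:(ae%d)",ret);
            break;
        }
        ret = msg4_field1_msg_checking(tlvs_field1);
        if( AE_SUCCESS != ret){
            AESM_DBG_ERROR("ProvMsg4 Field2.1 invalid:(ae%d)",ret);
            break;
        }

        // Copy the decoded fields into the fixed-size PvE input; memcpy_s rejects
        // any source that is larger than its destination field.
        proc_prov_msg4_input_t msg4_input;
        tlv_msg_t Axf_data = block_cipher_tlv_get_encrypted_text(MSG4_FIELD1_ENC_Axf);
        if(0!=memcpy_s(&msg4_input.group_cert, sizeof(msg4_input.group_cert), MSG4_FIELD1_GROUP_CERT.payload, MSG4_FIELD1_GROUP_CERT.size)||
            0!=memcpy_s(&msg4_input.n2, NONCE_2_SIZE, MSG4_FIELD1_Nonce2.payload, MSG4_FIELD1_Nonce2.size) ||
            0!=memcpy_s(&msg4_input.equivalent_psvn, sizeof(psvn_t), platform_info_tlv_get_psvn(MSG4_FIELD1_PLATFORM_INFO), sizeof(psvn_t))||
            0!=memcpy_s(&msg4_input.fmsp, sizeof(fmsp_t), platform_info_tlv_get_fmsp(MSG4_FIELD1_PLATFORM_INFO), sizeof(fmsp_t))||
            0!=memcpy_s(&msg4_input.member_credential_iv, IV_SIZE, block_cipher_tlv_get_iv(MSG4_FIELD1_ENC_Axf), IV_SIZE)||
            0!=memcpy_s(&msg4_input.encrypted_member_credential, HARD_CODED_EPID_MEMBER_WITH_ESCROW_TLV_SIZE, Axf_data.msg_buf, Axf_data.msg_size)||
            0!=memcpy_s(&msg4_input.member_credential_mac, MAC_SIZE, MSG4_FIELD1_MAC_Axf.payload, MSG4_FIELD1_MAC_Axf.size)){
                AESM_DBG_ERROR("memcpy error");
                ret = PVE_UNEXPECTED_ERROR;
                break;
        }
        if (AE_SUCCESS != (ret =XEGDBlob::instance().read(msg4_input.xegb))){
            AESM_DBG_ERROR("Fail to read extend epid blob info (ae%d)",ret);
            // Leave through the common exit so decoded_msg4 is freed.
            break;
        }

        ret = CPVEClass::instance().load_enclave();//Load PvE enclave now
        if( ret != AE_SUCCESS){
            AESM_DBG_ERROR("Fail to load PvE enclave:(ae%d)\n",ret);
            break;
        }
        ret = (ae_error_t)proc_prov_msg4_data(&msg4_input, reinterpret_cast<proc_prov_msg4_output_t *>(data_blob));
        AESM_DBG_TRACE("PvE return (ae%d) in Process ProvMsg4",ret);
    }while(0);

    if(decoded_msg4)free(decoded_msg4);
    return ret;
}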
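// Builds ProvMsg1 into msg1 (header followed by TLVs).
//
// pve_data  - provisioning session data; pek is read, xid/sk/bpi are written here.
// msg1      - output buffer; the request header occupies its beginning.
// msg1_size - size of msg1 in bytes.
//
// Flow: load the PCE and fetch its target info, have the PvE produce a report on
// the PEK, obtain pce_id / pce_isv_svn / encrypted PPID from the PCE, generate a
// random XID and SK, write the header, RSA-OAEP-encrypt {SK, PSID} under the PEK
// (field 0), then AES-GCM-encrypt {encrypted PPID, platform info, optional flags}
// under EK1 = AES-CMAC(SK, XID) with the header as AAD (field 1 plus MAC).
//
// Returns AE_SUCCESS or an ae/pve error code.
//
// NOTE(review): ek1 is left on the stack when the function returns; consider
// scrubbing it with the project's secure-memset helper if one is available here.
// NOTE(review): CPCEClass::instance().unload_enclave() is reached only after SK
// generation succeeds; the earlier error returns skip it - confirm that is intended.
uint32_t CPVEClass::gen_prov_msg1(
    pve_data_t &pve_data,
    uint8_t *msg1,
    uint32_t msg1_size)
{
    uint32_t ret = AE_SUCCESS;
    uint16_t pce_id = 0;
    uint16_t pce_isv_svn = 0;
    sgx_report_t pek_report;
    uint8_t *field2 = NULL;
    uint8_t field2_iv[IV_SIZE];
    uint8_t field2_mac[MAC_SIZE];
    uint8_t encrypted_ppid[RSA_3072_KEY_BYTES];
    //msg1 header will be in the beginning part of the output msg
    provision_request_header_t *msg1_header = reinterpret_cast<provision_request_header_t *>(msg1);
    memset(&pek_report, 0, sizeof(pek_report));
    sgx_target_info_t pce_target_info;
    sgx_status_t sgx_status;

    //Load PCE Enclave required
    ret = CPCEClass::instance().load_enclave();
    if(ret != AE_SUCCESS){
        AESM_DBG_ERROR("Fail to load PCE enclave:( ae%d)\n",ret);
        return ret;
    }
    ret = CPCEClass::instance().get_pce_target(&pce_target_info);
    if(ret != AE_SUCCESS){
        AESM_DBG_ERROR("Fail to get PCE target info:( ae %d)\n",ret);
        return ret;
    }

    //Load PvE enclave now
    ret = CPVEClass::instance().load_enclave();
    if( ret != AE_SUCCESS){
        AESM_DBG_ERROR("Fail to load PvE enclave:(ae%d)\n",ret);
        return ret;
    }
    //The code will generate a report on PEK by PvE
    ret = gen_prov_msg1_data(&pve_data.pek, &pce_target_info, &pek_report);
    if(AE_SUCCESS != ret ){
        AESM_DBG_ERROR("Gen ProvMsg1 in trusted code failed:( ae %d)",ret);
        return ret;
    }
    se_static_assert(sizeof(encrypted_ppid)==PEK_MOD_SIZE);
    //Load PCE Enclave required
    ret = CPCEClass::instance().load_enclave();
    if(ret != AE_SUCCESS){
        AESM_DBG_ERROR("Fail to load PCE enclave:( ae %d)\n",ret);
        return ret;
    }
    ret = CPCEClass::instance().get_pce_info(pek_report, pve_data.pek, pce_id,
        pce_isv_svn, encrypted_ppid);
    if(AE_SUCCESS != ret){
        AESM_DBG_ERROR("Fail to generate pc_info:(ae%d)",ret);
        return ret;
    }

    //randomly generate XID
    ret = aesm_read_rand(pve_data.xid, XID_SIZE);
    if(AE_SUCCESS != ret ){
        AESM_DBG_ERROR("Fail to generate random XID (ae%d)",ret);
        return ret;
    }
    //randomly generate SK
    ret = aesm_read_rand(pve_data.sk, SK_SIZE);
    if(AE_SUCCESS != ret ){
        AESM_DBG_ERROR("Fail to generate random SK (ae%d)",ret);
        return ret;
    }
    CPCEClass::instance().unload_enclave();
    ret = prov_msg1_gen_header(msg1_header, pve_data.is_performance_rekey, pve_data.xid, msg1_size);
    if(AE_SUCCESS != ret){
        AESM_DBG_ERROR("fail to generate ProvMsg1 Header:(ae %d)",ret);
        return ret;
    }

    {
        TLVsMsg tlvs_msg1_sub;
        tlv_status_t tlv_status;

        sgx_sha256_hash_t psid;
        tlv_status = tlvs_msg1_sub.add_block_cipher_info(pve_data.sk);
        ret = tlv_error_2_pve_error(tlv_status);
        if(AE_SUCCESS!=ret){
            AESM_DBG_ERROR("Fail to generate SK TLV of ProvMsg1 (ae %d)",ret);
            return ret;
        }
        // PSID = SHA-256 over the PEK modulus and exponent.
        // NOTE(review): hashing sizeof(n)+sizeof(e) bytes from &pek.n assumes e
        // directly follows n in the PEK structure, declared elsewhere - confirm.
        sgx_status = sgx_sha256_msg(reinterpret_cast<const uint8_t *>(&pve_data.pek.n),
            static_cast<uint32_t>(sizeof(pve_data.pek.n) + sizeof(pve_data.pek.e)), &psid);
        if(SGX_SUCCESS != sgx_status){
            AESM_DBG_ERROR("Fail to generate PSID, (sgx0x%x)",sgx_status);
            return AE_FAILURE;
        }

        se_static_assert(sizeof(sgx_sha256_hash_t)==sizeof(psid_t));
        tlv_status = tlvs_msg1_sub.add_psid(reinterpret_cast<const psid_t *>(&psid));
        ret = tlv_error_2_pve_error(tlv_status);
        // ret carries an ae/pve code here, so compare against AE_SUCCESS like
        // every other check on tlv_error_2_pve_error() in this function.
        if(AE_SUCCESS != ret){
            AESM_DBG_ERROR("Fail to add PSID TLV ae(%d)",ret);
            return ret;
        }
        //transform rsa format PEK public key of Provision Server
        void *rsa_pub_key = NULL;
        signed_pek_t le_pek{};

        // Change the endian for the PEK public key
        for(uint32_t i = 0; i< sizeof(le_pek.n); i++)
        {
            le_pek.n[i] = pve_data.pek.n[sizeof(le_pek.n) - i - 1];
        }
        for(uint32_t i= 0; i < sizeof(le_pek.e); i++)
        {
            le_pek.e[i] = pve_data.pek.e[sizeof(le_pek.e) - i - 1];
        }

        sgx_status = get_provision_server_rsa_pub_key(le_pek, &rsa_pub_key);
        if( SGX_SUCCESS != sgx_status){
            AESM_DBG_ERROR("Fail to decode PEK:%d",sgx_status);
            return AE_FAILURE;
        }
        uint8_t field0[RSA_3072_KEY_BYTES];
        ret = aesm_rsa_oaep_encrypt(tlvs_msg1_sub.get_tlv_msg(), tlvs_msg1_sub.get_tlv_msg_size(), rsa_pub_key, field0);
        // The RSA key object is released before the result is inspected, so no path leaks it.
        sgx_free_rsa_key(rsa_pub_key, SGX_RSA_PUBLIC_KEY, RSA_3072_KEY_BYTES, sizeof(le_pek.e));
        if(AE_SUCCESS!=ret){
            AESM_DBG_ERROR("Fail to in RSA_OAEP for ProvMsg1:(ae%d)",ret);
            return ret;
        }
        TLVsMsg tlvs_msg1;
        tlv_status= tlvs_msg1.add_cipher_text(field0, RSA_3072_KEY_BYTES, PEK_3072_PUB);
        ret = tlv_error_2_pve_error(tlv_status);
        if(AE_SUCCESS!=ret){
            AESM_DBG_ERROR("Fail to generate field0 TLV of ProvMsg1( ae%d)",ret);
            return ret;
        }

        TLVsMsg tlvs_msg2_sub;
        tlv_status = tlvs_msg2_sub.add_cipher_text(encrypted_ppid, RSA_3072_KEY_BYTES, PEK_3072_PUB);
        ret = tlv_error_2_pve_error(tlv_status);
        if(AE_SUCCESS!=ret){
            return ret;
        }

        // Outside backup retrieval, the platform SVNs come from the PEK report and the PCE.
        if(!pve_data.is_backup_retrieval){
            if(0!=memcpy_s(&pve_data.bpi.cpu_svn, sizeof(pve_data.bpi.cpu_svn),
                &pek_report.body.cpu_svn, sizeof(pek_report.body.cpu_svn))){
                    AESM_DBG_FATAL("fail in memcpy_s");
                    return PVE_UNEXPECTED_ERROR;
            }
            if(0!=memcpy_s(&pve_data.bpi.pve_svn, sizeof(pve_data.bpi.pve_svn),
                &pek_report.body.isv_svn, sizeof(pek_report.body.isv_svn))){
                    AESM_DBG_FATAL("fail in memcpy_s");
                    return PVE_UNEXPECTED_ERROR;
            }
            if(0!=memcpy_s(&pve_data.bpi.pce_svn, sizeof(pve_data.bpi.pce_svn),
                &pce_isv_svn, sizeof(pce_isv_svn))){
                    AESM_DBG_FATAL("fail in memcpy_s");
                    return PVE_UNEXPECTED_ERROR;
            }
        }
        //always use pce_id from PCE enclave
        pve_data.bpi.pce_id = pce_id;
        memset(&pve_data.bpi.fmsp, 0, sizeof(pve_data.bpi.fmsp));
        tlv_status = tlvs_msg2_sub.add_platform_info(pve_data.bpi);
        ret = tlv_error_2_pve_error(tlv_status);
        if(AE_SUCCESS != ret){
            AESM_DBG_ERROR("Fail to generate Platform Info TLV of ProvMsg1 (ae%d)",ret);
            return ret;
        }
        if(pve_data.is_performance_rekey){
            flags_t flags;
            memset(&flags,0,sizeof(flags));
            //set performance rekey flags
            flags.flags[FLAGS_SIZE-1]=1;
            tlv_status = tlvs_msg2_sub.add_flags(&flags);
            ret = tlv_error_2_pve_error(tlv_status);
            if(AE_SUCCESS != ret){
                AESM_DBG_ERROR("Fail to generate FLAGS TLV of ProvMsg1, (ae %d)",ret);
                return ret;
            }
        }

        // Fresh random IV for the AES-GCM encryption of field 1.
        ret = aesm_read_rand(field2_iv, IV_SIZE);
        if(AE_SUCCESS != ret){
            AESM_DBG_ERROR("Fail to read rand:(ae%d)",ret);
            return ret;
        }
        // EK1 = AES-CMAC(SK, XID)
        sgx_cmac_128bit_tag_t ek1;
        se_static_assert(SK_SIZE==sizeof(sgx_cmac_128bit_key_t));
        if((sgx_status = sgx_rijndael128_cmac_msg(reinterpret_cast<const sgx_cmac_128bit_key_t *>(pve_data.sk),
             pve_data.xid, XID_SIZE, &ek1))!=SGX_SUCCESS){
                 AESM_DBG_ERROR("Fail to generate ek1:(sgx%d)",sgx_status);
                 return AE_FAILURE;
        }

        field2 = (uint8_t *)malloc(tlvs_msg2_sub.get_tlv_msg_size());
        if(NULL == field2){
            AESM_DBG_ERROR("Out of memory");
            return AE_OUT_OF_MEMORY_ERROR;
        }

        // The request header is bound to the ciphertext as AAD.
        sgx_status = sgx_rijndael128GCM_encrypt(&ek1,
            tlvs_msg2_sub.get_tlv_msg(), tlvs_msg2_sub.get_tlv_msg_size(),
            field2,field2_iv, IV_SIZE, (const uint8_t *)msg1_header, sizeof(provision_request_header_t),
            (sgx_aes_gcm_128bit_tag_t *)field2_mac);
        if(SGX_SUCCESS != sgx_status){
            ret = sgx_error_to_ae_error(sgx_status);
            AESM_DBG_ERROR("Fail to do AES encrypt (sgx %d)", sgx_status);
            free(field2);
            return ret;
        }

        tlv_status = tlvs_msg1.add_block_cipher_text(field2_iv, field2, tlvs_msg2_sub.get_tlv_msg_size());
        ret = tlv_error_2_pve_error(tlv_status);
        if(AE_SUCCESS!=ret){
            free(field2);
            AESM_DBG_ERROR("Fail to generate field1 TLV of ProvMsg1(ae%d)",ret);
            return ret;
        }

        free(field2);
        tlv_status = tlvs_msg1.add_mac(field2_mac);
        ret = tlv_error_2_pve_error(tlv_status);
        if(AE_SUCCESS!=ret){
            AESM_DBG_ERROR("Fail to create field2 TLV of ProvMsg1:(ae %d)",ret);
            return ret;
        }
        uint32_t size = tlvs_msg1.get_tlv_msg_size();
        if(memcpy_s(msg1+PROVISION_REQUEST_HEADER_SIZE, msg1_size - PROVISION_REQUEST_HEADER_SIZE,
            tlvs_msg1.get_tlv_msg(), size)!=0){
                //The size overflow has been checked in header generation
                AESM_DBG_FATAL("fail in memcpy_s");
                return PVE_UNEXPECTED_ERROR;
        }
    }
    return AE_SUCCESS;
}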