Пример #1
0
static int
tweak_generic_bytes(struct vsb *vsb, volatile ssize_t *dest, const char *arg,
    const char *min, const char *max)
{
	uintmax_t r, rmin = 0, rmax = 0;
	const char *p;

	if (arg != NULL) {
		if (min != NULL) {
			p = VNUM_2bytes(min, &rmin, 0);
			if (p != NULL) {
				VSB_printf(vsb, "Invalid min-val: %s\n", min);
				return (-1);
			}
		}
		if (max != NULL) {
			p = VNUM_2bytes(max, &rmax, 0);
			if (p != NULL) {
				VSB_printf(vsb, "Invalid max-val: %s\n", max);
				return (-1);
			}
		}
		p = VNUM_2bytes(arg, &r, 0);
		if (p != NULL) {
			VSB_printf(vsb, "Could not convert to bytes.\n");
			VSB_printf(vsb, "%s\n", p);
			VSB_printf(vsb,
			    "  Try something like '80k' or '120M'\n");
			return (-1);
		}
		if ((uintmax_t)((ssize_t)r) != r) {
			fmt_bytes(vsb, r);
			VSB_printf(vsb,
			    " is too large for this architecture.\n");
			return (-1);
		}
		if (max != NULL && r > rmax) {
			VSB_printf(vsb, "Must be no more than %s\n", max);
			VSB_printf(vsb, "\n");
			return (-1);
		}
		if (min != NULL && r < rmin) {
			VSB_printf(vsb, "Must be at least %s\n", min);
			return (-1);
		}
		*dest = r;
	} else {
		fmt_bytes(vsb, *dest);
	}
	return (0);
}
Пример #2
0
void cmd_measure(char *binary, char *size, char *offset, char *code_start, char *code_end,
                 char *data_start, char *data_end, char *entry)
{
    FILE *fp = NULL;
    unsigned char *buffer;
    long nbytes;
    int n;

    nbytes = atoi(size);
    buffer = malloc(nbytes);
    memset(buffer, 0, nbytes);

    fp = fopen(binary, "rb");
    if (fp == NULL)
        return;

    n = fread(buffer, nbytes, 1, fp);
    // XXX: fread will return 0 when MAX_BUFFER_SIZE > BINARY SIZE
	if (n < 0)
        return;

    long ecode_size = strtol(code_end, NULL, 16) - strtol(code_start, NULL, 16);
    long edata_size = strtol(data_end, NULL, 16) - strtol(data_start, NULL, 16);
    int ecode_page_n = ((ecode_size - 1) / PAGE_SIZE) + 1;
    int edata_page_n = ((edata_size - 1) / PAGE_SIZE) + 1;
    int n_of_pages = ecode_page_n + edata_page_n;
    long code_offset = strtol(offset, NULL, 16);
    long entry_offset = strtol(entry, NULL, 16) -  strtol(code_start, NULL, 16);

    printf("ecode_size: %ld edata_size: %ld offset: %ld entry_offset: %ld\n", ecode_size,
                                                                              edata_size, code_offset, entry_offset);

    unsigned char *code;
    unsigned char hash[32];

    code = (unsigned char *)malloc(n_of_pages * PAGE_SIZE);
    memset(code, 0, n_of_pages * PAGE_SIZE);
    memcpy(code, buffer + code_offset, n_of_pages * PAGE_SIZE);

    generate_enclavehash(hash, code, n_of_pages, entry_offset);

    // generate sgx-[binary].conf
    // # ENTRY: (size, offset)
    // HASH: XXX
    // PUBKEY: ...

    uint64_t target_size = ecode_size + edata_size;
    printf("# target binary\n");
    printf("offset: %lX size: %ld bytes\n", code_offset, target_size);

    int i;
    for (i = 0; i < 20; i++)
        printf("%02X ", code[i]);
    printf("\n");

    char *hash_str = fmt_bytes(hash, 32);
    printf("# generated measurement\n");
    printf("MEASUREMENT: %s\n", hash_str);
}
Пример #3
0
void cmd_genkey(char *bits)
{
    // generate RSA key pair
    int key_bits;
    size_t key_bytes;

    key_bits = atoi(bits);

    key_bytes = key_bits >> 3;
    if ((key_bits & 0x7) > 0)
        key_bytes++;

    uint8_t pubkey[key_bytes];
    uint8_t seckey[key_bytes];

    rsa_context rsa;
    rsa_key_generate(pubkey, seckey, &rsa, key_bits);

    uint8_t P[key_bytes];
    uint8_t Q[key_bytes];
    uint8_t E[key_bytes];

    mpi_write_binary(&rsa.P, P, key_bytes);
    mpi_write_binary(&rsa.Q, Q, key_bytes);
    mpi_write_binary(&rsa.E, E, key_bytes);

    char *pubkey_str = fmt_bytes(pubkey, key_bytes);
    char *seckey_str = fmt_bytes(seckey, key_bytes);
    char *p_str = fmt_bytes(P, key_bytes);
    char *q_str = fmt_bytes(Q, key_bytes);
    char *e_str = fmt_bytes(E, key_bytes);

    printf("# generated config\n");
    printf("PUBKEY: %s\n", pubkey_str);
    printf("SECKEY: %s\n", seckey_str);
    printf("P: %s\n", p_str);
    printf("Q: %s\n", q_str);
    printf("E: %s\n", e_str);

    free(pubkey_str);
    free(seckey_str);
    free(p_str);
    free(q_str);
    free(e_str);
}
Пример #4
0
void cmd_mac(char *conf, char *key)
{
    printf("# MAC information\n");

    einittoken_t *token;
    token = load_einittoken(conf);

    unsigned char device_pubkey[DEVICE_KEY_LENGTH];
    unsigned char device_seckey[DEVICE_KEY_LENGTH];
    unsigned char launch_key[DEVICE_KEY_LENGTH];
    unsigned char mac[MAC_SIZE];
    //do we need this?
    //rsa_context *ctx;
    char *launch_key_str;
    char *mac_str;

    load_rsa_keys(key, device_pubkey, device_seckey, DEVICE_KEY_LENGTH_BITS);
    {
        char *pubkey_str = fmt_bytes(device_pubkey, DEVICE_KEY_LENGTH);
        char *seckey_str = fmt_bytes(device_seckey, DEVICE_KEY_LENGTH);

        printf("DEVICE PUBKEY     : %s\n", pubkey_str);
        printf("DEVICE SECKEY     : %s\n", seckey_str);

        free(pubkey_str);
        free(seckey_str);
    }

    generate_launch_key(device_seckey, launch_key);

    cmac(launch_key, (unsigned char *)token, 192, mac);

    launch_key_str = fmt_bytes(launch_key, DEVICE_KEY_LENGTH);
    mac_str = fmt_bytes(mac, MAC_SIZE);
    printf("LAUNCH LEY        : %s\n", launch_key_str);
    printf("MAC               : %s\n", mac_str);

    memcpy(token->mac, mac, 16);
    char *msg = dbg_dump_einittoken(token);
    printf("# EINITTOKEN START\n");
    printf("%s\n", msg);
    printf("# EINITTOKEN END\n");
}
Пример #5
0
static void
tweak_generic_bytes(struct cli *cli, volatile ssize_t *dest, const char *arg,
    double min, double max)
{
	uintmax_t r;
	const char *p;

	if (arg != NULL) {
		p = VNUM_2bytes(arg, &r, 0);
		if (p != NULL) {
			VCLI_Out(cli, "Could not convert to bytes.\n");
			VCLI_Out(cli, "%s\n", p);
			VCLI_Out(cli,
			    "  Try something like '80k' or '120M'\n");
			VCLI_SetResult(cli, CLIS_PARAM);
			return;
		}
		if ((uintmax_t)((ssize_t)r) != r) {
			fmt_bytes(cli, r);
			VCLI_Out(cli, " is too large for this architecture.\n");
			VCLI_SetResult(cli, CLIS_PARAM);
			return;
		}
		if (max != 0. && r > max) {
			VCLI_Out(cli, "Must be no more than ");
			fmt_bytes(cli, (uintmax_t)max);
			VCLI_Out(cli, "\n");
			VCLI_SetResult(cli, CLIS_PARAM);
			return;
		}
		if (r < min) {
			VCLI_Out(cli, "Must be at least ");
			fmt_bytes(cli, (uintmax_t)min);
			VCLI_Out(cli, "\n");
			VCLI_SetResult(cli, CLIS_PARAM);
			return;
		}
		*dest = r;
	} else {
		fmt_bytes(cli, *dest);
	}
}
Пример #6
0
void cmd_gen_einittoken(char *conf)
{
    einittoken_t t;
    unsigned char valid_default[4] = {0x00, 0x00, 0x00, 0x01};
    unsigned char xfrm_default[8] = {0x00, 0x00, 0x00, 0x00,
                                     0x00, 0x00, 0x00, 0x03};
    unsigned char isvprodid_default[2] = {0x00, 0x00};
    unsigned char isvsvn_default[2] = {0x00, 0x00};
    int exinfo = 0;
    int debug = 0;
    int mode64bit = 1;
    int provisionkey = 0;
    int einittokenkey = 1;

    sigstruct_t *s;
    s = load_sigstruct(conf);
    unsigned char signer[32];
    sha256(s->modulus, KEY_LENGTH, signer, 0);
    char *mrsigner = fmt_bytes(signer, 32);
    char *mrenclave = fmt_bytes(s->enclaveHash, 32);

    // set default value
    memset(t.cpuSvnLE, 0, 16);
    memset(t.keyid, 0, 32);

    // fill reserved fields with 0s
    memset(t.reserved1, 0, 44);
    memset(t.reserved2, 0, 32);
    memset(t.reserved3, 0, 32);
    memset(t.reserved4, 0, 24);
    t.attributes.reserved1 = 0;
    t.attributes.reserved2 = 0;
    t.attributes.reserved3 = 0;
    memset(t.attributes.reserved4, 0, 7);
    t.maskedmiscSelectLE.reserved1 = 0;
    memset(t.maskedmiscSelectLE.reserved2, 0, 3);
    t.maskedAttributesLE.reserved1 = 0;
    t.maskedAttributesLE.reserved2 = 0;
    t.maskedAttributesLE.reserved3 = 0;
    memset(t.maskedAttributesLE.reserved4, 0, 7);

    char *cpusvnle      = fmt_bytes(t.cpuSvnLE, 16);
    char *keyid         = fmt_bytes(t.keyid, 32);
    char *valid         = fmt_bytes(valid_default, 4);
    char *xfrm          = fmt_bytes(xfrm_default, 8);
    char *isvprodid     = fmt_bytes(isvprodid_default, 2);
    char *isvsvn        = fmt_bytes(isvsvn_default, 2);
    char *rsv1          = fmt_bytes(t.reserved1, 44);
    char *rsv2          = fmt_bytes(t.reserved2, 32);
    char *rsv3          = fmt_bytes(t.reserved3, 32);
    char *rsv4          = fmt_bytes(t.reserved4, 24);
    char *attr_rsv4     = fmt_bytes(t.attributes.reserved4, 7);
    char *maskmisc_rsv2 = fmt_bytes(t.maskedmiscSelectLE.reserved2, 3);
    char *maskattr_rsv4 = fmt_bytes(t.maskedAttributesLE.reserved4, 7);

    printf("# generated EINIT token structure (EINITTOKEN)\n");
    printf("# EINITTOKEN START\n");
    printf("VALID             : %s\n", valid);
    printf("RESERVED1         : %s\n", rsv1);
    printf("ATTRIBUTES\n");
    printf(".RESERVED1        : %d\n", t.attributes.reserved1);
    printf(".DEBUG            : %d\n", debug);
    printf(".MODE64BIT        : %d\n", mode64bit);
    printf(".RESERVED2        : %d\n", t.attributes.reserved2);
    printf(".PROVISIONKEY     : %d\n", provisionkey);
    printf(".EINITTOKENKEY    : %d\n", einittokenkey);
    printf(".RESERVED3        : %d%s\n", t.attributes.reserved3, attr_rsv4);
    printf(".XFRM             : %s\n", xfrm);
    printf("MRENCLAVE         : %s\n", mrenclave);
    printf("RESERVED2         : %s\n", rsv2);
    printf("MRSIGNER          : %s\n", mrsigner);
    printf("RESERVED3         : %s\n", rsv3);
    printf("CPUSVNLE          : %s\n", cpusvnle);
    printf("ISVPRODIDLE       : %s\n", isvprodid);
    printf("ISVSVNLE          : %s\n", isvsvn);
    printf("RESERVED4         : %s\n", rsv4);
    printf("MASKEDMISCSELECTLE\n");
    printf(".EXINFO           : %d\n", exinfo);
    printf(".RESERVED         : %d%s\n", t.maskedmiscSelectLE.reserved1,
                                         maskmisc_rsv2);
    printf("MASKEDATTRIBUTESLE\n");
    printf(".RESERVED1        : %d\n", t.maskedAttributesLE.reserved1);
    printf(".DEBUG            : %d\n", debug);
    printf(".MODE64BIT        : %d\n", mode64bit);
    printf(".RESERVED2        : %d\n", t.maskedAttributesLE.reserved2);
    printf(".PROVISIONKEY     : %d\n", provisionkey);
    printf(".EINITTOKENKEY    : %d\n", einittokenkey);
    printf(".RESERVED3        : %d%s\n", t.maskedAttributesLE.reserved3,
                                         maskattr_rsv4);
    printf(".XFRM             : %s\n", xfrm);
    printf("KEYID             : %s\n", keyid);
    printf("MAC               : \n");
    printf("# EINITTOKEN END\n");
}
Пример #7
0
void cmd_sign(char *conf, char *key)
{
    rsa_sig_t sign;
    rsa_key_t pubkey;
    rsa_key_t seckey;
    rsa_context *ctx;
    sigstruct_t *sigstruct;

    // Load sigstruct from file
    sigstruct = load_sigstruct(conf);

    // Ignore fields don't need to sign
    memset(sigstruct->modulus, 0, 384);
    sigstruct->exponent = 0;
    memset(sigstruct->signature, 0, 384);
    memset(sigstruct->q1, 0, 384);
    memset(sigstruct->q2, 0, 384);

    // Load rsa keys from file
	ctx = load_rsa_keys(key, pubkey, seckey, KEY_LENGTH_BITS);
#if 0
    {
        char *pubkey_str = fmt_bytes(pubkey, KEY_LENGTH);
        char *seckey_str = fmt_bytes(seckey, KEY_LENGTH);

        printf("PUBKEY: %.40s..\n", pubkey_str);
        printf("SECKEY: %.40s..\n", seckey_str);

        free(pubkey_str);
        free(seckey_str);
    }
#endif

    // Generate rsa sign on sigstruct with private key
    rsa_sign(ctx, sign, (unsigned char *)sigstruct, sizeof(sigstruct_t));

    // Compute q1, q2
    unsigned char *q1, *q2;
    q1 = malloc(384);
    q2 = malloc(384);
    memset(q1, 0, 384);
    memset(q2, 0, 384);

    mpi Q1, Q2, S, M, T1, T2, R;
    mpi_init(&Q1);
    mpi_init(&Q2);
    mpi_init(&S);
    mpi_init(&M);
    mpi_init(&T1);
    mpi_init(&T2);
    mpi_init(&R);

    // q1 = signature ^ 2 / modulus
    mpi_read_binary(&S, sign, 384);
    mpi_read_binary(&M, pubkey, 384);
    mpi_mul_mpi(&T1, &S, &S);
    mpi_div_mpi(&Q1, &R, &T1, &M);

    // q2 = (signature ^ 3 - q1 * signature * modulus) / modulus
    mpi_init(&R);
    mpi_mul_mpi(&T1, &T1, &S);
    mpi_mul_mpi(&T2, &Q1, &S);
    mpi_mul_mpi(&T2, &T2, &M);
    mpi_sub_mpi(&Q2, &T1, &T2);
    mpi_div_mpi(&Q2, &R, &Q2, &M);

    mpi_write_binary(&Q1, q1, 384);
    mpi_write_binary(&Q2, q2, 384);

    mpi_free(&Q1);
    mpi_free(&Q2);
    mpi_free(&S);
    mpi_free(&M);
    mpi_free(&T1);
    mpi_free(&T2);
    mpi_free(&R);

    sigstruct = load_sigstruct(conf);
    sigstruct->exponent = 3;
    memcpy(sigstruct->modulus, pubkey, 384);
    memcpy(sigstruct->signature, sign, 384);
    memcpy(sigstruct->q1, q1, 384);
    memcpy(sigstruct->q2, q2, 384);

    char *msg = dump_sigstruct(sigstruct);
    printf("# SIGSTRUCT START\n");
    printf("%s\n", msg);
    printf("# SIGSTRUCT END\n");

    /*unsigned char exp[4] = { 0x00, 0x00, 0x00, 0x03 };
    char *mod_str = fmt_bytes(pubkey, 384);
    char *exp_str = fmt_bytes(exp, 4);
    char *sign_str = fmt_bytes(sign, 384);
    char *q1_str = fmt_bytes(q1, 384);
    char *q2_str = fmt_bytes(q2, 384);

    printf("# sign information\n");
    printf("MODULUS       : %s\n", mod_str);
    printf("EXPONENT      : %s\n", exp_str);
    printf("SIGNATURE     : %s\n", sign_str);
    printf("Q1            : %s\n", q1_str);
    printf("Q2            : %s\n", q2_str);

    free(mod_str);
    free(exp_str);
    free(sign_str);

    unsigned char signer[32];
    sha256(pubkey, KEY_LENGTH, signer, 0);
    char *signer_str = fmt_bytes(pubkey, 32);
    printf("# hash of public key\n");
    printf("MRSIGNER      : %s\n", signer_str);*/
}
Пример #8
0
void cmd_gen_sigstruct(char *conf)
{
    sigstruct_t s;

    unsigned char header[16] = SIG_HEADER1;
    unsigned char header2[16] = SIG_HEADER2;
    unsigned char xfrm_default[8] = {0x00, 0x00, 0x00, 0x00,
                                     0x00, 0x00, 0x00, 0x03};
    unsigned char isvprodid_default[2] = {0x00, 0x00};
    unsigned char isvsvn_default[2] = {0x00, 0x00};
    int exinfo = 0;
    int debug = 0;
    int mode64bit = 1;
    int provisionkey = 1;
    int einittokenkey = 0;

    unsigned char *measurement = load_measurement(conf);

    time_t t = time(NULL);
    struct tm tm = *localtime(&t);
    long date = (tm.tm_year + 1900) * 10000 + (tm.tm_mon + 1) * 100 + tm.tm_mday;

    memcpy(&s.header,  swap_endian(header, 16),  16);
    memcpy(&s.header2, swap_endian(header2, 16), 16);

    // For non-intel enclave
    memset(&s.vendor, 0, 4);

    // Set default value
    memset(&s.swdefined, 0, 4);

    // fill reserved fields with 0s
    memset(s.reserved1, 0, 84);
    memset(s.reserved2, 0, 20);
    memset(s.reserved3, 0, 32);
    memset(s.reserved4, 0, 12);
    s.miscselect.reserved1 = 0;
    memset(s.miscselect.reserved2, 0, 3);
    s.miscmask.reserved1 = 0;
    memset(s.miscmask.reserved2, 0, 3);
    s.attributes.reserved1 = 0;
    s.attributes.reserved2 = 0;
    s.attributes.reserved3 = 0;
    memset(s.attributes.reserved4, 0, 7);
    s.attributeMask.reserved1 = 0;
    s.attributeMask.reserved2 = 0;
    s.attributeMask.reserved3 = 0;
    memset(s.attributeMask.reserved4, 0, 7);

    char *hdr           = fmt_bytes(swap_endian(s.header, 16), 16);
    char *hdr2          = fmt_bytes(swap_endian(s.header2, 16), 16);
    char *vendor        = fmt_bytes((uint8_t*)&vendor, 4);
    char *enclavehash   = fmt_bytes(measurement, 32);
    char *swdef         = fmt_bytes((uint8_t*)&s.swdefined, 4);
    char *xfrm          = fmt_bytes(xfrm_default, 8);
    char *isvprodid     = fmt_bytes(isvprodid_default, 2);
    char *isvsvn        = fmt_bytes(isvsvn_default, 2);
    char *rsv1          = fmt_bytes(s.reserved1, 84);
    char *rsv2          = fmt_bytes(s.reserved2, 20);
    char *rsv3          = fmt_bytes(s.reserved3, 32);
    char *rsv4          = fmt_bytes(s.reserved4, 12);
    char *mselect_rsv2  = fmt_bytes(s.miscselect.reserved2, 3);
    char *mmasck_rsv2   = fmt_bytes(s.miscmask.reserved2, 3);
    char *attrs_rsv4    = fmt_bytes(s.attributes.reserved4, 7);
    char *attrmask_rsv4 = fmt_bytes(s.attributes.reserved4, 7);

    printf("# generated enclave signature structure (SIGSTRUCT)\n");
    printf("# SIGSTRUCT START\n");
    printf("HEADER        : %s\n", hdr);
    printf("VENDOR        : %s\n", vendor);
    printf("DATE          : %ld\n", date);
    printf("HEADER2       : %s\n", hdr2);
    printf("SWDEFINO      : %s\n", swdef);
    printf("RESERVED1     : %s\n", rsv1);
    printf("MODULUS       : \n");
    printf("EXPONENT      : \n");
    printf("SIGNATURE     : \n");
    printf("MISCSELECT\n");
    printf(".EXINFO       : %d\n", exinfo);
    printf(".RESERVED     : %d%s\n", s.miscselect.reserved1,
                                     mselect_rsv2);
    printf("MISCMASK\n");
    printf(".EXINFO       : %d\n", exinfo);
    printf(".RESERVED     : %d%s\n", s.miscmask.reserved1,
                                     mmasck_rsv2);
    printf("RESERVED2     : %s\n", rsv2);
    printf("ATTRIBUTES\n");
    printf(".RESERVED1    : %d\n", s.attributes.reserved1);
    printf(".DEBUG        : %d\n", debug);
    printf(".MODE64BIT    : %d\n", mode64bit);
    printf(".RESERVED2    : %d\n", s.attributes.reserved2);
    printf(".PROVISIONKEY : %d\n", provisionkey);
    printf(".EINITTOKENKEY: %d\n", einittokenkey);
    printf(".RESERVED3    : %d%s\n", s.attributes.reserved3,
                                     attrs_rsv4);
    printf(".XFRM         : %s\n", xfrm);
    printf("ATTRIBUTEMASK\n");
    printf(".RESERVED1    : %d\n", s.attributeMask.reserved1);
    printf(".DEBUG        : %d\n", debug);
    printf(".MODE64BIT    : %d\n", mode64bit);
    printf(".RESERVED2    : %d\n", s.attributeMask.reserved2);
    printf(".PROVISIONKEY : %d\n", provisionkey);
    printf(".EINITTOKENKEY: %d\n", einittokenkey);
    printf(".RESERVED3    : %d%s\n", s.attributeMask.reserved3,
                                     attrmask_rsv4);
    printf(".XFRM         : %s\n", xfrm);
    printf("ENCLAVEHASH   : %s\n", enclavehash);
    printf("RESERVED3     : %s\n", rsv3);
    printf("ISVPRODID     : %s\n", isvprodid);
    printf("ISVSVN        : %s\n", isvsvn);
    printf("RESERVED4     : %s\n", rsv4);
    printf("Q1            : \n");
    printf("Q2            : \n");
    printf("# SIGSTRUCT END\n");
}