diff --git a/codegen/data_enclave/bindings.h b/codegen/data_enclave/bindings.h index 9c07553b..1928c0a4 100644 --- a/codegen/data_enclave/bindings.h +++ b/codegen/data_enclave/bindings.h @@ -37,10 +37,56 @@ typedef struct CryptoError { }; } CryptoError; +/** + * Failed to acquire session / protected channel. + * + * See: `rtc_tenclave::dh::sessions::DhSessions` + */ +typedef enum AcquireSessionError_Tag { + /** + * This should generally be treated as an unrecoverable error. + */ + ACQUIRE_SESSION_ERROR_CHANNEL_MUTEX_POISONED, + ACQUIRE_SESSION_ERROR_NO_ACTIVE_SESSION, + ACQUIRE_SESSION_ERROR_SGX, +} AcquireSessionError_Tag; + +typedef struct AcquireSessionError { + AcquireSessionError_Tag tag; + union { + struct { + sgx_enclave_id_t no_active_session; + }; + struct { + sgx_status_t sgx; + }; + }; +} AcquireSessionError; + +typedef enum SealingError_Tag { + SEALING_ERROR_CHANNEL_NOT_FOUND, + SEALING_ERROR_RKYV_BUFFER_SERIALIZER_ERROR, + SEALING_ERROR_SGX, +} SealingError_Tag; + +typedef struct SealingError { + SealingError_Tag tag; + union { + struct { + struct AcquireSessionError channel_not_found; + }; + struct { + sgx_status_t sgx; + }; + }; +} SealingError; + typedef enum DataUploadError_Tag { DATA_UPLOAD_ERROR_VALIDATION, DATA_UPLOAD_ERROR_SEALING, DATA_UPLOAD_ERROR_CRYPTO, + DATA_UPLOAD_ERROR_SAVE_ACCESS_KEY_SEALING_ERROR, + DATA_UPLOAD_ERROR_SAVE_ACCESS_KEY_FAILED, } DataUploadError_Tag; typedef struct DataUploadError { @@ -52,6 +98,9 @@ typedef struct DataUploadError { struct { struct CryptoError crypto; }; + struct { + struct SealingError save_access_key_sealing_error; + }; }; } DataUploadError; @@ -82,6 +131,44 @@ typedef struct UploadMetadata { uint8_t nonce[24]; } UploadMetadata; +typedef uint8_t RecommendedAesGcmIv[12]; + +typedef struct SetAccessKeyEncryptedResponse { + sgx_aes_gcm_128bit_tag_t tag; + uint8_t ciphertext[SET_ACCESS_KEY_RESPONSE_SIZE]; + uint8_t aad[0]; + RecommendedAesGcmIv nonce; +} SetAccessKeyEncryptedResponse; + +/** + * FFI safe result type that can be converted to and from a rust result. + */ +typedef enum EcallResult_SetAccessKeyEncryptedResponse__SealingError_Tag { + ECALL_RESULT_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR_OK_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR, + ECALL_RESULT_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR_ERR_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR, +} EcallResult_SetAccessKeyEncryptedResponse__SealingError_Tag; + +typedef struct EcallResult_SetAccessKeyEncryptedResponse__SealingError { + EcallResult_SetAccessKeyEncryptedResponse__SealingError_Tag tag; + union { + struct { + struct SetAccessKeyEncryptedResponse ok; + }; + struct { + struct SealingError err; + }; + }; +} EcallResult_SetAccessKeyEncryptedResponse__SealingError; + +typedef struct EcallResult_SetAccessKeyEncryptedResponse__SealingError SetAccessKeyResult; + +typedef struct SetAccessKeyEncryptedRequest { + sgx_aes_gcm_128bit_tag_t tag; + uint8_t ciphertext[SET_ACCESS_KEY_REQUEST_SIZE]; + uint8_t aad[ARCHIVED_ENCLAVE_ID_SIZE]; + RecommendedAesGcmIv nonce; +} SetAccessKeyEncryptedRequest; + /** * FFI safe result type that can be converted to and from a rust result. */ diff --git a/codegen/data_enclave/rtc_data_t.c b/codegen/data_enclave/rtc_data_t.c index ed7493cd..9aff5901 100644 --- a/codegen/data_enclave/rtc_data_t.c +++ b/codegen/data_enclave/rtc_data_t.c @@ -36,6 +36,7 @@ typedef struct ms_enclave_create_report_t { typedef struct ms_validate_and_save_t { DataUploadResult ms_retval; + sgx_enclave_id_t ms_auth_enclave_id; const uint8_t* ms_payload_ptr; size_t ms_payload_len; UploadMetadata ms_metadata; @@ -68,6 +69,12 @@ typedef struct ms_end_session_t { sgx_enclave_id_t ms_src_enclave_id; } ms_end_session_t; +typedef struct ms_rtc_save_access_key_u_t { + SetAccessKeyResult ms_retval; + sgx_enclave_id_t ms_auth_enclave_id; + SetAccessKeyEncryptedRequest ms_encrypted_request; +} ms_rtc_save_access_key_u_t; + typedef struct ms_rtc_save_sealed_blob_u_t { sgx_status_t ms_retval; const uint8_t* ms_blob_ptr; @@ -707,7 +714,7 @@ static sgx_status_t SGX_CDECL sgx_validate_and_save(void* pms) } - ms->ms_retval = validate_and_save((const uint8_t*)_in_payload_ptr, _tmp_payload_len, ms->ms_metadata); + ms->ms_retval = validate_and_save(ms->ms_auth_enclave_id, (const uint8_t*)_in_payload_ptr, _tmp_payload_len, ms->ms_metadata); err: if (_in_payload_ptr) free(_in_payload_ptr); @@ -883,9 +890,9 @@ SGX_EXTERNC const struct { SGX_EXTERNC const struct { size_t nr_ocall; - uint8_t entry_table[74][8]; + uint8_t entry_table[75][8]; } g_dyn_entry_table = { - 74, + 75, { {0, 0, 0, 0, 0, 0, 0, 0, }, {0, 0, 0, 0, 0, 0, 0, 0, }, @@ -961,10 +968,40 @@ SGX_EXTERNC const struct { {0, 0, 0, 0, 0, 0, 0, 0, }, {0, 0, 0, 0, 0, 0, 0, 0, }, {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, } }; +sgx_status_t SGX_CDECL rtc_save_access_key_u(SetAccessKeyResult* retval, sgx_enclave_id_t auth_enclave_id, SetAccessKeyEncryptedRequest encrypted_request) +{ + sgx_status_t status = SGX_SUCCESS; + + ms_rtc_save_access_key_u_t* ms = NULL; + size_t ocalloc_size = sizeof(ms_rtc_save_access_key_u_t); + void *__tmp = NULL; + + + __tmp = sgx_ocalloc(ocalloc_size); + if (__tmp == NULL) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + ms = (ms_rtc_save_access_key_u_t*)__tmp; + __tmp = (void *)((size_t)__tmp + sizeof(ms_rtc_save_access_key_u_t)); + ocalloc_size -= sizeof(ms_rtc_save_access_key_u_t); + + ms->ms_auth_enclave_id = auth_enclave_id; + ms->ms_encrypted_request = encrypted_request; + status = sgx_ocall(0, ms); + + if (status == SGX_SUCCESS) { + if (retval) *retval = ms->ms_retval; + } + sgx_ocfree(); + return status; +} + sgx_status_t SGX_CDECL rtc_save_sealed_blob_u(sgx_status_t* retval, const uint8_t* blob_ptr, size_t blob_len, uint8_t uuid[16]) { sgx_status_t status = SGX_SUCCESS; @@ -1026,7 +1063,7 @@ sgx_status_t SGX_CDECL rtc_save_sealed_blob_u(sgx_status_t* retval, const uint8_ ms->ms_uuid = NULL; } - status = sgx_ocall(0, ms); + status = sgx_ocall(1, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1075,7 +1112,7 @@ sgx_status_t SGX_CDECL u_thread_set_event_ocall(int* retval, int* error, const v } ms->ms_tcs = tcs; - status = sgx_ocall(1, ms); + status = sgx_ocall(2, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1146,7 +1183,7 @@ sgx_status_t SGX_CDECL u_thread_wait_event_ocall(int* retval, int* error, const ms->ms_timeout = NULL; } - status = sgx_ocall(2, ms); + status = sgx_ocall(3, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1221,7 +1258,7 @@ sgx_status_t SGX_CDECL u_thread_set_multiple_events_ocall(int* retval, int* erro } ms->ms_total = total; - status = sgx_ocall(3, ms); + status = sgx_ocall(4, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1293,7 +1330,7 @@ sgx_status_t SGX_CDECL u_thread_setwait_events_ocall(int* retval, int* error, co ms->ms_timeout = NULL; } - status = sgx_ocall(4, ms); + status = sgx_ocall(5, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1363,7 +1400,7 @@ sgx_status_t SGX_CDECL u_clock_gettime_ocall(int* retval, int* error, int clk_id ms->ms_tp = NULL; } - status = sgx_ocall(5, ms); + status = sgx_ocall(6, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1426,7 +1463,7 @@ sgx_status_t SGX_CDECL u_read_ocall(size_t* retval, int* error, int fd, void* bu ms->ms_fd = fd; ms->ms_buf = buf; ms->ms_count = count; - status = sgx_ocall(6, ms); + status = sgx_ocall(7, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1484,7 +1521,7 @@ sgx_status_t SGX_CDECL u_pread64_ocall(size_t* retval, int* error, int fd, void* ms->ms_buf = buf; ms->ms_count = count; ms->ms_offset = offset; - status = sgx_ocall(7, ms); + status = sgx_ocall(8, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1556,7 +1593,7 @@ sgx_status_t SGX_CDECL u_readv_ocall(size_t* retval, int* error, int fd, const s } ms->ms_iovcnt = iovcnt; - status = sgx_ocall(8, ms); + status = sgx_ocall(9, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1629,7 +1666,7 @@ sgx_status_t SGX_CDECL u_preadv64_ocall(size_t* retval, int* error, int fd, cons ms->ms_iovcnt = iovcnt; ms->ms_offset = offset; - status = sgx_ocall(9, ms); + status = sgx_ocall(10, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1686,7 +1723,7 @@ sgx_status_t SGX_CDECL u_write_ocall(size_t* retval, int* error, int fd, const v ms->ms_fd = fd; ms->ms_buf = buf; ms->ms_count = count; - status = sgx_ocall(10, ms); + status = sgx_ocall(11, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1744,7 +1781,7 @@ sgx_status_t SGX_CDECL u_pwrite64_ocall(size_t* retval, int* error, int fd, cons ms->ms_buf = buf; ms->ms_count = count; ms->ms_offset = offset; - status = sgx_ocall(11, ms); + status = sgx_ocall(12, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1816,7 +1853,7 @@ sgx_status_t SGX_CDECL u_writev_ocall(size_t* retval, int* error, int fd, const } ms->ms_iovcnt = iovcnt; - status = sgx_ocall(12, ms); + status = sgx_ocall(13, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1889,7 +1926,7 @@ sgx_status_t SGX_CDECL u_pwritev64_ocall(size_t* retval, int* error, int fd, con ms->ms_iovcnt = iovcnt; ms->ms_offset = offset; - status = sgx_ocall(13, ms); + status = sgx_ocall(14, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1945,7 +1982,7 @@ sgx_status_t SGX_CDECL u_fcntl_arg0_ocall(int* retval, int* error, int fd, int c ms->ms_fd = fd; ms->ms_cmd = cmd; - status = sgx_ocall(14, ms); + status = sgx_ocall(15, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2002,7 +2039,7 @@ sgx_status_t SGX_CDECL u_fcntl_arg1_ocall(int* retval, int* error, int fd, int c ms->ms_fd = fd; ms->ms_cmd = cmd; ms->ms_arg = arg; - status = sgx_ocall(15, ms); + status = sgx_ocall(16, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2058,7 +2095,7 @@ sgx_status_t SGX_CDECL u_ioctl_arg0_ocall(int* retval, int* error, int fd, int r ms->ms_fd = fd; ms->ms_request = request; - status = sgx_ocall(16, ms); + status = sgx_ocall(17, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2136,7 +2173,7 @@ sgx_status_t SGX_CDECL u_ioctl_arg1_ocall(int* retval, int* error, int fd, int r ms->ms_arg = NULL; } - status = sgx_ocall(17, ms); + status = sgx_ocall(18, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2197,7 +2234,7 @@ sgx_status_t SGX_CDECL u_close_ocall(int* retval, int* error, int fd) } ms->ms_fd = fd; - status = sgx_ocall(18, ms); + status = sgx_ocall(19, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2252,7 +2289,7 @@ sgx_status_t SGX_CDECL u_malloc_ocall(void** retval, int* error, size_t size) } ms->ms_size = size; - status = sgx_ocall(19, ms); + status = sgx_ocall(20, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2286,7 +2323,7 @@ sgx_status_t SGX_CDECL u_free_ocall(void* p) ocalloc_size -= sizeof(ms_u_free_ocall_t); ms->ms_p = p; - status = sgx_ocall(20, ms); + status = sgx_ocall(21, ms); if (status == SGX_SUCCESS) { } @@ -2339,7 +2376,7 @@ sgx_status_t SGX_CDECL u_mmap_ocall(void** retval, int* error, void* start, size ms->ms_flags = flags; ms->ms_fd = fd; ms->ms_offset = offset; - status = sgx_ocall(21, ms); + status = sgx_ocall(22, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2395,7 +2432,7 @@ sgx_status_t SGX_CDECL u_munmap_ocall(int* retval, int* error, void* start, size ms->ms_start = start; ms->ms_length = length; - status = sgx_ocall(22, ms); + status = sgx_ocall(23, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2452,7 +2489,7 @@ sgx_status_t SGX_CDECL u_msync_ocall(int* retval, int* error, void* addr, size_t ms->ms_addr = addr; ms->ms_length = length; ms->ms_flags = flags; - status = sgx_ocall(23, ms); + status = sgx_ocall(24, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2509,7 +2546,7 @@ sgx_status_t SGX_CDECL u_mprotect_ocall(int* retval, int* error, void* addr, siz ms->ms_addr = addr; ms->ms_length = length; ms->ms_prot = prot; - status = sgx_ocall(24, ms); + status = sgx_ocall(25, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2584,7 +2621,7 @@ sgx_status_t SGX_CDECL u_open_ocall(int* retval, int* error, const char* pathnam } ms->ms_flags = flags; - status = sgx_ocall(25, ms); + status = sgx_ocall(26, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2660,7 +2697,7 @@ sgx_status_t SGX_CDECL u_open64_ocall(int* retval, int* error, const char* path, ms->ms_oflag = oflag; ms->ms_mode = mode; - status = sgx_ocall(26, ms); + status = sgx_ocall(27, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2730,7 +2767,7 @@ sgx_status_t SGX_CDECL u_fstat_ocall(int* retval, int* error, int fd, struct sta ms->ms_buf = NULL; } - status = sgx_ocall(27, ms); + status = sgx_ocall(28, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2806,7 +2843,7 @@ sgx_status_t SGX_CDECL u_fstat64_ocall(int* retval, int* error, int fd, struct s ms->ms_buf = NULL; } - status = sgx_ocall(28, ms); + status = sgx_ocall(29, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2901,7 +2938,7 @@ sgx_status_t SGX_CDECL u_stat_ocall(int* retval, int* error, const char* path, s ms->ms_buf = NULL; } - status = sgx_ocall(29, ms); + status = sgx_ocall(30, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2996,7 +3033,7 @@ sgx_status_t SGX_CDECL u_stat64_ocall(int* retval, int* error, const char* path, ms->ms_buf = NULL; } - status = sgx_ocall(30, ms); + status = sgx_ocall(31, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3091,7 +3128,7 @@ sgx_status_t SGX_CDECL u_lstat_ocall(int* retval, int* error, const char* path, ms->ms_buf = NULL; } - status = sgx_ocall(31, ms); + status = sgx_ocall(32, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3186,7 +3223,7 @@ sgx_status_t SGX_CDECL u_lstat64_ocall(int* retval, int* error, const char* path ms->ms_buf = NULL; } - status = sgx_ocall(32, ms); + status = sgx_ocall(33, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3249,7 +3286,7 @@ sgx_status_t SGX_CDECL u_lseek_ocall(uint64_t* retval, int* error, int fd, int64 ms->ms_fd = fd; ms->ms_offset = offset; ms->ms_whence = whence; - status = sgx_ocall(33, ms); + status = sgx_ocall(34, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3306,7 +3343,7 @@ sgx_status_t SGX_CDECL u_lseek64_ocall(int64_t* retval, int* error, int fd, int6 ms->ms_fd = fd; ms->ms_offset = offset; ms->ms_whence = whence; - status = sgx_ocall(34, ms); + status = sgx_ocall(35, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3362,7 +3399,7 @@ sgx_status_t SGX_CDECL u_ftruncate_ocall(int* retval, int* error, int fd, int64_ ms->ms_fd = fd; ms->ms_length = length; - status = sgx_ocall(35, ms); + status = sgx_ocall(36, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3418,7 +3455,7 @@ sgx_status_t SGX_CDECL u_ftruncate64_ocall(int* retval, int* error, int fd, int6 ms->ms_fd = fd; ms->ms_length = length; - status = sgx_ocall(36, ms); + status = sgx_ocall(37, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3493,7 +3530,7 @@ sgx_status_t SGX_CDECL u_truncate_ocall(int* retval, int* error, const char* pat } ms->ms_length = length; - status = sgx_ocall(37, ms); + status = sgx_ocall(38, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3568,7 +3605,7 @@ sgx_status_t SGX_CDECL u_truncate64_ocall(int* retval, int* error, const char* p } ms->ms_length = length; - status = sgx_ocall(38, ms); + status = sgx_ocall(39, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3623,7 +3660,7 @@ sgx_status_t SGX_CDECL u_fsync_ocall(int* retval, int* error, int fd) } ms->ms_fd = fd; - status = sgx_ocall(39, ms); + status = sgx_ocall(40, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3678,7 +3715,7 @@ sgx_status_t SGX_CDECL u_fdatasync_ocall(int* retval, int* error, int fd) } ms->ms_fd = fd; - status = sgx_ocall(40, ms); + status = sgx_ocall(41, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3734,7 +3771,7 @@ sgx_status_t SGX_CDECL u_fchmod_ocall(int* retval, int* error, int fd, uint32_t ms->ms_fd = fd; ms->ms_mode = mode; - status = sgx_ocall(41, ms); + status = sgx_ocall(42, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3808,7 +3845,7 @@ sgx_status_t SGX_CDECL u_unlink_ocall(int* retval, int* error, const char* pathn ms->ms_pathname = NULL; } - status = sgx_ocall(42, ms); + status = sgx_ocall(43, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3902,7 +3939,7 @@ sgx_status_t SGX_CDECL u_link_ocall(int* retval, int* error, const char* oldpath ms->ms_newpath = NULL; } - status = sgx_ocall(43, ms); + status = sgx_ocall(44, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3996,7 +4033,7 @@ sgx_status_t SGX_CDECL u_rename_ocall(int* retval, int* error, const char* oldpa ms->ms_newpath = NULL; } - status = sgx_ocall(44, ms); + status = sgx_ocall(45, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4071,7 +4108,7 @@ sgx_status_t SGX_CDECL u_chmod_ocall(int* retval, int* error, const char* path, } ms->ms_mode = mode; - status = sgx_ocall(45, ms); + status = sgx_ocall(46, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4165,7 +4202,7 @@ sgx_status_t SGX_CDECL u_readlink_ocall(size_t* retval, int* error, const char* } ms->ms_bufsz = bufsz; - status = sgx_ocall(46, ms); + status = sgx_ocall(47, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4265,7 +4302,7 @@ sgx_status_t SGX_CDECL u_symlink_ocall(int* retval, int* error, const char* path ms->ms_path2 = NULL; } - status = sgx_ocall(47, ms); + status = sgx_ocall(48, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4339,7 +4376,7 @@ sgx_status_t SGX_CDECL u_realpath_ocall(char** retval, int* error, const char* p ms->ms_pathname = NULL; } - status = sgx_ocall(48, ms); + status = sgx_ocall(49, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4414,7 +4451,7 @@ sgx_status_t SGX_CDECL u_mkdir_ocall(int* retval, int* error, const char* pathna } ms->ms_mode = mode; - status = sgx_ocall(49, ms); + status = sgx_ocall(50, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4488,7 +4525,7 @@ sgx_status_t SGX_CDECL u_rmdir_ocall(int* retval, int* error, const char* pathna ms->ms_pathname = NULL; } - status = sgx_ocall(50, ms); + status = sgx_ocall(51, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4562,7 +4599,7 @@ sgx_status_t SGX_CDECL u_opendir_ocall(void** retval, int* error, const char* pa ms->ms_pathname = NULL; } - status = sgx_ocall(51, ms); + status = sgx_ocall(52, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4635,7 +4672,7 @@ sgx_status_t SGX_CDECL u_readdir64_r_ocall(int* retval, void* dirp, struct diren ms->ms_result = NULL; } - status = sgx_ocall(52, ms); + status = sgx_ocall(53, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4696,7 +4733,7 @@ sgx_status_t SGX_CDECL u_closedir_ocall(int* retval, int* error, void* dirp) } ms->ms_dirp = dirp; - status = sgx_ocall(53, ms); + status = sgx_ocall(54, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4751,7 +4788,7 @@ sgx_status_t SGX_CDECL u_dirfd_ocall(int* retval, int* error, void* dirp) } ms->ms_dirp = dirp; - status = sgx_ocall(54, ms); + status = sgx_ocall(55, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4842,7 +4879,7 @@ sgx_status_t SGX_CDECL u_fstatat64_ocall(int* retval, int* error, int dirfd, con } ms->ms_flags = flags; - status = sgx_ocall(55, ms); + status = sgx_ocall(56, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4904,7 +4941,7 @@ sgx_status_t SGX_CDECL sgx_oc_cpuidex(int cpuinfo[4], int leaf, int subleaf) ms->ms_leaf = leaf; ms->ms_subleaf = subleaf; - status = sgx_ocall(56, ms); + status = sgx_ocall(57, ms); if (status == SGX_SUCCESS) { if (cpuinfo) { @@ -4937,7 +4974,7 @@ sgx_status_t SGX_CDECL sgx_thread_wait_untrusted_event_ocall(int* retval, const ocalloc_size -= sizeof(ms_sgx_thread_wait_untrusted_event_ocall_t); ms->ms_self = self; - status = sgx_ocall(57, ms); + status = sgx_ocall(58, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4965,7 +5002,7 @@ sgx_status_t SGX_CDECL sgx_thread_set_untrusted_event_ocall(int* retval, const v ocalloc_size -= sizeof(ms_sgx_thread_set_untrusted_event_ocall_t); ms->ms_waiter = waiter; - status = sgx_ocall(58, ms); + status = sgx_ocall(59, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4994,7 +5031,7 @@ sgx_status_t SGX_CDECL sgx_thread_setwait_untrusted_events_ocall(int* retval, co ms->ms_waiter = waiter; ms->ms_self = self; - status = sgx_ocall(59, ms); + status = sgx_ocall(60, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5044,7 +5081,7 @@ sgx_status_t SGX_CDECL sgx_thread_set_multiple_untrusted_events_ocall(int* retva } ms->ms_total = total; - status = sgx_ocall(60, ms); + status = sgx_ocall(61, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5132,7 +5169,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_exclusive_file_open(void** retval, const ms->ms_error_code = NULL; } - status = sgx_ocall(61, ms); + status = sgx_ocall(62, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5193,7 +5230,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_check_if_file_exists(uint8_t* retval, co ms->ms_filename = NULL; } - status = sgx_ocall(62, ms); + status = sgx_ocall(63, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5244,7 +5281,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_fread_node(int32_t* retval, void* f, uin } ms->ms_node_size = node_size; - status = sgx_ocall(63, ms); + status = sgx_ocall(64, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5302,7 +5339,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_fwrite_node(int32_t* retval, void* f, ui } ms->ms_node_size = node_size; - status = sgx_ocall(64, ms); + status = sgx_ocall(65, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5330,7 +5367,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_fclose(int32_t* retval, void* f) ocalloc_size -= sizeof(ms_u_sgxprotectedfs_fclose_t); ms->ms_f = f; - status = sgx_ocall(65, ms); + status = sgx_ocall(66, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5358,7 +5395,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_fflush(uint8_t* retval, void* f) ocalloc_size -= sizeof(ms_u_sgxprotectedfs_fflush_t); ms->ms_f = f; - status = sgx_ocall(66, ms); + status = sgx_ocall(67, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5407,7 +5444,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_remove(int32_t* retval, const char* file ms->ms_filename = NULL; } - status = sgx_ocall(67, ms); + status = sgx_ocall(68, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5456,7 +5493,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_recovery_file_open(void** retval, const ms->ms_filename = NULL; } - status = sgx_ocall(68, ms); + status = sgx_ocall(69, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5507,7 +5544,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_fwrite_recovery_node(uint8_t* retval, vo } ms->ms_data_length = data_length; - status = sgx_ocall(69, ms); + status = sgx_ocall(70, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5577,7 +5614,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_do_file_recovery(int32_t* retval, const } ms->ms_node_size = node_size; - status = sgx_ocall(70, ms); + status = sgx_ocall(71, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5606,7 +5643,7 @@ sgx_status_t SGX_CDECL rtc_session_request_u(SessionRequestResult* retval, sgx_e ms->ms_src_enclave_id = src_enclave_id; ms->ms_dest_enclave_id = dest_enclave_id; - status = sgx_ocall(71, ms); + status = sgx_ocall(72, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5653,7 +5690,7 @@ sgx_status_t SGX_CDECL rtc_exchange_report_u(ExchangeReportResult* retval, sgx_e ms->ms_dh_msg2 = NULL; } - status = sgx_ocall(72, ms); + status = sgx_ocall(73, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5682,7 +5719,7 @@ sgx_status_t SGX_CDECL rtc_end_session_u(sgx_status_t* retval, sgx_enclave_id_t ms->ms_src_enclave_id = src_enclave_id; ms->ms_dest_enclave_id = dest_enclave_id; - status = sgx_ocall(73, ms); + status = sgx_ocall(74, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; diff --git a/codegen/data_enclave/rtc_data_t.h b/codegen/data_enclave/rtc_data_t.h index 775e5bb3..49d8adcd 100644 --- a/codegen/data_enclave/rtc_data_t.h +++ b/codegen/data_enclave/rtc_data_t.h @@ -27,7 +27,7 @@ extern "C" { #endif CreateReportResult enclave_create_report(const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report); -DataUploadResult validate_and_save(const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); +DataUploadResult validate_and_save(sgx_enclave_id_t auth_enclave_id, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); sgx_status_t local_attestation(sgx_enclave_id_t rtc_local_attestation); void t_global_init_ecall(uint64_t id, const uint8_t* path, size_t len); void t_global_exit_ecall(void); @@ -35,6 +35,7 @@ SessionRequestResult session_request(sgx_enclave_id_t src_enclave_id); ExchangeReportResult exchange_report(sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2); sgx_status_t end_session(sgx_enclave_id_t src_enclave_id); +sgx_status_t SGX_CDECL rtc_save_access_key_u(SetAccessKeyResult* retval, sgx_enclave_id_t auth_enclave_id, SetAccessKeyEncryptedRequest encrypted_request); sgx_status_t SGX_CDECL rtc_save_sealed_blob_u(sgx_status_t* retval, const uint8_t* blob_ptr, size_t blob_len, uint8_t uuid[16]); sgx_status_t SGX_CDECL u_thread_set_event_ocall(int* retval, int* error, const void* tcs); sgx_status_t SGX_CDECL u_thread_wait_event_ocall(int* retval, int* error, const void* tcs, const struct timespec* timeout); diff --git a/codegen/data_enclave/rtc_data_u.c b/codegen/data_enclave/rtc_data_u.c index 17d281bd..cac74212 100644 --- a/codegen/data_enclave/rtc_data_u.c +++ b/codegen/data_enclave/rtc_data_u.c @@ -10,6 +10,7 @@ typedef struct ms_enclave_create_report_t { typedef struct ms_validate_and_save_t { DataUploadResult ms_retval; + sgx_enclave_id_t ms_auth_enclave_id; const uint8_t* ms_payload_ptr; size_t ms_payload_len; UploadMetadata ms_metadata; @@ -42,6 +43,12 @@ typedef struct ms_end_session_t { sgx_enclave_id_t ms_src_enclave_id; } ms_end_session_t; +typedef struct ms_rtc_save_access_key_u_t { + SetAccessKeyResult ms_retval; + sgx_enclave_id_t ms_auth_enclave_id; + SetAccessKeyEncryptedRequest ms_encrypted_request; +} ms_rtc_save_access_key_u_t; + typedef struct ms_rtc_save_sealed_blob_u_t { sgx_status_t ms_retval; const uint8_t* ms_blob_ptr; @@ -557,6 +564,14 @@ typedef struct ms_rtc_end_session_u_t { sgx_enclave_id_t ms_dest_enclave_id; } ms_rtc_end_session_u_t; +static sgx_status_t SGX_CDECL rtc_data_rtc_save_access_key_u(void* pms) +{ + ms_rtc_save_access_key_u_t* ms = SGX_CAST(ms_rtc_save_access_key_u_t*, pms); + ms->ms_retval = rtc_save_access_key_u(ms->ms_auth_enclave_id, ms->ms_encrypted_request); + + return SGX_SUCCESS; +} + static sgx_status_t SGX_CDECL rtc_data_rtc_save_sealed_blob_u(void* pms) { ms_rtc_save_sealed_blob_u_t* ms = SGX_CAST(ms_rtc_save_sealed_blob_u_t*, pms); @@ -1151,10 +1166,11 @@ static sgx_status_t SGX_CDECL rtc_data_rtc_end_session_u(void* pms) static const struct { size_t nr_ocall; - void * table[74]; + void * table[75]; } ocall_table_rtc_data = { - 74, + 75, { + (void*)rtc_data_rtc_save_access_key_u, (void*)rtc_data_rtc_save_sealed_blob_u, (void*)rtc_data_u_thread_set_event_ocall, (void*)rtc_data_u_thread_wait_event_ocall, @@ -1243,10 +1259,11 @@ sgx_status_t rtc_data_enclave_create_report(sgx_enclave_id_t eid, CreateReportRe return status; } -sgx_status_t rtc_data_validate_and_save(sgx_enclave_id_t eid, DataUploadResult* retval, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata) +sgx_status_t rtc_data_validate_and_save(sgx_enclave_id_t eid, DataUploadResult* retval, sgx_enclave_id_t auth_enclave_id, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata) { sgx_status_t status; ms_validate_and_save_t ms; + ms.ms_auth_enclave_id = auth_enclave_id; ms.ms_payload_ptr = payload_ptr; ms.ms_payload_len = payload_len; ms.ms_metadata = metadata; diff --git a/codegen/data_enclave/rtc_data_u.h b/codegen/data_enclave/rtc_data_u.h index 5468e32d..76ec767c 100644 --- a/codegen/data_enclave/rtc_data_u.h +++ b/codegen/data_enclave/rtc_data_u.h @@ -27,6 +27,10 @@ extern "C" { #endif +#ifndef RTC_SAVE_ACCESS_KEY_U_DEFINED__ +#define RTC_SAVE_ACCESS_KEY_U_DEFINED__ +SetAccessKeyResult SGX_UBRIDGE(SGX_NOCONVENTION, rtc_save_access_key_u, (sgx_enclave_id_t auth_enclave_id, SetAccessKeyEncryptedRequest encrypted_request)); +#endif #ifndef RTC_SAVE_SEALED_BLOB_U_DEFINED__ #define RTC_SAVE_SEALED_BLOB_U_DEFINED__ sgx_status_t SGX_UBRIDGE(SGX_NOCONVENTION, rtc_save_sealed_blob_u, (const uint8_t* blob_ptr, size_t blob_len, uint8_t uuid[16])); @@ -325,7 +329,7 @@ sgx_status_t SGX_UBRIDGE(SGX_NOCONVENTION, rtc_end_session_u, (sgx_enclave_id_t #endif sgx_status_t rtc_data_enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report); -sgx_status_t rtc_data_validate_and_save(sgx_enclave_id_t eid, DataUploadResult* retval, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); +sgx_status_t rtc_data_validate_and_save(sgx_enclave_id_t eid, DataUploadResult* retval, sgx_enclave_id_t auth_enclave_id, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); sgx_status_t rtc_data_local_attestation(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t rtc_local_attestation); sgx_status_t rtc_data_t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len); sgx_status_t rtc_data_t_global_exit_ecall(sgx_enclave_id_t eid); diff --git a/rtc_data_enclave/rtc_data.edl b/rtc_data_enclave/rtc_data.edl index e57a9598..c7d3d2f6 100644 --- a/rtc_data_enclave/rtc_data.edl +++ b/rtc_data_enclave/rtc_data.edl @@ -20,13 +20,24 @@ enclave { [out, isary]EnclaveHeldData enclave_data, [out]sgx_report_t* p_report); - public DataUploadResult validate_and_save([in, count=payload_len]const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); + public DataUploadResult validate_and_save( + sgx_enclave_id_t auth_enclave_id, + [in, count=payload_len]const uint8_t* payload_ptr, + size_t payload_len, + UploadMetadata metadata + ); + public sgx_status_t local_attestation(sgx_enclave_id_t rtc_local_attestation); }; untrusted { /* define OCALLs here. */ + SetAccessKeyResult rtc_save_access_key_u( + sgx_enclave_id_t auth_enclave_id, + SetAccessKeyEncryptedRequest encrypted_request + ); + sgx_status_t rtc_save_sealed_blob_u([in, count=blob_len]const uint8_t* blob_ptr, size_t blob_len,[in]uint8_t uuid[16]); }; }; diff --git a/rtc_data_enclave/src/lib.rs b/rtc_data_enclave/src/lib.rs index f6e047dc..a9e0f536 100644 --- a/rtc_data_enclave/src/lib.rs +++ b/rtc_data_enclave/src/lib.rs @@ -19,6 +19,7 @@ use std::prelude::v1::*; #[allow(unused_imports)] // for ECALL linking use rtc_tenclave::enclave::enclave_create_report; +use rtc_types::enclave_messages::set_access_key; use rtc_types::*; use sgx_types::*; @@ -29,6 +30,7 @@ use sgx_types::*; /// length `payload_len` #[no_mangle] pub unsafe extern "C" fn validate_and_save( + #[allow(unused)] auth_enclave_id: sgx_enclave_id_t, // TODO: pass to validate_and_seal payload_ptr: *const u8, payload_len: usize, metadata: UploadMetadata, @@ -41,6 +43,20 @@ pub unsafe extern "C" fn validate_and_save( Err(err) => return EcallResult::Err(err), }; + // TODO: Get access key request data from validate_and_seal? + let request = set_access_key::Request { + uuid: Default::default(), + access_key: Default::default(), + unsealed_size: Default::default(), + }; + let response = match ocalls::save_access_key(auth_enclave_id, request) { + Ok(response) => response, + Err(err) => return EcallResult::Err(DataUploadError::SaveAccessKeySealingError(err)), + }; + if !response.success { + return EcallResult::Err(DataUploadError::SaveAccessKeyFailed); + } + match ocalls::save_sealed_blob_u(sealed.sealed_data, sealed.uuid) { sgx_status_t::SGX_SUCCESS => EcallResult::Ok(sealed.client_payload.into()), err => EcallResult::Err(DataUploadError::Sealing(err)), diff --git a/rtc_data_enclave/src/ocalls/mod.rs b/rtc_data_enclave/src/ocalls/mod.rs new file mode 100644 index 00000000..3f20610b --- /dev/null +++ b/rtc_data_enclave/src/ocalls/mod.rs @@ -0,0 +1,9 @@ +//! OCALL definitions + +mod save_access_key_impl; +mod save_sealed_blob_impl; + +// Re-export the OCALL entry points we're interested in: + +pub(crate) use save_access_key_impl::save_access_key; +pub(crate) use save_sealed_blob_impl::save_sealed_blob_u; diff --git a/rtc_data_enclave/src/ocalls/save_access_key_impl.rs b/rtc_data_enclave/src/ocalls/save_access_key_impl.rs new file mode 100644 index 00000000..c4182e40 --- /dev/null +++ b/rtc_data_enclave/src/ocalls/save_access_key_impl.rs @@ -0,0 +1,77 @@ +//! OCALL definition: `save_access_key` (`rtc_save_access_key_u`) +//! +//! This call is responsible for establishing a protected channel with the auth enclave, +//! and relaying the sealed exchange with the auth enclave's `save_access_key` ECALL. + +use rtc_tenclave::dh::{dh_sessions, sealing, DhSessions, ProtectedChannel}; +use rtc_types::enclave_messages::errors::SealingError; +pub use rtc_types::enclave_messages::ffi_set_access_key::SetAccessKeyEncryptedRequest; +use rtc_types::enclave_messages::{ffi_set_access_key, set_access_key}; +use rtc_types::EcallResult; +use sgx_tstd::enclave::get_enclave_id; +use sgx_types::{sgx_enclave_id_t, sgx_status_t}; + +// Handle protected channel establishment +pub(crate) fn save_access_key( + auth_enclave_id: sgx_enclave_id_t, + request: set_access_key::Request, +) -> Result { + let sessions: &DhSessions<_, _> = dh_sessions(); + sessions.with_acquire_new_or_established(auth_enclave_id, |channel| { + save_access_key_sealing(auth_enclave_id, channel, request) + })? +} + +// Handle message sealing +fn save_access_key_sealing( + auth_enclave_id: sgx_enclave_id_t, + channel: &mut ProtectedChannel, + request: set_access_key::Request, +) -> Result { + let sending_enclave_id: sgx_enclave_id_t = get_enclave_id(); + + // Seal the request + let encrypted_request = + sealing::rkyv_seal_associated(channel, &request, &sending_enclave_id).unwrap(); + + // Exchange with the auth enclave + let encrypted_response = save_access_key_ffi(auth_enclave_id, encrypted_request)?; + + // Unseal the response + let response = + unsafe { sealing::rkyv_unseal::(channel, encrypted_response) }?; + Ok(response) +} + +/// Handle converting between the [`ffi_set_access_key`] and [`set_access_key`] types. +fn save_access_key_ffi( + auth_enclave_id: sgx_enclave_id_t, + encrypted_request: set_access_key::EncryptedRequest, +) -> set_access_key::SetAccessKeyResult { + let ffi_encrypted_request = encrypted_request.into(); + let ffi_result = save_access_key_u(auth_enclave_id, ffi_encrypted_request); + ffi_result.into() +} + +// Handle call +fn save_access_key_u( + auth_enclave_id: sgx_enclave_id_t, + encrypted_request: ffi_set_access_key::SetAccessKeyEncryptedRequest, +) -> ffi_set_access_key::SetAccessKeyResult { + let mut retval = ffi_set_access_key::SetAccessKeyResult::default(); + + // Safety: Copies ffi_set_access_key::SetAccessKeyResult into retval, + // but only valid for sgx_status_t::SGX_SUCCESS. + match unsafe { rtc_save_access_key_u(&mut retval, auth_enclave_id, encrypted_request) } { + sgx_status_t::SGX_SUCCESS => retval, + status_err => EcallResult::Err(status_err.into()), + } +} + +extern "C" { + fn rtc_save_access_key_u( + retval: *mut ffi_set_access_key::SetAccessKeyResult, + auth_enclave_id: sgx_enclave_id_t, + request: ffi_set_access_key::SetAccessKeyEncryptedRequest, + ) -> sgx_status_t; +} diff --git a/rtc_data_enclave/src/ocalls.rs b/rtc_data_enclave/src/ocalls/save_sealed_blob_impl.rs similarity index 89% rename from rtc_data_enclave/src/ocalls.rs rename to rtc_data_enclave/src/ocalls/save_sealed_blob_impl.rs index 69ebb93b..0d930d9c 100644 --- a/rtc_data_enclave/src/ocalls.rs +++ b/rtc_data_enclave/src/ocalls/save_sealed_blob_impl.rs @@ -1,6 +1,8 @@ +//! OCALL definition: `save_sealed_blob_u` (`rtc_save_sealed_blob_u`) + use std::boxed::Box; -use sgx_types::*; +use sgx_types::sgx_status_t; use uuid::Uuid; extern "C" { diff --git a/rtc_data_service/src/data_upload/message.rs b/rtc_data_service/src/data_upload/message.rs index a591ade4..7064ee2e 100644 --- a/rtc_data_service/src/data_upload/message.rs +++ b/rtc_data_service/src/data_upload/message.rs @@ -30,7 +30,10 @@ impl Handler for DataEnclaveActor { type Result = ::Result; fn handle(&mut self, msg: DataUploadMessage, _ctx: &mut Self::Context) -> Self::Result { - self.get_enclave() - .upload_data(&msg.request.payload, msg.request.metadata) + self.get_enclave().upload_data( + msg.auth_enclave_id, + &msg.request.payload, + msg.request.metadata, + ) } } diff --git a/rtc_data_service/tests/web_api/data_upload.rs b/rtc_data_service/tests/web_api/data_upload.rs index 276ff54f..96a5b633 100644 --- a/rtc_data_service/tests/web_api/data_upload.rs +++ b/rtc_data_service/tests/web_api/data_upload.rs @@ -3,7 +3,8 @@ use std::convert::TryInto; use std::path::Path; -use actix_web::test; +use actix_web::web::Bytes; +use actix_web::{http, test}; use rtc_data_service::data_upload::models; use sgx_types::sgx_target_info_t; use uuid::Uuid; @@ -57,10 +58,17 @@ async fn data_service_data_upload_ok() { .to_request(); let resp = test::call_service(&app, req).await; + let status: http::StatusCode = resp.status(); + let body: Bytes = test::read_body(resp).await; + + assert!( + status.is_success(), + "status = {}, body = {:?}", + status, + body + ); - assert!(resp.status().is_success()); - - let body: models::ResponseBody = serde_json::from_slice(&test::read_body(resp).await).unwrap(); + let body: models::ResponseBody = serde_json::from_slice(&body).unwrap(); // NOTE: re-add padding since sodalite supports the C-style nacl api let mut m = vec![0_u8; body.ciphertext.len() + CRYPTO_BOX_BOXZEROBYTES]; diff --git a/rtc_types/src/data_upload.rs b/rtc_types/src/data_upload.rs index b21f6f39..69c5f408 100644 --- a/rtc_types/src/data_upload.rs +++ b/rtc_types/src/data_upload.rs @@ -2,16 +2,25 @@ use thiserror; use thiserror::Error; use super::*; +use crate::enclave_messages::errors::SealingError; #[repr(C)] #[derive(Copy, Clone, PartialEq, Eq, Ord, PartialOrd, Debug, Error)] pub enum DataUploadError { #[error("Data validation failed")] Validation, - #[error("Data sealing failed: {}", .0)] + + #[error("Data sealing failed: {0}")] Sealing(sgx_status_t), - #[error("Crypto failed: {}", .0)] + + #[error("Crypto failed: {0}")] Crypto(#[from] CryptoError), + + #[error("save_access_key OCALL sealing error: {0}")] + SaveAccessKeySealingError(SealingError), + + #[error("save_access_key OCALL failed")] + SaveAccessKeyFailed, } #[repr(C)] diff --git a/rtc_types/src/enclave_messages/errors.rs b/rtc_types/src/enclave_messages/errors.rs index 71553c74..1dac639e 100644 --- a/rtc_types/src/enclave_messages/errors.rs +++ b/rtc_types/src/enclave_messages/errors.rs @@ -9,7 +9,7 @@ use thiserror::Error; /// Failed to acquire session / protected channel. /// /// See: `rtc_tenclave::dh::sessions::DhSessions` -#[derive(Debug, PartialEq)] // core +#[derive(Copy, Clone, PartialEq, Eq, Ord, PartialOrd, Debug)] // core #[derive(Error)] // thiserror #[repr(C)] pub enum AcquireSessionError { @@ -39,7 +39,7 @@ impl From for AcquireSessionError { } } -#[derive(Debug)] // core +#[derive(Copy, Clone, PartialEq, Eq, Ord, PartialOrd, Debug)] // core #[derive(Error)] // thiserror #[repr(C)] pub enum SealingError { diff --git a/rtc_uenclave/data-ocalls/src/lib.rs b/rtc_uenclave/data-ocalls/src/lib.rs index 56d57e62..7c403028 100644 --- a/rtc_uenclave/data-ocalls/src/lib.rs +++ b/rtc_uenclave/data-ocalls/src/lib.rs @@ -1,65 +1,4 @@ #![deny(unsafe_op_in_unsafe_fn)] -use std::fs::OpenOptions; -use std::io::Write; -use std::{fs, slice}; - -use sgx_types::*; -use uuid::Uuid; - -/// Saves a blob of data received from the enclave -/// -/// Safety: -/// Caller needs to ensure that the blob_ptr is valid for a slice of length `blob_len` -#[no_mangle] -pub unsafe extern "C" fn rtc_save_sealed_blob_u( - blob_ptr: *const u8, - blob_len: usize, - uuid: *const [u8; 16], -) -> sgx_status_t { - // Safety: SGX should copy a buffer of the correct size, and the pointer - // will be valid for a slice of length `blob_len` - let blob = unsafe { slice::from_raw_parts(blob_ptr, blob_len) }; - - // TODO: Replace this with Azure Blob storage. - let uuid = Uuid::from_bytes(unsafe { *uuid }); - if let Err(err) = save_sealed_blob_to_fs(uuid, blob) { - println!("rtc_save_sealed_blob_u: failed to save {:?}: {}", uuid, err); - return sgx_status_t::SGX_ERROR_UNEXPECTED; - }; - - sgx_status_t::SGX_SUCCESS -} - -/// Stop-gap helper: Save `blob` to the file system under `sealed_data/{uuid}`. -/// -/// If saving fails, just return a plain string error to report, for now. -/// -fn save_sealed_blob_to_fs(uuid: Uuid, blob: &[u8]) -> Result<(), String> { - // TODO: use some run time path for saving the data? (read path from a file next to execution or use env vars) - let data_dir = "sealed_data"; - fs::create_dir_all(data_dir) - .map_err(|err| format!("create_dir_all({:?}) failed: {:?}", data_dir, err))?; - - let data_file_path = format!("{}/{}", data_dir, uuid); - let mut data_file = OpenOptions::new() - // Abort if a data file already exists for this UUID. - .create_new(true) - .write(true) - .open(&data_file_path) - .map_err(|err| format!("open {:?} failed: {}", data_file_path, err))?; - - data_file - .write_all(blob) - .map_err(|err| format!("write_all to {:?} failed: {}", data_file, err))?; - - Ok(()) -} - -#[cfg(test)] -mod tests { - #[test] - fn it_works() { - assert_eq!(2 + 2, 4); - } -} +mod save_access_key; +mod save_sealed_blob; diff --git a/rtc_uenclave/data-ocalls/src/save_access_key.rs b/rtc_uenclave/data-ocalls/src/save_access_key.rs new file mode 100644 index 00000000..a6cc79e4 --- /dev/null +++ b/rtc_uenclave/data-ocalls/src/save_access_key.rs @@ -0,0 +1,11 @@ +//! OCALL definition: [`rtc_save_access_key_u`] + +use rtc_types::enclave_messages::ffi_set_access_key; + +#[no_mangle] +pub unsafe extern "C" fn rtc_save_access_key_u( + #[allow(unused)] // TODO + request: ffi_set_access_key::SetAccessKeyEncryptedRequest, +) -> ffi_set_access_key::SetAccessKeyResult { + todo!() +} diff --git a/rtc_uenclave/data-ocalls/src/save_sealed_blob.rs b/rtc_uenclave/data-ocalls/src/save_sealed_blob.rs new file mode 100644 index 00000000..4f2a66bd --- /dev/null +++ b/rtc_uenclave/data-ocalls/src/save_sealed_blob.rs @@ -0,0 +1,57 @@ +//! OCALL definition: [`rtc_save_sealed_blob_u`] + +use std::fs::OpenOptions; +use std::io::Write; +use std::{fs, slice}; + +use sgx_types::sgx_status_t; +use uuid::Uuid; + +/// Saves a blob of data received from the enclave +/// +/// Safety: +/// Caller needs to ensure that the blob_ptr is valid for a slice of length `blob_len` +#[no_mangle] +pub unsafe extern "C" fn rtc_save_sealed_blob_u( + blob_ptr: *const u8, + blob_len: usize, + uuid: *const [u8; 16], +) -> sgx_status_t { + // Safety: SGX should copy a buffer of the correct size, and the pointer + // will be valid for a slice of length `blob_len` + let blob = unsafe { slice::from_raw_parts(blob_ptr, blob_len) }; + + // TODO: Replace this with Azure Blob storage. + let uuid = Uuid::from_bytes(unsafe { *uuid }); + if let Err(err) = save_sealed_blob_to_fs(uuid, blob) { + println!("rtc_save_sealed_blob_u: failed to save {:?}: {}", uuid, err); + return sgx_status_t::SGX_ERROR_UNEXPECTED; + }; + + sgx_status_t::SGX_SUCCESS +} + +/// Stop-gap helper: Save `blob` to the file system under `sealed_data/{uuid}`. +/// +/// If saving fails, just return a plain string error to report, for now. +/// +fn save_sealed_blob_to_fs(uuid: Uuid, blob: &[u8]) -> Result<(), String> { + // TODO: use some run time path for saving the data? (read path from a file next to execution or use env vars) + let data_dir = "sealed_data"; + fs::create_dir_all(data_dir) + .map_err(|err| format!("create_dir_all({:?}) failed: {:?}", data_dir, err))?; + + let data_file_path = format!("{}/{}", data_dir, uuid); + let mut data_file = OpenOptions::new() + // Abort if a data file already exists for this UUID. + .create_new(true) + .write(true) + .open(&data_file_path) + .map_err(|err| format!("open {:?} failed: {}", data_file_path, err))?; + + data_file + .write_all(blob) + .map_err(|err| format!("write_all to {:?} failed: {}", data_file, err))?; + + Ok(()) +} diff --git a/rtc_uenclave/src/enclaves/rtc_data.rs b/rtc_uenclave/src/enclaves/rtc_data.rs index b9f92ba1..a31705e6 100644 --- a/rtc_uenclave/src/enclaves/rtc_data.rs +++ b/rtc_uenclave/src/enclaves/rtc_data.rs @@ -41,10 +41,11 @@ where /// uploaded data pub fn upload_data( &self, + auth_enclave_id: sgx_enclave_id_t, payload: &[u8], metadata: UploadMetadata, ) -> Result> { - ecalls::validate_and_save(self.0.geteid(), payload, metadata) + ecalls::validate_and_save(self.0.geteid(), auth_enclave_id, payload, metadata) } /// Issue a new execution token. @@ -84,6 +85,7 @@ pub mod ecalls { pub fn validate_and_save( eid: sgx_enclave_id_t, + auth_enclave_id: sgx_enclave_id_t, payload: &[u8], metadata: UploadMetadata, ) -> Result> { @@ -93,6 +95,7 @@ pub mod ecalls { ffi::rtc_data_validate_and_save( eid, &mut retval, + auth_enclave_id, payload.as_ptr(), payload.len(), metadata,