From 95157d6160a7cbb4dd8dc6dbaa82b7ece554aa0e Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Thu, 24 Jun 2021 18:27:32 +0200 Subject: [PATCH 01/14] data(rtc_data_enclave): add auth_enclave_id arg to validate_and_save ECALL --- codegen/data_enclave/rtc_data_t.c | 3 ++- codegen/data_enclave/rtc_data_t.h | 2 +- codegen/data_enclave/rtc_data_u.c | 4 +++- codegen/data_enclave/rtc_data_u.h | 2 +- rtc_data_enclave/rtc_data.edl | 8 +++++++- rtc_data_enclave/src/lib.rs | 1 + rtc_data_service/src/data_upload/message.rs | 7 +++++-- rtc_uenclave/src/enclaves/rtc_data.rs | 5 ++++- 8 files changed, 24 insertions(+), 8 deletions(-) diff --git a/codegen/data_enclave/rtc_data_t.c b/codegen/data_enclave/rtc_data_t.c index ed7493cd..51ef01f1 100644 --- a/codegen/data_enclave/rtc_data_t.c +++ b/codegen/data_enclave/rtc_data_t.c @@ -36,6 +36,7 @@ typedef struct ms_enclave_create_report_t { typedef struct ms_validate_and_save_t { DataUploadResult ms_retval; + sgx_enclave_id_t ms_auth_enclave_id; const uint8_t* ms_payload_ptr; size_t ms_payload_len; UploadMetadata ms_metadata; @@ -707,7 +708,7 @@ static sgx_status_t SGX_CDECL sgx_validate_and_save(void* pms) } - ms->ms_retval = validate_and_save((const uint8_t*)_in_payload_ptr, _tmp_payload_len, ms->ms_metadata); + ms->ms_retval = validate_and_save(ms->ms_auth_enclave_id, (const uint8_t*)_in_payload_ptr, _tmp_payload_len, ms->ms_metadata); err: if (_in_payload_ptr) free(_in_payload_ptr); diff --git a/codegen/data_enclave/rtc_data_t.h b/codegen/data_enclave/rtc_data_t.h index 775e5bb3..53e22bd8 100644 --- a/codegen/data_enclave/rtc_data_t.h +++ b/codegen/data_enclave/rtc_data_t.h @@ -27,7 +27,7 @@ extern "C" { #endif CreateReportResult enclave_create_report(const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report); -DataUploadResult validate_and_save(const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); +DataUploadResult validate_and_save(sgx_enclave_id_t auth_enclave_id, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); sgx_status_t local_attestation(sgx_enclave_id_t rtc_local_attestation); void t_global_init_ecall(uint64_t id, const uint8_t* path, size_t len); void t_global_exit_ecall(void); diff --git a/codegen/data_enclave/rtc_data_u.c b/codegen/data_enclave/rtc_data_u.c index 17d281bd..c10d3edc 100644 --- a/codegen/data_enclave/rtc_data_u.c +++ b/codegen/data_enclave/rtc_data_u.c @@ -10,6 +10,7 @@ typedef struct ms_enclave_create_report_t { typedef struct ms_validate_and_save_t { DataUploadResult ms_retval; + sgx_enclave_id_t ms_auth_enclave_id; const uint8_t* ms_payload_ptr; size_t ms_payload_len; UploadMetadata ms_metadata; @@ -1243,10 +1244,11 @@ sgx_status_t rtc_data_enclave_create_report(sgx_enclave_id_t eid, CreateReportRe return status; } -sgx_status_t rtc_data_validate_and_save(sgx_enclave_id_t eid, DataUploadResult* retval, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata) +sgx_status_t rtc_data_validate_and_save(sgx_enclave_id_t eid, DataUploadResult* retval, sgx_enclave_id_t auth_enclave_id, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata) { sgx_status_t status; ms_validate_and_save_t ms; + ms.ms_auth_enclave_id = auth_enclave_id; ms.ms_payload_ptr = payload_ptr; ms.ms_payload_len = payload_len; ms.ms_metadata = metadata; diff --git a/codegen/data_enclave/rtc_data_u.h b/codegen/data_enclave/rtc_data_u.h index 5468e32d..f8d29a4d 100644 --- a/codegen/data_enclave/rtc_data_u.h +++ b/codegen/data_enclave/rtc_data_u.h @@ -325,7 +325,7 @@ sgx_status_t SGX_UBRIDGE(SGX_NOCONVENTION, rtc_end_session_u, (sgx_enclave_id_t #endif sgx_status_t rtc_data_enclave_create_report(sgx_enclave_id_t eid, CreateReportResult* retval, const sgx_target_info_t* p_qe3_target, EnclaveHeldData enclave_data, sgx_report_t* p_report); -sgx_status_t rtc_data_validate_and_save(sgx_enclave_id_t eid, DataUploadResult* retval, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); +sgx_status_t rtc_data_validate_and_save(sgx_enclave_id_t eid, DataUploadResult* retval, sgx_enclave_id_t auth_enclave_id, const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); sgx_status_t rtc_data_local_attestation(sgx_enclave_id_t eid, sgx_status_t* retval, sgx_enclave_id_t rtc_local_attestation); sgx_status_t rtc_data_t_global_init_ecall(sgx_enclave_id_t eid, uint64_t id, const uint8_t* path, size_t len); sgx_status_t rtc_data_t_global_exit_ecall(sgx_enclave_id_t eid); diff --git a/rtc_data_enclave/rtc_data.edl b/rtc_data_enclave/rtc_data.edl index e57a9598..8c6799cf 100644 --- a/rtc_data_enclave/rtc_data.edl +++ b/rtc_data_enclave/rtc_data.edl @@ -20,7 +20,13 @@ enclave { [out, isary]EnclaveHeldData enclave_data, [out]sgx_report_t* p_report); - public DataUploadResult validate_and_save([in, count=payload_len]const uint8_t* payload_ptr, size_t payload_len, UploadMetadata metadata); + public DataUploadResult validate_and_save( + sgx_enclave_id_t auth_enclave_id, + [in, count=payload_len]const uint8_t* payload_ptr, + size_t payload_len, + UploadMetadata metadata + ); + public sgx_status_t local_attestation(sgx_enclave_id_t rtc_local_attestation); }; diff --git a/rtc_data_enclave/src/lib.rs b/rtc_data_enclave/src/lib.rs index f6e047dc..9db697eb 100644 --- a/rtc_data_enclave/src/lib.rs +++ b/rtc_data_enclave/src/lib.rs @@ -29,6 +29,7 @@ use sgx_types::*; /// length `payload_len` #[no_mangle] pub unsafe extern "C" fn validate_and_save( + #[allow(unused)] auth_enclave_id: sgx_enclave_id_t, // TODO: pass to validate_and_seal payload_ptr: *const u8, payload_len: usize, metadata: UploadMetadata, diff --git a/rtc_data_service/src/data_upload/message.rs b/rtc_data_service/src/data_upload/message.rs index a591ade4..7064ee2e 100644 --- a/rtc_data_service/src/data_upload/message.rs +++ b/rtc_data_service/src/data_upload/message.rs @@ -30,7 +30,10 @@ impl Handler for DataEnclaveActor { type Result = ::Result; fn handle(&mut self, msg: DataUploadMessage, _ctx: &mut Self::Context) -> Self::Result { - self.get_enclave() - .upload_data(&msg.request.payload, msg.request.metadata) + self.get_enclave().upload_data( + msg.auth_enclave_id, + &msg.request.payload, + msg.request.metadata, + ) } } diff --git a/rtc_uenclave/src/enclaves/rtc_data.rs b/rtc_uenclave/src/enclaves/rtc_data.rs index b9f92ba1..a31705e6 100644 --- a/rtc_uenclave/src/enclaves/rtc_data.rs +++ b/rtc_uenclave/src/enclaves/rtc_data.rs @@ -41,10 +41,11 @@ where /// uploaded data pub fn upload_data( &self, + auth_enclave_id: sgx_enclave_id_t, payload: &[u8], metadata: UploadMetadata, ) -> Result> { - ecalls::validate_and_save(self.0.geteid(), payload, metadata) + ecalls::validate_and_save(self.0.geteid(), auth_enclave_id, payload, metadata) } /// Issue a new execution token. @@ -84,6 +85,7 @@ pub mod ecalls { pub fn validate_and_save( eid: sgx_enclave_id_t, + auth_enclave_id: sgx_enclave_id_t, payload: &[u8], metadata: UploadMetadata, ) -> Result> { @@ -93,6 +95,7 @@ pub mod ecalls { ffi::rtc_data_validate_and_save( eid, &mut retval, + auth_enclave_id, payload.as_ptr(), payload.len(), metadata, From 6c82a14c219d079f77717262b0ce20329264355d Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Thu, 24 Jun 2021 15:37:34 +0200 Subject: [PATCH 02/14] refactor(rtc_data_enclave::ocalls): promote module to directory --- rtc_data_enclave/src/{ocalls.rs => ocalls/mod.rs} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rtc_data_enclave/src/{ocalls.rs => ocalls/mod.rs} (100%) diff --git a/rtc_data_enclave/src/ocalls.rs b/rtc_data_enclave/src/ocalls/mod.rs similarity index 100% rename from rtc_data_enclave/src/ocalls.rs rename to rtc_data_enclave/src/ocalls/mod.rs From 6479c9fcdf9b0251ab0f11e27d3a01306203873d Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Thu, 24 Jun 2021 15:54:35 +0200 Subject: [PATCH 03/14] refactor(rtc_data_enclave::ocalls): extract mod save_sealed_blob_impl --- rtc_data_enclave/src/ocalls/mod.rs | 35 +++--------------- .../src/ocalls/save_sealed_blob_impl.rs | 36 +++++++++++++++++++ 2 files changed, 40 insertions(+), 31 deletions(-) create mode 100644 rtc_data_enclave/src/ocalls/save_sealed_blob_impl.rs diff --git a/rtc_data_enclave/src/ocalls/mod.rs b/rtc_data_enclave/src/ocalls/mod.rs index 69ebb93b..0e3264e4 100644 --- a/rtc_data_enclave/src/ocalls/mod.rs +++ b/rtc_data_enclave/src/ocalls/mod.rs @@ -1,34 +1,7 @@ -use std::boxed::Box; +//! OCALL definitions -use sgx_types::*; -use uuid::Uuid; +mod save_sealed_blob_impl; -extern "C" { - // rtc_save_sealed_blob_u(sgx_status_t* retval, const uint8_t* blob_ptr, size_t blob_len); - fn rtc_save_sealed_blob_u( - retval: *mut sgx_status_t, - blob_ptr: *const u8, - blob_len: usize, - uuid: &[u8; 16], - ) -> sgx_status_t; -} +// Re-export the OCALL entry points we're interested in: -pub fn save_sealed_blob_u(blob: Box<[u8]>, uuid: Uuid) -> sgx_status_t { - let mut retval = sgx_status_t::default(); - let sgx_res = unsafe { - rtc_save_sealed_blob_u( - &mut retval as *mut _, - blob.as_ptr(), - blob.len(), - uuid.as_bytes(), - ) - }; - - if retval != sgx_status_t::SGX_SUCCESS { - retval - } else if sgx_res != sgx_status_t::SGX_SUCCESS { - sgx_res - } else { - sgx_status_t::SGX_SUCCESS - } -} +pub(crate) use save_sealed_blob_impl::save_sealed_blob_u; diff --git a/rtc_data_enclave/src/ocalls/save_sealed_blob_impl.rs b/rtc_data_enclave/src/ocalls/save_sealed_blob_impl.rs new file mode 100644 index 00000000..0d930d9c --- /dev/null +++ b/rtc_data_enclave/src/ocalls/save_sealed_blob_impl.rs @@ -0,0 +1,36 @@ +//! OCALL definition: `save_sealed_blob_u` (`rtc_save_sealed_blob_u`) + +use std::boxed::Box; + +use sgx_types::sgx_status_t; +use uuid::Uuid; + +extern "C" { + // rtc_save_sealed_blob_u(sgx_status_t* retval, const uint8_t* blob_ptr, size_t blob_len); + fn rtc_save_sealed_blob_u( + retval: *mut sgx_status_t, + blob_ptr: *const u8, + blob_len: usize, + uuid: &[u8; 16], + ) -> sgx_status_t; +} + +pub fn save_sealed_blob_u(blob: Box<[u8]>, uuid: Uuid) -> sgx_status_t { + let mut retval = sgx_status_t::default(); + let sgx_res = unsafe { + rtc_save_sealed_blob_u( + &mut retval as *mut _, + blob.as_ptr(), + blob.len(), + uuid.as_bytes(), + ) + }; + + if retval != sgx_status_t::SGX_SUCCESS { + retval + } else if sgx_res != sgx_status_t::SGX_SUCCESS { + sgx_res + } else { + sgx_status_t::SGX_SUCCESS + } +} From 9f323a19dbdf2a5c682f48d42e425144f48ec7f0 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Thu, 24 Jun 2021 17:27:05 +0200 Subject: [PATCH 04/14] chore(rtc_types::enclave_messages::errors): add derives to satisfy EcallResult --- rtc_types/src/enclave_messages/errors.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rtc_types/src/enclave_messages/errors.rs b/rtc_types/src/enclave_messages/errors.rs index 71553c74..1dac639e 100644 --- a/rtc_types/src/enclave_messages/errors.rs +++ b/rtc_types/src/enclave_messages/errors.rs @@ -9,7 +9,7 @@ use thiserror::Error; /// Failed to acquire session / protected channel. /// /// See: `rtc_tenclave::dh::sessions::DhSessions` -#[derive(Debug, PartialEq)] // core +#[derive(Copy, Clone, PartialEq, Eq, Ord, PartialOrd, Debug)] // core #[derive(Error)] // thiserror #[repr(C)] pub enum AcquireSessionError { @@ -39,7 +39,7 @@ impl From for AcquireSessionError { } } -#[derive(Debug)] // core +#[derive(Copy, Clone, PartialEq, Eq, Ord, PartialOrd, Debug)] // core #[derive(Error)] // thiserror #[repr(C)] pub enum SealingError { From a2fd1a0ee739f734660123b9b3d37ee74086d793 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Thu, 24 Jun 2021 17:33:06 +0200 Subject: [PATCH 05/14] feat(rtc_types::data_upload): enum DataUploadError: add SaveAccessKeySealingError, SaveAccessKeyFailed --- codegen/data_enclave/bindings.h | 49 +++++++++++++++++++++++++++++++++ rtc_types/src/data_upload.rs | 7 +++++ 2 files changed, 56 insertions(+) diff --git a/codegen/data_enclave/bindings.h b/codegen/data_enclave/bindings.h index 9c07553b..2004b86b 100644 --- a/codegen/data_enclave/bindings.h +++ b/codegen/data_enclave/bindings.h @@ -37,10 +37,56 @@ typedef struct CryptoError { }; } CryptoError; +/** + * Failed to acquire session / protected channel. + * + * See: `rtc_tenclave::dh::sessions::DhSessions` + */ +typedef enum AcquireSessionError_Tag { + /** + * This should generally be treated as an unrecoverable error. + */ + ACQUIRE_SESSION_ERROR_CHANNEL_MUTEX_POISONED, + ACQUIRE_SESSION_ERROR_NO_ACTIVE_SESSION, + ACQUIRE_SESSION_ERROR_SGX, +} AcquireSessionError_Tag; + +typedef struct AcquireSessionError { + AcquireSessionError_Tag tag; + union { + struct { + sgx_enclave_id_t no_active_session; + }; + struct { + sgx_status_t sgx; + }; + }; +} AcquireSessionError; + +typedef enum SealingError_Tag { + SEALING_ERROR_CHANNEL_NOT_FOUND, + SEALING_ERROR_RKYV_BUFFER_SERIALIZER_ERROR, + SEALING_ERROR_SGX, +} SealingError_Tag; + +typedef struct SealingError { + SealingError_Tag tag; + union { + struct { + struct AcquireSessionError channel_not_found; + }; + struct { + sgx_status_t sgx; + }; + }; +} SealingError; + typedef enum DataUploadError_Tag { DATA_UPLOAD_ERROR_VALIDATION, DATA_UPLOAD_ERROR_SEALING, DATA_UPLOAD_ERROR_CRYPTO, + DATA_UPLOAD_ERROR_SAVE_ACCESS_KEY_SEALING_ERROR, + DATA_UPLOAD_ERROR_SAVE_ACCESS_KEY_FAILED, } DataUploadError_Tag; typedef struct DataUploadError { @@ -52,6 +98,9 @@ typedef struct DataUploadError { struct { struct CryptoError crypto; }; + struct { + struct SealingError save_access_key_sealing_error; + }; }; } DataUploadError; diff --git a/rtc_types/src/data_upload.rs b/rtc_types/src/data_upload.rs index b21f6f39..4f1abbbf 100644 --- a/rtc_types/src/data_upload.rs +++ b/rtc_types/src/data_upload.rs @@ -2,6 +2,7 @@ use thiserror; use thiserror::Error; use super::*; +use crate::enclave_messages::errors::SealingError; #[repr(C)] #[derive(Copy, Clone, PartialEq, Eq, Ord, PartialOrd, Debug, Error)] @@ -12,6 +13,12 @@ pub enum DataUploadError { Sealing(sgx_status_t), #[error("Crypto failed: {}", .0)] Crypto(#[from] CryptoError), + + #[error("save_access_key OCALL sealing error: {0}")] + SaveAccessKeySealingError(SealingError), + + #[error("save_access_key OCALL failed")] + SaveAccessKeyFailed, } #[repr(C)] From 1e755a977693d190bff73c4520c14fa6f1b5bcae Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Thu, 24 Jun 2021 17:40:07 +0200 Subject: [PATCH 06/14] style(rtc_types::data_upload): whitespace --- rtc_types/src/data_upload.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rtc_types/src/data_upload.rs b/rtc_types/src/data_upload.rs index 4f1abbbf..9fd46019 100644 --- a/rtc_types/src/data_upload.rs +++ b/rtc_types/src/data_upload.rs @@ -9,8 +9,10 @@ use crate::enclave_messages::errors::SealingError; pub enum DataUploadError { #[error("Data validation failed")] Validation, + #[error("Data sealing failed: {}", .0)] Sealing(sgx_status_t), + #[error("Crypto failed: {}", .0)] Crypto(#[from] CryptoError), From caa24fbf955ff823756dbaadc08b67e506cb8896 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Thu, 24 Jun 2021 17:40:35 +0200 Subject: [PATCH 07/14] style(rtc_types::data_upload): error description formatting --- rtc_types/src/data_upload.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rtc_types/src/data_upload.rs b/rtc_types/src/data_upload.rs index 9fd46019..69c5f408 100644 --- a/rtc_types/src/data_upload.rs +++ b/rtc_types/src/data_upload.rs @@ -10,10 +10,10 @@ pub enum DataUploadError { #[error("Data validation failed")] Validation, - #[error("Data sealing failed: {}", .0)] + #[error("Data sealing failed: {0}")] Sealing(sgx_status_t), - #[error("Crypto failed: {}", .0)] + #[error("Crypto failed: {0}")] Crypto(#[from] CryptoError), #[error("save_access_key OCALL sealing error: {0}")] From 02aedb8cf9807b9fc585fad2e6a919551a25a2ac Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Wed, 7 Jul 2021 22:33:03 +0200 Subject: [PATCH 08/14] chore(rtc_uenclave/data-ocalls): drop template tests --- rtc_uenclave/data-ocalls/src/lib.rs | 8 -------- 1 file changed, 8 deletions(-) diff --git a/rtc_uenclave/data-ocalls/src/lib.rs b/rtc_uenclave/data-ocalls/src/lib.rs index 56d57e62..fccae20d 100644 --- a/rtc_uenclave/data-ocalls/src/lib.rs +++ b/rtc_uenclave/data-ocalls/src/lib.rs @@ -55,11 +55,3 @@ fn save_sealed_blob_to_fs(uuid: Uuid, blob: &[u8]) -> Result<(), String> { Ok(()) } - -#[cfg(test)] -mod tests { - #[test] - fn it_works() { - assert_eq!(2 + 2, 4); - } -} From 580c1aba40b669f904320e8d507d25262608a07a Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Wed, 7 Jul 2021 22:42:00 +0200 Subject: [PATCH 09/14] refactor(rtc_uenclave/data-ocalls::save_sealed_blob): extract module --- rtc_uenclave/data-ocalls/src/lib.rs | 56 +----------------- .../data-ocalls/src/save_sealed_blob.rs | 57 +++++++++++++++++++ 2 files changed, 58 insertions(+), 55 deletions(-) create mode 100644 rtc_uenclave/data-ocalls/src/save_sealed_blob.rs diff --git a/rtc_uenclave/data-ocalls/src/lib.rs b/rtc_uenclave/data-ocalls/src/lib.rs index fccae20d..d888485f 100644 --- a/rtc_uenclave/data-ocalls/src/lib.rs +++ b/rtc_uenclave/data-ocalls/src/lib.rs @@ -1,57 +1,3 @@ #![deny(unsafe_op_in_unsafe_fn)] -use std::fs::OpenOptions; -use std::io::Write; -use std::{fs, slice}; - -use sgx_types::*; -use uuid::Uuid; - -/// Saves a blob of data received from the enclave -/// -/// Safety: -/// Caller needs to ensure that the blob_ptr is valid for a slice of length `blob_len` -#[no_mangle] -pub unsafe extern "C" fn rtc_save_sealed_blob_u( - blob_ptr: *const u8, - blob_len: usize, - uuid: *const [u8; 16], -) -> sgx_status_t { - // Safety: SGX should copy a buffer of the correct size, and the pointer - // will be valid for a slice of length `blob_len` - let blob = unsafe { slice::from_raw_parts(blob_ptr, blob_len) }; - - // TODO: Replace this with Azure Blob storage. - let uuid = Uuid::from_bytes(unsafe { *uuid }); - if let Err(err) = save_sealed_blob_to_fs(uuid, blob) { - println!("rtc_save_sealed_blob_u: failed to save {:?}: {}", uuid, err); - return sgx_status_t::SGX_ERROR_UNEXPECTED; - }; - - sgx_status_t::SGX_SUCCESS -} - -/// Stop-gap helper: Save `blob` to the file system under `sealed_data/{uuid}`. -/// -/// If saving fails, just return a plain string error to report, for now. -/// -fn save_sealed_blob_to_fs(uuid: Uuid, blob: &[u8]) -> Result<(), String> { - // TODO: use some run time path for saving the data? (read path from a file next to execution or use env vars) - let data_dir = "sealed_data"; - fs::create_dir_all(data_dir) - .map_err(|err| format!("create_dir_all({:?}) failed: {:?}", data_dir, err))?; - - let data_file_path = format!("{}/{}", data_dir, uuid); - let mut data_file = OpenOptions::new() - // Abort if a data file already exists for this UUID. - .create_new(true) - .write(true) - .open(&data_file_path) - .map_err(|err| format!("open {:?} failed: {}", data_file_path, err))?; - - data_file - .write_all(blob) - .map_err(|err| format!("write_all to {:?} failed: {}", data_file, err))?; - - Ok(()) -} +mod save_sealed_blob; diff --git a/rtc_uenclave/data-ocalls/src/save_sealed_blob.rs b/rtc_uenclave/data-ocalls/src/save_sealed_blob.rs new file mode 100644 index 00000000..4f2a66bd --- /dev/null +++ b/rtc_uenclave/data-ocalls/src/save_sealed_blob.rs @@ -0,0 +1,57 @@ +//! OCALL definition: [`rtc_save_sealed_blob_u`] + +use std::fs::OpenOptions; +use std::io::Write; +use std::{fs, slice}; + +use sgx_types::sgx_status_t; +use uuid::Uuid; + +/// Saves a blob of data received from the enclave +/// +/// Safety: +/// Caller needs to ensure that the blob_ptr is valid for a slice of length `blob_len` +#[no_mangle] +pub unsafe extern "C" fn rtc_save_sealed_blob_u( + blob_ptr: *const u8, + blob_len: usize, + uuid: *const [u8; 16], +) -> sgx_status_t { + // Safety: SGX should copy a buffer of the correct size, and the pointer + // will be valid for a slice of length `blob_len` + let blob = unsafe { slice::from_raw_parts(blob_ptr, blob_len) }; + + // TODO: Replace this with Azure Blob storage. + let uuid = Uuid::from_bytes(unsafe { *uuid }); + if let Err(err) = save_sealed_blob_to_fs(uuid, blob) { + println!("rtc_save_sealed_blob_u: failed to save {:?}: {}", uuid, err); + return sgx_status_t::SGX_ERROR_UNEXPECTED; + }; + + sgx_status_t::SGX_SUCCESS +} + +/// Stop-gap helper: Save `blob` to the file system under `sealed_data/{uuid}`. +/// +/// If saving fails, just return a plain string error to report, for now. +/// +fn save_sealed_blob_to_fs(uuid: Uuid, blob: &[u8]) -> Result<(), String> { + // TODO: use some run time path for saving the data? (read path from a file next to execution or use env vars) + let data_dir = "sealed_data"; + fs::create_dir_all(data_dir) + .map_err(|err| format!("create_dir_all({:?}) failed: {:?}", data_dir, err))?; + + let data_file_path = format!("{}/{}", data_dir, uuid); + let mut data_file = OpenOptions::new() + // Abort if a data file already exists for this UUID. + .create_new(true) + .write(true) + .open(&data_file_path) + .map_err(|err| format!("open {:?} failed: {}", data_file_path, err))?; + + data_file + .write_all(blob) + .map_err(|err| format!("write_all to {:?} failed: {}", data_file, err))?; + + Ok(()) +} From 1150e9190e61067d8ffcbd6a28bbe24a0628cdd8 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Thu, 8 Jul 2021 00:18:45 +0200 Subject: [PATCH 10/14] refactor(rtc_uenclave/data-ocalls::save_access_key): add stub for rtc_save_access_key_u --- rtc_uenclave/data-ocalls/src/lib.rs | 1 + rtc_uenclave/data-ocalls/src/save_access_key.rs | 11 +++++++++++ 2 files changed, 12 insertions(+) create mode 100644 rtc_uenclave/data-ocalls/src/save_access_key.rs diff --git a/rtc_uenclave/data-ocalls/src/lib.rs b/rtc_uenclave/data-ocalls/src/lib.rs index d888485f..7c403028 100644 --- a/rtc_uenclave/data-ocalls/src/lib.rs +++ b/rtc_uenclave/data-ocalls/src/lib.rs @@ -1,3 +1,4 @@ #![deny(unsafe_op_in_unsafe_fn)] +mod save_access_key; mod save_sealed_blob; diff --git a/rtc_uenclave/data-ocalls/src/save_access_key.rs b/rtc_uenclave/data-ocalls/src/save_access_key.rs new file mode 100644 index 00000000..a6cc79e4 --- /dev/null +++ b/rtc_uenclave/data-ocalls/src/save_access_key.rs @@ -0,0 +1,11 @@ +//! OCALL definition: [`rtc_save_access_key_u`] + +use rtc_types::enclave_messages::ffi_set_access_key; + +#[no_mangle] +pub unsafe extern "C" fn rtc_save_access_key_u( + #[allow(unused)] // TODO + request: ffi_set_access_key::SetAccessKeyEncryptedRequest, +) -> ffi_set_access_key::SetAccessKeyResult { + todo!() +} From 291065fabad72848d0bd2affeef8c0b8fa99468a Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Thu, 24 Jun 2021 18:28:04 +0200 Subject: [PATCH 11/14] feat(rtc_data_enclave): add rtc_save_access_key_u OCALL definition and stub --- codegen/data_enclave/bindings.h | 38 ++++ codegen/data_enclave/rtc_data_t.c | 188 +++++++++++------- codegen/data_enclave/rtc_data_t.h | 1 + codegen/data_enclave/rtc_data_u.c | 19 +- codegen/data_enclave/rtc_data_u.h | 4 + rtc_data_enclave/rtc_data.edl | 5 + rtc_data_enclave/src/ocalls/mod.rs | 1 + .../src/ocalls/save_access_key_impl.rs | 16 ++ 8 files changed, 194 insertions(+), 78 deletions(-) create mode 100644 rtc_data_enclave/src/ocalls/save_access_key_impl.rs diff --git a/codegen/data_enclave/bindings.h b/codegen/data_enclave/bindings.h index 2004b86b..1928c0a4 100644 --- a/codegen/data_enclave/bindings.h +++ b/codegen/data_enclave/bindings.h @@ -131,6 +131,44 @@ typedef struct UploadMetadata { uint8_t nonce[24]; } UploadMetadata; +typedef uint8_t RecommendedAesGcmIv[12]; + +typedef struct SetAccessKeyEncryptedResponse { + sgx_aes_gcm_128bit_tag_t tag; + uint8_t ciphertext[SET_ACCESS_KEY_RESPONSE_SIZE]; + uint8_t aad[0]; + RecommendedAesGcmIv nonce; +} SetAccessKeyEncryptedResponse; + +/** + * FFI safe result type that can be converted to and from a rust result. + */ +typedef enum EcallResult_SetAccessKeyEncryptedResponse__SealingError_Tag { + ECALL_RESULT_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR_OK_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR, + ECALL_RESULT_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR_ERR_SET_ACCESS_KEY_ENCRYPTED_RESPONSE_SEALING_ERROR, +} EcallResult_SetAccessKeyEncryptedResponse__SealingError_Tag; + +typedef struct EcallResult_SetAccessKeyEncryptedResponse__SealingError { + EcallResult_SetAccessKeyEncryptedResponse__SealingError_Tag tag; + union { + struct { + struct SetAccessKeyEncryptedResponse ok; + }; + struct { + struct SealingError err; + }; + }; +} EcallResult_SetAccessKeyEncryptedResponse__SealingError; + +typedef struct EcallResult_SetAccessKeyEncryptedResponse__SealingError SetAccessKeyResult; + +typedef struct SetAccessKeyEncryptedRequest { + sgx_aes_gcm_128bit_tag_t tag; + uint8_t ciphertext[SET_ACCESS_KEY_REQUEST_SIZE]; + uint8_t aad[ARCHIVED_ENCLAVE_ID_SIZE]; + RecommendedAesGcmIv nonce; +} SetAccessKeyEncryptedRequest; + /** * FFI safe result type that can be converted to and from a rust result. */ diff --git a/codegen/data_enclave/rtc_data_t.c b/codegen/data_enclave/rtc_data_t.c index 51ef01f1..9aff5901 100644 --- a/codegen/data_enclave/rtc_data_t.c +++ b/codegen/data_enclave/rtc_data_t.c @@ -69,6 +69,12 @@ typedef struct ms_end_session_t { sgx_enclave_id_t ms_src_enclave_id; } ms_end_session_t; +typedef struct ms_rtc_save_access_key_u_t { + SetAccessKeyResult ms_retval; + sgx_enclave_id_t ms_auth_enclave_id; + SetAccessKeyEncryptedRequest ms_encrypted_request; +} ms_rtc_save_access_key_u_t; + typedef struct ms_rtc_save_sealed_blob_u_t { sgx_status_t ms_retval; const uint8_t* ms_blob_ptr; @@ -884,9 +890,9 @@ SGX_EXTERNC const struct { SGX_EXTERNC const struct { size_t nr_ocall; - uint8_t entry_table[74][8]; + uint8_t entry_table[75][8]; } g_dyn_entry_table = { - 74, + 75, { {0, 0, 0, 0, 0, 0, 0, 0, }, {0, 0, 0, 0, 0, 0, 0, 0, }, @@ -962,10 +968,40 @@ SGX_EXTERNC const struct { {0, 0, 0, 0, 0, 0, 0, 0, }, {0, 0, 0, 0, 0, 0, 0, 0, }, {0, 0, 0, 0, 0, 0, 0, 0, }, + {0, 0, 0, 0, 0, 0, 0, 0, }, } }; +sgx_status_t SGX_CDECL rtc_save_access_key_u(SetAccessKeyResult* retval, sgx_enclave_id_t auth_enclave_id, SetAccessKeyEncryptedRequest encrypted_request) +{ + sgx_status_t status = SGX_SUCCESS; + + ms_rtc_save_access_key_u_t* ms = NULL; + size_t ocalloc_size = sizeof(ms_rtc_save_access_key_u_t); + void *__tmp = NULL; + + + __tmp = sgx_ocalloc(ocalloc_size); + if (__tmp == NULL) { + sgx_ocfree(); + return SGX_ERROR_UNEXPECTED; + } + ms = (ms_rtc_save_access_key_u_t*)__tmp; + __tmp = (void *)((size_t)__tmp + sizeof(ms_rtc_save_access_key_u_t)); + ocalloc_size -= sizeof(ms_rtc_save_access_key_u_t); + + ms->ms_auth_enclave_id = auth_enclave_id; + ms->ms_encrypted_request = encrypted_request; + status = sgx_ocall(0, ms); + + if (status == SGX_SUCCESS) { + if (retval) *retval = ms->ms_retval; + } + sgx_ocfree(); + return status; +} + sgx_status_t SGX_CDECL rtc_save_sealed_blob_u(sgx_status_t* retval, const uint8_t* blob_ptr, size_t blob_len, uint8_t uuid[16]) { sgx_status_t status = SGX_SUCCESS; @@ -1027,7 +1063,7 @@ sgx_status_t SGX_CDECL rtc_save_sealed_blob_u(sgx_status_t* retval, const uint8_ ms->ms_uuid = NULL; } - status = sgx_ocall(0, ms); + status = sgx_ocall(1, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1076,7 +1112,7 @@ sgx_status_t SGX_CDECL u_thread_set_event_ocall(int* retval, int* error, const v } ms->ms_tcs = tcs; - status = sgx_ocall(1, ms); + status = sgx_ocall(2, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1147,7 +1183,7 @@ sgx_status_t SGX_CDECL u_thread_wait_event_ocall(int* retval, int* error, const ms->ms_timeout = NULL; } - status = sgx_ocall(2, ms); + status = sgx_ocall(3, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1222,7 +1258,7 @@ sgx_status_t SGX_CDECL u_thread_set_multiple_events_ocall(int* retval, int* erro } ms->ms_total = total; - status = sgx_ocall(3, ms); + status = sgx_ocall(4, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1294,7 +1330,7 @@ sgx_status_t SGX_CDECL u_thread_setwait_events_ocall(int* retval, int* error, co ms->ms_timeout = NULL; } - status = sgx_ocall(4, ms); + status = sgx_ocall(5, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1364,7 +1400,7 @@ sgx_status_t SGX_CDECL u_clock_gettime_ocall(int* retval, int* error, int clk_id ms->ms_tp = NULL; } - status = sgx_ocall(5, ms); + status = sgx_ocall(6, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1427,7 +1463,7 @@ sgx_status_t SGX_CDECL u_read_ocall(size_t* retval, int* error, int fd, void* bu ms->ms_fd = fd; ms->ms_buf = buf; ms->ms_count = count; - status = sgx_ocall(6, ms); + status = sgx_ocall(7, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1485,7 +1521,7 @@ sgx_status_t SGX_CDECL u_pread64_ocall(size_t* retval, int* error, int fd, void* ms->ms_buf = buf; ms->ms_count = count; ms->ms_offset = offset; - status = sgx_ocall(7, ms); + status = sgx_ocall(8, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1557,7 +1593,7 @@ sgx_status_t SGX_CDECL u_readv_ocall(size_t* retval, int* error, int fd, const s } ms->ms_iovcnt = iovcnt; - status = sgx_ocall(8, ms); + status = sgx_ocall(9, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1630,7 +1666,7 @@ sgx_status_t SGX_CDECL u_preadv64_ocall(size_t* retval, int* error, int fd, cons ms->ms_iovcnt = iovcnt; ms->ms_offset = offset; - status = sgx_ocall(9, ms); + status = sgx_ocall(10, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1687,7 +1723,7 @@ sgx_status_t SGX_CDECL u_write_ocall(size_t* retval, int* error, int fd, const v ms->ms_fd = fd; ms->ms_buf = buf; ms->ms_count = count; - status = sgx_ocall(10, ms); + status = sgx_ocall(11, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1745,7 +1781,7 @@ sgx_status_t SGX_CDECL u_pwrite64_ocall(size_t* retval, int* error, int fd, cons ms->ms_buf = buf; ms->ms_count = count; ms->ms_offset = offset; - status = sgx_ocall(11, ms); + status = sgx_ocall(12, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1817,7 +1853,7 @@ sgx_status_t SGX_CDECL u_writev_ocall(size_t* retval, int* error, int fd, const } ms->ms_iovcnt = iovcnt; - status = sgx_ocall(12, ms); + status = sgx_ocall(13, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1890,7 +1926,7 @@ sgx_status_t SGX_CDECL u_pwritev64_ocall(size_t* retval, int* error, int fd, con ms->ms_iovcnt = iovcnt; ms->ms_offset = offset; - status = sgx_ocall(13, ms); + status = sgx_ocall(14, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -1946,7 +1982,7 @@ sgx_status_t SGX_CDECL u_fcntl_arg0_ocall(int* retval, int* error, int fd, int c ms->ms_fd = fd; ms->ms_cmd = cmd; - status = sgx_ocall(14, ms); + status = sgx_ocall(15, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2003,7 +2039,7 @@ sgx_status_t SGX_CDECL u_fcntl_arg1_ocall(int* retval, int* error, int fd, int c ms->ms_fd = fd; ms->ms_cmd = cmd; ms->ms_arg = arg; - status = sgx_ocall(15, ms); + status = sgx_ocall(16, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2059,7 +2095,7 @@ sgx_status_t SGX_CDECL u_ioctl_arg0_ocall(int* retval, int* error, int fd, int r ms->ms_fd = fd; ms->ms_request = request; - status = sgx_ocall(16, ms); + status = sgx_ocall(17, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2137,7 +2173,7 @@ sgx_status_t SGX_CDECL u_ioctl_arg1_ocall(int* retval, int* error, int fd, int r ms->ms_arg = NULL; } - status = sgx_ocall(17, ms); + status = sgx_ocall(18, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2198,7 +2234,7 @@ sgx_status_t SGX_CDECL u_close_ocall(int* retval, int* error, int fd) } ms->ms_fd = fd; - status = sgx_ocall(18, ms); + status = sgx_ocall(19, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2253,7 +2289,7 @@ sgx_status_t SGX_CDECL u_malloc_ocall(void** retval, int* error, size_t size) } ms->ms_size = size; - status = sgx_ocall(19, ms); + status = sgx_ocall(20, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2287,7 +2323,7 @@ sgx_status_t SGX_CDECL u_free_ocall(void* p) ocalloc_size -= sizeof(ms_u_free_ocall_t); ms->ms_p = p; - status = sgx_ocall(20, ms); + status = sgx_ocall(21, ms); if (status == SGX_SUCCESS) { } @@ -2340,7 +2376,7 @@ sgx_status_t SGX_CDECL u_mmap_ocall(void** retval, int* error, void* start, size ms->ms_flags = flags; ms->ms_fd = fd; ms->ms_offset = offset; - status = sgx_ocall(21, ms); + status = sgx_ocall(22, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2396,7 +2432,7 @@ sgx_status_t SGX_CDECL u_munmap_ocall(int* retval, int* error, void* start, size ms->ms_start = start; ms->ms_length = length; - status = sgx_ocall(22, ms); + status = sgx_ocall(23, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2453,7 +2489,7 @@ sgx_status_t SGX_CDECL u_msync_ocall(int* retval, int* error, void* addr, size_t ms->ms_addr = addr; ms->ms_length = length; ms->ms_flags = flags; - status = sgx_ocall(23, ms); + status = sgx_ocall(24, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2510,7 +2546,7 @@ sgx_status_t SGX_CDECL u_mprotect_ocall(int* retval, int* error, void* addr, siz ms->ms_addr = addr; ms->ms_length = length; ms->ms_prot = prot; - status = sgx_ocall(24, ms); + status = sgx_ocall(25, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2585,7 +2621,7 @@ sgx_status_t SGX_CDECL u_open_ocall(int* retval, int* error, const char* pathnam } ms->ms_flags = flags; - status = sgx_ocall(25, ms); + status = sgx_ocall(26, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2661,7 +2697,7 @@ sgx_status_t SGX_CDECL u_open64_ocall(int* retval, int* error, const char* path, ms->ms_oflag = oflag; ms->ms_mode = mode; - status = sgx_ocall(26, ms); + status = sgx_ocall(27, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2731,7 +2767,7 @@ sgx_status_t SGX_CDECL u_fstat_ocall(int* retval, int* error, int fd, struct sta ms->ms_buf = NULL; } - status = sgx_ocall(27, ms); + status = sgx_ocall(28, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2807,7 +2843,7 @@ sgx_status_t SGX_CDECL u_fstat64_ocall(int* retval, int* error, int fd, struct s ms->ms_buf = NULL; } - status = sgx_ocall(28, ms); + status = sgx_ocall(29, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2902,7 +2938,7 @@ sgx_status_t SGX_CDECL u_stat_ocall(int* retval, int* error, const char* path, s ms->ms_buf = NULL; } - status = sgx_ocall(29, ms); + status = sgx_ocall(30, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -2997,7 +3033,7 @@ sgx_status_t SGX_CDECL u_stat64_ocall(int* retval, int* error, const char* path, ms->ms_buf = NULL; } - status = sgx_ocall(30, ms); + status = sgx_ocall(31, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3092,7 +3128,7 @@ sgx_status_t SGX_CDECL u_lstat_ocall(int* retval, int* error, const char* path, ms->ms_buf = NULL; } - status = sgx_ocall(31, ms); + status = sgx_ocall(32, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3187,7 +3223,7 @@ sgx_status_t SGX_CDECL u_lstat64_ocall(int* retval, int* error, const char* path ms->ms_buf = NULL; } - status = sgx_ocall(32, ms); + status = sgx_ocall(33, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3250,7 +3286,7 @@ sgx_status_t SGX_CDECL u_lseek_ocall(uint64_t* retval, int* error, int fd, int64 ms->ms_fd = fd; ms->ms_offset = offset; ms->ms_whence = whence; - status = sgx_ocall(33, ms); + status = sgx_ocall(34, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3307,7 +3343,7 @@ sgx_status_t SGX_CDECL u_lseek64_ocall(int64_t* retval, int* error, int fd, int6 ms->ms_fd = fd; ms->ms_offset = offset; ms->ms_whence = whence; - status = sgx_ocall(34, ms); + status = sgx_ocall(35, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3363,7 +3399,7 @@ sgx_status_t SGX_CDECL u_ftruncate_ocall(int* retval, int* error, int fd, int64_ ms->ms_fd = fd; ms->ms_length = length; - status = sgx_ocall(35, ms); + status = sgx_ocall(36, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3419,7 +3455,7 @@ sgx_status_t SGX_CDECL u_ftruncate64_ocall(int* retval, int* error, int fd, int6 ms->ms_fd = fd; ms->ms_length = length; - status = sgx_ocall(36, ms); + status = sgx_ocall(37, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3494,7 +3530,7 @@ sgx_status_t SGX_CDECL u_truncate_ocall(int* retval, int* error, const char* pat } ms->ms_length = length; - status = sgx_ocall(37, ms); + status = sgx_ocall(38, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3569,7 +3605,7 @@ sgx_status_t SGX_CDECL u_truncate64_ocall(int* retval, int* error, const char* p } ms->ms_length = length; - status = sgx_ocall(38, ms); + status = sgx_ocall(39, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3624,7 +3660,7 @@ sgx_status_t SGX_CDECL u_fsync_ocall(int* retval, int* error, int fd) } ms->ms_fd = fd; - status = sgx_ocall(39, ms); + status = sgx_ocall(40, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3679,7 +3715,7 @@ sgx_status_t SGX_CDECL u_fdatasync_ocall(int* retval, int* error, int fd) } ms->ms_fd = fd; - status = sgx_ocall(40, ms); + status = sgx_ocall(41, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3735,7 +3771,7 @@ sgx_status_t SGX_CDECL u_fchmod_ocall(int* retval, int* error, int fd, uint32_t ms->ms_fd = fd; ms->ms_mode = mode; - status = sgx_ocall(41, ms); + status = sgx_ocall(42, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3809,7 +3845,7 @@ sgx_status_t SGX_CDECL u_unlink_ocall(int* retval, int* error, const char* pathn ms->ms_pathname = NULL; } - status = sgx_ocall(42, ms); + status = sgx_ocall(43, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3903,7 +3939,7 @@ sgx_status_t SGX_CDECL u_link_ocall(int* retval, int* error, const char* oldpath ms->ms_newpath = NULL; } - status = sgx_ocall(43, ms); + status = sgx_ocall(44, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -3997,7 +4033,7 @@ sgx_status_t SGX_CDECL u_rename_ocall(int* retval, int* error, const char* oldpa ms->ms_newpath = NULL; } - status = sgx_ocall(44, ms); + status = sgx_ocall(45, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4072,7 +4108,7 @@ sgx_status_t SGX_CDECL u_chmod_ocall(int* retval, int* error, const char* path, } ms->ms_mode = mode; - status = sgx_ocall(45, ms); + status = sgx_ocall(46, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4166,7 +4202,7 @@ sgx_status_t SGX_CDECL u_readlink_ocall(size_t* retval, int* error, const char* } ms->ms_bufsz = bufsz; - status = sgx_ocall(46, ms); + status = sgx_ocall(47, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4266,7 +4302,7 @@ sgx_status_t SGX_CDECL u_symlink_ocall(int* retval, int* error, const char* path ms->ms_path2 = NULL; } - status = sgx_ocall(47, ms); + status = sgx_ocall(48, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4340,7 +4376,7 @@ sgx_status_t SGX_CDECL u_realpath_ocall(char** retval, int* error, const char* p ms->ms_pathname = NULL; } - status = sgx_ocall(48, ms); + status = sgx_ocall(49, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4415,7 +4451,7 @@ sgx_status_t SGX_CDECL u_mkdir_ocall(int* retval, int* error, const char* pathna } ms->ms_mode = mode; - status = sgx_ocall(49, ms); + status = sgx_ocall(50, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4489,7 +4525,7 @@ sgx_status_t SGX_CDECL u_rmdir_ocall(int* retval, int* error, const char* pathna ms->ms_pathname = NULL; } - status = sgx_ocall(50, ms); + status = sgx_ocall(51, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4563,7 +4599,7 @@ sgx_status_t SGX_CDECL u_opendir_ocall(void** retval, int* error, const char* pa ms->ms_pathname = NULL; } - status = sgx_ocall(51, ms); + status = sgx_ocall(52, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4636,7 +4672,7 @@ sgx_status_t SGX_CDECL u_readdir64_r_ocall(int* retval, void* dirp, struct diren ms->ms_result = NULL; } - status = sgx_ocall(52, ms); + status = sgx_ocall(53, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4697,7 +4733,7 @@ sgx_status_t SGX_CDECL u_closedir_ocall(int* retval, int* error, void* dirp) } ms->ms_dirp = dirp; - status = sgx_ocall(53, ms); + status = sgx_ocall(54, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4752,7 +4788,7 @@ sgx_status_t SGX_CDECL u_dirfd_ocall(int* retval, int* error, void* dirp) } ms->ms_dirp = dirp; - status = sgx_ocall(54, ms); + status = sgx_ocall(55, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4843,7 +4879,7 @@ sgx_status_t SGX_CDECL u_fstatat64_ocall(int* retval, int* error, int dirfd, con } ms->ms_flags = flags; - status = sgx_ocall(55, ms); + status = sgx_ocall(56, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4905,7 +4941,7 @@ sgx_status_t SGX_CDECL sgx_oc_cpuidex(int cpuinfo[4], int leaf, int subleaf) ms->ms_leaf = leaf; ms->ms_subleaf = subleaf; - status = sgx_ocall(56, ms); + status = sgx_ocall(57, ms); if (status == SGX_SUCCESS) { if (cpuinfo) { @@ -4938,7 +4974,7 @@ sgx_status_t SGX_CDECL sgx_thread_wait_untrusted_event_ocall(int* retval, const ocalloc_size -= sizeof(ms_sgx_thread_wait_untrusted_event_ocall_t); ms->ms_self = self; - status = sgx_ocall(57, ms); + status = sgx_ocall(58, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4966,7 +5002,7 @@ sgx_status_t SGX_CDECL sgx_thread_set_untrusted_event_ocall(int* retval, const v ocalloc_size -= sizeof(ms_sgx_thread_set_untrusted_event_ocall_t); ms->ms_waiter = waiter; - status = sgx_ocall(58, ms); + status = sgx_ocall(59, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -4995,7 +5031,7 @@ sgx_status_t SGX_CDECL sgx_thread_setwait_untrusted_events_ocall(int* retval, co ms->ms_waiter = waiter; ms->ms_self = self; - status = sgx_ocall(59, ms); + status = sgx_ocall(60, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5045,7 +5081,7 @@ sgx_status_t SGX_CDECL sgx_thread_set_multiple_untrusted_events_ocall(int* retva } ms->ms_total = total; - status = sgx_ocall(60, ms); + status = sgx_ocall(61, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5133,7 +5169,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_exclusive_file_open(void** retval, const ms->ms_error_code = NULL; } - status = sgx_ocall(61, ms); + status = sgx_ocall(62, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5194,7 +5230,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_check_if_file_exists(uint8_t* retval, co ms->ms_filename = NULL; } - status = sgx_ocall(62, ms); + status = sgx_ocall(63, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5245,7 +5281,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_fread_node(int32_t* retval, void* f, uin } ms->ms_node_size = node_size; - status = sgx_ocall(63, ms); + status = sgx_ocall(64, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5303,7 +5339,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_fwrite_node(int32_t* retval, void* f, ui } ms->ms_node_size = node_size; - status = sgx_ocall(64, ms); + status = sgx_ocall(65, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5331,7 +5367,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_fclose(int32_t* retval, void* f) ocalloc_size -= sizeof(ms_u_sgxprotectedfs_fclose_t); ms->ms_f = f; - status = sgx_ocall(65, ms); + status = sgx_ocall(66, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5359,7 +5395,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_fflush(uint8_t* retval, void* f) ocalloc_size -= sizeof(ms_u_sgxprotectedfs_fflush_t); ms->ms_f = f; - status = sgx_ocall(66, ms); + status = sgx_ocall(67, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5408,7 +5444,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_remove(int32_t* retval, const char* file ms->ms_filename = NULL; } - status = sgx_ocall(67, ms); + status = sgx_ocall(68, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5457,7 +5493,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_recovery_file_open(void** retval, const ms->ms_filename = NULL; } - status = sgx_ocall(68, ms); + status = sgx_ocall(69, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5508,7 +5544,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_fwrite_recovery_node(uint8_t* retval, vo } ms->ms_data_length = data_length; - status = sgx_ocall(69, ms); + status = sgx_ocall(70, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5578,7 +5614,7 @@ sgx_status_t SGX_CDECL u_sgxprotectedfs_do_file_recovery(int32_t* retval, const } ms->ms_node_size = node_size; - status = sgx_ocall(70, ms); + status = sgx_ocall(71, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5607,7 +5643,7 @@ sgx_status_t SGX_CDECL rtc_session_request_u(SessionRequestResult* retval, sgx_e ms->ms_src_enclave_id = src_enclave_id; ms->ms_dest_enclave_id = dest_enclave_id; - status = sgx_ocall(71, ms); + status = sgx_ocall(72, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5654,7 +5690,7 @@ sgx_status_t SGX_CDECL rtc_exchange_report_u(ExchangeReportResult* retval, sgx_e ms->ms_dh_msg2 = NULL; } - status = sgx_ocall(72, ms); + status = sgx_ocall(73, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; @@ -5683,7 +5719,7 @@ sgx_status_t SGX_CDECL rtc_end_session_u(sgx_status_t* retval, sgx_enclave_id_t ms->ms_src_enclave_id = src_enclave_id; ms->ms_dest_enclave_id = dest_enclave_id; - status = sgx_ocall(73, ms); + status = sgx_ocall(74, ms); if (status == SGX_SUCCESS) { if (retval) *retval = ms->ms_retval; diff --git a/codegen/data_enclave/rtc_data_t.h b/codegen/data_enclave/rtc_data_t.h index 53e22bd8..49d8adcd 100644 --- a/codegen/data_enclave/rtc_data_t.h +++ b/codegen/data_enclave/rtc_data_t.h @@ -35,6 +35,7 @@ SessionRequestResult session_request(sgx_enclave_id_t src_enclave_id); ExchangeReportResult exchange_report(sgx_enclave_id_t src_enclave_id, const sgx_dh_msg2_t* dh_msg2); sgx_status_t end_session(sgx_enclave_id_t src_enclave_id); +sgx_status_t SGX_CDECL rtc_save_access_key_u(SetAccessKeyResult* retval, sgx_enclave_id_t auth_enclave_id, SetAccessKeyEncryptedRequest encrypted_request); sgx_status_t SGX_CDECL rtc_save_sealed_blob_u(sgx_status_t* retval, const uint8_t* blob_ptr, size_t blob_len, uint8_t uuid[16]); sgx_status_t SGX_CDECL u_thread_set_event_ocall(int* retval, int* error, const void* tcs); sgx_status_t SGX_CDECL u_thread_wait_event_ocall(int* retval, int* error, const void* tcs, const struct timespec* timeout); diff --git a/codegen/data_enclave/rtc_data_u.c b/codegen/data_enclave/rtc_data_u.c index c10d3edc..cac74212 100644 --- a/codegen/data_enclave/rtc_data_u.c +++ b/codegen/data_enclave/rtc_data_u.c @@ -43,6 +43,12 @@ typedef struct ms_end_session_t { sgx_enclave_id_t ms_src_enclave_id; } ms_end_session_t; +typedef struct ms_rtc_save_access_key_u_t { + SetAccessKeyResult ms_retval; + sgx_enclave_id_t ms_auth_enclave_id; + SetAccessKeyEncryptedRequest ms_encrypted_request; +} ms_rtc_save_access_key_u_t; + typedef struct ms_rtc_save_sealed_blob_u_t { sgx_status_t ms_retval; const uint8_t* ms_blob_ptr; @@ -558,6 +564,14 @@ typedef struct ms_rtc_end_session_u_t { sgx_enclave_id_t ms_dest_enclave_id; } ms_rtc_end_session_u_t; +static sgx_status_t SGX_CDECL rtc_data_rtc_save_access_key_u(void* pms) +{ + ms_rtc_save_access_key_u_t* ms = SGX_CAST(ms_rtc_save_access_key_u_t*, pms); + ms->ms_retval = rtc_save_access_key_u(ms->ms_auth_enclave_id, ms->ms_encrypted_request); + + return SGX_SUCCESS; +} + static sgx_status_t SGX_CDECL rtc_data_rtc_save_sealed_blob_u(void* pms) { ms_rtc_save_sealed_blob_u_t* ms = SGX_CAST(ms_rtc_save_sealed_blob_u_t*, pms); @@ -1152,10 +1166,11 @@ static sgx_status_t SGX_CDECL rtc_data_rtc_end_session_u(void* pms) static const struct { size_t nr_ocall; - void * table[74]; + void * table[75]; } ocall_table_rtc_data = { - 74, + 75, { + (void*)rtc_data_rtc_save_access_key_u, (void*)rtc_data_rtc_save_sealed_blob_u, (void*)rtc_data_u_thread_set_event_ocall, (void*)rtc_data_u_thread_wait_event_ocall, diff --git a/codegen/data_enclave/rtc_data_u.h b/codegen/data_enclave/rtc_data_u.h index f8d29a4d..76ec767c 100644 --- a/codegen/data_enclave/rtc_data_u.h +++ b/codegen/data_enclave/rtc_data_u.h @@ -27,6 +27,10 @@ extern "C" { #endif +#ifndef RTC_SAVE_ACCESS_KEY_U_DEFINED__ +#define RTC_SAVE_ACCESS_KEY_U_DEFINED__ +SetAccessKeyResult SGX_UBRIDGE(SGX_NOCONVENTION, rtc_save_access_key_u, (sgx_enclave_id_t auth_enclave_id, SetAccessKeyEncryptedRequest encrypted_request)); +#endif #ifndef RTC_SAVE_SEALED_BLOB_U_DEFINED__ #define RTC_SAVE_SEALED_BLOB_U_DEFINED__ sgx_status_t SGX_UBRIDGE(SGX_NOCONVENTION, rtc_save_sealed_blob_u, (const uint8_t* blob_ptr, size_t blob_len, uint8_t uuid[16])); diff --git a/rtc_data_enclave/rtc_data.edl b/rtc_data_enclave/rtc_data.edl index 8c6799cf..c7d3d2f6 100644 --- a/rtc_data_enclave/rtc_data.edl +++ b/rtc_data_enclave/rtc_data.edl @@ -33,6 +33,11 @@ enclave { untrusted { /* define OCALLs here. */ + SetAccessKeyResult rtc_save_access_key_u( + sgx_enclave_id_t auth_enclave_id, + SetAccessKeyEncryptedRequest encrypted_request + ); + sgx_status_t rtc_save_sealed_blob_u([in, count=blob_len]const uint8_t* blob_ptr, size_t blob_len,[in]uint8_t uuid[16]); }; }; diff --git a/rtc_data_enclave/src/ocalls/mod.rs b/rtc_data_enclave/src/ocalls/mod.rs index 0e3264e4..d255fe75 100644 --- a/rtc_data_enclave/src/ocalls/mod.rs +++ b/rtc_data_enclave/src/ocalls/mod.rs @@ -1,5 +1,6 @@ //! OCALL definitions +mod save_access_key_impl; mod save_sealed_blob_impl; // Re-export the OCALL entry points we're interested in: diff --git a/rtc_data_enclave/src/ocalls/save_access_key_impl.rs b/rtc_data_enclave/src/ocalls/save_access_key_impl.rs new file mode 100644 index 00000000..1892d1a1 --- /dev/null +++ b/rtc_data_enclave/src/ocalls/save_access_key_impl.rs @@ -0,0 +1,16 @@ +//! OCALL definition: `save_access_key` (`rtc_save_access_key_u`) +//! +//! This call is responsible for establishing a protected channel with the auth enclave, +//! and relaying the sealed exchange with the auth enclave's `save_access_key` ECALL. + +use rtc_types::enclave_messages::ffi_set_access_key; +use sgx_types::{sgx_enclave_id_t, sgx_status_t}; + +extern "C" { + #[allow(dead_code)] // TODO + fn rtc_save_access_key_u( + retval: *mut ffi_set_access_key::SetAccessKeyResult, + auth_enclave_id: sgx_enclave_id_t, + request: ffi_set_access_key::SetAccessKeyEncryptedRequest, + ) -> sgx_status_t; +} From 7a53f6457dd8570972b962f14bedc8407459c66e Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Thu, 8 Jul 2021 00:37:33 +0200 Subject: [PATCH 12/14] feat(rtc_data_enclave::ocalls): flesh out save_access_key OCALL --- rtc_data_enclave/src/ocalls/mod.rs | 2 + .../src/ocalls/save_access_key_impl.rs | 66 ++++++++++++++++++- 2 files changed, 66 insertions(+), 2 deletions(-) diff --git a/rtc_data_enclave/src/ocalls/mod.rs b/rtc_data_enclave/src/ocalls/mod.rs index d255fe75..7b0c5596 100644 --- a/rtc_data_enclave/src/ocalls/mod.rs +++ b/rtc_data_enclave/src/ocalls/mod.rs @@ -5,4 +5,6 @@ mod save_sealed_blob_impl; // Re-export the OCALL entry points we're interested in: +#[allow(unused_imports)] // TODO +pub(crate) use save_access_key_impl::save_access_key; pub(crate) use save_sealed_blob_impl::save_sealed_blob_u; diff --git a/rtc_data_enclave/src/ocalls/save_access_key_impl.rs b/rtc_data_enclave/src/ocalls/save_access_key_impl.rs index 1892d1a1..6facb049 100644 --- a/rtc_data_enclave/src/ocalls/save_access_key_impl.rs +++ b/rtc_data_enclave/src/ocalls/save_access_key_impl.rs @@ -3,11 +3,73 @@ //! This call is responsible for establishing a protected channel with the auth enclave, //! and relaying the sealed exchange with the auth enclave's `save_access_key` ECALL. -use rtc_types::enclave_messages::ffi_set_access_key; +use rtc_tenclave::dh::{dh_sessions, sealing, DhSessions, ProtectedChannel}; +use rtc_types::enclave_messages::errors::SealingError; +pub use rtc_types::enclave_messages::ffi_set_access_key::SetAccessKeyEncryptedRequest; +use rtc_types::enclave_messages::{ffi_set_access_key, set_access_key}; +use rtc_types::EcallResult; +use sgx_tstd::enclave::get_enclave_id; use sgx_types::{sgx_enclave_id_t, sgx_status_t}; +// Handle protected channel establishment +#[allow(dead_code)] // TODO +pub(crate) fn save_access_key( + auth_enclave_id: sgx_enclave_id_t, + request: set_access_key::Request, +) -> Result { + let sessions: &DhSessions<_, _> = dh_sessions(); + sessions.with_acquire_new_or_established(auth_enclave_id, |channel| { + save_access_key_sealing(auth_enclave_id, channel, request) + })? +} + +// Handle message sealing +fn save_access_key_sealing( + auth_enclave_id: sgx_enclave_id_t, + channel: &mut ProtectedChannel, + request: set_access_key::Request, +) -> Result { + let sending_enclave_id: sgx_enclave_id_t = get_enclave_id(); + + // Seal the request + let encrypted_request = + sealing::rkyv_seal_associated(channel, &request, &sending_enclave_id).unwrap(); + + // Exchange with the auth enclave + let encrypted_response = save_access_key_ffi(auth_enclave_id, encrypted_request)?; + + // Unseal the response + let response = + unsafe { sealing::rkyv_unseal::(channel, encrypted_response) }?; + Ok(response) +} + +/// Handle converting between the [`ffi_set_access_key`] and [`set_access_key`] types. +fn save_access_key_ffi( + auth_enclave_id: sgx_enclave_id_t, + encrypted_request: set_access_key::EncryptedRequest, +) -> set_access_key::SetAccessKeyResult { + let ffi_encrypted_request = encrypted_request.into(); + let ffi_result = save_access_key_u(auth_enclave_id, ffi_encrypted_request); + ffi_result.into() +} + +// Handle call +fn save_access_key_u( + auth_enclave_id: sgx_enclave_id_t, + encrypted_request: ffi_set_access_key::SetAccessKeyEncryptedRequest, +) -> ffi_set_access_key::SetAccessKeyResult { + let mut retval = ffi_set_access_key::SetAccessKeyResult::default(); + + // Safety: Copies ffi_set_access_key::SetAccessKeyResult into retval, + // but only valid for sgx_status_t::SGX_SUCCESS. + match unsafe { rtc_save_access_key_u(&mut retval, auth_enclave_id, encrypted_request) } { + sgx_status_t::SGX_SUCCESS => retval, + status_err => EcallResult::Err(status_err.into()), + } +} + extern "C" { - #[allow(dead_code)] // TODO fn rtc_save_access_key_u( retval: *mut ffi_set_access_key::SetAccessKeyResult, auth_enclave_id: sgx_enclave_id_t, From 08458399d03dc8f1096c26e18a49962182a7b490 Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Thu, 8 Jul 2021 00:43:13 +0200 Subject: [PATCH 13/14] feat(rtc_data_enclave::validate_and_save): insert stub call to save_access_key OCALL --- rtc_data_enclave/src/lib.rs | 15 +++++++++++++++ rtc_data_enclave/src/ocalls/mod.rs | 1 - .../src/ocalls/save_access_key_impl.rs | 1 - 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/rtc_data_enclave/src/lib.rs b/rtc_data_enclave/src/lib.rs index 9db697eb..a9e0f536 100644 --- a/rtc_data_enclave/src/lib.rs +++ b/rtc_data_enclave/src/lib.rs @@ -19,6 +19,7 @@ use std::prelude::v1::*; #[allow(unused_imports)] // for ECALL linking use rtc_tenclave::enclave::enclave_create_report; +use rtc_types::enclave_messages::set_access_key; use rtc_types::*; use sgx_types::*; @@ -42,6 +43,20 @@ pub unsafe extern "C" fn validate_and_save( Err(err) => return EcallResult::Err(err), }; + // TODO: Get access key request data from validate_and_seal? + let request = set_access_key::Request { + uuid: Default::default(), + access_key: Default::default(), + unsealed_size: Default::default(), + }; + let response = match ocalls::save_access_key(auth_enclave_id, request) { + Ok(response) => response, + Err(err) => return EcallResult::Err(DataUploadError::SaveAccessKeySealingError(err)), + }; + if !response.success { + return EcallResult::Err(DataUploadError::SaveAccessKeyFailed); + } + match ocalls::save_sealed_blob_u(sealed.sealed_data, sealed.uuid) { sgx_status_t::SGX_SUCCESS => EcallResult::Ok(sealed.client_payload.into()), err => EcallResult::Err(DataUploadError::Sealing(err)), diff --git a/rtc_data_enclave/src/ocalls/mod.rs b/rtc_data_enclave/src/ocalls/mod.rs index 7b0c5596..3f20610b 100644 --- a/rtc_data_enclave/src/ocalls/mod.rs +++ b/rtc_data_enclave/src/ocalls/mod.rs @@ -5,6 +5,5 @@ mod save_sealed_blob_impl; // Re-export the OCALL entry points we're interested in: -#[allow(unused_imports)] // TODO pub(crate) use save_access_key_impl::save_access_key; pub(crate) use save_sealed_blob_impl::save_sealed_blob_u; diff --git a/rtc_data_enclave/src/ocalls/save_access_key_impl.rs b/rtc_data_enclave/src/ocalls/save_access_key_impl.rs index 6facb049..c4182e40 100644 --- a/rtc_data_enclave/src/ocalls/save_access_key_impl.rs +++ b/rtc_data_enclave/src/ocalls/save_access_key_impl.rs @@ -12,7 +12,6 @@ use sgx_tstd::enclave::get_enclave_id; use sgx_types::{sgx_enclave_id_t, sgx_status_t}; // Handle protected channel establishment -#[allow(dead_code)] // TODO pub(crate) fn save_access_key( auth_enclave_id: sgx_enclave_id_t, request: set_access_key::Request, From 17bb90fff75ec8d4ef487d15ce7ba050a9834bfd Mon Sep 17 00:00:00 2001 From: Pi Delport Date: Thu, 8 Jul 2021 01:14:01 +0200 Subject: [PATCH 14/14] test(rtc_data_service): web_api/data_upload: better failure reporting --- rtc_data_service/tests/web_api/data_upload.rs | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/rtc_data_service/tests/web_api/data_upload.rs b/rtc_data_service/tests/web_api/data_upload.rs index 276ff54f..96a5b633 100644 --- a/rtc_data_service/tests/web_api/data_upload.rs +++ b/rtc_data_service/tests/web_api/data_upload.rs @@ -3,7 +3,8 @@ use std::convert::TryInto; use std::path::Path; -use actix_web::test; +use actix_web::web::Bytes; +use actix_web::{http, test}; use rtc_data_service::data_upload::models; use sgx_types::sgx_target_info_t; use uuid::Uuid; @@ -57,10 +58,17 @@ async fn data_service_data_upload_ok() { .to_request(); let resp = test::call_service(&app, req).await; + let status: http::StatusCode = resp.status(); + let body: Bytes = test::read_body(resp).await; + + assert!( + status.is_success(), + "status = {}, body = {:?}", + status, + body + ); - assert!(resp.status().is_success()); - - let body: models::ResponseBody = serde_json::from_slice(&test::read_body(resp).await).unwrap(); + let body: models::ResponseBody = serde_json::from_slice(&body).unwrap(); // NOTE: re-add padding since sodalite supports the C-style nacl api let mut m = vec![0_u8; body.ciphertext.len() + CRYPTO_BOX_BOXZEROBYTES];