1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright(c) 2016-20 Intel Corporation. */
3
4 #define _GNU_SOURCE
5 #include <assert.h>
6 #include <getopt.h>
7 #include <stdbool.h>
8 #include <stdint.h>
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <sys/stat.h>
13 #include <sys/types.h>
14 #include <unistd.h>
15 #include <openssl/err.h>
16 #include <openssl/pem.h>
17 #include "defines.h"
18 #include "main.h"
19
20 struct q1q2_ctx {
21 BN_CTX *bn_ctx;
22 BIGNUM *m;
23 BIGNUM *s;
24 BIGNUM *q1;
25 BIGNUM *qr;
26 BIGNUM *q2;
27 };
28
free_q1q2_ctx(struct q1q2_ctx * ctx)29 static void free_q1q2_ctx(struct q1q2_ctx *ctx)
30 {
31 BN_CTX_free(ctx->bn_ctx);
32 BN_free(ctx->m);
33 BN_free(ctx->s);
34 BN_free(ctx->q1);
35 BN_free(ctx->qr);
36 BN_free(ctx->q2);
37 }
38
alloc_q1q2_ctx(const uint8_t * s,const uint8_t * m,struct q1q2_ctx * ctx)39 static bool alloc_q1q2_ctx(const uint8_t *s, const uint8_t *m,
40 struct q1q2_ctx *ctx)
41 {
42 ctx->bn_ctx = BN_CTX_new();
43 ctx->s = BN_bin2bn(s, SGX_MODULUS_SIZE, NULL);
44 ctx->m = BN_bin2bn(m, SGX_MODULUS_SIZE, NULL);
45 ctx->q1 = BN_new();
46 ctx->qr = BN_new();
47 ctx->q2 = BN_new();
48
49 if (!ctx->bn_ctx || !ctx->s || !ctx->m || !ctx->q1 || !ctx->qr ||
50 !ctx->q2) {
51 free_q1q2_ctx(ctx);
52 return false;
53 }
54
55 return true;
56 }
57
calc_q1q2(const uint8_t * s,const uint8_t * m,uint8_t * q1,uint8_t * q2)58 static bool calc_q1q2(const uint8_t *s, const uint8_t *m, uint8_t *q1,
59 uint8_t *q2)
60 {
61 struct q1q2_ctx ctx;
62
63 if (!alloc_q1q2_ctx(s, m, &ctx)) {
64 fprintf(stderr, "Not enough memory for Q1Q2 calculation\n");
65 return false;
66 }
67
68 if (!BN_mul(ctx.q1, ctx.s, ctx.s, ctx.bn_ctx))
69 goto out;
70
71 if (!BN_div(ctx.q1, ctx.qr, ctx.q1, ctx.m, ctx.bn_ctx))
72 goto out;
73
74 if (BN_num_bytes(ctx.q1) > SGX_MODULUS_SIZE) {
75 fprintf(stderr, "Too large Q1 %d bytes\n",
76 BN_num_bytes(ctx.q1));
77 goto out;
78 }
79
80 if (!BN_mul(ctx.q2, ctx.s, ctx.qr, ctx.bn_ctx))
81 goto out;
82
83 if (!BN_div(ctx.q2, NULL, ctx.q2, ctx.m, ctx.bn_ctx))
84 goto out;
85
86 if (BN_num_bytes(ctx.q2) > SGX_MODULUS_SIZE) {
87 fprintf(stderr, "Too large Q2 %d bytes\n",
88 BN_num_bytes(ctx.q2));
89 goto out;
90 }
91
92 BN_bn2bin(ctx.q1, q1);
93 BN_bn2bin(ctx.q2, q2);
94
95 free_q1q2_ctx(&ctx);
96 return true;
97 out:
98 free_q1q2_ctx(&ctx);
99 return false;
100 }
101
102 struct sgx_sigstruct_payload {
103 struct sgx_sigstruct_header header;
104 struct sgx_sigstruct_body body;
105 };
106
check_crypto_errors(void)107 static bool check_crypto_errors(void)
108 {
109 int err;
110 bool had_errors = false;
111 const char *filename;
112 int line;
113 char str[256];
114
115 for ( ; ; ) {
116 if (ERR_peek_error() == 0)
117 break;
118
119 had_errors = true;
120 err = ERR_get_error_line(&filename, &line);
121 ERR_error_string_n(err, str, sizeof(str));
122 fprintf(stderr, "crypto: %s: %s:%d\n", str, filename, line);
123 }
124
125 return had_errors;
126 }
127
get_modulus(RSA * key)128 static inline const BIGNUM *get_modulus(RSA *key)
129 {
130 const BIGNUM *n;
131
132 RSA_get0_key(key, &n, NULL, NULL);
133 return n;
134 }
135
gen_sign_key(void)136 static RSA *gen_sign_key(void)
137 {
138 unsigned long sign_key_length;
139 BIO *bio;
140 RSA *key;
141
142 sign_key_length = (unsigned long)&sign_key_end -
143 (unsigned long)&sign_key;
144
145 bio = BIO_new_mem_buf(&sign_key, sign_key_length);
146 if (!bio)
147 return NULL;
148
149 key = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL);
150 BIO_free(bio);
151
152 return key;
153 }
154
reverse_bytes(void * data,int length)155 static void reverse_bytes(void *data, int length)
156 {
157 int i = 0;
158 int j = length - 1;
159 uint8_t temp;
160 uint8_t *ptr = data;
161
162 while (i < j) {
163 temp = ptr[i];
164 ptr[i] = ptr[j];
165 ptr[j] = temp;
166 i++;
167 j--;
168 }
169 }
170
171 enum mrtags {
172 MRECREATE = 0x0045544145524345,
173 MREADD = 0x0000000044444145,
174 MREEXTEND = 0x00444E4554584545,
175 };
176
mrenclave_update(EVP_MD_CTX * ctx,const void * data)177 static bool mrenclave_update(EVP_MD_CTX *ctx, const void *data)
178 {
179 if (!EVP_DigestUpdate(ctx, data, 64)) {
180 fprintf(stderr, "digest update failed\n");
181 return false;
182 }
183
184 return true;
185 }
186
mrenclave_commit(EVP_MD_CTX * ctx,uint8_t * mrenclave)187 static bool mrenclave_commit(EVP_MD_CTX *ctx, uint8_t *mrenclave)
188 {
189 unsigned int size;
190
191 if (!EVP_DigestFinal_ex(ctx, (unsigned char *)mrenclave, &size)) {
192 fprintf(stderr, "digest commit failed\n");
193 return false;
194 }
195
196 if (size != 32) {
197 fprintf(stderr, "invalid digest size = %u\n", size);
198 return false;
199 }
200
201 return true;
202 }
203
204 struct mrecreate {
205 uint64_t tag;
206 uint32_t ssaframesize;
207 uint64_t size;
208 uint8_t reserved[44];
209 } __attribute__((__packed__));
210
211
mrenclave_ecreate(EVP_MD_CTX * ctx,uint64_t blob_size)212 static bool mrenclave_ecreate(EVP_MD_CTX *ctx, uint64_t blob_size)
213 {
214 struct mrecreate mrecreate;
215 uint64_t encl_size;
216
217 for (encl_size = 0x1000; encl_size < blob_size; )
218 encl_size <<= 1;
219
220 memset(&mrecreate, 0, sizeof(mrecreate));
221 mrecreate.tag = MRECREATE;
222 mrecreate.ssaframesize = 1;
223 mrecreate.size = encl_size;
224
225 if (!EVP_DigestInit_ex(ctx, EVP_sha256(), NULL))
226 return false;
227
228 return mrenclave_update(ctx, &mrecreate);
229 }
230
231 struct mreadd {
232 uint64_t tag;
233 uint64_t offset;
234 uint64_t flags; /* SECINFO flags */
235 uint8_t reserved[40];
236 } __attribute__((__packed__));
237
mrenclave_eadd(EVP_MD_CTX * ctx,uint64_t offset,uint64_t flags)238 static bool mrenclave_eadd(EVP_MD_CTX *ctx, uint64_t offset, uint64_t flags)
239 {
240 struct mreadd mreadd;
241
242 memset(&mreadd, 0, sizeof(mreadd));
243 mreadd.tag = MREADD;
244 mreadd.offset = offset;
245 mreadd.flags = flags;
246
247 return mrenclave_update(ctx, &mreadd);
248 }
249
250 struct mreextend {
251 uint64_t tag;
252 uint64_t offset;
253 uint8_t reserved[48];
254 } __attribute__((__packed__));
255
mrenclave_eextend(EVP_MD_CTX * ctx,uint64_t offset,const uint8_t * data)256 static bool mrenclave_eextend(EVP_MD_CTX *ctx, uint64_t offset,
257 const uint8_t *data)
258 {
259 struct mreextend mreextend;
260 int i;
261
262 for (i = 0; i < 0x1000; i += 0x100) {
263 memset(&mreextend, 0, sizeof(mreextend));
264 mreextend.tag = MREEXTEND;
265 mreextend.offset = offset + i;
266
267 if (!mrenclave_update(ctx, &mreextend))
268 return false;
269
270 if (!mrenclave_update(ctx, &data[i + 0x00]))
271 return false;
272
273 if (!mrenclave_update(ctx, &data[i + 0x40]))
274 return false;
275
276 if (!mrenclave_update(ctx, &data[i + 0x80]))
277 return false;
278
279 if (!mrenclave_update(ctx, &data[i + 0xC0]))
280 return false;
281 }
282
283 return true;
284 }
285
mrenclave_segment(EVP_MD_CTX * ctx,struct encl * encl,struct encl_segment * seg)286 static bool mrenclave_segment(EVP_MD_CTX *ctx, struct encl *encl,
287 struct encl_segment *seg)
288 {
289 uint64_t end = seg->offset + seg->size;
290 uint64_t offset;
291
292 for (offset = seg->offset; offset < end; offset += PAGE_SIZE) {
293 if (!mrenclave_eadd(ctx, offset, seg->flags))
294 return false;
295
296 if (!mrenclave_eextend(ctx, offset, encl->src + offset))
297 return false;
298 }
299
300 return true;
301 }
302
encl_measure(struct encl * encl)303 bool encl_measure(struct encl *encl)
304 {
305 uint64_t header1[2] = {0x000000E100000006, 0x0000000000010000};
306 uint64_t header2[2] = {0x0000006000000101, 0x0000000100000060};
307 struct sgx_sigstruct *sigstruct = &encl->sigstruct;
308 struct sgx_sigstruct_payload payload;
309 uint8_t digest[SHA256_DIGEST_LENGTH];
310 unsigned int siglen;
311 RSA *key = NULL;
312 EVP_MD_CTX *ctx;
313 int i;
314
315 memset(sigstruct, 0, sizeof(*sigstruct));
316
317 sigstruct->header.header1[0] = header1[0];
318 sigstruct->header.header1[1] = header1[1];
319 sigstruct->header.header2[0] = header2[0];
320 sigstruct->header.header2[1] = header2[1];
321 sigstruct->exponent = 3;
322 sigstruct->body.attributes = SGX_ATTR_MODE64BIT;
323 sigstruct->body.xfrm = 3;
324
325 /* sanity check */
326 if (check_crypto_errors())
327 goto err;
328
329 key = gen_sign_key();
330 if (!key) {
331 ERR_print_errors_fp(stdout);
332 goto err;
333 }
334
335 BN_bn2bin(get_modulus(key), sigstruct->modulus);
336
337 ctx = EVP_MD_CTX_create();
338 if (!ctx)
339 goto err;
340
341 if (!mrenclave_ecreate(ctx, encl->src_size))
342 goto err;
343
344 for (i = 0; i < encl->nr_segments; i++) {
345 struct encl_segment *seg = &encl->segment_tbl[i];
346
347 if (!mrenclave_segment(ctx, encl, seg))
348 goto err;
349 }
350
351 if (!mrenclave_commit(ctx, sigstruct->body.mrenclave))
352 goto err;
353
354 memcpy(&payload.header, &sigstruct->header, sizeof(sigstruct->header));
355 memcpy(&payload.body, &sigstruct->body, sizeof(sigstruct->body));
356
357 SHA256((unsigned char *)&payload, sizeof(payload), digest);
358
359 if (!RSA_sign(NID_sha256, digest, SHA256_DIGEST_LENGTH,
360 sigstruct->signature, &siglen, key))
361 goto err;
362
363 if (!calc_q1q2(sigstruct->signature, sigstruct->modulus, sigstruct->q1,
364 sigstruct->q2))
365 goto err;
366
367 /* BE -> LE */
368 reverse_bytes(sigstruct->signature, SGX_MODULUS_SIZE);
369 reverse_bytes(sigstruct->modulus, SGX_MODULUS_SIZE);
370 reverse_bytes(sigstruct->q1, SGX_MODULUS_SIZE);
371 reverse_bytes(sigstruct->q2, SGX_MODULUS_SIZE);
372
373 EVP_MD_CTX_destroy(ctx);
374 RSA_free(key);
375 return true;
376
377 err:
378 EVP_MD_CTX_destroy(ctx);
379 RSA_free(key);
380 return false;
381 }
382