diff --git a/.github/workflows/build-deb.yml b/.github/workflows/build-deb.yml index 8f3d3fc5..f44e2f1b 100644 --- a/.github/workflows/build-deb.yml +++ b/.github/workflows/build-deb.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-22.04 env: SGX_MODE: HW - VERSION: "1.0.2" + VERSION: "1.0.3" PRODUCTION_MODE: true steps: - uses: actions/checkout@v3 diff --git a/.gitignore b/.gitignore index 1db44a57..c90bbd1d 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,7 @@ build/ vendor **quote.dat sgxvm/Enclave_private.pem + +# Dynamic libraries +**libsgx_wrapper** +**libsgx_attestation_wrapper** diff --git a/Makefile b/Makefile index 4b2b58ed..0063dc23 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -VERSION := v1.0.2 +VERSION := v1.0.3 COMMIT := $(shell git log -1 --format='%H') ENCLAVE_HOME ?= $(HOME)/.swisstronik-enclave PRODUCTION_MODE ?= false diff --git a/deb/postinst b/deb/postinst index 3167dc2b..1d9d492e 100644 --- a/deb/postinst +++ b/deb/postinst @@ -8,7 +8,7 @@ then export SUDO_USER=root fi -cat < /etc/systemd/system/swisstronik-node-v1.0.2.service +cat < /etc/systemd/system/swisstronik-node-v1.0.3.service [Unit] Description=Swisstronik node service After=network.target @@ -16,7 +16,7 @@ After=network.target [Service] Type=simple WorkingDirectory=$(eval echo ~"$SUDO_USER") -ExecStart=/usr/local/bin/swisstronikd_v1.0.2 start --rpc.laddr "tcp://0.0.0.0:26657" --json-rpc.address 0.0.0.0:8545 --json-rpc.ws-address 0.0.0.0:8546 --home /opt/swisstronik/.swisstronik +ExecStart=/usr/local/bin/swisstronikd_v1.0.3 start --rpc.laddr "tcp://0.0.0.0:26657" --json-rpc.address 0.0.0.0:8545 --json-rpc.ws-address 0.0.0.0:8546 --home /opt/swisstronik/.swisstronik User=$SUDO_USER Restart=on-failure StartLimitInterval=0 diff --git a/deb/postrm b/deb/postrm index 201138ce..3821ee5e 100644 --- a/deb/postrm +++ b/deb/postrm @@ -3,8 +3,8 @@ set -e -systemctl stop swisstronik-node-v1.0.2 || true -systemctl disable swisstronik-node-v1.0.2 || true -rm -f /etc/systemd/system/swisstronik-node-v1.0.2.service || true +systemctl stop swisstronik-node-v1.0.3 || true +systemctl disable swisstronik-node-v1.0.3 || true +rm -f /etc/systemd/system/swisstronik-node-v1.0.3.service || true rm -r /opt/swisstronik/ || true systemctl daemon-reload || true diff --git a/docker/deb.Dockerfile b/docker/deb.Dockerfile index 207cedc6..5e2e2cf1 100644 --- a/docker/deb.Dockerfile +++ b/docker/deb.Dockerfile @@ -47,7 +47,7 @@ RUN make build ############ Node binary for deb package FROM compile-base as build-deb -ARG BUILD_VERSION="v1.0.2" +ARG BUILD_VERSION="v1.0.3" ENV VERSION=${BUILD_VERSION} ARG DEB_BIN_DIR=/usr/local/bin ENV DEB_BIN_DIR=${DEB_BIN_DIR} @@ -61,7 +61,7 @@ WORKDIR /root # Copy over binaries from the build-env COPY --from=compile-chain /root/chain/build/swisstronikd swisstronikd COPY --from=compile-chain /root/.swisstronik-enclave /usr/lib/.swisstronik-enclave -COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.2.x86_64.so /usr/lib/.swisstronik-enclave/libsgx_wrapper_v1.0.2.x86_64.so +COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.3.x86_64.so /usr/lib/.swisstronik-enclave/libsgx_wrapper_v1.0.3.x86_64.so COPY ./deb ./deb COPY ./scripts/build_deb.sh . diff --git a/docker/node.Dockerfile b/docker/node.Dockerfile index adb11fe3..57ae94ae 100644 --- a/docker/node.Dockerfile +++ b/docker/node.Dockerfile @@ -46,7 +46,7 @@ FROM base as hw-node COPY --from=compile-chain /root/chain/build/swisstronikd /usr/local/bin/swisstronikd COPY --from=compile-chain /root/.swisstronik-enclave /root/.swisstronik-enclave -COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.2.x86_64.so /lib/x86_64-linux-gnu/libsgx_wrapper_v1.0.2.x86_64.so +COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.3.x86_64.so /lib/x86_64-linux-gnu/libsgx_wrapper_v1.0.3.x86_64.so COPY --from=compile-chain /opt/intel /opt/intel EXPOSE 26656 26657 1317 9090 8545 8546 8999 @@ -62,7 +62,7 @@ RUN rm -rf /var/lib/apt/lists/* COPY --from=compile-chain /root/chain/build/swisstronikd /usr/bin/swisstronikd COPY --from=compile-chain /root/.swisstronik-enclave /root/.swisstronik-enclave -COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.2.x86_64.so /lib/x86_64-linux-gnu/libsgx_wrapper_v1.0.2.x86_64.so +COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.3.x86_64.so /lib/x86_64-linux-gnu/libsgx_wrapper_v1.0.3.x86_64.so COPY --from=compile-chain /opt/intel/sgxsdk/sdk_libs/* /lib/x86_64-linux-gnu/ COPY --from=compile-chain /root/chain/scripts/local-node.sh /root/local-node.sh diff --git a/go-sgxvm/Cargo.toml b/go-sgxvm/Cargo.toml index cd8e6f52..39db3ea6 100644 --- a/go-sgxvm/Cargo.toml +++ b/go-sgxvm/Cargo.toml @@ -18,5 +18,8 @@ protobuf = "=2.8.1" sgx_types = { git = "https://github.com/apache/teaclave-sgx-sdk.git", rev = "3c903bda" } sgx_urts = { git = "https://github.com/apache/teaclave-sgx-sdk.git", rev = "3c903bda" } +[features] +attestation_server = [] + [build-dependencies] cbindgen = "0.24.3" diff --git a/go-sgxvm/Makefile b/go-sgxvm/Makefile index 63d721cb..f8cebee1 100644 --- a/go-sgxvm/Makefile +++ b/go-sgxvm/Makefile @@ -8,24 +8,30 @@ CXX=clang++ SGX_MODE ?= HW ENCLAVE_HOME ?= $(HOME)/.swisstronik-enclave PRODUCTION_MODE ?= false -VERSION := v1.0.2 +AS_MODE ?= false +VERSION := v1.0.3 +Wrapper_build_feature := "" + +Wrapper_lib := libsgx_wrapper_$(VERSION).x86_64.so +ifeq ($(AS_MODE), true) + Wrapper_lib := libsgx_attestation_wrapper_$(VERSION).x86_64.so + Wrapper_build_feature += attestation_server +endif build: - @ENCLAVE_HOME=$(ENCLAVE_HOME) PRODUCTION_MODE=$(PRODUCTION_MODE) SGX_MODE=$(SGX_MODE) make build -C ../sgxvm/ + @ENCLAVE_HOME=$(ENCLAVE_HOME) PRODUCTION_MODE=$(PRODUCTION_MODE) SGX_MODE=$(SGX_MODE) AS_MODE=$(AS_MODE) VERSION=$(VERSION) make build -C ../sgxvm/ @protoc --rust_out src/protobuf_generated/ proto/node.proto - @ENCLAVE_HOME=$(ENCLAVE_HOME) cargo build --release - @mkdir -p $(ENCLAVE_HOME) && cp $(CURDIR)/../sgxvm/sgx-artifacts/bin/enclave.signed.so $(ENCLAVE_HOME)/$(VERSION)_enclave.signed.so - @cp $(CURDIR)/target/release/libsgxvm_wrapper.so $(CURDIR)/internal/api/libsgx_wrapper_$(VERSION).x86_64.so + @ENCLAVE_HOME=$(ENCLAVE_HOME) cargo build --features "$(Wrapper_build_feature)" --release + @cp $(CURDIR)/target/release/libsgxvm_wrapper.so $(CURDIR)/internal/api/$(Wrapper_lib) @protoc --go_out=types --proto_path=../sgxvm/proto/ ../sgxvm/proto/ffi.proto @protoc --go_out=types --proto_path=proto/ proto/node.proto @cp types/github.com/SigmaGmbH/librustgo/types/* types/ && rm -rf types/github.com build_d: - @ENCLAVE_HOME=$(ENCLAVE_HOME) PRODUCTION_MODE=$(PRODUCTION_MODE) SGX_MODE=$(SGX_MODE) make build_d -C ../sgxvm/ + @ENCLAVE_HOME=$(ENCLAVE_HOME) PRODUCTION_MODE=$(PRODUCTION_MODE) SGX_MODE=$(SGX_MODE) AS_MODE=$(AS_MODE) VERSION=$(VERSION) make build_d -C ../sgxvm/ @protoc --rust_out src/protobuf_generated/ proto/node.proto - @ENCLAVE_HOME=$(ENCLAVE_HOME) cargo build --release - @mkdir -p $(ENCLAVE_HOME) && cp $(CURDIR)/../sgxvm/sgx-artifacts/bin/enclave.signed.so $(ENCLAVE_HOME)/$(VERSION)_enclave.signed.so - @cp $(CURDIR)/target/release/libsgxvm_wrapper.so $(CURDIR)/internal/api/libsgx_wrapper_$(VERSION).x86_64.so + @ENCLAVE_HOME=$(ENCLAVE_HOME) cargo build --features "$(Wrapper_build_feature)" --release + @cp $(CURDIR)/target/release/libsgxvm_wrapper.so $(CURDIR)/internal/api/$(Wrapper_lib) @protoc --go_out=types --proto_path=../sgxvm/proto/ ../sgxvm/proto/ffi.proto @protoc --go_out=types --proto_path=proto/ proto/node.proto @cp types/github.com/SigmaGmbH/librustgo/types/* types/ && rm -rf types/github.com diff --git a/go-sgxvm/internal/api/lib_nosgx.go b/go-sgxvm/internal/api/lib_nosgx.go index 3c2a7c5a..a98cddeb 100644 --- a/go-sgxvm/internal/api/lib_nosgx.go +++ b/go-sgxvm/internal/api/lib_nosgx.go @@ -79,6 +79,7 @@ func Call( gasLimit, nonce uint64, txContext *types.TransactionContext, commit bool, + isUnencrypted bool, ) (*types.HandleTransactionResponse, error) { return nil, nil } diff --git a/go-sgxvm/internal/api/libsgx_wrapper_v1.0.2.x86_64.so b/go-sgxvm/internal/api/libsgx_wrapper_v1.0.2.x86_64.so deleted file mode 100755 index d82ef1f7..00000000 Binary files a/go-sgxvm/internal/api/libsgx_wrapper_v1.0.2.x86_64.so and /dev/null differ diff --git a/go-sgxvm/internal/api/link_glibclinux_aarch64.go b/go-sgxvm/internal/api/link_glibclinux_aarch64.go index bd5d5ab6..2e765e50 100644 --- a/go-sgxvm/internal/api/link_glibclinux_aarch64.go +++ b/go-sgxvm/internal/api/link_glibclinux_aarch64.go @@ -2,5 +2,5 @@ package api -// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.2.aarch64 +// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.3.aarch64 import "C" diff --git a/go-sgxvm/internal/api/link_glibclinux_x86_64.attestation.go b/go-sgxvm/internal/api/link_glibclinux_x86_64.attestation.go new file mode 100644 index 00000000..7102f77a --- /dev/null +++ b/go-sgxvm/internal/api/link_glibclinux_x86_64.attestation.go @@ -0,0 +1,6 @@ +//go:build linux && !muslc && amd64 && !sys_sgx_wrapper && !nosgx && attestationServer + +package api + +// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_attestation_wrapper_v1.0.3.x86_64 +import "C" diff --git a/go-sgxvm/internal/api/link_glibclinux_x86_64.go b/go-sgxvm/internal/api/link_glibclinux_x86_64.go index 8db1308f..2d3f30e9 100644 --- a/go-sgxvm/internal/api/link_glibclinux_x86_64.go +++ b/go-sgxvm/internal/api/link_glibclinux_x86_64.go @@ -1,6 +1,6 @@ -//go:build linux && !muslc && amd64 && !sys_sgx_wrapper && !nosgx +//go:build linux && !muslc && amd64 && !sys_sgx_wrapper && !nosgx && !attestationServer package api -// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.2.x86_64 +// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.3.x86_64 import "C" diff --git a/go-sgxvm/internal/api/link_mac.go b/go-sgxvm/internal/api/link_mac.go index b1a7c3e9..9b1492aa 100644 --- a/go-sgxvm/internal/api/link_mac.go +++ b/go-sgxvm/internal/api/link_mac.go @@ -2,5 +2,5 @@ package api -// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.2 +// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.3 import "C" diff --git a/go-sgxvm/internal/api/link_muslc.go b/go-sgxvm/internal/api/link_muslc.go index 7fc22c74..de53c6ca 100644 --- a/go-sgxvm/internal/api/link_muslc.go +++ b/go-sgxvm/internal/api/link_muslc.go @@ -2,5 +2,5 @@ package api -// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.2_muslc +// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.3_muslc import "C" diff --git a/go-sgxvm/internal/api/link_system.go b/go-sgxvm/internal/api/link_system.go index 599bdb2a..36752d35 100644 --- a/go-sgxvm/internal/api/link_system.go +++ b/go-sgxvm/internal/api/link_system.go @@ -2,5 +2,5 @@ package api -// #cgo LDFLAGS: -lsgx_wrapper_v1.0.2 +// #cgo LDFLAGS: -lsgx_wrapper_v1.0.3 import "C" diff --git a/go-sgxvm/internal/api/link_windows.go b/go-sgxvm/internal/api/link_windows.go index 940181e5..f74dbd7d 100644 --- a/go-sgxvm/internal/api/link_windows.go +++ b/go-sgxvm/internal/api/link_windows.go @@ -2,5 +2,5 @@ package api -// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.2 +// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.3 import "C" diff --git a/go-sgxvm/src/enclave/doorbell.rs b/go-sgxvm/src/enclave/doorbell.rs index c6a891aa..5c48fe8e 100644 --- a/go-sgxvm/src/enclave/doorbell.rs +++ b/go-sgxvm/src/enclave/doorbell.rs @@ -5,7 +5,16 @@ use std::env; use std::ops::Deref; use std::time::Duration; -static ENCLAVE_FILE: &'static str = "v1.0.2_enclave.signed.so"; +#[cfg(not(feature = "attestation_server"))] +static ENCLAVE_FILE: &'static str = "v1.0.3_enclave.signed.so"; + +#[cfg(feature = "attestation_server")] +static ENCLAVE_FILE: &'static str = "v1.0.3_attestation_enclave.signed.so"; + +#[cfg(feature = "attestation_server")] +const ENCLAVE_LOCK_TIMEOUT: u64 = 6 * 50; + +#[cfg(not(feature = "attestation_server"))] const ENCLAVE_LOCK_TIMEOUT: u64 = 6 * 5; pub struct EnclaveDoorbell { diff --git a/sgxvm/Makefile b/sgxvm/Makefile index 9983ee51..07b201b6 100644 --- a/sgxvm/Makefile +++ b/sgxvm/Makefile @@ -16,6 +16,8 @@ Enclave_build_feature = hardware_mode Enclave_Security_Link_Flags := -Wl,-z,relro,-z,now,-z,noexecstack Enclave_config_file ?= Enclave.config.development.xml Enclave_signing_key ?= Enclave_dev_private.pem +Enclave_signed_file ?= enclave.signed.so +VERSION ?= v1.0.3 # ENCLAVE SETTINGS ifneq ($(SGX_MODE), HW) @@ -30,6 +32,7 @@ endif ifeq ($(AS_MODE), true) Enclave_build_feature += attestation_server + Enclave_signed_file := attestation_enclave.signed.so endif ifneq ($(PRODUCTION_MODE), true) @@ -127,7 +130,8 @@ define sign_enclave @echo "Sign enclave using" @/opt/intel/sgxsdk/bin/x64/sgx_sign -version @mkdir -p $(CURDIR)/sgx-artifacts/bin - /opt/intel/sgxsdk/bin/x64/sgx_sign sign -key $(CURDIR)/$(Enclave_signing_key) -enclave $(CURDIR)/enclave.unsigned.so -out $(CURDIR)/sgx-artifacts/bin/enclave.signed.so -config $(CURDIR)/$(Enclave_config_file) + /opt/intel/sgxsdk/bin/x64/sgx_sign sign -key $(CURDIR)/$(Enclave_signing_key) -enclave $(CURDIR)/enclave.unsigned.so -out $(CURDIR)/sgx-artifacts/bin/$(Enclave_signed_file) -config $(CURDIR)/$(Enclave_config_file) + @mkdir -p $(ENCLAVE_HOME) && cp $(CURDIR)/../sgxvm/sgx-artifacts/bin/$(Enclave_signed_file) $(ENCLAVE_HOME)/$(VERSION)_$(Enclave_signed_file) endef define sgx_build diff --git a/sgxvm/src/attestation/tls/auth.rs b/sgxvm/src/attestation/tls/auth.rs index d7035d6c..5b3d9689 100644 --- a/sgxvm/src/attestation/tls/auth.rs +++ b/sgxvm/src/attestation/tls/auth.rs @@ -34,7 +34,12 @@ impl rustls::ClientCertVerifier for ClientAuth { } if self.is_dcap { - crate::attestation::cert::verify_dcap_cert(&certs[0].0).unwrap(); + crate::attestation::cert::verify_dcap_cert(&certs[0].0).map_err(|err| { + println!("[Attestastion Server] Cannot verify DCAP cert. Reason: {:?}", err); + rustls::TLSError::WebPKIError( + webpki::Error::ExtensionValueInvalid, + ) + })?; return Ok(rustls::ClientCertVerified::assertion()); }