-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Co-authored-by: Roman Volosatovs <[email protected]> Signed-off-by: Richard Zak <[email protected]>
- Loading branch information
1 parent
a102dd8
commit 99c6039
Showing
15 changed files
with
962 additions
and
140 deletions.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,117 @@ | ||
// SPDX-FileCopyrightText: 2022 Profian Inc. <[email protected]> | ||
// SPDX-License-Identifier: AGPL-3.0-only | ||
|
||
use serde::{Deserialize, Deserializer, Serialize}; | ||
use sgx::parameters::Features; | ||
use validation_common::Measurements; | ||
|
||
#[derive(Clone, Deserialize, Debug, Serialize)] | ||
pub enum SgxFeatures { | ||
CET, | ||
Debug, | ||
EIntKey, | ||
KSS, | ||
ProvisioningKey, | ||
} | ||
|
||
#[derive(Clone, Deserialize, Debug, Default)] | ||
pub struct Config { | ||
/// Values for `mrsigner` in the report body, as `Measurements::signer()` | ||
/// This is the list of public keys which have signed the Enarx binary. | ||
/// Values for `mrenclave` in the report body, as `Measurements::hash()` | ||
/// This is the hash of the Enclave environment after the Enarx binary is loaded | ||
/// but before any workload is loaded, so this is a hash of the Enarx binary | ||
/// in memory. | ||
#[serde(default, flatten)] | ||
pub measurements: Measurements<32>, | ||
|
||
/// Values for `features`. | ||
#[serde(default)] | ||
#[serde(deserialize_with = "from_features")] | ||
pub features: u64, | ||
|
||
/// Minimum value for `isv_svn`. | ||
pub enclave_security_version: Option<u16>, | ||
|
||
/// Value for `isv_prodid`, do not allow versions below this. | ||
pub enclave_product_id: Option<u16>, | ||
} | ||
|
||
fn from_features<'de, D>(deserializer: D) -> Result<u64, D::Error> | ||
where | ||
D: Deserializer<'de>, | ||
{ | ||
let s: Vec<SgxFeatures> = Deserialize::deserialize(deserializer)?; | ||
|
||
let mut flags = Features::empty(); | ||
|
||
// Must be set according to Intel SGX documentation, this indicates permission | ||
// to create SGX enclaves. | ||
flags |= Features::INIT; | ||
|
||
// Required by Enarx, as Wasmtime requires 64-bit, and modern systems are all 64-bit anyway | ||
flags |= Features::MODE64BIT; | ||
|
||
for flag in s { | ||
match flag { | ||
SgxFeatures::CET => { | ||
flags |= Features::CET; | ||
} | ||
SgxFeatures::Debug => { | ||
flags |= Features::DEBUG; | ||
} | ||
SgxFeatures::EIntKey => { | ||
flags |= Features::EINIT_KEY; | ||
} | ||
SgxFeatures::KSS => { | ||
flags |= Features::KSS; | ||
} | ||
SgxFeatures::ProvisioningKey => { | ||
flags |= Features::PROVISIONING_KEY; | ||
} | ||
} | ||
} | ||
|
||
Ok(flags.bits()) | ||
} | ||
|
||
#[cfg(test)] | ||
mod tests { | ||
use super::*; | ||
use validation_common::Digest; | ||
|
||
#[test] | ||
fn empty_config() { | ||
assert!(toml::from_str::<Config>("").is_err()); | ||
} | ||
|
||
#[test] | ||
fn list_of_hashes() { | ||
const SIGNER: &str = r#"enarx_signer = ["2eba0f494f428e799c22d6f12778aebea4dc8d991f9e63fd3cddd57ac6eb5dd9"]"#; | ||
let signer = Digest([ | ||
0x2e, 0xba, 0x0f, 0x49, 0x4f, 0x42, 0x8e, 0x79, 0x9c, 0x22, 0xd6, 0xf1, 0x27, 0x78, | ||
0xae, 0xbe, 0xa4, 0xdc, 0x8d, 0x99, 0x1f, 0x9e, 0x63, 0xfd, 0x3c, 0xdd, 0xd5, 0x7a, | ||
0xc6, 0xeb, 0x5d, 0xd9, | ||
]); | ||
|
||
let config: Config = toml::from_str(&format!( | ||
r#" | ||
{SIGNER} | ||
"#, | ||
)) | ||
.expect("Couldn't deserialize"); | ||
|
||
assert_eq!(config.measurements.signer.len(), 1); | ||
assert!(config.measurements.signer.contains(&signer)); | ||
} | ||
|
||
#[test] | ||
fn too_short() { | ||
let config: Result<Config, toml::de::Error> = toml::from_str( | ||
r#" | ||
enarx_signer = ["41c179d5c0d5bc4915752ccf9bbd2baa574716832235ef5bb998fadcda1e46"] | ||
"#, | ||
); | ||
assert!(config.is_err()); | ||
} | ||
} |
Binary file not shown.
Oops, something went wrong.