[draft] Move to new attestation api

build/__tools__/build.sh

@@ -91,7 +91,7 @@ fi
 cd build
 #try cmake ${CMAKE_ARGS} ..
 #try make ${MAKE_ARGS}
-try cmake --build . -- ${MAKE_ARGS}
+try cmake --build . -- ${MAKE_ARGS} -j1
 
 yell --------------- BIN ---------------
 cd $SRCDIR/bin

build/cmake/SGX.cmake

@@ -110,7 +110,7 @@ ENDIF()
 SET(SGX_TRUSTED_LIBS sgx_tstdc sgx_tcxx sgx_tcrypto ${SERVICE_LIBRARY_NAME})
 SET(SGX_UNTRUSTED_LIBS ${URTS_LIBRARY_NAME} pthread)
 
-SET(SGX_SEARCH_PATH "${SGX_SDK}/include:${SGX_SSL}/include")
+SET(SGX_SEARCH_PATH "${SGX_SDK}/include:${SGX_SSL}/include:$ENV{PDO_SOURCE_ROOT}/common")
 SET(SGX_TRUSTED_INCLUDE_DIRS
   "${SGX_SDK}/include"
   "${SGX_SDK}/include/tlibc"

common/cmake/CommonVariables.cmake

@@ -29,6 +29,9 @@ SET(C_COMMON_LIB_NAME cpdo-common)
 SET(U_COMMON_LIB_NAME updo-common)
 SET(T_COMMON_LIB_NAME tpdo-common)
 
+# import attestation lib variables U_ONE_ATTESTATION_LIB_NAME, T_ONE_ATTESTATION_LIB_NAME
+INCLUDE("${COMMON_SOURCE_DIR}/crypto/one-attestation-api/CMakeVariables.txt")
+
 SET(INTERPRETER_LIB_NAME pdo-contract)
 
 # Block store library does not depend on sgx at all
@@ -78,6 +81,7 @@ LIST(APPEND COMMON_CLIENT_LIBS pthread lmdb)
 LIST(APPEND COMMON_UNTRUSTED_LIBS ${U_COMMON_LIB_NAME})
 LIST(APPEND COMMON_UNTRUSTED_LIBS ${U_CRYPTO_LIB_NAME})
 LIST(APPEND COMMON_UNTRUSTED_LIBS ${BLOCK_STORE_LIB_NAME})
+LIST(APPEND COMMON_UNTRUSTED_LIBS ${U_ONE_ATTESTATION_LIB_NAME})
 LIST(APPEND COMMON_UNTRUSTED_LIBS pthread lmdb)
 
 # -----------------------------------------------------------------
@@ -88,4 +92,5 @@ LIST(APPEND COMMON_TRUSTED_LIBS ${T_COMMON_LIB_NAME})
 LIST(APPEND COMMON_TRUSTED_LIBS ${T_CRYPTO_LIB_NAME})
 LIST(APPEND COMMON_TRUSTED_LIBS ${BLOCK_STORE_LIB_NAME})
 LIST(APPEND COMMON_TRUSTED_LIBS ${COMMON_INTERPRETER_LIBRARIES})
+LIST(APPEND COMMON_TRUSTED_LIBS ${T_ONE_ATTESTATION_LIB_NAME})
 LIST(APPEND COMMON_TRUSTED_LIBS lmdb)

common/crypto/CMakeLists.txt

@@ -39,6 +39,9 @@ ENDIF()
 # by the client (ias verification requires sgx).
 ################################################################################
 IF (BUILD_TRUSTED OR BUILD_UNTRUSTED)
+  # Build attestation library
+  ADD_SUBDIRECTORY (one-attestation-api)
+
   SET(PROJECT_GENERATED_IAS_SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/verify_ias_report/ias-certificates.txt)
   SET_SOURCE_FILES_PROPERTIES(${PROJECT_GENERATED_IAS_SOURCES} PROPERTIES GENERATED TRUE)
   SET(FETCH_IAS_CERTS ${CMAKE_CURRENT_SOURCE_DIR}/verify_ias_report/fetch_ias_certificates.sh)

docker/pdo_services_base.dockerfile

@@ -36,6 +36,7 @@ RUN echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${U
     --no-install-recommends \
     libsgx-urts \
     libsgx-uae-service \
+    libsgx-dcap-ql-dev \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 

eservice/lib/libpdo_enclave/enclave.edl

@@ -20,4 +20,5 @@ enclave {
     from "signup.edl" import *;
     from "contract.edl" import *;
     from "block_store.edl" import *;
+    from "crypto/one-attestation-api/ocalls/attestation-ocalls.edl" import *;
 };

eservice/lib/libpdo_enclave/signup.edl

@@ -30,6 +30,11 @@ enclave {
         public pdo_err_t ecall_CreateEnclaveData(
             [in] const sgx_target_info_t* inTargetInfo,
             [in, string] const char* inOriginatorPublicKeyHash,
+            [in, size=inAttestationParamsSize] uint8_t* inAttestationParams,
+            size_t inAttestationParamsSize,
+            [out, size=inAllocatedAttestationSize] uint8_t* outAttestation,
+            size_t inAllocatedAttestationSize,
+            [out] size_t* outAttestationSize,
             [out, size=inAllocatedPublicEnclaveDataSize] char* outPublicEnclaveData,
             size_t inAllocatedPublicEnclaveDataSize,
             [out] size_t* outPublicEnclaveDataSize,

eservice/lib/libpdo_enclave/signup_enclave.cpp

@@ -40,6 +40,8 @@
 #include "enclave_utils.h"
 #include "signup_enclave.h"
 
+#include "one-attestation-api/include/attestation.h"
+
 // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 // XX Declaration of static helper functions                         XX
 // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
@@ -109,6 +111,11 @@ pdo_err_t ecall_CalculatePublicEnclaveDataSize(size_t* pPublicEnclaveDataSize)
 // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 pdo_err_t ecall_CreateEnclaveData(const sgx_target_info_t* inTargetInfo,
     const char* inOriginatorPublicKeyHash,
+    uint8_t* inAttestationParams,
+    size_t inAttestationParamsSize,
+    uint8_t* outAttestation,
+    size_t inAllocatedAttestationSize,
+    size_t* outAttestationSize,
     char* outPublicEnclaveData,
     size_t inAllocatedPublicEnclaveDataSize,
     size_t* outPublicEnclaveDataSize,
@@ -158,6 +165,16 @@ pdo_err_t ecall_CreateEnclaveData(const sgx_target_info_t* inTargetInfo,
         sgx_report_data_t reportData = {0};
         CreateSignupReportData(inOriginatorPublicKeyHash, enclaveData, &reportData);
 
+        // get serialized statement (which will be later hashed to create report data)
+        std::string hashString;
+        hashString.append(enclaveData.get_serialized_signing_key());
+        hashString.append(enclaveData.get_serialized_encryption_key());
+        std::transform(inOriginatorPublicKeyHash,
+                inOriginatorPublicKeyHash + strlen(inOriginatorPublicKeyHash), std::back_inserter(hashString),
+                [](char c) {
+                return c;  // do nothing
+                });
+
         sgx_status_t ret = sgx_create_report(inTargetInfo, &reportData, outEnclaveReport);
         pdo::error::ThrowSgxError(ret, "Failed to create enclave report");
 
@@ -187,6 +204,15 @@ pdo_err_t ecall_CreateEnclaveData(const sgx_target_info_t* inTargetInfo,
         strncpy_s(outPublicEnclaveData, inAllocatedPublicEnclaveDataSize,
             enclaveData.get_public_data().c_str(),
             enclaveData.get_public_data_size());
+
+        bool b = init_attestation(inAttestationParams, inAttestationParamsSize);
+        pdo::error::ThrowIf<pdo::error::ValueError>(b == false, "Error in init attestation");
+
+        uint32_t as;
+        b = get_attestation((uint8_t*)hashString.c_str(), hashString.length(), outAttestation, inAllocatedAttestationSize, &as);
+        *outAttestationSize = (size_t)as;
+        pdo::error::ThrowIf<pdo::error::ValueError>(b == false, "Error in attestation");
+
     }
     catch (pdo::error::Error& e)
     {

eservice/lib/libpdo_enclave/signup_enclave.h

@@ -29,6 +29,11 @@ extern pdo_err_t ecall_CalculatePublicEnclaveDataSize(size_t* pPublicEnclaveData
 // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 extern pdo_err_t ecall_CreateEnclaveData(const sgx_target_info_t* inTargetInfo,
     const char* inOriginatorPublicKeyHash,
+    uint8_t* inAttestationParams,
+    size_t inAttestationParamsSize,
+    uint8_t* outAttestation,
+    size_t inAllocatedAttestationSize,
+    size_t* outAttestationSize,
     char* outPublicEnclaveData,
     size_t inAllocatedPublicEnclaveDataSize,
     size_t* outPublicEnclaveDataSize,

eservice/pdo/eservice/enclave/enclave/enclave.h

@@ -103,6 +103,7 @@ namespace pdo {
             {
                 return this->threadId;
             }
+            sgx_spid_t spid;
 
         protected:
             void LoadEnclave();
@@ -116,7 +117,6 @@ namespace pdo {
             size_t sealedSignupDataSize;
 
             std::string signatureRevocationList;
-            sgx_spid_t spid;
 
             sgx_target_info_t reportTargetInfo;
             sgx_epid_group_id_t epidGroupId;

eservice/pdo/eservice/enclave/enclave/signup.cpp

@@ -26,6 +26,8 @@
 #include "pdo_error.h"
 #include "types.h"
 #include "zero.h"
+#include "jsonvalue.h"
+#include "hex_string.h"
 
 #include "enclave/enclave.h"
 #include "enclave/base.h"
@@ -134,11 +136,24 @@ pdo_err_t pdo::enclave_api::enclave_data::CreateEnclaveData(
         size_t computed_public_enclave_data_size;
         size_t computed_sealed_enclave_data_size;
 
+        std::string hex_spid = BinaryToHexString(g_Enclave[0].spid.id, 16);
+        std::string attestation_params =
+            std::string("{\"attestation_type\": \"epid-linkable\", \"hex_spid\": \"") +
+            hex_spid +
+            std::string("\", \"sig_rl\": \"\"}")
+            ;
+        ByteArray attestation;
+        attestation.resize(1 << 12);
+        size_t attestation_size;
+
         sresult = g_Enclave[0].CallSgx(
             [enclaveid,
              &presult,
              target_info,
              inOriginatorPublicKeyHash,
+             &attestation_params,
+             &attestation,
+             &attestation_size,
              &outPublicEnclaveData,
              &computed_public_enclave_data_size,
              &sealed_enclave_data_buffer,
@@ -150,6 +165,11 @@ pdo_err_t pdo::enclave_api::enclave_data::CreateEnclaveData(
                     &presult,
                     &target_info,
                     inOriginatorPublicKeyHash.c_str(),
+                    (uint8_t*)(attestation_params.c_str()),
+                    attestation_params.length(),
+                    attestation.data(),
+                    attestation.size(),
+                    &attestation_size,
                     outPublicEnclaveData.data(),
                     outPublicEnclaveData.size(),
                     &computed_public_enclave_data_size,
@@ -175,6 +195,23 @@ pdo_err_t pdo::enclave_api::enclave_data::CreateEnclaveData(
         g_Enclave[0].CreateQuoteFromReport(&enclave_report, enclave_quote_buffer);
         outEnclaveQuote = ByteArrayToBase64EncodedString(enclave_quote_buffer);
 
+
+        {
+            const char* pvalue = nullptr;
+            std::string a(attestation.begin(), attestation.end());
+
+            JsonValue parsed(json_parse_string(a.c_str()));
+            pdo::error::ThrowIfNull(parsed.value, "failed to parse serialized attestation; badly formed JSON");
+
+            JSON_Object* data_object = json_value_get_object(parsed);
+            pdo::error::ThrowIfNull(data_object, "invalid serialized attestation; missing root object");
+
+            pvalue = json_object_dotget_string(data_object, "attestation");
+            pdo::error::ThrowIfNull(pvalue, "invalid serialized attestation; missing attestation");
+
+            outEnclaveQuote.assign(pvalue);
+        }
+
     } catch (pdo::error::Error& e) {
         pdo::enclave_api::base::SetLastError(e.what());
         result = e.error_code();

eservice/setup.py

@@ -100,6 +100,7 @@
 
 libraries = [
     'updo-common',
+    'u-one-attestation',
     'pdo-lmdb-block-store',
     'lmdb'
 ]
@@ -109,7 +110,7 @@
 else :
     libraries += ['sgx_urts', 'sgx_uae_service']
 
-libraries += ['sgx_usgxssl']
+libraries += ['sgx_usgxssl', 'sgx_dcap_ql']
 
 module_files = [
     os.path.join(module_src_path, 'pdo_enclave_internal.i'),