Add backup schema for machine-binding-Rootkey

cczoo/sgx_kms/.gitignore

@@ -0,0 +1,16 @@
+rkeyserver/App/enclave_u.*
+rkeyserver/Enclave/enclave_t.*
+rkeyserver/App/*.o
+rkeyserver/Enclave/*.o
+
+utils/tkey_exchange/*.o
+utils/tkey_exchange/sgx_tkey_exchange_t.*
+utils/tkey_exchange/sgx_tkey_exchange_u.*
+utils/ukey_exchange/*.o
+
+out/
+
+.history/
+.vscode/
+
+rkeyserver/App/auto_version.h

cczoo/sgx_kms/Makefile

@@ -0,0 +1,45 @@
+#
+# Copyright (c) 2022 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+include buildenv.mk
+
+SUB_DIR := utils/tkey_exchange utils/ukey_exchange rkeyserver
+
+.PHONY: all clean
+
+all:
+	for dir in $(SUB_DIR); do \
+		$(MAKE) -C $$dir; \
+	done
+
+ifeq ($(Build_Mode), HW_DEBUG)
+	@echo "The project has been built in hardware debug mode."
+else ifeq ($(Build_Mode), HW_RELEAESE)
+	@echo "The project has been built in hardware release mode."
+else ifeq ($(Build_Mode), HW_PRERELEAESE)
+	@echo "The project has been built in hardware pre-release mode."
+else ifeq ($(Build_Mode), SIM_DEBUG)
+	@echo "The project has been built in simulation debug mode."
+else ifeq ($(Build_Mode), SIM_RELEAESE)
+	@echo "The project has been built in simulation release mode."
+else ifeq ($(Build_Mode), SIM_PRERELEAESE)
+	@echo "The project has been built in simulation pre-release mode."
+endif
+
+clean:
+	@rm -rf $(OUTDIR)
+	for dir in $(SUB_DIR); do \
+		$(MAKE) -C $$dir clean; \
+	done

cczoo/sgx_kms/README.md

@@ -0,0 +1,61 @@
+## Overview of this backup schema of sgx_kms
+
+In the design architecture of sgx_kms, the TCP/IP socket server is used to provide the root key, the remote secure channel provided by SGX is used to transmit the root key in the enclave, and the SGX Keys are used to encrypt the root key and store it in a local file or database, so that it can be safely stored outside the enclave environment. In this way, the root key is also bound with the unique SGX Keys of the processor, reducing the correlation between the root key and the maintenance personnel. Considering that the server may fail, we have designed a backup architecture. When we start the standby server, we will ask the primary server for the root key and keep it securely. When the primary server goes down, the backup server can play a role as the primary server.
+
+The root key stored in the keystore needs to be decrypted by all root key providing service instances, while other platforms cannot decrypt the root key encrypted through the SGX sealing mechanism. Therefore, in the SGX security enhanced root key providing service design, the Root Key is deployed in each backup instance by using SGX remote authentication to establish a secure session. The scheme design is shown in the figure. This scheme is stored on the platform through SGX sealed encryption, and the root key is only used for decryption in Enclave, so that every instance has the same root key, and the attacker is prevented from directly obtaining the master key from memory.
+
+<img src="./docs/arch-of-back-sgxkms.png" alt="arch-of-back-sgxkms" style="zoom:50%;" />
+
+## Build Instructions
+
+- If you need to synchronize the domain key between the host machine (the machine that has the domain key) and the backup machine (the machine that requests the domain key from the host machine), then you can compile first.
+
+``` bash
+make
+```
+
+- In this way, the directory `out/` will be generated, and in this directory, there will be the following files
+
+``` 
+rkeyserver 
+
+lib
+```
+
+- Enter the folder rkeyserver, there will be the following file rkeyserver
+
+```
+ libenclave-rkeyserver.signed.so 
+
+ libenclave-rkeyserver.so
+```
+
+- On the host side, execute
+
+``` bash
+./rkeyserver
+```
+
+- on the backup machine, execute
+
+``` bash
+./rkeyserver -i 10.23.100.2 -p 8888
+```
+
+`-i` is followed by the ip address of the host (`10.23.100.2` is used here as an example), `-p` is the port number of the host, the default is `8888`.
+
+- If the following message is displayed
+
+```
+INFO [App/ra_getkey.cpp(454) -> start_getkey]: Successfully received the DomainKey from deploy server.
+```
+
+It means that the domain key is successfully obtained on the backup machine. By default, the domain key is stored in the directory `/etc/rkey.bin` in encrypted form.
+
+It is worth mentioning that when the `/etc/rkey.bin` file already exists, when the backup machine continues to request the domain key from the host, the original `rkey.bin` file will be replaced by the new `rkey.bin` file and the following information is output on the screen
+
+```
+file already exist, substitute by new file
+```
+
+> ***Many source codes in this project come from [intel/ehsm](https://github.com/intel/ehsm/tree/t-multi-dkeyserver-reference)***

cczoo/sgx_kms/buildenv.mk

@@ -0,0 +1,135 @@
+#
+# Copyright (c) 2022 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+######## auto_version Settings ########
+DATE_STRING := `date "+20%y.%m.%d %k:%M"`
+KMS_GIT_SHA=$(shell git rev-parse --short=7 --verify HEAD)
+
+# -------------------------------------------------------------------
+#  Function : parent-dir
+#  Arguments: 1: path
+#  Returns  : Parent dir or path of $1, with final separator removed.
+# -------------------------------------------------------------------
+parent-dir = $(patsubst %/,%,$(dir $(1:%/=%)))
+
+# ------------------------------------------------------------------
+#  Macro    : my-dir
+#  Returns  : the directory of the current Makefile
+#  Usage    : $(my-dir)
+# ------------------------------------------------------------------
+my-dir = $(realpath $(call parent-dir,$(lastword $(MAKEFILE_LIST))))
+
+ROOT_DIR := $(call my-dir)
+ifneq ($(words $(subst :, ,$(ROOT_DIR))), 1)
+  $(error main directory cannot contain spaces nor colons)
+endif
+
+######## Output Settings ########
+TOPDIR = $(ROOT_DIR)
+OUTDIR := out
+OUTLIB_DIR := $(OUTDIR)/lib
+
+######## Compiler Settings ########
+CP = cp
+CC ?= gcc
+CXX ?= g++
+RM = rm -f
+
+######## SGX SDK Settings ########
+
+SGX_SDK ?= /opt/intel/sgxsdk
+SGX_MODE ?= HW
+SGX_ARCH ?= x64
+SGX_DEBUG ?= 1
+#SUPPLIED_KEY_DERIVATION ?= 1
+
+include $(SGX_SDK)/buildenv.mk
+
+ifeq ($(shell getconf LONG_BIT), 32)
+	SGX_ARCH := x86
+else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
+	SGX_ARCH := x86
+endif
+
+ifeq ($(SGX_ARCH), x86)
+	SGX_COMMON_FLAGS := -m32
+	SGX_LIBRARY_PATH := $(SGX_SDK)/lib
+	SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x86/sgx_sign
+	SGX_EDGER8R := $(SGX_SDK)/bin/x86/sgx_edger8r
+else
+	SGX_COMMON_FLAGS := -m64
+	SGX_LIBRARY_PATH := $(SGX_SDK)/lib64
+	SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x64/sgx_sign
+	SGX_EDGER8R := $(SGX_SDK)/bin/x64/sgx_edger8r
+endif
+
+ifeq ($(SGX_DEBUG), 1)
+ifeq ($(SGX_PRERELEASE), 1)
+$(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
+endif
+endif
+
+ifeq ($(SUPPLIED_KEY_DERIVATION), 1)
+	SGX_COMMON_FLAGS += -DSUPPLIED_KEY_DERIVATION
+endif
+
+ifeq ($(SGX_DEBUG), 1)
+    SGX_COMMON_FLAGS += -O0 -ggdb3
+else
+    SGX_COMMON_FLAGS += -O2
+endif
+
+SGX_COMMON_FLAGS += -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type \
+    -Waddress -Wsequence-point -Wformat-security \
+    -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow \
+    -Wcast-align -Wredundant-decls
+
+#SGX_COMMON_CFLAGS += $(SGX_COMMON_FLAGS) -Wstrict-prototypes -Wunsuffixed-float-constants -Wcast-qual
+
+SGX_COMMON_CXXFLAGS := $(SGX_COMMON_FLAGS) -Wnon-virtual-dtor -std=c++11
+
+######## BUILD Settings ########
+ifeq ($(SGX_MODE), HW)
+ifeq ($(SGX_DEBUG), 1)
+	Build_Mode = HW_DEBUG
+else ifeq ($(SGX_PRERELEASE), 1)
+	Build_Mode = HW_PRERELEASE
+else
+	Build_Mode = HW_RELEASE
+endif
+else
+ifeq ($(SGX_DEBUG), 1)
+	Build_Mode = SIM_DEBUG
+else ifeq ($(SGX_PRERELEASE), 1)
+	Build_Mode = SIM_PRERELEASE
+else
+	Build_Mode = SIM_RELEASE
+endif
+endif
+
+ifneq ($(SGX_MODE), HW)
+	Urts_Library_Name := sgx_urts_sim
+else
+	Urts_Library_Name := sgx_urts
+endif
+
+ifneq ($(SGX_MODE), HW)
+	Trts_Library_Name := sgx_trts_sim
+	Service_Library_Name := sgx_tservice_sim
+else
+	Trts_Library_Name := sgx_trts
+	Service_Library_Name := sgx_tservice
+endif
+

cczoo/sgx_kms/include/datatypes.h

@@ -0,0 +1,125 @@
+/*
+ *
+ * Copyright (c) 2022 Intel Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "sgx_report.h"
+#include "sgx_eid.h"
+#include "sgx_ecp_types.h"
+#include "sgx_dh.h"
+#include "sgx_tseal.h"
+
+#ifndef DATATYPES_H_
+#define DATATYPES_H_
+
+#define DH_KEY_SIZE        20
+#define NONCE_SIZE         16
+#define MAC_SIZE           16
+#define MAC_KEY_SIZE       16
+#define PADDING_SIZE       16
+
+#define EH_API_KEY_SIZE     32
+#define UUID_STR_LEN	   37
+
+#define TAG_SIZE        16
+#define IV_SIZE            12
+
+#define DERIVE_MAC_KEY      0x0
+#define DERIVE_SESSION_KEY  0x1
+#define DERIVE_VK1_KEY      0x3
+#define DERIVE_VK2_KEY      0x4
+
+#define CLOSED 0x0
+#define IN_PROGRESS 0x1
+#define ACTIVE 0x2
+
+#define SGX_DOMAIN_KEY_SIZE     16
+
+#define MESSAGE_EXCHANGE 0x0
+
+#define MESSAGE_EXCHANGE_CMD_DK 0x1
+
+#define ENCLAVE_TO_ENCLAVE_CALL 0x1
+
+#define INVALID_ARGUMENT                   -2   ///< Invalid function argument
+#define LOGIC_ERROR                        -3   ///< Functional logic error
+#define FILE_NOT_FOUND                     -4   ///< File not found
+
+#define VMC_ATTRIBUTE_MASK  0xFFFFFFFFFFFFFFCB
+
+#define _T(x) x
+
+#define UNUSED(val) (void)(val)
+
+#define TCHAR   char
+
+#define _TCHAR  char
+
+#define scanf_s scanf
+
+#define _tmain  main
+
+#ifndef INT_MAX
+#define INT_MAX     0x7fffffff
+#endif
+
+#ifndef SAFE_FREE
+#define SAFE_FREE(ptr) {if (NULL != (ptr)) {free(ptr); (ptr) = NULL;}}
+#endif
+
+#ifndef _ERRNO_T_DEFINED
+#define _ERRNO_T_DEFINED
+typedef int errno_t;
+#endif
+
+
+typedef uint8_t dh_nonce[NONCE_SIZE];
+typedef uint8_t cmac_128[MAC_SIZE];
+
+#pragma pack(push, 1)
+
+//Format of the AES-GCM message being exchanged between the source and the destination enclaves
+typedef struct _secure_message_t
+{
+    uint32_t session_id; //Session ID identifyting the session to which the message belongs
+    sgx_aes_gcm_data_t message_aes_gcm_data;
+} secure_message_t;
+
+//Format of the input function parameter structure
+typedef struct _ms_in_msg_exchange_t {
+    uint32_t msg_type; //Type of Call E2E or general message exchange
+    uint32_t target_fn_id; //Function Id to be called in Destination. Is valid only when msg_type=ENCLAVE_TO_ENCLAVE_CALL
+    uint32_t inparam_buff_len; //Length of the serialized input parameters
+    uint8_t inparam_buff[1]; //Serialized input parameters
+} ms_in_msg_exchange_t;
+
+//Format of the return value and output function parameter structure
+typedef struct _ms_out_msg_exchange_t {
+    uint32_t retval_len; //Length of the return value
+    uint32_t ret_outparam_buff_len; //Length of the serialized return value and output parameters
+    uint8_t ret_outparam_buff[1]; //Serialized return value and output parameters
+} ms_out_msg_exchange_t;
+
+//Session Tracker to generate session ids
+typedef struct _session_id_tracker_t
+{
+    uint32_t          session_id;
+} session_id_tracker_t;
+
+#pragma pack(pop)
+
+
+#endif