From 5ffee2c752f166bec4cc4498399cb511628798c4 Mon Sep 17 00:00:00 2001 From: "Kopf, Benedikt" Date: Wed, 22 Apr 2020 10:24:44 +0200 Subject: [PATCH 1/3] Add sealing key feature documentation --- .../Keystone-Applications/Data-Sealing.rst | 92 ++++++++++++++++++ .../_static/images/keystone_key_hierarchy.png | Bin 0 -> 21564 bytes .../_static/images/sealing_key_deriv.png | Bin 0 -> 35815 bytes docs/source/index.rst | 1 + 4 files changed, 93 insertions(+) create mode 100644 docs/source/Keystone-Applications/Data-Sealing.rst create mode 100644 docs/source/_static/images/keystone_key_hierarchy.png create mode 100644 docs/source/_static/images/sealing_key_deriv.png
diff --git a/docs/source/Keystone-Applications/Data-Sealing.rst b/docs/source/Keystone-Applications/Data-Sealing.rst
new file mode 100644
index 000000000..34ebc49a0
--- /dev/null
+++ b/docs/source/Keystone-Applications/Data-Sealing.rst
@@ -0,0 +1,92 @@
+Data-Sealing
+============
+
+The data-sealing feature allows an enclave to derive a key for data encryption,
+to be able to save data in untrusted, non-volatile memory outside the enclave.
+This key is bound to the identity of the processor, the security monitor and the
+enclave. Therefore only the same enclave running on the same security monitor
+and the same processor is able to derive the same key. This key can be used to
+encrypt data and store them to unprotected, non-volatile memory. After an
+enclave restart, the enclave can derive the same key again, fetch the encrypted
+data from the untrusted storage and decrypt them using the derived key.
+
+
+Keystone Key-Hierarchy
+######################
+
+The following figure shows the key hierarchy of Keystone:
+
+.. figure:: /_static/images/keystone_key_hierarchy.png
+
+The root of the key hierarchy is the asymmetric processor key pair (SK_D /
+PK_D). The asymmetric security monitor key pair (SK_SK / PK_SM) is derived from
+the measurement of the security monitor (H_SM) and the private processor key
+SK_D.
+
+The resulting security monitor key pair is therefore bound to the processor and
+to the identity of the security monitor itself.
+
+
+Sealing-Key Derivation
+######################
+
+The following figure shows, how the sealing-key is derived in Keystone:
+
+.. figure:: /_static/images/sealing_key_deriv.png
+
+The key is derived using three main inputs:
+
+* The private security monitor key (SK_SM)
+* The hash of the enclave (H_SM)
+* A key identifier
+
+The private security monitor key (SK_SM) ensures that the resulting sealing-key
+is bound to the identity of the processor and the identity of the security
+monitor. Whenever one of the two components change, the resulting sealing-key is
+different.
+
+The enclave hash ensures that the sealing-key is bound to the enclave's
+identity. Therefore, no enclave can derive the key from another enclave.
+
+The key identifier is an additional input to the key derivation function, which
+can be chosen by the enclave. By choosing different values for the key
+identifier, a single enclave is able to derive multiple keys.
+
+
+Usage
+#####
+
+The enclave application library contains the function:
+
+.. code-block:: c
+
+ /* Returns 0 on success */
+ int get_sealing_key(void *sealing_key_struct,
+ size_t sealing_key_struct_size,
+ void *key_ident, size_t key_ident_size)
+
+The ``get_sealing_key`` function takes a pointer to the ``sealing_key_struct`` as
+first parameter followed by the length of the struct. The third parameter is a
+pointer to the buffer containing the key identifier and the last parameter
+specifies the length of the key identifier.
+
+The ``sealing_key_struct`` is defined in ``sdk/lib/app/include/sealing.h`` as
+follows:
+
+.. code-block:: c
+
+ struct sealing_key {
+ uint8_t key[SEALING_KEY_LENGTH];
+ uint8_t signature[SIGNATURE_SIZE];
+ };
+
+A generic sealing-key derivation example can be found at
+``sdk/examples/data-sealing`` and looks as follows:
+
+.. code-block:: c
+
+ struct sealing_key key_buffer;
+ char *key_identifier = "identifier";
+
+ int ret = get_sealing_key((void *)&key_buffer, sizeof(key_buffer),
+ (void *)key_identifier, strlen(key_identifier));
diff --git a/docs/source/_static/images/keystone_key_hierarchy.png b/docs/source/_static/images/keystone_key_hierarchy.png new file mode 100644 index 0000000000000000000000000000000000000000..0192cb061771a599e6f329f3f5cc6c99c0f1bc10 GIT binary patch literal 21564 zcmeHv1yogQ*Y4VMgS660gLH|Mgd%JjrMm^Ck!FJeiXuptgdhmgNT;N-DM9H*N|5fn zYZD&7``s{#P_697Qo z$3OxgK`0rh zEcKF=0Tw}^&D{O&t;F0bWf_|%Wk_s6Pxxd)Wguj_k(aGyh_RpfA(1*gVn=GNuqRQu zp=CFA@zpk!c-3*NN2l$P&02^r#r?+|9+f@Y3pFx~#0qVVA|v2}oWv>ur-$(wazxL-9k7>n$`i^L590 z#xy79eB2i0J8IeY!loA5^}I>207{lU3cTZhW5?wnbs@iv{@rI2PRCwJ7kDrH&55>S@wRu54gzo0C zPp5^9LG?Fxpx+Uo-LG+&x`N`gqK!$QDTqX-$vr%V!)8*B+!_V z?j&P6`Ci~cj;bRS0?5W8o;L{kfgM^jdL+n4q;f-aWdwDPK^>x^u%>nP>ys39kZa?1|_VN+g2I^%4;m^d1M>UBIU&e=3Rc@opLc%dPJ( z@1{}AOD)k!nv(9q>XR**8Rf{#o;uvzP1$*?{^hPZcNUg2(pTT_G9yyKsnTydEqS!5 za~_pQtatg&Svrwc0D3PTNSCJOr38KspLN7-P(V%F2Ja#0JUFk@%AFaB7qCxKJ~3emWk(fFUkyc2|4gJURXElHR4XB z+hM!fR|$_IE&GPl+15voQ>={aT;I8UfONyJ?y}|uPfYvARFAPF*(NR-JzoisrOzU0 zf2!Z8Iq71Ix=Or?W}mR*E6rdPUY16nie|+*FEr0HPdASn3+<&H3VZZv{#*4o#k}6(^JhlpUC-BX}dOM`+nsl?4cCh(JBxxfbtS zTUA-Th8g!b<#C|&Yv}^%qDFZrb`?Wi$!A83t%x8ea#CPeZI@BSO8spJ^7qa;gdGY z-Aw3wST}Y$eRu=Z@Gh4}>}4}IGmB}QY2j(eG%86{P?B7tTzo6h9Y0nbez{_3@vS>) z>1i{$QSW+RZ^=^Sb=(b65l(j5-vU$s}s#`tpbZ70|Nv)s<{VDyyv!ya> zsZIq>r98Fe$eK9s{3Gu}vBOR@Ml?(`P*=E_0UQBt0V4rE6jl_g!CAped5n23y4Clc z`@Z)z3pc-PzV)0YrVBc(;1a(PmT03X*%gVX~xx~!Y{?oOKnOL^c%E^%F~V7A4dk=iMjJCvMbJt>YmpZZOc>}B6Bs{ z^|rfT1?o#ay9A{+J)KJUR#nKGPt;#L)b4n-Os6dR#|00jeaU?Yde);PsmKPkTO=)( zEu^B3cBG1+QYZB_5|zi4+t|-LGnDU@-7Ob$>~SF~bFOSy;#fi- zZt2a+Q_voohlsdRql+ZE7K*5e`fS#_y1C!+5ZxBo=-6CZPuaEEu-bB)wVu_P-0xTF z;cUojNt&dY9Q!6tV@RWXi5BMz{xG5Iby)#sfwyer6pJ*&q~pVHFKj1lGKaA4ccWIf)NA8zbZlQm{FA&FB)T+*K z=$x&8Qm-R}CNnMbtm$AbfvLSW#F zerl_nJ8!RM9lG*u%{>y%sCeNXytif&V-nkvD7YiIaoBj2nW<7z@OHIlHEpV%Xq3r4 zzAY{;ZaQ9GdpzoSRBSjM)AEtcv7^Sj2iAHNsX24RLXr00n>bTypC`D8jyMK*rEg~M z4aB)}w| z>nWCtcrfg>N_RFVwrC*djV^C~rz)Fq|IzH+vY@dqseou(5Hs~5K2wr%nAsHiDdDcra&@vwRl 
ztQzha)i?Bo@X%Zp85IklX7jv!ly;DL(6cvI>}^XFhsF7PC}dlF-EGU&PkePP1)STAf zxFmaMO+-5mHrPaA+R17;0)XyK#2*N8gwzf2LnCyz9>tp!2aCzsHmcs1Gif9ev5)z0sqC_^D<_q3ASsAsn@j3(mqCocc< z@ITu4$2Wlgp^>swO~zGjruAY^C8t=*yTez$LhCE(-D1@b3?te1u-^%9kwSpvXsXz% z@jPVIXs4pAtJ(M7_?#Prd{-y_yb;|-wB7(weuR>Ul)&?lM%y1 zcZ>`;uHa=V`+|gSSUwL+z#Fs_gXV-vYh0Al|_4>_L)oI1Nrg4X_&Sij9WXLJmyoshA}Dr zCpSQd_#-Z6hi|v!6u)3Q_Y(4mKdZ1`x;=!`o-6N)73j6~T)$@5Qx2{({s!Pfb#(vR zSL5XRDrY%d>DRCR&x!qS$#}n0U$#fFnX`&}JuuJLYU23s2-#S@eO|VJn}zJ~sf?Ur zeYVWbUy?tfE`T}KB82l`Eelak3>TWSW-skv>eRl0FLvrR z##18KkwG*u!~3w19mI%!?i6P ztY$i`xu@)njl^oS)3Yl=rjpX~HeyvB>yMl9>;#vqzM$78<)x>Mt z78QknQ=i$#!NPtyQg^phzz(T%T%8uXx=JM`(ikft15Q6>mwN^9d@$YH(39lt(^tqY zetZS6<26N};DJc+yBu}WV}C$pNw;&>Q92xqlhr?Z>lNHVg&yIRm{j9kA6Gug{m!}k zNoi4BIeiQ(rFMBt34UbUfoC>aReW7$ z!oln)b@GWHv>a0#n!uGYX+2@v$=F5;(x%?f$EKp(S@zgZO7d~~IF>6YFM6O~wVUck zw3_hDl`UKwU}h7|?!-h!AFSSAS=YgPy0A>9Y}(aV6#=O8c7;~2MKwu8&og2}l*26S zypP`cPKL6-m&#HT$iN(#vuAMG)lb#t=$ zZ;=3(?`5fyXq6K7AYDc+3}9wxm*z6wCrQreg0-)s!-pe$aWNK9Q&OiD54YnYD(wb zbCk2~Ag2a}=!aYNI$B}@PW0~p3E2TUYxv|#bO^v9OSw050j2`R5$8ufo%wX24%+ct zVvsJT^ z-Cz2TO9ipi)qdn_A!O%hVv~dPUU!jZJet@HxduGS5;uJqZv}sSWEMAm0}ZwdB?>g9 zE2C{99zRb1#HZ)l1;93I9HI{ZfNh{K<~chGpz~CU_oe^IBekZNfN|)RL^grRI7nIY zE?RGd4(S#B^b37BfMX0NUT_TCO4U~` zoxGSJ56Y++!~%mN0~_{+UPZ+&iecAG+uh#*X~9CK25}y6<3>2B+PY7SFF>Q{1{q`N zjx@&3cv4FNJMFe=-FcJ1O3Kr~MW_xbkpUw>YY}&5iI2MJM}$HzIe9AveJ zgz^rD9=i3^9)5-*JCz|cY=;WI8_e$XCB(15m5oNI0q)qWZC%aNZd>XxkkO(zUVsX_ z6_}P>bE|x*%*qXb5#b1%=9QRn&zZSbY!cO=0*d1o6V^XT+TBou`aTiQfbRx>6z9bS z>SAknKF!vKC#}b&m>5tZ11cuC14DO8*_$g6`sZE6QA7nT8*Geavpz9CPr~AD9yb;+ z2W|NPk+8qjKAhsiEoMsbS_3xVR7o{<5dyQmWcE?t6K)&<-`M@pDhVXi@d`D7ek4q+ zroX<7)bf2t@Vi3$mhdMufO+Y<$KvQy0z+W@O)H{il(vGIBz^W`!V>7~NKM53=Gh-y zJ~WKAI$#2Z!7WdxWvjKARVy5@CvOgd4P`Re|mEQyM!-O`Nv@jS`W01o4 z9Ssdc1^_@xvz+K99+&j!Y4_9i^1NK0emny28oyV3Iz5k+b0D|WiWKP z;VK2}-8Hw5anJX`;OD|^ut(RzXa-H(qb>eT{Q(445V2>bZ;E8dIEw?)q5-CL-CPew}%B^;tCdVi}%2SPe05g7GR6ZnNdK zyCcg4*ik7N)w$&Wc0xL&2qJb!_HWs>Fh;>dD-ddfXhZyLv;csN2@etpHs+jf?WpS; 
zFaRPQ-Z_5=Ae6AG{TPhS>X>|zkCORd?O%zT8W&j22kI{MD77tL7djM0O^%ZfPP8v& z|DLx3CL$ogq)SNM(=937e;l`o*pL@_^Aj9hnurugw-`p2;4fkC0Aotx#$=b3DP2EU zN_HY+E8+w30PpZont3t*XtUjlkP!`}y01`iQ<_NaHpU(UL?!Luo_ibVKVC?z278Dm zinjz6r@^v920G}Yz$&qds1oq6OPs)p0%e8XVn=-!_}nX;{dll)xWrn)j!Mwe-eO6R z@!}3B5&KXEaoU0n5^ygoL69}?KARRsFQ|_rL(iibGuJgcNZq9r(I;MyT+?wc0L=WR zJ@<0&1*=Bi28*CQ?xnL@U|0)RTv*=5@cg1p!H0w-K^BPew1sAEm$t^H1Y*d88o0Ro zJ!I1_I`ile8j!8wSqPW3;|FWbEe@d!DzM+YwaX<-S>s>O*-4&%om`ho3qqi3^wCA* zSYN#i5&h8Y9h*phJOdnc7qDFC1f>by+zxUu?OhV`r(-eh+9P>*-EP27++AIq{ z$P23R+WITL;6Eddf3P&YKbU>Ig-^BladCVM9iV;_xG7OSt)%2ZP#XMhuyjBF2r|64 zPP5z**OZX30F*^cN^KqXb(Wf~#!n)≪WjMY1tP!89e3&Fy$|B=3sN>lmc`SR;I( z(ktY19)4m8-20D!l%W&f<=S($74@@jp#ddwA!(R5M{RAd9&FxlUr6adjT=Yw zz{64{%k5N_ODD;@%=c!1(E9*(rw+MfMlg8Po38?2oa&$JufM1YNfLfV0^H>>#s7R* zjs;3H#}O?EravJBzE1m~Wz_cv8lc$_O63Pf0d!;8Q4V^3+m*F_`fZm%Av9c4o3@>k$fe=O3!04ZSW5zU43 zkFy~h=2zJIPdOV1FTqS)WzMi-5&OSjqYt9iu&Jx?ZV=O`qyL5l7%Cg%0Cp_(_(0?z z!h&4MoOp`HASC-w9AY9gr*56IeGW7O z%`<-%9Y<_{&MvMnGc9WI`#GE1x4lm1DIy-j21Vs);P;C&zmy3((EBJGz|H8%i~kAf zZd`nEBmi3t7@a?^jnmc;Fw|39;3lK;@Y1^Zc5Y}(4C(J0DU0bGAEb=VNuxa zs^{?sE)t^0d1hK03J}05_H67!`!Z6!wKIO~R;(Z@AS-{i7}{r>>aFl&UAHSho!vPf z7Mt5|vJX;0VM0UCgsF2KQe$B|mIo#Nc=POC!~E*Zh)6PoM41>Ta614zcVdq$T;mxa z259k5^$);|YCv*Tn&7Ll=ZiIbz6_GHeF+N4LvW@M@?;HGv*}=P#lJ~nu@En(#YvYMHxAYNrYUj)-r#W&gP${<(rbFSk!vuUb#N!j9& zfCO92ieXS;n%n&}-)m<5U6{mTIO3z%0*Sd}Sv8CYzWRr2hDP5pygS ztkcopQtf!oHTQrgL)H5eNXw!km;(S9S6vqpvrb)0Mqp8?8m+6Uc)p!D;ZH%IhoW9uDFNi%*Yr=zbft zVw_0?dYI%nU9d2oD;7cUd}RRe_`@b1C|D0O>)vNyZMEf0uK1juu%_O6}3N>Q|udgYA6Xp^Rp2Azq0jTEz>V<^gE;{1u9@^QD)`GBia<2=kp&4mA_wV z&{kk_e&2gD`pm`4W6l!u-{;}K<3|5#WC_)r;?FwlUS_c zzmaC*mv>@wJnime6%kdbpXs)M z%o!2!6C$M(KZy{Y5V?Z(lStNyli*znJ14^YO`rlSkB^O1#^bcDeZnro3mab%zBy%i zkJ|)X(n@5{%+JSfA$aceV*X?ibix8pvWP|Xw6MxxBANv+6ti=|zn_%AiuuH!L=+H2 z<}yvr1y2@62%cQT@sld%Nf|oyiamcP<`F`>1e12>?-*V}lq87=Qa?eJ=^9AFS%iT;T;?szZ3YS|U0azz1w+oA2PnUgjVoWF$ zA+%6uOV?BNlQy*u3I=_0$ZS$9Qd=V}LmgDxdYQxE)e5411B@n!z#6yVL}ory%lZXG zDn;8Nk~%YAOc;B80h 
zPbdh(2&6qXWgkQqu5rQ)s0;Zel1|FnD9<52S76K2cEd|?RzPkWDm5TM_xGp8Uvkec z$^4(5;7>PM|MUcZ*tPz*?g<+2JDr3y7l_r<81!fl6~F(HC!TKHPVk`s%mfUlj$?OC zr@1J}pi0cR+Bz0pJ=<+ss`lcMc>d#R+m|XIZQ@Ko8XTwHJIrVLVjM0OO1963S^UHG zJvt-*AbwkJE+Q$FB5LroI+rMzdSN_HX-E>-1~2aA`Ls?QSJxhz-M{fP zFo<93@x#i6)`@XVuq4qVf;#9ac^U+$h)IqWp*c2z| zzI$~`F~ELNs?>Ag`>j<^MltZ1=lEq5wecsM9@7V*crZ={t~peoC@wEnpQc0nz^s#! zWQiy1a3^;RHQ>QQ5Wmknx8TY_t+02iQr}nk_hlv%D-Iz4Y7{lYz#pP!Y=Wf}WNU{% zR(%;3z2I*>cDgv^^#~KDv>r_8@5Lxa66 z29||6uzHs4IcDrF3GA$zRo62xRqlxHuJ`qcqo$d4VT-xj3{Y{_#q#x_tKW7Vj$Rj9 zmgFR{&h1Ev>$%nfzHf*3fq2Kpgnqj7*lV|6TddfCd;h@IzK99 zE~271@XX!$2n|7{Tm(T zc3wzfsTJ3;Wq&==Rc=N<{zWzB0`Ksg78;?$JyxUE79_^y)?>BAE2!l4pJqL$mn?kl z_3FN4QCYvfs~HOJxM7YM=~XjJ5f*{lLDwGG=ea3Y!RL1T1w%t`76{OzP&}*tZ0?nj^=spaIKM=dVo4OMCZhJ?!3U1Dj=&;IyWnsko`XSFpWy;T8|Ld0h*oI>>Ha35z>{K zx67r=au7Z3gSqMDwWXJyOwp_B?|%%kE!aX@?f1Flnj&=zW*pK~K>+`y3h4%Wb*~=!7T8_XXQT@C3hy7ky#yo$tXG+p{zbVf8 zrCeq`!Um2+P+u|*58murbL>}e34spzYXc}IIoZeIg6*Sl)?0kg<{P5AO+!OL{IhA% zslpWC>?R#7i3jpNxDtA3)nS#3CXl=~VyC)S=6jSE@6M0*csIpie}=0(LAXphh*4z7 zc|^afH765=OGqjzXe7suTJK!aIVxJv!?TD9ncDm8OLS%NO*A+-q9yr2EaB6B!9B|N zaYEc${$R^q*-@%s*ZSHILYVm;Y%H?G>}s`#!c6>d5WhxBbSf#rp>=%?v24zXlK;0XR^g8Eqs>869 z8?;v+>FW+O_YPcuJbxXVsMECH7{p&2kri#S{|L2IeZT5`%fsq}?9HYlH~3-G^3mbt zJ!)*PZQrZd!$-N#Y%KvGfB@>NFtfk_{c3~9A`KN z?|~PXeLP;}Z+UT8Q`uEV<F)$%fM#Dh)V#XIXf0kkUGF^&pJIKM+3DiJA^7Z zA$|E?pJ(3AT1(5Pfeo&3xImAEcS}%4dl0|Hip6vB+YI8%f|k}ll;p;-0*^VIL;UIY z>%4q_h_fXf@$S_@fN?Bvlc3{#uvyn%X`M+7TUdEyLq0j3GFygxRA$I~e>@!H_KQ^H z&YQcAgqke-Q;$4KeCDRu#;)F*EK+{ksfi4d=$%H)7K#a9SE!eYl*}QhZDyA&6P0L&>ZtR0 zf)C2HxS;{7wu>UNMmq0R0Eh+mW4)9$v2DEJtt&`?Y!iN=67QG^Kg$_VbPtmJcTZznH zHS9&|9C3f19ijDUmoRV??CG%bywW-4k#59TyW1ZJ0BH;{NJ-A+nb&>l=1rp8`Ci3e z)2fy*cf@y}F4!iNl%3A!?9&V*;fO>!=!P~FUCoRL_YfE6*s^wq;R-tqLw##-d$>>soRxeZkhR)s3 z+wrN_Uq-B(4WW-Sv~O&)j;`Fz-sRivgC1cey~!!>D_Cjw@AW;Jc)zfY#rF~fvN6-^ z9&E?AH3*8>iz=`Yz4@39tguhe9!6AT&pJ-BkT?$nc9vh>)6DvTEdnlaWQ%d_UNueU z*u!4i!Ds8N0DuFg$QIGjS&Ooq&7DMb8`Na1NBXmKJj;V2F9Qai(m;GH(|vN1sM&Jg 
z1o4wOND54ktW~lfptx~d`%aDh6=5NvSVOFh0>QLyFLf(<*6DlV6i9~HuQDuJ4>aq# z?Bj?$kEOm7Rk5w@26nJZvsKxHiR=^IEkAMQ-MM`xPUBKOe*Sfq2e#s>u6t z1*RAW2s^`W1ylxn1Zg-3FEt?deTO%OaZ5_@9>U$nVRY3rceL-fe94Qo{Z&Iw6)uv^`)c|eIZLL4BxWA$v?kThGAz|9isUd~$BxeR zbC(_E23do>UomLB3K2G=@hAuK4*E_GT%b<=_&EnK^RUC~bME|t!BM4-JxtzBaM;_bR0y||V@KrJ zi%YDg`zWl7k#0>j+4m<^q{d&G@8zpoTbXc^SaZw@*S4{U&JSi+f~&U!%NHj*oX~zd z@w>pjupTcU!ZUp5CGPtr;e{6GOHd`=!^M3ygQjqcrZ~2WjxW{^Ye`6j-+eQ9;}gLK zj)oK+Df9p?sP&I&-1S0se_@v9?kV7laoIbLoUNjLtob2ICapKiB|==>2)9fWVe8fH zaK7s>Z>wG53O1crc+&x=^yQtx!AGBq>#zeVvx*9KE(H0zS*7>gHy|-d3UILz4hrIr zb{x<$p{X@I;#{x_09#{jUhq6%;o(t3XC8#3-mdSHU$bkWo~-H0v|NdpFAiVNvXH!^ zUjr4bJ(+om7Y|A2RjccnK}(=|xj<-Z{5!{fQOfeX7+RKHjj>n?8EdW|jMpl?l7fG} zUa;T`$WLwB+Pi!tsn$FPJDxS3MLkCW4FD)W{KU4L2rULS!J(xzzo$6< zb(i76okDppx2|{ehGKE^%2LfGwZony)`>U67%Sy35=k>CUMD5YjeX4EwK4m;kDm(w zIKjZxiLQ9MCXrN~eUVnYL6563NlK|tWF^epU9W4!GmoKG*F3siqhLn6!e{yk@ki8B zc#-6KdOtX{HN^fvJpL%5^w4Bp8g0!n-7k2Lnv5d>c9pMZ;V3)Fwzmz_WN4)G0FF>FW^x7tgW^@ugk26<%3@2$K{SYOn6S)?xLg2$LU>O!6gTV}n|{LpO3%o8o4>xZ@oLZ`Ja(HwRxQr6wa39Qn+_K?VV0;tjD9Sa%iD z(f4dts|3>LS0OWoWo-Dk%mA1;#xT8B1}Y1F*ov*L{wL#5eLIm*K0(r_ zZ{0ByojTzHU)o`|ar@BbV7q|#D?OTrJG0E48pJgFs*?f=Iq-OAsu2Gq!G)^6?^q+~ zCF(o&%RdT3#gE^~EufvupH{S#8L!Mz4MIi9M#_88!W`q|n1u)2ihp>l-H~f)e^`7K zRip=Mv9c8KaB5{MX*;oKm$lc^tn)(9LtdkPK93w4Z1H_HDj)qZ?)WtmL;_;+W68fA zZS?f9xXR#kYk2zHiE%10c2!_Od_8Ve@$M5N;<@bK_(-g4%A(^J;kONH@+^?pTIySC zYjrx{KFiJpukO=eY+6*`ITi*06mZv(Q}f)cjr;lghYTBsy{St!&XZ+BS3p?Jg9N{FZk$S31Xv7^LC3c6DP$49 zzRVQzMs*9X+H-)ScwtIRELu=IFVYc~i$WXUHj*c@rdjtQmni&jDsJqOTo1HQ)xJkP z`=Xx^CD>i_eu(HB{3GasR~beAQ5k>;|g3={v}@kUhh<0$A-{I$sB+^)=;P!2#kc z;4foo;Q==lb+5oaYqPLtq{G6d%h!zFTLN6uj3`wEI{cfpTkWw1rDL7a2t3pLQ(z4Q%as8J#qN*{@Y zcy88l2GqkxPa@qd~Kl0;lZ_)aaqviPR61B^Y)5x6UgqA3F9Zy zz+ItSU)lw5ehk2D5I90s_r+IHEl7p+B>~Uu@{wnG^+0SjvE^}7`9=(OhV-T&Dhe~+;710546EeI79x4; z`(_oy8ML6un7|4EM5Lr%1iHJS$V}iMqH|zI%q^n`Z2d#eM$Z!ZImI5p^eT5@2&Yi# zWl%z@Gx$<8}$C3{YqQ zpxiPCyHqS&#P0<_{GZ^zHNf>dXFPsEhySYvPFDSw4WsX!ouxofO%^~n#_9E!jJtmo 
z{y%Z(b?Q=x1^>%(!Q%pmLD=DP?_izWnLdCZaKm|i|Lb|2zt2{HA>nV+N(qiXo?n1R zg@D7WaGswtbKn>If-S|_a$p41)5t)b4)p~Lz{(2zfg%6~PRba6IUE4g9j_vWcc<6y z9S=A;Wf2PI87FW+XblcpK#!vQg`@GR8VD+#UYGyeKzPUC`orf#TsYDyT_{e+Y_`H0 zEXLCKY5uW6kt-ge?0|&iZ-Dq8-cAmR0sysf&Zc)~TQkF{Ty_{_U>-ibWHJ5&Zgnfs zDZ!(|zlaE8AFaRrwi3d6uzH+c|KD!=mLR|i0dJ89h>Ibvgr>ij{~s<96wtsh#~J?6 zd?spnxOmq2TUzv;r2Oy8544=e5w}8)B&VW_#5`lEjlbwad0wZEr2fcbjN99ma8KU` z0FlsVr*mEK1Nz7R+#>Yyj~-6F;~zczPt}7r5cMf-*x|9N31Wq}WfY}zB@O-l7jN*M AB>(^b literal 0 HcmV?d00001 
diff --git a/docs/source/_static/images/sealing_key_deriv.png b/docs/source/_static/images/sealing_key_deriv.png new file mode 100644 index 0000000000000000000000000000000000000000..b5d5cfea0d261a651deb8427952e9d3960a12b84 GIT binary patch literal 35815 zcmeFZ1yohvw`0i{Kx8$>`Uk910jQX(at(%pSjJSZY4DIqN>Al;3ma1f+hy1VP` zL;n6_eD@pojr+#?zIWe$jUk@1&RVn9TyxGf*WCNPf}9lg4bmF`0ANc$7FPuSa|VEG zMi|IokKWw-B>=e2X(}eBU}*GG&(Xp`$Ie)v)zrWM03N>&4K-E>enHf@vLP_{R^;X* zUj?zx%nZ;FJoUSs8L1+(Ulk-Q-W4OW_`QQje3C#S(hQ|Fm$-%b;WhGYhd1|-TS{#S zpNYP(8729;Lm^y#65$TFKDM78v4`*3AW^@2V^q`XuCG{HJ=h#TLVW8N>gZkn*s$8Q zO$U_G?lOEJv);XQ6uy^*f&ba`aH_bt+-{HQwF3~hXw>uTiTsQ4#8w&Hz>`{IRka_Q zW1OREXcQ?kXa>{{-KS~$q?ZFu86KLyzEIbXQ zkv#E+8%yX^Ou7Mm_5k%krQ3KY;IND=vj1CE-m)Y+!~@`4UVVTXapIO5ij9o{MV=Kw zyNj$GcirI?K08WS^=%%2Xbj0i6t551rADJiMruMX(M7)tNa#}WV5E!OHvweh2&2)y zjtLYaXT2F5VO5e zcq-h4 zQ=KyNO`*s}$E#TrhufuqR)CdwQDSzy@9*GQXJRbaD?Pnm?CoEuWyoJXNG7%??t+#0 zlhn)TPXAE*j-`Tb{&uSxrq`8ot?$XA^diF|p3}_(N~wCLaeteDVqMLfthlNH<_%i) z*yG7Im@c;Ed?Uy!uL7&BYs1ILR)=@_ccl-JMPFCbs^NQFxAmd$x$%f)oK(+$7511u z9k1=ZcD>qPC;e+{x7N^Xqjz74GnfV!C*dignX=9C%yG`q%wb2!^iU55y=k7CteCvB zuDt$y-JK)yOAN96y+;;NY6WV(eV_VRZp0+WjVo{|*xj89c@V-M^1`;f7{;S2AmfqY zQn1Ur_H2#!dZbUhkFR)wc#e2pz3h8a=CE{8$2duajkLy8)ieT#Px6zA&fWa4`Dg&V%?3zxDj=s#_X&h}qFW1y~zu)fpa_2>tb&vmMnIvbermCQu}5WqL}X_i%K-@8WNRPOKQ3qA$#&AL zuypL5?`_~~_}n1nPxYlkW=Pg4YV(T+=fektUkW4JzobRHjqLvNF?Y^F-ihM?#yc?7 z?h&=;x`BH;`S#rHl>5iIe+vAIEDEEw>(mKKlJ(krLj9D#D1Qy@h%}`z^ZcW3l4wEj z^11cKFO_bt+QQ#Xeu+QdPef0a=RWvB&{r_nW`Dm}qd0sC-<|Q`(E$>A`kPp>(7NYR zgpDSRx1~M@zwdgP(%NoftU7blo+xmQGPbv#pyW%5h3%XpL&<)zN{NttmlHv;V_DrY z>oWRKV^4avtoq;_l7I^(xQe*wW9lGhl|CsA8S1JoJ*&@{tu|QF~-f)d$FwGsB zYczBVFBbB8M~A4(X!Ppdehm4jM+Wyv5JPzsB}P;yP&;2YUF$mjaGX{s-22@LXDwI4 zJ^eeK%()Od<`(93h#B7i^S;QYjK8dm>o1FY+=a~Bj?wm-mO~!pQip51-+Z7xh2om} zCVxxl%@jQpt#kG5oYr;y83v(V>Xd_)7g{a_^m5k_~$WJo4*#xL_|+S zcf?BGVP3o8Q$t3h9qZ1KeB&;q0E2eu;< zc2Fpce&yEY7NK)fmcOvl)OLSob9ds?kJ`+H48=@4ohf}~nQof`Ek})y9&Is^dv*A} 
zz5#udrkTpA_tTGDAltKV_)1>Z$rzn15JAFb(6%vBinKYKE1$7FlBE>@A*9+xeet@m2oOPJ+YsFwf+z z@B96cPU`M@=znt3#QuPa7Og1*wHoD|MfA~XlI1?MuOU&bt-Ms10>5M$@{^M@88@FUDZ+89Uys(NuyH#gl||s5fgz zswzzh6BW$XA`ByE_RvAlXH9oJwg=_n3jpwa<3zpu#u*AiK5w7Wu#hf3LuHIGE z%wm_Hsh^V|!ojl^(SmpJ5ol6^U49lx{x^z$3km@Ktx>?g_XTJb{%t@2;D3Xq%^kh8 z^X(60yY{iCU5{OMwgv&BztI5Tk#ug9p=+L4@3pN+qT<&-4oNke+j&6?gbxRPytQ6Q zkTY-PMFQ@oTnw$L2oYH+&6C&s+hN#xs;4bLeO#0Isn?W3b6uIzKt3Ze44JoeO73+M58WvPir@g|zhR z{a;BZtED?(Z0f>ny{7ySAqC;=Ize7W0Ejy3ayxe~)j3?~A}uuOUuODq{t(Wf0%I%} z{)t%jXQ+&X#Ns60ylBykk7?u+mHuS0ZHns5)N|LSdp8$%Ae}h>*;@pq!597uru=Q~ zreDr0<)DK}1W|Dp{!0jt@Y&y-*XbxPU7R?8A-{_W4SJ?Z>aOJO`*~SBAbAIuuCq@< z9|K@#zmU&rgqy!JJ#5F&8Kv6uf(W4Rv3}D_75hro1Dr9dOTTGB!+{DEqg+hI%2;-I z{)96|8Y??B*8X+#YF29{N-@pF&%o$sVq{>*_ktqHmz_-M!Nl6?xHCSK4b@yA*MgT+ z-DN<4CcBu6mG$?}^9=#>)@2!e9$4WFYVf#LxF@=eMpfoT*r4s*6Q$t!g zJ#gb!BdLb<`*=Z(gd+Rey@-MR2S;S^cdODM8L{j4zg=_^mpJY^Ywy zknW7a)7M`{a!XsU`s+Sj&dv+S9Aa<^N~4YpPY zQL-x|m)SE{tUuS;%MvyjMY5r}0889bmezU040t>tv!#C4|ODOsO$OpJiKXVXcj3tPC$LKp%4hwhR2eTlpMaRpIKW8wj_YMos zRUFAO=1uxO`ny4u_rv9di^riN8QFh^;KsQt0e;qu4;Jice=+Z<@745cmMss--9L&Z z@CwiraGQE}Um6Ru@%hwDLJw|ljD0&S;-0(4E*aGR@KV!7Jl%Upz50axgWW^0^Lp-E zTYT>DmDBcn5SZW^GqKGrFuTsW!sQhp*M42B0H_}Yt0k%7a15D9v@4#Zu@KHv0I zH#v8M^aQd$9dtLf{UppRhpJu=;v$!5oEv8^+vJVc^oSH=jn-n}K!pZg=p*}gb$cVr zg=h0}qD6XGQ4dIu+8P~|$+TubdR8Jx{E|e(}8=7cX4{gC+nBIdf>OFn1UcA-OF7v^z+z1nVp$0RdC=( zf1AA17mxHI1CpUB(N21Zh5N1hvFo3F>rFvz5O)E7G+HlQM7YN8I96FVuiK`2sYp{c z(Dhpgexhx^PNZnWuonJNb4uh|9HISrq+6ZoS*A4GSp7{uVN-cGw>-xxSwULgW!(Xm z8IZ8WKSE!X;Uza_LWZ;6cwEuJ_Zxs1vYrRbV<(iE&2C%}+2^s!Pht~G{Q|Q`?2hw< zhbeKfu?a@Bj-spi+_9mLrZ4P`cK6reCrzDI$2-qX=rl|Jei<#<^mp#1*z06RVgY&+ zF2?14?u;hvf(#1`F^&Fa%#IowvLurAnz@58hi?gk&$xsZRcg`i41Zh*Ty+16H8C%z z#$7U#m|8!oAcehtFB%)*z9dw)t-CdTPN&tnO}?FqI9!*njzO3Wu;IQS3~Eabc|TCr z-`cXGZOcA268aWgQg+#wd1WmD3z?#e8=%$H{BU85h}&|#OP?e<5r(yC%}4-%r2bFC zv+bfwZfk4UOynNI7HQ!o4Cp?-So^WOT7_&&IMKnQ_v4}?6+aH1mSwEuW&~Ds$j00O zRxi8+(4c#xZi9k|bUWFDPb>g$=I+$ZMSdv9g=vKveEsw#Rn6_WXW(YlhZD(E%WFWx 
zzNJ0&{RgG+(q^`pSlt=6ZDMbjwN{5P_xmM5KUMuo)j=oeJ25 zkxhZzoddF=#-*Lf35G%RvH44Ll00+U(0+c+t`YmiuU4&OQ)Vg|JtTrEjorH}C4oZ8 zrRwqH_)@;zMw>*$f48=*bNim-z~mYdx;ej=>CD?+=r%ViZ)*Nf*i#pO zW#*@7&hBz*R`;z|C-S{588x(U;#R--AJ8(BOit(NjBh`sw5_W|8GCd|d%!wzmH?c& z#4|qVRayJ$r@q+HdGhf0lNWHK}gVp zT}#2!wF3W`%(=Qf+M@=lF)xfOV57svLY>X_?r=wofflg2jOBn`xSI(Gj{6GSFL4;~ zkDz8uIEM~WLj%}oTn@RbPb&tD!S1ZQI>%U?*C_CIMM$Jbg%hwbzOZHhG&VN>-a16~ zCOCTf*M%IbhwmTM8VjkR1It(G4`Jc7hnt`I0O-ZO0Uq`47*5{TGh8dP=rS$<};BK(#;MS?Gd|5(Um&V``FY?6O@GqZO`#GJq@9g0q zn)CKQpX|HZ^$%sbHg|Uf;Mh`#J%d+dOt;}QDYMxdK&9n>DOS1}g;o1uI$+1c2=R{&{Q8VuMR+O}}K7V+H* z1USQ0yJD)=o!xtf0f4oQjJJI<_}Janv%v3uHHw0FboCuU45T|J@F7=(G|5x8aI zo@Y7#u#8CQa%yWu+3QP|N7srTI7CmGKn0*gLV`wVAROPKXqQU#EEtk3D4%6|g*9~V zDT|5C&Yt7KXlE)Hu4H_@%mh_#d@#-pK#483Z6O3W`j zby(T@CbK3;vu&r5-{#cX`+zE4Jzzt?x$Kv%FdY&Q$I=CH&3=5pwd%cYb2s~#f*hyk z{3^w3I@CCO1dfy95u}N^$;LfvVmVHbB0SO&1>e|BdxB$yYdBN%C_vp0eNLeIq+|q% z-11m;;S~UM@VAlJAcHC;#@jp;JdDlG97=N-SmCZ=O(<0hnC-V7RB_sWj=-{P`SM1D z!89{t#1tJBnsWlSm+9Kzy3B z$W3Mt{OV1}q_@D_j8M8>btV=k(80na2Iy+eQ-Jdg=}a(&q#j}whl(bfTJbPFc7Dw& z4Q`}2iYrh7C2|1JmG1ZyPS=jDR0q`{F$ChQLBguv{ox1aHpz70-FcDLUOS=$+jBk@BgAM@Afb% z9Xzzuu4y1w*DbaW;Ccyf_gLI?T`W&kTxILD&So=ozkaPO|5<=Kg0Y-bXB+jkgofYB zzJBl%sw_7F9otkF@)dK*Aj%-aQDk6Kyu*fkFLv|9EjJ+krJ^6GO&LmWe)Z~4#P?){ z7anF3Fy$BN>>aG8#P+VMg|58%YvaOJaX91lAe_pDUvhyg&pv8(F3Y-1Z)VX{FD=i- zK+8RHtzg~b_tx86yhB7gPW{ht0)oJ#8CuZ%hW1K_(rqwINjrdY^Az5VOO*W!Ib&+2Q$mbEn%n` zM8v|L&Eu*uZ`|7(jQ(aa9v)@OM|q6ejuzX6y7B51XUWGl+h}hZ(&g;)RTjmPOzB32 z&;aay0?+lg0uC!x66E11@1lm!9YO8iXJhgB%9F2Te z%CTL_t~qLl++05CdZCy|F8vtP6)}Ys-IS%3nrv?#*)9qxMrmQ!;`tgc61T_w%;3>s z5EXlGV>S4g(U>acZFs10ZHyic=B@C__R0D|$==@2OSVj!zki3a3h$XdQ#Un9x%x^k8}6cYbGvf%0&_2s-I`6T`F3U^ zIXMGpzc=M8COV#k$I2+LxKxK4D5XCi7Bu*-y=9W{*G7u&sprgA&S%4ltW|HV>>$vi z1jmhI%nQwps_nK<>9{8BP3EoQ)041*OQR~CE@Je-Z%_yuf5y&KzVI+3v53msZ`3#1 zN;>T!jOgo>ai!ICifmt%&#E)LI|27dMT1*aqO@h}t%p|a7R48{@6g_bE%_zTaSfUO za%*genh9Vvo2liu*(W~oTz4~e_iETRB_ztA3?EQZ52Dmy@p1bZlir_+4HmwdsJnPA 
zxmV(fEy#_&3}1@Ig$uO{V&W3jvb1F>V878`+S50)b1r|hl8;3v^ZA|0C2A?r#OKn7?3Sl&?rErbWLy zn6Z-WurjZV`^eR;DWzcH0RX`9AmpOMj7QxF?TAe#buzlYF!g1oHj2gjWHLD{TE&dO zPtz>;?$&${y@qNy=^AH zzWGT}`6d8lA>d~+9=X1xBL7CJlFk5oj**ETG5=~>xVy2!-j1uRiK1!4lX|J+Ymy%B z%vL`;8~J|bL1g{HXyeb35o$zC@ED|CGRpH&(0$9bY{u0jdWwgJpkZ6Z60H+e^6u1G zXc);`O;oD$Gtck0@vRD<$jW}A42z7q?X}<8HHF=`wXfY(_HC}gSB|RX*y$%q=d=Tb zY*sKxdTGK)4&-sggdaVBz5i#+ez$k%_W?i}gEU|w=alA{w<{^6g-N7nKc`&f&A5-z zmIko;MhIEN?ag{NQI|19ZT+@=X8siR3`giQNDN>6NX`b4>>{^Pgsssm zqhYcyxI<(+Y}9_nZuUlcy4?1PH0x{Efza1V=)fBVyb}bgthSrmqdr*`7Tw>d>bAn^ zzy&=^9Lqe#wSMsS5|G7%ByBMs#k|#tCsq06iEO^-J9T(p(>$jww%DnzlOpBKbAJIZ zGj8yR`Q>n@e@~;hM?Y$(N%P^dW9;)M!<3z(C%-)QQTiR&XGK{^D@0Pvwgun|+ev0L z@ZAcRP`*vpw|i5=z4ch@O8BT z!h6W2I(sCHfWaX9>tw2B#UARfdOnsz$)wxw&4`uOsuea&_atr~Lr0Uh`N+E~dWiRS z%x6PL6c!T6hY>3#nKZJdJh~MipuWO5BnzI3fp%W?{U(8f$DRH?X)w=kq-f-{J%wCN zJLIGVwkBamJ@}|x2rCI%CeW3~xyN9vC!Y$%{w;{`*_5SIX7oTms~WdN2Fr+7h`J+- zpjnko(PmKuh5e5vF>t>UhqyJuEVcrE=Xc7dO5m0>;h+|l;J=;^()k{qSpPFQjKW4p zkRS5BfOaPMSbZkZc%1tg_MmRQkD}xO!ID(}b@_p=g^^NoV{{WwPN%|G)pf_G4%$qp zEm?`sJHiq?%|S%zKUm3h<$Lv=WT*u5C6X4(%A?@Cz$J}^J+E7Q5P&m5A%)euqm*6A zg_rsWBuW?KG=9*!$&rK`^Y(eP8Sx)Gow$;%g+~iZqiM@8D>FS4d$%Y!JPzKkSmf90 z(efgK4wHF`*!+=Wl|Hyd7kHP|cSpZTmH$9&*lOa%Zm?3FkZHxyrxqS-xnU}kX_Be~ zZ&%Ia6W4?0^&+=YRLFk8$5l*55iUdoGW&-=j`u9M;YcF-D1>PpX-2H@Y^{s^#I>Tm z!Zvs+OWWH(kAfRZxF`QG1%;94`y>sxmsdZ#p({_WF#h=lD);J5j!AsnUqUiAxnSh= zgk&b4)cC0egw5jQhbo-~-6}CiGW6BU7ZVn9s!pJL>|n(g<4a}~Hi$kFXb*ezXri2V zt8I{KCbKUnJBT~``*QHxKnhuJa|{^56|K6ZIe$MU10$hmaV&nWf%>7m)l#K8Z4`@p zNsjxAWh*f=JxDc~11MN?=6u>8NGYa>eL!zsO*Bt2l>XbR)?gDnRD_9RmB_>TecPjb zK>nVv%=G>geOVEKtvs@9WyazO?DurUiN8byiznSJn$DA;W%pe1iz$4|KMMxk_iu8L zi+aoNw+V5Y8v)O--y{=y+nb3oZduo+ctH0d$oumJ}8GSJf zVHPS;4PW4Fa?U;==(#H;cS=aY2uE?36yx~l@^5*!1aPVRW$JB22xB*+Jh2`>#7a%w zk9xl1m1!zgr}}v?aO%;#)d55{7v_t#z}Tnu5+`kq!KK6R~Z9eE-ge_Ie0 zpnl^z9`VqR7$@Uz@UhBEs+Zij3fL%=3O1>(7TxhUu#gY@^m=yYd|6JxPfHE#owOry zzvAGoY{Qmm@;=%je1Q$rO)7ky{HwrySG8$BG3L5$JOHZqo){+!gs7eu=m)Re6Mu;1 
zB9azAt?*=VB{<=i#BtB+Ae&16HZ6-Kw-vF~aXWT@u?}+qOC{^f?6^kkac`8ZgF$aB z+lYNopxy8+kELeMY1jaH8JTQfG_fJTW-Wu;UEIyTTqwkM;M~;UF(Ga(Jt9xJ;n*u! z{!uRnyd?I!H#ttJnA8Sl=jil#zE4@6%<-=-$nR5q@hs2$yW+g_-RR&&@q=&oy4hzN zwt%+mM8@?J+!f8%eY17PKk8nUiwbz!1Cgsv2WzFmx)_$w-8`;5XN9C}qmG<7Frr(VG?#rxPr9+|A6QS{Uy6-lQ$>amjq@76ID)QyO z^I76f%5SPZ@r_<-+M=W?P#L|L1M8(D?{PPMMSxU#u-nQoeEVQN>>Q?daQp^ z+D#=r<$>K}pjw71`4cPr{E{-VP0*znnA|W_bYGn+jfJCT0l!ZE!+vQ#f!4CPwGJFx z*m6C^xS3nlf=v-y!`mz0jCcm(tj5As+-v*Nz;STmgyNto6sP3mrfWX2#w6xpY;?v~ zZKd)!w;jvo0Iyp*x~YtP1blDt?8Z<_4iY)GSqzrf5Gd%$1osyLd~qNeiO zU-f3(hqDCcMor+Ed4XbV!+ZJLTTvG64`KXY>X6|W2K%voez^YZA93{cK0BSPjC3TR z;0$9djb>%9d~8i_D#06x|JsM^?)GQvp!?%N^=p=N*1@}tP{ej)ZsHf!Ho0^`E}c%kQtmcqX~sZkNq%)7!#s*tCIX+a*|fo9;!7e~Vvv z>dQY_PgDh8>dW<=n9V>E@|^A%XUVlHhxe#qKG{>`waK{-wwY*;jqc+`2D+$ zO{A@wD1fuc)U{)Z3?72r%`Bng=-mnAK`Qq+2G3QS+0@@|O*B~!)n1ZVsrtX3vw0Y) zu0@q{>{x!-mVs}SOV7UQ_q{H+qf~b{wd8}AJ@)h`@Z?IcGSjO0xJ?X*EYzo?Id3|05>k1&!^wNoU`T%) z_lN7Q4}TuAT=*ISz(0Z8A8gPTaV+%Su3#^KIPC7m#oMMdGdAdioV@hbH@mqt2T|4BPZH>1jR=1D0s%>hklZ3LXgMcp3eo@Vt8=( zR?=l*$?-B=iWg9B#JGxQ2w4ES?# z$_de&UR1I^O$D7dKwK|e0D9w#Mvw5(7p?yAqLKvcfq^w@OLy{X%0OA3H|Q4-!$reG z#DN!0|6E-V-$i83ks`jlLvVA^I6$FaH0nG5M2uLl^Y(uPlAPE9@PG<7DA%tI%`(K* zpa=(8rFmld_vF3ve@mACS1#USiW5S;!Gi#H7v$&&yqhA_K&Z(o@yb7yYUD~qs%;Lx zz5a?Yh8OL>sb>9G#eBKDEx*i^I1zx-g6b!msvmdNpAdlCZ%k)oIRVir^kp4Ige$8Z z5MlY}uK$m>W#6fz*lN2_ch}^@)gPvjVJ8ka$mWu0E+eDY2Cie+L|$osNBopCFj9#N zRC`^Shs~E1EVm%2JW`iN0-EJ<dDcXP3ln`_!vLu(>(TLEkmix77*y=a zRLs`!3Gu);1mNyM*Q*(?P(axHi7Ss9w`Y(r{xQGs<2$`wxO~;M>c}fAhJ8TFF|->W zM^mkOH9z0XxZY;M`#LGI#g&bVllG;Bkx}76Q2YKtr@Ndu7PrtH6O7gOS3p1VQh-2z z#LmrLOK{(1_1=Mf&OYCX}iHr7D5Or+CMsPOM}xhZi6uCu14NS13R%n`NC+gIz6w` z!KzTPU)5YKq{54VcjIiLV!DQxst(p=bkr7W6OdGzMk;=zL0TR|1gU3DsY^W4Mr>gT zefP=LV%z{rujvwc8&v?0D`Y@81}QSd0U{}I-XtOLjm%b^J15K9L?Vs<-x{C)e|elM zYQki?lx$2l1c+Y9)u=F7bUw`p=tw{E%Qs7uW>geSJ z1`Csf&!>n7&&&*T+vi0Ed$;O`cc)-F(9c5W$PiwWyWlf0U~@nuML~AY`XLL%8oOcmdu2oE;j?>ldKv z&e+ktHFLpEb<-Ir;-=r1pm@$eHRK9kfI4&a)i&Fx*b-+)6z#J$_BXv`X7%YAGoqe1 
zF3=sGErhNnf8Lw3g{b~TV>E5u2O9;n+!f9{D3^0)3A4_ zhZU+@8L$ABd~Gcp#DZ=VD&GZ}lRI^L)f-7zypy|0`24)JZ!k+@#DA&P_Gc@-e>%eF z=$pd_Wbxaj+5Mb@4|7{9Tj3mxF-nJ{VpDa9W^3+{AfU(HV-l;>5d12t05Pxz#}-H10Uln5rlH z$31q7DW6j&$#;YdVYdMlA2J}0wO2nf;Q$LU(m}rElWYntEH>7|Q_x_Mal*2-H+F)} zTxh+SxqUez@0-K+=_#7tX+KjyuUIc0p5eE08(uq=Y|3Mj z_2JME$^Iwl#H$epJ$Hz%`yTwF8gEln#F2NIn4xi@_k>P6^a5Sq3XD!23%ECb46V z#WyQEFki}F#i5^XLSuh6cU;E<(g`4o(()DSv%@nuI0%*ih3F6(hlhxaDm#v7ozQG( zQFAsT*$21;b57E<;Sdu4;$hwQ02f%q8x=coAy+l)e6=N8KE*roez9etV*pr5fDTg8 zx?;ZNP~T;t9p_WFpdXU3NK_l&AXHEcAL9Qw8>}+}4bBaa+YpLSQ?tHmUC9?<(iwo3 zqGB766sl&uI9(KcX%fx^J@f~DKf1u*xUQ2*ay-s1U&%bpsDX#)CZZ$kW-QJxNYyX8 zAY0DeDA3;+q=oY5;K`Z98uZyGgkZ~1+j3Ugc6XrTj%Z!jTr@0ke`Rcb!6 z>psZnt%xFWS|0(~?CFZhmfzdv%_Mz-bA=gnE zC3x(IF{{_G`yDLcB?*|*mTUPWBh{dzp*utYrDLuXu<{-{vTw-cU$^JS)Re7Noziz> zkNnZ{8NzvOf)L#}P~%|`4p(`?4B23R)cnCn`QBj(1|^+|TKMx*cp~V>e^{ZnjmiyI zmy(0lJ$ky--vaq@yWM)ny`Po6KSCI)LdTWr+4pjM*^*Zddujlc^#!R)mq{0j!#;S? z>nc`5M-4}tj~NV$-ZAoUNZ|x#`Em0^j4)A6o!`kz-gC{0!&QVO8R2Rd2J?K^1^^lX zn~L52&Tju!EA9S%{JPk{_wP7+VrUHfiWhi;GC#d&(Az(3`HVVP!-U0@@x-82=z54H zAt;Kt8=`eH{dJkP;s{|tEk?flN?yn|$k?r|{Mu3x|DK;X(-lU=mLk5VM;ZI%N0TG3 zL3i_tknYxvu~_sSWzkmsWuf<;l?_F0T`&2iW-^}`lnL$V^$U`$?Sy8&k);k)WfYdq zE`KQJ`K>P)fx^F86Sl~-K6J9@id}_+>rU%Ib#Qwu&hN!xcmo|wy5O&-1o_ao5hJIC zUfr7;!+mmTUaYTuBYv-vxJ^k7RS+b550|nc0L8gab54Hf{Zzd*^Erjs3fS3$XxAAy`FrV4eecbq%s>fGR;2~&Yb)bGKQ&ks#YsJaEGIyo(7;zw_A3z z_$HxUd$48wm@`%W;4qq`QKf!$?@4KrYRq_!XLozo=^YR?E0b6jUlh+hp&>6rc7ugj z|05LkxN@d0?NK+okkTlJi8{6woYL@lv-lj@u8`kYs8VCp_;ng{p}ui7r#z`XCQ|e zQx94%Aen9p5N92#-3j+x2SnVnyGh*tclewDv6}8 zN=JuwX!qVy{iLogM<1PTxiFoi$*bu&I^GxY+otNKG3D-)`X91xQ;4|$Xk_im^2Ac= zjbt#O=!-+D_p-(B4|x@HO76%Qw3cbyZhYlQ3xmj+pB`TIKXXn}akn-9QR?WZzYg5` z-TuvzynvQ2mK*n=2wP$RHW*Y&X=U*mrV#c{Z(_5B#cY1>G$_D(7eYhFnPmH!<9ggv z*KmL+z}Q3EZD4d`N%gT}X2Z62Yd_IlbJHKR`oy(76?VhM2-*-ES%l;(_BEuAcapWV z#wicz6P!o~58zU{Op&zr969{3yY1~_Qs)_+7Iva?wxc0>M;o?s~D*()-ckl|2u1GFH9w7VNue-&&4$U zGQtcA%kEQ=3u$jaj&%OlLJ*rr7D6>ZJFyi{|yfSkf}^{fonp| 
zc3X{(r?FielOhbO?Z-m1S=RfQ9dy(>20_+`!XigR?m*L5*0d!PMaqfzmf+XYBAAfvAOc4RIA+C=n-V9Y# z#;3)>wet{t$prh{qw zELGX?Imv50sdSXy9sAF8-AaRR%H9(P-02~_uTp@(0-#Hi5|++Y|8Py&@H@(;3bP5Z8zZWsnXnFT3;QknEWHBnhAz+3sB(W> zqYOa)l04U9u(pkk62MbN&|>8ns&^g51+eziY@K%1wtT$Zy|mX_^Rw)8rqS`FRqIUq zFYP}yZ(}>9K4g9?XmIl3hk!3W3DDVP0 zyFWl_era(P{e-OJ482h3(Lkxhi~C7qx3#>p*FGyB9%^j#yxfMkI}kdO4KBov=#0Wi zds>1Xndf_}C(53NdY)jE`6<&i5XWl==2!e#42}Ku*YD#!zOkxFO@`2W9Y0y?KhKL~ zHWVKA!d>fez3?RykGgO&Pm?yp_2ERXK3e=TeI!@$U@gOTo6LZ8gOm|= zjc4YLl-@rr`yXaOT$1=~cCtpinetGyqFJ;Q;Pv$nadl(!P=OSeanNQ+7U9HU*puXL zZ{?Prz$)pU0)RTf)cUacS9ovN0Of4oaM}JYxo>q;?5W}aN;F1I!ki5jSR0^ZY`8t; z5fTDYr$AGL_^|!%EMF-iahgmMDHA`-t;K=v2>dzj*;&pEQ22V9IqaZ4OE&^0=b1zV z4B*q9%WEP4NV>Wo0)UI!6~ri!f84hHd&>VxiB%OKUb={AP#W+Ks0@`joQhfibld|B z3b21XRSJcir8!TBQePCLAih1mx?Kf;PA_w!(;?uWx(M*<`Z}P{2azp!I(GY?&j)v& zrBP2u{%0Zod&-4i|NBa8smKY5<5Ud+mv>+WoBba5qf@R|!NbD^`~PWc0P400c*#@n z6oC2`&m#eKc69Zf5ZTs~4A)awhvyG^dkN9PnyV183PAkn?3N>O@U)l#(RFrF&z^sD z7c4M9bg*AsFgVhS-#trh`Jbglp`r{EZ@@~14UfswBM(4#R=KAuu7O|IO|>nIiEn1=y+;&MzT;_P-nN zK?jQoz)q;`Ih{V`U}xibr|4N{M->ZxT_!Fj>8ag5Co0aqmky?(gAX|kH%ia$EJWZ> zB(RDq&)K@5$tv_Cv6ZLRSz2%Q{D#1@lup060Pidp7XmTemrvF1cBO|13j+>arnCj0%bl23Wk#iHagy@ zgFF#}RTGGLo@aulE-wW;yU#l*&N~Zl)50_m)eDG`31{Yt`iB$PiKt#cbUr%oOz#0Z zuYm;wh)&xxZ-l29gP7&GJy-|IaUHz)WIq7xa`3Et6EIPAT`+x(iUWoL21om|J z(h2^Zpy=%FTwbo0{LWj~+cuP4(!Yd!UN0d+za({i=ag23mNcRDgE}dF%boXX_OJ-q;G4G>GJ9n#PBrRVQeRx7 zxkMuLC%*yA+!QBjF-*7}n7=q)I9O;Nu)1Lak^-;s7@yY(Ci_yMm0||)oE5l0*_XXI zD?RX5m;}Jnx@5->G7{1Ja3=w&LIb|%{uvjXq&UmX4qEk+ggMj3 z7T^A=7YehDF+bnUEBkoOo9CdW%~1K76Hort4VN7FxSfhQ!S3&OdD#}MQ9R{zaOcB{ zy4b;(9EnEm@v)R^ln19;l}VZ(UB3GebAkb1d!R_ycA8(7uS*`tRIWW8xE@#29pT)sL%1m^)M z@>7Y|4%cQL{?c%N-umMH4>weTf0S-TfE8BXTw|UZVP~^VmL@BD5`8c=41c6B^5ry1 z0g7&~oR7DZPU?x!`{&vp=l3x~sDwU32HT_VV>ReqUJe)6gG8}B6r~W0I0>%s=}7t9 z@e_sRa^u*9f{&SkI`V++Pu3Kxv$c9-8P20CtwIKg$Zo%b^HmIb`*O)dNM6H+AHtt#2Ao490%r)cDyYk*3T)A!>a2`!!-&-;S1P zA91XMFlWe46`}2Z>AQ!)dXdT5mR{XAqu1huFN0gCzBm@sU44IW-`x8uX!M@A7UPOo 
zEPSzq4`1;8)izWeRu=W}#fW{l!9w}dCW1r@)BODh^BpeN@V5Cj`05D0@2wLD z$93-Ed=oY2ZXX;u#{7ybD9d*>+4M$l7;Vq5L4N(+<58mra$KgqWapk70Wka>v7-3% z=O~o7a$dHp$8-oWK17vVO>sI6IKbcWzPzK+p|HN$EH89>LPJj9S+hQJB~=e^!`qAq zS>USDj`KZnu0iT5iD!q&EAScz0UB&gH2O^xX0q5Wpn-e$aP(QTr+S~HuHluYM82ar z$f|FT!ClhQajB2g=-KH(8oyMEYF=8{P-e>_lqkx!J`!{O9#LQaG(dD^Bd^oKJe29< zx719s$J~ACdNey^o68xw?Mqli#m25qAOYZmZyCyTC7q8bF_sABgFu@aM_X{8NO1@2 zf$Z~EcQTh>=MEaAnHmjWY*njo-g1QvjUx?YIny7)f_b!ueoc%Dc0%E-yu4&aF?0ts1_VNgCz7gfUy8Ml z?#m;(!dxA66ieml<_};v;H;NnF;&w{R3_XU;-xM8z?NWNuIqG9+XynK{IXCSw$m zGRu@i8IPfip$x~6F@+~n#$*2WeFom|yRPrO-s}D2yWa1*p8G%R-1lC4t-bc%YyI}x z%QW#06Q}Zxt3~UjdS9EBV z3~Gcq-~3E@xDwYl5`e1y;nJ*gm8k&6x8Ya7lPD&L!|P22qlIIHZ!;=w54b4|7@Xbe zao(94ma*Qxxm_n8C^KwLB7SXI1Vl-w0gZwF(LlaizYazQ3rGZ)=(@R8gmb`fKZzso zFH~w+(5hcE!QmYFe*|=9zf`m~WZbs#4b}h}wOa!opd1G^O$&TWR6wa<4Zh$zT;k0H z$hZdFB5^q!OM@spNu$$t`=}jA<&s~{zDi*QwTsZuA*Wn9jZ^8;Y#L-`8ulr}MJ~uc zqo1=N@r|N(#EojgoTbZ@inZYwIH#k2J7ef#QvKGHp_rUUMIvX3RR^dW;HrX1wJs=c znuXE}Je=58D%hLVwloRe`5Qf2#e4~3`WjTiq0#Pg3_{zX*i?@y@K`0rvjH+o z5IH~wB&;YaIb(3Q`r zE%hD|2AgaZac%nbd=Qz>;5irW&x4$bykOf4R;A<%L5q_Q6FH3O>fn6MN=g(C;iGdc ztPupL8DtY--KjEy2HKkjIq@*|%o0&fPB?-NPpTrBb7+j=)l+|b7kSOaHxe$xR7()# zWAR%(7<>=`h;VF!?V=LV-IV}o7~nFdBi%EoYTHNNw9K?X%8${etrN4^3$R$vE1Hrs zny_CiRgpy)3qZdI=(m-rbZ1L-K(_&Oc(a~Yq0&+C{SlvjAUVi5f^MIt(#zQZ7~<0i z1QG!n8GA$(s7w@n^xH~Kr8JferiW4K>j!y{e!CI?=pYRS8jGaT}s6sY=9a~zyK#&uPBqpL3K$H(4PT1yoV-wQRy`cmjJyU&|$J4m8?4N z1jx$>0v5i?foGxWEjUFJ(8T~f9H#%dMSo=u=vM*#8p-E>>_YJElWTe12a4-NJ||_1 zfXy`1vu37D4fGjyqp@Fzp*f_^4f;*?^|=hovLIUBMW;6#CQjQP+}UGxbG;z>R?Z!3 zR-;SGW(zWsVV5I1DV4!Z~!!`D8MgD9-kr2YMH z@3%-L6*E)7+r9rGdP90#lS_wtsMqvEzefKq_3H;uQl@w!E6h+6sNrfy z*yYT~ul;uFA{>k4zCuax9PzMxj8?W-D!N;QN9n%3_W;3Q-}`f&JQK7?QiPu{M<4&b ze&jB}Xu~Z~$csbxgJ#?69kh3^xYxbe!xNz<;?D>7a*t9!nl_zAfE5R{JLS<<8X#8D z=isGYvYy-iLH4D)=`>I4+qV@z?pHeZiztfOrCD$2flMV8tuSKj4T zFs%JG*Ku9UV+D0x(45F-c>Qt!ZaRoCT5E)8mMm-4S~Y6_Btsn7&@7Y=GB6#IcM-p<=Cw{rhha`+qGsTMh1P z+r@nQ!|6#E5!tE9G^@awWKuhc$;hF*x%a1*D#|uHEkeFzp47V^JcJU&$*~^uZgIut 
zYl*jiXO~v+A?*ZB>J3g;MR;rGECmfJF*yRp6!!utJ5?f#BC1IE{K<(XDd z!b0ZmfxzT^m^clp6^qgdwVM`kp=*|`bPM`Y(WG-nGulm08LV;t;R*K3bJ;#?`8f(F zXPj64e?3^8<_b%856k1bCMk$h4@R>#82d1!TH;=2`8(+E@?|L58rvMM^ibcgP5K$0 zq~*B_0KfO*O%{%n82c(*8Mr`{kxuv|=HC&F<^_=?R{%~?{yO@Krptq#vxQFA{yf8X zSq;_!bU#cou*>4a%y6dL+tYK116mgh>eMbzg#ZC~fB-GQMd?qH?KgvcEICLEJ`88l zvRC>GBxmO>3Yyp1U{?GM=$SLF{T4VcQD)dOOjZ_b$(TP4s?+ru$1fP4F>3ekaF@cM zj*jpP(Wh&-hGl;3f7N-s=3K;P@}y8BX}yQ<)3<8GU0BHcc=m~Yoytp6Co&j0BL-Lo zVhin8y}l#A^bC`20P@h_sCw(qUP(Ay0QIlx0$jj6Q5?dv&@&&j>b@q`>Q?H%^5^D9 z(#W|)NCtMF7j?`k^`}oBwkKL9&PqYAQO5$?yld_1B}sE{=8NMr0p4|XUX915JDK@s z^1Q4@D@%FAU#I$`D8h*V;R5dy4o^OZ`Z8MN>(BXOBK$npp4~ckyW68H%S11Z#;KG! zx4ty`j4&PBA|q#&l1KUX>`xR?`YZaGu@enB4+-f}>E-zO($6pCtO_FvMyxB+z#MJk zb!^DFRVM-QwxPY^HaQ%_Dr@&jaz|~lFBI4a;+9u$%pW4H#|75nDuZ_`XhQ_)=ZE{2 z_Sc)}iSQ1s6ohxgUH9{znD`xu*%;}6`S8u2SY|BYR*;{oQ&aq@#&98Yx>Fzz^Ux#E z+S(R$`E6&Zjku0e{`)b}FXBEMS}nafwdB;>HdU*? z)HnA=y%>p=Pbu83WtU2z4W(!P;80`K-dcmIMy=M7wVDTR<0iPaZm!Ve$Hp5J&wv@7j_Z!x)lj5y8|n?J5+r4^LFPaD7<) zC@r0bn8Ikr_diam{LwQJC}~>Xd$-^Igw40;YNY_2am+INLK0BjwAB=KYB(FZ`hD4ja_W+;H-S#+Tp8=U2<{KS4(xS~9Wv47< zIGl$NZ3ML^gP9!kOJouYnN~nxnoA4!7^HpWth&>9y4A+sD-G}$KW&-~ zZCMlZmNt)T`^)R-=u`ufNnfHVa?Eb}OZ`<&l`GYKugViVr*nm$u5BU->d~mWPu6gn zqN2{CWZ>@mhr^fp!Uk(H#KviTcwTrJ_BOYwL~;c9?;O<_b*f1$N?&Trp7~+lit#+@ zb=Q=%@*&K{RfrS0%1%BXOFu6nt(F9!I!DL;L$bf7cq-~DxyIhxec@K)gOZ%i4AsVX zJm&btzAy?LK#avg_%l)xD^a5%EGZKqjnhlkX#I6U&-A$=dI$eog5-?WZjOmYt0qP9 zy!XzIF*h8ejM@po*Y5fWM%4W2b9=p%vTb-8;AWn$zFHnXS?L|L2Rl{Vo~izvs!OHbr)vf_Jg%7JFO%8$^V6x-RAqqw(W>(rB@0BQ*Ze?pc zZu~MT#kND_J!5E7ppCYaUYdu1_jxA_)9xQfQ@LY+2~?)-_lwF7<-M%NzuN*fBmOkM zGA>B!y}az~+|>pq2Hn`~b{hO^LTFrBcW;(&yvudxS_aX)eMfH&u>NdaXJ62$ahlF$ zU(OrrSKpyqtPumN5L@mU*)O zm9O0Ruu}CY^6sDrj7P8Ww>;A<@z50{;U>1k)wbhK$SLhu5wS9Std{1nHX?h61g4Ta zTf?HG1lph2f|UOqmoAs7)1;=18C}?*39Ag3%{o*MO1;?Reuhr@M!Rl=)H!De`#(8F znyT*LsHS5fGdBLUR&u5_6ra~DSJ-?g`|}fcX!ubop7rb#jhzWd$~xVx!J)j%qx0K9 z`~HhZhM>sHg%{U}v}t~CM&BQv^eC1Ap!Rs9S);fvb+-j^z)(k_y)=8n+<8Xm;vG+1 
zuFNCD?B?}%8+T0V)MxF|nK$3maguC`|uHY*ijh00e z)1D*_W{g9_pOQ#qBqIry->}@VL%H z+odqGEPvoaLRC;cE?LlA<9Ijj#U#>{;zUFMCxT6$&E}@Zj{0olOJ(WAri(&ftyi+M z&9Z7CS#551Rpbz(Qgs2vfdk`DV+QSf{n6FW!DaGm)~o53X3U+U-pPiKz>>3Ua>cb? z-UiM*;aL-D>YW4|_%ct1X{NKXFZhZL$$9*gYaKUlX3Ti~aYzkiB9j!u7L2YkEIlQe z_YhudAh~eh*UbOeT-_DF@uW(t^x6Y(MvYu*T6H(z;^@pmL0eTl2FsN-a=Fo(}0eWmxABSJ3rTA ziN|+F_L-)2hL+6{=d4zpgFVXIC1hWIDoO2!WQkScYB7)Fe~eq-H~qxP5H%*qM#p-e zYrb(N7)SIZt;@&2?oeWDC|(?+#(6V!M|)ynY^|xfT&L+$YG;p)nDV>aw=^?i9y_9e z)}7l1UST-rg)CMu`D8I0foATgWrag0m^f2sIi z1*0VcM~c$Dl&Vw8nM9^ZUbGnxSWKF=I(D_N1lB*4R&qV#BYj7~Cb$0hX0!s`qpm$W z|G*yKmucwsjls4I(Io#B9pKp4F4ZZ6_mnif*JQsMO}4T@a8C)7eqKP8bAf40(7VM` zVb(%O1xpX6^TBE{Teo`C(>SVTqJ~52Eq{0H32MmEt~fFM{rfW=g}JeecPYFsQ4)H? zL)op0#4g!s45U$)CiU^hhtt}ELz>D7)X(?sw|bxB7(-a{^>sW!teN#`{;ZH7O0Qsg zeB9W6kl3-hNDLJp)v&M)-7`q9q>|8uM(_)~XgnXW#=fxLLXhqIwcE{a>A*B~2WNu! zzVcV=OMJSg177H!?Pog6gFgn2k5iUtW+g<<-8E`on|fGtx7PT^(nOJg zL;KBS18}#zCX9V{O0drzx7WJ$;N%+{>bA@e`q{IqGlRWGm$BDxv$`k9U#?8bQ=#e` zJ+t+~l}Em9X(GJU42tr?mZHyA+22i%Yd$Lp-JXaX21^}tX?!#1g%bBERi7R^hZT7G zI-^F+7Ii^9fb78h1ZjjVI$0Bk5O7S8)1-!jJf1#+-|;1{PETQv6I4*$`5>y6uR+bX z7|nmeUjQCu$PB*VC_#6yz^eWoblX}KM5^F{TZAH6j>UhnFzk0Il94||plyAg0m?Cf z=V<~!Z<WDc2t1f2a38~(pP01i>|rEyLz-K59yYAns=B{^G=0OvV`?Z21J}z^(iwawkCoCY(m8b(V^i zLGR%+{_CJ<38iTg=oPt*3F^S1{4ymK2D~#010f(AfV5nJFnJHW!m*K4ionnKB3~~V z2}Xz)-f>Cn5lQbix*UJ-B+zL+vg0>A)X{5W-vR&%>x~66+RwTX=*7LdaRP zpv%m#^zPg2kHhRGw%NmV)FoKA*~8Eu8n?y16;8~0sJYD^MqP2+(jS9i)$iNV_kdG- zY~{A}pJDbI+w9@GHD>5-_7*UEaDGZrZX%q0^xUb_ZN+rK3N8uUt hSug*ejR1n)Y(g<2CYszYPzPag&Yad!%~3WB_%EOkJnH}e literal 0 HcmV?d00001 diff --git a/docs/source/index.rst b/docs/source/index.rst index af65777ce..3c0f0b896 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -28,6 +28,7 @@ Welcome to Keystone Enclave's documentation! Keystone-Applications/Compiling-Applications Keystone-Applications/Edge-Calls Keystone-Applications/Attestation + Keystone-Applications/Data-Sealing .. toctree:: :maxdepth: 1 
From a7571b4db6324d8e8c063b349a413c040639651b Mon Sep 17 00:00:00 2001 From: "Kopf, Benedikt" Date: Wed, 22 Apr 2020 10:26:06 +0200 Subject: [PATCH 2/3] Add sealing key feature test --- tests/test-qemu.expected.log | 2 + tests/tests/Makefile | 2 +- tests/tests/data-sealing/Makefile | 3 + tests/tests/data-sealing/data-sealing.c | 59 +++++++++ tests/tests/data-sealing/data-sealing.h | 16 +++ .../data-sealing/data-sealing_with_output.c | 123 ++++++++++++++++++ tests/tests/vault.sh | 1 + 7 files changed, 205 insertions(+), 1 deletion(-) create mode 100644 tests/tests/data-sealing/Makefile create mode 100644 tests/tests/data-sealing/data-sealing.c create mode 100644 tests/tests/data-sealing/data-sealing.h create mode 100644 tests/tests/data-sealing/data-sealing_with_output.c diff --git a/tests/test-qemu.expected.log b/tests/test-qemu.expected.log index 57b807663..27ed250c2 100644 --- a/tests/test-qemu.expected.log +++ b/tests/test-qemu.expected.log @@ -16,4 +16,6 @@ Enclave said value: 13 Enclave said value: 20 testing attestation Attestation report SIGNATURE is valid +testing data-sealing +Enclave said: Sealing key derivation successful! # \ No newline at end of file diff --git a/tests/tests/Makefile b/tests/tests/Makefile index ac12cd9a8..0bc286a42 100644 --- a/tests/tests/Makefile +++ b/tests/tests/Makefile @@ -15,7 +15,7 @@ RUNNER=test-runner.riscv CCFLAGS = -I$(SDK_INCLUDE_HOST_DIR) -I$(SDK_INCLUDE_EDGE_DIR) -I$(SDK_INCLUDE_VERIFIER_DIR) -std=c++11 LDFLAGS = -L$(SDK_LIB_DIR) -TESTS=stack fibonacci long-nop loop malloc fib-bench untrusted attestation +TESTS=stack fibonacci long-nop loop malloc fib-bench untrusted attestation data-sealing SRCS = $(patsubst %.riscv, %.cpp, $(RUNNER)) OBJS = $(patsubst %.riscv, %.o,$(RUNNER)) $(KEYSTONE_OBJ) edge_wrapper.o diff --git a/tests/tests/data-sealing/Makefile b/tests/tests/data-sealing/Makefile new file mode 100644 index 000000000..8caa47a3d --- /dev/null +++ b/tests/tests/data-sealing/Makefile 
@@ -0,0 +1,3 @@
+APP = data-sealing
+APP_C_SRCS = data-sealing.c
+include ../app.mk
diff --git a/tests/tests/data-sealing/data-sealing.c b/tests/tests/data-sealing/data-sealing.c
new file mode 100644
index 000000000..23fe361d0
--- /dev/null
+++ b/tests/tests/data-sealing/data-sealing.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2018, The Regents of the University of California (Regents).
+ *
+ * Copyright (C) 2020 Fraunhofer AISEC
+ * Authors: Benedikt Kopf
+ * Lukas Auer
+ * Mathias Morbitzer
+ *
+ * data-sealing.c
+ *
+ * Shows how to use the sealing key feature of Keystone
+ *
+ * All Rights Reserved. See LICENSE for license details.
+ */
+
+#include "eapp_utils.h"
+#include "string.h"
+#include
+#include "data-sealing.h"
+
+/*
+ * Function main:
+ *
+ * Description:
+ * Derives the sealing key
+ */
+int main()
+{
+ char *key_identifier = "identifier";
+ struct sealing_key key_buffer;
+ int ret = 0;
+
+ /* Derive the sealing key */
+ ret = get_sealing_key(&key_buffer, sizeof(key_buffer),
+ (void *)key_identifier, strlen(key_identifier));
+
+ if (ret) {
+ ocall_print_buffer("Sealing key derivation failed!\n", 32);
+ EAPP_RETURN(-1);
+ } else {
+ ocall_print_buffer("Sealing key derivation successful!\n", 36);
+ EAPP_RETURN(0);
+ }
+}
+
+/*
+ * Function ocall_print_buffer:
+ *
+ * Description:
+ * Prints the buffer to the console
+ */
+unsigned long ocall_print_buffer(char *data, size_t data_len)
+{
+ unsigned long retval;
+
+ ocall(OCALL_PRINT_BUFFER, data, data_len, &retval ,sizeof(unsigned long));
+
+ return retval;
+}
diff --git a/tests/tests/data-sealing/data-sealing.h b/tests/tests/data-sealing/data-sealing.h
new file mode 100644
index 000000000..87096a2e2
--- /dev/null
+++ b/tests/tests/data-sealing/data-sealing.h
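Review bot: The test in `main()` of data-sealing.c passes on the return code of `get_sealing_key` alone, so a derivation that handed back a constant or all-zero key would still print the expected success line. The properties the feature is meant to provide (the same identifier reproduces the same key, a different identifier gives a different one) can be checked inside the enclave without sending any key bytes to the host. I would derive a second time with the same identifier and once with another identifier and compare the `key` fields, as sketched below; this assumes the enclave's `string.h` provides `memcmp`, which the diff does not show. The hand-counted lengths `32` and `36` are correct today but would be less fragile as `sizeof` of the literal.

```c
  struct sealing_key key_again;
  struct sealing_key key_other;
  char *other_identifier = "identifier2";

  /* ... unchanged: first get_sealing_key() call into key_buffer ... */

  if (!ret) {
    ret = get_sealing_key(&key_again, sizeof(key_again),
                          (void *)key_identifier, strlen(key_identifier));
  }
  /* Same identifier must reproduce the same key. */
  if (!ret && memcmp(&key_buffer.key, &key_again.key,
                     sizeof(key_buffer.key)) != 0) {
    ret = -1;
  }
  if (!ret) {
    ret = get_sealing_key(&key_other, sizeof(key_other),
                          (void *)other_identifier, strlen(other_identifier));
  }
  /* A different identifier must yield a different key. */
  if (!ret && memcmp(&key_buffer.key, &key_other.key,
                     sizeof(key_buffer.key)) == 0) {
    ret = -1;
  }

  /* ... unchanged: if (ret) / else reporting ... */
```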
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) 2020 Fraunhofer AISEC
+ * Authors: Benedikt Kopf
+ * Lukas Auer
+ * Mathias Morbitzer
+ *
+ * data-sealing.h
+ *
+ * All Rights Reserved. See LICENSE for license details.
+ */
+
+#include "sealing.h"
+
+#define OCALL_PRINT_BUFFER 1
+
+unsigned long ocall_print_buffer(char *data, size_t data_len);
diff --git a/tests/tests/data-sealing/data-sealing_with_output.c b/tests/tests/data-sealing/data-sealing_with_output.c
new file mode 100644
index 000000000..27bc0452e
--- /dev/null
+++ b/tests/tests/data-sealing/data-sealing_with_output.c
@@ -0,0 +1,123 @@
+/*
+ * Copyright (c) 2018, The Regents of the University of California (Regents).
+ *
+ * Copyright (C) 2020 Fraunhofer AISEC
+ * Authors: Benedikt Kopf
+ * Lukas Auer
+ * Mathias Morbitzer
+ *
+ * data-sealing.c
+ *
+ * Shows how to use the sealing key feature of Keystone
+ *
+ * All Rights Reserved. See LICENSE for license details.
+ */
+
+#include "eapp_utils.h"
+#include "string.h"
+#include
+#include "data-sealing.h"
+
+int hextostring(const unsigned char *hex_in, size_t hex_in_size,
+ char *str_out, size_t str_out_size);
+
+/*
+ * Function main:
+ *
+ * Description:
+ * Derives the sealing key
+ */
+int main()
+{
+ char *key_identifier = "identifier";
+ char *key_identifier_2 = "identifier2";
+ struct sealing_key key_buffer;
+ int ret = 0;
+
+ /* Derive the sealing key */
+ ret = get_sealing_key(&key_buffer, sizeof(key_buffer),
+ (void *)key_identifier, strlen(key_identifier));
+
+ size_t string_key_size = SEALING_KEY_SIZE * 2 + 1;
+ char string_key[string_key_size];
+ size_t string_signature_size = SIGNATURE_SIZE * 2 + 1;
+ char string_signature[string_signature_size];
+
+ hextostring((const unsigned char *)&key_buffer.key, SEALING_KEY_SIZE, string_key, string_key_size);
+ hextostring((const unsigned char *)&key_buffer.signature, SIGNATURE_SIZE, string_signature, string_signature_size);
+
+ ocall_print_buffer("Key:\n", 6);
+ ocall_print_buffer(string_key, string_key_size);
+ ocall_print_buffer("\nSignature:\n", 13);
+ ocall_print_buffer(string_signature, string_signature_size);
+ ocall_print_buffer("\n", 2);
+
+ ret = get_sealing_key(&key_buffer, sizeof(key_buffer),
+ (void *)key_identifier_2, strlen(key_identifier_2));
+
+ hextostring((const unsigned char *)&key_buffer.key, SEALING_KEY_SIZE, string_key, string_key_size);
+ hextostring((const unsigned char *)&key_buffer.signature, SIGNATURE_SIZE, string_signature, string_signature_size);
+
+ ocall_print_buffer("Key:\n", 6);
+ ocall_print_buffer(string_key, string_key_size);
+ ocall_print_buffer("\nSignature:\n", 13);
+ ocall_print_buffer(string_signature, string_signature_size);
+ ocall_print_buffer("\n", 2);
+
+ if (ret) {
+ ocall_print_buffer("Sealing key derivation failed!\n", 32);
+ EAPP_RETURN(-1);
+ } else {
+ ocall_print_buffer("Sealing key derivation successful!\n", 36);
+ EAPP_RETURN(0);
+ }
+}
+
+/*
+ * Function ocall_print_buffer:
+ *
+ * Description:
+ * Prints the buffer to the console
+ */
+unsigned long ocall_print_buffer(char *data, size_t data_len)
+{
+ unsigned long retval;
+
+ ocall(OCALL_PRINT_BUFFER, data, data_len, &retval ,sizeof(unsigned long));
+
+ return retval;
+}
+
+/*
+ * Function hextostring:
+ *
+ * Description:
+ * Writes the string representation using the hexadecimal system into the
+ * output buffer and terminates the generated string with \0
+ *
+ * Parameters:
+ * hex_in: Pointer to the source buffer
+ * hex_in_size: Size of the source buffer
+ * str_out: Pointer to the buffer for the string representation
+ * str_out_size: Size of the output buffer
+ *
+ * Return value: 0 if function has performed correctly
+ */
+int hextostring(const unsigned char *hex_in, size_t hex_in_size,
+ char *str_out, size_t str_out_size)
+{
+ char *hex = "0123456789ABCDEF";
+ int i;
+
+ if (str_out_size < 2 * hex_in_size + 1) {
+ return -1;
+ }
+
+ for (i = 0; i < hex_in_size; i++) {
+ str_out[2 * i] = hex[hex_in[i] >> 4];
+ str_out[2 * i + 1] = hex[hex_in[i] & 0x0F];
+ }
+
+ str_out[2 * i] = 0x00;
+ return 0;
+}
diff --git a/tests/tests/vault.sh b/tests/tests/vault.sh
index c4ac87d81..d9f0da28c 100755
--- a/tests/tests/vault.sh
+++ b/tests/tests/vault.sh
@@ -18,6 +18,7 @@ PACKAGE_FILES="stack/stack.eapp_riscv \
 fib-bench/fib-bench.eapp_riscv \
 untrusted/untrusted.eapp_riscv \
 attestation/attestation.eapp_riscv \
+ data-sealing/data-sealing.eapp_riscv \
 test-runner.riscv \
 test \
 $EYRIE_DIR/eyrie-rt"
From eed0aa16ea7e7ced900b4612a233931f08c3eda4 Mon Sep 17 00:00:00 2001
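Review bot: In `main()` of data-sealing_with_output.c the result of the first `get_sealing_key` call is overwritten by the second before anything checks it, and `key_buffer` is hex-encoded and handed to `ocall_print_buffer` either way, so a failed derivation would send uninitialised enclave stack contents to the untrusted host. I would test `ret` directly after each call, before the `hextostring` lines, with `if (ret) { ocall_print_buffer("Sealing key derivation failed!\n", 32); EAPP_RETURN(-1); }`, and declare the buffer as `struct sealing_key key_buffer = {0};`. Because this variant prints the sealing key itself outside the enclave, the file header should say so, for example `* Debug variant: prints the derived key to the host; never do this with a key that protects real data.`; the header also still names the file `data-sealing.c`. In `hextostring`, `int i` is compared against the `size_t` value `hex_in_size`, and declaring it as `size_t i` removes the signed/unsigned comparison.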
From: Dayeol Lee
Date: Wed, 6 May 2020 19:14:49 +0000
Subject: [PATCH 3/3] Bump riscv-pk and sdk
---
 riscv-pk | 2 +-
 sdk | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/riscv-pk b/riscv-pk
index 5b3d7151d..759b646a9 160000
--- a/riscv-pk
+++ b/riscv-pk
@@ -1 +1 @@
-Subproject commit 5b3d7151daa509ba0c2b330323208823abce324a
+Subproject commit 759b646a9dd8288b700bf9adc8b4cc91f8eac20a
diff --git a/sdk b/sdk
index 7c3fcf0eb..f79917cd3 160000
--- a/sdk
+++ b/sdk
@@ -1 +1 @@
-Subproject commit 7c3fcf0eb499508cf582fd9b550d3a5f0d587dff
+Subproject commit f79917cd31b397296cdb5e641e55b83809cc4eff