Skip to content

Commit

Permalink
Add support for AESM command line option --supported_attestation_types
Browse files Browse the repository at this point in the history 
Signed-off-by: lingyuji <[email protected]>
  • Loading branch information
@lingyuj @llly
lingyuj authored and llly committed Apr 6, 2023
1 parent 33a1ec1 commit 1efe23c
Show file tree
Hide file tree
Showing 8 changed files with 136 additions and 37 deletions.
6 changes: 6 additions & 0 deletions psw/ae/aesm_service/source/bundles/ecdsa_quote_service_bundle/ecdsa_quote_service_bundle.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -427,6 +427,12 @@ class EcdsaQuoteServiceImp : public IQuoteProviderService
*att_key_id_num = 1;
return AESM_SUCCESS;
}

uint16_t get_attestation_type()
{
return ATTESTATION_TYPE_ECDSA;

}
};

class Activator : public BundleActivator
Expand Down
6 changes: 6 additions & 0 deletions psw/ae/aesm_service/source/bundles/epid_quote_service_bundle/epid_quote_service_bundle.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -577,6 +577,12 @@ class EpidQuoteServiceImp : public IEpidQuoteService, public IQuoteProviderServi
update_info, update_info_size,
config, status);
}

uint16_t get_attestation_type()
{
return ATTESTATION_TYPE_EPID;

}
};

class Activator : public BundleActivator
Expand Down
60 changes: 39 additions & 21 deletions psw/ae/aesm_service/source/bundles/quote_ex_service_bundle/quote_ex_service_bundle.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,9 +67,16 @@ class QuoteExServiceImp : public IQuoteProxyService
std::vector<quote_provider_t> available_providers;
ListenerToken listenerToken;
AESMLogicMutex quote_ex_mutex;
uint16_t supported_attestation_types;

public:
QuoteExServiceImp():initialized(false), default_quoting_type(AESM_QUOTING_DEFAULT_VALUE) {}
QuoteExServiceImp():initialized(false), default_quoting_type(AESM_QUOTING_DEFAULT_VALUE),
supported_attestation_types(0) {}

void set_supported_attestation_types(uint16_t att_types)
{
supported_attestation_types = att_types;
}

ae_error_t start()
{
Expand All @@ -95,27 +102,38 @@ class QuoteExServiceImp : public IQuoteProxyService
if (IQuoteProviderService::VERSION != bundle.GetVersion().GetMajor())
continue;

auto service = context.GetService(sr);
if (service
&& (AE_SUCCESS == service->start()))
{
uint32_t num = 0;
sgx_att_key_id_ext_t att_key_id_ext_list[BUNLE_ATT_KEY_NUM_MAX] ={0};

available_providers.push_back(service);
if (AESM_SUCCESS != service->get_att_key_id_num(&num))
continue;
if (num > BUNLE_ATT_KEY_NUM_MAX)
continue;
if (AESM_SUCCESS != service->get_att_key_id((uint8_t *)att_key_id_ext_list, sizeof(att_key_id_ext_list)))
continue;
for (int i = 0; i <num; i++)
{
available_key_id_t temp = {0};
memcpy_s(&temp.key_id, sizeof(temp.key_id), &att_key_id_ext_list[i], sizeof(att_key_id_ext_list[i]));
temp.service = service;
available_key_ids.push_back(temp);
AESM_DBG_INFO("quote type %d available", temp.key_id.base.algorithm_id);
auto service = context.GetService(sr);
if (service) {
ae_error_t service_started = service->start();
if (AE_SUCCESS == service_started) {
uint32_t num = 0;
sgx_att_key_id_ext_t att_key_id_ext_list[BUNLE_ATT_KEY_NUM_MAX] ={0};

available_providers.push_back(service);
if (AESM_SUCCESS != service->get_att_key_id_num(&num))
continue;
if (num > BUNLE_ATT_KEY_NUM_MAX)
continue;
if (AESM_SUCCESS != service->get_att_key_id((uint8_t *)att_key_id_ext_list, sizeof(att_key_id_ext_list)))
continue;
for (int i = 0; i <num; i++)
{
available_key_id_t temp = {0};
memcpy_s(&temp.key_id, sizeof(temp.key_id), &att_key_id_ext_list[i], sizeof(att_key_id_ext_list[i]));
temp.service = service;
available_key_ids.push_back(temp);
AESM_DBG_INFO("quote type %d available", temp.key_id.base.algorithm_id);
}
}
else {
// If the attestation type was required but the service failed to start, return error.
// Otherwise ignore the failure
uint16_t att_type_of_service = service->get_attestation_type();
if (supported_attestation_types & att_type_of_service) {
AESM_DBG_INFO("Failed to start attestation service : %d ", att_type_of_service);
return service_started;
}
}
}
}
Expand Down
29 changes: 26 additions & 3 deletions psw/ae/aesm_service/source/core/AESMLogicWrapper.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@
static cppmicroservices::BundleContext g_fw_ctx;
using namespace cppmicroservices;
static Framework g_fw = FrameworkFactory().NewFramework();

extern uint16_t supported_attestation_types;

#ifdef US_PLATFORM_POSIX
#define PATH_SEPARATOR "/"
Expand Down Expand Up @@ -688,6 +688,23 @@ ae_error_t AESMLogicWrapper::service_start()
// Start the framework itself.
g_fw.Start();
auto bundles = g_fw_ctx.GetBundles();
// check required attestation bundles
bool found_epid = false, found_ecdsa = false;
for (Bundle &bundle : bundles) {
if (bundle.GetSymbolicName() == "epid_quote_service_bundle_name")
found_epid = true;
else if (bundle.GetSymbolicName() == "ecdsa_quote_service_bundle_name")
found_ecdsa = true;
}
if (!found_epid && (supported_attestation_types & ATTESTATION_TYPE_EPID)) {
AESM_LOG_ERROR("EPID attestation is required but the bundle is not installed.");
return AE_FAILURE;
}
if (!found_ecdsa && (supported_attestation_types & ATTESTATION_TYPE_ECDSA)) {
AESM_LOG_ERROR("ECDSA attestation is required but the bundle is not installed.");
return AE_FAILURE;
}

for (auto &bundle : bundles)
{
bundle.Start();
Expand Down Expand Up @@ -722,8 +739,14 @@ ae_error_t AESMLogicWrapper::service_start()
}
{
std::shared_ptr<IQuoteProxyService> service;
if (get_service_wrapper(service, g_fw_ctx))
service->start();
if (get_service_wrapper(service, g_fw_ctx))
{
service->set_supported_attestation_types(supported_attestation_types);
ae_error_t ret = service->start();

if (ret != AE_SUCCESS)
return ret;
}
}
AESM_DBG_INFO("aesm service started");

Expand Down
68 changes: 55 additions & 13 deletions psw/ae/aesm_service/source/core/main.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,15 +34,22 @@
#include <CAESMServer.h>
#include <CSelector.h>
#include <AESMLogicWrapper.h>
#include "quote_ex_service.h"
#include <curl/curl.h>
#include <oal/error_report.h>

#include <SocketConfig.h>

#include <iostream>
#include <getopt.h>

static CAESMServer* server = NULL;
volatile bool reload = false;
// Each bit indicates a certain type of attestation is supported.
// If a attestation type is marked as supported but AESM fails to load the corresponding module,
// AESM will exit.
// Currently only two attestation types can be supported: Bit 0: EPID Bit 1: ECDSA
uint16_t supported_attestation_types = 0;

void signal_handler(int sig)
{
Expand All @@ -67,26 +74,61 @@ void signal_handler(int sig)
}
}

void print_usage() {
printf("Usage: aesm_service [--no-daemon] [--no-syslog] [--supported_attestation_types=[EPID][,ECDSA]]\n");
}

int main(int argc, char *argv[]) {
bool noDaemon = false, noSyslog = false;
int opt= 0;

if (argc > 3) {
AESM_LOG_INIT();
AESM_LOG_FATAL("Invalid command line.");
AESM_LOG_FINI();
exit(1);
}
//Specifying the expected options
static struct option long_options[] = {
{"no-daemon", no_argument, 0, 0 },
{"no-syslog", no_argument, 0, 1 },
{"supported_attestation_types", required_argument, 0, 2 },
{0, 0, 0, 0}
};

for (int i = 1; i < argc; ++i) {
std::string arg = argv[i];
if (arg == "--no-daemon") {
noDaemon = true;
}
else if (arg == "--no-syslog"){
noSyslog = true;
int long_index =0;
while ((opt = getopt_long(argc, argv, "012:", long_options, &long_index )) != -1) {
switch (opt) {
case 0:
noDaemon = true;
break;
case 1:
noSyslog = true;
break;
case 2:
if (optarg) {
char * token = strtok(optarg, ",");
while( token != NULL ) {
if (strcasecmp(token, "epid") == 0) {
supported_attestation_types |= ATTESTATION_TYPE_EPID;
}
else if (strcasecmp(token, "ecdsa") == 0) {
supported_attestation_types |= ATTESTATION_TYPE_ECDSA;
}
else {
print_usage();
exit(EXIT_FAILURE);
}
token = strtok(NULL, ",");
}
}
break;
default:
print_usage();
exit(EXIT_FAILURE);
}
}

if (optind < argc) {
fprintf(stderr, "%s: invalid option -- '%s'\n", argv[0], argv[optind]);
print_usage();
exit(EXIT_FAILURE);
}

AESM_LOG_INIT_EX(noSyslog);

if(!noDaemon) {
Expand Down
2 changes: 2 additions & 0 deletions psw/ae/aesm_service/source/interfaces/quote_ex_service.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,8 @@
#include <stddef.h>
#include "aesm_error.h"

#define ATTESTATION_TYPE_EPID 0x0001
#define ATTESTATION_TYPE_ECDSA 0x0002

struct IQuoteExService : virtual public IService
{
Expand Down
1 change: 1 addition & 0 deletions psw/ae/aesm_service/source/interfaces/quote_provider_service.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ struct IQuoteProviderService : public IQuoteExService, public IGetAttKeyID
// The value should be the same as the major version in manifest.json
enum {VERSION = 2};
virtual ~IQuoteProviderService() = default;
virtual uint16_t get_attestation_type() = 0;
};

#endif /* QUOTE_PROVIDER_SERVICE_EXPORT_H */
Expand Down
1 change: 1 addition & 0 deletions psw/ae/aesm_service/source/interfaces/quote_proxy_service.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ struct IQuoteProxyService : public IQuoteExService, public ISelectAttKeyID, publ
// The value should be the same as the major version in manifest.json
enum {VERSION = 2};
virtual ~IQuoteProxyService() = default;
virtual void set_supported_attestation_types(uint16_t att_types) = 0;
};

#endif /* QUOTE_PROXY_SERVICE_EXPORT_H */
Expand Down

0 comments on commit 1efe23c

Please sign in to comment.