diff --git a/psw/ae/aesm_service/source/bundles/ecdsa_quote_service_bundle/ecdsa_quote_service_bundle.cpp b/psw/ae/aesm_service/source/bundles/ecdsa_quote_service_bundle/ecdsa_quote_service_bundle.cpp
index 3c2649132..ba8b2ca6e 100644
--- a/psw/ae/aesm_service/source/bundles/ecdsa_quote_service_bundle/ecdsa_quote_service_bundle.cpp
+++ b/psw/ae/aesm_service/source/bundles/ecdsa_quote_service_bundle/ecdsa_quote_service_bundle.cpp
@@ -427,6 +427,12 @@ class EcdsaQuoteServiceImp : public IQuoteProviderService
 *att_key_id_num = 1;
 return AESM_SUCCESS;
 }
+
+ uint16_t get_attestation_type()
+ {
+ return ATTESTATION_TYPE_ECDSA;
+
+ }
 };
 class Activator : public BundleActivator
diff --git a/psw/ae/aesm_service/source/bundles/epid_quote_service_bundle/epid_quote_service_bundle.cpp b/psw/ae/aesm_service/source/bundles/epid_quote_service_bundle/epid_quote_service_bundle.cpp
index c7db8d38d..74f924d88 100644
--- a/psw/ae/aesm_service/source/bundles/epid_quote_service_bundle/epid_quote_service_bundle.cpp
+++ b/psw/ae/aesm_service/source/bundles/epid_quote_service_bundle/epid_quote_service_bundle.cpp
@@ -577,6 +577,12 @@ class EpidQuoteServiceImp : public IEpidQuoteService, public IQuoteProviderServi
 update_info, update_info_size, config, status);
 }
+
+ uint16_t get_attestation_type()
+ {
+ return ATTESTATION_TYPE_EPID;
+
+ }
 };
 class Activator : public BundleActivator
diff --git a/psw/ae/aesm_service/source/bundles/quote_ex_service_bundle/quote_ex_service_bundle.cpp b/psw/ae/aesm_service/source/bundles/quote_ex_service_bundle/quote_ex_service_bundle.cpp
index e5bc3dedd..efd96a1f1 100644
--- a/psw/ae/aesm_service/source/bundles/quote_ex_service_bundle/quote_ex_service_bundle.cpp
+++ b/psw/ae/aesm_service/source/bundles/quote_ex_service_bundle/quote_ex_service_bundle.cpp
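Review bot: The new `get_attestation_type()` in EcdsaQuoteServiceImp implements the pure virtual this commit adds to IQuoteProviderService, but it is declared without `override`, so nothing on the line says it is an interface method and the compiler does not check it against the base declaration. Writing it as `uint16_t get_attestation_type() override` documents the intent and turns any later signature drift into a direct diagnostic; the EpidQuoteServiceImp hunk that follows has the same declaration. Whether the rest of these classes use `override` is not visible, since both class bodies start outside the hunks.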
@@ -67,9 +67,16 @@ class QuoteExServiceImp : public IQuoteProxyService std::vector available_providers; ListenerToken listenerToken; AESMLogicMutex quote_ex_mutex; + uint16_t supported_attestation_types; public: - QuoteExServiceImp():initialized(false), default_quoting_type(AESM_QUOTING_DEFAULT_VALUE) {} + QuoteExServiceImp():initialized(false), default_quoting_type(AESM_QUOTING_DEFAULT_VALUE), + supported_attestation_types(0) {} + + void set_supported_attestation_types(uint16_t att_types) + { + supported_attestation_types = att_types; + } ae_error_t start() { @@ -95,27 +102,38 @@ class QuoteExServiceImp : public IQuoteProxyService if (IQuoteProviderService::VERSION != bundle.GetVersion().GetMajor()) continue; - auto service = context.GetService(sr); - if (service - && (AE_SUCCESS == service->start())) - { - uint32_t num = 0; - sgx_att_key_id_ext_t att_key_id_ext_list[BUNLE_ATT_KEY_NUM_MAX] ={0}; - available_providers.push_back(service); - if (AESM_SUCCESS != service->get_att_key_id_num(&num)) - continue; - if (num > BUNLE_ATT_KEY_NUM_MAX) - continue; - if (AESM_SUCCESS != service->get_att_key_id((uint8_t *)att_key_id_ext_list, sizeof(att_key_id_ext_list))) - continue; - for (int i = 0; i start(); + if (AE_SUCCESS == service_started) { + uint32_t num = 0; + sgx_att_key_id_ext_t att_key_id_ext_list[BUNLE_ATT_KEY_NUM_MAX] ={0}; + + available_providers.push_back(service); + if (AESM_SUCCESS != service->get_att_key_id_num(&num)) + continue; + if (num > BUNLE_ATT_KEY_NUM_MAX) + continue; + if (AESM_SUCCESS != service->get_att_key_id((uint8_t *)att_key_id_ext_list, sizeof(att_key_id_ext_list))) + continue; + for (int i = 0; i get_attestation_type(); + if (supported_attestation_types & att_type_of_service) { + AESM_DBG_INFO("Failed to start attestation service : %d ", att_type_of_service); + return service_started; + } } } } 
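Review bot: In `start()`, a required attestation type aborts startup only when the provider's own `start()` fails; the `continue` paths in the same loop (major-version mismatch, `get_att_key_id_num` failure, `num > BUNLE_ATT_KEY_NUM_MAX`, `get_att_key_id` failure) skip a provider silently even when its bit is set in `supported_attestation_types`. The service can therefore come up without a type the operator marked as required. Recording what actually registered, e.g. `started_types |= service->get_attestation_type();` once the key ids are accepted, and checking `if (supported_attestation_types & ~started_types) return AE_FAILURE;` after the loop would make the requirement fail-closed. The failure is also logged with `AESM_DBG_INFO`, while the bundle check in AESMLogicWrapper.cpp uses `AESM_LOG_ERROR`; an error-level message seems appropriate for a condition that stops the service. Part of this hunk's text is missing on the page, so this is based on the lines that are visible.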
diff --git a/psw/ae/aesm_service/source/core/AESMLogicWrapper.cpp b/psw/ae/aesm_service/source/core/AESMLogicWrapper.cpp
index 8fd74b6b5..973e7d462 100644
--- a/psw/ae/aesm_service/source/core/AESMLogicWrapper.cpp
+++ b/psw/ae/aesm_service/source/core/AESMLogicWrapper.cpp
@@ -61,7 +61,7 @@ static cppmicroservices::BundleContext g_fw_ctx;
 using namespace cppmicroservices;
 static Framework g_fw = FrameworkFactory().NewFramework();
-
+extern uint16_t supported_attestation_types;
 #ifdef US_PLATFORM_POSIX
 #define PATH_SEPARATOR "/"
@@ -688,6 +688,23 @@ ae_error_t AESMLogicWrapper::service_start()
 // Start the framework itself.
 g_fw.Start();
 auto bundles = g_fw_ctx.GetBundles();
+ // check required attestation bundles
+ bool found_epid = false, found_ecdsa = false;
+ for (Bundle &bundle : bundles) {
+ if (bundle.GetSymbolicName() == "epid_quote_service_bundle_name")
+ found_epid = true;
+ else if (bundle.GetSymbolicName() == "ecdsa_quote_service_bundle_name")
+ found_ecdsa = true;
+ }
+ if (!found_epid && (supported_attestation_types & ATTESTATION_TYPE_EPID)) {
+ AESM_LOG_ERROR("EPID attestation is required but the bundle is not installed.");
+ return AE_FAILURE;
+ }
+ if (!found_ecdsa && (supported_attestation_types & ATTESTATION_TYPE_ECDSA)) {
+ AESM_LOG_ERROR("ECDSA attestation is required but the bundle is not installed.");
+ return AE_FAILURE;
+ }
+
 for (auto &bundle : bundles)
 {
 bundle.Start();
@@ -722,8 +739,14 @@ ae_error_t AESMLogicWrapper::service_start()
 }
 {
 std::shared_ptr service;
- if (get_service_wrapper(service, g_fw_ctx))
- service->start();
+ if (get_service_wrapper(service, g_fw_ctx))
+ {
+ service->set_supported_attestation_types(supported_attestation_types);
+ ae_error_t ret = service->start();
+
+ if (ret != AE_SUCCESS)
+ return ret;
+ }
 }
 AESM_DBG_INFO("aesm service started");
diff --git a/psw/ae/aesm_service/source/core/main.cpp b/psw/ae/aesm_service/source/core/main.cpp
index 6e3f80bb6..6f5146b07 100644
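Review bot: `extern uint16_t supported_attestation_types;` is declared by hand in this .cpp while the definition lives in main.cpp, so the two can drift in type without any diagnostic. Declaring it once in a header both files include (quote_ex_service.h already carries the `ATTESTATION_TYPE_*` bits) would keep declaration and definition in step.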
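Review bot: Both early `return AE_FAILURE;` paths sit after `g_fw.Start()`, so a missing required bundle leaves the framework started when service_start() reports failure; the caller's cleanup is outside this hunk, so it may or may not stop it. The check also only establishes that a bundle with that symbolic name is installed, not that it yields a working quote provider, which is left to the proxy service's start(). A short comment saying so, e.g. `// presence check only; provider start-up is verified in QuoteExServiceImp::start()`, would spare the next reader from assuming more.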
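Review bot: When `get_service_wrapper(service, g_fw_ctx)` returns false the new block is skipped and startup proceeds to "aesm service started", even if `supported_attestation_types` is non-zero. Since the proxy service is where the required types are enforced, its absence should fail too: `else if (supported_attestation_types != 0) return AE_FAILURE;`. service_start() begins and ends outside the hunk.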
--- a/psw/ae/aesm_service/source/core/main.cpp
+++ b/psw/ae/aesm_service/source/core/main.cpp
@@ -34,15 +34,22 @@
 #include
 #include
 #include
+#include "quote_ex_service.h"
 #include
 #include
 #include
 #include
+#include
 static CAESMServer* server = NULL;
 volatile bool reload = false;
+// Each bit indicates a certain type of attestation is supported.
+// If a attestation type is marked as supported but AESM fails to load the corresponding module,
+// AESM will exit.
+// Currently only two attestation types can be supported: Bit 0: EPID Bit 1: ECDSA
+uint16_t supported_attestation_types = 0;
 void signal_handler(int sig)
 {
@@ -67,26 +74,61 @@ void signal_handler(int sig)
 }
 }
+void print_usage() {
+ printf("Usage: aesm_service [--no-daemon] [--no-syslog] [--supported_attestation_types=[EPID][,ECDSA]]\n");
+}
+
 int main(int argc, char *argv[])
 {
 bool noDaemon = false, noSyslog = false;
+ int opt= 0;
- if (argc > 3) {
- AESM_LOG_INIT();
- AESM_LOG_FATAL("Invalid command line.");
- AESM_LOG_FINI();
- exit(1);
- }
+ //Specifying the expected options
+ static struct option long_options[] = {
+ {"no-daemon", no_argument, 0, 0 },
+ {"no-syslog", no_argument, 0, 1 },
+ {"supported_attestation_types", required_argument, 0, 2 },
+ {0, 0, 0, 0}
+ };
- for (int i = 1; i < argc; ++i) {
- std::string arg = argv[i];
- if (arg == "--no-daemon") {
- noDaemon = true;
- }
- else if (arg == "--no-syslog"){
- noSyslog = true;
+ int long_index =0;
+ while ((opt = getopt_long(argc, argv, "012:", long_options, &long_index )) != -1) {
+ switch (opt) {
+ case 0:
+ noDaemon = true;
+ break;
+ case 1:
+ noSyslog = true;
+ break;
+ case 2:
+ if (optarg) {
+ char * token = strtok(optarg, ",");
+ while( token != NULL ) {
+ if (strcasecmp(token, "epid") == 0) {
+ supported_attestation_types |= ATTESTATION_TYPE_EPID;
+ }
+ else if (strcasecmp(token, "ecdsa") == 0) {
+ supported_attestation_types |= ATTESTATION_TYPE_ECDSA;
+ }
+ else {
+ print_usage();
+ exit(EXIT_FAILURE);
+ }
+ token = strtok(NULL, ",");
+ }
+ }
+ break;
+ default:
+ print_usage();
+ exit(EXIT_FAILURE);
 }
 }
+ if (optind < argc) {
+ fprintf(stderr, "%s: invalid option -- '%s'\n", argv[0], argv[optind]);
+ print_usage();
+ exit(EXIT_FAILURE);
+ }
+
 AESM_LOG_INIT_EX(noSyslog);
 if(!noDaemon) {
diff --git a/psw/ae/aesm_service/source/interfaces/quote_ex_service.h b/psw/ae/aesm_service/source/interfaces/quote_ex_service.h
index 06b36a15a..e31cf3907 100644
--- a/psw/ae/aesm_service/source/interfaces/quote_ex_service.h
+++ b/psw/ae/aesm_service/source/interfaces/quote_ex_service.h
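Review bot: `--supported_attestation_types=` with an empty value, or a value made only of commas, is accepted in `case 2`: `strtok` returns NULL at once, no bit is set, and the service starts with nothing marked as required, so a typo or an empty variable expansion in a service unit silently switches the requirement off. Rejecting that after the token loop, `if (supported_attestation_types == 0) { print_usage(); exit(EXIT_FAILURE); }`, keeps the option fail-closed. Separately, the optstring `"012:"` makes getopt_long accept `-0`, `-1` and `-2` as short options, which return the characters '0', '1' and '2' rather than the values 0, 1 and 2 and so fall into `default`; passing `""` states what is meant. Usage errors now go to stdout/stderr before `AESM_LOG_INIT_EX`, whereas the removed code logged them with `AESM_LOG_FATAL`, which is worth a line in the commit message for anyone watching the log for start-up failures.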
@@ -36,6 +36,8 @@
 #include
 #include "aesm_error.h"
+#define ATTESTATION_TYPE_EPID 0x0001
+#define ATTESTATION_TYPE_ECDSA 0x0002
 struct IQuoteExService : virtual public IService
 {
diff --git a/psw/ae/aesm_service/source/interfaces/quote_provider_service.h b/psw/ae/aesm_service/source/interfaces/quote_provider_service.h
index f6972f6e7..e806666b0 100644
--- a/psw/ae/aesm_service/source/interfaces/quote_provider_service.h
+++ b/psw/ae/aesm_service/source/interfaces/quote_provider_service.h
@@ -39,6 +39,7 @@ struct IQuoteProviderService : public IQuoteExService, public IGetAttKeyID
 // The value should be the same as the major version in manifest.json
 enum {VERSION = 2};
 virtual ~IQuoteProviderService() = default;
+ virtual uint16_t get_attestation_type() = 0;
 };
 #endif /* QUOTE_PROVIDER_SERVICE_EXPORT_H */
diff --git a/psw/ae/aesm_service/source/interfaces/quote_proxy_service.h b/psw/ae/aesm_service/source/interfaces/quote_proxy_service.h
index 43c268267..20fcaaa01 100644
--- a/psw/ae/aesm_service/source/interfaces/quote_proxy_service.h
+++ b/psw/ae/aesm_service/source/interfaces/quote_proxy_service.h
@@ -40,6 +40,7 @@ struct IQuoteProxyService : public IQuoteExService, public ISelectAttKeyID, publ
 // The value should be the same as the major version in manifest.json
 enum {VERSION = 2};
 virtual ~IQuoteProxyService() = default;
+ virtual void set_supported_attestation_types(uint16_t att_types) = 0;
 };
 #endif /* QUOTE_PROXY_SERVICE_EXPORT_H */
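Review bot: Adding the pure virtual `get_attestation_type()` changes the vtable of IQuoteProviderService, but `enum {VERSION = 2}` is left as it was, and the proxy's loop accepts any provider bundle whose manifest major version equals VERSION. A provider bundle built against the previous header would pass that check and then be called through a slot it does not have. If bundles can be built or shipped separately from the core service, the interface version and the manifests should be bumped together with this change; the same holds for `set_supported_attestation_types` on IQuoteProxyService in the next hunk.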