1 // SPDX-License-Identifier: GPL-2.0 2 /* Copyright(c) 2016-20 Intel Corporation. */ 3 4 #define _GNU_SOURCE 5 #include <assert.h> 6 #include <getopt.h> 7 #include <stdbool.h> 8 #include <stdint.h> 9 #include <stdio.h> 10 #include <stdlib.h> 11 #include <string.h> 12 #include <sys/stat.h> 13 #include <sys/types.h> 14 #include <unistd.h> 15 #include <openssl/err.h> 16 #include <openssl/pem.h> 17 #include "defines.h" 18 #include "main.h" 19 20 struct q1q2_ctx { 21 BN_CTX *bn_ctx; 22 BIGNUM *m; 23 BIGNUM *s; 24 BIGNUM *q1; 25 BIGNUM *qr; 26 BIGNUM *q2; 27 }; 28 29 static void free_q1q2_ctx(struct q1q2_ctx *ctx) 30 { 31 BN_CTX_free(ctx->bn_ctx); 32 BN_free(ctx->m); 33 BN_free(ctx->s); 34 BN_free(ctx->q1); 35 BN_free(ctx->qr); 36 BN_free(ctx->q2); 37 } 38 39 static bool alloc_q1q2_ctx(const uint8_t *s, const uint8_t *m, 40 struct q1q2_ctx *ctx) 41 { 42 ctx->bn_ctx = BN_CTX_new(); 43 ctx->s = BN_bin2bn(s, SGX_MODULUS_SIZE, NULL); 44 ctx->m = BN_bin2bn(m, SGX_MODULUS_SIZE, NULL); 45 ctx->q1 = BN_new(); 46 ctx->qr = BN_new(); 47 ctx->q2 = BN_new(); 48 49 if (!ctx->bn_ctx || !ctx->s || !ctx->m || !ctx->q1 || !ctx->qr || 50 !ctx->q2) { 51 free_q1q2_ctx(ctx); 52 return false; 53 } 54 55 return true; 56 } 57 58 static void reverse_bytes(void *data, int length) 59 { 60 int i = 0; 61 int j = length - 1; 62 uint8_t temp; 63 uint8_t *ptr = data; 64 65 while (i < j) { 66 temp = ptr[i]; 67 ptr[i] = ptr[j]; 68 ptr[j] = temp; 69 i++; 70 j--; 71 } 72 } 73 74 static bool calc_q1q2(const uint8_t *s, const uint8_t *m, uint8_t *q1, 75 uint8_t *q2) 76 { 77 struct q1q2_ctx ctx; 78 int len; 79 80 if (!alloc_q1q2_ctx(s, m, &ctx)) { 81 fprintf(stderr, "Not enough memory for Q1Q2 calculation\n"); 82 return false; 83 } 84 85 if (!BN_mul(ctx.q1, ctx.s, ctx.s, ctx.bn_ctx)) 86 goto out; 87 88 if (!BN_div(ctx.q1, ctx.qr, ctx.q1, ctx.m, ctx.bn_ctx)) 89 goto out; 90 91 if (BN_num_bytes(ctx.q1) > SGX_MODULUS_SIZE) { 92 fprintf(stderr, "Too large Q1 %d bytes\n", 93 BN_num_bytes(ctx.q1)); 94 goto out; 95 } 96 97 if (!BN_mul(ctx.q2, ctx.s, ctx.qr, ctx.bn_ctx)) 98 goto out; 99 100 if (!BN_div(ctx.q2, NULL, ctx.q2, ctx.m, ctx.bn_ctx)) 101 goto out; 102 103 if (BN_num_bytes(ctx.q2) > SGX_MODULUS_SIZE) { 104 fprintf(stderr, "Too large Q2 %d bytes\n", 105 BN_num_bytes(ctx.q2)); 106 goto out; 107 } 108 109 len = BN_bn2bin(ctx.q1, q1); 110 reverse_bytes(q1, len); 111 len = BN_bn2bin(ctx.q2, q2); 112 reverse_bytes(q2, len); 113 114 free_q1q2_ctx(&ctx); 115 return true; 116 out: 117 free_q1q2_ctx(&ctx); 118 return false; 119 } 120 121 struct sgx_sigstruct_payload { 122 struct sgx_sigstruct_header header; 123 struct sgx_sigstruct_body body; 124 }; 125 126 static bool check_crypto_errors(void) 127 { 128 int err; 129 bool had_errors = false; 130 const char *filename; 131 int line; 132 char str[256]; 133 134 for ( ; ; ) { 135 if (ERR_peek_error() == 0) 136 break; 137 138 had_errors = true; 139 err = ERR_get_error_line(&filename, &line); 140 ERR_error_string_n(err, str, sizeof(str)); 141 fprintf(stderr, "crypto: %s: %s:%d\n", str, filename, line); 142 } 143 144 return had_errors; 145 } 146 147 static inline const BIGNUM *get_modulus(RSA *key) 148 { 149 const BIGNUM *n; 150 151 RSA_get0_key(key, &n, NULL, NULL); 152 return n; 153 } 154 155 static RSA *gen_sign_key(void) 156 { 157 unsigned long sign_key_length; 158 BIO *bio; 159 RSA *key; 160 161 sign_key_length = (unsigned long)&sign_key_end - 162 (unsigned long)&sign_key; 163 164 bio = BIO_new_mem_buf(&sign_key, sign_key_length); 165 if (!bio) 166 return NULL; 167 168 key = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL); 169 BIO_free(bio); 170 171 return key; 172 } 173 174 enum mrtags { 175 MRECREATE = 0x0045544145524345, 176 MREADD = 0x0000000044444145, 177 MREEXTEND = 0x00444E4554584545, 178 }; 179 180 static bool mrenclave_update(EVP_MD_CTX *ctx, const void *data) 181 { 182 if (!EVP_DigestUpdate(ctx, data, 64)) { 183 fprintf(stderr, "digest update failed\n"); 184 return false; 185 } 186 187 return true; 188 } 189 190 static bool mrenclave_commit(EVP_MD_CTX *ctx, uint8_t *mrenclave) 191 { 192 unsigned int size; 193 194 if (!EVP_DigestFinal_ex(ctx, (unsigned char *)mrenclave, &size)) { 195 fprintf(stderr, "digest commit failed\n"); 196 return false; 197 } 198 199 if (size != 32) { 200 fprintf(stderr, "invalid digest size = %u\n", size); 201 return false; 202 } 203 204 return true; 205 } 206 207 struct mrecreate { 208 uint64_t tag; 209 uint32_t ssaframesize; 210 uint64_t size; 211 uint8_t reserved[44]; 212 } __attribute__((__packed__)); 213 214 215 static bool mrenclave_ecreate(EVP_MD_CTX *ctx, uint64_t blob_size) 216 { 217 struct mrecreate mrecreate; 218 uint64_t encl_size; 219 220 for (encl_size = 0x1000; encl_size < blob_size; ) 221 encl_size <<= 1; 222 223 memset(&mrecreate, 0, sizeof(mrecreate)); 224 mrecreate.tag = MRECREATE; 225 mrecreate.ssaframesize = 1; 226 mrecreate.size = encl_size; 227 228 if (!EVP_DigestInit_ex(ctx, EVP_sha256(), NULL)) 229 return false; 230 231 return mrenclave_update(ctx, &mrecreate); 232 } 233 234 struct mreadd { 235 uint64_t tag; 236 uint64_t offset; 237 uint64_t flags; /* SECINFO flags */ 238 uint8_t reserved[40]; 239 } __attribute__((__packed__)); 240 241 static bool mrenclave_eadd(EVP_MD_CTX *ctx, uint64_t offset, uint64_t flags) 242 { 243 struct mreadd mreadd; 244 245 memset(&mreadd, 0, sizeof(mreadd)); 246 mreadd.tag = MREADD; 247 mreadd.offset = offset; 248 mreadd.flags = flags; 249 250 return mrenclave_update(ctx, &mreadd); 251 } 252 253 struct mreextend { 254 uint64_t tag; 255 uint64_t offset; 256 uint8_t reserved[48]; 257 } __attribute__((__packed__)); 258 259 static bool mrenclave_eextend(EVP_MD_CTX *ctx, uint64_t offset, 260 const uint8_t *data) 261 { 262 struct mreextend mreextend; 263 int i; 264 265 for (i = 0; i < 0x1000; i += 0x100) { 266 memset(&mreextend, 0, sizeof(mreextend)); 267 mreextend.tag = MREEXTEND; 268 mreextend.offset = offset + i; 269 270 if (!mrenclave_update(ctx, &mreextend)) 271 return false; 272 273 if (!mrenclave_update(ctx, &data[i + 0x00])) 274 return false; 275 276 if (!mrenclave_update(ctx, &data[i + 0x40])) 277 return false; 278 279 if (!mrenclave_update(ctx, &data[i + 0x80])) 280 return false; 281 282 if (!mrenclave_update(ctx, &data[i + 0xC0])) 283 return false; 284 } 285 286 return true; 287 } 288 289 static bool mrenclave_segment(EVP_MD_CTX *ctx, struct encl *encl, 290 struct encl_segment *seg) 291 { 292 uint64_t end = seg->offset + seg->size; 293 uint64_t offset; 294 295 for (offset = seg->offset; offset < end; offset += PAGE_SIZE) { 296 if (!mrenclave_eadd(ctx, offset, seg->flags)) 297 return false; 298 299 if (!mrenclave_eextend(ctx, offset, encl->src + offset)) 300 return false; 301 } 302 303 return true; 304 } 305 306 bool encl_measure(struct encl *encl) 307 { 308 uint64_t header1[2] = {0x000000E100000006, 0x0000000000010000}; 309 uint64_t header2[2] = {0x0000006000000101, 0x0000000100000060}; 310 struct sgx_sigstruct *sigstruct = &encl->sigstruct; 311 struct sgx_sigstruct_payload payload; 312 uint8_t digest[SHA256_DIGEST_LENGTH]; 313 unsigned int siglen; 314 RSA *key = NULL; 315 EVP_MD_CTX *ctx; 316 int i; 317 318 memset(sigstruct, 0, sizeof(*sigstruct)); 319 320 sigstruct->header.header1[0] = header1[0]; 321 sigstruct->header.header1[1] = header1[1]; 322 sigstruct->header.header2[0] = header2[0]; 323 sigstruct->header.header2[1] = header2[1]; 324 sigstruct->exponent = 3; 325 sigstruct->body.attributes = SGX_ATTR_MODE64BIT; 326 sigstruct->body.xfrm = 3; 327 328 /* sanity check */ 329 if (check_crypto_errors()) 330 goto err; 331 332 key = gen_sign_key(); 333 if (!key) { 334 ERR_print_errors_fp(stdout); 335 goto err; 336 } 337 338 BN_bn2bin(get_modulus(key), sigstruct->modulus); 339 340 ctx = EVP_MD_CTX_create(); 341 if (!ctx) 342 goto err; 343 344 if (!mrenclave_ecreate(ctx, encl->src_size)) 345 goto err; 346 347 for (i = 0; i < encl->nr_segments; i++) { 348 struct encl_segment *seg = &encl->segment_tbl[i]; 349 350 if (!mrenclave_segment(ctx, encl, seg)) 351 goto err; 352 } 353 354 if (!mrenclave_commit(ctx, sigstruct->body.mrenclave)) 355 goto err; 356 357 memcpy(&payload.header, &sigstruct->header, sizeof(sigstruct->header)); 358 memcpy(&payload.body, &sigstruct->body, sizeof(sigstruct->body)); 359 360 SHA256((unsigned char *)&payload, sizeof(payload), digest); 361 362 if (!RSA_sign(NID_sha256, digest, SHA256_DIGEST_LENGTH, 363 sigstruct->signature, &siglen, key)) 364 goto err; 365 366 if (!calc_q1q2(sigstruct->signature, sigstruct->modulus, sigstruct->q1, 367 sigstruct->q2)) 368 goto err; 369 370 /* BE -> LE */ 371 reverse_bytes(sigstruct->signature, SGX_MODULUS_SIZE); 372 reverse_bytes(sigstruct->modulus, SGX_MODULUS_SIZE); 373 374 EVP_MD_CTX_destroy(ctx); 375 RSA_free(key); 376 return true; 377 378 err: 379 EVP_MD_CTX_destroy(ctx); 380 RSA_free(key); 381 return false; 382 } 383