1 // SPDX-License-Identifier: GPL-2.0
2 /*  Copyright(c) 2016-20 Intel Corporation. */
3 
4 #define _GNU_SOURCE
5 #include <assert.h>
6 #include <getopt.h>
7 #include <stdbool.h>
8 #include <stdint.h>
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <sys/stat.h>
13 #include <sys/types.h>
14 #include <unistd.h>
15 #include <openssl/err.h>
16 #include <openssl/pem.h>
17 #include "defines.h"
18 #include "main.h"
19 
20 /*
21  * FIXME: OpenSSL 3.0 has deprecated some functions. For now just ignore
22  * the warnings.
23  */
24 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
25 
26 struct q1q2_ctx {
27 	BN_CTX *bn_ctx;
28 	BIGNUM *m;
29 	BIGNUM *s;
30 	BIGNUM *q1;
31 	BIGNUM *qr;
32 	BIGNUM *q2;
33 };
34 
35 static void free_q1q2_ctx(struct q1q2_ctx *ctx)
36 {
37 	BN_CTX_free(ctx->bn_ctx);
38 	BN_free(ctx->m);
39 	BN_free(ctx->s);
40 	BN_free(ctx->q1);
41 	BN_free(ctx->qr);
42 	BN_free(ctx->q2);
43 }
44 
45 static bool alloc_q1q2_ctx(const uint8_t *s, const uint8_t *m,
46 			   struct q1q2_ctx *ctx)
47 {
48 	ctx->bn_ctx = BN_CTX_new();
49 	ctx->s = BN_bin2bn(s, SGX_MODULUS_SIZE, NULL);
50 	ctx->m = BN_bin2bn(m, SGX_MODULUS_SIZE, NULL);
51 	ctx->q1 = BN_new();
52 	ctx->qr = BN_new();
53 	ctx->q2 = BN_new();
54 
55 	if (!ctx->bn_ctx || !ctx->s || !ctx->m || !ctx->q1 || !ctx->qr ||
56 	    !ctx->q2) {
57 		free_q1q2_ctx(ctx);
58 		return false;
59 	}
60 
61 	return true;
62 }
63 
64 static void reverse_bytes(void *data, int length)
65 {
66 	int i = 0;
67 	int j = length - 1;
68 	uint8_t temp;
69 	uint8_t *ptr = data;
70 
71 	while (i < j) {
72 		temp = ptr[i];
73 		ptr[i] = ptr[j];
74 		ptr[j] = temp;
75 		i++;
76 		j--;
77 	}
78 }
79 
80 static bool calc_q1q2(const uint8_t *s, const uint8_t *m, uint8_t *q1,
81 		      uint8_t *q2)
82 {
83 	struct q1q2_ctx ctx;
84 	int len;
85 
86 	if (!alloc_q1q2_ctx(s, m, &ctx)) {
87 		fprintf(stderr, "Not enough memory for Q1Q2 calculation\n");
88 		return false;
89 	}
90 
91 	if (!BN_mul(ctx.q1, ctx.s, ctx.s, ctx.bn_ctx))
92 		goto out;
93 
94 	if (!BN_div(ctx.q1, ctx.qr, ctx.q1, ctx.m, ctx.bn_ctx))
95 		goto out;
96 
97 	if (BN_num_bytes(ctx.q1) > SGX_MODULUS_SIZE) {
98 		fprintf(stderr, "Too large Q1 %d bytes\n",
99 			BN_num_bytes(ctx.q1));
100 		goto out;
101 	}
102 
103 	if (!BN_mul(ctx.q2, ctx.s, ctx.qr, ctx.bn_ctx))
104 		goto out;
105 
106 	if (!BN_div(ctx.q2, NULL, ctx.q2, ctx.m, ctx.bn_ctx))
107 		goto out;
108 
109 	if (BN_num_bytes(ctx.q2) > SGX_MODULUS_SIZE) {
110 		fprintf(stderr, "Too large Q2 %d bytes\n",
111 			BN_num_bytes(ctx.q2));
112 		goto out;
113 	}
114 
115 	len = BN_bn2bin(ctx.q1, q1);
116 	reverse_bytes(q1, len);
117 	len = BN_bn2bin(ctx.q2, q2);
118 	reverse_bytes(q2, len);
119 
120 	free_q1q2_ctx(&ctx);
121 	return true;
122 out:
123 	free_q1q2_ctx(&ctx);
124 	return false;
125 }
126 
127 struct sgx_sigstruct_payload {
128 	struct sgx_sigstruct_header header;
129 	struct sgx_sigstruct_body body;
130 };
131 
132 static bool check_crypto_errors(void)
133 {
134 	int err;
135 	bool had_errors = false;
136 	const char *filename;
137 	int line;
138 	char str[256];
139 
140 	for ( ; ; ) {
141 		if (ERR_peek_error() == 0)
142 			break;
143 
144 		had_errors = true;
145 		err = ERR_get_error_line(&filename, &line);
146 		ERR_error_string_n(err, str, sizeof(str));
147 		fprintf(stderr, "crypto: %s: %s:%d\n", str, filename, line);
148 	}
149 
150 	return had_errors;
151 }
152 
153 static inline const BIGNUM *get_modulus(RSA *key)
154 {
155 	const BIGNUM *n;
156 
157 	RSA_get0_key(key, &n, NULL, NULL);
158 	return n;
159 }
160 
161 static RSA *gen_sign_key(void)
162 {
163 	unsigned long sign_key_length;
164 	BIO *bio;
165 	RSA *key;
166 
167 	sign_key_length = (unsigned long)&sign_key_end -
168 			  (unsigned long)&sign_key;
169 
170 	bio = BIO_new_mem_buf(&sign_key, sign_key_length);
171 	if (!bio)
172 		return NULL;
173 
174 	key = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL);
175 	BIO_free(bio);
176 
177 	return key;
178 }
179 
180 enum mrtags {
181 	MRECREATE = 0x0045544145524345,
182 	MREADD = 0x0000000044444145,
183 	MREEXTEND = 0x00444E4554584545,
184 };
185 
186 static bool mrenclave_update(EVP_MD_CTX *ctx, const void *data)
187 {
188 	if (!EVP_DigestUpdate(ctx, data, 64)) {
189 		fprintf(stderr, "digest update failed\n");
190 		return false;
191 	}
192 
193 	return true;
194 }
195 
196 static bool mrenclave_commit(EVP_MD_CTX *ctx, uint8_t *mrenclave)
197 {
198 	unsigned int size;
199 
200 	if (!EVP_DigestFinal_ex(ctx, (unsigned char *)mrenclave, &size)) {
201 		fprintf(stderr, "digest commit failed\n");
202 		return false;
203 	}
204 
205 	if (size != 32) {
206 		fprintf(stderr, "invalid digest size = %u\n", size);
207 		return false;
208 	}
209 
210 	return true;
211 }
212 
213 struct mrecreate {
214 	uint64_t tag;
215 	uint32_t ssaframesize;
216 	uint64_t size;
217 	uint8_t reserved[44];
218 } __attribute__((__packed__));
219 
220 
221 static bool mrenclave_ecreate(EVP_MD_CTX *ctx, uint64_t blob_size)
222 {
223 	struct mrecreate mrecreate;
224 	uint64_t encl_size;
225 
226 	for (encl_size = 0x1000; encl_size < blob_size; )
227 		encl_size <<= 1;
228 
229 	memset(&mrecreate, 0, sizeof(mrecreate));
230 	mrecreate.tag = MRECREATE;
231 	mrecreate.ssaframesize = 1;
232 	mrecreate.size = encl_size;
233 
234 	if (!EVP_DigestInit_ex(ctx, EVP_sha256(), NULL))
235 		return false;
236 
237 	return mrenclave_update(ctx, &mrecreate);
238 }
239 
240 struct mreadd {
241 	uint64_t tag;
242 	uint64_t offset;
243 	uint64_t flags; /* SECINFO flags */
244 	uint8_t reserved[40];
245 } __attribute__((__packed__));
246 
247 static bool mrenclave_eadd(EVP_MD_CTX *ctx, uint64_t offset, uint64_t flags)
248 {
249 	struct mreadd mreadd;
250 
251 	memset(&mreadd, 0, sizeof(mreadd));
252 	mreadd.tag = MREADD;
253 	mreadd.offset = offset;
254 	mreadd.flags = flags;
255 
256 	return mrenclave_update(ctx, &mreadd);
257 }
258 
259 struct mreextend {
260 	uint64_t tag;
261 	uint64_t offset;
262 	uint8_t reserved[48];
263 } __attribute__((__packed__));
264 
265 static bool mrenclave_eextend(EVP_MD_CTX *ctx, uint64_t offset,
266 			      const uint8_t *data)
267 {
268 	struct mreextend mreextend;
269 	int i;
270 
271 	for (i = 0; i < 0x1000; i += 0x100) {
272 		memset(&mreextend, 0, sizeof(mreextend));
273 		mreextend.tag = MREEXTEND;
274 		mreextend.offset = offset + i;
275 
276 		if (!mrenclave_update(ctx, &mreextend))
277 			return false;
278 
279 		if (!mrenclave_update(ctx, &data[i + 0x00]))
280 			return false;
281 
282 		if (!mrenclave_update(ctx, &data[i + 0x40]))
283 			return false;
284 
285 		if (!mrenclave_update(ctx, &data[i + 0x80]))
286 			return false;
287 
288 		if (!mrenclave_update(ctx, &data[i + 0xC0]))
289 			return false;
290 	}
291 
292 	return true;
293 }
294 
295 static bool mrenclave_segment(EVP_MD_CTX *ctx, struct encl *encl,
296 			      struct encl_segment *seg)
297 {
298 	uint64_t end = seg->size;
299 	uint64_t offset;
300 
301 	for (offset = 0; offset < end; offset += PAGE_SIZE) {
302 		if (!mrenclave_eadd(ctx, seg->offset + offset, seg->flags))
303 			return false;
304 
305 		if (seg->measure) {
306 			if (!mrenclave_eextend(ctx, seg->offset + offset, seg->src + offset))
307 				return false;
308 		}
309 	}
310 
311 	return true;
312 }
313 
314 bool encl_measure(struct encl *encl)
315 {
316 	uint64_t header1[2] = {0x000000E100000006, 0x0000000000010000};
317 	uint64_t header2[2] = {0x0000006000000101, 0x0000000100000060};
318 	struct sgx_sigstruct *sigstruct = &encl->sigstruct;
319 	struct sgx_sigstruct_payload payload;
320 	uint8_t digest[SHA256_DIGEST_LENGTH];
321 	EVP_MD_CTX *ctx = NULL;
322 	unsigned int siglen;
323 	RSA *key = NULL;
324 	int i;
325 
326 	memset(sigstruct, 0, sizeof(*sigstruct));
327 
328 	sigstruct->header.header1[0] = header1[0];
329 	sigstruct->header.header1[1] = header1[1];
330 	sigstruct->header.header2[0] = header2[0];
331 	sigstruct->header.header2[1] = header2[1];
332 	sigstruct->exponent = 3;
333 	sigstruct->body.attributes = SGX_ATTR_MODE64BIT;
334 	sigstruct->body.xfrm = 3;
335 
336 	/* sanity check */
337 	if (check_crypto_errors())
338 		goto err;
339 
340 	key = gen_sign_key();
341 	if (!key) {
342 		ERR_print_errors_fp(stdout);
343 		goto err;
344 	}
345 
346 	BN_bn2bin(get_modulus(key), sigstruct->modulus);
347 
348 	ctx = EVP_MD_CTX_create();
349 	if (!ctx)
350 		goto err;
351 
352 	if (!mrenclave_ecreate(ctx, encl->src_size))
353 		goto err;
354 
355 	for (i = 0; i < encl->nr_segments; i++) {
356 		struct encl_segment *seg = &encl->segment_tbl[i];
357 
358 		if (!mrenclave_segment(ctx, encl, seg))
359 			goto err;
360 	}
361 
362 	if (!mrenclave_commit(ctx, sigstruct->body.mrenclave))
363 		goto err;
364 
365 	memcpy(&payload.header, &sigstruct->header, sizeof(sigstruct->header));
366 	memcpy(&payload.body, &sigstruct->body, sizeof(sigstruct->body));
367 
368 	SHA256((unsigned char *)&payload, sizeof(payload), digest);
369 
370 	if (!RSA_sign(NID_sha256, digest, SHA256_DIGEST_LENGTH,
371 		      sigstruct->signature, &siglen, key))
372 		goto err;
373 
374 	if (!calc_q1q2(sigstruct->signature, sigstruct->modulus, sigstruct->q1,
375 		       sigstruct->q2))
376 		goto err;
377 
378 	/* BE -> LE */
379 	reverse_bytes(sigstruct->signature, SGX_MODULUS_SIZE);
380 	reverse_bytes(sigstruct->modulus, SGX_MODULUS_SIZE);
381 
382 	EVP_MD_CTX_destroy(ctx);
383 	RSA_free(key);
384 	return true;
385 
386 err:
387 	if (ctx)
388 		EVP_MD_CTX_destroy(ctx);
389 	RSA_free(key);
390 	return false;
391 }
392