gramine
[CI-Examples] Add SGX measurements verification code to ra-tls-secret-prov server
Signed-off-by: Veena Saini [email protected]
Description of the changes
Currently the CI-Examples/ra-tls-secret-prov/ server code just prints the SGX measurements received by the client. This PR incorporates SGX measurements verification code with ra-tls-secret-prov server code (just the way it is done for the ra-tls-mbedtls code).
How to test this PR?
Step 1: $ cd gramine/CI-Examples/ra-tls-secret-prov
Step 2: $ make app dcap files/input.txt RA_TYPE=dcap
Flow 1
Step 1.1: $ RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE=1 RA_TLS_ALLOW_OUTDATED_TCB_INSECURE=1 ./secret_prov_server_dcap 0 0 0 0 &
Step 1.2: $ gramine-sgx ./secret_prov_min_client // client should receive a secret (this test should pass for other clients too)
Step 1.3: Kill the server
Flow 2
Step 2.1: $ RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE=1 RA_TLS_ALLOW_OUTDATED_TCB_INSECURE=1 ./secret_prov_server_dcap &
Step 2.2: $ gramine-sgx ./secret_prov_client // client should receive a secret (this test should pass for other clients too)
Step 2.3: Kill the server
Flow 3
Step 3.1: $ RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE=1 RA_TLS_ALLOW_OUTDATED_TCB_INSECURE=1 ./secret_prov_server_dcap <MRENCLAVE of the min client enclave> <MRSIGNER of the min client enclave> <ISV_PROD_ID of the min client enclave> <ISV_SVN of the min client enclave> &
Step 3.2: $ gramine-sgx ./secret_prov_min_client // client should receive a secret (as the server is expecting min client's measurements)
Step 3.3: $ gramine-sgx ./secret_prov_client // client should not receive a secret and also at the server side one error message will be printed
Step 3.4: $ gramine-sgx ./secret_prov_pf_client // client should not receive a secret and also at the server side one error message will be printed
Flow 4
Similar to DCAP, the EPID flow can also be tested.
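The measurement check that the flows above exercise, as an added example that is not the PR's or Gramine's own code. The names `policy`, `policy_from_args` and `verify_measurements` are hypothetical, and reading an argument of `0` as "skip this check" is an assumption drawn from Flow 1.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Field order: MRENCLAVE, MRSIGNER, ISV_PROD_ID, ISV_SVN (sizes in bytes). */
static const size_t FIELD_LEN[4] = {32, 32, 2, 2};

/* check[f] is false when argument f was "0" (assumed meaning: skip it). */
struct policy { bool check[4]; uint8_t want[4][32]; };

/* Decode exactly 2*len hex digits into out; -1 on malformed input. */
static int parse_hex(const char* s, uint8_t* out, size_t len) {
    static const char digits[] = "0123456789abcdef";
    if (strlen(s) != 2 * len) return -1;
    memset(out, 0, len);
    for (size_t i = 0; i < 2 * len; i++) {
        const char* d = strchr(digits, tolower((unsigned char)s[i]));
        if (!d) return -1;
        out[i / 2] = (uint8_t)(out[i / 2] << 4 | (d - digits));
    }
    return 0;
}

/* Build the policy from the four server arguments; malformed input is an error. */
int policy_from_args(struct policy* p, const char* args[4]) {
    memset(p, 0, sizeof(*p));
    for (int f = 0; f < 4; f++) {
        if (strcmp(args[f], "0") == 0) continue;      /* check stays disabled */
        p->check[f] = true;
        if (f < 2 && parse_hex(args[f], p->want[f], FIELD_LEN[f])) return -1;
        if (f < 2) continue;
        char* end;                                    /* ISV_PROD_ID / ISV_SVN: decimal */
        unsigned long v = strtoul(args[f], &end, 10);
        if (end == args[f] || *end || v > UINT16_MAX) return -1;
        p->want[f][0] = (uint8_t)(v & 0xff);          /* stored little-endian */
        p->want[f][1] = (uint8_t)(v >> 8);
    }
    return 0;
}

/* 0 if the attested raw fields satisfy the policy, -1 otherwise. */
int verify_measurements(const struct policy* p, const uint8_t* got[4]) {
    for (int f = 0; f < 4; f++)
        if (!got[f] || (p->check[f] && memcmp(got[f], p->want[f], FIELD_LEN[f])))
            return -1;
    return 0;
}
```

Under this convention an ISV_PROD_ID or ISV_SVN of 0 cannot be pinned, because `0` is taken as the skip marker.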
Jenkins, test this please
Reviewed all commit messages. Reviewable status: all files reviewed, 1 unresolved discussion, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @veenasai2)
a discussion (no related file): In the future, please create PRs from branches in <your-nick>/<change-descr> format, even if it's from your private repo - this makes it a bit easier for us to pull and rebase it before merging without polluting our local branch namespaces.
@mkow, I will take care of this point. Thanks.
@aneessahib adding you, to keep you in the loop. Thanks.
This PR needs a complete rewrite after https://github.com/gramineproject/gramine/pull/884 got merged, so I'm closing it. @veenasai2: If you want to pursue this change further then please rewrite and resubmit it.