From c1a377d63e6d5c790981138f46a355ba7a03b34e Mon Sep 17 00:00:00 2001
From: Gordon King
Date: Wed, 18 Oct 2023 14:41:22 -0700
Subject: [PATCH] Gramine-SGX Integration
---
go-client/go_client.go | 97 +++++++++++++++++++
go-examples/README.md | 28 ++++++
go-examples/gramine-sgx/.gitignore | 7 ++
go-examples/gramine-sgx/Makefile | 61 ++++++++++++
go-examples/gramine-sgx/app.manifest.template | 31 ++++++
go-examples/gramine-sgx/lib-app/go.mod | 26 +++++
go-examples/gramine-sgx/lib-app/go.sum | 91 +++++++++++++++++
go-examples/gramine-sgx/lib-app/main.go | 33 +++++++
go-gramine/collect_evidence.go | 73 ++++++++++++++
go-gramine/gramine_adapter.go | 20 ++++
go-utility/go_utility.go | 25 +++++
11 files changed, 492 insertions(+)
create mode 100644 go-client/go_client.go
create mode 100644 go-examples/README.md
create mode 100644 go-examples/gramine-sgx/.gitignore
create mode 100644 go-examples/gramine-sgx/Makefile
create mode 100644 go-examples/gramine-sgx/app.manifest.template
create mode 100644 go-examples/gramine-sgx/lib-app/go.mod
create mode 100644 go-examples/gramine-sgx/lib-app/go.sum
create mode 100644 go-examples/gramine-sgx/lib-app/main.go
create mode 100644 go-gramine/collect_evidence.go
create mode 100644 go-gramine/gramine_adapter.go
create mode 100644 go-utility/go_utility.go
diff --git a/go-client/go_client.go b/go-client/go_client.go
new file mode 100644
index 0000000..5b04738
--- /dev/null
+++ b/go-client/go_client.go
@@ -0,0 +1,97 @@
+package client
+
+import (
+ "crypto/tls"
+ "encoding/json"
+ "flag"
+ "fmt"
+ "os"
+
+ "github.com/intel/trustauthority-client/go-connector"
+)
+
+type TeeClient interface {
+ Token() (string, error)
+}
+
+type attestClient struct {
+ config *connector.Config
+ adapter connector.EvidenceAdapter
+ connector connector.Connector
+}
+
+type Config struct {
+ TrustAuthorityUrl string `json:"trustauthority_url"`
+ TrustAuthorityApiUrl string `json:"trustauthority_api_url"`
+ TrustAuthorityApiKey string `json:"trustauthority_api_key"`
+}
+
+func New(cfg *connector.Config, adp connector.EvidenceAdapter) (TeeClient, error) {
+ return &attestClient{
+ config: cfg,
+ adapter: adp,
+ }, nil
+}
+
+func NewClient(adp connector.EvidenceAdapter) (teecli TeeClient, err error) {
+
+ var configFile string
+ flag.StringVar(&configFile, "config", "config.json", "Config file containing trustauthority details in JSON format")
+ flag.Parse()
+
+ configJson, err := os.ReadFile(configFile)
+ if err != nil {
+ return
+ }
+
+ var config Config
+ err = json.Unmarshal(configJson, &config)
+ if err != nil {
+ return
+ }
+
+ if config.TrustAuthorityUrl == "" || config.TrustAuthorityApiUrl == "" || config.TrustAuthorityApiKey == "" {
+ fmt.Println("Either Trust Authority URL, API URL or API Key is missing in config")
+ os.Exit(1)
+ }
+
+ cfg := &connector.Config{
+ TlsCfg: &tls.Config{
+ InsecureSkipVerify: true,
+ },
+ BaseUrl: config.TrustAuthorityUrl,
+ ApiUrl: config.TrustAuthorityApiUrl,
+ ApiKey: config.TrustAuthorityApiKey,
+ }
+ return New(cfg, adp)
+}
+
+func (atclient *attestClient) Token() (tokenstr string, err error) {
+
+ atclient.connector, err = connector.New(atclient.config)
+ if err != nil {
+ return
+ }
+
+ req := connector.GetNonceArgs{
+ RequestId: "nonce_req",
+ }
+ resp, err := atclient.connector.GetNonce(req)
+ if err != nil {
+ panic(err)
+ }
+
+ evidence, err := atclient.adapter.CollectEvidence(append(resp.Nonce.Val, resp.Nonce.Iat[:]...))
+ if err != nil {
+ panic(err)
+ }
+ tokenargs := connector.GetTokenArgs{resp.Nonce, evidence, nil, "req1"}
+ // dump.P(tokenargs)
+
+ resp2, err := atclient.connector.GetToken(tokenargs)
+ if err != nil {
+ panic(err)
+ }
+ tokenstr = resp2.Token
+ return
+}
diff --git a/go-examples/README.md b/go-examples/README.md
new file mode 100644
index 0000000..7b9ef63
--- /dev/null
+++ b/go-examples/README.md
@@ -0,0 +1,28 @@
+# Gramine-SGX Integration MVP
+
+## Deploy Gramine-SGX
+
+https://gramine.readthedocs.io/
+
+## Build
+
+```sh
+make SGX=1
+```
+
+## Config
+
+1) Visit https://trustauthority.intel.com/ to get a API key.
+2) Set the API key in lib-app/config.json file
+
+## Run
+
+```sh
+gramine-sgx app
+```
+
+## Clean
+
+```sh
+make clean
+```
diff --git a/go-examples/gramine-sgx/.gitignore b/go-examples/gramine-sgx/.gitignore
new file mode 100644
index 0000000..e952c8c
--- /dev/null
+++ b/go-examples/gramine-sgx/.gitignore
@@ -0,0 +1,7 @@
+**/app.manifest.sgx
+**/app.sig
+**/lib-app/app
+**/app.manifest
+**/config.json
+**/*.patch
+.history/
diff --git a/go-examples/gramine-sgx/Makefile b/go-examples/gramine-sgx/Makefile
new file mode 100644
index 0000000..0c247f6
--- /dev/null
+++ b/go-examples/gramine-sgx/Makefile
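Review bot: `InsecureSkipVerify: true` in the `tls.Config` that NewClient builds disables certificate verification for every connection the connector makes to the Trust Authority, so the API key is sent to, and the attestation token accepted from, whichever endpoint answers for `TrustAuthorityUrl`; because the URLs come from a JSON config file rather than a compiled-in constant, this is an exposure rather than a test convenience. Replace it with `TlsCfg: &tls.Config{MinVersion: tls.VersionTLS12},` and, if a private CA must be trusted, load it into `RootCAs` from the config instead of turning verification off. Token() panics on GetNonce, CollectEvidence and GetToken failures even though it has a named `err` result; returning a wrapped error there is what the result is for, and it lets the example's main decide how to fail. NewClient also calls `flag.StringVar`/`flag.Parse()` from library code, so a second call in the same process (GraToken in go_utility.go inherits this) or a caller that already defined `-config` panics on flag redefinition — hoisting flag handling into the example's main and taking the config path as a parameter avoids that.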
@@ -0,0 +1,61 @@
+
+ifeq ($(DEBUG),1)
+GRAMINE_LOG_LEVEL = debug
+else
+GRAMINE_LOG_LEVEL = error
+endif
+
+.PHONY: all
+all: lib-app/app app.manifest
+ifeq ($(SGX),1)
+all: app.manifest.sgx app.sig
+endif
+
+lib-app/app: lib-app/main.go
+ cd lib-app && go build .
+
+app.manifest: app.manifest.template
+ gramine-manifest \
+ -Dlog_level=$(GRAMINE_LOG_LEVEL) \
+ $< $@
+
+# gramine-sgx-sign generates both a .sig file and a .manifest.sgx file. This is somewhat
+# hard to express properly in Make. The simple solution would be to use
+# "Rules with Grouped Targets" (`&:`), however make on Ubuntu <= 20.04 doesn't support it.
+#
+# Simply using a normal rule with "two targets" is equivalent to creating separate rules
+# for each of the targets, and when using `make -j`, this might cause two instances
+# of gramine-sgx-sign to get launched simultaneously, potentially breaking the build.
+#
+# As a workaround, we use a dummy intermediate target, and mark both files as depending on it, to
+# get the dependency graph we want. We mark this dummy target as .INTERMEDIATE, which means
+# that make will consider the source tree up-to-date even if the sgx_sign file doesn't exist,
+# as long as the other dependencies check out. This is in contrast to .PHONY, which would
+# be rebuilt on every invocation of make.
+app.sig app.manifest.sgx: sgx_sign
+ @:
+
+.INTERMEDIATE: sgx_sign
+sgx_sign: app.manifest lib-app/app
+ gramine-sgx-sign \
+ --manifest $< \
+ --output $<.sgx
+
+ifeq ($(SGX),)
+GRAMINE = gramine-direct
+else
+GRAMINE = gramine-sgx
+endif
+
+.PHONY: check
+check: all
+ $(GRAMINE) app > OUTPUT
+ @echo "[ Success ]"
+
+.PHONY: clean
+clean:
+ $(RM) *.token *.sig *.manifest.sgx *.manifest lib-app/app OUTPUT
+ cd lib-app && go clean
+
+.PHONY: distclean
+distclean: clean
diff --git a/go-examples/gramine-sgx/app.manifest.template b/go-examples/gramine-sgx/app.manifest.template
new file mode 100644
index 0000000..d80797b
--- /dev/null
+++ b/go-examples/gramine-sgx/app.manifest.template
@@ -0,0 +1,31 @@
+# ITA client library integration manifest file example
+
+loader.entrypoint = "file:{{ gramine.libos }}"
+loader.argv = ["--config", "config.json"]
+libos.entrypoint = "/app"
+loader.log_level = "{{ log_level }}"
+
+loader.env.LD_LIBRARY_PATH = "/lib"
+
+fs.mounts = [
+ { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
+ { path = "/app", uri = "file:lib-app/app" },
+ { path = "/config.json", uri = "file:lib-app/config.json" },
+]
+
+sgx.remote_attestation = "dcap"
+sgx.ra_client_spid = ""
+
+sgx.enclave_size = "4G"
+sgx.max_threads = 128
+sgx.debug = false
+sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
+
+sys.enable_extra_runtime_domain_names_conf = true
+
+sgx.trusted_files = [
+ "file:{{ gramine.libos }}",
+ "file:lib-app/app",
+ "file:lib-app/config.json",
+ "file:{{ gramine.runtimedir() }}/",
+]
diff --git a/go-examples/gramine-sgx/lib-app/go.mod b/go-examples/gramine-sgx/lib-app/go.mod
new file mode 100644
index 0000000..a13dcba
--- /dev/null
+++ b/go-examples/gramine-sgx/lib-app/go.mod
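Review bot: `lib-app/config.json` holds the Trust Authority API key and is listed under `sgx.trusted_files`, which gives the enclave integrity over that file but no confidentiality — the key sits in plaintext on the untrusted host, and every key rotation changes the trusted-file hash and therefore requires re-running gramine-sgx-sign. That trade-off is worth stating next to the entry, e.g. `# config.json (API key) is integrity-protected only; rotating the key means re-signing the manifest`. The relative path in `loader.argv = ["--config", "config.json"]` only reaches the `/config.json` mount if the LibOS working directory is `/`; `loader.argv = ["--config", "/config.json"]` removes that dependency.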
@@ -0,0 +1,26 @@
+module github.com/bigdata-memory/app
+
+go 1.21.1
+
+require github.com/intel/trustauthority-client v1.0.1
+
+require (
+ github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
+ github.com/goccy/go-json v0.10.2 // indirect
+ github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+ github.com/google/uuid v1.3.0 // indirect
+ github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+ github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
+ github.com/lestrrat-go/blackmagic v1.0.1 // indirect
+ github.com/lestrrat-go/httpcc v1.0.1 // indirect
+ github.com/lestrrat-go/httprc v1.0.4 // indirect
+ github.com/lestrrat-go/iter v1.0.2 // indirect
+ github.com/lestrrat-go/jwx/v2 v2.0.11 // indirect
+ github.com/lestrrat-go/option v1.0.1 // indirect
+ github.com/pkg/errors v0.9.1 // indirect
+ github.com/segmentio/asm v1.2.0 // indirect
+ golang.org/x/crypto v0.10.0 // indirect
+ golang.org/x/sys v0.10.0 // indirect
+)
+
+replace github.com/intel/trustauthority-client => ../../../
diff --git a/go-examples/gramine-sgx/lib-app/go.sum b/go-examples/gramine-sgx/lib-app/go.sum
new file mode 100644
index 0000000..2d1c3d8
--- /dev/null
+++ b/go-examples/gramine-sgx/lib-app/go.sum
@@ -0,0 +1,91 @@ +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= +github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU= +github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= +github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= +github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-hclog v0.9.2 h1:CG6TE5H9/JXsFWJCfoIVpKFIkFe6ysEuHirp4DxCsHI= +github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-retryablehttp v0.7.4 h1:ZQgVdpTdAL7WpMIwLzCfbalOcSUdkDZnpUv3/+BxzFA= +github.com/hashicorp/go-retryablehttp v0.7.4/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8= +github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80= +github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU= +github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE= +github.com/lestrrat-go/httpcc v1.0.1/go.mod 
h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E= +github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJGdI8= +github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo= +github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI= +github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4= +github.com/lestrrat-go/jwx/v2 v2.0.11 h1:ViHMnaMeaO0qV16RZWBHM7GTrAnX2aFLVKofc7FuKLQ= +github.com/lestrrat-go/jwx/v2 v2.0.11/go.mod h1:ZtPtMFlrfDrH2Y0iwfa3dRFn8VzwBrB+cyrm3IBWdDg= +github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= +github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU= +github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys= +github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= +golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM= +golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/xerrors 
v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/go-examples/gramine-sgx/lib-app/main.go b/go-examples/gramine-sgx/lib-app/main.go
new file mode 100644
index 0000000..297ff9a
--- /dev/null
+++ b/go-examples/gramine-sgx/lib-app/main.go
@@ -0,0 +1,33 @@
+package main
+
+import (
+ "crypto/rand"
+ "fmt"
+
+ "github.com/intel/trustauthority-client/go-utility"
+)
+
+func main() {
+
+ // Generate a random user runtime data
+ blk, err := GenRandomBytes(10)
+ if err != nil {
+ panic(err)
+ }
+
+ // Retrieve a token of Intel Trust Authority for this Gramine SGX enclave
+ tk, err := utility.GraToken(blk)
+ if err != nil {
+ panic(err)
+ }
+
+ // Display the token
+ fmt.Printf("\nTOKEN: %s\n", tk)
+
+}
+
+func GenRandomBytes(size int) (blk []byte, err error) {
+ blk = make([]byte, size)
+ _, err = rand.Read(blk)
+ return
+}
diff --git a/go-gramine/collect_evidence.go b/go-gramine/collect_evidence.go
new file mode 100644
index 0000000..9fd8f4c
--- /dev/null
+++ b/go-gramine/collect_evidence.go
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2023 Intel Corporation
+ * All rights reserved.
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+package gramine
+
+import (
+ "crypto/sha256"
+ "os"
+
+ "github.com/intel/trustauthority-client/go-connector"
+ "github.com/pkg/errors"
+)
+
+const (
+ QuoteFile = "/dev/attestation/quote"
+ UserReportDataFile = "/dev/attestation/user_report_data"
+ QuoteSizeMax = 8192
+)
+
+func (adapter *gramineAdapter) CollectEvidence(nonce []byte) (*connector.Evidence, error) {
+
+ hash := sha256.New()
+ _, err := hash.Write(nonce)
+ if err != nil {
+ return nil, err
+ }
+ _, err = hash.Write(adapter.uData)
+ if err != nil {
+ return nil, err
+ }
+ reportData := hash.Sum(nil)
+
+ userReportDataFile, err := os.OpenFile(UserReportDataFile, os.O_WRONLY, 0)
+ if err != nil {
+ return nil, errors.Wrapf(err, "Error while opening file %s", UserReportDataFile)
+ }
+ defer func() {
+ err = userReportDataFile.Close()
+ if err != nil {
+ errors.Errorf("Error closing file %s", UserReportDataFile)
+ }
+ }()
+
+ _, err = userReportDataFile.Write(reportData)
+ if err != nil {
+ return nil, errors.Wrapf(err, "Error while writing reportdata to file %s", UserReportDataFile)
+ }
+
+ quoteFile, err := os.Open(QuoteFile)
+ if err != nil {
+ return nil, errors.Wrapf(err, "Error while opening file %s", QuoteFile)
+ }
+ defer func() {
+ err = quoteFile.Close()
+ if err != nil {
+ errors.Errorf("Error closing file %s", QuoteFile)
+ }
+ }()
+
+ quote := make([]byte, QuoteSizeMax)
+ quoteSize, err := quoteFile.Read(quote)
+ if err != nil {
+ return nil, errors.Wrapf(err, "Error while reading quote from file %s", QuoteFile)
+ }
+
+ return &connector.Evidence{
+ Type: 0,
+ Evidence: quote[:quoteSize],
+ UserData: adapter.uData,
+ }, nil
+}
diff --git a/go-gramine/gramine_adapter.go b/go-gramine/gramine_adapter.go
new file mode 100644
index 0000000..6a3c912
--- /dev/null
+++ b/go-gramine/gramine_adapter.go
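Review bot: The quote is read with a single `quoteFile.Read(quote)` into a QuoteSizeMax (8192-byte) buffer, so a quote larger than that is silently truncated and a short read hands the verifier a partial quote with no local error; `quote, err := io.ReadAll(quoteFile)` (adding `"io"` to the import block) reads to EOF and drops the fixed cap. Both deferred closers assign to the local `err`, which no longer affects the already-evaluated return values, and then build `errors.Errorf(...)` values that are discarded — `errors.Errorf` has no side effect, so a close failure is never surfaced; either log it or drop the dead call. `Type: 0` is a magic value for the evidence type: if go-connector exports a named constant for SGX evidence it should be used, otherwise a comment on that line should say what 0 denotes. The report data is `sha256(nonce || uData)`, which is presumably the binding the Trust Authority recomputes against the quote's REPORTDATA; a comment above `hash := sha256.New()` such as `// REPORTDATA = SHA256(nonce || userData); the verifier is expected to recompute this binding` would save the next reader a trip to the verifier's docs.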
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2023 Intel Corporation
+ * All rights reserved.
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+package gramine
+
+import (
+ "github.com/intel/trustauthority-client/go-connector"
+)
+
+type gramineAdapter struct {
+ uData []byte
+}
+
+func NewEvidenceAdapter(udata []byte) (connector.EvidenceAdapter, error) {
+ return &gramineAdapter{
+ uData: udata,
+ }, nil
+}
diff --git a/go-utility/go_utility.go b/go-utility/go_utility.go
new file mode 100644
index 0000000..db282b9
--- /dev/null
+++ b/go-utility/go_utility.go
@@ -0,0 +1,25 @@
+package utility
+
+import (
+ "github.com/intel/trustauthority-client/go-client"
+ "github.com/intel/trustauthority-client/go-gramine"
+)
+
+func GraToken(udata []byte) (token string, err error) {
+
+ adp, err := gramine.NewEvidenceAdapter(udata)
+ if err != nil {
+ return
+ }
+
+ cli, err := client.NewClient(adp)
+ if err != nil {
+ return
+ }
+
+ token, err = cli.Token()
+ if err != nil {
+ return
+ }
+ return
+}
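Review bot: NewEvidenceAdapter keeps the caller's `udata` slice by reference, and CollectEvidence later both hashes it into the report data and returns it as UserData, so a caller that reuses or mutates the buffer after constructing the adapter changes what gets attested; `uData: append([]byte(nil), udata...),` detaches the copy without needing a newer stdlib. The exported constructor has no doc comment and its error result is always nil — worth stating, e.g. `// NewEvidenceAdapter returns a connector.EvidenceAdapter that collects a Gramine SGX quote bound to udata. The error result is always nil and exists for interface symmetry.`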
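Review bot: GraToken is the package's only exported function and has no doc comment; `// GraToken collects Gramine SGX evidence bound to udata and exchanges it for an Intel Trust Authority token via the configured connector.` is the minimum a user of go-utility needs. The trailing `if err != nil { return }` followed by `return` is two identical paths — `token, err = cli.Token()` then `return` expresses the same thing, or better `return cli.Token()` and drop the named results.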