Enable remote attestation by librats in SGX mode (#1445)

Add library librats, update SGX build scripts, add sample and update document.
2022-09-06 14:29:58 +08:00
parent a9cb9206d6
commit 729c4aeeaa
15 changed files with 404 additions and 18 deletions
--- a/samples/sgx-ra/CMakeLists.txt
+++ b/samples/sgx-ra/CMakeLists.txt
@ -0,0 +1,81 @@
+# Copyright (c) 2022 Intel Corporation
+# Copyright (c) 2020-2021 Alibaba Cloud
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+cmake_minimum_required(VERSION 3.1.4)
+project(sgx-ra)
+
+################ runtime settings  ##############
+set (WAMR_BUILD_PLATFORM "linux-sgx")
+
+# Reset default linker flags
+set (CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")
+set (CMAKE_SHARED_LIBRARY_LINK_CXX_FLAGS "")
+
+# Set WAMR_BUILD_TARGET
+if (NOT DEFINED WAMR_BUILD_TARGET)
+  if (CMAKE_SIZEOF_VOID_P EQUAL 8)
+    # Build as X86_64 by default in 64-bit platform
+    set (WAMR_BUILD_TARGET "X86_64")
+  elseif (CMAKE_SIZEOF_VOID_P EQUAL 4)
+    # Build as X86_32 by default in 32-bit platform
+    set (WAMR_BUILD_TARGET "X86_32")
+  else ()
+    message(SEND_ERROR "Unsupported build target platform!")
+  endif ()
+endif ()
+
+if (NOT CMAKE_BUILD_TYPE)
+  set (CMAKE_BUILD_TYPE Release)
+endif ()
+
+set (WAMR_BUILD_INTERP 1)
+set (WAMR_BUILD_AOT 1)
+set (WAMR_BUILD_JIT 0)
+set (WAMR_BUILD_LIBC_BUILTIN 1)
+set (WAMR_BUILD_LIBC_WASI 1)
+set (WAMR_BUILD_LIB_PTHREAD 1)
+set (WAMR_BUILD_FAST_INTERP 1)
+set (WAMR_BUILD_LIB_RATS 1)
+
+# compiling and linking flags
+if (COLLECT_CODE_COVERAGE EQUAL 1)
+  set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fprofile-arcs -ftest-coverage")
+endif ()
+
+set (CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--gc-sections")
+set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu11 -ffunction-sections -fdata-sections \
+                                     -Wall -Wno-unused-parameter -Wno-pedantic \
+                                     -nostdinc -fvisibility=hidden -fpie" )
+
+# build out vmlib
+set (WAMR_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/../..)
+set (SGX_PLATFORM_DIR ${WAMR_ROOT_DIR}/product-mini/platforms/linux-sgx)
+include (${WAMR_ROOT_DIR}/build-scripts/runtime_lib.cmake)
+
+add_library(vmlib ${WAMR_RUNTIME_LIB_SOURCE})
+
+add_custom_command (
+             OUTPUT libvmlib_untrusted.a
+             COMMAND mkdir -p untrusted && cd untrusted &&
+                     ${CMAKE_C_COMPILER} -c ${PLATFORM_SHARED_SOURCE_UNTRUSTED}
+             COMMAND ${CMAKE_AR} rc libvmlib_untrusted.a untrusted/*.o)
+
+add_custom_target (vmlib_untrusted ALL DEPENDS libvmlib_untrusted.a)
+
+execute_process (
+    COMMAND bash -c "sed -i -E 's/^#define LIB_RATS 0/#define LIB_RATS 1/g' ${SGX_PLATFORM_DIR}/enclave-sample/Enclave/Enclave.edl"
+    OUTPUT_VARIABLE cmdOutput
+)
+
+################ wamr runtime ###################
+add_custom_target (
+              iwasm ALL
+              DEPENDS vmlib_untrusted vmlib_untrusted
+              COMMAND make -C  ${SGX_PLATFORM_DIR}/enclave-sample SGX_MODE=HW SGX_DEBUG=1 VMLIB_BUILD_DIR=${CMAKE_BINARY_DIR}
+              COMMAND ${CMAKE_COMMAND} -E copy ${SGX_PLATFORM_DIR}/enclave-sample/enclave.signed.so ${CMAKE_BINARY_DIR}
+              COMMAND ${CMAKE_COMMAND} -E copy ${SGX_PLATFORM_DIR}/enclave-sample/iwasm ${CMAKE_BINARY_DIR}
+              COMMAND make -C ${SGX_PLATFORM_DIR}/enclave-sample clean)
+
+################ wasm application ###############
+add_subdirectory(wasm-app)
--- a/samples/sgx-ra/README.md
+++ b/samples/sgx-ra/README.md
@ -0,0 +1,42 @@
+"sgx-ra" sample introduction
+==============
+
+This sample demonstrates how to execute Remote Attestation on SGX with [librats](https://github.com/inclavare-containers/librats) and run it with iwasm. It can only build on [SGX supported processors](https://www.intel.com/content/www/us/en/support/articles/000028173/processors.html), please check it.
+
+## Preparation
+
+Before staring, we need to download and intall [SGX SDK](https://download.01.org/intel-sgx/latest/linux-latest/distro) and [SGX DCAP Library](https://download.01.org/intel-sgx/latest/dcap-latest) referring to this [guide](https://download.01.org/intel-sgx/sgx-dcap/1.8/linux/docs/Intel_SGX_DCAP_Linux_SW_Installation_Guide.pdf).
+
+The following command is the example of the SGX environment installation on ubuntu18.04.
+``` shell
+$ cd $HOME
+$ # Set your platform, you can get the platforms list on 
+$ # https://download.01.org/intel-sgx/latest/linux-latest/distro
+$ SGX_PALTFORM=ubuntu18.04-server
+$ SGX_SDK_VERSION=2.17.100.3
+$ SGX_DRIVER_VERSION=1.41
+$ # install SGX Driver
+$ wget https://download.01.org/intel-sgx/latest/linux-latest/distro/$SGX_PALTFORM/sgx_linux_x64_driver_$SGX_DRIVER_VERSION.bin
+$ chmod +x sgx_linux_x64_driver_$SGX_DRIVER_VERSION.bin
+$ sudo ./sgx_linux_x64_driver_$SGX_DRIVER_VERSION.bin
+$ # install SGX SDK
+$ wget https://download.01.org/intel-sgx/latest/linux-latest/distro/$SGX_PALTFORM/sgx_linux_x64_sdk_$SGX_SDK_VERSION.bin
+$ chmod +x sgx_linux_x64_sdk_$SGX_SDK_VERSION.bin
+$ sudo ./sgx_linux_x64_sdk_$SGX_SDK_VERSION.bin
+$ # install SGX DCAP Library
+$ echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list > /dev/null
+$ wget -O - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
+$ sudo apt update
+$ sudo apt install libsgx-uae-service libsgx-dcap-default-qpl-dev libsgx-dcap-ql-dev libsgx-dcap-quote-verify-dev
+```
+
+## Build
+``` shell
+$ mkdir build && cd build
+$ cmake ..
+$ make
+$ # run the sample
+$ ./iwasm wasm-app/test.wasm
+```
+
+The sample will print the evidence in json and "Evidence is trusted." by default.
--- a/samples/sgx-ra/wasm-app/CMakeLists.txt
+++ b/samples/sgx-ra/wasm-app/CMakeLists.txt
@ -0,0 +1,38 @@
+# Copyright (c) 2022 Intel Corporation
+# Copyright (c) 2020-2021 Alibaba Cloud
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+cmake_minimum_required(VERSION 3.0)
+project(wasm-app)
+
+set (WAMR_ROOT_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../../..)
+set (LIB_RATS_DIR ${WAMR_ROOT_DIR}/core/iwasm/libraries/lib-rats)
+
+set (CMAKE_C_LINK_FLAGS "")
+set (CMAKE_CXX_LINK_FLAGS "")
+if (APPLE)
+    set (HAVE_FLAG_SEARCH_PATHS_FIRST 0)
+endif ()
+
+set (CMAKE_SYSTEM_PROCESSOR wasm32)
+set (CMAKE_SYSROOT                  ${WAMR_ROOT_DIR}/wamr-sdk/app/libc-builtin-sysroot)
+
+if (NOT DEFINED WASI_SDK_DIR)
+    set (WASI_SDK_DIR               "/opt/wasi-sdk")
+endif ()
+
+set (CMAKE_C_FLAGS                  "-nostdlib")
+set (CMAKE_C_COMPILER_TARGET        "wasm32")
+set (CMAKE_C_COMPILER               "${WASI_SDK_DIR}/bin/clang")
+
+set (CMAKE_EXE_LINKER_FLAGS
+    "-Wl,--max-memory=131072 -z stack-size=8192   \
+     -Wl,--no-entry,--strip-all                   \
+     -Wl,--export=__main_argc_argv                \
+     -Wl,--export=__heap_base,--export=__data_end \
+     -Wl,--allow-undefined"
+)
+
+add_executable(test.wasm main.c)
+set_target_properties(test.wasm PROPERTIES INCLUDE_DIRECTORIES ${LIB_RATS_DIR})
+target_link_libraries(test.wasm)
--- a/samples/sgx-ra/wasm-app/main.c
+++ b/samples/sgx-ra/wasm-app/main.c
@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2022 Intel Corporation
+ * Copyright (c) 2020-2021 Alibaba Cloud
+ *
+ * SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "lib_rats_wrapper.h"
+
+int
+main(int argc, char **argv)
+{
+    char *evidence_json = NULL;
+    const char *hash = "12345678123456781234567812345678";
+    evidence_json = librats_collect((const uint8_t *)hash);
+    if (evidence_json == NULL) {
+        printf("Librats collect evidence failed.\n");
+        return -1;
+    }
+    printf("evidence json:\n%s\n", evidence_json);
+
+    if (librats_verify(evidence_json, (const uint8_t *)hash) != 0) {
+        printf("Evidence is not trusted.\n");
+    }
+    else {
+        printf("Evidence is trusted.\n");
+    }
+
+    if (evidence_json) {
+        free(evidence_json);
+    }
+
+    return 0;
+}