Merge pull request #1648 from scrtlabs/dcap-07

Dcap 07

Author: valdok

check-hw/Cargo.lock

@@ -23,3 +23,4 @@ enclave-ffi-types = { path = "../cosmwasm/enclaves/ffi-types", features = [
 clap = "2.33"
 parking_lot = "0.11"
 lazy_static = "1.4"
+log = "0.4.17"

check-hw/Cargo.toml

@@ -11,4 +11,7 @@ fn main() {
     println!("cargo:rustc-link-lib=static=sgx_ukey_exchange");
     println!("cargo:rustc-link-lib=dylib=sgx_urts");
     println!("cargo:rustc-link-lib=dylib=sgx_uae_service");
+
+    println!("cargo:rustc-link-lib=dylib=sgx_dcap_ql");
+    println!("cargo:rustc-link-lib=dylib=sgx_dcap_quoteverify");
 }

check-hw/build.rs

@@ -13,6 +13,8 @@ use sgx_types::{
     sgx_report_t, sgx_spid_t, sgx_status_t, sgx_target_info_t, sgx_update_info_bit_t,
 };
 
+include!("../../cosmwasm/packages/sgx-vm/src/attestation_dcap.rs");
+
 // ecalls
 
 extern "C" {
@@ -186,53 +188,3 @@ pub extern "C" fn ocall_read_db(
 pub extern "C" fn ocall_allocate(_buffer: *const u8, _length: usize) -> UserSpaceBuffer {
     unimplemented!()
 }
-
-#[no_mangle]
-pub extern "C" fn ocall_get_quote_ecdsa_params(
-    ret_val: *mut sgx_status_t,
-    p_qe_info: *mut sgx_target_info_t,
-    p_quote_size: *mut u32,
-) -> sgx_status_t {
-    unimplemented!()
-}
-#[no_mangle]
-pub extern "C" fn ocall_get_quote_ecdsa(
-    ret_val: *mut sgx_status_t,
-    p_report: *const sgx_report_t,
-    p_quote: *mut u8,
-    n_quote: u32,
-) -> sgx_status_t {
-    unimplemented!()
-}
-
-#[no_mangle]
-pub extern "C" fn ocall_get_quote_ecdsa_collateral(
-    ret_val: *mut sgx_status_t,
-    p_quote: *const u8,
-    n_quote: u32,
-    p_col: *mut u8,
-    n_col: u32,
-    p_col_out: *mut u32,
-) -> sgx_status_t {
-    unimplemented!()
-}
-
-#[no_mangle]
-pub extern "C" fn ocall_verify_quote_ecdsa(
-    ret_val: *mut sgx_status_t,
-    p_quote: *const u8,
-    n_quote: u32,
-    p_col: *const u8,
-    n_col: u32,
-    p_target_info: *const sgx_target_info_t,
-    time_s: i64,
-    p_qve_report_info: *mut sgx_ql_qe_report_info_t,
-    p_supp_data: *mut u8,
-    n_supp_data: u32,
-    p_supp_data_size: *mut u32,
-    p_time_s: *mut i64,
-    p_collateral_expiration_status: *mut u32,
-    p_qv_result: *mut sgx_ql_qv_result_t,
-) -> sgx_status_t {
-    unimplemented!()
-}

check-hw/src/enclave_api.rs

@@ -166,46 +166,11 @@ pub fn validate_enclave_version(
         sgx_status_t::SGX_ERROR_UNEXPECTED
     })?;
 
-    // let timestamp = crate::registration::report::AttestationReport::from_cert(&cert_der)
-    //     .map_err(|_| sgx_status_t::SGX_ERROR_UNEXPECTED)?
-    //     .timestamp;
-
-    // if result.is_err() && in_grace_period(timestamp) {
-    //     let ecc_handle = SgxEccHandle::new();
-    //     let _result = ecc_handle.open();
-    //
-    //     // use ephemeral key
-    //     let (prv_k, pub_k) = ecc_handle.create_key_pair().unwrap();
-    //
-    //     // call create_report using the secp256k1 public key, and __not__ the P256 one
-    //     let signed_report =
-    //         match create_attestation_report(&kp.get_pubkey(), sign_type, api_key, challenge, false)
-    //         {
-    //             Ok(r) => r,
-    //             Err(e) => {
-    //                 error!("Error creating attestation report");
-    //                 return Err(e);
-    //             }
-    //         };
-    //
-    //     let payload: String = serde_json::to_string(&signed_report).map_err(|_| {
-    //         error!("Error serializing report. May be malformed, or badly encoded");
-    //         sgx_status_t::SGX_ERROR_UNEXPECTED
-    //     })?;
-    //     let (_key_der, cert_der) = super::cert::gen_ecc_cert(payload, &prv_k, &pub_k, &ecc_handle)?;
-    //     let _result = ecc_handle.close();
-    //
-    //     let verify_result = verify_ra_cert(&cert_der, None, false);
-    //     if verify_result.is_err() {
-    //         #[cfg(all(feature = "SGX_MODE_HW", feature = "production"))]
-    //         remove_all_keys();
-    //     }
-    // } else
-
     let (_key_der, cert_der) = super::cert::gen_ecc_cert(payload, &prv_k, &pub_k, &ecc_handle)?;
     let _result = ecc_handle.close();
+
     if verify_ra_cert(&cert_der, None, true).is_err() {
-        remove_all_keys();
+        sgx_status_t::SGX_ERROR_UNEXPECTED
     }
 
     Ok(())

cosmwasm/enclaves/execute/src/registration/attestation.rs

@@ -14,6 +14,9 @@ use crate::registration::attestation::create_attestation_report;
 #[cfg(feature = "SGX_MODE_HW")]
 use crate::registration::cert::verify_quote_status;
 
+#[cfg(feature = "SGX_MODE_HW")]
+use crate::registration::offchain::get_attestation_report_dcap;
+
 #[cfg(not(feature = "epid_whitelist_disabled"))]
 use crate::registration::cert::check_epid_gid_is_whitelisted;
 
@@ -52,6 +55,12 @@ pub unsafe extern "C" fn ecall_check_patch_level(
     // generate temporary key for attestation
     let temp_key_result = enclave_crypto::KeyPair::new().unwrap();
 
+    let res_dcap = unsafe { get_attestation_report_dcap(&temp_key_result) };
+    if res_dcap.is_ok() {
+        println!("DCAP attestation ok");
+        return NodeAuthResult::Success;
+    }
+
     let signed_report = match create_attestation_report(
         &temp_key_result.get_pubkey(),
         SIGNATURE_TYPE,