[Pal/Linux-SGX] Add MAA to RA-TLS and SecretProv libs

Microsoft Azure Attestation (MAA) is a new attestation scheme available in the MS Azure public cloud. It uses the classic DCAP SGX quotes but replaces the DCAP/EPID quote-verification software infrastructure with the new MAA attestation provider infrastructure. In particular, the remote user is supposed to send the SGX quote in the HTTPS REST attestation request to the MAA attestation provider and receive back the JSON Web Token (JWT) that contains claims about the attesting SGX enclave. This commit introduces new `_maa` versions of the RA-TLS and Secret Provisioning verification libraries. MAA attestation should be enabled via `sgx.remote_attestation = "maa"` (`RA_TYPE=maa` in Makefiles). The documentation and the `ra-tls-mbedtls` and `ra-tls-secret-prov` examples are updated. Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
gramineproject · Oct 14, 2022 · a216621 · a216621
1 parent 546c598
commit a216621
Show file tree

Hide file tree

Showing 19 changed files with 1,547 additions and 65 deletions.
diff --git a/CI-Examples/busybox/README.md b/CI-Examples/busybox/README.md
@@ -17,6 +17,12 @@ a working DCAP setup. Then build the example as follows:
 make SGX=1 RA_TYPE=dcap
 ```
 
+If you run in Microsoft Azure cloud with a Confidential Computing offerring and
+want to build the example for MAA attestation, build it as follows:
+```
+make SGX=1 RA_TYPE=maa
+```
+
 Otherwise, you will probably want to use EPID attestation. For this, you will
 additionally need to provide an SPID and specify whether it is set up for
 linkable quotes or not:

diff --git a/CI-Examples/python/README.md b/CI-Examples/python/README.md
@@ -30,6 +30,12 @@ a working DCAP setup. Then build the example as follows:
 make SGX=1 RA_TYPE=dcap
 ```
 
+If you run in Microsoft Azure cloud with a Confidential Computing offerring and
+want to build the example for MAA attestation, build it as follows:
+```
+make SGX=1 RA_TYPE=maa
+```
+
 Otherwise, you will probably want to use EPID attestation. For this, you will
 additionally need to provide an SPID and specify whether it is set up for
 linkable quotes or not:

diff --git a/CI-Examples/ra-tls-mbedtls/Makefile b/CI-Examples/ra-tls-mbedtls/Makefile
@@ -27,6 +27,9 @@ epid: client_epid.manifest.sgx client_epid.sig client_epid.token
 .PHONY: dcap
 dcap: client_dcap.manifest.sgx client_dcap.sig client_dcap.token
 
+.PHONY: maa
+maa: client_maa.manifest.sgx client_maa.sig client_maa.token
+
 ############################# SSL DATA DEPENDENCY #############################
 
 # SSL data: key and x.509 self-signed certificate
@@ -127,6 +130,26 @@ sgx_sign_client_dcap: client_dcap.manifest client
 client_dcap.token: client_dcap.sig
 	gramine-sgx-get-token --output $@ --sig $<
 
+########################### CLIENT (MAA) MANIFEST #############################
+
+client_maa.manifest: client.manifest.template
+	gramine-manifest \
+		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
+		-Darch_libdir=$(ARCH_LIBDIR) \
+		$< >$@
+
+client_maa.manifest.sgx client_maa.sig: sgx_sign_client_maa
+	@:
+
+.INTERMEDIATE: sgx_sign_client_maa
+sgx_sign_client_maa: client_maa.manifest client
+	gramine-sgx-sign \
+		--manifest $< \
+		--output $<.sgx
+
+client_maa.token: client_maa.sig
+	gramine-sgx-get-token --output $@ --sig $<
+
 ########################### CLIENT (EPID) MANIFEST ############################
 
 client_epid.manifest: client.manifest.template
@@ -189,6 +212,26 @@ check_dcap_fail: app dcap
 	./client dcap && exit 1 || echo "[ Success 1/1 ]"; \
 	kill -9 $$SERVER_ID
 
+.PHONY: check_maa
+check_maa: app maa
+	gramine-sgx server >/dev/null & SERVER_ID=$$!; \
+	sleep 30; \
+	./client maa > OUTPUT; \
+	./client maa 0 0 0 0 >> OUTPUT; \
+	kill -9 $$SERVER_ID
+	@grep -q "using default SGX-measurement verification callback" OUTPUT && echo "[ Success 1/4 ]"
+	@grep -q "using our own SGX-measurement verification callback" OUTPUT && echo "[ Success 2/4 ]"
+	@grep -q "Verifying peer X.509 certificate... ok" OUTPUT && echo "[ Success 3/4 ]"
+	@(exit `grep -c "failed" "OUTPUT"`) && echo "[ Success 4/4 ]"
+	@rm OUTPUT
+
+.PHONY: check_maa_fail
+check_maa_fail: app maa
+	gramine-sgx server --test-malicious-quote >/dev/null & SERVER_ID=$$!; \
+	sleep 30; \
+	./client maa && exit 1 || echo "[ Success 1/1 ]"; \
+	kill -9 $$SERVER_ID
+
 ################################## CLEANUP ####################################
 
 .PHONY: clean

diff --git a/CI-Examples/ra-tls-mbedtls/README.md b/CI-Examples/ra-tls-mbedtls/README.md
@@ -11,13 +11,23 @@ verification callback to verify the server RA-TLS certificate via
 `ra_tls_verify_callback_der()`.
 
 This example uses the RA-TLS libraries `ra_tls_attest.so` for server and
-`ra_tls_verify_epid.so`/ `ra_tls_verify_dcap.so` for client. These libraries are
-installed together with Gramine (for DCAP version, you need `meson setup ...
--Ddcap=enabled`). For DCAP attestation, the DCAP software infrastructure must be
- installed and work correctly on the host.
+`ra_tls_verify_epid.so`/ `ra_tls_verify_dcap.so`/ `ra_tls_verify_maa.so` for
+client. These libraries are installed together with Gramine (for DCAP and MAA versions,
+you need `meson setup ... -Ddcap=enabled`).
+
+For DCAP attestation, the DCAP software infrastructure must be installed and
+work correctly on the host.
+
+For MAA attestation, the server must run on the Azure cloud, and the client must
+have internet access to the MAA attestation provider service.
 
 The current example works with both EPID (IAS) and ECDSA (DCAP) remote
-attestation schemes. For more documentation, refer to
+attestation schemes. The current example supports:
+- the IAS-based attestation scheme for EPID quotes,
+- the DCAP-based attestation scheme for DCAP quotes,
+- the MAA-based attestation scheme for DCAP quotes.
+
+For more documentation, refer to
 https://gramine.readthedocs.io/en/latest/attestation.html.
 
 ## RA-TLS server
@@ -33,10 +43,10 @@ This is useful for testing purposes.
 ## RA-TLS client
 
 The client is supposed to run on a trusted machine (*not* in an SGX enclave). If
-RA-TLS library `ra_tls_verify_epid.so` or `ra_tls_verify_dcap.so` is not
-requested by user via `epid` or `dcap` command-line arguments respectively, the
-client falls back to using normal X.509 PKI flows (specified as `native`
-command-line argument).
+RA-TLS library `ra_tls_verify_epid.so`, `ra_tls_verify_dcap.so` or
+`ra_tls_verify_maa.so` is not requested by user via `epid`, `dcap` or `maa`
+command-line arguments respectively, the client falls back to using normal X.509
+PKI flows (specified as `native` command-line argument).
 
 It is also possible to run the client in an SGX enclave. This will create a
 secure channel between two Gramine SGX processes, possibly running on different
@@ -59,7 +69,8 @@ Moreover, we set `RA_TLS_ALLOW_OUTDATED_TCB_INSECURE=1`, to allow performing
 the tests when some of Intel's security advisories haven't been addressed (for
 example, when the microcode or architectural enclaves aren't fully up-to-date).
 As the name of this setting suggests, this is not secure and likewise should not
-be used in production.
+be used in production. Note that this setting is irrelevant for the MAA
+attestation scheme because MAA always expects enclave TCB to be up-to-date.
 
 # Quick Start
 
@@ -125,6 +136,27 @@ RA_TLS_ISV_SVN=<ISV_SVN of the server enclave> \
 kill %%
 ```
 
+- RA-TLS flows with SGX and with Gramine, Microsoft Azure Attestation (MAA)
+  attestation:
+
+```sh
+make clean
+make app maa RA_TYPE=maa
+
+gramine-sgx ./server &
+
+RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE=1 \
+RA_TLS_MAA_PROVIDER_URL="https://sharedcus.cus.attest.azure.net" \
+RA_TLS_MRENCLAVE=<MRENCLAVE of the server enclave> \
+RA_TLS_MRSIGNER=<MRSIGNER of the server enclave> \
+RA_TLS_ISV_PROD_ID=<ISV_PROD_ID of the server enclave> \
+RA_TLS_ISV_SVN=<ISV_SVN of the server enclave> \
+./client maa
+
+# client will successfully connect to the server via RA-TLS/MAA flows
+kill %%
+```
+
 - RA-TLS flows with SGX and with Gramine, client with its own verification callback:
 
 ```sh

diff --git a/CI-Examples/ra-tls-mbedtls/src/client.c b/CI-Examples/ra-tls-mbedtls/src/client.c
@@ -161,17 +161,18 @@ int main(int argc, char** argv) {
     mbedtls_x509_crt_init(&cacert);
     mbedtls_entropy_init(&entropy);
 
-    if (argc < 2 ||
-            (strcmp(argv[1], "native") && strcmp(argv[1], "epid") && strcmp(argv[1], "dcap"))) {
-        mbedtls_printf("USAGE: %s native|epid|dcap [SGX measurements]\n", argv[0]);
+    if (argc < 2 || (strcmp(argv[1], "native") && strcmp(argv[1], "epid") &&
+                strcmp(argv[1], "dcap") && strcmp(argv[1], "maa"))) {
+        mbedtls_printf("USAGE: %s native|epid|dcap|maa [SGX measurements]\n", argv[0]);
         return 1;
     }
 
     if (!strcmp(argv[1], "epid")) {
         ra_tls_verify_lib = dlopen("libra_tls_verify_epid.so", RTLD_LAZY);
         if (!ra_tls_verify_lib) {
             mbedtls_printf("%s\n", dlerror());
-            mbedtls_printf("User requested RA-TLS verification with EPID but cannot find lib\n");
+            mbedtls_printf("User requested RA-TLS verification with EPID but cannot find lib "
+                           "libra_tls_verify_epid.so\n");
             if (in_sgx) {
                 mbedtls_printf("Please make sure that you are using client_epid.manifest\n");
             }
@@ -186,26 +187,44 @@ int main(int argc, char** argv) {
             ra_tls_verify_lib = dlopen("libra_tls_verify_dcap_gramine.so", RTLD_LAZY);
             if (!ra_tls_verify_lib) {
                 mbedtls_printf("%s\n", dlerror());
-                mbedtls_printf("User requested RA-TLS verification with DCAP inside SGX but cannot find lib\n");
+                mbedtls_printf("User requested RA-TLS verification with DCAP inside SGX but cannot "
+                               "find lib libra_tls_verify_dcap_gramine.so\n");
                 mbedtls_printf("Please make sure that you are using client_dcap.manifest\n");
                 return 1;
             }
         } else {
             void* helper_sgx_urts_lib = dlopen("libsgx_urts.so", RTLD_NOW | RTLD_GLOBAL);
             if (!helper_sgx_urts_lib) {
                 mbedtls_printf("%s\n", dlerror());
-                mbedtls_printf("User requested RA-TLS verification with DCAP but cannot find helper"
-                               " libsgx_urts.so lib\n");
+                mbedtls_printf("User requested RA-TLS verification with DCAP but cannot find "
+                               "helper libsgx_urts.so lib\n");
                 return 1;
             }
 
             ra_tls_verify_lib = dlopen("libra_tls_verify_dcap.so", RTLD_LAZY);
             if (!ra_tls_verify_lib) {
                 mbedtls_printf("%s\n", dlerror());
-                mbedtls_printf("User requested RA-TLS verification with DCAP but cannot find lib\n");
+                mbedtls_printf("User requested RA-TLS verification with DCAP but cannot find lib "
+                               "libra_tls_verify_dcap.so\n");
                 return 1;
             }
         }
+    } else if (!strcmp(argv[1], "maa")) {
+        void* helper_sgx_urts_lib = dlopen("libsgx_urts.so", RTLD_NOW | RTLD_GLOBAL);
+        if (!helper_sgx_urts_lib) {
+            mbedtls_printf("%s\n", dlerror());
+            mbedtls_printf("User requested RA-TLS verification with MAA but cannot find helper "
+                           "libsgx_urts.so lib\n");
+            return 1;
+        }
+
+        ra_tls_verify_lib = dlopen("libra_tls_verify_maa.so", RTLD_LAZY);
+        if (!ra_tls_verify_lib) {
+            mbedtls_printf("%s\n", dlerror());
+            mbedtls_printf("User requested RA-TLS verification with MAA but cannot find lib "
+                           "libra_tls_verify_maa.so\n");
+            return 1;
+        }
     }
 
     if (ra_tls_verify_lib) {
@@ -215,7 +234,8 @@ int main(int argc, char** argv) {
             return 1;
         }
 
-        ra_tls_set_measurement_callback_f = dlsym(ra_tls_verify_lib, "ra_tls_set_measurement_callback");
+        ra_tls_set_measurement_callback_f = dlsym(ra_tls_verify_lib,
+                                                  "ra_tls_set_measurement_callback");
         if ((error = dlerror()) != NULL) {
             mbedtls_printf("%s\n", error);
             return 1;

diff --git a/CI-Examples/ra-tls-mbedtls/src/server.c b/CI-Examples/ra-tls-mbedtls/src/server.c
@@ -118,7 +118,8 @@ int main(int argc, char** argv) {
     if (ret == -ENOENT || !strcmp(attestation_type_str, "none")) {
         ra_tls_attest_lib = NULL;
         ra_tls_create_key_and_crt_der_f = NULL;
-    } else if (!strcmp(attestation_type_str, "epid") || !strcmp(attestation_type_str, "dcap")) {
+    } else if (!strcmp(attestation_type_str, "epid") || !strcmp(attestation_type_str, "dcap")
+                    || !strcmp(attestation_type_str, "maa")) {
         ra_tls_attest_lib = dlopen("libra_tls_attest.so", RTLD_LAZY);
         if (!ra_tls_attest_lib) {
             mbedtls_printf("User requested RA-TLS attestation but cannot find lib\n");

diff --git a/CI-Examples/ra-tls-secret-prov/.gitignore b/CI-Examples/ra-tls-secret-prov/.gitignore
@@ -2,12 +2,15 @@
 /secret_prov/client
 /secret_prov/server_epid
 /secret_prov/server_dcap
+/secret_prov/server_maa
 /secret_prov_minimal/client
 /secret_prov_minimal/server_epid
 /secret_prov_minimal/server_dcap
+/secret_prov_minimal/server_maa
 /secret_prov_pf/client
 /secret_prov_pf/server_epid
 /secret_prov_pf/server_dcap
+/secret_prov_pf/server_maa
 /secret_prov_pf/wrap_key
 /secret_prov_pf/enc_files/input.txt
 

diff --git a/CI-Examples/ra-tls-secret-prov/Makefile b/CI-Examples/ra-tls-secret-prov/Makefile
@@ -36,6 +36,10 @@ epid: ssl/server.crt secret_prov_minimal/server_epid secret_prov/server_epid sec
 dcap: ssl/server.crt secret_prov_minimal/server_dcap secret_prov/server_dcap secret_prov_pf/server_dcap \
       secret_prov_pf/wrap_key secret_prov_pf/enc_files/input.txt
 
+.PHONY: maa
+maa: ssl/server.crt secret_prov_minimal/server_maa secret_prov/server_maa secret_prov_pf/server_maa \
+     secret_prov_pf/wrap_key secret_prov_pf/enc_files/input.txt
+
 ############################# SSL DATA DEPENDENCY #############################
 
 # SSL data: key and x.509 self-signed certificate
@@ -65,6 +69,9 @@ LDFLAGS += -Wl,--enable-new-dtags $(shell pkg-config --libs sgx_util)
 %/server_dcap: %/server.c
 	$(CC) $< $(CFLAGS) $(LDFLAGS) -Wl,--no-as-needed -lsgx_urts -lsecret_prov_verify_dcap -pthread -o $@
 
+%/server_maa: %/server.c
+	$(CC) $< $(CFLAGS) $(LDFLAGS) -lsecret_prov_verify_maa -pthread -o $@
+
 secret_prov/client: secret_prov/client.c
 	$(CC) $< $(CFLAGS) $(LDFLAGS) -lsecret_prov_attest -o $@
 
@@ -227,6 +234,35 @@ check_dcap: app dcap
 
 	@rm OUTPUT
 
+.PHONY: check_maa
+check_maa: app maa
+	# secret_prov_minimal
+	cd secret_prov_minimal; \
+	./server_maa >/dev/null & SERVER_ID=$$!; \
+	../../../scripts/wait_for_server 60 127.0.0.1 4433; \
+	gramine-sgx client > ../OUTPUT; \
+	kill -9 $$SERVER_ID;
+	@grep -E "Received secret = 'A_SIMPLE_SECRET'" OUTPUT && echo "[ Success 1/4 ]"
+
+	# secret_prov
+	cd secret_prov; \
+	./server_maa >/dev/null & SERVER_ID=$$!; \
+	../../../scripts/wait_for_server 60 127.0.0.1 4433; \
+	gramine-sgx client > ../OUTPUT; \
+	kill -9 $$SERVER_ID;
+	@grep -E "Received secret1 = 'FIRST_SECRET', secret2 = '42'" OUTPUT && echo "[ Success 2/4 ]"
+
+	# secret_prov_pf
+	cd secret_prov_pf; \
+	./server_maa wrap_key >/dev/null & SERVER_ID=$$!; \
+	../../../scripts/wait_for_server 60 127.0.0.1 4433; \
+	gramine-sgx client > ../OUTPUT; \
+	kill -9 $$SERVER_ID;
+	@grep -E "\[parent\] Read from protected file: 'helloworld'" OUTPUT && echo "[ Success 3/4 ]"
+	@grep -E "\[child\] Read from protected file: 'helloworld'" OUTPUT && echo "[ Success 4/4 ]"
+
+	@rm OUTPUT
+
 ################################## CLEANUP ####################################
 
 .PHONY: clean