[Pal/Linux-SGX] Add MAA to RA-TLS and SecretProv libs

Microsoft Azure Attestation (MAA) is a new attestation scheme available in the MS Azure public cloud. It uses the classic DCAP SGX quotes but replaces the DCAP/EPID quote-verification software infrastructure with the new MAA attestation provider infrastructure. In particular, the remote user is supposed to send the SGX quote in the HTTPS REST attestation request to the MAA attestation provider and receive back the JSON Web Token (JWT) that contains claims about the attesting SGX enclave. This commit introduces new `_maa` versions of the RA-TLS and Secret Provisioning verification libraries. The documentation and the `ra-tls-mbedtls` and `ra-tls-secret-prov` examples are updated. Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
gramineproject · Jun 14, 2022 · dd2f3e2 · dd2f3e2
1 parent aa4486b
commit dd2f3e2
Show file tree

Hide file tree

Showing 13 changed files with 1,453 additions and 68 deletions.
diff --git a/CI-Examples/ra-tls-mbedtls/Makefile b/CI-Examples/ra-tls-mbedtls/Makefile
@@ -31,6 +31,9 @@ epid: client_epid.manifest.sgx client_epid.sig client_epid.token
 .PHONY: dcap
 dcap: client_dcap.manifest.sgx client_dcap.sig client_dcap.token
 
+.PHONY: maa
+maa: client_maa.manifest.sgx client_maa.sig client_maa.token
+
 ############################# SSL DATA DEPENDENCY #############################
 
 # SSL data: key and x.509 self-signed certificate
@@ -131,6 +134,26 @@ sgx_sign_client_dcap: client_dcap.manifest client
 client_dcap.token: client_dcap.sig
 	gramine-sgx-get-token --output $@ --sig $<
 
+########################### CLIENT (MAA) MANIFEST #############################
+
+client_maa.manifest: client.manifest.template
+	gramine-manifest \
+		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
+		-Darch_libdir=$(ARCH_LIBDIR) \
+		$< >$@
+
+client_maa.manifest.sgx client_maa.sig: sgx_sign_client_maa
+	@:
+
+.INTERMEDIATE: sgx_sign_client_maa
+sgx_sign_client_maa: client_maa.manifest client
+	gramine-sgx-sign \
+		--manifest $< \
+		--output $<.sgx
+
+client_maa.token: client_maa.sig
+	gramine-sgx-get-token --output $@ --sig $<
+
 ########################### CLIENT (EPID) MANIFEST ############################
 
 client_epid.manifest: client.manifest.template
@@ -193,6 +216,26 @@ check_dcap_fail: app dcap
 	./client dcap && exit 1 || echo "[ Success 1/1 ]"; \
 	kill -9 $$SERVER_ID
 
+.PHONY: check_maa
+check_maa: app maa
+	gramine-sgx server maa >/dev/null & SERVER_ID=$$!; \
+	sleep 30; \
+	./client maa > OUTPUT; \
+	./client maa 0 0 0 0 >> OUTPUT; \
+	kill -9 $$SERVER_ID
+	@grep -q "using default SGX-measurement verification callback" OUTPUT && echo "[ Success 1/4 ]"
+	@grep -q "using our own SGX-measurement verification callback" OUTPUT && echo "[ Success 2/4 ]"
+	@grep -q "Verifying peer X.509 certificate... ok" OUTPUT && echo "[ Success 3/4 ]"
+	@(exit `grep -c "failed" "OUTPUT"`) && echo "[ Success 4/4 ]"
+	@rm OUTPUT
+
+.PHONY: check_maa_fail
+check_maa_fail: app maa
+	gramine-sgx server maa dummy-option >/dev/null & SERVER_ID=$$!; \
+	sleep 30; \
+	./client maa && exit 1 || echo "[ Success 1/1 ]"; \
+	kill -9 $$SERVER_ID
+
 ################################## CLEANUP ####################################
 
 .PHONY: clean

diff --git a/CI-Examples/ra-tls-mbedtls/README.md b/CI-Examples/ra-tls-mbedtls/README.md
@@ -5,28 +5,39 @@ minimal server and client written against the mbedTLS library.
 
 The server and client are based on `ssl_server.c` and `ssl_client1.c` example
 programs shipped with mbedTLS. We modified them to allow using RA-TLS flows if
-the programs are given the command-line argument `epid`/`dcap`.  In particular,
-the server uses a self-signed RA-TLS cert with the SGX quote embedded in it via
-`ra_tls_create_key_and_crt()`. The client uses an RA-TLS verification callback
-to verify the server RA-TLS certificate via `ra_tls_verify_callback()`.
+the programs are given the command-line argument `epid`/`dcap`/`maa`. In
+particular, the server uses a self-signed RA-TLS cert with the SGX quote
+embedded in it via `ra_tls_create_key_and_crt()`. The client uses an RA-TLS
+verification callback to verify the server RA-TLS certificate via
+`ra_tls_verify_callback()`.
 
 This example uses the RA-TLS libraries `ra_tls_attest.so` for server and
-`ra_tls_verify_epid.so`/ `ra_tls_verify_dcap.so` for client. These libraries are
-installed together with Gramine (for DCAP version, you need `meson setup ...
--Ddcap=enabled`). Additionally, mbedTLS libraries are required to correctly run
-RA-TLS, the client, and the server. For ECDSA/DCAP attestation, the DCAP
-software infrastructure must be installed and work correctly on the host.
-
-The current example works with both EPID (IAS) and ECDSA (DCAP) remote
-attestation schemes. For more documentation, refer to
+`ra_tls_verify_epid.so` / `ra_tls_verify_dcap.so` / `ra_tls_verify_maa.so` for
+client. These libraries are installed together with Gramine (for DCAP and MAA
+versions, you need `meson setup ...  -Ddcap=enabled`). Additionally, mbedTLS
+libraries are required.
+
+For ECDSA/DCAP attestation, the DCAP software infrastructure must be installed
+and work correctly on the host.
+
+For MAA attestation, the server must run on the Azure cloud, and the client must
+have internet access to the MAA attestation provider service.
+
+The current example works with both EPID and ECDSA/DCAP SGX quote formats. The
+current example supports:
+- the IAS-based attestation scheme for EPID quotes,
+- the DCAP-based attestation scheme for DCAP quotes,
+- the MAA-based attestation scheme for DCAP quotes.
+
+For more documentation, refer to
 https://gramine.readthedocs.io/en/latest/attestation.html.
 
 ## RA-TLS server
 
 The server is supposed to run in the SGX enclave with Gramine and RA-TLS
 dlopen-loaded. If RA-TLS library `ra_tls_attest.so` is not requested by user via
-`epid`/`dcap` command-line argument, the server falls back to using normal X.509
-PKI flows (specified as `native` command-line argument).
+`epid`/`dcap`/`maa` command-line argument, the server falls back to using normal
+X.509 PKI flows (specified as `native` command-line argument).
 
 If server is run with more command-line arguments (the only important thing is
 to have at least one additional argument), then the server will maliciously
@@ -36,10 +47,10 @@ purposes.
 ## RA-TLS client
 
 The client is supposed to run on a trusted machine (*not* in an SGX enclave). If
-RA-TLS library `ra_tls_verify_epid.so` or `ra_tls_verify_dcap.so` is not
-requested by user via `epid` or `dcap` command-line arguments respectively, the
-client falls back to using normal X.509 PKI flows (specified as `native`
-command-line argument).
+RA-TLS library `ra_tls_verify_epid.so`, `ra_tls_verify_dcap.so` or
+`ra_tls_verify_maa.so` is not requested by user via `epid`, `dcap` or `maa`
+command-line arguments respectively, the client falls back to using normal X.509
+PKI flows (specified as `native` command-line argument).
 
 It is also possible to run the client in an SGX enclave. This will create a
 secure channel between two Gramine SGX processes, possibly running on different
@@ -60,7 +71,8 @@ Moreover, we set `RA_TLS_ALLOW_OUTDATED_TCB_INSECURE=1`, to allow performing
 the tests when some of Intel's security advisories haven't been addressed (for
 example, when the microcode or architectural enclaves aren't fully up-to-date).
 As the name of this setting suggests, this is not secure and likewise should not
-be used in production.
+be used in production. Note that this setting is irrelevant for the MAA
+attestation scheme because MAA always expects enclave TCB to be up-to-date.
 
 # Quick Start
 
@@ -125,6 +137,27 @@ RA_TLS_ISV_SVN=<ISV_SVN of the server enclave> \
 kill %%
 ```
 
+- RA-TLS flows with SGX and with Gramine, Microsoft Azure Attestation (MAA)
+  attestation:
+
+```sh
+make clean
+make app maa
+
+gramine-sgx ./server maa &
+
+RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE=1 \
+RA_TLS_ALLOW_OUTDATED_TCB_INSECURE=1 \
+RA_TLS_MRENCLAVE=<MRENCLAVE of the server enclave> \
+RA_TLS_MRSIGNER=<MRSIGNER of the server enclave> \
+RA_TLS_ISV_PROD_ID=<ISV_PROD_ID of the server enclave> \
+RA_TLS_ISV_SVN=<ISV_SVN of the server enclave> \
+./client maa
+
+# client will successfully connect to the server via RA-TLS/DCAP flows
+kill %%
+```
+
 - RA-TLS flows with SGX and with Gramine, client with its own verification callback:
 
 ```sh

diff --git a/CI-Examples/ra-tls-mbedtls/client.manifest.template b/CI-Examples/ra-tls-mbedtls/client.manifest.template
@@ -1,4 +1,4 @@
-# Client manifest file (both for EPID and DCAP)
+# Client manifest file (same for EPID, DCAP and MAA)
 
 loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "client"

diff --git a/CI-Examples/ra-tls-mbedtls/src/client.c b/CI-Examples/ra-tls-mbedtls/src/client.c
@@ -155,9 +155,9 @@ int main(int argc, char** argv) {
     mbedtls_x509_crt_init(&cacert);
     mbedtls_entropy_init(&entropy);
 
-    if (argc < 2 ||
-            (strcmp(argv[1], "native") && strcmp(argv[1], "epid") && strcmp(argv[1], "dcap"))) {
-        mbedtls_printf("USAGE: %s native|epid|dcap [SGX measurements]\n", argv[0]);
+    if (argc < 2 || (strcmp(argv[1], "native") && strcmp(argv[1], "epid") &&
+                strcmp(argv[1], "dcap") && strcmp(argv[1], "maa"))) {
+        mbedtls_printf("USAGE: %s native|epid|dcap|maa [SGX measurements]\n", argv[0]);
         return 1;
     }
 
@@ -200,6 +200,21 @@ int main(int argc, char** argv) {
                 return 1;
             }
         }
+    } else if (!strcmp(argv[1], "maa")) {
+        void* helper_sgx_urts_lib = dlopen("libsgx_urts.so", RTLD_NOW | RTLD_GLOBAL);
+        if (!helper_sgx_urts_lib) {
+            mbedtls_printf("%s\n", dlerror());
+            mbedtls_printf("User requested RA-TLS verification with MAA but cannot find helper"
+                           " libsgx_urts.so lib\n");
+            return 1;
+        }
+
+        ra_tls_verify_lib = dlopen("libra_tls_verify_maa.so", RTLD_LAZY);
+        if (!ra_tls_verify_lib) {
+            mbedtls_printf("%s\n", dlerror());
+            mbedtls_printf("User requested RA-TLS verification with MAA but cannot find lib\n");
+            return 1;
+        }
     }
 
     if (ra_tls_verify_lib) {

diff --git a/CI-Examples/ra-tls-mbedtls/src/server.c b/CI-Examples/ra-tls-mbedtls/src/server.c
@@ -99,13 +99,13 @@ int main(int argc, char** argv) {
     mbedtls_debug_set_threshold(DEBUG_LEVEL);
 #endif
 
-    if (argc < 2 ||
-            (strcmp(argv[1], "native") && strcmp(argv[1], "epid") && strcmp(argv[1], "dcap"))) {
-        mbedtls_printf("USAGE: %s native|epid|dcap [SGX measurements]\n", argv[0]);
+    if (argc < 2 || (strcmp(argv[1], "native") && strcmp(argv[1], "epid") &&
+                strcmp(argv[1], "dcap") && strcmp(argv[1], "maa"))) {
+        mbedtls_printf("USAGE: %s native|epid|dcap|maa [SGX measurements]\n", argv[0]);
         return 1;
     }
 
-    if (!strcmp(argv[1], "epid") || !strcmp(argv[1], "dcap")) {
+    if (!strcmp(argv[1], "epid") || !strcmp(argv[1], "dcap") || !strcmp(argv[1], "maa")) {
         ra_tls_attest_lib = dlopen("libra_tls_attest.so", RTLD_LAZY);
         if (!ra_tls_attest_lib) {
             mbedtls_printf("User requested RA-TLS attestation but cannot find lib\n");

diff --git a/CI-Examples/ra-tls-secret-prov/Makefile b/CI-Examples/ra-tls-secret-prov/Makefile
@@ -38,6 +38,9 @@ epid: secret_prov_server_epid
 .PHONY: dcap
 dcap: secret_prov_server_dcap
 
+.PHONY: maa
+maa: secret_prov_server_maa
+
 ############################# SSL DATA DEPENDENCY #############################
 
 # SSL data: key and x.509 self-signed certificate
@@ -63,6 +66,9 @@ secret_prov_server_epid: src/secret_prov_server.c
 secret_prov_server_dcap: src/secret_prov_server.c
 	$(CC) $< $(CFLAGS) $(LDFLAGS) -Wl,--no-as-needed -lsgx_urts -lsecret_prov_verify_dcap -pthread -o $@
 
+secret_prov_server_maa: src/secret_prov_server.c
+	$(CC) $< $(CFLAGS) $(LDFLAGS) -lsecret_prov_verify_maa -pthread -o $@
+
 secret_prov_client: src/secret_prov_client.c
 	$(CC) $< $(CFLAGS) $(LDFLAGS) -lsecret_prov_attest -o $@
 
@@ -175,13 +181,27 @@ check_dcap: app dcap files/input.txt
 	@grep "\[child\] Read from protected file: 'helloworld'" OUTPUT && echo "[ Success 4/4 ]"
 	@rm OUTPUT
 
+.PHONY: check_maa
+check_maa: app maa files/input.txt
+	./secret_prov_server_maa >/dev/null & SERVER_ID=$$!; \
+	sleep 3; \
+	gramine-sgx ./secret_prov_min_client > OUTPUT; \
+	gramine-sgx ./secret_prov_client >> OUTPUT; \
+	gramine-sgx ./secret_prov_pf_client >> OUTPUT; \
+	kill -9 $$SERVER_ID;
+	@grep "Received secret = 'ffeeddccbbaa99887766554433221100'" OUTPUT && echo "[ Success 1/4 ]"
+	@grep "Received secret1 = 'ffeeddccbbaa99887766554433221100', secret2 = '42'" OUTPUT && echo "[ Success 2/4 ]"
+	@grep "\[parent\] Read from protected file: 'helloworld'" OUTPUT && echo "[ Success 3/4 ]"
+	@grep "\[child\] Read from protected file: 'helloworld'" OUTPUT && echo "[ Success 4/4 ]"
+	@rm OUTPUT
+
 ################################## CLEANUP ####################################
 
 .PHONY: clean
 clean:
 	$(RM) -r \
 		*.token *.sig *.manifest.sgx *.manifest *.so *.so.* OUTPUT \
-		secret_prov_server_epid secret_prov_server_dcap \
+		secret_prov_server_epid secret_prov_server_dcap secret_prov_server_maa \
 		secret_prov_client secret_prov_min_client secret_prov_pf_client
 
 .PHONY: distclean

diff --git a/CI-Examples/ra-tls-secret-prov/README.md b/CI-Examples/ra-tls-secret-prov/README.md
@@ -4,14 +4,24 @@ This directory contains the Makefile, the template client manifests, and the
 minimal server and clients written against the Secret Provisioning library.
 
 This example uses the Secret Provisioning libraries `secret_prov_attest.so` for
-clients and `secret_prov_verify_epid.so`/`secret_prov_verify_dcap.so` for
-server. These libraries are installed together with Gramine (for DCAP version,
-you need `meson setup ... -Ddcap=enabled`). Additionally, mbedTLS libraries are
-required. For ECDSA/DCAP attestation, the DCAP software infrastructure must be
-installed and work correctly on the host.
-
-The current example works with both EPID (IAS) and ECDSA (DCAP) remote
-attestation schemes. For more documentation, refer to
+clients and `secret_prov_verify_epid.so` / `secret_prov_verify_dcap.so` /
+`secret_prov_verify_maa.so` for server. These libraries are installed together
+with Gramine (for DCAP and MAA versions, you need `meson setup ...
+-Ddcap=enabled`). Additionally, mbedTLS libraries are required.
+
+For ECDSA/DCAP attestation, the DCAP software infrastructure must be installed
+and work correctly on the host.
+
+For MAA attestation, the server must run on the Azure cloud, and the client must
+have internet access to the MAA attestation provider service.
+
+The current example works with both EPID and ECDSA/DCAP SGX quote formats. The
+current example supports:
+- the IAS-based attestation scheme for EPID quotes,
+- the DCAP-based attestation scheme for DCAP quotes,
+- the MAA-based attestation scheme for DCAP quotes.
+
+For more documentation, refer to
 https://gramine.readthedocs.io/en/latest/attestation.html.
 
 ## Secret Provisioning server
@@ -23,20 +33,19 @@ verification succeeds, sends the first secret back to the client (the master key
 for encrypted files, read from `files/wrap-key`). If the client requests a
 second secret, the server sends the dummy string `42` as the second secret.
 
-There are two versions of the server: the EPID one and the DCAP one. Each of
-them links against the corresponding EPID/DCAP secret-provisioning library at
-build time.
+There are three versions of the server: EPID, DCAP and MAA. Each of them links
+against the corresponding secret-provisioning library at build time.
 
-Because this example builds and uses debug SGX enclaves (`sgx.debug` is set
-to `true`), we use environment variable `RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE=1`.
-Note that in production environments,
-you must *not* use this option!
+Because this example builds and uses debug SGX enclaves (`sgx.debug` is set to
+`true`), we use environment variable `RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE=1`.
+Note that in production environments, you must *not* use this option!
 
 Moreover, we set `RA_TLS_ALLOW_OUTDATED_TCB_INSECURE=1`, to allow performing
 the tests when some of Intel's security advisories haven't been addressed (for
 example, when the microcode or architectural enclaves aren't fully up-to-date).
 As the name of this setting suggests, this is not secure and likewise should not
-be used in production.
+be used in production. Note that this setting is irrelevant for the MAA
+attestation scheme because MAA always expects enclave TCB to be up-to-date.
 
 ## Secret Provisioning clients
 
@@ -109,3 +118,23 @@ gramine-sgx ./secret_prov_pf_client
 
 kill %%
 ```
+
+- Secret Provisioning flows, Microsoft Azure Attestation (MAA) attestation:
+
+```sh
+make app maa files/input.txt
+
+RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE=1 \
+./secret_prov_server_maa &
+
+# test minimal client
+gramine-sgx ./secret_prov_min_client
+
+# test feature-rich client
+gramine-sgx ./secret_prov_client
+
+# test encrypted-files client
+gramine-sgx ./secret_prov_pf_client
+
+kill %%
+```