SGX attestation leftovers

[dimakuv]

Description of the problem

During my work on SGX attestation, RA-TLS, Secret Provisioning and MAA, there were several issues raised. I'll need to create PRs to fix each of them:

• Update the attestation readthedocs page with more specifics:

  • A clear distinction between "attestation evidence" (= SGX quotes), "attestation results" (aka "attestation report", "attestation claims"), and "SGX attestation schemes". Also, "verifier" vs "attester" (="relying party"). Basically, introduce a glossary at the beginning of the section, and rewrite the text to follow this glossary.
  • Explain again the differences between EPID, DCAP and MAA (in the future) attestation schemes, from the perspective of a user of Gramine. E.g., that IAS and IAS-related env variables are only used for EPID. That the gramine-sgx-ias-request utility is used to manually send the SGX quote and receive the IAS attestation report -- but normal users don't need to use this utility because that stuff is done by RA-TLS under the hood.

• Use more explicit logic of specifying envvars in manifest.template files:

  • Instead of this: sgx.ra_client_spid = "{{ env.get('RA_CLIENT_SPID', '') }}"
  • we need this: sgx.ra_client_spid = "{{ ra_client_spid }}"
  • with the corresponding line in the Makefile: gramine-manifest ... -Dra_client_spid=$(RA_CLIENT_SPID).
  • Replace this everywhere, in all examples, in all Gramine repos.

• Use UNIX error codes in RA-TLS and Secret Prov libraries:

  • Currently, there is an ugly mix of mbedTLS error codes, cJSON error codes and curl error codes with UNIX error codes in RA-TLS and Secret Prov codebases.
  • We need to introduce helpers mbedtls_to_unix_errno(), cjson_to_unix_errno(), curl_to_unix_errno(), if there are no such already (I know for sure that there are no such funcs in mbedTLS).
  • Add more ERROR() prints in error paths where errno is not enough.

• Introduce an envvar to choose between quiet and verbose modes in RA-TLS and Secret Prov.

• In the ra-tls-mbedtls example, the "in-enclave client" logic got out of control:

  • There is the exact same logic to create the manifest for the "in-enclave" client for EPID and for DCAP:

    gramine/CI-Examples/ra-tls-mbedtls/Makefile

    Lines 114 to 152 in aa4486b

    	########################### CLIENT (DCAP) MANIFEST ############################
    	client_dcap.manifest: client.manifest.template
    	gramine-manifest \
    	-Dlog_level=$(GRAMINE_LOG_LEVEL) \
    	-Darch_libdir=$(ARCH_LIBDIR) \
    	$< >$@
    	client_dcap.manifest.sgx client_dcap.sig: sgx_sign_client_dcap
    	@:
    	.INTERMEDIATE: sgx_sign_client_dcap
    	sgx_sign_client_dcap: client_dcap.manifest client
    	gramine-sgx-sign \
    	--manifest $< \
    	--output $<.sgx
    	client_dcap.token: client_dcap.sig
    	gramine-sgx-get-token --output $@ --sig $<
    	########################### CLIENT (EPID) MANIFEST ############################
    	client_epid.manifest: client.manifest.template
    	gramine-manifest \
    	-Dlog_level=$(GRAMINE_LOG_LEVEL) \
    	-Darch_libdir=$(ARCH_LIBDIR) \
    	$< >$@
    	client_epid.manifest.sgx client_epid.sig: sgx_sign_client_epid
    	@:
    	.INTERMEDIATE: sgx_sign_client_epid
    	sgx_sign_client_epid: client_epid.manifest client
    	gramine-sgx-sign \
    	--manifest $< \
    	--output $<.sgx
    	client_epid.token: client_epid.sig
    	gramine-sgx-get-token --output $@ --sig $<

  • I suspect that the whole RA_TLS_CLIENT_INSIDE_SGX envvar logic is redundant, and the library libra_tls_verify_dcap_gramine.so can be removed:

    gramine/CI-Examples/ra-tls-mbedtls/src/client.c

    Line 180 in aa4486b

    ra_tls_verify_lib = dlopen("libra_tls_verify_dcap_gramine.so", RTLD_LAZY);

  • The library libra_tls_verify_dcap_gramine.so differs from the normal libra_tls_verify_dcap.so only in the ra_tls_verify_dcap_urts.c file:

    gramine/Pal/src/host/Linux-SGX/tools/ra-tls/meson.build

    Line 112 in aa4486b

    'ra_tls_verify_dcap_urts.c',

  • This ra_tls_verify_dcap_urts.c file provides dummies: https://github.com/gramineproject/gramine/blob/master/Pal/src/host/Linux-SGX/tools/ra-tls/ra_tls_verify_dcap_urts.c
  • Check Intel-provided libsgx_dcap_quoteverify.so library, and how we can circumvent those dummies.