packages/secGear
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
secGear/0017-update-signtool-codegen.patch

585 lines
24 KiB
Diff
Raw Normal View History

update signtool and codegen
2021-05-12 11:01:30 +08:00
From ace83320ad722deae65672e9801b1e58c62f7a81 Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Wed, 12 May 2021 10:44:12 +0800
Subject: [PATCH] patch
---
CMakeLists.txt | 2 +-
README.en.md | 21 ++++--------
README.md | 15 +++------
docs/build_install.md | 4 +++
docs/codegener.md | 14 +++-----
docs/sign_tool.md | 14 ++++----
examples/helloworld/CMakeLists.txt | 3 +-
examples/helloworld/enclave/CMakeLists.txt | 6 ++--
examples/helloworld/host/main.c | 18 +++++++++-
examples/seal_data/CMakeLists.txt | 5 ++-
examples/seal_data/enclave/CMakeLists.txt | 7 ++--
src/enclave_src/CMakeLists.txt | 2 +-
tools/codegener/CMakeLists.txt | 10 ++----
tools/sign_tool/sign_tool.sh | 39 ++++++++--------------
14 files changed, 69 insertions(+), 91 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 98862a3..edb7d80 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -8,7 +8,7 @@
# PURPOSE.
# See the Mulan PSL v2 for more details.
-cmake_minimum_required(VERSION 3.12 FATAL_ERROR)
+cmake_minimum_required(VERSION 3.10 FATAL_ERROR)
project(secGear C)
set(CMAKE_C_STANDARD 99)
diff --git a/README.en.md b/README.en.md
index fa47d03..aa8c4a8 100644
--- a/README.en.md
+++ b/README.en.md
@@ -1,4 +1,4 @@
-<img src="docs/logo.png" alt="secGear" style="zoom:100%;" />
+<img src="docs/logo.png" alt="secGear" style="zoom:100%;" />
secGear
============================
@@ -43,23 +43,22 @@ Then save as test.edl
### 2 Write the top-level CMakeLists.txt
- cmake_minimum_required(VERSION 3.12 FATAL_ERROR)
+ cmake_minimum_required(VERSION 3.10 FATAL_ERROR)
project(TEST C)
set(CMAKE_C_STANDARD 99)
set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
set(EDL_FILE test.edl)
set(LOCAL_ROOT_PATH "$ENV{CC_SDK}")
set(SECGEAR_INSTALL_PATH /lib64/)
+ set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
- set(CODEGEN codegen_arm64)
execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID)
string(REPLACE "\n" "" UUID ${UUID})
add_definitions(-DPATH="/data/${UUID}.sec")
endif()
if(CC_SGX)
set(CODETYPE sgx)
- set(CODEGEN codegen_x86_64)
add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so")
endif()
add_subdirectory(${CURRENT_ROOT_PATH}/enclave)
@@ -254,8 +253,6 @@ Set sign tool and the security side log printing level
if(CC_GP)
#set signed output
set(OUTPUT ${UUID}.sec)
- #set itrustee device key
- set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem)
set(WHITE_LIST_0 /vendor/bin/helloworld)
set(WHITE_LIST_1 /vendor/bin/secgear_test)
@@ -270,8 +267,7 @@ Set sign tool and the security side log printing level
WHITE_LIS_X sets the whitelist of itrustee, only the host binary of these paths can call this secure image,
and up to 8 list paths can be configured. WHITE_LIST_OWNER set user, this user will be applied to all whitelist paths.
-DEVICEPEM public key is used by itrustee and is used to encrypt the enclave image of the security side with the
-dynamically generated aes key. Finally, set the name of the security side image after the final signature, and
+Finally, set the name of the security side image after the final signature, and
generate auxiliary code.
if(CC_SGX)
@@ -339,8 +335,8 @@ so -nostdinc -nodefaultlibs -nostdlib -nodefaultlibs compile link options was in
add_custom_command(TARGET ${PREFIX}
POST_BUILD
- COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
- -e ${DEVICEPEM} -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT})
+ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
+ -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT})
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT}
DESTINATION /data
@@ -425,9 +421,6 @@ configuration file. For details, please refer to the official development docum
Write itrustee related configuration files
The gpd.ta.appID in the manifest.txt.in file is the uuid configuration item, which is dynamically generated,
and the other configuration items can refer to the itrustee development document.
-
-Copy the rsa_public_key_cloud.pem device public key from other examples in the project to the enclave directory.
-The device public key here is used to encrypt the enclave image with the temporarily generated aes key.
### 5 build and install test
@@ -509,5 +502,5 @@ secGear introduce the signing tool to sign the enclave.
Milestone
---------
-<img src="docs/milestone.png" alt="secGear" style="zoom:80%;" />
+<img src="docs/milestone_en.png" alt="secGear" style="zoom:80%;" />
diff --git a/README.md b/README.md
index 54c32e3..a90450b 100644
--- a/README.md
+++ b/README.md
@@ -35,23 +35,22 @@ SecGear则是面向计算产业的机密计算安全应用开发套件。旨在
### 2 编写最外层CMakeLists.txt文件
- cmake_minimum_required(VERSION 3.12 FATAL_ERROR)
+ cmake_minimum_required(VERSION 3.10 FATAL_ERROR)
project(TEST C)
set(CMAKE_C_STANDARD 99)
set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
set(EDL_FILE test.edl)
set(LOCAL_ROOT_PATH "$ENV{CC_SDK}")
set(SECGEAR_INSTALL_PATH /lib64/)
+ set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
- set(CODEGEN codegen_arm64)
execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID)
string(REPLACE "\n" "" UUID ${UUID})
add_definitions(-DPATH="/data/${UUID}.sec")
endif()
if(CC_SGX)
set(CODETYPE sgx)
- set(CODEGEN codegen_x86_64)
add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so")
endif()
add_subdirectory(${CURRENT_ROOT_PATH}/enclave)
@@ -236,8 +235,6 @@ test_t.h该头文件为自动生成代码工具codegen通过edl文件生成
if(CC_GP)
#set signed output
set(OUTPUT ${UUID}.sec)
- #set itrustee device key
- set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem)
set(WHITE_LIST_0 /vendor/bin/helloworld)
set(WHITE_LIST_1 /vendor/bin/secgear_test)
@@ -252,7 +249,6 @@ test_t.h该头文件为自动生成代码工具codegen通过edl文件生成
WHITE_LIST_x为设置iTrustee的二进制白名单只有这里定义的白名单在非安全侧的二进制才可以调用安全侧的动态库。上限为8个。
WHITE_LIST_OWNER为设置运行二进制的用户只有该用户才可以调用安全侧动态库。
-DEVICEPEM该公钥用来动态生成aes秘钥
AUTO_FILES由edl文件生成的安全侧二进制文件
if(CC_SGX)
@@ -319,8 +315,8 @@ AUTO_FILES由edl文件生成的安全侧二进制文件
add_custom_command(TARGET ${PREFIX}
POST_BUILD
- COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
- -e ${DEVICEPEM} -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT})
+ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
+ -o ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT})
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${OUTPUT}
DESTINATION /data
@@ -391,7 +387,6 @@ itrustee需要链接secgear_tee动态库提供seal接口等。
编写itrustee enclave相关配置文件
mainfest.txt.in:其中gpd.ta.appID 为动态生成uuid。其他配置参见itrustee开发文档。
-rsa_public_key_cloud.pem文件请将其他examples的中的拷贝过来这里的设备公钥用于使用临时生成的aes密钥用于对enclave动态库进行加密。
#### 5 构建 安装
@@ -451,4 +446,4 @@ secGear引入EDL(Enclave Description Language)和中间代码辅助生成工具c
里程碑
---------
-<img src="docs/milestone.png" alt="secGear" style="zoom:80%;" />
\ No newline at end of file
+<img src="docs/milestone.png" alt="secGear" style="zoom:80%;" />
diff --git a/docs/build_install.md b/docs/build_install.md
index 482e8c2..760ceaa 100644
--- a/docs/build_install.md
+++ b/docs/build_install.md
@@ -13,6 +13,10 @@ openEuler x86
3. source environment && mkdir debug && cd debug
&& cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=ON -DSGXSDK="sgx_sdk path" .. && make && sudo make install
+4. To run example tls_enclave, refer to https://gitee.com/src-openeuler/intel-sgx-ssl
+ download and install intel-sgx-ssl firstly.
+ source environment && mkdir debug && cd debug && cmake -DCMAKE_BUILD_TYPE=Debug -DCC_SGX=ON -DSGXSDK="sgx_sdk path"
+ && -DENCLAVE_SSL="sgxssl path" .. && make && sudo make install
openEuler arm
diff --git a/docs/codegener.md b/docs/codegener.md
index cc20013..85fc6a0 100644
--- a/docs/codegener.md
+++ b/docs/codegener.md
@@ -1,19 +1,15 @@
-# Getting started with the codegen_x86_64/codegen_arm64
+# Getting started with the codegen
-The codegen_x86_64/codegen_arm64 helps to define these special functions through the `edl` files and assist user to using enclave.
+The codegen helps to define these special functions through the `edl` files and assist user to using enclave.
-## The codegen_x86_64/codegen_arm64
+## The codegen
-The codegen_x86_64/codegen_arm64 is based on the 'edger8r' tool in SGX SDK.
+The codegen is based on the 'edger8r' tool in SGX SDK.
- For example
```
$ codegen_arm64 --trustzone test.edl
```
-OR
-```
-$ codegen_x86_64 --sgx test.edl
-```
-**Note**: using the `codegen_x86_64/codegen_arm64 --help` to get more details.
+**Note**: using the `codegen --help` to get more details.
## EDL format
- For SGX(x86)
diff --git a/docs/sign_tool.md b/docs/sign_tool.md
index 3a49d5b..ccaa2e6 100644
--- a/docs/sign_tool.md
+++ b/docs/sign_tool.md
@@ -4,7 +4,7 @@ The sign_tool.sh helps to sign the enclave.
## The sign_tool.sh
-The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'sign_too.py' for signing the trustzone enclave.
+The sign_tool.sh uses the 'sgx_sign' tool in SGX SDK for signing the sgx enclave and the 'sign_tool.py' for signing the trustzone enclave.
The tool supports the following two modes:
@@ -13,36 +13,34 @@ The tool supports the following two modes:
For example:
- `$ ./signtool.sh d sign x trustzone i test.enclave -m manifest.txt e device_pubkey.pem o signed.enclave `
+ `$ ./sign_tool.sh d sign x trustzone i test.enclave -c manifest.txt o signed.enclave `
- two-step method, it is used when the signature needs to be obtained from the signing organization or the private key is stored on another secure platform.
For example:
(1) generate the digest value.
- `$ ./signtool.sh d digest x trustzone i input -m manifest.txt e device_pubkey.pem o digest.data `
+ `$ ./sign_tool.sh d digest x trustzone i input -c manifest.txt o digest.data `
For trustzone, temporary files KeyInfo.enc, rawData.enc, and rawDataHash.bin are generated in the current directory. And for sgx, a temporary file signdata is generated in the current directory. The temporary file is required when generating the signed enclave in step 3 and is deleted after the signed enclave is generated.
(2) send the digest.data to the signing organization or platform and get the signature.
(3) use the signature to generate the signed enclave.
- `$ ./signtool.sh d sign x trustzone i input -m manifest.txt p pub.pem e device_pubkey.pem s signature o signed.enclave `
+ `$ ./sign_tool.sh d sign x trustzone i input -c manifest.txt p pub.pem s signature o signed.enclave `
## sign_tool.sh parameter
```
-a <parameter> API_LEVEL, indicates trustzone GP API version, defalut is 1.
- -c <file> config file.
+ -c <file> basic config file.
-d <parameter> sign tool command, sign/digest.
The sign command is used to generate a signed enclave.
The digest command is used to generate a digest value.
- -e <file> the device's public key certificate, used to protect the AES key of the encrypted rawdata,
- required by trustzone.
-f <parameter> OTRP_FLAG, indicates whether the OTRP standard protocol is supported, default is 0.
-i <file> enclave to be signed.
-k <file> private key required for single-step method, required when trustzone TA_TYPE is 2 or sgx.
- -m <file> manifest file, required by trustzone.
+ -m <file> additional config for trustzone when TA_TYPE is 2.
-o <file> output parameters, the sign command outputs sigend enclave, the digest command outputs digest value.
-p <file> signing server public key certificate, required for two-step method.
-s <file> the signed digest value required for two-step method, this parameter is empty to indicate single-step method.
diff --git a/examples/helloworld/CMakeLists.txt b/examples/helloworld/CMakeLists.txt
index a758f1c..5da2a6b 100644
--- a/examples/helloworld/CMakeLists.txt
+++ b/examples/helloworld/CMakeLists.txt
@@ -16,10 +16,10 @@ set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
#set edl name
set(EDL_FILE helloworld.edl)
+set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
- set(CODEGEN codegen_arm64)
execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID)
string(REPLACE "\n" "" UUID ${UUID})
add_definitions(-DPATH="/data/${UUID}.sec")
@@ -27,7 +27,6 @@ endif()
if(CC_SGX)
set(CODETYPE sgx)
- set(CODEGEN codegen_x86_64)
add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so")
endif()
diff --git a/examples/helloworld/enclave/CMakeLists.txt b/examples/helloworld/enclave/CMakeLists.txt
index c1638f8..0aefdae 100644
--- a/examples/helloworld/enclave/CMakeLists.txt
+++ b/examples/helloworld/enclave/CMakeLists.txt
@@ -27,8 +27,6 @@ add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL})
if(CC_GP)
#set signed output
set(OUTPUT ${UUID}.sec)
- #set itrustee device key
- set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem)
#set whilelist. default: /vendor/bin/teec_hello
set(WHITE_LIST_0 /vendor/bin/helloworld)
set(WHITE_LIST_OWNER root)
@@ -101,8 +99,8 @@ if(CC_GP)
add_custom_command(TARGET ${PREFIX}
POST_BUILD
- COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
- -e ${DEVICEPEM} -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT})
+ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
+ -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT})
install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}
DESTINATION /data
diff --git a/examples/helloworld/host/main.c b/examples/helloworld/host/main.c
index e4c4ec4..51993ce 100644
--- a/examples/helloworld/host/main.c
+++ b/examples/helloworld/host/main.c
@@ -11,6 +11,8 @@
*/
#include <stdio.h>
+#include <unistd.h>
+#include <linux/limits.h>
#include "enclave.h"
#include "helloworld_u.h"
@@ -26,7 +28,21 @@ int main()
printf("Create secgear enclave\n");
- res = cc_enclave_create(path, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context);
+ char real_p[PATH_MAX];
+ /* check file exists, if not exist then use absolute path */
+ if (realpath(path, real_p) == NULL) {
+ if (getcwd(real_p, sizeof(real_p)) == NULL) {
+ printf("Cannot find enclave.sign.so");
+ return -1;
+ }
+ if (PATH_MAX - strlen(real_p) <= strlen("/enclave.signed.so")) {
+ printf("Failed to strcat enclave.sign.so path");
+ return -1;
+ }
+ (void)strcat(real_p, "/enclave.signed.so");
+ }
+
+ res = cc_enclave_create(real_p, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context);
if (res != CC_SUCCESS) {
printf("Create enclave error\n");
return res;
diff --git a/examples/seal_data/CMakeLists.txt b/examples/seal_data/CMakeLists.txt
index 20e2fd5..3577301 100644
--- a/examples/seal_data/CMakeLists.txt
+++ b/examples/seal_data/CMakeLists.txt
@@ -8,7 +8,7 @@
# PURPOSE.
# See the Mulan PSL v2 for more details.
-cmake_minimum_required(VERSION 3.12)
+cmake_minimum_required(VERSION 3.10)
project(SealData C)
@@ -17,10 +17,10 @@ set(CMAKE_C_STANDARD 99)
set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR})
set(EDL_FILE seal_data.edl)
+set(CODEGEN codegen)
if(CC_GP)
set(CODETYPE trustzone)
- set(CODEGEN codegen_arm64)
execute_process(COMMAND uuidgen -r
OUTPUT_VARIABLE UUID)
string(REPLACE "\n" "" UUID ${UUID})
@@ -29,7 +29,6 @@ endif()
if(CC_SGX)
set(CODETYPE sgx)
- set(CODEGEN codegen_x86_64)
add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/seal_data.signed.so")
endif()
diff --git a/examples/seal_data/enclave/CMakeLists.txt b/examples/seal_data/enclave/CMakeLists.txt
index 20851bd..0ddcbd5 100644
--- a/examples/seal_data/enclave/CMakeLists.txt
+++ b/examples/seal_data/enclave/CMakeLists.txt
@@ -24,9 +24,6 @@ add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL})
if(CC_GP)
#set signed output
set(OUTPUT ${UUID}.sec)
- #set itrustee device key
- set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem)
-
set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h)
#set whilelist. default: /vendor/bin/teec_hello
set(WHITE_LIST_0 /vendor/bin/seal_data)
@@ -97,8 +94,8 @@ if(CC_GP)
add_custom_command(TARGET ${PREFIX}
POST_BUILD
- COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -a 2 -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
- -e ${DEVICEPEM} -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT})
+ COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -a 2 -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -c ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt
+ -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT})
install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}
DESTINATION /data
diff --git a/src/enclave_src/CMakeLists.txt b/src/enclave_src/CMakeLists.txt
index cb09b5c..66a36ea 100644
--- a/src/enclave_src/CMakeLists.txt
+++ b/src/enclave_src/CMakeLists.txt
@@ -8,7 +8,7 @@
# PURPOSE.
# See the Mulan PSL v2 for more details.
-project(secgear_tee)
+project(secgear_tee C)
set(target_lib secgear_tee)
set(LIBRARY_INSTALL /lib64)
diff --git a/tools/codegener/CMakeLists.txt b/tools/codegener/CMakeLists.txt
index c5fd618..e52d894 100644
--- a/tools/codegener/CMakeLists.txt
+++ b/tools/codegener/CMakeLists.txt
@@ -10,7 +10,7 @@
include(ExternalProject)
-project(CodeGen)
+project(CodeGen C)
find_program(DUNE dune)
@@ -18,13 +18,7 @@ if(NOT DUNE)
message(FATAL_ERROR "Please check your dune installation")
endif()
-if(CC_SGX)
- set(code codegen_x86_64)
-endif()
-
-if(CC_GP)
- set(code codegen_arm64)
-endif()
+set(code codegen)
ExternalProject_Add(codegen
SOURCE_DIR ${LOCAL_ROOT_PATH}/tools/codegener
diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh
index 8f2189c..212db5d 100755
--- a/tools/sign_tool/sign_tool.sh
+++ b/tools/sign_tool/sign_tool.sh
@@ -21,16 +21,14 @@ print_help(){
echo "sign tool usage: ./sign_tool.sh [options] ..."
echo "[options]"
echo "-a <parameter> API_LEVEL, indicates trustzone GP API version, defalut is 1."
- echo "-c <file> config file."
+ echo "-c <file> basic config file."
echo "-d <parameter> sign tool command, sign/digest."
echo " The sign command is used to generate a signed enclave."
echo " The digest command is used to generate a digest value."
- echo "-e <file> the device's public key certificate, used to protect the AES key of the encrypted rawdata,"
- echo " required by trustzone."
echo "-f <parameter> OTRP_FLAG, indicates whether the OTRP standard protocol is supported, default is 0."
echo "-i <file> enclave to be signed."
echo "-k <file> private key required for single-step method, required when trustzone TA_TYPE is 2 or sgx."
- echo "-m <file> manifest file, required by trustzone."
+ echo "-m <file> additional config for trustzone when TA_TYPE is 2."
echo "-o <file> output parameters, the sign command outputs sigend enclave, the digest command outputs"
echo " digest value."
echo "-p <file> signing server public key certificate, required for two-step method."
@@ -42,7 +40,7 @@ print_help(){
}
-while getopts "d:i:x:m:a:f:t:c:e:k:p:s:o:h" opt
+while getopts "d:i:x:m:a:f:t:c:k:p:s:o:h" opt
do
case $opt in
d)
@@ -73,7 +71,7 @@ do
echo "Error: parameter for -m is missing or incorrect"
exit -1
fi
- MANIFIST=$OPTARG
+ A_CONFIG_FILE=$OPTARG
;;
a)
if [[ $OPTARG =~ ^[1-3]$ ]]; then
@@ -118,13 +116,6 @@ do
fi
CONFIG_FILE=$OPTARG
;;
- e)
- if [[ $OPTARG == -* ]]; then
- echo "Error: parameter for -e is missing or incorrect"
- exit -1
- fi
- DEVICE_PUBKEY=$OPTARG
- ;;
k)
if [[ $OPTARG == -* ]]; then
echo "Error: parameter for -k is missing or incorrect"
@@ -169,23 +160,21 @@ fi
itrustee_start_sign(){
# check_native_sign
- if [ -z $MANIFIST ]; then
- echo "Error: missing manifest file for signing iTrustee enclave"
- exit -1
- fi
- if [ -z $DEVICE_PUBKEY ]; then
- echo "Error: missing device pubkey for signing iTrustee enclave"
+ MANIFEST=$CONFIG_FILE
+ if [ -z $MANIFEST ]; then
+ echo "Error: missing config file for signing iTrustee enclave"
exit -1
fi
if [ ${TA_TYPE} == 2 ]; then
- if [ -z $CONFIG_FILE]; then
- echo "Error: TA TYPE = 2, missing config file for signing iTrustee enclave"
+ if [ -z $A_CONFIG_FILE]; then
+ echo "Error: TA TYPE = 2, missing additional config file for signing iTrustee enclave"
exit -1
fi
else
- CONFIG_FILE="NULL"
+ A_CONFIG_FILE="NULL"
fi
+ DEVICE_PUBKEY=${localpath}/rsa_public_key_cloud.pem
if [ "${CMD}"x == "sign"x ]; then
if [ -z $SIGNATURE ]; then
@@ -194,18 +183,18 @@ itrustee_start_sign(){
echo "missing the signature private key"
exit -1
fi
- python ${localpath}/sign_tool.py "sign" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFIST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${CONFIG_FILE}" "${SIG_KEY}"
+ python ${localpath}/sign_tool.py "sign" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFEST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${A_CONFIG_FILE}" "${SIG_KEY}"
else
DEBUG=0
if [ -z $SERVER_PUBKEY ]; then
echo "Error: missing server public key for verifying signature"
exit -1
fi
- python ${localpath}/sign_tool.py "sign" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFIST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${CONFIG_FILE}" "${SIGNATURE}" "${SERVER_PUBKEY}"
+ python ${localpath}/sign_tool.py "sign" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFEST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${A_CONFIG_FILE}" "${SIGNATURE}" "${SERVER_PUBKEY}"
fi
elif [ "${CMD}"x == "digest"x ]; then
DEBUG=0
- python ${localpath}/sign_tool.py "digest" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFIST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${CONFIG_FILE}"
+ python ${localpath}/sign_tool.py "digest" "${DEBUG}" "${IN_ENCLAVE}" "${OUT_FILE}" "${MANIFEST}" "${OTRP_FLAG}" "${TA_TYPE}" "${API_LEVEL}" "${DEVICE_PUBKEY}" "${A_CONFIG_FILE}"
else
echo "Error: illegal command"
fi
--
2.27.0
Reference in New Issue Copy Permalink