sigstruct.c - cachepc-linux - Fork of AMDESE/linux with modifications for CachePC side-channel attack

	cachepc-linux Fork of AMDESE/linux with modifications for CachePC side-channel attack
	git clone https://git.sinitax.com/sinitax/cachepc-linux
	Log \| Files \| Refs \| README \| LICENSE \| sfeed.txt
sigstruct.c (7873B)
      1// SPDX-License-Identifier: GPL-2.0
      2/*  Copyright(c) 2016-20 Intel Corporation. */
      3
      4#define _GNU_SOURCE
      5#include <assert.h>
      6#include <getopt.h>
      7#include <stdbool.h>
      8#include <stdint.h>
      9#include <stdio.h>
     10#include <stdlib.h>
     11#include <string.h>
     12#include <sys/stat.h>
     13#include <sys/types.h>
     14#include <unistd.h>
     15#include <openssl/err.h>
     16#include <openssl/pem.h>
     17#include "defines.h"
     18#include "main.h"
     19
     20struct q1q2_ctx {
     21	BN_CTX *bn_ctx;
     22	BIGNUM *m;
     23	BIGNUM *s;
     24	BIGNUM *q1;
     25	BIGNUM *qr;
     26	BIGNUM *q2;
     27};
     28
     29static void free_q1q2_ctx(struct q1q2_ctx *ctx)
     30{
     31	BN_CTX_free(ctx->bn_ctx);
     32	BN_free(ctx->m);
     33	BN_free(ctx->s);
     34	BN_free(ctx->q1);
     35	BN_free(ctx->qr);
     36	BN_free(ctx->q2);
     37}
     38
     39static bool alloc_q1q2_ctx(const uint8_t *s, const uint8_t *m,
     40			   struct q1q2_ctx *ctx)
     41{
     42	ctx->bn_ctx = BN_CTX_new();
     43	ctx->s = BN_bin2bn(s, SGX_MODULUS_SIZE, NULL);
     44	ctx->m = BN_bin2bn(m, SGX_MODULUS_SIZE, NULL);
     45	ctx->q1 = BN_new();
     46	ctx->qr = BN_new();
     47	ctx->q2 = BN_new();
     48
     49	if (!ctx->bn_ctx || !ctx->s || !ctx->m || !ctx->q1 || !ctx->qr ||
     50	    !ctx->q2) {
     51		free_q1q2_ctx(ctx);
     52		return false;
     53	}
     54
     55	return true;
     56}
     57
     58static void reverse_bytes(void *data, int length)
     59{
     60	int i = 0;
     61	int j = length - 1;
     62	uint8_t temp;
     63	uint8_t *ptr = data;
     64
     65	while (i < j) {
     66		temp = ptr[i];
     67		ptr[i] = ptr[j];
     68		ptr[j] = temp;
     69		i++;
     70		j--;
     71	}
     72}
     73
     74static bool calc_q1q2(const uint8_t *s, const uint8_t *m, uint8_t *q1,
     75		      uint8_t *q2)
     76{
     77	struct q1q2_ctx ctx;
     78	int len;
     79
     80	if (!alloc_q1q2_ctx(s, m, &ctx)) {
     81		fprintf(stderr, "Not enough memory for Q1Q2 calculation\n");
     82		return false;
     83	}
     84
     85	if (!BN_mul(ctx.q1, ctx.s, ctx.s, ctx.bn_ctx))
     86		goto out;
     87
     88	if (!BN_div(ctx.q1, ctx.qr, ctx.q1, ctx.m, ctx.bn_ctx))
     89		goto out;
     90
     91	if (BN_num_bytes(ctx.q1) > SGX_MODULUS_SIZE) {
     92		fprintf(stderr, "Too large Q1 %d bytes\n",
     93			BN_num_bytes(ctx.q1));
     94		goto out;
     95	}
     96
     97	if (!BN_mul(ctx.q2, ctx.s, ctx.qr, ctx.bn_ctx))
     98		goto out;
     99
    100	if (!BN_div(ctx.q2, NULL, ctx.q2, ctx.m, ctx.bn_ctx))
    101		goto out;
    102
    103	if (BN_num_bytes(ctx.q2) > SGX_MODULUS_SIZE) {
    104		fprintf(stderr, "Too large Q2 %d bytes\n",
    105			BN_num_bytes(ctx.q2));
    106		goto out;
    107	}
    108
    109	len = BN_bn2bin(ctx.q1, q1);
    110	reverse_bytes(q1, len);
    111	len = BN_bn2bin(ctx.q2, q2);
    112	reverse_bytes(q2, len);
    113
    114	free_q1q2_ctx(&ctx);
    115	return true;
    116out:
    117	free_q1q2_ctx(&ctx);
    118	return false;
    119}
    120
    121struct sgx_sigstruct_payload {
    122	struct sgx_sigstruct_header header;
    123	struct sgx_sigstruct_body body;
    124};
    125
    126static bool check_crypto_errors(void)
    127{
    128	int err;
    129	bool had_errors = false;
    130	const char *filename;
    131	int line;
    132	char str[256];
    133
    134	for ( ; ; ) {
    135		if (ERR_peek_error() == 0)
    136			break;
    137
    138		had_errors = true;
    139		err = ERR_get_error_line(&filename, &line);
    140		ERR_error_string_n(err, str, sizeof(str));
    141		fprintf(stderr, "crypto: %s: %s:%d\n", str, filename, line);
    142	}
    143
    144	return had_errors;
    145}
    146
    147static inline const BIGNUM *get_modulus(RSA *key)
    148{
    149	const BIGNUM *n;
    150
    151	RSA_get0_key(key, &n, NULL, NULL);
    152	return n;
    153}
    154
    155static RSA *gen_sign_key(void)
    156{
    157	unsigned long sign_key_length;
    158	BIO *bio;
    159	RSA *key;
    160
    161	sign_key_length = (unsigned long)&sign_key_end -
    162			  (unsigned long)&sign_key;
    163
    164	bio = BIO_new_mem_buf(&sign_key, sign_key_length);
    165	if (!bio)
    166		return NULL;
    167
    168	key = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL);
    169	BIO_free(bio);
    170
    171	return key;
    172}
    173
    174enum mrtags {
    175	MRECREATE = 0x0045544145524345,
    176	MREADD = 0x0000000044444145,
    177	MREEXTEND = 0x00444E4554584545,
    178};
    179
    180static bool mrenclave_update(EVP_MD_CTX *ctx, const void *data)
    181{
    182	if (!EVP_DigestUpdate(ctx, data, 64)) {
    183		fprintf(stderr, "digest update failed\n");
    184		return false;
    185	}
    186
    187	return true;
    188}
    189
    190static bool mrenclave_commit(EVP_MD_CTX *ctx, uint8_t *mrenclave)
    191{
    192	unsigned int size;
    193
    194	if (!EVP_DigestFinal_ex(ctx, (unsigned char *)mrenclave, &size)) {
    195		fprintf(stderr, "digest commit failed\n");
    196		return false;
    197	}
    198
    199	if (size != 32) {
    200		fprintf(stderr, "invalid digest size = %u\n", size);
    201		return false;
    202	}
    203
    204	return true;
    205}
    206
    207struct mrecreate {
    208	uint64_t tag;
    209	uint32_t ssaframesize;
    210	uint64_t size;
    211	uint8_t reserved[44];
    212} __attribute__((__packed__));
    213
    214
    215static bool mrenclave_ecreate(EVP_MD_CTX *ctx, uint64_t blob_size)
    216{
    217	struct mrecreate mrecreate;
    218	uint64_t encl_size;
    219
    220	for (encl_size = 0x1000; encl_size < blob_size; )
    221		encl_size <<= 1;
    222
    223	memset(&mrecreate, 0, sizeof(mrecreate));
    224	mrecreate.tag = MRECREATE;
    225	mrecreate.ssaframesize = 1;
    226	mrecreate.size = encl_size;
    227
    228	if (!EVP_DigestInit_ex(ctx, EVP_sha256(), NULL))
    229		return false;
    230
    231	return mrenclave_update(ctx, &mrecreate);
    232}
    233
    234struct mreadd {
    235	uint64_t tag;
    236	uint64_t offset;
    237	uint64_t flags; /* SECINFO flags */
    238	uint8_t reserved[40];
    239} __attribute__((__packed__));
    240
    241static bool mrenclave_eadd(EVP_MD_CTX *ctx, uint64_t offset, uint64_t flags)
    242{
    243	struct mreadd mreadd;
    244
    245	memset(&mreadd, 0, sizeof(mreadd));
    246	mreadd.tag = MREADD;
    247	mreadd.offset = offset;
    248	mreadd.flags = flags;
    249
    250	return mrenclave_update(ctx, &mreadd);
    251}
    252
    253struct mreextend {
    254	uint64_t tag;
    255	uint64_t offset;
    256	uint8_t reserved[48];
    257} __attribute__((__packed__));
    258
    259static bool mrenclave_eextend(EVP_MD_CTX *ctx, uint64_t offset,
    260			      const uint8_t *data)
    261{
    262	struct mreextend mreextend;
    263	int i;
    264
    265	for (i = 0; i < 0x1000; i += 0x100) {
    266		memset(&mreextend, 0, sizeof(mreextend));
    267		mreextend.tag = MREEXTEND;
    268		mreextend.offset = offset + i;
    269
    270		if (!mrenclave_update(ctx, &mreextend))
    271			return false;
    272
    273		if (!mrenclave_update(ctx, &data[i + 0x00]))
    274			return false;
    275
    276		if (!mrenclave_update(ctx, &data[i + 0x40]))
    277			return false;
    278
    279		if (!mrenclave_update(ctx, &data[i + 0x80]))
    280			return false;
    281
    282		if (!mrenclave_update(ctx, &data[i + 0xC0]))
    283			return false;
    284	}
    285
    286	return true;
    287}
    288
    289static bool mrenclave_segment(EVP_MD_CTX *ctx, struct encl *encl,
    290			      struct encl_segment *seg)
    291{
    292	uint64_t end = seg->size;
    293	uint64_t offset;
    294
    295	for (offset = 0; offset < end; offset += PAGE_SIZE) {
    296		if (!mrenclave_eadd(ctx, seg->offset + offset, seg->flags))
    297			return false;
    298
    299		if (seg->measure) {
    300			if (!mrenclave_eextend(ctx, seg->offset + offset, seg->src + offset))
    301				return false;
    302		}
    303	}
    304
    305	return true;
    306}
    307
    308bool encl_measure(struct encl *encl)
    309{
    310	uint64_t header1[2] = {0x000000E100000006, 0x0000000000010000};
    311	uint64_t header2[2] = {0x0000006000000101, 0x0000000100000060};
    312	struct sgx_sigstruct *sigstruct = &encl->sigstruct;
    313	struct sgx_sigstruct_payload payload;
    314	uint8_t digest[SHA256_DIGEST_LENGTH];
    315	unsigned int siglen;
    316	RSA *key = NULL;
    317	EVP_MD_CTX *ctx;
    318	int i;
    319
    320	memset(sigstruct, 0, sizeof(*sigstruct));
    321
    322	sigstruct->header.header1[0] = header1[0];
    323	sigstruct->header.header1[1] = header1[1];
    324	sigstruct->header.header2[0] = header2[0];
    325	sigstruct->header.header2[1] = header2[1];
    326	sigstruct->exponent = 3;
    327	sigstruct->body.attributes = SGX_ATTR_MODE64BIT;
    328	sigstruct->body.xfrm = 3;
    329
    330	/* sanity check */
    331	if (check_crypto_errors())
    332		goto err;
    333
    334	key = gen_sign_key();
    335	if (!key) {
    336		ERR_print_errors_fp(stdout);
    337		goto err;
    338	}
    339
    340	BN_bn2bin(get_modulus(key), sigstruct->modulus);
    341
    342	ctx = EVP_MD_CTX_create();
    343	if (!ctx)
    344		goto err;
    345
    346	if (!mrenclave_ecreate(ctx, encl->src_size))
    347		goto err;
    348
    349	for (i = 0; i < encl->nr_segments; i++) {
    350		struct encl_segment *seg = &encl->segment_tbl[i];
    351
    352		if (!mrenclave_segment(ctx, encl, seg))
    353			goto err;
    354	}
    355
    356	if (!mrenclave_commit(ctx, sigstruct->body.mrenclave))
    357		goto err;
    358
    359	memcpy(&payload.header, &sigstruct->header, sizeof(sigstruct->header));
    360	memcpy(&payload.body, &sigstruct->body, sizeof(sigstruct->body));
    361
    362	SHA256((unsigned char *)&payload, sizeof(payload), digest);
    363
    364	if (!RSA_sign(NID_sha256, digest, SHA256_DIGEST_LENGTH,
    365		      sigstruct->signature, &siglen, key))
    366		goto err;
    367
    368	if (!calc_q1q2(sigstruct->signature, sigstruct->modulus, sigstruct->q1,
    369		       sigstruct->q2))
    370		goto err;
    371
    372	/* BE -> LE */
    373	reverse_bytes(sigstruct->signature, SGX_MODULUS_SIZE);
    374	reverse_bytes(sigstruct->modulus, SGX_MODULUS_SIZE);
    375
    376	EVP_MD_CTX_destroy(ctx);
    377	RSA_free(key);
    378	return true;
    379
    380err:
    381	EVP_MD_CTX_destroy(ctx);
    382	RSA_free(key);
    383	return false;
    384}