diff --git a/.gitignore b/.gitignore index 551cad8f9..fb47f289d 100644 --- a/.gitignore +++ b/.gitignore @@ -213,5 +213,8 @@ IDE/INTIME-RTOS/Debug_* # Hexiwear IDE/HEXIWEAR/wolfSSL_HW/Debug +# Linux-SGX +IDE/LINUX-SGX/*.a + # Binaries wolfcrypt/src/port/intel/qat_test diff --git a/IDE/LINUX-SGX/README.md b/IDE/LINUX-SGX/README.md new file mode 100644 index 000000000..2d88385ad --- /dev/null +++ b/IDE/LINUX-SGX/README.md @@ -0,0 +1,17 @@ +# Static Library: Building libwolfssl.sgx.static.lib.a for use with SGX Enclaves + +### Requirements: +This code was created to use Intel's SGX hardware. It is expected that the user has gone through the steps of both turning on the hardware in bios if needed and has installed the necesary software from Intel to make use of the hardware. (https://software.intel.com/en-us/sgx) If these steps have not been done then it is expected that the user is familure with simiulation software being used in place of hardware. + +### Overview and Build: +This project creates a static library to then link with Enclaves. A simple example of an Enclave linking to the created wolfSSL library can be found in wolfssl-examples on github. This project has been tested with gcc 5.4.0 on Ubuntu 16.04. + +To create the static library, simply call make: + +`make -f sgx_t_static.mk all` + +This will create a local static library, libwolfssl.sgx.static.lib.a, that can be linked with SGX enclaves to access wolfSSL APIs using SGX hardware. + +Limitations: + Single Threaded (multiple threaded applications have not been tested) + AES-NI use with SGX has not been added in yet diff --git a/IDE/LINUX-SGX/sgx_t_static.mk b/IDE/LINUX-SGX/sgx_t_static.mk new file mode 100644 index 000000000..f5b8769c0 --- /dev/null +++ b/IDE/LINUX-SGX/sgx_t_static.mk @@ -0,0 +1,138 @@ +######## Intel(R) SGX SDK Settings ######## +SGX_SDK ?= /opt/intel/sgxsdk +SGX_MODE ?= SIM +SGX_ARCH ?= x64 +WOLFSSL_ROOT ?= $(shell readlink -f ../..) + +ifeq ($(shell getconf LONG_BIT), 32) + SGX_ARCH := x86 +else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32) + SGX_ARCH := x86 +endif + +ifeq ($(SGX_ARCH), x86) + SGX_COMMON_CFLAGS := -m32 + SGX_LIBRARY_PATH := $(SGX_SDK)/lib + SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x86/sgx_sign + SGX_EDGER8R := $(SGX_SDK)/bin/x86/sgx_edger8r +else + SGX_COMMON_CFLAGS := -m64 + SGX_LIBRARY_PATH := $(SGX_SDK)/lib64 + SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x64/sgx_sign + SGX_EDGER8R := $(SGX_SDK)/bin/x64/sgx_edger8r +endif + +ifeq ($(SGX_DEBUG), 1) +ifeq ($(SGX_PRERELEASE), 1) +$(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!) +endif +endif + +ifeq ($(SGX_DEBUG), 1) + SGX_COMMON_CFLAGS += -O0 -g +else + SGX_COMMON_CFLAGS += -O2 +endif + +ifneq ($(SGX_MODE), HW) + Trts_Library_Name := sgx_trts_sim + Service_Library_Name := sgx_tservice_sim +else + Trts_Library_Name := sgx_trts + Service_Library_Name := sgx_tservice +endif + +Crypto_Library_Name := sgx_tcrypto + +Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX +Wolfssl_C_Files :=$(WOLFSSL_ROOT)/wolfcrypt/src/aes.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/arc4.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/asn.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/blake2b.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/camellia.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/coding.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/chacha.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/chacha20_poly1305.c\ + $(WOLFSSL_ROOT)/src/crl.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/des3.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/dh.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/tfm.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/ecc.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/error.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/hash.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/hc128.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/hmac.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/integer.c\ + $(WOLFSSL_ROOT)/src/internal.c\ + $(WOLFSSL_ROOT)/src/io.c\ + $(WOLFSSL_ROOT)/src/keys.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/logging.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/md4.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/md5.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/memory.c\ + $(WOLFSSL_ROOT)/src/ocsp.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/pkcs7.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/pkcs12.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/poly1305.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/wolfmath.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/pwdbased.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/rabbit.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/random.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/ripemd.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/rsa.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/dsa.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/sha.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/sha256.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/sha512.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/signature.c\ + $(WOLFSSL_ROOT)/src/ssl.c\ + $(WOLFSSL_ROOT)/src/tls.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.c\ + $(WOLFSSL_ROOT)/wolfcrypt/src/wolfevent.c\ + $(WOLFSSL_ROOT)/wolfcrypt/test/test.c\ + $(WOLFSSL_ROOT)/wolfcrypt/benchmark/benchmark.c + +Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \ + -I$(WOLFSSL_ROOT)/wolfcrypt/ \ + -I$(WOLFSSL_ROOT)/wolfcrypt/test/ \ + -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/ \ + -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport + + +Flags_Just_For_C := -Wno-implicit-function-declaration -std=c11 +Common_C_Cpp_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Wolfssl_Include_Paths) -fno-builtin-printf -I. +Wolfssl_C_Flags := $(Flags_Just_For_C) $(Common_C_Cpp_Flags) $(Wolfssl_C_Extra_Flags) + +Wolfssl_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \ + -Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \ + -Wl,--start-group -lsgx_tstdc -lsgx_tstdcxx -l$(Crypto_Library_Name) -l$(Service_Library_Name) -Wl,--end-group \ + -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \ + -Wl,-pie,-eenclave_entry -Wl,--export-dynamic \ + -Wl,--defsym,__ImageBase=0 \ + -Wl,--version-script=trusted/wolfcrypt.lds + +Wolfssl_C_Objects := $(Wolfssl_C_Files:.c=.o) + +ifeq ($(SGX_MODE), HW) +ifneq ($(SGX_DEBUG), 1) +ifneq ($(SGX_PRERELEASE), 1) +Build_Mode = HW_RELEASE +endif +endif +endif + +override CFLAGS += $(Wolfssl_C_Flags) + +.PHONY: all run + +all: libwolfssl.sgx.static.lib.a + +######## WolfSSL Objects ######## + +libwolfssl.sgx.static.lib.a: $(Wolfssl_C_Objects) + ar rcs libwolfssl.sgx.static.lib.a $(Wolfssl_C_Objects) + @echo "LINK => $@" + +clean: + @rm -f wolfcrypt.* static_trusted/wolfssl_t.* libwolfssl.sgx.static.lib.a $(Wolfssl_C_Objects) diff --git a/src/ssl.c b/src/ssl.c index a67836d15..d025bef39 100755 --- a/src/ssl.c +++ b/src/ssl.c @@ -929,6 +929,16 @@ int wolfSSL_GetObjectSize(void) return sizeof(WOLFSSL); } + +int wolfSSL_CTX_GetObjectSize(void) +{ + return sizeof(WOLFSSL_CTX); +} + +int wolfSSL_METHOD_GetObjectSize(void) +{ + return sizeof(WOLFSSL_METHOD); +} #endif diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index c81d38058..04551a561 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -123,7 +123,7 @@ #define fopen wolfSSL_fopen #endif -#if defined(__GNUC__) && defined(__x86_64__) && !defined(NO_ASM) +#if defined(__GNUC__) && defined(__x86_64__) && !defined(NO_ASM) && !defined(WOLFSSL_SGX) #define HAVE_GET_CYCLES static INLINE word64 get_intel_cycles(void); static THREAD_LS_T word64 total_cycles; @@ -3724,6 +3724,8 @@ exit_ed_verify: return time_now; } +#elif defined(WOLFSSL_SGX) + double current_time(int reset); #else diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index 1a31d7a69..15ce6fa2d 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c @@ -117,6 +117,9 @@ void wolfSSL_Debugging_OFF(void) #else #include #endif +#elif defined(WOLFSSL_SGX) + /* Declare sprintf for ocall */ + int sprintf(char* buf, const char *fmt, ...); #else #include /* for default printf stuff */ #endif diff --git a/wolfssl/io.h b/wolfssl/io.h index 51d7545a3..c13419498 100644 --- a/wolfssl/io.h +++ b/wolfssl/io.h @@ -101,6 +101,8 @@ #include #include #include + #elif defined(WOLFSSL_SGX) + #include #elif !defined(WOLFSSL_NO_SOCK) #include #include diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 59608670b..ddf390de1 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1375,6 +1375,8 @@ WOLFSSL_API WC_RNG* wolfSSL_GetRNG(WOLFSSL*); WOLFSSL_API int wolfSSL_CTX_SetMinVersion(WOLFSSL_CTX* ctx, int version); WOLFSSL_API int wolfSSL_SetMinVersion(WOLFSSL* ssl, int version); WOLFSSL_API int wolfSSL_GetObjectSize(void); /* object size based on build */ +WOLFSSL_API int wolfSSL_CTX_GetObjectSize(void); +WOLFSSL_API int wolfSSL_METHOD_GetObjectSize(void); WOLFSSL_API int wolfSSL_GetOutputSize(WOLFSSL*, int); WOLFSSL_API int wolfSSL_GetMaxOutputSize(WOLFSSL*); WOLFSSL_API int wolfSSL_SetVersion(WOLFSSL* ssl, int version); diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 40188b935..5531462d5 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -1252,18 +1252,27 @@ extern void uITRON4_free(void *p) ; #endif #ifdef WOLFSSL_SGX - #define WOLFCRYPT_ONLY /* limitation until IO resolved */ + #ifdef _MSC_VER + #define WOLFCRYPT_ONLY + #define NO_RC4 + #define NO_DES3 + #define NO_SHA + #define NO_MD5 + #else + #define HAVE_ECC + #define TFM_TIMING_RESISTANT + #define NO_FILESYSTEM + #define NO_WRITEV + #define NO_MAIN_DRIVER + #define USER_TICKS + #define WOLFSSL_LOG_PRINTF + #define WOLFSSL_DH_CONST + #endif /* _MSC_VER */ #define SINGLE_THREADED #define NO_ASN_TIME /* can not use headers such as windows.h */ - - /* options used in created example */ #define HAVE_AESGCM #define USE_CERT_BUFFERS_2048 #define USE_FAST_MATH - #define NO_RC4 - #define NO_DES3 - #define NO_SHA - #define NO_MD5 #endif /* WOLFSSL_SGX */ /* FreeScale MMCAU hardware crypto has 4 byte alignment.