Skip to content

Commit

Permalink
zeroize EnclaveKey and UnsealedEnclaveKey after using them
Browse files Browse the repository at this point in the history
Signed-off-by: Jun Kimura <[email protected]>
  • Loading branch information
bluele committed Nov 19, 2024
1 parent fc3803f commit 2c0691b
Show file tree
Hide file tree
Showing 7 changed files with 53 additions and 45 deletions.
17 changes: 7 additions & 10 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,8 @@ pub(crate) fn generate_enclave_key(
input: GenerateEnclaveKeyInput,
) -> Result<GenerateEnclaveKeyResponse, Error> {
let ek = EnclaveKey::new()?;
let sealed_ek = ek.seal()?;
let ek_pub = ek.get_pubkey();
let sealed_ek = ek.seal()?;
let report_data = ReportData::new(ek_pub.as_address(), input.operator);
let report = match rsgx_create_report(&input.target_info, &report_data.into()) {
Ok(r) => r,
Expand Down
17 changes: 7 additions & 10 deletions enclave/Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 2 additions & 1 deletion modules/crypto/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,8 @@ serde = { version = "1.0.184", default-features = false, features = ["alloc", "d
serde-big-array = "0.5.1"
hex = { version = "0.4", default-features = false, features = ["alloc"] }
flex-error = { version = "0.4.4", default-features = false }
libsecp256k1 = { version = "0.7.1", default-features = false, features = ["static-context", "hmac"] }
libsecp256k1 = { rev = "48dabd8821852c5fe00b846f6c37e1f6b05c3d8c", git = "https://github.com/paritytech/libsecp256k1", default-features = false, features = ["static-context", "hmac"] }
zeroize = { version = "1.8.1", default-features = false, features = ["alloc", "zeroize_derive"] }

[features]
default = ["std"]
Expand Down
20 changes: 15 additions & 5 deletions modules/crypto/src/key.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,18 +2,18 @@ use crate::prelude::*;
use crate::{Error, Keccak256, Signer, Verifier};
use alloc::fmt;
use core::fmt::Display;
use libsecp256k1::PublicKeyFormat;
use core::sync::atomic;
use libsecp256k1::{
curve::Scalar,
util::{COMPRESSED_PUBLIC_KEY_SIZE, SECRET_KEY_SIZE},
Message, PublicKey, RecoveryId, SecretKey, Signature,
Message, PublicKey, PublicKeyFormat, RecoveryId, SecretKey, Signature,
};
use serde::{Deserialize, Serialize};
use serde_big_array::BigArray;
use sgx_types::sgx_sealed_data_t;
use tiny_keccak::Keccak;
use zeroize::Zeroizing;

#[derive(Default)]
pub struct EnclaveKey {
pub(crate) secret_key: SecretKey,
}
Expand Down Expand Up @@ -42,15 +42,25 @@ impl EnclaveKey {
Ok(Self { secret_key })
}

pub fn get_privkey(&self) -> [u8; SECRET_KEY_SIZE] {
self.secret_key.serialize()
pub fn get_privkey(self) -> Zeroizing<[u8; SECRET_KEY_SIZE]> {
Zeroizing::new(self.secret_key.serialize())
}

pub fn get_pubkey(&self) -> EnclavePublicKey {
EnclavePublicKey(PublicKey::from_secret_key(&self.secret_key))
}
}

impl Drop for EnclaveKey {
fn drop(&mut self) {
self.secret_key.clear();
// Use fences to prevent accesses from being reordered before this
// point, which should hopefully help ensure that all accessors
// see zeroes after this point.
atomic::compiler_fence(atomic::Ordering::SeqCst);
}
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct EnclavePublicKey(PublicKey);

Expand Down
37 changes: 20 additions & 17 deletions modules/crypto/src/sgx/sealing.rs
Original file line number Diff line number Diff line change
Expand Up @@ -4,39 +4,40 @@ use crate::EnclaveKey;
use crate::Error;
use crate::Signer;
use crate::{prelude::*, EnclavePublicKey};
use core::ops::Deref;
use libsecp256k1::{util::SECRET_KEY_SIZE, SecretKey};
use sgx_tseal::SgxSealedData;
use sgx_types::{marker::ContiguousMemory, sgx_sealed_data_t};
use sgx_types::{sgx_attributes_t, SGX_KEYPOLICY_MRENCLAVE, TSEAL_DEFAULT_MISCMASK};
use sgx_types::{
sgx_attributes_t, sgx_sealed_data_t, SGX_KEYPOLICY_MRENCLAVE, TSEAL_DEFAULT_MISCMASK,
};
use zeroize::Zeroizing;

#[derive(Clone, Copy)]
struct UnsealedEnclaveKey([u8; SECRET_KEY_SIZE]);

unsafe impl ContiguousMemory for UnsealedEnclaveKey {}
#[derive(Clone)]
struct UnsealedEnclaveKey(Zeroizing<[u8; SECRET_KEY_SIZE]>);

impl SealingKey for EnclaveKey {
fn seal(&self) -> Result<SealedEnclaveKey, Error> {
seal_enclave_key(UnsealedEnclaveKey(self.get_privkey()))
fn seal(self) -> Result<SealedEnclaveKey, Error> {
seal_enclave_key(&UnsealedEnclaveKey(self.get_privkey()))
}

fn unseal(sek: &SealedEnclaveKey) -> Result<Self, Error> {
let unsealed = unseal_enclave_key(&sek)?;
let secret_key = SecretKey::parse(&unsealed.0)?;
let secret_key = SecretKey::parse(unsealed.0.deref())?;
Ok(Self { secret_key })
}
}

fn seal_enclave_key(data: UnsealedEnclaveKey) -> Result<SealedEnclaveKey, Error> {
fn seal_enclave_key(data: &UnsealedEnclaveKey) -> Result<SealedEnclaveKey, Error> {
let attribute_mask = sgx_attributes_t {
flags: 0xffff_ffff_ffff_fff3,
xfrm: 0,
};
let sealed_data = SgxSealedData::<UnsealedEnclaveKey>::seal_data_ex(
let sealed_data = SgxSealedData::<[u8; SECRET_KEY_SIZE]>::seal_data_ex(
SGX_KEYPOLICY_MRENCLAVE,
attribute_mask,
TSEAL_DEFAULT_MISCMASK,
Default::default(),
&data,
data.0.deref(),
)
.map_err(|e| Error::sgx_error(e, "failed to seal enclave key".to_string()))?;
let mut sek = SealedEnclaveKey([0; SEALED_DATA_32_USIZE]);
Expand All @@ -56,16 +57,18 @@ fn seal_enclave_key(data: UnsealedEnclaveKey) -> Result<SealedEnclaveKey, Error>
fn unseal_enclave_key(sek: &SealedEnclaveKey) -> Result<UnsealedEnclaveKey, Error> {
let mut sek = sek.clone();
let sealed = unsafe {
SgxSealedData::<UnsealedEnclaveKey>::from_raw_sealed_data_t(
SgxSealedData::<[u8; SECRET_KEY_SIZE]>::from_raw_sealed_data_t(
sek.0.as_mut_ptr() as *mut sgx_sealed_data_t,
SEALED_DATA_32_SIZE,
)
}
.ok_or_else(|| Error::failed_unseal("failed to convert from raw sealed data".to_owned()))?;
Ok(*sealed
.unseal_data()
.map_err(|e| Error::sgx_error(e, "failed to unseal enclave key".to_string()))?
.get_decrypt_txt())
Ok(UnsealedEnclaveKey(Zeroizing::new(
*sealed
.unseal_data()
.map_err(|e| Error::sgx_error(e, "failed to unseal enclave key".to_string()))?
.get_decrypt_txt(),
)))
}

impl Signer for SealedEnclaveKey {
Expand Down
2 changes: 1 addition & 1 deletion modules/crypto/src/traits.rs
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ pub trait SealingKey
where
Self: core::marker::Sized,
{
fn seal(&self) -> Result<SealedEnclaveKey, Error>;
fn seal(self) -> Result<SealedEnclaveKey, Error>;
fn unseal(sek: &SealedEnclaveKey) -> Result<Self, Error>;
}

Expand Down

0 comments on commit 2c0691b

Please sign in to comment.