Skip to content

Commit 8c6c056

Browse files
authored
Make it work with the new security monitor (#18)
1 parent f8d71ae commit 8c6c056

6 files changed

Lines changed: 60 additions & 19 deletions

File tree

CMakeLists.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -71,7 +71,7 @@ target_link_libraries(${host_bin} ${KEYSTONE_LIB_HOST} ${KEYSTONE_LIB_EDGE} ${KE
7171

7272
set(eyrie_files_to_copy eyrie-rt)
7373
add_eyrie_runtime(${eapp_bin}-eyrie
74-
"origin/master"
74+
"v1.0.0"
7575
${eyrie_plugins}
7676
${eyrie_files_to_copy})
7777

README.md

Lines changed: 38 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -15,12 +15,45 @@ The demo will generally work on the master branch of Keystone, but
1515
will ALWAYS work on the dev branch. We suggest building the dev branch
1616
of Keystone if you have any issues with the demo on master.
1717

18+
# Quick Start
19+
20+
The demo requires the expected hash of the security monitor.
21+
The hash will be used by the trusted client to verify that the server enclave
22+
is created and initialized by the known version of the SM.
23+
24+
If you want to skip this verification, you can pass in `--ignore-valid` flag
25+
to the client.
26+
27+
Please see the security monitor's documentation to see how to generate a hash.
28+
29+
Once you generated the `sm_expected_hash.h`, try:
30+
31+
```
32+
SM_HASH=<path/to/sm_expected_hash.h> ./quick-start.sh
33+
```
34+
35+
You should be able to see the server enclave package `demo-server.ke` and the
36+
trusted client `trusted_client.riscv` under `build` directory.
37+
38+
Copy these files into the machine, and run the server enclave.
39+
Then, connect to the server using the client.
40+
41+
```
42+
# on the server side
43+
./demo-server.ke
44+
```
45+
46+
```
47+
# on the client side
48+
./trusted_client.riscv
49+
```
50+
51+
The client will connect to the enclave and perform the remote attestation.
52+
If the attestation is successful, the client can send an arbitrary message to the server
53+
so that the server counts the number of words in the message and reply.
54+
1855
## Attestation Failures
1956

2057
It is expected that the client will reject the attestation report from
2158
the host if you haven't regenerated the expected hashes for the SM and
22-
eapp.
23-
24-
You can either use `make build-hash-using-qemu` to attempt a rebuild
25-
with new hashes or pass the `--ignore-valid` flag to the client for
26-
testing.
59+
eapp. Pass the `--ignore-valid` flag to the client for testing.

include/enclave_expected_hash.h

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
unsigned char enclave_expected_hash[] = {
2-
0xc3, 0x77, 0x32, 0x1b, 0xb3, 0x9f, 0x2a, 0x61, 0xac, 0x68, 0x6c, 0xcb,
3-
0x00, 0x08, 0x6d, 0x72, 0x7f, 0x5d, 0xb7, 0x30, 0x49, 0x86, 0xe8, 0x54,
4-
0xba, 0x3a, 0xa1, 0x77, 0xcd, 0xce, 0xfa, 0x0b, 0x58, 0x3e, 0x5d, 0xec,
5-
0x53, 0xbc, 0x5a, 0x95, 0xb9, 0xd0, 0x34, 0xb0, 0xc0, 0x1a, 0xe5, 0x4e,
6-
0xd5, 0x22, 0x3b, 0xd9, 0x66, 0x77, 0x7a, 0x6a, 0x9d, 0xdc, 0x17, 0x4d,
7-
0xab, 0x33, 0x8e, 0x93
2+
0x24, 0x68, 0x70, 0x51, 0x40, 0x1f, 0x75, 0x27,
3+
0x6f, 0xdb, 0x98, 0xd1, 0xd1, 0xdb, 0x6f, 0xff,
4+
0x7a, 0x8a, 0x72, 0x14, 0x91, 0x2f, 0x43, 0x1a,
5+
0x13, 0xa9, 0x63, 0x10, 0x2c, 0xba, 0xb1, 0x06,
6+
0x97, 0x29, 0xc7, 0x14, 0x3f, 0x2d, 0xb1, 0x94,
7+
0xcd, 0x18, 0xf3, 0xdc, 0xbd, 0x90, 0x77, 0xc1,
8+
0xcc, 0x00, 0x86, 0x86, 0x80, 0x32, 0xb1, 0x9e,
9+
0x9d, 0x4c, 0x3d, 0x88, 0x1f, 0x90, 0x8b, 0x57,
810
};
911
unsigned int enclave_expected_hash_len = 64;

quick-start.sh

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -29,9 +29,9 @@ then
2929
exit 0
3030
fi
3131

32-
if [[ ! -v KEYSTONE_DIR ]]
32+
if [[ ! -v SM_HASH ]]
3333
then
34-
echo "KEYSTONE_DIR is not set! Please set this to where you cloned Keystone repo."
34+
echo "SM_HASH is not set! Please follow README to generate the expected hash"
3535
exit 0
3636
fi
3737

@@ -78,13 +78,14 @@ cd ..
7878

7979
# Copy the expected hash over
8080
echo "Copying expected sm hash from riscv-pk, this may be incorrect!"
81-
cp $KEYSTONE_DIR/riscv-pk/hash/*.h include/
81+
cp $SM_HASH include/
8282

8383
# Build the demo
8484
mkdir -p build
8585
cd build
8686
cmake ..
8787
make
88+
make package
8889

8990
# Done!
9091
echo -e "************ Demo binaries built and copied into overlay directory. ***************

server_eapp/channel.c

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,11 @@
44
#include "string.h"
55
#include "edge_wrapper.h"
66

7+
unsigned char server_pk[crypto_kx_PUBLICKEYBYTES], server_sk[crypto_kx_SECRETKEYBYTES];
8+
unsigned char client_pk[crypto_kx_PUBLICKEYBYTES];
9+
unsigned char rx[crypto_kx_SESSIONKEYBYTES];
10+
unsigned char tx[crypto_kx_SESSIONKEYBYTES];
11+
712
void channel_init(){
813

914
/* libsodium config */

server_eapp/channel.h

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -6,10 +6,10 @@ void channel_establish();
66
int channel_recv(unsigned char* msg_buffer, size_t len, size_t* datalen);
77
size_t channel_get_send_size(size_t len);
88
void channel_send(unsigned char* msg, size_t len, unsigned char* ctx);
9-
unsigned char server_pk[crypto_kx_PUBLICKEYBYTES], server_sk[crypto_kx_SECRETKEYBYTES];
10-
unsigned char client_pk[crypto_kx_PUBLICKEYBYTES];
11-
unsigned char rx[crypto_kx_SESSIONKEYBYTES];
12-
unsigned char tx[crypto_kx_SESSIONKEYBYTES];
9+
extern unsigned char server_pk[], server_sk[];
10+
extern unsigned char client_pk[];
11+
extern unsigned char rx[];
12+
extern unsigned char tx[];
1313

1414

1515
#endif /* _CHANNEL_H_ */

0 commit comments

Comments
 (0)