SGX onboarding attestation gathering and verification (#242)

- Updated setup script to gather and verify attestation after onboarding is completed - Added runtime attestation dependencies to the SGX distribution Dockerfile
rsksmart · Jan 7, 2025 · ccb345a · ccb345a
1 parent 92445fd
commit ccb345a
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 3 deletions.
diff --git a/dist/sgx/Dockerfile b/dist/sgx/Dockerfile
@@ -12,6 +12,12 @@ RUN curl -L -o libssl1.1.deb  https://ftp.debian.org/debian/pool/main/o/openssl/
 
 # Install SGX runtime dependencies
 RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
+    echo 'deb [arch=amd64] http://azure.archive.ubuntu.com/ubuntu/ focal main restricted' | tee -a /etc/apt/sources.list.d/intel-sgx.list && \
+    echo 'deb [arch=amd64] https://packages.microsoft.com/ubuntu/20.04/prod focal main' | tee -a /etc/apt/sources.list.d/intel-sgx.list && \
+    gpg --keyserver keyserver.ubuntu.com --recv-keys 871920D1991BC93C 3B4FE6ACC0B21F32 EB3E94ADBE1229CF && \
+    gpg --export --armor 871920D1991BC93C | apt-key add - && \
+    gpg --export --armor 3B4FE6ACC0B21F32 | apt-key add - && \
+    gpg --export --armor EB3E94ADBE1229CF | apt-key add - && \
     curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - && \
     apt-get update && \
-    apt-get install -y libsgx-enclave-common
+    apt-get install -y libsgx-enclave-common libsgx-quote-ex libsgx-dcap-ql az-dcap-client
diff --git a/dist/sgx/scripts/setup b/dist/sgx/scripts/setup
@@ -34,6 +34,7 @@ PIN_FILE="$ROOT_DIR/pin.txt"
 EXPORT_DIR="$ROOT_DIR/export"
 PUBLIC_KEY_FILE="$EXPORT_DIR/public-keys.txt"
 PUBLIC_KEY_FILE_JSON="$EXPORT_DIR/public-keys.json"
+ATTESTATION_FILE="$EXPORT_DIR/attestation.json"
 
 # HSM scripts directory
 SCRIPTS_DIR=$ROOT_DIR/scripts
@@ -139,7 +140,17 @@ function onboard() {
 }
 
 function keys() {
-    $ADMIN pubkeys -o $PUBLIC_KEY_FILE
+    $ADMIN pubkeys -uo $PUBLIC_KEY_FILE
+    error
+}
+
+function attestation() {
+    $ADMIN attestation -o $ATTESTATION_FILE
+    error
+}
+
+function verify_attestation() {
+    $ADMIN verify_attestation -t $ATTESTATION_FILE -b $PUBLIC_KEY_FILE_JSON
     error
 }
 
@@ -161,10 +172,16 @@ echo -e "\e[1;33mOnboarding the powHSM... \e[0m"
 onboard
 echo -e "\e[1;33mOnboarding complete.\e[0m"
 echo
-echo -e "\e[1;32mGathering public keys\e[0m"
+echo -e "\e[1;32mGathering attestation\e[0m"
 createOutputDir
+attestation
+echo
+echo -e "\e[1;32mGathering public keys\e[0m"
 keys
 echo
+echo -e "\e[1;32mVerifying attestation\e[0m"
+verify_attestation
+echo
 echo -e "\e[1;32mStopping the powHSM...\e[0m"
 stopPowHsm
 cleanBinaries