On Wed, Nov 08, 2017 at 12:07:26PM -0800, Sean Christopherson wrote:
> On Tue, 2017-10-10 at 17:32 +0300, Jarkko Sakkinen wrote:
> > +static RSA *load_sign_key(const char *path)
> > +{
> > + FILE *f;
> > + RSA *key;
> > +
> > + f = fopen(path, "rb");
> > + if (!f) {
> > + fprintf(stderr, "Unable to open %s\n", path);
> > + return NULL;
> > + }
> > + key = RSA_new();
> > + if (!PEM_read_RSAPrivateKey(f, &key, pem_passwd_cb, NULL))
> > + return NULL;
> > + fclose(f);
> > +
> > + if (BN_num_bytes(key->n) != SGX_MODULUS_SIZE) {
>
> Dereferencing the RSA pointer (key) breaks on OpenSSL 1.1.0 as RSA is now an
> opaque object. It's relatively easy to fudge around the issue, patch below.
>
> https://github.com/openssl/openssl/issues/1491
> https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
>
> > + fprintf(stderr, "Invalid key size %d\n", BN_num_bytes(key-
> > >n));
> > + RSA_free(key);
> > + return NULL;
> > + }
> > +
> > + return key;
> > +}
> > +
>
> diff --git drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
> drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
> index 27e8c61d033c..e454dc95f438 100644
> --- drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
> +++ drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
> @@ -110,6 +110,17 @@ static int pem_passwd_cb(char *buf, int size, int rwflag,
> void *u)
> return strlen(buf) >= size ? size - 1 : strlen(buf);
> }
>
> +static inline const BIGNUM *get_modulus(RSA *key)
> +{
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> + return key->n;
> +#else
> + const BIGNUM *n;
> + RSA_get0_key(key, &n, NULL, NULL);
> + return n;
> +#endif
> +}
> +
> static RSA *load_sign_key(const char *path)
> {
> FILE *f;
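Review bot: The version guard in get_modulus() tests only `OPENSSL_VERSION_NUMBER`, which LibreSSL reports as 0x20000000L, so a LibreSSL build would take the `RSA_get0_key()` branch whether or not that accessor exists there. If this host tool is expected to build against LibreSSL, widen the guard, e.g. `#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)` (2.7 being, as far as I know, the first release with the accessor). The helper also deserves a one-line comment, `/* Returns the modulus still owned by key; callers must not free it. */`, and its parameter can be `const RSA *key`.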
> @@ -125,8 +136,9 @@ static RSA *load_sign_key(const char *path)
> return NULL;
> fclose(f);
>
> - if (BN_num_bytes(key->n) != SGX_MODULUS_SIZE) {
> - fprintf(stderr, "Invalid key size %d\n", BN_num_bytes(key->n));
> + if (BN_num_bytes(get_modulus(key)) != SGX_MODULUS_SIZE) {
> + fprintf(stderr, "Invalid key size %d\n",
> + BN_num_bytes(get_modulus(key)));
> RSA_free(key);
> return NULL;
> }
> @@ -511,7 +523,7 @@ int main(int argc, char **argv)
> if (!sign_key)
> goto out;
>
> - BN_bn2bin(sign_key->n, ss.modulus);
> + BN_bn2bin(get_modulus(sign_key), ss.modulus);
>
> if (!measure_encl(argv[1], ss.body.mrenclave))
> goto out;
> Already sent v5 but I'll put this to v6. Thanks. /Jarkko
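Review bot: The PEM failure path in load_sign_key() returns without closing `f` and without printing anything, so a wrong passphrase or a malformed key file makes the signing tool fail silently; the first hunk here keeps that `return NULL;` as context while reworking the size check just below it. The object pre-allocated with `RSA_new()` may be leaked on that path as well, and OpenSSL's PEM documentation cautions that reusing an existing structure is not reliable across versions, so passing NULL and taking the return value is the simpler form. The function begins outside this hunk; the open and read calls are visible only in the quoted original patch.

```c
/* … unchanged: fopen() and its error path … */
	key = PEM_read_RSAPrivateKey(f, NULL, pem_passwd_cb, NULL);
	fclose(f);
	if (!key) {
		fprintf(stderr, "Unable to load private key from %s\n", path);
		return NULL;
	}
/* … unchanged: modulus size check via get_modulus() … */
```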