-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added script to extract the digest and mrenclave from a signed enclav…
…e binary (#221)
- Loading branch information
1 parent
aa6489a
commit 2e8d75f
Showing
1 changed file
with
67 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| #! /usr/bin/env bash | ||
|
|
||
| function print_usage() { | ||
| echo "Usage: $0 <signed_enclave>" | ||
| echo " or $0 <unsigned_enclave> <config_file>" | ||
| echo "" | ||
| echo "Options:" | ||
| echo " signed_enclave: path of a signed enclave binary file (MUST end with '.signed' extension)." | ||
| echo " unsigned_enclave: path of an unsigned enclave binary file." | ||
| echo " config_file: configuration file specifying the enclave properties." | ||
| echo " refer to the oesign sign --help for the list of properties." | ||
| echo " this option is only required for unsigned enclaves." | ||
| echo "" | ||
| echo "Description:" | ||
| echo " This script extracts the MRENCLAVE and the DIGEST values from the enclave" | ||
| echo " binary and prints them to stdout. The script can be used both for unsigned" | ||
| echo " and signed enclave binaries." | ||
| echo "" | ||
| echo " Signed binaries:" | ||
| echo " The MRENCLAVE and DIGEST are calculated from the signed enclave binary." | ||
| echo " Both values are printed in hexadecimal format to stdout." | ||
| echo "" | ||
| echo " Unsigned binaries:" | ||
| echo " The DIGEST is calculated from the unsigned enclave binary and the enclave" | ||
| echo " properties specified in the configuration file. The MRENCLAVE is set to zero." | ||
| echo " Both values are printed in hexadecimal format to stdout." | ||
| } | ||
|
|
||
| if [[ $# -lt 1 ]]; then | ||
| print_usage | ||
| exit 1 | ||
| fi | ||
|
|
||
| pushd $(dirname $0) > /dev/null | ||
| BUILD_ROOT=$(pwd) | ||
| popd > /dev/null | ||
|
|
||
| HSM_ROOT=$(realpath $BUILD_ROOT/../../) | ||
|
|
||
| DOCKER_IMAGE=hsm:sgx | ||
| source $BUILD_ROOT/../../docker/check-image | ||
|
|
||
| ENCLAVE_BIN=$(realpath $1 --relative-to=$HSM_ROOT) | ||
| if [[ ! -f $ENCLAVE_BIN ]]; then | ||
| echo "Invalid enclave path: $ENCLAVE_BIN" | ||
| exit 1 | ||
| else | ||
| ENCLAVE_ARG="-e $ENCLAVE_BIN" | ||
| fi | ||
|
|
||
| if [[ $ENCLAVE_BIN == *.signed ]]; then | ||
| CONFIG_ARG="" | ||
| elif [[ $# -ge 2 ]]; then | ||
| CONFIG_ARG="-c $(realpath $2 --relative-to=$HSM_ROOT)" | ||
| else | ||
| echo "Invalid usage" | ||
| print_usage | ||
| exit 1 | ||
| fi | ||
|
|
||
| DIGEST_CMD="oesign digest $ENCLAVE_ARG $CONFIG_ARG -d /tmp/enclave_digest > /dev/null && hexdump -v -e '/1 \"%02x\"' /tmp/enclave_digest" | ||
| MRENCLAVE_CMD="oesign dump $ENCLAVE_ARG | grep mrenclave | cut -d '=' -f 2" | ||
| EXTRACT_CMD="\$SGX_ENVSETUP && echo digest: \$($DIGEST_CMD) && echo mrenclave: \$($MRENCLAVE_CMD)" | ||
|
|
||
| DOCKER_USER="$(id -u):$(id -g)" | ||
|
|
||
| docker run -t --rm --user $DOCKER_USER -w /hsm2 -v ${HSM_ROOT}:/hsm2 ${DOCKER_IMAGE} /bin/bash -c "$EXTRACT_CMD" |