diff --git a/firmware/build/extract-mrenclave b/firmware/build/extract-mrenclave new file mode 100755 index 00000000..68b18fde --- /dev/null +++ b/firmware/build/extract-mrenclave @@ -0,0 +1,67 @@ +#! /usr/bin/env bash + +function print_usage() { + echo "Usage: $0 " + echo " or $0 " + echo "" + echo "Options:" + echo " signed_enclave: path of a signed enclave binary file (MUST end with '.signed' extension)." + echo " unsigned_enclave: path of an unsigned enclave binary file." + echo " config_file: configuration file specifying the enclave properties." + echo " refer to the oesign sign --help for the list of properties." + echo " this option is only required for unsigned enclaves." + echo "" + echo "Description:" + echo " This script extracts the MRENCLAVE and the DIGEST values from the enclave" + echo " binary and prints them to stdout. The script can be used both for unsigned" + echo " and signed enclave binaries." + echo "" + echo " Signed binaries:" + echo " The MRENCLAVE and DIGEST are calculated from the signed enclave binary." + echo " Both values are printed in hexadecimal format to stdout." + echo "" + echo " Unsigned binaries:" + echo " The DIGEST is calculated from the unsigned enclave binary and the enclave" + echo " properties specified in the configuration file. The MRENCLAVE is set to zero." + echo " Both values are printed in hexadecimal format to stdout." +} + +if [[ $# -lt 1 ]]; then + print_usage + exit 1 +fi + +pushd $(dirname $0) > /dev/null +BUILD_ROOT=$(pwd) +popd > /dev/null + +HSM_ROOT=$(realpath $BUILD_ROOT/../../) + +DOCKER_IMAGE=hsm:sgx +source $BUILD_ROOT/../../docker/check-image + +ENCLAVE_BIN=$(realpath $1 --relative-to=$HSM_ROOT) +if [[ ! -f $ENCLAVE_BIN ]]; then + echo "Invalid enclave path: $ENCLAVE_BIN" + exit 1 +else + ENCLAVE_ARG="-e $ENCLAVE_BIN" +fi + +if [[ $ENCLAVE_BIN == *.signed ]]; then + CONFIG_ARG="" +elif [[ $# -ge 2 ]]; then + CONFIG_ARG="-c $(realpath $2 --relative-to=$HSM_ROOT)" +else + echo "Invalid usage" + print_usage + exit 1 +fi + +DIGEST_CMD="oesign digest $ENCLAVE_ARG $CONFIG_ARG -d /tmp/enclave_digest > /dev/null && hexdump -v -e '/1 \"%02x\"' /tmp/enclave_digest" +MRENCLAVE_CMD="oesign dump $ENCLAVE_ARG | grep mrenclave | cut -d '=' -f 2" +EXTRACT_CMD="\$SGX_ENVSETUP && echo digest: \$($DIGEST_CMD) && echo mrenclave: \$($MRENCLAVE_CMD)" + +DOCKER_USER="$(id -u):$(id -g)" + +docker run -t --rm --user $DOCKER_USER -w /hsm2 -v ${HSM_ROOT}:/hsm2 ${DOCKER_IMAGE} /bin/bash -c "$EXTRACT_CMD"