Hilvert/sgx-kms

 
 

SGX Enabled OpenStack Barbican Key Management System

This software is a research proof of concept and not intended for production use

Create Barbican Enclave Installer

**IMPORTANT:** First generate an Intel(R) SGX enclave signing/private key and copy it to BarbiE/isv_enclave/isv_enclave_private.pem

Go to intel-sgx/source/SGX-Barbican/ and run:

    sudo ./makeself_installer.sh

This creates the BarbiE.bz2.run binary.

Barbican Enclave Installation

Execute "BarbiE.bz2.run" as root on the machine where you want to set up Barbican, with the IP address as argument:

    sudo ./BarbiE.bz2.run <ip_v4_address>

During installation it will prompt for the details needed to generate a self-signed SSL certificate.

Pre-requisite

  • All properties are mandatory

The required properties for Barbican are BARBICAN_ENCLAVE_PATH, IAS_URL, IAS_CRT_PATH, IAS_SPID and IAS_ENABLED, each on its own line.

Example:

    BARBICAN_ENCLAVE_PATH=/opt/BarbiE/lib
    IAS_URL=https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v1/report
    IAS_CRT_PATH=/root/client.pem
    IAS_SPID=76508EJNCLBLB8DS19AC35I5U7XDV828
    IAS_ENABLED=True/False
    KEY_PAIR_DIR=/path/to/dir

**IAS_ENABLED**: Enables or disables the server's communication with IAS for quote verification and signing.

**IAS_URL, IAS_CRT_PATH, IAS_SPID**: Required for quote validation by the BarbiE server; otherwise attestation will fail.

**KEY_PAIR_DIR**: Directory in which the server's Intel(R) SGX remote attestation ECDSA key pair is created if it does not exist. Otherwise the key pair already available in the KEY_PAIR_DIR folder, with filenames public_key.pem and private_key.pem, is used.

**IAS_CRT_PATH**: Path of the certificate file used to interact with IAS. This file contains both the certificate and the private key.
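A pre-flight check for these properties, as an added example that is not part of the sgx-kms repository: it flags missing required properties, a disabled IAS, a non-hex SPID, and private-key paths readable by other users. The function names, the `#` comment handling, and the sample paths and SPID are assumptions made for illustration.

```python
import os
import re
import stat

REQUIRED = ("BARBICAN_ENCLAVE_PATH", "IAS_URL", "IAS_CRT_PATH",
            "IAS_SPID", "IAS_ENABLED")

# Constructed sample; the SPID and KEY_PAIR_DIR are made-up values.
SAMPLE = """\
BARBICAN_ENCLAVE_PATH=/opt/BarbiE/lib
IAS_URL=https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v1/report
IAS_CRT_PATH=/root/client.pem
IAS_SPID=0123456789ABCDEF0123456789ABCDEF
IAS_ENABLED=True
KEY_PAIR_DIR=/opt/BarbiE/keys
"""

def parse_properties(text):
    """Parse one KEY=VALUE property per line; '#' comments are an assumption."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_properties(props, stat_fn=os.stat):
    """Return a list of findings; an empty list means nothing was flagged."""
    out = ["missing required property " + k for k in REQUIRED if not props.get(k)]
    enabled = props.get("IAS_ENABLED")
    if enabled == "False":
        out.append("IAS_ENABLED=False: server will not verify quotes with IAS")
    elif enabled and enabled != "True":
        out.append("IAS_ENABLED must be True or False")
    if props.get("IAS_URL") and not props["IAS_URL"].startswith("https://"):
        out.append("IAS_URL is not an https:// URL")
    if props.get("IAS_SPID") and not re.fullmatch(r"[0-9A-Fa-f]+", props["IAS_SPID"]):
        out.append("IAS_SPID is not a hex string")
    # Both paths hold private key material, so only the owner should have access.
    for key in ("IAS_CRT_PATH", "KEY_PAIR_DIR"):
        if props.get(key):
            try:
                if stat_fn(props[key]).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                    out.append(key + " is accessible to group or other users")
            except OSError:
                out.append(key + " does not exist or cannot be read")
    return out
```

Run `check_properties(parse_properties(open(path).read()))` before starting the service; `stat_fn` exists only so the permission check can be exercised without touching the filesystem.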

Barbican service start/stop/restart

    /opt/BarbiE/startup.sh start/stop/restart

Testing Barbican SGX Integration

Go to /opt/BarbiE/test_scripts/ and run:

    sudo python sgx.py <SPID> <CRT_PATH> <KDIR>

    SPID     : SPID provided by IAS in hexstring format (hexstring as provided by Intel(R) during IAS registration process of client cert)
    CRT_PATH : Absolute path of certificate for IAS server
    KDIR     : Directory path to store client public private key pair

Sample Commands

Provision Master key encryption key on Barbican

    sudo python sgx_client_wo_hw.py -ip [<IP>] -p <proj_id> [--admin] -s [<SPID>] -crt [<IAS_CRT>] [--server_verify_ias] [--client_verify_ias] -kdir /dirpath/to/store/keypair
    IP      : IPv4 address of the server. Default :- localhost
    proj_id : Project ID
    client_verify_ias : Client will call IAS for quote verification.
    server_verify_ias : Server will call IAS for quote verification.
    SPID    : SPID provided by IAS in hexstring format. Required only when we are providing 'client_verify_ias'
    IAS_CRT : Absolute path of certificate for IAS server. This file will contain both certificate and private key. Required only when we are providing 'client_verify_ias'
    kdir    : Directory path to store client key pair

SGX Aware client(without SGX Hardware) talking with Barbican Enclave

| ias_enable | server_verify_ias | client_verify_ias | Expected output |
|---|---|---|---|
| True | True | True | Client verified quote |
| True | True | False | Server(E) verified quote |
| True | False | True | Client verified quote |
| True | False | False | Server(E) verified quote |
| False | True | True | Client verified quote |
| False | True | False | Server(E) not configured to do ias verification |
| False | False | True | Client verified quote |
| False | False | False | No IAS verification required. Fake report generated by server(E) |

The ias_enabled flag indicates whether the server is configured to talk with IAS.

The server_verify_ias flag is provided by the client to let the server do the quote verification with IAS.

The client_verify_ias flag is provided by the client to let the server know that the client will verify the quote with IAS.

  • Provision Master key in Barbican

    sudo python sgx_client_wo_hw.py -ip [<IP>] -p <proj_id> [--admin] -s [<SPID>] -crt [<IAS_CRT>] [--server_verify_ias] [--client_verify_ias] -kdir /dirpath/to/store/keypair
    IP      : IPv4 address of the server.(Default - localhost)
    proj_id : Project ID
    client_verify_ias : Client will call IAS for quote verification.
    server_verify_ias : Server will call IAS for quote verification.
    SPID    : SPID provided by IAS in hex string format. Required only when we are providing 'client_verify_ias'
    IAS_CRT : Absolute path of certificate for IAS server. This file will contain both certificate and private key. Required only when we are providing 'client_verify_ias'
    kdir    : Directory path to store client key pair

  • Attestation and Secret management

    sudo python sgx_client_wo_hw.py -ip [<IP>] -p <proj_id> -s [<SPID>] -crt [<IAS_CRT>] [--server_verify_ias] [--client_verify_ias] -kdir /dirpath/to/store/keypair
    IP      : IPv4 address of the server.(Default - localhost)
    proj_id : Project ID
    client_verify_ias : Client will call IAS for quote verification.
    server_verify_ias : Server will call IAS for quote verification.
    SPID    : SPID provided by IAS in hexstring format. Required only when we are providing 'client_verify_ias'
    IAS_CRT : Absolute path of certificate for IAS server. Required only when we are providing 'client_verify_ias'
    kdir    : Directory path to store client key pair

Policy Management

    sudo python project_policy_mgmt.py -ip [<IP>] -p <proj_id> -po [<policy>] -att [<attribute>]
    IP        : IPv4 address of the server. Default :- localhost
    proj_id   : Project ID
    policy    : Project Policy to be set.
                Accepted values :-
                1 :- Mr Signer of the Client is validated.
                2 :- Mr Enclave of the Client is validated.
                3 :- Mr Enclave of the Client is validated with a list of third party enclaves.
    attribute : Path of the file containing base64 encoded Mr Enclave or Mr Signer or list of Mr Enclave. First line of file will contain owner's Mr enclave.

**NOTE:** The owner is the enclave that created the project.

SGX Aware client with SGX Hardware

E1 :- Enclave 1

E2 :- Enclave 2(BarbiE)

E1 is the initiator of the mutual attestation with E2.

| ias_enable | server_verify_ias | client_verify_ias | Expected output |
|---|---|---|---|
| True | True | True | E1 & E2 verify quote when acting as client enclave |
| True | True | False | E1 & E2 verify quote when acting as server enclave |
| True | False | True | E1 & E2 verify quote when acting as client enclave |
| True | False | False | E1 & E2 verify quote when acting as server enclave |
| False | True | True | Server not configured to do ias verification |
| False | True | False | Server not configured to do ias verification |
| False | False | True | Server not configured to do ias verification |
| False | False | False | E1 verify quote when acting as server enclave & E2 generate fake report when acting as server |

The ias_enabled flag indicates whether the server is configured to talk with IAS.

The server_verify_ias flag is provided by the client to let the server do the quote verification with IAS.

The client_verify_ias flag is provided by the client to let the server know that the client will verify the quote with IAS.

  • Mutual Attestation and Secret Management

    sudo python sgx_client_with_hw.py -ip [<IP>] -p <proj_id> -po [<policy>] -mre [<mr_enclave_list_file_path>] -s [<SPID>] -crt [<IAS_CRT>] [--server_verify_ias] [--client_verify_ias] -o_mr_e [<owner_mr_enclave>] -kdir /dirpath/to/store/keypair
    IP      : IPv4 address of the server. Default :- localhost
    proj_id : Project ID
    client_verify_ias : Client will call IAS for quote verification.
    server_verify_ias : Server will call IAS for quote verification.
    SPID    : SPID provided by IAS in hex string format
    IAS_CRT : Absolute path of certificate for IAS server. This file will contain both certificate and private key. Required only when we are providing 'client_verify_ias'
    owner_mr_enclave  : Mr enclave of that enclave who created the project.
    kdir    : Directory path to store generated key pair

  • Policy Management

    sudo python project_policy_mgmt.py -ip [<IP>] -p <proj_id> -po [<policy>] -att [<attribute>]
    IP        : IPv4 address of the server. Default :- localhost
    proj_id   : Project ID
    policy    : Project Policy to be set.
                Accepted values :-
                1 :- Mr Signer of the Client is validated.
                2 :- Mr Enclave of the Client is validated.
                3 :- Mr Enclave of the Client is validated with a list of third party enclaves.
    attribute : Path of the file containing base64 encoded Mr Enclave or Mr Signer or list of Mr Enclave. First line of file will contain owner's Mr enclave.

**NOTE:** The owner is the enclave that created the project.

- The above test scripts are for standalone use of Barbican. If Barbican is configured with Keystone, the client scripts won't work.
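A validator for the policy attribute file described under Policy Management, as an added example that is not part of the sgx-kms repository: it checks that every line is base64 and decodes to a 32-byte measurement before the file is passed to `-att`. The function name, the rule that policies 1 and 2 carry exactly one value, and the sample measurements are assumptions made for illustration.

```python
import base64
import binascii
import hashlib

MEASUREMENT_LEN = 32  # MRENCLAVE and MRSIGNER are 256-bit (SHA-256) values

def parse_attribute_file(text, policy):
    """Validate attribute-file content for policy 1, 2 or 3.

    Returns (first, rest): the first line's value (the owner's) and any
    further values, all as raw 32-byte strings.
    """
    if policy not in (1, 2, 3):
        raise ValueError("policy must be 1, 2 or 3")
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines:
        raise ValueError("attribute file is empty")
    values = []
    for n, line in enumerate(lines, 1):
        try:
            raw = base64.b64decode(line, validate=True)
        except binascii.Error:
            raise ValueError("line %d is not valid base64" % n)
        # A hex-encoded measurement is valid base64 too, but decodes to 48 bytes.
        if len(raw) != MEASUREMENT_LEN:
            raise ValueError("line %d decodes to %d bytes, expected %d"
                             % (n, len(raw), MEASUREMENT_LEN))
        if raw in values:
            raise ValueError("line %d repeats an earlier measurement" % n)
        values.append(raw)
    # Assumption: policies 1 and 2 take exactly one value; only policy 3 lists more.
    if policy in (1, 2) and len(values) != 1:
        raise ValueError("policy %d expects exactly one value" % policy)
    return values[0], values[1:]

# Constructed measurements (hashes of labels), not real enclave identities.
OWNER, PARTNER = (hashlib.sha256(s).digest() for s in (b"owner", b"partner"))
SAMPLE_POLICY3 = "\n".join(base64.b64encode(m).decode() for m in (OWNER, PARTNER)) + "\n"
```

The length check matters because a measurement pasted in hex passes base64 decoding unchanged and would otherwise be accepted as a different, 48-byte value.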
