
aws-nitro-enclaves-nsm-api's Introduction

Nitro Secure Module library

This is a collection of helpers which Nitro Enclaves userland applications can use to communicate with a connected NitroSecureModule (NSM) device.

Various operations can be requested such as:

  • PCR query and manipulation
  • Attestation
  • Entropy

Prerequisites

An up-to-date Rust toolchain (v1.63.0 or later)

How To Build

  1. Clone the repository
  2. Execute make nsm-api-stable

How to Test

Prerequisites

Running the tests requires the command-executor tool, which is built with:

make command-executor

License

This project is licensed under the Apache-2.0 License.

Security issue notifications

If you discover a potential security issue in the Nitro Enclaves NSM API, we ask that you notify AWS Security via our vulnerability reporting page. Please do not create a public GitHub issue.

aws-nitro-enclaves-nsm-api's People

Contributors

alcioa, amazon-auto, axlprv, bveaws, dependabot[bot], devinschulz, kitjacky, kwantam, lfarrel6, meerd, petreeftime, popegeo, thomas-fossati


aws-nitro-enclaves-nsm-api's Issues

What is Infrastructure certificate ?

In the attestation process explanation page, the section explaining the structure of the attestation document has a certificate field. I would like to understand more about this.

certificate: cert, ; the infrastructure certificate used to sign this
; document, DER encoded

  1. What does infrastructure certificate mean?
  2. What kind of information is included in this infrastructure certificate?

Is there time service inside enclave?

There are time services such as Amazon Time Sync Service outside the enclave; however, they have to pass through the parent instance client, and we can't prove that the time was not modified from outside.
So is there any way I can get the time from inside the enclave? I can only find the get-attestation-document and random APIs here.

Versioning of the Nitro Secure Module?

I couldn't find any documentation on how to interpret the results of the DescribeNSM response.

From src/api/mod.rs:

pub enum Request {
    ...
    DescribeNSM,
    ...
}

pub enum Response {
    ...
    DescribeNSM {
        /// Breaking API changes are denoted by `major_version`
        version_major: u16,
        /// Minor API changes are denoted by `minor_version`. Minor versions should be backwards compatible.
        version_minor: u16,
        /// Patch version. These are security and stability updates and do not affect API.
        version_patch: u16,
        /// `module_id` is an identifier for a singular NitroSecureModule
        module_id: String,
        /// The maximum number of PCRs exposed by the NitroSecureModule.
        max_pcrs: u16,
        /// The PCRs that are read-only.
        locked_pcrs: BTreeSet<u16>,
        /// The digest of the PCR Bank
        digest: Digest,
    },
    ...
}

Other than trying out different nitro enclaves and seeing what values it returns, is there some sort of guidance on how to interpret the versions returned here? Would that potentially affect the API used to send requests to the nsm device API in src/driver/mod.rs? Is that something my enclave application should worry about checking?

How to integrate this module in your Nitro Enclaves project

In the README.md, the "How to integrate this module in your Nitro Enclaves project" section is still missing the link to the documentation. If this already exists it should be easy to add. If there is a link to the mentioned resource, please provide it; I would be happy to help with the documentation.

Rust bindings?

Granted that this library is intended as a memory safe subcomponent of the C SDK, it'd be nice to be able to write an entire enclave application in Rust. Are there any plans to expose similar functionality in Rust? Or is the idea to turn the SDK into a libc and go the Fortanix route? Either way, it'd be great to write more Rust!

Request attestation document inside vsock-sample.py

Hi @petreeftime and other contributors!

You have this neat sample showing how to communicate with the enclave ("server") from the EC2 instance ("client"), in python:

https://github.com/aws/aws-nitro-enclaves-samples/blob/main/vsock_sample/py/vsock-sample.py

I'm wondering how to get the enclave/server side of the code to request the attestation document (to then share it with the client). Is there a CLI command that would obtain it from the Nitro Hypervisor? Otherwise, I assume I'd have to use a python-rust bindings utility like pyo3. Which is the right rust function to point it to?

Am I correct in assuming that I will be able to include arbitrary data (in particular: a public key manually generated by the python code running inside the enclave) into the attestation document by including it in the attestation request call?

Thanks a lot!

Cryptographically secure RNG for python libraries

Hi, I want to use Python libraries like urllib.request and ecdsa from inside the enclave. Ultimately, their cryptographic security relies on library calls like ssl.RAND_bytes() and random.SystemRandom() returning cryptographically secure random numbers.

When I start the same .eif twice in a row, I see that ssl.RAND_bytes() returns different values. But I also read somewhere that "there's no randomness" in Nitro enclaves, and that for security reasons, I should use the RNG implemented in this library. I'm assuming the latter is correct, so I'm wondering what would be the easiest way to use the Nitro RNG provided by this library to make libraries like ssl act securely.

Is it possible to call the Nitro RNG only once at the beginning and inject entropy "system-wide", such that any library that relies on a pseudo-RNG that's cryptographically secure on a regular machine would also be secure inside a Nitro enclave?
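One way to get what this post asks for, added here as an example and not part of the project or of the post: Linux exposes the RNDADDENTROPY ioctl on /dev/random, which mixes caller-supplied bytes into the kernel pool and credits them as entropy, so everything that later draws from getrandom(2) or /dev/urandom (OpenSSL's RAND_bytes behind ssl.RAND_bytes(), os.urandom behind random.SystemRandom()) benefits without per-library changes. The block packs the struct rand_pool_info the ioctl expects and issues it. Assumptions: the 256 bytes come from os.urandom only so the block runs outside an enclave; inside one they would be the output of the NSM GetRandom request (nsm_lib::nsm_get_random, or Request::GetRandom through nsm_driver), which is not called here. The ioctl requires CAP_SYS_ADMIN, so it belongs in the enclave's init process, before the application starts.

```python
import fcntl
import os
import struct

# <linux/random.h>: RNDADDENTROPY = _IOW('R', 0x03, int[2]) = 0x40085203 on
# x86_64 and aarch64. Unlike write(2) to /dev/random, it also credits the
# entropy count, so getrandom(2) stops blocking once enough has been added.
RNDADDENTROPY = 0x40085203

def build_rand_pool_info(entropy: bytes) -> bytes:
    """Pack struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }.

    entropy_count is in bits. Every byte is credited in full, which is only
    justified when the bytes are the NSM's hardware-backed GetRandom output.
    """
    if not entropy:
        raise ValueError("refusing to credit zero bytes of entropy")
    padded = entropy + b"\x00" * (-len(entropy) % 4)     # buf is a __u32 array
    return struct.pack("ii", len(entropy) * 8, len(padded)) + padded

def seed_kernel_rng(entropy: bytes, device: str = "/dev/random") -> int:
    """Credit `entropy` to the kernel pool via RNDADDENTROPY; returns bits credited.

    Needs CAP_SYS_ADMIN, so run it from the enclave init, not the application.
    A bytearray is passed so fcntl hands the kernel our buffer directly instead
    of copying it into its 1024-byte scratch area.
    """
    payload = bytearray(build_rand_pool_info(entropy))
    fd = os.open(device, os.O_RDWR)
    try:
        fcntl.ioctl(fd, RNDADDENTROPY, payload)
    finally:
        os.close(fd)
    return len(entropy) * 8

if __name__ == "__main__":
    # Stand-in for the NSM GetRandom output (Request::GetRandom through
    # nsm_driver, or nsm_lib::nsm_get_random); os.urandom is used only so the
    # block runs outside an enclave. Inside one, pass the NSM bytes instead.
    nsm_bytes = os.urandom(256)
    try:
        print(f"credited {seed_kernel_rng(nsm_bytes)} bits to the kernel pool")
    except PermissionError:
        print("RNDADDENTROPY needs CAP_SYS_ADMIN; run from the enclave init")
```

Credit only bytes that actually came from the NSM: the entropy_count field tells the kernel how much to trust the input, and crediting bytes of unknown quality merely stops getrandom(2) from blocking on a pool it has no reason to trust.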

almost all PCRs in attestation document zero?

Hi @petreeftime. For some reason most PCR measurements in the attestation document are zero.

{'cabundle': [b'0\x82\x02\x110\x82\x01\x96\xa0\x03\x02\x01\x02\x02\x11\x00\xf91uh\x1b\x90\xaf\xe1\x1dF\xcc\xb4\xe4\xe7\xf8V0\n\x06\x08*\x86H\xce=\x04\x03\x030I1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x0f0\r\x06\x03U\x04\n\x0c\x06Amazon1\x0c0\n\x06\x03U\x04\x0b\x0c\x03AWS1\x1b0\x19\x06\x03U\x04\x03\x0c\x12aws.nitro-enclaves0\x1e\x17\r191028132805Z\x17\r491028142805Z0I1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x0f0\r\x06\x03U\x04\n\x0c\x06Amazon1\x0c0\n\x06\x03U\x04\x0b\x0c\x03AWS1\x1b0\x19\x06\x03U\x04\x03\x0c\x12aws.nitro-enclaves0v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\xfc\x02T\xeb\xa6\x08\xc1\xf3hp\xe2\x9a\xda\x90\xbeF82\x92sn\x89K\xff\xf6r\xd9\x89DKPQ\xe54\xa4\xb1\xf6\xdb\xe3\xc0\xbcX\x1a2\xb7\xb1v\x07\x0e\xde\x12\xd6\x9a?\xea!\x1bf\xe7R\xcf}\xd1\xdd\t_o\x13p\xf4\x17\x08C\xd9\xdc\x10\x01!\xe4\xcfc\x01(\tfD\x87\xc9yb\x840M\xc5?\xf4\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x90%\xb5\r\xd9\x05G\xe7\x96\xc3\x96\xfar\x9d\xcf\x99\xa9\xdfK\x960\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\n\x06\x08*\x86H\xce=\x04\x03\x03\x03i\x000f\x021\x00\xa3\x7f/\x91\xa1\xc9\xbd^\xe7\xb8b|\x16\x98\xd2U\x03\x8e\x1f\x03C\xf9[c\xa9b\x8c=9\x80\x95E\xa1\x1e\xbc\xbf.;U\xd8\xae\xeeq\xb4\xc3\xd6\xad\xf3\x021\x00\xa2\xf3\x9b\x16\x05\xb2p(\xa5\xddK\xa0i\xb5\x01ne\xb4\xfb\xde\x8f\xe0\x06\x1djS\x19\x7f\x9c\xda\xf5\xd9C\xbca\xfc+\xeb\x03\xcbo\xee\x8d#\x02\xf3\xdf\xf6',
  b'0\x82\x02\xbe0\x82\x02D\xa0\x03\x02\x01\x02\x02\x10(P\xc5\xf45\x0e\x12\x8dZ\xcd\x9d\n-\xd2i\xfe0\n\x06\x08*\x86H\xce=\x04\x03\x030I1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x0f0\r\x06\x03U\x04\n\x0c\x06Amazon1\x0c0\n\x06\x03U\x04\x0b\x0c\x03AWS1\x1b0\x19\x06\x03U\x04\x03\x0c\x12aws.nitro-enclaves0\x1e\x17\r210810174808Z\x17\r210830184808Z0d1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x0f0\r\x06\x03U\x04\n\x0c\x06Amazon1\x0c0\n\x06\x03U\x04\x0b\x0c\x03AWS1604\x06\x03U\x04\x03\x0c-c6c4a82b17eaa51b.us-east-2.aws.nitro-enclaves0v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\xbf8\xe1|\x8da\x17\xdc\x98E\xbc\xd8c\xa7\x19\x0e\xa6\xe2\x1b9\x8e\x1bPK\xb3\x082\x88\xa5E\x1f\xd3\xa8\xdeP\xa2!\x90g\xd5\xec\xf1i\x14\xe3\x97\x9b::\xb6\xb0\xb8x\xc7r!\xe3\xc3G\xf3\xb8\xa3\xb7_\x06\xcd\x06\x16\x04\xca\x0b\x16\x06\x88\xb5&!\x03\x8fLBl/\x8a<\x1fp]\r\xca\x1c\xac\x0e\x84d\r\xa3\x81\xd50\x81\xd20\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x020\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\x90%\xb5\r\xd9\x05G\xe7\x96\xc3\x96\xfar\x9d\xcf\x99\xa9\xdfK\x960\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x94\xf13\xf3\x8c\xc6\x12\x11\x0e\\\x89\xf1\xb7^m\x9aN\x04Q\xce0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860l\x06\x03U\x1d\x1f\x04e0c0a\xa0_\xa0]\x86[http://aws-nitro-enclaves-crl.s3.amazonaws.com/crl/ab4960cc-7d63-42bd-9e9f-59338cb67f84.crl0\n\x06\x08*\x86H\xce=\x04\x03\x03\x03h\x000e\x021\x00\xae\x02*\xa0e\xcb\x1ay\x0b\xc80ZJ<X\x05\xe5om\x16vEGp\xd7\x01\xf8$k4zuv\x83\n\x15FX\xc0\x0e&\xfdL\x0b\xa4\x07\xf4\x1f\x020r\xb6\xf0\x13\x1a\x9a\x06\xe7N\\/\xbbi3\xbbo\xcb\x92\x94\x18\xae\x1c\xf1\x08*3\xdeE\xad\x86\x82a4\xd9|\x8e\xff\x99\xd0Hj\xde\xb3{\x9c\r\x90Y',
  b'0\x82\x03\x160\x82\x02\x9b\xa0\x03\x02\x01\x02\x02\x11\x00\xba\xcd\xa7\x0e\x8e\x81$Q1\xeck\xf7DN\xda\x9e0\n\x06\x08*\x86H\xce=\x04\x03\x030d1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x0f0\r\x06\x03U\x04\n\x0c\x06Amazon1\x0c0\n\x06\x03U\x04\x0b\x0c\x03AWS1604\x06\x03U\x04\x03\x0c-c6c4a82b17eaa51b.us-east-2.aws.nitro-enclaves0\x1e\x17\r210812140211Z\x17\r210818030211Z0\x81\x891<0:\x06\x03U\x04\x03\x0c333d4c88459a338f1.zonal.us-east-2.aws.nitro-enclaves1\x0c0\n\x06\x03U\x04\x0b\x0c\x03AWS1\x0f0\r\x06\x03U\x04\n\x0c\x06Amazon1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x0b0\t\x06\x03U\x04\x08\x0c\x02WA1\x100\x0e\x06\x03U\x04\x07\x0c\x07Seattle0v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\x81Z\xf1N\xd3\x00}\xe1RC6Q\x8c\xdb+l\xf0\x10\xee\xf7\xf5ogL}\xd7\x92\x05\x0br\xd1\xb7\xe1\x10\x90y8\x9c\xd7A \xea\xcc\xec+\x97\x95\x8d\xfe\xc1\x1bF\xed\x98\xcdA\x91"\x162\xa1=\xd7T\xe0ST\x1f&\x1dG\xcd\xee\xaeJ\xbfN\x0e\x06\xa1\x02\xfe\xc7U\x87\xc6E\x84\x83\xe5\xe8\x83\xebj\xb5u\xa3\x81\xea0\x81\xe70\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x010\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\x94\xf13\xf3\x8c\xc6\x12\x11\x0e\\\x89\xf1\xb7^m\x9aN\x04Q\xce0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xadw\xd6\xefu  \xd6\xca@+!\xff\x99\x98;\x93\xd4\x06\xf30\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x81\x80\x06\x03U\x1d\x1f\x04y0w0u\xa0s\xa0q\x86ohttp://crl-us-east-2-aws-nitro-enclaves.s3.us-east-2.amazonaws.com/crl/e6bf6be2-5873-418b-9c28-004f65b7da1b.crl0\n\x06\x08*\x86H\xce=\x04\x03\x03\x03i\x000f\x021\x00\xb2\x9f\x85\x06\xcd@U|\x83\xe3\x1e\xbe\x13\xfa\xf4">\x80\xbb\xaa\xb8\xc2rO\x19I\xb0\xfb\x97\x87\x82\xf7\x1ee\\\xde\x93Z\x9c\x97D\xdf.\x96>\x1d\xeb\x94\x021\x00\xeaVt$\xe4\x91\x07LG\xdd\xfdh\xc7uh\x89\xa3?+\xee\xaf\x05FO\xd8\xd7\xbf\xb1\xdai\x045\x87f\xc5\xff\xcd\xfa\xf7\x1b\xc74\xa2$\xca\x02\x86\xfc',
  b'0\x82\x02\x7f0\x82\x02\x04\xa0\x03\x02\x01\x02\x02\x14;\xd9U7\xad\xcc\x94\xb5\xd1w\xea\x8f\x04\xae\x13Y\xb3\x11\xab\xec0\n\x06\x08*\x86H\xce=\x04\x03\x030\x81\x891<0:\x06\x03U\x04\x03\x0c333d4c88459a338f1.zonal.us-east-2.aws.nitro-enclaves1\x0c0\n\x06\x03U\x04\x0b\x0c\x03AWS1\x0f0\r\x06\x03U\x04\n\x0c\x06Amazon1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x0b0\t\x06\x03U\x04\x08\x0c\x02WA1\x100\x0e\x06\x03U\x04\x07\x0c\x07Seattle0\x1e\x17\r210812222850Z\x17\r210813222850Z0\x81\x8e1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\x08\x0c\nWashington1\x100\x0e\x06\x03U\x04\x07\x0c\x07Seattle1\x0f0\r\x06\x03U\x04\n\x0c\x06Amazon1\x0c0\n\x06\x03U\x04\x0b\x0c\x03AWS1907\x06\x03U\x04\x03\x0c0i-0685ead7f58d20e1d.us-east-2.aws.nitro-enclaves0v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\xa7\xc8RHh\x95c\xee>>\xcd\xecq\x9d\xb5\xaf\xd69\x17\xae\x91\x05\xd3j\xb1\xb5\xb6\x9e\xc4>\x12\x07\x1d\xc6\xde\x89\xa90\xb2i\xde\xef\x16\xfb\x1d\xed\x84b\x94\xf6\xa0w\x11\xe0\xf3!\x8b\x80?G:9\xc1|J.]/{\x97n\x16v\xa3\x96F\xe05\xba\xee\xcbq\xdf\xb9\x04Bp\xf5\x00U:\xc5\xdb\xebk\x03\xa3&0$0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x02\x040\n\x06\x08*\x86H\xce=\x04\x03\x03\x03i\x000f\x021\x00\xc3\xae\x18\xb2\xdf\xf0cY)\xa0\xcd\xb7\xbcWa\x97\xc4!\xff\xd9E\x93\xc2\x1f\xf7j\xfa\xd3v\x1aV\xf4\xef\xb3\xa4\x107\x0b*Ez\x1f\xf1~\xb7\x8c\xc3\xc4\x021\x00\xe8qW*\x05\x9c&\x04m\xc1\x84]\x88\xba\x88>\x9c\x95>\xb4 2$\x16\x8c\x00$)\xa6@\xc1{r*so\x15q\x88>O\xb2\xad\x14\x978=\xb3'],
 'certificate': b'0\x82\x02{0\x82\x02\x01\xa0\x03\x02\x01\x02\x02\x10\x01{=\nr\x01\r\xd2\x00\x00\x00\x00a\x15\xc5X0\n\x06\x08*\x86H\xce=\x04\x03\x030\x81\x8e1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\x08\x0c\nWashington1\x100\x0e\x06\x03U\x04\x07\x0c\x07Seattle1\x0f0\r\x06\x03U\x04\n\x0c\x06Amazon1\x0c0\n\x06\x03U\x04\x0b\x0c\x03AWS1907\x06\x03U\x04\x03\x0c0i-0685ead7f58d20e1d.us-east-2.aws.nitro-enclaves0\x1e\x17\r210813010528Z\x17\r210813040528Z0\x81\x931\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\x08\x0c\nWashington1\x100\x0e\x06\x03U\x04\x07\x0c\x07Seattle1\x0f0\r\x06\x03U\x04\n\x0c\x06Amazon1\x0c0\n\x06\x03U\x04\x0b\x0c\x03AWS1>0<\x06\x03U\x04\x03\x0c5i-0685ead7f58d20e1d-enc017b3d0a72010dd2.us-east-2.aws0v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04u\xd8\xfd\x8c\xe5\x97\xd7G\xb8\xd2\xa5"z\xcb\xec\x95/\x91E\xc9\x864\xffrK\xceTKwYWe\x9b\xa3\xf7\xb8-\xf6\xfb\xad\xa4\x15}\xf4\x92\x14\x96=\x96b\x95k?u\xf8!\x0fa\xb7\xa1\xa7\x0f\xc7\xde\xa8\xb0\xb0\xbc\xfc\\\xcc\x18\xbf\xe1\xb5{\xba\x06"\xa52\x1d\xe8\xae\xb5@\xb1\xfc\xf1\x01M\xc7\xf2L\x83=\xa3\x1d0\x1b0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x0b\x06\x03U\x1d\x0f\x04\x04\x03\x02\x06\xc00\n\x06\x08*\x86H\xce=\x04\x03\x03\x03h\x000e\x021\x00\xaco\xff\x06+\xef\x1ai4_\xd9$\xec\x96HZ\xd3P/\x0ex\xa9\xe5\x04\x91\x18\xd4Z\x07\xf4tz\x96\x95:a\xd9Yy6,\xab\x10H\xb8S\xa6"\x020[\xd8/M\x85\xb6vK\x98\x02\xe33\x06hj\n.ch\xc4\x8e\x17~+\xe5\xbd\xbdR\'\x87\x86\x8c\x80\x87\xf5\xfebB\x0eX\x95\xa4\xf9\x93\x86"\x14\x89',
 'digest': 'SHA384',
 'module_id': 'i-0685ead7f58d20e1d-enc017b3d0a72010dd2',
 'nonce': None,
 'pcrs': {0: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
  1: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
  2: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
  3: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
  4: b'\x88<\xba\xae\xecW\xd1\xc7\x84d\x02\x1cS\xfbx3\xf8\x02\xf7\xfa7\xca\x1e\x90\xdfi\xef:`\x08tCZ\xbd#\xf0\xa7/\xf2\x10\xe3\xacB;\xfb\xefO\xd2',
  5: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
  6: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
  7: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
  8: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
  9: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
  10: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
  11: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
  12: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
  13: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
  14: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
  15: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'},
 'public_key': b'-----BEGIN PUBLIC KEY-----\nMFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAE3/sH0SC/O1IvkIz25BYCrQmtkfNR4te4\nfYXRL14tPLNjVuE8xxXpL84CxS2ostG3rvs7T656bU77ZWmZwkuAug==\n-----END PUBLIC KEY-----\n',
 'timestamp': 1628816728491,
 'user_data': b'more stuff'}

This must be a bug, right? The nitro-cli build-enclave --docker-uri ${DOCKER_IMAGE_NAME} --output-file ${EIF_FILE} command outputs correct PCR0-PCR2 values upon completion.

Below is the Rust code executing the request:

use nsm_io::Request;
use serde_bytes::ByteBuf;
use std::env;

fn main() {
    // Usage: <binary> <public_key> <user_data>
    let args: Vec<String> = env::args().collect();
    if args.len() < 3 {
        eprintln!("usage: {} <public_key> <user_data>", args[0]);
        std::process::exit(1);
    }

    // Open the NSM device; the fd is negative on failure and must be released with nsm_exit.
    let nsm_fd = nsm_driver::nsm_init();
    if nsm_fd < 0 {
        eprintln!("nsm_init failed: is /dev/nsm present inside the enclave?");
        std::process::exit(1);
    }

    // Caller-supplied values are echoed back inside the signed attestation document.
    let public_key = ByteBuf::from(args[1].as_bytes());
    let user_data = ByteBuf::from(args[2].as_bytes());

    let request = Request::Attestation {
        public_key: Some(public_key),
        user_data: Some(user_data),
        nonce: None,
    };

    // On success this is Response::Attestation { document }, the COSE_Sign1-encoded document.
    let response = nsm_driver::nsm_process_request(nsm_fd, request);
    println!("{:?}", response);

    nsm_driver::nsm_exit(nsm_fd);
}

nsm-io: nix and libc dependencies

Hi @petreeftime, are the nix and libc dependencies in nsm-io crucial? I'm trying to compile attestation-document verification Rust code that uses nsm-io to WASM with cargo build --target=wasm32-unknown-emscripten. It seems that this target doesn't support those two.

Why pcr slots values in attestation doc almost zero?

When I get the attestation document via nsm_get_attestation_doc, decode it to AttestationDoc and print the pcrs field, the result is the following:

{0: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 1: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 2: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 3: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 4: [43, 2, 224, 20, 65, 32, 71, 91, 127, 148, 183, 117, 138, 95, 61, 59, 153, 88, 232, 190, 205, 67, 205, 13, 218, 144, 123, 199, 43, 243, 162, 193, 247, 13, 112, 193, 8, 250, 100, 109, 90, 122, 121, 58, 192, 20, 192, 152],
 5: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 6: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 7: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 8: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 9: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 10: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 11: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 12: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 13: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 14: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 15: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]}

My question is:

  • Why are all PCR slots except slot 4 zero?
  • I have read the PCR slot description in the AWS official docs, which only introduces PCR 0, 1, 2, 3, 4, and 8. However, there are actually 16 PCR slots. Where can I read the PCR description in detail, and can I set custom PCR slots?

Thanks
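Both PCR dumps above, and the earlier question about the certificate field, are easiest to reason about with a verifier-side decoder in hand. The following is an added example written for this page, not code from the project or from the issue authors, in Python because verification normally runs outside the enclave (the vsock sample mentioned above is Python). It decodes the COSE_Sign1 envelope and its CBOR payload with a small hand-written decoder (no external packages), builds the RFC 9052 Sig_structure over which an ECDSA P-384 verification with the public key from the certificate field would run, and applies a verifier policy: expected PCR0, a nonce and timestamp for freshness, and the digest field. The all-zero check is there because an enclave started in debug mode reports its image measurements PCR0, PCR1 and PCR2 as all zeros in the attestation document, consistent with both dumps above; a verifier must treat that as "unmeasured", never as a match. Assumptions: the sample document, module ID, certificate bytes and 96-byte signature are constructed placeholders, so the signature cannot actually be verified here, and the policy values (300-second window, the expected PCR0) are illustrative.

```python
import hashlib
ZERO_PCR = b"\x00" * 48                       # each PCR is one SHA-384 digest

def _hdr(major, n):
    """CBOR head: major type in the top three bits, argument n after it."""
    if n < 24:
        return bytes([(major << 5) | n])
    size = next(s for s in (1, 2, 4, 8) if n < 1 << (8 * s))   # StopIteration if too large
    return bytes([(major << 5) | (24 + size.bit_length() - 1)]) + n.to_bytes(size, "big")

def cbor_encode(v):
    """Definite-length CBOR for the value types an attestation document uses."""
    if v is None:
        return b"\xf6"
    if isinstance(v, int):
        return _hdr(0, v) if v >= 0 else _hdr(1, -1 - v)
    if isinstance(v, bytes):
        return _hdr(2, len(v)) + v
    if isinstance(v, str):
        return _hdr(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return _hdr(4, len(v)) + b"".join(map(cbor_encode, v))
    if isinstance(v, dict):
        return _hdr(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"cannot encode {type(v).__name__}")

def _decode(buf, i):
    """Decode one CBOR item at offset i; returns (value, next offset)."""
    major, ai = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if ai > 27:
        raise ValueError("indefinite-length or reserved item")
    n = ai
    if ai >= 24:                                  # 1/2/4/8-byte argument follows
        size = 1 << (ai - 24)
        n, i = int.from_bytes(buf[i:i + size], "big"), i + size
    if major in (0, 1):                           # unsigned / negative integer
        return (n if major == 0 else -1 - n), i
    if major in (2, 3):                           # byte string / text string
        if i + n > len(buf):
            raise ValueError("truncated string")
        return (bytes(buf[i:i + n]) if major == 2 else buf[i:i + n].decode()), i + n
    if major in (4, 5):                           # array / map (n key-value pairs)
        items = []
        for _ in range(n * (2 if major == 5 else 1)):
            item, i = _decode(buf, i)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), i
    if major == 6:                                # tag (18 = COSE_Sign1): unwrap it
        return _decode(buf, i)
    if major == 7 and ai == 22:                   # null (absent nonce / public_key)
        return None, i
    raise ValueError("unsupported CBOR item")

def cbor_decode(buf):
    v, end = _decode(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return v

def parse_attestation(cose_sign1):
    """Split a COSE_Sign1 into (payload dict, Sig_structure bytes, signature)."""
    parts = cbor_decode(cose_sign1)
    if not (isinstance(parts, list) and len(parts) == 4):
        raise ValueError("not a COSE_Sign1 array")
    protected, _unprotected, payload, signature = parts
    # RFC 9052 Sig_structure: the bytes an ECDSA-P384 verify must be run over with the
    # public key from doc["certificate"]; that signature check is not performed here.
    sig_structure = cbor_encode(["Signature1", protected, b"", payload])
    return cbor_decode(payload), sig_structure, signature

def check_attestation(doc, expected_pcr0, now_ms, max_age_ms=300_000, nonce=None):
    """Verifier policy (this page's own, not the library's); [] means acceptable."""
    problems = []
    pcrs = doc.get("pcrs", {})
    if doc.get("digest") != "SHA384" or any(len(v) != 48 for v in pcrs.values()):
        problems.append("unexpected digest algorithm or PCR length")
    # Debug-mode enclaves report PCR0..2 as all zeros: reject explicitly, never compare.
    if pcrs.get(0) == ZERO_PCR:
        problems.append("PCR0 all zeros: unmeasured image (debug-mode enclave)")
    elif pcrs.get(0) != expected_pcr0:
        problems.append("PCR0 does not match the expected enclave image")
    if nonce is not None and doc.get("nonce") != nonce:
        problems.append("nonce mismatch (possible replay)")
    ts = doc.get("timestamp")
    if not isinstance(ts, int) or not 0 <= now_ms - ts <= max_age_ms:
        problems.append("timestamp outside the acceptance window")
    return problems

EXPECTED_PCR0 = hashlib.sha384(b"constructed EIF measurement").digest()

def sample_document(debug_mode, nonce=None):
    """Constructed COSE_Sign1 with the field layout of the dumps above; certificates and
    signature are placeholders, so only parsing and policy are exercised."""
    pcrs = {i: ZERO_PCR for i in range(16)}
    if not debug_mode:
        pcrs[0] = EXPECTED_PCR0
    pcrs[4] = hashlib.sha384(b"constructed PCR4 input").digest()
    doc = {"module_id": "i-0123456789abcdef0-enc0123456789abcdef", "digest": "SHA384",
           "timestamp": 1628816728491, "pcrs": pcrs, "nonce": nonce,
           "certificate": b"<constructed DER leaf>", "cabundle": [b"<constructed DER root>"],
           "public_key": None, "user_data": b"more stuff"}
    protected = cbor_encode({1: -35})                  # alg = ES384 (ECDSA P-384)
    return cbor_encode([protected, {}, cbor_encode(doc), b"\x00" * 96])
```

On a real document the remaining steps are to parse doc["certificate"] and doc["cabundle"] as DER X.509, chain the leaf up to the AWS Nitro Enclaves root you pin, check validity periods against the same clock used for the timestamp check, and verify the signature over the Sig_structure with the leaf's P-384 key; only after that do the PCR and nonce checks mean anything.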

Publish to crates.io

I am using nsm-driver and nsm-io in a Rust application, and it would be helpful to have those published on crates.io. As is, I will likely have to vendor them.

Feature Request: nix dependency should be optional

Outline of Issue

I'm implementing a crate which will allow clients to verify attestation documents served from Nitro Enclaves. While most of this is provided by aws-nitro-enclaves-cose, it's useful to use the AttestationDoc struct from the aws_nitro_enclaves_nsm_api crate to access the internals of the attestation document from the Cose payload.

This is currently possible, however the dependency on nix blocks these types being used on non *nix systems.

Proposal

As the nix dependency is only required for the driver module, I think it would be reasonable to introduce a nix feature flag. Leaving the feature default enabled would be no change for the crate as it exists.

The v0.2.0 release is unusable from crates.io

As the project is currently structured, the v0.2.0 release appears to be unusable when pulling from crates.io

As the code is currently structured/written, the only way to reasonably read a random number is using the nsm_lib::nsm_get_random. However, the nsm_lib code is unreachable when pulling the dependency from crates.io as follows in a Cargo.toml file:

aws-nitro-enclaves-nsm-api = "0.2.1"

since the nsm_lib library is placed as a sub-crate within the aws-nitro-enclaves-nsm-api crate, and cargo does not appear to have a way to reference crates this way.

This means that users wanting to pull random numbers from NSM need to specify the dependency as pulling from a tag on github as follows in a Cargo.toml file:

nsm_lib = { git = "https://github.com/aws/aws-nitro-enclaves-nsm-api.git/", tag = "v0.2.0", package = "nsm-lib", optional = true }

which is fine, but the aws-nitro-enclaves-nsm-api has been published to crates.io, so it was apparently your intention that this be possible.

There is evidence that there is work in progress to add accessor functions in aws-nitro-enclaves-nsm-api for the nsm-lib functions (perhaps preventing us from having to use unsafe), but this work appears to be incomplete.
