1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
//! Runtime attestation key handling.
use std::{
    collections::VecDeque,
    sync::{Arc, RwLock},
};

use anyhow::Result;
use base64::prelude::*;
use rand::{rngs::OsRng, Rng};
use sgx_isa::Targetinfo;
use thiserror::Error;
use tiny_keccak::{Hasher, TupleHash};

use crate::{
    common::{
        crypto::{
            hash::Hash,
            mrae::deoxysii::{self, Opener},
            signature::{self, Signature, Signer},
            x25519,
        },
        sgx::{self, EnclaveIdentity, Quote, QuotePolicy, VerifiedQuote},
        time::insecure_posix_time,
    },
    consensus::registry::EndorsedCapabilityTEE,
    TeeType, BUILD_INFO,
};

/// Context used for computing the RAK digest.
const RAK_HASH_CONTEXT: &[u8] = b"oasis-core/node: TEE RAK binding";
/// Context used for deriving the nonce used in quotes.
const QUOTE_NONCE_CONTEXT: &[u8] = b"oasis-core/node: TEE quote nonce";

/// A dummy RAK seed for use in non-SGX tests where integrity is not needed.
const INSECURE_RAK_SEED: &str = "ekiden test key manager RAK seed";
/// A dummy REK seed for use in non-SGX tests where confidentiality is not needed.
const INSECURE_REK_SEED: &str = "ekiden test key manager REK seed";

/// Identity-related error.
#[derive(Error, Debug)]
enum IdentityError {
    #[error("RAK binding mismatch")]
    BindingMismatch,
    #[error("malformed report data")]
    MalformedReportData,
}

/// Quote-related errors.
#[derive(Error, Debug)]
enum QuoteError {
    #[error("target info not set")]
    TargetInfoNotSet,
    #[error("malformed target_info")]
    MalformedTargetInfo,
    #[error("MRENCLAVE mismatch")]
    MrEnclaveMismatch,
    #[error("MRSIGNER mismatch")]
    MrSignerMismatch,
    #[error("quote nonce mismatch")]
    NonceMismatch,
    #[error("quote policy not set")]
    QuotePolicyNotSet,
    #[error("node identity not set")]
    NodeIdentityNotSet,
    #[error("endorsed quote mismatch")]
    EndorsedQuoteMismatch,
}

struct Inner {
    rak: signature::PrivateKey,
    rek: x25519::PrivateKey,
    quote: Option<Arc<Quote>>,
    quote_timestamp: Option<i64>,
    quote_policy: Option<Arc<QuotePolicy>>,
    known_quotes: VecDeque<Arc<Quote>>,
    enclave_identity: Option<EnclaveIdentity>,
    node_identity: Option<signature::PublicKey>,
    endorsed_capability_tee: Option<EndorsedCapabilityTEE>,
    target_info: Option<Targetinfo>,
    nonce: Option<[u8; 32]>,
}

/// Runtime identity.
///
/// The identity can be used to sign remote attestations with runtime
/// attestation key (RAK) or to decrypt ciphertexts sent to the enclave
/// with runtime encryption key (REK). RAK avoids round trips to IAS/PCS
/// for each verification as the verifier can instead verify the RAK signature
/// and the signature on the provided quote which binds RAK to the enclave.
/// REK allows enclaves to publish encrypted data on-chain to an enclave
/// instance.
pub struct Identity {
    inner: RwLock<Inner>,
}

impl Default for Identity {
    fn default() -> Self {
        Self::new()
    }
}

impl Identity {
    /// Create an uninitialized runtime identity.
    pub fn new() -> Self {
        let (rak, rek) = match BUILD_INFO.tee_type {
            TeeType::None => {
                // Use insecure mock keys for insecure non-TEE builds.
                assert!(!BUILD_INFO.is_secure);

                (
                    signature::PrivateKey::from_test_seed(INSECURE_RAK_SEED.to_string()),
                    x25519::PrivateKey::from_test_seed(INSECURE_REK_SEED.to_string()),
                )
            }
            _ => {
                // Generate ephemeral RAK and REK.
                (
                    signature::PrivateKey::generate(),
                    x25519::PrivateKey::generate(),
                )
            }
        };

        Self {
            inner: RwLock::new(Inner {
                rak,
                rek,
                quote: None,
                quote_timestamp: None,
                quote_policy: None,
                known_quotes: Default::default(),
                enclave_identity: EnclaveIdentity::current(),
                node_identity: None,
                endorsed_capability_tee: None,
                target_info: None,
                nonce: None,
            }),
        }
    }

    /// Generate report body = H(RAK_HASH_CONTEXT || RAK_pub).
    fn report_body_for_rak(rak: &signature::PublicKey) -> Hash {
        let mut message = [0; 64];
        message[0..32].copy_from_slice(RAK_HASH_CONTEXT);
        message[32..64].copy_from_slice(rak.as_ref());
        Hash::digest_bytes(&message)
    }

    /// Generate a random 256-bit nonce, for anti-replay.
    fn generate_nonce() -> [u8; 32] {
        let mut nonce_bytes = [0u8; 32];
        OsRng.fill(&mut nonce_bytes);

        let mut h = TupleHash::v256(QUOTE_NONCE_CONTEXT);
        h.update(&nonce_bytes);
        h.finalize(&mut nonce_bytes);

        nonce_bytes
    }

    /// Get the SGX target info.
    fn get_sgx_target_info(&self) -> Option<Targetinfo> {
        let inner = self.inner.read().unwrap();
        inner.target_info.clone()
    }

    /// Initialize the SGX target info.
    pub(crate) fn init_target_info(&self, target_info: Vec<u8>) -> Result<()> {
        match BUILD_INFO.tee_type {
            TeeType::Sgx => {
                let mut inner = self.inner.write().unwrap();

                // Set the Quoting Enclave target_info first, as unlike key generation
                // it can fail.
                let target_info = match Targetinfo::try_copy_from(&target_info) {
                    Some(target_info) => target_info,
                    None => return Err(QuoteError::MalformedTargetInfo.into()),
                };
                inner.target_info = Some(target_info);

                Ok(())
            }
            TeeType::Tdx => {
                // Target info configuration is not needed on TDX and MUST be empty.
                if !target_info.is_empty() {
                    return Err(QuoteError::MalformedTargetInfo.into());
                }

                Ok(())
            }
            TeeType::None => Ok(()),
        }
    }

    /// Initialize the attestation report.
    pub(crate) fn init_report(
        &self,
    ) -> Result<(signature::PublicKey, x25519::PublicKey, Vec<u8>, String)> {
        let rak_pub = self.public_rak();
        let rek_pub = self.public_rek();

        // Generate a new anti-replay nonce.
        let nonce = Self::generate_nonce();
        // Generate report body.
        let report_body = Self::report_body_for_rak(&rak_pub);
        let mut report_data = [0; 64];
        report_data[0..32].copy_from_slice(report_body.as_ref());
        report_data[32..64].copy_from_slice(nonce.as_ref());

        let result = match BUILD_INFO.tee_type {
            TeeType::Sgx => {
                let target_info = self
                    .get_sgx_target_info()
                    .ok_or(QuoteError::TargetInfoNotSet)?;

                // The derived nonce is only used in case IAS-based attestation is used
                // as it is included in the outer AVR envelope. But given that the body
                // also includes the nonce in our specific case, this is not relevant.
                let quote_nonce = BASE64_STANDARD.encode(&nonce[..24]);

                let report = sgx::report_for(&target_info, &report_data);
                let report: &[u8] = report.as_ref();
                let report = report.to_vec();

                // This used to reset the quote, but that is now done in the external
                // accessor combined with a freshness check.

                (rak_pub, rek_pub, report, quote_nonce)
            }
            #[cfg(feature = "tdx")]
            TeeType::Tdx => {
                // In TDX we can immediately generate a quote. Do it and return it as a "report".
                let quote = crate::common::tdx::report::get_quote(&report_data)?;

                (rak_pub, rek_pub, quote, String::new())
            }
            _ => panic!("init_report called outside TEE environment"),
        };

        // Cache the nonce, the report was generated.
        let mut inner = self.inner.write().unwrap();
        inner.nonce = Some(nonce);

        Ok(result)
    }

    /// Configure the remote attestation quote for RAK.
    pub(crate) fn set_quote(
        &self,
        node_id: signature::PublicKey,
        quote: Quote,
    ) -> Result<VerifiedQuote> {
        let rak_pub = self.public_rak();

        let mut inner = self.inner.write().unwrap();

        // If there is no anti-replay nonce set, we aren't in the process of attesting.
        let expected_nonce = match &inner.nonce {
            Some(nonce) => *nonce,
            None => return Err(QuoteError::NonceMismatch.into()),
        };

        // Verify that the quote's nonce matches one that we generated,
        // and remove it.  If the validation fails for any reason, we
        // should not accept a new quote with the same nonce as a quote
        // that failed.
        inner.nonce = None;

        let policy = inner
            .quote_policy
            .as_ref()
            .ok_or(QuoteError::QuotePolicyNotSet)?;
        let verified_quote = quote.verify(policy)?;
        let nonce = &verified_quote.report_data[32..];
        if expected_nonce.as_ref() != nonce {
            return Err(QuoteError::NonceMismatch.into());
        }

        // Verify that the quote's enclave identity matches our own.
        let enclave_identity = inner
            .enclave_identity
            .as_ref()
            .expect("Enclave identity must be configured");
        if verified_quote.identity.mr_enclave != enclave_identity.mr_enclave {
            return Err(QuoteError::MrEnclaveMismatch.into());
        }
        if verified_quote.identity.mr_signer != enclave_identity.mr_signer {
            return Err(QuoteError::MrSignerMismatch.into());
        }

        // Verify that the quote has H(RAK) in report body.
        Self::verify_binding(&verified_quote, &rak_pub)?;

        // If there is an existing quote that is dated more recently than
        // the one being set, silently ignore the update.
        if inner.quote.is_some() {
            let existing_timestamp = inner.quote_timestamp.unwrap();
            if existing_timestamp > verified_quote.timestamp {
                return Ok(verified_quote);
            }
        }

        // Ensure host identity cannot change.
        match inner.node_identity {
            Some(existing_node_id) if node_id != existing_node_id => {
                panic!("host node identity may never change");
            }
            Some(_) => {} // Host identity already set and is the same.
            None => inner.node_identity = Some(node_id),
        }

        let quote = Arc::new(quote);
        inner.quote = Some(quote.clone());
        inner.quote_timestamp = Some(verified_quote.timestamp);

        // Keep around last two valid quotes to allow for transition as node registration does not
        // happen immediately after a quote has been verified by the runtime.
        inner.known_quotes.push_back(quote);
        if inner.known_quotes.len() > 2 {
            inner.known_quotes.pop_front();
        }

        Ok(verified_quote)
    }

    /// Configure the runtime quote policy.
    pub(crate) fn set_quote_policy(&self, policy: QuotePolicy) -> Result<()> {
        let mut inner = self.inner.write().unwrap();
        inner.quote_policy = Some(Arc::new(policy));

        Ok(())
    }

    /// Configure the endorsed TEE capability.
    pub(crate) fn set_endorsed_capability_tee(&self, ect: EndorsedCapabilityTEE) -> Result<()> {
        // Make sure the endorsed quote is actually ours.
        if !ect.capability_tee.matches(self) {
            return Err(QuoteError::EndorsedQuoteMismatch.into());
        }

        let mut inner = self.inner.write().unwrap();
        let policy = inner
            .quote_policy
            .as_ref()
            .ok_or(QuoteError::QuotePolicyNotSet)?;
        let node_id = inner.node_identity.ok_or(QuoteError::NodeIdentityNotSet)?;

        // Verify the endorsed capability TEE to make sure it matches our state.
        if ect.node_endorsement.public_key != node_id {
            return Err(QuoteError::EndorsedQuoteMismatch.into());
        }
        ect.verify(policy)?;

        inner.endorsed_capability_tee = Some(ect);

        Ok(())
    }

    /// Endorsed TEE capability.
    pub fn endorsed_capability_tee(&self) -> Option<EndorsedCapabilityTEE> {
        let inner = self.inner.read().unwrap();
        inner.endorsed_capability_tee.clone()
    }

    /// Host node identity public key.
    pub fn node_identity(&self) -> Option<signature::PublicKey> {
        let inner = self.inner.read().unwrap();
        inner.node_identity
    }

    /// Public part of RAK.
    ///
    /// This method will return an insecure test key in the case where
    /// the enclave is not running on SGX hardware.
    pub fn public_rak(&self) -> signature::PublicKey {
        let inner = self.inner.read().unwrap();
        inner.rak.public_key()
    }

    /// Public part of REK.
    ///
    /// This method will return an insecure test key in the case where
    /// the enclave is not running on SGX hardware.
    pub fn public_rek(&self) -> x25519::PublicKey {
        let inner = self.inner.read().unwrap();
        inner.rek.public_key()
    }

    /// Quote for RAK.
    ///
    /// This method may return `None` in case quote has not yet been set from
    /// the outside, or if the quote has expired.
    pub fn quote(&self) -> Option<Arc<Quote>> {
        let now = insecure_posix_time();

        // Enforce quote expiration.
        let mut inner = self.inner.write().unwrap();
        if inner.quote.is_some() {
            let quote = inner.quote.as_ref().unwrap();
            let timestamp = inner.quote_timestamp.unwrap();
            let quote_policy = inner.quote_policy.as_ref().unwrap();

            if !quote.is_fresh(now, timestamp, quote_policy) {
                // Reset the quote.
                inner.quote = None;
                inner.quote_timestamp = None;
                inner.quote_policy = None;

                return None;
            }
        }

        inner.quote.clone()
    }

    /// Runtime quote policy.
    ///
    /// This method may return `None` in the case where the enclave is not
    /// running on SGX hardware or if the quote policy has not yet been
    /// fetched from the consensus layer.
    pub fn quote_policy(&self) -> Option<Arc<QuotePolicy>> {
        let inner = self.inner.read().unwrap();
        inner.quote_policy.clone()
    }

    /// Verify a provided RAK binding.
    pub fn verify_binding(quote: &VerifiedQuote, rak: &signature::PublicKey) -> Result<()> {
        if quote.report_data.len() < 32 {
            return Err(IdentityError::MalformedReportData.into());
        }
        if Self::report_body_for_rak(rak).as_ref() != &quote.report_data[..32] {
            return Err(IdentityError::BindingMismatch.into());
        }

        Ok(())
    }

    /// Checks whether the RAK matches another specified (RAK_pub, quote) pair.
    pub fn rak_matches(&self, rak: &signature::PublicKey, quote: &Quote) -> bool {
        // Check if public key matches.
        if &self.public_rak() != rak {
            return false;
        }

        let inner = self.inner.read().unwrap();
        inner.known_quotes.iter().any(|q| &**q == quote)
    }
}

impl Signer for Identity {
    fn public(&self) -> signature::PublicKey {
        let inner = self.inner.read().unwrap();
        inner.rak.public_key()
    }

    fn sign(&self, context: &[u8], message: &[u8]) -> Result<Signature> {
        let inner = self.inner.read().unwrap();
        inner.rak.sign(context, message)
    }
}

impl Opener for Identity {
    fn box_open(
        &self,
        nonce: &[u8; deoxysii::NONCE_SIZE],
        ciphertext: Vec<u8>,
        additional_data: Vec<u8>,
        peers_public_key: &x25519_dalek::PublicKey,
    ) -> Result<Vec<u8>> {
        let inner = self.inner.read().unwrap();
        let private_key = &inner.rek.0;

        deoxysii::box_open(
            nonce,
            ciphertext,
            additional_data,
            peers_public_key,
            private_key,
        )
    }
}