ADD: initialize enclave hyperledger#2

ZhAnGeek · Oct 16, 2021 · 3966571 · 3966571
1 parent d702301
commit 3966571
Show file tree

Hide file tree

Showing 8 changed files with 344 additions and 0 deletions.
diff --git a/peer/node/enclave/check-sgx-error.h b/peer/node/enclave/check-sgx-error.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright 2019 Intel Corporation
+ * Copyright IBM Corp. All Rights Reserved.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef _CHECK_SGX_ERROR_H_
+#define _CHECK_SGX_ERROR_H_
+
+#include "log-defines.h"
+
+#define CHECK_SGX_ERROR_AND_RETURN_ON_ERROR(sgx_status_ret)                                        \
+    if (sgx_status_ret != SGX_SUCCESS)                                                             \
+    {                                                                                              \
+        LOG_ERROR(                                                                                 \
+            "Lib: ERROR - %s:%d: " #sgx_status_ret "=%d", __FUNCTION__, __LINE__, sgx_status_ret); \
+        return sgx_status_ret;                                                                     \
+    }
+
+#endif /* _CHECK_SGX_ERROR_H_ */
diff --git a/peer/node/enclave/common-sgxcclib.c b/peer/node/enclave/common-sgxcclib.c
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2019 Intel Corporation
+ * Copyright IBM Corp. All Rights Reserved.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#include "common-sgxcclib.h"
+
+#include "check-sgx-error.h"
+#include <unistd.h>
+#include <pwd.h>
+
+int sgxcc_create_enclave(sgx_enclave_id_t* eid, const char* enclave_file){
+    if (access(enclave_file, F_OK) == -1)
+    {
+        LOG_ERROR("Lib: enclave file does not exist! %s", enclave_file);
+        return SGX_ERROR_UNEXPECTED;
+    }
+
+    sgx_launch_token_t token = {0};
+    int updated = 0;
+
+    int ret = sgx_create_enclave(enclave_file, SGX_DEBUG_FLAG, &token, &updated, eid, NULL);
+    CHECK_SGX_ERROR_AND_RETURN_ON_ERROR(ret);
+
+    return SGX_SUCCESS;
+}
+
+int sgxcc_destroy_enclave(enclave_id_t eid){
+    int ret = sgx_destroy_enclave((sgx_enclave_id_t)eid);
+    CHECK_SGX_ERROR_AND_RETURN_ON_ERROR(ret)
+    return SGX_SUCCESS;
+}
diff --git a/peer/node/enclave/common-sgxcclib.h b/peer/node/enclave/common-sgxcclib.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2019 Intel Corporation
+ * Copyright IBM Corp. All Rights Reserved.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef _COMMON_SGXCCLIB_H_
+#define _COMMON_SGXCCLIB_H_
+
+#include "fpc-types.h"
+#include "sgx_urts.h"
+#include "log-defines.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int sgxcc_create_enclave(enclave_id_t* eid,
+    const char* enclave_file);
+int sgxcc_destroy_enclave(enclave_id_t eid);
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* !_COMMON_SGXCCLIB_H_ */
diff --git a/peer/node/enclave/enclave.go b/peer/node/enclave/enclave.go
@@ -0,0 +1,20 @@
+package enclave
+import "C"
+
+// #cgo CFLAGS: -I${SRCDIR}/sgxsdk/include
+// #cgo LDFLAGS: -L${SRCDIR}/sgxsdk/lib64 -lsgx_urts_sim -lsgx_uae_service_sim
+// #include "common-sgxcclib.h"
+//
+import "C"
+import (
+	"github.com/pkg/errors"
+)
+
+func CreateEnclave(enclaveLibFile string) (err error) {
+	var eid C.enclave_id_t
+	var ret = C.sgxcc_create_enclave(&eid, C.CString(enclaveLibFile))
+	if ret != 0 {
+		return errors.Errorf("can not create enclave (%s): Reason: %v", enclaveLibFile, ret)
+	}
+	return nil
+}
diff --git a/peer/node/enclave/fpc-types.h b/peer/node/enclave/fpc-types.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright IBM Corp. All Rights Reserved.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef _FPC_TYPES_H_
+#define _FPC_TYPES_H_
+
+#include <stdarg.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+typedef uint64_t enclave_id_t;
+typedef uint8_t* quote_t;
+typedef struct spid_t
+{
+    uint8_t id[16];
+} spid_t;
+
+typedef uint8_t report_t[432];
+typedef uint8_t target_info_t[512];
+typedef uint8_t cmac_t[16];
+
+typedef struct ec256_public_t
+{
+    uint8_t gx[32];
+    uint8_t gy[32];
+} ec256_public_t;
+
+typedef struct ec256_signature_t
+{
+    uint32_t x[8];
+    uint32_t y[8];
+} ec256_signature_t;
+
+#endif
diff --git a/peer/node/enclave/log-defines.h b/peer/node/enclave/log-defines.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright IBM Corp. All Rights Reserved.
+ * Copyright 2020 Intel Corporation
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef LOG_DEFINES
+#define LOG_DEFINES
+
+#ifndef TAG
+#define TAG ""
+#endif
+
+#define LOC_FMT " (%s:%d) "
+
+#define NRM "\x1B[0m"
+#define CYN "\x1B[36m"
+#define YEL "\x1B[33m"
+#define RED "\x1B[31m"
+
+#include <stdio.h>
+
+/*
+ * Note: `DO_DEBUG` is set to `false` by default, so no `LOG_DEBUG` is displayed.
+ * At compile time, this behaviour can be changed by defining `-DDO_DEBUG=true` before the header is
+ * included. In SGX deployments, such define should be set "only" when the `SGX_BUILD` environment
+ * variable is set to `DEBUG`. Finally, notice that `DO_INFO`, `DO_WARNING` and `DO_ERROR` are set
+ * to `true` by default. So, unless they are explictly disabled at compile time, the respective logs
+ * will be displayed.
+ */
+
+#ifndef DO_DEBUG
+#define DO_DEBUG false
+#endif
+
+#ifndef DO_INFO
+#define DO_INFO true
+#endif
+
+#ifndef DO_WARNING
+#define DO_WARNING true
+#endif
+
+#ifndef DO_ERROR
+#define DO_ERROR true
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+int printf(const char* fmt, ...);
+#ifdef __cplusplus
+}
+#endif
+
+#if DO_DEBUG == true
+#define LOG_DEBUG(fmt, ...) \
+    printf(CYN "DEBUG " LOC_FMT TAG YEL fmt NRM "\n", __FILE__, __LINE__, ##__VA_ARGS__)
+#else  // DO_DEBUG
+#define LOG_DEBUG(fmt, ...)
+#endif  // DO_DEBUG
+
+#if DO_INFO == true
+#define LOG_INFO(fmt, ...) \
+    printf(CYN "INFO " LOC_FMT TAG NRM fmt "\n", __FILE__, __LINE__, ##__VA_ARGS__)
+#else  // DO_INFO
+#define LOG_INFO(fmt, ...)
+#endif  // DO_INFO
+
+#if DO_WARNING == true
+#define LOG_WARNING(fmt, ...) \
+    printf(CYN "WARNING " LOC_FMT TAG RED fmt NRM "\n", __FILE__, __LINE__, ##__VA_ARGS__)
+#else  // DO_WARNING
+#define LOG_WARNING(fmt, ...)
+#endif  // DO_WARNING
+
+#if DO_ERROR == true
+#define LOG_ERROR(fmt, ...) \
+    printf(CYN "ERROR " LOC_FMT TAG RED fmt NRM "\n", __FILE__, __LINE__, ##__VA_ARGS__)
+#else  // DO_ERROR
+#define LOG_ERROR(fmt, ...)
+#endif  // DO_ERROR
+
+#define ERROR_LOG_STRING "error log - omitted"
+
+#endif  // LOG_DEFINES
diff --git a/peer/node/enclave/server/handle.go b/peer/node/enclave/server/handle.go
@@ -0,0 +1,56 @@
+package server
+
+import (
+	"github.com/hyperledger/fabric/common/flogging"
+	"github.com/hyperledger/fabric/peer/node/enclave"
+	"github.com/pkg/errors"
+	"github.com/spf13/viper"
+	"go.etcd.io/etcd/pkg/fileutil"
+	"net/http"
+)
+
+var logger = flogging.MustGetLogger("enclaveCmd")
+
+func CreateEnclave(enclaveSoPath string) (mrenclave string, enclavePk string, err error) {
+	if !fileutil.Exist(enclaveSoPath) {
+		err = errors.Errorf("no exists file path for enclave")
+		return
+	}
+
+	if e := enclave.CreateEnclave(enclaveSoPath); e == nil {
+		logger.Info("Enclave create success")
+	} else {
+		err = e
+		return
+	}
+	return
+}
+
+// 创建安全区
+func (s *HttpServer) HttpCreateEnclave(w http.ResponseWriter, r *http.Request) {
+	if viper.GetBool("peer.enclave.enabled") {
+		logger.Info("Enclave is creating...")
+		enclavePath := viper.GetString("peer.enclave.path")
+		w.WriteHeader(http.StatusOK)
+		if _, _, err := CreateEnclave(enclavePath) ; err != nil {
+			logger.Errorf("Error creating enclave for reason: %s", err)
+			w.WriteHeader(http.StatusBadRequest)
+		}
+	} else {
+		logger.Info("peer.enclave.enabled not set yet")
+		w.WriteHeader(http.StatusBadRequest)
+	}
+}
+
+// 获取安全区公钥
+func (s *HttpServer) HttpGetEnclavePubKey(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(http.StatusOK)
+}
+
+func (s *HttpServer) HttpSaveKey(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(http.StatusOK)
+}
+
+func (s *HttpServer) HttpGetKey(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(http.StatusOK)
+}
diff --git a/peer/node/enclave/server/server.go b/peer/node/enclave/server/server.go
@@ -0,0 +1,61 @@
+package server
+
+import (
+	"log"
+	"net/http"
+	"strconv"
+)
+
+const (
+	CreateEnclaveEntry     = "/create-enclave"
+	GetEnclavePubKeyEntry  = "/get-enclave-pubkey"
+	SaveKeyEntry           = "/save-key"
+	GetKeyEntry            = "/get-key"
+)
+// http 监听请求
+type HttpServer struct {
+	port   int
+	server *http.Server
+}
+
+func NewServer(port int) *HttpServer {
+	httpServer := &HttpServer{
+		port:   port,
+		server: nil,
+	}
+	// set server
+	return httpServer
+}
+
+func (s *HttpServer) Run() {
+	// register server service and run
+	log.Printf("[Node] start the listen server")
+	s.registerServer()
+}
+
+func (s *HttpServer) registerServer() {
+	log.Printf("[Server] set listen port:%d\n", s.port)
+
+	httpRegister := map[string]func(http.ResponseWriter, *http.Request){
+		CreateEnclaveEntry:    s.HttpCreateEnclave,
+		GetEnclavePubKeyEntry: s.HttpGetEnclavePubKey,
+		SaveKeyEntry:    s.HttpSaveKey,
+		GetKeyEntry:     s.HttpGetKey,
+	}
+
+	mux := http.NewServeMux()
+	for k, v := range httpRegister {
+		log.Printf("[Server] register the func for %s", k)
+		mux.HandleFunc(k, v)
+	}
+
+	s.server = &http.Server{
+		Addr:    ":" + strconv.Itoa(s.port),
+		Handler: mux,
+	}
+
+	if err := s.server.ListenAndServe(); err != nil {
+		log.Printf("[Server Error] %s", err)
+		return
+	}
+}