Dump attested TLS credentials upon starting up #108
base: oe_port
For each failure mode, could you add a SGXLKL_VERBOSE line?
I wonder if this should be an optional feature enabled in the app config since it adds a strict dependency to DCAP and hence network.
[ Duplicating our private discussion here ]
We need to address the layering here before it can be merged. We should not be introducing new code into src/enclave that has nontrivial dependencies on libc. Probably the best structure for this is to:
- Provide functionality in src/enclave for getting the raw attestation information, without mbedTLS dependencies. This can talk to OE APIs directly.
- Modify LKL to allow exposing that somewhere in sysfs (or possibly as a device node) by calling the APIs added in src/enclave.
- Add the userspace component that reads the raw data from the kernel-owned file, uses mbedTLS to generate the certificates, and puts them in a well-known location.

@davidchisnall, which flow triggers sysfs here? Is it still triggered by startmain in enclave_init.c as in the current change?
if (private_key_size_out) | ||
*private_key_size_out = 0; | ||
|
||
if (!cert_out || !cert_size_out || !private_key_out || |
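Review bot: At the `if (!cert_out || !cert_size_out || !private_key_out ||` check, `*private_key_size_out` has already been reset under its own null guard, so outputs are cleared before the arguments are validated. Please state in the function's header comment that the out-parameters are overwritten on entry and never freed by this function, so a caller must not pass a pointer that still owns a buffer.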
The logic here is not clear.
From lines 163-173, all the values pointed to by these out-parameter pointers are assigned NULL or 0 before the 'if' logic checks the pointers and sends the flow to 'done'. Who will manage the memory pointed to by these pointers before nullifying them?
} | ||
|
||
|
||
static int _write_file(const char* path, const void* data, size_t size) |
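Review bot: `_write_file(const char* path, const void* data, size_t size)` has no parameter for the file mode, so if this helper is what writes the private key, the caller cannot ask for owner-only permissions. Consider adding a mode argument, or a dedicated helper for key material, so the key file is created with 0600 rather than the default mode.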
Both this (_write_file) and _load_file are pretty general utility functions. Do we have a more common place for them than gencreds.c?
No description provided.