From 58b9dde877537f9738a82342baca55b596211852 Mon Sep 17 00:00:00 2001
From: Mike Brasher
Date: Fri, 10 Feb 2023 01:08:15 +0000
Subject: [PATCH] Fix broken sigining of EXT2 rootfs
---
 samples/helloworld/ext2rootfs/Makefile | 4 +-
 tests/sign/Makefile | 60 ++++++++++++++++++++++++++
 tests/sign/README.md | 5 +++
 tests/sign/config.json | 13 ++++++
 tests/sign/hello.c | 17 ++++++++
 tools/myst/host/sign.c | 27 +++++++++++-
 6 files changed, 124 insertions(+), 2 deletions(-)
 create mode 100644 tests/sign/Makefile
 create mode 100644 tests/sign/README.md
 create mode 100644 tests/sign/config.json
 create mode 100644 tests/sign/hello.c
diff --git a/samples/helloworld/ext2rootfs/Makefile b/samples/helloworld/ext2rootfs/Makefile
index ed9beef37..6368d7d1a 100644
--- a/samples/helloworld/ext2rootfs/Makefile
+++ b/samples/helloworld/ext2rootfs/Makefile
@@ -28,7 +28,9 @@ package.pem: package: package.pem ext2rootfs echo "Generating a signed package" - @myst package-sgx --roothash=roothash appdir package.pem ../config.json + @myst package-sgx --roothash=roothash package.pem ../config.json + +export MYST_ROOTFS_PATH=$(CURDIR)/ext2rootfs run: package echo "Running Mystikos packaged application. No myst exec-sgx necessary"
diff --git a/tests/sign/Makefile b/tests/sign/Makefile
new file mode 100644
index 000000000..2ac752787
--- /dev/null
+++ b/tests/sign/Makefile
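Review bot: The new `export MYST_ROOTFS_PATH=$(CURDIR)/ext2rootfs` is dropped between the `package` and `run` recipes with nothing saying why it exists, and as a file-level `export` it applies to every recipe in the file, not only `run`. Since `package-sgx` no longer receives `appdir`, the signed package presumably no longer carries the rootfs and the runtime finds the EXT2 image through this variable; if that is the case a comment above it such as `# The EXT2 image is not embedded in the signed package; it is located at run time via MYST_ROOTFS_PATH` would make the sample self-explanatory. If the variable is only meant for `run`, the target-specific form `run: export MYST_ROOTFS_PATH=$(CURDIR)/ext2rootfs` keeps it scoped.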
@@ -0,0 +1,60 @@
+TOP=$(abspath ../..)
+include $(TOP)/defs.mak
+
+APPDIR = appdir
+CFLAGS = -fPIC
+LDFLAGS = -Wl,-rpath=$(MUSL_LIB)
+
+all:
+ $(MAKE) myst
+ $(MAKE) rootfs
+
+rootfs: hello.c
+ mkdir -p $(APPDIR)/bin
+ $(CC) $(CFLAGS) -o $(APPDIR)/bin/hello hello.c $(LDFLAGS)
+ $(MYST) mkext2 $(APPDIR) rootfs
+
+OPTS =
+
+ifdef STRACE
+OPTS += --strace
+endif
+
+ifdef PERF
+OPTS += --perf
+endif
+
+OPTS += --thread-stack-size=1048576
+
+tests: all
+ $(MAKE) private.pem
+ $(RUNTEST) $(MYST_EXEC) rootfs /bin/hello $(OPTS)
+ $(MAKE) sign
+ $(MAKE) verify
+ $(MAKE) fail
+ @ echo "=== passed all tests"
+
+private.pem:
+ openssl genrsa -out private.pem -3 3072
+
+sign:
+ $(MYST) fssig --roothash rootfs > roothash
+ rm -rf hello.signed
+ $(MYST) sign-sgx rootfs private.pem config.json --roothash=roothash
+
+verify:
+ ( cd hello.signed; ./bin/myst exec-sgx rootfs /bin/hello $(OPTS) )
+
+myst:
+ $(MAKE) -C $(TOP)/tools/myst
+
+clean:
+ rm -rf $(APPDIR) rootfs export ramfs hello.signed roothash
+
+##
+## Negative test to verify that hacking rootfs fails loading.
+##
+fail:
+ $(MAKE) sign
+ $(MYST) mkext2 --force $(APPDIR) hello.signed/rootfs
+ $(MAKE) verify 2> /dev/null; test $$? -eq 2
diff --git a/tests/sign/README.md b/tests/sign/README.md
new file mode 100644
index 000000000..374ce6704
--- /dev/null
+++ b/tests/sign/README.md
@@ -0,0 +1,5 @@
+sign
+====
+
+This test verifies that a simple Mystikos application can be signed and
+executed.
diff --git a/tests/sign/config.json b/tests/sign/config.json
new file mode 100644
index 000000000..eb19c2c42
--- /dev/null
+++ b/tests/sign/config.json
@@ -0,0 +1,13 @@
+{
+ "version": "0.1",
+ "Debug": 1,
+ "ProductID": 1,
+ "SecurityVersion": 1,
+ "MemorySize": "40m",
+ "ThreadStackSize": "16m",
+ "ApplicationPath": "/bin/hello",
+ "ApplicationParameters": [],
+ "HostApplicationParameters": false,
+ "EnvironmentVariables": [],
+ "HostEnvironmentVariables": []
+}
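Review bot: The negative test in the `fail` target accepts any failure of `$(MAKE) verify`, not specifically the rejection of the tampered rootfs: `test $$? -eq 2` matches make's generic recipe-failure status, so a missing binary, a bad `config.json` or a crash inside `exec-sgx` would make the "hacking rootfs fails loading" check pass for the wrong reason. If the runtime reports a root-hash mismatch with a distinctive message or status, the target should look for that instead, e.g. `$(MAKE) verify 2> fail.err; test $$? -eq 2 && grep -q '<expected mismatch message>' fail.err` (placeholder for the real text), and `fail.err` added to `clean`. A short comment in the `fail` recipe saying that `mkext2 --force` regenerates the image so its root hash no longer matches the signed one would also spare the next reader from working that out.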
diff --git a/tests/sign/hello.c b/tests/sign/hello.c
new file mode 100644
index 000000000..51e567b60
--- /dev/null
+++ b/tests/sign/hello.c
@@ -0,0 +1,17 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, const char* argv[])
+{
+ printf("Hello!\n");
+ printf("=== passed test (%s)\n", argv[0]);
+
+ return 0;
+}
diff --git a/tools/myst/host/sign.c b/tools/myst/host/sign.c
index ca95d4a02..c9b01c475 100644
--- a/tools/myst/host/sign.c
+++ b/tools/myst/host/sign.c
@@ -17,6 +17,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "../config.h"
 #include "myst_u.h"
@@ -293,6 +294,7 @@ int _sign(int argc, const char* argv[]) const char* signing_engine_name = NULL; const char* signing_engine_path = NULL; myst_buf_t roothash_buf = MYST_BUF_INITIALIZER; + char rootfs_path[] = "/tmp/mystXXXXXX"; // We are in the right operation, right? assert(
@@ -341,6 +343,7 @@ int _sign(int argc, const char* argv[]) const char* program_file = get_program_file(); const char* rootfs_file = argv[2]; + const char* rootfs = rootfs_file; const char* pem_file = argv[3]; const char* config_file = argv[4]; const char* target = NULL; // Extracted from config file
@@ -440,10 +443,28 @@ int _sign(int argc, const char* argv[]) assert(myst_validate_file_path(program_file)); assert(myst_validate_file_path(temp_oeconfig_file)); + /* if not a CPIO archive, create a zero-filled file with one page */ + if (myst_cpio_test(rootfs) == -ENOTSUP) + { + int fd; + uint8_t page[PAGE_SIZE]; + + if ((fd = mkstemp(rootfs_path)) < 0) + _err("failed to create temporary file"); + + memset(page, 0, sizeof(page)); + + if (write(fd, page, sizeof(page)) != sizeof(page)) + _err("failed to create file"); + + close(fd); + rootfs = rootfs_path; + } + // Setup all the regions if ((details = create_region_details_from_files( target, - rootfs_file, + rootfs, pubkeys_opt, roothashes_opt, config_file,
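Review bot: When `myst_cpio_test(rootfs)` returns `-ENOTSUP` the one-page zero file is what gets signed in place of the rootfs, so the only thing binding the signed application to the real EXT2 image is the root hash carried in `roothashes_opt`; nothing in this branch checks that a root hash was actually supplied, and if `roothashes_opt` can be empty at this point the result is a validly signed package that accepts whatever image is presented at run time. A guard at the top of the branch, e.g. `if (<no roothash option given>) _err("--roothash is required when the rootfs is not a CPIO archive");`, would close that (how the option is represented is outside the hunk). Separately, `_err("failed to create file")` after a short `write()` fires with the descriptor still open and the temporary file still on disk; `close(fd); unlink(rootfs_path);` should precede it if `_err` terminates the process, as its use after the region-creation failure suggests. The comment `/* if not a CPIO archive, create a zero-filled file with one page */` says what but not why; `/* EXT2 rootfs is not embedded in the image: sign a one-page placeholder and rely on the root hash to bind the real image */` would explain the intent, hedged as appropriate if that reading is wrong. `_sign` begins and ends outside this hunk.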
@@ -453,6 +474,10 @@ int _sign(int argc, const char* argv[]) _err("Creating region data failed."); } + // Remove temporary file: + if (rootfs == rootfs_path) + unlink(rootfs); + if (copy_files_to_signing_directory( sign_dir, program_file,
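Review bot: The `unlink(rootfs)` sits after the `_err("Creating region data failed.")` branch, so when region creation fails the placeholder created by `mkstemp` is left behind in `/tmp` (assuming `_err` does not return, which its placement suggests). Since the file is not needed once `create_region_details_from_files` has returned, splitting the call out of the `if` condition — `details = create_region_details_from_files(...);` then `if (rootfs == rootfs_path) unlink(rootfs);` then `if (!details) _err("Creating region data failed.");` — cleans up on both paths; that `if` opens in the previous hunk and the exact failure value it tests is not visible here, so keep whatever comparison it uses. The `unlink` result is also ignored; a warning on failure is cheap and helps when a stale `/tmp/myst*` file turns up later. `_sign` continues past this hunk.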