
evervault / node-secureworker


Run JavaScript inside an Intel SGX Enclave as easily as using a Web Worker

Home Page: https://www.npmjs.com/package/secureworker

License: BSD 3-Clause "New" or "Revised" License

JavaScript 1.67% C++ 3.31% CoffeeScript 0.01% Python 0.45% Makefile 0.10% HTML 0.03% CSS 0.08% C 94.34% Shell 0.02%
npm-package sgx javascript nodejs npm

node-secureworker's Issues

Make repository smaller

Currently it is pretty big because of some binaries being committed into it in the history.

Port changes to original duktape source

Currently, this code is modified from the release tarball. We should also wrap code changes in a new config flag or something.

Some notes:

duktape-dist

  • SGX include dirs, /NODEFAULTLIB - Compile for SGX platform.
  • DUK_OPT_NO_FILE_IO - File I/O is not available in enclave.
  • DUK_OPT_CPP_EXCEPTIONS - The SGX SDK doesn't support setjmp.
  • DUK_OPT_NO_JX - The SGX SDK doesn't support sscanf, which JX needs.
  • /TP - Compile as C++ because we need C++ exceptions.

Code changes (duktape-dist)

  • DUK_SNPRINTF in duk_bi_date.c - The SGX SDK doesn't support sprintf (without the "n"). Provide DUK_BI_DATE_ISO8601_BUFSIZE.
  • duk_bi_date_get_*_sgx - Stubbed out routines for getting the time and locale information from the OS. Consider using SGX's Trusted Time system to implement this for real.
  • Don't include <windows.h> - We're not running on Windows.
  • Don't include <setjmp.h> - The SGX SDK doesn't have this file.
  • Use unprefixed snprintf and vsnprintf - That's what the SGX SDK provides.
  • Remove duk_file and DUK_STD* - The SGX SDK doesn't provide the underlying FILE and std*.

enclave-source.js missing

browserify --insert-global-vars __filename,__dirname --no-commondir -t [ babelify --presets [ es2015 ] ] enclave-source.js > enclave-bundle.js

With this command, which file in the node-secureworker repository should we use instead of enclave-source.js? Is it test-commands.js in the node-secureworker/tests directory? I can't find a file named enclave-source.js in any directory.

I know eventually this file should be whatever code I want to run inside my enclave, but I wanted an example to make sure everything is running fine before moving forward.

Thanks

Enclaves won't build in new versions of Node.js

The package installs but enclaves won't build in new versions of Node.js. This happens when you run npm run test in v12.9.1.

root@anaconda:~/node-secureworker# npm run test

> [email protected] test /root/node-secureworker
> tests/run.js

cd duk_enclave && /opt/intel/sgxsdk/bin/x64/sgx_edger8r --untrusted duk_enclave.edl --search-path /opt/intel/sgxsdk/include
cc -m64 -O0 -g -fPIC -Wno-attributes -I/opt/intel/sgxsdk/include -DDEBUG -UNDEBUG -UEDEBUG   -c -o duk_enclave/duk_enclave_u.o duk_enclave/duk_enclave_u.c
node-gyp rebuild
make[1]: Entering directory '/root/node-secureworker/build'
  CXX(target) Release/obj.target/secureworker_internal/node-secureworker-internal/secureworker-internal.o
../node-secureworker-internal/secureworker-internal.cc: In destructor ‘virtual SecureWorkerInternal::~SecureWorkerInternal()’:
../node-secureworker-internal/secureworker-internal.cc:106:77: warning: throw will always call terminate() [-Wterminate]
     if (status != SGX_SUCCESS) throw sgx_error(status, "sgx_destroy_enclave");
                                                                             ^
../node-secureworker-internal/secureworker-internal.cc:106:77: note: in C++11 destructors default to noexcept
../node-secureworker-internal/secureworker-internal.cc: In static member function ‘static void SecureWorkerInternal::getQuoteSize(const uint8_t*, uint32_t*)’:
../node-secureworker-internal/secureworker-internal.cc:154:70: warning: ‘sgx_status_t sgx_get_quote_size(const uint8_t*, uint32_t*)’ is deprecated [-Wdeprecated-declarations]
     const sgx_status_t status = sgx_get_quote_size(sig_rl, quote_size);
                                                                      ^
In file included from ../node-secureworker-internal/secureworker-internal.cc:11:0:
/opt/intel/sgxsdk/include/sgx_uae_service.h:100:21: note: declared here
 sgx_status_t SGXAPI sgx_get_quote_size(
                     ^~~~~~~~~~~~~~~~~~
../node-secureworker-internal/secureworker-internal.cc: In function ‘void duk_enclave_post_message(const char*)’:
../node-secureworker-internal/secureworker-internal.cc:412:83: error: no matching function for call to ‘v8::Function::Call(v8::Local<v8::Object>&, int, v8::Local<v8::Value> [1])’
   handle_post_message.As<v8::Function>()->Call(thread_entry->entrant, 1, arguments);
                                                                                   ^
In file included from /root/.cache/node-gyp/12.9.1/include/node/node.h:63:0,
                 from ../node_modules/nan/nan.h:54,
                 from ../node-secureworker-internal/secureworker-internal.cc:1:
/root/.cache/node-gyp/12.9.1/include/node/v8.h:4161:43: note: candidate: v8::MaybeLocal<v8::Value> v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*)
   V8_WARN_UNUSED_RESULT MaybeLocal<Value> Call(Local<Context> context,
                                           ^~~~
/root/.cache/node-gyp/12.9.1/include/node/v8.h:4161:43: note:   candidate expects 4 arguments, 3 provided
secureworker_internal.target.mk:115: recipe for target 'Release/obj.target/secureworker_internal/node-secureworker-internal/secureworker-internal.o' failed
make[1]: *** [Release/obj.target/secureworker_internal/node-secureworker-internal/secureworker-internal.o] Error 1
make[1]: Leaving directory '/root/node-secureworker/build'
gyp ERR! build error
gyp ERR! stack Error: `make` failed with exit code: 2
gyp ERR! stack     at ChildProcess.onExit (/root/.nvm/versions/node/v12.9.1/lib/node_modules/npm/node_modules/node-gyp/lib/build.js:196:23)
gyp ERR! stack     at ChildProcess.emit (events.js:209:13)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:272:12)
gyp ERR! System Linux 4.15.0-58-generic
gyp ERR! command "/root/.nvm/versions/node/v12.9.1/bin/node" "/root/.nvm/versions/node/v12.9.1/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /root/node-secureworker
gyp ERR! node -v v12.9.1
gyp ERR! node-gyp -v v5.0.3
gyp ERR! not ok
Makefile:140: recipe for target 'build/Release/secureworker_internal.node' failed
make: *** [build/Release/secureworker_internal.node] Error 1
child_process.js:642
    throw err;

Secureworker-create does not work

Running "node tests/run.js" gives the following:

Error: Command failed: make enclave SCRIPTS=/home/stefan/Work/ForOthers/node-secureworker/tests/test.js /home/stefan/Work/ForOthers/node-secureworker/tests/test-commands.js ENCLAVE_KEY=/home/stefan/Work/ForOthers/node-secureworker/tests/key.pem ENCLAVE_CONFIG=/home/stefan/Work/ForOthers/node-secureworker/tests/enclave.config.xml ENCLAVE_OUTPUT=/home/stefan/Work/ForOthers/node-secureworker/tests/enclave.so
at checkExecSyncError (child_process.js:601:13)
at Object.execFileSync (child_process.js:621:13)
at Object.<anonymous> (/home/stefan/Work/ForOthers/node-secureworker/bin/secureworker-create:34:15)
at Module._compile (module.js:652:30)
at Object.Module._extensions..js (module.js:663:10)
at Module.load (module.js:565:32)
at tryModuleLoad (module.js:505:12)
at Function.Module._load (module.js:497:3)
at Function.Module.runMain (module.js:693:10)
at startup (bootstrap_node.js:188:16)
child_process.js:624
throw err;

Note that I want to build this enclave and then execute it in simulation/mock mode, as I do not have SGX on my machine.

Unable to run in simulation mode, only mock mode

My program is working fine in mock mode, however I'd like to run in simulation mode to make use of the enclave.so file. When I run it, it says it can't find libsgx_urts_sim.so as below.

Could not load SGX secure worker binary:
Error: libsgx_urts_sim.so: cannot open shared object file: No such file or directory
at Object.Module._extensions..node (internal/modules/cjs/loader.js:1133:18)
at Module.load (internal/modules/cjs/loader.js:914:32)
at Function.Module._load (internal/modules/cjs/loader.js:822:14)
at Module.require (internal/modules/cjs/loader.js:956:19)
at require (internal/modules/cjs/helpers.js:74:18)
at Object.<anonymous> (/home/jason/WebstormProjects/sgx-test/node_modules/secureworker/lib/real.js:1:28)
at Module._compile (internal/modules/cjs/loader.js:1063:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1103:10)
at Module.load (internal/modules/cjs/loader.js:914:32)
at Function.Module._load (internal/modules/cjs/loader.js:822:14)
Mock implementation will be used instead. Do not use in production.

This issue is solved by others (presumably not using secureworker) by ensuring their environment variables are set and, if that doesn't work, then setting a file in /etc/ld.so.conf.d and running ldconfig, but this doesn't work in my case. Any suggestions? Is simulation mode supposed to work with this package? The file it's referring to definitely exists.

Additional packages required for bundling imports with browserify

I am not sure if this is something worth mentioning or whether it doesn't have to do with the project, but in the README it's mentioned that one can bundle imports in a single file with browserify using:

$ browserify --insert-global-vars __filename,__dirname --no-commondir -t [ babelify --presets [ es2015 ] ] enclave-source.js > enclave-bundle.js

The above also requires babelify, babel-core and babel-preset-es2015 packages to work.

meteor paths hardcoded

  • where the enclave signing key is
  • where the enclave DLL is

the API for this package has no way of passing this information in

Can't build an enclave.so file due to missing import sgx_tae_service in duk_enclave file

I'm trying to build an enclave.so file, but it seems to be missing an import. I spent a while installing SGX and have re-read the documentation a few times, so I don't think the install is missing anything. How might I fix this? Where should this sgx_tae_service.h be? I can't find a reference to it in the SGX SDK.

./secureworker-create --output enclave.so hello-world-from-enclave.js
g++ -m64 -O0 -g -nostdinc -fvisibility=hidden -fpie -fstack-protector -I/opt/intel/sgxsdk/include -I/opt/intel/sgxsdk/include/tlibc -I/opt/intel/sgxsdk/include/stdc++ -std=c++03 -nostdinc++ -Iduktape-1.4.0/src-separate -Iscripts -c -o duk_enclave/duk_enclave.o duk_enclave/duk_enclave.cpp
duk_enclave/duk_enclave.cpp:6:10: fatal error: sgx_tae_service.h: No such file or directory
#include "sgx_tae_service.h"
^~~~~~~~~~~~~~~~~~~
compilation terminated.
<builtin>: recipe for target 'duk_enclave/duk_enclave.o' failed
make: *** [duk_enclave/duk_enclave.o] Error 1
child_process.js:624
throw err;
^

Error: Command failed: make enclave SCRIPTS=/home/jason/WebstormProjects/sgx-test/node_modules/secureworker/bin/hello-world-from-enclave.js ENCLAVE_KEY=/home/jason/WebstormProjects/sgx-test/node_modules/secureworker/bin/key.pem ENCLAVE_CONFIG=/home/jason/WebstormProjects/sgx-test/node_modules/secureworker/bin/enclave.config.xml ENCLAVE_OUTPUT=/home/jason/WebstormProjects/sgx-test/node_modules/secureworker/bin/enclave.so
at checkExecSyncError (child_process.js:603:11)
at Object.execFileSync (child_process.js:621:15)
at Object.<anonymous> (/home/jason/WebstormProjects/sgx-test/node_modules/secureworker/bin/secureworker-create:34:15)
at Module._compile (internal/modules/cjs/loader.js:1063:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1103:10)
at Module.load (internal/modules/cjs/loader.js:914:32)
at Function.Module._load (internal/modules/cjs/loader.js:822:14)
at Function.Module.runMain (internal/modules/cjs/loader.js:1143:12)
at internal/main/run_main_module.js:16:11 {
status: 2,
signal: null,
output: [ null, null, null ],
pid: 41369,
stdout: null,
stderr: null
}

EDIT: I downgraded all of the SGX tools to 2.7 and it worked. I guess there is a breaking change in the latest SGX SDK or PSW.

Implement report and remote attestation commands outside enclave

Remote attestation commands can probably simply be implemented in JavaScript. Report generation should probably be C/C++, but outside of the enclave.

Remote attestation needs a key pair. I would provide one default with the package, but users should be able to set their own.

Remote attestation should use protocol V2 which returns a signed statement by Intel, and then validation of remote attestation should validate that statement.
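
The validation step described in the issue above, as an added example (not code from the issue or from the project): it checks the signature over the raw report bytes, then the nonce, the quote status and the MRENCLAVE value. The JSON field names, the RSA-SHA256 signature and the locally generated key pair standing in for the attestation service's report signing key are assumptions of this example.

```javascript
const crypto = require('crypto');

// MRENCLAVE sits 112 bytes into an SGX quote: 48-byte header + 64 bytes of report body.
const MRENCLAVE_OFFSET = 112;
const ACCEPTED_STATUSES = new Set(['OK']); // verifier policy, assumed for this example

function verifyReport(rawBody, signatureB64, signingKey, expected) {
  // Verify the signature over the exact bytes received, before parsing them.
  const sigOk = crypto.verify('sha256', Buffer.from(rawBody, 'utf8'), signingKey,
    Buffer.from(signatureB64, 'base64'));
  if (!sigOk) return { valid: false, reason: 'bad signature' };
  let report;
  try {
    report = JSON.parse(rawBody);
  } catch (e) {
    return { valid: false, reason: 'malformed report' };
  }
  // The nonce ties the report to this verifier's request, so old reports cannot be replayed.
  if (report.nonce !== expected.nonce) return { valid: false, reason: 'nonce mismatch' };
  if (!ACCEPTED_STATUSES.has(report.isvEnclaveQuoteStatus)) {
    return { valid: false, reason: 'quote status ' + report.isvEnclaveQuoteStatus };
  }
  // A valid signature only says some enclave was attested; pin which one.
  const quote = Buffer.from(String(report.isvEnclaveQuoteBody || ''), 'base64');
  const mrenclave = quote.subarray(MRENCLAVE_OFFSET, MRENCLAVE_OFFSET + 32).toString('hex');
  if (mrenclave !== expected.mrenclave) return { valid: false, reason: 'unexpected MRENCLAVE' };
  return { valid: true, mrenclave };
}

// Constructed sample data: a throwaway key pair plays the attestation service,
// and the quote is 432 zero bytes with MRENCLAVE set to 0xab repeated.
const serviceKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function makeSample(status, nonce) {
  const quote = Buffer.alloc(432);
  quote.fill(0xab, MRENCLAVE_OFFSET, MRENCLAVE_OFFSET + 32);
  const body = JSON.stringify({ id: 'constructed-1', nonce,
    isvEnclaveQuoteStatus: status, isvEnclaveQuoteBody: quote.toString('base64') });
  const signature = crypto.sign('sha256', Buffer.from(body, 'utf8'),
    serviceKeys.privateKey).toString('base64');
  return { body, signature };
}

const expected = { nonce: 'n-0001', mrenclave: 'ab'.repeat(32) };
const good = makeSample('OK', 'n-0001');
console.log(verifyReport(good.body, good.signature, serviceKeys.publicKey, expected));
```

A real verifier would also validate the signing certificate chain against a pinned root before trusting the key passed in as signingKey.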

Create CLI installer

Build an installer that checks for dependencies and SGX support, and installs the SGX SDK, SGX PSW and kernel driver.
