Implementation of Enclave Key Refresh

This feature initiates refresh of enclave encryption key pair based on
timer value set in the config file. A new pair of encryption key is
generated in the enclave and the updated enclave signup details are
stored in the KvStorage in workers table.

Additioanlly, encryption key signature is also generated during enclave
initialization and its made part of PublicEnclaveData. This encryption
key signature is re-computed when encryption key gets refreshed.

Signed-off-by: manju956 <[email protected]>

Author: manju956

common/cpp/error.h

@@ -46,6 +46,13 @@ namespace tcf {
                 ) : Error(TCF_ERR_CRYPTO, msg) {}
         }; // class CryptoError
 
+        // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+        class KeyRefreshError : public Error {
+        public:
+            explicit KeyRefreshError(
+                const std::string& msg
+                ) : Error(TCF_ERR_ENCRYPT_KEY_REFRESH, msg) {}
+        }; // class KeyRefreshError
 
         // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         class MemoryError : public Error {

common/cpp/json_utils.cpp

@@ -55,4 +55,3 @@ void JsonSetNumber(JSON_Object* json, const char* name, double value, const char
         JSON_Status jret = json_object_dotset_number(json, name, value);
         tcf::error::ThrowIf<tcf::error::RuntimeError>(jret != JSONSuccess, err);
 }
-

common/cpp/tcf_error.h

@@ -35,7 +35,8 @@ typedef enum {
                                   a TCF_ERR_SYSTEM for reporting.
                                 */
     TCF_ERR_CRYPTO = -11,
-    TCF_ERR_INVALID_WORKLOAD = -12  /* Invalid workload id */
+    TCF_ERR_INVALID_WORKLOAD = -12,  /* Invalid workload id */
+    TCF_ERR_ENCRYPT_KEY_REFRESH = -13  /* Enclave key refresh error */
 } tcf_err_t;
 
 typedef enum {

common/cpp/utils.h

@@ -20,4 +20,3 @@
 ByteArray StrToByteArray(std::string str);
 
 std::string ByteArrayToStr(ByteArray ba);
-

config/tcs_config.toml

@@ -99,3 +99,7 @@ DataEncryptionAlgorithm = "AES-GCM-256"
 # starting with tilde "~"
 workOrderPayloadFormats = "JSON-RPC"
 
+[WorkerKeyRefresh]
+# Configure key refresh interval based on need.
+# By default, key refresh feature is disabled.
+key_refresh_interval = 0

enclave_manager/avalon_enclave_manager/avalon_enclave_bridge.py

@@ -210,6 +210,7 @@ def create_signup_info(originator_public_key_hash, nonce):
     signup_info = {
         'verifying_key': signup_data['verifying_key'],
         'encryption_key': signup_data['encryption_key'],
+        'encryption_key_signature': signup_data['encryption_key_signature'],
         'proof_data': 'Not present',
         'enclave_persistent_id': 'Not present'
     }
@@ -263,3 +264,24 @@ def create_signup_info(originator_public_key_hash, nonce):
 
     # Now we can return the real object
     return signup_info_obj
+
+
+def refresh_worker_encryption_key(enclave_sealed_data):
+    """
+    Refresh worker encryption key pair
+    """
+    # start enclave key refresh
+    updated_signup_data = enclave.RefreshWorkerEncryptionKey(
+        enclave_sealed_data)
+    if updated_signup_data is None:
+        return None
+    signup_info = {
+        'encryption_key':
+            updated_signup_data['encryption_key'],
+        'encryption_key_signature':
+            updated_signup_data['encryption_key_signature'],
+        'sealed_enclave_data':
+            updated_signup_data['sealed_enclave_data']
+    }
+
+    return signup_info

enclave_manager/avalon_enclave_manager/avalon_enclave_helper.py

@@ -68,6 +68,8 @@ def create_enclave_signup_data(cls, tcf_instance_keys=None):
         enclave_info['sealed_data'] = enclave_data.sealed_signup_data
         enclave_info['verifying_key'] = enclave_data.verifying_key
         enclave_info['encryption_key'] = enclave_data.encryption_key
+        enclave_info['encryption_key_signature'] = \
+            enclave_data.encryption_key_signature
         enclave_info['enclave_id'] = enclave_data.verifying_key
         enclave_info['proof_data'] = ''
         if not avalon_enclave.enclave.is_sgx_simulator():
@@ -87,6 +89,8 @@ def __init__(self, enclave_info, tcf_instance_keys):
             self.sealed_data = enclave_info['sealed_data']
             self.verifying_key = enclave_info['verifying_key']
             self.encryption_key = enclave_info['encryption_key']
+            self.encryption_key_signature = \
+                enclave_info['encryption_key_signature']
             self.proof_data = enclave_info['proof_data']
             self.enclave_id = enclave_info['enclave_id']
         except KeyError as ke:
@@ -96,6 +100,23 @@ def __init__(self, enclave_info, tcf_instance_keys):
         self.enclave_keys = \
             keys.EnclaveKeys(self.verifying_key, self.encryption_key)
 
+    # -------------------------------------------------------
+    def initiate_refresh_worker_encryption_key(self):
+        """
+        Initiate worker encryption key refresh and update worker signup details
+        """
+        try:
+            updated_enclave_data = \
+                avalon_enclave.refresh_worker_encryption_key(self.sealed_data)
+        except Exception as err:
+            raise Exception('failed to refresh enclave key; {}'
+                            .format(str(err)))
+        self.encryption_key = updated_enclave_data["encryption_key"]
+        self.encryption_key_signature = \
+            updated_enclave_data["encryption_key_signature"]
+        self.sealed_data = updated_enclave_data["sealed_enclave_data"]
+        return self
+
     # -------------------------------------------------------
     def send_to_sgx_worker(self, encrypted_request):
         """

enclave_manager/avalon_enclave_manager/enclave_manager.py

@@ -20,8 +20,9 @@
 import os
 import sys
 import time
-import random
 import hashlib
+import secrets
+import asyncio
 
 import avalon_enclave_manager.sgx_work_order_request as work_order_request
 import avalon_enclave_manager.avalon_enclave_helper as enclave_helper
@@ -54,12 +55,9 @@ def __init__(self, config, signup_data, measurements):
         self.verifying_key = signup_data.verifying_key
         self.encryption_key = signup_data.encryption_key
 
-        # TODO: EncryptionKeyNonce and EncryptionKeySignature are hardcoded
-        # to dummy values.
-        # Need to come up with a scheme to generate both for every unique
-        # encryption key.
-        self.encryption_key_nonce = ""
-        self.encryption_key_signature = ""
+        self.encryption_key_signature = signup_data.encryption_key_signature
+        # Generate random 32 byte nonce in hex format
+        self.encryption_key_nonce = secrets.token_hex(32)
         self.enclave_id = signup_data.enclave_id
         self.extended_measurements = measurements
 
@@ -92,11 +90,8 @@ def manager_on_boot(self, kv_helper):
 
         worker_info = create_json_worker(self, self.config)
         logger.info("Adding enclave workers to workers table")
-        worker_id = crypto_utils.strip_begin_end_public_key(self.enclave_id) \
-            .encode("UTF-8")
-        # Calculate sha256 of worker id to get 32 bytes. The TC spec proxy
-        # model contracts expect byte32. Then take a hexdigest for hex str.
-        worker_id = hashlib.sha256(worker_id).hexdigest()
+        worker_id = crypto_utils.calculate_worker_id_from_public_key(
+            self.enclave_id)
 
         kv_helper.set("workers", worker_id, worker_info)
 
@@ -159,7 +154,6 @@ def manager_on_boot(self, kv_helper):
 
         # End of for-loop
 
-    # -----------------------------------------------------------------
     def process_work_orders(self, kv_helper):
         """
         Executes Run time flow of enclave manager
@@ -255,7 +249,6 @@ def process_work_orders(self, kv_helper):
         # end of for loop
 
     # -----------------------------------------------------------------
-
     def __update_receipt(self, kv_helper, wo_id, wo_json_resp):
         """
         Update the existing work order receipt with the status as in wo_json_
@@ -330,6 +323,71 @@ def create_enclave_signup_data():
     return enclave_signup_data
 
 
+# -----------------------------------------------------------------
+async def wo_process(config, kv_helper, enclave_manager):
+    """
+    Process work order requests in TEE and persist result in KvStorage
+
+    @param enclave_manager - instance of the EnclaveManager class
+    @param kv_helper - instance of KvStorage
+    @param config - instance of the configuration parsed while bringing up
+                    enclave manager service
+    """
+    try:
+        sleep_interval = int(config["EnclaveManager"]["sleep_interval"])
+    except Exception as err:
+        logger.error("Failed to get sleep interval from config file. " +
+                     "Setting sleep interval to 10 seconds: %s", str(err))
+        sleep_interval = 10
+
+    while True:
+        try:
+            enclave_manager.process_work_orders(kv_helper)
+        except Exception as e:
+            logger.error("Error while processing work-order")
+            logger.error("Exception: {} args {} details {}".format(type(e),
+                         e.args, e))
+        await asyncio.sleep(sleep_interval)
+
+
+# -----------------------------------------------------------------
+async def initiate_key_refresh(config, kv_helper, enclave_manager):
+
+    """
+    Initiate worker encryption key refresh and update worker details
+    and updates worker details to kv storage
+    @param lock - ayncio lock instance
+    @param config - instance of configuration parsed to enclave manager process
+    @param kv_helper - instance of KvStorage
+    @param enclave_manager - instance of enclave manager
+    """
+    try:
+        key_refresh_interval = \
+            int(config["WorkerKeyRefresh"]["key_refresh_interval"])
+        if key_refresh_interval <= 0:
+            return
+    except Exception as err:
+        logger.error("Failed to get key refresh interval from config file",
+                     str(err))
+        return
+    asyncio.sleep(key_refresh_interval)
+    while True:
+        try:
+            enclave_data = enclave_manager.enclave_data
+            enclave_signup_data = \
+                enclave_data.initiate_refresh_worker_encryption_key()
+            # Update Enclave Manager with updated signup data after key refresh
+            enclave_manager = EnclaveManager(
+                config, enclave_signup_data,
+                enclave_manager.extended_measurements)
+            # Persist updated worker to KV storage
+            persist_worker(enclave_manager, kv_helper)
+        except Exception as e:
+            logger.error("failed to get signup data after key refresh: %s",
+                         str(e))
+        await asyncio.sleep(key_refresh_interval)
+
+
 # -----------------------------------------------------------------
 def execute_work_order(enclave_data, input_json_str, indent=4):
     """
@@ -385,6 +443,8 @@ def create_json_worker(enclave_data, config):
     worker_type_data["encryptionKey"] = enclave_data.encryption_key
     worker_type_data["encryptionKeySignature"] = \
         enclave_data.encryption_key_signature
+    worker_type_data["encryptionKeyNonce"] = \
+        enclave_data.encryption_key_nonce
 
     worker_info = dict()
     worker_info["workerType"] = WorkerType.TEE_SGX.value
@@ -430,6 +490,37 @@ def create_json_worker(enclave_data, config):
     return json_worker_info
 
 
+# -----------------------------------------------------------------
+def persist_worker(enclave_manager, kv_helper):
+    """
+    Persists worker to KvStorage
+
+    @param enclave_manager - instance of EnclaveManager class
+    @param kv_helper - instance of KvStorage
+    """
+    worker_info = create_json_worker(enclave_manager, enclave_manager.config)
+    worker_id = crypto_utils.calculate_worker_id_from_public_key(
+        enclave_manager.enclave_id)
+    logger.info("Persisting worker to workers table")
+    kv_helper.set("workers", worker_id, worker_info)
+
+
+async def execute_tasks(enclave_manager, kv_helper, config):
+    """
+    Executes worker encryption key refresh task and work order execution
+    inside TEE asynchronously.
+
+    @param enclave_manager - instance of the EnclaveManager class
+    @param kv_helper - instance of KvStorage
+    @param config - instance of the configuration parsed while bringing up
+                    enclave manager service
+    """
+    await asyncio.wait([
+        wo_process(config, kv_helper, enclave_manager),
+        initiate_key_refresh(config, kv_helper, enclave_manager)
+    ])
+
+
 # -----------------------------------------------------------------
 def start_enclave_manager(config):
     """
@@ -475,23 +566,19 @@ def start_enclave_manager(config):
 
     try:
         sleep_interval = int(config["EnclaveManager"]["sleep_interval"])
+        key_refresh_interval = \
+            int(config["WorkerKeyRefresh"]["key_refresh_interval"])
     except Exception as err:
         logger.error("Failed to get sleep interval from config file. " +
                      "Setting sleep interval to 10 seconds: %s", str(err))
         sleep_interval = 10
 
+    event_loop = asyncio.get_event_loop()
     try:
-        while True:
-            # Poll KV storage for new work-order requests and process
-            enclave_manager.process_work_orders(kv_helper)
-            logger.info("Enclave manager sleeping for %d secs", sleep_interval)
-            time.sleep(sleep_interval)
-    except Exception as inst:
-        logger.error("Error while processing work-order; " +
-                     "shutting down enclave manager")
-        logger.error("Exception: {} args {} details {}".format(type(inst),
-                     inst.args, inst))
-        exit(1)
+        event_loop.run_until_complete(
+            execute_tasks(enclave_manager, kv_helper, config))
+    finally:
+        event_loop.close()
 
 
 TCFHOME = os.environ.get("TCF_HOME", "../../../../")

tc/sgx/trusted_worker_manager/enclave/enclave_data.cpp

@@ -31,6 +31,8 @@
 
 #include "jsonvalue.h"
 #include "parson.h"
+#include "base64.h"
+#include "enclave_utils.h"
 
 #include "enclave_data.h"
 
@@ -57,6 +59,8 @@ EnclaveData::EnclaveData(void) {
     // Create the public encryption key
     public_encryption_key_ = private_encryption_key_.GetPublicKey();
 
+    // Create encryption key signature
+    generate_encryption_key_signature();
     SerializePrivateData();
     SerializePublicData();
 }
@@ -74,15 +78,11 @@ EnclaveData::~EnclaveData(void) {
 // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 EnclaveData::EnclaveData(const uint8_t* inSealedData) {
     tcf::error::ThrowIfNull(inSealedData, "Sealed sign up data pointer is NULL");
-
     uint32_t decrypted_size =
         sgx_get_encrypt_txt_len(reinterpret_cast<const sgx_sealed_data_t*>(inSealedData));
 
-    // Need to check for error
-
     std::vector<uint8_t> decrypted_data;
     decrypted_data.resize(decrypted_size);
-
     // Unseal the data
     sgx_status_t ret = sgx_unseal_data(reinterpret_cast<const sgx_sealed_data_t*>(inSealedData),
         nullptr, 0, &decrypted_data[0], &decrypted_size);
@@ -95,6 +95,9 @@ EnclaveData::EnclaveData(const uint8_t* inSealedData) {
     decrypted_data.clear();
     decrypted_data_string.clear();
 
+    /* Create encryption key signature */
+    generate_encryption_key_signature();
+
     SerializePrivateData();
     SerializePublicData();
 }
@@ -263,6 +266,14 @@ void EnclaveData::SerializePublicData(void) {
     tcf::error::ThrowIf<tcf::error::RuntimeError>(
         jret != JSONSuccess, "enclave data serialization failed on public encryption key");
 
+    // Public encryption key signature
+    jret =
+        json_object_dotset_string(dataObject, "EncryptionKeySignature", \
+            encryption_key_signature_.c_str());
+    tcf::error::ThrowIf<tcf::error::RuntimeError>(
+        jret != JSONSuccess, \
+        "enclave data serialization failed on public encryption key signature");
+
     size_t serializedSize = json_serialization_size(dataValue);
 
     std::vector<char> serialized_buffer;