Asylo
enclave_assertion_authority_configs.h
1 /*
2  *
3  * Copyright 2019 Asylo authors
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef ASYLO_IDENTITY_ENCLAVE_ASSERTION_AUTHORITY_CONFIGS_H_
20 #define ASYLO_IDENTITY_ENCLAVE_ASSERTION_AUTHORITY_CONFIGS_H_
21 
22 #include <string>
23 #include <vector>
24 
25 #include "asylo/crypto/certificate.pb.h"
26 #include "asylo/identity/attestation/sgx/sgx_intel_ecdsa_qe_remote_assertion_authority_config.pb.h"
27 #include "asylo/identity/enclave_assertion_authority_config.pb.h"
28 #include "asylo/util/statusor.h"
29 
30 /// @file enclave_assertion_authority_configs.h
31 /// @brief Provides functions for creating enclave assertion authority configs.
32 ///
33 /// The term "enclave assertion authority" refers to the combination of
34 /// EnclaveAssertionGenerator and EnclaveAssertionVerifier for a particular type
35 /// of assertion.
36 ///
37 /// To configure assertion authorities in the untrusted application, use a
38 /// sequence of calls like the following:
39 ///
40 /// ```
41 /// std::vector<EnclaveAssertionAuthorityConfig> authority_configs = {
42 /// CreateNullAssertionAuthorityConfig(),
43 /// };
44 /// CHECK(InitializeEnclaveAssertionAuthorities(
45 /// authority_configs.cbegin(), authority_configs.cend()).ok());
46 /// ```
47 ///
48 /// To configure assertion authorities inside an enclave, pass the set of
49 /// configurations through the EnclaveConfig:
50 ///
51 /// ```
52 /// EnclaveManager *manager = ...
53 /// EnclaveLoadConfig load_config = ...
54 /// EnclaveConfig config;
55 /// *config.add_enclave_assertion_authority_configs() =
56 /// CreateNullAssertionAuthorityConfig();
57 /// *load_config.mutable_config() = config;
58 /// CHECK(manager->LoadEnclave(load_config).ok());
59 /// ```
60 ///
61 /// Assertion authorities are automatically initialized in TrustedApplication
62 /// using the provided configurations.
63 
64 namespace asylo {
65 
66 /// Creates a configuration for the null assertion authority.
67 ///
68 /// This configuration is required when using the NullAssertionGenerator or
69 /// NullAssertionVerifier.
70 ///
71 /// \return A config for the null assertion authority.
73 
74 /// Creates a configuration for the SGX local assertion authority.
75 ///
76 /// This configuration is required when using the SgxLocalAssertionGenerator or
77 /// SgxLocalAssertionVerifier.
78 ///
79 /// \param attestation_domain A 16-byte unique identifier for the SGX machine.
80 /// \return A config for the SGX local assertion authority.
83 
84 /// Creates a configuration for the SGX local assertion authority.
85 ///
86 /// The attestation domain is derived from the per-boot machine UUID in
87 /// /proc/sys/kernel/random/boot_id, so it changes whenever the machine reboots.
88 ///
89 /// This configuration is required when using the SgxLocalAssertionGenerator or
90 /// SgxLocalAssertionVerifier.
91 ///
92 /// \return A config for the SGX local assertion authority.
95 
96 namespace experimental {
97 
98 /// Creates configuration for the SGX Intel ECDSA QE remote assertion authority.
99 /// The returned configuration contains the Intel SGX Root CA Certificate for
100 /// verifying the assertion's root of trust. Any generated assertions will include the
101 /// certification data that the Intel DCAP library locates using the Platform
102 /// Quote Provider Library, as documented in
103 /// https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf
104 ///
105 /// This type of EnclaveAssertionAuthorityConfig is required when using the
106 /// SgxIntelEcdsaQeRemoteAssertionVerifier and/or
107 /// SgxIntelEcdsaQeRemoteAssertionGenerator.
108 ///
109 /// \return A config for the SGX Intel ECDSA QE remote assertion authority.
112 
113 /// Creates configuration for the SGX Intel ECDSA QE remote assertion authority.
114 /// The returned configuration contains the Intel SGX Root CA Certificate for
115 /// verifying the assertion's root of trust. Any generated assertions will include the
116 /// given `pck_certificate_chain` as certification data.
117 ///
118 /// This type of EnclaveAssertionAuthorityConfig is required when using the
119 /// SgxIntelEcdsaQeRemoteAssertionVerifier and/or
120 /// SgxIntelEcdsaQeRemoteAssertionGenerator.
121 ///
122 /// \param pck_certificate_chain The certificate chain to include with any
123 /// generated assertions.
124 /// \return A config for the SGX Intel ECDSA QE remote assertion authority.
128 
129 } // namespace experimental
130 
131 } // namespace asylo
132 
133 #endif // ASYLO_IDENTITY_ENCLAVE_ASSERTION_AUTHORITY_CONFIGS_H_
EnclaveAssertionAuthorityConfig CreateNullAssertionAuthorityConfig()
Creates a configuration for the null assertion authority.
StatusOr< EnclaveAssertionAuthorityConfig > CreateSgxLocalAssertionAuthorityConfig()
Creates a configuration for the SGX local assertion authority.
StatusOr< EnclaveAssertionAuthorityConfig > CreateSgxIntelEcdsaQeRemoteAssertionAuthorityConfig()
Creates configuration for the SGX Intel ECDSA QE remote assertion authority.
StatusOr< EnclaveAssertionAuthorityConfig > CreateSgxIntelEcdsaQeRemoteAssertionAuthorityConfig(std::vector< Certificate > pck_certificate_chain)
Creates configuration for the SGX Intel ECDSA QE remote assertion authority.
StatusOr< EnclaveAssertionAuthorityConfig > CreateSgxLocalAssertionAuthorityConfig(std::string attestation_domain)
Creates a configuration for the SGX local assertion authority.