Asylo
asylo Namespace Reference

Namespaces

 error
 
 experimental
 

Classes

class  AesGcmSivCryptor
 An AEAD cryptor that provides Seal() and Open() functionality using the AES GCM SIV cipher for both 128-bit and 256-bit keys.
 
class  AesGcmSivNonceGenerator
 A 96-bit NonceGenerator that returns a uniformly distributed random nonce on each invocation of NextNonce().
 
class  CheckOpMessageBuilder
 A helper class for formatting "expr (V1 vs. V2)" in a CHECK_XX statement.
 
class  EnclaveAssertionAuthority
 An EnclaveAssertionAuthority is an authority for assertions of a particular identity type.
 
class  EnclaveAssertionGenerator
 Defines an interface for assertion authorities that create assertion offers and generate assertions.
 
class  EnclaveAssertionVerifier
 Defines an interface for assertion authorities that generate assertion requests and verify assertions.
 
class  EnclaveAuthContext
 Encapsulates the authentication properties of an EKEP-based gRPC connection.
 
class  EnclaveClient
 An abstract enclave client.
 
struct  EnclaveCredentialsOptions
 Options used to configure a ::grpc::ChannelCredentials object or a ::grpc::ServerCredentials object for use in an enclave system.
 
class  EnclaveLoader
 An abstract enclave loader.
 
class  EnclaveManager
 A manager object responsible for creating and managing enclave instances.
 
class  EnclaveManagerOptions
 Enclave Manager configuration.
 
class  EnclaveSignalDispatcher
 
class  IdentityExpectationMatcher
 Defines an abstract interface that describes how to match an EnclaveIdentity against an EnclaveIdentityExpectation.
 
class  LogMessage
 Class representing a log message created by a log macro.
 
class  LogMessageFatal
 Default LogSeverity FATAL version of LogMessage.
 
class  LogMessageVoidify
 This class is used just to take an ostream type and make it a void type to satisfy the ternary operator in LOG_IF.
 
class  NonceGenerator
 Defines a nonce-generator interface.
 
class  NullAssertionGenerator
 An implementation of the EnclaveAssertionGenerator interface for null assertions.
 
class  NullAssertionVerifier
 An implementation of the EnclaveAssertionVerifier interface for null assertions.
 
class  SecretSealer
 
class  SgxLocalAssertionGenerator
 An implementation of the EnclaveAssertionGenerator interface for SGX local assertions.
 
class  SgxLocalAssertionVerifier
 An implementation of the EnclaveAssertionVerifier interface for SGX local assertions.
 
class  SgxLocalSecretSealer
 An implementation of the SecretSealer abstract interface that binds the secrets to the enclave identity on a local machine.
 
class  SharedName
 A name shared between trusted and untrusted code.
 
class  SharedResourceManager
 A manager object for shared resources.
 
class  Status
 Status contains information about an error.
 
class  StatusOr
 A class for representing either a usable value, or an error.
 
class  TrustedApplication
 Abstract base class for trusted applications.
 

Functions

std::shared_ptr<::grpc::ChannelCredentials > EnclaveChannelCredentials (const EnclaveCredentialsOptions &options)
 Constructs a grpc::ChannelCredentials object for use in an enclave system.
 
std::shared_ptr<::grpc::ServerCredentials > EnclaveServerCredentials (const EnclaveCredentialsOptions &options)
 Constructs a grpc::ServerCredentials object for use in an enclave system.
 
EnclaveCredentialsOptions BidirectionalNullCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a bidirectionally-unauthenticated gRPC channel between two enclave entities.
 
EnclaveCredentialsOptions PeerNullCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a unidirectionally-unauthenticated gRPC channel between two enclave entities.
 
EnclaveCredentialsOptions SelfNullCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a unidirectionally-unauthenticated gRPC channel between two enclave entities.
 
EnclaveCredentialsOptions BidirectionalSgxLocalCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a bidirectionally-authenticated gRPC channel between two local SGX enclaves.
 
EnclaveCredentialsOptions PeerSgxLocalCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a unidirectionally-authenticated gRPC channel between two local SGX enclaves.
 
EnclaveCredentialsOptions SelfSgxLocalCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a unidirectionally-authenticated gRPC channel between two local SGX enclaves.
 
StatusOr< bool > EvaluateIdentityAcl (const std::vector< EnclaveIdentity > &identities, const IdentityAclPredicate &acl, const IdentityExpectationMatcher &matcher)
 Uses matcher to evaluate whether identities satisfy acl.
 
void SetEnclaveConfigDefaults (const HostConfig &host_config, EnclaveConfig *config)
 Sets uninitialized fields in config to default values.
 
EnclaveConfig CreateDefaultEnclaveConfig (const HostConfig &host_config)
 Returns an EnclaveConfig proto with critical fields initialized to default values.
 
std::ostream & operator<< (std::ostream &os, const SharedName &name)
 
template<>
void MakeCheckOpValueString (std::ostream *os, const std::nullptr_t &p)
 
void set_vlog_level (int level)
 Sets the verbosity threshold for VLOG.
 
int get_vlog_level ()
 Gets the verbosity threshold for VLOG.
 
bool set_log_directory (const std::string &log_directory)
 Sets the log directory, as specified when this enclave is initialized.
 
const std::string get_log_directory ()
 Gets the log directory that was specified when this enclave was initialized.
 
bool EnsureDirectory (const char *path)
 Checks the log directory to make sure it's accessible, and creates it if it does not exist.
 
bool InitLogging (const char *directory, const char *file_name, int level)
 Initializes minimal logging library.
 
template<typename T >
T CheckNotNull (const char *file, int line, const char *exprtext, T &&t)
 Logs a message if the given value of type T is null, and then forwards the value.
 
bool operator== (const Status &lhs, const Status &rhs)
 
bool operator!= (const Status &lhs, const Status &rhs)
 
std::ostream & operator<< (std::ostream &os, const Status &status)
 

Variables

constexpr size_t kAesGcmSivNonceSize = 12
 
constexpr char kValueMoveConstructorMsg []
 
constexpr char kValueMoveAssignmentMsg []
 
constexpr char kStatusMoveConstructorMsg []
 
constexpr char kValueOrDieMovedMsg [] = "Value moved by StatusOr::ValueOrDie"
 
constexpr char kStatusMoveAssignmentMsg []
 

Function Documentation

◆ BidirectionalNullCredentialsOptions()

EnclaveCredentialsOptions asylo::BidirectionalNullCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a bidirectionally-unauthenticated gRPC channel between two enclave entities.

A credential configured with these options enforces bidirectional authentication using the null identity. The null identity specifies no identity in particular, which means that the resulting connection is essentially unauthenticated.

Sample usage for creating ::grpc::ChannelCredentials:

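std::shared_ptr<::grpc::ChannelCredentials> creds =
    EnclaveChannelCredentials(BidirectionalNullCredentialsOptions());

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
    EnclaveServerCredentials(BidirectionalNullCredentialsOptions());

Returns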
Options used to configure gRPC credentials for a bidirectionally-unauthenticated channel.

◆ BidirectionalSgxLocalCredentialsOptions()

EnclaveCredentialsOptions asylo::BidirectionalSgxLocalCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a bidirectionally-authenticated gRPC channel between two local SGX enclaves.

A credential configured with these options enforces bidirectional authentication using SGX enclave code identity.

Sample usage for creating ::grpc::ChannelCredentials:

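std::shared_ptr<::grpc::ChannelCredentials> creds =
    EnclaveChannelCredentials(BidirectionalSgxLocalCredentialsOptions());

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
    EnclaveServerCredentials(BidirectionalSgxLocalCredentialsOptions());

Returns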
Options used to configure gRPC credentials for a bidirectionally-authenticated channel between SGX enclaves on the same platform.

◆ CheckNotNull()

template<typename T >
T asylo::CheckNotNull ( const char *  file,
int  line,
const char *  exprtext,
T &&  t 
)

Logs a message if the given value of type T is null, and then forwards the value.

In C++11, all cases can be handled by a single function. Since the value category of the argument is preserved (also for rvalue references), member initializer lists like the one below will compile correctly:

Foo()
    : x_(CHECK_NOTNULL(MethodReturningUniquePtr())) {}

Parameters
file: The source file that produced the log.
line: The source code line that produced the log.
exprtext: A string representation of the code in file at line.
t: The parameter being checked for null.

◆ CreateDefaultEnclaveConfig()

EnclaveConfig asylo::CreateDefaultEnclaveConfig ( const HostConfig &  host_config)

Returns an EnclaveConfig proto with critical fields initialized to default values.

Parameters
host_config: Input used to fill in the host_config field of the returned EnclaveConfig.

Returns
An EnclaveConfig proto with critical fields initialized to their default values.

◆ EnclaveChannelCredentials()

std::shared_ptr<::grpc::ChannelCredentials> asylo::EnclaveChannelCredentials ( const EnclaveCredentialsOptions &  options)

Constructs a grpc::ChannelCredentials object for use in an enclave system.

The configuration options determine which assertions are presented by the entity that wields the resulting credentials object. options must meet the following criteria:

  • options.self_assertions must contain at least one assertion description.
  • options.accepted_peer_assertions must contain at least one assertion description.

Parameters
options: Options for configuring the credentials.

Returns
A gRPC channel credentials object.

◆ EnclaveServerCredentials()

std::shared_ptr<::grpc::ServerCredentials> asylo::EnclaveServerCredentials ( const EnclaveCredentialsOptions &  options)

Constructs a grpc::ServerCredentials object for use in an enclave system.

The configuration options determine which assertions are presented by the entity that wields the resulting credentials object. options must meet the following criteria:

  • options.self_assertions must contain at least one assertion description.
  • options.accepted_peer_assertions must contain at least one assertion description.

Parameters
options: Options for configuring the credentials.

Returns
A gRPC server credentials object.

◆ EnsureDirectory()

bool asylo::EnsureDirectory ( const char *  path)

Checks the log directory to make sure it's accessible, and creates it if it does not exist.

Parameters
path: The directory to be checked.

◆ EvaluateIdentityAcl()

StatusOr<bool> asylo::EvaluateIdentityAcl ( const std::vector< EnclaveIdentity > &  identities,
const IdentityAclPredicate &  acl,
const IdentityExpectationMatcher &  matcher 
)

Uses matcher to evaluate whether identities satisfy acl.

The ACL is provided in the form of an IdentityAclPredicate. An IdentityAclPredicate is a recursive proto, each layer of which must conform to the following constraints:

  • A nested IdentityAclPredicate predicate must have predicate.item set.
  • A nested IdentityAclGroup group must have a non-empty group.predicates.
    • If group.type is GroupType::NOT, group.predicates must contain exactly one predicate.

Returns a non-OK status if acl is malformed or if matcher.Match() returns a non-OK status when invoked with any of identities.

Parameters
identities: A list of identities to match against the ACL.
acl: An ACL specifying expectations on an identity.
matcher: The matcher to use to evaluate identities against acl.

Returns
A bool indicating whether the ACL evaluated to true, or a non-OK Status if any of the inputs are invalid.
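
The structural constraints above are what keep a malformed ACL from ever evaluating to true. The following is an added sketch, not Asylo's implementation: the types are simplified stand-ins for the protos, and the OR/AND group types, the "any identity matches an item" rule, and the choice to validate every child without short-circuiting are assumptions of the example.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Simplified stand-ins for the recursive proto; these are not Asylo types.
enum class GroupType { OR, AND, NOT };
enum class Result { kTrue, kFalse, kError };  // models StatusOr<bool>
struct Group;
struct Predicate {
  std::string item;              // expectation; empty means "not set"
  std::shared_ptr<Group> group;  // non-null when this layer is a group
};
struct Group { GroupType type; std::vector<Predicate> predicates; };
// Models IdentityExpectationMatcher::Match(); may itself report an error.
using Matcher = std::function<Result(const std::string &identity,
                                     const std::string &expectation)>;

Predicate Item(const std::string &e) { return Predicate{e, nullptr}; }
Predicate MakeGroup(GroupType t, std::vector<Predicate> ps) {
  return Predicate{"", std::make_shared<Group>(Group{t, std::move(ps)})};
}

Result Evaluate(const std::vector<std::string> &identities,
                const Predicate &acl, const Matcher &match) {
  if (!acl.group) {
    if (acl.item.empty()) return Result::kError;  // item must be set
    bool matched = false;
    for (const auto &id : identities) {
      Result r = match(id, acl.item);
      if (r == Result::kError) return r;  // matcher failure is never "false"
      matched = matched || r == Result::kTrue;
    }
    return matched ? Result::kTrue : Result::kFalse;
  }
  const Group &g = *acl.group;
  // An empty AND would be vacuously true, so empty groups are rejected.
  if (g.predicates.empty()) return Result::kError;
  if (g.type == GroupType::NOT && g.predicates.size() != 1)
    return Result::kError;
  bool any = false, all = true;
  for (const auto &child : g.predicates) {  // no short-circuit: validate all
    Result r = Evaluate(identities, child, match);
    if (r == Result::kError) return r;
    any = any || r == Result::kTrue;
    all = all && r == Result::kTrue;
  }
  if (g.type == GroupType::OR) return any ? Result::kTrue : Result::kFalse;
  if (g.type == GroupType::AND) return all ? Result::kTrue : Result::kFalse;
  return all ? Result::kFalse : Result::kTrue;  // NOT: exactly one child
}
```

Treating a matcher error as an error rather than as "no match" matters under NOT, where a silent false would be inverted into a grant.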

◆ get_log_directory()

const std::string asylo::get_log_directory ( )

Gets the log directory that was specified when this enclave was initialized.

Returns
The directory where the log files will be.

◆ get_vlog_level()

int asylo::get_vlog_level ( )

Gets the verbosity threshold for VLOG.

A VLOG command with a level greater than this will be ignored.

Returns
The current verbosity threshold for VLOG.

◆ InitLogging()

bool asylo::InitLogging ( const char *  directory,
const char *  file_name,
int  level 
)

Initializes minimal logging library.

For untrusted logging, the program name specified by argv0 will be used as the log filename. For enclave logging, the enclave name will be used as the log filename (any slashes or dots will be removed). This method is called during enclave initialization. For untrusted logging, this should be called in main().

Parameters
directory: The log file directory.
file_name: The name of the log file.
level: The verbosity threshold for VLOG commands. A VLOG command with a level equal to or lower than it will be logged.

◆ MakeCheckOpValueString()

template<>
void asylo::MakeCheckOpValueString ( std::ostream *  os,
const std::nullptr_t &  p 
)

◆ operator!=()

bool asylo::operator!= ( const Status &  lhs,
const Status &  rhs 
)

◆ operator<<() [1/2]

std::ostream& asylo::operator<< ( std::ostream &  os,
const SharedName &  name 
)
inline

◆ operator<<() [2/2]

std::ostream& asylo::operator<< ( std::ostream &  os,
const Status &  status 
)

◆ operator==()

bool asylo::operator== ( const Status &  lhs,
const Status &  rhs 
)

◆ PeerNullCredentialsOptions()

EnclaveCredentialsOptions asylo::PeerNullCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a unidirectionally-unauthenticated gRPC channel between two enclave entities.

A credential configured with these options enforces unidirectional authentication using the null identity. The null identity specifies no identity in particular, which means that in the resulting connection the peer does not authenticate.

Sample usage for creating ::grpc::ChannelCredentials:

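std::shared_ptr<::grpc::ChannelCredentials> creds =
    EnclaveChannelCredentials(PeerNullCredentialsOptions());

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
    EnclaveServerCredentials(PeerNullCredentialsOptions());

Returns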
Options used to configure gRPC credentials for a channel that is unauthenticated on the peer's end.

◆ PeerSgxLocalCredentialsOptions()

EnclaveCredentialsOptions asylo::PeerSgxLocalCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a unidirectionally-authenticated gRPC channel between two local SGX enclaves.

A credential configured with these options enforces that the peer authenticates using SGX enclave code identity.

Sample usage for creating ::grpc::ChannelCredentials:

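std::shared_ptr<::grpc::ChannelCredentials> creds =
    EnclaveChannelCredentials(PeerSgxLocalCredentialsOptions());

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
    EnclaveServerCredentials(PeerSgxLocalCredentialsOptions());

Returns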
Options used to configure gRPC credentials for a channel that is unidirectionally-authenticated on the peer's end using SGX enclave code identity.

◆ SelfNullCredentialsOptions()

EnclaveCredentialsOptions asylo::SelfNullCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a unidirectionally-unauthenticated gRPC channel between two enclave entities.

A credential configured with these options enforces unidirectional authentication using the null identity. The null identity specifies no identity in particular, which means that in the resulting connection the credential holder does not authenticate.

Sample usage for creating ::grpc::ChannelCredentials:

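std::shared_ptr<::grpc::ChannelCredentials> creds =
    EnclaveChannelCredentials(SelfNullCredentialsOptions());

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
    EnclaveServerCredentials(SelfNullCredentialsOptions());

Returns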
Options used to configure gRPC credentials for a channel that is unauthenticated on the credential holder's end.

◆ SelfSgxLocalCredentialsOptions()

EnclaveCredentialsOptions asylo::SelfSgxLocalCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a unidirectionally-authenticated gRPC channel between two local SGX enclaves.

A credential configured with these options enforces that the credential holder authenticates using SGX enclave code identity.

Sample usage for creating ::grpc::ChannelCredentials:

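std::shared_ptr<::grpc::ChannelCredentials> creds =
    EnclaveChannelCredentials(SelfSgxLocalCredentialsOptions());

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
    EnclaveServerCredentials(SelfSgxLocalCredentialsOptions());

Returns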
Options used to configure gRPC credentials for a channel that is unidirectionally-authenticated on the credential holder's end using SGX enclave code identity.

◆ set_log_directory()

bool asylo::set_log_directory ( const std::string &  log_directory)

Sets the log directory, as specified when this enclave is initialized.

This is only set once. Any request to reset it will return false.

Parameters
log_directory: The log file directory.

Returns
True if and only if the log directory is set successfully.

◆ set_vlog_level()

void asylo::set_vlog_level ( int  level)

Sets the verbosity threshold for VLOG.

A VLOG command with a level greater than this will be ignored.

Parameters
level: The verbosity threshold for VLOG to be set. A VLOG command with level less than or equal to this will be logged.

◆ SetEnclaveConfigDefaults()

void asylo::SetEnclaveConfigDefaults ( const HostConfig &  host_config,
EnclaveConfig *  config 
)

Sets uninitialized fields in config to default values.

Parameters
host_config: Values to set in the host_config field of config.
config [out]: EnclaveConfig object to populate.

Variable Documentation

◆ kAesGcmSivNonceSize

constexpr size_t asylo::kAesGcmSivNonceSize = 12

◆ kStatusMoveAssignmentMsg

constexpr char asylo::kStatusMoveAssignmentMsg[]
Initial value:
= "Status moved by StatusOr move assignment"

◆ kStatusMoveConstructorMsg

constexpr char asylo::kStatusMoveConstructorMsg[]
Initial value:
= "Status moved by StatusOr move constructor"

◆ kValueMoveAssignmentMsg

constexpr char asylo::kValueMoveAssignmentMsg[]
Initial value:
= "Value moved by StatusOr move assignment"

◆ kValueMoveConstructorMsg

constexpr char asylo::kValueMoveConstructorMsg[]
Initial value:
= "Value moved by StatusOr move constructor"

◆ kValueOrDieMovedMsg

constexpr char asylo::kValueOrDieMovedMsg[] = "Value moved by StatusOr::ValueOrDie"