Asylo
Namespaces | Classes | Typedefs | Enumerations | Functions | Variables
asylo Namespace Reference

Namespaces

 error
 
 experimental
 
 internal
 
 primitives
 
 sgx
 

Classes

class  AeadCryptor
 An AEAD cryptor that provides Seal() and Open() functionality. More...
 
class  CheckOpMessageBuilder
 A helper class for formatting "expr (V1 vs. V2)" in a CHECK_XX statement. More...
 
class  EnclaveAssertionAuthority
 An EnclaveAssertionAuthority is an authority for assertions of a particular identity type. More...
 
class  EnclaveAssertionGenerator
 Defines an interface for assertion authorities that create assertion offers and generate assertions. More...
 
class  EnclaveAssertionVerifier
 Defines an interface for assertion authorities that generate assertion requests and verify assertions. More...
 
class  EnclaveAuthContext
 Encapsulates the authentication properties of an EKEP-based gRPC connection. More...
 
class  EnclaveClient
 An abstract enclave client. More...
 
struct  EnclaveCredentialsOptions
 Options used to configure a ::grpc::ChannelCredentials object or a ::grpc::ServerCredentials object for use in an enclave system. More...
 
class  EnclaveLoader
 An abstract enclave loader. More...
 
class  EnclaveManager
 A manager object responsible for creating and managing enclave instances. More...
 
class  EnclaveManagerOptions
 Enclave Manager configuration. More...
 
class  IdentityExpectationMatcher
 Defines an abstract interface that describes how to match an EnclaveIdentity against an EnclaveIdentityExpectation. More...
 
class  LogMessage
 Class representing a log message created by a log macro. More...
 
class  LogMessageFatal
 A LogSeverity FATAL (or QFATAL) version of LogMessage that the compiler can interpret as noreturn. More...
 
class  LogMessageVoidify
 This class is used just to take an ostream type and make it a void type to satisify the ternary operator in LOG_IF. More...
 
class  NamedIdentityExpectationMatcher
 A NamedIdentityExpectationMatcher is capable of matching an identity to an expectation if the identity and the expectation's reference identity have the same identity descriptions, and they match the identity description returned by the Description() method of the matcher. More...
 
struct  Namer< NamedIdentityExpectationMatcher >
 
class  NonceGenerator
 Defines a nonce-generator interface. More...
 
class  NullAssertionGenerator
 An implementation of the EnclaveAssertionGenerator interface for null assertions. More...
 
class  NullAssertionVerifier
 An implementation of the EnclaveAssertionVerifier interface for null assertions. More...
 
class  SecretSealer
 
class  SgxAgeRemoteAssertionGenerator
 A thread-safe implementation of the EnclaveAssertionGenerator interface for SGX remote assertions generated by the Assertion Generator Enclave (AGE). More...
 
class  SgxAgeRemoteAssertionVerifier
 An implemention of the EnclaveAssertionVerifier interface for SGX remote assertions generated by the Assertion Generator Enclave. More...
 
class  SgxIdentityExpectationMatcher
 SgxIdentityExpectationMatcher is capable of matching SGX identities with SGX identity expectations. More...
 
class  SgxIntelEcdsaQeRemoteAssertionGenerator
 Implementation of EnclaveAssertionGenerator that generates assertions using the Intel ECDSA quoting enclave. More...
 
class  SgxIntelEcdsaQeRemoteAssertionVerifier
 Implementation of EnclaveAssertionVerifier that verifiers assertions generated by the Intel ECDSA quoting enclave. More...
 
class  SgxLocalAssertionGenerator
 An implementation of the EnclaveAssertionGenerator interface for SGX local assertions. More...
 
class  SgxLocalAssertionVerifier
 An implemention of the EnclaveAssertionVerifier interface for SGX local assertions. More...
 
class  SgxLocalSecretSealer
 An implementation of the SecretSealer abstract interface that binds the secrets to the enclave identity on a local machine. More...
 
class  SharedName
 A name shared between trusted and untrusted code. More...
 
class  SharedResourceManager
 A manager object for shared resources. More...
 
class  Status
 Status contains information about an error. More...
 
class  StatusOr
 A class for representing either a usable value, or an error. More...
 
class  TrustedApplication
 Abstract base class for trusted applications. More...
 

Typedefs

using CleansingString = std::basic_string< char, std::char_traits< char >, CleansingAllocator< char > >
 A string that zeros its memory on free. More...
 
template<typename T >
using CleansingVector = std::vector< T, CleansingAllocator< T > >
 A vector container that zeros its memory on free. More...
 

Enumerations

enum  SgxIdentityMatchSpecOptions { SgxIdentityMatchSpecOptions::DEFAULT, SgxIdentityMatchSpecOptions::STRICT_LOCAL, SgxIdentityMatchSpecOptions::STRICT_REMOTE }
 This enum defines a set of recommended match specs. More...
 

Functions

StatusOr< Sha256HashProto > CreateSha256HashProto (absl::string_view hash_hex)
 Returns a Sha256HashProto with the hash of the given |hash_hex|, or a non-OK Status if the provided string is an invalid hex-encoded SHA-256 hash. More...
 
Status ValidateSha256HashProto (const Sha256HashProto &hash_proto)
 Validates that |hash_proto| has a hash that is exactly 32 bytes. More...
 
bool operator== (const Sha256HashProto &lhs, const Sha256HashProto &rhs)
 Compares two Sha256HashProto messages for equality. More...
 
bool operator!= (const Sha256HashProto &lhs, const Sha256HashProto &rhs)
 Compares two Sha256HashProto messages for inequality. More...
 
std::shared_ptr<::grpc::ChannelCredentials > EnclaveChannelCredentials (EnclaveCredentialsOptions options)
 Constructs a grpc::ChannelCredentials object for use in an enclave system. More...
 
std::shared_ptr<::grpc::ServerCredentials > EnclaveServerCredentials (EnclaveCredentialsOptions options)
 Constructs a grpc::ServerCredentials object for use in an enclave system. More...
 
EnclaveCredentialsOptions BidirectionalNullCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a bidirectionally-unauthenticated gRPC channel between two enclave entities. More...
 
EnclaveCredentialsOptions PeerNullCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a unidirectionally-unauthenticated gRPC channel between two enclave entities. More...
 
EnclaveCredentialsOptions SelfNullCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a unidirectionally-unauthenticated gRPC channel between two enclave entities. More...
 
EnclaveCredentialsOptions PeerSgxAgeRemoteCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a unidirectionally-authenticated gRPC channel where it accepts identities attested by a remote SGX enclave using Asylo's Assertion Generator Enclave. More...
 
EnclaveCredentialsOptions BidirectionalSgxAgeRemoteCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a bidirectionally-authenticated gRPC channel between two SGX enclaves which each use Asylo's Assertion Generator Enclave. More...
 
EnclaveCredentialsOptions SelfSgxAgeRemoteCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a unidirectionally-authenticated gRPC channel. More...
 
EnclaveCredentialsOptions BidirectionalSgxLocalCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a bidirectionally-authenticated gRPC channel between two local SGX enclaves. More...
 
EnclaveCredentialsOptions PeerSgxLocalCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a unidirectionally-authenticated gRPC channel between two local SGX enclaves. More...
 
EnclaveCredentialsOptions SelfSgxLocalCredentialsOptions ()
 Creates options suitable for configuring a credential used in establishing a unidirectionally-authenticated gRPC channel between two local SGX enclaves. More...
 
void SetNullAssertionDescription (AssertionDescription *assertion_description)
 Sets assertion_description to describe a null assertion. More...
 
void SetNullIdentityDescription (EnclaveIdentityDescription *identity_description)
 Sets identity_description to describe a null identity. More...
 
void SetSgxLocalAssertionDescription (AssertionDescription *assertion_description)
 Sets assertion_description to describe an SGX local assertion. More...
 
void SetSgxAgeRemoteAssertionDescription (AssertionDescription *assertion_description)
 Sets assertion_description to describe an SGX remote assertion generated by the Assertion Generator Enclave (AGE). More...
 
void SetSgxIntelEcdsaQeRemoteAssertionDescription (AssertionDescription *assertion_description)
 Sets assertion_description to describe an SGX remote assertion generated by the Intel ECDSA Quoting Enclave (QE). More...
 
void SetSgxIdentityDescription (EnclaveIdentityDescription *identity_description)
 Sets identity_description to describe an SGX identity. More...
 
EnclaveAssertionAuthorityConfig CreateNullAssertionAuthorityConfig ()
 Creates a configuration for the null assertion authority. More...
 
StatusOr< EnclaveAssertionAuthorityConfig > CreateSgxLocalAssertionAuthorityConfig (std::string attestation_domain)
 Creates a configuration for the SGX local assertion authority. More...
 
StatusOr< EnclaveAssertionAuthorityConfig > CreateSgxLocalAssertionAuthorityConfig ()
 Creates a configuration for the SGX local assertion authority. More...
 
StatusOr< EnclaveAssertionAuthorityConfig > CreateSgxAgeRemoteAssertionAuthorityConfig (Certificate intel_root_cert, std::vector< Certificate > certificates, std::string server_address, IdentityAclPredicate age_identity_expectation)
 Creates a configuration for the SGX AGE remote assertion authority. More...
 
StatusOr< EnclaveAssertionAuthorityConfig > CreateSgxAgeRemoteAssertionAuthorityConfig (std::string server_address, SgxIdentity age_identity)
 Creates a configuration for the SGX AGE remote assertion authority. More...
 
StatusOr< bool > EvaluateIdentityAcl (const std::vector< EnclaveIdentity > &identities, const IdentityAclPredicate &acl, const IdentityExpectationMatcher &matcher, std::string *explanation=nullptr)
 Uses matcher to evaluate whether identities satisfies acl. More...
 
 DEFINE_STATIC_MAP_OF_BASE_TYPE (IdentityExpectationMatcherMap, NamedIdentityExpectationMatcher)
 
EnclaveIdentityExpectation CreateNullIdentityExpectation ()
 Returns a default null identity expectation. More...
 
SgxIdentity GetSelfSgxIdentity ()
 Returns the current enclave's identity. More...
 
StatusOr< SgxIdentityMatchSpec > CreateSgxIdentityMatchSpec (SgxIdentityMatchSpecOptions options)
 Returns an SgxIdentityMatchSpec corresponding to options on success or a non-OK Status on failure. More...
 
StatusOr< SgxIdentityExpectation > CreateSgxIdentityExpectation (SgxIdentity identity, SgxIdentityMatchSpec match_spec)
 Returns an SgxIdentityExpectation formed from identity and match_spec, or returns a non-OK Status if either are invalid or if they are incompatible with each other. More...
 
StatusOr< SgxIdentityExpectation > CreateSgxIdentityExpectation (SgxIdentity identity, SgxIdentityMatchSpecOptions options)
 Returns an SgxIdentityExpectation formed from identity and the match spec corresponding to options, or returns a non-OK Status if either are invalid or if they are incompatible with each other. More...
 
bool IsValidSgxIdentity (const SgxIdentity &identity)
 Returns whether identity is valid. More...
 
bool IsValidSgxIdentityMatchSpec (const SgxIdentityMatchSpec &match_spec)
 Returns whether match_spec is valid. More...
 
bool IsValidSgxIdentityExpectation (const SgxIdentityExpectation &expectation)
 Returns whether expectation is valid. More...
 
StatusOr< SgxIdentity > ParseSgxIdentity (const EnclaveIdentity &generic_identity)
 Parses and validates generic_identity, returning an SgxIdentity on success or a non-OK Status on failure. More...
 
StatusOr< SgxIdentityMatchSpec > ParseSgxIdentityMatchSpec (const std::string &generic_match_spec)
 Parses and validates generic_match_spec, returning an SgxIdentityMatchSpec on success or a non-OK Status on failure. More...
 
StatusOr< SgxIdentityExpectation > ParseSgxIdentityExpectation (const EnclaveIdentityExpectation &generic_expectation)
 Parses and validates generic_expectation, returning an SgxIdentityExpectation on success or a non-OK Status on failure. More...
 
StatusOr< EnclaveIdentity > SerializeSgxIdentity (const SgxIdentity &sgx_identity)
 Serializes sgx_identity, returning an EnclaveIdentity on success or a non-OK Status on failure. More...
 
StatusOr< std::string > SerializeSgxIdentityMatchSpec (const SgxIdentityMatchSpec &sgx_match_spec)
 Serializes sgx_match_spec, returning a string on success or a non-OK Status on failure. More...
 
StatusOr< EnclaveIdentityExpectation > SerializeSgxIdentityExpectation (const SgxIdentityExpectation &sgx_expectation)
 Serializes sgx_expectation, returning an EnclaveIdentityExpectation on success or a non-OK Status on failure. More...
 
void SetEnclaveConfigDefaults (const HostConfig &host_config, EnclaveConfig *config)
 
void SetEnclaveConfigDefaults (EnclaveConfig *config)
 Sets critical uninitialized fields in config to default values. More...
 
EnclaveConfig CreateDefaultEnclaveConfig (const HostConfig &host_config)
 
EnclaveConfig CreateDefaultEnclaveConfig ()
 Returns an EnclaveConfig proto with critical fields initialize to default values. More...
 
primitives::ClientLoadEnclaveInChildProcess (absl::string_view enclave_name, void *enclave_base_address, size_t enclave_size)
 
std::ostream & operator<< (std::ostream &os, const SharedName &name)
 
template<>
void MakeCheckOpValueString (std::ostream *os, const std::nullptr_t &p)
 
void set_vlog_level (int level)
 Sets the verbosity threshold for VLOG. More...
 
int get_vlog_level ()
 Gets the verbosity threshold for VLOG. More...
 
bool set_log_directory (const std::string &log_directory)
 Sets the log directory, as specified when this enclave is initialized. More...
 
const std::string get_log_directory ()
 Gets the log directory that was specified when this enclave is initialized. More...
 
bool EnsureDirectory (const char *path)
 Checks the log directory to make sure it's accessible, and creates it if it does not exist. More...
 
bool InitLogging (const char *directory, const char *file_name, int level)
 Initializes minimal logging library. More...
 
template<typename T >
CheckNotNull (const char *file, int line, const char *exprtext, T &&t)
 Logs a message if the given value of type T is null, and then forwards the value. More...
 
template<class T >
bool AbslParseFlag (absl::string_view text, T *flag, std::string *error)
 
template<class T >
std::string AbslUnparseFlag (const T &flag)
 
bool operator== (const Status &lhs, const Status &rhs)
 
bool operator!= (const Status &lhs, const Status &rhs)
 
std::ostream & operator<< (std::ostream &os, const Status &status)
 

Variables

ABSL_CONST_INIT const char kValueMoveConstructorMsg []
 
ABSL_CONST_INIT const char kValueMoveAssignmentMsg []
 
ABSL_CONST_INIT const char kStatusMoveConstructorMsg []
 
ABSL_CONST_INIT const char kValueOrDieMovedMsg []
 
ABSL_CONST_INIT const char kStatusMoveAssignmentMsg []
 

Typedef Documentation

◆ CleansingString

using asylo::CleansingString = typedef std::basic_string<char, std::char_traits<char>, CleansingAllocator<char> >

A string that zeros its memory on free.

Deprecated:
Use CleansingVector instead.

◆ CleansingVector

template<typename T >
using asylo::CleansingVector = typedef std::vector<T, CleansingAllocator<T> >

A vector container that zeros its memory on free.

Enumeration Type Documentation

◆ SgxIdentityMatchSpecOptions

This enum defines a set of recommended match specs.

Users are advised to pick the one that most closely matches their application's security requirements and make adjustments to these match specs as needed.

DEFAULT

  • Requires a match on MRSIGNER, all MISCSELECT bits, and all ATTRIBUTES bits that are considered security-critical by default.
  • Does not require a match on any sgx::MachineConfiguration fields.

STRICT_LOCAL

  • Requires a match on MRENCLAVE, MRSIGNER, all MISCSELECT bits, and all ATTRIBUTES bits.
  • Requires a match on CPUSVN.
    • Note that no other sgx::MachineConfiguration fields are required to match, as they are unavailable in local attestation.

      STRICT_REMOTE

  • Equivalent to the STRICT_LOCAL match spec, with the added requirement of matching all sgx::MachineConfiguration fields (not just CPUSVN).
Enumerator
DEFAULT 
STRICT_LOCAL 
STRICT_REMOTE 

Function Documentation

◆ AbslParseFlag()

template<class T >
bool asylo::AbslParseFlag ( absl::string_view  text,
T *  flag,
std::string *  error 
)

◆ AbslUnparseFlag()

template<class T >
std::string asylo::AbslUnparseFlag ( const T &  flag)

◆ BidirectionalNullCredentialsOptions()

EnclaveCredentialsOptions asylo::BidirectionalNullCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a bidirectionally-unauthenticated gRPC channel between two enclave entities.

A credential configured with these options enforces bidirectional authentication using the null identity. The null identity specifies no identity in particular, which means that the resulting connection is essentially unauthenticated.

Sample usage for creating ::grpc::ChannelCredentials:

std::shared_ptr<::grpc::ChannelCredentials> creds =

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
Returns
Options used to configure gRPC credentials for a bidirectionally-unauthenticated channel.

◆ BidirectionalSgxAgeRemoteCredentialsOptions()

EnclaveCredentialsOptions asylo::BidirectionalSgxAgeRemoteCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a bidirectionally-authenticated gRPC channel between two SGX enclaves which each use Asylo's Assertion Generator Enclave.

A credential configured with these options enforces bidirectional authentication using SGX enclave code identity.

Sample usage for creating ::grpc::ChannelCredentials:

std::shared_ptr<::grpc::ChannelCredentials> creds =

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
Returns
Options used to configure gRPC credentials for a bidirectionally-authenticated channel between SGX enclaves.

◆ BidirectionalSgxLocalCredentialsOptions()

EnclaveCredentialsOptions asylo::BidirectionalSgxLocalCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a bidirectionally-authenticated gRPC channel between two local SGX enclaves.

A credential configured with these options enforces bidirectional authentication using SGX enclave code identity.

Sample usage for creating ::grpc::ChannelCredentials:

std::shared_ptr<::grpc::ChannelCredentials> creds =

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
Returns
Options used to configure gRPC credentials for a bidirectionally-authenticated channel between SGX enclaves on the same platform.

◆ CheckNotNull()

template<typename T >
T asylo::CheckNotNull ( const char *  file,
int  line,
const char *  exprtext,
T &&  t 
)

Logs a message if the given value of type T is null, and then forwards the value.

In C++11, all cases can be handled by a single function. Since the value category of the argument is preserved (also for rvalue references), member initializer lists like the one below will compile correctly:

Foo()
: x_(CHECK_NOTNULL(MethodReturningUniquePtr())) {}
Parameters
fileThe source file that produced the log.
lineThe source code line that produced the log.
exprtextA string representation of the code in file at line.
tThe parameter being checked for null.

◆ CreateDefaultEnclaveConfig() [1/2]

EnclaveConfig asylo::CreateDefaultEnclaveConfig ( const HostConfig &  host_config)
Deprecated:
Returns an EnclaveConfig proto with critical fields initialized to default values.
Parameters
host_configThis parameter is ignored.
Returns
An EnclaveConfig proto with critical fields initialized to their default values.

◆ CreateDefaultEnclaveConfig() [2/2]

EnclaveConfig asylo::CreateDefaultEnclaveConfig ( )

Returns an EnclaveConfig proto with critical fields initialize to default values.

Returns
An EnclaveConfig proto with critical fields initialized to their default values.

◆ CreateNullAssertionAuthorityConfig()

EnclaveAssertionAuthorityConfig asylo::CreateNullAssertionAuthorityConfig ( )

Creates a configuration for the null assertion authority.

This configuration is required when using the NullAssertionGenerator or NullAssertionVerifier.

Returns
A config for the null assertion authority.

◆ CreateNullIdentityExpectation()

EnclaveIdentityExpectation asylo::CreateNullIdentityExpectation ( )

Returns a default null identity expectation.

◆ CreateSgxAgeRemoteAssertionAuthorityConfig() [1/2]

StatusOr<EnclaveAssertionAuthorityConfig> asylo::CreateSgxAgeRemoteAssertionAuthorityConfig ( Certificate  intel_root_cert,
std::vector< Certificate >  certificates,
std::string  server_address,
IdentityAclPredicate  age_identity_expectation 
)

Creates a configuration for the SGX AGE remote assertion authority.

This configuration is required when using the SgxAgeRemoteAssertionGenerator or SgxAgeRemoteAssertionVerifier.

Parameters
intel_certThe Intel root certificate to use for verification.
certificatesA vector of X.509-formatted CA certificates that can be used to verify whether an assertion is valid.
server_addressThe address of the AGE's service.
age_identity_expectationThe identity expectation for the AGE.
Returns
A config for the SGX AGE remote assertion authority.

◆ CreateSgxAgeRemoteAssertionAuthorityConfig() [2/2]

StatusOr<EnclaveAssertionAuthorityConfig> asylo::CreateSgxAgeRemoteAssertionAuthorityConfig ( std::string  server_address,
SgxIdentity  age_identity 
)

Creates a configuration for the SGX AGE remote assertion authority.

This configuration is required when using the SgxAgeRemoteAssertionGenerator or SgxAgeRemoteAssertionVerifier. It uses the Intel root certificate value |kIntelSgxRootCaCertificate| and no additional root certificates. It sets the AGE identity expectation to the default expectation of the given SgxIdentity, as documented by SgxIdentityMatchSpecOptions.

Parameters
server_addressThe address of the AGE's service.
age_identityThe expected identity of the AGE.
Returns
A config for the SGX AGE remote assertion authority.

◆ CreateSgxIdentityExpectation() [1/2]

StatusOr<SgxIdentityExpectation> asylo::CreateSgxIdentityExpectation ( SgxIdentity  identity,
SgxIdentityMatchSpec  match_spec 
)

Returns an SgxIdentityExpectation formed from identity and match_spec, or returns a non-OK Status if either are invalid or if they are incompatible with each other.

◆ CreateSgxIdentityExpectation() [2/2]

StatusOr<SgxIdentityExpectation> asylo::CreateSgxIdentityExpectation ( SgxIdentity  identity,
SgxIdentityMatchSpecOptions  options 
)

Returns an SgxIdentityExpectation formed from identity and the match spec corresponding to options, or returns a non-OK Status if either are invalid or if they are incompatible with each other.

◆ CreateSgxIdentityMatchSpec()

StatusOr<SgxIdentityMatchSpec> asylo::CreateSgxIdentityMatchSpec ( SgxIdentityMatchSpecOptions  options)

Returns an SgxIdentityMatchSpec corresponding to options on success or a non-OK Status on failure.

◆ CreateSgxLocalAssertionAuthorityConfig() [1/2]

StatusOr<EnclaveAssertionAuthorityConfig> asylo::CreateSgxLocalAssertionAuthorityConfig ( std::string  attestation_domain)

Creates a configuration for the SGX local assertion authority.

This configuration is required when using the SgxLocalAssertionGenerator or SgxLocalAssertionVerifier.

Parameters
attestation_domainA 16-byte unique identifier for the SGX machine.
Returns
A config for the SGX local assertion authority.

◆ CreateSgxLocalAssertionAuthorityConfig() [2/2]

StatusOr<EnclaveAssertionAuthorityConfig> asylo::CreateSgxLocalAssertionAuthorityConfig ( )

Creates a configuration for the SGX local assertion authority.

The attestation domain is derived from the per-boot machine UUID in /proc/sys/kernel/random/boot_id.

This configuration is required when using the SgxLocalAssertionGenerator or SgxLocalAssertionVerifier.

/return A config for the SGX local assertion authority.

◆ CreateSha256HashProto()

StatusOr<Sha256HashProto> asylo::CreateSha256HashProto ( absl::string_view  hash_hex)

Returns a Sha256HashProto with the hash of the given |hash_hex|, or a non-OK Status if the provided string is an invalid hex-encoded SHA-256 hash.

◆ DEFINE_STATIC_MAP_OF_BASE_TYPE()

asylo::DEFINE_STATIC_MAP_OF_BASE_TYPE ( IdentityExpectationMatcherMap  ,
NamedIdentityExpectationMatcher   
)

◆ EnclaveChannelCredentials()

std::shared_ptr<::grpc::ChannelCredentials> asylo::EnclaveChannelCredentials ( EnclaveCredentialsOptions  options)

Constructs a grpc::ChannelCredentials object for use in an enclave system.

The configuration options determines which assertions are presented by the entity that wields the resulting credentials object. options must meet the following criteria:

  • options.self_assertions must contain at least one assertion description.
  • options.accepted_peer_assertions must contain at least one assertion description.
Parameters
optionsOptions for configuring the credentials.
Returns
A gRPC channel credentials object.

◆ EnclaveServerCredentials()

std::shared_ptr<::grpc::ServerCredentials> asylo::EnclaveServerCredentials ( EnclaveCredentialsOptions  options)

Constructs a grpc::ServerCredentials object for use in an enclave system.

The configuration options determines which assertions are presented by the entity that wields the resulting credentials object. options must meet the following criteria:

  • options.self_assertions must contain at least one assertion description
  • options.accepted_peer_assertions must contain at least one assertion description
Parameters
optionsOptions for configuring the credentials.
Returns
A gRPC server credentials object.

◆ EnsureDirectory()

bool asylo::EnsureDirectory ( const char *  path)

Checks the log directory to make sure it's accessible, and creates it if it does not exist.

Parameters
pathThe directory to be checked.

◆ EvaluateIdentityAcl()

StatusOr<bool> asylo::EvaluateIdentityAcl ( const std::vector< EnclaveIdentity > &  identities,
const IdentityAclPredicate &  acl,
const IdentityExpectationMatcher matcher,
std::string *  explanation = nullptr 
)

Uses matcher to evaluate whether identities satisfies acl.

The ACL is provided in the form of an IdentityAclPredicate. An IdentityAclPredicate is a recursive proto, each layer of which must conform to the following constraints:

  • A nested IdentityAclPredicate predicate must have predicate.item set.
  • A nested IdentityAclGroup group must have a non-empty group.predicates.
    • If group.type is GroupType::NOT, group.predicates must contain exactly one predicate.

Returns a non-OK status if acl is malformed or if matcher.MatchAndExplain() returns a non-OK status when invoked with any of identities.

Parameters
identitiesA list of identities to match against the ACL.
aclAn ACL specifying expectations on an identity.
matcherThe matcher to use to evaluate identities against acl.
[out]explanationAn explanation of why the match failed, if the result is false.
Returns
A bool indicating whether the ACL evaluated to true, or a non-OK Status if any if the inputs are invalid.

◆ get_log_directory()

const std::string asylo::get_log_directory ( )

Gets the log directory that was specified when this enclave is initialized.

Returns
The directory where the log files will be.

◆ get_vlog_level()

int asylo::get_vlog_level ( )

Gets the verbosity threshold for VLOG.

A VLOG command with a level greater than this will be ignored.

Returns
The current verbosity threshold for VLOG.

◆ GetSelfSgxIdentity()

SgxIdentity asylo::GetSelfSgxIdentity ( )

Returns the current enclave's identity.

◆ InitLogging()

bool asylo::InitLogging ( const char *  directory,
const char *  file_name,
int  level 
)

Initializes minimal logging library.

For untrusted logging, the program name specified by argv0 will be used as log filename; For enclave logging, the enclave name will be used as log filename (any slashes or dots will be removed). This method is called during enclave initialization. For untrusted logging, this should be called in main().

Parameters
directoryThe log file directory.
file_nameThe name of the log file.
levelThe verbosity threshold for VLOG commands. A VLOG command with a level equal to or lower than it will be logged.

◆ IsValidSgxIdentity()

bool asylo::IsValidSgxIdentity ( const SgxIdentity &  identity)

Returns whether identity is valid.

An SgxIdentity is considered valid if its MISCSELECT and ATTRIBUTES properties are set and any additional fields present in the message are valid as well.

◆ IsValidSgxIdentityExpectation()

bool asylo::IsValidSgxIdentityExpectation ( const SgxIdentityExpectation &  expectation)

Returns whether expectation is valid.

An SgxIdentityExpectation is valid if its identity and match spec components are valid and they are both compatible with each other.

◆ IsValidSgxIdentityMatchSpec()

bool asylo::IsValidSgxIdentityMatchSpec ( const SgxIdentityMatchSpec &  match_spec)

Returns whether match_spec is valid.

An SgxIdentityMatchSpec is valid if all of its constituent fields are set.

◆ LoadEnclaveInChildProcess()

primitives::Client* asylo::LoadEnclaveInChildProcess ( absl::string_view  enclave_name,
void *  enclave_base_address,
size_t  enclave_size 
)

◆ MakeCheckOpValueString()

template<>
void asylo::MakeCheckOpValueString ( std::ostream *  os,
const std::nullptr_t &  p 
)

◆ operator!=() [1/2]

bool asylo::operator!= ( const Sha256HashProto &  lhs,
const Sha256HashProto &  rhs 
)

Compares two Sha256HashProto messages for inequality.

◆ operator!=() [2/2]

bool asylo::operator!= ( const Status lhs,
const Status rhs 
)

◆ operator<<() [1/2]

std::ostream& asylo::operator<< ( std::ostream &  os,
const SharedName name 
)
inline

◆ operator<<() [2/2]

std::ostream& asylo::operator<< ( std::ostream &  os,
const Status status 
)

◆ operator==() [1/2]

bool asylo::operator== ( const Sha256HashProto &  lhs,
const Sha256HashProto &  rhs 
)

Compares two Sha256HashProto messages for equality.

◆ operator==() [2/2]

bool asylo::operator== ( const Status lhs,
const Status rhs 
)

◆ ParseSgxIdentity()

StatusOr<SgxIdentity> asylo::ParseSgxIdentity ( const EnclaveIdentity &  generic_identity)

Parses and validates generic_identity, returning an SgxIdentity on success or a non-OK Status on failure.

◆ ParseSgxIdentityExpectation()

StatusOr<SgxIdentityExpectation> asylo::ParseSgxIdentityExpectation ( const EnclaveIdentityExpectation &  generic_expectation)

Parses and validates generic_expectation, returning an SgxIdentityExpectation on success or a non-OK Status on failure.

◆ ParseSgxIdentityMatchSpec()

StatusOr<SgxIdentityMatchSpec> asylo::ParseSgxIdentityMatchSpec ( const std::string &  generic_match_spec)

Parses and validates generic_match_spec, returning an SgxIdentityMatchSpec on success or a non-OK Status on failure.

◆ PeerNullCredentialsOptions()

EnclaveCredentialsOptions asylo::PeerNullCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a unidirectionally-unauthenticated gRPC channel between two enclave entities.

A credential configured with these options enforces unidirectional authentication using the null identity. The null identity specifies no identity in particular, which means that in the resulting connection the peer does not authenticate.

Sample usage for creating ::grpc::ChannelCredentials:

std::shared_ptr<::grpc::ChannelCredentials> creds =

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
Returns
Options used to configure gRPC credentials for a channel that is unauthenticated on the peer's end.

◆ PeerSgxAgeRemoteCredentialsOptions()

EnclaveCredentialsOptions asylo::PeerSgxAgeRemoteCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a unidirectionally-authenticated gRPC channel where it accepts identities attested by a remote SGX enclave using Asylo's Assertion Generator Enclave.

A credential configured with these options enforces that the peer authenticates using SGX enclave code identity attested by Asylo's Assertion Generator Enclave..

Sample usage for creating ::grpc::ChannelCredentials:

std::shared_ptr<::grpc::ChannelCredentials> creds =

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
Returns
Options used to configure gRPC credentials for a channel that is unidirectionally-authenticated on the peer's end using SGX enclave code identity.

◆ PeerSgxLocalCredentialsOptions()

EnclaveCredentialsOptions asylo::PeerSgxLocalCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a unidirectionally-authenticated gRPC channel between two local SGX enclaves.

A credential configured with these options enforces that the peer authenticates using SGX enclave code identity.

Sample usage for creating ::grpc::ChannelCredentials:

std::shared_ptr<::grpc::ChannelCredentials> creds =

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
Returns
Options used to configure gRPC credentials for a channel that is unidirectionally-authenticated on the peer's end using SGX enclave code identity.

◆ SelfNullCredentialsOptions()

EnclaveCredentialsOptions asylo::SelfNullCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a unidirectionally-unauthenticated gRPC channel between two enclave entities.

A credential configured with these options enforces unidirectional authentication using the null identity. The null identity specifies no identity in particular, which means that in the resulting connection the credential holder does not authenticate.

Sample usage for creating ::grpc::ChannelCredentials:

std::shared_ptr<::grpc::ChannelCredentials> creds =

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
Returns
Options used to configure gRPC credentials for a channel that is unauthenticated on the credential holder's end.

◆ SelfSgxAgeRemoteCredentialsOptions()

EnclaveCredentialsOptions asylo::SelfSgxAgeRemoteCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a unidirectionally-authenticated gRPC channel.

A credential configured with these options enforces that the credential holder authenticates using SGX enclave code identity attested by Asylo's Assertion Generator Enclave.

Sample usage for creating ::grpc::ChannelCredentials:

std::shared_ptr<::grpc::ChannelCredentials> creds =

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
Returns
Options used to configure gRPC credentials for a channel that is unidirectionally-authenticated on the credential holder's end using SGX enclave code identity.

◆ SelfSgxLocalCredentialsOptions()

EnclaveCredentialsOptions asylo::SelfSgxLocalCredentialsOptions ( )

Creates options suitable for configuring a credential used in establishing a unidirectionally-authenticated gRPC channel between two local SGX enclaves.

A credential configured with these options enforces that the credential holder authenticates using SGX enclave code identity.

Sample usage for creating ::grpc::ChannelCredentials:

std::shared_ptr<::grpc::ChannelCredentials> creds =

Sample usage for creating ::grpc::ServerCredentials:

std::shared_ptr<::grpc::ServerCredentials> creds =
Returns
Options used to configure gRPC credentials for a channel that is unidirectionally-authenticated on the credential holder's end using SGX enclave code identity.

◆ SerializeSgxIdentity()

StatusOr<EnclaveIdentity> asylo::SerializeSgxIdentity ( const SgxIdentity &  sgx_identity)

Serializes sgx_identity, returning an EnclaveIdentity on success or a non-OK Status on failure.

◆ SerializeSgxIdentityExpectation()

StatusOr<EnclaveIdentityExpectation> asylo::SerializeSgxIdentityExpectation ( const SgxIdentityExpectation &  sgx_expectation)

Serializes sgx_expectation, returning an EnclaveIdentityExpectation on success or a non-OK Status on failure.

◆ SerializeSgxIdentityMatchSpec()

StatusOr<std::string> asylo::SerializeSgxIdentityMatchSpec ( const SgxIdentityMatchSpec &  sgx_match_spec)

Serializes sgx_match_spec, returning a string on success or a non-OK Status on failure.

◆ set_log_directory()

bool asylo::set_log_directory ( const std::string &  log_directory)

Sets the log directory, as specified when this enclave is initialized.

This is only set once. Any request to reset it will return false.

Parameters
log_directoryThe log file directory.
Returns
True if and only if the log directory is set successfully.

◆ set_vlog_level()

void asylo::set_vlog_level ( int  level)

Sets the verbosity threshold for VLOG.

A VLOG command with a level greater than this will be ignored.

Parameters
levelThe verbosity threshold for VLOG to be set. A VLOG command with level less than or equal to this will be logged.

◆ SetEnclaveConfigDefaults() [1/2]

void asylo::SetEnclaveConfigDefaults ( const HostConfig &  host_config,
EnclaveConfig *  config 
)
Deprecated:
Sets critical uninitialized fields in config to default values.
Parameters
host_configValues to set in the host_config field of config.
config[out]EnclaveConfig object to populate.

◆ SetEnclaveConfigDefaults() [2/2]

void asylo::SetEnclaveConfigDefaults ( EnclaveConfig *  config)

Sets critical uninitialized fields in config to default values.

Parameters
config[out]EnclaveConfig object to populate.

◆ SetNullAssertionDescription()

void asylo::SetNullAssertionDescription ( AssertionDescription *  assertion_description)
inline

Sets assertion_description to describe a null assertion.

Parameters
assertion_descriptionThe AssertionDescription to populate.

◆ SetNullIdentityDescription()

void asylo::SetNullIdentityDescription ( EnclaveIdentityDescription *  identity_description)
inline

Sets identity_description to describe a null identity.

Parameters
identity_descriptionThe EnclaveIdentityDescription to populate.

◆ SetSgxAgeRemoteAssertionDescription()

void asylo::SetSgxAgeRemoteAssertionDescription ( AssertionDescription *  assertion_description)
inline

Sets assertion_description to describe an SGX remote assertion generated by the Assertion Generator Enclave (AGE).

Parameters
assertion_descriptionThe AssertionDescription to populate.

◆ SetSgxIdentityDescription()

void asylo::SetSgxIdentityDescription ( EnclaveIdentityDescription *  identity_description)
inline

Sets identity_description to describe an SGX identity.

Parameters
identity_descriptionThe EnclaveIdentityDescription to populate.

◆ SetSgxIntelEcdsaQeRemoteAssertionDescription()

void asylo::SetSgxIntelEcdsaQeRemoteAssertionDescription ( AssertionDescription *  assertion_description)
inline

Sets assertion_description to describe an SGX remote assertion generated by the Intel ECDSA Quoting Enclave (QE).

Parameters
assertion_descriptionThe AssertionDescription to populate.

◆ SetSgxLocalAssertionDescription()

void asylo::SetSgxLocalAssertionDescription ( AssertionDescription *  assertion_description)
inline

Sets assertion_description to describe an SGX local assertion.

Parameters
assertion_descriptionThe AssertionDescription to populate.

◆ ValidateSha256HashProto()

Status asylo::ValidateSha256HashProto ( const Sha256HashProto &  hash_proto)

Validates that |hash_proto| has a hash that is exactly 32 bytes.

Variable Documentation

◆ kStatusMoveAssignmentMsg

ABSL_CONST_INIT const char asylo::kStatusMoveAssignmentMsg[]

◆ kStatusMoveConstructorMsg

ABSL_CONST_INIT const char asylo::kStatusMoveConstructorMsg[]

◆ kValueMoveAssignmentMsg

ABSL_CONST_INIT const char asylo::kValueMoveAssignmentMsg[]

◆ kValueMoveConstructorMsg

ABSL_CONST_INIT const char asylo::kValueMoveConstructorMsg[]

◆ kValueOrDieMovedMsg

ABSL_CONST_INIT const char asylo::kValueOrDieMovedMsg[]