Asylo
sgx_identity_util.h
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2019 Asylo authors
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef ASYLO_IDENTITY_SGX_SGX_IDENTITY_UTIL_H_
20 #define ASYLO_IDENTITY_SGX_SGX_IDENTITY_UTIL_H_
21 
22 #include <string>
23 
24 #include "asylo/identity/identity.pb.h"
25 #include "asylo/identity/sgx/sgx_identity.pb.h"
26 #include "asylo/util/statusor.h"
27 
28 namespace asylo {
29 
30 /// This enum defines a set of recommended match specs. Users are advised to
31 /// pick the one that most closely matches their application's security
32 /// requirements and make adjustments to these match specs as needed.
33 ///
34 /// ### `DEFAULT`
35 /// - Requires a match on MRSIGNER, all MISCSELECT bits, and all ATTRIBUTES
36 /// bits that are considered security-critical by default.
37 /// - Does not require a match on any `sgx::MachineConfiguration` fields.
38 ///
39 /// ### `STRICT_LOCAL`
40 /// - Requires a match on MRENCLAVE, MRSIGNER, all MISCSELECT bits, and all
41 /// ATTRIBUTES bits.
42 /// - Requires a match on CPUSVN.
43 /// - Note that no other `sgx::MachineConfiguration` fields are required to
44 /// match, as they are unavailable in local attestation.
45 /// ### `STRICT_REMOTE`
46 /// - Equivalent to the `STRICT_LOCAL` match spec, with the added requirement of
47 /// matching all `sgx::MachineConfiguration` fields (not just CPUSVN).
49 
50 /// Returns the current enclave's identity.
52 
53 /// Returns an `SgxIdentityMatchSpec` corresponding to `options` on success or a
54 /// non-OK Status on failure.
57 
58 /// Returns an `SgxIdentityExpectation` formed from `identity` and `match_spec`,
59 /// or returns a non-OK Status if either are invalid or if they are
60 /// incompatible with each other.
63 
64 /// Returns an `SgxIdentityExpectation` formed from `identity` and the match
65 /// spec corresponding to `options`, or returns a non-OK Status if either are
66 /// invalid or if they are incompatible with each other.
69 
70 /// Returns whether `identity` is valid.
71 ///
72 /// An `SgxIdentity` is considered valid if its MISCSELECT and ATTRIBUTES
73 /// properties are set and any additional fields present in the message are
74 /// valid as well.
75 bool IsValidSgxIdentity(const SgxIdentity &identity);
76 
77 /// Returns whether `match_spec` is valid.
78 ///
79 /// An `SgxIdentityMatchSpec` is valid if all of its constituent fields are set.
80 bool IsValidSgxIdentityMatchSpec(const SgxIdentityMatchSpec &match_spec);
81 
82 /// Returns whether `expectation` is valid.
83 ///
84 /// An `SgxIdentityExpectation` is valid if its identity and match spec
85 /// components are valid and they are both compatible with each other.
86 bool IsValidSgxIdentityExpectation(const SgxIdentityExpectation &expectation);
87 
88 /// Parses and validates `generic_identity`, returning an `SgxIdentity` on
89 /// success or a non-OK Status on failure.
91 
92 /// Parses and validates `generic_match_spec`, returning an
93 /// `SgxIdentityMatchSpec` on success or a non-OK Status on failure.
95  const std::string &generic_match_spec);
96 
97 /// Parses and validates `generic_expectation`, returning an
98 /// `SgxIdentityExpectation` on success or a non-OK Status on failure.
101 
102 /// Serializes `sgx_identity`, returning an `EnclaveIdentity` on success or a
103 /// non-OK Status on failure.
105 
106 /// Serializes `sgx_match_spec`, returning a string on success or a non-OK
107 /// Status on failure.
110 
111 /// Serializes `sgx_expectation`, returning an `EnclaveIdentityExpectation` on
112 /// success or a non-OK Status on failure.
115 
116 } // namespace asylo
117 
118 #endif // ASYLO_IDENTITY_SGX_SGX_IDENTITY_UTIL_H_
StatusOr< EnclaveIdentityExpectation > SerializeSgxIdentityExpectation(const SgxIdentityExpectation &sgx_expectation)
Serializes sgx_expectation, returning an EnclaveIdentityExpectation on success or a non-OK Status on ...
StatusOr< SgxIdentityExpectation > CreateSgxIdentityExpectation(SgxIdentity identity, SgxIdentityMatchSpec match_spec)
Returns an SgxIdentityExpectation formed from identity and match_spec, or returns a non-OK Status if ...
StatusOr< SgxIdentityMatchSpec > ParseSgxIdentityMatchSpec(const std::string &generic_match_spec)
Parses and validates generic_match_spec, returning an SgxIdentityMatchSpec on success or a non-OK Sta...
StatusOr< SgxIdentityExpectation > ParseSgxIdentityExpectation(const EnclaveIdentityExpectation &generic_expectation)
Parses and validates generic_expectation, returning an SgxIdentityExpectation on success or a non-OK ...
SgxIdentity GetSelfSgxIdentity()
Returns the current enclave&#39;s identity.
SgxIdentityMatchSpecOptions
This enum defines a set of recommended match specs.
Definition: sgx_identity_util.h:48
bool IsValidSgxIdentityExpectation(const SgxIdentityExpectation &expectation)
Returns whether expectation is valid.
ABSL_CONST_INIT const char kStatusMoveAssignmentMsg[]
StatusOr< std::string > SerializeSgxIdentityMatchSpec(const SgxIdentityMatchSpec &sgx_match_spec)
Serializes sgx_match_spec, returning a string on success or a non-OK Status on failure.
bool IsValidSgxIdentityMatchSpec(const SgxIdentityMatchSpec &match_spec)
Returns whether match_spec is valid.
StatusOr< EnclaveIdentity > SerializeSgxIdentity(const SgxIdentity &sgx_identity)
Serializes sgx_identity, returning an EnclaveIdentity on success or a non-OK Status on failure...
StatusOr< SgxIdentity > ParseSgxIdentity(const EnclaveIdentity &generic_identity)
Parses and validates generic_identity, returning an SgxIdentity on success or a non-OK Status on fail...
bool IsValidSgxIdentity(const SgxIdentity &identity)
Returns whether identity is valid.
StatusOr< SgxIdentityMatchSpec > CreateSgxIdentityMatchSpec(SgxIdentityMatchSpecOptions options)
Returns an SgxIdentityMatchSpec corresponding to options on success or a non-OK Status on failure...
StatusOr< SgxIdentityExpectation > CreateSgxIdentityExpectation(SgxIdentity identity, SgxIdentityMatchSpecOptions options)
Returns an SgxIdentityExpectation formed from identity and the match spec corresponding to options...