feat(rtc_uenclave::enclaves::rtc_auth): expose the save_access_key ECALL

ntls-io · Jun 21, 2021 · c05ba1c · c05ba1c
1 parent 80def4f
commit c05ba1c
Showing 1 changed file with 43 additions and 1 deletion.
diff --git a/rtc_uenclave/src/enclaves/rtc_auth.rs b/rtc_uenclave/src/enclaves/rtc_auth.rs
@@ -1,9 +1,11 @@
 use std::borrow::Borrow;
 
-use crate::{AttestationError, EnclaveConfig, EnclaveReportResult, RtcEnclave};
 use auth_sys::AuthSys;
+use rtc_types::enclave_messages::set_access_key;
 use sgx_types::*;
 
+use crate::{AttestationError, EnclaveConfig, EnclaveReportResult, RtcEnclave};
+
 /// Wraps all the functionality for interacting with the auth enclave
 pub struct RtcAuthEnclave<TCfg>(RtcEnclave<TCfg, AuthSys>)
 where
@@ -33,6 +35,17 @@ where
         self.0.dcap_attestation_azure()
     }
 
+    /// Save the generated access key for some data.
+    ///
+    /// This should be called from the data enclave with messages encrypted
+    /// using an established protected channel.
+    pub fn save_access_key(
+        &self,
+        encrypted_request: set_access_key::EncryptedRequest,
+    ) -> Result<set_access_key::SetAccessKeyResult, sgx_status_t> {
+        ecalls::save_access_key(self.0.geteid(), encrypted_request)
+    }
+
     /// Take ownership of self and drop resources
     pub fn destroy(self) {
         // Take ownership of self and drop
@@ -48,3 +61,32 @@ where
         self.0.geteid()
     }
 }
+
+mod ecalls {
+    //! Rust-friendly wrappers for the Edger8r-generated untrusted ECALL bridge functions.
+
+    use auth_sys::ffi;
+    use rtc_types::enclave_messages::{ffi_set_access_key, set_access_key};
+    use sgx_types::{sgx_enclave_id_t, sgx_status_t};
+
+    /// Implement [`super::RtcAuthEnclave::save_access_key`].
+    ///
+    /// This takes care of converting between the [`set_access_key`] and [`ffi_set_access_key`] types.
+    pub(crate) fn save_access_key(
+        eid: sgx_enclave_id_t,
+        encrypted_request: set_access_key::EncryptedRequest,
+    ) -> Result<set_access_key::SetAccessKeyResult, sgx_status_t> {
+        let mut retval = ffi_set_access_key::SetAccessKeyResult::default();
+        let encrypted_request: ffi_set_access_key::SetAccessKeyEncryptedRequest =
+            encrypted_request.into();
+
+        // Safety: Copies ffi_set_access_key::SetAccessKeyResult into retval,
+        // but only valid for sgx_status_t::SGX_SUCCESS.
+        let status = unsafe { ffi::rtc_auth_save_access_key(eid, &mut retval, encrypted_request) };
+
+        match status {
+            sgx_status_t::SGX_SUCCESS => Ok(set_access_key::SetAccessKeyResult::from(retval)),
+            err => Err(err),
+        }
+    }
+}