Add SGX private key provider and fuzz tests

* Add SGX private key provider and fuzz tests (envoyproxy#227) * Add fuzz test for sgx private key protection (envoyproxy#151) * Fix factory_context issues. * Fix fallback method in sgx private_key_provider. * temporarily disable sgx fuzz testing * Fix duplicate udpa symbols. Signed-off-by: Liu, Qiming <[email protected]> Signed-off-by: Huang Xin <[email protected]> Signed-off-by: Qiming Liu <[email protected]> Co-authored-by: Qiming <[email protected]>
soulxu · Feb 26, 2024 · f741e79 · f741e79
1 parent 79cb30e
commit f741e79
Show file tree

Hide file tree

Showing 26 changed files with 1,506 additions and 1 deletion.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -29,7 +29,8 @@ jobs:
         ENVOY_DOCKER_BUILD_DIR=/home/cicd ./ci/run_envoy_docker.sh "./ci/do_ci.sh release \
         -- //test/... //contrib/... @com_github_google_quiche//:ci_tests \
         -//test/extensions/filters/listener/original_dst:original_dst_integration_test \
-        -//test/common/network:io_socket_handle_impl_integration_test"
+        -//test/common/network:io_socket_handle_impl_integration_test \
+        -//contrib/sgx/private_key_providers/test:sgx_fuzz_test"
 
     #- name: Cleanup Image Resources
     #  if: always()

diff --git a/CODEOWNERS b/CODEOWNERS
@@ -379,3 +379,4 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 /contrib/dlb @mattklein123 @daixiang0
 /contrib/qat/ @giantcroc @soulxu
 /contrib/generic_proxy/ @wbpcode @soulxu @zhaohuabing @rojkov @htuch
+/contrib/sgx/ @gyohuangxin @qiming-007
diff --git a/api/BUILD b/api/BUILD
@@ -99,6 +99,7 @@ proto_library(
         "//contrib/envoy/extensions/network/connection_balance/dlb/v3alpha:pkg",
         "//contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha:pkg",
         "//contrib/envoy/extensions/private_key_providers/qat/v3alpha:pkg",
+        "//contrib/envoy/extensions/private_key_providers/sgx/v3alpha:pkg",
         "//contrib/envoy/extensions/regex_engines/hyperscan/v3alpha:pkg",
         "//contrib/envoy/extensions/router/cluster_specifier/golang/v3alpha:pkg",
         "//contrib/envoy/extensions/vcl/v3alpha:pkg",

diff --git a/api/contrib/envoy/extensions/private_key_providers/sgx/v3alpha/BUILD b/api/contrib/envoy/extensions/private_key_providers/sgx/v3alpha/BUILD
@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_xds//udpa/annotations:pkg"],
+)
diff --git a/api/contrib/envoy/extensions/private_key_providers/sgx/v3alpha/sgx.proto b/api/contrib/envoy/extensions/private_key_providers/sgx/v3alpha/sgx.proto
@@ -0,0 +1,35 @@
+syntax = "proto3";
+
+package envoy.extensions.private_key_providers.sgx.v3alpha;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.private_key_providers.sgx.v3alpha";
+option java_outer_classname = "SgxProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/private_key_providers/sgx/v3alpha";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: SGX private key provider]
+// [#extension: envoy.tls.key_providers.sgx]
+
+// [#next-free-field: 7]
+message SgxPrivateKeyMethodConfig {
+  // Path to the ctk library file.
+  string sgx_library = 1;
+
+  // Label of the key.
+  string key_label = 2;
+
+  // User PIN.
+  string usr_pin = 3;
+
+  // Security Officer user Pin.
+  string so_pin = 4;
+
+  // Label of the token.
+  string token_label = 5;
+
+  // Type of the key pair in SGX enclave, `rsa` or `ecdsa`.
+  string key_type = 6;
+}
diff --git a/api/versioning/BUILD b/api/versioning/BUILD
@@ -37,6 +37,7 @@ proto_library(
         "//contrib/envoy/extensions/network/connection_balance/dlb/v3alpha:pkg",
         "//contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha:pkg",
         "//contrib/envoy/extensions/private_key_providers/qat/v3alpha:pkg",
+        "//contrib/envoy/extensions/private_key_providers/sgx/v3alpha:pkg",
         "//contrib/envoy/extensions/regex_engines/hyperscan/v3alpha:pkg",
         "//contrib/envoy/extensions/router/cluster_specifier/golang/v3alpha:pkg",
         "//contrib/envoy/extensions/vcl/v3alpha:pkg",

diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -370,6 +370,7 @@ def envoy_dependencies(skip_targets = []):
     )
 
     _com_github_fdio_vpp_vcl()
+    _pkcs11_header_files()
 
     # Unconditional, since we use this only for compiler-agnostic fuzzing utils.
     _org_llvm_releases_compiler_rt()
@@ -1469,6 +1470,22 @@ def _utf8_range():
 def _rules_ruby():
     external_http_archive("rules_ruby")
 
+def _pkcs11_header_files():
+    external_http_archive(
+        name = "pkcs11",
+        build_file_content = """
+filegroup(
+    name = "pkcs11headers",
+    srcs = glob([
+        "include/pkcs11-v2.40/pkcs11.h",
+        "include/pkcs11-v2.40/pkcs11f.h",
+        "include/pkcs11-v2.40/pkcs11t.h",
+    ]),
+    visibility = ["@envoy//contrib/sgx/private_key_providers/source:__pkg__"],
+)
+""",
+    )
+
 def _foreign_cc_dependencies():
     external_http_archive("rules_foreign_cc")
 

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -1555,6 +1555,18 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         extensions = ["envoy.compression.qatzip.compressor"],
         cpe = "N/A",
     ),
+    pkcs11 = dict(
+        project_name = "PKCS #11",
+        project_desc = "PKCS #11 Cryptographic Token Interface Base Specification",
+        project_url = "http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html",
+        version = "2.40",
+        sha256 = "676fc5ae927c15536453d34848f5dde3726d9c26d39a1032bcb7c7a3060fe255",
+        urls = ["http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/os/pkcs11-base-v2.40-errata01-os.zip"],
+        use_category = ["dataplane_ext"],
+        extensions = ["envoy.tls.key_providers.sgx"],
+        release_date = "2016-05-13",
+        cpe = "N/A",
+    ),
 )
 
 def _compiled_protoc_deps(locations, versions):

diff --git a/contrib/all_contrib_extensions.bzl b/contrib/all_contrib_extensions.bzl
@@ -18,6 +18,8 @@ ARM64_SKIP_CONTRIB_TARGETS = [
     "envoy.tls.key_providers.qat",
     "envoy.network.connection_balance.dlb",
     "envoy.compression.qatzip.compressor",
+    "envoy.regex_engines.hyperscan",
+    "envoy.tls.key_providers.sgx",
 ]
 PPC_SKIP_CONTRIB_TARGETS = [
     "envoy.tls.key_providers.cryptomb",
@@ -26,6 +28,7 @@ PPC_SKIP_CONTRIB_TARGETS = [
     "envoy.network.connection_balance.dlb",
     "envoy.regex_engines.hyperscan",
     "envoy.compression.qatzip.compressor",
+    "envoy.tls.key_providers.sgx",
 ]
 
 def envoy_all_contrib_extensions(denylist = []):

diff --git a/contrib/contrib_build_config.bzl b/contrib/contrib_build_config.bzl
@@ -42,6 +42,7 @@ CONTRIB_EXTENSIONS = {
 
     "envoy.tls.key_providers.cryptomb":                         "//contrib/cryptomb/private_key_providers/source:config",
     "envoy.tls.key_providers.qat":                              "//contrib/qat/private_key_providers/source:config",
+    "envoy.tls.key_providers.sgx":                              "//contrib/sgx/private_key_providers/source:config",
 
     #
     # Socket interface extensions

diff --git a/contrib/extensions_metadata.yaml b/contrib/extensions_metadata.yaml
@@ -83,6 +83,11 @@ envoy.tls.key_providers.qat:
   - envoy.tls.key_providers
   security_posture: robust_to_untrusted_downstream
   status: alpha
+envoy.tls.key_providers.sgx:
+  categories:
+  - envoy.tls.key_providers
+  security_posture: robust_to_untrusted_downstream
+  status: alpha
 envoy.bootstrap.vcl:
   categories:
   - envoy.bootstrap

diff --git a/contrib/sgx/private_key_providers/source/BUILD b/contrib/sgx/private_key_providers/source/BUILD
@@ -0,0 +1,62 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_extension",
+    "envoy_cc_library",
+    "envoy_contrib_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_contrib_package()
+
+envoy_cc_library(
+    name = "sgx_private_key_provider_lib",
+    srcs = [
+        "sgx.cc",
+        "sgx_private_key_provider.cc",
+        "utility.cc",
+    ],
+    hdrs = [
+        "sgx.h",
+        "sgx_private_key_provider.h",
+        "utility.h",
+        "@pkcs11//:pkcs11headers",
+    ],
+    copts = ["-I external/pkcs11/include/pkcs11-v2.40"],
+    external_deps = ["ssl"],
+    repository = "@envoy",
+    deps = [
+        "//envoy/api:api_interface",
+        "//envoy/event:dispatcher_interface",
+        "//envoy/registry",
+        "//envoy/server:transport_socket_config_interface",
+        "//envoy/ssl/private_key:private_key_config_interface",
+        "//envoy/ssl/private_key:private_key_interface",
+        "//source/common/common:logger_lib",
+        "//source/common/common:thread_lib",
+        "//source/common/common:utility_lib",
+        "//source/common/config:datasource_lib",
+        "//source/common/grpc:async_client_lib",
+        "//source/common/grpc:typed_async_client_lib",
+        "@envoy_api//contrib/envoy/extensions/private_key_providers/sgx/v3alpha:pkg_cc_proto",
+    ],
+)
+
+envoy_cc_extension(
+    name = "config",
+    srcs = ["config.cc"],
+    hdrs = ["config.h"],
+    copts = ["-I external/pkcs11/include/pkcs11-v2.40"],
+    visibility = ["//visibility:public"],
+    deps = [
+        ":sgx_private_key_provider_lib",
+        "//envoy/registry",
+        "//envoy/ssl/private_key:private_key_config_interface",
+        "//envoy/ssl/private_key:private_key_interface",
+        "//source/common/common:logger_lib",
+        "//source/common/config:utility_lib",
+        "//source/common/protobuf:utility_lib",
+        "@envoy_api//contrib/envoy/extensions/private_key_providers/sgx/v3alpha:pkg_cc_proto",
+        "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
+    ],
+)
diff --git a/contrib/sgx/private_key_providers/source/config.cc b/contrib/sgx/private_key_providers/source/config.cc
@@ -0,0 +1,45 @@
+#include "contrib/sgx/private_key_providers/source/config.h"
+
+#include <memory>
+
+#include "envoy/registry/registry.h"
+#include "envoy/server/transport_socket_config.h"
+
+#include "source/common/config/utility.h"
+#include "source/common/protobuf/message_validator_impl.h"
+#include "source/common/protobuf/utility.h"
+
+#include "contrib/envoy/extensions/private_key_providers/sgx/v3alpha/sgx.pb.h"
+#include "contrib/envoy/extensions/private_key_providers/sgx/v3alpha/sgx.pb.validate.h"
+#include "contrib/sgx/private_key_providers/source/sgx.h"
+#include "openssl/ssl.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace PrivateKeyMethodProvider {
+namespace Sgx {
+
+Ssl::PrivateKeyMethodProviderSharedPtr
+SgxPrivateKeyMethodFactory::createPrivateKeyMethodProviderInstance(
+    const envoy::extensions::transport_sockets::tls::v3::PrivateKeyProvider& proto_config,
+    Server::Configuration::TransportSocketFactoryContext& private_key_provider_context) {
+  ProtobufTypes::MessagePtr message = std::make_unique<
+      envoy::extensions::private_key_providers::sgx::v3alpha::SgxPrivateKeyMethodConfig>();
+
+  Config::Utility::translateOpaqueConfig(proto_config.typed_config(),
+                                         ProtobufMessage::getNullValidationVisitor(), *message);
+  const envoy::extensions::private_key_providers::sgx::v3alpha::SgxPrivateKeyMethodConfig conf =
+      MessageUtil::downcastAndValidate<
+          const envoy::extensions::private_key_providers::sgx::v3alpha::SgxPrivateKeyMethodConfig&>(
+          *message, private_key_provider_context.messageValidationVisitor());
+
+  SgxSharedPtr sgx = std::make_shared<Sgx>();
+  return std::make_shared<SgxPrivateKeyMethodProvider>(conf, private_key_provider_context, sgx);
+}
+
+REGISTER_FACTORY(SgxPrivateKeyMethodFactory, Ssl::PrivateKeyMethodProviderInstanceFactory);
+
+} // namespace Sgx
+} // namespace PrivateKeyMethodProvider
+} // namespace Extensions
+} // namespace Envoy
diff --git a/contrib/sgx/private_key_providers/source/config.h b/contrib/sgx/private_key_providers/source/config.h
@@ -0,0 +1,29 @@
+#pragma once
+
+#include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
+#include "envoy/ssl/private_key/private_key.h"
+#include "envoy/ssl/private_key/private_key_config.h"
+
+#include "source/common/common/logger.h"
+
+#include "contrib/sgx/private_key_providers/source/sgx_private_key_provider.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace PrivateKeyMethodProvider {
+namespace Sgx {
+
+class SgxPrivateKeyMethodFactory : public Ssl::PrivateKeyMethodProviderInstanceFactory,
+                                   public Logger::Loggable<Logger::Id::connection> {
+public:
+  Ssl::PrivateKeyMethodProviderSharedPtr createPrivateKeyMethodProviderInstance(
+      const envoy::extensions::transport_sockets::tls::v3::PrivateKeyProvider& message,
+      Server::Configuration::TransportSocketFactoryContext& private_key_provider_context) override;
+
+  std::string name() const override { return "sgx"; };
+};
+
+} // namespace Sgx
+} // namespace PrivateKeyMethodProvider
+} // namespace Extensions
+} // namespace Envoy