Make it work with the new security monitor (#18)

CMakeLists.txt

@@ -71,7 +71,7 @@ target_link_libraries(${host_bin} ${KEYSTONE_LIB_HOST} ${KEYSTONE_LIB_EDGE} ${KE
 
 set(eyrie_files_to_copy eyrie-rt)
 add_eyrie_runtime(${eapp_bin}-eyrie
-  "origin/master"
+  "v1.0.0"
   ${eyrie_plugins}
   ${eyrie_files_to_copy})
 

README.md

@@ -15,12 +15,45 @@ The demo will generally work on the master branch of Keystone, but
 will ALWAYS work on the dev branch. We suggest building the dev branch
 of Keystone if you have any issues with the demo on master.
 
+# Quick Start
+
+The demo requires the expected hash of the security monitor.
+The hash will be used by the trusted client to verify that the server enclave
+is created and initialized by the known version of the SM.
+
+If you want to skip this verification, you can pass in `--ignore-valid` flag
+to the client.
+
+Please see the security monitor's documentation to see how to generate a hash.
+
+Once you generated the `sm_expected_hash.h`, try:
+
+```
+SM_HASH=<path/to/sm_expected_hash.h> ./quick-start.sh
+```
+
+You should be able to see the server enclave package `demo-server.ke` and the
+trusted client `trusted_client.riscv` under `build` directory.
+
+Copy these files into the machine, and run the server enclave.
+Then, connect to the server using the client.
+
+```
+# on the server side
+./demo-server.ke
+```
+
+```
+# on the client side
+./trusted_client.riscv
+```
+
+The client will connect to the enclave and perform the remote attestation.
+If the attestation is successful, the client can send an arbitrary message to the server
+so that the server counts the number of words in the message and reply.
+
 ## Attestation Failures
 
 It is expected that the client will reject the attestation report from
 the host if you haven't regenerated the expected hashes for the SM and
-eapp.
-
-You can either use `make build-hash-using-qemu` to attempt a rebuild
-with new hashes or pass the `--ignore-valid` flag to the client for
-testing.
+eapp. Pass the `--ignore-valid` flag to the client for testing.

include/enclave_expected_hash.h

@@ -1,9 +1,11 @@
 unsigned char enclave_expected_hash[] = {
-  0xc3, 0x77, 0x32, 0x1b, 0xb3, 0x9f, 0x2a, 0x61, 0xac, 0x68, 0x6c, 0xcb,
-  0x00, 0x08, 0x6d, 0x72, 0x7f, 0x5d, 0xb7, 0x30, 0x49, 0x86, 0xe8, 0x54,
-  0xba, 0x3a, 0xa1, 0x77, 0xcd, 0xce, 0xfa, 0x0b, 0x58, 0x3e, 0x5d, 0xec,
-  0x53, 0xbc, 0x5a, 0x95, 0xb9, 0xd0, 0x34, 0xb0, 0xc0, 0x1a, 0xe5, 0x4e,
-  0xd5, 0x22, 0x3b, 0xd9, 0x66, 0x77, 0x7a, 0x6a, 0x9d, 0xdc, 0x17, 0x4d,
-  0xab, 0x33, 0x8e, 0x93
+  0x24, 0x68, 0x70, 0x51, 0x40, 0x1f, 0x75, 0x27,
+  0x6f, 0xdb, 0x98, 0xd1, 0xd1, 0xdb, 0x6f, 0xff,
+  0x7a, 0x8a, 0x72, 0x14, 0x91, 0x2f, 0x43, 0x1a,
+  0x13, 0xa9, 0x63, 0x10, 0x2c, 0xba, 0xb1, 0x06,
+  0x97, 0x29, 0xc7, 0x14, 0x3f, 0x2d, 0xb1, 0x94,
+  0xcd, 0x18, 0xf3, 0xdc, 0xbd, 0x90, 0x77, 0xc1,
+  0xcc, 0x00, 0x86, 0x86, 0x80, 0x32, 0xb1, 0x9e,
+  0x9d, 0x4c, 0x3d, 0x88, 0x1f, 0x90, 0x8b, 0x57,
 };
 unsigned int enclave_expected_hash_len = 64;

quick-start.sh

@@ -29,9 +29,9 @@ then
     exit 0
 fi
 
-if [[ ! -v KEYSTONE_DIR ]]
+if [[ ! -v SM_HASH ]]
 then
-    echo "KEYSTONE_DIR is not set! Please set this to where you cloned Keystone repo."
+    echo "SM_HASH is not set! Please follow README to generate the expected hash"
     exit 0
 fi
 
@@ -78,13 +78,14 @@ cd ..
 
 # Copy the expected hash over
 echo "Copying expected sm hash from riscv-pk, this may be incorrect!"
-cp $KEYSTONE_DIR/riscv-pk/hash/*.h include/
+cp $SM_HASH include/
 
 # Build the demo
 mkdir -p build
 cd build
 cmake ..
 make
+make package
 
 # Done!
 echo -e "************ Demo binaries built and copied into overlay directory. ***************

server_eapp/channel.c

@@ -4,6 +4,11 @@
 #include "string.h"
 #include "edge_wrapper.h"
 
+unsigned char server_pk[crypto_kx_PUBLICKEYBYTES], server_sk[crypto_kx_SECRETKEYBYTES];
+unsigned char client_pk[crypto_kx_PUBLICKEYBYTES];
+unsigned char rx[crypto_kx_SESSIONKEYBYTES];
+unsigned char tx[crypto_kx_SESSIONKEYBYTES];
+
 void channel_init(){
 
   /* libsodium config */

server_eapp/channel.h

@@ -6,10 +6,10 @@ void channel_establish();
 int channel_recv(unsigned char* msg_buffer, size_t len, size_t* datalen);
 size_t channel_get_send_size(size_t len);
 void channel_send(unsigned char* msg, size_t len, unsigned char* ctx);
-unsigned char server_pk[crypto_kx_PUBLICKEYBYTES], server_sk[crypto_kx_SECRETKEYBYTES];
-unsigned char client_pk[crypto_kx_PUBLICKEYBYTES];
-unsigned char rx[crypto_kx_SESSIONKEYBYTES];
-unsigned char tx[crypto_kx_SESSIONKEYBYTES];
+extern unsigned char server_pk[], server_sk[];
+extern unsigned char client_pk[];
+extern unsigned char rx[];
+extern unsigned char tx[];
 
 
 #endif /* _CHANNEL_H_ */