apache / incubator-teaclave-sgx-sdk

Apache Teaclave (incubating) SGX SDK helps developers write Intel SGX applications in the Rust programming language. It is also known as Rust SGX SDK.
https://teaclave.apache.org
Apache License 2.0
1.17k stars 262 forks

samplecode/mutual-ra fails to build against new third_party forks #130

Closed brenzi closed 5 years ago

brenzi commented 5 years ago

First issues I encountered:

brenzi commented 5 years ago

Do you have plans to move all samplecode dependencies to the new forks? I think this would be helpful for devs, as sample code can be transferred to one's own implementation more easily (no need to fix relative paths in Cargo.toml). More transparent tracking of upstream changes.

Currently, the forks and the third_party folder have inconsistent upstream versions. Wouldn't it be easier for maintenance to just drop the third_party folder altogether?

dingelish commented 5 years ago

Yeah. I have some colleagues who finished porting all of the RA code to depend on the forks! We've solved all of those problems :-)

Yeah, I have that plan to move all of those dependencies to the new forks! So let me start from the RA-based samples this week.

dingelish commented 5 years ago

And I'm playing with a customized crates-io. Now I can upload crates but not download. If it's fully functional, do you prefer that private crates.io, or a GitHub-based fork solution?

brenzi commented 5 years ago

My two cents: If your private registry works as described here, I'm in favor of this solution, as versioning is clearly readable when reading the toml. However, the question remains how you will tag your versions against upstream versions. I'd like to see the upstream version in the toml as primary information. But it might happen that you have patch versions for the sgx port which don't fit SemVer and therefore would be missing from the version string. Maybe that's acceptable, but it certainly causes ambiguity.

The git variant wouldn't suffer this issue as you'll have to solve the tagging problem anyway, but you're not bound to SemVer.

dingelish commented 5 years ago

@brenzi

mutual-ra is updated. Please try!

electronix commented 5 years ago

@dingelish

I tried the updated code and it works!

Output of the server (some parts removed to reduce noise):

[+] Home dir is /home/marcel
[-] Open token file /home/marcel/enclave.token error! Will create one.
[+] Init Enclave Successful 2!
Running as server...
new client from V4(127.0.0.1:38278)
Entering ocall_sgx_init_quote
eg = [64, 11, 0, 0]
get_sigrl_from_intel fd = 7
GET /attestation/sgx/v3/sigrl/00000b40 HTTP/1.1
HOST: /attestation/sgx/v3/sigrl/

write complete
read_to_end complete
HTTP/1.1 200 OK
content-length: 0
request-id: 580a8d723cd84a37b977640fcf2a4b4e
date: Mon, 17 Jun 2019 12:45:58 GMT
Connection: keep-alive

parse_response_sigrl
parse result Ok(Complete(145))
parse responseResponse { ... }
OK Operation Successful
content length = 0
Report creation => success [131, 215, 25, 231, 125, 234, 202, 20, 112, 246, 186, 246, 42, 77, 119, 67, 3, 200, 153, 219, 105, 2, 15, 156, 112, 238, 29, 252, 8, 199, 206, 158]
rand finished
Entering ocall_get_quote
quote size = 1116
sgx_calc_quote_size returned SGX_SUCCESS.
rsgx_verify_report passed!
qe_report check passed
rhs hash = 9BA7BC617686ED5EC76BA60A19B164E908B1730172447FBE86C1994D9C45964B
report hs= 9BA7BC617686ED5EC76BA60A19B164E908B1730172447FBE86C1994D9C45964B
get_report_from_intel fd = 7
POST /attestation/sgx/v3/report HTTP/1.1
HOST: test-as.sgx.trustedservices.intel.com
Content-Length:1512
Content-Type: application/json

{...}

write complete
read_to_end complete
resp_string = HTTP/1.1 200 OK
request-id: c6b8158f94904639897e7002b0a623fc
date: Mon, 17 Jun 2019 12:46:04 GMT
content-type: application/json
content-length: 978
x-iasreport-signature: <SIGNATURE_REMOVED>
x-iasreport-signing-certificate: <CERTIFICATE_REMOVED>
advisory-url: https://security-center.intel.com
advisory-ids: INTEL-SA-00233,INTEL-SA-00161
Connection: keep-alive

<CONTENT_REMOVED>
parse_response_attn_report
parse result Ok(Complete(4443))
OK Operation Successful
content length = 978
Attestation report: <ATTESTION_REPORT_REMOVED>
client cert: <CERTIFICATE_REMOVED>
Cert is good
Signature good
Time diff = 5
isvEnclaveQuoteStatus = GROUP_OUT_OF_DATE
rt=SGX_ERROR_UPDATE_NEEDED
update_info.pswUpdate: 0
update_info.csmeFwUpdate: 0
update_info.ucodeUpdate: 1
outdated_ok is set, overriding outdated error
Client said: hello
ECALL success!
[+] Done!

We will now integrate some parts in our application. Issue can be closed. Thanks for your great and quick support! Marcel