Solidshield Systemic SGX
Overview
Solidshield Systemic SGX provides strong baseline protection for binaries and can be used by itself or complemented by Solidshield code protection modes. Binaries are protected in confidentiality and integrity both in cold storage and at run-time, featuring Control Flow Shadowing and run-time integrity checks, using an enclave that exploits the hardware security extensions of Intel SGX.
Introduction
Solidshield Systemic works by encrypting the binary with a symmetric AES-128-GCM key and signing the encrypted data with a private RSA-3072 key.
Both keys are supplied at protection time. When the binary is loaded at run-time, the protected program does the following:
- Verifies the signature of encrypted data using the public RSA signing key
- Decrypts the encrypted data (code and read-only data) using the symmetric key
The RSA public key and the AES symmetric key are embedded into the binary in an encrypted payload that is only decrypted inside the trusted environment of an enclave, so they never leave the enclave. The enclave verifies the encrypted parts of the binary, decrypts them and launches the binary.
To go beyond the integrity check at launch, Systemic SGX can trigger checks from within the enclave at run-time without impacting performance.
Pre-requisites
In order to use Systemic SGX on a target system, the Intel(R) SGX driver, SDK and PSW package need to be installed. They can be built from source and installed following the guide available at the official GitHub repository.
Note
In order to run binaries protected in Systemic SGX mode, make sure that enclave.signed.so and libsolidgate_64.so are available in the working directory from which the main binary is executed. These two libraries are available in the /bin directory of the Solid_Examples.zip package, available for download in the Overview tab of the Management panel.
Supported targets
- ELF x86-64
- ELF x86
- PE x86
- PE x86-64
- Java
Technical details
The main differences from Solidshield Systemic, apart from the use of an enclave with Intel SGX extensions, lie in the keys and algorithms used to encrypt and sign the binary. For Systemic SGX, they are:
- AES-128-GCM encryption algorithm, so with a 16-byte encryption key.
- RSA-3072 signing algorithm, with public exponent set to 3.
Note
An RSA key that meets the above requirements can be generated with openssl genrsa -out private_key.pem -3 3072
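The load-time sequence from the Introduction (verify the signature over the encrypted data, then decrypt) with the key parameters listed above, as an added, constructed model that is not Solidshield's code. The signature scheme (PKCS#1 v1.5 over SHA-256 of nonce||ciphertext) and the blob layout are assumptions; the real enclave format is not documented here. Requires the `cryptography` package.

```python
"""Constructed model of the Systemic SGX protect/load sequence (not
Solidshield code). Assumptions: the RSA signature is PKCS#1 v1.5 over
SHA-256 of nonce||ciphertext; the real enclave format is not public."""
import os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

EXIT_BAD_SIGNATURE = 120  # exit code from the page: signature/key problem
EXIT_BAD_DECRYPT = 122    # exit code from the page: symmetric decrypt failed


def generate_keys():
    """Key material with the parameters the page requires: RSA-3072 with
    public exponent 3 (same as `openssl genrsa -3 3072`) and a 16-byte
    AES-128-GCM key."""
    priv = rsa.generate_private_key(public_exponent=3, key_size=3072)
    return priv, os.urandom(16)


def protect(plaintext: bytes, priv, aes_key: bytes) -> dict:
    """Protection-time step: encrypt code/read-only data with AES-128-GCM,
    then sign the *encrypted* data with the RSA private key."""
    if len(aes_key) != 16:
        raise ValueError("AES-128-GCM needs a 16-byte key (32 hex chars)")
    nonce = os.urandom(12)
    ct = AESGCM(aes_key).encrypt(nonce, plaintext, None)  # GCM tag appended
    sig = priv.sign(nonce + ct, padding.PKCS1v15(), hashes.SHA256())
    return {"nonce": nonce, "ciphertext": ct, "signature": sig}


def load(blob: dict, pub, aes_key: bytes):
    """Load-time step in the order the page describes: check the key
    parameters and signature first, decrypt only afterwards. Returns
    (exit_code, plaintext or None) using the page's exit codes."""
    if pub.key_size != 3072 or pub.public_numbers().e != 3:
        return EXIT_BAD_SIGNATURE, None  # wrong key, as exit 120 hints
    try:
        pub.verify(blob["signature"], blob["nonce"] + blob["ciphertext"],
                   padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return EXIT_BAD_SIGNATURE, None
    try:
        pt = AESGCM(aes_key).decrypt(blob["nonce"], blob["ciphertext"], None)
    except InvalidTag:  # wrong symmetric key or tampered data
        return EXIT_BAD_DECRYPT, None
    return 0, pt
```

Because the signature covers the ciphertext, a tampered binary fails at the signature step (exit 120) before any decryption is attempted; only a wrong symmetric key reaches the GCM tag failure (exit 122).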
Protection parameters
Description | SSP Project Field | sldcmd Parameters |
---|---|---|
Enable systemic SGX | "sgx": true / false | -systemic-sgx |
Signing RSA-3072 private .pem key content | "signingPrivate": "-----BEGIN RSA PRIVATE KEY-----..." | |
Signing RSA-3072 public .pem key content | "signingPublic": "-----BEGIN PUBLIC KEY-----" | |
Full path for the RSA-3072 signing private .pem key file | | -sys-sig-pri "<PEMfilePath>" |
Full path for the RSA-3072 signing public .pem key file | | -sys-sig-pub "<PEMfilePath>" |
Hex string representing the AES-128-GCM symmetric encryption key | "encryptionSymmetricKey": "" | -sys-sym-key "<hexKey, eg: A1B2C3...>" |
Error exit codes
Exit Code | Description |
---|---|
120 | Error verifying signature; possibly the public key was either wrong (check that it is RSA-3072 with public exponent 3) or not supplied. |
121 | Could not change memory protection (either writeable before decrypting or non-writeable after decryption) |
122 | Error when performing symmetric decryption. Possible HMAC mismatch. |
124 | Error when decrypting metadata with supplied key. Check the SLD_MD_KEY. |
Command-line usage examples
Providing everything as command-line arguments, without an existing SSP project file:
# connection details
serverHost=10.0.2.104:443
username="admin@solidshield.com"
password="demoadmin"
# systemic encryption symmetric AES key
aesKeySgx=E76B2413958B001EE76B2413958B001E
./sldcmd-lin64.exe -i "tests/sortingtest2.exe" -o "out/" -h "$serverHost" -n "Test Product" -u "$username" -w "$password" -systemic-sgx -sys-sig-pub "keys/signing-public-3072.pem" -sys-sig-pri "keys/signing-private-3072.pem" -sys-sym-key "$aesKeySgx"