# Keystone Security Monitor
This repository contains Keystone Security Monitor (SM) which is
the core software of [Keystone enclave](https://keystone-encloave.org) framework.
The security monitor has been originally implemented on top of the Berkeley Boot Loader (BBL),
but we decided to port it over to OpenSBI.
To see the old BBL version, please go to https://github.com/keystone-enclave/riscv-pk
We have changed all of our SBI functions to follow OpenSBI's SBI specification.
To see the spec, please see `spec` directory.
This version does not contain the Rust implementation that was in BBL version.
We will port the Rust version in the future.
## Initialize
Update the submodules.
```
git submodule update --init
```
OpenSBI is a submodule of this repository.
We periodically check for new OpenSBI versions for bump.
## Build
You can build the bootloader firmware with Keystone security monitor using OpenSBI's out-of-tree platform build.
```
make -C opensbi O=<build dir> PLATFORM_DIR=$(pwd)/plat/generic CROSS_COMPILE=riscv64-unknown-elf- FW_PAYLOAD_PATH=<path/to/linux/image> FW_PAYLOAD=y
```
In order to build 32-bit firmware, try:
```
make -C opensbi O=<build dir> PLATFORM_DIR=$(pwd)/plat/generic CROSS_COMPILE=riscv32-unknown-elf- FW_PAYLOAD_PATH=<path/to/linux/image> FW_PAYLOAD=y PLATFORM_RISCV_XLEN=32
```
Replace <build dir> with your build directory path and <path/to/linux/image> with Linux image.
For other platforms, please refer to the [Keystone documentation](https://docs.keystone-enclave.org).
The firmware will be generated under `<build dir>/platform/generic/firmware`
## Unit Test
Our unit tests are implemented with CMocka, and will run on RISC-V QEMU.
Please make sure `qemu-riscv64` (or `qemu-riscv32` for rv32) is in your PATH.
You can also download the prebuilt QEMU by:
```
wget https://keystone-enclave.eecs.berkeley.edu/files/qemu-riscv64
```
The test requires patched OpenSBI firmware because of software-simulated secure boot keys.
The patch is under `tests/patch`.
Please apply any patches under the directory to the opensbi submodule.
To run the tests, try the following:
```
cd tests
mkdir build
cd build
cmake ..
make test
```
## Hash Generation
In order to perform remote attestation and verify the security monitor,
you need an expected 64-byte hash of the security monitor firmware image.
We provide a simple tool for generating a header `sm_expected_hash.h` that contains
the expected hash for a given firmware image.
```
cd tools
make
make hash FW_PATH=<firmware path>
```
Where `<firmware path>` is the path containing OpenSBI's firmware images
(i.e., `fw_payload.elf` and `fw_payload.bin`)
The default `<firmware path>` is `../../build/sm.build/platform/generic/firmware`.
Thus, if you have already built the security monitor in the Keystone build directory, you can just do
```
make hash
```
You can see the generated `sm_expected_hash.h` that you can use for the remote attestation.
Here is an example:
```cpp
unsigned char sm_expected_hash[] = {
0x63,0x6a,0xc1,0x7c,0x15,0xb4,0x68,0xb9,
0x48,0x14,0xc7,0xaf,0xad,0xba,0xd3,0xc4,
0x57,0xd1,0xe3,0x68,0xc1,0x83,0x10,0xbd,
0x0d,0x9d,0x43,0x93,0x72,0xc2,0xc7,0x81,
0x27,0x17,0xb1,0x3f,0xda,0x8e,0x12,0x33,
0x5e,0xfe,0xdb,0xbc,0x5d,0x84,0x55,0x8f,
0xa3,0xb9,0x80,0xb2,0x47,0x87,0x67,0x1e,
0xcc,0x81,0x4a,0x8f,0xce,0xb3,0x30,0x1e,};
unsigned int sm_expected_hash_len = 64;
```
没有合适的资源?快使用搜索试试~ 我知道了~
温馨提示
Keystone 是一个开源项目,用于为各种平台和用例构建基于 RISC-V 的可定制可信执行环境(TEE),Keystone 的目标是建立一个安全可靠的开源安全硬件飞地 enclave,可应用于广泛的应用程序和设备。 具有 Keystone 功能的系统由多个处于不同特权模式的组件组成: 1.Trusted Hardware是由值得信赖的供应商构建的 CPU IP,必须包含 Keystone 兼容的标准 RISC-V 内核和信任根。硬件还可能包含可选功能,如缓存分区、内存加密、加密安全的随机性来源等。安全监视器需要特定于平台的插件来提供可选功能支持。 2.安全监视器(SM)是带有小型 TCB 的 M 模式软件。SM 为管理飞地的生命周期以及利用平台特定功能提供了一个接口。SM 强制执行 Keystone 的大部分安全保证,因为它管理飞地和不受信任的操作系统之间的隔离边界。 3.飞地 4.飞地应用 5.运行时
资源推荐
资源详情
资源评论
收起资源包目录
系统安全领域,虚拟化、系统隔离,secure monitor,用于构建安全可信的运行环境 (439个子文件)
libcmocka-static.a 150KB
libcmocka-static-32.a 96KB
make.bat 791B
mss_sys_services.c 59KB
aes.c 38KB
fe.c 38KB
fe.c 38KB
fe.c 36KB
mss_uart.c 29KB
sc.c 22KB
sc.c 22KB
printf.c 21KB
sc.c 21KB
enclave.c 19KB
io_wrap.c 16KB
tiny-malloc.c 16KB
pmp.c 13KB
net_wrap.c 11KB
syscall.c 11KB
elf.c 10KB
ge.c 10KB
ge.c 10KB
merkle.c 10KB
merkle.c 10KB
ge.c 9KB
edge_syscall.c 9KB
fu540_internal.c 8KB
platform.c 7KB
keystone-ioctl.c 7KB
test_pmp.c 7KB
platform.c 7KB
mm.c 7KB
paging.c 7KB
attest.c 6KB
linux_wrap.c 6KB
page_swap.c 5KB
sha256.c 5KB
waymasks.c 5KB
uart_helper.c 5KB
sbi_trap_hack.c 5KB
sm.c 5KB
hkdf_sha3_512.c 5KB
boot.c 5KB
hmac_sha3.c 4KB
page_swap.c 4KB
sha3.c 4KB
sha3.c 4KB
string.c 4KB
platform.c 4KB
sha3.c 4KB
test_enclave.c 4KB
bootloader.c 4KB
data-sealing_with_output.c 4KB
edge_call.c 4KB
thread.c 3KB
keystone-enclave.c 3KB
keystone-page.c 3KB
sbi.c 3KB
freemem.c 3KB
keystone.c 3KB
env.c 3KB
sm-sbi.c 3KB
sm-sbi-opensbi.c 2KB
rt_util.c 2KB
string.c 2KB
elf64.c 2KB
elf32.c 2KB
platform.c 1KB
data-sealing.c 1KB
verify.c 1KB
edge_dispatch.c 1KB
verify.c 1KB
opensbi.c 1KB
hash_generator.c 1KB
sifive_fu540.c 1KB
hss_clock.c 1KB
crypto.c 1KB
interrupt.c 1KB
syscall.c 1KB
edge_wrapper.c 1KB
attestor.c 1KB
multimem.c 1022B
platform.c 976B
untrusted.c 974B
string.c 960B
edge_wrapper.c 914B
fib-bench.c 896B
vm.c 892B
ipi.c 879B
sign.c 819B
sign.c 816B
sign.c 813B
cpu.c 747B
eapp_native.c 715B
keystone-sbi.c 680B
mprv.c 654B
attestation.c 594B
csr_helper.c 584B
fibonacci.c 547B
malloc.c 481B
共 439 条
- 1
- 2
- 3
- 4
- 5
资源评论
书香度年华
- 粉丝: 1w+
- 资源: 383
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
最新资源
- Cisco 思科 CP-7945g 7965g sip模式固件 9.4.2
- 贪吃蛇方案设计的方法.zip
- 微信支付账单(20240731-20240731).zip
- minio20240920.tar
- 集成供应链(Integrated Supply Chain,ISC)核心业务流程再造,华为的最佳实践
- zabbix-server-pgsql-7.0-centos-latest.tar
- zabbix-web-apache-pgsql-7.0-centos-latest.tar
- Altium Designer 24.9.1 Build 31 (x64)
- 基于JAVA的人机对弈的一字棋系统设计与实现课程设计源代码,极大极小搜索和α-β搜索算法
- 电子回单_2024092100085000842531409053050071685353.pdf
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功