More specifically, an Secp256k1 key pair generator & message signer where both the enclave and the app are written in pure Rust. Made possible by the fantastic Rust SGX Software Developer Kit by Baidux Labs: https://github.com/baidu/rust-sgx-sdk
Intel SGX Ethereum Key Management CLI.
Copyright: 2018 Oraclize.it
Questions: [email protected]
Usage: ethkeysgx generate [--keyfile=<path>]
ethkeysgx show public [--keyfile=<path>]
ethkeysgx show secret [--keyfile=<path>]
ethkeysgx show address [--keyfile=<path>]
ethkeysgx sign <message> [--keyfile=<path>] [-n | --noprefix]
ethkeysgx verify <address> <message> <signature> [--keyfile=<path>] [-n | --noprefix]
ethkeysgx [-h | --help]
Options:
-h, --help ❍ Show this usage message.
--keyfile=<path> ❍ Path to desired encrypted keyfile. [default: ./encrypted_keypair]
-n, --noprefix ❍ Does not add the ethereum message prefix when signing or verifying
a signed message. Messages signed with no prefix are NOT ECRecoverable!
Commands:
generate ❍ Generates an secp256k1 keypair inside an SGX enclave, encrypts
them & saves to disk as either ./encrypted_keypair.txt in the
current directory, or at the passed in path.
show public ❍ Log the public key from the given encrypted keypair to the console.
show secret ❍ Log the private key from the given encrypted keypair to the console.
sign ❍ Signs a passed in message using key pair provided, otherwise uses
default keypair if it exists. Defaults to using the ethereum message
prefix and ∴ signatures are ECRecoverable.
verify ❍ Verify a given address signed a given message with a given signature.
❍ Pull requisite files:
Pull the Rust SGX SDK Docker image
❍ sgx-nuc@~$ docker pull baiduxlab/sgx-rust
Clone this Repo
❍ sgx-nuc@~$ git clone https://gitlab.com/gskapka/secp256k1-enclave-rust.git
❍ Prepare the Docker Container:
If using SIMULATION mode:
❍ sgx-nuc@~$ sudo docker run -v /path/to/secp256k1-enclave-rust:/root/keygen -ti baiduxlab/sgx-rust
Else if using HARDWARE mode:
❍ sgx-nuc@~$ sudo docker run -v/path/to/secp256k1-enclave-rust:/root/keygen -ti --device /dev/isgx baiduxlab/sgx-rust
Rebuild the tool chain:
❍ sgx-nuc-docker@~# rustup default nightly-2018-10-01-x86_64-unknown-linux-gnu
Add required components:
❍ sgx-nuc-docker@~# rustup component add rust-src
Finally, if using HARDWARE mode, import the service:_
❍ sgx-nuc-docker@~# /opt/intel/libsgx-enclave-common/aesm/aesm_service &
❍ Prepare the keygen:
In the ❍ sgx-nuc-docker@~/keygen
directory inside the docker, first ensure the desired mode (SW or HW) is set correctly inside the Makefile
:
// ... Beginning of file ...
######## SGX SDK Settings ########
SGX_SDK ?= /opt/intel/sgxsdk
SGX_MODE ?= HW // <-- This option. HW for Hardware or SW for software.
SGX_ARCH ?= x64
// ... Remainder of file ...
Next, set the environment variable inside the docker to the desired mode:
❍ sgx-nuc-docker@~/keygen# export SGX_MODE=HW
Then build the project:
❍ sgx-nuc-docker@~/keygen# make
And finally run it to see the usage notes:
❍ sgx-nuc-docker@~/keygen# cd bin && ./ethkeysgx
✅ Refactor to lib crate.
✅ Test on real nuc in HW mode.
✅ Make CLI with Docopt.
🔲 Remotely attest!
✅ Make ECRecoverable sigs.
🔲 Stream to the enc. to allow file encryption.
🔲 Add rudimentary password protection.
🔲 Use mister enclave instead of mister signer!
🔲 Make threaded to have vanity addresses (can limit tried?)
🔲 Abstract out generic enclave funcs (mem. allocing etc)
✅ Separate the app from the SDK repo enclave to make it lean and mean.
🔲 Add transaction signing.
🔲 Make a stand alone binary for D/L.
🔲 Add a monotonic counter to the key accesses.
🔲 Add a monotonic counter to tx signing events.