Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/google/channel-id-enclave
Stores Chromium Channel ID private keys in an Intel SGX enclave.
https://github.com/google/channel-id-enclave
Last synced: about 1 month ago
JSON representation
Stores Chromium Channel ID private keys in an Intel SGX enclave.
- Host: GitHub
- URL: https://github.com/google/channel-id-enclave
- Owner: google
- Archived: true
- Created: 2016-06-11T00:31:30.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2016-06-13T18:41:56.000Z (over 8 years ago)
- Last Synced: 2024-08-03T01:24:31.369Z (4 months ago)
- Homepage:
- Size: 24.4 KB
- Stars: 33
- Watchers: 7
- Forks: 17
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- Awesome-SGX-Open-Source - https://github.com/google/channel-id-enclave
README
# Channel ID Private Key Protection
## About
There are two related patches in this project: The BoringSSL patch enables an
opaque key for Channel ID, and the Chromium patch enables an opaque key along
with providing an implementation of hardware-backed keys using the Intel SGX
SDK. Together, these patches demonstrate how Chromium could store its Channel ID
private keys in an Intel SGX enclave.
## Compile and run
Follow the following steps to compile and run:
1. Be on a machine with an SGX processor.
2. Enter the BIOS settings, and make sure SGX is set to `enabled`.
3. Install Linux.
4. Install the SGX Alpha SDK, following the included instructions.
5. Download the chromium repository following the instructions available. We
will call its path ``.
6. Checkout commit `f594a1085b49369c2479e5526dd0ef8b116e9af0` in the chromium
repository.
7. `cd third_party/boringssl/src`, checkout commit
`afe57cb14d36f70ad4a109fc5e7765d1adc67035`.
8. Chrome uses an included root to handle packages.
```
cd build/linux/debian_wheezy_-sysroot/
mkdir opt && cd opt && mkdir intel && cd intel
cp -r /opt/intel/sgxsdk .
```
9. Set up pkgconfig by creating the file `/usr/lib/pkgconfig/sgx.pc` with contents:
```
prefix=/opt/intel/sgxsdk
exec_prefix=${prefix}
includedir=${prefix}/include
libdir=${prefix}/lib64
Name: sgx
Description: Intel SGX SDK for Linux
Version: 1.0.0
Cflags: -I${includedir}
Libs: -L${libdir} -lsgx_urts -lsgx_uae_service -lsgx_tservice
```
10. add to `~/.bashrc`:
```
export LD_LIBRARY_PATH=/lib64:/usr/lib:/opt/intel/sgxsdk/lib64
export CHROME_DEVEL_SANDBOX="/usr/local/sbin/chrome-devel-sandbox"
```
(this second one should already be there if chrome compiles properly)
11. Apply `chromium/chromium.patch` to `/src`.
12. Apply `boringssl/bssl.patch` to `third_party/boringssl/src`.
13. If you're using gn, from `/src`:
```
gn args out/Default
add the line:
enable_nacl = false
```
14. Compile the enclave
```
cd net/ssl
make
cd ../../
```
15. Compile chrome
(first time: `ninja -C out/Default chrome chrome_sandbox`)
```
ninja -C out/Default chrome
```
16. Run chrome
```
out/Default/chrome
```
17. Load google.com
If you want to run tests:
```
ninja -C out/Default net_unittests
out/Default/net_unittests --gtest_filter=*ChannelID*
```
There are more tests within boringssl, with instructions in
`third_party/boringssl/src/BUILDING.md`