加入DEK_FILE_PATH和DEK_SEALED_PATH到配置中

en_config.h.in

@@ -24,5 +24,9 @@
 #define BACKUP_BIN_PATH             ENCRYPTSQL_INSTALL_DIR "/bin/backup"
 #define RESTORE_BIN_PATH            ENCRYPTSQL_INSTALL_DIR "/bin/restore"
 
+// 客户端侧用于decryptres解密
+#define DEK_FILE_PATH               ENCRYPTSQL_CONFIG_DIR "/dek"
+// 服务端用于存储加密的DEK
+#define DEK_SEALED_PATH             ENCRYPTSQL_CONFIG_DIR "/dek.sealed"
 
 #endif /* ENCRYPTSQL_CONFIG_H */

readme.md

@@ -40,6 +40,33 @@ cmake ..
 make
 make test
 sudo make install
+
+# 安装DCAP组件
+wget -qO- https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
+  | sudo gpg --dearmor -o /usr/share/keyrings/intel-sgx.gpg
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] \
+  https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" \
+  | sudo tee /etc/apt/sources.list.d/intel-sgx.list
+sudo apt update
+sudo apt install libsgx-dcap-ql libsgx-dcap-quote-verify \ 
+libsgx-enclave-common libsgx-urts libsgx-dcap-default-qpl \
+sgx-aesm-service
+
+# 安装Open Enclave SDK依赖
+wget -qO- https://packages.microsoft.com/keys/microsoft.asc \
+  | sudo gpg --dearmor -o /usr/share/keyrings/microsoft-oe.gpg
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft-oe.gpg] \
+  https://packages.microsoft.com/ubuntu/20.04/prod focal main" \
+  | sudo tee /etc/apt/sources.list.d/openenclave.list
+sudo apt update
+sudo apt install open-enclave
+vim ~/.bashrc
+# vim 打开后，将以下内容插入
+export PKG_CONFIG_PATH=${PKG_CONFIG_PATH}:/opt/openenclave/share/pkgconfig
+export CMAKE_PREFIX_PATH=${CMAKE_PREFIX_PATH}:/opt/openenclave/lib/openenclave/cmake
+export PATH=${PATH}:/opt/openenclave/bin
+export OE_SDK_PATH=/opt/openenclave
+source ~/.bashrc
 ```
 
 ### 1.2 PostgreSQL安装
@@ -47,13 +74,8 @@ sudo make install
 现版本为PostgreSQL-14.2
 
 ```shell
-# 下载安装PostgreSQL-14.2
-wget https://ftp.postgresql.org/pub/source/v14.2/postgresql-14.2.tar.gz
-tar -xzvf postgresql-14.2.tar.gz
-
-# 解压本项目EncDB，并放到postgresql-14.2/src/interfaces/libpq路径下
-unzip encryptsql.zip
-cp -r encryptsql/ postgresql-14.2/src/interfaces/libpq/
+# 解压 PG
+tar -xzvf postgresql_final.tar.gz
 
 # 将pg编译到/usr/local/postgresql路径下
 sudo mkdir /usr/local/postgresql
@@ -118,7 +140,34 @@ sudo head -c 16 /dev/urandom > frag_b
 sudo head -c 16 /dev/urandom > frag_c
 ```
 
-### 1.3 配置数据库
+### 1.3 订阅 PCS 服务
+登录 PCS 服务官网，在`Manage Subscription` 中查看 API 密钥
+`https://api.portal.trustedservices.intel.com/products#product=liv-intel-software-guard-extensions-provisioning-certification-service` 
+```shell
+  //PCCS server address
+  "pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/"
+
+  // To accept insecure HTTPS certificate, set this option to false
+  ,"use_secure_cert": true
+
+  // API key for accessing Intel Trusted Services
+  ,"api_key": "得到的api_key"
+```
+
+### 1.4 配置 Enclave 签名密钥对
+```shell
+sudo mkdir -p /etc/encryptsql/enclave
+# 生成 3072-bit RSA 私钥
+sudo openssl genrsa -3 -out /etc/encryptsql/enclave/sign_enclave_private.pem 3072
+# 从私钥导出公钥
+sudo openssl rsa -in /etc/encryptsql/enclave/sign_enclave_private.pem -pubout \
+  -out /etc/encryptsql/enclave/sign_enclave_public.pem
+# 权限
+sudo chmod 777 /etc/encryptsql/enclave/sign_enclave_private.pem
+sudo chmod 777 /etc/encryptsql/enclave/sign_enclave_public.pem
+```
+
+### 1.5 配置数据库
 
 ```shell
 cd /usr/local/postgresql
@@ -140,6 +189,7 @@ source ~/.bashrc
 
 initdb
 
+# 配置 KeyDistribution 后台接收服务（由 postmaster 启动）
 vim /usr/local/postgresql/data/postgresql.conf
 # vim 打开后，将下面内容加入到尾部
 shared_preload_libraries = 'keydist_receiver'

src/KeyDistribution/server/host/receiver.cpp

@@ -6,6 +6,7 @@
 #include <iterator>
 #include <memory>
 #include <vector>
+#include "en_config.h"
 
 extern "C" {
 #include "postgres.h"
@@ -34,7 +35,7 @@ void HandleSealedDek(const std::vector<uint8_t>& sealed)
     if (sealed.empty())
         return;
 
-    const char* path = "/etc/encryptsql/dek.sealed";
+    const char* path = DEK_SEALED_PATH; // 定义DEK文件路径
     std::ofstream ofs(path,
                       std::ios::binary | std::ios::trunc);
     if (!ofs)

src/crypto/cryptolib/libudf/Enclave/Ecalls.cpp

@@ -22,6 +22,7 @@
 #include <math.h>
 #include <string>
 #include "../../../KeyDistribution/common/blob_format.h"
+#include "en_config.h"
 
 
 std::unique_ptr<SymMHE> psmheCipher(new SymMHE());
@@ -103,7 +104,7 @@ static sgx_status_t decrypt_dek_blob(const uint8_t* blob,
 
 
 std::string readDEKFromFile() {
-    const char* dek_path = "/etc/encryptsql/dek.sealed";
+    const char* dek_path = DEK_SEALED_PATH; // 定义DEK文件路径
     constexpr size_t max_blob = 2048;
 
     std::vector<uint8_t> blob(max_blob);

src/encryptsql/decryptres.cpp

@@ -30,6 +30,7 @@ extern "C"
 #include "KeyManager.h"
 // #include "kms/KeyManagementService.hpp
 #include "kmsAdapter/dek_interface.hpp"
+#include "en_config.h"
 
 extern __thread bool Encrypt;
 extern __thread bool SkipDecryptRes;
@@ -142,7 +143,7 @@ void decryptResult(int numberAttr, int numTuples, pAttrDescs pattDescs, pTuples
                     
                     // 从文件中读取DEK
                     std::string dek;
-                    std::ifstream dekFile("/etc/encryptsql/dek", std::ios::binary);
+                    std::ifstream dekFile(DEK_FILE_PATH, std::ios::binary);
                     if (dekFile.is_open()) {
                         // 获取文件大小
                         dekFile.seekg(0, std::ios::end);

src/encryptsql/encryptstmt.cpp

@@ -294,7 +294,7 @@ static A_Const *encryptAConst(A_Const *aconst, T_Cipher encryptCipher, EncryptIn
 
     // 将dek存储到指定路径/etc/encryptsql/dek
     
-    std::ofstream dekFile("/etc/encryptsql/dek", std::ios::binary | std::ios::trunc);
+    std::ofstream dekFile(DEK_FILE_PATH, std::ios::binary | std::ios::trunc);
     if (dekFile.is_open()) {
         dekFile.write(dek_tmp.c_str(), dek_tmp.size());
         dekFile.flush();