From c43fe40a8835faa071253bb27a97bc7a7fa98faf Mon Sep 17 00:00:00 2001 From: Jay Gowdy Date: Thu, 16 Apr 2026 12:14:03 -0700 Subject: [PATCH] Call harden_process() at startup to disable core dumps Add enclaveapp_core::process::harden_process() as the first call in main() for both binaries (awsenc-cli, awsenc-tpm-bridge). This disables core dumps before any secrets are loaded. --- Cargo.lock | 112 ++++++++++++++++++++++++++++++++-- awsenc-cli/src/main.rs | 2 + awsenc-tpm-bridge/Cargo.toml | 1 + awsenc-tpm-bridge/src/main.rs | 2 + 4 files changed, 113 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3c9051c..f5dd672 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -204,6 +204,7 @@ dependencies = [ name = "awsenc-tpm-bridge" version = "0.0.0-dev" dependencies = [ + "enclaveapp-core", "enclaveapp-tpm-bridge", ] @@ -386,6 +387,26 @@ version = "0.9.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" +[[package]] +name = "core-foundation" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f" +dependencies = [ + "core-foundation-sys", + "libc", +] + +[[package]] +name = "core-foundation" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "core-foundation-sys" version = "0.8.7" 
@@ -481,6 +502,27 @@ dependencies = [ "cipher", ] +[[package]] +name = "dbus" +version = "0.9.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "21b3aa68d7e7abee336255bd7248ea965cc393f3e70411135a6f6a4b651345d4" +dependencies = [ + "libc", + "libdbus-sys", + "windows-sys 0.59.0", +] + +[[package]] +name = "dbus-secret-service" +version = "4.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "708b509edf7889e53d7efb0ffadd994cc6c2345ccb62f55cfd6b0682165e4fa6" +dependencies = [ + "dbus", + "zeroize", +] + [[package]] name = "deadpool" version = "0.12.3" @@ -666,8 +708,8 @@ dependencies = [ "enclaveapp-apple", "enclaveapp-bridge", "enclaveapp-core", + "enclaveapp-keyring", "enclaveapp-linux-tpm", - "enclaveapp-software", "enclaveapp-windows", "enclaveapp-wsl", "rand 0.9.3", @@ -722,26 +764,27 @@ dependencies = [ "serde_json", "thiserror 2.0.18", "toml 0.8.23", + "tracing", ] [[package]] -name = "enclaveapp-linux-tpm" +name = "enclaveapp-keyring" version = "0.1.0" dependencies = [ "aes-gcm", "dirs 6.0.0", "elliptic-curve", "enclaveapp-core", + "keyring", "p256", "rand 0.9.3", "serde", "serde_json", "sha2", - "tss-esapi", ] [[package]] -name = "enclaveapp-software" +name = "enclaveapp-linux-tpm" version = "0.1.0" dependencies = [ "aes-gcm", @@ -753,6 +796,7 @@ dependencies = [ "serde", "serde_json", "sha2", + "tss-esapi", ] [[package]] @@ -1454,6 +1498,21 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "keyring" +version = "3.6.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eebcc3aff044e5944a8fbaf69eb277d11986064cba30c468730e8b9909fb551c" +dependencies = [ + "byteorder", + "dbus-secret-service", + "log", + "security-framework 2.11.1", + "security-framework 3.7.0", + "windows-sys 0.60.2", + "zeroize", +] + [[package]] name = "lazy_static" version = "1.5.0" 
@@ -1472,6 +1531,15 @@ version = "0.2.184" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "48f5d2a454e16a5ea0f4ced81bd44e4cfc7bd3a507b61887c99fd3538b28e4af" +[[package]] +name = "libdbus-sys" +version = "0.2.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "328c4789d42200f1eeec05bd86c9c13c7f091d2ba9a6ea35acdf51f31bc0f043" +dependencies = [ + "pkg-config", +] + [[package]] name = "libredox" version = "0.1.16" @@ -2309,6 +2377,42 @@ dependencies = [ "zeroize", ] +[[package]] +name = "security-framework" +version = "2.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02" +dependencies = [ + "bitflags", + "core-foundation 0.9.4", + "core-foundation-sys", + "libc", + "security-framework-sys", +] + +[[package]] +name = "security-framework" +version = "3.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d" +dependencies = [ + "bitflags", + "core-foundation 0.10.1", + "core-foundation-sys", + "libc", + "security-framework-sys", +] + +[[package]] +name = "security-framework-sys" +version = "2.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ce2691df843ecc5d231c0b14ece2acc3efb62c0a398c7e1d875f3983ce020e3" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "selectors" version = "0.31.0" diff --git a/awsenc-cli/src/main.rs b/awsenc-cli/src/main.rs index e53ce3a..194776c 100644 --- a/awsenc-cli/src/main.rs +++ b/awsenc-cli/src/main.rs 
@@ -28,6 +28,8 @@ pub(crate) static TEST_ENV_MUTEX: std::sync::Mutex<()> = std::sync::Mutex::new((
 #[tokio::main]
 #[allow(clippy::print_stderr)]
 async fn main() {
+ enclaveapp_core::process::harden_process();
+
 let filter = tracing_subscriber::EnvFilter::try_from_env("AWSENC_LOG")
 .unwrap_or_else(|_| tracing_subscriber::EnvFilter::new("warn"));
diff --git a/awsenc-tpm-bridge/Cargo.toml b/awsenc-tpm-bridge/Cargo.toml
index 2fb7d0a..d309d46 100644
--- a/awsenc-tpm-bridge/Cargo.toml
+++ b/awsenc-tpm-bridge/Cargo.toml
@@ -12,4 +12,5 @@ path = "src/main.rs"
 workspace = true
 [dependencies]
+enclaveapp-core = { workspace = true }
 enclaveapp-tpm-bridge = { workspace = true }
diff --git a/awsenc-tpm-bridge/src/main.rs b/awsenc-tpm-bridge/src/main.rs
index 0429aa1..fb6e8fd 100644
--- a/awsenc-tpm-bridge/src/main.rs
+++ b/awsenc-tpm-bridge/src/main.rs
@@ -3,6 +3,8 @@
 #[allow(clippy::print_stderr)]
 fn main() {
+ enclaveapp_core::process::harden_process();
+
 let mut server = enclaveapp_tpm_bridge::BridgeServer::new("awsenc", "cache-key");
 if let Err(e) = server.run_stdio() {
 eprintln!("{e}");
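Review bot: In awsenc-cli/src/main.rs the new `harden_process()` call runs before the tracing subscriber is built from `AWSENC_LOG`, and nothing at the call site checks whether hardening succeeded; the same holds for the call in awsenc-tpm-bridge/src/main.rs, where no subscriber is installed in the visible lines. If `harden_process()` reports problems only through `tracing` (its body is not shown, so this is an assumption to confirm), those events would be dropped and the binary would go on to load secrets with core dumps still enabled. Consider having the function return a status that `main` can act on, failing closed or at least printing to stderr, which both `main` functions already permit via `#[allow(clippy::print_stderr)]`. A comment on the call such as `// Must remain the first statement: disables core dumps before any secret is in memory.` would also keep later edits from moving it; both `main` bodies continue outside their hunks.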
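Review bot: The manifest change in awsenc-tpm-bridge/Cargo.toml is limited to `enclaveapp-core`, yet the Cargo.lock hunks in the same commit also replace `enclaveapp-software` with `enclaveapp-keyring` and add `keyring`, `dbus`, `dbus-secret-service`, `libdbus-sys` and two `security-framework` versions, none of which the commit message mentions. This looks like the enclaveapp workspace dependency moving forward as a side effect; it would be easier to audit if the lockfile refresh were its own commit, or if the description listed the new third-party crates and the storage backend change. A comment on the added line, e.g. `# direct dependency for enclaveapp_core::process::harden_process() in main.rs`, would record why the bridge now depends on the core crate.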