Time provisioning inside PDO enclaves #500

Open
bvavala opened this issue Oct 11, 2024 · 1 comment

bvavala commented Oct 11, 2024

A PDO enclave, in general, does not deal with time, but certificate expiration verification within sgx/openssl does.
Here is an overview of:

  • how time is handled within sgx/openssl and the untrusted environment;
  • what happens when the dependency on untrusted time is removed;
  • and how to remove it safely.

First, X509_verify_cert (an ssl function used, for instance, to check IAS verification reports) checks for expired certificates. Even within an enclave, where presumably trusted time is not available, the function works properly.

This is due to the (untrusted) time provided by sgxssl, through the edge call in its EDL. Such EDL is imported in essentially all enclaves used in PDO, namely in the eservice, pservice and test enclaves.

Second, the edge API can be removed unsafely. Without the edge API, the enclave will likely compile, and likely crash when time is needed. This is due to the implementation of this assert which will check for the availability of the ocall before calling it. Note that the ocall will still be available in the untrusted sgx/openssl library, but there would be no call initiated from the enclave.

Third, instead, the edge API can be safely removed by making sure that ssl does not request the time from the system (and hence the edge API). In the case of certificate expiration verification, this can be achieved through the use of the X509_V_FLAG_USE_CHECK_TIME flag and setting the time against which to check the expiration, from within the enclave.

This brings us to the question: how to best provision time inside an enclave for such verifications (and remove the ocalls)?
(comments are welcome)


g2flyer commented Oct 23, 2024

Also related to the above is time handling for JWT, which requires an ignore-time patch in SGXDataCenterAttestationPrimitives, which is also used in our PR #501.
