kbs: ita: Set hash algorithm based on TEE type

If the TEE specifies the hash algorithms it can use [1], add the appropriate hash algorithm to the returned `Challenge` [2]. For backwards compatibility, do not return the selected hash algorithm if the TEE does not provide the list of hash algorithms it can use. Partially-fixes: #242. [1] - In the optional `extra-params.supported-hash-algorithms` list. [2] - In `extra-params.selected-hash-algorithm`. Signed-off-by: James O. D. Hunt <[email protected]>
confidential-containers · Sep 9, 2024 · 666d2c2 · 666d2c2
1 parent 01403b0
commit 666d2c2
Show file tree

Hide file tree

Showing 5 changed files with 333 additions and 28 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/attestation-service/src/lib.rs b/attestation-service/src/lib.rs
@@ -22,15 +22,15 @@ use serde_json::{json, Value};
 use serde_variant::to_variant_name;
 use sha2::{Digest, Sha256, Sha384, Sha512};
 use std::{collections::HashMap, str::FromStr};
-use strum::{AsRefStr, EnumString};
+use strum::{AsRefStr, Display, EnumString};
 use thiserror::Error;
 use tokio::fs;
 use verifier::{InitDataHash, ReportData};
 
 use crate::utils::flatten_claims;
 
 /// Hash algorithms used to calculate runtime/init data binding
-#[derive(EnumString, AsRefStr)]
+#[derive(Display, EnumString, AsRefStr)]
 pub enum HashAlgorithm {
     #[strum(ascii_case_insensitive)]
     Sha256,

diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
@@ -34,7 +34,7 @@ coco-as-builtin-no-verifier = ["coco-as", "attestation-service/rvps-builtin"]
 coco-as-grpc = ["coco-as", "mobc", "tonic", "tonic-build", "prost"]
 
 # Use Intel TA as backend attestation service
-intel-trust-authority-as = ["as", "reqwest", "resource"]
+intel-trust-authority-as = ["as", "reqwest", "resource", "attestation-service/default"]
 
 # Use pure rust crypto stack for KBS
 rustls = ["actix-web/rustls", "dep:rustls", "dep:rustls-pemfile"]