Skip to content

Commit

Permalink
ita: add support for Amber attestation using separate dedicated API
Browse files Browse the repository at this point in the history
Add support for azure tdxvm API and update attestation request body accordingly to chosen tee

Signed-off-by: Pawel Proskurnicki <[email protected]>
  • Loading branch information
pawelpros committed Sep 9, 2024
1 parent a43b73c commit d5e3d15
Show file tree
Hide file tree
Showing 3 changed files with 55 additions and 14 deletions.
1 change: 1 addition & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 2 additions & 1 deletion kbs/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ coco-as-builtin-no-verifier = ["coco-as", "attestation-service/rvps-builtin"]
coco-as-grpc = ["coco-as", "mobc", "tonic", "tonic-build", "prost"]

# Use Intel TA as backend attestation service
intel-trust-authority-as = ["as", "reqwest", "resource"]
intel-trust-authority-as = ["as", "reqwest", "resource", "az-cvm-vtpm"]

# Use pure rust crypto stack for KBS
rustls = ["actix-web/rustls", "dep:rustls", "dep:rustls-pemfile"]
Expand Down Expand Up @@ -82,6 +82,7 @@ tokio.workspace = true
tonic = { workspace = true, optional = true }
uuid = { version = "1.2.2", features = ["serde", "v4"] }
openssl = { version = "0.10.46", optional = true }
az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true }

[dev-dependencies]
tempfile.workspace = true
Expand Down
65 changes: 52 additions & 13 deletions kbs/src/attestation/intel_trust_authority/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -9,23 +9,35 @@ use crate::token::{
};
use anyhow::*;
use async_trait::async_trait;
use az_cvm_vtpm::hcl::HclReport;
use base64::{engine::general_purpose::STANDARD, Engine};
use kbs_types::{Attestation, Tee};
use reqwest::header::{ACCEPT, CONTENT_TYPE};
use serde::{Deserialize, Serialize};
use serde_json::from_value;
use serde_json::json;

pub const BASE_AS_ADDR: &str = "/appraisal/v1/attest";

#[derive(Deserialize, Debug)]
struct IntelTrustAuthorityTeeEvidence {
struct ItaTeeEvidence {
#[serde(skip)]
_cc_eventlog: Option<String>,
quote: String,
}

#[derive(Deserialize, Debug)]
struct AzItaTeeEvidence {
hcl_report: Vec<u8>,
td_quote: Vec<u8>,
}

#[derive(Serialize, Debug)]
struct AttestReqData {
quote: String,
runtime_data: String,
#[serde(skip_serializing_if = "Option::is_none")]
user_data: Option<String>,
}

#[derive(Deserialize, Debug)]
Expand Down Expand Up @@ -59,36 +71,63 @@ pub struct IntelTrustAuthority {
#[async_trait]
impl Attest for IntelTrustAuthority {
async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result<String> {
if tee != Tee::Tdx && tee != Tee::Sgx {
bail!("Intel Trust Authority: TEE {tee:?} is not supported.");
}
// get quote
let attestation = serde_json::from_str::<Attestation>(attestation)
.context("Failed to deserialize Attestation request")?;
let evidence =
serde_json::from_value::<IntelTrustAuthorityTeeEvidence>(attestation.tee_evidence)
.context("Failed to deserialize TEE Evidence")?;

let runtime_data = json!({
"tee-pubkey": attestation.tee_pubkey,
"nonce": nonce,
})
.to_string();

// construct attest request data
let req_data = AttestReqData {
quote: evidence.quote,
runtime_data: STANDARD.encode(runtime_data),
// construct attest request data and attestation url
let (req_data, att_url) = match tee {
Tee::AzTdxVtpm => {
let att_url = format!("{}{}/azure/tdxvm", &self.config.base_url, BASE_AS_ADDR);

let evidence = from_value::<AzItaTeeEvidence>(attestation.tee_evidence)
.context("Failed to deserialize TEE Evidence")?;

let hcl_report = HclReport::new(evidence.hcl_report.clone())?;

let req_data = AttestReqData {
quote: STANDARD.encode(evidence.td_quote),
runtime_data: STANDARD.encode(hcl_report.var_data()),
user_data: Some(STANDARD.encode(runtime_data)),
};

(req_data, att_url)
}
Tee::Tdx | Tee::Sgx => {
let att_url = format!("{}{}", &self.config.base_url, BASE_AS_ADDR);

let evidence = from_value::<ItaTeeEvidence>(attestation.tee_evidence)
.context("Failed to deserialize TEE Evidence")?;

let req_data = AttestReqData {
quote: evidence.quote,
runtime_data: STANDARD.encode(runtime_data),
user_data: None,
};

(req_data, att_url)
}
_ => {
bail!("Intel Trust Authority: TEE {tee:?} is not supported.");
}
};

let attest_req_body = serde_json::to_string(&req_data)
.context("Failed to serialize attestation request body")?;

// send attest request
log::info!("post attestation request ...");
log::info!("POST attestation request ...");
log::debug!("Attestation URL: {:?}", &att_url);

let client = reqwest::Client::new();
let resp = client
.post(format!("{}/appraisal/v1/attest", &self.config.base_url))
.post(att_url)
.header(CONTENT_TYPE, "application/json")
.header(ACCEPT, "application/json")
.header("x-api-key", &self.config.api_key)
Expand Down

0 comments on commit d5e3d15

Please sign in to comment.