kbs: ita: Set hash algorithm based on TEE type #491
Conversation
|
Once I've taken it out of draft mode, this PR should land with confidential-containers/guest-components#712. |
| if let Some(hash_algorithms_found) = tee_parameters.get(SUPPORTED_HASH_ALGORITHMS_JSON_KEY) | ||
| { | ||
| if let Some(algorithms) = hash_algorithms_found.as_array() { | ||
| let hash_algorithms: Vec<String> = algorithms | ||
| .iter() | ||
| .filter_map(|s| s.as_str()) | ||
| .map(|s| s.to_lowercase()) | ||
| .collect(); | ||
|
|
||
| supported_hash_algorithms.append(&mut hash_algorithms.clone()); | ||
| } else { | ||
| return Err(anyhow!( | ||
| "Intel Trust Authority: expected array, found {hash_algorithms_found:?}" | ||
| )); | ||
| } | ||
| } else { | ||
| log::info!("ITA: generate_challenge: no TEE hash parameters, so falling back to legacy behaviour"); | ||
|
|
||
| return generic_generate_challenge(tee, tee_parameters).await; | ||
| } |
There was a problem hiding this comment.
We could use
let Some(xxx) = yyy() else {
bail!(".....");
}
// do next steps with xxxto avoid nested { ... }s .
| lazy_static! { | ||
| /// The hash algorithm used for Intel SGX. | ||
| static ref SGX_HASH_ALGORITHM: String = HashAlgorithm::Sha256.to_string().to_lowercase(); | ||
|
|
||
| /// The hash algorithm used for Intel TDX. | ||
| static ref TDX_HASH_ALGORITHM: String = HashAlgorithm::Sha512.to_string().to_lowercase(); | ||
|
|
||
| static ref ERR_NO_TDX_ALGORITHM: String = format!( | ||
| "Intel Trust Authority: {:?} not supported by TDX TEE", | ||
| *TDX_HASH_ALGORITHM | ||
| ); | ||
| static ref ERR_NO_SGX_ALGORITHM: String = format!( | ||
| "Intel Trust Authority: {:?} not supported by SGX TEE", | ||
| *TDX_HASH_ALGORITHM | ||
| ); |
There was a problem hiding this comment.
We might not need these consts. For SGX_HASH_ALGORITHM, we can
enum HashAlgorithm {
#[strum(serialize = "sha256")]
Sha256,
...
}
...
if supported_hash_algorithms.contains(HashAlgorithm::Sha256.as_ref()) {
...
}For errors, I suggest that directly use .context("...") for extra error context.
jodh-intel
force-pushed
the
kbs-ita-set-tee-hash-algorithm
branch
2 times, most recently
from
f0c55f9
to
666d2c2
Compare
| use crate::token::{ | ||
| jwk::JwkAttestationTokenVerifier, AttestationTokenVerifier, AttestationTokenVerifierConfig, | ||
| AttestationTokenVerifierType, | ||
| }; | ||
| use anyhow::*; | ||
| use async_trait::async_trait; | ||
| use attestation_service::HashAlgorithm; |
There was a problem hiding this comment.
I had somehow missed this dependency earlier. This is slightly problematic as it is right now. This makes one AS to depend on another AS code just for the sake of HashAlgorithm enum. Not only that but attestation-service/default makes the build to include all of the CoCo-AS verifier dependencies, such as the vtpm stuff that now makes se CI docker build to fail because the ITA Dockerfile does not have libtss2-dev installed.
There was a problem hiding this comment.
Branch updated. I've made a local definition of HashAlgorithm to resolve that issue.
Once this and confidential-containers/guest-components#712 land, I plan to tal at consolidating all the definitions though 😄
jodh-intel
force-pushed
the
kbs-ita-set-tee-hash-algorithm
branch
2 times, most recently
from
767a039
to
f8c34e9
Compare
There was a problem hiding this comment.
I wonder if it would be better to move the hash_alg support to the protocol level instead of putting it into the schemaless extra_params field. it can be optional, defaulting to sha348. atm, this seems local to ITA and otherwise unspecified strings supported/selected-hash-algorithms.
Sadly, this would need a (breaking) change on kbs-types, but it would make things a bit more explicit:
Challenge {
nonce String,
hash_alg: HashAlgorithm
extra_params: Value
}Maybe, if we don't want to touch kbs-types we can also introduce trustee ExtraParams that are more than just Value, but specify the hash_alg field.
| .filter_map(|s| s.as_str()) | ||
| .map(|s| s.to_lowercase()) |
There was a problem hiding this comment.
if we're already filter_map'ing why map?
| .filter_map(|s| s.as_str()) | |
| .map(|s| s.to_lowercase()) | |
| .filter_map(|s| s.as_str(). to_lowercase()) |
There was a problem hiding this comment.
It's a bit ugly now, but updated.
|
|
||
| if tee_parameters.is_null() { | ||
| log::debug!( | ||
| "ITA: generate_challenge: no TEE parameters so falling back to legacy behavour" |
There was a problem hiding this comment.
| "ITA: generate_challenge: no TEE parameters so falling back to legacy behavour" | |
| "ITA: generate_challenge: no TEE parameters so falling back to legacy behaviour" |
| pub(crate) async fn generic_generate_challenge( | ||
| _tee: Tee, | ||
| _tee_parameters: serde_json::Value, | ||
| ) -> Result<Challenge> { |
There was a problem hiding this comment.
why does this have params if we don't use them? Should we maybe do impl Default for Challenge?
There was a problem hiding this comment.
I was trying to make this a minimal change and if you look at the existing code, you'll see the same unused params.
Should we maybe do impl Default for Challenge?
I thought of that, but Challenge is defined in the kbs-types crate, so that can be done at a later time imho.
If the TEE specifies the hash algorithms it can use [1], add the appropriate hash algorithm to the returned `Challenge` [2]. For backwards compatibility, do not return the selected hash algorithm if the TEE does not provide the list of hash algorithms it can use. Partially-fixes: confidential-containers#242. [1] - In the optional `extra-params.supported-hash-algorithms` list. [2] - In `extra-params.selected-hash-algorithm`. Signed-off-by: James O. D. Hunt <[email protected]>
jodh-intel
force-pushed
the
kbs-ita-set-tee-hash-algorithm
branch
from
f8c34e9
to
12da724
Compare
|
@mkulke - Thanks for the review. I agree that this can all be improved, but since we'd really like this PR and confidential-containers/guest-components#712 to be in the next release, and since testing these takes some time, can we defer some of these comments until after the upcoming release(s)? |
I see |
I can create the follow-up ticket with additional thoughts. |
| const ERR_NO_TEE_ALGOS: &str = "ITA: TEE does not support any hash algorithms"; | ||
| const ERR_INVALID_TEE: &str = "ITA: Unknown TEE specified"; |
There was a problem hiding this comment.
Let me do a refactoring about error information assertion later. Now it's good to me.
| return Err(anyhow!( | ||
| "ITA: expected array, found {hash_algorithms_found:?}" | ||
| )); |
There was a problem hiding this comment.
| return Err(anyhow!( | |
| "ITA: expected array, found {hash_algorithms_found:?}" | |
| )); | |
| bail!( | |
| "ITA: expected array, found {hash_algorithms_found:?}" | |
| ); |
|
Btw, shall we cut a release after ITA is supported on both gc and trustee side? |
I'm about to submit a PR for kustomization ( |
|
I've triggered the e2e tests as well, so let's wait for them to finish. |
|
Merged, thanks @jodh-intel for the work and all the reviewers for the reviews! :-) |
If the TEE specifies the hash algorithms it can use [1], add the appropriate hash algorithm to the returned
Challenge[2].For backwards compatibility, do not return the selected hash algorithm if the TEE does not provide the list of hash algorithms it can use.
Partially-fixes: #242.
[1] - In the optional
extra-params.supported-hash-algorithmslist.[2] - In
extra-params.selected-hash-algorithm.