Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ita: add support for Azure attestation using dedicated API #494

Merged
merged 1 commit into from
Sep 11, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 2 additions & 1 deletion kbs/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ coco-as-builtin-no-verifier = ["coco-as", "attestation-service/rvps-builtin"]
coco-as-grpc = ["coco-as", "mobc", "tonic", "tonic-build", "prost"]

# Use Intel TA as backend attestation service
intel-trust-authority-as = ["as", "reqwest", "resource"]
intel-trust-authority-as = ["as", "reqwest", "resource", "az-cvm-vtpm"]

# Use pure rust crypto stack for KBS
rustls = ["actix-web/rustls", "dep:rustls", "dep:rustls-pemfile"]
Expand Down Expand Up @@ -82,6 +82,7 @@ tokio.workspace = true
tonic = { workspace = true, optional = true }
uuid = { version = "1.2.2", features = ["serde", "v4"] }
openssl = { version = "0.10.46", optional = true }
az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true }

[dev-dependencies]
tempfile.workspace = true
Expand Down
68 changes: 54 additions & 14 deletions kbs/src/attestation/intel_trust_authority/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,13 @@ use crate::token::{
};
use anyhow::*;
use async_trait::async_trait;
use az_cvm_vtpm::hcl::HclReport;
use base64::{engine::general_purpose::STANDARD, Engine};
use kbs_types::Challenge;
use kbs_types::{Attestation, Tee};
use reqwest::header::{ACCEPT, CONTENT_TYPE};
use serde::{Deserialize, Serialize};
use serde_json::from_value;
use serde_json::json;
use strum::{AsRefStr, Display, EnumString};

Expand All @@ -24,6 +26,9 @@ const SELECTED_HASH_ALGORITHM_JSON_KEY: &str = "selected-hash-algorithm";
const ERR_NO_TEE_ALGOS: &str = "ITA: TEE does not support any hash algorithms";
const ERR_INVALID_TEE: &str = "ITA: Unknown TEE specified";

const BASE_AS_ADDR: &str = "/appraisal/v1/attest";
const AZURE_TDXVM_ADDR: &str = "/appraisal/v1/attest/azure/tdxvm";

#[derive(Display, EnumString, AsRefStr)]
pub enum HashAlgorithm {
#[strum(ascii_case_insensitive)]
Expand All @@ -37,16 +42,24 @@ pub enum HashAlgorithm {
}

#[derive(Deserialize, Debug)]
struct IntelTrustAuthorityTeeEvidence {
struct ItaTeeEvidence {
#[serde(skip)]
_cc_eventlog: Option<String>,
quote: String,
}

#[derive(Deserialize, Debug)]
struct AzItaTeeEvidence {
hcl_report: Vec<u8>,
td_quote: Vec<u8>,
}

#[derive(Serialize, Debug)]
struct AttestReqData {
quote: String,
runtime_data: String,
#[serde(skip_serializing_if = "Option::is_none")]
user_data: Option<String>,
pawelpros marked this conversation as resolved.
Show resolved Hide resolved
}

#[derive(Deserialize, Debug)]
Expand Down Expand Up @@ -80,36 +93,63 @@ pub struct IntelTrustAuthority {
#[async_trait]
impl Attest for IntelTrustAuthority {
async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result<String> {
if tee != Tee::Tdx && tee != Tee::Sgx {
bail!("ITA: TEE {tee:?} is not supported.");
}
// get quote
let attestation = serde_json::from_str::<Attestation>(attestation)
.context("Failed to deserialize Attestation request")?;
let evidence =
serde_json::from_value::<IntelTrustAuthorityTeeEvidence>(attestation.tee_evidence)
.context("Failed to deserialize TEE Evidence")?;

let runtime_data = json!({
"tee-pubkey": attestation.tee_pubkey,
"nonce": nonce,
})
.to_string();

// construct attest request data
let req_data = AttestReqData {
quote: evidence.quote,
runtime_data: STANDARD.encode(runtime_data),
// construct attest request data and attestation url
let (req_data, att_url) = match tee {
Tee::AzTdxVtpm => {
let att_url = format!("{}{AZURE_TDXVM_ADDR}", &self.config.base_url);

let evidence = from_value::<AzItaTeeEvidence>(attestation.tee_evidence)
.context(format!("Failed to deserialize TEE: {:?} Evidence", &tee))?;

let hcl_report = HclReport::new(evidence.hcl_report.clone())?;

let req_data = AttestReqData {
quote: STANDARD.encode(evidence.td_quote),
runtime_data: STANDARD.encode(hcl_report.var_data()),
user_data: Some(STANDARD.encode(runtime_data)),
};

(req_data, att_url)
pawelpros marked this conversation as resolved.
Show resolved Hide resolved
}
Tee::Tdx | Tee::Sgx => {
let att_url = format!("{}{BASE_AS_ADDR}", &self.config.base_url);

let evidence = from_value::<ItaTeeEvidence>(attestation.tee_evidence)
.context(format!("Failed to deserialize TEE: {:?} Evidence", &tee))?;

let req_data = AttestReqData {
quote: evidence.quote,
runtime_data: STANDARD.encode(runtime_data),
user_data: None,
};

(req_data, att_url)
}
_ => {
bail!("Intel Trust Authority: TEE {tee:?} is not supported.");
}
};

let attest_req_body = serde_json::to_string(&req_data)
.context("Failed to serialize attestation request body")?;

// send attest request
log::info!("post attestation request ...");
log::info!("POST attestation request ...");
log::debug!("Attestation URL: {:?}", &att_url);

let client = reqwest::Client::new();
let resp = client
.post(format!("{}/appraisal/v1/attest", &self.config.base_url))
.post(att_url)
.header(CONTENT_TYPE, "application/json")
.header(ACCEPT, "application/json")
.header("x-api-key", &self.config.api_key)
Expand Down Expand Up @@ -201,7 +241,7 @@ impl Attest for IntelTrustAuthority {
);

let hash_algorithm: String = match tee {
Tee::Sgx => {
Tee::Sgx | Tee::AzTdxVtpm => {
let needed_algorithm = HashAlgorithm::Sha256.as_ref().to_string().to_lowercase();

if supported_hash_algorithms.contains(&needed_algorithm) {
Expand Down
Loading