attestation-agent/Attesters: refactor the trait of Attester

Change the API of `get_evidence` function to just performing getting evidence via calling the underlying hardware drivers. Fixes: #283 Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
confidential-containers · Jul 25, 2023 · 705bff3 · 705bff3
1 parent 90d2b66
commit 705bff3
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 36 deletions.
diff --git a/attestation-agent/attester/src/az_snp_vtpm/mod.rs b/attestation-agent/attester/src/az_snp_vtpm/mod.rs
@@ -28,10 +28,9 @@ struct Evidence {
 }
 
 impl Attester for AzSnpVtpmAttester {
-    fn get_evidence(&self, report_data: String) -> Result<String> {
+    fn get_evidence(&self, report_data: Vec<u8>) -> Result<String> {
         let report = vtpm::get_report()?;
-        let report_data_bin = base64::decode(report_data)?;
-        let quote = vtpm::get_quote(&report_data_bin)?;
+        let quote = vtpm::get_quote(&report_data)?;
         let certs = imds::get_certs()?;
         let vcek = certs.vcek;
 

diff --git a/attestation-agent/attester/src/lib.rs b/attestation-agent/attester/src/lib.rs
@@ -58,7 +58,10 @@ impl Tee {
 }
 
 pub trait Attester {
-    fn get_evidence(&self, report_data: String) -> Result<String>;
+    /// Call the hardware driver to get the Hardware specific evidence.
+    /// The parameter `report_data` will be used as the user input of the
+    /// evidence to avoid reply attack.
+    fn get_evidence(&self, report_data: Vec<u8>) -> Result<String>;
 }
 
 // Detect which TEE platform the KBC running environment is.

diff --git a/attestation-agent/attester/src/sample/mod.rs b/attestation-agent/attester/src/sample/mod.rs
@@ -25,10 +25,10 @@ struct SampleQuote {
 pub struct SampleAttester {}
 
 impl Attester for SampleAttester {
-    fn get_evidence(&self, report_data: String) -> Result<String> {
+    fn get_evidence(&self, report_data: Vec<u8>) -> Result<String> {
         let evidence = SampleQuote {
             svn: "1".to_string(),
-            report_data,
+            report_data: base64::encode(report_data),
         };
 
         serde_json::to_string(&evidence).map_err(|_| anyhow!("Serialize sample evidence failed"))

diff --git a/attestation-agent/attester/src/sgx_dcap/mod.rs b/attestation-agent/attester/src/sgx_dcap/mod.rs
@@ -45,13 +45,12 @@ struct SgxDcapAttesterEvidence {
 pub struct SgxDcapAttester {}
 
 impl Attester for SgxDcapAttester {
-    fn get_evidence(&self, report_data: String) -> Result<String> {
-        let mut report_data_bin = base64::decode(report_data)?;
-        if report_data_bin.len() != 48 {
+    fn get_evidence(&self, mut report_data: Vec<u8>) -> Result<String> {
+        if report_data.len() > 64 {
             bail!("SGX Attester: Report data should be SHA384 base64 String");
         }
 
-        report_data_bin.extend([0; 16]);
+        report_data.resize(64, 0);
 
         let quote = match get_libos_type() {
             SgxLibOsType::Invalid => unimplemented!("empty quote"),
@@ -64,14 +63,14 @@ impl Attester for SgxDcapAttester {
 
                 match handler.generate_quote(
                     occlum_quote.as_mut_ptr(),
-                    report_data_bin.as_ptr() as *const sgx_report_data_t,
+                    report_data.as_ptr() as *const sgx_report_data_t,
                 ) {
                     Ok(_) => occlum_quote,
                     Err(e) => bail!("generate quote: {e}"),
                 }
             }
             SgxLibOsType::Gramine => {
-                std::fs::write("/dev/attestation/user_report_data", report_data_bin)?;
+                std::fs::write("/dev/attestation/user_report_data", report_data)?;
                 std::fs::read("/dev/attestation/quote")?
             }
         };
@@ -94,9 +93,8 @@ mod tests {
     fn test_sgx_get_evidence() {
         let attester = SgxDcapAttester::default();
         let report_data: Vec<u8> = vec![0; 48];
-        let report_data_base64 = base64::encode(report_data);
 
-        let evidence = attester.get_evidence(report_data_base64);
+        let evidence = attester.get_evidence(report_data);
         assert!(evidence.is_ok());
     }
 }
diff --git a/attestation-agent/attester/src/snp/mod.rs b/attestation-agent/attester/src/snp/mod.rs
@@ -25,17 +25,15 @@ struct SnpEvidence {
 pub struct SnpAttester {}
 
 impl Attester for SnpAttester {
-    fn get_evidence(&self, report_data: String) -> Result<String> {
-        let mut report_data_bin = base64::decode(report_data)?;
-
-        if report_data_bin.len() != 48 {
-            bail!("Malformed SNP Evidence");
+    fn get_evidence(&self, mut report_data: Vec<u8>) -> Result<String> {
+        if report_data.len() > 64 {
+            bail!("SNP Attester: Report data must be no more than 64 bytes");
         }
 
-        report_data_bin.extend([0; 16]);
+        report_data.resize(64, 0);
 
         let mut firmware = Firmware::open()?;
-        let data = report_data_bin.as_slice().try_into()?;
+        let data = report_data.as_slice().try_into()?;
 
         let (report, certs) = firmware
             .get_ext_report(None, Some(data), Some(0))

diff --git a/attestation-agent/attester/src/tdx/mod.rs b/attestation-agent/attester/src/tdx/mod.rs
@@ -28,17 +28,15 @@ struct TdxEvidence {
 pub struct TdxAttester {}
 
 impl Attester for TdxAttester {
-    fn get_evidence(&self, report_data: String) -> Result<String> {
-        let mut report_data_bin = base64::decode(report_data)?;
-        if report_data_bin.len() != 48 {
-            return Err(anyhow!(
-                "TDX Attester: Report data should be SHA384 base64 String"
-            ));
+    fn get_evidence(&self, mut report_data: Vec<u8>) -> Result<String> {
+        if report_data.len() > 64 {
+            bail!("TDX Attester: Report data must be no more than 64 bytes");
         }
-        report_data_bin.extend([0; 16]);
+
+        report_data.resize(64, 0);
 
         let tdx_report_data = tdx_attest_rs::tdx_report_data_t {
-            d: report_data_bin.as_slice().try_into()?,
+            d: report_data.as_slice().try_into()?,
         };
 
         let quote = match tdx_attest_rs::tdx_att_get_quote(Some(&tdx_report_data), None, None, 0) {
@@ -75,9 +73,8 @@ mod tests {
     fn test_tdx_get_evidence() {
         let attester = TdxAttester::default();
         let report_data: Vec<u8> = vec![0; 48];
-        let report_data_base64 = base64::encode(report_data);
 
-        let evidence = attester.get_evidence(report_data_base64);
+        let evidence = attester.get_evidence(report_data);
         assert!(evidence.is_ok());
     }
 }
diff --git a/attestation-agent/deps/crypto/src/teekey.rs b/attestation-agent/deps/crypto/src/teekey.rs
@@ -62,15 +62,13 @@ impl TeeKey {
     }
 }
 
-// Returns a base64 of the sha384 of all chunks.
-pub fn hash_chunks(chunks: Vec<Vec<u8>>) -> String {
+// Returns a sha384 of all chunks.
+pub fn hash_chunks(chunks: Vec<Vec<u8>>) -> Vec<u8> {
     let mut hasher = Sha384::new();
 
     for chunk in chunks.iter() {
         hasher.update(chunk);
     }
 
-    let res = hasher.finalize();
-
-    base64::encode(res)
+    hasher.finalize().to_vec()
 }