From 231177c4e16057535c809d5387940d634c11089c Mon Sep 17 00:00:00 2001 From: Qi Feng Huo Date: Fri, 15 Mar 2024 09:36:43 +0800 Subject: [PATCH] Verifier: IBM SE make both se and sample tee test pass Signed-off-by: Qi Feng Huo --- Cargo.lock | 27 +++++++-------------- kbs/docs/kbs.yaml | 6 +++++ kbs/docs/kbs_attestation_protocol.md | 7 ++++++ kbs/src/api/src/attestation/coco/builtin.rs | 2 +- kbs/src/api/src/attestation/coco/grpc.rs | 2 +- kbs/tools/attest.json | 3 ++- kbs/tools/client/Cargo.toml | 2 +- 7 files changed, 27 insertions(+), 22 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 49db2ea53d..3eb21e83f3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -564,7 +564,7 @@ dependencies = [ [[package]] name = "attester" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=21b2c536b4d6c5c1442b53916c908b54dde136e8#21b2c536b4d6c5c1442b53916c908b54dde136e8" +source = "git+https://github.com/huoqifeng/guest-components.git?rev=cca0fcb0bae3ad0259efabbb84f3e33c986e1675#cca0fcb0bae3ad0259efabbb84f3e33c986e1675" dependencies = [ "anyhow", "async-trait", @@ -575,7 +575,7 @@ dependencies = [ "csv-rs", "hyper", "hyper-tls", - "kbs-types 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)", + "kbs-types 0.5.3 (git+https://github.com/huoqifeng/kbs-types.git?branch=s390x-se)", "log", "nix", "occlum_dcap", @@ -583,6 +583,7 @@ dependencies = [ "serde", "serde_json", "sev", + "sha2", "strum", "tdx-attest-rs", "tempfile", 
@@ -1277,13 +1278,13 @@ checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7" [[package]] name = "crypto" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=21b2c536b4d6c5c1442b53916c908b54dde136e8#21b2c536b4d6c5c1442b53916c908b54dde136e8" +source = "git+https://github.com/huoqifeng/guest-components.git?rev=cca0fcb0bae3ad0259efabbb84f3e33c986e1675#cca0fcb0bae3ad0259efabbb84f3e33c986e1675" dependencies = [ "aes-gcm", "anyhow", "base64 0.21.7", "ctr", - "kbs-types 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)", + "kbs-types", "rand", "rsa 0.9.6", "serde", @@ -2422,17 +2423,7 @@ dependencies = [ [[package]] name = "kbs-types" version = "0.5.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d1f4b0642769e12f56cfc646d8be13668ed48d3caed0e99efb161c407f3ec532" -dependencies = [ - "serde", - "serde_json", -] - -[[package]] -name = "kbs-types" -version = "0.5.3" -source = "git+https://github.com/huoqifeng/kbs-types.git?branch=s390x-se#681d9ea3bea0e4465d67f004234f628dbced1007" +source = "git+https://github.com/huoqifeng/kbs-types.git?branch=s390x-se#271ef4bac54035fb25fa44b24e5bbca844cd057c" dependencies = [ "serde", "serde_json", @@ -2441,7 +2432,7 @@ dependencies = [ [[package]] name = "kbs_protocol" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=21b2c536b4d6c5c1442b53916c908b54dde136e8#21b2c536b4d6c5c1442b53916c908b54dde136e8" +source = "git+https://github.com/huoqifeng/guest-components.git?rev=cca0fcb0bae3ad0259efabbb84f3e33c986e1675#cca0fcb0bae3ad0259efabbb84f3e33c986e1675" dependencies = [ "anyhow", "async-trait", 
@@ -3702,7 +3693,7 @@ dependencies = [ [[package]] name = "resource_uri" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=21b2c536b4d6c5c1442b53916c908b54dde136e8#21b2c536b4d6c5c1442b53916c908b54dde136e8" +source = "git+https://github.com/huoqifeng/guest-components.git?rev=cca0fcb0bae3ad0259efabbb84f3e33c986e1675#cca0fcb0bae3ad0259efabbb84f3e33c986e1675" dependencies = [ "anyhow", "serde", @@ -5285,7 +5276,7 @@ dependencies = [ "eventlog-rs", "hex", "jsonwebtoken", - "kbs-types 0.5.3 (git+https://github.com/huoqifeng/kbs-types.git?branch=s390x-se)", + "kbs-types", "log", "openssl", "rstest", diff --git a/kbs/docs/kbs.yaml b/kbs/docs/kbs.yaml index 9a582e4a5b..b04b7b2b12 100644 --- a/kbs/docs/kbs.yaml +++ b/kbs/docs/kbs.yaml @@ -212,6 +212,7 @@ components: required: - tee-pubkey - tee-evidence + - extra-params type: object properties: tee-pubkey: @@ -219,6 +220,11 @@ components: tee-evidence: description: HW-TEE specific attestation evidence. type: object + extra-params: + description: + Freely formatted JSON object used for HW-TEE specific attestation + processes. + type: object description: >- KBS attestation challenge, sent in response to the KBC Request. diff --git a/kbs/docs/kbs_attestation_protocol.md b/kbs/docs/kbs_attestation_protocol.md index 797696ee00..4662aacb91 100644 --- a/kbs/docs/kbs_attestation_protocol.md +++ b/kbs/docs/kbs_attestation_protocol.md @@ -147,6 +147,8 @@ evidence from the HW-TEE platform and organizes it into the following payload: /* The attestation evidence. Its format is specified by Attestation-Service. */ "tee-evidence": {} + /* Extra parameters to support some special HW-TEE attestation. */ + "extra-params": {} } ``` > **Note:** the `/*...*/` comments are not valid in JSON, and must not be used. 
@@ -178,6 +180,11 @@ Attestation-Service. The KBS does not parse or analyze the attestation evidence, it forwards it to the Attestation-Service for verification. +- `extra-params` + +The reserved extra parameter field which is used to pass the additional +information provided by the KBS when some specific HW-TEE needs to be attested. + ## `Response` Upon successful attestation, the KBC can request resources from the KBS, by diff --git a/kbs/src/api/src/attestation/coco/builtin.rs b/kbs/src/api/src/attestation/coco/builtin.rs index b9d017f60e..75b4cb7d43 100644 --- a/kbs/src/api/src/attestation/coco/builtin.rs +++ b/kbs/src/api/src/attestation/coco/builtin.rs @@ -29,7 +29,7 @@ impl Attest for BuiltInCoCoAs { let attestation: Attestation = serde_json::from_str(attestation)?; // TODO: align with the guest-components/kbs-protocol side. - let runtime_data_plaintext = json!({"tee-pubkey": attestation.tee_pubkey, "nonce": nonce}); + let runtime_data_plaintext = json!({"tee-pubkey": attestation.tee_pubkey, "nonce": nonce, "extra-params": attestation.extra_params}); self.inner .read() diff --git a/kbs/src/api/src/attestation/coco/grpc.rs b/kbs/src/api/src/attestation/coco/grpc.rs index e478df8d31..78784cf206 100644 --- a/kbs/src/api/src/attestation/coco/grpc.rs +++ b/kbs/src/api/src/attestation/coco/grpc.rs @@ -102,7 +102,7 @@ impl Attest for GrpcClientPool { let attestation: Attestation = serde_json::from_str(attestation)?; // TODO: align with the guest-components/kbs-protocol side. - let runtime_data_plaintext = json!({"tee-pubkey": attestation.tee_pubkey, "nonce": nonce}); + let runtime_data_plaintext = json!({"tee-pubkey": attestation.tee_pubkey, "nonce": nonce, "extra-params": attestation.extra_params}); let runtime_data_plaintext = serde_json::to_string(&runtime_data_plaintext) .context("CoCo AS client: serialize runtime data failed")?; diff --git a/kbs/tools/attest.json b/kbs/tools/attest.json index dd768b3eba..6cad336878 100644 --- a/kbs/tools/attest.json 
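Review bot: The new `runtime_data_plaintext` in builtin.rs (@@ -29,7) embeds `attestation.extra_params` verbatim, so attester-supplied, freely formatted JSON now becomes part of the hash-bound runtime data, and the identical line is duplicated in grpc.rs (@@ -102,7). Both copies must serialize byte-for-byte the same as the kbs-protocol client for the report-data comparison to hold (the `// TODO: align with the guest-components/kbs-protocol side.` comment above already says so), so consider moving the `json!` construction into one shared helper in the coco module that takes the `Attestation` and the nonce and returns the `serde_json::Value`, and documenting there that the exact field set and key order are part of the attestation contract. If `extra_params` is optional on `Attestation` (its definition is outside this hunk), a client that omits the field will serialize `"extra-params":null` and hash differently from clients built before this change, so that compatibility cut should be stated in the same comment. Both enclosing `attest` bodies start and end outside their hunks.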
+++ b/kbs/tools/attest.json
@@ -4,5 +4,6 @@
 "k-mod": "my_modulus",
 "k-exp": "my_exponent"
 },
- "tee-evidence": "my_evidence"
+ "tee-evidence": "my_evidence",
+ "extra-params": "my_extra_params"
 }
diff --git a/kbs/tools/client/Cargo.toml b/kbs/tools/client/Cargo.toml
index c706e35738..c2cf4bd4d1 100644
--- a/kbs/tools/client/Cargo.toml
+++ b/kbs/tools/client/Cargo.toml
@@ -18,7 +18,7 @@ base64.workspace = true
 clap = { version = "4.0.29", features = ["derive"] }
 env_logger.workspace = true
 jwt-simple = "0.11.4"
-kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "21b2c536b4d6c5c1442b53916c908b54dde136e8", default-features = false }
+kbs_protocol = { git = "https://github.com/huoqifeng/guest-components.git", rev = "cca0fcb0bae3ad0259efabbb84f3e33c986e1675", default-features = false }
 log.workspace = true
 reqwest = { version = "0.11.18", default-features = false, features = ["cookies", "json"] }
 serde = { version = "1.0", features = ["derive"] }
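Review bot: `kbs_protocol` now resolves from a personal fork (`huoqifeng/guest-components`) instead of the confidential-containers organisation, which moves a trust-root dependency of the attestation client outside the project's own supply chain; Cargo.lock shows the same for `attester`, `crypto`, `resource_uri` and `kbs-types`, the last by `branch=s390x-se` rather than a fixed rev. Pinning to a rev limits drift, but the fork owner can rewrite or delete the repository at any time and nobody outside reviews pushes to it, so the line should return to the upstream commit once the guest-components and kbs-types changes are merged, or at minimum carry `# TODO: switch back to confidential-containers/guest-components once <UPSTREAM_PR> merges` so the fork reference is not forgotten.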