Verifier: Add IBM Secure Execution protoc

Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>

Cargo.toml

@@ -29,7 +29,7 @@ clap = { version = "4", features = ["derive"] }
 config = "0.13.3"
 env_logger = "0.10.0"
 hex = "0.4.3"
-kbs-types = "0.5.3" // TODO, update to pick new TEE type for IBM Secure Eexcution (SE) in https://github.com/virtee/kbs-types/blob/main/src/lib.rs#L24
+kbs-types = { git = "https://github.com/huoqifeng/kbs-types.git", branch = "s390x-se" }
 jsonwebtoken = "9"
 log = "0.4.17"
 prost = "0.11.0"

attestation-service/attestation-service/Cargo.toml

@@ -13,6 +13,7 @@ az-tdx-vtpm-verifier = [ "verifier/az-tdx-vtpm-verifier" ]
 snp-verifier = [ "verifier/snp-verifier" ]
 csv-verifier = [ "verifier/csv-verifier" ]
 cca-verifier = [ "verifier/cca-verifier" ]
+se-verifier  = [ "verifier/se-verifier" ]
 
 # Only for testing and CI
 rvps-builtin = [ "reference-value-provider-service" ]

attestation-service/attestation-service/src/bin/grpc/mod.rs

@@ -37,6 +37,7 @@ fn to_kbs_tee(tee: GrpcTee) -> Tee {
         GrpcTee::AzSnpVtpm => Tee::AzSnpVtpm,
         GrpcTee::Cca => Tee::Cca,
         GrpcTee::AzTdxVtpm => Tee::AzTdxVtpm,
+        GrpcTee::Se => Tee::Se,
     }
 }
 

attestation-service/attestation-service/src/bin/restful/mod.rs

@@ -62,6 +62,7 @@ fn to_tee(tee: &str) -> anyhow::Result<Tee> {
         "csv" => Tee::Csv,
         "sample" => Tee::Sample,
         "aztdxvtpm" => Tee::AzTdxVtpm,
+        "se" => Tee::Se,
         other => bail!("tee `{other} not supported`"),
     };
 

attestation-service/attestation-service/src/lib.rs

@@ -14,7 +14,7 @@ use crate::token::AttestationTokenBroker;
 
 use anyhow::{anyhow, Context, Result};
 use config::Config;
-pub use kbs_types::{Attestation, Tee};
+pub use kbs_types::{Attestation, Challenge, Tee};
 use log::debug;
 use policy_engine::{PolicyEngine, PolicyEngineType, SetPolicyInput};
 use rvps::RvpsApi;
@@ -242,7 +242,7 @@ impl AttestationService {
 
     pub async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result<Challenge> {
         let verifier = verifier::to_verifier(&tee)?;
-        verifier.generate_challenge(nonce)
+        verifier.generate_challenge(nonce).await
     }
 }
 

attestation-service/docs/parsed_claims.md

@@ -88,3 +88,6 @@ The claim inherit the fields from the SEV-SNP claim with and additional `tpm` hi
 - `tpm.pcr{01,..,n}`: SHA256 PCR registers for the TEE's vTPM quote.
 
 Note: The TD Report and TD Quote are fetched during early boot in this TEE. Kernel, Initrd and rootfs are measured into the vTPM's registers.
+
+## IBM Secure Execution (SE)
+TBD

attestation-service/protos/attestation.proto

@@ -12,6 +12,7 @@ enum Tee {
     CSV = 6;
     CCA = 7;
     AzTdxVtpm = 8;
+    Se = 9;
 }
 
 message AttestationRequest {

attestation-service/verifier/src/lib.rs

@@ -106,7 +106,7 @@ pub fn to_verifier(tee: &Tee) -> Result<Box<dyn Verifier + Send + Sync>> {
         Tee::Se => {
             cfg_if::cfg_if! {
                 if #[cfg(feature = "se-verifier")] {
-                    Ok(Box::<se::Se>::default() as Box<dyn Verifier + Send + Sync>)
+                    Ok(Box::<se::SeVerifier>::default() as Box<dyn Verifier + Send + Sync>)
                 } else {
                     bail!("feature `se-verifier` is not enabled for `verifier` crate.")
                 }
@@ -169,10 +169,11 @@ pub trait Verifier {
 
     async fn generate_challenge(
         &self,
-        nonce: &str) -> Result<Challenge> {
+        nonce: &str,
+    ) -> Result<Challenge> {
 
-        Result::Ok(Challenge {
-            nonce,
+        Ok(Challenge {
+            nonce: String::from(nonce),
             extra_params: String::new(),
         })
     }

attestation-service/verifier/src/se/mod.rs

@@ -3,12 +3,12 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
+use super::*;
 use async_trait::async_trait;
 use anyhow::anyhow;
 use base64::prelude::*;
-use kbs_types::{Challenge, Tee};
+use kbs_types::Challenge;
 use crate::{InitDataHash, ReportData};
-use super::{TeeEvidenceParsedClaim, Verifier};
 use crate::se::seattest::FakeSeAttest;
 use crate::se::seattest::SeFakeVerifier;
 
@@ -25,22 +25,31 @@ impl Verifier for SeVerifier {
         expected_report_data: &ReportData,
         expected_init_data_hash: &InitDataHash,
     ) -> Result<TeeEvidenceParsedClaim> {
+
         verify_evidence(evidence, expected_report_data, expected_init_data_hash)
         .await
         .map_err(|e| anyhow!("Se Verifier: {:?}", e))
     }
 
-    async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result<Challenge> {
-        /// TODO replace FakeSeAttest with real crate
+    async fn generate_challenge(
+        &self,
+        nonce: &str,
+    ) -> Result<Challenge> {
+
+        // TODO replace FakeSeAttest with real crate
         let attester = FakeSeAttest::default();
 
         let hkds: Vec<String> = vec![String::new(); 2];
         let certk = String::new();
         let signk = String::new();
         let arpk = String::new();
-        Result::Ok(Challenge {
-            nonce,
-            extra_params: BASE64_STANDARD.encode(attester.create(hkds, certk, signk, arpk)),
+
+        let extra_params = attester.create(hkds, &certk, &signk, &arpk)
+                            .await
+                            .context("Create SE attestation request failed: {:?}")?;
+        Ok(Challenge {
+            nonce: String::from(nonce),
+            extra_params: BASE64_STANDARD.encode(extra_params),
         })
     }
 }
@@ -50,13 +59,15 @@ async fn verify_evidence(
     expected_report_data: &ReportData<'_>,
     expected_init_data_hash: &InitDataHash<'_>,
 ) -> Result<TeeEvidenceParsedClaim> {
-    /// TODO replace FakeSeAttest with real crate
+    // TODO replace FakeSeAttest with real crate
     let attester = FakeSeAttest::default();
 
     let arpk = String::new();
     let hdr = String::new();
-    let se = attester.verify(evidence, arpk, hdr);
+    let se = attester.verify(evidence, &arpk, &hdr)
+                .await
+                .context("Verify SE attestation evidence failed: {:?}")?;
 
-    let v = serde_json::to_value(se?).context("build json value from the se evidence")?;
+    let v = serde_json::to_value(se).context("build json value from the se evidence")?;
     Ok(v as TeeEvidenceParsedClaim)
 }

attestation-service/verifier/src/se/seattest.rs

@@ -16,14 +16,14 @@ pub trait SeFakeVerifier {
         hkdFiles: Vec<String>,
         certFile: &String,
         signingFile: &String,
-        arpkFile: &String
+        arpkFile: &String,
     ) -> Result<Vec<u8>>;
 
     async fn verify(
         &self,
-        evidence: Vec<u8>,
+        evidence: &[u8],
         arpkFile: &String,
-        hdr: Vec<u8>
+        hdr: &String,
     ) -> Result<Vec<u8>>;
 }
 
@@ -34,16 +34,16 @@ impl SeFakeVerifier for FakeSeAttest {
         hkdFiles: Vec<String>,
         certFile: &String,
         signingFile: &String,
-        arpkFile: &String
+        arpkFile: &String,
     ) -> Result<Vec<u8>> {
         Result::Ok(Vec::new())
     }
 
     async fn verify(
         &self,
-        evidence: Vec<u8>,
+        evidence: &[u8],
         arpkFile: &String,
-        hdr: Vec<u8>
+        hdr: &String,
     ) -> Result<Vec<u8>> {
         Result::Ok(Vec::new())
     }

kbs/src/api/src/attestation/coco/builtin.rs

@@ -9,7 +9,7 @@ use attestation_service::{
     config::Config as AsConfig, policy_engine::SetPolicyInput, AttestationService, Data,
     HashAlgorithm,
 };
-use kbs_types::{Attestation, Tee};
+use kbs_types::{Attestation, Challenge, Tee};
 use serde_json::json;
 use tokio::sync::RwLock;
 
@@ -45,6 +45,17 @@ impl Attest for BuiltInCoCoAs {
             )
             .await
     }
+
+    async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result<Challenge> {
+        self.inner
+            .read()
+            .await
+            .generate_challenge(
+                tee,
+                nonce,
+            )
+            .await
+    }
 }
 
 impl BuiltInCoCoAs {

kbs/src/api/src/attestation/coco/grpc.rs

@@ -125,6 +125,13 @@ impl Attest for GrpcClientPool {
 
         Ok(token)
     }
+
+    async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result<Challenge> {
+        Ok(Challenge {
+            nonce: String::from(nonce),
+            extra_params: String::new(),
+        })
+    }
 }
 
 pub struct GrpcManager {

kbs/src/api/src/attestation/mod.rs

@@ -98,7 +98,7 @@ impl AttestationService {
             #[cfg(feature = "coco-as-grpc")]
             AttestationService::CoCoASgRPC(inner) => inner.generate_challenge(tee, nonce).await,
             #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))]
-            AttestationService::CoCoASBuiltIn(inner) => inner.generate_challenge(tee, nonce, attestation).await,
+            AttestationService::CoCoASBuiltIn(inner) => inner.generate_challenge(tee, nonce).await,
             #[cfg(feature = "intel-trust-authority-as")]
             AttestationService::IntelTA(inner) => inner.generate_challenge(tee, nonce).await,
         }

kbs/src/api/src/http/attest.rs

@@ -7,7 +7,7 @@ use crate::{raise_error, session::SessionStatus};
 use super::*;
 
 use anyhow::anyhow;
-use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use base64::engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD};
 use base64::Engine;
 use log::{error, info};
 use rand::{thread_rng, Rng};
@@ -32,9 +32,12 @@ pub(crate) async fn auth(
 ) -> Result<HttpResponse> {
     info!("request: {:?}", &request);
 
-    let challenge = attestation_service.generate_challenge(nonce()?);
+    let nonce = nonce()?;
+    let challenge = attestation_service.generate_challenge(request.tee, nonce.as_str())
+        .await
+        .unwrap();
 
-    let session = SessionStatus::auth(request.0, **timeout, challenge)
+    let session = SessionStatus::auth(request.0, **timeout, &challenge)
         .map_err(|e| Error::FailedAuthentication(format!("Session: {e}")))?;
 
     let response = HttpResponse::Ok()

kbs/src/api/src/session.rs

@@ -64,7 +64,7 @@ impl SessionStatus {
 
         Ok(Self::Authed {
             request,
-            challenge,
+            *challenge,
             id,
             timeout,
         })