Verifier: IBM SE make both se and sample tee test pass

Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>

kbs/docs/kbs.yaml

@@ -212,13 +212,19 @@ components:
       required:
         - tee-pubkey
         - tee-evidence
+        - extra-params
       type: object
       properties:
         tee-pubkey:
           $ref: '#/components/schemas/PublicKey'
         tee-evidence:
           description: HW-TEE specific attestation evidence.
           type: object
+        extra-params:
+          description:
+            Freely formatted JSON object used for HW-TEE specific attestation
+            processes.
+          type: object
       description: >-
         KBS attestation challenge, sent in response to the KBC Request.
 

kbs/docs/kbs_attestation_protocol.md

@@ -147,6 +147,8 @@ evidence from the HW-TEE platform and organizes it into the following payload:
 
     /* The attestation evidence. Its format is specified by Attestation-Service. */
     "tee-evidence": {}
+    /* Extra parameters to support some special HW-TEE attestation. */
+    "extra-params": {}
 }
 ```
 > **Note:** the `/*...*/` comments are not valid in JSON, and must not be used.
@@ -178,6 +180,11 @@ Attestation-Service.
 The KBS does not parse or analyze the attestation evidence, it forwards it to
 the Attestation-Service for verification.
 
+- `extra-params`
+
+The reserved extra parameter field which is used to pass the additional
+information provided by the KBS when some specific HW-TEE needs to be attested.
+
 ## `Response`
 
 Upon successful attestation, the KBC can request resources from the KBS, by

kbs/src/api/src/attestation/coco/builtin.rs

@@ -29,7 +29,7 @@ impl Attest for BuiltInCoCoAs {
         let attestation: Attestation = serde_json::from_str(attestation)?;
 
         // TODO: align with the guest-components/kbs-protocol side.
-        let runtime_data_plaintext = json!({"tee-pubkey": attestation.tee_pubkey, "nonce": nonce});
+        let runtime_data_plaintext = json!({"tee-pubkey": attestation.tee_pubkey, "nonce": nonce, "extra-params": attestation.extra_params});
 
         self.inner
             .read()

kbs/src/api/src/attestation/coco/grpc.rs

@@ -102,7 +102,7 @@ impl Attest for GrpcClientPool {
         let attestation: Attestation = serde_json::from_str(attestation)?;
 
         // TODO: align with the guest-components/kbs-protocol side.
-        let runtime_data_plaintext = json!({"tee-pubkey": attestation.tee_pubkey, "nonce": nonce});
+        let runtime_data_plaintext = json!({"tee-pubkey": attestation.tee_pubkey, "nonce": nonce, "extra-params": attestation.extra_params});
         let runtime_data_plaintext = serde_json::to_string(&runtime_data_plaintext)
             .context("CoCo AS client: serialize runtime data failed")?;
 

kbs/tools/attest.json

@@ -4,5 +4,6 @@
     "k-mod": "my_modulus",
     "k-exp": "my_exponent"
   },
-  "tee-evidence": "my_evidence"
+  "tee-evidence": "my_evidence",
+  "extra-params": "my_extra_params"
 }

kbs/tools/client/Cargo.toml

@@ -18,7 +18,7 @@ base64.workspace = true
 clap = { version = "4.0.29", features = ["derive"] }
 env_logger.workspace = true
 jwt-simple = "0.11.4"
-kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "21b2c536b4d6c5c1442b53916c908b54dde136e8", default-features = false }
+kbs_protocol = { git = "https://github.com/huoqifeng/guest-components.git", rev = "cca0fcb0bae3ad0259efabbb84f3e33c986e1675", default-features = false }
 log.workspace = true
 reqwest = { version = "0.11.18", default-features = false, features = ["cookies", "json"] }
 serde = { version = "1.0", features = ["derive"] }