Verifier: Add IBM Secure Execution driver framework

[huoqifeng]

Fixes: #342
This is kbs side code and related with PR: confidential-containers/guest-components#492
Depends on:

• Add a new TEE type: SE (IBM Secure Execution) virtee/kbs-types#26

The IBM SE Remote Attestation flow:

• The verifier generate the encrypted attestation-request based on hkd, CA, signing_key, a measurement key and a nonce, the encrypted data is protected by a symmetric attestation request protection key, which is encrypted using the Host-key document
• Verifier sends the request to attester
• Firmware on the Attester's system decrypts the request via private host-key and calculates the evidence based on the encrpted part of the request (Measurement key + nonce)
• Attester send the evidence to verifier
• Verifier recalculates the evidence based on the Configuration UID, Additional data, user-data, guest image hashes, and nonce. (its a HMAC-SHA512 with the measurement key as secret)
• if both HMACs, the one from the Firmware and the calculated one from the verifier match -> attestation success

[huoqifeng]

@Xynnn007 @fitzthum I'd like start the review process of the API change to support IBM SE. May you please help on that?

[Xynnn007]

Oh. I am still worried about the breakage for the PR. As it couple the KBS logic and AS logic to prepare an attreq.bin. After some reading of https://www.ibm.com/docs/en/linuxonibm/pdf/l130se03.pdf, I think of some different design ways for this and I must ignore something.

Way 1:

Con: We need to embed the host cert key chain (host key doc, CA cert, IBM_sign_key_cert) into the guest image

The logic of attester side:

1. After receiving challenge, generate an arp.key by HKDF(challenge || host_key_doc || CA cert || IBM_sign_key_cert)
2. Generate a report using the arp.key and other materials using pvattest

The logic of verifier side:

1. Use the same host key doc, CA cert, IBM_sign_key_cert and challenge to generate a same arp.key, and verify with pvattest verify -i attresp.bin --arpk arp.key --hdr hdr.bin

Rationality:
Looking at the entire attestation protocol of pvattest, the most critical thing is this arp.key, which is used for anti-replay, similar to the Nonce of other architectures, so we combine platform information host_key_doc || intermediate CA certificate || IBM sign key cert together with challenge. The strong binding information is used as the derivation factor of this key to ensure that the attester cannot use an instance on another platform to forge evidence that can pass verification - because the arp.key of the verifier side must be based on the certificate of the target environment.

BTW, if SE guest could support initdata (either though hostdata mechanism or vTPM), we could inject those documents when launching the guest without embed them inside the guest.

Way 2: Add a get_challenge to the verifier API

This is the current implementation.

Con: get_challenge() might mean nothing to other platforms.

This means every time KBS receives a RCAR request, it should first call the backend AS to call get_challenge().

This hints that CoCoAS should also support 4-pass protocol besides current 2-pass protocol, s.t. two ways to use CoCoAS

1. get_challenge() and then evaluate()
2. directly evaluate()

cc @jialez0

Way 3: Integrite IBM SE verifier logic inside KBS, and attester logic in KBS-client

Con: No se plugin will be support in attester and verifier crate, and thus not be support by AS. KBS should store arp.keys and se_guest.hdrs

This is based on a different attestation protocol of SE. We can introduce some conditional judgement for SE on the both KBS and KBS client side.

Way 4: Integrite IBM SE verifier logic inside KBS but attester logic in attester crate

Con: KBS should store arp.keys and se_guest.hdrs.

On the attester side, we can reuse report_data/challenge field for SE to present the host key doc, CA cert, IBM_sign_key_cert and attreq.bin bundle and generate an attresp.bin

On the verifier side, KBS will implement the generation of attreq.bin, and the verification of attresp.bin.

[huoqifeng]

Oh. I am still worried about the breakage for the PR. As it couple the KBS logic and AS logic to prepare an attreq.bin. After some reading of https://www.ibm.com/docs/en/linuxonibm/pdf/l130se03.pdf, I think of some different design ways for this and I must ignore something.

Way 1:

Con: We need to embed the host cert key chain (host key doc, CA cert, IBM_sign_key_cert) into the guest image

The logic of attester side:

1. After receiving `challenge`, generate an `arp.key` by `HKDF(challenge || host_key_doc || CA cert || IBM_sign_key_cert)`

2. Generate a report using the `arp.key` and other materials using `pvattest`

The logic of verifier side:

1. Use the same `host key doc`, `CA cert`, `IBM_sign_key_cert` and `challenge` to generate a same `arp.key`, and verify with `pvattest verify -i attresp.bin --arpk arp.key --hdr hdr.bin`

Rationality: Looking at the entire attestation protocol of pvattest, the most critical thing is this arp.key, which is used for anti-replay, similar to the Nonce of other architectures, so we combine platform information host_key_doc || intermediate CA certificate || IBM sign key cert together with challenge. The strong binding information is used as the derivation factor of this key to ensure that the attester cannot use an instance on another platform to forge evidence that can pass verification - because the arp.key of the verifier side must be based on the certificate of the target environment.

BTW, if SE guest could support initdata (either though hostdata mechanism or vTPM), we could inject those documents when launching the guest without embed them inside the guest.

Way 2: Add a get_challenge to the verifier API

This is the current implementation.

Con: get_challenge() might mean nothing to other platforms.

This means every time KBS receives a RCAR request, it should first call the backend AS to call get_challenge().

This hints that CoCoAS should also support 4-pass protocol besides current 2-pass protocol, s.t. two ways to use CoCoAS

1. `get_challenge()` and then [evaluate()](https://github.com/confidential-containers/trustee/blob/main/attestation-service/protos/attestation.proto#L92)

2. directly [evaluate()](https://github.com/confidential-containers/trustee/blob/main/attestation-service/protos/attestation.proto#L92)

cc @jialez0

Way 3: Integrite IBM SE verifier logic inside KBS, and attester logic in KBS-client

Con: No se plugin will be support in attester and verifier crate, and thus not be support by AS. KBS should store arp.keys and se_guest.hdrs

This is based on a different attestation protocol of SE. We can introduce some conditional judgement for SE on the both KBS and KBS client side.

Way 4: Integrite IBM SE verifier logic inside KBS but attester logic in attester crate

Con: KBS should store arp.keys and se_guest.hdrs.

On the attester side, we can reuse report_data/challenge field for SE to present the host key doc, CA cert, IBM_sign_key_cert and attreq.bin bundle and generate an attresp.bin

On the verifier side, KBS will implement the generation of attreq.bin, and the verification of attresp.bin.

Thanks @Xynnn007 for good suggestions, I think way 2 approach is used in this PR, generate_challenge_extra_params is added in verifier with a default impplementation. I'm happy to chnage the function name. CC @jialez0

[huoqifeng]

@Xynnn007 @jialez0 we also want to add the extra-params in Attestation like https://github.com/huoqifeng/kbs-types/blob/271ef4bac54035fb25fa44b24e5bbca844cd057c/src/lib.rs#L74-L75, how do you think?

[fitzthum]

This is a tricky one. If we get this extra challenge information from the AS, does that mean that the AS will have to maintain some per-connection state?

[huoqifeng]

This is a tricky one. If we get this extra challenge information from the AS, does that mean that the AS will have to maintain some per-connection state?

@fitzthum No need keep the state. For IBM SE, the attester will embed the original encrypted attestation request in evidence also, the verifier will extract the request first and then perform the verifying.

[huoqifeng]

@fitzthum @Xynnn007 CCC-Attestation/meetings#32, slides 9~18 describes the details of IBM SE attestation and also answers why we have attestation-request needed. The record is coming soon.

[mkulke]

lgtm.

I'll suggest to wait for the attester module to be merged first and then bump the kbs/tools/client guest-component dependency revision for e2e tests

[Xynnn007]

Thanks. lgtm. Let's get this merged after confidential-containers/guest-components#492

[huoqifeng]

@mkulke @Xynnn007 thank you very much for reviewing the PR and gave so many useful suggestions! thanks for your approval.

[huoqifeng]

Squashed commits.

[Xynnn007]

lgtm

[fitzthum]

Looks pretty good. A few comments.

[fitzthum]

LGTM

I do want to emphasize that since this verifier does not check the report data, it is not secure. Hopefully that will be addressed in a follow-up. I think this PR is fine for getting all the support code in.

[huoqifeng]

LGTM

I do want to emphasize that since this verifier does not check the report data, it is not secure. Hopefully that will be addressed in a follow-up. I think this PR is fine for getting all the support code in.

Thank you! @fitzthum , yes, the checking algorithm checks the evidence from TEE guest and re-calculated value from verifier, which also based on same SE OS Image. We'll add additional check in a follow up PR.

[Xynnn007]

confidential-containers/guest-components#492 was merged. we should update the rev in https://github.com/confidential-containers/trustee/blob/main/kbs/tools/client/Cargo.toml#L21