Move building of proto generated files to its own crate.

Cargo.toml

@@ -100,6 +100,7 @@ oak_grpc_utils = { path = "./oak_grpc_utils" }
 oak_launcher_utils = { path = "./oak_launcher_utils" }
 oak_linux_boot_params = { path = "./linux_boot_params" }
 oak_logger = { path = "./oak_functions/logger" }
+oak_proto = { path = "./proto" }
 oak_remote_attestation = { path = "./oak_remote_attestation" }
 oak_restricted_kernel_dice = { path = "./oak_restricted_kernel_dice" }
 oak_restricted_kernel_sdk = { path = "./oak_restricted_kernel_sdk" }

oak_attestation_verification/Cargo.toml

@@ -13,13 +13,11 @@ coset = { version = "*", default-features = false }
 ecdsa = { version = "*", features = ["pkcs8", "pem"] }
 hex = "*"
 oak_dice = { workspace = true }
+oak_proto = { workspace = true }
 prost = { workspace = true }
 p256 = { version = "*", features = ["ecdsa-core", "ecdsa", "pem"] }
 serde = { version = "*", features = ["derive"] }
 serde_jcs = "*"
 serde_json = "*"
 sha2 = { version = "*", default-features = false }
 time = { version = "0.3.28", features = ["serde", "parsing", "formatting"] }
-
-[build-dependencies]
-prost-build = { workspace = true }

oak_attestation_verification/src/claims.rs

@@ -21,9 +21,9 @@
 
 extern crate alloc;
 
-use crate::proto::oak::HexDigest;
 use alloc::{collections::BTreeMap, string::String, vec::Vec};
 use anyhow::Context;
+use oak_proto::oak::HexDigest;
 use serde::{Deserialize, Serialize};
 use time::OffsetDateTime;
 

oak_attestation_verification/src/endorsement.rs

@@ -21,12 +21,12 @@ use crate::{
         get_digest, parse_endorsement_statement, validate_endorsement, verify_validity_duration,
         EndorsementStatement,
     },
-    proto::oak::HexDigest,
     rekor::{get_rekor_log_entry_body, verify_rekor_log_entry},
     util::{convert_pem_to_raw, equal_keys, is_hex_digest_match, MatchResult},
 };
 use anyhow::Context;
 use base64::{prelude::BASE64_STANDARD, Engine as _};
+use oak_proto::oak::HexDigest;
 
 /// Compares the digest contained in the endorsement against the given one.
 pub fn verify_binary_digest(

oak_attestation_verification/src/lib.rs

@@ -19,24 +19,6 @@
 
 extern crate alloc;
 
-// Inlined from tonic::include_proto in order to cut dependency on tonic.
-macro_rules! include_proto {
-    ($package: tt) => {
-        include!(concat!(env!("OUT_DIR"), concat!("/", $package, ".rs")));
-    };
-}
-
-pub mod proto {
-    pub mod oak {
-        include_proto!("oak");
-        pub mod attestation {
-            pub mod v1 {
-                include_proto!("oak.attestation.v1");
-            }
-        }
-    }
-}
-
 pub mod claims;
 pub mod endorsement;
 pub mod rekor;

oak_attestation_verification/src/util.rs

@@ -14,12 +14,12 @@
 // limitations under the License.
 //
 
-use crate::proto::oak::{HexDigest, RawDigest};
 use alloc::{string::String, vec::Vec};
 use anyhow::Context;
 use base64::{prelude::BASE64_STANDARD, Engine as _};
 use core::{cmp::Ordering, str::FromStr};
 use ecdsa::{signature::Verifier, Signature};
+use oak_proto::oak::{HexDigest, RawDigest};
 use p256::ecdsa::VerifyingKey;
 use sha2::{Digest, Sha256, Sha384, Sha512};
 

oak_attestation_verification/src/verifier.rs

@@ -20,20 +20,6 @@ use crate::{
     alloc::string::ToString,
     claims::{get_digest, parse_endorsement_statement},
     endorsement::verify_binary_endorsement,
-    proto::oak::{
-        attestation::v1::{
-            attestation_results::Status, binary_reference_value, endorsements, reference_values,
-            ApplicationKeys, ApplicationLayerEndorsements, ApplicationLayerReferenceValues,
-            AttestationResults, BinaryReferenceValue, CbEndorsements, CbReferenceValues,
-            ContainerLayerEndorsements, ContainerLayerReferenceValues, Endorsements, Evidence,
-            KernelLayerEndorsements, KernelLayerReferenceValues, LayerEvidence,
-            OakContainersEndorsements, OakContainersReferenceValues,
-            OakRestrictedKernelEndorsements, OakRestrictedKernelReferenceValues, ReferenceValues,
-            RootLayerEndorsements, RootLayerEvidence, RootLayerReferenceValues,
-            SystemLayerEndorsements, SystemLayerReferenceValues, TransparentReleaseEndorsement,
-        },
-        RawDigest,
-    },
     util::{
         hex_to_raw_digest, is_hex_digest_match, is_raw_digest_match, raw_to_hex_digest, MatchResult,
     },
@@ -49,6 +35,20 @@ use oak_dice::cert::{
     LAYER_2_CODE_MEASUREMENT_ID, LAYER_3_CODE_MEASUREMENT_ID, LAYER_3_CONFIG_MEASUREMENT_ID,
     MEMORY_MAP_MEASUREMENT_ID, SETUP_DATA_MEASUREMENT_ID, SHA2_256_ID, SYSTEM_IMAGE_LAYER_ID,
 };
+use oak_proto::oak::{
+    attestation::v1::{
+        attestation_results::Status, binary_reference_value, endorsements, reference_values,
+        ApplicationKeys, ApplicationLayerEndorsements, ApplicationLayerReferenceValues,
+        AttestationResults, BinaryReferenceValue, CbEndorsements, CbReferenceValues,
+        ContainerLayerEndorsements, ContainerLayerReferenceValues, Endorsements, Evidence,
+        KernelLayerEndorsements, KernelLayerReferenceValues, LayerEvidence,
+        OakContainersEndorsements, OakContainersReferenceValues, OakRestrictedKernelEndorsements,
+        OakRestrictedKernelReferenceValues, ReferenceValues, RootLayerEndorsements,
+        RootLayerEvidence, RootLayerReferenceValues, SystemLayerEndorsements,
+        SystemLayerReferenceValues, TransparentReleaseEndorsement,
+    },
+    RawDigest,
+};
 
 // We don't use additional authenticated data.
 const ADDITIONAL_DATA: &[u8] = b"";
@@ -58,21 +58,21 @@ pub struct DiceChainResult {
     signing_public_key: Vec<u8>,
 }
 
-impl From<&anyhow::Result<DiceChainResult>> for AttestationResults {
-    fn from(value: &anyhow::Result<DiceChainResult>) -> Self {
-        match value {
-            Ok(dice_chain_result) => AttestationResults {
-                status: Status::Success.into(),
-                encryption_public_key: dice_chain_result.encryption_public_key.clone(),
-                signing_public_key: dice_chain_result.signing_public_key.clone(),
-                ..Default::default()
-            },
-            Err(err) => AttestationResults {
-                status: Status::GenericFailure.into(),
-                reason: err.to_string(),
-                ..Default::default()
-            },
-        }
+pub fn to_attestation_results(
+    verify_result: &anyhow::Result<DiceChainResult>,
+) -> AttestationResults {
+    match verify_result {
+        Ok(dice_chain_result) => AttestationResults {
+            status: Status::Success.into(),
+            encryption_public_key: dice_chain_result.encryption_public_key.clone(),
+            signing_public_key: dice_chain_result.signing_public_key.clone(),
+            ..Default::default()
+        },
+        Err(err) => AttestationResults {
+            status: Status::GenericFailure.into(),
+            reason: err.to_string(),
+            ..Default::default()
+        },
     }
 }
 

oak_attestation_verification/tests/endorsement_tests.rs

@@ -25,11 +25,12 @@ use oak_attestation_verification::{
         verify_binary_digest, verify_binary_endorsement, verify_endorsement_statement,
         verify_endorser_public_key,
     },
-    proto::oak::HexDigest,
     rekor::{verify_rekor_log_entry, verify_rekor_signature},
     util::{convert_pem_to_raw, MatchResult},
 };
 
+use oak_proto::oak::HexDigest;
+
 const BINARY_DIGEST: &str = "39051983bbb600bbfb91bd22ee4c976420f8f0c6a895fd083dcb0d153ddd5fd6";
 const ENDORSEMENT_PATH: &str = "testdata/endorsement.json";
 

oak_attestation_verification/tests/verifier_tests.rs

@@ -18,17 +18,17 @@ use prost::Message;
 use std::fs;
 
 use oak_attestation_verification::{
-    proto::oak::attestation::v1::{
-        attestation_results::Status, AmdSevReferenceValues, AttestationResults,
-        BinaryReferenceValue, ContainerLayerEndorsements, ContainerLayerReferenceValues,
-        EndorsementReferenceValue, Endorsements, Evidence, KernelLayerEndorsements,
-        KernelLayerReferenceValues, OakContainersEndorsements, OakContainersReferenceValues,
-        ReferenceValues, RootLayerEndorsements, RootLayerReferenceValues, SkipVerification,
-        StringReferenceValue, SystemLayerEndorsements, SystemLayerReferenceValues,
-        TransparentReleaseEndorsement,
-    },
     util::convert_pem_to_raw,
-    verifier::verify,
+    verifier::{to_attestation_results, verify},
+};
+
+use oak_proto::oak::attestation::v1::{
+    attestation_results::Status, AmdSevReferenceValues, BinaryReferenceValue,
+    ContainerLayerEndorsements, ContainerLayerReferenceValues, EndorsementReferenceValue,
+    Endorsements, Evidence, KernelLayerEndorsements, KernelLayerReferenceValues,
+    OakContainersEndorsements, OakContainersReferenceValues, ReferenceValues,
+    RootLayerEndorsements, RootLayerReferenceValues, SkipVerification, StringReferenceValue,
+    SystemLayerEndorsements, SystemLayerReferenceValues, TransparentReleaseEndorsement,
 };
 
 const ENDORSEMENT_PATH: &str = "testdata/endorsement.json";
@@ -87,7 +87,7 @@ fn create_endorsements() -> Endorsements {
         container_layer: Some(container_layer),
     };
     Endorsements {
-        r#type: Some(oak_attestation_verification::proto::oak::attestation::v1::endorsements::Type::OakContainers(ends)),
+        r#type: Some(oak_proto::oak::attestation::v1::endorsements::Type::OakContainers(ends)),
     }
 }
 
@@ -108,10 +108,16 @@ fn create_reference_values() -> ReferenceValues {
         rekor_public_key,
     };
     let skip = BinaryReferenceValue {
-        r#type: Some(oak_attestation_verification::proto::oak::attestation::v1::binary_reference_value::Type::Skip(SkipVerification {})),
+        r#type: Some(
+            oak_proto::oak::attestation::v1::binary_reference_value::Type::Skip(
+                SkipVerification {},
+            ),
+        ),
     };
     let brv = BinaryReferenceValue {
-        r#type: Some(oak_attestation_verification::proto::oak::attestation::v1::binary_reference_value::Type::Endorsement(erv)),
+        r#type: Some(
+            oak_proto::oak::attestation::v1::binary_reference_value::Type::Endorsement(erv),
+        ),
     };
     let srv = StringReferenceValue {
         values: ["whatever".to_owned()].to_vec(),
@@ -150,7 +156,7 @@ fn create_reference_values() -> ReferenceValues {
         container_layer: Some(container_layer),
     };
     ReferenceValues {
-        r#type: Some(oak_attestation_verification::proto::oak::attestation::v1::reference_values::Type::OakContainers(vs)),
+        r#type: Some(oak_proto::oak::attestation::v1::reference_values::Type::OakContainers(vs)),
     }
 }
 
@@ -161,7 +167,7 @@ fn verify_succeeds() {
     let reference_values = create_reference_values();
 
     let r = verify(NOW_UTC_MILLIS, &evidence, &endorsements, &reference_values);
-    let p = AttestationResults::from(&r);
+    let p = to_attestation_results(&r);
 
     eprintln!("======================================");
     eprintln!("code={} reason={}", p.status as i32, p.reason);
@@ -178,7 +184,7 @@ fn verify_fails_with_manipulated_root_public_key() {
     let reference_values = create_reference_values();
 
     let r = verify(NOW_UTC_MILLIS, &evidence, &endorsements, &reference_values);
-    let p = AttestationResults::from(&r);
+    let p = to_attestation_results(&r);
 
     eprintln!("======================================");
     eprintln!("code={} reason={}", p.status as i32, p.reason);
@@ -194,7 +200,7 @@ fn verify_fails_with_empty_args() {
     let reference_values = ReferenceValues::default();
 
     let r = verify(NOW_UTC_MILLIS, &evidence, &endorsements, &reference_values);
-    let p = AttestationResults::from(&r);
+    let p = to_attestation_results(&r);
 
     assert!(r.is_err());
     assert!(p.status() == Status::GenericFailure);