attestation-agent: add TDX-vTPM feature to cargo manifests

This attester is supposed to procure evidence from Azure TDX CVMs The
attester uses a flow similar to the az_snp_vtpm module, albeit with
TDX Quotes.

Co-authored-by: Iago López Galeiras <[email protected]>

Signed-off-by: Magnus Kulke <[email protected]>

Cargo.toml

@@ -40,7 +40,7 @@ hex = "0.4.3"
 hmac = "0.12.1"
 jwt-simple = "0.11"
 # TODO: change it to "0.5", once released.
-kbs-types = { git = "https://github.com/virtee/kbs-types", rev = "c90df0e" }
+kbs-types = { git = "https://github.com/virtee/kbs-types", rev = "90b13bb" }
 lazy_static = "1.4.0"
 log = "0.4.14"
 openssl = "0.10"

attestation-agent/README.md

@@ -124,6 +124,7 @@ CC KBC supports different kinds of hardware TEE attesters, now
 | sgx-attester        | Intel SGX DCAP              |
 | snp-attester        | AMD SEV-SNP                 |
 | az-snp-vtpm-attester| Azure SEV-SNP CVM           |
+| az-tdx-vtpm-attester| Azure TDX CVM               |
 | cca-attester        | Arm Confidential Compute Architecture (CCA)  |
 
 To build cc kbc with all available attesters and install, use

attestation-agent/app/Cargo.toml

@@ -40,6 +40,7 @@ cc_kbc_all_attesters = ["cc_kbc", "attestation_agent/all-attesters"]
 cc_kbc_tdx = ["cc_kbc", "attestation_agent/tdx-attester"]
 cc_kbc_sgx = ["cc_kbc", "attestation_agent/sgx-attester"]
 cc_kbc_az_snp_vtpm = ["cc_kbc", "attestation_agent/az-snp-vtpm-attester"]
+cc_kbc_az_tdx_vtpm = ["cc_kbc", "attestation_agent/az-tdx-vtpm-attester"]
 cc_kbc_snp = ["cc_kbc", "attestation_agent/snp-attester"]
 
 eaa_kbc = ["attestation_agent/eaa_kbc"]

attestation-agent/attester/Cargo.toml

@@ -9,6 +9,7 @@ edition = "2021"
 anyhow.workspace = true
 async-trait.workspace = true
 az-snp-vtpm = { version = "0.4", default-features = false, features = ["attester"], optional = true }
+az-tdx-vtpm = { version = "0.4", default-features = false, features = ["attester"], optional = true }
 base64.workspace = true
 kbs-types.workspace = true
 log.workspace = true
@@ -31,11 +32,12 @@ tokio.workspace = true
 
 [features]
 default = ["all-attesters"]
-all-attesters = ["tdx-attester", "sgx-attester", "az-snp-vtpm-attester", "snp-attester", "csv-attester", "cca-attester"]
+all-attesters = ["tdx-attester", "sgx-attester", "az-snp-vtpm-attester", "az-tdx-vtpm-attester", "snp-attester", "csv-attester", "cca-attester"]
 
 tdx-attester = ["tdx-attest-rs"]
 sgx-attester = ["occlum_dcap"]
 az-snp-vtpm-attester = ["az-snp-vtpm"]
+az-tdx-vtpm-attester = ["az-tdx-vtpm"]
 snp-attester = ["sev"]
 csv-attester = ["csv-rs", "codicon", "hyper", "hyper-tls", "tokio"]
 cca-attester = ["nix"]

attestation-agent/attester/src/az_tdx_vtpm/mod.rs

@@ -0,0 +1,51 @@
+// Copyright (c) 2023 Microsoft Corporation
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use super::Attester;
+use anyhow::*;
+use az_tdx_vtpm::vtpm::Quote as TpmQuote;
+use az_tdx_vtpm::{hcl, imds, is_tdx_cvm, vtpm};
+use log::debug;
+use serde::{Deserialize, Serialize};
+use std::result::Result::Ok;
+
+pub fn detect_platform() -> bool {
+    match is_tdx_cvm() {
+        Ok(tdx) => tdx,
+        Err(err) => {
+            debug!("Couldn't perform Azure TDX platform detection: {err}");
+            false
+        }
+    }
+}
+
+#[derive(Debug, Default)]
+pub struct AzTdxVtpmAttester;
+
+#[derive(Serialize, Deserialize)]
+struct Evidence {
+    tpm_quote: TpmQuote,
+    hcl_report: Vec<u8>,
+    td_quote: Vec<u8>,
+}
+
+#[async_trait::async_trait]
+impl Attester for AzTdxVtpmAttester {
+    async fn get_evidence(&self, report_data: Vec<u8>) -> Result<String> {
+        let hcl_report_bytes = vtpm::get_report()?;
+        let hcl_report = hcl::HclReport::new(hcl_report_bytes.clone())?;
+        let td_report = hcl_report.try_into()?;
+        let td_quote_bytes = imds::get_td_quote(&td_report)?;
+
+        let tpm_quote = vtpm::get_quote(&report_data)?;
+
+        let evidence = Evidence {
+            tpm_quote,
+            hcl_report: hcl_report_bytes,
+            td_quote: td_quote_bytes,
+        };
+        Ok(serde_json::to_string(&evidence)?)
+    }
+}

attestation-agent/attester/src/lib.rs

@@ -11,6 +11,9 @@ pub mod sample;
 #[cfg(feature = "az-snp-vtpm-attester")]
 pub mod az_snp_vtpm;
 
+#[cfg(feature = "az-tdx-vtpm-attester")]
+pub mod az_tdx_vtpm;
+
 #[cfg(feature = "cca-attester")]
 pub mod cca;
 
@@ -40,6 +43,8 @@ impl TryFrom<Tee> for BoxedAttester {
             Tee::Sgx => Box::<sgx_dcap::SgxDcapAttester>::default(),
             #[cfg(feature = "az-snp-vtpm-attester")]
             Tee::AzSnpVtpm => Box::<az_snp_vtpm::AzSnpVtpmAttester>::default(),
+            #[cfg(feature = "az-tdx-vtpm-attester")]
+            Tee::AzTdxVtpm => Box::<az_tdx_vtpm::AzTdxVtpmAttester>::default(),
             #[cfg(feature = "cca-attester")]
             Tee::Cca => Box::<cca::CCAAttester>::default(),
             #[cfg(feature = "snp-attester")]
@@ -77,6 +82,11 @@ pub fn detect_tee_type() -> Option<Tee> {
         return Some(Tee::Sgx);
     }
 
+    #[cfg(feature = "az-tdx-vtpm-attester")]
+    if az_tdx_vtpm::detect_platform() {
+        return Some(Tee::AzTdxVtpm);
+    }
+
     #[cfg(feature = "az-snp-vtpm-attester")]
     if az_snp_vtpm::detect_platform() {
         return Some(Tee::AzSnpVtpm);

attestation-agent/kbc/Cargo.toml

@@ -41,6 +41,7 @@ all-attesters = ["kbs_protocol?/all-attesters"]
 tdx-attester = ["kbs_protocol/tdx-attester"]
 sgx-attester = ["kbs_protocol/sgx-attester"]
 az-snp-vtpm-attester= ["kbs_protocol/az-snp-vtpm-attester"]
+az-tdx-vtpm-attester= ["kbs_protocol/az-tdx-vtpm-attester"]
 snp-attester = ["kbs_protocol/snp-attester"]
 cca-attester = ["kbs_protocol/cca-attester"]
 

attestation-agent/kbs_protocol/Cargo.toml

@@ -48,6 +48,7 @@ all-attesters = ["attester/all-attesters"]
 tdx-attester = ["attester/tdx-attester"]
 sgx-attester = ["attester/sgx-attester"]
 az-snp-vtpm-attester = ["attester/az-snp-vtpm-attester"]
+az-tdx-vtpm-attester = ["attester/az-tdx-vtpm-attester"]
 snp-attester = ["attester/snp-attester"]
 csv-attester = ["attester/csv-attester"]
 cca-attester = ["attester/cca-attester"]

attestation-agent/lib/Cargo.toml

@@ -31,6 +31,7 @@ all-attesters = ["kbc/all-attesters", "kbs_protocol?/all-attesters", "attester/a
 tdx-attester = ["kbc/tdx-attester", "kbs_protocol/tdx-attester", "attester/tdx-attester"]
 sgx-attester = ["kbc/sgx-attester", "kbs_protocol/sgx-attester", "attester/sgx-attester"]
 az-snp-vtpm-attester = ["kbc/az-snp-vtpm-attester", "kbs_protocol/az-snp-vtpm-attester", "attester/az-snp-vtpm-attester"]
+az-tdx-vtpm-attester = ["kbc/az-tdx-vtpm-attester", "kbs_protocol/az-tdx-vtpm-attester", "attester/az-tdx-vtpm-attester"]
 snp-attester = ["kbc/snp-attester", "kbs_protocol/snp-attester", "attester/snp-attester"]
 
 sample_kbc = ["kbc/sample_kbc"]