Added checks for AS and KBS policy setting

Signed-off-by: Jiale Zhang <[email protected]>
confidential-containers · Dec 10, 2024 · 9123c94 · 9123c94
1 parent 525610b
commit 9123c94
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 2 deletions.
diff --git a/attestation-service/src/policy_engine/mod.rs b/attestation-service/src/policy_engine/mod.rs
@@ -35,6 +35,8 @@ pub enum PolicyError {
     Base64DecodeFailed(#[from] base64::DecodeError),
     #[error("Illegal policy id. Only support alphabet, numeric, `-` or `_`")]
     InvalidPolicyId,
+    #[error("Illegal policy: {0}")]
+    InvalidPolicy(#[source] anyhow::Error),
     #[error("Failed to load reference data: {0}")]
     LoadReferenceDataFailed(#[source] anyhow::Error),
     #[error("Failed to set input data: {0}")]

diff --git a/attestation-service/src/policy_engine/opa/mod.rs b/attestation-service/src/policy_engine/opa/mod.rs
@@ -122,6 +122,13 @@ impl PolicyEngine for OPA {
             return Err(PolicyError::InvalidPolicyId);
         }
 
+        let policy_content =
+            String::from_utf8(policy_bytes).map_err(|e| PolicyError::InvalidPolicy(e.into()))?;
+        let mut engine = regorus::Engine::new();
+        engine
+            .add_policy(policy_id, policy_content)
+            .map_err(|e| PolicyError::InvalidPolicy(e.into()))?;
+
         let mut policy_file_path = PathBuf::from(
             &self
                 .policy_dir_path

diff --git a/deps/verifier/src/snp/mod.rs b/deps/verifier/src/snp/mod.rs
@@ -37,7 +37,7 @@ const LOADER_SPL_OID: Oid<'static> = oid!(1.3.6 .1 .4 .1 .3704 .1 .3 .1);
 const KDS_CERT_SITE: &str = "https://kdsintf.amd.com";
 const KDS_VCEK: &str = "/vcek/v1";
 
-/// Attestation report versions supported 
+/// Attestation report versions supported
 const REPORT_VERSION_MIN: u32 = 2;
 const REPORT_VERSION_MAX: u32 = 3;
 
@@ -110,7 +110,9 @@ impl Verifier for Snp {
 
         // See Trustee Issue#589 https://github.com/confidential-containers/trustee/issues/589
         if report.version < REPORT_VERSION_MIN || report.version > REPORT_VERSION_MAX {
-            return Err(anyhow!("Unexpected attestation report version. Check SNP Firmware ABI specification"));
+            return Err(anyhow!(
+                "Unexpected attestation report version. Check SNP Firmware ABI specification"
+            ));
         }
 
         if report.vmpl != 0 {

diff --git a/kbs/src/policy_engine/error.rs b/kbs/src/policy_engine/error.rs
@@ -33,4 +33,7 @@ pub enum KbsPolicyEngineError {
 
     #[error("Set Policy request is illegal for {0}")]
     IllegalSetPolicyRequest(&'static str),
+
+    #[error("Failed to set policy, illegal policy: {0}")]
+    InvalidPolicy(#[from] anyhow::Error),
 }
diff --git a/kbs/src/policy_engine/opa/mod.rs b/kbs/src/policy_engine/opa/mod.rs
@@ -60,6 +60,12 @@ impl PolicyEngineInterface for Opa {
 
     async fn set_policy(&mut self, policy: &str) -> Result<(), KbsPolicyEngineError> {
         let policy_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(policy)?;
+        let policy_content = String::from_utf8(policy_bytes)
+            .map_err(|e| KbsPolicyEngineError::InvalidPolicy(e.into()))?;
+        let mut engine = regorus::Engine::new();
+        engine
+            .add_policy(String::from("default"), policy_content)
+            .map_err(|e| KbsPolicyEngineError::InvalidPolicy(e))?;
 
         tokio::fs::write(&self.policy_path, policy_bytes).await?;