-
Notifications
You must be signed in to change notification settings - Fork 90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor Attestation-Service #216
Conversation
af2baf9
to
8347740
Compare
The e2e error is as expected, because after changing the token format of AS, no teepub key field will be inside the CoCoAS Token. Let me fix this in another PR. KBS will have its own token with tee pub key inside, which is rational because attestation token should not carry semantics of KBS protocol. The reason why KBS has its own "token" is because attestation (done by CoCo-AS) is a lower level semantics than authentication (done by KBS, the authorization is via KBS token). See #217 |
8347740
to
04dad00
Compare
04dad00
to
78ac576
Compare
34876a7
to
958bb61
Compare
Tidied the commits. Now ready to be reviewed. |
let evidence = serde_json::from_str::<Evidence>(&attestation.tee_evidence) | ||
if report_data.is_none() { | ||
bail!("Azure SNP vTPM verifier must provide report data field!"); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mkulke Hi Magnus, I've changed the API of verifier of AzSnpVtpm
. PTL if it looks good to you.
BTW, it will now change the behavior of current CoCoAS.
snp_report: &AttestationReport, | ||
vcek: &Vcek, | ||
init_data_hash: Option<&[u8]>, | ||
) -> Result<()> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @fitzthum Hi Tobin, I've changed the API of verifier of SNP
. PTL if it looks good to you.
BTW, it will now change the behavior of current CoCoAS.
attestation: &Attestation, | ||
evidence: &[u8], | ||
report_data: Option<&[u8]>, | ||
init_data_hash: Option<&[u8]>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @chendave Hi Dave, I've changed the API of verifier of CCA
. PTL if it looks good to you.
BTW, it will now change the behavior of current CoCoAS.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
@@ -43,22 +43,18 @@ pub struct SgxVerifier {} | |||
impl Verifier for SgxVerifier { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @mythi I've changed the API of verifier of SGX
. PTL if it looks good to you.
BTW, it will now change the behavior of current CoCoAS.
If the e2e tests fail and cannot be make pass in the scope of this PR, does this mean that |
"runtime_data": ["YWFhCg==...", "YWFhCg==..."], // base64 encoded materials that used to calculate the | ||
// digest inside report_data to check the binding. | ||
// If sets [] the comparation will be skipped. | ||
"init_data": ["YWFhCg==...", "YWFhCg==..."], // base64 encoded materials that used to calculate the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this an implementation of what's being proposed in RFC 171?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They are related. The API here is provided by CoCo-AS. It can help a caller to check the original data and the binding with an evidence.
The API can not only help the checking step in the RFC, but also other users who use the CoCo-AS as a separate attestation service to check any binding relationship between some data and the evidence.
Sounds good. Let me just leave the code structure changing in this PR. |
603b135
to
b1820b8
Compare
Changed the PR intro. Now ready to be reviewed. Other work will be include in separate PRs. PTAL @mkulke |
d430c73
to
1203fc7
Compare
Fixed as @mkulke suggested. |
if we want to stop the noisy propagation of lifetimes (afaiu this is due to problems w/ diff --git a/attestation-service/attestation-service/src/lib.rs b/attestation-service/attestation-service/src/lib.rs
index 3a60109..a94cf2b 100644
--- a/attestation-service/attestation-service/src/lib.rs
+++ b/attestation-service/attestation-service/src/lib.rs
@@ -102,13 +102,13 @@ impl AttestationService {
let claims_from_tee_evidence = verifier
.evaluate(
attestation.tee_evidence.as_bytes(),
- report_data,
+ &report_data,
// We currently do not need to check the initdata hash in AS when using
// `verifier` crate.
//
// We will refactor the CoCo-AS' API to leverage the parameter.
// See https://github.com/confidential-containers/kbs/issues/177
- InitDataHash::NotProvided,
+ &InitDataHash::NotProvided,
)
.await
.map_err(|e| anyhow!("Verifier evaluate failed: {e:?}"))?;
diff --git a/attestation-service/verifier/src/lib.rs b/attestation-service/verifier/src/lib.rs
index c16f491..e50f873 100644
--- a/attestation-service/verifier/src/lib.rs
+++ b/attestation-service/verifier/src/lib.rs
@@ -123,10 +123,10 @@ pub trait Verifier {
/// instance is created. It is always provided by untrusted host,
/// but its integrity will be protected by the tee evidence.
/// Typical `init_data_hash` is `HOSTDATA` for SNP.
- async fn evaluate<'a, 'b>(
+ async fn evaluate(
&self,
evidence: &[u8],
- expected_report_data: ReportData<'a>,
- expected_init_data_hash: InitDataHash<'b>,
+ expected_report_data: &ReportData,
+ expected_init_data_hash: &InitDataHash,
) -> Result<TeeEvidenceParsedClaim>;
}
diff --git a/attestation-service/verifier/src/sample/mod.rs b/attestation-service/verifier/src/sample/mod.rs
index 4292f63..6f6cdcd 100644
--- a/attestation-service/verifier/src/sample/mod.rs
+++ b/attestation-service/verifier/src/sample/mod.rs
@@ -23,11 +23,11 @@ pub struct Sample {}
#[async_trait]
impl Verifier for Sample {
- async fn evaluate<'a, 'b>(
+ async fn evaluate(
&self,
evidence: &[u8],
- expected_report_data: ReportData<'a>,
- expected_init_data_hash: InitDataHash<'b>,
+ expected_report_data: &ReportData,
+ expected_init_data_hash: &InitDataHash,
) -> Result<TeeEvidenceParsedClaim> {
let tee_evidence = serde_json::from_slice::<SampleTeeEvidence>(evidence)
.context("Deserialize Quote failed.")?;
@@ -43,8 +43,8 @@ impl Verifier for Sample {
}
async fn verify_tee_evidence(
- expected_report_data: ReportData<'_>,
- expected_init_data_hash: InitDataHash<'_>,
+ expected_report_data: &ReportData<'_>,
+ expected_init_data_hash: &InitDataHash<'_>,
evidence: &SampleTeeEvidence,
) -> Result<()> {
// Verify the TEE Hardware signature. (Null for sample TEE)
@@ -55,7 +55,7 @@ async fn verify_tee_evidence(
let ev_report_data = base64::engine::general_purpose::STANDARD
.decode(&evidence.report_data)
.context("base64 decode report data for sample evidence")?;
- if expected_report_data != ev_report_data {
+ if *expected_report_data != ev_report_data {
bail!("REPORT_DATA is different from that in Sample Quote");
}
}
@@ -66,7 +66,7 @@ async fn verify_tee_evidence(
let ev_init_data_hash = base64::engine::general_purpose::STANDARD
.decode(&evidence.init_data_hash)
.context("base64 decode init data hash for sample evidence")?;
- if expected_init_data_hash != ev_init_data_hash {
+ if *expected_init_data_hash != ev_init_data_hash {
bail!("INIT DATA HASH is different from that in Sample Quote");
}
} |
@mkulke Cool. The propogation of lifetime really makes me sad : (. Let me try this. Thanks! |
1203fc7
to
21a5279
Compare
@mkulke Have fixed with your suggestion. PTAL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Path of Dockerfile Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
21a5279
to
da32a48
Compare
was the PR merged by accident again? |
I think we get an agreement? |
to me, the agreement was to get this to work without any API changes first with the tradeoffs that are only impacting SGX/TDX. |
maybe a misunderstanding on my side, but I also assumed this was blocked by the init-data proposal being resolved? Would this code still be valid independently from how we inject init-data into the guest (embedded into policy or top-level via kata-agent api)? |
There's another blocker too that I'm talking about. It moved the code to the opposite direction to what I had in mind with confidential-containers/guest-components@4499301 which is related to my (slow) attempts to get CoCo KBS to work with non-CoCo ASes. |
These are independent things I think. As this only provides extra ability to check the initdata hash inside evidence for different verifiers, but we are still doing what we do before this PR -- does not care anything about initdata when doing KBS protocol and RCAR handshake -- as it used to be. So does #240 I think. If we use policy to inject initdata, we need an expected Does this make sense? Maybe I have missed something.. |
yup it does. thanks for clarifying! 👍 |
@mythi The common aim for us would be to support non-CoCo-AS in KBS protocol, right? Binding specific hash algorithm to specific TEE platform seems a coupling things. A potentially better and flexible way is to add hash algorithm handshake in KBS protocol. In this way, after the first round of RCAR handshake, the kbs-client will use the hash algorithm specified by the AS. By this I have made a PR based on that idea #240 to let CoCo-AS to handle attestation requests with flexible hash algorithms. I think it might be better for us to go straightforward to the way of updating protocol as the consensus? Starting from making a proposal for that.
I got your point that we should include the digest of the whole content of tee-pubkey inside the evidence here. This is great! |
For what is forth, this PR made the coupling stronger and blocked my work. I asked to avoid it but that was ignored. I find the pattern that code is merged by the PR author even when there is no consensus quite concerning. This is the second time it happened in a short period of time. Can we agree that in these type of case the PR author recuses themselves from merging?
I don't agree that "let's just change the spec" is the best approach to start with. The problem I was trying to solve does not require spec changes to start with. They are nice/good to have but a better approach would have been to fix things first and then see what are all the places that need updating.
It's not my "my point". It's what the protocol spec says and the implementation does not follow it. |
This huge PR mainly aims to refactor Attestation-Service crate and binaries, including the following:
verifier
and makes it as a separate crateThis would help other projects to import our different
verifier
plugins. Also this commit changes the API ofverifier
crate fromto
The reason is that
Attestation
struct is defined in KBS protocol that also includes thetee-pubkey
, but a user of averifier
crate will expect a direct API to verify the evidence without extra information.But the logic inside
attestation-service
crate will still do the same thing as before, s.t. the underlying change ofverifier
crate will not influence the behavior of CoCo-AS. I plan to update the CoCo-AS API in later PRs.rvps
as a separate crateThis is because CoCo-AS has two ways to integrate RVPS now:
A separate crate will decrease the size of the compiled binary when choosing to use gRPC remote RVPS. Also, the RVPS is functionally independent from CoCo-AS. A separate crate would do help to maintaince.
Adds
Makefile
s for RVPSRemoved
as-types
crateThis crate is somehow useless and only for the definition of
SetPolicyInput
. We can embed this definition in CoCo-AS because it is not used by other crates. Please see the commit 9e08408 for more details.DO NOT MERGE until @fitzthum and @mkulke approve as they are maintainer for SNP and Azure vTPM SNP verifier.