opensource/cocos
1
0
Fork 0
mirror of https://github.com/ultravioletrs/cocos.git synced 2026-06-23 04:10:25 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

COCOS-395 - Cloud Provider Firmware Integration (#415)

Browse Source 
* add CC platform identification capability

* add token verification

* add snp azure

* add azure snp report verification

* fix linter errors

* fix agent tests

* expand the CC provider

* fix azure atls

* rebase branch

* add nonce check for azure token

* rename package attestations

* remove alias attestations

---------

Co-authored-by: Ubuntu <azureuser@UVCTestCVM.bu0p0zdolasezg1jifpyqhaxuc.dx.internal.cloudapp.net>
This commit is contained in:
Danko Miladinovic
2025-05-19 16:42:39 +02:00
committed by GitHub
parent 5c60bc2a48
commit 3102114ff3
48 changed files with 1402 additions and 1996 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/main.yaml
+1 -1
View File
@@ -36,7 +36,7 @@ jobs:
mkdir coverage
- name: Run Agent tests
run: go test --tags embed -v --race -covermode=atomic -coverprofile coverage/agent.out ./agent/...
run: go test -v --race -covermode=atomic -coverprofile coverage/agent.out ./agent/...
- name: Run cli tests
run: go test -v --race -covermode=atomic -coverprofile coverage/cli.out ./cli/...
agent/api/grpc/endpoint.go
+2 -2
View File
@@ -7,7 +7,7 @@ import (
"github.com/go-kit/kit/endpoint"
"github.com/ultravioletrs/cocos/agent"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
)
func algoEndpoint(svc agent.Service) endpoint.Endpoint {
@@ -71,7 +71,7 @@ func attestationEndpoint(svc agent.Service) endpoint.Endpoint {
if err := req.validate(); err != nil {
return attestationRes{}, err
}
file, err := svc.Attestation(ctx, req.TeeNonce, req.VtpmNonce, config.AttestationType(req.AttType))
file, err := svc.Attestation(ctx, req.TeeNonce, req.VtpmNonce, attestation.PlatformType(req.AttType))
if err != nil {
return attestationRes{}, err
}
agent/api/grpc/endpoint_test.go
+3 -3
View File
@@ -9,7 +9,7 @@ import (
"github.com/ultravioletrs/cocos/agent"
"github.com/ultravioletrs/cocos/agent/mocks"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"golang.org/x/crypto/sha3"
)
@@ -142,11 +142,11 @@ func TestAttestationEndpoint(t *testing.T) {
}{
{
name: "Success",
req: attestationReq{TeeNonce: sha3.Sum512([]byte("report data")), VtpmNonce: sha3.Sum256([]byte("vtpm nonce")), AttType: config.SNP},
req: attestationReq{TeeNonce: sha3.Sum512([]byte("report data")), VtpmNonce: sha3.Sum256([]byte("vtpm nonce")), AttType: attestation.SNP},
},
{
name: "Service Error",
req: attestationReq{TeeNonce: sha3.Sum512([]byte("report data")), VtpmNonce: sha3.Sum256([]byte("vtpm nonce")), AttType: config.SNP},
req: attestationReq{TeeNonce: sha3.Sum512([]byte("report data")), VtpmNonce: sha3.Sum256([]byte("vtpm nonce")), AttType: attestation.SNP},
expectedErr: true,
},
}
agent/api/grpc/requests.go
+3 -3
View File
@@ -5,7 +5,7 @@ package grpc
import (
"errors"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider"
"github.com/ultravioletrs/cocos/pkg/attestation/vtpm"
)
@@ -44,12 +44,12 @@ func (req resultReq) validate() error {
type attestationReq struct {
TeeNonce [quoteprovider.Nonce]byte
VtpmNonce [vtpm.Nonce]byte
AttType config.AttestationType
AttType attestation.PlatformType
}
func (req attestationReq) validate() error {
switch req.AttType {
case config.SNP, config.VTPM, config.SNPvTPM:
case attestation.SNP, attestation.VTPM, attestation.SNPvTPM:
return nil
default:
return errors.New("invalid attestation type in attestation request")
agent/api/grpc/server.go
+2 -2
View File
@@ -12,7 +12,7 @@ import (
"github.com/go-kit/kit/transport/grpc"
"github.com/ultravioletrs/cocos/agent"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider"
"github.com/ultravioletrs/cocos/pkg/attestation/vtpm"
"google.golang.org/grpc/codes"
@@ -124,7 +124,7 @@ func decodeAttestationRequest(_ context.Context, grpcReq interface{}) (interface
copy(reportData[:], req.TeeNonce)
copy(nonce[:], req.VtpmNonce)
return attestationReq{TeeNonce: reportData, VtpmNonce: nonce, AttType: config.AttestationType(req.Type)}, nil
return attestationReq{TeeNonce: reportData, VtpmNonce: nonce, AttType: attestation.PlatformType(req.Type)}, nil
}
func encodeAttestationResponse(_ context.Context, response interface{}) (interface{}, error) {
agent/api/grpc/server_test.go
+2 -2
View File
@@ -11,7 +11,7 @@ import (
"github.com/stretchr/testify/mock"
"github.com/ultravioletrs/cocos/agent"
"github.com/ultravioletrs/cocos/agent/mocks"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider"
"github.com/ultravioletrs/cocos/pkg/attestation/vtpm"
"google.golang.org/grpc"
@@ -156,7 +156,7 @@ func TestAttestation(t *testing.T) {
reportData := [quoteprovider.Nonce]byte{}
vtpmNonce := [vtpm.Nonce]byte{}
attestationType := config.SNP
attestationType := attestation.SNP
mockService.On("Attestation", mock.Anything, reportData, vtpmNonce, attestationType).Return([]byte("attestation data"), nil)
err := server.Attestation(&agent.AttestationRequest{TeeNonce: reportData[:]}, mockStream)
agent/api/logging.go
+2 -2
View File
@@ -13,7 +13,7 @@ import (
"time"
"github.com/ultravioletrs/cocos/agent"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider"
"github.com/ultravioletrs/cocos/pkg/attestation/vtpm"
)
@@ -106,7 +106,7 @@ func (lm *loggingMiddleware) Result(ctx context.Context) (response []byte, err e
return lm.svc.Result(ctx)
}
func (lm *loggingMiddleware) Attestation(ctx context.Context, reportData [quoteprovider.Nonce]byte, nonce [vtpm.Nonce]byte, attType config.AttestationType) (response []byte, err error) {
func (lm *loggingMiddleware) Attestation(ctx context.Context, reportData [quoteprovider.Nonce]byte, nonce [vtpm.Nonce]byte, attType attestation.PlatformType) (response []byte, err error) {
defer func(begin time.Time) {
message := fmt.Sprintf("Method Attestation took %s to complete", time.Since(begin))
if err != nil {
agent/api/metrics.go
+2 -2
View File
@@ -12,7 +12,7 @@ import (
"github.com/go-kit/kit/metrics"
"github.com/ultravioletrs/cocos/agent"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider"
"github.com/ultravioletrs/cocos/pkg/attestation/vtpm"
)
@@ -92,7 +92,7 @@ func (ms *metricsMiddleware) Result(ctx context.Context) ([]byte, error) {
return ms.svc.Result(ctx)
}
func (ms *metricsMiddleware) Attestation(ctx context.Context, reportData [quoteprovider.Nonce]byte, nonce [vtpm.Nonce]byte, attType config.AttestationType) ([]byte, error) {
func (ms *metricsMiddleware) Attestation(ctx context.Context, reportData [quoteprovider.Nonce]byte, nonce [vtpm.Nonce]byte, attType attestation.PlatformType) ([]byte, error) {
defer func(begin time.Time) {
ms.counter.With("method", "attestation").Add(1)
ms.latency.With("method", "attestation").Observe(time.Since(begin).Seconds())
agent/cvms/server/cvm.go
+2 -5
View File
@@ -8,7 +8,6 @@ import (
"fmt"
"log/slog"
"github.com/google/go-sev-guest/client"
"github.com/ultravioletrs/cocos/agent"
agentgrpc "github.com/ultravioletrs/cocos/agent/api/grpc"
"github.com/ultravioletrs/cocos/agent/auth"
@@ -33,17 +32,15 @@ type agentServer struct {
logger *slog.Logger
svc agent.Service
host string
qp client.LeveledQuoteProvider
caUrl string
cvmId string
}
func NewServer(logger *slog.Logger, svc agent.Service, host string, qp client.LeveledQuoteProvider, caUrl string, cvmId string) AgentServer {
func NewServer(logger *slog.Logger, svc agent.Service, host string, caUrl string, cvmId string) AgentServer {
return &agentServer{
logger: logger,
svc: svc,
host: host,
qp: qp,
caUrl: caUrl,
cvmId: cvmId,
}
@@ -81,7 +78,7 @@ func (as *agentServer) Start(cfg agent.AgentConfig, cmp agent.Computation) error
ctx, cancel := context.WithCancel(context.Background())
as.gs = grpcserver.New(ctx, cancel, svcName, agentGrpcServerConfig, registerAgentServiceServer, as.logger, as.qp, authSvc, as.caUrl, as.cvmId)
as.gs = grpcserver.New(ctx, cancel, svcName, agentGrpcServerConfig, registerAgentServiceServer, as.logger, authSvc, as.caUrl, as.cvmId)
go func() {
err := as.gs.Start()
agent/mocks/agent.go
+9 -9
View File
@@ -7,7 +7,7 @@ package mocks
import (
agent "github.com/ultravioletrs/cocos/agent"
config "github.com/ultravioletrs/cocos/pkg/attestation"
attestation "github.com/ultravioletrs/cocos/pkg/attestation"
context "context"
@@ -75,7 +75,7 @@ func (_c *Service_Algo_Call) RunAndReturn(run func(context.Context, agent.Algori
}
// Attestation provides a mock function with given fields: ctx, reportData, nonce, attType
func (_m *Service) Attestation(ctx context.Context, reportData [64]byte, nonce [32]byte, attType config.AttestationType) ([]byte, error) {
func (_m *Service) Attestation(ctx context.Context, reportData [64]byte, nonce [32]byte, attType attestation.PlatformType) ([]byte, error) {
ret := _m.Called(ctx, reportData, nonce, attType)
if len(ret) == 0 {
@@ -84,10 +84,10 @@ func (_m *Service) Attestation(ctx context.Context, reportData [64]byte, nonce [
var r0 []byte
var r1 error
if rf, ok := ret.Get(0).(func(context.Context, [64]byte, [32]byte, config.AttestationType) ([]byte, error)); ok {
if rf, ok := ret.Get(0).(func(context.Context, [64]byte, [32]byte, attestation.PlatformType) ([]byte, error)); ok {
return rf(ctx, reportData, nonce, attType)
}
if rf, ok := ret.Get(0).(func(context.Context, [64]byte, [32]byte, config.AttestationType) []byte); ok {
if rf, ok := ret.Get(0).(func(context.Context, [64]byte, [32]byte, attestation.PlatformType) []byte); ok {
r0 = rf(ctx, reportData, nonce, attType)
} else {
if ret.Get(0) != nil {
@@ -95,7 +95,7 @@ func (_m *Service) Attestation(ctx context.Context, reportData [64]byte, nonce [
}
}
if rf, ok := ret.Get(1).(func(context.Context, [64]byte, [32]byte, config.AttestationType) error); ok {
if rf, ok := ret.Get(1).(func(context.Context, [64]byte, [32]byte, attestation.PlatformType) error); ok {
r1 = rf(ctx, reportData, nonce, attType)
} else {
r1 = ret.Error(1)
@@ -113,14 +113,14 @@ type Service_Attestation_Call struct {
// - ctx context.Context
// - reportData [64]byte
// - nonce [32]byte
// - attType config.AttestationType
// - attType attestation.PlatformType
func (_e *Service_Expecter) Attestation(ctx interface{}, reportData interface{}, nonce interface{}, attType interface{}) *Service_Attestation_Call {
return &Service_Attestation_Call{Call: _e.mock.On("Attestation", ctx, reportData, nonce, attType)}
}
func (_c *Service_Attestation_Call) Run(run func(ctx context.Context, reportData [64]byte, nonce [32]byte, attType config.AttestationType)) *Service_Attestation_Call {
func (_c *Service_Attestation_Call) Run(run func(ctx context.Context, reportData [64]byte, nonce [32]byte, attType attestation.PlatformType)) *Service_Attestation_Call {
_c.Call.Run(func(args mock.Arguments) {
run(args[0].(context.Context), args[1].([64]byte), args[2].([32]byte), args[3].(config.AttestationType))
run(args[0].(context.Context), args[1].([64]byte), args[2].([32]byte), args[3].(attestation.PlatformType))
})
return _c
}
@@ -130,7 +130,7 @@ func (_c *Service_Attestation_Call) Return(_a0 []byte, _a1 error) *Service_Attes
return _c
}
func (_c *Service_Attestation_Call) RunAndReturn(run func(context.Context, [64]byte, [32]byte, config.AttestationType) ([]byte, error)) *Service_Attestation_Call {
func (_c *Service_Attestation_Call) RunAndReturn(run func(context.Context, [64]byte, [32]byte, attestation.PlatformType) ([]byte, error)) *Service_Attestation_Call {
_c.Call.Return(run)
return _c
}
agent/service.go
+33 -34
View File
@@ -6,7 +6,6 @@ package agent
import (
"context"
"encoding/json"
"errors"
"fmt"
"log/slog"
"os"
@@ -14,7 +13,7 @@ import (
"slices"
sync "sync"
"github.com/google/go-sev-guest/client"
"github.com/absmach/magistrala/pkg/errors"
"github.com/ultravioletrs/cocos/agent/algorithm"
"github.com/ultravioletrs/cocos/agent/algorithm/binary"
"github.com/ultravioletrs/cocos/agent/algorithm/docker"
@@ -23,7 +22,7 @@ import (
"github.com/ultravioletrs/cocos/agent/events"
"github.com/ultravioletrs/cocos/agent/statemachine"
"github.com/ultravioletrs/cocos/internal"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider"
"github.com/ultravioletrs/cocos/pkg/attestation/vtpm"
"golang.org/x/crypto/sha3"
@@ -105,6 +104,8 @@ var (
ErrAllResultsConsumed = errors.New("all results have been consumed by declared consumers")
// ErrAttestationFailed attestation failed.
ErrAttestationFailed = errors.New("failed to get raw quote")
// ErrAttestationVTpmFailed vTPM attestation failed.
ErrAttestationVTpmFailed = errors.New("failed to get vTPM quote")
// ErrAttType indicates that the attestation type that is requested does not exist or is not supported.
ErrAttestationType = errors.New("attestation type does not exist or is not supported")
)
@@ -117,41 +118,39 @@ type Service interface {
Algo(ctx context.Context, algorithm Algorithm) error
Data(ctx context.Context, dataset Dataset) error
Result(ctx context.Context) ([]byte, error)
Attestation(ctx context.Context, reportData [quoteprovider.Nonce]byte, nonce [vtpm.Nonce]byte, attType config.AttestationType) ([]byte, error)
Attestation(ctx context.Context, reportData [quoteprovider.Nonce]byte, nonce [vtpm.Nonce]byte, attType attestation.PlatformType) ([]byte, error)
IMAMeasurements(ctx context.Context) ([]byte, []byte, error)
State() string
}
type agentService struct {
mu sync.Mutex
computation Computation // Holds the current computation request details.
algorithm algorithm.Algorithm // Filepath to the algorithm received for the computation.
result []byte // Stores the result of the computation.
sm statemachine.StateMachine // Manages the state transitions of the agent service.
runError error // Stores any error encountered during the computation run.
eventSvc events.Service // Service for publishing events related to computation.
quoteProvider client.LeveledQuoteProvider // Provider for generating attestation quotes.
logger *slog.Logger // Logger for the agent service.
resultsConsumed bool // Indicates if the results have been consumed.
cancel context.CancelFunc // Cancels the computation context.
vmpl int // VMPL at which the Agent is running.
vtpmAttest vtpm.VtpmAttest // Attestation function.
computation Computation // Holds the current computation request details.
algorithm algorithm.Algorithm // Filepath to the algorithm received for the computation.
result []byte // Stores the result of the computation.
sm statemachine.StateMachine // Manages the state transitions of the agent service.
runError error // Stores any error encountered during the computation run.
eventSvc events.Service // Service for publishing events related to computation.
provider attestation.Provider // Provider for generating attestation quotes.
logger *slog.Logger // Logger for the agent service.
resultsConsumed bool // Indicates if the results have been consumed.
cancel context.CancelFunc // Cancels the computation context.
vmpl int // VMPL at which the Agent is running.
}
var _ Service = (*agentService)(nil)
// New instantiates the agent service implementation.
func New(ctx context.Context, logger *slog.Logger, eventSvc events.Service, quoteProvider client.LeveledQuoteProvider, vmlp int, vtpmAttest vtpm.VtpmAttest) Service {
func New(ctx context.Context, logger *slog.Logger, eventSvc events.Service, provider attestation.Provider, vmlp int) Service {
sm := statemachine.NewStateMachine(Idle)
ctx, cancel := context.WithCancel(ctx)
svc := &agentService{
sm: sm,
eventSvc: eventSvc,
quoteProvider: quoteProvider,
logger: logger,
cancel: cancel,
vmpl: vmlp,
vtpmAttest: vtpmAttest,
sm: sm,
eventSvc: eventSvc,
provider: provider,
logger: logger,
cancel: cancel,
vmpl: vmlp,
}
transitions := []statemachine.Transition{
@@ -423,24 +422,24 @@ func (as *agentService) Result(ctx context.Context) ([]byte, error) {
return as.result, as.runError
}
func (as *agentService) Attestation(ctx context.Context, reportData [quoteprovider.Nonce]byte, nonce [vtpm.Nonce]byte, attType config.AttestationType) ([]byte, error) {
func (as *agentService) Attestation(ctx context.Context, reportData [quoteprovider.Nonce]byte, nonce [vtpm.Nonce]byte, attType attestation.PlatformType) ([]byte, error) {
switch attType {
case config.SNP:
rawQuote, err := as.quoteProvider.GetRawQuoteAtLevel(reportData, uint(as.vmpl))
case attestation.SNP:
rawQuote, err := as.provider.TeeAttestation(reportData[:])
if err != nil {
return []byte{}, err
return []byte{}, errors.Wrap(ErrAttestationFailed, err)
}
return rawQuote, nil
case config.VTPM:
vTPMQuote, err := as.vtpmAttest(reportData[:], nonce[:], false)
case attestation.VTPM:
vTPMQuote, err := as.provider.VTpmAttestation(nonce[:])
if err != nil {
return []byte{}, err
return []byte{}, errors.Wrap(ErrAttestationVTpmFailed, err)
}
return vTPMQuote, nil
case config.SNPvTPM:
vTPMQuote, err := as.vtpmAttest(reportData[:], nonce[:], true)
case attestation.SNPvTPM:
vTPMQuote, err := as.provider.Attestation(reportData[:], nonce[:])
if err != nil {
return []byte{}, err
return []byte{}, errors.Wrap(ErrAttestationVTpmFailed, err)
}
return vTPMQuote, nil
default:
agent/service_test.go
+50 -23
View File
@@ -20,8 +20,9 @@ import (
"github.com/ultravioletrs/cocos/agent/events/mocks"
"github.com/ultravioletrs/cocos/agent/statemachine"
smmocks "github.com/ultravioletrs/cocos/agent/statemachine/mocks"
"github.com/ultravioletrs/cocos/pkg/attestation"
mocks2 "github.com/ultravioletrs/cocos/pkg/attestation/mocks"
"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider"
mocks2 "github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider/mocks"
"github.com/ultravioletrs/cocos/pkg/attestation/vtpm"
"golang.org/x/crypto/sha3"
"google.golang.org/grpc/metadata"
@@ -36,9 +37,6 @@ var (
const datasetFile = "iris.csv"
func TestAlgo(t *testing.T) {
qp, err := quoteprovider.GetLeveledQuoteProvider()
require.NoError(t, err)
algo, err := os.ReadFile(algoPath)
require.NoError(t, err)
@@ -121,7 +119,7 @@ func TestAlgo(t *testing.T) {
ctx, cancel := context.WithCancel(ctx)
defer cancel()
svc := New(ctx, mglog.NewMock(), events, qp, 0, vtpm.EmptyAttest)
svc := New(ctx, mglog.NewMock(), events, &attestation.EmptyProvider{}, 0)
err := svc.InitComputation(ctx, testComputation(t))
require.NoError(t, err)
@@ -140,9 +138,6 @@ func TestAlgo(t *testing.T) {
}
func TestData(t *testing.T) {
qp, err := quoteprovider.GetLeveledQuoteProvider()
require.NoError(t, err)
algo, err := os.ReadFile(algoPath)
require.NoError(t, err)
@@ -216,7 +211,7 @@ func TestData(t *testing.T) {
ctx, cancel := context.WithCancel(ctx)
defer cancel()
svc := New(ctx, mglog.NewMock(), events, qp, 0, vtpm.EmptyAttest)
svc := New(ctx, mglog.NewMock(), events, &attestation.EmptyProvider{}, 0)
err := svc.InitComputation(ctx, testComputation(t))
require.NoError(t, err)
@@ -241,9 +236,6 @@ func TestData(t *testing.T) {
}
func TestResult(t *testing.T) {
qp, err := quoteprovider.GetLeveledQuoteProvider()
require.NoError(t, err)
cases := []struct {
name string
err error
@@ -301,10 +293,10 @@ func TestResult(t *testing.T) {
sm.On("SendEvent", mock.Anything).Return()
svc := &agentService{
sm: sm,
eventSvc: events,
quoteProvider: qp,
computation: testComputation(t),
sm: sm,
eventSvc: events,
provider: &attestation.EmptyProvider{},
computation: testComputation(t),
}
go func() {
@@ -324,29 +316,64 @@ func TestResult(t *testing.T) {
}
func TestAttestation(t *testing.T) {
qp := new(mocks2.LeveledQuoteProvider)
provider := new(mocks2.Provider)
cases := []struct {
name string
reportData [quoteprovider.Nonce]byte
nonce [vtpm.Nonce]byte
rawQuote []uint8
platform attestation.PlatformType
err error
}{
{
name: "Test attestation successful",
name: "Test SNP attestation successful",
reportData: generateReportData(),
nonce: [32]byte{},
rawQuote: make([]uint8, 0),
platform: attestation.SNP,
err: nil,
},
{
name: "Test attestation failed",
name: "Test SNP attestation failed",
reportData: generateReportData(),
nonce: [32]byte{},
rawQuote: nil,
platform: attestation.SNP,
err: ErrAttestationFailed,
},
{
name: "Test vTPM attestation successful",
reportData: generateReportData(),
nonce: [32]byte{},
rawQuote: make([]uint8, 0),
platform: attestation.VTPM,
err: nil,
},
{
name: "Test vTPM attestation failed",
reportData: generateReportData(),
nonce: [32]byte{},
rawQuote: nil,
platform: attestation.VTPM,
err: ErrAttestationVTpmFailed,
},
{
name: "Test SNP-vTPM attestation successful",
reportData: generateReportData(),
nonce: [32]byte{},
rawQuote: make([]uint8, 0),
platform: attestation.SNPvTPM,
err: nil,
},
{
name: "Test SNP-vTPM attestation failed",
reportData: generateReportData(),
nonce: [32]byte{},
rawQuote: nil,
platform: attestation.SNPvTPM,
err: ErrAttestationVTpmFailed,
},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
@@ -359,13 +386,13 @@ func TestAttestation(t *testing.T) {
ctx, cancel := context.WithCancel(ctx)
defer cancel()
getQuote := qp.On("GetRawQuoteAtLevel", mock.Anything, mock.Anything).Return(tc.rawQuote, tc.err)
if tc.err != ErrAttestationFailed {
getQuote = qp.On("GetRawQuoteAtLevel", mock.Anything, mock.Anything).Return(tc.nonce, nil)
getQuote := provider.On("TeeAttestation", mock.Anything).Return(tc.rawQuote, tc.err)
if tc.err != ErrAttestationFailed && tc.err != ErrAttestationVTpmFailed {
getQuote = provider.On("TeeAttestation", mock.Anything).Return(tc.nonce, nil)
}
defer getQuote.Unset()
svc := New(ctx, mglog.NewMock(), events, qp, 0, vtpm.EmptyAttest)
svc := New(ctx, mglog.NewMock(), events, provider, 0)
time.Sleep(300 * time.Millisecond)
_, err := svc.Attestation(ctx, tc.reportData, tc.nonce, 0)
assert.True(t, errors.Contains(err, tc.err), "expected %v, got %v", tc.err, err)
attestation.go
-3
View File
@@ -1,9 +1,6 @@
// Copyright (c) Ultraviolet
// SPDX-License-Identifier: Apache-2.0
//go:build embed
// +build embed
package cocosai
import _ "embed"
cli/attestation.go
+93 -107
View File
@@ -3,7 +3,6 @@
package cli
import (
"crypto"
"encoding/hex"
"encoding/json"
"fmt"
@@ -20,11 +19,10 @@ import (
"github.com/google/go-sev-guest/proto/sevsnp"
"github.com/google/go-sev-guest/tools/lib/report"
tpmAttest "github.com/google/go-tpm-tools/proto/attest"
"github.com/google/go-tpm-tools/server"
"github.com/google/go-tpm/legacy/tpm2"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/azure"
"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider"
"github.com/ultravioletrs/cocos/pkg/attestation/vtpm"
"google.golang.org/protobuf/encoding/protojson"
@@ -112,6 +110,9 @@ const (
SNP = "snp"
VTPM = "vtpm"
SNPvTPM = "snp-vtpm"
CCNone = "none"
CCAzure = "azure"
CCGCP = "gcp"
)
var (
@@ -128,7 +129,7 @@ var (
trustedIdKeyHashes []string
attestationFile string
tpmAttestationFile string
attestation []byte
attestationRaw []byte
empty16 = [size16]byte{}
empty32 = [size32]byte{}
empty64 = [size64]byte{}
@@ -140,16 +141,11 @@ var (
format string
teeNonce []byte
getTextProtoAttestation bool
cloud string
)
var errEmptyFile = errors.New("input file is empty")
var marshalOptions = prototext.MarshalOptions{
Multiline: true,
EmitASCII: true,
}
var unmarshalOptions = prototext.UnmarshalOptions{}
func (cli *CLI) NewAttestationCmd() *cobra.Command {
return &cobra.Command{
Use: "attestation [command]",
@@ -203,32 +199,32 @@ func (cli *CLI) NewGetAttestationCmd() *cobra.Command {
attestationType := args[0]
attType := config.SNP
attType := attestation.SNP
switch attestationType {
case SNP:
cmd.Println("Fetching SEV-SNP attestation report")
case VTPM:
cmd.Println("Fetching vTPM report")
attType = config.VTPM
attType = attestation.VTPM
case SNPvTPM:
cmd.Println("Fetching SEV-SNP and vTPM report")
attType = config.SNPvTPM
attType = attestation.SNPvTPM
}
if (attType == config.VTPM || attType == config.SNPvTPM) && len(nonce) == 0 {
if (attType == attestation.VTPM || attType == attestation.SNPvTPM) && len(nonce) == 0 {
msg := color.New(color.FgRed).Sprint("vTPM nonce must be defined for vTPM attestation ❌ ")
cmd.Println(msg)
return
}
if (attType == config.SNP || attType == config.SNPvTPM) && len(teeNonce) == 0 {
if (attType == attestation.SNP || attType == attestation.SNPvTPM) && len(teeNonce) == 0 {
msg := color.New(color.FgRed).Sprint("TEE nonce must be defined for SEV-SNP attestation ❌ ")
cmd.Println(msg)
return
}
var fixedReportData [quoteprovider.Nonce]byte
if attType != config.VTPM {
if attType != attestation.VTPM {
if len(teeNonce) > quoteprovider.Nonce {
msg := color.New(color.FgRed).Sprintf("nonce must be a hex encoded string of length lesser or equal %d bytes ❌ ", quoteprovider.Nonce)
cmd.Println(msg)
@@ -239,7 +235,7 @@ func (cli *CLI) NewGetAttestationCmd() *cobra.Command {
}
var fixedVtpmNonceByte [vtpm.Nonce]byte
if attType != config.SNP {
if attType != attestation.SNP {
if len(nonce) > vtpm.Nonce {
msg := color.New(color.FgRed).Sprintf("vTPM nonce must be a hex encoded string of length lesser or equal %d bytes ❌ ", vtpm.Nonce)
cmd.Println(msg)
@@ -344,13 +340,15 @@ func isFileJSON(filename string) bool {
func (cli *CLI) NewValidateAttestationValidationCmd() *cobra.Command {
cmd := &cobra.Command{
Use: "validate",
Short: "Validate and verify attestation information. You can choose from 3 modes: snp,vtpm and snp-vtpm.Default mode is snp.",
Short: fmt.Sprintf("Validate and verify attestation information. You can define the confidential computing cloud provider (%s, %s, %s; %s is the default) and can choose from 3 modes: %s, %s and %s. Default mode is %s.", CCNone, CCAzure, CCGCP, CCNone, SNP, VTPM, SNPvTPM, SNP),
Example: `Based on mode:
validate <attestationreportfilepath> --report_data <reportdata> --product <product data> //default
validate <attestationreportfilepath> --report_data <reportdata> --product <product data> --platform <cc platform> //default
validate --mode snp <attestationreportfilepath> --report_data <reportdata> --product <product data>
validate --mode vtpm <attestationreportfilepath> --nonce <noncevalue> --format <formatvalue> --output <outputvalue>
validate --mode snp-vtpm <attestationreportfilepath> --report_data <reportdata> --product <product data> --nonce <noncevalue> --format <formatvalue> --output <outputvalue>`,
validate --mode snp-vtpm <attestationreportfilepath> --report_data <reportdata> --product <product data> --nonce <noncevalue> --format <formatvalue> --output <outputvalue>
validate --cloud none --mode snp <attestationreportfilepath> --report_data <reportdata> --product <product data>
validate --cloud azure --mode vtpm <attestationreportfilepath> --nonce <noncevalue> --format <formatvalue> --output <outputvalue>
validate --cloud gcp --mode snp-vtpm <attestationreportfilepath> --report_data <reportdata> --product <product data> --nonce <noncevalue> --format <formatvalue> --output <outputvalue>`,
PreRunE: func(cmd *cobra.Command, args []string) error {
mode, _ := cmd.Flags().GetString("mode")
if len(args) != 1 {
@@ -359,38 +357,38 @@ func (cli *CLI) NewValidateAttestationValidationCmd() *cobra.Command {
// Validate flags based on the mode
switch mode {
case "snp":
case SNP:
if err := cmd.MarkFlagRequired("report_data"); err != nil {
return fmt.Errorf("failed to mark 'report_data' as required for SEV-SNP mode: %v", err)
return fmt.Errorf("failed to mark 'report_data' as required for SEV-%s mode: %v", SNP, err)
}
if err := cmd.MarkFlagRequired("product"); err != nil {
return fmt.Errorf("failed to mark flag as required: %v ❌ ", err)
}
case "snp-vtpm":
case SNPvTPM:
if err := cmd.MarkFlagRequired("nonce"); err != nil {
return fmt.Errorf("failed to mark 'nonce' as required for vTPM mode: %v", err)
return fmt.Errorf("failed to mark 'nonce' as required for %s mode: %v", VTPM, err)
}
if err := cmd.MarkFlagRequired("report_data"); err != nil {
return fmt.Errorf("failed to mark 'report_data' as required for SEV-SNP mode: %v", err)
return fmt.Errorf("failed to mark 'report_data' as required for SEV-%s mode: %v", SNP, err)
}
if err := cmd.MarkFlagRequired("product"); err != nil {
return fmt.Errorf("failed to mark flag as required: %v ❌ ", err)
}
if err := cmd.MarkFlagRequired("format"); err != nil {
return fmt.Errorf("failed to mark 'format' as required for vTPM mode: %v", err)
return fmt.Errorf("failed to mark 'format' as required for %s mode: %v", VTPM, err)
}
if err := cmd.MarkFlagRequired("output"); err != nil {
return fmt.Errorf("failed to mark 'output' as required for vTPM mode: %v", err)
return fmt.Errorf("failed to mark 'output' as required for %s mode: %v", VTPM, err)
}
case "vtpm":
case VTPM:
if err := cmd.MarkFlagRequired("nonce"); err != nil {
return fmt.Errorf("failed to mark 'nonce' as required for vTPM mode: %v", err)
return fmt.Errorf("failed to mark 'nonce' as required for %s mode: %v", VTPM, err)
}
if err := cmd.MarkFlagRequired("format"); err != nil {
return fmt.Errorf("failed to mark 'format' as required for vTPM mode: %v", err)
return fmt.Errorf("failed to mark 'format' as required for %s mode: %v", VTPM, err)
}
if err := cmd.MarkFlagRequired("output"); err != nil {
return fmt.Errorf("failed to mark 'output' as required for vTPM mode: %v", err)
return fmt.Errorf("failed to mark 'output' as required for %s mode: %v", VTPM, err)
}
default:
return fmt.Errorf("unknown mode: %s", mode)
@@ -399,13 +397,35 @@ func (cli *CLI) NewValidateAttestationValidationCmd() *cobra.Command {
},
RunE: func(cmd *cobra.Command, args []string) error {
mode, _ := cmd.Flags().GetString("mode")
cloud, _ := cmd.Flags().GetString("cloud")
output, err := createOutputFile()
if err != nil {
return fmt.Errorf("failed to create output file: %v ❌ ", err)
}
if closer, ok := output.(*os.File); ok {
defer closer.Close()
}
var provider attestation.Provider
switch cloud {
case CCNone:
provider = vtpm.New(nil, false, 0, output)
case CCAzure:
provider = azure.New(output)
case CCGCP:
provider = vtpm.New(nil, false, 0, output)
default:
provider = vtpm.New(nil, false, 0, output)
}
switch mode {
case "snp":
return sevsnpverify(cmd, args)
case "snp-vtpm":
return vtpmSevSnpverify(args)
case "vtpm":
return vtpmverify(args)
case SNP:
return sevsnpverify(cmd, provider, args)
case SNPvTPM:
return vtpmSevSnpverify(args, provider)
case VTPM:
return vtpmverify(args, provider)
default:
return fmt.Errorf("unknown mode: %s", mode)
}
@@ -413,11 +433,18 @@ func (cli *CLI) NewValidateAttestationValidationCmd() *cobra.Command {
SilenceUsage: true,
SilenceErrors: true,
}
cmd.Flags().StringVar(
&cloud,
"cloud",
"none", // default CC provider
"The confidential computing cloud provider. Example: azure",
)
cmd.Flags().StringVar(
&mode,
"mode",
"snp", // default mode
"The attestation validation mode. Example: sevsnp",
"The attestation validation mode. Example: snp",
)
// VTPM FLAGS
@@ -659,7 +686,7 @@ func (cli *CLI) NewMeasureCmd(igvmBinaryPath string) *cobra.Command {
return igvmmeasureCmd
}
func sevsnpverify(cmd *cobra.Command, args []string) error {
func sevsnpverify(cmd *cobra.Command, provider attestation.Provider, args []string) error {
cmd.Println("Checking attestation")
attestationFile = string(args[0])
@@ -669,20 +696,18 @@ func sevsnpverify(cmd *cobra.Command, args []string) error {
// This format is the attestation report in AMD's specified ABI format, immediately
// followed by the certificate table bytes.
if len(attestation) < abi.ReportSize {
return fmt.Errorf("attestation too small: got 0x%x bytes, need at least 0x%x bytes", len(attestation), abi.ReportSize)
if len(attestationRaw) < abi.ReportSize {
return fmt.Errorf("attestation too small: got 0x%x bytes, need at least 0x%x bytes", len(attestationRaw), abi.ReportSize)
}
if err := parseAttestationConfig(); err != nil {
return err
}
attestationPB, err := abi.ReportCertsToProto(attestation)
if err != nil {
return fmt.Errorf("failed to convert attestation bytes to struct %v ❌ ", err)
}
// Used for verification of SNP attestation report
attestation.AttestationPolicy.Config = &cfg
if err := quoteprovider.VerifyAndValidate(attestationPB, &cfg); err != nil {
if err := provider.VerifTeeAttestation(attestationRaw, cfg.Policy.ReportData); err != nil {
return fmt.Errorf("attestation validation and verification failed with error: %v ❌ ", err)
}
@@ -712,85 +737,40 @@ func parseAttestationConfig() error {
return nil
}
func vtpmSevSnpverify(args []string) error {
attestation, err := returnvTPMAttestation(args)
func vtpmSevSnpverify(args []string, provider attestation.Provider) error {
attest, err := returnvTPMAttestation(args)
if err != nil {
return err
}
var teeAttestation *sevsnp.Attestation
switch attestation.GetTeeAttestation().(type) {
case *tpmAttest.Attestation_SevSnpAttestation:
teeAttestation = attestation.GetSevSnpAttestation()
default:
teeAttestation = nil
}
if teeAttestation == nil {
return fmt.Errorf("tee attestation not fetched")
}
if err := parseAttestationConfig(); err != nil {
return err
}
if err := quoteprovider.VerifyAndValidate(teeAttestation, &cfg); err != nil {
return fmt.Errorf("attestation validation and verification failed with error: %v ❌ ", err)
}
// Used for verification of SNP attestation report
attestation.AttestationPolicy.Config = &cfg
if err := verifyvTPM(attestation); err != nil {
return err
if err := provider.VerifyAttestation(attest, cfg.Policy.ReportData, nonce); err != nil {
return fmt.Errorf("attestation validation and verification failed with error: %v ❌ ", err)
}
return nil
}
func vtpmverify(args []string) error {
func vtpmverify(args []string, provider attestation.Provider) error {
attestation, err := returnvTPMAttestation(args)
if err != nil {
return err
}
if err := verifyvTPM(attestation); err != nil {
return err
if err := provider.VerifVTpmAttestation(attestation, nonce); err != nil {
return fmt.Errorf("attestation validation and verification failed with error: %v ❌ ", err)
}
return nil
}
func verifyvTPM(attestation *tpmAttest.Attestation) error {
pub, err := tpm2.DecodePublic(attestation.GetAkPub())
if err != nil {
return err
}
cryptoPub, err := pub.Key()
if err != nil {
return err
}
ms, err := server.VerifyAttestation(attestation, server.VerifyOpts{Nonce: nonce, TrustedAKs: []crypto.PublicKey{cryptoPub}, TEEOpts: nil})
if err != nil {
return nil
}
out, err := marshalOptions.Marshal(ms)
if err != nil {
return nil
}
output, err := createOutputFile()
if err != nil {
return err
}
if closer, ok := output.(*os.File); ok {
defer closer.Close()
}
if _, err := output.Write(out); err != nil {
return fmt.Errorf("failed to write verified attestation report: %v", err)
}
return nil
}
func returnvTPMAttestation(args []string) (*tpmAttest.Attestation, error) {
func returnvTPMAttestation(args []string) ([]byte, error) {
tpmAttestationFile = string(args[0])
input, err := openInputFile()
if err != nil {
@@ -806,8 +786,9 @@ func returnvTPMAttestation(args []string) (*tpmAttest.Attestation, error) {
attestation := &tpmAttest.Attestation{}
if format == FormatBinaryPB {
err = proto.Unmarshal(attestationBytes, attestation)
return attestationBytes, nil
} else if format == FormatTextProto {
unmarshalOptions := prototext.UnmarshalOptions{}
err = unmarshalOptions.Unmarshal(attestationBytes, attestation)
} else {
return nil, fmt.Errorf("format should be either binarypb or textproto")
@@ -816,7 +797,12 @@ func returnvTPMAttestation(args []string) (*tpmAttest.Attestation, error) {
return nil, fmt.Errorf("fail to unmarshal attestation report: %v", err)
}
return attestation, nil
attestationBytes, err = proto.Marshal(attestation)
if err != nil {
return nil, fmt.Errorf("fail to marshal vTPM attestation report: %v", err)
}
return attestationBytes, nil
}
func openInputFile() (io.Reader, error) {
@@ -926,9 +912,9 @@ func parseAttestationFile() error {
if err != nil {
return err
}
attestation = file
attestationRaw = file
if isFileJSON(attestationFile) {
attestation, err = attesationFromJSON(attestation)
attestationRaw, err = attesationFromJSON(attestationRaw)
if err != nil {
return err
}
cli/attestation_policy.go
+59 -10
View File
@@ -16,7 +16,8 @@ import (
"github.com/google/go-tpm-tools/proto/attest"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/azure"
"github.com/ultravioletrs/cocos/pkg/attestation/gcp"
"google.golang.org/protobuf/proto"
)
@@ -37,13 +38,14 @@ const (
)
var (
errDecode = errors.New("base64 string could not be decoded")
errDataLength = errors.New("data does not have an adequate length")
errReadingAttestationPolicyFile = errors.New("error while reading the attestation policy file")
errUnmarshalJSON = errors.New("failed to unmarshal json")
errMarshalJSON = errors.New("failed to marshal json")
errWriteFile = errors.New("failed to write to file")
errAttestationPolicyField = errors.New("the specified field type does not exist in the attestation policy")
errDecode = errors.New("base64 string could not be decoded")
errDataLength = errors.New("data does not have an adequate length")
errReadingAttestationPolicyFile = errors.New("error while reading the attestation policy file")
errUnmarshalJSON = errors.New("failed to unmarshal json")
errMarshalJSON = errors.New("failed to marshal json")
errWriteFile = errors.New("failed to write to file")
errAttestationPolicyField = errors.New("the specified field type does not exist in the attestation policy")
policy uint64 = 196639
)
func (cli *CLI) NewAttestationPolicyCmd() *cobra.Command {
@@ -226,6 +228,53 @@ func (cli *CLI) NewDownloadGCPOvmfFile() *cobra.Command {
}
}
func (cli *CLI) NewAzureAttestationPolicy() *cobra.Command {
cmd := &cobra.Command{
Use: "azure",
Short: "Get attestation policy for Azure CVM",
Example: `azure <azure_maa_token_file> <token_nonce> <product_name>`,
Args: cobra.ExactArgs(3),
Run: func(cmd *cobra.Command, args []string) {
token, err := os.ReadFile(args[0])
if err != nil {
printError(cmd, "Error reading attestation report file: %v ❌ ", err)
return
}
nonce := []byte(args[1])
product := args[2]
config, err := azure.GenerateAttestationPolicy(string(token), product, policy, nonce)
if err != nil {
printError(cmd, "Error generating attestation policy: %v ❌ ", err)
return
}
attestationPolicyJson, err := json.MarshalIndent(&config, "", " ")
if err != nil {
printError(cmd, "Error marshaling attestation policy: %v ❌ ", err)
return
}
if err := os.WriteFile("attestation_policy.json", attestationPolicyJson, filePermission); err != nil {
printError(cmd, "Error writing attestation policy file: %v ❌ ", err)
return
}
cmd.Println("Attestation policy file generated successfully ✅")
},
}
cmd.Flags().Uint64Var(
&policy,
"policy",
policy,
"Policy of the guest CVM",
)
return cmd
}
func changeAttestationConfiguration(fileName, base64Data string, expectedLength int, field fieldType) error {
data, err := base64.StdEncoding.DecodeString(base64Data)
if err != nil {
@@ -236,14 +285,14 @@ func changeAttestationConfiguration(fileName, base64Data string, expectedLength
return errDataLength
}
ac := config.Config{Config: &check.Config{RootOfTrust: &check.RootOfTrust{}, Policy: &check.Policy{}}, PcrConfig: &config.PcrConfig{}}
ac := attestation.Config{Config: &check.Config{RootOfTrust: &check.RootOfTrust{}, Policy: &check.Policy{}}, PcrConfig: &attestation.PcrConfig{}}
f, err := os.ReadFile(fileName)
if err != nil {
return errors.Wrap(errReadingAttestationPolicyFile, err)
}
if err = config.ReadAttestationPolicyFromByte(f, &ac); err != nil {
if err = attestation.ReadAttestationPolicyFromByte(f, &ac); err != nil {
return errors.Wrap(errUnmarshalJSON, err)
}
cli/attestation_policy_test.go
+4 -4
View File
@@ -11,7 +11,7 @@ import (
"github.com/google/go-sev-guest/proto/check"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
)
func TestChangeAttestationConfiguration(t *testing.T) {
@@ -19,7 +19,7 @@ func TestChangeAttestationConfiguration(t *testing.T) {
require.NoError(t, err)
defer os.Remove(tmpfile.Name())
initialConfig := config.Config{Config: &check.Config{RootOfTrust: &check.RootOfTrust{}, Policy: &check.Policy{}}, PcrConfig: &config.PcrConfig{}}
initialConfig := attestation.Config{Config: &check.Config{RootOfTrust: &check.RootOfTrust{}, Policy: &check.Policy{}}, PcrConfig: &attestation.PcrConfig{}}
initialJSON, err := json.Marshal(initialConfig)
require.NoError(t, err)
@@ -87,8 +87,8 @@ func TestChangeAttestationConfiguration(t *testing.T) {
content, err := os.ReadFile(tmpfile.Name())
require.NoError(t, err)
ap := config.Config{Config: &check.Config{RootOfTrust: &check.RootOfTrust{}, Policy: &check.Policy{}}, PcrConfig: &config.PcrConfig{}}
err = config.ReadAttestationPolicyFromByte(content, &ap)
ap := attestation.Config{Config: &check.Config{RootOfTrust: &check.RootOfTrust{}, Policy: &check.Policy{}}, PcrConfig: &attestation.PcrConfig{}}
err = attestation.ReadAttestationPolicyFromByte(content, &ap)
require.NoError(t, err)
decodedData, _ := base64.StdEncoding.DecodeString(tt.base64Data)
cli/attestation_test.go
+3 -2
View File
@@ -182,7 +182,8 @@ func TestNewValidateAttestationValidationCmdDefaults(t *testing.T) {
cmd := cli.NewValidateAttestationValidationCmd()
assert.Equal(t, "validate", cmd.Use)
assert.Equal(t, "Validate and verify attestation information. You can choose from 3 modes: snp,vtpm and snp-vtpm.Default mode is snp.", cmd.Short)
expectedMessage := fmt.Sprintf("Validate and verify attestation information. You can define the confidential computing cloud provider (%s, %s, %s; %s is the default) and can choose from 3 modes: %s, %s and %s. Default mode is %s.", CCNone, CCAzure, CCGCP, CCNone, SNP, VTPM, SNPvTPM, SNP)
assert.Equal(t, expectedMessage, cmd.Short)
assert.Equal(t, fmt.Sprint(defaultMinimumTcb), cmd.Flag("minimum_tcb").Value.String())
assert.Equal(t, fmt.Sprint(defaultMinimumLaunchTcb), cmd.Flag("minimum_lauch_tcb").Value.String())
@@ -394,7 +395,7 @@ func TestParseFiles(t *testing.T) {
assert.NoError(t, err)
err = parseTrustedKeys()
assert.NoError(t, err)
assert.Equal(t, []byte("test attestation"), attestation)
assert.Equal(t, []byte("test attestation"), attestationRaw)
assert.Len(t, cfg.Policy.TrustedAuthorKeys, 1)
assert.Len(t, cfg.Policy.TrustedIdKeys, 1)
cli/cache.go
+3 -3
View File
@@ -12,7 +12,7 @@ import (
"github.com/google/go-sev-guest/proto/check"
"github.com/google/go-sev-guest/verify/trust"
"github.com/spf13/cobra"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
)
const (
@@ -27,8 +27,8 @@ func (cli *CLI) NewCABundleCmd(fileSavePath string) *cobra.Command {
Example: "ca-bundle <path_to_platform_info_json>",
Args: cobra.ExactArgs(1),
Run: func(cmd *cobra.Command, args []string) {
attestationConfiguration := config.Config{Config: &check.Config{Policy: &check.Policy{}, RootOfTrust: &check.RootOfTrust{}}, PcrConfig: &config.PcrConfig{}}
err := config.ReadAttestationPolicy(args[0], &attestationConfiguration)
attestationConfiguration := attestation.Config{Config: &check.Config{Policy: &check.Policy{}, RootOfTrust: &check.RootOfTrust{}}, PcrConfig: &attestation.PcrConfig{}}
err := attestation.ReadAttestationPolicy(args[0], &attestationConfiguration)
if err != nil {
printError(cmd, "Error while reading manifest: %v ❌ ", err)
return
cmd/agent/main.go
+31 -38
View File
@@ -8,7 +8,6 @@ import (
"crypto/sha512"
"crypto/x509"
"encoding/pem"
"errors"
"fmt"
"log"
"log/slog"
@@ -20,8 +19,7 @@ import (
mglog "github.com/absmach/magistrala/logger"
"github.com/absmach/magistrala/pkg/prometheus"
"github.com/caarlos0/env/v11"
"github.com/google/go-sev-guest/client"
"github.com/stretchr/testify/mock"
"github.com/edgelesssys/go-azguestattestation/maa"
"github.com/ultravioletrs/cocos/agent"
"github.com/ultravioletrs/cocos/agent/api"
"github.com/ultravioletrs/cocos/agent/cvms"
@@ -29,9 +27,8 @@ import (
"github.com/ultravioletrs/cocos/agent/cvms/server"
"github.com/ultravioletrs/cocos/agent/events"
agentlogger "github.com/ultravioletrs/cocos/internal/logger"
attestationconfig "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider"
"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider/mocks"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/azure"
"github.com/ultravioletrs/cocos/pkg/attestation/vtpm"
pkggrpc "github.com/ultravioletrs/cocos/pkg/clients/grpc"
cvmsgrpc "github.com/ultravioletrs/cocos/pkg/clients/grpc/cvm"
@@ -52,6 +49,10 @@ type config struct {
AgentGrpcHost string `env:"AGENT_GRPC_HOST" envDefault:"0.0.0.0"`
CAUrl string `env:"AGENT_CVM_CA_URL" envDefault:""`
CVMId string `env:"AGENT_CVM_ID" envDefault:""`
AgentMaaURL string `env:"AGENT_MAA_URL" envDefault:"https://sharedeus2.eus2.attest.azure.net"`
AgentOSBuild string `env:"AGENT_OS_BUILD" envDefault:"UVC"`
AgentOSDistro string `env:"AGENT_OS_DISTRO" envDefault:"UVC"`
AgentOSType string `env:"AGENT_OS_TYPE" envDefault:"UVC"`
}
func main() {
@@ -85,22 +86,19 @@ func main() {
return
}
var qp client.LeveledQuoteProvider
vtpmAttest := vtpm.Attest
var provider attestation.Provider
ccPlatform := attestation.CCPlatform()
if !sevGuesDeviceExists() {
logger.Info("SEV-SNP device not found")
qpMock := new(mocks.LeveledQuoteProvider)
qpMock.On("GetRawQuoteAtLevel", mock.Anything, mock.Anything).Return([]uint8{}, errors.New("SEV-SNP device not found"))
qp = qpMock
vtpmAttest = vtpm.EmptyAttest
} else {
qp, err = quoteprovider.GetLeveledQuoteProvider()
if err != nil {
logger.Error(fmt.Sprintf("failed to create quote provider %s", err.Error()))
exitCode = 1
return
}
switch ccPlatform {
case attestation.SNP:
provider = vtpm.New(nil, false, uint(cfg.Vmpl), nil)
case attestation.SNPvTPM:
provider = vtpm.New(nil, true, uint(cfg.Vmpl), nil)
case attestation.Azure:
provider = azure.New(nil)
case attestation.NoCC:
logger.Info("TEE device not found")
provider = &attestation.EmptyProvider{}
}
cvmGrpcConfig := pkggrpc.CVMClientConfig{}
@@ -146,7 +144,11 @@ func main() {
return
}
svc := newService(ctx, logger, eventSvc, qp, cfg.Vmpl, vtpmAttest)
azure.MaaURL = cfg.AgentMaaURL
maa.OSBuild = cfg.AgentOSBuild
maa.OSDistro = cfg.AgentOSDistro
maa.OSType = cfg.AgentOSType
svc := newService(ctx, logger, eventSvc, provider, cfg.Vmpl)
if err := os.MkdirAll(storageDir, 0o755); err != nil {
logger.Error(fmt.Sprintf("failed to create storage directory: %s", err))
@@ -154,7 +156,7 @@ func main() {
return
}
mc, err := cvmsapi.NewClient(pc, svc, eventsLogsQueue, logger, server.NewServer(logger, svc, cfg.AgentGrpcHost, qp, cfg.CAUrl, cfg.CVMId), storageDir, reconnectFn, cvmGRPCClient)
mc, err := cvmsapi.NewClient(pc, svc, eventsLogsQueue, logger, server.NewServer(logger, svc, cfg.AgentGrpcHost, cfg.CAUrl, cfg.CVMId), storageDir, reconnectFn, cvmGRPCClient)
if err != nil {
logger.Error(err.Error())
exitCode = 1
@@ -180,7 +182,7 @@ func main() {
return mc.Process(ctx, cancel)
})
attestation, certSerialNumber, err := attestationFromCert(ctx, cvmGrpcConfig.ClientCert, svc)
attest, certSerialNumber, err := attestationFromCert(ctx, cvmGrpcConfig.ClientCert, svc)
if err != nil {
logger.Error(fmt.Sprintf("failed to get attestation: %s", err))
exitCode = 1
@@ -190,7 +192,7 @@ func main() {
eventsLogsQueue <- &cvms.ClientStreamMessage{
Message: &cvms.ClientStreamMessage_VTPMattestationReport{
VTPMattestationReport: &cvms.AttestationResponse{
File: attestation,
File: attest,
CertSerialNumber: certSerialNumber,
},
},
@@ -201,8 +203,8 @@ func main() {
}
}
func newService(ctx context.Context, logger *slog.Logger, eventSvc events.Service, qp client.LeveledQuoteProvider, vmpl int, vtpmAttest vtpm.VtpmAttest) agent.Service {
svc := agent.New(ctx, logger, eventSvc, qp, vmpl, vtpmAttest)
func newService(ctx context.Context, logger *slog.Logger, eventSvc events.Service, provider attestation.Provider, vmpl int) agent.Service {
svc := agent.New(ctx, logger, eventSvc, provider, vmpl)
svc = api.LoggingMiddleware(svc, logger)
counter, latency := prometheus.MakeMetrics(svcName, "api")
@@ -211,15 +213,6 @@ func newService(ctx context.Context, logger *slog.Logger, eventSvc events.Servic
return svc
}
func sevGuesDeviceExists() bool {
d, err := client.OpenDevice()
if err != nil {
return false
}
d.Close()
return true
}
func attestationFromCert(ctx context.Context, certFilePath string, svc agent.Service) ([]byte, string, error) {
if certFilePath == "" {
return nil, "", nil
@@ -238,10 +231,10 @@ func attestationFromCert(ctx context.Context, certFilePath string, svc agent.Ser
nonceSNP := sha512.Sum512(certFile)
nonceVTPM := sha256.Sum256(certFile)
attestation, err := svc.Attestation(ctx, nonceSNP, nonceVTPM, attestationconfig.SNPvTPM)
attest, err := svc.Attestation(ctx, nonceSNP, nonceVTPM, attestation.SNPvTPM)
if err != nil {
return nil, "", err
}
return attestation, certx509.SerialNumber.String(), nil
return attest, certx509.SerialNumber.String(), nil
}
cmd/cli/main.go
+1
View File
@@ -163,6 +163,7 @@ func main() {
attestationPolicyCmd.AddCommand(cliSVC.NewAddHostDataCmd())
attestationPolicyCmd.AddCommand(cliSVC.NewGCPAttestationPolicy())
attestationPolicyCmd.AddCommand(cliSVC.NewDownloadGCPOvmfFile())
attestationPolicyCmd.AddCommand(cliSVC.NewAzureAttestationPolicy())
if err := rootCmd.Execute(); err != nil {
logErrorCmd(*rootCmd, err)
cmd/manager/main.go
+1 -1
View File
@@ -112,7 +112,7 @@ func main() {
manager.RegisterManagerServiceServer(srv, managergrpc.NewServer(svc))
}
gs := grpcserver.New(ctx, cancel, svcName, managerGRPCConfig, registerManagerServiceServer, logger, nil, nil, "", "")
gs := grpcserver.New(ctx, cancel, svcName, managerGRPCConfig, registerManagerServiceServer, logger, nil, "", "")
g.Go(func() error {
return gs.Start()
go.mod
+6 -4
View File
@@ -27,7 +27,8 @@ require (
require (
cloud.google.com/go/storage v1.51.0
github.com/golang/protobuf v1.5.4
github.com/edgelesssys/go-azguestattestation v0.0.0-20250408071817-8c4457b235ff
github.com/golang-jwt/jwt/v5 v5.2.2
github.com/google/gce-tcb-verifier v0.3.1
)
@@ -52,10 +53,10 @@ require (
github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/go-jose/go-jose/v3 v3.0.3 // indirect
github.com/gofrs/uuid/v5 v5.3.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
github.com/google/certificate-transparency-go v1.1.2 // indirect
github.com/google/certificate-transparency-go v1.1.8 // indirect
github.com/google/go-attestation v0.5.1 // indirect
github.com/google/go-eventlog v0.0.2-0.20241003021507-01bb555f7cba // indirect
github.com/google/go-tspi v0.3.0 // indirect
@@ -95,11 +96,12 @@ require (
github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/docker/docker v28.0.4+incompatible
github.com/docker/docker v28.0.1+incompatible
github.com/go-kit/log v0.2.1 // indirect
github.com/go-logfmt/logfmt v0.6.0 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
github.com/google/go-configfs-tsm v0.3.3-0.20240919001351-b4b5b84fdcbc // indirect
github.com/google/go-tpm v0.9.3
github.com/google/go-tpm-tools v0.4.4
go.sum
+37 -1190
View File
File diff suppressed because it is too large Load Diff
internal/server/grpc/grpc.go
+1 -4
View File
@@ -29,7 +29,6 @@ import (
certscli "github.com/absmach/certs/cli"
"github.com/absmach/certs/errors"
certssdk "github.com/absmach/certs/sdk"
"github.com/google/go-sev-guest/client"
agentgrpc "github.com/ultravioletrs/cocos/agent/api/grpc"
"github.com/ultravioletrs/cocos/agent/auth"
"github.com/ultravioletrs/cocos/internal/server"
@@ -61,7 +60,6 @@ type Server struct {
server.BaseServer
server *grpc.Server
registerService serviceRegister
quoteProvider client.LeveledQuoteProvider
authSvc auth.Authenticator
health *health.Server
caUrl string
@@ -76,7 +74,7 @@ type serviceRegister func(srv *grpc.Server)
var _ server.Server = (*Server)(nil)
func New(ctx context.Context, cancel context.CancelFunc, name string, config server.ServerConfiguration, registerService serviceRegister, logger *slog.Logger, qp client.LeveledQuoteProvider, authSvc auth.Authenticator, caUrl string, cvmId string) server.Server {
func New(ctx context.Context, cancel context.CancelFunc, name string, config server.ServerConfiguration, registerService serviceRegister, logger *slog.Logger, authSvc auth.Authenticator, caUrl string, cvmId string) server.Server {
base := config.GetBaseConfig()
listenFullAddress := fmt.Sprintf("%s:%s", base.Host, base.Port)
return &Server{
@@ -89,7 +87,6 @@ func New(ctx context.Context, cancel context.CancelFunc, name string, config ser
Logger: logger,
},
registerService: registerService,
quoteProvider: qp,
authSvc: authSvc,
caUrl: caUrl,
cvmId: cvmId,
internal/server/grpc/grpc_test.go
+5 -11
View File
@@ -21,7 +21,6 @@ import (
"github.com/stretchr/testify/assert"
authmocks "github.com/ultravioletrs/cocos/agent/auth/mocks"
"github.com/ultravioletrs/cocos/internal/server"
"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider/mocks"
"github.com/ultravioletrs/cocos/pkg/attestation/vtpm"
"google.golang.org/grpc"
"google.golang.org/grpc/test/bufconn"
@@ -70,10 +69,9 @@ func TestNew(t *testing.T) {
},
}
logger := slog.Default()
qp := new(mocks.LeveledQuoteProvider)
authSvc := new(authmocks.Authenticator)
srv := New(ctx, cancel, "TestServer", config, func(srv *grpc.Server) {}, logger, qp, authSvc, "", "")
srv := New(ctx, cancel, "TestServer", config, func(srv *grpc.Server) {}, logger, authSvc, "", "")
assert.NotNil(t, srv)
assert.IsType(t, &Server{}, srv)
@@ -120,10 +118,9 @@ func TestServerStartWithTLSFile(t *testing.T) {
logBuffer := &ThreadSafeBuffer{}
logger := slog.New(slog.NewTextHandler(logBuffer, &slog.HandlerOptions{Level: slog.LevelDebug}))
qp := new(mocks.LeveledQuoteProvider)
authSvc := new(authmocks.Authenticator)
srv := New(ctx, cancel, "TestServer", config, func(srv *grpc.Server) {}, logger, qp, authSvc, "", "")
srv := New(ctx, cancel, "TestServer", config, func(srv *grpc.Server) {}, logger, authSvc, "", "")
var wg sync.WaitGroup
wg.Add(1)
@@ -167,10 +164,9 @@ func TestServerStartWithmTLSFile(t *testing.T) {
logBuffer := &ThreadSafeBuffer{}
logger := slog.New(slog.NewTextHandler(logBuffer, &slog.HandlerOptions{Level: slog.LevelDebug}))
qp := new(mocks.LeveledQuoteProvider)
authSvc := new(authmocks.Authenticator)
srv := New(ctx, cancel, "TestServer", config, func(srv *grpc.Server) {}, logger, qp, authSvc, "", "")
srv := New(ctx, cancel, "TestServer", config, func(srv *grpc.Server) {}, logger, authSvc, "", "")
var wg sync.WaitGroup
wg.Add(1)
@@ -207,10 +203,9 @@ func TestServerStop(t *testing.T) {
}
buf := &ThreadSafeBuffer{}
logger := slog.New(slog.NewTextHandler(buf, &slog.HandlerOptions{Level: slog.LevelDebug}))
qp := new(mocks.LeveledQuoteProvider)
authSvc := new(authmocks.Authenticator)
srv := New(ctx, cancel, "TestServer", config, func(srv *grpc.Server) {}, logger, qp, authSvc, "", "")
srv := New(ctx, cancel, "TestServer", config, func(srv *grpc.Server) {}, logger, authSvc, "", "")
go func() {
err := srv.Start()
@@ -399,10 +394,9 @@ func TestServerInitializationAndStartup(t *testing.T) {
logBuffer := &ThreadSafeBuffer{}
logger := slog.New(slog.NewTextHandler(logBuffer, &slog.HandlerOptions{Level: slog.LevelDebug}))
qp := new(mocks.LeveledQuoteProvider)
authSvc := new(authmocks.Authenticator)
srv := New(ctx, cancel, "TestServer", tc.config, func(srv *grpc.Server) {}, logger, qp, authSvc, "", "")
srv := New(ctx, cancel, "TestServer", tc.config, func(srv *grpc.Server) {}, logger, authSvc, "", "")
var wg sync.WaitGroup
wg.Add(1)
manager/attestation_policy.go
+3 -3
View File
@@ -19,7 +19,7 @@ import (
"github.com/google/go-sev-guest/proto/check"
"github.com/ultravioletrs/cocos/manager/qemu"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/cmdconfig"
"github.com/virtee/sev-snp-measure-go/cpuid"
"github.com/virtee/sev-snp-measure-go/guest"
@@ -63,9 +63,9 @@ func (ms *managerService) FetchAttestationPolicy(_ context.Context, computationI
return nil, err
}
attestationPolicy := config.Config{Config: &check.Config{RootOfTrust: &check.RootOfTrust{}, Policy: &check.Policy{}}, PcrConfig: &config.PcrConfig{}}
attestationPolicy := attestation.Config{Config: &check.Config{RootOfTrust: &check.RootOfTrust{}, Policy: &check.Policy{}}, PcrConfig: &attestation.PcrConfig{}}
if err = config.ReadAttestationPolicyFromByte(stdOutByte, &attestationPolicy); err != nil {
if err = attestation.ReadAttestationPolicyFromByte(stdOutByte, &attestationPolicy); err != nil {
return nil, err
}
manager/service.go
+3 -3
View File
@@ -22,7 +22,7 @@ import (
"github.com/google/uuid"
"github.com/ultravioletrs/cocos/manager/qemu"
"github.com/ultravioletrs/cocos/manager/vm"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/cmdconfig"
"github.com/ultravioletrs/cocos/pkg/manager"
"golang.org/x/crypto/sha3"
@@ -181,9 +181,9 @@ func (ms *managerService) CreateVM(ctx context.Context, req *CreateReq) (string,
return "", id, errors.Wrap(ErrFailedToCreateAttestationPolicy, err)
}
attestationPolicy := config.Config{Config: &check.Config{RootOfTrust: &check.RootOfTrust{}, Policy: &check.Policy{}}, PcrConfig: &config.PcrConfig{}}
attestationPolicy := attestation.Config{Config: &check.Config{RootOfTrust: &check.RootOfTrust{}, Policy: &check.Policy{}}, PcrConfig: &attestation.PcrConfig{}}
if err = config.ReadAttestationPolicyFromByte(stdOutByte, &attestationPolicy); err != nil {
if err = attestation.ReadAttestationPolicyFromByte(stdOutByte, &attestationPolicy); err != nil {
return "", id, errors.Wrap(ErrUnmarshalFailed, err)
}
mockery.yml
+7 -14
View File
@@ -41,13 +41,6 @@ packages:
dir: "{{.InterfaceDir}}/mocks"
filename: "state.go"
mockname: "{{.InterfaceName}}"
github.com/ultravioletrs/cocos/internal/logger:
interfaces:
io.Writer:
config:
dir: "{{.InterfaceDir}}/mocks"
filename: "io_writer.go"
mockname: "{{.InterfaceName}}"
github.com/ultravioletrs/cocos/internal/server:
interfaces:
Server:
@@ -105,13 +98,6 @@ packages:
dir: "{{.InterfaceDir}}/mocks"
filename: "server.go"
mockname: "{{.InterfaceName}}"
github.com/google/go-sev-guest/client:
interfaces:
LeveledQuoteProvider:
config:
dir: "./pkg/attestation/quoteprovider/mocks"
filename: "QuoteProvider.go"
mockname: "{{.InterfaceName}}"
github.com/ultravioletrs/cocos/agent/cvms/api/grpc/storage:
interfaces:
Storage:
@@ -126,3 +112,10 @@ packages:
dir: "{{.InterfaceDir}}/mocks"
filename: "client.go"
mockname: "{{.InterfaceName}}"
github.com/ultravioletrs/cocos/pkg/attestation:
interfaces:
Provider:
config:
dir: "{{.InterfaceDir}}/mocks"
filename: "attestation.go"
mockname: "{{.InterfaceName}}"
pkg/atls/atlsListener.go
+49 -55
View File
@@ -5,14 +5,15 @@ package atls
// #cgo LDFLAGS: -lssl -lcrypto
// #include "extensions.h"
// #include <string.h>
import "C"
import (
"crypto/sha3"
"fmt"
"io"
"net"
"os"
"runtime/cgo"
"strconv"
"sync"
"syscall"
@@ -20,15 +21,12 @@ import (
"unsafe"
"github.com/absmach/magistrala/pkg/errors"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/azure"
"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider"
"github.com/ultravioletrs/cocos/pkg/attestation/vtpm"
)
const (
NoTee int = iota
AmdSevSnp
)
const (
noError = 0
errorZeroReturn = 6
@@ -37,6 +35,7 @@ const (
errorSyscall = 5
errorSsl = 1
waitTime = 2
vmpl2 = 2
)
var (
@@ -51,57 +50,42 @@ var (
errConnCreate = errors.New("could not create connection")
)
type ValidationVerification func(data1, data2, data3, data4 []byte) error
type FetchAttestation func(data1, data2, data3 []byte) ([]byte, error)
func registerFetchAttestation(callback FetchAttestation) uintptr {
handle := cgo.NewHandle(callback)
return uintptr(handle)
func formTeeData(pubKey []byte, teeNonce []byte) []byte {
combined := append(pubKey, teeNonce...)
sum := sha3.Sum512(combined)
return sum[:]
}
func registerValidationVerification(callback ValidationVerification) uintptr {
handle := cgo.NewHandle(callback)
return uintptr(handle)
}
//export validationVerificationCallback
func validationVerificationCallback(teeType C.int) uintptr {
switch int(teeType) {
case NoTee:
return uintptr(0)
case AmdSevSnp:
return registerValidationVerification(vtpm.VTPMVerify)
func getPlatformProvider(platformType attestation.PlatformType, pubKey []byte) (attestation.Provider, error) {
switch platformType {
case attestation.SNPvTPM:
return vtpm.New(pubKey, true, vmpl2, nil), nil
case attestation.Azure:
return azure.New(nil), nil
default:
return uintptr(0)
}
}
//export fetchAttestationCallback
func fetchAttestationCallback(teeType C.int) uintptr {
switch int(teeType) {
case NoTee:
return uintptr(0)
case AmdSevSnp:
return registerFetchAttestation(vtpm.FetchATLSQuote)
default:
return uintptr(0)
return nil, fmt.Errorf("unsupported platform type: %d", platformType)
}
}
//export callVerificationValidationCallback
func callVerificationValidationCallback(callbackHandle uintptr, pubKey *C.uchar, pubKeyLen C.int, quote *C.uchar, quoteSize C.int, teeNonce *C.uchar, nonce *C.uchar) C.int {
handle := cgo.Handle(callbackHandle)
defer handle.Delete()
callback := handle.Value().(ValidationVerification)
func callVerificationValidationCallback(platformType C.int, pubKey *C.uchar, pubKeyLen C.int, attestReport *C.uchar, attestReportSize C.int, teeNonceByte *C.uchar, vTPMNonceByte *C.uchar) C.int {
pubKeyCert := C.GoBytes(unsafe.Pointer(pubKey), pubKeyLen)
attestationReport := C.GoBytes(unsafe.Pointer(quote), quoteSize)
teeData := C.GoBytes(unsafe.Pointer(teeNonce), quoteprovider.Nonce)
nonceData := C.GoBytes(unsafe.Pointer(nonce), vtpm.Nonce)
teeNonceData := C.GoBytes(unsafe.Pointer(teeNonceByte), quoteprovider.Nonce)
vTPMNonce := C.GoBytes(unsafe.Pointer(vTPMNonceByte), vtpm.Nonce)
pType := attestation.PlatformType(int(platformType))
attestationReport := C.GoBytes(unsafe.Pointer(attestReport), attestReportSize)
err := callback(attestationReport, pubKeyCert, teeData, nonceData)
teeData := formTeeData(pubKeyCert, teeNonceData)
provider, err := getPlatformProvider(pType, pubKeyCert)
if err != nil {
fmt.Fprintf(os.Stderr, "callback failed %v", err)
fmt.Fprintf(os.Stderr, "no attestation provider found for platform type %s", err.Error())
return C.int(-1)
}
err = provider.VerifyAttestation(attestationReport, teeData, vTPMNonce)
if err != nil {
fmt.Fprintf(os.Stderr, "verification callback failed %s", err.Error())
return C.int(-1)
}
@@ -109,18 +93,23 @@ func callVerificationValidationCallback(callbackHandle uintptr, pubKey *C.uchar,
}
//export callFetchAttestationCallback
func callFetchAttestationCallback(callbackHandle uintptr, pubKey *C.uchar, pubKeyLen C.int, teeNonceByte *C.uchar, vTPMNonceByte *C.uchar, outlen *C.ulong) *C.uchar {
handle := cgo.Handle(callbackHandle)
defer handle.Delete()
callback := handle.Value().(FetchAttestation)
func callFetchAttestationCallback(platformType C.int, pubKey *C.uchar, pubKeyLen C.int, teeNonceByte *C.uchar, vTPMNonceByte *C.uchar, outlen *C.ulong) *C.uchar {
pubKeyCert := C.GoBytes(unsafe.Pointer(pubKey), pubKeyLen)
teeNonceData := C.GoBytes(unsafe.Pointer(teeNonceByte), quoteprovider.Nonce)
vTPMNonce := C.GoBytes(unsafe.Pointer(vTPMNonceByte), vtpm.Nonce)
pType := attestation.PlatformType(int(platformType))
quote, err := callback(pubKeyCert, teeNonceData, vTPMNonce)
teeData := formTeeData(pubKeyCert, teeNonceData)
provider, err := getPlatformProvider(pType, pubKeyCert)
if err != nil {
fmt.Fprintf(os.Stderr, "attestation callback returned nil")
fmt.Fprintf(os.Stderr, "no attestation provider found for platform type %s", err.Error())
return nil
}
quote, err := provider.Attestation(teeData, vTPMNonce)
if err != nil {
fmt.Fprintf(os.Stderr, "attestation callback returned nil: %s", err.Error())
return nil
}
@@ -136,6 +125,11 @@ func callFetchAttestationCallback(callbackHandle uintptr, pubKey *C.uchar, pubKe
return (*C.uchar)(resultC)
}
//export returnCCPlatformType
func returnCCPlatformType() int32 {
return int32(attestation.CCPlatform())
}
type ATLSServerListener struct {
tlsListener *C.tls_server_connection
}
@@ -252,7 +246,7 @@ func (c *ATLSConn) Read(b []byte) (int, error) {
return 0, syscall.ECONNRESET // return connection reset error.
default:
fmt.Fprintf(os.Stderr, "SSL error occurred: %d\n", errCode)
return 0, fmt.Errorf("SSL error\n")
return 0, fmt.Errorf("SSL error")
}
}
pkg/atls/extensions.c
+18 -53
View File
@@ -7,41 +7,28 @@
#include <fcntl.h>
#include <unistd.h>
extern int callVerificationValidationCallback(uintptr_t callbackHandle, const u_char* pubKey, int pubKeyLen, const u_char* quote, int quoteSize, const u_char* teeNonce, const u_char* nonce);
extern u_char* callFetchAttestationCallback(uintptr_t callbackHandle, const u_char* pubKey, int pubKeyLen, const u_char* teeNonceByte, const u_char* vTPMNonceByte, unsigned long* outlen);
extern int callVerificationValidationCallback(int platformType, const u_char* pubKey, int pubKeyLen, const u_char* quote, int quoteSize, const u_char* teeNonceByte, const u_char* vTPMNonceByte);
extern u_char* callFetchAttestationCallback(int platformType, const u_char* pubKey, int pubKeyLen, const u_char* teeNonceByte, const u_char* vTPMNonceByte, unsigned long* outlen);
extern uintptr_t validationVerificationCallback(int teeType);
extern uintptr_t fetchAttestationCallback(int teeType);
extern uintptr_t getPlatformTypeHandle(int platformType, u_char *teeNonce, u_char *vtpmNonce);
extern int returnCCPlatformType();
int triggerVerificationValidationCallback(uintptr_t callbackHandle, u_char* pub_key, int pub_key_len, u_char *quote, int quote_size, u_char *tee_nonce, u_char *vtpm_nonce) {
int triggerVerificationValidationCallback(int platformType, u_char* pub_key, int pub_key_len, u_char *quote, int quote_size, u_char *tee_nonce, u_char *vtpm_nonce) {
if (quote == NULL || vtpm_nonce == NULL || tee_nonce == NULL || pub_key == NULL) {
fprintf(stderr, "attestation and noce and public key cannot be NULL\n");
return -1;
}
return callVerificationValidationCallback(callbackHandle, pub_key, pub_key_len, quote, quote_size, tee_nonce, vtpm_nonce);
return callVerificationValidationCallback(platformType, pub_key, pub_key_len, quote, quote_size, tee_nonce, vtpm_nonce);
}
u_char* triggerFetchAttestationCallback(uintptr_t callback_handle, u_char* pub_key, int pub_key_len, char *tee_nonce, char *vtpm_nonce, unsigned long *outlen) {
u_char* triggerFetchAttestationCallback(int platformType, u_char* pub_key, int pub_key_len, char *tee_nonce, char *vtpm_nonce, unsigned long *outlen) {
if(tee_nonce == NULL || vtpm_nonce == NULL) {
fprintf(stderr, "Report data cannot be NULL");
return NULL;
}
return callFetchAttestationCallback(callback_handle, pub_key, pub_key_len, tee_nonce, vtpm_nonce, outlen);
}
int check_sev_snp() {
int fd = open(SEV_GUEST_DRIVER_PATH, O_RDONLY);
if (fd == -1) {
perror("Error opening /dev/sev-guest");
fprintf(stderr, "SEV guest driver is not available.\n");
return -1;
} else {
close(fd);
}
return 1;
return callFetchAttestationCallback(platformType, pub_key, pub_key_len, tee_nonce, vtpm_nonce, outlen);
}
/*
@@ -78,9 +65,9 @@ int evidence_request_ext_add_cb(SSL *s, unsigned int ext_type,
}
if (ext_data != NULL) {
if (RAND_bytes(ext_data->er.vtpm_nonce, CLIENT_RANDOM_SIZE) != 1) {
if (RAND_bytes(ext_data->er.vtpm_nonce, NONCE_RANDOM_SIZE) != 1) {
perror("could not generate random bytes for vtpm nonce, will use SSL client random");
SSL_get_client_random(s, ext_data->er.vtpm_nonce, CLIENT_RANDOM_SIZE);
SSL_get_client_random(s, ext_data->er.vtpm_nonce, NONCE_RANDOM_SIZE);
}
if (RAND_bytes(ext_data->er.tee_nonce, REPORT_DATA_SIZE) != 1) {
@@ -94,10 +81,8 @@ int evidence_request_ext_add_cb(SSL *s, unsigned int ext_type,
return -1;
}
memcpy(er->vtpm_nonce, ext_data->er.vtpm_nonce, CLIENT_RANDOM_SIZE);
memcpy(er->vtpm_nonce, ext_data->er.vtpm_nonce, NONCE_RANDOM_SIZE);
memcpy(er->tee_nonce, ext_data->er.tee_nonce, REPORT_DATA_SIZE);
er->tee_type = AMD_TEE;
ext_data->er.tee_type = AMD_TEE;
*out = (const u_char *)er;
*outlen = sizeof(evidence_request);
@@ -116,19 +101,8 @@ int evidence_request_ext_add_cb(SSL *s, unsigned int ext_type,
return -1;
}
if (check_sev_snp() > 0) {
*platform_type = AMD_TEE;
} else {
*platform_type = NO_TEE;
}
if ((*platform_type != ext_data->er.tee_type) || (*platform_type == NO_TEE)) {
*platform_type = NO_TEE;
ext_data->er.tee_type = NO_TEE;
} else {
ext_data->er.tee_type = AMD_TEE;
ext_data->fetch_attestation_handler = fetchAttestationCallback(ext_data->er.tee_type);
}
*platform_type = returnCCPlatformType();
ext_data->platform_type = *platform_type;
*out = (u_char*)platform_type;
*outlen = sizeof(int32_t);
@@ -164,9 +138,8 @@ int evidence_request_ext_parse_cb(SSL *s, unsigned int ext_type,
evidence_request *er = (evidence_request*)in;
if (ext_data != NULL) {
memcpy(ext_data->er.vtpm_nonce, er->vtpm_nonce, CLIENT_RANDOM_SIZE);
memcpy(ext_data->er.vtpm_nonce, er->vtpm_nonce, NONCE_RANDOM_SIZE);
memcpy(ext_data->er.tee_nonce, er->tee_nonce, REPORT_DATA_SIZE);
ext_data->er.tee_type = er->tee_type;
} else {
fprintf(stderr, "parse_arg is NULL\n");
return 0;
@@ -175,18 +148,11 @@ int evidence_request_ext_parse_cb(SSL *s, unsigned int ext_type,
}
case SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS:
{
int *tee_type = (int*)in;
int *platform_type = (int*)in;
tls_extension_data *ext_data = (tls_extension_data*)parse_arg;
if (ext_data != NULL) {
ext_data->er.tee_type = *tee_type;
if (ext_data->er.tee_type != NO_TEE) {
ext_data->verification_validation_handler = validationVerificationCallback(ext_data->er.tee_type);
} else {
fprintf(stderr, "must use a TEE for aTLS\n");
return 0;
}
ext_data->platform_type = *platform_type;
} else {
fprintf(stderr, "parse_arg is NULL\n");
return 0;
@@ -253,7 +219,7 @@ int attestation_certificate_ext_add_cb(SSL *s, unsigned int ext_type,
return -1;
}
quote = triggerFetchAttestationCallback(ext_data->fetch_attestation_handler, pubkey_buf, pubkey_len, ext_data->er.tee_nonce, ext_data->er.vtpm_nonce, &len);
quote = triggerFetchAttestationCallback(ext_data->platform_type, pubkey_buf, pubkey_len, ext_data->er.tee_nonce, ext_data->er.vtpm_nonce, &len);
if (quote == NULL) {
fprintf(stderr, "attestation report is NULL\n");
*al = SSL_AD_INTERNAL_ERROR;
@@ -291,7 +257,6 @@ int attestation_certificate_ext_parse_cb(SSL *s, unsigned int ext_type,
switch (context)
{
case SSL_EXT_CLIENT_HELLO:
// Return 1 so the server can return the custom certificate extension.
return 1;
case SSL_EXT_TLS1_3_CERTIFICATE:
{
@@ -324,7 +289,7 @@ int attestation_certificate_ext_parse_cb(SSL *s, unsigned int ext_type,
}
memcpy(quote, in, inlen);
res = triggerVerificationValidationCallback(ext_data->verification_validation_handler,
res = triggerVerificationValidationCallback(ext_data->platform_type,
pubkey_buf,
pubkey_len,
quote,
pkg/atls/extensions.h
+3 -11
View File
@@ -7,25 +7,19 @@
#define EVIDENCE_REQUEST_HELLO_EXTENSION_TYPE 65
#define ATTESTATION_CERTIFICATE_EXTENSION_TYPE 66
#define REPORT_DATA_SIZE 64
#define CLIENT_RANDOM_SIZE 32
#define NONCE_RANDOM_SIZE 32
#define TLS_CLIENT_CTX 0
#define TLS_SERVER_CTX 1
#define SEV_GUEST_DRIVER_PATH "/dev/sev-guest"
#define NO_TEE 0
#define AMD_TEE 1
typedef struct evidence_request
{
int tee_type;
char vtpm_nonce[CLIENT_RANDOM_SIZE];
char vtpm_nonce[NONCE_RANDOM_SIZE];
char tee_nonce[REPORT_DATA_SIZE];
} evidence_request;
typedef struct tls_extension_data
{
uintptr_t fetch_attestation_handler;
uintptr_t verification_validation_handler;
int platform_type;
evidence_request er;
} tls_extension_data;
@@ -37,7 +31,6 @@ typedef struct tls_server_connection
char* key;
int key_len;
struct sockaddr_storage addr;
uintptr_t fetch_attestation_handler;
} tls_server_connection;
typedef struct tls_connection
@@ -61,7 +54,6 @@ int set_socket_read_timeout(tls_connection* conn, int timeout_sec, int timeout_u
int set_socket_write_timeout(tls_connection* conn, int timeout_sec, int timeout_usec);
char* tls_return_addr(struct sockaddr_storage *addr);
int tls_return_port(struct sockaddr_storage *addr);
int compute_sha256_of_public_key(X509 *cert, unsigned char *hash);
// Extensions
void evidence_request_ext_free_cb(SSL *s, unsigned int ext_type,
pkg/atls/listener.c
+1 -2
View File
@@ -289,9 +289,8 @@ tls_connection* tls_server_accept(tls_server_connection *tls_server) {
goto cleanup_fd;
}
// Set file descriptor and assign handlers
// Set file descriptor
conn->socket_fd = client_fd;
conn->tls_ext_data.fetch_attestation_handler = tls_server->fetch_attestation_handler;
SSL_set_fd(conn->ssl, client_fd);
// Get local address
pkg/attestation/config.go → pkg/attestation/attestation.go
+90 -3
View File
@@ -1,23 +1,35 @@
// Copyright (c) Ultraviolet
// SPDX-License-Identifier: Apache-2.0
package config
package attestation
import (
"encoding/json"
"fmt"
"io"
"net/http"
"os"
"github.com/absmach/magistrala/pkg/errors"
"github.com/google/go-sev-guest/client"
"github.com/google/go-sev-guest/proto/check"
"github.com/google/go-tpm/legacy/tpm2"
"google.golang.org/protobuf/encoding/protojson"
)
type AttestationType int32
type PlatformType int
const (
SNP AttestationType = iota
SNP PlatformType = iota
VTPM
SNPvTPM
Azure
NoCC
)
const (
azureMetadataUrl = "http://169.254.169.254/metadata/instance"
azureApiVersion = "2021-02-01"
)
var (
@@ -43,6 +55,20 @@ type Config struct {
*PcrConfig
}
type ccCheck struct {
checkFunc func() bool
platform PlatformType
}
type Provider interface {
Attestation(teeNonce []byte, vTpmNonce []byte) ([]byte, error)
TeeAttestation(teeNonce []byte) ([]byte, error)
VTpmAttestation(vTpmNonce []byte) ([]byte, error)
VerifyAttestation(report []byte, teeNonce []byte, vTpmNonce []byte) error
VerifTeeAttestation(report []byte, teeNonce []byte) error
VerifVTpmAttestation(report []byte, vTpmNonce []byte) error
}
func ReadAttestationPolicy(policyPath string, attestationConfiguration *Config) error {
if policyPath != "" {
policyData, err := os.ReadFile(policyPath)
@@ -69,3 +95,64 @@ func ReadAttestationPolicyFromByte(policyData []byte, attestationConfiguration *
return nil
}
// CCPlatform returns the type of the confidential computing platform.
func CCPlatform() PlatformType {
checks := []ccCheck{
{SevGuestvTPMExists, SNPvTPM},
{SevGuesDeviceExists, SNP},
{isAzureVM, Azure},
}
for _, c := range checks {
if c.checkFunc() {
return c.platform
}
}
return NoCC
}
func SevGuesDeviceExists() bool {
d, err := client.OpenDevice()
if err != nil {
return false
}
d.Close()
return true
}
func SevGuestvTPMExists() bool {
d, err := tpm2.OpenTPM()
if err != nil {
return false
}
d.Close()
return SevGuesDeviceExists()
}
func isAzureVM() bool {
client := &http.Client{}
url := fmt.Sprintf("%s?api-version=%s", azureMetadataUrl, azureApiVersion)
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Metadata", "true")
resp, err := client.Do(req)
if err != nil {
return false
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusOK {
body, err := io.ReadAll(resp.Body)
if err != nil {
return false
}
return len(body) > 0
}
return false
}
pkg/attestation/azure/snp.go
+289
View File
@@ -0,0 +1,289 @@
// Copyright (c) Ultraviolet
// SPDX-License-Identifier: Apache-2.0
package azure
import (
"context"
"encoding/base64"
"encoding/hex"
"fmt"
"io"
"net/http"
"github.com/absmach/magistrala/pkg/errors"
"github.com/edgelesssys/go-azguestattestation/maa"
"github.com/golang-jwt/jwt/v5"
"github.com/google/go-sev-guest/abi"
"github.com/google/go-sev-guest/kds"
"github.com/google/go-sev-guest/proto/check"
"github.com/google/go-sev-guest/proto/sevsnp"
"github.com/google/go-sev-guest/tools/lib/report"
"github.com/google/go-tpm-tools/proto/attest"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider"
"github.com/ultravioletrs/cocos/pkg/attestation/vtpm"
"google.golang.org/protobuf/proto"
)
var MaaURL = "https://sharedeus2.eus2.attest.azure.net"
var _ attestation.Provider = (*provider)(nil)
type provider struct {
writer io.Writer
}
func New(writer io.Writer) attestation.Provider {
return provider{writer: writer}
}
func (a provider) Attestation(teeNonce []byte, vTpmNonce []byte) ([]byte, error) {
var tokenNonce [vtpm.Nonce]byte
copy(tokenNonce[:], teeNonce)
params, err := maa.NewParameters(context.Background(), tokenNonce[:], http.DefaultClient, nil)
if err != nil {
return nil, fmt.Errorf("failed to get report: %w", err)
}
snpReport, err := report.ParseAttestation(params.SNPReport, "bin")
if err != nil {
return nil, fmt.Errorf("failed to parse SNP report: %w", err)
}
quote, err := vtpm.FetchQuote(vTpmNonce)
if err != nil {
return nil, fmt.Errorf("failed to fetch quote: %w", err)
}
quote.TeeAttestation = &attest.Attestation_SevSnpAttestation{
SevSnpAttestation: snpReport,
}
return proto.Marshal(quote)
}
func (a provider) TeeAttestation(teeNonce []byte) ([]byte, error) {
var tokenNonce [vtpm.Nonce]byte
copy(tokenNonce[:], teeNonce)
params, err := maa.NewParameters(context.Background(), tokenNonce[:], http.DefaultClient, nil)
if err != nil {
return nil, fmt.Errorf("failed to get report: %w", err)
}
return params.SNPReport, nil
}
func (a provider) VTpmAttestation(vTpmNonce []byte) ([]byte, error) {
quote, err := vtpm.FetchQuote(vTpmNonce)
if err != nil {
return []byte{}, errors.Wrap(vtpm.ErrFetchQuote, err)
}
return proto.Marshal(quote)
}
func (a provider) VerifTeeAttestation(report []byte, teeNonce []byte) error {
attestationReport, err := abi.ReportCertsToProto(report)
if err != nil {
return errors.Wrap(fmt.Errorf("failed to convert TEE report to proto"), err)
}
return quoteprovider.VerifyAttestationReportTLS(attestationReport, teeNonce)
}
func (a provider) VerifVTpmAttestation(report []byte, vTpmNonce []byte) error {
return vtpm.VerifyQuote(report, nil, vTpmNonce, a.writer)
}
func (a provider) VerifyAttestation(report []byte, teeNonce []byte, vTpmNonce []byte) error {
var tokenNonce [vtpm.Nonce]byte
copy(tokenNonce[:], teeNonce)
quote := &attest.Attestation{}
err := proto.Unmarshal(report, quote)
if err != nil {
return fmt.Errorf("failed to unmarshal vTPM quote: %w", err)
}
snpReport := quote.GetSevSnpAttestation()
if err = quoteprovider.VerifyAttestationReportTLS(snpReport, nil); err != nil {
return fmt.Errorf("failed to verify vTPM attestation report: %w", err)
}
return nil
}
func GenerateAttestationPolicy(token string, product string, policy uint64, nonce []byte) (*attestation.Config, error) {
claims, err := validateToken(token)
if err != nil {
return nil, fmt.Errorf("failed to validate token: %w", err)
}
if err := validateClaims(claims, nonce); err != nil {
return nil, fmt.Errorf("failed to validate claims: %w", err)
}
tee, ok := claims["x-ms-isolation-tee"].(map[string]interface{})
if !ok {
return nil, fmt.Errorf("failed to get tee from claims")
}
familyIdString, ok := tee["x-ms-sevsnpvm-familyId"].(string)
if !ok {
return nil, fmt.Errorf("failed to get familyId from claims")
}
familyId, err := hex.DecodeString(familyIdString)
if err != nil {
return nil, fmt.Errorf("failed to decode familyId: %w", err)
}
imageIdString, ok := tee["x-ms-sevsnpvm-imageId"].(string)
if !ok {
return nil, fmt.Errorf("failed to get imageId from claims")
}
imageId, err := hex.DecodeString(imageIdString)
if err != nil {
return nil, fmt.Errorf("failed to decode imageId: %w", err)
}
measurementString, ok := tee["x-ms-sevsnpvm-launchmeasurement"].(string)
if !ok {
return nil, fmt.Errorf("failed to get measurement from claims")
}
measurement, err := hex.DecodeString(measurementString)
if err != nil {
return nil, fmt.Errorf("failed to decode measurement: %w", err)
}
bootloaderVersion, ok := tee["x-ms-sevsnpvm-bootloader-svn"].(float64)
if !ok {
return nil, fmt.Errorf("failed to get bootloader version from claims")
}
teeVersion, ok := tee["x-ms-sevsnpvm-tee-svn"].(float64)
if !ok {
return nil, fmt.Errorf("failed to get tee version from claims")
}
snpVersion, ok := tee["x-ms-sevsnpvm-snpfw-svn"].(float64)
if !ok {
return nil, fmt.Errorf("failed to get snp version from claims")
}
microcodeVersion, ok := tee["x-ms-sevsnpvm-microcode-svn"].(float64)
if !ok {
return nil, fmt.Errorf("failed to get microcode version from claims")
}
minimalTCBParts := kds.TCBParts{
BlSpl: uint8(bootloaderVersion),
TeeSpl: uint8(teeVersion),
SnpSpl: uint8(snpVersion),
UcodeSpl: uint8(microcodeVersion),
}
minimalTCB, err := kds.ComposeTCBParts(minimalTCBParts)
if err != nil {
return nil, fmt.Errorf("failed to compose TCB parts: %w", err)
}
guestSVN, ok := tee["x-ms-sevsnpvm-guestsvn"].(float64)
if !ok {
return nil, fmt.Errorf("failed to get guest SVN from claims")
}
idKeyDigestString, ok := tee["x-ms-sevsnpvm-idkeydigest"].(string)
if !ok {
return nil, fmt.Errorf("failed to get idKeyDigest from claims")
}
idKeyDigest, err := hex.DecodeString(idKeyDigestString)
if err != nil {
return nil, fmt.Errorf("failed to decode idKeyDigest: %w", err)
}
reportIDString, ok := tee["x-ms-sevsnpvm-reportid"].(string)
if !ok {
return nil, fmt.Errorf("failed to get reportID from claims")
}
reportID, err := hex.DecodeString(reportIDString)
if err != nil {
return nil, fmt.Errorf("failed to decode reportID: %w", err)
}
sevProduct := quoteprovider.GetProductName(product)
return &attestation.Config{
Config: &check.Config{
RootOfTrust: &check.RootOfTrust{
CheckCrl: true,
},
Policy: &check.Policy{
ImageId: imageId,
FamilyId: familyId,
Measurement: measurement,
MinimumGuestSvn: uint32(guestSVN),
MinimumTcb: uint64(minimalTCB),
TrustedIdKeyHashes: [][]byte{idKeyDigest},
ReportId: reportID,
Product: &sevsnp.SevProduct{Name: sevProduct},
Policy: policy,
},
},
}, nil
}
func validateToken(token string) (map[string]interface{}, error) {
unverifiedToken, _, err := new(jwt.Parser).ParseUnverified(token, jwt.MapClaims{})
if err != nil {
return nil, fmt.Errorf("failed to parse token: %w", err)
}
jku, jkuOk := unverifiedToken.Header["jku"].(string)
if !jkuOk {
return nil, fmt.Errorf("token is missing jku or kid in header")
}
MaaUrlCerts := MaaURL
if MaaURL == "" {
MaaUrlCerts = jku
}
keySet, err := maa.GetKeySet(context.Background(), MaaUrlCerts, http.DefaultClient)
if err != nil {
return nil, fmt.Errorf("failed to get key set: %w", err)
}
claims, err := maa.ValidateToken(token, keySet)
if err != nil {
return nil, fmt.Errorf("failed to validate token: %w", err)
}
return claims, nil
}
func validateClaims(claims map[string]interface{}, nonce []byte) error {
runtime, ok := claims["x-ms-runtime"].(map[string]interface{})
if !ok {
return fmt.Errorf("failed to get runtime from claims")
}
payload, ok := runtime["client-payload"].(map[string]interface{})
if !ok {
return fmt.Errorf("failed to get client payload from claims")
}
tokenNonce, ok := payload["nonce"].(string)
if !ok {
return fmt.Errorf("failed to get nonce from claims")
}
if tokenNonce != base64.StdEncoding.EncodeToString(nonce) {
return fmt.Errorf("nonce mismatch: expected %s, got %s", base64.StdEncoding.EncodeToString(nonce), tokenNonce)
}
return nil
}
pkg/attestation/emptyprovider.go
+34
View File
@@ -0,0 +1,34 @@
// Copyright (c) Ultraviolet
// SPDX-License-Identifier: Apache-2.0
package attestation
import cocosai "github.com/ultravioletrs/cocos"
var _ Provider = (*EmptyProvider)(nil)
type EmptyProvider struct{}
func (e *EmptyProvider) Attestation(teeNonce []byte, vTpmNonce []byte) ([]byte, error) {
return cocosai.EmbeddedAttestation, nil
}
func (e *EmptyProvider) TeeAttestation(teeNonce []byte) ([]byte, error) {
return cocosai.EmbeddedAttestation, nil
}
func (e *EmptyProvider) VTpmAttestation(vTpmNonce []byte) ([]byte, error) {
return cocosai.EmbeddedAttestation, nil
}
func (e *EmptyProvider) VerifTeeAttestation(report []byte, teeNonce []byte) error {
return nil
}
func (e *EmptyProvider) VerifVTpmAttestation(report []byte, vTpmNonce []byte) error {
return nil
}
func (e *EmptyProvider) VerifyAttestation(report []byte, teeNonce []byte, vTpmNonce []byte) error {
return nil
}
pkg/attestation/gcp/gcp.go
+4 -4
View File
@@ -9,12 +9,12 @@ import (
"io"
"cloud.google.com/go/storage"
"github.com/golang/protobuf/proto"
"github.com/google/gce-tcb-verifier/proto/endorsement"
"github.com/google/go-sev-guest/proto/check"
"github.com/google/go-sev-guest/proto/sevsnp"
"github.com/google/go-sev-guest/tools/lib/report"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"google.golang.org/protobuf/proto"
)
const (
@@ -77,8 +77,8 @@ func GetLaunchEndorsement(ctx context.Context, measurement384 string) (*endorsem
return &goldenUEFI, nil
}
func GenerateAttestationPolicy(endorsement *endorsement.VMGoldenMeasurement, vcpuNum uint32) (*config.Config, error) {
attestationPolicy := config.Config{PcrConfig: &config.PcrConfig{}, Config: &check.Config{RootOfTrust: &check.RootOfTrust{}, Policy: &check.Policy{}}}
func GenerateAttestationPolicy(endorsement *endorsement.VMGoldenMeasurement, vcpuNum uint32) (*attestation.Config, error) {
attestationPolicy := attestation.Config{PcrConfig: &attestation.PcrConfig{}, Config: &check.Config{RootOfTrust: &check.RootOfTrust{}, Policy: &check.Policy{}}}
attestationPolicy.Config.Policy.Policy = endorsement.SevSnp.Policy
attestationPolicy.Config.Policy.Measurement = endorsement.SevSnp.Measurements[vcpuNum]
attestationPolicy.Config.RootOfTrust.DisallowNetwork = false
pkg/attestation/mocks/attestation.go
+352
View File
@@ -0,0 +1,352 @@
// Copyright (c) Ultraviolet
// SPDX-License-Identifier: Apache-2.0
// Code generated by mockery v2.53.3. DO NOT EDIT.
package mocks
import mock "github.com/stretchr/testify/mock"
// Provider is an autogenerated mock type for the Provider type
type Provider struct {
mock.Mock
}
type Provider_Expecter struct {
mock *mock.Mock
}
func (_m *Provider) EXPECT() *Provider_Expecter {
return &Provider_Expecter{mock: &_m.Mock}
}
// Attestation provides a mock function with given fields: teeNonce, vTpmNonce
func (_m *Provider) Attestation(teeNonce []byte, vTpmNonce []byte) ([]byte, error) {
ret := _m.Called(teeNonce, vTpmNonce)
if len(ret) == 0 {
panic("no return value specified for Attestation")
}
var r0 []byte
var r1 error
if rf, ok := ret.Get(0).(func([]byte, []byte) ([]byte, error)); ok {
return rf(teeNonce, vTpmNonce)
}
if rf, ok := ret.Get(0).(func([]byte, []byte) []byte); ok {
r0 = rf(teeNonce, vTpmNonce)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).([]byte)
}
}
if rf, ok := ret.Get(1).(func([]byte, []byte) error); ok {
r1 = rf(teeNonce, vTpmNonce)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// Provider_Attestation_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Attestation'
type Provider_Attestation_Call struct {
*mock.Call
}
// Attestation is a helper method to define mock.On call
// - teeNonce []byte
// - vTpmNonce []byte
func (_e *Provider_Expecter) Attestation(teeNonce interface{}, vTpmNonce interface{}) *Provider_Attestation_Call {
return &Provider_Attestation_Call{Call: _e.mock.On("Attestation", teeNonce, vTpmNonce)}
}
func (_c *Provider_Attestation_Call) Run(run func(teeNonce []byte, vTpmNonce []byte)) *Provider_Attestation_Call {
_c.Call.Run(func(args mock.Arguments) {
run(args[0].([]byte), args[1].([]byte))
})
return _c
}
func (_c *Provider_Attestation_Call) Return(_a0 []byte, _a1 error) *Provider_Attestation_Call {
_c.Call.Return(_a0, _a1)
return _c
}
func (_c *Provider_Attestation_Call) RunAndReturn(run func([]byte, []byte) ([]byte, error)) *Provider_Attestation_Call {
_c.Call.Return(run)
return _c
}
// TeeAttestation provides a mock function with given fields: teeNonce
func (_m *Provider) TeeAttestation(teeNonce []byte) ([]byte, error) {
ret := _m.Called(teeNonce)
if len(ret) == 0 {
panic("no return value specified for TeeAttestation")
}
var r0 []byte
var r1 error
if rf, ok := ret.Get(0).(func([]byte) ([]byte, error)); ok {
return rf(teeNonce)
}
if rf, ok := ret.Get(0).(func([]byte) []byte); ok {
r0 = rf(teeNonce)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).([]byte)
}
}
if rf, ok := ret.Get(1).(func([]byte) error); ok {
r1 = rf(teeNonce)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// Provider_TeeAttestation_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'TeeAttestation'
type Provider_TeeAttestation_Call struct {
*mock.Call
}
// TeeAttestation is a helper method to define mock.On call
// - teeNonce []byte
func (_e *Provider_Expecter) TeeAttestation(teeNonce interface{}) *Provider_TeeAttestation_Call {
return &Provider_TeeAttestation_Call{Call: _e.mock.On("TeeAttestation", teeNonce)}
}
func (_c *Provider_TeeAttestation_Call) Run(run func(teeNonce []byte)) *Provider_TeeAttestation_Call {
_c.Call.Run(func(args mock.Arguments) {
run(args[0].([]byte))
})
return _c
}
func (_c *Provider_TeeAttestation_Call) Return(_a0 []byte, _a1 error) *Provider_TeeAttestation_Call {
_c.Call.Return(_a0, _a1)
return _c
}
func (_c *Provider_TeeAttestation_Call) RunAndReturn(run func([]byte) ([]byte, error)) *Provider_TeeAttestation_Call {
_c.Call.Return(run)
return _c
}
// VTpmAttestation provides a mock function with given fields: vTpmNonce
func (_m *Provider) VTpmAttestation(vTpmNonce []byte) ([]byte, error) {
ret := _m.Called(vTpmNonce)
if len(ret) == 0 {
panic("no return value specified for VTpmAttestation")
}
var r0 []byte
var r1 error
if rf, ok := ret.Get(0).(func([]byte) ([]byte, error)); ok {
return rf(vTpmNonce)
}
if rf, ok := ret.Get(0).(func([]byte) []byte); ok {
r0 = rf(vTpmNonce)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).([]byte)
}
}
if rf, ok := ret.Get(1).(func([]byte) error); ok {
r1 = rf(vTpmNonce)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// Provider_VTpmAttestation_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'VTpmAttestation'
type Provider_VTpmAttestation_Call struct {
*mock.Call
}
// VTpmAttestation is a helper method to define mock.On call
// - vTpmNonce []byte
func (_e *Provider_Expecter) VTpmAttestation(vTpmNonce interface{}) *Provider_VTpmAttestation_Call {
return &Provider_VTpmAttestation_Call{Call: _e.mock.On("VTpmAttestation", vTpmNonce)}
}
func (_c *Provider_VTpmAttestation_Call) Run(run func(vTpmNonce []byte)) *Provider_VTpmAttestation_Call {
_c.Call.Run(func(args mock.Arguments) {
run(args[0].([]byte))
})
return _c
}
func (_c *Provider_VTpmAttestation_Call) Return(_a0 []byte, _a1 error) *Provider_VTpmAttestation_Call {
_c.Call.Return(_a0, _a1)
return _c
}
func (_c *Provider_VTpmAttestation_Call) RunAndReturn(run func([]byte) ([]byte, error)) *Provider_VTpmAttestation_Call {
_c.Call.Return(run)
return _c
}
// VerifTeeAttestation provides a mock function with given fields: report, teeNonce
func (_m *Provider) VerifTeeAttestation(report []byte, teeNonce []byte) error {
ret := _m.Called(report, teeNonce)
if len(ret) == 0 {
panic("no return value specified for VerifTeeAttestation")
}
var r0 error
if rf, ok := ret.Get(0).(func([]byte, []byte) error); ok {
r0 = rf(report, teeNonce)
} else {
r0 = ret.Error(0)
}
return r0
}
// Provider_VerifTeeAttestation_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'VerifTeeAttestation'
type Provider_VerifTeeAttestation_Call struct {
*mock.Call
}
// VerifTeeAttestation is a helper method to define mock.On call
// - report []byte
// - teeNonce []byte
func (_e *Provider_Expecter) VerifTeeAttestation(report interface{}, teeNonce interface{}) *Provider_VerifTeeAttestation_Call {
return &Provider_VerifTeeAttestation_Call{Call: _e.mock.On("VerifTeeAttestation", report, teeNonce)}
}
func (_c *Provider_VerifTeeAttestation_Call) Run(run func(report []byte, teeNonce []byte)) *Provider_VerifTeeAttestation_Call {
_c.Call.Run(func(args mock.Arguments) {
run(args[0].([]byte), args[1].([]byte))
})
return _c
}
func (_c *Provider_VerifTeeAttestation_Call) Return(_a0 error) *Provider_VerifTeeAttestation_Call {
_c.Call.Return(_a0)
return _c
}
func (_c *Provider_VerifTeeAttestation_Call) RunAndReturn(run func([]byte, []byte) error) *Provider_VerifTeeAttestation_Call {
_c.Call.Return(run)
return _c
}
// VerifVTpmAttestation provides a mock function with given fields: report, vTpmNonce
func (_m *Provider) VerifVTpmAttestation(report []byte, vTpmNonce []byte) error {
ret := _m.Called(report, vTpmNonce)
if len(ret) == 0 {
panic("no return value specified for VerifVTpmAttestation")
}
var r0 error
if rf, ok := ret.Get(0).(func([]byte, []byte) error); ok {
r0 = rf(report, vTpmNonce)
} else {
r0 = ret.Error(0)
}
return r0
}
// Provider_VerifVTpmAttestation_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'VerifVTpmAttestation'
type Provider_VerifVTpmAttestation_Call struct {
*mock.Call
}
// VerifVTpmAttestation is a helper method to define mock.On call
// - report []byte
// - vTpmNonce []byte
func (_e *Provider_Expecter) VerifVTpmAttestation(report interface{}, vTpmNonce interface{}) *Provider_VerifVTpmAttestation_Call {
return &Provider_VerifVTpmAttestation_Call{Call: _e.mock.On("VerifVTpmAttestation", report, vTpmNonce)}
}
func (_c *Provider_VerifVTpmAttestation_Call) Run(run func(report []byte, vTpmNonce []byte)) *Provider_VerifVTpmAttestation_Call {
_c.Call.Run(func(args mock.Arguments) {
run(args[0].([]byte), args[1].([]byte))
})
return _c
}
func (_c *Provider_VerifVTpmAttestation_Call) Return(_a0 error) *Provider_VerifVTpmAttestation_Call {
_c.Call.Return(_a0)
return _c
}
func (_c *Provider_VerifVTpmAttestation_Call) RunAndReturn(run func([]byte, []byte) error) *Provider_VerifVTpmAttestation_Call {
_c.Call.Return(run)
return _c
}
// VerifyAttestation provides a mock function with given fields: report, teeNonce, vTpmNonce
func (_m *Provider) VerifyAttestation(report []byte, teeNonce []byte, vTpmNonce []byte) error {
ret := _m.Called(report, teeNonce, vTpmNonce)
if len(ret) == 0 {
panic("no return value specified for VerifyAttestation")
}
var r0 error
if rf, ok := ret.Get(0).(func([]byte, []byte, []byte) error); ok {
r0 = rf(report, teeNonce, vTpmNonce)
} else {
r0 = ret.Error(0)
}
return r0
}
// Provider_VerifyAttestation_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'VerifyAttestation'
type Provider_VerifyAttestation_Call struct {
*mock.Call
}
// VerifyAttestation is a helper method to define mock.On call
// - report []byte
// - teeNonce []byte
// - vTpmNonce []byte
func (_e *Provider_Expecter) VerifyAttestation(report interface{}, teeNonce interface{}, vTpmNonce interface{}) *Provider_VerifyAttestation_Call {
return &Provider_VerifyAttestation_Call{Call: _e.mock.On("VerifyAttestation", report, teeNonce, vTpmNonce)}
}
func (_c *Provider_VerifyAttestation_Call) Run(run func(report []byte, teeNonce []byte, vTpmNonce []byte)) *Provider_VerifyAttestation_Call {
_c.Call.Run(func(args mock.Arguments) {
run(args[0].([]byte), args[1].([]byte), args[2].([]byte))
})
return _c
}
func (_c *Provider_VerifyAttestation_Call) Return(_a0 error) *Provider_VerifyAttestation_Call {
_c.Call.Return(_a0)
return _c
}
func (_c *Provider_VerifyAttestation_Call) RunAndReturn(run func([]byte, []byte, []byte) error) *Provider_VerifyAttestation_Call {
_c.Call.Return(run)
return _c
}
// NewProvider creates a new instance of Provider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewProvider(t interface {
mock.TestingT
Cleanup(func())
}) *Provider {
mock := &Provider{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
pkg/attestation/quoteprovider/embed.go
-49
View File
@@ -1,49 +0,0 @@
// Copyright (c) Ultraviolet
// SPDX-License-Identifier: Apache-2.0
//go:build embed
// +build embed
package quoteprovider
import (
"github.com/google/go-sev-guest/client"
"github.com/google/go-sev-guest/proto/sevsnp"
pb "github.com/google/go-sev-guest/proto/sevsnp"
cocosai "github.com/ultravioletrs/cocos"
)
const Nonce = 64
var _ client.LeveledQuoteProvider = (*embeddedQuoteProvider)(nil)
type embeddedQuoteProvider struct {
}
func GetLeveledQuoteProvider() (client.LeveledQuoteProvider, error) {
return &embeddedQuoteProvider{}, nil
}
// GetRawQuoteAtLevel returns the SEV quote for the given report data and VMPL.
func (e *embeddedQuoteProvider) GetRawQuoteAtLevel(reportData [64]byte, vmpl uint) ([]byte, error) {
return cocosai.EmbeddedAttestation, nil
}
// IsSupported returns true if the SEV platform is supported.
func (e *embeddedQuoteProvider) IsSupported() bool {
return true
}
// Product returns the SEV product information.
// unimplemented since it is deprecated and not used.
func (e *embeddedQuoteProvider) Product() *pb.SevProduct {
panic("unimplemented")
}
func FetchAttestation(reportDataSlice []byte) ([]byte, error) {
return cocosai.EmbeddedAttestation, nil
}
func VerifyAttestationReportTLS(attestation *sevsnp.Attestation, reportData []byte) error {
return nil
}
pkg/attestation/quoteprovider/mocks/QuoteProvider.go
-189
View File
@@ -1,189 +0,0 @@
// Copyright (c) Ultraviolet
// SPDX-License-Identifier: Apache-2.0
// Code generated by mockery v2.53.3. DO NOT EDIT.
package mocks
import (
sevsnp "github.com/google/go-sev-guest/proto/sevsnp"
mock "github.com/stretchr/testify/mock"
)
// LeveledQuoteProvider is an autogenerated mock type for the LeveledQuoteProvider type
type LeveledQuoteProvider struct {
mock.Mock
}
type LeveledQuoteProvider_Expecter struct {
mock *mock.Mock
}
func (_m *LeveledQuoteProvider) EXPECT() *LeveledQuoteProvider_Expecter {
return &LeveledQuoteProvider_Expecter{mock: &_m.Mock}
}
// GetRawQuoteAtLevel provides a mock function with given fields: reportData, vmpl
func (_m *LeveledQuoteProvider) GetRawQuoteAtLevel(reportData [64]byte, vmpl uint) ([]uint8, error) {
ret := _m.Called(reportData, vmpl)
if len(ret) == 0 {
panic("no return value specified for GetRawQuoteAtLevel")
}
var r0 []uint8
var r1 error
if rf, ok := ret.Get(0).(func([64]byte, uint) ([]uint8, error)); ok {
return rf(reportData, vmpl)
}
if rf, ok := ret.Get(0).(func([64]byte, uint) []uint8); ok {
r0 = rf(reportData, vmpl)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).([]uint8)
}
}
if rf, ok := ret.Get(1).(func([64]byte, uint) error); ok {
r1 = rf(reportData, vmpl)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// LeveledQuoteProvider_GetRawQuoteAtLevel_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetRawQuoteAtLevel'
type LeveledQuoteProvider_GetRawQuoteAtLevel_Call struct {
*mock.Call
}
// GetRawQuoteAtLevel is a helper method to define mock.On call
// - reportData [64]byte
// - vmpl uint
func (_e *LeveledQuoteProvider_Expecter) GetRawQuoteAtLevel(reportData interface{}, vmpl interface{}) *LeveledQuoteProvider_GetRawQuoteAtLevel_Call {
return &LeveledQuoteProvider_GetRawQuoteAtLevel_Call{Call: _e.mock.On("GetRawQuoteAtLevel", reportData, vmpl)}
}
func (_c *LeveledQuoteProvider_GetRawQuoteAtLevel_Call) Run(run func(reportData [64]byte, vmpl uint)) *LeveledQuoteProvider_GetRawQuoteAtLevel_Call {
_c.Call.Run(func(args mock.Arguments) {
run(args[0].([64]byte), args[1].(uint))
})
return _c
}
func (_c *LeveledQuoteProvider_GetRawQuoteAtLevel_Call) Return(_a0 []uint8, _a1 error) *LeveledQuoteProvider_GetRawQuoteAtLevel_Call {
_c.Call.Return(_a0, _a1)
return _c
}
func (_c *LeveledQuoteProvider_GetRawQuoteAtLevel_Call) RunAndReturn(run func([64]byte, uint) ([]uint8, error)) *LeveledQuoteProvider_GetRawQuoteAtLevel_Call {
_c.Call.Return(run)
return _c
}
// IsSupported provides a mock function with no fields
func (_m *LeveledQuoteProvider) IsSupported() bool {
ret := _m.Called()
if len(ret) == 0 {
panic("no return value specified for IsSupported")
}
var r0 bool
if rf, ok := ret.Get(0).(func() bool); ok {
r0 = rf()
} else {
r0 = ret.Get(0).(bool)
}
return r0
}
// LeveledQuoteProvider_IsSupported_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IsSupported'
type LeveledQuoteProvider_IsSupported_Call struct {
*mock.Call
}
// IsSupported is a helper method to define mock.On call
func (_e *LeveledQuoteProvider_Expecter) IsSupported() *LeveledQuoteProvider_IsSupported_Call {
return &LeveledQuoteProvider_IsSupported_Call{Call: _e.mock.On("IsSupported")}
}
func (_c *LeveledQuoteProvider_IsSupported_Call) Run(run func()) *LeveledQuoteProvider_IsSupported_Call {
_c.Call.Run(func(args mock.Arguments) {
run()
})
return _c
}
func (_c *LeveledQuoteProvider_IsSupported_Call) Return(_a0 bool) *LeveledQuoteProvider_IsSupported_Call {
_c.Call.Return(_a0)
return _c
}
func (_c *LeveledQuoteProvider_IsSupported_Call) RunAndReturn(run func() bool) *LeveledQuoteProvider_IsSupported_Call {
_c.Call.Return(run)
return _c
}
// Product provides a mock function with no fields
func (_m *LeveledQuoteProvider) Product() *sevsnp.SevProduct {
ret := _m.Called()
if len(ret) == 0 {
panic("no return value specified for Product")
}
var r0 *sevsnp.SevProduct
if rf, ok := ret.Get(0).(func() *sevsnp.SevProduct); ok {
r0 = rf()
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*sevsnp.SevProduct)
}
}
return r0
}
// LeveledQuoteProvider_Product_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Product'
type LeveledQuoteProvider_Product_Call struct {
*mock.Call
}
// Product is a helper method to define mock.On call
func (_e *LeveledQuoteProvider_Expecter) Product() *LeveledQuoteProvider_Product_Call {
return &LeveledQuoteProvider_Product_Call{Call: _e.mock.On("Product")}
}
func (_c *LeveledQuoteProvider_Product_Call) Run(run func()) *LeveledQuoteProvider_Product_Call {
_c.Call.Run(func(args mock.Arguments) {
run()
})
return _c
}
func (_c *LeveledQuoteProvider_Product_Call) Return(_a0 *sevsnp.SevProduct) *LeveledQuoteProvider_Product_Call {
_c.Call.Return(_a0)
return _c
}
func (_c *LeveledQuoteProvider_Product_Call) RunAndReturn(run func() *sevsnp.SevProduct) *LeveledQuoteProvider_Product_Call {
_c.Call.Return(run)
return _c
}
// NewLeveledQuoteProvider creates a new instance of LeveledQuoteProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewLeveledQuoteProvider(t interface {
mock.TestingT
Cleanup(func())
}) *LeveledQuoteProvider {
mock := &LeveledQuoteProvider{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
pkg/attestation/quoteprovider/sev.go
+27 -22
View File
@@ -21,18 +21,16 @@ import (
"github.com/google/go-sev-guest/verify"
"github.com/google/go-sev-guest/verify/trust"
"github.com/google/logger"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"google.golang.org/protobuf/proto"
)
const (
cocosDirectory = ".cocos"
caBundleName = "ask_ark.pem"
attestationReportSize = 0x4A0
Nonce = 64
sevProductNameMilan = "Milan"
sevProductNameGenoa = "Genoa"
sevVMPL = 2
cocosDirectory = ".cocos"
caBundleName = "ask_ark.pem"
Nonce = 64
sevProductNameMilan = "Milan"
sevProductNameGenoa = "Genoa"
)
var (
@@ -87,15 +85,7 @@ func verifyReport(attestationPB *sevsnp.Attestation, cfg *check.Config) error {
}
if cfg.Policy.Product == nil {
productName := sevsnp.SevProduct_SEV_PRODUCT_UNKNOWN
switch cfg.RootOfTrust.ProductLine {
case sevProductNameMilan:
productName = sevsnp.SevProduct_SEV_PRODUCT_MILAN
case sevProductNameGenoa:
productName = sevsnp.SevProduct_SEV_PRODUCT_GENOA
default:
}
productName := GetProductName(cfg.RootOfTrust.ProductLine)
if productName == sevsnp.SevProduct_SEV_PRODUCT_UNKNOWN {
return errProductLine
}
@@ -127,7 +117,7 @@ func verifyReport(attestationPB *sevsnp.Attestation, cfg *check.Config) error {
func validateReport(attestationPB *sevsnp.Attestation, cfg *check.Config) error {
opts, err := validate.PolicyToOptions(cfg.Policy)
if err != nil {
return fmt.Errorf("failed to get policy for validation %v", errors.Wrap(errAttVerification, err))
return fmt.Errorf("failed to get policy for validation: %v", errors.Wrap(errAttVerification, err))
}
if err = validate.SnpAttestation(attestationPB, opts); err != nil {
@@ -142,7 +132,7 @@ func GetLeveledQuoteProvider() (client.LeveledQuoteProvider, error) {
}
func VerifyAttestationReportTLS(attestationPB *sevsnp.Attestation, reportData []byte) error {
config, err := copyConfig(config.AttestationPolicy.Config)
config, err := copyConfig(attestation.AttestationPolicy.Config)
if err != nil {
return errors.Wrap(fmt.Errorf("failed to create a copy of attestation policy"), err)
}
@@ -150,7 +140,11 @@ func VerifyAttestationReportTLS(attestationPB *sevsnp.Attestation, reportData []
// Certificate chain is populated based on the extra data that is appended to the SEV-SNP attestation report.
// This data is not part of the attestation report and it will be ignored.
attestationPB.CertificateChain = nil
config.Policy.ReportData = reportData[:]
if len(reportData) != 0 {
config.Policy.ReportData = reportData[:]
}
return VerifyAndValidate(attestationPB, config)
}
@@ -168,7 +162,7 @@ func VerifyAndValidate(attestationPB *sevsnp.Attestation, cfg *check.Config) err
return nil
}
func FetchAttestation(reportDataSlice []byte) ([]byte, error) {
func FetchAttestation(reportDataSlice []byte, vmpl uint) ([]byte, error) {
var reportData [Nonce]byte
qp, err := GetLeveledQuoteProvider()
@@ -181,10 +175,21 @@ func FetchAttestation(reportDataSlice []byte) ([]byte, error) {
}
copy(reportData[:], reportDataSlice)
rawQuote, err := qp.GetRawQuoteAtLevel(reportData, sevVMPL)
rawQuote, err := qp.GetRawQuoteAtLevel(reportData, vmpl)
if err != nil {
return []byte{}, fmt.Errorf("failed to get raw quote")
}
return rawQuote, nil
}
func GetProductName(product string) sevsnp.SevProduct_SevProductName {
switch product {
case sevProductNameMilan:
return sevsnp.SevProduct_SEV_PRODUCT_MILAN
case sevProductNameGenoa:
return sevsnp.SevProduct_SEV_PRODUCT_GENOA
default:
return sevsnp.SevProduct_SEV_PRODUCT_UNKNOWN
}
}
pkg/attestation/quoteprovider/sev_test.go
+2 -2
View File
@@ -185,8 +185,8 @@ func prepVerifyAttReport(t *testing.T) (*sevsnp.Attestation, []byte) {
file, err := os.ReadFile("../../../attestation.bin")
require.NoError(t, err)
if len(file) < attestationReportSize {
file = append(file, make([]byte, attestationReportSize-len(file))...)
if len(file) < abi.ReportSize {
file = append(file, make([]byte, abi.ReportSize-len(file))...)
}
rr, err := abi.ReportCertsToProto(file)
pkg/attestation/vtpm/vtpm.go
+121 -87
View File
@@ -8,7 +8,6 @@ import (
"crypto"
"crypto/sha256"
"crypto/sha512"
"crypto/x509"
"encoding/hex"
"fmt"
"io"
@@ -17,18 +16,22 @@ import (
"github.com/absmach/magistrala/pkg/errors"
"github.com/google/go-sev-guest/abi"
"github.com/google/go-sev-guest/proto/sevsnp"
"github.com/google/go-tpm-tools/client"
"github.com/google/go-tpm-tools/proto/attest"
"github.com/google/go-tpm-tools/proto/tpm"
ptpm "github.com/google/go-tpm-tools/proto/tpm"
"github.com/google/go-tpm-tools/server"
"github.com/google/go-tpm/legacy/tpm2"
"github.com/google/go-tpm/tpmutil"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider"
"golang.org/x/crypto/sha3"
"google.golang.org/protobuf/encoding/prototext"
"google.golang.org/protobuf/proto"
)
var _ attestation.Provider = (*provider)(nil)
const (
eventLog = "/sys/kernel/security/tpm0/binary_bios_measurements"
Nonce = 32
@@ -41,24 +44,23 @@ const (
var (
ExternalTPM io.ReadWriteCloser
ErrNoHashAlgo = errors.New("hash algo is not supported")
ErrFetchQuote = errors.New("failed to fetch vTPM quote")
)
type VtpmAttest func(teeNonce []byte, vTPMNonce []byte, teeAttestaion bool) ([]byte, error)
type tpmWrapper struct {
type tpm struct {
io.ReadWriteCloser
}
func (et tpmWrapper) EventLog() ([]byte, error) {
func (et tpm) EventLog() ([]byte, error) {
return os.ReadFile(eventLog)
}
func OpenTpm() (io.ReadWriteCloser, error) {
if ExternalTPM != nil {
return tpmWrapper{ExternalTPM}, nil
return tpm{ExternalTPM}, nil
}
tw := tpmWrapper{}
tw := tpm{}
var err error
tw.ReadWriteCloser, err = tpm2.OpenTPM("/dev/tpmrm0")
@@ -89,14 +91,65 @@ func ExtendPCR(pcrIndex int, value []byte) error {
return nil
}
func Attest(teeNonce []byte, vTPMNonce []byte, teeAttestaion bool) ([]byte, error) {
attestation, err := fetchVTPMQuote(vTPMNonce)
type provider struct {
pubKey []byte
teeAttestaion bool
vmpl uint
writer io.Writer
}
func New(pubKey []byte, teeAttestation bool, vmpl uint, writer io.Writer) attestation.Provider {
return &provider{
pubKey: pubKey,
teeAttestaion: teeAttestation,
vmpl: vmpl,
writer: writer,
}
}
func (v provider) Attestation(teeNonce []byte, vTpmNonce []byte) ([]byte, error) {
return Attest(teeNonce, vTpmNonce, v.teeAttestaion, v.vmpl)
}
func (v provider) TeeAttestation(teeNonce []byte) ([]byte, error) {
return quoteprovider.FetchAttestation(teeNonce, v.vmpl)
}
func (v provider) VTpmAttestation(vTpmNonce []byte) ([]byte, error) {
quote, err := FetchQuote(vTpmNonce)
if err != nil {
return []byte{}, errors.Wrap(ErrFetchQuote, err)
}
return proto.Marshal(quote)
}
func (v provider) VerifTeeAttestation(report []byte, teeNonce []byte) error {
attestReport, err := abi.ReportToProto(report)
if err != nil {
return errors.Wrap(fmt.Errorf("failed to convert TEE report to proto"), err)
}
attestationReport := sevsnp.Attestation{Report: attestReport, CertificateChain: nil}
return quoteprovider.VerifyAttestationReportTLS(&attestationReport, teeNonce)
}
func (v provider) VerifVTpmAttestation(report []byte, vTpmNonce []byte) error {
return VerifyQuote(report, v.pubKey, vTpmNonce, v.writer)
}
func (v provider) VerifyAttestation(report []byte, teeNonce []byte, vTpmNonce []byte) error {
return VTPMVerify(report, v.pubKey, teeNonce, vTpmNonce, v.writer)
}
func Attest(teeNonce []byte, vTPMNonce []byte, teeAttestaion bool, vmpl uint) ([]byte, error) {
attestation, err := FetchQuote(vTPMNonce)
if err != nil {
return []byte{}, err
}
if teeAttestaion {
attestation, err = addTEEAttestation(attestation, teeNonce)
err = addTEEAttestation(attestation, teeNonce, vmpl)
if err != nil {
return []byte{}, err
}
@@ -105,26 +158,26 @@ func Attest(teeNonce []byte, vTPMNonce []byte, teeAttestaion bool) ([]byte, erro
return marshalQuote(attestation)
}
func FetchATLSQuote(pubKey, teeNonce, vTPMNonce []byte) ([]byte, error) {
attestation, err := fetchVTPMQuote(vTPMNonce)
if err != nil {
return []byte{}, err
func VTPMVerify(quote []byte, pubKeyTLS []byte, teeNonce []byte, vtpmNonce []byte, writer io.Writer) error {
if err := VerifyQuote(quote, pubKeyTLS, vtpmNonce, writer); err != nil {
return fmt.Errorf("failed to verify vTPM quote: %v", err)
}
reportData, err := createTEEAttestationReportNonce(pubKey, attestation.GetAkPub(), teeNonce)
attestation := &attest.Attestation{}
err := proto.Unmarshal(quote, attestation)
if err != nil {
return []byte{}, err
return errors.Wrap(fmt.Errorf("failed to unmarshal quote"), err)
}
attestation, err = addTEEAttestation(attestation, reportData)
if err != nil {
return []byte{}, err
if err := quoteprovider.VerifyAttestationReportTLS(attestation.GetSevSnpAttestation(), teeNonce); err != nil {
return fmt.Errorf("failed to verify TEE attestation report: %v", err)
}
return marshalQuote(attestation)
return nil
}
func VTPMVerify(quote []byte, pubKeyTLS []byte, teeNonce []byte, vtpmNonce []byte) error {
func VerifyQuote(quote []byte, pubKeyTLS []byte, vtpmNonce []byte, writer io.Writer) error {
attestation := &attest.Attestation{}
err := proto.Unmarshal(quote, attestation)
@@ -143,16 +196,7 @@ func VTPMVerify(quote []byte, pubKeyTLS []byte, teeNonce []byte, vtpmNonce []byt
return err
}
reportData, err := createTEEAttestationReportNonce(pubKeyTLS, ak, teeNonce)
if err != nil {
return errors.Wrap(fmt.Errorf("failed to create TEE attestation report nonce"), err)
}
if err := quoteprovider.VerifyAttestationReportTLS(attestation.GetSevSnpAttestation(), reportData); err != nil {
return fmt.Errorf("failed to verify TEE attestation report: %v", err)
}
_, err = server.VerifyAttestation(attestation, server.VerifyOpts{Nonce: vtpmNonce, TrustedAKs: []crypto.PublicKey{cryptoPub}})
ms, err := server.VerifyAttestation(attestation, server.VerifyOpts{Nonce: vtpmNonce, TrustedAKs: []crypto.PublicKey{cryptoPub}})
if err != nil {
return errors.Wrap(fmt.Errorf("failed to verify attestation"), err)
}
@@ -163,44 +207,22 @@ func VTPMVerify(quote []byte, pubKeyTLS []byte, teeNonce []byte, vtpmNonce []byt
return fmt.Errorf("PCR values do not match expected PCR values: %w", err)
}
if writer != nil {
marshalOptions := prototext.MarshalOptions{Multiline: true, EmitASCII: true}
out, err := marshalOptions.Marshal(ms)
if err != nil {
return nil
}
if _, err := writer.Write(out); err != nil {
return fmt.Errorf("failed to write verified attestation report: %v", err)
}
}
return nil
}
// EmptyAttest is a dummy attestation function that returns an empty attestation report.
func EmptyAttest(teeNonce []byte, vTPMNonce []byte, teeAttestaion bool) ([]byte, error) {
return []byte{}, nil
}
func publicKeyToBytes(pubKey interface{}) ([]byte, error) {
derBytes, err := x509.MarshalPKIXPublicKey(pubKey)
if err != nil {
return nil, err
}
return derBytes, nil
}
func createTEEAttestationReportNonce(pubKeyTLS []byte, ak []byte, nonce []byte) ([]byte, error) {
pub, err := tpm2.DecodePublic(ak)
if err != nil {
return []byte{}, err
}
cryptoPub, err := pub.Key()
if err != nil {
return []byte{}, err
}
pubKeyBytes, err := publicKeyToBytes(cryptoPub)
if err != nil {
return []byte{}, err
}
reportData := append(append(pubKeyTLS, pubKeyBytes...), nonce...)
hash := sha3.Sum512(reportData)
return hash[:], nil
}
func marshalQuote(attestation *attest.Attestation) ([]byte, error) {
out, err := proto.Marshal(attestation)
if err != nil {
@@ -210,7 +232,7 @@ func marshalQuote(attestation *attest.Attestation) ([]byte, error) {
return out, nil
}
func fetchVTPMQuote(nonce []byte) (*attest.Attestation, error) {
func FetchQuote(nonce []byte) (*attest.Attestation, error) {
rwc, err := OpenTpm()
if err != nil {
return nil, err
@@ -241,46 +263,54 @@ func fetchVTPMQuote(nonce []byte) (*attest.Attestation, error) {
return attestation, nil
}
func addTEEAttestation(attestation *attest.Attestation, nonce []byte) (*attest.Attestation, error) {
rawTeeAttestation, err := quoteprovider.FetchAttestation(nonce)
func addTEEAttestation(attestation *attest.Attestation, nonce []byte, vmpl uint) error {
rawTeeAttestation, err := quoteprovider.FetchAttestation(nonce, vmpl)
if err != nil {
return attestation, fmt.Errorf("failed to fetch TEE attestation report: %v", err)
return fmt.Errorf("failed to fetch TEE attestation report: %v", err)
}
extReport, err := abi.ReportCertsToProto(rawTeeAttestation)
if err != nil {
return attestation, errors.Wrap(fmt.Errorf("failed to convert TEE report to proto"), err)
return errors.Wrap(fmt.Errorf("failed to convert TEE report to proto"), err)
}
attestation.TeeAttestation = &attest.Attestation_SevSnpAttestation{
SevSnpAttestation: extReport,
}
return attestation, nil
return nil
}
func checkExpectedPCRValues(attestation *attest.Attestation, ePcr256, ePcr384 []byte) error {
quotes := attestation.GetQuotes()
func checkExpectedPCRValues(attQuote *attest.Attestation, ePcr256, ePcr384 []byte) error {
quotes := attQuote.GetQuotes()
for i := range quotes {
quote := quotes[i]
var pcrMap map[string]string
var pcr15 []byte
switch quote.Pcrs.Hash {
case tpm.HashAlgo_SHA256:
pcrMap = config.AttestationPolicy.PcrConfig.PCRValues.Sha256
pcr15 = ePcr256
case tpm.HashAlgo_SHA384:
pcrMap = config.AttestationPolicy.PcrConfig.PCRValues.Sha384
pcr15 = ePcr384
case tpm.HashAlgo_SHA1:
pcrMap = config.AttestationPolicy.PcrConfig.PCRValues.Sha1
case ptpm.HashAlgo_SHA256:
pcrMap = attestation.AttestationPolicy.PcrConfig.PCRValues.Sha256
if ePcr256 == nil {
pcr15 = make([]byte, 32)
} else {
pcr15 = ePcr256
}
case ptpm.HashAlgo_SHA384:
pcrMap = attestation.AttestationPolicy.PcrConfig.PCRValues.Sha384
if ePcr384 == nil {
pcr15 = make([]byte, 48)
} else {
pcr15 = ePcr384
}
case ptpm.HashAlgo_SHA1:
pcrMap = attestation.AttestationPolicy.PcrConfig.PCRValues.Sha1
pcr15 = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
default:
return errors.Wrap(ErrNoHashAlgo, fmt.Errorf("algo: %s", tpm.HashAlgo_name[int32(quote.Pcrs.Hash)]))
return errors.Wrap(ErrNoHashAlgo, fmt.Errorf("algo: %s", ptpm.HashAlgo_name[int32(quote.Pcrs.Hash)]))
}
pcr15Index := uint32(15)
if !bytes.Equal(quote.Pcrs.Pcrs[pcr15Index], pcr15) {
return fmt.Errorf("for algo %s PCR[15] expected %s but found %s", tpm.HashAlgo_name[int32(quote.Pcrs.Hash)], hex.EncodeToString(pcr15), hex.EncodeToString(quote.Pcrs.Pcrs[pcr15Index]))
return fmt.Errorf("for algo %s PCR[15] expected %s but found %s", ptpm.HashAlgo_name[int32(quote.Pcrs.Hash)], hex.EncodeToString(pcr15), hex.EncodeToString(quote.Pcrs.Pcrs[pcr15Index]))
}
for i, v := range pcrMap {
@@ -293,7 +323,7 @@ func checkExpectedPCRValues(attestation *attest.Attestation, ePcr256, ePcr384 []
return errors.Wrap(fmt.Errorf("error converting PCR value to byte"), err)
}
if !bytes.Equal(quote.Pcrs.Pcrs[uint32(index)], value) {
return fmt.Errorf("for algo %s PCR[%d] expected %s but found %s", tpm.HashAlgo_name[int32(quote.Pcrs.Hash)], index, hex.EncodeToString(value), hex.EncodeToString(quote.Pcrs.Pcrs[uint32(index)]))
return fmt.Errorf("for algo %s PCR[%d] expected %s but found %s", ptpm.HashAlgo_name[int32(quote.Pcrs.Hash)], index, hex.EncodeToString(value), hex.EncodeToString(quote.Pcrs.Pcrs[uint32(index)]))
}
}
}
@@ -302,6 +332,10 @@ func checkExpectedPCRValues(attestation *attest.Attestation, ePcr256, ePcr384 []
// Return SHA256 and SHA384 values of the input public key.
func calculatePCRTLSKey(pubKey []byte) ([]byte, []byte) {
if len(pubKey) == 0 {
return nil, nil
}
init256 := make([]byte, Hash256)
init384 := make([]byte, Hash384)
pkg/clients/grpc/agent/agent_test.go
+2 -2
View File
@@ -15,7 +15,7 @@ import (
"github.com/ultravioletrs/cocos/agent"
agentgrpc "github.com/ultravioletrs/cocos/agent/api/grpc"
"github.com/ultravioletrs/cocos/agent/mocks"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
pkggrpc "github.com/ultravioletrs/cocos/pkg/clients/grpc"
"google.golang.org/grpc"
"google.golang.org/grpc/health"
@@ -113,7 +113,7 @@ func TestAgentClientIntegration(t *testing.T) {
},
AttestedTLS: true,
},
err: config.ErrAttestationPolicyMissing,
err: attestation.ErrAttestationPolicyMissing,
},
}
pkg/clients/grpc/atls.go
+2 -2
View File
@@ -18,12 +18,12 @@ import (
"github.com/absmach/magistrala/pkg/errors"
"github.com/ultravioletrs/cocos/pkg/atls"
config "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
"google.golang.org/grpc/credentials"
)
func setupATLS(cfg AgentClientConfig) (credentials.TransportCredentials, error) {
err := config.ReadAttestationPolicy(cfg.AttestationPolicy, &config.AttestationPolicy)
err := attestation.ReadAttestationPolicy(cfg.AttestationPolicy, &attestation.AttestationPolicy)
if err != nil {
return nil, errors.Wrap(fmt.Errorf("failed to read Attestation Policy"), err)
}
pkg/clients/grpc/connect_test.go
+7 -7
View File
@@ -19,7 +19,7 @@ import (
"github.com/google/go-sev-guest/proto/check"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
att "github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation"
)
func TestNewClient(t *testing.T) {
@@ -221,25 +221,25 @@ func TestReadAttestationPolicy(t *testing.T) {
name: "Invalid JSON",
manifestPath: "invalid_manifest.json",
fileContent: invalidJSON,
err: att.ErrAttestationPolicyDecode,
err: attestation.ErrAttestationPolicyDecode,
},
{
name: "Non-existent file",
manifestPath: "nonexistent.json",
fileContent: "",
err: att.ErrAttestationPolicyOpen,
err: attestation.ErrAttestationPolicyOpen,
},
{
name: "Empty manifest path",
manifestPath: "",
fileContent: "",
err: att.ErrAttestationPolicyMissing,
err: attestation.ErrAttestationPolicyMissing,
},
{
name: "Invalid JSON PCR",
manifestPath: "invalid_manifest.json",
fileContent: invalidJSONPCR,
err: att.ErrAttestationPolicyDecode,
err: attestation.ErrAttestationPolicyDecode,
},
}
@@ -251,8 +251,8 @@ func TestReadAttestationPolicy(t *testing.T) {
defer os.Remove(tt.manifestPath)
}
config := att.Config{Config: &check.Config{}, PcrConfig: &att.PcrConfig{}}
err := att.ReadAttestationPolicy(tt.manifestPath, &config)
config := attestation.Config{Config: &check.Config{}, PcrConfig: &attestation.PcrConfig{}}
err := attestation.ReadAttestationPolicy(tt.manifestPath, &config)
assert.True(t, errors.Contains(err, tt.err), fmt.Sprintf("expected error %v, got %v", tt.err, err))
if tt.err == nil {
pkg/clients/grpc/grpc.go
+10 -10
View File
@@ -27,16 +27,15 @@ const (
)
const (
AttestationReportSize = 0x4A0
WithATLS = "with aTLS"
WithTLS = "with TLS"
WithATLS = "with aTLS"
WithTLS = "with TLS"
)
var (
errGrpcConnect = errors.New("failed to connect to grpc server")
errGrpcClose = errors.New("failed to close grpc connection")
errCertificateParse = errors.New("failed to parse x509 certificate")
errAttVerification = errors.New("certificat is not sefl signed")
errAttVerification = errors.New("certificat is not self signed")
errFailedToLoadClientCertKey = errors.New("failed to load client certificate and key")
errFailedToLoadRootCA = errors.New("failed to load root ca file")
)
@@ -57,6 +56,7 @@ type AgentClientConfig struct {
BaseConfig
AttestationPolicy string `env:"ATTESTATION_POLICY" envDefault:""`
AttestedTLS bool `env:"ATTESTED_TLS" envDefault:"false"`
ProductName string `env:"PRODUCT_NAME" envDefault:"Milan"`
}
type ManagerClientConfig struct {
@@ -147,7 +147,7 @@ func connect(cfg ClientConfiguration) (*grpc.ClientConn, security, error) {
secure = withaTLS
} else {
conf := cfg.GetBaseConfig()
transportCreds, err, sec := loadTLSConfig(conf.ServerCAFile, conf.ClientCert, conf.ClientKey)
transportCreds, sec, err := loadTLSConfig(conf.ServerCAFile, conf.ClientCert, conf.ClientKey)
if err != nil {
return nil, secure, err
}
@@ -162,7 +162,7 @@ func connect(cfg ClientConfiguration) (*grpc.ClientConn, security, error) {
return conn, secure, nil
}
func loadTLSConfig(serverCAFile, clientCert, clientKey string) (credentials.TransportCredentials, error, security) {
func loadTLSConfig(serverCAFile, clientCert, clientKey string) (credentials.TransportCredentials, security, error) {
tlsConfig := &tls.Config{}
secure := withoutTLS
tc := insecure.NewCredentials()
@@ -170,12 +170,12 @@ func loadTLSConfig(serverCAFile, clientCert, clientKey string) (credentials.Tran
if serverCAFile != "" {
rootCA, err := os.ReadFile(serverCAFile)
if err != nil {
return nil, errors.Wrap(errFailedToLoadRootCA, err), secure
return nil, secure, errors.Wrap(errFailedToLoadRootCA, err)
}
if len(rootCA) > 0 {
capool := x509.NewCertPool()
if !capool.AppendCertsFromPEM(rootCA) {
return nil, fmt.Errorf("failed to append root ca to tls.Config"), secure
return nil, secure, fmt.Errorf("failed to append root ca to tls.Config")
}
tlsConfig.RootCAs = capool
secure = withTLS
@@ -186,12 +186,12 @@ func loadTLSConfig(serverCAFile, clientCert, clientKey string) (credentials.Tran
if clientCert != "" || clientKey != "" {
certificate, err := tls.LoadX509KeyPair(clientCert, clientKey)
if err != nil {
return nil, errors.Wrap(errFailedToLoadClientCertKey, err), secure
return nil, secure, errors.Wrap(errFailedToLoadClientCertKey, err)
}
tlsConfig.Certificates = []tls.Certificate{certificate}
secure = withmTLS
tc = credentials.NewTLS(tlsConfig)
}
return tc, nil, secure
return tc, secure, nil
}
test/cvms/README.md
+16 -6
View File
@@ -15,10 +15,20 @@ The service is configured using the environment variables from the following tab
## Running
```shell
go run main.go <algo_path> <public_key_path> <attested_tls_bool> <dataset(s)_path>
```
Usage of tests/cvms/main.go:
-algo-path string
Path to the algorithm
-attested-tls-bool string
Should aTLS be used, must be 'true' or 'false'
-ca-url string
URL for certificate authority, optional flag that can only be used if aTLS is enabled
-cvm-id string
UUID for a CVM, optional flag that can only be used if aTLS is enabled
-data-paths string
Paths to data sources, list of string separated with commas
-public-key-path string
Path to the public key file
- `algo_path`: Path to the algorithm file (python file,docker image file, wasm, compiled binary) \
- `public_key_path`: Path to the public key file (PEM format) \
- `attested_tls_bool`: Boolean flag to enable/disable attested TLS (true/false) \
- `dataset(s)_path`: Path to one or more dataset files.
# Example
go run ./tests/cvms/main.go -algo-path <alog_path> -attested-tls-bool false -data-paths <data_paths> -public-key-path <public_key_path>
```
test/cvms/main.go
+7 -7
View File
@@ -106,8 +106,8 @@ func main() {
flagSet.StringVar(&pubKeyFile, "public-key-path", "", "Path to the public key file")
flagSet.StringVar(&attestedTLSString, "attested-tls-bool", "", "Should aTLS be used, must be 'true' or 'false'")
flagSet.StringVar(&dataPathString, "data-paths", "", "Paths to data sources, list of string separated with commas")
flagSet.StringVar(&caUrl, "ca-url", "", "URL for certificate authority, must be specified if aTLS is used")
flagSet.StringVar(&cvmId, "cvm-id", "", "UUID for a CVM, must be specified if aTLS is used")
flagSet.StringVar(&caUrl, "ca-url", "", "URL for certificate authority, optional flag that can only be used if aTLS is enabled")
flagSet.StringVar(&cvmId, "cvm-id", "", "UUID for a CVM, optional flag that can only be used if aTLS is enabled")
flagSetParseError := flagSet.Parse(os.Args[1:])
if flagSetParseError != nil {
@@ -145,13 +145,13 @@ func main() {
dataPaths = strings.Split(dataPathString, ",")
}
if err == nil && attestedTLS && caUrl == "" {
parsingErrorString.WriteString("CA URL is required if attested TLS is used\n")
if err == nil && caUrl != "" && !attestedTLS {
parsingErrorString.WriteString("CA URL is only available with attested TLS\n")
parsingError = true
}
if err == nil && attestedTLS && cvmId == "" {
parsingErrorString.WriteString("CVM UUID is required if attested TLS is used\n")
if err == nil && cvmId != "" && !attestedTLS {
parsingErrorString.WriteString("CVM UUID is only available with attested TLS\n")
parsingError = true
}
@@ -191,7 +191,7 @@ func main() {
return
}
gs := grpcserver.New(ctx, cancel, svcName, grpcServerConfig, registerAgentServiceServer, logger, nil, nil, caUrl, cvmId)
gs := grpcserver.New(ctx, cancel, svcName, grpcServerConfig, registerAgentServiceServer, logger, nil, caUrl, cvmId)
g.Go(func() error {
return gs.Start()