diff --git a/Cargo.toml b/Cargo.toml
index edae7caf..e660d2b0 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -13,7 +13,7 @@ base64 = "0.13.0"
 bincode = { version = "1.3.3", optional = true }
 ctr = { version = "0.9.2", optional = true }
 foreign-types = { version = "0.5.0", optional = true }
-kbs-types = "0.2"
+kbs-types = { git = "https://github.com/chendave/kbs-types.git", branch = "demo1.0" }
 log = "0.4.14"
 openssl = { version = "0.10", features = ["vendored"], optional = true}
 prost = { version = "0.11.0", optional = true }
@@ -39,7 +39,7 @@ rstest = "0.16.0"
 tonic-build = { version = "0.8.0", optional = true }
 [features]
-default = ["sample_kbc", "rust-crypto"]
+default = ["sample_kbc", "rust-crypto", "cc_kbc"]
 cc_kbc = ["rand", "rsa", "sha2", "reqwest"]
 all-attesters = ["tdx-attester"]
diff --git a/src/kbc_modules/cc_kbc/attester/cca/cca-claims-without-realm-challenge.json b/src/kbc_modules/cc_kbc/attester/cca/cca-claims-without-realm-challenge.json
new file mode 100644
index 00000000..a7d379b8
--- /dev/null
+++ b/src/kbc_modules/cc_kbc/attester/cca/cca-claims-without-realm-challenge.json
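Review bot: The `kbs-types` dependency in the first hunk now points at a moving `branch = "demo1.0"` on a personal fork instead of a released version, so builds are no longer reproducible and the crate's contents can change underneath the project without any review on this side. At minimum pin a commit with `rev = "<commit-sha>"` (placeholder) alongside the branch, and for anything beyond a demo upstream the needed `kbs-types` change and return to a crates.io version. The second hunk makes `cc_kbc` a default feature, which pulls `rand`, `rsa`, `sha2` and `reqwest` into every default build; if that is only for the demo it deserves a comment in `[features]` or should stay opt-in.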
@@ -0,0 +1,50 @@ +{ + "cca-platform-token": { + "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0", + "cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", + "cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC", + "cca-platform-config": "AQID", + "cca-platform-lifecycle": 12288, + "cca-platform-sw-components": [ + { + "measurement-type": "BL", + "measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=", + "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=", + "version": "3.4.2" + }, + { + "measurement-type": "M1", + "measurement-value": "CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=", + "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=", + "version": "1.2.0" + }, + { + "measurement-type": "M2", + "measurement-value": "DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=", + "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=", + "version": "1.2.3" + }, + { + "measurement-type": "M3", + "measurement-value": "EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=", + "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=", + "version": "1.0.0" + } + ], + "cca-platform-service-indicator": "https://veraison.example/v1/challenge-response", + "cca-platform-hash-algo-id": "sha-256" + }, + "cca-realm-delegated-token": { + "cca-realm-personalization-value": "QURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBRA==", + "cca-realm-initial-measurement": "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==", + "cca-realm-extensible-measurements": [ + "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==", + "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==", + "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==", + "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==" + ], + 
"cca-realm-hash-algo-id": "sha-256", + "cca-realm-public-key": "BIL70TKptcOWh5+7FTQNkFCXjlXHnVJ5oroOlYVPN+IM0vZPO3K1cLvXc+7iznaEJe31Re2+if+v4OlrvUbicPIHlsRIuY2vRqdk0nRC5ubthPjOyBfm7ManHTo959Z+zQ==", + "cca-realm-public-key-hash-algo-id": "sha-512" + } +} diff --git a/src/kbc_modules/cc_kbc/attester/cca/mod.rs b/src/kbc_modules/cc_kbc/attester/cca/mod.rs new file mode 100644 index 00000000..da1f2649 --- /dev/null +++ b/src/kbc_modules/cc_kbc/attester/cca/mod.rs @@ -0,0 +1,30 @@ +// Copyright (c) 2023 Arm Ltd. +// +// SPDX-License-Identifier: Apache-2.0 +// + +use super::Attester; +use anyhow::*; +use std::env; + + +// If the environment variable "CCA_ATTESTER" is set, +// the TEE platform is considered as "CCA". +pub fn detect_platform() -> bool { + env::var("CCA_ATTESTER").is_ok() +} + + +#[derive(Debug, Default)] +pub struct CCAAttester {} + +// NOTE: If we sign the evidence here rather by a veraison proxy (proxy to veraison verifier), we need to rustify the cbor lib to support the logic around signature. +#[allow(unused_variables)] +impl Attester for CCAAttester { + fn get_evidence(&self, data: String) -> Result { + let s = std::include_str!("cca-claims-without-realm-challenge.json").as_bytes(); + let evidence = String::from_utf8_lossy(s); + println!("evidence: {}", evidence); + serde_json::to_string(&evidence).map_err(|_| anyhow!("Serialize evidence failed")) + } +} diff --git a/src/kbc_modules/cc_kbc/attester/mod.rs b/src/kbc_modules/cc_kbc/attester/mod.rs index 33838b15..78214ed8 100644 --- a/src/kbc_modules/cc_kbc/attester/mod.rs +++ b/src/kbc_modules/cc_kbc/attester/mod.rs @@ -6,6 +6,7 @@ use anyhow::*; pub mod sample; +pub mod cca; #[cfg(feature = "tdx-attester")] pub mod tdx; 
@@ -15,6 +16,7 @@ pub mod tdx; /// - Sgx: SGX TEE. /// - Sevsnp: SEV-SNP TEE. /// - Sample: A dummy TEE that used to test/demo the KBC functionalities. +/// - CCA: Arm Confidential Compute Architecture TEE. #[derive(Debug, EnumString, Display)] #[strum(ascii_case_insensitive, serialize_all = "lowercase")] pub enum Tee { @@ -22,6 +24,7 @@ pub enum Tee { Sgx, Sevsnp, Sample, + CCA, Unknown, } @@ -29,6 +32,7 @@ impl Tee { pub fn to_attester(&self) -> Result> { match self { Tee::Sample => Ok(Box::::default()), + Tee::CCA => Ok(Box::::default()), #[cfg(feature = "tdx-attester")] Tee::Tdx => Ok(Box::::default()), _ => bail!("TEE is not supported!"), @@ -45,6 +49,9 @@ pub fn detect_tee_type() -> Tee { if sample::detect_platform() { return Tee::Sample; } + if cca::detect_platform() { + return Tee::CCA; + } #[cfg(feature = "tdx-attester")] if tdx::detect_platform() { return Tee::Tdx;
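Review bot: The new `CCA` variant breaks the enum's naming convention (`Sgx`, `Sevsnp`, `Sample`, `Tdx`) and will be flagged by clippy's `upper_case_acronyms` lint. Because the enum uses `serialize_all = "lowercase"`, a `Cca` variant still parses and displays as `cca`, so renaming it in this hunk and in the `Tee::CCA` arms of the `to_attester` and `detect_tee_type` hunks is a drop-in change, with the doc line becoming `/// - Cca: Arm Confidential Compute Architecture TEE.`.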
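Review bot: `cca::detect_platform()` in the last hunk only tests whether the `CCA_ATTESTER` environment variable is set, so whoever controls the process environment selects this attester and receives the canned evidence, and with `cc_kbc` now a default feature that path is present in ordinary builds. The sample attester presumably works the same way (its `detect_platform` is outside the hunk), but the CCA check runs before the feature-gated tdx probe, so on a real TDX host a stray variable wins over the hardware-backed attester. Probing the hardware-backed attesters first, or guarding this check with a feature gate as `tdx` is guarded, would limit that, and the condition deserves a comment such as `// Demo only: selected purely by the CCA_ATTESTER environment variable.`.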