WIP - New tee type: CCA (Confidential Compute Architecture) #184
Conversation
|
/hold |
chendave
changed the title
Cargo.toml
Outdated
| @@ -39,7 +39,7 @@ rstest = "0.16.0" | |||
| tonic-build = { version = "0.8.0", optional = true } | |||
|
|
|||
| [features] | |||
| default = ["sample_kbc", "rust-crypto"] | |||
| default = ["sample_kbc", "rust-crypto", "cc_kbc"] | |||
There was a problem hiding this comment.
Is this just for testing?
Note how other platforms have an additional feature to build their attester. You may want to add something similar.
There was a problem hiding this comment.
yes, this will be reverted I think.
| // If the environment variable "CCA_ATTESTER" is set, | ||
| // the TEE platform is considered as "CCA". | ||
| pub fn detect_platform() -> bool { | ||
| env::var("CCA_ATTESTER").is_ok() |
There was a problem hiding this comment.
Who sets this? Is there a way to query the platform more directly like via cpuid?
There was a problem hiding this comment.
I was thinking this might be an env, just like AA_SAMPLE_ATTESTER_TEST, query from platform is a great idea. Let's see if we can move toward that.
| #[allow(unused_variables)] | ||
| impl Attester for CCAAttester { | ||
| fn get_evidence(&self, data: String) -> Result<String> { | ||
| let s = std::include_str!("cca-claims-without-realm-challenge.json").as_bytes(); |
There was a problem hiding this comment.
This is some kind of placeholder?
There was a problem hiding this comment.
currently, I don't have a elegant way to get back the evidence, so just load it in this way instead, this will be updated if we there is any progress for us to get back the real evidence.
| #[derive(Debug, EnumString, Display)] | ||
| #[strum(ascii_case_insensitive, serialize_all = "lowercase")] | ||
| pub enum Tee { | ||
| Tdx, | ||
| Sgx, | ||
| Sevsnp, | ||
| Sample, | ||
| CCA, |
@fitzthum thanks a lot for your review, any comments is highly appreciated! |
chendave
force-pushed
the
demo1.0
branch
4 times, most recently
from
f9a3445
to
1393c4e
Compare
The evidence is currently loaded from disk, it's actually a placeholder and should be updated if there is way available to get back the real evidence. Signed-off-by: Dave Chen <[email protected]>
support ARM CCA (Confidential Compute Architecture), the evidence is loaded from the disk atm, this should be improved when there is a proper way to fetch the evidence instead.