aa/attester: add IBM Secure Execution evidence driver framework

Signed-off-by: Qi Feng Huo <[email protected]>

Cargo.toml

@@ -39,7 +39,7 @@ env_logger = "0.10.0"
 hex = "0.4.3"
 hmac = "0.12.1"
 jwt-simple = "0.11"
-kbs-types = "0.5.3"
+kbs-types = { git = "https://github.com/huoqifeng/kbs-types.git", branch = "s390x-se" }
 lazy_static = "1.4.0"
 log = "0.4.14"
 openssl = "0.10"

Makefile

@@ -35,6 +35,8 @@ else ifeq ($(TEE_PLATFORM), snp)
   ATTESTER = snp-attester
 else ifeq ($(TEE_PLATFORM), az-snp-vtpm)
   ATTESTER = az-snp-vtpm-attester
+else ifeq ($(TEE_PLATFORM), se)
+  ATTESTER = se-attester
 else ifeq ($(TEE_PLATFORM), all)
   LIBC = gnu
   ATTESTER = all-attesters

README.md

@@ -40,6 +40,7 @@ The `TEE_PLATFORM` parameter can be
 - `snp`: for AMD SEV-SNP
 - `amd`: for both AMD SEV(-ES) and AMD SEV-SNP
 - `az-snp-vtpm`: for AMD SEV-SNP with Azure vTPM
+- `se`: for IBM Secure Execution (SE)
 
 by default, `kbs`/`sev` as a resource provider will be built in Confidential Data Hub. If you do not want enable any
 default except for only builtin `offline-fs-kbc`, you can build with `NO_RESOURCE_PROVIDER` flag set to `true`.

attestation-agent/README.md

@@ -118,6 +118,7 @@ AA supports different kinds of hardware TEE attesters, now
 | az-snp-vtpm-attester| Azure SEV-SNP CVM           |
 | az-tdx-vtpm-attester| Azure TDX CVM               |
 | cca-attester        | Arm Confidential Compute Architecture (CCA)  |
+| se-attester         | IBM Secure Execution (SE)   |
 
 To build AA with all available attesters and install, use
 ```shell

attestation-agent/attestation-agent/Cargo.toml

@@ -60,6 +60,7 @@ sgx-attester = ["kbs_protocol/sgx-attester", "attester/sgx-attester"]
 az-snp-vtpm-attester = ["kbs_protocol/az-snp-vtpm-attester", "attester/az-snp-vtpm-attester"]
 az-tdx-vtpm-attester = ["kbs_protocol/az-tdx-vtpm-attester", "attester/az-tdx-vtpm-attester"]
 snp-attester = ["kbs_protocol/snp-attester", "attester/snp-attester"]
+se-attester = ["kbs_protocol/se-attester", "attester/se-attester"]
 
 # Either `rust-crypto` or `openssl` should be enabled to work as underlying crypto module
 rust-crypto = ["kbs_protocol?/rust-crypto"]

attestation-agent/attester/Cargo.toml

@@ -50,6 +50,7 @@ all-attesters = [
     "snp-attester",
     "csv-attester",
     "cca-attester",
+    "se-attester",
 ]
 
 # tsm-report enables a module that helps attesters to use Linux TSM_REPORTS for generating
@@ -63,5 +64,6 @@ az-tdx-vtpm-attester = ["az-tdx-vtpm"]
 snp-attester = ["sev"]
 csv-attester = ["csv-rs", "codicon", "hyper", "hyper-tls", "tokio"]
 cca-attester = ["nix"]
+se-attester  = []
 
 bin = ["tokio/rt", "tokio/macros", "all-attesters"]

attestation-agent/attester/src/lib.rs

@@ -33,6 +33,9 @@ pub mod csv;
 #[cfg(feature = "tsm-report")]
 pub mod tsm_report;
 
+#[cfg(feature = "se-attester")]
+pub mod se;
+
 pub type BoxedAttester = Box<dyn Attester + Send + Sync>;
 
 impl TryFrom<Tee> for BoxedAttester {
@@ -55,6 +58,8 @@ impl TryFrom<Tee> for BoxedAttester {
             Tee::Snp => Box::<snp::SnpAttester>::default(),
             #[cfg(feature = "csv-attester")]
             Tee::Csv => Box::<csv::CsvAttester>::default(),
+            #[cfg(feature = "se-attester")]
+            Tee::Se => Box::<se::SeAttester>::default(),
             _ => bail!("TEE is not supported!"),
         };
 
@@ -126,6 +131,11 @@ pub fn detect_tee_type() -> Tee {
         return Tee::Cca;
     }
 
+    #[cfg(feature = "se-attester")]
+    if se::detect_platform() {
+        return Tee::Se;
+    }
+
     log::warn!("No TEE platform detected. Sample Attester will be used.");
     Tee::Sample
 }

attestation-agent/attester/src/se/mod.rs

@@ -0,0 +1,58 @@
+// Copyright (C) Copyright IBM Corp. 2024
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use super::Attester;
+use crate::se::seattest::FakeSeAttest;
+use crate::se::seattest::SeImplAttester;
+use anyhow::*;
+use base64::prelude::*;
+use serde::{Deserialize, Serialize};
+
+pub mod seattest;
+
+pub fn detect_platform() -> bool {
+    // TODO replace FakeSeAttest with real crate
+    let attester = FakeSeAttest::default();
+    attester.is_se_guest()
+}
+
+#[derive(Serialize, Deserialize)]
+struct SeEvidence {
+    quote: Vec<u8>,
+}
+
+#[derive(Debug, Default)]
+pub struct SeAttester {}
+
+#[async_trait::async_trait]
+impl Attester for SeAttester {
+    async fn get_evidence(&self, _challenge: Vec<u8>) -> Result<String> {
+        // TODO replace FakeSeAttest with real crate
+        let attester = FakeSeAttest::default();
+
+        // TODO, append attesttaion request in KBS payload
+        // We want get challenge.extra_params from the input challenge, hashed string is not good.
+        let attestation_request_bin = Vec::new();
+        let userdata = Vec::new();
+        let evidence = attester.perform(attestation_request_bin, userdata).await?;
+
+        Ok(BASE64_STANDARD.encode(evidence))
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[ignore]
+    #[tokio::test]
+    async fn test_se_get_evidence() {
+        let attester = SeAttester::default();
+        let report_data: Vec<u8> = vec![0; 64];
+
+        let evidence = attester.get_evidence(report_data).await;
+        assert!(evidence.is_ok());
+    }
+}

attestation-agent/attester/src/se/seattest.rs

@@ -0,0 +1,27 @@
+// Copyright (C) Copyright IBM Corp. 2024
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use anyhow::*;
+use async_trait;
+
+#[derive(Default)]
+pub struct FakeSeAttest {}
+
+#[async_trait::async_trait]
+pub trait SeImplAttester {
+    fn is_se_guest(&self) -> bool;
+    async fn perform(&self, _request: Vec<u8>, _userdata: Vec<u8>) -> Result<Vec<u8>>;
+}
+
+#[async_trait::async_trait]
+impl SeImplAttester for FakeSeAttest {
+    fn is_se_guest(&self) -> bool {
+        true
+    }
+
+    async fn perform(&self, _request: Vec<u8>, _userdata: Vec<u8>) -> Result<Vec<u8>> {
+        Result::Ok("test".as_bytes().to_vec())
+    }
+}

attestation-agent/kbc/Cargo.toml

@@ -44,6 +44,7 @@ az-snp-vtpm-attester= ["kbs_protocol/az-snp-vtpm-attester"]
 az-tdx-vtpm-attester= ["kbs_protocol/az-tdx-vtpm-attester"]
 snp-attester = ["kbs_protocol/snp-attester"]
 cca-attester = ["kbs_protocol/cca-attester"]
+se-attester  = ["kbs_protocol/se-attester"]
 
 sample_kbc = []
 eaa_kbc = ["foreign-types"]

attestation-agent/kbs_protocol/Cargo.toml

@@ -52,6 +52,7 @@ az-tdx-vtpm-attester = ["attester/az-tdx-vtpm-attester"]
 snp-attester = ["attester/snp-attester"]
 csv-attester = ["attester/csv-attester"]
 cca-attester = ["attester/cca-attester"]
+se-attester  = ["attester/se-attester"]
 
 rust-crypto = ["reqwest/rustls-tls", "crypto/rust-crypto"]
 openssl = ["reqwest/native-tls-vendored", "crypto/openssl"]

attestation-agent/kbs_protocol/src/client/rcar_client.rs

@@ -137,7 +137,9 @@ impl KbsClient<Box<dyn EvidenceProvider>> {
         let runtime_data = json!({
             "tee-pubkey": tee_pubkey,
             "nonce": challenge.nonce,
+            // IBM-SE TODO "extra-params": challenge.extra_params,
         });
+        // IBM-SE TODO we want use challenge.extra_params in attester.get_evidence, so we can not hash runtime_data in generate_evidence(runtime_data)
         let runtime_data =
             serde_json::to_string(&runtime_data).context("serialize runtime data failed")?;
         let evidence = self.generate_evidence(runtime_data).await?;
@@ -183,6 +185,7 @@ impl KbsClient<Box<dyn EvidenceProvider>> {
         let mut hasher = Sha384::new();
         hasher.update(runtime_data);
 
+        // IBM-SE TODO, we don't want pass a hash sting but a json string here.
         let ehd = hasher.finalize().to_vec();
 
         let tee_evidence = self
@@ -308,7 +311,9 @@ mod test {
         policy.push("test/policy.rego");
 
         let image = GenericImage::new(
-            "ghcr.io/confidential-containers/staged-images/kbs",
+            //"ghcr.io/confidential-containers/staged-images/kbs",
+            // TODO, rollback it and use a kbs with se tee implemented
+            "ibmhuoqif/kbs",
             "latest",
         )
         .with_exposed_port(8085)

attestation-agent/kbs_protocol/test/policy.rego

@@ -5,3 +5,7 @@ default allow = false
 allow {
 	input["tee"] == "sample"
 }
+
+allow {
+        input["tee"] == "se"
+}