aa/attester: IBM SE use nonce to pass attestation request

Signed-off-by: Qi Feng Huo <[email protected]>
confidential-containers · Jun 4, 2024 · cdeabd4 · cdeabd4
1 parent ec50279
commit cdeabd4
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/attestation-agent/kbs_protocol/src/client/rcar_client.rs b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
@@ -7,6 +7,7 @@ use std::time::Duration;
 
 use anyhow::{bail, Context};
 use async_trait::async_trait;
+use base64::{engine::general_purpose::STANDARD, Engine};
 use kbs_types::{Attestation, Challenge, ErrorInformation, Request, Response, Tee};
 use log::{debug, warn};
 use resource_uri::ResourceUri;
@@ -141,7 +142,7 @@ impl KbsClient<Box<dyn EvidenceProvider>> {
         let runtime_data =
             serde_json::to_string(&runtime_data).context("serialize runtime data failed")?;
         let evidence = self
-            .generate_evidence(tee, runtime_data, challenge.extra_params)
+            .generate_evidence(tee, runtime_data, challenge.nonce)
             .await?;
         debug!("get evidence with challenge: {evidence}");
 
@@ -185,14 +186,17 @@ impl KbsClient<Box<dyn EvidenceProvider>> {
         &self,
         tee: Tee,
         runtime_data: String,
-        challenge_extra_params: String,
+        nonce: String,
     ) -> Result<String> {
+        debug!("Challenge nonce: {nonce}");
         let mut hasher = Sha384::new();
         hasher.update(runtime_data);
 
         let ehd = match tee {
-            // IBM SE uses challenge_extra_params as runtime_data to pass attestation_request
-            Tee::Se => challenge_extra_params.into_bytes(),
+            // IBM SE uses nonce as runtime_data to pass attestation_request
+            Tee::Se => STANDARD
+                .decode(nonce)
+                .map_err(|e| Error::GetEvidence(e.to_string()))?,
             _ => hasher.finalize().to_vec(),
         };