From ebfbab8d99543182f269a87102e297fd41e95148 Mon Sep 17 00:00:00 2001 From: Qi Feng Huo Date: Mon, 3 Jun 2024 22:59:51 +0800 Subject: [PATCH] aa/attester: IBM SE fix review comments Signed-off-by: Qi Feng Huo --- attestation-agent/attester/Cargo.toml | 1 + attestation-agent/attester/src/se/ibmse.rs | 105 -------------------- attestation-agent/attester/src/se/mod.rs | 106 +++++++++++++++++---- 3 files changed, 88 insertions(+), 124 deletions(-) delete mode 100644 attestation-agent/attester/src/se/ibmse.rs diff --git a/attestation-agent/attester/Cargo.toml b/attestation-agent/attester/Cargo.toml index 6608e964a..0cdafae13 100644 --- a/attestation-agent/attester/Cargo.toml +++ b/attestation-agent/attester/Cargo.toml @@ -53,6 +53,7 @@ all-attesters = [ "snp-attester", "csv-attester", "cca-attester", + # se-attester feature can work only on s390x target arch. "se-attester", ] diff --git a/attestation-agent/attester/src/se/ibmse.rs b/attestation-agent/attester/src/se/ibmse.rs deleted file mode 100644 index 986f10382..000000000 --- a/attestation-agent/attester/src/se/ibmse.rs +++ /dev/null @@ -1,105 +0,0 @@ -// Copyright (C) Copyright IBM Corp. 2024 -// -// SPDX-License-Identifier: Apache-2.0 -// - -use anyhow::{anyhow, Result}; -use log::debug; -use pv::{ - request::BootHdrTags, - uv::{AttestationCmd, ConfigUid, UvDevice}, -}; -use serde::{Deserialize, Serialize}; -use serde_json; -use serde_with::{base64::Base64, serde_as}; - -#[allow(unreachable_code)] -pub fn is_se_guest() -> bool { - #[cfg(not(target_arch = "s390x"))] - return false; - - let v = std::fs::read("/sys/firmware/uv/prot_virt_guest").unwrap_or_else(|_| vec![0]); - let v: u8 = String::from_utf8_lossy(&v[..1]).parse().unwrap_or(0); - v == 1 -} - -#[serde_as] -#[derive(Clone, Debug, Serialize, Deserialize)] -pub struct UserData { - #[serde_as(as = "Base64")] - image_btph: Vec, -} - -#[serde_as] -#[derive(Debug, Serialize, Deserialize)] -pub struct SeAttestationRequest { - #[serde_as(as = "Base64")] - request_blob: Vec, - measurement_size: u32, - additional_size: u32, - #[serde_as(as = "Base64")] - encr_measurement_key: Vec, - #[serde_as(as = "Base64")] - encr_request_nonce: Vec, - #[serde_as(as = "Base64")] - image_hdr_tags: BootHdrTags, -} - -#[serde_as] -#[derive(Clone, Debug, Serialize, Deserialize)] -pub struct SeAttestationResponse { - #[serde_as(as = "Base64")] - measurement: Vec, - #[serde_as(as = "Base64")] - additional_data: Vec, - #[serde_as(as = "Base64")] - user_data: Vec, - #[serde_as(as = "Base64")] - cuid: ConfigUid, - #[serde_as(as = "Base64")] - encr_measurement_key: Vec, - #[serde_as(as = "Base64")] - encr_request_nonce: Vec, - #[serde_as(as = "Base64")] - image_hdr_tags: BootHdrTags, -} - -pub fn calc_userdata() -> Result { - // TODO, calculate optional userdata based on the boot partition etc. - let image_btph = "optional check"; - Ok(UserData { - image_btph: image_btph.into(), - }) -} - -pub fn perform(req: &[u8]) -> Result { - let userdata = calc_userdata()?; - debug!("userdata json: {:#?}", &userdata.clone()); - // req is serialized SeAttestationRequest String bytes - let request: SeAttestationRequest = serde_json::from_slice(req)?; - let user_data = serde_json::to_vec(&userdata)?; - let mut uvc: AttestationCmd = AttestationCmd::new_request( - request.request_blob.clone().into(), - Some(user_data.to_vec()), - request.measurement_size, - request.additional_size, - )?; - let uv = UvDevice::open()?; - uv.send_cmd(&mut uvc)?; - let cuid = uvc.cuid(); - let additional_data = uvc - .additional_owned() - .ok_or(anyhow!("Failed to get additinal data."))?; - let response: SeAttestationResponse = SeAttestationResponse { - measurement: uvc.measurement().to_vec(), - additional_data, - user_data, - cuid: *cuid, - encr_measurement_key: request.encr_measurement_key, - encr_request_nonce: request.encr_request_nonce, - image_hdr_tags: request.image_hdr_tags, - }; - - debug!("response json: {:#?}", response.clone()); - Ok(serde_json::to_string(&response)?) -} diff --git a/attestation-agent/attester/src/se/mod.rs b/attestation-agent/attester/src/se/mod.rs index 2b9509511..582f8ae95 100644 --- a/attestation-agent/attester/src/se/mod.rs +++ b/attestation-agent/attester/src/se/mod.rs @@ -5,11 +5,61 @@ use super::Attester; use anyhow::*; - -pub mod ibmse; +use log::debug; +use pv::{ + request::BootHdrTags, + uv::{AttestationCmd, ConfigUid, UvDevice}, +}; +use serde::{Deserialize, Serialize}; +use serde_json; +use serde_with::{base64::Base64, serde_as}; pub fn detect_platform() -> bool { - ibmse::is_se_guest() + // run always on s390x machine + let v = std::fs::read("/sys/firmware/uv/prot_virt_guest").unwrap_or_else(|_| vec![0]); + let v: u8 = String::from_utf8_lossy(&v[..1]).parse().unwrap_or(0); + v == 1 +} + +#[serde_as] +#[derive(Clone, Debug, Serialize, Deserialize)] +pub struct UserData { + #[serde_as(as = "Base64")] + image_btph: Vec, +} + +#[serde_as] +#[derive(Debug, Serialize, Deserialize)] +pub struct SeAttestationRequest { + #[serde_as(as = "Base64")] + request_blob: Vec, + measurement_size: u32, + additional_size: u32, + #[serde_as(as = "Base64")] + encr_measurement_key: Vec, + #[serde_as(as = "Base64")] + encr_request_nonce: Vec, + #[serde_as(as = "Base64")] + image_hdr_tags: BootHdrTags, +} + +#[serde_as] +#[derive(Clone, Debug, Serialize, Deserialize)] +pub struct SeAttestationResponse { + #[serde_as(as = "Base64")] + measurement: Vec, + #[serde_as(as = "Base64")] + additional_data: Vec, + #[serde_as(as = "Base64")] + user_data: Vec, + #[serde_as(as = "Base64")] + cuid: ConfigUid, + #[serde_as(as = "Base64")] + encr_measurement_key: Vec, + #[serde_as(as = "Base64")] + encr_request_nonce: Vec, + #[serde_as(as = "Base64")] + image_hdr_tags: BootHdrTags, } #[derive(Debug, Default)] @@ -17,23 +67,41 @@ pub struct SeAttester {} #[async_trait::async_trait] impl Attester for SeAttester { - async fn get_evidence(&self, attestation_request: Vec) -> Result { - // attestation_request is serialized SeAttestationRequest String bytes - ibmse::perform(&attestation_request) - } -} - -#[cfg(test)] -mod tests { - use super::*; + async fn get_evidence(&self, req: Vec) -> Result { + // req is serialized SeAttestationRequest String bytes + // TODO, calculate optional userdata based on the boot partition etc. + let image_btph = "optional check"; + let userdata = UserData { + image_btph: image_btph.into(), + }; - #[ignore] - #[tokio::test] - async fn test_se_get_evidence() { - let attester = SeAttester::default(); - let report_data: Vec = vec![0; 64]; + debug!("userdata json: {:#?}", &userdata.clone()); + // req is serialized SeAttestationRequest String bytes + let request: SeAttestationRequest = serde_json::from_slice(req)?; + let user_data = serde_json::to_vec(&userdata)?; + let mut uvc: AttestationCmd = AttestationCmd::new_request( + request.request_blob.clone().into(), + Some(user_data.to_vec()), + request.measurement_size, + request.additional_size, + )?; + let uv = UvDevice::open()?; + uv.send_cmd(&mut uvc)?; + let cuid = uvc.cuid(); + let additional_data = uvc + .additional_owned() + .ok_or(anyhow!("Failed to get additinal data."))?; + let response: SeAttestationResponse = SeAttestationResponse { + measurement: uvc.measurement().to_vec(), + additional_data, + user_data, + cuid: *cuid, + encr_measurement_key: request.encr_measurement_key, + encr_request_nonce: request.encr_request_nonce, + image_hdr_tags: request.image_hdr_tags, + }; - let evidence = attester.get_evidence(report_data).await; - assert!(evidence.is_ok()); + debug!("response json: {:#?}", response.clone()); + Ok(serde_json::to_string(&response)?) } }