AA: kbs: Add supported hash algorithms to Request #712
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Xynnn007
reviewed
Sep 9, 2024
| @@ -0,0 +1,10 @@ | |||
| # Copyright (c) 2024 Intel Corporation | |||
There was a problem hiding this comment.
What about move this module under deps/crypto?
| } | ||
|
|
||
| /// Return a list of all supported hash algorithms. | ||
| pub fn get() -> Vec<HashAlgorithm> { |
There was a problem hiding this comment.
How about moving this function under impl HashAlgorithm and change a name? s.t.
pub fn list_all()-> Vec<Self> {
vec![
HashAlgorithm::Sha256,
HashAlgorithm::Sha384,
HashAlgorithm::Sha512,
]
}
Comment on lines
175
to
183
| let algorithm = if let Some(selected_hash_algorithm) = | ||
| extra_params.get(SELECTED_HASH_ALGORITHM_JSON_KEY) | ||
| { | ||
| // Note the blank string which will be handled as an error when parsed. | ||
| let name = selected_hash_algorithm | ||
| .as_str() | ||
| .unwrap_or("") | ||
| .to_lowercase(); | ||
|
|
||
| name.parse::<HashAlgorithm>() | ||
| .map_err(|_| Error::InvalidHashAlgorithm(name))? | ||
| } else { | ||
| DEFAULT_HASH_ALGORITHM | ||
| }; |
There was a problem hiding this comment.
How about using match instead of let if? That would look simpler
Comment on lines
249
to
282
| let hashed_data = match algorithm { | ||
| HashAlgorithm::Sha256 => { | ||
| let mut hasher = Sha256::new(); | ||
|
|
||
| hasher.update(runtime_data); | ||
|
|
||
| match tee { | ||
| // IBM SE uses nonce as runtime_data to pass attestation_request | ||
| Tee::Se => nonce.into_bytes(), | ||
| _ => hasher.finalize().to_vec(), | ||
| } | ||
| } | ||
| HashAlgorithm::Sha384 => { | ||
| let mut hasher = Sha384::new(); | ||
|
|
||
| hasher.update(runtime_data); | ||
|
|
||
| match tee { | ||
| // IBM SE uses nonce as runtime_data to pass attestation_request | ||
| Tee::Se => nonce.into_bytes(), | ||
| _ => hasher.finalize().to_vec(), | ||
| } | ||
| } | ||
| HashAlgorithm::Sha512 => { | ||
| let mut hasher = Sha512::new(); | ||
|
|
||
| hasher.update(runtime_data); | ||
|
|
||
| match tee { | ||
| // IBM SE uses nonce as runtime_data to pass attestation_request | ||
| Tee::Se => nonce.into_bytes(), | ||
| _ => hasher.finalize().to_vec(), | ||
| } | ||
| } |
There was a problem hiding this comment.
We have HashAlgorithm::digest() function that could help to avoid the match arms here.
jodh-intel
force-pushed
the
aa-advertise-hash-algorithms
branch
from
f61b511 to
f38d847
Compare
jodh-intel
force-pushed
the
aa-advertise-hash-algorithms
branch
from
f38d847 to
a2f4428
Compare
Split the algorithms code out of the AA eventlog and move it to the local `crypto` crate. Doing this allows other crates to consume the code rather than duplicating the logic. Signed-off-by: James O. D. Hunt <[email protected]>
Split the `rcar_handshake()` method so that the request is now built by a the new `build_request()` function. Signed-off-by: James O. D. Hunt <[email protected]>
jodh-intel
force-pushed
the
aa-advertise-hash-algorithms
branch
2 times, most recently
from
0099976 to
9fe321f
Compare
mkulke
approved these changes
Sep 10, 2024
| // Note the blank string which will be handled as an error when parsed. | ||
| let name = selected_hash_algorithm | ||
| .as_str() | ||
| .unwrap_or("") |
There was a problem hiding this comment.
nit: i'd use .ok_or(Error::NotAString(selected_hash_algorithm))? or something, otherwise we might swallow a malformed extra_params body
Add a `supported-hash-algorithms` list to the `Request` to allow the returned `Challenge` to select an appropriate TEE-specific algorithm from the list. Signed-off-by: James O. D. Hunt <[email protected]>
jodh-intel
force-pushed
the
aa-advertise-hash-algorithms
branch
from
9fe321f to
3f50b50
Compare
|
I am doing an E2E test with this PR and the ones on the Trustee side. |
huoqifeng
approved these changes
Sep 11, 2024
|
I was able to validate this in an E2E workflow, also testing the patches from trustee and also with changes to come on Kata Containers. Merging this now, thanks @jodh-intel for the work, and thanks all the reviewers for reviews! |
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add a
supported-hash-algorithmslist to theRequestto allow thereturned
Challengeto select an appropriate TEE-specific algorithmfrom the list.
Signed-off-by: James O. D. Hunt [email protected]