-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kbs: ita: Set hash algorithm based on TEE type #491
kbs: ita: Set hash algorithm based on TEE type #491
Conversation
Once I've taken it out of draft mode, this PR should land with confidential-containers/guest-components#712. |
if let Some(hash_algorithms_found) = tee_parameters.get(SUPPORTED_HASH_ALGORITHMS_JSON_KEY) | ||
{ | ||
if let Some(algorithms) = hash_algorithms_found.as_array() { | ||
let hash_algorithms: Vec<String> = algorithms | ||
.iter() | ||
.filter_map(|s| s.as_str()) | ||
.map(|s| s.to_lowercase()) | ||
.collect(); | ||
|
||
supported_hash_algorithms.append(&mut hash_algorithms.clone()); | ||
} else { | ||
return Err(anyhow!( | ||
"Intel Trust Authority: expected array, found {hash_algorithms_found:?}" | ||
)); | ||
} | ||
} else { | ||
log::info!("ITA: generate_challenge: no TEE hash parameters, so falling back to legacy behaviour"); | ||
|
||
return generic_generate_challenge(tee, tee_parameters).await; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could use
let Some(xxx) = yyy() else {
bail!(".....");
}
// do next steps with xxx
to avoid nested { ... }
s .
lazy_static! { | ||
/// The hash algorithm used for Intel SGX. | ||
static ref SGX_HASH_ALGORITHM: String = HashAlgorithm::Sha256.to_string().to_lowercase(); | ||
|
||
/// The hash algorithm used for Intel TDX. | ||
static ref TDX_HASH_ALGORITHM: String = HashAlgorithm::Sha512.to_string().to_lowercase(); | ||
|
||
static ref ERR_NO_TDX_ALGORITHM: String = format!( | ||
"Intel Trust Authority: {:?} not supported by TDX TEE", | ||
*TDX_HASH_ALGORITHM | ||
); | ||
static ref ERR_NO_SGX_ALGORITHM: String = format!( | ||
"Intel Trust Authority: {:?} not supported by SGX TEE", | ||
*TDX_HASH_ALGORITHM | ||
); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We might not need these consts. For SGX_HASH_ALGORITHM
, we can
enum HashAlgorithm {
#[strum(serialize = "sha256")]
Sha256,
...
}
...
if supported_hash_algorithms.contains(HashAlgorithm::Sha256.as_ref()) {
...
}
For errors, I suggest that directly use .context("...")
for extra error context.
f0c55f9
to
666d2c2
Compare
use crate::token::{ | ||
jwk::JwkAttestationTokenVerifier, AttestationTokenVerifier, AttestationTokenVerifierConfig, | ||
AttestationTokenVerifierType, | ||
}; | ||
use anyhow::*; | ||
use async_trait::async_trait; | ||
use attestation_service::HashAlgorithm; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had somehow missed this dependency earlier. This is slightly problematic as it is right now. This makes one AS to depend on another AS code just for the sake of HashAlgorithm
enum. Not only that but attestation-service/default
makes the build to include all of the CoCo-AS verifier dependencies, such as the vtpm stuff that now makes se CI docker build to fail because the ITA Dockerfile
does not have libtss2-dev
installed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Branch updated. I've made a local definition of HashAlgorithm
to resolve that issue.
Once this and confidential-containers/guest-components#712 land, I plan to tal at consolidating all the definitions though 😄
767a039
to
f8c34e9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if it would be better to move the hash_alg support to the protocol level instead of putting it into the schemaless extra_params field. it can be optional, defaulting to sha348. atm, this seems local to ITA and otherwise unspecified strings supported/selected-hash-algorithms
.
Sadly, this would need a (breaking) change on kbs-types, but it would make things a bit more explicit:
Challenge {
nonce String,
hash_alg: HashAlgorithm
extra_params: Value
}
Maybe, if we don't want to touch kbs-types we can also introduce trustee ExtraParams
that are more than just Value, but specify the hash_alg field.
.filter_map(|s| s.as_str()) | ||
.map(|s| s.to_lowercase()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if we're already filter_map'ing why map?
.filter_map(|s| s.as_str()) | |
.map(|s| s.to_lowercase()) | |
.filter_map(|s| s.as_str(). to_lowercase()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a bit ugly now, but updated.
|
||
if tee_parameters.is_null() { | ||
log::debug!( | ||
"ITA: generate_challenge: no TEE parameters so falling back to legacy behavour" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"ITA: generate_challenge: no TEE parameters so falling back to legacy behavour" | |
"ITA: generate_challenge: no TEE parameters so falling back to legacy behaviour" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
pub(crate) async fn generic_generate_challenge( | ||
_tee: Tee, | ||
_tee_parameters: serde_json::Value, | ||
) -> Result<Challenge> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why does this have params if we don't use them? Should we maybe do impl Default for Challenge
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was trying to make this a minimal change and if you look at the existing code, you'll see the same unused params.
Should we maybe do impl Default for Challenge?
I thought of that, but Challenge
is defined in the kbs-types
crate, so that can be done at a later time imho.
If the TEE specifies the hash algorithms it can use [1], add the appropriate hash algorithm to the returned `Challenge` [2]. For backwards compatibility, do not return the selected hash algorithm if the TEE does not provide the list of hash algorithms it can use. Partially-fixes: confidential-containers#242. [1] - In the optional `extra-params.supported-hash-algorithms` list. [2] - In `extra-params.selected-hash-algorithm`. Signed-off-by: James O. D. Hunt <[email protected]>
f8c34e9
to
12da724
Compare
@mkulke - Thanks for the review. I agree that this can all be improved, but since we'd really like this PR and confidential-containers/guest-components#712 to be in the next release, and since testing these takes some time, can we defer some of these comments until after the upcoming release(s)? |
I see |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. This should be part of the protocol imo but we can do that later.
I can create the follow-up ticket with additional thoughts. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall lgtm. Only one nit. Thanks! @jodh-intel
const ERR_NO_TEE_ALGOS: &str = "ITA: TEE does not support any hash algorithms"; | ||
const ERR_INVALID_TEE: &str = "ITA: Unknown TEE specified"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let me do a refactoring about error information assertion later. Now it's good to me.
return Err(anyhow!( | ||
"ITA: expected array, found {hash_algorithms_found:?}" | ||
)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return Err(anyhow!( | |
"ITA: expected array, found {hash_algorithms_found:?}" | |
)); | |
bail!( | |
"ITA: expected array, found {hash_algorithms_found:?}" | |
); |
Btw, shall we cut a release after ITA is supported on both gc and trustee side? |
I'm about to submit a PR for kustomization ( |
I've triggered the e2e tests as well, so let's wait for them to finish. |
Merged, thanks @jodh-intel for the work and all the reviewers for the reviews! :-) |
If the TEE specifies the hash algorithms it can use [1], add the appropriate hash algorithm to the returned
Challenge
[2].For backwards compatibility, do not return the selected hash algorithm if the TEE does not provide the list of hash algorithms it can use.
Partially-fixes: #242.
[1] - In the optional
extra-params.supported-hash-algorithms
list.[2] - In
extra-params.selected-hash-algorithm
.