diff --git a/Cargo.toml b/Cargo.toml
index 220d61239..6e58b28ff 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -34,7 +34,9 @@ ctr = "0.9.2"
 env_logger = "0.11.6"
 hex = "0.4.3"
 hmac = "0.12.1"
-jwt-simple = { version = "0.12", default-features = false, features = ["pure-rust"] }
+jwt-simple = { version = "0.12", default-features = false, features = [
+ "pure-rust",
+] }
 kbs-types = "0.7.0"
 log = "0.4.22"
 nix = "0.29"
diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
index 667969a72..411f212f3 100644
--- a/attestation-agent/kbs_protocol/Cargo.toml
+++ b/attestation-agent/kbs_protocol/Cargo.toml
@@ -16,7 +16,7 @@ env_logger = { workspace = true, optional = true }
 jwt-simple.workspace = true
 kbs-types.workspace = true
 log.workspace = true
-protobuf = { workspace = true, optional = true}
+protobuf = { workspace = true, optional = true }
 reqwest = { workspace = true, features = ["cookies", "json"], optional = true }
 resource_uri.path = "../deps/resource_uri"
 serde.workspace = true
@@ -24,7 +24,7 @@ serde_json.workspace = true
 sha2.workspace = true
 thiserror.workspace = true
 tokio.workspace = true
-ttrpc = { workspace = true, optional = true}
+ttrpc = { workspace = true, optional = true }
 url.workspace = true
 zeroize.workspace = true
@@ -33,7 +33,7 @@ rstest.workspace = true
 serial_test.workspace = true
 tempfile.workspace = true
 testcontainers.workspace = true
-tokio = { workspace = true, features = [ "rt", "macros", "fs", "process" ]}
+tokio = { workspace = true, features = ["rt", "macros", "fs", "process"] }
 [build-dependencies]
 ttrpc-codegen = { workspace = true, optional = true }
@@ -46,8 +46,8 @@ required-features = ["bin"]
 default = ["background_check", "passport", "rust-crypto", "all-attesters"]
 passport = []
-# use a client of attestation-agent to get token for kbs
-aa_token = ["ttrpc-codegen", "passport", "ttrpc/async", "protobuf"]
+# Allow to connect Attestation-Agent with TTRPC to get evidence, token, etc.
+aa_ttrpc = ["ttrpc-codegen", "passport", "ttrpc/async", "protobuf"]
 background_check = ["tokio/time"]
 all-attesters = ["attester/all-attesters"]
@@ -58,7 +58,7 @@ az-tdx-vtpm-attester = ["attester/az-tdx-vtpm-attester"]
 snp-attester = ["attester/snp-attester"]
 csv-attester = ["attester/csv-attester"]
 cca-attester = ["attester/cca-attester"]
-se-attester = ["attester/se-attester"]
+se-attester = ["attester/se-attester"]
 rust-crypto = ["reqwest/rustls-tls", "crypto/rust-crypto"]
 openssl = ["reqwest/native-tls-vendored", "crypto/openssl"]
diff --git a/attestation-agent/kbs_protocol/build.rs b/attestation-agent/kbs_protocol/build.rs
index 5bb896da4..4998a27cc 100644
--- a/attestation-agent/kbs_protocol/build.rs
+++ b/attestation-agent/kbs_protocol/build.rs
@@ -4,7 +4,7 @@
 //
 fn main() -> Result<(), Box> {
- #[cfg(feature = "aa_token")]
+ #[cfg(feature = "aa_ttrpc")]
 {
 use std::fs::File;
 use std::io::{Read, Write};
@@ -28,7 +28,7 @@ fn main() -> Result<(), Box> {
 }
 ttrpc_codegen::Codegen::new()
- .out_dir("src/token_provider/aa")
+ .out_dir("src/ttrpc_protos")
 .include("../protos")
 .inputs(["../protos/attestation-agent.proto"])
 .rust_protobuf()
@@ -42,7 +42,7 @@ fn main() -> Result<(), Box> {
 // Fix clippy warnings of code generated from ttrpc_codegen
 replace_text_in_file(
- "src/token_provider/aa/attestation_agent_ttrpc.rs",
+ "src/ttrpc_protos/attestation_agent_ttrpc.rs",
 "client: client",
 "client",
 )?;
diff --git a/attestation-agent/kbs_protocol/src/error.rs b/attestation-agent/kbs_protocol/src/error.rs
index 5a75d59cb..15cbb4fac 100644
--- a/attestation-agent/kbs_protocol/src/error.rs
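Review bot: Renaming the public cargo feature `aa_token` to `aa_ttrpc` in the `[features]` hunk without a compatibility alias breaks any out-of-tree crate that depends on `kbs_protocol` with `features = ["aa_token"]`; only the in-repo confidential-data-hub consumer is updated in this commit. Keeping `aa_token = ["aa_ttrpc"]` next to the new feature as a deprecated alias would let downstream users migrate without a build break. The new comment could also be tightened to `# Connect to the Attestation-Agent over ttrpc to obtain evidence, tokens, etc.`.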
+++ b/attestation-agent/kbs_protocol/src/error.rs
@@ -9,6 +9,9 @@ pub type Result = std::result::Result;
 #[derive(Error, Debug)]
 pub enum Error {
+ #[error("Attestation Agent evidence provider error: {0}")]
+ AAEvidenceProvider(String),
+
 #[error("Attestation Agent token provider error: {0}")]
 AATokenProvider(String),
diff --git a/attestation-agent/kbs_protocol/src/evidence_provider/aa_ttrpc.rs b/attestation-agent/kbs_protocol/src/evidence_provider/aa_ttrpc.rs
new file mode 100644
index 000000000..79d35cfc1
--- /dev/null
+++ b/attestation-agent/kbs_protocol/src/evidence_provider/aa_ttrpc.rs
@@ -0,0 +1,79 @@
+// Copyright (c) 2025 Alibaba Cloud
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use async_trait::async_trait;
+use kbs_types::Tee;
+use serde_json::json;
+use ttrpc::context;
+
+use crate::{
+ ttrpc_protos::{
+ attestation_agent::{GetEvidenceRequest, GetTeeTypeRequest},
+ attestation_agent_ttrpc::AttestationAgentServiceClient,
+ },
+ Error, Result,
+};
+
+use super::EvidenceProvider;
+
+const AA_SOCKET_FILE: &str =
+ "unix:///run/confidential-containers/attestation-agent/attestation-agent.sock";
+
+/// The timeout for ttrpc call to Attestation Agent
+const AA_TTRPC_TIMEOUT_SECONDS: i64 = 50;
+
+pub struct AAEvidenceProvider {
+ client: AttestationAgentServiceClient,
+}
+
+impl AAEvidenceProvider {
+ pub async fn new() -> Result {
+ let c = ttrpc::r#async::Client::connect(AA_SOCKET_FILE)
+ .map_err(|e| Error::AATokenProvider(format!("ttrpc connect failed {e}")))?;
+ let client = AttestationAgentServiceClient::new(c);
+ Ok(Self { client })
+ }
+}
+
+#[async_trait]
+impl EvidenceProvider for AAEvidenceProvider {
+ /// Get evidence with as runtime data (report data, challege)
+ async fn get_evidence(&self, runtime_data: Vec) -> Result {
+ let req = GetEvidenceRequest {
+ RuntimeData: runtime_data,
+ ..Default::default()
+ };
+ let res = self
+ .client
+ .get_evidence(
+ context::with_timeout(AA_TTRPC_TIMEOUT_SECONDS * 1000 * 1000 * 1000),
+ &req,
+ )
+ .await
+ .map_err(|e| Error::AAEvidenceProvider(format!("call ttrpc failed: {e}")))?;
+ let evidence = String::from_utf8(res.Evidence)
+ .map_err(|e| Error::AAEvidenceProvider(format!("non-utf8 evidence: {e}")))?;
+ Ok(evidence)
+ }
+
+ /// Get the underlying Tee type
+ async fn get_tee_type(&self) -> Result {
+ let req = GetTeeTypeRequest {
+ ..Default::default()
+ };
+ let res = self
+ .client
+ .get_tee_type(
+ context::with_timeout(AA_TTRPC_TIMEOUT_SECONDS * 1000 * 1000 * 1000),
+ &req,
+ )
+ .await
+ .map_err(|e| Error::AAEvidenceProvider(format!("call ttrpc failed: {e}")))?;
+
+ let tee = serde_json::from_value(json!(res.tee))
+ .map_err(|e| Error::AAEvidenceProvider(format!("failed to parse Tee type: {e}")))?;
+ Ok(tee)
+ }
+}
diff --git a/attestation-agent/kbs_protocol/src/evidence_provider/mod.rs b/attestation-agent/kbs_protocol/src/evidence_provider/mod.rs
index 51b8fea33..404f4c51d 100644
--- a/attestation-agent/kbs_protocol/src/evidence_provider/mod.rs
+++ b/attestation-agent/kbs_protocol/src/evidence_provider/mod.rs
@@ -9,6 +9,11 @@ pub use native::*;
 pub mod mock;
 pub use mock::*;
+#[cfg(feature = "aa_ttrpc")]
+pub mod aa_ttrpc;
+#[cfg(feature = "aa_ttrpc")]
+pub use aa_ttrpc::*;
+
 use crate::Result;
 use async_trait::async_trait;
 use kbs_types::Tee;
diff --git a/attestation-agent/kbs_protocol/src/lib.rs b/attestation-agent/kbs_protocol/src/lib.rs
index eb4bd6d0b..59cd5b1aa 100644
--- a/attestation-agent/kbs_protocol/src/lib.rs
+++ b/attestation-agent/kbs_protocol/src/lib.rs
@@ -77,6 +77,8 @@ pub mod error;
 pub mod evidence_provider;
 pub mod keypair;
 pub mod token_provider;
+#[cfg(feature = "aa_ttrpc")]
+pub mod ttrpc_protos;
 pub use api::*;
 pub use builder::KbsClientBuilder;
diff --git a/attestation-agent/kbs_protocol/src/token_provider/aa/mod.rs b/attestation-agent/kbs_protocol/src/token_provider/aa/mod.rs
index 94593fbb3..970666287 100644
--- a/attestation-agent/kbs_protocol/src/token_provider/aa/mod.rs
+++ b/attestation-agent/kbs_protocol/src/token_provider/aa/mod.rs
@@ -5,17 +5,15 @@
 //! This is a token provider which connects the attestation-agent
-mod attestation_agent;
-mod attestation_agent_ttrpc;
-
 use async_trait::async_trait;
 use serde::Deserialize;
 use ttrpc::context;
-use crate::{Error, Result, TeeKeyPair, Token};
-
-use self::{
- attestation_agent::GetTokenRequest, attestation_agent_ttrpc::AttestationAgentServiceClient,
+use crate::{
+ ttrpc_protos::{
+ attestation_agent::GetTokenRequest, attestation_agent_ttrpc::AttestationAgentServiceClient,
+ },
+ Error, Result, TeeKeyPair, Token,
 };
 use super::TokenProvider;
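Review bot: `AAEvidenceProvider::new` maps the ttrpc connect failure to `Error::AATokenProvider`, even though this commit introduces `Error::AAEvidenceProvider` for exactly this component, so a failure to reach the Attestation Agent from the evidence provider is reported as a token-provider error and misleads whoever reads the log. The line should read `.map_err(|e| Error::AAEvidenceProvider(format!("ttrpc connect failed {e}")))?;`. The doc comment on `get_evidence` is garbled and misspelled; `/// Get evidence from the Attestation Agent, using runtime_data as the report data / challenge.` would be clearer. The seconds-to-nanoseconds expression `AA_TTRPC_TIMEOUT_SECONDS * 1000 * 1000 * 1000` is duplicated in `get_evidence` and `get_tee_type`; hoisting it into one named constant would keep the two calls from drifting apart.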
diff --git a/attestation-agent/kbs_protocol/src/token_provider/mod.rs b/attestation-agent/kbs_protocol/src/token_provider/mod.rs
index 8f4d7ae88..6648e89c5 100644
--- a/attestation-agent/kbs_protocol/src/token_provider/mod.rs
+++ b/attestation-agent/kbs_protocol/src/token_provider/mod.rs
@@ -6,9 +6,9 @@ pub mod test;
 pub use test::*;
-#[cfg(feature = "aa_token")]
+#[cfg(feature = "aa_ttrpc")]
 pub mod aa;
-#[cfg(feature = "aa_token")]
+#[cfg(feature = "aa_ttrpc")]
 pub use aa::*;
 use anyhow::*;
diff --git a/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent.rs b/attestation-agent/kbs_protocol/src/ttrpc_protos/attestation_agent.rs
similarity index 100%
rename from attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent.rs
rename to attestation-agent/kbs_protocol/src/ttrpc_protos/attestation_agent.rs
diff --git a/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent_ttrpc.rs b/attestation-agent/kbs_protocol/src/ttrpc_protos/attestation_agent_ttrpc.rs
similarity index 100%
rename from attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent_ttrpc.rs
rename to attestation-agent/kbs_protocol/src/ttrpc_protos/attestation_agent_ttrpc.rs
diff --git a/attestation-agent/kbs_protocol/src/ttrpc_protos/mod.rs b/attestation-agent/kbs_protocol/src/ttrpc_protos/mod.rs
new file mode 100644
index 000000000..a149b0285
--- /dev/null
+++ b/attestation-agent/kbs_protocol/src/ttrpc_protos/mod.rs
@@ -0,0 +1,7 @@
+// Copyright (c) 2025 Alibaba Cloud
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+pub mod attestation_agent;
+pub mod attestation_agent_ttrpc;
diff --git a/confidential-data-hub/hub/Cargo.toml b/confidential-data-hub/hub/Cargo.toml
index 817b5876f..a36a569f8 100644
--- a/confidential-data-hub/hub/Cargo.toml
+++ b/confidential-data-hub/hub/Cargo.toml
@@ -39,15 +39,21 @@ base64.workspace = true
 bincode = { workspace = true, optional = true }
 cfg-if = { workspace = true, optional = true }
 chrono = { workspace = true, optional = true }
-clap = { workspace = true, features = [ "derive" ], optional = true }
+clap = { workspace = true, features = ["derive"], optional = true }
 config = { workspace = true, optional = true }
 const_format.workspace = true
 crypto.path = "../../attestation-agent/deps/crypto"
-ehsm_client = {git = "https://github.com/intel/ehsm", rev = "3454cac66b968a593c3edc43410c0b52416bbd3e", optional = true }
+ehsm_client = { git = "https://github.com/intel/ehsm", rev = "3454cac66b968a593c3edc43410c0b52416bbd3e", optional = true }
 env_logger = { workspace = true, optional = true }
 hex = { workspace = true, optional = true }
-image-rs = { path = "../../image-rs", default-features = false, features = ["kata-cc-rustls-tls"] }
-kbs_protocol = { path = "../../attestation-agent/kbs_protocol", default-features = false, features = ["passport", "aa_token", "openssl"], optional = true }
+image-rs = { path = "../../image-rs", default-features = false, features = [
+ "kata-cc-rustls-tls",
+] }
+kbs_protocol = { path = "../../attestation-agent/kbs_protocol", default-features = false, features = [
+ "passport",
+ "aa_ttrpc",
+ "openssl",
+], optional = true }
 log.workspace = true
 p12 = { version = "0.6.3", optional = true }
 prost = { workspace = true, optional = true }
@@ -63,7 +69,14 @@ sha2 = { workspace = true, optional = true }
 strum = { workspace = true, features = ["derive"] }
 tempfile = { workspace = true, optional = true }
 thiserror.workspace = true
-tokio = { workspace = true, features = [ "fs", "macros", "io-util", "process", "rt-multi-thread", "sync" ] }
+tokio = { workspace = true, features = [
+ "fs",
+ "macros",
+ "io-util",
+ "process",
+ "rt-multi-thread",
+ "sync",
+] }
 toml.workspace = true
 tonic = { workspace = true, optional = true }
 ttrpc = { workspace = true, features = ["async"], optional = true }
@@ -84,13 +97,24 @@ nix.workspace = true
 rstest.workspace = true
 serial_test.workspace = true
 tempfile.workspace = true
-tokio = { workspace = true, features = ["rt", "macros" ] }
+tokio = { workspace = true, features = ["rt", "macros"] }
 [features]
 default = ["aliyun", "kbs", "bin", "ttrpc", "grpc", "cli"]
 # support aliyun stacks (KMS, ..)
-aliyun = ["chrono", "hex", "p12", "prost", "reqwest/rustls-tls", "sha2", "tempfile", "tonic", "url", "yasna"]
+aliyun = [
+ "chrono",
+ "hex",
+ "p12",
+ "prost",
+ "reqwest/rustls-tls",
+ "sha2",
+ "tempfile",
+ "tonic",
+ "url",
+ "yasna",
+]
 # support coco-KBS to provide confidential resources
 kbs = ["kbs_protocol"]
@@ -102,7 +126,7 @@ sev = ["bincode", "dep:sev", "prost", "tonic", "uuid"]
 ehsm = ["ehsm_client"]
 # Binary RPC type
-bin = [ "anyhow", "cfg-if", "clap", "config", "env_logger", "serde" ]
+bin = ["anyhow", "cfg-if", "clap", "config", "env_logger", "serde"]
 ttrpc = ["dep:ttrpc", "protobuf", "ttrpc-codegen", "tokio/signal"]
 grpc = ["prost", "tonic", "tokio/signal"]