OK
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
bluele committed Dec 16, 2024
1 parent 5cbcff4 commit f440290
Showing 16 changed files with 301 additions and 193 deletions.
1 change: 1 addition & 0 deletions Cargo.lock


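--- a/app/Cargo.toml
+++ b/app/Cargo.toml
@@ -26,6 +26,7 @@ ecall-commands = { path = "../modules/ecall-commands" }
 crypto = { path = "../modules/crypto" }
 keymanager = { path = "../modules/keymanager" }
 remote-attestation = { path = "../modules/remote-attestation" }
+attestation-report = { path = "../modules/attestation-report" }
 
 [build-dependencies]
 git2 = "0.19"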
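--- a/app/src/commands/enclave.rs
+++ b/app/src/commands/enclave.rs
@@ -3,6 +3,7 @@ use crate::{
 opts::{EnclaveOpts, Opts},
 };
 use anyhow::{anyhow, Result};
+use attestation_report::RAQuote;
 use clap::Parser;
 use crypto::Address;
 use ecall_commands::GenerateEnclaveKeyInput;
@@ -87,10 +88,13 @@ fn run_generate_key<E: EnclaveCommandAPI<S>, S: CommitStore>(
 ) -> Result<()> {
 let (target_info, _) = remote_attestation::init_quote(input.target_qe3)?;
 let res = enclave
-.generate_enclave_key(GenerateEnclaveKeyInput {
-target_info,
-operator: input.get_operator()?,
-})
+.generate_enclave_key(
+GenerateEnclaveKeyInput {
+target_info,
+operator: input.get_operator()?,
+},
+input.target_qe3,
+)
 .map_err(|e| anyhow!("failed to generate an enclave key: {:?}", e))?;
 println!("{}", res.pub_key.as_address());
 Ok(())
@@ -121,37 +125,37 @@ fn run_list_keys<E: EnclaveCommandAPI<S>, S: CommitStore>(
 };
 let mut list_json = Vec::new();
 for eki in list {
-let ias_attested = eki.ias_report.is_some();
-let dcap_attested = eki.dcap_quote.is_some();
-
-if ias_attested {
-let avr = eki.ias_report.as_ref().unwrap().get_avr()?;
-let report_data = avr.parse_quote()?.report_data();
-list_json.push(json! {{
-"type": "ias",
-"address": eki.address.to_hex_string(),
-"attested": true,
-"report_data": report_data.to_string(),
-"isv_enclave_quote_status": avr.isv_enclave_quote_status,
-"advisory_ids": avr.advisory_ids,
-"attested_at": avr.timestamp
-}});
-} else if dcap_attested {
-let dcap_quote = eki.dcap_quote.as_ref().unwrap();
-list_json.push(json! {{
-"type": "dcap",
-"address": eki.address.to_hex_string(),
-"attested": true,
-"report_data": dcap_quote.report_data()?.to_string(),
-"isv_enclave_quote_status": dcap_quote.tcb_status,
-"advisory_ids": dcap_quote.advisory_ids,
-"attested_at": dcap_quote.attested_at.to_string(),
-}});
-} else {
-list_json.push(json! {{
-"address": eki.address.to_hex_string(),
-"attested": false,
-}});
+match eki.ra_quote {
+Some(RAQuote::IAS(report)) => {
+let avr = report.get_avr()?;
+let report_data = avr.parse_quote()?.report_data();
+list_json.push(json! {{
+"type": "ias",
+"address": eki.address.to_hex_string(),
+"attested": true,
+"report_data": report_data.to_string(),
+"isv_enclave_quote_status": avr.isv_enclave_quote_status,
+"advisory_ids": avr.advisory_ids,
+"attested_at": avr.timestamp
+}});
+}
+Some(RAQuote::DCAP(quote)) => {
+list_json.push(json! {{
+"type": "dcap",
+"address": eki.address.to_hex_string(),
+"attested": true,
+"report_data": quote.report_data()?.to_string(),
+"isv_enclave_quote_status": quote.tcb_status,
+"advisory_ids": quote.advisory_ids,
+"attested_at": quote.attested_at.to_string(),
+}});
+}
+None => {
+list_json.push(json! {{
+"address": eki.address.to_hex_string(),
+"attested": false,
+}});
+}
 }
 }
 println!("{}", serde_json::to_string(&list_json).unwrap());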
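Review bot: In the reworked loop of `run_list_keys`, `"attested": true` is emitted for every key whose `ra_quote` is `Some(..)`, so the field records that a quote is stored, not that it was verified; nothing in the hunk re-checks the report or its age. A consumer that gates on this JSON should read `isv_enclave_quote_status`, `advisory_ids` and `attested_at` instead. Note also that the DCAP arm puts `quote.tcb_status` under the IAS-named key `isv_enclave_quote_status`, so the value set depends on `type`. I would document both above the `match`, for example `// "attested" means a quote is stored for this key; it is not re-verified here` and `// for "dcap", isv_enclave_quote_status carries the TCB status`. The function starts outside the hunk.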
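--- a/modules/attestation-report/src/errors.rs
+++ b/modules/attestation-report/src/errors.rs
@@ -23,6 +23,14 @@ define_error! {
 format_args!("unexpected report data version: expected={} actual={}", e.expected, e.actual)
 },
 
+InvalidRaType
+{
+ra_type: u32
+}
+|e| {
+format_args!("Invalid RA type: ra_type={}", e.ra_type)
+},
+
 MrenclaveMismatch
 {
 expected: Mrenclave,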
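Review bot: The new `InvalidRaType` message starts with a capital (`"Invalid RA type: ra_type={}"`) while the neighbouring variant in the same `define_error!` block uses lower case (`"unexpected report data version: …"`). Matching the existing wording style, `format_args!("invalid RA type: ra_type={}", e.ra_type)`, keeps error output uniform for anyone filtering or alerting on these strings. The `define_error!` block starts and ends outside the hunk, so the convention is inferred from the one visible neighbour.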
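--- a/modules/attestation-report/src/ias.rs
+++ b/modules/attestation-report/src/ias.rs
@@ -42,14 +42,6 @@ impl IASSignedReport {
 pub fn get_avr(&self) -> Result<IASAttestationVerificationReport, Error> {
 serde_json::from_slice(self.avr.as_ref()).map_err(Error::serde_json)
 }
-
-pub fn to_json(&self) -> Result<String, Error> {
-serde_json::to_string(self).map_err(Error::serde_json)
-}
-
-pub fn from_json(json: &str) -> Result<Self, Error> {
-serde_json::from_str(json).map_err(Error::serde_json)
-}
 }
 
 // IASAttestationVerificationReport represents Intel's Attestation Verification Report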
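--- a/modules/attestation-report/src/lib.rs
+++ b/modules/attestation-report/src/lib.rs
@@ -23,7 +23,7 @@ mod prelude {
 pub use dcap::DCAPQuote;
 pub use errors::Error;
 pub use ias::{verify_ias_report, IASAttestationVerificationReport, IASSignedReport};
-pub use report::{Quote, ReportData, VerifiableQuote};
+pub use report::{Quote, RAQuote, RAType, ReportData};
 
 pub(crate) mod serde_base64 {
 use crate::prelude::*;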
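--- a/modules/attestation-report/src/report.rs
+++ b/modules/attestation-report/src/report.rs
@@ -9,29 +9,67 @@ use sgx_types::{metadata::metadata_t, sgx_measurement_t, sgx_quote_t, sgx_report
 pub const REPORT_DATA_V1: u8 = 1;
 
 #[derive(Debug, Serialize, Deserialize)]
-pub enum VerifiableQuote {
+pub enum RAType {
+IAS,
+DCAP,
+}
+
+impl RAType {
+pub fn as_u32(&self) -> u32 {
+match self {
+Self::IAS => 1,
+Self::DCAP => 2,
+}
+}
+pub fn from_u32(v: u32) -> Result<Self, Error> {
+match v {
+1 => Ok(Self::IAS),
+2 => Ok(Self::DCAP),
+_ => Err(Error::invalid_ra_type(v)),
+}
+}
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(tag = "type")]
+pub enum RAQuote {
 IAS(IASSignedReport),
 DCAP(DCAPQuote),
 }
 
-impl VerifiableQuote {
+impl RAQuote {
+pub fn ra_type(&self) -> RAType {
+match self {
+RAQuote::IAS(_) => RAType::IAS,
+RAQuote::DCAP(_) => RAType::DCAP,
+}
+}
+
 pub fn attested_at(&self) -> Result<Time, Error> {
 match self {
-VerifiableQuote::IAS(report) => report.get_avr()?.attestation_time(),
-VerifiableQuote::DCAP(quote) => Ok(quote.attested_at),
+RAQuote::IAS(report) => report.get_avr()?.attestation_time(),
+RAQuote::DCAP(quote) => Ok(quote.attested_at),
 }
 }
+
+pub fn from_json(json: &str) -> Result<Self, Error> {
+serde_json::from_str(json).map_err(Error::serde_json)
+}
+
+pub fn to_json(&self) -> Result<String, Error> {
+serde_json::to_string(self).map_err(Error::serde_json)
+}
 }
 
-impl From<IASSignedReport> for VerifiableQuote {
+impl From<IASSignedReport> for RAQuote {
 fn from(report: IASSignedReport) -> Self {
-VerifiableQuote::IAS(report)
+RAQuote::IAS(report)
 }
 }
 
-impl From<DCAPQuote> for VerifiableQuote {
+impl From<DCAPQuote> for RAQuote {
 fn from(quote: DCAPQuote) -> Self {
-VerifiableQuote::DCAP(quote)
+RAQuote::DCAP(quote)
 }
 }
 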
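Review bot: `RAQuote::from_json` parses the internally tagged form selected by `#[serde(tag = "type")]`, while the same commit removes `IASSignedReport::to_json`/`from_json` in ias.rs; any report persisted through the old method carries no `type` field and would be rejected here. The storage side is not on this page, so a migration may already cover this, but the accepted shape should be stated on the method, e.g. `/// Parses the tagged form {"type": "IAS" | "DCAP", ...}; untagged IASSignedReport JSON is rejected.` Separately, `as_u32`/`from_u32` on `RAType` would read more idiomatically as `From<RAType> for u32` and `TryFrom<u32>`, and a fieldless enum like this can also derive `Clone, Copy, PartialEq, Eq`.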
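--- a/modules/enclave-api/src/api/command.rs
+++ b/modules/enclave-api/src/api/command.rs
@@ -1,4 +1,5 @@
 use crate::{EnclavePrimitiveAPI, Result};
+use attestation_report::RAType;
 use ecall_commands::{
 AggregateMessagesInput, AggregateMessagesResponse, Command, CommandResponse,
 EnclaveManageCommand, EnclaveManageResponse, GenerateEnclaveKeyInput,
@@ -14,6 +15,7 @@ pub trait EnclaveCommandAPI<S: CommitStore>: EnclavePrimitiveAPI<S> {
 fn generate_enclave_key(
 &self,
 input: GenerateEnclaveKeyInput,
+is_target_qe3: bool,
 ) -> Result<GenerateEnclaveKeyResponse> {
 let res = match self.execute_command(
 Command::EnclaveManage(EnclaveManageCommand::GenerateEnclaveKey(input)),
@@ -22,8 +24,15 @@ pub trait EnclaveCommandAPI<S: CommitStore>: EnclavePrimitiveAPI<S> {
 CommandResponse::EnclaveManage(EnclaveManageResponse::GenerateEnclaveKey(res)) => res,
 _ => unreachable!(),
 };
-self.get_key_manager()
-.save(res.sealed_ek.clone(), res.report)?;
+self.get_key_manager().save(
+res.sealed_ek.clone(),
+res.report,
+if is_target_qe3 {
+RAType::DCAP
+} else {
+RAType::IAS
+},
+)?;
 Ok(res)
 }
 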
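Review bot: `generate_enclave_key` takes the attestation flavour as `is_target_qe3: bool` and converts it to `RAType` only at the `save` call, so the type recorded with the sealed key depends on a flag passed separately from `input.target_info`. Nothing here ties the two together, and a caller that built `target_info` for one quoting enclave but passes the other flag would store the key under the wrong RA type. Taking the enum directly makes the call site self-describing and removes the inline `if`: `ra_type: RAType,` in the signature and `self.get_key_manager().save(res.sealed_ek.clone(), res.report, ra_type)?;`. If the bool stays, a doc comment on the parameter should say that `true` means DCAP and must match the `init_quote` call that produced `target_info`. The trait and the method body continue outside the hunks.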