Skip to content

Fixes for SVSM update #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tylerfanelli merged 5 commits into from
Nov 25, 2025
Merged

Fixes for SVSM update #6

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
52f438e
get report from JSON object
tylerfanelli Oct 6, 2025
53eb637
write test token string as part of /attest response
tylerfanelli Oct 6, 2025
784f4aa
serde SNP evidence untagged
tylerfanelli Oct 8, 2025
7141de0
restore configurable secret
tylerfanelli Oct 9, 2025
cb988a8
use p521
tylerfanelli Oct 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 6 additions & 4 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ concat-kdf = "0.1.0"
hex = "0.4.3"
kbs-types = "0.14.0"
lazy_static = "1.5.0"
p256 = { version = "0.13.2", features = ["ecdh"] }
p521 = { version = "0.13.3", features = ["ecdh"] }
rand = "0.8.5"
sec1 = "0.7.3"
serde_json = "1.0.133"
Expand Down
49 changes: 38 additions & 11 deletions src/main.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ use base64::{engine::general_purpose::URL_SAFE_NO_PAD, prelude::BASE64_STANDARD,
use clap::Parser;
use kbs_types::{Challenge, ProtectedHeader, Request, Response, TeePubKey};
use lazy_static::lazy_static;
use p256::{
use p521::{
ecdh::EphemeralSecret, elliptic_curve::sec1::FromEncodedPoint, EncodedPoint, PublicKey,
};
use rand::Rng;
Expand All @@ -27,25 +27,32 @@ use uuid::Uuid;
const AES_GCM_256_ALGORITHM: &str = "A256GCM";
const AES_GCM_256_KEY_BITS: u32 = 256;
const ECDH_ES_A256KW: &str = "ECDH-ES+A256KW";
const P256_CURVE: &str = "P-256";
const P521_CURVE: &str = "P-521";
const EC_KTY: &str = "EC";

lazy_static! {
pub static ref KEY: RwLock<Vec<(String, String)>> = RwLock::new(Vec::new());
pub static ref MEASUREMENT: RwLock<Vec<u8>> = RwLock::new(Vec::new());
pub static ref SECRET: RwLock<Vec<u8>> = RwLock::new(Vec::new());
pub static ref ATTESTED: Mutex<bool> = Mutex::new(false);
}

#[derive(Debug, Parser)]
struct Args {
#[arg(long, short)]
pub measurement: Option<String>,
#[arg(long, short)]
pub secret: Option<String>,
}

fn launch_measurement() -> Vec<u8> {
MEASUREMENT.read().unwrap().clone()
}

fn secret() -> Vec<u8> {
SECRET.read().unwrap().clone()
}

#[actix_web::main]
async fn main() -> io::Result<()> {
let args = Args::parse();
Expand All @@ -58,6 +65,14 @@ async fn main() -> io::Result<()> {
m.append(&mut bytes);
}

if args.secret.is_some() {
let secret = args.secret.clone().unwrap();

let mut bytes = hex::decode(secret).unwrap();
let mut s = SECRET.write().unwrap();
s.append(&mut bytes);
}

HttpServer::new(|| {
App::new().service(
web::scope("/kbs/v0")
Expand Down Expand Up @@ -95,11 +110,19 @@ pub async fn attest(req: HttpRequest, attest: web::Json<kbs_types::Attestation>)

let attest = attest.into_inner();

let serde_json::Value::String(tee_evidence) = attest.tee_evidence.primary_evidence else {
let serde_json::Value::Object(tee_evidence) = attest.tee_evidence.primary_evidence else {
panic!("evidence not a base64 string");
};

let evidence = BASE64_STANDARD.decode(&tee_evidence).unwrap();
let evidence = {
let report = tee_evidence.get("snp-report").unwrap();

let Value::String(s) = report else {
panic!("SNP attestation report is not represented as a base64-encoded JSON string");
};

BASE64_STANDARD.decode(s).unwrap()
};

let report: AttestationReport = unsafe { std::ptr::read(evidence.as_ptr() as *const _) };

Expand Down Expand Up @@ -131,7 +154,11 @@ pub async fn attest(req: HttpRequest, attest: web::Json<kbs_types::Attestation>)

key.push((x, y));

HttpResponse::Ok().into()
let json = json!({
"token": "test-token".to_string(),
});

HttpResponse::Ok().json(json)
}

#[get("/resource/default/sample/test")]
Expand All @@ -142,7 +169,7 @@ pub async fn resource(_req: HttpRequest) -> HttpResponse {
return HttpResponse::ExpectationFailed().into();
}

let mut payload = "attestation successful".as_bytes().to_vec();
let mut payload = secret();

let mut rng = rand::thread_rng();

Expand All @@ -153,11 +180,11 @@ pub async fn resource(_req: HttpRequest) -> HttpResponse {

let (x, y) = key.pop().unwrap();

let x: [u8; 32] = URL_SAFE_NO_PAD.decode(x).unwrap().try_into().unwrap();
let y: [u8; 32] = URL_SAFE_NO_PAD.decode(y).unwrap().try_into().unwrap();
let x: [u8; 66] = URL_SAFE_NO_PAD.decode(x).unwrap().try_into().unwrap();
let y: [u8; 66] = URL_SAFE_NO_PAD.decode(y).unwrap().try_into().unwrap();
let client_point = EncodedPoint::from_affine_coordinates(
&GenericArray::from(x),
&GenericArray::from(y),
GenericArray::from_slice(&x),
GenericArray::from_slice(&y),
false,
);
let public_key = PublicKey::from_encoded_point(&client_point)
Expand Down Expand Up @@ -194,7 +221,7 @@ pub async fn resource(_req: HttpRequest) -> HttpResponse {
enc: AES_GCM_256_ALGORITHM.to_string(),
other_fields: json!({
"epk": {
"crv": P256_CURVE,
"crv": P521_CURVE,
"kty": EC_KTY,
"x": epk_x,
"y": epk_y
Expand Down