147 commits
b075cd7
derived_key: first implementation
eldios Jan 21, 2025
5b61ef0
derived_key: small fixes
eldios Jan 21, 2025
252e05d
derived-key: put back code mistakenly changed
eldios Jan 21, 2025
a573d66
derived-key: fix code
eldios Jan 22, 2025
7f626cd
derived_keys: fix error
eldios Jan 22, 2025
f87a19d
devired_key: enable Derived key
eldios Jan 22, 2025
5a6bd89
devired_key: enable Derived key #2
eldios Jan 22, 2025
f76ed1f
devired_key: enable Derived key #3
eldios Jan 22, 2025
67cf51e
devired_key: enable Derived key #4
eldios Jan 22, 2025
e56cd04
devired_key: enable Derived key #5
eldios Jan 22, 2025
10185c0
devired_key: add endpoint
eldios Jan 22, 2025
7cb9717
derived_key: add back root_key
eldios Jan 22, 2025
12df167
derived_key: type issue
eldios Jan 22, 2025
04b57fa
derived_key: type issue #2
eldios Jan 22, 2025
19f4a89
derived_key: type issue #3
eldios Jan 22, 2025
6d057d9
derived_key: change path to comply to other ones
eldios Jan 22, 2025
110fbbd
cleanup: remove unneeded files
eldios Jan 23, 2025
6220af1
derived_key: add missing function
eldios Jan 23, 2025
4ddc843
attestation-agent: add GetDerivedKey in proto for attestation-agent
eldios Jan 23, 2025
5bee928
devired-key: add to grpc-aa server.rs
eldios Jan 24, 2025
d6a6824
devired-key: add to proto
eldios Jan 24, 2025
1e882c5
attestation-agent: add GetDerivedKey in proto for attestation-agent
eldios Jan 24, 2025
7aa94c3
derive-key: add methods to kbs
eldios Jan 25, 2025
a84a790
attestation-agent: add grpc by default
eldios Jan 25, 2025
ba2a449
get-derived-key: fix URL + add to KBS
eldios Jan 26, 2025
08c0a96
get-derived-key: fix URL + add to KBS #2
eldios Jan 26, 2025
b1a6d3c
get-derived-key: fix URL + add to KBS #3
eldios Jan 26, 2025
b06e290
get-derived-key: fix URL + add to KBS #4
eldios Jan 26, 2025
da2b528
get-derived-key: fix URL + add to KBS #4
eldios Jan 26, 2025
07877a3
get-derived-key: fix URL + add to KBS #5
eldios Jan 26, 2025
b35599b
get-derived-key: fix URL + add to KBS #6
eldios Jan 26, 2025
1eddd30
get-derived-key: fix URL + add to KBS #7
eldios Jan 26, 2025
d36603d
get-derived-key: fix URL + add to KBS #8
eldios Jan 26, 2025
a4e35e3
get-derived-key: fix URL + add to KBS #9
eldios Jan 26, 2025
fce495b
get-derived-key: fix URL + add to KBS #10
eldios Jan 26, 2025
52bd7e7
get-derived-key: fix URL + add to KBS #11
eldios Jan 26, 2025
fccdc1d
get-derived-key: fix URL + add to KBS #12
eldios Jan 26, 2025
e37b0ea
get-derived-key: add some debugging info
eldios Jan 26, 2025
d429f40
get-derived-key: add some debugging info #2
eldios Jan 26, 2025
452d7c8
derived-key: add debug info
eldios Jan 26, 2025
ad5b5ae
derived-key: add debug info #2
eldios Jan 26, 2025
2ee39bf
derived-key: add debug info #3
eldios Jan 26, 2025
5d4d39f
derived-key: add debug info #4
eldios Jan 26, 2025
a90514e
derived-key: add debug info #5
eldios Jan 26, 2025
c56c55a
derive_key: change key id to be correctly parsed
eldios Jan 27, 2025
6b47cea
derive_key: change key id to be correctly used #2
eldios Jan 27, 2025
cfb1a7a
derive_key: change key id to be correctly used #3
eldios Jan 27, 2025
eb20ef7
derive_key: change key id to be correctly used #4
eldios Jan 27, 2025
e31e413
derive_key: change key id to be correctly used #5 (revert test)
eldios Jan 27, 2025
5e5e602
derive_key: change key id to be correctly used #5 (testing)
eldios Jan 27, 2025
2df1527
derive_key: change key id to be correctly used #6 (typo)
eldios Jan 27, 2025
0343a71
derive_key: change key id to be correctly used #7 (testing)
eldios Jan 27, 2025
2e966f3
derive_key: change key id to be correctly used #8
eldios Jan 27, 2025
4acd936
derive_key: change key id to be correctly used #9
eldios Jan 27, 2025
b8b270c
derived_key: fix function
eldios Jan 27, 2025
2826752
derived_key: fix function (typo)
eldios Jan 27, 2025
a3f1c7b
derived_key: fix function #2
eldios Jan 27, 2025
353ca0a
derived_key: fix function #3
eldios Jan 27, 2025
d652e88
derived_key: remove grpc from default features
eldios Jan 27, 2025
f4bd660
derived_key: add docs about GuestFieldSelect + change to guest Policy
eldios Jan 27, 2025
cf100b1
devired_key: cleaning pass #1
eldios Jan 27, 2025
6c20af9
devired_key: cleaning pass #2
eldios Jan 27, 2025
bc7428a
devired_key: cleaning pass #3
eldios Jan 27, 2025
e97ca2e
devired_key: cleaning pass #4
eldios Jan 27, 2025
1c5bcea
devired_key: cleaning pass #5
eldios Jan 27, 2025
c37fc89
devired_key: cleaning pass #6
eldios Jan 27, 2025
2d66816
devired_key: cleaning pass #7
eldios Jan 27, 2025
588e1ad
devired_key: cleaning pass #8
eldios Jan 27, 2025
77efb17
derived-key: change fieldSelect to be measurement
eldios Jan 27, 2025
6ff3b99
derived_key: small fixes
eldios Jan 21, 2025
1a8dea9
derived-key: put back code mistakenly changed
eldios Jan 21, 2025
b86f0c8
derived-key: fix code
eldios Jan 22, 2025
6c67f61
derived_keys: fix error
eldios Jan 22, 2025
4699c36
devired_key: enable Derived key
eldios Jan 22, 2025
00999ae
devired_key: enable Derived key #2
eldios Jan 22, 2025
a8eef04
devired_key: enable Derived key #3
eldios Jan 22, 2025
fe09cbd
devired_key: enable Derived key #4
eldios Jan 22, 2025
1b74552
devired_key: enable Derived key #5
eldios Jan 22, 2025
1c42dbb
derived_key: add back root_key
eldios Jan 22, 2025
7013f1b
derived_key: type issue
eldios Jan 22, 2025
79e93df
derived_key: type issue #2
eldios Jan 22, 2025
3e94904
derived_key: type issue #3
eldios Jan 22, 2025
efc1baa
cleanup: remove unneeded files
eldios Jan 23, 2025
0ffafe7
derived_key: add missing function
eldios Jan 23, 2025
c08dc8c
attestation-agent: add GetDerivedKey in proto for attestation-agent
eldios Jan 23, 2025
d686659
devired-key: add to grpc-aa server.rs
eldios Jan 24, 2025
4c9ac1f
devired-key: add to proto
eldios Jan 24, 2025
5387e43
attestation-agent: add GetDerivedKey in proto for attestation-agent
eldios Jan 24, 2025
e89f318
attestation-agent: rebase changes
eldios Feb 5, 2025
e1cc392
attestation-agent: add grpc by default
eldios Jan 25, 2025
c327384
get-derived-key: fix URL + add to KBS
eldios Jan 26, 2025
bd4143d
get-derived-key: fix URL + add to KBS #2
eldios Jan 26, 2025
5ea8ec2
get-derived-key: fix URL + add to KBS #3
eldios Jan 26, 2025
f1b0a98
get-derived-key: fix URL + add to KBS #4
eldios Jan 26, 2025
0bb608d
get-derived-key: fix URL + add to KBS #4
eldios Jan 26, 2025
1cd2716
get-derived-key: fix URL + add to KBS #5
eldios Jan 26, 2025
2c84699
get-derived-key: fix URL + add to KBS #6
eldios Jan 26, 2025
f642e80
get-derived-key: fix URL + add to KBS #7
eldios Jan 26, 2025
ba0e042
get-derived-key: fix URL + add to KBS #8
eldios Jan 26, 2025
216ed33
get-derived-key: fix URL + add to KBS #9
eldios Jan 26, 2025
0af608d
get-derived-key: fix URL + add to KBS #10
eldios Jan 26, 2025
e6e7d83
get-derived-key: fix URL + add to KBS #11
eldios Jan 26, 2025
e451a3b
get-derived-key: fix URL + add to KBS #12
eldios Jan 26, 2025
e412645
get-derived-key: add some debugging info
eldios Jan 26, 2025
f5f31ec
get-derived-key: add some debugging info #2
eldios Jan 26, 2025
f926e53
derived-key: add debug info
eldios Jan 26, 2025
15f86c6
derived-key: add debug info #2
eldios Jan 26, 2025
14b976f
derived-key: add debug info #3
eldios Jan 26, 2025
3b5e3ad
derived-key: add debug info #4
eldios Jan 26, 2025
0030e9f
derived-key: add debug info #5
eldios Jan 26, 2025
85ae426
derive_key: change key id to be correctly parsed
eldios Jan 27, 2025
0fc689c
derive_key: change key id to be correctly used #2
eldios Jan 27, 2025
ff336f2
derive_key: change key id to be correctly used #3
eldios Jan 27, 2025
6238109
derive_key: change key id to be correctly used #4
eldios Jan 27, 2025
8232834
derive_key: change key id to be correctly used #5 (revert test)
eldios Jan 27, 2025
82c8098
derive_key: change key id to be correctly used #5 (testing)
eldios Jan 27, 2025
b62f37a
derive_key: change key id to be correctly used #6 (typo)
eldios Jan 27, 2025
3039200
derive_key: change key id to be correctly used #7 (testing)
eldios Jan 27, 2025
8a1514c
derive_key: change key id to be correctly used #8
eldios Jan 27, 2025
c15fb9c
derive_key: change key id to be correctly used #9
eldios Jan 27, 2025
5a15efc
derived_key: fix function
eldios Jan 27, 2025
9ce8c4d
derived_key: fix function (typo)
eldios Jan 27, 2025
cb1d791
derived_key: fix function #2
eldios Jan 27, 2025
28f514f
derived_key: fix function #3
eldios Jan 27, 2025
e07cc69
derived_key: remove grpc from default features
eldios Jan 27, 2025
99e124f
derived_key: add docs about GuestFieldSelect + change to guest Policy
eldios Jan 27, 2025
6916687
devired_key: cleaning pass #1
eldios Jan 27, 2025
8db5333
devired_key: cleaning pass #2
eldios Jan 27, 2025
7142a72
devired_key: cleaning pass #3
eldios Jan 27, 2025
b335ba2
devired_key: cleaning pass #4
eldios Jan 27, 2025
fc7a925
devired_key: cleaning pass #5
eldios Jan 27, 2025
9e5cdd4
devired_key: cleaning pass #6
eldios Jan 27, 2025
2ccc9ee
devired_key: cleaning pass #7
eldios Jan 27, 2025
1cf7a9c
devired_key: cleaning pass #8
eldios Jan 27, 2025
ec11a2f
derived-key: change fieldSelect to be measurement
eldios Jan 27, 2025
efd304b
merge main
eldios May 14, 2025
307309a
Merge branch 'confidential-containers:main' into SB-add-derivation-ke…
eldios Jun 12, 2025
c975b0c
Merge branch 'confidential-containers:main' into SB-add-derivation-ke…
eldios Jun 16, 2025
d9d83d7
get_derived_key: remove unneeded req and context
eldios Jun 18, 2025
42da3a0
get_derived_key: remove unneeded req and context #2
eldios Jun 18, 2025
b5a77aa
get_derived_key: remove unneeded req and context #3
eldios Jun 19, 2025
710579c
attester: fix derived_key function usage
eldios Jun 23, 2025
739491e
AA: add docker command
eldios Jun 23, 2025
ef1f856
ttrpx: fix getDerivedReq
eldios Jun 24, 2025
1acba1c
aa: fix unsed import
eldios Jun 24, 2025
c2a8ea6
get_derived_key: fix function usage
eldios Jun 25, 2025
8bd6ad2
get_derived_key: fix redundant code
eldios Jun 25, 2025
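--- a/Makefile
+++ b/Makefile
@@ -79,6 +79,13 @@ $(AA_BINARY):
 @echo build $(AA) for $(TEE_PLATFORM)
 cd $(AA) && $(MAKE) ttrpc=true ARCH=$(ARCH) LIBC=$(LIBC) ATTESTER=$(ATTESTER)
 
+aa-docker-protobuf:
+docker run --rm -it -v "$$PWD":/app --workdir /app rust:1.87 sh \
+-c "cd $(AA) && \
+apt -y update && \
+apt install -y tss2 libtss2-dev libtss2-esys-3.0.2-0 && \
+cargo build -p kbs_protocol -p attestation-agent"
+
 $(ASR_BINARY):
 @echo build $(ASR) for $(TEE_PLATFORM)
 cd $(ASR) && $(MAKE) ARCH=$(ARCH) LIBC=$(LIBC)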
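Review bot: The `aa-docker-protobuf` recipe pulls `rust:1.87` by mutable tag and installs distro packages at run time, so the toolchain that compiles `kbs_protocol` and `attestation-agent` can change between runs without any change to the repository. Pinning the image by digest, e.g. `rust:1.87@sha256:<image-digest>` (placeholder, to be filled with the digest the project actually vets), makes the base reproducible and reviewable. The `-it` flags also require a TTY, so the target will fail in non-interactive CI; `docker run --rm -v "$$PWD":/app ...` without `-it` works in both settings. The target name says "protobuf" while the recipe runs a full `cargo build`, so a one-line comment above the target stating what it is for would help.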
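--- a/api-server-rest/build.rs
+++ b/api-server-rest/build.rs
@@ -61,6 +61,20 @@ fn _evidence() {}
 )]
 fn _resource() {}
 
+#[utoipa::path(
+post,
+path = "/aa/derived_key",
+request_body = Vec<u8>,
+responses(
+(status = 200, description = "success response",
+content_type = "application/octet-stream",
+body = Vec<u8>),
+(status = 400, description = "invalid user data"),
+(status = 500, description = "internal server error")
+)
+)]
+fn _derived_key() {}
+
 fn generate_openapi_document() -> std::io::Result<()> {
 #[derive(OpenApi)]
 #[openapi(
@@ -72,7 +86,7 @@ fn generate_openapi_document() -> std::io::Result<()> {
 (url = "http://127.0.0.1:8006", description = "CoCo Restful API")
 ),
 
-paths(_token, _evidence, _resource)
+paths(_token, _evidence, _resource, _derived_key)
 )]
 struct ApiDoc;
 let mut file = File::create("openapi/api.json")?;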
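Review bot: The `_derived_key` annotation documents a contract that the handler shown on this page does not implement. It declares `post` with `request_body = Vec<u8>` and a 400 "invalid user data" response, while `AAClient::get_derived_key()` in `src/aa.rs` takes no input and the new dispatch branch only produces a 200, a 500 or a 404. Either drop `request_body` and the 400 entry, or have the handler read the body and pass it on as the key id. Because the 200 body is key material, the response description should say so, for example `description = "derived key bytes; secret, do not log or cache"`.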
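--- a/api-server-rest/openapi/api.json
+++ b/api-server-rest/openapi/api.json
@@ -19,6 +19,50 @@
 }
 ],
 "paths": {
+"/aa/derived_key": {
+"post": {
+"tags": [],
+"operationId": "_derived_key",
+"requestBody": {
+"content": {
+"application/octet-stream": {
+"schema": {
+"type": "array",
+"items": {
+"type": "integer",
+"format": "int32",
+"minimum": 0
+}
+}
+}
+},
+"required": true
+},
+"responses": {
+"200": {
+"description": "success response",
+"content": {
+"application/octet-stream": {
+"schema": {
+"type": "array",
+"items": {
+"type": "integer",
+"format": "int32",
+"minimum": 0
+}
+}
+}
+}
+},
+"400": {
+"description": "invalid user data"
+},
+"500": {
+"description": "internal server error"
+}
+}
+}
+},
 "/aa/evidence": {
 "get": {
 "tags": [],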
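--- a/api-server-rest/protos/attestation_agent.proto
+++ b/api-server-rest/protos/attestation_agent.proto
@@ -18,7 +18,16 @@ message GetTokenResponse {
 bytes Token = 1;
 }
 
+message GetDerivedKeyRequest {
+bytes KeyId = 1;
+}
+
+message GetDerivedKeyResponse {
+bytes DerivedKey = 1;
+}
+
 service AttestationAgentService {
-rpc GetEvidence(GetEvidenceRequest) returns (GetEvidenceResponse) {};
-rpc GetToken(GetTokenRequest) returns (GetTokenResponse) {};
+rpc GetDerivedKey(GetDerivedKeyRequest) returns (GetDerivedKeyResponse) {};
+rpc GetEvidence(GetEvidenceRequest) returns (GetEvidenceResponse) {};
+rpc GetToken(GetTokenRequest) returns (GetTokenResponse) {};
 }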
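Review bot: `GetDerivedKeyRequest.KeyId` and `GetDerivedKeyResponse.DerivedKey` are added without comments, and nothing on this page says what `KeyId` selects or what an empty value means. That matters because the REST caller in `src/aa.rs` builds the request with `..Default::default()`, so `KeyId` is always empty on that path. I would add a comment above each field, along the lines of `// KeyId: <what it selects; behaviour when empty>` and `// DerivedKey: raw key bytes; secret, never log`, with the actual semantics filled in by the author.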
70 changes: 51 additions & 19 deletions api-server-rest/src/aa.rs
@@ -4,7 +4,9 @@
//

use crate::router::ApiHandler;
use crate::ttrpc_proto::attestation_agent::{GetEvidenceRequest, GetTokenRequest};
use crate::ttrpc_proto::attestation_agent::{
GetDerivedKeyRequest, GetEvidenceRequest, GetTokenRequest,
};
use crate::ttrpc_proto::attestation_agent_ttrpc::AttestationAgentServiceClient;
use anyhow::*;
use async_trait::async_trait;
@@ -20,6 +22,7 @@ pub const AA_ROOT: &str = "/aa";
/// URL for querying CDH get resource API
const AA_TOKEN_URL: &str = "/token";
const AA_EVIDENCE_URL: &str = "/evidence";
const AA_DERIVED_KEY_URL: &str = "/derived_key";

pub struct AAClient {
client: AttestationAgentServiceClient,
@@ -50,34 +53,52 @@ impl ApiHandler for AAClient {
.map(|v| form_urlencoded::parse(v.as_bytes()).into_owned().collect())
.unwrap_or_default();

if params.len() != 1 {
return self.not_allowed();
if params.len() == 0 {
match url_path {
AA_DERIVED_KEY_URL => {
let res = self.get_derived_key();
match res.await {
std::result::Result::Ok(results) => {
return self.octet_stream_response(results)
}
Err(e) => return self.internal_error(e.to_string()),
};
}
_ => {
return self.not_found();
}
}
}

match url_path {
AA_TOKEN_URL => match params.get("token_type") {
Some(token_type) => match self.get_token(token_type).await {
std::result::Result::Ok(results) => return self.octet_stream_response(results),
Err(e) => return self.internal_error(e.to_string()),
},
None => return self.bad_request(),
},
AA_EVIDENCE_URL => match params.get("runtime_data") {
Some(runtime_data) => {
match self.get_evidence(&runtime_data.clone().into_bytes()).await {
if params.len() == 1 {
match url_path {
AA_TOKEN_URL => match params.get("token_type") {
Some(token_type) => match self.get_token(token_type).await {
std::result::Result::Ok(results) => {
return self.octet_stream_response(results)
}
Err(e) => return self.internal_error(e.to_string()),
},
None => return self.bad_request(),
},
AA_EVIDENCE_URL => match params.get("runtime_data") {
Some(runtime_data) => {
match self.get_evidence(&runtime_data.clone().into_bytes()).await {
std::result::Result::Ok(results) => {
return self.octet_stream_response(results)
}
Err(e) => return self.internal_error(e.to_string()),
}
}
None => return self.bad_request(),
},
_ => {
return self.not_found();
}
None => return self.bad_request(),
},

_ => {
return self.not_found();
}
}

return self.not_found();
}
}

@@ -116,4 +137,15 @@ impl AAClient {
.await?;
Ok(res.Evidence)
}

pub async fn get_derived_key(&self) -> Result<Vec<u8>> {
let req = GetDerivedKeyRequest {
..Default::default()
};
let res = self
.client
.get_derived_key(ttrpc::context::with_timeout(TTRPC_TIMEOUT), &req)
.await?;
Ok(res.DerivedKey)
}
}
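Review bot: The new `params.len() == 0` branch serves `/derived_key` to any request with that path and no query string: the visible lines check neither the HTTP method (the OpenAPI entry declares `post`) nor the request body, and `get_derived_key()` sends `GetDerivedKeyRequest { ..Default::default() }`, so `KeyId` is always empty. If the key is meant to be bound to a caller-supplied identifier, the body should be read and passed through, e.g. `GetDerivedKeyRequest { KeyId: key_id, ..Default::default() }` (with `key_id` taken from the request); if it is not, the `KeyId` field and the documented request body are unused. The restructuring also appears to change status codes: a request with two or more parameters previously hit `not_allowed()` and now falls through to the final `not_found()`. `params.is_empty()` is the idiomatic form of the length test. The enclosing handler method of `impl ApiHandler for AAClient` starts above the hunk, so a method check may exist outside what is shown.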