Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use Trustee-specific TCB Claims Extension #664

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Use Trustee-specific TCB Claims Extension #664

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1f093b8
ear: use new extension for tcb_claims
fitzthum Jan 16, 2025
c65c069
token: adjust pointer to EAR public key
fitzthum Jan 16, 2025
990e03e
tests: change policy for new tcb claims extension
fitzthum Jan 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 2 additions & 3 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 2 additions & 1 deletion Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,8 @@ cfg-if = "1.0.0"
chrono = "0.4.19"
clap = { version = "4", features = ["derive"] }
config = "0.13.3"
ear = "0.3.0"
#ear = "0.3.0"
ear = { git = "https://github.com/veraison/rust-ear.git", branch = "ext-values" }
env_logger = "0.10.0"
hex = "0.4.3"
jwt-simple = { version = "0.12", default-features = false, features = [
Expand Down
53 changes: 33 additions & 20 deletions attestation-service/src/token/ear_broker.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,7 @@ use anyhow::*;

use base64::engine::general_purpose::URL_SAFE_NO_PAD;
use base64::Engine;
use ear::{
Algorithm, Appraisal, Ear, ExtensionKind, ExtensionValue, Extensions, RawValue, TrustVector,
VerifierID,
};
use ear::{Algorithm, Appraisal, Ear, Extensions, RawValue, RawValueKind, TrustVector, VerifierID};
use jsonwebtoken::jwk;
use kbs_types::Tee;
use log::{debug, info, warn};
Expand Down Expand Up @@ -39,6 +36,7 @@ pub const DEFAULT_PROFILE: &str = "tag:github.com,2024:confidential-containers/T
pub const DEFAULT_DEVELOPER_NAME: &str = "https://confidentialcontainers.org";

const DEFAULT_POLICY_DIR: &str = concatcp!(DEFAULT_TOKEN_WORK_DIR, "/ear/policies");
const TCB_CLAIMS_EXTENSION: &str = "ear.trustee.tcb_claims";

#[derive(Deserialize, Debug, Clone, PartialEq)]
pub struct TokenSignerConfig {
Expand Down Expand Up @@ -245,6 +243,10 @@ impl AttestationTokenBroker for EarAttestationTokenBroker {

let mut appraisal = Appraisal::new();

appraisal
.extensions
.register(TCB_CLAIMS_EXTENSION, -41121, ear::RawValueKind::Map)?;

for (k, v) in &policy_results.rules_result {
let claim_value = v.as_i8().context("Policy claim value not i8")?;

Expand All @@ -260,7 +262,9 @@ impl AttestationTokenBroker for EarAttestationTokenBroker {
}

appraisal.update_status_from_trust_vector();
appraisal.annotated_evidence = tcb_claims;
appraisal
.extensions
.set_by_name(TCB_CLAIMS_EXTENSION, RawValue::Map(tcb_claims))?;
appraisal.policy_id = Some(policy_ids[0].clone());

// For now, create only one submod, called `cpu`.
Expand All @@ -274,8 +278,8 @@ impl AttestationTokenBroker for EarAttestationTokenBroker {
.ok_or(anyhow!("Token expiration overflow."))?;

let mut extensions = Extensions::new();
extensions.register("exp", 4, ExtensionKind::Integer)?;
extensions.set_by_name("exp", ExtensionValue::Integer(exp.unix_timestamp()))?;
extensions.register("exp", 4, RawValueKind::Integer)?;
extensions.set_by_name("exp", RawValue::Integer(exp.unix_timestamp()))?;

let ear = Ear {
profile: self.config.profile_name.clone(),
Expand Down Expand Up @@ -399,8 +403,8 @@ pub fn transform_claims(
init_data_claims: Value,
runtime_data_claims: Value,
tee: Tee,
) -> Result<BTreeMap<String, RawValue>> {
let mut output_claims = BTreeMap::new();
) -> Result<Vec<(RawValue, RawValue)>> {
let mut output_claims: Vec<(RawValue, RawValue)> = vec![];

// If the verifier produces an init_data claim (meaning that
// it has validated the init_data hash), add the JSON init_data_claims,
Expand All @@ -410,31 +414,40 @@ pub fn transform_claims(
// They will also end up in the EAR token as part of the annotated evidence.
if let Some(claims_map) = input_claims.as_object_mut() {
if let Some(init_data) = claims_map.remove("init_data") {
output_claims.insert(
"init_data".to_string(),
RawValue::Text(init_data.as_str().unwrap().to_string()),
);
output_claims.push((
RawValue::String("init_data".to_string()),
RawValue::String(init_data.as_str().unwrap().to_string()),
));

let transformed_claims: RawValue =
serde_json::from_str(&serde_json::to_string(&init_data_claims)?)?;
output_claims.insert("init_data_claims".to_string(), transformed_claims);
output_claims.push((
RawValue::String("init_data_claims".to_string()),
transformed_claims,
));
}

if let Some(report_data) = claims_map.remove("report_data") {
output_claims.insert(
"report_data".to_string(),
RawValue::Text(report_data.as_str().unwrap().to_string()),
);
output_claims.push((
RawValue::String("report_data".to_string()),
RawValue::String(report_data.as_str().unwrap().to_string()),
));

let transformed_claims: RawValue =
serde_json::from_str(&serde_json::to_string(&runtime_data_claims)?)?;
output_claims.insert("runtime_data_claims".to_string(), transformed_claims);
output_claims.push((
RawValue::String("runtime_data_claims".to_string()),
transformed_claims,
));
}
}

let transformed_claims: RawValue =
serde_json::from_str(&serde_json::to_string(&input_claims)?)?;
output_claims.insert(to_variant_name(&tee)?.to_string(), transformed_claims);
output_claims.push((
RawValue::String(to_variant_name(&tee)?.to_string()),
transformed_claims,
));

Ok(output_claims)
}
Expand Down
2 changes: 1 addition & 1 deletion kbs/src/token/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ pub const TOKEN_TEE_PUBKEY_PATH_ITA: &str = "/attester_runtime_data/tee-pubkey";
pub const TOKEN_TEE_PUBKEY_PATH_ITA_VTPM: &str = "/attester_user_data/tee-pubkey";
pub const TOKEN_TEE_PUBKEY_PATH_COCO: &str = "/customized_claims/runtime_data/tee-pubkey";
pub const TOKEN_TEE_PUBKEY_PATH_EAR: &str =
"/submods/cpu/ear.veraison.annotated-evidence/runtime_data_claims/tee-pubkey";
"/submods/cpu/ear.trustee.tcb_claims/runtime_data_claims/tee-pubkey";

#[derive(Deserialize, Debug, Clone, PartialEq, Default)]
pub struct AttestationTokenVerifierConfig {
Expand Down
2 changes: 1 addition & 1 deletion kbs/test/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ package policy
default allow = false

allow {
input["submods"]["cpu"]["ear.veraison.annotated-evidence"]["$(TEE)"]
input["submods"]["cpu"]["ear.trustee.tcb_claims"]["$(TEE)"]
}
endef
export TEE_POLICY_REGO
Expand Down
Loading