
Commit bf71a4d

kbs: add az-tdx-vtpm evidence parsing to ITA
We extend the current parsing to version-aware parsing. It would be neat to import the schema from the other verifiers, but that would pull in a lot of platform-dependent code (sev, vtpm) and prevent compilation for targets without TPM or x86_64 instruction support. Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
1 parent ae47352 commit bf71a4d


3 files changed

+49
-5
lines changed


Cargo.lock

Lines changed: 2 additions & 1 deletion

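--- a/kbs/Cargo.toml
+++ b/kbs/Cargo.toml
@@ -78,6 +78,7 @@ serde_qs.workspace = true
 semver = "1.0.16"
 serde = { workspace = true, features = ["derive"] }
 serde_json.workspace = true
+serde_with.workspace = true
 sha2.workspace = true
 strum.workspace = true
 tempfile.workspace = true
@@ -88,7 +89,7 @@ tonic = { workspace = true, optional = true }
 tonic-prost = { workspace = true, optional = true }
 uuid = { version = "1.19.0", features = ["serde", "v4"] }
 openssl.workspace = true
-az-cvm-vtpm = { version = "0.7.4", default-features = false, optional = true }
+az-cvm-vtpm = { version = "0.8.0", default-features = false, optional = true }
 vaultrs = { version = "0.7.4", optional = true }
 
 [target.'cfg(not(any(target_arch = "s390x", target_arch = "aarch64")))'.dependencies]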

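--- a/kbs/src/attestation/intel_trust_authority/mod.rs
+++ b/kbs/src/attestation/intel_trust_authority/mod.rs
@@ -15,6 +15,8 @@ use kbs_types::{Challenge, HashAlgorithm, Tee};
 use reqwest::header::{ACCEPT, CONTENT_TYPE, USER_AGENT};
 use serde::{Deserialize, Serialize};
 use serde_json::{from_value, json};
+use serde_with::base64::{Base64, UrlSafe};
+use serde_with::serde_as;
 use sha2::{Digest, Sha512};
 use std::result::Result::Ok;
 
@@ -42,11 +44,51 @@ struct DcapTeeEvidence {
 }
 
 #[derive(Deserialize, Debug)]
-struct AzItaTeeEvidence {
+struct AzItaTeeEvidenceV0 {
 hcl_report: Vec<u8>,
 td_quote: Vec<u8>,
 }
 
+#[derive(Deserialize, Debug)]
+enum AzItaTeeEvidenceVersion {
+#[serde(rename = "1")]
+V1,
+}
+
+#[serde_as]
+#[derive(Deserialize, Debug)]
+struct AzItaTeeEvidenceV1 {
+#[allow(dead_code)]
+version: AzItaTeeEvidenceVersion,
+#[serde_as(as = "Base64<UrlSafe>")]
+hcl_report: Vec<u8>,
+#[serde_as(as = "Base64<UrlSafe>")]
+td_quote: Vec<u8>,
+}
+
+#[derive(Deserialize, Debug)]
+#[serde(untagged)]
+enum AzItaTeeEvidence {
+V0(AzItaTeeEvidenceV0),
+V1(AzItaTeeEvidenceV1),
+}
+
+impl AzItaTeeEvidence {
+fn hcl_report(&self) -> &Vec<u8> {
+match self {
+Self::V0(evidence) => &evidence.hcl_report,
+Self::V1(evidence) => &evidence.hcl_report,
+}
+}
+
+fn td_quote(&self) -> &Vec<u8> {
+match self {
+Self::V0(evidence) => &evidence.td_quote,
+Self::V1(evidence) => &evidence.td_quote,
+}
+}
+}
+
 #[derive(Deserialize)]
 struct NvDeviceEvidence {
 device_evidence_list: Vec<NvDeviceReportAndCert>,
@@ -132,10 +174,10 @@ impl Attest for IntelTrustAuthority {
 independent_evidence.tee
 ))?;
 
-let hcl_report = HclReport::new(evidence.hcl_report.clone())?;
+let hcl_report = HclReport::new(evidence.hcl_report().clone())?;
 
 req_data.tdx = Some(DcapTeeEvidence {
-quote: STANDARD.encode(evidence.td_quote),
+quote: STANDARD.encode(evidence.td_quote()),
 runtime_data: STANDARD.encode(hcl_report.var_data()),
 user_data: Some(
 STANDARD.encode(independent_evidence.runtime_data.to_string()),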
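Review bot: The `version` tag in the new untagged `AzItaTeeEvidence` enum is only enforced on the `V1` path; `AzItaTeeEvidenceV0` has no `deny_unknown_fields`, so a payload that carries an unrecognised version (say `"version": "2"`) together with array-encoded `hcl_report`/`td_quote` is tried as `V0` first, accepted, and its version is never checked. Adding `#[serde(deny_unknown_fields)]` to `AzItaTeeEvidenceV0` (assuming legacy senders emit only those two keys) makes the version tag authoritative, and a comment on the enum such as `// untagged: variant order is load-bearing — V0 must precede V1 so legacy array-encoded payloads are tried first` records why the order must not change. The `#[allow(dead_code)]` on `version` deserves a one-line reason, e.g. `// deserialized only to reject unknown versions; never read afterwards`. Unless I misremember serde_with's defaults, `Base64<UrlSafe>` requires padded input, so confirm the attester emits padded base64url or switch to `Base64<UrlSafe, Unpadded>`. The `evidence.hcl_report()` / `td_quote()` call sites at the end sit in a method of `impl Attest for IntelTrustAuthority` that starts and ends outside the hunk.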
