Attesting data

Author: raoulstrackx

Cargo.lock

@@ -4,11 +4,13 @@ members = [
     "fortanix-vme/eif-tools",
     "fortanix-vme/fortanix-vme-abi",
     "fortanix-vme/fortanix-vme-runner",
+    "fortanix-vme/nsm",
     "fortanix-vme/nitro-attestation-verify",
     "fortanix-vme/tests/hello_world",
     "fortanix-vme/tests/outgoing_connection",
     "fortanix-vme/tests/incoming_connection",
     "fortanix-vme/tests/iron",
+    "fortanix-vme/tests/nsm-test",
     "intel-sgx/aesm-client",
     "intel-sgx/dcap-provider",
     "intel-sgx/dcap-ql-sys",
@@ -34,6 +36,7 @@ exclude = ["examples"]
 [patch.crates-io]
 libc  = { git = "https://github.com/fortanix/libc.git", branch = "fortanixvme" }
 mbedtls = { git = "https://github.com/fortanix/rust-mbedtls", branch = "master" }
+nix   = { git = "https://github.com/fortanix/nix.git", branch = "raoul/fortanixvme_r0.20.2" }
 serde = { git = "https://github.com/fortanix/serde.git", branch = "master" }
 vsock = { git = "https://github.com/fortanix/vsock-rs.git", branch = "fortanixvme" }
 rustc-serialize = { git = "https://github.com/jethrogb/rustc-serialize.git", branch = "portability" }

Cargo.toml

@@ -108,18 +108,20 @@ function cargo_test {
                 scp ./test_interaction.sh ubuntu@${AWS_VM}:/home/ubuntu/ci-fortanixvme/${name}/
             fi
         fi
-	RUST_BACKTRACE=full ${elf} -- --nocapture > ${out} 2> ${err}
+	if [ ! -f ./skip_on_dev_platform ]; then
+            RUST_BACKTRACE=full ${elf} -- --nocapture > ${out} 2> ${err}
 
-        out=$(cat ${out} | grep -v "^#" || true)
-        expected=$(cat ./out.expected)
+            out=$(cat ${out} | grep -v "^#" || true)
+            expected=$(cat ./out.expected)
 
-        if [ "${out}" == "${expected}" ]; then
-            echo "Test ${name}: Success"
-        else
-            echo "Test ${name}: Failed"
-	    echo "Got: ${out}"
-            echo "Expected: ${expected}"
-            exit -1
+            if [ "${out}" == "${expected}" ]; then
+                echo "Test ${name}: Success"
+            else
+                echo "Test ${name}: Failed"
+	        echo "Got: ${out}"
+                echo "Expected: ${expected}"
+                exit -1
+            fi
         fi
     fi
 

fortanix-vme/ci-common.sh

@@ -70,7 +70,8 @@ run_tests\
     hello_world \
     outgoing_connection \
     incoming_connection \
-    iron
+    iron \
+    nsm-test
 
 echo "********************************"
 echo "**    All tests succeeded!    **"

fortanix-vme/ci-fortanixvme.sh

@@ -0,0 +1,12 @@
+[package]
+name = "nsm"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+nitro-attestation-verify = { path = "../nitro-attestation-verify" }
+nsm-driver = { git = "https://github.com/aws/aws-nitro-enclaves-nsm-api" }
+nsm-io = { git = "https://github.com/aws/aws-nitro-enclaves-nsm-api" }
+serde_bytes = "0.11"

fortanix-vme/nsm/Cargo.toml

@@ -0,0 +1,106 @@
+pub use nitro_attestation_verify::{AttestationDocument, Unverified, NitroError as AttestationError};
+use nsm_io::{ErrorCode, Response, Request};
+pub use serde_bytes::ByteBuf;
+
+pub struct Nsm(i32);
+
+#[derive(Debug)]
+pub enum Error {
+    AttestationError(AttestationError),
+    BufferTooSmall,
+    CannotOpenDriver,
+    InputTooLarge,
+    InternalError,
+    InvalidArgument,
+    InvalidOperation,
+    InvalidPcrIndex,
+    InvalidResponse,
+    ReadOnlyPcrIndex,
+}
+
+impl std::fmt::Display for Error {
+    fn fmt(&self, fmt: &mut std::fmt::Formatter) -> std::fmt::Result {
+        match self {
+            Error::AttestationError(ref msg) => write!(fmt, "Attestation error: {}", msg),
+            Error::BufferTooSmall => write!(fmt, "Buffer too small"),
+            Error::CannotOpenDriver => write!(fmt, "CannotOpenDriver"),
+            Error::InputTooLarge => write!(fmt, "InputTooLarge"),
+            Error::InternalError => write!(fmt, "InternalError"),
+            Error::InvalidArgument => write!(fmt, "InvalidArgument"),
+            Error::InvalidOperation => write!(fmt, "InvalidOperation"),
+            Error::InvalidPcrIndex => write!(fmt, "InvalidPcrIndex"),
+            Error::InvalidResponse => write!(fmt, "InvalidResponse"),
+            Error::ReadOnlyPcrIndex => write!(fmt, "ReadOnlyPcrIndex"),
+        }
+    }
+}
+
+impl std::error::Error for Error {
+    fn description(&self) -> &str {
+        match self {
+            Error::AttestationError(_e) => "Attestation error",
+            Error::BufferTooSmall => "Provided output buffer too small",
+            Error::CannotOpenDriver => "Failed to open driver",
+            Error::InputTooLarge => "User-provided input is too large",
+            Error::InternalError => "NitroSecureModule cannot fulfill request due to internal error",
+            Error::InvalidArgument => "Invalid input argument",
+            Error::InvalidOperation => "Request cannot be fulfilled due to missing capabilities",
+            Error::InvalidPcrIndex => "Platform Configuration Register index out of bounds",
+            Error::InvalidResponse => "The received response does not correspond to the earlier request",
+            Error::ReadOnlyPcrIndex => "Platform Configuration Register is in read-only mode and the operation attempted to modify it",
+        }
+    }
+}
+
+impl From<AttestationError> for Error {
+    fn from(e: AttestationError) -> Self {
+        Error::AttestationError(e)
+    }
+}
+
+impl From<ErrorCode> for Error {
+    fn from(e: ErrorCode) -> Self {
+        match e {
+            ErrorCode::InvalidArgument => Error::InvalidArgument,
+            ErrorCode::InvalidIndex => Error::InvalidPcrIndex,
+            ErrorCode::InvalidResponse => Error::InvalidResponse,
+            ErrorCode::ReadOnlyIndex => Error::ReadOnlyPcrIndex,
+            ErrorCode::InvalidOperation => Error::InvalidOperation,
+            ErrorCode::BufferTooSmall => Error::BufferTooSmall,
+            ErrorCode::InputTooLarge => Error::InputTooLarge,
+            ErrorCode::InternalError => Error::InternalError,
+            ErrorCode::Success => Error::InvalidResponse,
+        }
+    }
+}
+
+impl Nsm {
+    pub fn new() -> Result<Self, Error> {
+        let fd = nsm_driver::nsm_init();
+
+        if fd < 0 {
+            Err(Error::CannotOpenDriver)
+        } else {
+            Ok(Nsm(fd))
+        }
+    }
+
+    pub fn attest(&mut self, user_data: Option<ByteBuf>, nonce: Option<ByteBuf>, public_key: Option<ByteBuf>) -> Result<AttestationDocument<Unverified>, Error> {
+        let req = Request::Attestation {
+            user_data,
+            nonce,
+            public_key,
+        };
+        match nsm_driver::nsm_process_request(self.0, req) {
+            Response::Attestation { document } => Ok(AttestationDocument::from_slice(document.as_slice())?),
+            Response::Error(code) => Err(code.into()),
+            _ => Err(Error::InvalidResponse),
+        }
+    }
+}
+
+impl Drop for Nsm {
+    fn drop(&mut self) {
+        nsm_driver::nsm_exit(self.0);
+    }
+}

fortanix-vme/nsm/src/lib.rs

@@ -0,0 +1,10 @@
+[package]
+name = "nsm-test"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+nsm = { path = "../../nsm" }
+pkix = { version = "0.1" }

fortanix-vme/tests/nsm-test/Cargo.toml

@@ -0,0 +1 @@
+Hello, world!

fortanix-vme/tests/nsm-test/out.expected

@@ -0,0 +1 @@
+Yes, this test only makes sense running as an AWS Nitro enclave

fortanix-vme/tests/nsm-test/skip_on_dev_platform

@@ -0,0 +1,24 @@
+use nsm::{ByteBuf, Nsm};
+
+fn main() {
+    let mut nsm = Nsm::new().unwrap();
+    let user_data = ByteBuf::from(vec![0, 1, 2]);
+    let nonce = ByteBuf::from(vec![3, 4, 5]);
+    let pub_key = ByteBuf::from(vec![6, 7, 8]);
+    let doc = nsm.attest(Some(user_data.clone()), Some(nonce.clone()), Some(pub_key.clone())).unwrap();
+    println!("#module_id: {}", doc.module_id);
+    println!("#timestamp: {}", doc.timestamp);
+    println!("digest: {}", doc.digest);
+    assert_eq!(doc.digest, "SHA384");
+    for (idx, val) in doc.pcrs.iter() {
+        println!("# pcr{} = {:?}", idx, val);
+    }
+    println!("#certificate: {}", pkix::pem::der_to_pem(&doc.certificate, pkix::pem::PEM_CERTIFICATE));
+    println!("#cabundle: {:?}", doc.cabundle.iter().map(|cert| pkix::pem::der_to_pem(cert, pkix::pem::PEM_CERTIFICATE)).collect::<Vec::<String>>());
+    println!("public_key: {:?}", pkix::pem::der_to_pem(doc.public_key.as_ref().unwrap(), pkix::pem::PEM_CERTIFICATE));
+    assert_eq!(doc.public_key.unwrap(), pub_key);
+    println!("user_data: {:?}", doc.user_data);
+    assert_eq!(doc.user_data.unwrap(), user_data);
+    println!("nonce: {:?}", doc.nonce);
+    assert_eq!(doc.nonce.unwrap(), nonce);
+}