Merge #381

381: [PLAT-66] Nitro nsm r=Pagten a=raoulstrackx

The AWS `nsm-driver` and `nsm-io` crates provide an interface to the AWS Nitro Security Module (NSM), but this is not Rust friendly. This new `nsm` crate avoids having the same conversion everywhere.

Co-authored-by: Raoul Strackx <[email protected]>

Author: bors[bot]

Cargo.lock

@@ -4,11 +4,13 @@ members = [
     "fortanix-vme/eif-tools",
     "fortanix-vme/fortanix-vme-abi",
     "fortanix-vme/fortanix-vme-runner",
+    "fortanix-vme/nsm",
     "fortanix-vme/nitro-attestation-verify",
     "fortanix-vme/tests/hello_world",
     "fortanix-vme/tests/outgoing_connection",
     "fortanix-vme/tests/incoming_connection",
     "fortanix-vme/tests/iron",
+    "fortanix-vme/tests/nsm-test",
     "intel-sgx/aesm-client",
     "intel-sgx/dcap-provider",
     "intel-sgx/dcap-ql-sys",
@@ -34,6 +36,7 @@ exclude = ["examples"]
 [patch.crates-io]
 libc  = { git = "https://github.com/fortanix/libc.git", branch = "fortanixvme" }
 mbedtls = { git = "https://github.com/fortanix/rust-mbedtls", branch = "master" }
+nix   = { git = "https://github.com/fortanix/nix.git", branch = "raoul/fortanixvme_r0.20.2" }
 serde = { git = "https://github.com/fortanix/serde.git", branch = "master" }
 vsock = { git = "https://github.com/fortanix/vsock-rs.git", branch = "fortanixvme" }
 rustc-serialize = { git = "https://github.com/jethrogb/rustc-serialize.git", branch = "portability" }

Cargo.toml

@@ -50,12 +50,15 @@ LIBS_SORTED=$(
 )
 
 for LIB in $LIBS_SORTED; do
+    echo ${LIB}
     LIB_DIR=$(find . -maxdepth 2 -name ${LIB} -type d)
-    cd ${LIB_DIR}
-    ARGS=""
-    if FEATURES="$(cargo read-manifest|jq -r '.metadata.docs.rs.features | join(",")' 2> /dev/null)"; then
-        ARGS="--features $FEATURES"
+    if [[ -d "${LIB_DIR}" ]]; then
+        pushd ${LIB_DIR}
+        ARGS=""
+        if FEATURES="$(cargo read-manifest|jq -r '.metadata.docs.rs.features | join(",")' 2> /dev/null)"; then
+            ARGS="--features $FEATURES"
+        fi
+        cargo doc --no-deps --lib $ARGS
+        popd
     fi
-    cargo doc --no-deps --lib $ARGS
-    cd -
 done

doc/generate-api-docs.sh

@@ -108,18 +108,20 @@ function cargo_test {
                 scp ./test_interaction.sh ubuntu@${AWS_VM}:/home/ubuntu/ci-fortanixvme/${name}/
             fi
         fi
-	RUST_BACKTRACE=full ${elf} -- --nocapture > ${out} 2> ${err}
+	if [ ! -f ./skip_on_dev_platform ]; then
+            RUST_BACKTRACE=full ${elf} -- --nocapture > ${out} 2> ${err}
 
-        out=$(cat ${out} | grep -v "^#" || true)
-        expected=$(cat ./out.expected)
+            out=$(cat ${out} | grep -v "^#" || true)
+            expected=$(cat ./out.expected)
 
-        if [ "${out}" == "${expected}" ]; then
-            echo "Test ${name}: Success"
-        else
-            echo "Test ${name}: Failed"
-	    echo "Got: ${out}"
-            echo "Expected: ${expected}"
-            exit -1
+            if [ "${out}" == "${expected}" ]; then
+                echo "Test ${name}: Success"
+            else
+                echo "Test ${name}: Failed"
+	        echo "Got: ${out}"
+                echo "Expected: ${expected}"
+                exit -1
+            fi
         fi
     fi
 

fortanix-vme/ci-common.sh

@@ -70,7 +70,8 @@ run_tests\
     hello_world \
     outgoing_connection \
     incoming_connection \
-    iron
+    iron \
+    nsm-test
 
 echo "********************************"
 echo "**    All tests succeeded!    **"

fortanix-vme/ci-fortanixvme.sh

@@ -10,7 +10,7 @@ serde_cbor = "0.11"
 # Required until PR36 is accepted
 # https://github.com/awslabs/aws-nitro-enclaves-cose/pull/36
 aws-nitro-enclaves-cose = { version = "0.5.0", git = "https://github.com/fortanix/aws-nitro-enclaves-cose.git", branch = "raoul/crypto_abstraction_pinned", default-features = false }
-mbedtls = { version = "0.8.2", features = ["rdrand", "std", "dsa", "time"], default-features = false, optional = true }
+mbedtls = { version = "0.8.2", features = ["rdrand", "std", "time"], default-features = false, optional = true }
 num-bigint = "0.4"
 serde = { version = "1.0", features = ["derive"] }
 serde_bytes = "0.11"

fortanix-vme/nitro-attestation-verify/Cargo.toml

@@ -22,7 +22,7 @@ use ::mbedtls::{alloc::List as MbedtlsList, x509::{Certificate, VerifyError}};
 mod mbedtls;
 
 #[cfg(feature = "mbedtls")]
-use crate::mbedtls::Mbedtls;
+pub use crate::mbedtls::Mbedtls;
 
 pub trait VerificationType {}
 

fortanix-vme/nitro-attestation-verify/src/lib.rs

@@ -13,7 +13,7 @@ use num_bigint::BigUint;
 use std::sync::Mutex;
 use std::ops::Deref;
 
-pub(crate) struct Mbedtls;
+pub struct Mbedtls;
 
 struct MdType(hash::Type);
 

fortanix-vme/nitro-attestation-verify/src/mbedtls.rs

@@ -0,0 +1,13 @@
+[package]
+name = "nsm"
+version = "0.1.0"
+authors = ["Raoul Strackx <[email protected]>"]
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+nitro-attestation-verify = { path = "../nitro-attestation-verify" }
+nsm-driver = { git = "https://github.com/aws/aws-nitro-enclaves-nsm-api" }
+nsm-io = { git = "https://github.com/aws/aws-nitro-enclaves-nsm-api" }
+serde_bytes = "0.11"