Pass the PCK certificates down to Intel DCAP

Update the QE remote assertion generator so that certificates are
passed through to the Intel code through the Intel architectural
enclave API.

Mark the QE assertion generator and verifier code/protos as public
since QE-based assertions are now fully functional.

PiperOrigin-RevId: 322399797
Change-Id: I1fff9f0f901f61e6f0d07bd42b284c84dbc16197

Author: sethmoo

asylo/identity/attestation/sgx/BUILD

@@ -53,7 +53,7 @@ cc_proto_library(
 proto_library(
     name = "sgx_intel_ecdsa_qe_remote_assertion_authority_config_proto",
     srcs = ["sgx_intel_ecdsa_qe_remote_assertion_authority_config.proto"],
-    visibility = ["//asylo:implementation"],
+    visibility = ["//visibility:public"],
     deps = [
         "//asylo/crypto:certificate_proto",
         "//asylo/identity:identity_acl_proto",
@@ -62,7 +62,7 @@ proto_library(
 
 cc_proto_library(
     name = "sgx_intel_ecdsa_qe_remote_assertion_authority_config_cc_proto",
-    visibility = ["//asylo:implementation"],
+    visibility = ["//visibility:public"],
     deps = ["sgx_intel_ecdsa_qe_remote_assertion_authority_config_proto"],
 )
 
@@ -284,6 +284,7 @@ cc_library(
     hdrs = ["sgx_intel_ecdsa_qe_remote_assertion_generator.h"],
     copts = ASYLO_DEFAULT_COPTS,
     tags = sgx.tags(),
+    visibility = ["//visibility:public"],
     deps = [
         ":sgx_intel_ecdsa_qe_remote_assertion_authority_config_cc_proto",
         "//asylo/crypto:certificate_cc_proto",

asylo/identity/attestation/sgx/internal/BUILD

@@ -302,6 +302,8 @@ cc_library(
     copts = ASYLO_DEFAULT_COPTS,
     visibility = ["//asylo:implementation"],
     deps = [
+        "//asylo/util:error_codes",
+        "//asylo/util:status",
         "@linux_sgx//:public",
         "@sgx_dcap//:pce_types",
         "@sgx_dcap//:quote_wrapper_common",

asylo/identity/attestation/sgx/sgx_intel_ecdsa_qe_remote_assertion_generator.cc

@@ -49,7 +49,6 @@
 #include "QuoteVerification/Src/AttestationLibrary/include/QuoteVerification/QuoteConstants.h"
 
 namespace asylo {
-namespace {
 
 using asylo::sgx::AlignedReportdataPtr;
 using asylo::sgx::AlignedReportPtr;
@@ -63,43 +62,6 @@ using asylo::sgx::kSgxIntelEcdsaQeRemoteAssertionAuthority;
 using GeneratorInfo =
     SgxIntelEcdsaQeRemoteAssertionAuthorityConfig_GeneratorInfo;
 
-// Implements the `absl::visit` pattern for appending the appropriate
-// certification data to a quote returned by the Intel quoting enclave.
-class AppendCertificationDataToQuote {
- public:
-  explicit AppendCertificationDataToQuote(std::vector<uint8_t> *quote)
-      : quote_(quote) {}
-
-  Status operator()(SgxIntelEcdsaQeRemoteAssertionGenerator::UseDcapDefault) {
-    // Noop, leave the quote alone
-    return Status::OkStatus();
-  }
-
-  Status operator()(const CertificateInterfaceVector &pck_certificate_chain) {
-    sgx::IntelQeQuote parsed_quote;
-    ASYLO_ASSIGN_OR_RETURN(parsed_quote, sgx::ParseDcapPackedQuote(*quote_));
-
-    parsed_quote.cert_data.qe_cert_data_type =
-        ::intel::sgx::qvl::constants::PCK_ID_PCK_CERT_CHAIN;
-    parsed_quote.cert_data.qe_cert_data.clear();
-    for (const auto &cert : pck_certificate_chain) {
-      Certificate pem_cert;
-      ASYLO_ASSIGN_OR_RETURN(pem_cert,
-                             cert->ToCertificateProto(Certificate::X509_PEM));
-      std::move(pem_cert.data().begin(), pem_cert.data().end(),
-                std::back_inserter(parsed_quote.cert_data.qe_cert_data));
-    }
-
-    *quote_ = sgx::PackDcapQuote(parsed_quote);
-    return Status::OkStatus();
-  }
-
- private:
-  std::vector<uint8_t> *quote_;
-};
-
-}  // namespace
-
 SgxIntelEcdsaQeRemoteAssertionGenerator::
     SgxIntelEcdsaQeRemoteAssertionGenerator()
     : SgxIntelEcdsaQeRemoteAssertionGenerator(
@@ -140,28 +102,25 @@ Status SgxIntelEcdsaQeRemoteAssertionGenerator::Initialize(
     return Status::OkStatus();
   }
 
-  ASYLO_ASSIGN_OR_RETURN(members_view->certification_data,
-                         ReadCertificationData(parsed_config));
+  ASYLO_RETURN_IF_ERROR(ReadCertificationData(parsed_config));
 
   members_view->is_initialized = true;
   return Status::OkStatus();
 }
 
-StatusOr<SgxIntelEcdsaQeRemoteAssertionGenerator::CertificationData>
-SgxIntelEcdsaQeRemoteAssertionGenerator::ReadCertificationData(
+Status SgxIntelEcdsaQeRemoteAssertionGenerator::ReadCertificationData(
     const SgxIntelEcdsaQeRemoteAssertionAuthorityConfig &config) const {
   switch (config.generator_info().certification_case()) {
     case GeneratorInfo::CERTIFICATION_NOT_SET:
       return Status(error::GoogleError::INVALID_ARGUMENT,
                     "Generator info is missing certification info");
 
     case GeneratorInfo::kPckCertificateChain:
-      return CreateCertificateChain(
-          {{Certificate::X509_PEM, X509Certificate::Create}},
+      return intel_enclaves_->SetPckCertificateChain(
           config.generator_info().pck_certificate_chain());
 
     case GeneratorInfo::kUseDcapDefault:
-      return UseDcapDefault{};
+      return Status::OkStatus();
   }
 
   return Status(
@@ -236,9 +195,6 @@ Status SgxIntelEcdsaQeRemoteAssertionGenerator::Generate(
   std::vector<uint8_t> quote;
   ASYLO_ASSIGN_OR_RETURN(quote, intel_enclaves_->GetQeQuote(report));
 
-  ASYLO_RETURN_IF_ERROR(absl::visit(AppendCertificationDataToQuote{&quote},
-                                    members_.ReaderLock()->certification_data));
-
   assertion->mutable_assertion()->assign(quote.begin(), quote.end());
   assertion->mutable_description()->set_authority_type(AuthorityType());
   assertion->mutable_description()->set_identity_type(IdentityType());

asylo/identity/attestation/sgx/sgx_intel_ecdsa_qe_remote_assertion_generator.h

@@ -22,7 +22,6 @@
 #include <memory>
 #include <string>
 
-#include "absl/types/variant.h"
 #include "asylo/crypto/certificate_util.h"
 #include "asylo/identity/additional_authenticated_data_generator.h"
 #include "asylo/identity/attestation/enclave_assertion_generator.h"
@@ -44,12 +43,6 @@ namespace asylo {
 class SgxIntelEcdsaQeRemoteAssertionGenerator
     : public EnclaveAssertionGenerator {
  public:
-  // Empty type used within the certification data variant
-  struct UseDcapDefault {};
-
-  using CertificationData =
-      absl::variant<UseDcapDefault, CertificateInterfaceVector>;
-
   // Constructs a new `SgxIntelEcdsaQeAssertionGenerator` that internally uses
   // the `EnclaveDcapLibraryInterface`, which uses ocalls to invoke all
   // Intel DCAP APIs. Default-constructed objects generate assertions suitable
@@ -91,10 +84,9 @@ class SgxIntelEcdsaQeRemoteAssertionGenerator
  private:
   struct Members {
     bool is_initialized = false;
-    CertificationData certification_data;
   };
 
-  StatusOr<CertificationData> ReadCertificationData(
+  Status ReadCertificationData(
       const SgxIntelEcdsaQeRemoteAssertionAuthorityConfig &config) const;
 
   MutexGuarded<Members> members_;

asylo/identity/attestation/sgx/sgx_intel_ecdsa_qe_remote_assertion_generator_test.cc

@@ -33,6 +33,7 @@
 #include "asylo/crypto/util/bytes.h"
 #include "asylo/crypto/util/trivial_object_util.h"
 #include "asylo/identity/additional_authenticated_data_generator.h"
+#include "asylo/identity/attestation/sgx/internal/intel_certs/qe_identity.h"
 #include "asylo/identity/attestation/sgx/internal/intel_ecdsa_quote.h"
 #include "asylo/identity/attestation/sgx/internal/mock_intel_architectural_enclave_interface.h"
 #include "asylo/identity/attestation/sgx/sgx_intel_ecdsa_qe_remote_assertion_authority_config.pb.h"
@@ -46,6 +47,7 @@
 #include "asylo/test/util/memory_matchers.h"
 #include "asylo/test/util/proto_matchers.h"
 #include "asylo/test/util/status_matchers.h"
+#include "asylo/util/error_codes.h"
 #include "asylo/util/proto_parse_util.h"
 #include "asylo/util/status.h"
 #include "asylo/util/thread.h"
@@ -75,7 +77,9 @@ class SgxIntelEcdsaQeRemoteAssertionGeneratorTests : public testing::Test {
     EnclaveAssertionAuthorityConfig config;
     ASYLO_ASSERT_OK_AND_ASSIGN(
         config,
-        experimental::CreateSgxIntelEcdsaQeRemoteAssertionAuthorityConfig());
+        experimental::CreateSgxIntelEcdsaQeRemoteAssertionAuthorityConfig(
+            sgx::GetFakePckCertificateChain(),
+            ParseTextProtoOrDie(sgx::kIntelEcdsaQeIdentityTextproto)));
     valid_config_ = std::move(*config.mutable_config());
   }
 
@@ -130,6 +134,8 @@ TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests,
 
 TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests, InitializeWorksOnce) {
   EXPECT_FALSE(generator_.IsInitialized());
+  EXPECT_CALL(*mock_intel_enclaves_, SetPckCertificateChain(_))
+      .WillOnce(Return(Status::OkStatus()));
   EXPECT_THAT(generator_.Initialize(valid_config_), IsOk());
   EXPECT_TRUE(generator_.IsInitialized());
   EXPECT_THAT(generator_.Initialize(valid_config_),
@@ -163,6 +169,24 @@ TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests,
               StatusIs(error::GoogleError::INVALID_ARGUMENT));
 }
 
+TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests,
+       InitializeFailsWhenSetPckCertificateChainFails) {
+  EXPECT_CALL(*mock_intel_enclaves_, SetPckCertificateChain(_))
+      .WillOnce(Return(Status(error::GoogleError::INTERNAL, "kaboom")));
+  EXPECT_THAT(generator_.Initialize(valid_config_),
+              StatusIs(error::GoogleError::INTERNAL));
+}
+
+TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests,
+       InitializeSetsPckCertificateChain) {
+  auto expected_certs = sgx::GetFakePckCertificateChain();
+  EXPECT_CALL(
+      *mock_intel_enclaves_,
+      SetPckCertificateChain(EqualsProto(expected_certs)))
+      .WillOnce(Return(Status::OkStatus()));
+  EXPECT_THAT(generator_.Initialize(valid_config_), IsOk());
+}
+
 TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests, IdentityType) {
   EXPECT_THAT(generator_.IdentityType(), Eq(CODE_IDENTITY));
 }
@@ -174,6 +198,8 @@ TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests, AuthorityType) {
 
 TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests,
        CreateAssertionOfferSuccess) {
+  EXPECT_CALL(*mock_intel_enclaves_, SetPckCertificateChain(_))
+      .WillOnce(Return(Status::OkStatus()));
   ASSERT_THAT(generator_.Initialize(valid_config_), IsOk());
 
   AssertionOffer assertion_offer;
@@ -192,6 +218,8 @@ TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests,
 }
 
 TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests, CanGenerateSuccess) {
+  EXPECT_CALL(*mock_intel_enclaves_, SetPckCertificateChain(_))
+      .WillOnce(Return(Status::OkStatus()));
   ASSERT_THAT(generator_.Initialize(valid_config_), IsOk());
   AssertionRequest request;
   *request.mutable_description() = CreateValidAssertionDescription();
@@ -207,6 +235,8 @@ TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests,
 
 TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests,
        CanGenerateFailsForIncompatibleDescription) {
+  EXPECT_CALL(*mock_intel_enclaves_, SetPckCertificateChain(_))
+      .WillOnce(Return(Status::OkStatus()));
   ASSERT_THAT(generator_.Initialize(valid_config_), IsOk());
   AssertionRequest request;
 
@@ -232,6 +262,8 @@ TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests, GenerateSucceeds) {
   expected_report_data.data.replace(sizeof(kDataSha256) + sizeof(kAadPurpose),
                                     kAadUuid);
 
+  EXPECT_CALL(*mock_intel_enclaves_, SetPckCertificateChain(_))
+      .WillOnce(Return(Status::OkStatus()));
   ASSERT_THAT(generator_.Initialize(valid_config_), IsOk());
   AssertionRequest request;
   *request.mutable_description() = CreateValidAssertionDescription();
@@ -258,51 +290,6 @@ TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests, GenerateSucceeds) {
   EXPECT_THAT(assertion.assertion(), ElementsAreArray(fake_quote));
 }
 
-TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests,
-       GenerateSucceedsWithUserSuppliedCertChain) {
-  SgxIntelEcdsaQeRemoteAssertionAuthorityConfig config;
-  auto cert_chain =
-      config.mutable_generator_info()->mutable_pck_certificate_chain();
-  *cert_chain = sgx::GetFakePckCertificateChain();
-
-  std::string expected_output_cert_chain;
-  for (const auto &cert : cert_chain->certificates()) {
-    ASSERT_THAT(cert.format(), Eq(Certificate::X509_PEM));
-    absl::StrAppend(&expected_output_cert_chain, cert.data(), "\n");
-  }
-
-  std::string serialized_config;
-  ASSERT_TRUE(config.SerializeToString(&serialized_config));
-  EXPECT_THAT(generator_.Initialize(serialized_config), IsOk());
-
-  EXPECT_CALL(*mock_intel_enclaves_, GetQeTargetinfo())
-      .WillOnce(Return(CreateFakeTargetInfo()));
-  EXPECT_CALL(*mock_hardware_interface_, GetReport(_, _))
-      .WillOnce(Return(TrivialRandomObject<Report>()));
-
-  sgx::IntelQeQuote input_quote;
-  RandomFillTrivialObject(&input_quote.header);
-  RandomFillTrivialObject(&input_quote.body);
-  auto fake_quote = TrivialRandomObject<UnsafeBytes<101>>();
-  EXPECT_CALL(*mock_intel_enclaves_, GetQeQuote(_))
-      .WillOnce(Return(sgx::PackDcapQuote(input_quote)));
-
-  AssertionRequest request;
-  *request.mutable_description() = CreateValidAssertionDescription();
-
-  Assertion assertion;
-  ASSERT_THAT(generator_.Generate("user data", request, &assertion), IsOk());
-  sgx::IntelQeQuote output_quote;
-  ASYLO_ASSERT_OK_AND_ASSIGN(output_quote,
-                             sgx::ParseDcapPackedQuote(assertion.assertion()));
-
-  ASSERT_THAT(output_quote.cert_data.qe_cert_data_type,
-              Eq(::intel::sgx::qvl::constants::PCK_ID_PCK_CERT_CHAIN));
-  EXPECT_THAT(std::string(output_quote.cert_data.qe_cert_data.begin(),
-                          output_quote.cert_data.qe_cert_data.end()),
-              Eq(expected_output_cert_chain));
-}
-
 TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests,
        GenerateFailsIfNotInitialized) {
   ASSERT_FALSE(generator_.IsInitialized());
@@ -314,6 +301,8 @@ TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests,
 
 TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests,
        GenerateFailsForIncompatibleDescription) {
+  EXPECT_CALL(*mock_intel_enclaves_, SetPckCertificateChain(_))
+      .WillOnce(Return(Status::OkStatus()));
   ASSERT_THAT(generator_.Initialize(valid_config_), IsOk());
   AssertionRequest request;
   Assertion assertion;
@@ -335,6 +324,9 @@ TEST_F(SgxIntelEcdsaQeRemoteAssertionGeneratorTests,
        InitializeSucceedsOnceFromMultipleThreads) {
   constexpr int kNumThreads = 10;
 
+  EXPECT_CALL(*mock_intel_enclaves_, SetPckCertificateChain(_))
+      .WillOnce(Return(Status::OkStatus()));
+
   std::atomic<int> success_count(0);
   std::vector<Thread> threads;
   threads.reserve(kNumThreads);