Configure the SMS at startup to generate Scone sessions in Hardware or MAA mode (#275)

Author: Natchica

CHANGELOG.md

@@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
 
 - Accept scheduler default result-proxy as a web2 secret to fallback on it when no proxy
   is specified in deal parameters. (#273)
+- Configure the SMS at startup to generate Scone sessions in Hardware or MAA mode. (#275)
 
 ### Quality
 

README.md

@@ -84,6 +84,8 @@ To support:
 | `IEXEC_SMS_SSL_KEYSTORE_ALIAS` | Alias that identifies the key in the key store. | String | `iexec-core` |
 | `IEXEC_SCONE_TOLERATED_INSECURE_OPTIONS` | List of hardware or software Scone vulnerabilities to ignore. | String | |
 | `IEXEC_IGNORED_SGX_ADVISORIES` | List of hardware or software Intel vulnerabilities to ignore. | String | |
+| `TEE_SCONE_ATTESTATION_MODE` | Attestation mode used for TEE tasks Scone session generation. | String | `maa` |
+| `TEE_SCONE_ATTESTATION_URL` | URL of the Microsoft Azure Attestation service used for TEE tasks Scone session generation. | URL | `https://sharedweu.weu.attest.azure.net` |
 | `IEXEC_SMS_IMAGE_LAS_IMAGE` | Scontain LAS OCI image to be used by workers to execute TEE tasks. LAS performs local attestation which creates a quote that CAS can verify. | String | |
 
 ## Health checks

src/main/java/com/iexec/sms/tee/session/scone/SconeSessionHandlerService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 IEXEC BLOCKCHAIN TECH
+ * Copyright 2022-2024 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,16 +38,16 @@ public class SconeSessionHandlerService implements TeeSessionHandler {
     private final CasConfiguration casConfiguration;
 
     public SconeSessionHandlerService(SconeSessionMakerService sessionService,
-            CasClient apiClient,
-            CasConfiguration casConfiguration) {
+                                      CasClient apiClient,
+                                      CasConfiguration casConfiguration) {
         this.sessionService = sessionService;
         this.apiClient = apiClient;
         this.casConfiguration = casConfiguration;
     }
 
     /**
      * Build and post secret session on secret provisioning service.
-     * 
+     *
      * @param request tee session generation request
      * @return String secret provisioning service url
      * @throws TeeSessionGenerationException if call to CAS failed

src/main/java/com/iexec/sms/tee/session/scone/SconeSessionMakerService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 IEXEC BLOCKCHAIN TECH
+ * Copyright 2020-2024 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -85,7 +85,7 @@ public SconeSession generateSession(TeeSessionRequest request)
                     teeServicesConfig.getPreComputeProperties().getEntrypoint(),
                     true);
             services.add(sconePreEnclave);
-            images.add(new SconeSession.Image(
+            images.add(new Image(
                     sconePreEnclave.getImageName(),
                     List.of(iexecInVolume)));
         }
@@ -95,7 +95,7 @@ public SconeSession generateSession(TeeSessionRequest request)
                 request.getTaskDescription().getAppCommand(),
                 false);
         services.add(sconeAppEnclave);
-        images.add(new SconeSession.Image(
+        images.add(new Image(
                 sconeAppEnclave.getImageName(),
                 List.of(iexecInVolume, iexecOutVolume)));
         // post
@@ -104,22 +104,27 @@ public SconeSession generateSession(TeeSessionRequest request)
                 teeServicesConfig.getPostComputeProperties().getEntrypoint(),
                 true);
         services.add(sconePostEnclave);
-        images.add(new SconeSession.Image(
+        images.add(new Image(
                 sconePostEnclave.getImageName(),
                 List.of(iexecOutVolume, postComputeTmpVolume)));
 
         return SconeSession.builder()
                 .name(request.getSessionId())
-                .version("0.3")
+                .version("0.3.10")
                 .accessPolicy(new AccessPolicy(List.of("CREATOR"), List.of("NONE")))
                 .services(services)
                 .images(images)
                 .volumes(Arrays.asList(new Volumes(iexecInVolume.getName()),
                         new Volumes(iexecOutVolume.getName()),
                         new Volumes(postComputeTmpVolume.getName())))
-                .security(new Security(
-                        attestationSecurityConfig.getToleratedInsecureOptions(),
-                        attestationSecurityConfig.getIgnoredSgxAdvisories()))
+                .security(
+                        new Security(
+                                attestationSecurityConfig.getToleratedInsecureOptions(),
+                                attestationSecurityConfig.getIgnoredSgxAdvisories(),
+                                attestationSecurityConfig.getMode(),
+                                attestationSecurityConfig.getUrl()
+                        )
+                )
                 .build();
     }
 

src/main/java/com/iexec/sms/tee/session/scone/SconeSessionSecurityConfig.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 IEXEC BLOCKCHAIN TECH
+ * Copyright 2020-2024 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,21 +18,32 @@
 
 import com.iexec.commons.poco.tee.TeeFramework;
 import com.iexec.sms.tee.ConditionalOnTeeFramework;
-import lombok.Getter;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.annotation.Configuration;
+import lombok.Value;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.context.properties.ConstructorBinding;
 
+import javax.validation.constraints.NotBlank;
+import java.net.URL;
 import java.util.List;
 
-@Configuration
+@Value
+@ConstructorBinding
+@ConfigurationProperties(prefix = "tee.scone.attestation")
 @ConditionalOnTeeFramework(frameworks = TeeFramework.SCONE)
 public class SconeSessionSecurityConfig {
+    List<String> toleratedInsecureOptions;
+    List<String> ignoredSgxAdvisories;
+    @NotBlank
+    String mode;
+    URL url;
 
-    @Value("${tee.scone.attestation.tolerated-insecure-options}")
-    @Getter
-    private List<String> toleratedInsecureOptions;
-
-    @Value("${tee.scone.attestation.ignored-sgx-advisories}")
-    @Getter
-    private List<String> ignoredSgxAdvisories;
+    public SconeSessionSecurityConfig(List<String> toleratedInsecureOptions, List<String> ignoredSgxAdvisories, String mode, URL url) {
+        this.toleratedInsecureOptions = toleratedInsecureOptions;
+        this.ignoredSgxAdvisories = ignoredSgxAdvisories;
+        this.mode = mode;
+        this.url = url;
+        if ("maa".equals(this.mode) && this.url == null) {
+            throw new IllegalArgumentException("Attestation URL can not be null when scone session mode is 'maa'");
+        }
+    }
 }

src/main/java/com/iexec/sms/tee/session/scone/cas/SconeSession.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 IEXEC BLOCKCHAIN TECH
+ * Copyright 2022-2024 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@
 import lombok.*;
 import lombok.extern.slf4j.Slf4j;
 
+import java.net.URL;
 import java.util.List;
 
 @Slf4j
@@ -85,8 +86,8 @@ public static class Security {
         @JsonProperty("attestation")
         private Attestation attestation;
 
-        public Security(List<String> tolerate, List<String> ignoreAdvisories) {
-            this.attestation = new Attestation(tolerate, ignoreAdvisories);
+        public Security(List<String> tolerate, List<String> ignoreAdvisories, String mode, URL url) {
+            this.attestation = new Attestation(tolerate, ignoreAdvisories, mode, url);
         }
 
         @AllArgsConstructor
@@ -96,6 +97,10 @@ public class Attestation {
             private List<String> tolerate;
             @JsonProperty("ignore_advisories")
             private List<String> ignoreAdvisories;
+            @JsonProperty("mode")
+            private String mode;
+            @JsonProperty("url")
+            private URL url;
         }
     }
 

src/main/resources/application-scone.yml

@@ -31,3 +31,5 @@ tee:
     attestation:
       tolerated-insecure-options: ${IEXEC_SCONE_TOLERATED_INSECURE_OPTIONS:} # e.g.: hyperthreading,software-hardening-needed,insecure-igpu,outdated-tcb,debug-mode
       ignored-sgx-advisories: ${IEXEC_IGNORED_SGX_ADVISORIES:} # e.g.: INTEL-SA-00220,INTEL-SA-00270
+      mode: maa
+      url: https://sharedweu.weu.attest.azure.net

src/test/java/com/iexec/sms/tee/session/scone/SconeSessionMakerServiceTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 IEXEC BLOCKCHAIN TECH
+ * Copyright 2020-2024 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,29 +23,49 @@
 import com.iexec.sms.tee.session.base.SecretEnclaveBase;
 import com.iexec.sms.tee.session.base.SecretSessionBase;
 import com.iexec.sms.tee.session.base.SecretSessionBaseService;
+import com.iexec.sms.tee.session.generic.TeeSessionGenerationException;
 import com.iexec.sms.tee.session.generic.TeeSessionRequest;
 import com.iexec.sms.tee.session.scone.cas.SconeSession;
 import lombok.extern.slf4j.Slf4j;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
-import org.mockito.MockitoAnnotations;
+import org.mockito.junit.jupiter.MockitoExtension;
 import org.yaml.snakeyaml.Yaml;
 
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
 import java.util.List;
 import java.util.Map;
 
 import static com.iexec.sms.tee.session.TeeSessionTestUtils.*;
 import static org.mockito.Mockito.when;
 
 @Slf4j
+@ExtendWith(MockitoExtension.class)
 class SconeSessionMakerServiceTests {
 
     private static final String PRE_COMPUTE_ENTRYPOINT = "entrypoint1";
     private static final String APP_FINGERPRINT = "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b";
     private static final String APP_ENTRYPOINT = "appEntrypoint";
     private static final String POST_COMPUTE_ENTRYPOINT = "entrypoint3";
+    private static final URL MAA_URL;
+
+    static {
+        try {
+            MAA_URL = new URI("https://maa.attestation.service").toURL();
+        } catch (MalformedURLException | URISyntaxException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private final List<String> toleratedInsecureOptions = List.of("hyperthreading", "debug-mode");
+    private final List<String> ignoredSgxAdvisories = List.of("INTEL-SA-00161", "INTEL-SA-00289");
 
     private final TeeAppProperties preComputeProperties = TeeAppProperties.builder()
             .image("PRE_COMPUTE_IMAGE")
@@ -63,27 +83,29 @@ class SconeSessionMakerServiceTests {
     private SconeServicesProperties teeServicesConfig;
     @Mock
     private SecretSessionBaseService teeSecretsService;
-    @Mock
+
     private SconeSessionSecurityConfig attestationSecurityConfig;
 
     @InjectMocks
     private SconeSessionMakerService palaemonSessionService;
 
-    @BeforeEach
-    void beforeEach() {
-        MockitoAnnotations.openMocks(this);
+    private TeeSessionRequest request;
+
+    private void setupCommonMocks() throws TeeSessionGenerationException {
+        palaemonSessionService = new SconeSessionMakerService(
+                teeSecretsService,
+                teeServicesConfig,
+                attestationSecurityConfig
+        );
+
         when(teeServicesConfig.getPreComputeProperties()).thenReturn(preComputeProperties);
         when(teeServicesConfig.getPostComputeProperties()).thenReturn(postComputeProperties);
-    }
 
-    // region getSessionYml
-    @Test
-    void shouldGetSessionYml() throws Exception {
         TeeEnclaveConfiguration enclaveConfig = TeeEnclaveConfiguration.builder()
                 .fingerprint(APP_FINGERPRINT)
                 .entrypoint(APP_ENTRYPOINT)
                 .build();
-        TeeSessionRequest request = createSessionRequest(createTaskDescription(enclaveConfig).build());
+        request = createSessionRequest(createTaskDescription(enclaveConfig).build());
 
         SecretEnclaveBase preCompute = SecretEnclaveBase.builder()
                 .name("pre-compute")
@@ -141,25 +163,57 @@ void shouldGetSessionYml() throws Exception {
                         .appCompute(appCompute)
                         .postCompute(postCompute)
                         .build());
+    }
 
-        when(attestationSecurityConfig.getToleratedInsecureOptions())
-                .thenReturn(List.of("hyperthreading", "debug-mode"));
-        when(attestationSecurityConfig.getIgnoredSgxAdvisories())
-                .thenReturn(List.of("INTEL-SA-00161", "INTEL-SA-00289"));
+    // region HardwareModeTests
+    @Nested
+    class HardwareModeTests {
+        @BeforeEach
+        void setup() throws TeeSessionGenerationException {
+            attestationSecurityConfig = new SconeSessionSecurityConfig(
+                    toleratedInsecureOptions,
+                    ignoredSgxAdvisories,
+                    "hardware",
+                    null
+            );
+            setupCommonMocks();
+        }
 
-        when(teeSecretsService.getSecretsTokens(request))
-                .thenReturn(SecretSessionBase.builder()
-                        .preCompute(preCompute)
-                        .appCompute(appCompute)
-                        .postCompute(postCompute)
-                        .build());
+        @Test
+        void shouldGenerateHardwareSession() throws Exception {
+            SconeSession actualCasSession = palaemonSessionService.generateSession(request);
+            log.info(actualCasSession.toString());
+            Map<String, Object> actualYmlMap = new Yaml().load(actualCasSession.toString());
+            String expectedYamlString = FileHelper.readFile("src/test/resources/palaemon-tee-session-hardware.yml");
+            Map<String, Object> expectedYmlMap = new Yaml().load(expectedYamlString);
+            assertRecursively(expectedYmlMap, actualYmlMap);
+        }
+    }
+    // endregion
+
+    // region MaaModeTests
+    @Nested
+    class MaaModeTests {
+        @BeforeEach
+        void setup() throws TeeSessionGenerationException {
+            attestationSecurityConfig = new SconeSessionSecurityConfig(
+                    toleratedInsecureOptions,
+                    ignoredSgxAdvisories,
+                    "maa",
+                    MAA_URL
+            );
+            setupCommonMocks();
+        }
 
-        SconeSession actualCasSession = palaemonSessionService.generateSession(request);
-        log.info(actualCasSession.toString());
-        Map<String, Object> actualYmlMap = new Yaml().load(actualCasSession.toString());
-        String expectedYamlString = FileHelper.readFile("src/test/resources/palaemon-tee-session.yml");
-        Map<String, Object> expectedYmlMap = new Yaml().load(expectedYamlString);
-        assertRecursively(expectedYmlMap, actualYmlMap);
+        @Test
+        void shouldGenerateMaaSession() throws Exception {
+            SconeSession actualCasSession = palaemonSessionService.generateSession(request);
+            log.info(actualCasSession.toString());
+            Map<String, Object> actualYmlMap = new Yaml().load(actualCasSession.toString());
+            String expectedYamlString = FileHelper.readFile("src/test/resources/palaemon-tee-session-maa.yml");
+            Map<String, Object> expectedYmlMap = new Yaml().load(expectedYamlString);
+            assertRecursively(expectedYmlMap, actualYmlMap);
+        }
     }
     // endregion
 }