Merge pull request #8 from PeterFarber/peterfarber/attest-key

feat(ao_app): added attest_key func to use gotpm attest on 0 padded wallet addr

Author: twilson63

DEPLOY-notes.md

@@ -0,0 +1,39 @@
+# Deploy notes
+
+This document describes the notes for deploying HyperBEAM using packer.
+
+Packer is a tool that enables a single build to create images for multiple
+distribution networks.
+
+The current version is setup for gcp, so you will need to install your gcp.
+
+
+* https://cloud.google.com/sdk/docs/install
+
+* https://cloud.google.com/sdk/docs/initializing
+
+* https://cloud.google.com/docs/authentication/provide-credentials-adc#how-to
+
+Install Packer
+
+* https://developer.hashicorp.com/packer/tutorials/docker-get-started/get-started-install-cli
+
+```sh
+rebar3 clean
+rebar3 get-deps
+rebar3 compile
+rebar3 release
+```
+
+```sh
+packer init .
+packer validate .
+packer build .
+```
+
+Install go-tpm-tools
+Install erlinit
+
+possibly build ao project using nerves
+
+replace /sbin/init with erlinit

GCP-notes.md

@@ -0,0 +1,125 @@
+# GCP & GoTPM Tools
+
+## Table of Contents
+
+- [GCP \& GoTPM Tools](#gcp--gotpm-tools)
+  - [Table of Contents](#table-of-contents)
+  - [Variables](#variables)
+  - [Create an AMD SEV-SNP Instance](#create-an-amd-sev-snp-instance)
+  - [Create an Intel TDX Instance](#create-an-intel-tdx-instance)
+  - [Connecting to the Instance](#connecting-to-the-instance)
+  - [Useful Commands](#useful-commands)
+    - [List Available Machine Types](#list-available-machine-types)
+    - [Generate Random Nonces](#generate-random-nonces)
+    - [Run `gotpm` Attestation](#run-gotpm-attestation)
+  - [Notes](#notes)
+
+## Variables
+
+```sh
+export GCI_NAME=PETES-SEV-SNP-TEST-0
+export GCI_PROJECT=arweave-437622
+export GCI_IMAGE=packer-1730219529 
+export GCI_ZONE=us-central1-a
+```
+
+## Create an AMD SEV-SNP Instance
+
+```sh
+gcloud compute instances create $GCI_NAME \
+    --zone=$GCI_ZONE \
+    --machine-type=n2d-standard-2 \
+    --min-cpu-platform="AMD Milan" \
+    --confidential-compute-type=SEV_SNP \
+    --maintenance-policy=TERMINATE \
+    --image-family=ubuntu-2404-lts-amd64 \
+    --image-project=ubuntu-os-cloud \
+    --project=$GCI_PROJECT \
+    --network-interface=network-tier=PREMIUM,nic-type=GVNIC,stack-type=IPV4_ONLY,subnet=default \
+    --tags=http-server,https-server \
+    --shielded-secure-boot \
+    --shielded-vtpm \
+    --shielded-integrity-monitoring \
+    --create-disk=auto-delete=yes,boot=yes,device-name=instance-20241030-131350,image=projects/$GCI_PROJECT/global/images/$GCI_IMAGE,mode=rw,size=20,type=pd-balanced
+```
+
+## Create an Intel TDX Instance
+
+```sh
+gcloud compute instances create $GCI_NAME \
+    --zone=$GCI_ZONE \
+    --machine-type=c3-standard-4 \
+    --confidential-compute-type=TDX \
+    --maintenance-policy=TERMINATE \
+    --image-family=ubuntu-2204-lts \
+    --image-project=ubuntu-os-cloud \
+    --project=$GCI_PROJECT \
+    --network-interface=network-tier=PREMIUM,nic-type=GVNIC,stack-type=IPV4_ONLY,subnet=default \
+    --tags=http-server,https-server \
+    --shielded-secure-boot \
+    --shielded-vtpm \
+    --shielded-integrity-monitoring \
+    --create-disk=auto-delete=yes,boot=yes,device-name=instance-20241030-131350,image=projects/$GCI_PROJECT/global/images/$GCI_IMAGE,mode=rw,size=20,type=pd-balanced
+```
+
+## Connecting to the Instance
+
+```sh
+gcloud compute ssh --zone "$GCI_ZONE" "$GCI_NAME" --project "$GCI_PROJECT"
+```
+
+## Useful Commands
+
+### List Available Machine Types
+
+```sh
+gcloud compute machine-types list --zones=$GCI_ZONE
+```
+
+### Generate Random Nonces
+
+- **32-byte Nonce** (for `--nonce`):
+
+  ```sh
+  head -c 32 /dev/urandom | xxd -p -c 64
+  ```
+
+- **64-byte TEE Nonce** (for `--tee-nonce`):
+
+  ```sh
+  head -c 64 /dev/urandom | xxd -p -c 128
+  ```
+
+### Run `gotpm` Attestation
+
+```sh
+sudo gotpm attest --key AK --nonce <32 bytes (64 hex characters)> --tee-nonce <64 bytes (128 hex characters)> --tee-technology <sev-snp/tdx>
+```
+
+## Notes
+
+> [!NOTE]
+> The requirement to include both `--nonce` and `--tee-nonce` for the `gotpm attest` command, even when `--tee-technology` (e.g., `sev-snp` or `tdx`) is specified, indicates that **both TPM and TEE layers** of attestation are being validated in this command. Here’s why this is the case:
+>
+> ### Dual-Layer Attestation in Confidential VMs
+>
+> **TPM Attestation Layer**:
+>
+> - The **`--nonce`** parameter is required for the **TPM (Trusted Platform Module) attestation**. It acts as a freshness mechanism for the TPM-based portion of the attestation, preventing replay attacks by ensuring the response is unique to each request.
+> - Even when the TEE technology is specified, `gotpm` still performs TPM-based attestation, which includes the TPM nonce (`--nonce`) in the attestation report.
+>
+> **TEE-Specific Attestation Layer**:
+>
+> - The **`--tee-nonce`** parameter is required for the **TEE (Trusted Execution Environment) attestation**. This layer provides hardware-backed isolation (e.g., Intel TDX or AMD SEV-SNP), and the larger 64-byte nonce uniquely identifies the TEE attestation report.
+> - The `--tee-technology` option (e.g., `sev-snp` or `tdx`) specifies which TEE environment to use, and `--tee-nonce` is essential for proving the freshness of the TEE report in that specific environment.
+>
+> ### Why Both Nonces Are Required Together
+>
+> Since the command produces an attestation report containing **both TPM and TEE layers**, each layer requires its own nonce:
+>
+> - **`--nonce` (TPM layer)**: Required for the general TPM quote in the attestation.
+> - **`--tee-nonce` (TEE layer)**: Required specifically for the TEE report tied to `sev-snp` or `tdx`.
+>
+> This design ensures that the attestation report is comprehensive and includes **freshness proofs** for both the TPM and TEE components, preventing replay attacks across both security layers. This dual nonce requirement is specific to environments where both TPM and TEE attestation are requested together, as in a Confidential VM using TEE.
+
+---

packer.pkr.hcl

@@ -0,0 +1,104 @@
+packer {
+  required_plugins {
+    googlecompute = {
+      version = ">= 1.1.6"
+      source  = "github.com/hashicorp/googlecompute"
+    }
+  }
+}
+
+# Define required variables
+variable "project_id" {
+  type    = string
+  default = "arweave-437622"
+}
+
+variable "region" {
+  type    = string
+  default = "us-east1"
+}
+
+variable "zone" {
+  type    = string
+  default = "us-east1-c"
+}
+
+variable "image_family" {
+  type    = string
+  default = "ao-image"
+}
+
+# Source block to define GCP builder
+source "googlecompute" "ubuntu" {
+  project_id          = var.project_id
+  source_image_family = "ubuntu-2204-lts"
+  zone                = var.zone
+  machine_type        = "n1-standard-1"
+  ssh_username        = "packer"
+}
+
+# Define the build stage
+build {
+  sources = ["source.googlecompute.ubuntu"]
+
+  # Add a provisioner to download and install go-tpm-tools
+  provisioner "shell" {
+    inline = [
+      "sudo apt-get update -y",
+      "sudo apt-get install -y wget tar",
+
+      # Download the go-tpm-tools binary archive
+      "wget https://github.com/google/go-tpm-tools/releases/download/v0.4.4/go-tpm-tools_Linux_x86_64.tar.gz -O /tmp/go-tpm-tools.tar.gz",
+
+      # Extract the binary
+      "tar -xzf /tmp/go-tpm-tools.tar.gz -C /tmp",
+
+      # Move the gotpm binary to /usr/local/bin
+      "sudo mv /tmp/gotpm /usr/local/bin/",
+
+      # Clean up
+      "rm -f /tmp/go-tpm-tools.tar.gz /tmp/LICENSE /tmp/README.md"
+    ]
+  }
+
+
+  # Upload the pre-built release (with ERTS included) to the instance
+  provisioner "file" {
+    source      = "./_build/default/rel/ao"
+    destination = "/tmp/ao"
+  }
+
+  provisioner "shell" {
+    inline = [
+      # Move the release to /opt with sudo
+      "sudo mv /tmp/ao /opt/ao",
+      "sudo chmod -R 755 /opt/ao",
+
+      # Create a symlink to make it easier to run the app
+      "sudo ln -s /opt/ao/bin/ao /usr/local/bin/ao",
+
+      # (Optional) If you want to create a systemd service to manage the app
+      "echo '[Unit]' | sudo tee /etc/systemd/system/ao.service",
+      "echo 'Description=Permaweb Node' | sudo tee -a /etc/systemd/system/ao.service",
+      "echo '[Service]' | sudo tee -a /etc/systemd/system/ao.service",
+      "echo 'Type=simple' | sudo tee -a /etc/systemd/system/ao.service",
+      "echo 'ExecStart=/opt/ao/bin/ao foreground' | sudo tee -a /etc/systemd/system/ao.service",
+      "echo 'Restart=on-failure' | sudo tee -a /etc/systemd/system/ao.service",
+      "echo '[Install]' | sudo tee -a /etc/systemd/system/ao.service",
+      "echo 'WantedBy=multi-user.target' | sudo tee -a /etc/systemd/system/ao.service",
+
+      # Enable and start the service
+      "sudo systemctl enable ao",
+      "sudo systemctl start ao"
+    ]
+  }
+
+  # Disable ssh
+  # provisioner "shell" {
+  #  inline = [
+  #    "sudo systemctl stop ssh",
+  #    "sudo systemctl disable ssh"
+  #  ]
+  # }
+}
+

rebar.config

@@ -42,4 +42,10 @@
     {apps, [ao]}
 ]}.
 
-{eunit_opts, [verbose]}.
+{eunit_opts, [verbose]}.
+
+{relx, [
+    {release, {'ao', "0.0.1"}, [ao, jiffy, cowboy, gun, gproc, b64fast]},
+    {include_erts, true},
+    {extended_start_script, true}
+  ]}.

src/ao_app.erl

@@ -8,10 +8,14 @@
 -behaviour(application).
 
 -export([start/2, stop/1]).
+-export([attest_key/0]).
 
 -include("include/ao.hrl").
 
+-ao_debug(print).
+
 start(_StartType, _StartArgs) ->
+    attest_key(),
     ao_sup:start_link(),
     ok = su_registry:start(),
     _TimestampServer = su_timestamp:start(),
@@ -23,23 +27,54 @@ stop(_State) ->
 attest_key() ->
     W = ao:wallet(),
     Addr = ar_wallet:to_address(W),
-    Cmd = lists:flatten(io_lib:format("...", [])),
-    case os:cmd(Cmd) of
-        {ok, Res} ->
-            Signed = ar_bundle:sign_item(
-                #tx{
-                    tags = [
-                        {<<"Type">>, <<"TEE-Attestation">>},
-                        {<<"Address">>, ar_util:id(Addr)}
-                    ],
-                    data = Res
-                },
-                W
-            ),
-            ao_client:upload(Signed),
-            ok;
-        {error, _} ->
-            skip
+
+    % Pad the address to 32 bytes (64 hex characters) for the TPM nonce
+    Nonce = pad_to_size(Addr, 32),
+
+    % Pad the address to 64 bytes (128 hex characters) for the TEE nonce
+    TeeNonce = pad_to_size(Addr, 64),
+
+    % Determine tee-technology based on the existence of TEE devices
+    TeeTech = case os:cmd("test -e /dev/tdx_guest && echo tdx || (test -e /dev/sev_guest && echo sev-snp)") of
+        "tdx\n" -> "tdx";
+        "sev-snp\n" -> "sev-snp";
+        _ -> {error, "No TEE device found"}
+    end,
+
+    % Proceed if a valid TEE technology is found
+    case TeeTech of
+        {error, _} -> {error, "Required TEE device not found"};
+        _ ->
+            Cmd = lists:flatten(io_lib:format("sudo gotpm attest --key AK --nonce ~s --tee-nonce ~s --tee-technology ~s", [Nonce, TeeNonce, TeeTech])),
+            CommandResult = os:cmd(Cmd),
+            case is_list(CommandResult) of
+                true ->
+                    % If CommandResult is a list of integers, convert it to binary
+                    BinaryResult = list_to_binary(CommandResult),
+                    ?c(BinaryResult),
+                    Signed = ar_bundles:sign_item(
+                        #tx{
+                            tags = [
+                                {<<"Type">>, <<"TEE-Attestation">>},
+                                {<<"Address">>, ar_util:id(Addr)}
+                            ],
+                            data = BinaryResult
+                        },
+                        W
+                    ),
+                    ?c(Signed),
+                    ao_client:upload(Signed),
+                    ok;
+                false ->
+                    {error, "Unexpected output format from gotpm attest command"}
+            end
     end.
 
+% Pads an address to the specified byte size (in hex characters)
+pad_to_size(Addr, SizeInBytes) ->
+    HexAddr = binary:encode_hex(Addr),
+    RequiredLength = SizeInBytes * 2,  % Convert bytes to hex characters
+    Padding = RequiredLength - byte_size(HexAddr),
+    lists:duplicate(Padding, $0) ++ HexAddr.
+
 %% internal functions

src/ar_util.erl

@@ -3,6 +3,14 @@
 -export([remove_common/2]).
 -include("include/ao.hrl").
 
+%% @doc Encode an ID in any format to a normalized, b64u 43 character binary.
+id(Bin) when is_binary(Bin) andalso byte_size(Bin) == 43 ->
+	Bin;
+id(Bin) when is_binary(Bin) andalso byte_size(Bin) == 32 ->
+	b64fast:encode(Bin);
+id(Data) when is_list(Data) ->
+	id(list_to_binary(Data)).
+
 %% @doc Encode an ID in any format to a normalized, b64u 43 character binary.
 id(Bin) when is_binary(Bin) andalso byte_size(Bin) == 43 ->
 	Bin;