kernel/attest: Decrypt secret from attestation proxy

On a successful attestation, the driver will receive an encrypted secret
from the attestation server. Decrypt the secret using an ECDH handshake
(with the server's public key, which is also supplied) and return it.

Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>

Author: tylerfanelli

Cargo.lock

@@ -57,6 +57,7 @@ release = { path = "release" }
 virtio-drivers = { path = "virtio-drivers" }
 
 # crates.io
+aes = "0.8.4"
 aes-gcm = { version = "0.10.3", default-features = false }
 arbitrary = "1.3.0"
 base64 = { version = "0.22.1", default-features = false }

Cargo.toml

@@ -129,10 +129,33 @@ impl AttestationProtocol for KbsProtocol {
         let resp: Response = serde_json::from_str(&text)
             .context("unable to convert KBS /resource response to KBS Response object")?;
 
+        let pub_key = {
+            let val = serde_json::from_slice(&resp.encrypted_key).unwrap();
+            let Value::Object(map) = val else {
+                panic!();
+            };
+
+            let x = map.get("x_b64url").unwrap();
+            let Value::String(x) = x else {
+                panic!();
+            };
+
+            let y = map.get("y_b64url").unwrap();
+            let Value::String(y) = y else {
+                panic!();
+            };
+
+            AttestationKey::EC {
+                crv: "EC384".to_string(),
+                x_b64url: x.to_string(),
+                y_b64url: y.to_string(),
+            }
+        };
+
         Ok(AttestationResponse {
             success: true,
             secret: Some(resp.ciphertext),
-            pub_key: Some(resp.encrypted_key),
+            pub_key: Some(pub_key),
         })
     }
 }

aproxy/src/backend/kbs.rs

@@ -25,6 +25,7 @@ libaproxy = { workspace = true, optional = true }
 elf.workspace = true
 syscall.workspace = true
 
+aes = { workspace = true, optional = true }
 aes-gcm = { workspace = true, features = ["aes", "alloc"] }
 base64 = { workspace = true, optional = true, features = ["alloc"] }
 bitfield-struct.workspace = true
@@ -69,7 +70,7 @@ verus_stub = { workspace = true }
 test.workspace = true
 
 [features]
-attest = ["dep:base64", "dep:cocoon-tpm-crypto", "dep:cocoon-tpm-tpm2-interface", "dep:cocoon-tpm-utils-common", "dep:kbs-types", "dep:libaproxy", "dep:serde", "dep:serde_json"]
+attest = ["dep:aes", "dep:base64", "dep:cocoon-tpm-crypto", "dep:cocoon-tpm-tpm2-interface", "dep:cocoon-tpm-utils-common", "dep:kbs-types", "dep:libaproxy", "dep:serde", "dep:serde_json"]
 
 default = []
 enable-gdb = ["dep:gdbstub", "dep:gdbstub_arch"]

kernel/Cargo.toml

@@ -13,20 +13,21 @@ use crate::{
     io::{Read, Write, DEFAULT_IO_DRIVER},
     serial::SerialPort,
 };
+use aes::{cipher::BlockDecrypt, Aes256};
+use aes_gcm::KeyInit;
 use alloc::{string::ToString, vec, vec::Vec};
 use base64::{prelude::*, Engine};
 use cocoon_tpm_crypto::{
-    ecc,
+    ecc::{curve::Curve, ecdh::ecdh_c_1e_1s_cdh_party_v_key_gen, EccKey},
     rng::{self, HashDrbg, RngCore as _, X86RdSeedRng},
     CryptoError, EmptyCryptoIoSlices,
 };
-use cocoon_tpm_tpm2_interface::{
-    self as tpm2_interface, Tpm2bEccParameter, TpmEccCurve, TpmiAlgHash, TpmsEccPoint,
-};
+use cocoon_tpm_tpm2_interface::{self as tpm2_interface, TpmEccCurve, TpmiAlgHash, TpmsEccPoint};
 use cocoon_tpm_utils_common::{
     alloc::try_alloc_zeroizing_vec,
     io_slices::{self, IoSlicesIterCommon as _},
 };
+use core::cmp::min;
 use kbs_types::Tee;
 use libaproxy::*;
 use serde::Serialize;
@@ -35,12 +36,12 @@ use zerocopy::{FromBytes, IntoBytes};
 
 /// The attestation driver that communicates with the proxy via some communication channel (serial
 /// port, virtio-vsock, etc...).
-#[derive(Debug)]
+#[allow(missing_debug_implementations)]
 pub struct AttestationDriver<'a> {
     sp: SerialPort<'a>,
     tee: Tee,
-    pub_key: TpmsEccPoint<'static>,
-    _priv_key: Tpm2bEccParameter<'static>,
+    ecc: EccKey,
+    curve: Curve,
 }
 
 impl TryFrom<Tee> for AttestationDriver<'_> {
@@ -57,13 +58,14 @@ impl TryFrom<Tee> for AttestationDriver<'_> {
             _ => return Err(AttestationError::UnsupportedTee.into()),
         }
 
-        let key = sc_key_generate(TpmEccCurve::NistP384).map_err(AttestationError::KeyGen)?;
+        let curve = Curve::new(TpmEccCurve::NistP384).map_err(AttestationError::Crypto)?;
+        let ecc = sc_key_generate(&curve).map_err(AttestationError::Crypto)?;
 
         Ok(Self {
             sp,
             tee,
-            pub_key: key.0,
-            _priv_key: key.1,
+            ecc,
+            curve,
         })
     }
 }
@@ -73,7 +75,8 @@ impl AttestationDriver<'_> {
     pub fn attest(&mut self) -> Result<Vec<u8>, SvsmError> {
         let negotiation = self.negotiation()?;
 
-        Ok(self.attestation(negotiation)?)
+        self.attestation(negotiation)
+            .map_err(SvsmError::TeeAttestation)
     }
 
     /// Send a negotiation request to the proxy. Proxy should reply with Negotiation parameters
@@ -95,15 +98,19 @@ impl AttestationDriver<'_> {
     /// containing the status (success/fail) and an optional secret returned from the server upon
     /// successful attestation.
     fn attestation(&mut self, n: NegotiationResponse) -> Result<Vec<u8>, AttestationError> {
-        let evidence = evidence(&self.tee, hash(n, &self.pub_key)?)?;
+        let pub_key = self
+            .ecc
+            .pub_key()
+            .to_tpms_ecc_point(&self.curve.curve_ops().map_err(AttestationError::Crypto)?)
+            .map_err(AttestationError::Crypto)?;
+
+        let evidence = evidence(&self.tee, hash(n, &pub_key)?)?;
 
         let req = AttestationRequest {
             evidence: BASE64_URL_SAFE.encode(evidence),
-            key: AttestationKey::EC {
-                crv: "EC384".to_string(),
-                x_b64url: BASE64_URL_SAFE.encode(&*self.pub_key.x.buffer),
-                y_b64url: BASE64_URL_SAFE.encode(&*self.pub_key.y.buffer),
-            },
+            key: (TpmEccCurve::NistP384, &pub_key)
+                .try_into()
+                .map_err(|_| AttestationError::AttestationDeserialize)?,
         };
 
         self.write(req)?;
@@ -112,7 +119,49 @@ impl AttestationDriver<'_> {
         let response: AttestationResponse = serde_json::from_slice(&payload)
             .map_err(|_| AttestationError::AttestationDeserialize)?;
 
-        todo!();
+        if !response.success {
+            return Err(AttestationError::Failed);
+        }
+
+        let Some(ak) = response.pub_key else {
+            return Err(AttestationError::PublicKeyMissing)?;
+        };
+
+        let pub_key: TpmsEccPoint<'static> = ak.try_into().map_err(AttestationError::Crypto)?;
+
+        let Some(ciphertext) = response.secret else {
+            return Err(AttestationError::SecretMissing);
+        };
+
+        self.decrypt(ciphertext, pub_key)
+    }
+
+    /// Decrypt a secret from the attestation server with the TEE private key.
+    fn decrypt(
+        &self,
+        ciphertext: Vec<u8>,
+        pub_key: TpmsEccPoint<'static>,
+    ) -> Result<Vec<u8>, AttestationError> {
+        let shared_secret =
+            ecdh_c_1e_1s_cdh_party_v_key_gen(TpmiAlgHash::Sha256, "", &self.ecc, &pub_key)
+                .map_err(AttestationError::Crypto)?;
+
+        let aes = Aes256::new_from_slice(&shared_secret[..])
+            .map_err(|_| AttestationError::AesGenerate)?;
+        // Decrypt each 16-byte block of the ciphertext with the symmetric key.
+        let mut ptr = 0;
+        let len = ciphertext.len();
+        let mut vec: Vec<u8> = Vec::new();
+        while ptr < len {
+            let remain = min(16, len - ptr);
+            let mut arr: [u8; 16] = [0u8; 16];
+            arr[..remain].copy_from_slice(&ciphertext[ptr..ptr + remain]);
+            aes.decrypt_block((&mut arr).into());
+            vec.append(&mut arr.to_vec());
+            ptr += remain;
+        }
+
+        Ok(vec)
     }
 
     /// Read attestation data from the serial port.
@@ -154,8 +203,12 @@ impl AttestationDriver<'_> {
 /// Possible errors when attesting TEE evidence.
 #[derive(Clone, Copy, Debug)]
 pub enum AttestationError {
+    /// Error generating AES key.
+    AesGenerate,
     /// Error deserializing the attestation response from JSON bytes.
     AttestationDeserialize,
+    /// Guest has failed attestation.
+    Failed,
     /// Error deserializing the negotiation response from JSON bytes.
     NegotiationDeserialize,
     /// Error serializing the negotiation request to JSON bytes.
@@ -164,10 +217,16 @@ pub enum AttestationError {
     ProxyRead,
     /// Error writing over the attestation proxy transport channel.
     ProxyWrite,
+    /// Attestation successful, but no public key found.
+    PublicKeyMissing,
     /// Unsupported TEE architecture.
     UnsupportedTee,
     /// Unable to generate secure channel key.
-    KeyGen(CryptoError),
+    Crypto(CryptoError),
+    /// Attestation successful, but unable to decrypt secret.
+    SecretDecrypt,
+    /// Attestation successful, but no secret found.
+    SecretMissing,
     /// Unable to fetch SEV-SNP attestation report.
     SnpGetReport,
 }
@@ -180,9 +239,7 @@ impl From<AttestationError> for SvsmError {
 
 /// Generate a key used to establish a secure channel between the confidential guest and
 /// attestation server.
-fn sc_key_generate(
-    curve_id: TpmEccCurve,
-) -> Result<(TpmsEccPoint<'static>, Tpm2bEccParameter<'static>), CryptoError> {
+fn sc_key_generate(curve: &Curve) -> Result<EccKey, CryptoError> {
     let mut rng = {
         let mut rdseed = X86RdSeedRng::instantiate().map_err(|_| CryptoError::RngFailure)?;
         let mut hash_drbg_entropy =
@@ -202,15 +259,9 @@ fn sc_key_generate(
         )
     }?;
 
-    let curve = ecc::curve::Curve::new(curve_id)?;
     let curve_ops = curve.curve_ops()?;
-    let ecc_key = ecc::EccKey::generate(&curve_ops, &mut rng, None)?;
-
-    let (pub_key, priv_key) = ecc_key.into_tpms(&curve_ops)?;
-
-    let priv_key = priv_key.ok_or(CryptoError::Internal)?;
 
-    Ok((pub_key, priv_key))
+    EccKey::generate(&curve_ops, &mut rng, None)
 }
 
 /// Hash negotiation parameters and fetch TEE evidence.

kernel/src/attest.rs

@@ -4,6 +4,19 @@ version = "0.1.0"
 edition = "2021"
 
 [dependencies]
+base64 = { workspace = true, features = ["alloc"] }
+cocoon-tpm-crypto = { workspace = true, features = [
+    "enable_arch_math_asm", "zeroize",
+    # Enable x86 rdseed based rng.
+    "enable_x86_64_rdseed",
+    # At least one of block cipher, mode and hash is needed,
+    # otherwise compilation will fail due to empty enums.
+    "aes", "cfb", "sha256", "sha384", "sha512",
+    "ecc", "ecdh", "ecdsa",
+    "ecc_nist_p224", "ecc_nist_p256",
+    "ecc_nist_p384", "ecc_nist_p521",
+]}
+cocoon-tpm-tpm2-interface.workspace = true
 kbs-types = { workspace = true, features = ["alloc"] }
 serde.workspace = true
 

libaproxy/Cargo.toml

@@ -6,7 +6,14 @@
 // Author: Tyler Fanelli <tfanelli@redhat.com>
 
 extern crate alloc;
-use alloc::{string::String, vec::Vec};
+use alloc::{
+    string::{String, ToString},
+    vec::Vec,
+};
+use base64::prelude::*;
+use cocoon_tpm_crypto::CryptoError;
+use cocoon_tpm_tpm2_interface::{Tpm2bEccParameter, TpmBuffer, TpmEccCurve, TpmsEccPoint};
+use core::convert::TryFrom;
 use serde::{Deserialize, Serialize};
 
 /// The format of the public key that is used to encrypt secrets sent to SVSM upon successful
@@ -23,6 +30,62 @@ pub enum AttestationKey {
     },
 }
 
+impl TryFrom<(TpmEccCurve, &TpmsEccPoint<'static>)> for AttestationKey {
+    type Error = CryptoError;
+
+    fn try_from(args: (TpmEccCurve, &TpmsEccPoint<'static>)) -> Result<Self, Self::Error> {
+        let x_b64url = BASE64_URL_SAFE.encode(&*args.1.x.buffer);
+        let y_b64url = BASE64_URL_SAFE.encode(&*args.1.y.buffer);
+
+        let crv = match args.0 {
+            TpmEccCurve::NistP224 => "EC224",
+            TpmEccCurve::NistP256 => "EC256",
+            TpmEccCurve::NistP384 => "EC384",
+            TpmEccCurve::NistP521 => "EC521",
+            _ => return Err(CryptoError::InvalidParams),
+        }
+        .to_string();
+
+        Ok(AttestationKey::EC {
+            crv,
+            x_b64url,
+            y_b64url,
+        })
+    }
+}
+
+impl TryFrom<AttestationKey> for TpmsEccPoint<'static> {
+    type Error = CryptoError;
+
+    fn try_from(arg: AttestationKey) -> Result<Self, CryptoError> {
+        match arg {
+            AttestationKey::EC {
+                crv: _,
+                x_b64url,
+                y_b64url,
+            } => {
+                let x_buf = BASE64_URL_SAFE
+                    .decode(&x_b64url)
+                    .map_err(|_| CryptoError::InvalidParams)?;
+                let y_buf = BASE64_URL_SAFE
+                    .decode(&y_b64url)
+                    .map_err(|_| CryptoError::InvalidParams)?;
+
+                let point = TpmsEccPoint {
+                    x: Tpm2bEccParameter {
+                        buffer: TpmBuffer::Owned(x_buf),
+                    },
+                    y: Tpm2bEccParameter {
+                        buffer: TpmBuffer::Owned(y_buf),
+                    },
+                };
+
+                Ok(point)
+            }
+        }
+    }
+}
+
 /// The attestation request payload sent to the proxy from SVSM.
 #[derive(Serialize, Deserialize, Debug)]
 pub struct AttestationRequest {
@@ -41,5 +104,5 @@ pub struct AttestationResponse {
     /// Secret encrypted with the key generated by SVSM
     pub secret: Option<Vec<u8>>,
     /// Server's public key used for symmetric encryption/decryption.
-    pub pub_key: Option<Vec<u8>>,
+    pub pub_key: Option<AttestationKey>,
 }