Merge pull request #76 from Dstack-TEE/quote-prefix

tappd: Add `prefix` for TdxQuote API
Dstack-TEE · Dec 23, 2024 · 1cb93c7 · 1cb93c7
2 parents 4966e55 + 727e5f7
commit 1cb93c7
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 11 deletions.
diff --git a/ra-tls/src/attestation.rs b/ra-tls/src/attestation.rs
@@ -10,22 +10,28 @@ use cc_eventlog::TdxEventLog as EventLog;
 
 /// The content type of a quote. A CVM should only generate quotes for these types.
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub enum QuoteContentType {
+pub enum QuoteContentType<'a> {
     /// The public key of KMS root CA
     KmsRootCa,
     /// The public key of the RA-TLS certificate
     RaTlsCert,
     /// App defined data
     AppData,
+    /// The custom content type
+    Custom(&'a str),
 }
 
-impl QuoteContentType {
+/// The default hash algorithm used to hash the report data.
+pub const DEFAULT_HASH_ALGORITHM: &str = "sha512";
+
+impl QuoteContentType<'_> {
     /// The tag of the content type used in the report data.
-    pub fn tag(&self) -> &'static str {
+    pub fn tag(&self) -> &str {
         match self {
             Self::KmsRootCa => "kms-root-ca",
             Self::RaTlsCert => "ratls-cert",
             Self::AppData => "app-data",
+            Self::Custom(tag) => tag,
         }
     }
 
@@ -52,11 +58,15 @@ impl QuoteContentType {
                 padded
             }};
         }
+        let hash = if hash.is_empty() {
+            DEFAULT_HASH_ALGORITHM
+        } else {
+            hash
+        };
         let output = match hash {
             "sha256" => do_hash!(sha2::Sha256),
             "sha384" => do_hash!(sha2::Sha384),
-            // Default to sha512
-            "" | "sha512" => do_hash!(sha2::Sha512),
+            "sha512" => do_hash!(sha2::Sha512),
             "sha3-256" => do_hash!(sha3::Sha3_256),
             "sha3-384" => do_hash!(sha3::Sha3_384),
             "sha3-512" => do_hash!(sha3::Sha3_512),

diff --git a/tappd/rpc/proto/tappd_rpc.proto b/tappd/rpc/proto/tappd_rpc.proto
@@ -53,13 +53,21 @@ message TdxQuoteArgs {
   // - `keccak512`
   // - `raw`: Passes the report_data directly to the driver without any processing
   string hash_algorithm = 2;
+  // The prefix added to the report data before hashing. Default is `app-data:` if the hash algorithm is not `raw`.
+  string prefix = 3;
 }
 
 message TdxQuoteResponse {
   // TDX quote
   bytes quote = 1;
   // Event log
   string event_log = 2;
+
+  // The following fields might be used for app debugging purposes
+  // Hash algorithm used to hash the caller passed in report data
+  string hash_algorithm = 3;
+  // Prefix added to the report data before hashing
+  string prefix = 4;
 }
 
 // The request to derive a key

diff --git a/tappd/src/rpc_service.rs b/tappd/src/rpc_service.rs
@@ -4,7 +4,7 @@ use anyhow::{bail, Context, Result};
 use fs_err as fs;
 use ra_rpc::{CallContext, RpcCall};
 use ra_tls::{
-    attestation::QuoteContentType,
+    attestation::{QuoteContentType, DEFAULT_HASH_ALGORITHM},
     cert::{CaCert, CertRequest},
     kdf::derive_ecdsa_key_pair,
     qvl::quote::Report,
@@ -70,14 +70,34 @@ impl TappdRpc for InternalRpcHandler {
     }
 
     async fn tdx_quote(self, request: TdxQuoteArgs) -> Result<TdxQuoteResponse> {
-        let report_data = QuoteContentType::AppData
-            .to_report_data_with_hash(&request.report_data, &request.hash_algorithm)?;
+        let content_type = if request.prefix.is_empty() {
+            QuoteContentType::AppData
+        } else {
+            QuoteContentType::Custom(&request.prefix)
+        };
+        let report_data =
+            content_type.to_report_data_with_hash(&request.report_data, &request.hash_algorithm)?;
         let event_log = read_event_logs().context("Failed to decode event log")?;
         let event_log =
             serde_json::to_string(&event_log).context("Failed to serialize event log")?;
         let (_, quote) =
             tdx_attest::get_quote(&report_data, None).context("Failed to get quote")?;
-        Ok(TdxQuoteResponse { quote, event_log })
+        let hash_algorithm = if request.hash_algorithm.is_empty() {
+            DEFAULT_HASH_ALGORITHM
+        } else {
+            &request.hash_algorithm
+        };
+        let prefix = if hash_algorithm == "raw" {
+            "".into()
+        } else {
+            QuoteContentType::AppData.tag().to_string()
+        };
+        Ok(TdxQuoteResponse {
+            quote,
+            event_log,
+            hash_algorithm: hash_algorithm.to_string(),
+            prefix,
+        })
     }
 
     async fn info(self) -> Result<WorkerInfo> {

diff --git a/tappd/tappd.toml b/tappd/tappd.toml
@@ -7,10 +7,11 @@ keep_alive = 10
 log_level = "debug"
 
 [default.core]
+app_name = ""
 cert_file = "/etc/tappd/app-ca.cert"
 key_file = "/etc/tappd/app-ca.key"
-public_logs = false
-public_sysinfo = false
+public_logs = true
+public_sysinfo = true
 compose_file = "/tapp/app-compose.json"
 
 [internal]