tdx: sgx: Bump DCAP dependency

Background motivation: Building Trustee on CentOS 9 stream will break, due to an incompatibility of rust-bindgen and clang, as shown by the error below: ``` clang diag: warning: .: 'linker' input unused [-Wunused-command-line-argument] thread 'main' panicked at /home/cloud-user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/bindgen-0.60.1/src/ir/context.rs:861:9: "_sgx_ql_qv_supplemental_t_union_(anonymous_at_/usr/x86_64-intel-sgx/include/sgx_qve_header_h_95_5)" is not a valid Ident note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace warning: build failed, waiting for other jobs to finish... make: *** [Makefile:22: grpc-as] Error 101 ``` The rust-bindgen version causing this issue was coming from the SGXDataCenterAttestationPrimitives repo. With that in mind, and considering that the DCAP version used so far is 1+ years old, let's bump it and solve those two issues at the same time. Unfortunately, we're also adapting the code a little bit due to the API changes between 1.16 and 1.21. Signed-off-by: Fabiano Fidêncio <[email protected]>
confidential-containers · May 28, 2024 · 63c02d6 · 63c02d6
1 parent ac67246
commit 63c02d6
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 69 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/attestation-service/verifier/Cargo.toml b/attestation-service/verifier/Cargo.toml
@@ -6,8 +6,8 @@ edition = "2021"
 [features]
 default = [ "all-verifier" ]
 all-verifier = [ "tdx-verifier", "sgx-verifier", "snp-verifier", "az-snp-vtpm-verifier", "az-tdx-vtpm-verifier", "csv-verifier", "cca-verifier" ]
-tdx-verifier = [ "eventlog-rs", "scroll", "sgx-dcap-quoteverify-rs" ]
-sgx-verifier = [ "scroll", "sgx-dcap-quoteverify-rs" ]
+tdx-verifier = [ "eventlog-rs", "scroll", "intel-tee-quote-verification-rs" ]
+sgx-verifier = [ "scroll", "intel-tee-quote-verification-rs" ]
 az-snp-vtpm-verifier = [ "az-snp-vtpm", "sev", "snp-verifier" ]
 az-tdx-vtpm-verifier = [ "az-tdx-vtpm", "openssl", "tdx-verifier" ]
 snp-verifier = [ "asn1-rs", "openssl", "sev", "x509-parser" ]
@@ -39,7 +39,7 @@ scroll = { version = "0.11.0", default-features = false, features = ["derive"],
 serde.workspace = true
 serde_json.workspace = true
 sev = { version = "3.1.1", features = ["openssl", "snp"], optional = true }
-sgx-dcap-quoteverify-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.16", optional = true }
+intel-tee-quote-verification-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.21", optional = true }
 strum.workspace = true
 veraison-apiclient = { git = "https://github.com/chendave/rust-apiclient", branch = "token", optional = true }
 ear = { git = "https://github.com/veraison/rust-ear", rev = "43f7f480d09ea2ebc03137af8fbcd70fe3df3468", optional = true }

diff --git a/attestation-service/verifier/src/sgx/mod.rs b/attestation-service/verifier/src/sgx/mod.rs
@@ -14,9 +14,9 @@ use base64::Engine;
 use log::{debug, warn};
 use scroll::Pread;
 use serde::{Deserialize, Serialize};
-use sgx_dcap_quoteverify_rs::{
+use intel_tee_quote_verification_rs::{
     sgx_ql_qv_result_t, sgx_ql_qv_supplemental_t, tee_get_supplemental_data_version_and_size,
-    tee_qv_get_collateral, tee_supp_data_descriptor_t, tee_verify_quote,
+    tee_qv_get_collateral, tee_supp_data_descriptor_t, tee_verify_quote, QuoteCollateral,
 };
 
 use crate::{regularize_data, InitDataHash, ReportData};
@@ -140,7 +140,7 @@ async fn ecdsa_quote_verification(quote: &[u8]) -> Result<()> {
         }
     };
 
-    let p_collateral: Option<&[u8]> = None;
+    let p_collateral: Option<&QuoteCollateral> = None;
 
     // set current time. This is only for sample purposes, in production mode a trusted time should be used.
     //

diff --git a/attestation-service/verifier/src/tdx/quote.rs b/attestation-service/verifier/src/tdx/quote.rs
@@ -10,7 +10,7 @@ use scroll::Pread;
 use std::mem;
 use std::time::{Duration, SystemTime};
 
-use sgx_dcap_quoteverify_rs as qvl;
+use intel_tee_quote_verification_rs as qvl;
 
 pub const QUOTE_HEADER_SIZE: usize = 48;
 
@@ -467,7 +467,7 @@ pub async fn ecdsa_quote_verification(quote: &[u8]) -> Result<()> {
     // call DCAP quote verify library for quote verification
     let (collateral_expiration_status, quote_verification_result) = tee_verify_quote(
         quote,
-        collateral.as_deref(),
+        collateral.as_ref(),
         current_time,
         None,
         p_supplemental_data,