protocols: change policy_ids to policy_id

When generating EAR tokens, it seems best to only use one policy at a time (per-submod). In the commit that introduces EAR token generation in the AS, we simply ignore all policies in the policy_ids list except the first one. Here, we change the interface so that only one policy can be provided in an attestation request The KBS always sets one policy ("default"), anyway. In the future, we should figure out how to set this policy id more dynamically. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
confidential-containers · Oct 4, 2024 · c8f74ad · c8f74ad
1 parent 881aa70
commit c8f74ad
Show file tree

Hide file tree

Showing 7 changed files with 13 additions and 28 deletions.
diff --git a/attestation-service/src/bin/grpc/mod.rs b/attestation-service/src/bin/grpc/mod.rs
@@ -173,11 +173,6 @@ impl AttestationService for Arc<RwLock<AttestationServer>> {
             }
         };
 
-        let policy_ids = match request.policy_ids.is_empty() {
-            true => vec!["default".into()],
-            false => request.policy_ids,
-        };
-
         let attestation_token = self
             .read()
             .await
@@ -189,7 +184,7 @@ impl AttestationService for Arc<RwLock<AttestationServer>> {
                 runtime_data_hash_algorithm,
                 init_data,
                 init_data_hash_algorithm,
-                policy_ids,
+                request.policy_id,
             )
             .await
             .map_err(|e| Status::aborted(format!("Attestation: {e:?}")))?;

diff --git a/attestation-service/src/bin/restful/mod.rs b/attestation-service/src/bin/restful/mod.rs
@@ -41,7 +41,7 @@ pub struct AttestationRequest {
     init_data: Option<Data>,
     runtime_data_hash_algorithm: Option<String>,
     init_data_hash_algorithm: Option<String>,
-    policy_ids: Vec<String>,
+    policy_id: String,
 }
 
 #[derive(Debug, Serialize, Deserialize)]
@@ -139,13 +139,6 @@ pub async fn attestation(
         }
     };
 
-    let policy_ids = if request.policy_ids.is_empty() {
-        info!("no policy specified, use `default`");
-        vec!["default".into()]
-    } else {
-        request.policy_ids
-    };
-
     let token = cocoas
         .read()
         .await
@@ -156,7 +149,7 @@ pub async fn attestation(
             runtime_data_hash_algorithm,
             init_data,
             init_data_hash_algorithm,
-            policy_ids,
+            request.policy_id,
         )
         .await
         .context("attestation report evaluate")?;

diff --git a/attestation-service/src/lib.rs b/attestation-service/src/lib.rs
@@ -175,7 +175,7 @@ impl AttestationService {
         runtime_data_hash_algorithm: HashAlgorithm,
         init_data: Option<Data>,
         init_data_hash_algorithm: HashAlgorithm,
-        policy_ids: Vec<String>,
+        policy_id: String,
     ) -> Result<String> {
         let verifier = verifier::to_verifier(&tee)?;
 
@@ -218,11 +218,7 @@ impl AttestationService {
 
         let appraisal = self
             .policy_engine
-            .evaluate(
-                reference_data_map.clone(),
-                tcb_claims,
-                policy_ids[0].clone(),
-            )
+            .evaluate(reference_data_map.clone(), tcb_claims, policy_id.clone())
             .await
             .map_err(|e| anyhow!("Policy Engine evaluation failed: {e}"))?;
 

diff --git a/attestation-service/tests/e2e/request.json.template b/attestation-service/tests/e2e/request.json.template
@@ -1,5 +1,5 @@
 {
     "tee": "%TEE_NAME%",
     "evidence": "%EVIDENCE%",
-    "policy_ids": []
-}
+    "policy_id": "default"
+}
diff --git a/kbs/src/attestation/coco/builtin.rs b/kbs/src/attestation/coco/builtin.rs
@@ -40,7 +40,8 @@ impl Attest for BuiltInCoCoAs {
                 HashAlgorithm::Sha384,
                 None,
                 HashAlgorithm::Sha384,
-                vec!["default".into()],
+                // TODO: figure out a better way to set the policy id
+                "default",
             )
             .await
     }

diff --git a/kbs/src/attestation/coco/grpc.rs b/kbs/src/attestation/coco/grpc.rs
@@ -110,7 +110,8 @@ impl Attest for GrpcClientPool {
             init_data_hash_algorithm: COCO_AS_HASH_ALGORITHM.into(),
             runtime_data: Some(RuntimeData::StructuredRuntimeData(runtime_data_plaintext)),
             init_data: None,
-            policy_ids: vec!["default".to_string()],
+            // TODO: figure out a better way to set this
+            policy_id: "default".to_string(),
         });
 
         let mut client = { self.pool.lock().await.get().await? };

diff --git a/protos/attestation.proto b/protos/attestation.proto
@@ -62,9 +62,8 @@ message AttestationRequest {
     // "sha384" or "sha512". If not specified, "sha384" will be selected.
     string init_data_hash_algorithm = 8;
 
-    // List of IDs of the policy used to check evidence. If not provided,
-    // a "default" one will be used.
-    repeated string policy_ids = 9;
+    // ID of the policy used to check evidence.
+    string policy_id = 9;
 }
 
 message AttestationResponse {