AS: change TEE parameter to string in gRPC

Before this pr TEE is an enum, which makes trouble for users to know which enum number is related to a specific TEE type. With string, it is much more straightforward. Signed-off-by: Xynnn007 <[email protected]>
confidential-containers · May 22, 2024 · d646285 · d646285
1 parent f9e47d8
commit d646285
Show file tree

Hide file tree

Showing 15 changed files with 51 additions and 105 deletions.
diff --git a/attestation-service/attestation-service/src/bin/grpc/mod.rs b/attestation-service/attestation-service/src/bin/grpc/mod.rs
@@ -1,3 +1,4 @@
+use anyhow::bail;
 use attestation_service::HashAlgorithm;
 use attestation_service::{
     config::Config, config::ConfigError, AttestationService as Service, ServiceError, Tee,
@@ -14,9 +15,7 @@ use tonic::transport::Server;
 use tonic::{Request, Response, Status};
 
 use crate::as_api::attestation_service_server::{AttestationService, AttestationServiceServer};
-use crate::as_api::{
-    AttestationRequest, AttestationResponse, SetPolicyRequest, SetPolicyResponse, Tee as GrpcTee,
-};
+use crate::as_api::{AttestationRequest, AttestationResponse, SetPolicyRequest, SetPolicyResponse};
 
 use crate::rvps_api::reference_value_provider_service_server::{
     ReferenceValueProviderService, ReferenceValueProviderServiceServer,
@@ -27,18 +26,21 @@ use crate::rvps_api::{
     ReferenceValueRegisterResponse,
 };
 
-fn to_kbs_tee(tee: GrpcTee) -> Tee {
-    match tee {
-        GrpcTee::Sev => Tee::Sev,
-        GrpcTee::Sgx => Tee::Sgx,
-        GrpcTee::Snp => Tee::Snp,
-        GrpcTee::Tdx => Tee::Tdx,
-        GrpcTee::Csv => Tee::Csv,
-        GrpcTee::Sample => Tee::Sample,
-        GrpcTee::AzSnpVtpm => Tee::AzSnpVtpm,
-        GrpcTee::Cca => Tee::Cca,
-        GrpcTee::AzTdxVtpm => Tee::AzTdxVtpm,
-    }
+fn to_kbs_tee(tee: &str) -> anyhow::Result<Tee> {
+    let tee = match tee {
+        "sev" => Tee::Sev,
+        "sgx" => Tee::Sgx,
+        "snp" => Tee::Snp,
+        "tdx" => Tee::Tdx,
+        "csv" => Tee::Csv,
+        "sample" => Tee::Sample,
+        "azsnpvtpm" => Tee::AzSnpVtpm,
+        "cca" => Tee::Cca,
+        "aztdxvtpm" => Tee::AzTdxVtpm,
+        other => bail!("Unsupported TEE type: {other}"),
+    };
+
+    Ok(tee)
 }
 
 #[derive(Error, Debug)]
@@ -100,10 +102,8 @@ impl AttestationService for Arc<RwLock<AttestationServer>> {
         info!("AttestationEvaluate API called.");
         debug!("Evidence: {}", &request.evidence);
 
-        let tee = to_kbs_tee(
-            GrpcTee::from_i32(request.tee)
-                .ok_or_else(|| Status::aborted(format!("Invalid TEE {}", request.tee)))?,
-        );
+        let tee = to_kbs_tee(&request.tee)
+            .map_err(|e| Status::aborted(format!("parse TEE type: {e}")))?;
         let evidence = URL_SAFE_NO_PAD
             .decode(request.evidence)
             .map_err(|e| Status::aborted(format!("Illegal input Evidence: {e}")))?;

diff --git a/attestation-service/docs/grpc-as.md b/attestation-service/docs/grpc-as.md
@@ -33,7 +33,7 @@ PCCS are usually supported by cloud providers, you can find the steps to configu
 - IBM Cloud: [Attestation with Intel SGX and Data Center Attestation Primitives (DCAP) for Virtual Servers for VPC](https://cloud.ibm.com/docs/vpc?topic=vpc-about-attestation-sgx-dcap-vpc)
 Or you can [set-up a PCCS yourself](https://download.01.org/intel-sgx/sgx-dcap/1.9/windows/docs/Intel_SGX_DCAP_Windows_SW_Installation_Guide.pdf).
 
-Then an attestation request can be used to request the server. We provide an [example request of validating a SGX quote](../tests/coco-as/grpc-request.json).
+Then an attestation request can be used to request the server. We provide an [example request of validating a SGX quote](../tests/coco-as/request.json).
 
 You can use the [tool](https://github.com/confidential-containers/guest-components/tree/main/attestation-agent/attester#evidence-getter-tool) to generate a report on
 any supported platform.
@@ -44,7 +44,7 @@ any supported platform.
 
 cd <path-to-attestation-service>
 
-REQ=$(cat tests/coco-as/grpc-request.json)
+REQ=$(cat tests/coco-as/request.json)
 grpcurl \
   -plaintext \
   -import-path protos \

diff --git a/attestation-service/docs/policy.md b/attestation-service/docs/policy.md
@@ -33,10 +33,10 @@ $REQ
 EOF
 ```
 
-Then, we can use the policy to check against an evidence. We use the [request](../tests/coco-as/policy/grpc-check.json) to do this.
+Then, we can use the policy to check against an evidence. We use the [request](../tests/coco-as/policy/check.json) to do this.
 
 ```shell
-REQ=$(cat ../../tests/coco-as/policy/grpc-check.json)
+REQ=$(cat ../../tests/coco-as/policy/check.json)
 grpcurl \
   -plaintext \
   -import-path ../../protos \
@@ -64,13 +64,13 @@ curl -k -X POST http://127.0.0.1:8080/policy \
      -d @../../tests/coco-as/policy/restful-set-policy.json
 ```
 
-Then, we can use the policy to check against an evidence. We use the [request](../tests/coco-as/policy/grpc-check.json) to do this.
+Then, we can use the policy to check against an evidence. We use the [request](../tests/coco-as/policy/check.json) to do this.
 
 ```shell
 curl -k -X POST http://127.0.0.1:8080/attestation \
      -i \
      -H 'Content-Type: application/json' \
-     -d @../../tests/coco-as/policy/restful-check.json
+     -d @../../tests/coco-as/policy/check.json
 ```
 
 ## How to Write a Policy (Experimental)

diff --git a/attestation-service/docs/restful-as.md b/attestation-service/docs/restful-as.md
@@ -33,7 +33,7 @@ PCCS are usually supported by cloud providers, you can find the steps to configu
 - IBM Cloud: [Attestation with Intel SGX and Data Center Attestation Primitives (DCAP) for Virtual Servers for VPC](https://cloud.ibm.com/docs/vpc?topic=vpc-about-attestation-sgx-dcap-vpc)
 Or you can [set-up a PCCS yourself](https://download.01.org/intel-sgx/sgx-dcap/1.9/windows/docs/Intel_SGX_DCAP_Windows_SW_Installation_Guide.pdf).
 
-Then an attestation request can be used to request the server. We provide an [example request of validating a SGX quote](../tests/coco-as/restful-request.json).
+Then an attestation request can be used to request the server. We provide an [example request of validating a SGX quote](../tests/coco-as/request.json).
 
 You can use the [tool](https://github.com/confidential-containers/guest-components/tree/main/attestation-agent/attester#evidence-getter-tool) to generate a report on
 any supported platform.
@@ -43,7 +43,7 @@ cd <path-to-attestation-service>
 curl -k -X POST http://127.0.0.1:8080/attestation \
      -i \
      -H 'Content-Type: application/json' \
-     -d @tests/coco-as/restful-request.json
+     -d @tests/coco-as/request.json
 ```
 
 Then, a token will be retrieved as HTTP response body like

diff --git a/attestation-service/protos/attestation.proto b/attestation-service/protos/attestation.proto
@@ -2,21 +2,9 @@ syntax = "proto3";
 
 package attestation;
 
-enum Tee {
-    SEV = 0;
-    SGX = 1;
-    SNP = 2;
-    TDX = 3;
-    Sample = 4;
-    AzSnpVtpm = 5;
-    CSV = 6;
-    CCA = 7;
-    AzTdxVtpm = 8;
-}
-
 message AttestationRequest {
     // TEE enum. Specify the evidence type
-    Tee tee = 1;
+    string tee = 1;
 
     // Base64 encoded evidence. The alphabet is URL_SAFE_NO_PAD.
     // defined in https://datatracker.ietf.org/doc/html/rfc4648#section-5

diff --git a/...e/tests/coco-as/policy/restful-check.json → ...n-service/tests/coco-as/policy/check.json b/...e/tests/coco-as/policy/restful-check.json → ...n-service/tests/coco-as/policy/check.json
diff --git a/attestation-service/tests/coco-as/policy/grpc-check.json b/attestation-service/tests/coco-as/policy/grpc-check.json