-
Notifications
You must be signed in to change notification settings - Fork 90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kbs: simplify tee-pubkey reading from the attestation token #414
Conversation
7e2657e
to
d9ee995
Compare
Can you add PR description and some commit messages? |
Done |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just one comment.
I wonder if we should incorporate the variable pubkey path into the Attest trait at some point. This seems fine for now.
kbs/src/api/src/attestation/mod.rs
Outdated
@@ -14,6 +14,11 @@ use intel_trust_authority::*; | |||
use kbs_types::{Challenge, Tee}; | |||
use rand::{thread_rng, Rng}; | |||
|
|||
#[cfg(any(feature = "coco-as-builtin", feature = "coco-as-grpc"))] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this just be #[cfg(not(feature = "intel-trust-authority-as"))]
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that works also. the proposed cfg
was a copy-paste from the other coco-as* configs in this file.
#[cfg(feature = "as")] | ||
const TOKEN_TEE_PUBKEY_PATH: &str = AS_TOKEN_TEE_PUBKEY_PATH; | ||
#[cfg(not(feature = "as"))] | ||
const TOKEN_TEE_PUBKEY_PATH: &str = "/customized_claims/runtime_data/tee-pubkey"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are two places defining TOKEN_TEE_PUBKEY_PATH, like before. Is it possible to define only on one place and use a reference on the other side?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wanted it to be like that but I found the problem that TOKEN_TEE_PUBKEY_PATH
needs to be defined even completely without attestation
(i.e., as
not enabled) so some "default" must be kept here.
get-resource API searches tee-pubkey claim from the attestation token. Instead of doing the search by ourselves, simply pass the desired path and leverage pointer() method to do the search. This simplifies the code when the search path needs to be made configurable. Signed-off-by: Mikko Ylinen <[email protected]>
Attestation service provided tokens carry tee-pubkey under a different claims structure. Piggyback the existing cargo features to let each AS implementation define their own search paths compile time. Signed-off-by: Mikko Ylinen <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
get-resource API searches
tee-pubkey
claim from the attestation token. Instead of doing the search by ourselves, simply pass the desired path and leveragepointer()
method to do the search. This simplifies the code when the search path needs to be made configurable.One such case as of today is when attestation service provided tokens carry
tee-pubkey
under a different claims structure. We piggyback the existing cargo features to let each AS implementation define their own search paths compile time.