WIP: transfer POC

Cargo.toml

@@ -30,7 +30,7 @@ clap = { version = "4", features = ["derive"] }
 config = "0.13.3"
 env_logger = "0.10.0"
 hex = "0.4.3"
-kbs-types = "0.5.3"
+kbs-types = "0.6.0"
 jsonwebtoken = { version = "9", default-features = false }
 log = "0.4.17"
 prost = "0.11.0"
@@ -47,3 +47,4 @@ tokio = { version = "1.23.0", features = ["full"] }
 tempfile = "3.4.0"
 tonic = "0.8.1"
 tonic-build = "0.8.0"
+

attestation-service/README.md

@@ -13,6 +13,7 @@ Today, the AS can validate evidence from the following TEEs:
 - Hygon CSV
 - Intel TDX with vTPM on Azure
 - AMD SEV-SNP with vTPM on Azure
+- IBM Secure Execution (SE)
 
 # Overview
 ```
@@ -80,6 +81,7 @@ Please refer to the individual verifiers for the specific format of the evidence
 - Azure TDX vTPM: [Evidence](./verifier/src/az_tdx_vtpm/mod.rs)
 - Arm CCA: [CcaEvidence](./verifier/src/cca/mod.rs)
 - Hygon CSV: [CsvEvidence](./verifier/src/csv/mod.rs)
+- IBM Secure Execution (SE) [(SeEvidence)](./verifier/src/se/mod.rs)
 
 ## Output
 
@@ -132,6 +134,7 @@ Supported Verifier Drivers:
 - `azsnpvtpm`: Verifier Driver for Azure vTPM based on SNP (Azure SNP vTPM)
 - `cca`: Verifier Driver for Confidential Compute Architecture (Arm CCA).
 - `csv`: Verifier Driver for China Security Virtualization (Hygon CSV).
+- `se`: Verifier Driver for IBM Secure Execution (SE).
 
 ### Policy Engine
 

attestation-service/attestation-service/Cargo.toml

@@ -4,7 +4,7 @@ version = "0.1.0"
 edition = "2021"
 
 [features]
-default = [ "restful-bin", "rvps-grpc", "rvps-builtin", "all-verifier" ]
+default = [ "restful-bin", "rvps-grpc", "rvps-builtin" ]
 all-verifier = [ "verifier/all-verifier" ]
 tdx-verifier = [ "verifier/tdx-verifier" ]
 sgx-verifier = [ "verifier/sgx-verifier" ]
@@ -13,6 +13,7 @@ az-tdx-vtpm-verifier = [ "verifier/az-tdx-vtpm-verifier" ]
 snp-verifier = [ "verifier/snp-verifier" ]
 csv-verifier = [ "verifier/csv-verifier" ]
 cca-verifier = [ "verifier/cca-verifier" ]
+se-verifier  = [ "verifier/se-verifier" ]
 
 # Only for testing and CI
 rvps-builtin = [ "reference-value-provider-service" ]
@@ -62,7 +63,11 @@ thiserror = { workspace = true, optional = true }
 tokio.workspace = true
 tonic = { workspace = true, optional = true }
 uuid = { version = "1.1.2", features = ["v4"] }
-verifier = { path = "../verifier", default-features = false }
+[target.'cfg(not(target_arch = "s390x"))'.dependencies]
+verifier = { path = "../verifier", default-features = false, features = ["all-verifier"] }
+
+[target.'cfg(target_arch = "s390x")'.dependencies]
+verifier = { path = "../verifier", default-features = false, features = ["se-verifier"] }
 
 [build-dependencies]
 shadow-rs.workspace = true

attestation-service/attestation-service/src/bin/grpc/mod.rs

@@ -16,7 +16,8 @@ use tonic::{Request, Response, Status};
 
 use crate::as_api::attestation_service_server::{AttestationService, AttestationServiceServer};
 use crate::as_api::{
-    AttestationRequest, AttestationResponse, SetPolicyRequest, SetPolicyResponse, Tee as GrpcTee,
+    AttestationRequest, AttestationResponse, ChallengeRequest, ChallengeResponse, SetPolicyRequest,
+    SetPolicyResponse, Tee as GrpcTee,
 };
 
 use crate::rvps_api::reference_value_provider_service_server::{
@@ -39,6 +40,7 @@ fn to_kbs_tee(tee: GrpcTee) -> Tee {
         GrpcTee::AzSnpVtpm => Tee::AzSnpVtpm,
         GrpcTee::Cca => Tee::Cca,
         GrpcTee::AzTdxVtpm => Tee::AzTdxVtpm,
+        GrpcTee::Se => Tee::Se,
     }
 }
 
@@ -199,6 +201,30 @@ impl AttestationService for Arc<RwLock<AttestationServer>> {
         let res = AttestationResponse { attestation_token };
         Ok(Response::new(res))
     }
+
+    async fn get_attestation_challenge(
+        &self,
+        request: Request<ChallengeRequest>,
+    ) -> Result<Response<ChallengeResponse>, Status> {
+        let request: ChallengeRequest = request.into_inner();
+        let tee = to_kbs_tee(
+            GrpcTee::from_i32(request.tee)
+                .ok_or_else(|| Status::aborted(format!("Invalid TEE {}", request.tee)))?,
+        );
+
+        let attestation_challenge = self
+            .read()
+            .await
+            .attestation_service
+            .generate_supplemental_challenge(tee, request.tee_params.clone())
+            .await
+            .map_err(|e| Status::aborted(format!("Challenge: {e:?}")))?;
+
+        let res = ChallengeResponse {
+            attestation_challenge,
+        };
+        Ok(Response::new(res))
+    }
 }
 
 #[tonic::async_trait]

attestation-service/attestation-service/src/bin/restful-as.rs

@@ -13,7 +13,7 @@ use strum::{AsRefStr, EnumString};
 use thiserror::Error;
 use tokio::sync::RwLock;
 
-use crate::restful::{attestation, get_policies, set_policy};
+use crate::restful::{attestation, get_challenge, get_policies, set_policy};
 
 mod restful;
 
@@ -48,6 +48,9 @@ enum WebApi {
 
     #[strum(serialize = "/policy")]
     Policy,
+
+    #[strum(serialize = "/challenge")]
+    Challenge,
 }
 
 #[derive(Error, Debug)]
@@ -100,6 +103,7 @@ async fn main() -> Result<(), RestfulError> {
                     .route(web::post().to(set_policy))
                     .route(web::get().to(get_policies)),
             )
+            .service(web::resource(WebApi::Challenge.as_ref()).route(web::post().to(get_challenge)))
             .app_data(web::Data::clone(&attestation_service))
     });
 

attestation-service/attestation-service/src/bin/restful/mod.rs

@@ -44,6 +44,12 @@ pub struct AttestationRequest {
     policy_ids: Vec<String>,
 }
 
+#[derive(Debug, Serialize, Deserialize)]
+pub struct ChallengeRequest {
+    tee: String,
+    tee_params: String,
+}
+
 #[derive(Debug, Serialize, Deserialize)]
 #[serde(rename_all = "snake_case")]
 enum Data {
@@ -62,6 +68,7 @@ fn to_tee(tee: &str) -> anyhow::Result<Tee> {
         "csv" => Tee::Csv,
         "sample" => Tee::Sample,
         "aztdxvtpm" => Tee::AzTdxVtpm,
+        "se" => Tee::Se,
         other => bail!("tee `{other} not supported`"),
     };
 
@@ -173,6 +180,21 @@ pub async fn set_policy(
     Ok(HttpResponse::Ok().body(""))
 }
 
+/// This handler uses json extractor
+pub async fn get_challenge(
+    request: web::Json<ChallengeRequest>,
+    cocoas: web::Data<Arc<RwLock<AttestationService>>>,
+) -> Result<HttpResponse> {
+    let tee = to_tee(&request.tee)?;
+    let challenge = cocoas
+        .read()
+        .await
+        .generate_supplemental_challenge(tee, request.tee_params.clone())
+        .await
+        .context("generate challenge")?;
+    Ok(HttpResponse::Ok().body(challenge))
+}
+
 /// GET /policy
 /// GET /policy/{policy_id}
 pub async fn get_policies(

attestation-service/attestation-service/src/lib.rs

@@ -274,6 +274,17 @@ impl AttestationService {
     pub async fn register_reference_value(&mut self, message: &str) -> Result<()> {
         self.rvps.verify_and_extract(message).await
     }
+
+    pub async fn generate_supplemental_challenge(
+        &self,
+        tee: Tee,
+        tee_parameters: String,
+    ) -> Result<String> {
+        let verifier = verifier::to_verifier(&tee)?;
+        verifier
+            .generate_supplemental_challenge(tee_parameters)
+            .await
+    }
 }
 
 /// Get the expected init/runtime data and potential claims due to the given input

attestation-service/docs/parsed_claims.md

@@ -92,3 +92,6 @@ The claim inherit the fields from the SEV-SNP claim with and additional `tpm` hi
 - `tpm.pcr{01,..,n}`: SHA256 PCR registers for the TEE's vTPM quote.
 
 Note: The TD Report and TD Quote are fetched during early boot in this TEE. Kernel, Initrd and rootfs are measured into the vTPM's registers.
+
+## IBM Secure Execution (SE)
+TBD

attestation-service/protos/attestation.proto

@@ -12,6 +12,7 @@ enum Tee {
     CSV = 6;
     CCA = 7;
     AzTdxVtpm = 8;
+    Se = 9;
 }
 
 message AttestationRequest {
@@ -88,8 +89,17 @@ message SetPolicyRequest {
 }
 message SetPolicyResponse {}
 
+message ChallengeRequest {
+    Tee tee           = 1;
+    string tee_params = 2;
+}
+message ChallengeResponse {
+    string attestation_challenge = 1;
+}
+
 service AttestationService {
     rpc AttestationEvaluate(AttestationRequest) returns (AttestationResponse) {};
     rpc SetAttestationPolicy(SetPolicyRequest) returns (SetPolicyResponse) {};
+    rpc GetAttestationChallenge(ChallengeRequest) returns (ChallengeResponse) {};
     // Get the GetPolicyRequest.user and GetPolicyRequest.tee specified Policy(.rego)
 }

attestation-service/verifier/Cargo.toml

@@ -5,14 +5,15 @@ edition = "2021"
 
 [features]
 default = [ "all-verifier" ]
-all-verifier = [ "tdx-verifier", "sgx-verifier", "snp-verifier", "az-snp-vtpm-verifier", "az-tdx-vtpm-verifier", "csv-verifier", "cca-verifier" ]
+all-verifier = [ "tdx-verifier", "sgx-verifier", "snp-verifier", "az-snp-vtpm-verifier", "az-tdx-vtpm-verifier", "csv-verifier", "cca-verifier", "se-verifier" ]
 tdx-verifier = [ "eventlog-rs", "scroll", "sgx-dcap-quoteverify-rs" ]
 sgx-verifier = [ "scroll", "sgx-dcap-quoteverify-rs" ]
 az-snp-vtpm-verifier = [ "az-snp-vtpm", "sev", "snp-verifier" ]
 az-tdx-vtpm-verifier = [ "az-tdx-vtpm", "openssl", "tdx-verifier" ]
 snp-verifier = [ "asn1-rs", "openssl", "sev", "x509-parser" ]
 csv-verifier = [ "openssl", "csv-rs", "codicon" ]
 cca-verifier = [ "ear", "jsonwebtoken", "veraison-apiclient" ]
+se-verifier = [ "openssl", "pv" ]
 
 [dependencies]
 anyhow.workspace = true
@@ -35,9 +36,11 @@ jsonwebtoken = { workspace = true, default-features = false, optional = true }
 kbs-types.workspace = true
 log.workspace = true
 openssl = { version = "0.10.55", optional = true }
+pv = { version = "0.10.0", package = "s390_pv" }
 scroll = { version = "0.11.0", default-features = false, features = ["derive"], optional = true }
 serde.workspace = true
 serde_json.workspace = true
+serde_yaml = "0.9.0"
 sev = { version = "1.2.0", features = ["openssl", "snp"], optional = true }
 sgx-dcap-quoteverify-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.16", optional = true }
 strum.workspace = true
@@ -54,3 +57,7 @@ assert-json-diff.workspace = true
 rstest.workspace = true
 serial_test.workspace = true
 tokio.workspace = true
+
+[patch.crates-io]
+s390_pv = { path = "/root/src/tmp_pv_crate/pv" }
+s390_pv_core = { path = "/root/src/tmp_pv_crate/pv_core" }

attestation-service/verifier/src/lib.rs

@@ -28,6 +28,9 @@ pub mod csv;
 #[cfg(feature = "cca-verifier")]
 pub mod cca;
 
+#[cfg(feature = "se-verifier")]
+pub mod se;
+
 pub fn to_verifier(tee: &Tee) -> Result<Box<dyn Verifier + Send + Sync>> {
     match tee {
         Tee::Sev => todo!(),
@@ -99,6 +102,17 @@ pub fn to_verifier(tee: &Tee) -> Result<Box<dyn Verifier + Send + Sync>> {
                 }
             }
         }
+
+        Tee::Se => {
+            cfg_if::cfg_if! {
+                if #[cfg(feature = "se-verifier")] {
+                    Ok(Box::<se::SeVerifier>::default() as Box<dyn Verifier + Send + Sync>)
+                } else {
+                    bail!("feature `se-verifier` is not enabled for `verifier` crate.")
+                }
+            }
+        }
+
     }
 }
 
@@ -152,6 +166,21 @@ pub trait Verifier {
         expected_report_data: &ReportData,
         expected_init_data_hash: &InitDataHash,
     ) -> Result<TeeEvidenceParsedClaim>;
+
+    /// Generate the supplemental challenge
+    /// 
+    /// Some TEE like IBM SE need a `challenge` generated on verifier side
+    /// and pass it to attester side. This challenge is used by attester to
+    /// generate the evidence
+    ///
+    /// A optional `tee_parameters` comes from the attester side as the input.
+
+    async fn generate_supplemental_challenge(
+        &self,
+        _tee_parameters: String,
+    ) -> Result<String> {
+        Ok(String::new())
+    }
 }
 
 /// Padding or truncate the given data slice to the given `len` bytes.