WIP: Added vts and provisioning plugins for AWS Nitro enclave attestation …

go.mod

@@ -6,22 +6,27 @@ require (
 	github.com/DATA-DOG/go-sqlmock v1.5.0
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
 	github.com/denisbrodbeck/machineid v1.0.1
+	github.com/fatih/color v1.13.0
 	github.com/gin-gonic/gin v1.8.1
 	github.com/go-playground/assert/v2 v2.0.1
 	github.com/golang/mock v1.6.0
+	github.com/golang/protobuf v1.5.2
 	github.com/google/go-tpm v0.3.3
 	github.com/google/uuid v1.3.0
+	github.com/hashicorp/go-hclog v1.2.0
 	github.com/hashicorp/go-plugin v1.4.4
 	github.com/jellydator/ttlcache/v3 v3.0.0
 	github.com/mattn/go-sqlite3 v1.14.14
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/moogar0880/problems v0.1.1
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/open-policy-agent/opa v0.43.1
+	github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9
 	github.com/spf13/cobra v1.5.0
 	github.com/spf13/jwalterweatherman v1.1.0
 	github.com/spf13/viper v1.9.0
-	github.com/stretchr/testify v1.8.0
+	github.com/stretchr/testify v1.8.1
+	github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20221112151611-0893a6c14411
 	github.com/veraison/corim v0.0.0-20220801100627-a48aacbd333c
 	github.com/veraison/dice v0.0.1
 	github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff
@@ -37,7 +42,6 @@ require (
 	github.com/agnivade/levenshtein v1.0.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d // indirect
-	github.com/fatih/color v1.13.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
@@ -47,8 +51,7 @@ require (
 	github.com/go-playground/validator/v10 v10.10.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-json v0.9.7 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/hashicorp/go-hclog v1.2.0 // indirect
+	github.com/golang/glog v1.0.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
@@ -65,12 +68,12 @@ require (
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.9 // indirect
 	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
+	github.com/mitchellh/protoc-gen-go-json v1.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
-	github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect

go.sum

@@ -778,6 +778,8 @@ github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
+github.com/mitchellh/protoc-gen-go-json v1.1.0 h1:lEi1xtXyYKDwA8EB5u27+UUZOTznC4JpqVOKZwCGJUo=
+github.com/mitchellh/protoc-gen-go-json v1.1.0/go.mod h1:pACAKlMtBf4SMFbVswcjwNwWwlci6Vn841H5jPRcE9I=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
 github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
@@ -1022,6 +1024,7 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
@@ -1033,6 +1036,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs=
 github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
@@ -1055,6 +1060,10 @@ github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtX
 github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/vektah/gqlparser/v2 v2.4.6 h1:Yjzp66g6oVq93Jihbi0qhGnf/6zIWjcm8H6gA27zstE=
 github.com/vektah/gqlparser/v2 v2.4.6/go.mod h1:flJWIR04IMQPGz+BXLrORkrARBxv/rtyIAFvd/MceW0=
+github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20220902142425-b49cd6e96cf5 h1:TamshIh803Xw8wEYgIuqRQjbUfaMSHMDsMtBH4TOpzw=
+github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20220902142425-b49cd6e96cf5/go.mod h1:EXpO454Q3yOKVoNc7ECuLRfP7cmTmuhPwtuFYbkxWBk=
+github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20221112151611-0893a6c14411 h1:QHBX9m8HlqC+qhc/gGLdHA+8hfwsNY/s8lBiVnzAde0=
+github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20221112151611-0893a6c14411/go.mod h1:JRldyv/2U+D7c5yI1HP9iY/Aa7j3TnhwpUvC1ZwE+Lw=
 github.com/veraison/apiclient v0.0.2/go.mod h1:H8YDx1ixM24GYP/aLbhq+HJsej0lVUqFCRIL5Uu4B0o=
 github.com/veraison/corim v0.0.0-20220801100627-a48aacbd333c h1:+qOmTV5aI475VuNXDfy8Klg8m2ovSISmdZlS63w0J64=
 github.com/veraison/corim v0.0.0-20220801100627-a48aacbd333c/go.mod h1:FOUHHZ7fOyWKk4oKUjO5Zw5gnkjz0rtzcJDvUZZFRSg=

proto/attestation_format.proto

@@ -18,5 +18,8 @@ enum AttestationFormat {
 
 	// TPM EnactTrust
 	TPM_ENACTTRUST = 3;
+
+	// AWS Nitro Enclaves
+	AWS_NITRO = 4;
 }
 

provisioning/plugins/Makefile

@@ -4,5 +4,6 @@
 SUBDIR += common
 SUBDIR += corim-psa-decoder
 SUBDIR += corim-tpm-enacttrust-decoder
+SUBDIR += corim-nitro-decoder
 
 include ../../mk/subdir.mk

provisioning/plugins/corim-nitro-decoder/Makefile

@@ -0,0 +1,15 @@
+# Copyright 2022 Contributors to the Veraison project.
+# SPDX-License-Identifier: Apache-2.0
+
+PLUGIN := ../bin/veraison-provisining-decoder-corim-nitro
+GOPKG := github.com/veraison/services/provisioning/plugins/corim-nitro-decoder
+SRCS := $(wildcard *.go)
+
+all-hook-pre all-test-pre all-lint-pre:
+	$(MAKE) -C ../../../proto protogen
+	$(MAKE) -C ../../decoder protogen
+
+include ../../../mk/common.mk
+include ../../../mk/plugin.mk
+include ../../../mk/lint.mk
+include ../../../mk/test.mk

provisioning/plugins/corim-nitro-decoder/README.md

@@ -0,0 +1,36 @@
+# Endorsement Store Interface
+
+## Reference Value
+
+```json
+{
+  "scheme": "AWS_NITRO",
+  "type": "REFERENCE_VALUE",
+  "attributes": {
+    "psa.hw-model": "RoadRunner",
+    "psa.hw-vendor": "ACME",
+    "psa.impl-id": "IllXTnRaUzFwYlhCc1pXMWxiblJoZEdsdmJpMXBaQzB3TURBd01EQXdNREU9Ig==",
+    "psa.measurement-desc": 1,
+    "psa.measurement-type": "BL",
+    "psa.measurement-value": "h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc=",
+    "psa.signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=",
+    "psa.version": "2.1.0"
+  }
+}
+```
+
+## Trust Anchor
+
+```json
+{
+  "scheme": "AWS_NITRO",
+  "type": "VERIFICATION_KEY",
+  "attributes": {
+    "psa.hw-model": "RoadRunner",
+    "psa.hw-vendor": "ACME",
+    "psa.iak-pub": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6Vwqe7hy3O8Ypa+BUETLUjBNU3rEXVUyt9XHR7HJWLG7XTKQd9i1kVRXeBPDLFnfYru1/euxRnJM7H9UoFDLdA==",
+    "psa.impl-id": "IllXTnRaUzFwYlhCc1pXMWxiblJoZEdsdmJpMXBaQzB3TURBd01EQXdNREU9Ig==",
+    "psa.inst-id": "AUyj5PUL8kjDl4cCDWj/0FyIdndRvyZFypI/V6mL7NKW"
+  }
+}
+```

provisioning/plugins/corim-nitro-decoder/classattributes.go

@@ -0,0 +1,40 @@
+// Copyright 2022 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package main
+
+import (
+	"fmt"
+
+	"github.com/veraison/corim/comid"
+)
+
+type NitroClassAttributes struct {
+	//ImplID []byte
+	Vendor string
+	Model  string
+}
+
+// extract mandatory ImplID and optional vendor & model
+func (o *NitroClassAttributes) FromEnvironment(e comid.Environment) error {
+	class := e.Class
+
+	if class == nil {
+		return fmt.Errorf("expecting class in environment")
+	}
+
+	classID := class.ClassID
+
+	if classID == nil {
+		return fmt.Errorf("expecting class-id in class")
+	}
+
+	if class.Vendor != nil {
+		o.Vendor = *class.Vendor
+	}
+
+	if class.Model != nil {
+		o.Model = *class.Model
+	}
+
+	return nil
+}

provisioning/plugins/corim-nitro-decoder/decoder.go

@@ -0,0 +1,38 @@
+// Copyright 2022 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package main
+
+import (
+	"github.com/veraison/services/provisioning/decoder"
+	plugin_common "github.com/veraison/services/provisioning/plugins/common"
+)
+
+const (
+	SupportedMediaType = "application/corim-unsigned+cbor; profile=http://aws.com/nitro"
+	PluginName         = "unsigned-corim (AWS Nitro profile)"
+)
+
+type Decoder struct{}
+
+func (o Decoder) Init(params decoder.Params) error {
+	return nil // no-op
+}
+
+func (o Decoder) Close() error {
+	return nil // no-op
+}
+
+func (o Decoder) GetName() string {
+	return PluginName
+}
+
+func (o Decoder) GetSupportedMediaTypes() []string {
+	return []string{
+		SupportedMediaType,
+	}
+}
+
+func (o Decoder) Decode(data []byte) (*decoder.EndorsementDecoderResponse, error) {
+	result,err := plugin_common.UnsignedCorimDecoder(data, Extractor{})
+	return result, err
+}