
Commit 6916687

committed
devired_key: cleaning pass confidential-containers#1
1 parent 99e124f commit 6916687


12 files changed

+61
-91
lines changed


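--- a/api-server-rest/src/aa.rs
+++ b/api-server-rest/src/aa.rs
@@ -67,6 +67,18 @@ impl ApiHandler for AAClient {
 _ => {
 return self.not_found();
 }
+None => return self.bad_request(),
+},
+AA_DERIVED_KEY_URL => match params.get() {
+Some(key) => match self.get_derived_key().await {
+std::result::Result::Ok(results) => return self.octet_stream_response(results),
+Err(e) => return self.internal_error(e.to_string()),
+},
+None => return self.bad_request(),
+},
+
+_ => {
+return self.not_found();
 }
 }
 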
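Review bot: The new `AA_DERIVED_KEY_URL` arm calls `params.get()` without a key and binds `Some(key)` that is never used, so with the key id removed the arm still rejects a request over a query parameter it no longer needs; it can match on the call directly, `AA_DERIVED_KEY_URL => match self.get_derived_key().await {`. The added `None => return self.bad_request(),` and `},` at new lines 70-71 come directly after a `_ =>` arm, which looks like a misplaced block and would be unreachable at best; the enclosing match starts outside the hunk, so this needs checking against the full file. This arm returns raw derived-key bytes through `octet_stream_response`, so a comment above it naming which callers are expected to reach the endpoint would help the next reader.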

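--- a/attestation-agent/attestation-agent/src/bin/grpc-aa/server.rs
+++ b/attestation-agent/attestation-agent/src/bin/grpc-aa/server.rs
@@ -164,14 +164,10 @@ impl AttestationAgentService for AA {
 
 debug!("AA (grpc): get derived key ...");
 
-let derived_key = self
-.inner
-.get_derived_key(&request.key_id)
-.await
-.map_err(|e| {
-error!("AA (grpc): get derived key failed:\n{e:?}\nkey_id:\n{&request.key_id}");
-Status::internal(format!("[ERROR:{AGENT_NAME}] AA get derived key failed"))
-})?;
+let derived_key = self.inner.get_derived_key().await.map_err(|e| {
+error!("AA (grpc): get derived key failed:\n{e:?}");
+Status::internal(format!("[ERROR:{AGENT_NAME}] AA get derived key failed"))
+})?;
 
 debug!("AA (grpc): Get derived key successfully!");
 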
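Review bot: `self.inner.get_derived_key()` is called with no argument, while the `AttestationAPIs::get_derived_key` signature changed in this same commit (lib.rs) still takes `context: Vec<u8>`, so this call would not compile as shown. The ttrpc server in this commit passes an empty vector; doing the same here keeps both transports consistent: `let derived_key = self.inner.get_derived_key(Vec::new()).await.map_err(|e| {`. The enclosing method starts and ends outside the hunk.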

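--- a/attestation-agent/attestation-agent/src/bin/ttrpc-aa-client.rs
+++ b/attestation-agent/attestation-agent/src/bin/ttrpc-aa-client.rs
@@ -80,11 +80,7 @@ struct GetTokenArgs {
 
 #[derive(Args)]
 #[command(author, version, about, long_about = None)]
-struct GetDerivedKeyArgs {
-/// base64 encodede runtime data
-#[arg(short, long)]
-key_id: String,
-}
+struct GetDerivedKeyArgs {}
 
 #[derive(Args)]
 #[command(author, version, about, long_about = None)]
@@ -152,15 +148,14 @@ pub async fn main() {
 }
 Operation::GetDerivedKey(get_derived_key_args) => {
 let req = GetDerivedKeyRequest {
-KeyId: get_derived_key_args.key_id,
 ..Default::default()
 };
 let res = client
 .get_derived_key(context::with_timeout(TIMEOUT), &req)
 .await
 .expect("request to AA");
-let key_id = String::from_utf8(res.KeyId).unwrap();
-println!("{key_id}");
+let key = String::from_utf8(res.Key).unwrap();
+println!("{key}");
 }
 Operation::ExtendRuntimeMeasurement(extend_runtime_measurement_args) => {
 let req = ExtendRuntimeMeasurementRequest {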
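Review bot: In the second hunk, `String::from_utf8(res.Key).unwrap()` treats the derived key as text, but key material is arbitrary bytes, so the `unwrap()` will panic on most real keys. The response message in this commit's .proto names the field `DerivedKey`, not `Key`; the ttrpc_dep bindings are not shown here, so confirm which name they generate. Printing an encoding avoids the panic, for example `let key: String = res.DerivedKey.iter().map(|b| format!("{b:02x}")).collect();` followed by the existing `println!("{key}");`. Because the key is written to stdout, a comment above the print such as `// prints secret key material; debugging aid only` would make that explicit. `main` continues outside the hunk.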

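--- a/attestation-agent/attestation-agent/src/bin/ttrpc_dep/server.rs
+++ b/attestation-agent/attestation-agent/src/bin/ttrpc_dep/server.rs
@@ -84,21 +84,16 @@ impl AttestationAgentService for AA {
 ) -> ::ttrpc::Result<GetDerivedKeyResponse> {
 debug!("AA (ttrpc): get derived key ...");
 
+let empty_context = Vec::new();
 let derived_key = self
 .inner
-.get_derived_key(&req.KeyId, Vec::new())
+.get_derived_key(empty_context)
 .await
 .map_err(|e| {
-error!(
-"AA (ttrpc): get derived key failed:\n {e:?}\n key_id:\n {:#?}",
-&req.KeyId
-);
+error!("AA (ttrpc): get derived key failed:\n {e:?}");
 let mut error_status = ::ttrpc::proto::Status::new();
 error_status.set_code(Code::INTERNAL);
-error_status.set_message(format!(
-"[ERROR:{AGENT_NAME}] AA-KBC get derived key failed. key_id: {:#?}",
-&req.KeyId
-));
+error_status.set_message("[ERROR:{AGENT_NAME}] AA-KBC get derived key failed.");
 ::ttrpc::Error::RpcStatus(error_status)
 })?;
 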
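Review bot: `error_status.set_message("[ERROR:{AGENT_NAME}] AA-KBC get derived key failed.")` dropped the `format!` wrapper, so `{AGENT_NAME}` is now sent to the client as literal text instead of the agent name. The removed call passed a `String`, so a bare `&str` literal may also fail to type-check. Keeping the macro fixes both: `error_status.set_message(format!("[ERROR:{AGENT_NAME}] AA-KBC get derived key failed."));`. The method body ends outside the hunk.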

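--- a/attestation-agent/attestation-agent/src/lib.rs
+++ b/attestation-agent/attestation-agent/src/lib.rs
@@ -60,8 +60,8 @@ pub trait AttestationAPIs {
 /// Get TEE hardware signed evidence that includes the runtime data.
 async fn get_evidence(&self, runtime_data: &[u8]) -> Result<Vec<u8>>;
 
-/// Get a derived key using the provided key ID
-async fn get_derived_key(&self, key_id: &[u8], context: Vec<u8>) -> Result<Vec<u8>>;
+/// Get a derived key
+async fn get_derived_key(&self, context: Vec<u8>) -> Result<Vec<u8>>;
 
 /// Extend runtime measurement register
 async fn extend_runtime_measurement(
@@ -180,8 +180,8 @@ impl AttestationAPIs for AttestationAgent {
 Ok(evidence.into_bytes())
 }
 
-async fn get_derived_key(&self, key_id: &[u8], context: Vec<u8>) -> Result<Vec<u8>> {
-self.attester.get_derived_key(key_id, context).await
+async fn get_derived_key(&self, context: Vec<u8>) -> Result<Vec<u8>> {
+self.attester.get_derived_key(context).await
 }
 
 /// Extend runtime measurement register. Parameters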
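Review bot: The trait doc in the first hunk, `/// Get a derived key`, no longer says what the one remaining input, `context`, means. The SNP attester section of this commit shows `context.resize(64, 0)`, so on that backend the context appears to be padded or truncated to 64 bytes, and two contexts sharing their first 64 bytes would presumably yield the same key. I would document that on the trait method, e.g. `/// Get a key derived by the TEE; context is mixed into the derivation and backends may pad or truncate it (SNP uses 64 bytes).` Both the trait and the impl continue outside their hunks.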

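--- a/attestation-agent/attester/src/snp/mod.rs
+++ b/attestation-agent/attester/src/snp/mod.rs
@@ -71,10 +71,6 @@ impl Attester for SnpAttester {
 }
 
 context.resize(64, 0);
-let _root_key: u8 = root_key_hinit
-.first()
-.copied()
-.context("Invalid key or empty key specified")?;
 
 let mut firmware: Firmware = Firmware::open()?;
 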

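--- a/attestation-agent/kbs_protocol/src/evidence_provider/aa_ttrpc.rs
+++ b/attestation-agent/kbs_protocol/src/evidence_provider/aa_ttrpc.rs
@@ -40,9 +40,8 @@ impl AAEvidenceProvider {
 #[async_trait]
 impl EvidenceProvider for AAEvidenceProvider {
 /// Get derived key using the provided key ID
-async fn get_derived_key(&self, key_id: &[u8], _context: Vec<u8>) -> Result<Vec<u8>> {
+async fn get_derived_key(&self, _context: Vec<u8>) -> Result<Vec<u8>> {
 let req = GetDerivedKeyRequest {
-KeyId: key_id.to_vec(),
 ..Default::default()
 };
 let res = self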
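Review bot: The doc comment kept above the method still reads `/// Get derived key using the provided key ID` although `key_id` is gone. `_context` is also accepted but never sent, since `GetDerivedKeyRequest` now has no fields. With this provider, a caller that passes a context for domain separation would get the same key as one that passes none. Suggested doc: `/// Get a derived key from the attestation agent over ttrpc; the context argument is currently ignored.` The method body continues outside the hunk.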

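--- a/attestation-agent/kbs_protocol/src/evidence_provider/mock.rs
+++ b/attestation-agent/kbs_protocol/src/evidence_provider/mock.rs
@@ -19,7 +19,7 @@ impl EvidenceProvider for MockedEvidenceProvider {
 Ok("test evidence".into())
 }
 
-async fn get_derived_key(&self, _key_id: &[u8], _context: Vec<u8>) -> Result<Vec<u8>> {
+async fn get_derived_key(&self, _context: Vec<u8>) -> Result<Vec<u8>> {
 Ok(vec![0u8; 32]) // Return a mock 32-byte key filled with zeros
 }
 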

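--- a/attestation-agent/kbs_protocol/src/evidence_provider/mod.rs
+++ b/attestation-agent/kbs_protocol/src/evidence_provider/mod.rs
@@ -27,7 +27,6 @@ pub trait EvidenceProvider: Send + Sync {
 async fn get_tee_type(&self) -> Result<Tee>;
 
 /// Get a derived key using the hardware-specific key derivation function.
-/// The parameter `root_key_hint` is the root key used for derivation,
-/// and `context` is additional data used in the derivation process.
-async fn get_derived_key(&self, key_id: &[u8], context: Vec<u8>) -> Result<Vec<u8>>;
+/// The parameter `context` is data potentially used in the derivation process.
+async fn get_derived_key(&self, context: Vec<u8>) -> Result<Vec<u8>>;
 }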

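--- a/attestation-agent/kbs_protocol/src/evidence_provider/native.rs
+++ b/attestation-agent/kbs_protocol/src/evidence_provider/native.rs
@@ -35,9 +35,9 @@ impl EvidenceProvider for NativeEvidenceProvider {
 Ok(detect_tee_type())
 }
 
-async fn get_derived_key(&self, key_id: &[u8], context: Vec<u8>) -> Result<Vec<u8>> {
+async fn get_derived_key(&self, context: Vec<u8>) -> Result<Vec<u8>> {
 self.0
-.get_derived_key(key_id, context)
+.get_derived_key(context)
 .await
 .map_err(|e| Error::GetDerivedKey(e.to_string()))
 }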

attestation-agent/kbs_protocol/src/ttrpc_protos/attestation_agent.rs

Lines changed: 27 additions & 47 deletions
Original file line numberDiff line numberDiff line change
@@ -515,9 +515,6 @@ impl ::protobuf::reflect::ProtobufValue for GetTokenResponse {
515515
// @@protoc_insertion_point(message:attestation_agent.GetDerivedKeyRequest)
516516
#[derive(PartialEq,Clone,Default,Debug)]
517517
pub struct GetDerivedKeyRequest {
518-
// message fields
519-
// @@protoc_insertion_point(field:attestation_agent.GetDerivedKeyRequest.KeyId)
520-
pub KeyId: ::std::vec::Vec<u8>,
521518
// special fields
522519
// @@protoc_insertion_point(special_field:attestation_agent.GetDerivedKeyRequest.special_fields)
523520
pub special_fields: ::protobuf::SpecialFields,
@@ -535,13 +532,8 @@ impl GetDerivedKeyRequest {
535532
}
536533

537534
fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData {
538-
let mut fields = ::std::vec::Vec::with_capacity(1);
535+
let mut fields = ::std::vec::Vec::with_capacity(0);
539536
let mut oneofs = ::std::vec::Vec::with_capacity(0);
540-
fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>(
541-
"KeyId",
542-
|m: &GetDerivedKeyRequest| { &m.KeyId },
543-
|m: &mut GetDerivedKeyRequest| { &mut m.KeyId },
544-
));
545537
::protobuf::reflect::GeneratedMessageDescriptorData::new_2::<GetDerivedKeyRequest>(
546538
"GetDerivedKeyRequest",
547539
fields,
@@ -560,9 +552,6 @@ impl ::protobuf::Message for GetDerivedKeyRequest {
560552
fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> {
561553
while let Some(tag) = is.read_raw_tag_or_eof()? {
562554
match tag {
563-
10 => {
564-
self.KeyId = is.read_bytes()?;
565-
},
566555
tag => {
567556
::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?;
568557
},
@@ -575,18 +564,12 @@ impl ::protobuf::Message for GetDerivedKeyRequest {
575564
#[allow(unused_variables)]
576565
fn compute_size(&self) -> u64 {
577566
let mut my_size = 0;
578-
if !self.KeyId.is_empty() {
579-
my_size += ::protobuf::rt::bytes_size(1, &self.KeyId);
580-
}
581567
my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields());
582568
self.special_fields.cached_size().set(my_size as u32);
583569
my_size
584570
}
585571

586572
fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> {
587-
if !self.KeyId.is_empty() {
588-
os.write_bytes(1, &self.KeyId)?;
589-
}
590573
os.write_unknown_fields(self.special_fields.unknown_fields())?;
591574
::std::result::Result::Ok(())
592575
}
@@ -604,13 +587,11 @@ impl ::protobuf::Message for GetDerivedKeyRequest {
604587
}
605588

606589
fn clear(&mut self) {
607-
self.KeyId.clear();
608590
self.special_fields.clear();
609591
}
610592

611593
fn default_instance() -> &'static GetDerivedKeyRequest {
612594
static instance: GetDerivedKeyRequest = GetDerivedKeyRequest {
613-
KeyId: ::std::vec::Vec::new(),
614595
special_fields: ::protobuf::SpecialFields::new(),
615596
};
616597
&instance
@@ -1856,33 +1837,32 @@ static file_descriptor_proto_data: &'static [u8] = b"\
18561837
\"1\n\x13GetEvidenceResponse\x12\x1a\n\x08Evidence\x18\x01\x20\x01(\x0cR\
18571838
\x08Evidence\"/\n\x0fGetTokenRequest\x12\x1c\n\tTokenType\x18\x01\x20\
18581839
\x01(\tR\tTokenType\"(\n\x10GetTokenResponse\x12\x14\n\x05Token\x18\x01\
1859-
\x20\x01(\x0cR\x05Token\",\n\x14GetDerivedKeyRequest\x12\x14\n\x05KeyId\
1860-
\x18\x01\x20\x01(\x0cR\x05KeyId\"7\n\x15GetDerivedKeyResponse\x12\x1e\n\
1861-
\nDerivedKey\x18\x01\x20\x01(\x0cR\nDerivedKey\"\xae\x01\n\x1fExtendRunt\
1862-
imeMeasurementRequest\x12\x16\n\x06Domain\x18\x01\x20\x01(\tR\x06Domain\
1863-
\x12\x1c\n\tOperation\x18\x02\x20\x01(\tR\tOperation\x12\x18\n\x07Conten\
1864-
t\x18\x03\x20\x01(\tR\x07Content\x12)\n\rRegisterIndex\x18\x04\x20\x01(\
1865-
\x04H\0R\rRegisterIndex\x88\x01\x01B\x10\n\x0e_RegisterIndex\"\"\n\x20Ex\
1866-
tendRuntimeMeasurementResponse\"K\n\x11InitDataPlaintext\x12\x18\n\x07Co\
1867-
ntent\x18\x01\x20\x01(\x0cR\x07Content\x12\x1c\n\tAlgorithm\x18\x02\x20\
1868-
\x01(\tR\tAlgorithm\"-\n\x13BindInitDataRequest\x12\x16\n\x06Digest\x18\
1869-
\x01\x20\x01(\x0cR\x06Digest\"\x16\n\x14BindInitDataResponse\"4\n\x1aUpd\
1870-
ateConfigurationRequest\x12\x16\n\x06config\x18\x01\x20\x01(\tR\x06confi\
1871-
g\"\x1d\n\x1bUpdateConfigurationResponse\"\x13\n\x11GetTeeTypeRequest\"&\
1872-
\n\x12GetTeeTypeResponse\x12\x10\n\x03tee\x18\x01\x20\x01(\tR\x03tee2\
1873-
\xe8\x05\n\x17AttestationAgentService\x12b\n\rGetDerivedKey\x12'.attesta\
1874-
tion_agent.GetDerivedKeyRequest\x1a(.attestation_agent.GetDerivedKeyResp\
1875-
onse\x12\\\n\x0bGetEvidence\x12%.attestation_agent.GetEvidenceRequest\
1876-
\x1a&.attestation_agent.GetEvidenceResponse\x12S\n\x08GetToken\x12\".att\
1877-
estation_agent.GetTokenRequest\x1a#.attestation_agent.GetTokenResponse\
1878-
\x12\x83\x01\n\x18ExtendRuntimeMeasurement\x122.attestation_agent.Extend\
1879-
RuntimeMeasurementRequest\x1a3.attestation_agent.ExtendRuntimeMeasuremen\
1880-
tResponse\x12_\n\x0cBindInitData\x12&.attestation_agent.BindInitDataRequ\
1881-
est\x1a'.attestation_agent.BindInitDataResponse\x12t\n\x13UpdateConfigur\
1882-
ation\x12-.attestation_agent.UpdateConfigurationRequest\x1a..attestation\
1883-
_agent.UpdateConfigurationResponse\x12Y\n\nGetTeeType\x12$.attestation_a\
1884-
gent.GetTeeTypeRequest\x1a%.attestation_agent.GetTeeTypeResponseb\x06pro\
1885-
to3\
1840+
\x20\x01(\x0cR\x05Token\"\x16\n\x14GetDerivedKeyRequest\"7\n\x15GetDeriv\
1841+
edKeyResponse\x12\x1e\n\nDerivedKey\x18\x01\x20\x01(\x0cR\nDerivedKey\"\
1842+
\xae\x01\n\x1fExtendRuntimeMeasurementRequest\x12\x16\n\x06Domain\x18\
1843+
\x01\x20\x01(\tR\x06Domain\x12\x1c\n\tOperation\x18\x02\x20\x01(\tR\tOpe\
1844+
ration\x12\x18\n\x07Content\x18\x03\x20\x01(\tR\x07Content\x12)\n\rRegis\
1845+
terIndex\x18\x04\x20\x01(\x04H\0R\rRegisterIndex\x88\x01\x01B\x10\n\x0e_\
1846+
RegisterIndex\"\"\n\x20ExtendRuntimeMeasurementResponse\"K\n\x11InitData\
1847+
Plaintext\x12\x18\n\x07Content\x18\x01\x20\x01(\x0cR\x07Content\x12\x1c\
1848+
\n\tAlgorithm\x18\x02\x20\x01(\tR\tAlgorithm\"-\n\x13BindInitDataRequest\
1849+
\x12\x16\n\x06Digest\x18\x01\x20\x01(\x0cR\x06Digest\"\x16\n\x14BindInit\
1850+
DataResponse\"4\n\x1aUpdateConfigurationRequest\x12\x16\n\x06config\x18\
1851+
\x01\x20\x01(\tR\x06config\"\x1d\n\x1bUpdateConfigurationResponse\"\x13\
1852+
\n\x11GetTeeTypeRequest\"&\n\x12GetTeeTypeResponse\x12\x10\n\x03tee\x18\
1853+
\x01\x20\x01(\tR\x03tee2\xe8\x05\n\x17AttestationAgentService\x12b\n\rGe\
1854+
tDerivedKey\x12'.attestation_agent.GetDerivedKeyRequest\x1a(.attestation\
1855+
_agent.GetDerivedKeyResponse\x12\\\n\x0bGetEvidence\x12%.attestation_age\
1856+
nt.GetEvidenceRequest\x1a&.attestation_agent.GetEvidenceResponse\x12S\n\
1857+
\x08GetToken\x12\".attestation_agent.GetTokenRequest\x1a#.attestation_ag\
1858+
ent.GetTokenResponse\x12\x83\x01\n\x18ExtendRuntimeMeasurement\x122.atte\
1859+
station_agent.ExtendRuntimeMeasurementRequest\x1a3.attestation_agent.Ext\
1860+
endRuntimeMeasurementResponse\x12_\n\x0cBindInitData\x12&.attestation_ag\
1861+
ent.BindInitDataRequest\x1a'.attestation_agent.BindInitDataResponse\x12t\
1862+
\n\x13UpdateConfiguration\x12-.attestation_agent.UpdateConfigurationRequ\
1863+
est\x1a..attestation_agent.UpdateConfigurationResponse\x12Y\n\nGetTeeTyp\
1864+
e\x12$.attestation_agent.GetTeeTypeRequest\x1a%.attestation_agent.GetTee\
1865+
TypeResponseb\x06proto3\
18861866
";
18871867

18881868
/// `FileDescriptorProto` object which was a source for this generated file

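--- a/attestation-agent/protos/attestation-agent.proto
+++ b/attestation-agent/protos/attestation-agent.proto
@@ -18,9 +18,7 @@ message GetTokenResponse {
 bytes Token = 1;
 }
 
-message GetDerivedKeyRequest {
-bytes KeyId = 1;
-}
+message GetDerivedKeyRequest {}
 
 message GetDerivedKeyResponse {
 bytes DerivedKey = 1;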
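Review bot: Removing `KeyId` from `GetDerivedKeyRequest` frees field number 1 and its name for later reuse. A peer built from the old schema will still send tag 1, and a future field that reuses that number would parse those bytes as something else. Reserving both prevents that: `message GetDerivedKeyRequest { reserved 1; reserved "KeyId"; }`.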
