AA: support get CoCo AS Attestation Token

Signed-off-by: Jiale Zhang <zhangjiale@linux.alibaba.com>
confidential-containers · Jan 18, 2024 · c04e77e · c04e77e
1 parent 98207c0
commit c04e77e
Show file tree

Hide file tree

Showing 6 changed files with 94 additions and 10 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/attestation-agent/lib/Cargo.toml b/attestation-agent/lib/Cargo.toml
@@ -25,17 +25,19 @@ tonic = { workspace = true, optional = true }
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
 
 [features]
-default = ["sample_kbc", "rust-crypto", "kbs_as"]
+default = ["sample_kbc", "rust-crypto", "coco_as"]
 
 kbs_as = ["token/kbs"]
 
-cc_kbc = ["kbc/cc_kbc", "kbs_as"]
-all-attesters = ["kbc/all-attesters", "kbs_protocol?/all-attesters", "attester/all-attesters"]
-tdx-attester = ["kbc/tdx-attester", "kbs_protocol/tdx-attester", "attester/tdx-attester"]
-sgx-attester = ["kbc/sgx-attester", "kbs_protocol/sgx-attester", "attester/sgx-attester"]
-az-snp-vtpm-attester = ["kbc/az-snp-vtpm-attester", "kbs_protocol/az-snp-vtpm-attester", "attester/az-snp-vtpm-attester"]
-az-tdx-vtpm-attester = ["kbc/az-tdx-vtpm-attester", "kbs_protocol/az-tdx-vtpm-attester", "attester/az-tdx-vtpm-attester"]
-snp-attester = ["kbc/snp-attester", "kbs_protocol/snp-attester", "attester/snp-attester"]
+coco_as = ["token/coco_as"]
+
+cc_kbc = ["kbc/cc_kbc", "kbs_as", "coco_as"]
+all-attesters = ["kbc/all-attesters", "kbs_protocol?/all-attesters", "attester/all-attesters", "token?/all-attesters"]
+tdx-attester = ["kbc/tdx-attester", "kbs_protocol/tdx-attester", "attester/tdx-attester", "token?/tdx"]
+sgx-attester = ["kbc/sgx-attester", "kbs_protocol/sgx-attester", "attester/sgx-attester", "token?/sgx"]
+az-snp-vtpm-attester = ["kbc/az-snp-vtpm-attester", "kbs_protocol/az-snp-vtpm-attester", "attester/az-snp-vtpm-attester", "token?/az-snp-vtpm"]
+az-tdx-vtpm-attester = ["kbc/az-tdx-vtpm-attester", "kbs_protocol/az-tdx-vtpm-attester", "attester/az-tdx-vtpm-attester", "token?/az-tdx-vtpm"]
+snp-attester = ["kbc/snp-attester", "kbs_protocol/snp-attester", "attester/snp-attester", "token?/snp"]
 
 sample_kbc = ["kbc/sample_kbc"]
 eaa_kbc = ["kbc/eaa_kbc"]

diff --git a/attestation-agent/lib/src/lib.rs b/attestation-agent/lib/src/lib.rs
@@ -16,7 +16,7 @@ use std::{collections::HashMap, path::Path};
 
 mod config;
 
-#[cfg(any(feature = "cc_kbc", feature = "kbs_as"))]
+#[cfg(any(feature = "coco_as", feature = "kbs_as"))]
 use token::GetToken;
 
 /// Attestation Agent (AA for short) is a rust library crate for attestation procedure
@@ -190,6 +190,20 @@ impl<'a> AttestationAPIs for AttestationAgent<'a> {
                     .await?;
                 kbs_token
             }
+            #[cfg(feature = "coco_as")]
+            "coco_as" => {
+                let as_url = match config::get_host_url().await {
+                    Ok(url) => url,
+                    Err(_) => {
+                        let config = config::Config::try_from(self.config_file_path)?;
+                        config.as_url.clone()
+                    }
+                };
+                let coco_as_token = token::coco_as::CoCoASTokenGetter::default()
+                    .get_token(as_url)
+                    .await?;
+                coco_as_token
+            }
             typ => bail!("Unsupported token type {typ}"),
         };
 

diff --git a/attestation-agent/token/Cargo.toml b/attestation-agent/token/Cargo.toml
@@ -8,12 +8,26 @@ edition = "2021"
 [dependencies]
 anyhow.workspace = true
 async-trait.workspace = true
+attester = { path = "../attester", optional = true, default-features = false }
+base64.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 kbs_protocol = { path = "../kbs_protocol", optional = true }
+reqwest = { version = "0.11", features = ["json"], optional = true }
 tokio = { workspace = true, features = ["fs"] }
 toml.workspace = true
 
 [features]
-default = ["kbs"]
+default = ["kbs", "coco_as"]
+
 kbs = ["kbs_protocol/background_check"]
+coco_as = ["reqwest", "attester"]
+
+all-attesters = ["attester?/all-attesters"]
+tdx = ["attester?/tdx-attester"]
+sgx = ["attester?/sgx-attester"]
+az-snp-vtpm = ["attester?/az-snp-vtpm-attester"]
+az-tdx-vtpm = ["attester?/az-tdx-vtpm-attester"]
+snp = ["attester?/snp-attester"]
+csv = ["attester?/csv-attester"]
+cca = ["attester?/cca-attester"]
diff --git a/attestation-agent/token/src/coco_as.rs b/attestation-agent/token/src/coco_as.rs
@@ -0,0 +1,48 @@
+// Copyright (c) 2024 Alibaba Cloud
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use super::GetToken;
+use anyhow::*;
+use async_trait::async_trait;
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use base64::Engine;
+
+#[derive(Default)]
+pub struct CoCoASTokenGetter {}
+
+#[async_trait]
+impl GetToken for CoCoASTokenGetter {
+    async fn get_token(&self, as_url: String) -> Result<Vec<u8>> {
+        let tee_type = attester::detect_tee_type();
+        let attester = attester::BoxedAttester::try_from(tee_type)?;
+        let evidence = attester.get_evidence(vec![]).await?;
+
+        let request_body = serde_json::json!({
+            "tee": serde_json::to_string(&tee_type)?,
+            "evidence": URL_SAFE_NO_PAD.encode(evidence.as_bytes()),
+        });
+
+        let client = reqwest::Client::new();
+        let res = client
+            .post(as_url)
+            .header("Content-Type", "application/json")
+            .json(&request_body)
+            .send()
+            .await?;
+
+        match res.status() {
+            reqwest::StatusCode::OK => {
+                let token = res.text().await?;
+                Ok(token.as_bytes().to_vec())
+            }
+            _ => {
+                bail!(
+                    "Rmote Attestation Failed, AS Response: {:?}",
+                    res.text().await?
+                );
+            }
+        }
+    }
+}
diff --git a/attestation-agent/token/src/lib.rs b/attestation-agent/token/src/lib.rs
@@ -8,6 +8,9 @@ use async_trait::async_trait;
 #[cfg(feature = "kbs")]
 pub mod kbs;
 
+#[cfg(feature = "coco_as")]
+pub mod coco_as;
+
 #[async_trait]
 pub trait GetToken {
     async fn get_token(&self, service_url: String) -> Result<Vec<u8>>;