From ffd22b3ca8b0887e995021198433668cbfdfbf4b Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Mon, 6 Jan 2025 15:39:28 +0800 Subject: [PATCH] AA/kbs_protocol: add AAEvidenceProvider AAEvidenceProvider gets evidence via ttrpc from AA. This patch also does some refactoring upon the code structure of ttrpc to avoid duplication of ttrpc files. Signed-off-by: Xynnn007 --- attestation-agent/kbs_protocol/build.rs | 4 +- attestation-agent/kbs_protocol/src/error.rs | 3 + .../src/evidence_provider/aa_ttrpc.rs | 79 +++++++++++++++++++ .../kbs_protocol/src/evidence_provider/mod.rs | 5 ++ attestation-agent/kbs_protocol/src/lib.rs | 2 + .../kbs_protocol/src/token_provider/aa/mod.rs | 12 ++- .../aa => ttrpc_protos}/attestation_agent.rs | 0 .../attestation_agent_ttrpc.rs | 0 .../kbs_protocol/src/ttrpc_protos/mod.rs | 7 ++ 9 files changed, 103 insertions(+), 9 deletions(-) create mode 100644 attestation-agent/kbs_protocol/src/evidence_provider/aa_ttrpc.rs rename attestation-agent/kbs_protocol/src/{token_provider/aa => ttrpc_protos}/attestation_agent.rs (100%) rename attestation-agent/kbs_protocol/src/{token_provider/aa => ttrpc_protos}/attestation_agent_ttrpc.rs (100%) create mode 100644 attestation-agent/kbs_protocol/src/ttrpc_protos/mod.rs diff --git a/attestation-agent/kbs_protocol/build.rs b/attestation-agent/kbs_protocol/build.rs index 4e28c31e6..4998a27cc 100644 --- a/attestation-agent/kbs_protocol/build.rs +++ b/attestation-agent/kbs_protocol/build.rs @@ -28,7 +28,7 @@ fn main() -> Result<(), Box> { } ttrpc_codegen::Codegen::new() - .out_dir("src/token_provider/aa") + .out_dir("src/ttrpc_protos") .include("../protos") .inputs(["../protos/attestation-agent.proto"]) .rust_protobuf() @@ -42,7 +42,7 @@ fn main() -> Result<(), Box> { // Fix clippy warnings of code generated from ttrpc_codegen replace_text_in_file( - "src/token_provider/aa/attestation_agent_ttrpc.rs", + "src/ttrpc_protos/attestation_agent_ttrpc.rs", "client: client", "client", )?; diff --git a/attestation-agent/kbs_protocol/src/error.rs b/attestation-agent/kbs_protocol/src/error.rs index 5a75d59cb..15cbb4fac 100644 --- a/attestation-agent/kbs_protocol/src/error.rs +++ b/attestation-agent/kbs_protocol/src/error.rs @@ -9,6 +9,9 @@ pub type Result = std::result::Result; #[derive(Error, Debug)] pub enum Error { + #[error("Attestation Agent evidence provider error: {0}")] + AAEvidenceProvider(String), + #[error("Attestation Agent token provider error: {0}")] AATokenProvider(String), diff --git a/attestation-agent/kbs_protocol/src/evidence_provider/aa_ttrpc.rs b/attestation-agent/kbs_protocol/src/evidence_provider/aa_ttrpc.rs new file mode 100644 index 000000000..79d35cfc1 --- /dev/null +++ b/attestation-agent/kbs_protocol/src/evidence_provider/aa_ttrpc.rs @@ -0,0 +1,79 @@ +// Copyright (c) 2025 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +use async_trait::async_trait; +use kbs_types::Tee; +use serde_json::json; +use ttrpc::context; + +use crate::{ + ttrpc_protos::{ + attestation_agent::{GetEvidenceRequest, GetTeeTypeRequest}, + attestation_agent_ttrpc::AttestationAgentServiceClient, + }, + Error, Result, +}; + +use super::EvidenceProvider; + +const AA_SOCKET_FILE: &str = + "unix:///run/confidential-containers/attestation-agent/attestation-agent.sock"; + +/// The timeout for ttrpc call to Attestation Agent +const AA_TTRPC_TIMEOUT_SECONDS: i64 = 50; + +pub struct AAEvidenceProvider { + client: AttestationAgentServiceClient, +} + +impl AAEvidenceProvider { + pub async fn new() -> Result { + let c = ttrpc::r#async::Client::connect(AA_SOCKET_FILE) + .map_err(|e| Error::AATokenProvider(format!("ttrpc connect failed {e}")))?; + let client = AttestationAgentServiceClient::new(c); + Ok(Self { client }) + } +} + +#[async_trait] +impl EvidenceProvider for AAEvidenceProvider { + /// Get evidence with as runtime data (report data, challege) + async fn get_evidence(&self, runtime_data: Vec) -> Result { + let req = GetEvidenceRequest { + RuntimeData: runtime_data, + ..Default::default() + }; + let res = self + .client + .get_evidence( + context::with_timeout(AA_TTRPC_TIMEOUT_SECONDS * 1000 * 1000 * 1000), + &req, + ) + .await + .map_err(|e| Error::AAEvidenceProvider(format!("call ttrpc failed: {e}")))?; + let evidence = String::from_utf8(res.Evidence) + .map_err(|e| Error::AAEvidenceProvider(format!("non-utf8 evidence: {e}")))?; + Ok(evidence) + } + + /// Get the underlying Tee type + async fn get_tee_type(&self) -> Result { + let req = GetTeeTypeRequest { + ..Default::default() + }; + let res = self + .client + .get_tee_type( + context::with_timeout(AA_TTRPC_TIMEOUT_SECONDS * 1000 * 1000 * 1000), + &req, + ) + .await + .map_err(|e| Error::AAEvidenceProvider(format!("call ttrpc failed: {e}")))?; + + let tee = serde_json::from_value(json!(res.tee)) + .map_err(|e| Error::AAEvidenceProvider(format!("failed to parse Tee type: {e}")))?; + Ok(tee) + } +} diff --git a/attestation-agent/kbs_protocol/src/evidence_provider/mod.rs b/attestation-agent/kbs_protocol/src/evidence_provider/mod.rs index 51b8fea33..404f4c51d 100644 --- a/attestation-agent/kbs_protocol/src/evidence_provider/mod.rs +++ b/attestation-agent/kbs_protocol/src/evidence_provider/mod.rs @@ -9,6 +9,11 @@ pub use native::*; pub mod mock; pub use mock::*; +#[cfg(feature = "aa_ttrpc")] +pub mod aa_ttrpc; +#[cfg(feature = "aa_ttrpc")] +pub use aa_ttrpc::*; + use crate::Result; use async_trait::async_trait; use kbs_types::Tee; diff --git a/attestation-agent/kbs_protocol/src/lib.rs b/attestation-agent/kbs_protocol/src/lib.rs index eb4bd6d0b..59cd5b1aa 100644 --- a/attestation-agent/kbs_protocol/src/lib.rs +++ b/attestation-agent/kbs_protocol/src/lib.rs @@ -77,6 +77,8 @@ pub mod error; pub mod evidence_provider; pub mod keypair; pub mod token_provider; +#[cfg(feature = "aa_ttrpc")] +pub mod ttrpc_protos; pub use api::*; pub use builder::KbsClientBuilder; diff --git a/attestation-agent/kbs_protocol/src/token_provider/aa/mod.rs b/attestation-agent/kbs_protocol/src/token_provider/aa/mod.rs index 94593fbb3..970666287 100644 --- a/attestation-agent/kbs_protocol/src/token_provider/aa/mod.rs +++ b/attestation-agent/kbs_protocol/src/token_provider/aa/mod.rs @@ -5,17 +5,15 @@ //! This is a token provider which connects the attestation-agent -mod attestation_agent; -mod attestation_agent_ttrpc; - use async_trait::async_trait; use serde::Deserialize; use ttrpc::context; -use crate::{Error, Result, TeeKeyPair, Token}; - -use self::{ - attestation_agent::GetTokenRequest, attestation_agent_ttrpc::AttestationAgentServiceClient, +use crate::{ + ttrpc_protos::{ + attestation_agent::GetTokenRequest, attestation_agent_ttrpc::AttestationAgentServiceClient, + }, + Error, Result, TeeKeyPair, Token, }; use super::TokenProvider; diff --git a/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent.rs b/attestation-agent/kbs_protocol/src/ttrpc_protos/attestation_agent.rs similarity index 100% rename from attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent.rs rename to attestation-agent/kbs_protocol/src/ttrpc_protos/attestation_agent.rs diff --git a/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent_ttrpc.rs b/attestation-agent/kbs_protocol/src/ttrpc_protos/attestation_agent_ttrpc.rs similarity index 100% rename from attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent_ttrpc.rs rename to attestation-agent/kbs_protocol/src/ttrpc_protos/attestation_agent_ttrpc.rs diff --git a/attestation-agent/kbs_protocol/src/ttrpc_protos/mod.rs b/attestation-agent/kbs_protocol/src/ttrpc_protos/mod.rs new file mode 100644 index 000000000..a149b0285 --- /dev/null +++ b/attestation-agent/kbs_protocol/src/ttrpc_protos/mod.rs @@ -0,0 +1,7 @@ +// Copyright (c) 2025 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +pub mod attestation_agent; +pub mod attestation_agent_ttrpc;