diff --git a/.github/workflows/aa_basic.yml b/.github/workflows/aa_basic.yml index 725143b83..63a1640f7 100644 --- a/.github/workflows/aa_basic.yml +++ b/.github/workflows/aa_basic.yml @@ -35,10 +35,10 @@ jobs: rust: - stable instance: - - ubuntu-22.04 + - ubuntu-24.04 - s390x include: - - instance: ubuntu-22.04 + - instance: ubuntu-24.04 make_args: "" cargo_test_opts: "--features openssl,rust-crypto,all-attesters,kbs,coco_as" cargo_lint_opts: "--workspace" @@ -67,14 +67,14 @@ jobs: - uses: ./.github/actions/install-intel-dcap with: - ubuntu-version: jammy - if: matrix.instance == 'ubuntu-22.04' + ubuntu-version: noble + if: matrix.instance == 'ubuntu-24.04' - name: Install TPM dependencies run: | sudo apt-get update sudo apt-get install -y libtss2-dev - if: matrix.instance == 'ubuntu-22.04' + if: matrix.instance == 'ubuntu-24.04' - name: Install dm-verity dependencies run: | @@ -91,7 +91,7 @@ jobs: - name: Musl build with all platform run: | make LIBC=musl ttrpc=true ATTESTER=none - if: matrix.instance == 'ubuntu-22.04' + if: matrix.instance == 'ubuntu-24.04' - name: Run cargo test uses: actions-rs/cargo@v1 diff --git a/.github/workflows/aa_cc_kbc.yml b/.github/workflows/aa_cc_kbc.yml index b5686dac4..35d6258cb 100644 --- a/.github/workflows/aa_cc_kbc.yml +++ b/.github/workflows/aa_cc_kbc.yml @@ -29,18 +29,17 @@ jobs: defaults: run: working-directory: ./attestation-agent - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 strategy: fail-fast: false matrix: rust: - stable - kbc: - - cc_kbc - - cc_kbc_tdx - - cc_kbc_sgx - - cc_kbc_az_snp_vtpm - - cc_kbc_snp + attester: + - snp-attester + - tdx-attester + - az-snp-vtpm-attester + - az-tdx-vtpm-attester steps: - name: Code checkout uses: actions/checkout@v4 @@ -57,7 +56,7 @@ jobs: - uses: ./.github/actions/install-intel-dcap with: - ubuntu-version: jammy + ubuntu-version: noble - name: Install TPM dependencies run: | 
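Review bot: The runner label is now hard-coded in four separate `if:` guards in aa_basic.yml (the `install-intel-dcap` step, the TPM dependency step, the musl build, plus the matrix `include` entry), so the next image bump has to touch every step again, exactly as this commit did for 22.04→24.04. Guarding on the other matrix axis instead, `if: matrix.instance != 's390x'`, or setting a boolean in the `include:` entry (e.g. `native_x86: true`) and testing that, keeps the condition stable across runner upgrades. Separately, `install-intel-dcap` is handed `ubuntu-version: noble`; that composite action is not part of this diff, so if it maps the codename to an Intel SGX/DCAP apt suite, confirm the suite actually exists for noble before merging — a missing suite fails the job rather than skipping it.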
@@ -68,19 +67,18 @@ jobs: run: | sudo apt-get update && sudo apt-get install -y protobuf-compiler - - name: Build and install with ${{ matrix.kbc }} feature + - name: Build and install with ${{ matrix.attester }} feature run: | - make KBC=${{ matrix.kbc }} && make install + make ATTESTER=${{ matrix.attester }} && make install - name: Run rust lint check uses: actions-rs/cargo@v1 with: command: clippy - # We are getting error in generated code due to derive_partial_eq_without_eq check, so ignore it for now - args: -p kbc --all-targets --features cc_kbc,all-attesters,rust-crypto -- -D warnings -A clippy::derive_partial_eq_without_eq + args: -p kbc --all-targets --features cc_kbc,${{ matrix.attester }},rust-crypto -- -D warnings - name: Run cargo test uses: actions-rs/cargo@v1 with: command: test - args: --features cc_kbc,all-attesters,rust-crypto -p kbc + args: --features cc_kbc,${{ matrix.attester }},rust-crypto -p kbc diff --git a/.github/workflows/aa_crypto.yml b/.github/workflows/aa_crypto.yml index d219cdb1d..a6f88053f 100644 --- a/.github/workflows/aa_crypto.yml +++ b/.github/workflows/aa_crypto.yml @@ -25,7 +25,7 @@ jobs: defaults: run: working-directory: ./attestation-agent - runs-on: ubuntu-20.04 + runs-on: ubuntu-24.04 strategy: fail-fast: false matrix: diff --git a/.github/workflows/aa_eaa_kbc.yml b/.github/workflows/aa_eaa_kbc.yml deleted file mode 100644 index f12009c47..000000000 --- a/.github/workflows/aa_eaa_kbc.yml +++ /dev/null 
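Review bot: Replacing `all-attesters` with `${{ matrix.attester }}` in both the clippy and the test args narrows lint/test coverage of `kbc` to the four attesters in the new matrix (snp, tdx, az-snp-vtpm, az-tdx-vtpm); the former `cc_kbc_sgx` entry has no counterpart, and `attestation-agent/kbc/Cargo.toml` in this same diff still declares `cca-attester` and `se-attester`, so those feature-gated paths are no longer linted or tested by this workflow. If dropping SGX coverage is intentional, say so in the commit message; otherwise add the missing attester(s) to the matrix, or keep one job that still runs `args: --features cc_kbc,all-attesters,rust-crypto -p kbc` so feature-combination breakage, which single-feature builds cannot catch, is still detected. `se-attester` presumably only builds on s390x, so it may legitimately stay out of this ubuntu-24.04 matrix — worth a one-line comment above the matrix stating which attesters are deliberately excluded and why.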
@@ -1,65 +0,0 @@ -name: attestation-agent eaa_kbc tests - -on: - # push: - # branches: - # - 'main' - # paths: - # - 'attestation-agent/kbc/eaa_kbc/**' - # - '.github/workflows/aa_eaa_kbc.yml' - # pull_request: - # paths: - # - 'attestation-agent/kbc/eaa_kbc/**' - # - '.github/workflows/aa_eaa_kbc.yml' - create: - workflow_dispatch: - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -jobs: - eaa_kbc_ci: - if: github.event_name != 'push' - name: Check - defaults: - run: - working-directory: ./attestation-agent - runs-on: ubuntu-20.04 - strategy: - fail-fast: false - matrix: - rust: - - stable - - container: runetest/compilation-testing:ubuntu18.04 - - steps: - - name: Code checkout - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - - name: Install Rust toolchain - run: | - apt-get update && apt-get install -y cargo - cp -r /root/.cargo /github/home/.cargo - rustup install stable - rustup default stable - - - name: install dependencies - run: | - echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu20.04 focal main' | tee /etc/apt/sources.list.d/inclavare-containers.list - curl -L http://mirrors.openanolis.cn/inclavare-containers/ubuntu20.04/DEB-GPG-KEY.key | apt-key add - - echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list - curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - - apt-get update - apt-get install -y rats-tls-tdx libtdx-attest=1.15\* - - - name: Build AA with EAA KBC - run: | - make KBC=eaa_kbc && make install - - - name: Run cargo test with eaa_kbc feature - run: | - RUSTFLAGS="-C link-args=-Wl,-rpath,/usr/local/lib/rats-tls" cargo test --manifest-path kbc/Cargo.toml --features eaa_kbc diff --git a/.github/workflows/aa_release.yml b/.github/workflows/aa_release.yml index 944f02e1c..f616b94cf 100644 
--- a/.github/workflows/aa_release.yml +++ b/.github/workflows/aa_release.yml @@ -8,7 +8,7 @@ jobs: build-and-push-images: permissions: packages: write - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/aa_sample_keyprovider.yml b/.github/workflows/aa_sample_keyprovider.yml index b8ec783bf..e48ffcf69 100644 --- a/.github/workflows/aa_sample_keyprovider.yml +++ b/.github/workflows/aa_sample_keyprovider.yml @@ -21,7 +21,7 @@ jobs: coco_keyprovider_ci: if: github.event_name != 'push' name: Check - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 strategy: fail-fast: false matrix: diff --git a/.github/workflows/aa_sev_kbc.yml b/.github/workflows/aa_sev_kbc.yml index e5869390d..9f5a6b665 100644 --- a/.github/workflows/aa_sev_kbc.yml +++ b/.github/workflows/aa_sev_kbc.yml @@ -24,7 +24,7 @@ jobs: defaults: run: working-directory: ./attestation-agent - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 strategy: fail-fast: false matrix: diff --git a/.github/workflows/api-server-rest-basic.yml b/.github/workflows/api-server-rest-basic.yml index a17e7d4df..d42624e51 100644 --- a/.github/workflows/api-server-rest-basic.yml +++ b/.github/workflows/api-server-rest-basic.yml @@ -33,7 +33,7 @@ jobs: fail-fast: false matrix: instance: - - ubuntu-latest + - ubuntu-24.04 - s390x rust: - stable @@ -64,7 +64,7 @@ jobs: - name: Musl build with default features run: | make LIBC=musl - if: matrix.instance == 'ubuntu-latest' + if: matrix.instance == 'ubuntu-24.04' - name: Run cargo test uses: actions-rs/cargo@v1 diff --git a/.github/workflows/cdh_basic.yml b/.github/workflows/cdh_basic.yml index 57ae407b7..c8926d172 100644 --- a/.github/workflows/cdh_basic.yml +++ b/.github/workflows/cdh_basic.yml @@ -33,7 +33,7 @@ jobs: fail-fast: false matrix: instance: - - ubuntu-latest + - ubuntu-24.04 - s390x rust: - stable 
@@ -63,7 +63,7 @@ jobs: - name: Musl build run: | make LIBC=musl - if: matrix.instance == 'ubuntu-latest' + if: matrix.instance == 'ubuntu-24.04' - name: Run cargo test run: | diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml index 1eb5d31a0..1496a1613 100644 --- a/.github/workflows/dco.yml +++ b/.github/workflows/dco.yml @@ -3,7 +3,7 @@ on: [pull_request] jobs: commits_check_job: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Commits Check steps: - name: Get PR Commits diff --git a/.github/workflows/image_rs_build.yml b/.github/workflows/image_rs_build.yml index 1e0fb13b3..6c5909226 100644 --- a/.github/workflows/image_rs_build.yml +++ b/.github/workflows/image_rs_build.yml @@ -35,7 +35,7 @@ jobs: - 1.76.0 - stable instance: - - ubuntu-latest + - ubuntu-24.04 - s390x runs-on: ${{ matrix.instance }} steps: @@ -58,26 +58,26 @@ jobs: - uses: ./.github/actions/install-intel-dcap with: - ubuntu-version: jammy - if: matrix.instance == 'ubuntu-latest' + ubuntu-version: noble + if: matrix.instance == 'ubuntu-24.04' - name: Install TPM dependencies run: | sudo apt-get update sudo apt-get install -y libtss2-dev - if: matrix.instance == 'ubuntu-latest' + if: matrix.instance == 'ubuntu-24.04' - name: Install dm-verity dependencies run: | sudo apt-get update sudo apt-get install -y libdevmapper-dev - if: matrix.instance == 'ubuntu-latest' + if: matrix.instance == 'ubuntu-24.04' - name: Install cross-compliation support dependencies run: | sudo apt install -y gcc-powerpc64le-linux-gnu rustup target add powerpc64le-unknown-linux-gnu - if: matrix.instance == 'ubuntu-latest' + if: matrix.instance == 'ubuntu-24.04' - name: Run cargo fmt check uses: actions-rs/cargo@v1 
@@ -96,7 +96,7 @@ jobs: run: | cargo clippy -p image-rs --all-targets --features=enclave-cc-cckbc-native-tls --no-default-features -- -D warnings cargo clippy -p image-rs --all-targets --features=kata-cc-native-tls,nydus --no-default-features -- -D warnings - if: matrix.instance == 'ubuntu-latest' + if: matrix.instance == 'ubuntu-24.04' - name: Run cargo build uses: actions-rs/cargo@v1 @@ -107,7 +107,7 @@ jobs: - name: Run cargo build, cross-compiling for powerpc64le run: | sudo -E PATH=$PATH -s RUSTFLAGS=" -C linker=powerpc64le-linux-gnu-gcc" cargo build --target powerpc64le-unknown-linux-gnu -p image-rs --features default - if: matrix.instance == 'ubuntu-latest' + if: matrix.instance == 'ubuntu-24.04' - name: Run cargo test - default run: | @@ -142,4 +142,4 @@ jobs: - name: Run cargo test - kata-cc (native-tls version) with keywrap-ttrpc (default) + keywrap-jwe + nydus run: | sudo -E PATH=$PATH -s cargo test -p image-rs --no-default-features --features=kata-cc-native-tls,keywrap-jwe,nydus - if: matrix.instance == 'ubuntu-latest' + if: matrix.instance == 'ubuntu-24.04' diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml index 4a18bff0d..932a9db57 100644 --- a/.github/workflows/links.yml +++ b/.github/workflows/links.yml @@ -9,7 +9,7 @@ on: jobs: checklinks: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout code uses: actions/checkout@v4 diff --git a/.github/workflows/ocicrypt_rs_build.yml b/.github/workflows/ocicrypt_rs_build.yml index de865184f..d9a15a81c 100644 --- a/.github/workflows/ocicrypt_rs_build.yml +++ b/.github/workflows/ocicrypt_rs_build.yml @@ -25,7 +25,7 @@ jobs: ci: if: github.event_name != 'push' name: Check - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 strategy: fail-fast: false matrix: 
@@ -33,21 +33,12 @@ jobs: - 1.76.0 - stable - # Run all steps in the compilation testing containers - container: - image: runetest/compilation-testing:ubuntu20.04 - env: - LD_LIBRARY_PATH: /usr/local/lib/rats-tls - steps: - name: Code checkout uses: actions/checkout@v4 with: fetch-depth: 1 - - name: Update cargo home - run: | - apt-get update && apt-get install -y cargo - cp -r /root/.cargo /github/home/.cargo + - name: Install Rust toolchain (${{ matrix.rust }}) uses: actions-rs/toolchain@v1 with: @@ -58,19 +49,7 @@ jobs: - name: Install tonic's protoc dependencies run: | - apt install -y protobuf-compiler libprotobuf-dev - - - name: Build and install rats-tls - run: | - PWD=$(pwd) - cd /tmp - apt-get install -y libcurl4-openssl-dev - git clone https://github.com/inclavare-containers/rats-tls - cd rats-tls - git reset --hard 8fbfdb6 - cmake -DBUILD_SAMPLES=on -H. -Bbuild - make -C build install - cd $PWD + sudo apt install -y protobuf-compiler libprotobuf-dev - name: Run cargo build uses: actions-rs/cargo@v1 diff --git a/.github/workflows/publish-artifacts.yml b/.github/workflows/publish-artifacts.yml index 1eef5c03d..cde918a83 100644 --- a/.github/workflows/publish-artifacts.yml +++ b/.github/workflows/publish-artifacts.yml @@ -26,7 +26,7 @@ jobs: { tee: cca, arch: x86_64, libc: musl }, { tee: se, arch: s390x, libc: gnu }, ] - runs-on: ${{ matrix.platform.arch == 's390x' && 's390x' || 'ubuntu-22.04' }} + runs-on: ${{ matrix.platform.arch == 's390x' && 's390x' || 'ubuntu-24.04' }} env: TEE_PLATFORM: ${{ matrix.platform.tee }} LIBC: ${{ matrix.platform.libc }} @@ -61,7 +61,7 @@ jobs: - uses: ./.github/actions/install-intel-dcap with: - ubuntu-version: jammy + ubuntu-version: noble if: matrix.platform.tee == 'tdx' - uses: actions/checkout@v4 
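Review bot: The new `sudo apt install -y protobuf-compiler libprotobuf-dev` step runs without a preceding `apt-get update`; the container image that previously supplied the package lists is removed in this same hunk, so on a hosted runner a stale index can 404 against the package pool and fail the job intermittently. The other workflows touched by this diff (e.g. aa_cc_kbc.yml) use `sudo apt-get update && sudo apt-get install -y protobuf-compiler`; change the line to `sudo apt-get update && sudo apt-get install -y protobuf-compiler libprotobuf-dev` for consistency and to use the script-oriented `apt-get` front end rather than `apt` in CI. Dropping the `LD_LIBRARY_PATH: /usr/local/lib/rats-tls` env along with the pinned rats-tls source build is consistent with the eaa_kbc removal elsewhere in the diff, so nothing else in this hunk appears to need follow-up.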
@@ -114,7 +114,7 @@ jobs: libc: musl - arch: s390x libc: gnu - runs-on: ${{ matrix.arch == 's390x' && 's390x' || 'ubuntu-22.04' }} + runs-on: ${{ matrix.arch == 's390x' && 's390x' || 'ubuntu-24.04' }} env: LIBC: ${{ matrix.libc }} REGISTRY: ghcr.io diff --git a/.github/workflows/vendor_release.yml b/.github/workflows/vendor_release.yml index 08c19b686..86aca3f95 100644 --- a/.github/workflows/vendor_release.yml +++ b/.github/workflows/vendor_release.yml @@ -6,7 +6,7 @@ on: jobs: generate-and-publish-vendored-code: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@v4 diff --git a/Cargo.lock b/Cargo.lock index 0d6733c4f..30cb2682d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2094,28 +2094,7 @@ version = "0.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" dependencies = [ - "foreign-types-shared 0.1.1", -] - -[[package]] -name = "foreign-types" -version = "0.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d737d9aa519fb7b749cbc3b962edcf310a8dd1f4b67c91c4f83975dbdd17d965" -dependencies = [ - "foreign-types-macros", - "foreign-types-shared 0.3.1", -] - -[[package]] -name = "foreign-types-macros" -version = "0.2.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a5c6c585bc94aaf2c7b51dd4c2ba22680844aba4c687be581871a6f518c5742" -dependencies = [ - "proc-macro2", - "quote", - "syn 2.0.58", + "foreign-types-shared", ] [[package]] 
@@ -2124,12 +2103,6 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" -[[package]] -name = "foreign-types-shared" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa9a19cbb55df58761df49b23516a86d432839add4af60fc256da840f66ed35b" - [[package]] name = "form_urlencoded" version = "1.2.1" @@ -3133,7 +3106,6 @@ dependencies = [ "base64 0.22.1", "bincode", "crypto", - "foreign-types 0.5.0", "kbs_protocol", "log", "prost 0.13.2", @@ -4101,7 +4073,7 @@ checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1" dependencies = [ "bitflags 2.6.0", "cfg-if", - "foreign-types 0.3.2", + "foreign-types", "libc", "once_cell", "openssl-macros", @@ -5334,7 +5306,7 @@ checksum = "9f75b3a6c5bb5b3e8e4fdced5e8b406fcfaf909a96975c4010e839799bf25f48" dependencies = [ "byteorder", "curl", - "foreign-types 0.3.2", + "foreign-types", "log", "openssl", "openssl-sys", diff --git a/attestation-agent/coco_keyprovider/README.md b/attestation-agent/coco_keyprovider/README.md index c7ba181f4..df2e2d37e 100644 --- a/attestation-agent/coco_keyprovider/README.md +++ b/attestation-agent/coco_keyprovider/README.md @@ -6,7 +6,6 @@ The encrypted image can be decrypted using the following Key Broker Client (KBC) * offline-fs-kbc * offline-sev-kbc * online-sev-kbc - * eaa-kbc * sample kbc (toy KBC still supported for historical reason) The following guide will help make an encrypted image using [skopeo](https://github.com/containers/skopeo) and CoCo keyprovider, inspect the image as well as decrypt it. diff --git a/attestation-agent/docs/IMAGE_ENCRYPTION.md b/attestation-agent/docs/IMAGE_ENCRYPTION.md index 4c1c98b8f..10ee05116 100644 --- a/attestation-agent/docs/IMAGE_ENCRYPTION.md +++ b/attestation-agent/docs/IMAGE_ENCRYPTION.md 
@@ -37,7 +37,6 @@ Here are the steps. 3. `Attestation-Agent` will parse the annotation into an `AnnotationPacket`. 4. `Attestation-Agent` will use the `AnnotationPacket` to call related KBC's `decrypt_payload()` api to retrieve the `PLBCO`. * For `*_sev_kbc`, `offline_fs_kbc`, `get_key()` helps to get the `KEK` due to the `key id`, and then `crypto` module decrypts the PLBCO. - * For `eaa_kbc` and those KBCes who do not expose the plaintext of the `KEK`, `decrypt_payload()` api will perform its own decryption action. 7. `ocicrypt-rs` uses `PLBCO` to decrypt the layer. ## Specs diff --git a/attestation-agent/kbc/Cargo.toml b/attestation-agent/kbc/Cargo.toml index 69a435886..df7eebe28 100644 --- a/attestation-agent/kbc/Cargo.toml +++ b/attestation-agent/kbc/Cargo.toml @@ -11,7 +11,6 @@ async-trait.workspace = true base64.workspace = true bincode = { workspace = true, optional = true } crypto = { path = "../deps/crypto", default-features = false } -foreign-types = { version = "0.5.0", optional = true } kbs_protocol = { path = "../kbs_protocol", default-features = false, optional = true } log.workspace = true prost = { workspace = true, optional = true } @@ -47,7 +46,6 @@ cca-attester = ["kbs_protocol/cca-attester"] se-attester = ["kbs_protocol/se-attester"] sample_kbc = [] -eaa_kbc = ["foreign-types"] offline_fs_kbc = [] offline_sev_kbc = [] online_sev_kbc = ["tonic", "sev", "prost", "uuid", "bincode", "tokio"] diff --git a/attestation-agent/kbc/build.rs b/attestation-agent/kbc/build.rs index 9788a9ea6..1e52a2f5a 100644 --- a/attestation-agent/kbc/build.rs +++ b/attestation-agent/kbc/build.rs @@ -4,12 +4,6 @@ // fn main() -> std::io::Result<()> { - #[cfg(feature = "eaa_kbc")] - { - println!("cargo:rustc-link-search=native=/usr/local/lib/rats-tls"); - println!("cargo:rustc-link-lib=dylib=rats_tls"); - } - #[cfg(feature = "gen-proto")] { tonic_build::configure() 
diff --git a/attestation-agent/kbc/src/eaa_kbc/README.md b/attestation-agent/kbc/src/eaa_kbc/README.md deleted file mode 100644 index 3b40ed052..000000000 --- a/attestation-agent/kbc/src/eaa_kbc/README.md +++ /dev/null @@ -1,64 +0,0 @@ -# EAA KBC module - -## EAA Introduction - -Enclave Attestation Architecture (EAA) is a general attestation architecture in the cloud native scenario. EAA uses the standard attestation process to establish a secure and trusted TLS channel between EAA KBC and EAA KBS, and uses the TLS channel to send the decryption key of the encryption container image. - -EAA supports many different HW-TEE standard attestation processes, e.g: TDX, SEV .etc. (EAA KBC doesn't plan to handle pre-attestation in SEV(-ES). It should be covered by another KBC instance.) - -## Dependencies - -### rats-tls - -Installing and deploying rats-tls: - -``` -git clone https://github.com/alibaba/inclavare-containers.git -cd inclavare-containers/rats-tls -cmake -DBUILD_SAMPLES=on -H. -Bbuild -make -C build install -``` - -Or just make attestation-agent with EAA KBC, it will install and deploying rats-tls automatically: -``` -cd attestation-agent -make KBC=eaa_kbc -``` - -## EAA KBS - -In EAA design, we usually call KBS "verdictd". - -Installing and deploying EAA KBS (Verdictd): - -``` -git clone https://github.com/alibaba/inclavare-containers.git -cd inclavare-containers/eaa -make && make install -``` - -Refer to [EAA KBS readme](https://github.com/inclavare-containers/verdictd) to run verdictd and start the KBS service. - -## Usage - -Build and run attestation-agent with integrated EAA KBC module: - -``` -make KBC=eaa_kbc && make install -RUST_LOG=attestation_agent attestation-agent --keyprovider_sock 127.0.0.1:47777 --getresource_sock 127.0.0.1:48888 -``` - -Set KBC_NAME::KBS_URI pair in the following format: - -``` -eaa_kbc::: -``` - -e.g: EAA KBS address is 127.0.0.1:1122 : - -``` -eaa_kbc::127.0.0.1:1122 -``` - - - 
diff --git a/attestation-agent/kbc/src/eaa_kbc/mod.rs b/attestation-agent/kbc/src/eaa_kbc/mod.rs deleted file mode 100644 index f10fe4ced..000000000 --- a/attestation-agent/kbc/src/eaa_kbc/mod.rs +++ /dev/null 
@@ -1,316 +0,0 @@ -// Copyright (c) 2021 Alibaba Cloud -// -// SPDX-License-Identifier: Apache-2.0 -// - -use crate::{KbcCheckInfo, KbcInterface}; -use anyhow::*; -use async_trait::async_trait; -use base64::Engine; -use log::*; -use resource_uri::ResourceUri; -use std::collections::HashMap; -use std::net::TcpStream; -use std::os::unix::io::AsRawFd; - -pub mod protocol; -pub mod rats_tls; -use protocol::*; - -use super::AnnotationPacket; - -// Verdictd is the EAA KBS's name, -// the repo is here: https://github.com/inclavare-containers/verdictd -const EAA_KBS_NAME: &str = "Verdictd"; - -const DEFAULT_RECV_BYTES_SIZE: usize = 4096; - -pub struct EAAKbc { - pub kbs_uri: String, - pub protocol_version: String, - pub algorithm: String, - pub key_length: u16, - pub tcp_stream: Option, - pub tls_handle: Option, -} - -#[async_trait] -impl KbcInterface for EAAKbc { - fn check(&self) -> Result { - let mut kbs_info: HashMap = HashMap::new(); - kbs_info.insert("kbs_addr".to_string(), self.kbs_uri.clone()); - kbs_info.insert( - "protocol_version".to_string(), - self.protocol_version.clone(), - ); - Ok(KbcCheckInfo { kbs_info }) - } - - /// Decrypt the payload inside annotation packet. - /// This function will **ignore** the kbs address the kid carries, - /// instead overwrite with the kbs_uri the [`Kbc`] carries. - /// Related issue: - async fn decrypt_payload(&mut self, annotation_packet: AnnotationPacket) -> Result> { - debug!("EAA KBC decrypt_payload() is called"); - - if self.tcp_stream.is_none() { - debug!("First request, connecting KBS..."); - self.establish_new_kbs_connection()?; - debug!("connect success! 
TLS is established"); - } - - debug!("start decrypt..."); - - let decrypted_payload = self.kbs_decrypt_payload( - base64::engine::general_purpose::STANDARD.decode(annotation_packet.wrapped_data)?, - annotation_packet.kid.resource_path(), - base64::engine::general_purpose::STANDARD.decode(annotation_packet.iv)?, - annotation_packet.wrap_type, - )?; - debug!("decrypted success"); - Ok(decrypted_payload) - } - - async fn get_resource(&mut self, rid: ResourceUri) -> Result> { - if self.tcp_stream.is_none() { - debug!("First request, connecting KBS..."); - self.establish_new_kbs_connection()?; - debug!("connect success! TLS is established"); - } - - self.kbs_get_resource(&rid) - } -} - -impl EAAKbc { - pub fn new(kbs_uri: String) -> EAAKbc { - EAAKbc { - kbs_uri, - protocol_version: String::new(), - algorithm: String::new(), - key_length: 0, - // kek_cache: HashMap::new(), - tcp_stream: None, - tls_handle: None, - } - } - - fn establish_new_kbs_connection(&mut self) -> Result<()> { - debug!("create RATS TLS handle..."); - self.tls_handle = - Some(rats_tls::RatsTls::new().map_err(|e| anyhow!("create rats_tls failed!:{:?}", e))?); - - self.tcp_stream = Some(TcpStream::connect(&self.kbs_uri)?); - - debug!("start negotiate (attestation) ..."); - self.tls_handle - .as_ref() - .unwrap() - .negotiate(self.tcp_stream.as_ref().unwrap().as_raw_fd()) - .map_err(|e| anyhow!("Negotiate Failed!:{:?}", e))?; - - self.protocol_version = self.kbs_query_version()?; - - Ok(()) - } - - fn kbs_query_version(&mut self) -> Result { - let request = VersionRequest::default(); - let trans_json = serde_json::to_string(&request)?; - let trans_data: &[u8] = trans_json.as_bytes(); - - let recv_string: String = - self.kbs_trans_and_recv(trans_data, DEFAULT_RECV_BYTES_SIZE, "Version")?; - let response: VersionResponse = - serde_json::from_str::(recv_string.as_str())?; - - match response.status.as_str() { - "OK" => Ok(response.version), - "Fail" => Err(anyhow!("The VersionResponse status is Fail")), - 
_ => Err(anyhow!("Cannot understand the VersionResponse status")), - } - } - - fn kbs_decrypt_payload( - &mut self, - encrypted_payload: Vec, - key_id: String, - iv: Vec, - wrap_type: String, - ) -> Result> { - let engine = base64::engine::general_purpose::STANDARD; - let blob = Blob { - kid: key_id, - encrypted_data: engine.encode(&encrypted_payload), - algorithm: wrap_type, - key_length: 256, - iv: engine.encode(iv), - }; - let request = DecryptionRequest::new(blob); - let trans_json = serde_json::to_string(&request)?; - let trans_data: &[u8] = trans_json.as_bytes(); - - let recv_string: String = - self.kbs_trans_and_recv(trans_data, DEFAULT_RECV_BYTES_SIZE, "Decryption")?; - let response: DecryptionResponse = - serde_json::from_str::(recv_string.as_str())?; - - let payload_hashmap = match response.status.as_str() { - "OK" => response.data, - "Fail" => { - return Err(anyhow!(format!( - "{}: {}", - EAA_KBS_NAME, - response.error.unwrap() - ))) - } - _ => return Err(anyhow!("Cannot understand the DecryptionResponse status")), - }; - - if let Some(hashmap_content) = payload_hashmap { - let encrypted_payload_string = engine.encode(&encrypted_payload); - let decrypted_payload_string = hashmap_content.get(&encrypted_payload_string).ok_or_else(|| anyhow!( - "There is no field matching the encrypted payload in the data field of DecryptionResponse" - ))?; - let decrypted_payload = engine.decode(decrypted_payload_string)?; - Ok(decrypted_payload) - } else { - Err(anyhow!( - "DecryptionResponse status is OK but the data is null" - )) - } - } - - fn kbs_get_resource(&mut self, rid: &ResourceUri) -> Result> { - let resource_path = rid.resource_path(); - - let request = GetResourceRequest::new( - "Get Resource", - [("resource_path".to_string(), resource_path.clone())].into(), - ); - let resource_info = self.kbs_get_resource_info(resource_path.as_str())?; - - let trans_json = serde_json::to_string(&request)?; - let trans_data: &[u8] = trans_json.as_bytes(); - let buffer_size: 
usize = resource_info.base64size.parse::()?; - - let recv_string: String = - self.kbs_trans_and_recv(trans_data, buffer_size, "Get Resource")?; - - let data_bytes = base64::engine::general_purpose::STANDARD.decode(recv_string)?; - - if let Result::Ok(data_str) = std::str::from_utf8(&data_bytes) { - if let Result::Ok(err_info) = serde_json::from_str::(data_str) { - return Err(anyhow!( - "{}: The resource data is null, error reason: {}.", - EAA_KBS_NAME, - err_info.error - )); - } - } - - Ok(data_bytes) - } - - fn kbs_get_resource_info(&mut self, resource_name: &str) -> Result { - let request = GetResourceInfoReq::new(resource_name); - let trans_json = serde_json::to_string(&request)?; - let trans_data: &[u8] = trans_json.as_bytes(); - - let recv_string: String = - self.kbs_trans_and_recv(trans_data, DEFAULT_RECV_BYTES_SIZE, "Get Resource Info")?; - - let response = serde_json::from_str::(recv_string.as_str())?; - - match response.status.as_str() { - "OK" => response - .data - .ok_or_else(|| anyhow!("{}: Resource info payload is null", EAA_KBS_NAME)), - "Fail" => Err(anyhow!(format!( - "{}: {}", - EAA_KBS_NAME, - response.error.unwrap() - ))), - _ => Err(anyhow!( - "Cannot understand the GetResourceInfoResponse status" - )), - } - } - - fn kbs_trans_and_recv( - &mut self, - trans_data: &[u8], - recv_size: usize, - error_info: &str, - ) -> Result { - if trans_data.to_vec().is_empty() || recv_size == 0 { - return Err(anyhow!( - "Transmit data cannot be empty and recieve buffer size cannot be zero." - )); - } - debug!("Transmit: {}", String::from_utf8(trans_data.to_vec())?); - self.tls_handle - .as_ref() - .ok_or_else(|| anyhow!("Missing TLS handle"))? 
- .transmit(trans_data) - .map_err(|e| { - error!("Transmit {} failed", error_info); - anyhow!(format!("Something wrong when transmit, error code: {}", e)) - })?; - - let mut recv_buffer = vec![0u8; rats_tls::MAX_FRAG_LENGTH]; - let mut recv_res = vec![]; - let mut len_recv = 0; - - while len_recv < recv_size { - let len_single = self - .tls_handle - .as_ref() - .ok_or_else(|| anyhow!("Missing TLS handle"))? - .receive(&mut recv_buffer) - .map_err(|e| { - error!("Transmit {} failed", error_info); - anyhow!(format!("Something wrong when revieve, error code: {}", e)) - })?; - - recv_res.append(&mut recv_buffer[..len_single].to_vec()); - if len_single < rats_tls::MAX_FRAG_LENGTH { - break; - }; - len_recv += len_single; - } - - let recv_string: String = String::from_utf8(recv_res)?; - debug!("Recieved: {}", recv_string); - - Ok(recv_string) - } -} - -#[cfg(test)] -mod tests { - use super::*; - - #[test] - fn test_check_kbc() { - let kbs_addr = "127.0.0.1:30000".to_string(); - let kbs_protocol_version = "0.1.0".to_string(); - - let eaa_kbc = EAAKbc { - kbs_uri: kbs_addr.clone(), - protocol_version: kbs_protocol_version.clone(), - algorithm: String::new(), - key_length: 32, - tcp_stream: None, - tls_handle: None, - }; - - let check_res = eaa_kbc.check(); - assert!(check_res.is_ok()); - - let info = check_res.unwrap().kbs_info; - - assert_eq!(info.get("kbs_addr").unwrap(), &kbs_addr); - assert_eq!(info.get("protocol_version").unwrap(), &kbs_protocol_version); - } -} diff --git a/attestation-agent/kbc/src/eaa_kbc/protocol.rs b/attestation-agent/kbc/src/eaa_kbc/protocol.rs deleted file mode 100644 index e218f514f..000000000 --- a/attestation-agent/kbc/src/eaa_kbc/protocol.rs +++ /dev/null 
@@ -1,137 +0,0 @@ -// Copyright (c) 2021 Alibaba Cloud -// -// SPDX-License-Identifier: Apache-2.0 -// - -use serde::{Deserialize, Serialize}; -use std::collections::HashMap; -use std::vec::Vec; - -pub const GET_RESOURCE_INFO_COMMAND: &str = "Get Resource Info"; - -#[derive(Serialize, Deserialize, Debug)] -pub struct VersionRequest { - pub command: String, -} - -impl VersionRequest { - pub fn new() -> VersionRequest { - VersionRequest { - command: String::from("version"), - } - } -} - -impl Default for VersionRequest { - fn default() -> Self { - Self::new() - } -} - -#[derive(Serialize, Deserialize, Debug)] -pub struct VersionResponse { - pub status: String, - pub version: String, -} - -#[derive(Serialize, Deserialize, Debug)] -pub struct DecryptionRequest { - pub command: String, - pub blobs: Vec, -} - -impl DecryptionRequest { - pub fn new(blob: Blob) -> DecryptionRequest { - DecryptionRequest { - command: String::from("Decrypt"), - blobs: vec![blob], - } - } -} - -#[derive(Serialize, Deserialize, Debug)] -pub struct Blob { - pub kid: String, - pub encrypted_data: String, - pub algorithm: String, - pub key_length: u32, - pub iv: String, -} - -#[derive(Serialize, Deserialize, Debug)] -pub struct DecryptionResponse { - pub status: String, - pub data: Option>, - pub error: Option, -} - -#[derive(Serialize, Deserialize, Debug)] -pub struct GetKekRequest { - pub command: String, - pub kids: Vec, -} - -impl GetKekRequest { - #[allow(dead_code)] - pub fn new(key_id_list: Vec) -> GetKekRequest { - GetKekRequest { - command: String::from("Get KEK"), - kids: key_id_list, - } - } -} - -#[derive(Serialize, Deserialize, Debug)] -pub struct GetKekResponse { - pub status: String, - pub data: Option>, - pub error: Option, -} - -#[derive(Serialize, Deserialize, Debug)] -pub struct GetResourceRequest { - pub command: String, - pub optional: HashMap, -} - -impl GetResourceRequest { - pub fn new(command: &str, optional: HashMap) -> GetResourceRequest { - GetResourceRequest { - 
command: String::from(command), - optional, - } - } -} - -#[derive(Serialize, Deserialize, Debug)] -pub struct GetResourceErrorInfo { - pub status: String, - pub error: String, -} - -#[derive(Serialize, Deserialize, Debug)] -pub struct GetResourceInfoReq { - pub command: String, - pub name: String, -} - -impl GetResourceInfoReq { - pub fn new(name: &str) -> GetResourceInfoReq { - GetResourceInfoReq { - command: GET_RESOURCE_INFO_COMMAND.to_string(), - name: name.to_string(), - } - } -} - -#[derive(Serialize, Deserialize, Debug)] -pub struct ResourceInfo { - pub base64size: String, -} - -#[derive(Serialize, Deserialize, Debug)] -pub struct GetResourceInfoResponse { - pub status: String, - pub data: Option, - pub error: Option, -} diff --git a/attestation-agent/kbc/src/eaa_kbc/rats_tls/ffi.rs b/attestation-agent/kbc/src/eaa_kbc/rats_tls/ffi.rs deleted file mode 100644 index 6e1180d4e..000000000 --- a/attestation-agent/kbc/src/eaa_kbc/rats_tls/ffi.rs +++ /dev/null 
@@ -1,188 +0,0 @@
-// Copyright (c) 2021 Alibaba Cloud
-//
-// SPDX-License-Identifier: Apache-2.0
-//
-
-pub const __BOOL_TRUE_FALSE_ARE_DEFINED: u32 = 1;
-pub const _STDINT_H: u32 = 1;
-pub const _FEATURES_H: u32 = 1;
-pub const _DEFAULT_SOURCE: u32 = 1;
-pub const __USE_ISOC11: u32 = 1;
-pub const __USE_ISOC99: u32 = 1;
-pub const __USE_ISOC95: u32 = 1;
-pub const __USE_POSIX_IMPLICITLY: u32 = 1;
-pub const _POSIX_SOURCE: u32 = 1;
-pub const _POSIX_C_SOURCE: u32 = 200809;
-pub const __USE_POSIX: u32 = 1;
-pub const __USE_POSIX2: u32 = 1;
-pub const __USE_POSIX199309: u32 = 1;
-pub const __USE_POSIX199506: u32 = 1;
-pub const __USE_XOPEN2K: u32 = 1;
-pub const __USE_XOPEN2K8: u32 = 1;
-pub const _ATFILE_SOURCE: u32 = 1;
-pub const __USE_MISC: u32 = 1;
-pub const __USE_ATFILE: u32 = 1;
-pub const __USE_FORTIFY_LEVEL: u32 = 0;
-pub const _STDC_PREDEF_H: u32 = 1;
-pub const __STDC_IEC_559__: u32 = 1;
-pub const __STDC_IEC_559_COMPLEX__: u32 = 1;
-pub const __STDC_ISO_10646__: u32 = 201605;
-pub const __STDC_NO_THREADS__: u32 = 1;
-pub const __GNU_LIBRARY__: u32 = 6;
-pub const __GLIBC__: u32 = 2;
-pub const __GLIBC_MINOR__: u32 = 24;
-pub const _SYS_CDEFS_H: u32 = 1;
-pub const __WORDSIZE: u32 = 64;
-pub const __WORDSIZE_TIME64_COMPAT32: u32 = 1;
-pub const __SYSCALL_WORDSIZE: u32 = 64;
-pub const _BITS_WCHAR_H: u32 = 1;
-pub const RATS_TLS_API_VERSION_DEFAULT: u32 = 1;
-pub const RATS_TLS_CONF_FLAGS_MUTUAL: u64 = 1;
-pub const RATS_TLS_ERR_NONE: RatsTlsErrT = 0;
-pub type RatsTlsErrT = ::std::os::raw::c_uint;
-pub type SizeT = ::std::os::raw::c_ulong;
-#[repr(C)]
-#[repr(align(16))]
-#[derive(Debug, Default, Copy, Clone)]
-pub struct max_align_t {
- pub __clang_max_align_nonce1: ::std::os::raw::c_longlong,
- pub __bindgen_padding_0: u64,
- pub __clang_max_align_nonce2: u128,
-}
-
-pub const RATS_TLS_LOG_LEVEL_DEBUG: RatsTlsLogLevelT = 0;
-pub const RATS_TLS_LOG_LEVEL_DEFAULT: RatsTlsLogLevelT = 3;
-pub type RatsTlsLogLevelT = ::std::os::raw::c_uint;
-#[repr(C)]
-#[derive(Debug, Copy, Clone)]
-pub struct rats_tls_handle {
- _unused: [u8; 0],
-}
-pub const RATS_TLS_CERT_ALGO_DEFAULT: RatsTlsCertAlgoT = 1;
-pub type RatsTlsCertAlgoT = ::std::os::raw::c_uint;
-pub type QuoteSgxEcdsaVerificationTypeT = ::std::os::raw::c_uint;
-#[repr(C)]
-#[derive(Debug, Copy, Clone)]
-pub struct rats_tls_conf_t {
- pub api_version: ::std::os::raw::c_uint,
- pub flags: ::std::os::raw::c_ulong,
- pub log_level: RatsTlsLogLevelT,
- pub tls_type: [::std::os::raw::c_uchar; 32usize],
- pub attester_type: [::std::os::raw::c_uchar; 32usize],
- pub verifier_type: [::std::os::raw::c_uchar; 32usize],
- pub crypto_type: [::std::os::raw::c_uchar; 32usize],
- pub cert_algo: RatsTlsCertAlgoT,
- pub enclave_id: ::std::os::raw::c_ulonglong,
- pub quote_sgx_epid: rats_tls_conf_t__bindgen_ty_1,
- pub quote_sgx_ecdsa: rats_tls_conf_t__bindgen_ty_2,
-}
-#[repr(C)]
-#[derive(Debug, Default, Copy, Clone)]
-pub struct rats_tls_conf_t__bindgen_ty_1 {
- pub valid: bool,
- pub spid: [u8; 16usize],
- pub linkable: bool,
-}
-
-#[repr(C)]
-#[derive(Debug, Copy, Clone)]
-pub struct rats_tls_conf_t__bindgen_ty_2 {
- pub valid: bool,
- pub cert_type: u8,
- pub verification_type: QuoteSgxEcdsaVerificationTypeT,
-}
-
-impl Default for rats_tls_conf_t__bindgen_ty_2 {
- fn default() -> Self {
- unsafe { ::std::mem::zeroed() }
- }
-}
-
-impl Default for rats_tls_conf_t {
- fn default() -> Self {
- let mut conf: rats_tls_conf_t = unsafe { ::std::mem::zeroed() };
- conf.log_level = RATS_TLS_LOG_LEVEL_DEFAULT;
- conf
- }
-}
-
-#[repr(C)]
-#[derive(Debug, Copy, Clone)]
-pub struct rtls_sgx_evidence {
- pub mr_enclave: *mut u8,
- pub mr_signer: *mut u8,
- pub product_id: u32,
- pub security_version: u32,
- pub attributes: *mut u8,
- pub collateral_size: SizeT,
- pub collateral: *mut ::std::os::raw::c_char,
-}
-
-pub type RtlsSgxEvidenceT = rtls_sgx_evidence;
-#[repr(C)]
-#[derive(Debug, Copy, Clone)]
-pub struct rtls_tdx_evidence {}
-
-pub type RtlsTdxEvidenceT = rtls_tdx_evidence;
-#[repr(C)]
-#[derive(Debug, Copy, Clone)]
-pub struct ehd {
- pub public_key: *mut ::std::os::raw::c_void,
- pub user_data_size: ::std::os::raw::c_int,
- pub user_data: *mut ::std::os::raw::c_char,
- pub unhashed_size: ::std::os::raw::c_int,
- pub unhashed: *mut ::std::os::raw::c_char,
-}
-
-pub type EhdT = ehd;
-pub type EnclaveEvidenceTypeT = ::std::os::raw::c_uint;
-#[repr(C)]
-#[derive(Copy, Clone)]
-pub struct rtls_evidence {
- pub type_: EnclaveEvidenceTypeT,
- pub ehd: EhdT,
- pub quote_size: ::std::os::raw::c_int,
- pub quote: *mut ::std::os::raw::c_char,
- pub __bindgen_anon_1: rtls_evidence__bindgen_ty_1,
-}
-#[repr(C)]
-#[derive(Copy, Clone)]
-pub union rtls_evidence__bindgen_ty_1 {
- pub sgx: RtlsSgxEvidenceT,
- pub tdx: RtlsTdxEvidenceT,
-}
-
-pub type RatsTlsCallbackT = ::std::option::Option<
- unsafe extern "C" fn(arg1: *mut ::std::os::raw::c_void) -> ::std::os::raw::c_int,
->;
-
-extern "C" {
- pub fn rats_tls_init(
- conf: *const rats_tls_conf_t,
- handle: *mut *mut rats_tls_handle,
- ) -> RatsTlsErrT;
-
- pub fn rats_tls_set_verification_callback(
- handle: *mut *mut rats_tls_handle,
- user_callback: RatsTlsCallbackT,
- ) -> RatsTlsErrT;
-
- pub fn rats_tls_negotiate(
- handle: *const rats_tls_handle,
- fd: ::std::os::raw::c_int,
- ) -> RatsTlsErrT;
-
- pub fn rats_tls_receive(
- handle: *const rats_tls_handle,
- buf: *mut ::std::os::raw::c_void,
- buf_size: *mut SizeT,
- ) -> RatsTlsErrT;
-
- pub fn rats_tls_transmit(
- handle: *const rats_tls_handle,
- buf: *const ::std::os::raw::c_void,
- buf_size: *mut SizeT,
- ) -> RatsTlsErrT;
-
- pub fn rats_tls_cleanup(handle: *mut rats_tls_handle) -> RatsTlsErrT;
-}
diff --git a/attestation-agent/kbc/src/eaa_kbc/rats_tls/mod.rs b/attestation-agent/kbc/src/eaa_kbc/rats_tls/mod.rs
deleted file mode 100644
index 81f52cda2..000000000
--- a/attestation-agent/kbc/src/eaa_kbc/rats_tls/mod.rs
+++ /dev/null
@@ -1,143 +0,0 @@
-// Copyright (c) 2021 Alibaba Cloud
-//
-// SPDX-License-Identifier: Apache-2.0
-//
-
-use foreign_types::{ForeignType, ForeignTypeRef, Opaque};
-use log::*;
-use std::ops::{Deref, DerefMut};
-use std::os::unix::io::RawFd;
-use std::ptr::NonNull;
-
-mod ffi;
-use ffi::*;
-
-pub const MAX_FRAG_LENGTH: usize = 16384;
-
-pub struct RatsTlsRef(Opaque);
-
-unsafe impl ForeignTypeRef for RatsTlsRef {
- type CType = rats_tls_handle;
-}
-
-#[derive(Clone)]
-pub struct RatsTls(NonNull);
-
-unsafe impl Send for RatsTls {}
-unsafe impl Sync for RatsTls {}
-
-unsafe impl ForeignType for RatsTls {
- type CType = rats_tls_handle;
- type Ref = RatsTlsRef;
-
- unsafe fn from_ptr(ptr: *mut rats_tls_handle) -> RatsTls {
- RatsTls(NonNull::new(ptr).expect("rats_tls_handle ptr is null!"))
- }
-
- fn as_ptr(&self) -> *mut rats_tls_handle {
- self.0.as_ptr()
- }
-
- fn into_ptr(self) -> *mut rats_tls_handle {
- let inner = self.as_ptr();
- ::core::mem::forget(self);
- inner
- }
-}
-
-impl Drop for RatsTls {
- fn drop(&mut self) {
- unsafe {
- rats_tls_cleanup(self.as_ptr());
- }
- }
-}
-
-impl Deref for RatsTls {
- type Target = RatsTlsRef;
-
- fn deref(&self) -> &RatsTlsRef {
- unsafe { RatsTlsRef::from_ptr(self.as_ptr()) }
- }
-}
-
-impl DerefMut for RatsTls {
- fn deref_mut(&mut self) -> &mut RatsTlsRef {
- unsafe { RatsTlsRef::from_ptr_mut(self.as_ptr()) }
- }
-}
-
-impl RatsTls {
- pub fn new() -> Result {
- let mut conf = rats_tls_conf_t {
- api_version: RATS_TLS_API_VERSION_DEFAULT,
- log_level: RATS_TLS_LOG_LEVEL_DEBUG,
- cert_algo: RATS_TLS_CERT_ALGO_DEFAULT,
- enclave_id: 0,
- ..Default::default()
- };
- conf.flags |= RATS_TLS_CONF_FLAGS_MUTUAL;
-
- let mut handle: rats_tls_handle = unsafe { std::mem::zeroed() };
- let mut tls: *mut rats_tls_handle = &mut handle;
- let err = unsafe { rats_tls_init(&conf, &mut tls) };
- if err != RATS_TLS_ERR_NONE {
- error!("rats_tls_init() failed");
- return Err(err);
- }
-
- let err = unsafe { rats_tls_set_verification_callback(&mut tls, None) };
- if err == RATS_TLS_ERR_NONE {
- Ok(unsafe { RatsTls::from_ptr(tls) })
- } else {
- Err(err)
- }
- }
-
- pub fn negotiate(&self, fd: RawFd) -> Result<(), RatsTlsErrT> {
- let err = unsafe { rats_tls_negotiate(self.as_ptr(), fd) };
- if err == RATS_TLS_ERR_NONE {
- Ok(())
- } else {
- Err(err)
- }
- }
-
- pub fn receive(&self, buf: &mut [u8]) -> Result {
- let mut len: SizeT = buf.len() as SizeT;
- let err = unsafe {
- rats_tls_receive(
- self.as_ptr(),
- buf.as_mut_ptr() as *mut ::std::os::raw::c_void,
- &mut len,
- )
- };
- if err == RATS_TLS_ERR_NONE {
- Ok(len as usize)
- } else {
- Err(err)
- }
- }
-
- pub fn transmit(&self, buf: &[u8]) -> Result {
- let mut len: SizeT = buf.len() as SizeT;
- let err = unsafe {
- rats_tls_transmit(
- self.as_ptr(),
- buf.as_ptr() as *const ::std::os::raw::c_void,
- &mut len,
- )
- };
- if err == RATS_TLS_ERR_NONE {
- Ok(len as usize)
- } else {
- Err(err)
- }
- }
-
- #[no_mangle]
- extern "C" fn callback(_evidence: *mut ::std::os::raw::c_void) -> ::std::os::raw::c_int {
- info!("EAA KBC Rats-TLS callback function is unimplement!.");
- 0
- }
-}
diff --git a/attestation-agent/kbc/src/lib.rs b/attestation-agent/kbc/src/lib.rs
index fef321d7d..384a6f079 100644
--- a/attestation-agent/kbc/src/lib.rs
+++ b/attestation-agent/kbc/src/lib.rs
@@ -21,9 +21,6 @@ use resource_uri::ResourceUri;
 #[cfg(feature = "cc_kbc")]
 pub mod cc_kbc;
-#[cfg(feature = "eaa_kbc")]
-pub mod eaa_kbc;
-
 #[cfg(feature = "offline_fs_kbc")]
 pub mod offline_fs_kbc;
@@ -108,14 +105,6 @@ impl KbcModuleList { mod_list.insert("offline_fs_kbc".to_string(), instantiate_func); } - #[cfg(feature = "eaa_kbc")] - { - let instantiate_func: KbcInstantiateFunc = Box::new(|kbs_uri: String| -> KbcInstance { - Box::new(eaa_kbc::EAAKbc::new(kbs_uri)) - }); - mod_list.insert("eaa_kbc".to_string(), instantiate_func); - } - #[cfg(feature = "offline_sev_kbc")] { let instantiate_func: KbcInstantiateFunc = Box::new(|_: String| -> KbcInstance {