confidential-containers · Xynnn007 · Jan 6, 2025 · Jan 6, 2025 · Jan 6, 2025
@@ -34,7 +34,9 @@ ctr = "0.9.2"
 env_logger = "0.11.6"
 hex = "0.4.3"
 hmac = "0.12.1"
-jwt-simple = { version = "0.12", default-features = false, features = ["pure-rust"] }
+jwt-simple = { version = "0.12", default-features = false, features = [
+    "pure-rust",
+] }
 kbs-types = "0.7.0"
 log = "0.4.22"
 nix = "0.29"

@@ -16,15 +16,15 @@ env_logger = { workspace = true, optional = true }
 jwt-simple.workspace = true
 kbs-types.workspace = true
 log.workspace = true
-protobuf = { workspace = true, optional = true}
+protobuf = { workspace = true, optional = true }
 reqwest = { workspace = true, features = ["cookies", "json"], optional = true }
 resource_uri.path = "../deps/resource_uri"
 serde.workspace = true
 serde_json.workspace = true
 sha2.workspace = true
 thiserror.workspace = true
 tokio.workspace = true
-ttrpc = { workspace = true, optional = true}
+ttrpc = { workspace = true, optional = true }
 url.workspace = true
 zeroize.workspace = true
 
@@ -33,7 +33,7 @@ rstest.workspace = true
 serial_test.workspace = true
 tempfile.workspace = true
 testcontainers.workspace = true
-tokio = { workspace = true, features = [ "rt", "macros", "fs", "process" ]}
+tokio = { workspace = true, features = ["rt", "macros", "fs", "process"] }
 
 [build-dependencies]
 ttrpc-codegen = { workspace = true, optional = true }
@@ -46,8 +46,8 @@ required-features = ["bin"]
 default = ["background_check", "passport", "rust-crypto", "all-attesters"]
 
 passport = []
-# use a client of attestation-agent to get token for kbs
-aa_token = ["ttrpc-codegen", "passport", "ttrpc/async", "protobuf"]
+# Allow to connect Attestation-Agent with TTRPC to get evidence, token, etc.
+aa_ttrpc = ["ttrpc-codegen", "passport", "ttrpc/async", "protobuf"]
 
 background_check = ["tokio/time"]
 all-attesters = ["attester/all-attesters"]
@@ -58,7 +58,7 @@ az-tdx-vtpm-attester = ["attester/az-tdx-vtpm-attester"]
 snp-attester = ["attester/snp-attester"]
 csv-attester = ["attester/csv-attester"]
 cca-attester = ["attester/cca-attester"]
-se-attester  = ["attester/se-attester"]
+se-attester = ["attester/se-attester"]
 
 rust-crypto = ["reqwest/rustls-tls", "crypto/rust-crypto"]
 openssl = ["reqwest/native-tls-vendored", "crypto/openssl"]

@@ -4,7 +4,7 @@
 //
 
 fn main() -> Result<(), Box<dyn std::error::Error>> {
-    #[cfg(feature = "aa_token")]
+    #[cfg(feature = "aa_ttrpc")]
     {
         use std::fs::File;
         use std::io::{Read, Write};
@@ -28,7 +28,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
         }
 
         ttrpc_codegen::Codegen::new()
-            .out_dir("src/token_provider/aa")
+            .out_dir("src/ttrpc_protos")
             .include("../protos")
             .inputs(["../protos/attestation-agent.proto"])
             .rust_protobuf()
@@ -42,7 +42,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
 
         // Fix clippy warnings of code generated from ttrpc_codegen
         replace_text_in_file(
-            "src/token_provider/aa/attestation_agent_ttrpc.rs",
+            "src/ttrpc_protos/attestation_agent_ttrpc.rs",
             "client: client",
             "client",
         )?;

@@ -9,6 +9,9 @@ pub type Result<T> = std::result::Result<T, Error>;
 
 #[derive(Error, Debug)]
 pub enum Error {
+    #[error("Attestation Agent evidence provider error: {0}")]
+    AAEvidenceProvider(String),
+
     #[error("Attestation Agent token provider error: {0}")]
     AATokenProvider(String),
 

@@ -0,0 +1,70 @@
+// Copyright (c) 2024 Alibaba Cloud
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use async_trait::async_trait;
+use kbs_types::Tee;
+use serde_json::json;
+use ttrpc::context;
+
+use crate::{
+    ttrpc_protos::{
+        attestation_agent::{GetEvidenceRequest, GetTeeTypeRequest},
+        attestation_agent_ttrpc::AttestationAgentServiceClient,
+    },
+    Error, Result,
+};
+
+use super::EvidenceProvider;
+
+const AA_SOCKET_FILE: &str =
+    "unix:///run/confidential-containers/attestation-agent/attestation-agent.sock";
+
+pub struct AAEvidenceProvider {
+    client: AttestationAgentServiceClient,
+}
+
+impl AAEvidenceProvider {
+    pub async fn new() -> Result<Self> {
+        let c = ttrpc::r#async::Client::connect(AA_SOCKET_FILE)
+            .map_err(|e| Error::AATokenProvider(format!("ttrpc connect failed {e}")))?;
+        let client = AttestationAgentServiceClient::new(c);
+        Ok(Self { client })
+    }
+}
+
+#[async_trait]
+impl EvidenceProvider for AAEvidenceProvider {
+    /// Get evidence with as runtime data (report data, challege)
+    async fn get_evidence(&self, runtime_data: Vec<u8>) -> Result<String> {
+        let req = GetEvidenceRequest {
+            RuntimeData: runtime_data,
+            ..Default::default()
+        };
+        let res = self
+            .client
+            .get_evidence(context::with_timeout(50 * 1000 * 1000 * 1000), &req)
+            .await
+            .map_err(|e| Error::AAEvidenceProvider(format!("call ttrpc failed: {e}")))?;
+        let evidence = String::from_utf8(res.Evidence)
+            .map_err(|e| Error::AAEvidenceProvider(format!("non-utf8 evidence: {e}")))?;
+        Ok(evidence)
+    }
+
+    /// Get the underlying Tee type
+    async fn get_tee_type(&self) -> Result<Tee> {
+        let req = GetTeeTypeRequest {
+            ..Default::default()
+        };
+        let res = self
+            .client
+            .get_tee_type(context::with_timeout(50 * 1000 * 1000 * 1000), &req)
+            .await
+            .map_err(|e| Error::AAEvidenceProvider(format!("call ttrpc failed: {e}")))?;
+
+        let tee = serde_json::from_value(json!(res.tee))
+            .map_err(|e| Error::AAEvidenceProvider(format!("failed to parse Tee type: {e}")))?;
+        Ok(tee)
+    }
+}
@@ -9,6 +9,11 @@ pub use native::*;
 pub mod mock;
 pub use mock::*;
 
+#[cfg(feature = "aa_ttrpc")]
+pub mod aa;
+#[cfg(feature = "aa_ttrpc")]
+pub use aa::*;
+
 use crate::Result;
 use async_trait::async_trait;
 use kbs_types::Tee;

@@ -77,6 +77,8 @@ pub mod error;
 pub mod evidence_provider;
 pub mod keypair;
 pub mod token_provider;
+#[cfg(feature = "aa_ttrpc")]
+pub mod ttrpc_protos;
 
 pub use api::*;
 pub use builder::KbsClientBuilder;

@@ -5,17 +5,15 @@
 
 //! This is a token provider which connects the attestation-agent
 
-mod attestation_agent;
-mod attestation_agent_ttrpc;
-
 use async_trait::async_trait;
 use serde::Deserialize;
 use ttrpc::context;
 
-use crate::{Error, Result, TeeKeyPair, Token};
-
-use self::{
-    attestation_agent::GetTokenRequest, attestation_agent_ttrpc::AttestationAgentServiceClient,
+use crate::{
+    ttrpc_protos::{
+        attestation_agent::GetTokenRequest, attestation_agent_ttrpc::AttestationAgentServiceClient,
+    },
+    Error, Result, TeeKeyPair, Token,
 };
 
 use super::TokenProvider;

@@ -6,9 +6,9 @@
 pub mod test;
 pub use test::*;
 
-#[cfg(feature = "aa_token")]
+#[cfg(feature = "aa_ttrpc")]
 pub mod aa;
-#[cfg(feature = "aa_token")]
+#[cfg(feature = "aa_ttrpc")]
 pub use aa::*;
 
 use anyhow::*;

@@ -0,0 +1,7 @@
+// Copyright (c) 2024 Alibaba Cloud
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+pub mod attestation_agent;
+pub mod attestation_agent_ttrpc;
@@ -39,15 +39,21 @@ base64.workspace = true
 bincode = { workspace = true, optional = true }
 cfg-if = { workspace = true, optional = true }
 chrono = { workspace = true, optional = true }
-clap = { workspace = true, features = [ "derive" ], optional = true }
+clap = { workspace = true, features = ["derive"], optional = true }
 config = { workspace = true, optional = true }
 const_format.workspace = true
 crypto.path = "../../attestation-agent/deps/crypto"
-ehsm_client = {git = "https://github.com/intel/ehsm", rev = "3454cac66b968a593c3edc43410c0b52416bbd3e", optional = true }
+ehsm_client = { git = "https://github.com/intel/ehsm", rev = "3454cac66b968a593c3edc43410c0b52416bbd3e", optional = true }
 env_logger = { workspace = true, optional = true }
 hex = { workspace = true, optional = true }
-image-rs = { path = "../../image-rs", default-features = false, features = ["kata-cc-rustls-tls"] }
-kbs_protocol = { path = "../../attestation-agent/kbs_protocol", default-features = false, features = ["passport", "aa_token", "openssl"], optional = true }
+image-rs = { path = "../../image-rs", default-features = false, features = [
+    "kata-cc-rustls-tls",
+] }
+kbs_protocol = { path = "../../attestation-agent/kbs_protocol", default-features = false, features = [
+    "passport",
+    "aa_ttrpc",
+    "openssl",
+], optional = true }
 log.workspace = true
 p12 = { version = "0.6.3", optional = true }
 prost = { workspace = true, optional = true }
@@ -63,7 +69,14 @@ sha2 = { workspace = true, optional = true }
 strum = { workspace = true, features = ["derive"] }
 tempfile = { workspace = true, optional = true }
 thiserror.workspace = true
-tokio = { workspace = true, features = [ "fs", "macros", "io-util", "process", "rt-multi-thread", "sync" ] }
+tokio = { workspace = true, features = [
+    "fs",
+    "macros",
+    "io-util",
+    "process",
+    "rt-multi-thread",
+    "sync",
+] }
 toml.workspace = true
 tonic = { workspace = true, optional = true }
 ttrpc = { workspace = true, features = ["async"], optional = true }
@@ -84,13 +97,24 @@ nix.workspace = true
 rstest.workspace = true
 serial_test.workspace = true
 tempfile.workspace = true
-tokio = { workspace = true, features = ["rt", "macros" ] }
+tokio = { workspace = true, features = ["rt", "macros"] }
 
 [features]
 default = ["aliyun", "kbs", "bin", "ttrpc", "grpc", "cli"]
 
 # support aliyun stacks (KMS, ..)
-aliyun = ["chrono", "hex", "p12", "prost", "reqwest/rustls-tls", "sha2", "tempfile", "tonic", "url", "yasna"]
+aliyun = [
+    "chrono",
+    "hex",
+    "p12",
+    "prost",
+    "reqwest/rustls-tls",
+    "sha2",
+    "tempfile",
+    "tonic",
+    "url",
+    "yasna",
+]
 
 # support coco-KBS to provide confidential resources
 kbs = ["kbs_protocol"]
@@ -102,7 +126,7 @@ sev = ["bincode", "dep:sev", "prost", "tonic", "uuid"]
 ehsm = ["ehsm_client"]
 
 # Binary RPC type
-bin = [ "anyhow", "cfg-if", "clap", "config", "env_logger", "serde" ]
+bin = ["anyhow", "cfg-if", "clap", "config", "env_logger", "serde"]
 ttrpc = ["dep:ttrpc", "protobuf", "ttrpc-codegen", "tokio/signal"]
 grpc = ["prost", "tonic", "tokio/signal"]