From 893379d36abd096e64754c79d824abf891858fd9 Mon Sep 17 00:00:00 2001 From: Yogesh Deshpande Date: Wed, 13 Mar 2024 08:11:59 -0400 Subject: [PATCH] [WIP] Futher work Signed-off-by: Yogesh Deshpande --- builtin/schemes.gen.go | 4 ++ handler/README.md | 6 +- scheme/psa-iot/plugin/combined/main.go | 2 +- scheme/psa-iot/store_handler.go | 2 +- scheme/riot/plugin/store-handler/Makefile | 6 +- scheme/tpm-enacttrust/evidence_handler.go | 40 +----------- .../tpm-enacttrust/evidence_handler_test.go | 19 +----- scheme/tpm-enacttrust/plugin/Makefile | 1 + scheme/tpm-enacttrust/plugin/combined/main.go | 3 +- .../plugin/store-handler/Makefile | 11 ++++ .../plugin/store-handler/main.go | 14 ++++ scheme/tpm-enacttrust/store_handler.go | 64 +++++++++++++++++++ scheme/tpm-enacttrust/store_handler_test.go | 29 +++++++++ vts/cmd/vts-service/main.go | 2 +- vts/trustedservices/itrustedservices.go | 2 +- vts/trustedservices/trustedservices_grpc.go | 2 +- 16 files changed, 138 insertions(+), 69 deletions(-) create mode 100644 scheme/tpm-enacttrust/plugin/store-handler/Makefile create mode 100644 scheme/tpm-enacttrust/plugin/store-handler/main.go create mode 100644 scheme/tpm-enacttrust/store_handler.go create mode 100644 scheme/tpm-enacttrust/store_handler_test.go diff --git a/builtin/schemes.gen.go b/builtin/schemes.gen.go index 0cd446b5..bd4f179a 100644 --- a/builtin/schemes.gen.go +++ b/builtin/schemes.gen.go @@ -12,9 +12,13 @@ import ( var plugins = []plugin.IPluggable{ &scheme1.EvidenceHandler{}, &scheme1.EndorsementHandler{}, + &scheme1.StoreHandler{}, &scheme2.EvidenceHandler{}, + &scheme2.StoreHandler{}, &scheme3.EvidenceHandler{}, &scheme3.EndorsementHandler{}, + &scheme3.StoreHandler{}, &scheme4.EvidenceHandler{}, &scheme4.EndorsementHandler{}, + &scheme4.StoreHandler{}, } diff --git a/handler/README.md b/handler/README.md index a488c2b8..4f8a64d4 100644 --- a/handler/README.md +++ b/handler/README.md 
@@ -1,6 +1,6 @@
-This package defines [`IEvidenceHandler`](ievidencehandler.go) and
-[`IEndorsementHandler`](iendorsementhandler.go) [pluggable](../plugin/README.md)
+This package defines [`IEvidenceHandler`](ievidencehandler.go),
+[`IEndorsementHandler`](iendorsementhandler.go) and [`IStoreHandler`](istorehandler.go) [pluggable](../plugin/README.md)
 interfaces and associated RPC channels. These are used to add new attestation scheme to Veraison services. Additionally, the package defines a [couple of wrappers](plugin.go) around `plugin.RegisterImplementation` for registering
-implementations of these two interfaces.
+implementations of these three interfaces.
diff --git a/scheme/psa-iot/plugin/combined/main.go b/scheme/psa-iot/plugin/combined/main.go
index 2c8082d4..e1a33e49 100644
--- a/scheme/psa-iot/plugin/combined/main.go
+++ b/scheme/psa-iot/plugin/combined/main.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 Contributors to the Veraison project.
+// Copyright 2022-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package main
diff --git a/scheme/psa-iot/store_handler.go b/scheme/psa-iot/store_handler.go
index 008362d5..c60d18e2 100644
--- a/scheme/psa-iot/store_handler.go
+++ b/scheme/psa-iot/store_handler.go
@@ -12,7 +12,7 @@ import (
 type StoreHandler struct{}
 
 func (s StoreHandler) GetName() string {
- return "cca-store-handler"
+ return "psa-store-handler"
 }
 
 func (s StoreHandler) GetAttestationScheme() string {
diff --git a/scheme/riot/plugin/store-handler/Makefile b/scheme/riot/plugin/store-handler/Makefile
index 3e67a556..cbaf5abe 100644
--- a/scheme/riot/plugin/store-handler/Makefile
+++ b/scheme/riot/plugin/store-handler/Makefile
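Review bot: The corrected `"psa-store-handler"` is the only thing distinguishing this handler from the CCA scheme's store handler, and nothing in the hunk pins it. If the plugin registry keys handlers by `GetName()` (inferred from the plugin list in builtin/schemes.gen.go, not visible in this hunk), the old copy-pasted value would have let one scheme's handler shadow or collide with the other at registration time. A one-line test such as `assert.Equal(t, "psa-store-handler", StoreHandler{}.GetName())` would keep a future copy-paste from silently reintroducing the collision.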
@@ -1,8 +1,8 @@
-# Copyright 2021 Contributors to the Veraison project.
+# Copyright 2024 Contributors to the Veraison project.
 # SPDX-License-Identifier: Apache-2.0
 
-PLUGIN := ../../../bin/cca-store-handler.plugin
-GOPKG := github.com/veraison/services/scheme/cca-ssd-platform
+PLUGIN := ../../../bin/riot.plugin
+GOPKG := github.com/veraison/services/scheme/riot
 SRCS := main.go
 
 include ../../../../mk/common.mk
diff --git a/scheme/tpm-enacttrust/evidence_handler.go b/scheme/tpm-enacttrust/evidence_handler.go
index 378f8919..b39e4a3d 100644
--- a/scheme/tpm-enacttrust/evidence_handler.go
+++ b/scheme/tpm-enacttrust/evidence_handler.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2023 Contributors to the Veraison project.
+// Copyright 2021-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package tpm_enacttrust
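Review bot: `PLUGIN := ../../../bin/riot.plugin` departs from the `<scheme>-store-handler.plugin` naming used by the store-handler Makefile added for tpm-enacttrust in this same patch, and a bare `riot.plugin` output can be overwritten by, or overwrite, riot's other per-handler plugin builds if they emit into the same bin directory (those Makefiles are not in the patch, so worth checking). Suggest `PLUGIN := ../../../bin/riot-store-handler.plugin` for consistency and to keep each handler's artifact distinct. The old values pointed at the cca-ssd-platform package, so before this hunk the non-combined build produced a CCA plugin under a riot path; a CI job that builds the non-combined plugin set would have caught that.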
@@ -32,44 +32,6 @@ func (s EvidenceHandler) GetSupportedMediaTypes() []string {
 return EvidenceMediaTypes
 }
 
-func (s EvidenceHandler) SynthKeysFromRefValue(
- tenantID string,
- swComp *handler.Endorsement,
-) ([]string, error) {
- return synthKeysFromAttrs("software component", tenantID, swComp.Attributes)
-}
-
-func (s EvidenceHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) {
- return synthKeysFromAttrs("trust anchor", tenantID, ta.Attributes)
-}
-
-func (s EvidenceHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) {
- supported := false
- for _, mt := range EvidenceMediaTypes {
- if token.MediaType == mt {
- supported = true
- break
- }
- }
-
- if !supported {
- err := handler.BadEvidence(
- "wrong media type: expect %q, but found %q",
- strings.Join(EvidenceMediaTypes, ", "),
- token.MediaType,
- )
- return []string{""}, err
- }
-
- var decoded Token
-
- if err := decoded.Decode(token.Data); err != nil {
- return nil, handler.BadEvidence(err)
- }
-
- return []string{tpmEnactTrustLookupKey(token.TenantId, decoded.NodeId.String())}, nil
-}
-
 func (s EvidenceHandler) ExtractClaims(
 token *proto.AttestationToken,
 trustAnchors []string,
diff --git a/scheme/tpm-enacttrust/evidence_handler_test.go b/scheme/tpm-enacttrust/evidence_handler_test.go
index 50335f6d..000ea145 100644
--- a/scheme/tpm-enacttrust/evidence_handler_test.go
+++ b/scheme/tpm-enacttrust/evidence_handler_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 Contributors to the Veraison project.
+// Copyright 2022-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package tpm_enacttrust
@@ -27,23 +27,6 @@ func Test_DecodeAttestationData_ok(t *testing.T) {
 assert.Equal(t, uint64(0x7), decoded.AttestationData.FirmwareVersion)
 }
 
-func Test_GetTrustAnchorIds_ok(t *testing.T) {
- data, err := os.ReadFile("test/tokens/basic.token")
- require.NoError(t, err)
-
- ta := proto.AttestationToken{
- TenantId: "0",
- MediaType: "application/vnd.enacttrust.tpm-evidence",
- Data: data,
- }
-
- var s EvidenceHandler
-
- taIDs, err := s.GetTrustAnchorIDs(&ta)
- require.NoError(t, err)
- assert.Equal(t, "TPM_ENACTTRUST://0/7df7714e-aa04-4638-bcbf-434b1dd720f1", taIDs[0])
-}
-
 func readPublicKeyBytes(path string) ([]byte, error) {
 buf, err := os.ReadFile(path)
 if err != nil {
diff --git a/scheme/tpm-enacttrust/plugin/Makefile b/scheme/tpm-enacttrust/plugin/Makefile
index 37f7dc14..33a74ffc 100644
--- a/scheme/tpm-enacttrust/plugin/Makefile
+++ b/scheme/tpm-enacttrust/plugin/Makefile
@@ -2,6 +2,7 @@
 ifndef COMBINED_PLUGINS
 SUBDIR += endorsement-handler
 SUBDIR += evidence-handler
+ SUBDIR += store-handler
 else
 SUBDIR += combined
 endif
diff --git a/scheme/tpm-enacttrust/plugin/combined/main.go b/scheme/tpm-enacttrust/plugin/combined/main.go
index 824d9afc..e37a08a1 100644
--- a/scheme/tpm-enacttrust/plugin/combined/main.go
+++ b/scheme/tpm-enacttrust/plugin/combined/main.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 Contributors to the Veraison project.
+// Copyright 2022-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package main
@@ -11,5 +11,6 @@ import (
 func main() {
 handler.RegisterEndorsementHandler(&scheme.EndorsementHandler{})
 handler.RegisterEvidenceHandler(&scheme.EvidenceHandler{})
+ handler.RegisterStoreHandler(&scheme.StoreHandler{})
 plugin.Serve()
 }
diff --git a/scheme/tpm-enacttrust/plugin/store-handler/Makefile b/scheme/tpm-enacttrust/plugin/store-handler/Makefile
new file mode 100644
index 00000000..2bd8a9ee
--- /dev/null
+++ b/scheme/tpm-enacttrust/plugin/store-handler/Makefile
@@ -0,0 +1,11 @@
+# Copyright 2024 Contributors to the Veraison project.
+# SPDX-License-Identifier: Apache-2.0
+
+PLUGIN := ../../../bin/tpm-enacttrust-store-handler.plugin
+GOPKG := github.com/veraison/services/scheme/tpm-enacttrust
+SRCS := main.go
+
+include ../../../../mk/common.mk
+include ../../../../mk/plugin.mk
+include ../../../../mk/lint.mk
+include ../../../../mk/test.mk
diff --git a/scheme/tpm-enacttrust/plugin/store-handler/main.go b/scheme/tpm-enacttrust/plugin/store-handler/main.go
new file mode 100644
index 00000000..96a44a44
--- /dev/null
+++ b/scheme/tpm-enacttrust/plugin/store-handler/main.go
@@ -0,0 +1,14 @@
+// Copyright 2022-2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package main
+
+import (
+ "github.com/veraison/services/handler"
+ "github.com/veraison/services/plugin"
+ scheme "github.com/veraison/services/scheme/tpm-enacttrust"
+)
+
+func main() {
+ handler.RegisterStoreHandler(&scheme.StoreHandler{})
+ plugin.Serve()
+}
diff --git a/scheme/tpm-enacttrust/store_handler.go b/scheme/tpm-enacttrust/store_handler.go
new file mode 100644
index 00000000..77a64f52
--- /dev/null
+++ b/scheme/tpm-enacttrust/store_handler.go
@@ -0,0 +1,64 @@
+// Copyright 2021-2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package tpm_enacttrust
+
+import (
+ "strings"
+
+ "github.com/veraison/services/handler"
+ "github.com/veraison/services/proto"
+)
+
+type StoreHandler struct {
+}
+
+func (s StoreHandler) GetName() string {
+ return "tpm-enacttrust-store-handler"
+}
+
+func (s StoreHandler) GetAttestationScheme() string {
+ return SchemeName
+}
+
+func (s StoreHandler) GetSupportedMediaTypes() []string {
+ return nil
+}
+
+func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) {
+ supported := false
+ for _, mt := range EvidenceMediaTypes {
+ if token.MediaType == mt {
+ supported = true
+ break
+ }
+ }
+
+ if !supported {
+ err := handler.BadEvidence(
+ "wrong media type: expect %q, but found %q",
+ strings.Join(EvidenceMediaTypes, ", "),
+ token.MediaType,
+ )
+ return []string{""}, err
+ }
+
+ var decoded Token
+
+ if err := decoded.Decode(token.Data); err != nil {
+ return nil, handler.BadEvidence(err)
+ }
+
+ return []string{tpmEnactTrustLookupKey(token.TenantId, decoded.NodeId.String())}, nil
+}
+
+func (s StoreHandler) SynthKeysFromRefValue(
+ tenantID string,
+ swComp *handler.Endorsement,
+) ([]string, error) {
+ return synthKeysFromAttrs("software component", tenantID, swComp.Attributes)
+}
+
+func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) {
+ return synthKeysFromAttrs("trust anchor", tenantID, ta.Attributes)
+}
diff --git a/scheme/tpm-enacttrust/store_handler_test.go b/scheme/tpm-enacttrust/store_handler_test.go
new file mode 100644
index 00000000..1a436ac7
--- /dev/null
+++ b/scheme/tpm-enacttrust/store_handler_test.go
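Review bot: In `GetTrustAnchorIDs`, the wrong-media-type path returns `[]string{""}` together with the error while the `Decode` failure a few lines below returns `nil`; an empty-string key is a value a caller that mishandles the error could pass straight into a store lookup, so make both paths `return nil, err` and keep the `(T, error)` convention consistent. `GetSupportedMediaTypes` returns `nil` while `GetTrustAnchorIDs` still gates on `EvidenceMediaTypes`; if the framework dispatches store handlers by supported media type (not visible here), this handler would never be selected, so confirm which side owns the media-type check now that the same code has been removed from `EvidenceHandler`. `type StoreHandler struct {` with the brace on its own line is unusual in this codebase; the psa-iot one in this patch uses `type StoreHandler struct{}`. The exported methods also lack doc comments; e.g. `// GetTrustAnchorIDs derives the trust-anchor lookup key from the tenant ID and the node ID carried in the evidence; the token is only decoded here, not verified.`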
@@ -0,0 +1,29 @@
+// Copyright 2022-2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package tpm_enacttrust
+
+import (
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "github.com/veraison/services/proto"
+)
+
+func Test_GetTrustAnchorIds_ok(t *testing.T) {
+ data, err := os.ReadFile("test/tokens/basic.token")
+ require.NoError(t, err)
+
+ ta := proto.AttestationToken{
+ TenantId: "0",
+ MediaType: "application/vnd.enacttrust.tpm-evidence",
+ Data: data,
+ }
+
+ var s StoreHandler
+
+ taIDs, err := s.GetTrustAnchorIDs(&ta)
+ require.NoError(t, err)
+ assert.Equal(t, "TPM_ENACTTRUST://0/7df7714e-aa04-4638-bcbf-434b1dd720f1", taIDs[0])
+}
diff --git a/vts/cmd/vts-service/main.go b/vts/cmd/vts-service/main.go
index df9a4d6e..1dcce151 100644
--- a/vts/cmd/vts-service/main.go
+++ b/vts/cmd/vts-service/main.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 Contributors to the Veraison project.
+// Copyright 2022-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package main
diff --git a/vts/trustedservices/itrustedservices.go b/vts/trustedservices/itrustedservices.go
index bab028fc..e01f7946 100644
--- a/vts/trustedservices/itrustedservices.go
+++ b/vts/trustedservices/itrustedservices.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 Contributors to the Veraison project.
+// Copyright 2022-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package trustedservices
diff --git a/vts/trustedservices/trustedservices_grpc.go b/vts/trustedservices/trustedservices_grpc.go
index a60c4600..5b960f3b 100644
--- a/vts/trustedservices/trustedservices_grpc.go
+++ b/vts/trustedservices/trustedservices_grpc.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 Contributors to the Veraison project.
+// Copyright 2022-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package trustedservices
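Review bot: The moved test covers only the happy path of `GetTrustAnchorIDs`; neither the wrong-media-type rejection nor a `Decode` failure is exercised, and those are exactly the branches that handle malformed evidence. A second case reusing the same fixture with a constructed `MediaType: "application/unknown"` and `require.Error(t, err)` would cover the first, and a deliberately corrupted copy of `data` (a truncated slice should make `Decode` fail, though confirm against the Token decoder) the second; asserting on the returned slice in the error cases would also pin whether it is `nil` or `[]string{""}`, which the handler currently mixes. The test reads `test/tokens/basic.token` relative to the working directory, as the removed copy in evidence_handler_test.go did, so it only runs from the package directory — fine under `go test ./...`, but worth a one-line comment.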