From ce94c54913bbe769ec13d7f35a366b581082e965 Mon Sep 17 00:00:00 2001
From: houmingyong
Date: Tue, 3 Sep 2024 19:50:58 +0800
Subject: [PATCH] add attestation readme

---
 service/attestation/README.md | 131 ++++++++++++++++++
 .../agent/src/bin/aa-test/main.rs | 11 +-
 2 files changed, 137 insertions(+), 5 deletions(-)
 create mode 100644 service/attestation/README.md

diff --git a/service/attestation/README.md b/service/attestation/README.md
new file mode 100644
index 0000000..b6c19d8
--- /dev/null
+++ b/service/attestation/README.md
@@ -0,0 +1,131 @@
+# Attestation
+This project provides attestation service and attestation agent for common attestation scenes.
+
+## Components
+- Attestation Agent: An agent depends by relying party or attester for attestation.
+- Attestation Service: A verifier verifies TEE evidence.
+
+Note: The roles relying party, attester and verifier is defined in [RFC9334 RATS](https://datatracker.ietf.org/doc/html/rfc9334#name-architectural-overview).
+
+# Quick Start
+
+## Dependencies
+- OS: openEuler 24.09
+- Repo
+```
+vim /etc/yum.repos.d/openEuler.repo
+[everything]
+name=everything
+baseurl=http://121.36.84.172/dailybuild/EBS-openEuler-24.09/openeuler-2024-09-03-08-34-41/everything/aarch64/
+enabled=1
+gpgcheck=0
+```
+
+## Build
+
+### Build AA
+```
+cd secGear/service/attestation/attestation-agent
+cargo build --features virtcca-attester
+```
+
+### Build AS
+```
+cd secGear/service/attestation/attestation-service
+cargo build
+```
+
+
+## Run AS, AA and aa-test Demo
+### AS
+#### Config AS
+- Generate as config file
+```
+mkdir -p /etc/attestation/attestation-service/
+vim /etc/attestation.bak/attestation-service/attestation-service.conf
+{
+    "token_cfg": {
+        "key": "/etc/attestation/attestation-service/token/private.pem",
+        "iss": "oeas",
+        "nbf": 0,
+        "valid_duration": 300,
+        "alg": "PS256"
+    }
+}
+```
+- Generate test private key and self-signed certificate
+```
+openssl genrsa -out private.pem 2048
+openssl req -new -key private.pem -out server.csr
+openssl x509 -req -in server.csr -out as_cert.pem -signkey private.pem -days 3650
+
+mkdir -p /etc/attestation/attestation-service/token
+cp private.pem /etc/attestation/attestation-service/token
+
+// as_cert.pem will be deployed into AA config directory
+```
+
+- Download Huawei root cert chain to verify virtCCA evidence
+
+ [Root Cert](https://download.huawei.com/dl/download.do?actionFlag=download&nid=PKI1000000002&partNo=3001&mid=SUP_PKI)
+
+ [Sub Cert](https://download.huawei.com/dl/download.do?actionFlag=download&nid=PKI1000000040&partNo=3001&mid=SUP_PKI)
+```
+mkdir -p /etc/attestation/attestation-service/verifier/virtcca
+
+// upload root cert and sub cert to the above directory
+```
+
+#### Run AS
+```
+cd secGear/service/attestation/attestation-service
+./target/debug/attestation-service
+```
+attestation service listens on 127.0.0.1:8080 default, also can specify custom ip:port by -s param such as
+```
+./target/debug/attestation-service -s ip:port
+```
+
+- Config default policy
+```
+cp secGear/service/attestation/attestation-service/policy/src/opa/default_vcca.rego /etc/attestation/attestation-service/policy
+```
+- Config virtcca reference
+
+virtcca reference (such as rim:7d2e49c8d29f18b748e658e7243ecf26bc292e5fee93f72af11ad9da9810142a ) is generated by [rim_ref tools](https://gitee.com/openeuler/virtCCA_sdk/tree/master/attestation/rim_ref)
+```
+curl -H "Content-Type:application/json" -X POST -d '{"refs":"{\"vcca.cvm.rim\":\"7d2e49c8d29f18b748e658e7243ecf26bc292e5fee93f72af11ad9da9810142a\"}"}' http://127.0.0.1:8080/reference
+```
+
+### AA
+
+#### Install attester depends SDK
+```
+yum install virtCCA_sdk-devel
+```
+#### Config AA
+```
+mkdir -p /etc/attestation/attestation-agent/
+// svr_url为attestation service的ip和端口,需要根据实际部署网络修改配置
+// cert 为attestation service的公钥证书,本demo为在attestation service端手动生成的自签名公钥证书
+// iss 为attestation service签发token时的签发者名称
+vim /etc/attestation/attestation-agent/attestation-agent.conf
+{
+    "svr_url": "http://127.0.0.1:8080",
+    "token_cfg": {
+        "cert": "/etc/attestation/attestation-agent/as_cert.pem",
+        "iss": "oeas"
+    }
+}
+```
+#### Run AA
+```
+cd secGear/service/attestation/attestation-agent
+./target/debug/attestation-agent
+```
+
+### Run AA demo
+```
+cd secGear/service/attestation/attestation-agent
+./target/debug/aa-test
+```
\ No newline at end of file
diff --git a/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs b/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs
index 48e3e68..af72236 100644
--- a/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs
+++ b/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs
@@ -18,6 +18,7 @@ use serde_json::json;
 use reqwest;
 
 const TEST_THREAD_NUM: i64 = 1; // multi thread num
+const AA_ADDR: &str = "http://127.0.0.1:8081";
 
 #[tokio::main]
 async fn main() {
@@ -40,7 +41,7 @@ async fn aa_proc(i: i64) {
     // get challenge
     log::info!("thread {} case1 get challenge", i);
     let client = reqwest::Client::new();
-    let challenge_endpoint = "http://127.0.0.1:8081/challenge";
+    let challenge_endpoint = format!("{AA_ADDR}/challenge");
     let res = client
         .get(challenge_endpoint)
         .header("Content-Type", "application/json")
@@ -68,10 +69,10 @@ async fn aa_proc(i: i64) {
         "uuid": String::from("f68fd704-6eb1-4d14-b218-722850eb3ef0"),
     });
     log::info!("thread {} case2 get evidence, request body: {}", i, request_body);
-    let attest_endpoint = "http://127.0.0.1:8081/evidence";
+    let attest_endpoint = format!("{AA_ADDR}/evidence");
     let client = reqwest::Client::new();
     let res = client
-        .get(attest_endpoint)
+        .get(attest_endpoint.clone())
         .header("Content-Type", "application/json")
         .json(&request_body)
         .send()
@@ -119,7 +120,7 @@ async fn aa_proc(i: i64) {
     #[cfg(not(feature = "no_as"))]
     {
         // get token
-        let token_endpoint = "http://127.0.0.1:8081/token";
+        let token_endpoint = format!("{AA_ADDR}/token");
         let request_body = json!({
             "challenge": challenge,
             "uuid": String::from("f68fd704-6eb1-4d14-b218-722850eb3ef0"),
@@ -127,7 +128,7 @@ async fn aa_proc(i: i64) {
         log::info!("thread {} case5 get token, request body: {}", i, request_body);
         let client = reqwest::Client::new();
         let res = client
-            .get(token_endpoint)
+            .get(token_endpoint.clone())
             .header("Content-Type", "application/json")
             .json(&request_body)
             .send()
-- 
Gitee
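Review bot: The third and fifth hunks clone the endpoint `String` at `.get(attest_endpoint.clone())` and `.get(token_endpoint.clone())`, while the second hunk moves `challenge_endpoint` into `.get()` without one, so the three call sites read inconsistently; borrowing with `.get(attest_endpoint.as_str())` and `.get(token_endpoint.as_str())` avoids the copy and works whether or not the `String` is used again below the hunk (presumably it is, in a log line not visible here). `AA_ADDR` in the first hunk also carries no comment tying it to the agent, and the README added in this commit never states which address the agent listens on; `// base URL of the attestation-agent this demo drives; must match the agent's listen address` next to the const would close that gap. Since the address is now defined once, reading it from an environment variable with the constant as the fallback, mirroring the `-s ip:port` option the README documents for the service, would let the demo target a non-default agent without a rebuild. `aa_proc` begins and ends outside every hunk.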