From 49dfb6d89fdbcd6e091b9e7a8c5482b52efc77c1 Mon Sep 17 00:00:00 2001
From: xuraoqing
Date: Tue, 18 Mar 2025 20:13:23 +0800
Subject: [PATCH] sync patches from upstream
Signed-off-by: xuraoqing
(cherry picked from commit 4b7794d24e036b6bcc602d2fae567fa5bf14b524)
---
0089-add-parse-report-c-interface.patch | 94 +++++++++++++++++++
0090-add-no_as-ima-reference-path.patch | 41 ++++++++
0091-add-ima-detail-result-in-token.patch | 45 +++++++++
...l-result-exclude-boot_aggregate-file.patch | 26 +++++
...etailed-log-of-file-opening-failures.patch | 74 +++++++++++++++
secGear.spec | 11 ++-
6 files changed, 289 insertions(+), 2 deletions(-)
create mode 100644 0089-add-parse-report-c-interface.patch
create mode 100644 0090-add-no_as-ima-reference-path.patch
create mode 100644 0091-add-ima-detail-result-in-token.patch
create mode 100644 0092-ima-detail-result-exclude-boot_aggregate-file.patch
create mode 100644 0093-add-detailed-log-of-file-opening-failures.patch
diff --git a/0089-add-parse-report-c-interface.patch b/0089-add-parse-report-c-interface.patch
new file mode 100644
index 0000000..805f203
--- /dev/null
+++ b/0089-add-parse-report-c-interface.patch
@@ -0,0 +1,94 @@ +From e835af7ff3667005be6893dedcb46a18452450d2 Mon Sep 17 00:00:00 2001 +From: houmingyong +Date: Mon, 14 Oct 2024 11:35:12 +0800 +Subject: [PATCH] add parse report c interface + +Conflict: remove /attestation-agent/c_header/example.c,c_header/rust_attestation_agent.h + +--- + .../attestation-agent/agent/src/lib.rs | 31 +++++++++++++++++++ + .../attestation-service/verifier/src/lib.rs | 7 +++++ + .../verifier/src/virtcca/mod.rs | 10 ++++++ + 3 files changed, 48 insertions(+) + +diff --git a/service/attestation/attestation-agent/agent/src/lib.rs b/service/attestation/attestation-agent/agent/src/lib.rs +index f1c4510..1164e2a 100644 +--- a/service/attestation/attestation-agent/agent/src/lib.rs ++++ b/service/attestation/attestation-agent/agent/src/lib.rs +@@ -373,6 +373,37 @@ pub fn get_report(c_challenge: Option<&repr_c::Vec>, c_ima: &repr_c::TaggedO + report.into() + } + ++#[cfg(feature = "no_as")] ++use verifier::virtcca_parse_evidence; ++ ++#[cfg(feature = "no_as")] ++#[ffi_export] ++pub fn parse_report(report: Option<&repr_c::Vec>) -> repr_c::String { ++ let report = match report { ++ None => { ++ log::error!("report is null"); ++ return "".to_string().into(); ++ }, ++ Some(report) => report.clone().to_vec(), ++ }; ++ let rt = Runtime::new().unwrap(); ++ let fut = async {virtcca_parse_evidence(&report)}; ++ let ret = rt.block_on(fut); ++ ++ let ret = match ret { ++ Ok(claim) => { ++ log::debug!("claim: {:?}", claim); ++ claim.to_string() ++ }, ++ Err(e) =>{ ++ log::error!("{e}"); ++ "".to_string() ++ }, ++ }; ++ ++ return ret.into(); ++} ++ + #[ffi_export] + pub fn verify_report(c_challenge: Option<&repr_c::Vec>, report: Option<&repr_c::Vec>) -> repr_c::String { + let challenge = match c_challenge { +diff --git a/service/attestation/attestation-service/verifier/src/lib.rs b/service/attestation/attestation-service/verifier/src/lib.rs +index 0b776c2..a0e0b58 100644 +--- a/service/attestation/attestation-service/verifier/src/lib.rs ++++ 
b/service/attestation/attestation-service/verifier/src/lib.rs +@@ -58,3 +58,10 @@ impl VerifierAPIs for Verifier { + } + } + } ++ ++pub fn virtcca_parse_evidence(evidence: &[u8]) -> Result { ++ let aa_evidence: Evidence = serde_json::from_slice(evidence)?; ++ let evidence = aa_evidence.evidence.as_bytes(); ++ ++ return virtcca::Evidence::parse_evidence(evidence); ++} +diff --git a/service/attestation/attestation-service/verifier/src/virtcca/mod.rs b/service/attestation/attestation-service/verifier/src/virtcca/mod.rs +index 3de7c9f..ca3a2ff 100644 +--- a/service/attestation/attestation-service/verifier/src/virtcca/mod.rs ++++ b/service/attestation/attestation-service/verifier/src/virtcca/mod.rs +@@ -114,6 +114,16 @@ impl Evidence { + // todo parsed TeeClaim + evidence.parse_claim_from_evidence(ima) + } ++ pub fn parse_evidence(evidence: &[u8]) -> Result { ++ let virtcca_ev: VirtccaEvidence = serde_json::from_slice(evidence)?; ++ let evidence = virtcca_ev.evidence; ++ let evidence = Evidence::decode(evidence)?; ++ ++ let ima = json!(""); ++ // parsed TeeClaim ++ let claim = evidence.parse_claim_from_evidence(ima).unwrap(); ++ Ok(claim["payload"].clone() as TeeClaim) ++ } + fn parse_claim_from_evidence(&self, ima: serde_json::Value) -> Result { + let payload = json!({ + "vcca.cvm.challenge": hex::encode(self.cvm_token.challenge.clone()), +-- +2.33.0 + diff --git a/0090-add-no_as-ima-reference-path.patch b/0090-add-no_as-ima-reference-path.patch new file mode 100644 index 0000000..e1cd519 --- /dev/null +++ b/0090-add-no_as-ima-reference-path.patch 
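Review bot: `Evidence::parse_evidence` calls `evidence.parse_claim_from_evidence(ima).unwrap()` on bytes that arrive through the new `#[ffi_export] parse_report`, so a malformed report panics instead of returning an error, and a panic unwinding out of an `extern "C"` export aborts the process; `parse_claim_from_evidence` already returns `Result`, so write `let claim = evidence.parse_claim_from_evidence(ima)?;`. The `Runtime::new().unwrap()` in `parse_report` has the same failure mode and is unnecessary anyway, since `virtcca_parse_evidence` is synchronous and can be called directly. Separately, `parse_evidence` only runs `Evidence::decode` and claim extraction, with no signature or certificate-chain check visible, so the JSON `parse_report` hands back is unverified; a doc comment such as `/// Extracts claims from a virtCCA report WITHOUT verifying it; use verify_report for trusted claims.` on `parse_report` would keep callers from treating it like `verify_report`.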
@@ -0,0 +1,41 @@ +From f5266141477b9ea23c2f674e041d5f8dc6509668 Mon Sep 17 00:00:00 2001 +From: houmingyong +Date: Wed, 16 Oct 2024 19:52:04 +0800 +Subject: [PATCH] add no_as ima reference path + +Conflict: remove attestation/attestation-agent/c_header/example.c +--- + .../attestation-service/verifier/src/virtcca/ima.rs | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/service/attestation/attestation-service/verifier/src/virtcca/ima.rs b/service/attestation/attestation-service/verifier/src/virtcca/ima.rs +index 30a151f..2b73b46 100644 +--- a/service/attestation/attestation-service/verifier/src/virtcca/ima.rs ++++ b/service/attestation/attestation-service/verifier/src/virtcca/ima.rs +@@ -14,8 +14,13 @@ use ima_measurements::{Event, EventData, Parser}; + use fallible_iterator::FallibleIterator; + use serde_json::{Value, Map, json}; + ++#[cfg(not(feature = "no_as"))] + const IMA_REFERENCE_FILE: &str = "/etc/attestation/attestation-service/verifier/virtcca/ima/digest_list_file"; + ++// attestation agent local ima reference ++#[cfg(feature = "no_as")] ++const IMA_REFERENCE_FILE: &str = "/etc/attestation/attestation-agent/local_verifier/virtcca/ima/digest_list_file"; ++ + #[derive(Debug, Default)] + pub struct ImaVerify {} + +@@ -72,7 +77,8 @@ impl ImaVerify { + use std::io::BufRead; + use std::io::BufReader; + fn file_reader(file_path: &str) -> ::std::io::Result> { +- let file = std::fs::File::open(file_path)?; ++ let file = std::fs::File::open(file_path) ++ .expect("open ima reference file failed"); + let mut strings = Vec::::new(); + let mut reader = BufReader::new(file); + let mut buf = String::new(); +-- +2.33.0 + diff --git a/0091-add-ima-detail-result-in-token.patch b/0091-add-ima-detail-result-in-token.patch new file mode 100644 index 0000000..217e390 --- /dev/null +++ b/0091-add-ima-detail-result-in-token.patch 
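Review bot: The new `no_as` `IMA_REFERENCE_FILE` points the verifier at a digest list on the agent host, and nothing visible in `ImaVerify` checks who owns or may write that file, so whoever can write `/etc/attestation/attestation-agent/local_verifier/virtcca/ima/digest_list_file` decides which IMA entries verify as `true`; if the agent runs inside the CVM being attested, this is reference data supplied by the attested system itself, and the comment on the constant should say so. I'd replace `// attestation agent local ima reference` with `// no_as: the agent verifies locally against this list. It is trusted input: the path must be root-owned and not writable by the workload (TODO confirm the agent-side threat model).` The `.expect("open ima reference file failed")` added to `file_reader` turns a missing file into a panic while the function still returns `io::Result`, but patch 0093 in this same series reverts it, so nothing further is needed there.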
@@ -0,0 +1,45 @@ +From c26a4b5db3eb5ff5d558b9d14f962e3df4147dca Mon Sep 17 00:00:00 2001 +From: houmingyong +Date: Thu, 17 Oct 2024 18:58:00 +0800 +Subject: [PATCH] add ima detail result in token + +Conflict: remove service/attestation/attestation-agent/c_header/example.c +--- + service/attestation/attestation-agent/agent/src/lib.rs | 6 +----- + service/attestation/attestation-service/service/src/lib.rs | 3 +++ + 2 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/service/attestation/attestation-agent/agent/src/lib.rs b/service/attestation/attestation-agent/agent/src/lib.rs +index 1164e2a..93809a2 100644 +--- a/service/attestation/attestation-agent/agent/src/lib.rs ++++ b/service/attestation/attestation-agent/agent/src/lib.rs +@@ -280,11 +280,7 @@ impl AttestationAgent { + match ret { + Ok(token) => { + let token_claim: serde_json::Value = serde_json::from_slice(token.claim.as_bytes())?; +- let tee_claim = json!({ +- "tee": token_claim["tee"].clone(), +- "payload" : token_claim["tcb_status"].clone(), +- }); +- Ok(tee_claim as TeeClaim) ++ Ok(token_claim as TeeClaim) + }, + Err(e) => { + log::error!("token to teeclaim failed:{:?}", e); +diff --git a/service/attestation/attestation-service/service/src/lib.rs b/service/attestation/attestation-service/service/src/lib.rs +index 1c5c907..dd10b89 100644 +--- a/service/attestation/attestation-service/service/src/lib.rs ++++ b/service/attestation/attestation-service/service/src/lib.rs +@@ -152,6 +152,9 @@ impl AttestationService { + } + } + ++ // add ima detail result to report ++ report.as_object_mut().unwrap().insert("ima".to_string(), claims_evidence["ima"].clone()); ++ + // issue attestation result token + let evl_report = EvlReport { + tee: String::from(claims_evidence["tee"].as_str().ok_or(anyhow!("tee type unknown"))?), +-- +2.33.0 + diff --git a/0092-ima-detail-result-exclude-boot_aggregate-file.patch b/0092-ima-detail-result-exclude-boot_aggregate-file.patch new file mode 100644 index 0000000..5dcfba7 
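Review bot: `report.as_object_mut().unwrap()` in `AttestationService` panics if `report` is not a JSON object, while the surrounding code already propagates failures with `?` and `anyhow!` (see the `tee type unknown` line); `report.as_object_mut().ok_or_else(|| anyhow!("report is not a json object"))?.insert("ima".to_string(), claims_evidence["ima"].clone());` keeps the service from aborting on an unexpected shape. The inserted `ima` detail is keyed by file names taken from the attested CVM's IMA log, so the signed token now carries strings of unbounded count and length chosen by the attested side — worth a size cap, or at least a comment acknowledging it. On the agent side, returning `token_claim` whole instead of `{tee, payload: tcb_status}` changes what C callers of `verify_report` receive and no longer matches `parse_report` from patch 0089, which returns only `claim["payload"]`; document the new shape, e.g. `// TeeClaim is now the full token claim set; TCB status lives under "tcb_status", not "payload".` Both enclosing functions begin and end outside this hunk.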
--- /dev/null +++ b/0092-ima-detail-result-exclude-boot_aggregate-file.patch @@ -0,0 +1,26 @@ +From 9908ddc7947c10e0411c0b037160e320d8e83620 Mon Sep 17 00:00:00 2001 +From: houmingyong +Date: Tue, 22 Oct 2024 19:51:26 +0800 +Subject: [PATCH] ima detail result exclude boot_aggregate file + +--- + .../attestation-service/verifier/src/virtcca/ima.rs | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/service/attestation/attestation-service/verifier/src/virtcca/ima.rs b/service/attestation/attestation-service/verifier/src/virtcca/ima.rs +index 2b73b46..4a9a954 100644 +--- a/service/attestation/attestation-service/verifier/src/virtcca/ima.rs ++++ b/service/attestation/attestation-service/verifier/src/virtcca/ima.rs +@@ -59,6 +59,9 @@ impl ImaVerify { + EventData::ImaNg{digest, name} => (name, digest.digest), + _ => bail!("Inalid event {:?}", event), + }; ++ if name == "boot_aggregate".to_string() { ++ continue; ++ } + let hex_str_digest = hex::encode(file_digest); + if ima_refs.contains(&hex_str_digest) { + ima_detail.insert(name, Value::Bool(true)); +-- +2.43.0 + diff --git a/0093-add-detailed-log-of-file-opening-failures.patch b/0093-add-detailed-log-of-file-opening-failures.patch new file mode 100644 index 0000000..16c2929 --- /dev/null +++ b/0093-add-detailed-log-of-file-opening-failures.patch 
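Review bot: Skipping `boot_aggregate` means that entry is neither compared against the reference list nor recorded in `ima_detail`, so the boot-time measurement silently disappears from the result; the log-hash check earlier in `ImaVerify` (visible as context in patch 0093) presumably still covers its digest, but if nothing else validates `boot_aggregate` against the cVM token's boot measurements, a relying party can no longer distinguish a log anchored to a known boot state from any other. The reason for the exclusion deserves a comment at the `continue`, e.g. `// boot_aggregate is a PCR digest, not a file hash; it is checked elsewhere (TODO confirm), so it never appears in the digest list.` The comparison itself should be `if name == "boot_aggregate" {` — `String == &str` works without the `.to_string()` allocation. The method enclosing this loop starts and ends outside the hunk.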
@@ -0,0 +1,74 @@ +From 9c04006b8f5281bd5b436f81ec855f78a719dff7 Mon Sep 17 00:00:00 2001 +From: houmingyong +Date: Wed, 18 Dec 2024 09:34:57 +0800 +Subject: [PATCH] add detailed log of file opening failures + +--- + .../attestation-service/verifier/src/virtcca/ima.rs | 8 ++++---- + .../attestation-service/verifier/src/virtcca/mod.rs | 9 ++++++--- + 2 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/service/attestation/attestation-service/verifier/src/virtcca/ima.rs b/service/attestation/attestation-service/verifier/src/virtcca/ima.rs +index 7af55e8..e25e55e 100644 +--- a/service/attestation/attestation-service/verifier/src/virtcca/ima.rs ++++ b/service/attestation/attestation-service/verifier/src/virtcca/ima.rs +@@ -9,7 +9,7 @@ + * PURPOSE. + * See the Mulan PSL v2 for more details. + */ +-use anyhow::{Result, bail}; ++use anyhow::{anyhow, Result, bail}; + use ima_measurements::{Event, EventData, Parser}; + use fallible_iterator::FallibleIterator; + use serde_json::{Value, Map, json}; +@@ -47,7 +47,8 @@ impl ImaVerify { + bail!("ima log hash verify failed"); + } + +- let ima_refs: Vec<_> = file_reader(IMA_REFERENCE_FILE)? ++ let ima_refs: Vec<_> = file_reader(IMA_REFERENCE_FILE) ++ .map_err(|_err| anyhow!("{} is not found", IMA_REFERENCE_FILE))? 
+ .into_iter() + .map(String::from) + .collect(); +@@ -80,8 +81,7 @@ impl ImaVerify { + use std::io::BufRead; + use std::io::BufReader; + fn file_reader(file_path: &str) -> ::std::io::Result> { +- let file = std::fs::File::open(file_path) +- .expect("open ima reference file failed"); ++ let file = std::fs::File::open(file_path)?; + let mut strings = Vec::::new(); + let mut reader = BufReader::new(file); + let mut buf = String::new(); +diff --git a/service/attestation/attestation-service/verifier/src/virtcca/mod.rs b/service/attestation/attestation-service/verifier/src/virtcca/mod.rs +index 97f5b6b..42f263a 100644 +--- a/service/attestation/attestation-service/verifier/src/virtcca/mod.rs ++++ b/service/attestation/attestation-service/verifier/src/virtcca/mod.rs +@@ -161,9 +161,11 @@ impl Evidence { + // todo verify cert chain, now only verify signature + fn verify_dev_cert_chain(dev_cert: &[u8]) -> Result<()> { + let dev_cert = x509::X509::from_der(dev_cert)?; +- let sub_cert_file = std::fs::read(VIRTCCA_SUB_CERT)?; ++ let sub_cert_file = std::fs::read(VIRTCCA_SUB_CERT) ++ .map_err(|_err| anyhow!("{} is not found", VIRTCCA_SUB_CERT))?; + let sub_cert = x509::X509::from_pem(&sub_cert_file)?; +- let root_cert_file = std::fs::read(VIRTCCA_ROOT_CERT)?; ++ let root_cert_file = std::fs::read(VIRTCCA_ROOT_CERT) ++ .map_err(|_err| anyhow!("{} is not found", VIRTCCA_ROOT_CERT))?; + let root_cert = x509::X509::from_pem(&root_cert_file)?; + + // verify dev_cert by sub_cert +@@ -229,7 +231,8 @@ impl Evidence { + } + #[cfg(feature = "no_as")] + fn compare_with_ref(&mut self) -> Result<()> { +- let ref_file = std::fs::read(VIRTCCA_REF_VALUE_FILE)?; ++ let ref_file = std::fs::read(VIRTCCA_REF_VALUE_FILE) ++ .map_err(|_err| anyhow!("{} is not found", VIRTCCA_REF_VALUE_FILE))?; + let js_ref = serde_json::from_slice(&ref_file)?; + match js_ref { + serde_json::Value::Object(obj) => { +-- +2.43.0 + diff --git a/secGear.spec b/secGear.spec index bd5b278..0036409 100644 
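Review bot: Each new `.map_err(|_err| anyhow!("{} is not found", …))` discards the real `io::Error`, so a permission-denied, a directory in place of the file, or (for `file_reader`, which reads lines into a `String`) invalid UTF-8 in the digest list are all reported as "not found", which sends an operator down the wrong path. Keep the cause: `.map_err(|e| anyhow!("failed to read {}: {}", IMA_REFERENCE_FILE, e))?` and likewise for `VIRTCCA_SUB_CERT`, `VIRTCCA_ROOT_CERT` and `VIRTCCA_REF_VALUE_FILE`, or use `anyhow::Context::with_context`. The formatted message now embeds the absolute path of the root-of-trust and reference files; that is fine for the log, but if any of these errors is ever returned to a remote caller as a string it discloses the host layout, so check that path before relying on it.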
--- a/secGear.spec
+++ b/secGear.spec
@@ -1,6 +1,6 @@
 Name: secGear
 Version: 0.1.0
-Release: 53
+Release: 54
 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features
@@ -98,7 +98,11 @@ Patch84: 0085-fix-multi-thread-request-as-generate-challenge-and-v.patch
 Patch85: 0086-add-error-type-for-api.patch
 Patch86: 0087-use-id-when-get-policy.patch
 Patch87: 0088-fix-evidence-decode-typos.patch
-
+Patch88: 0089-add-parse-report-c-interface.patch
+Patch89: 0090-add-no_as-ima-reference-path.patch
+Patch90: 0091-add-ima-detail-result-in-token.patch
+Patch91: 0092-ima-detail-result-exclude-boot_aggregate-file.patch
+Patch92: 0093-add-detailed-log-of-file-opening-failures.patch
 BuildRequires: gcc python automake autoconf libtool
 BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel
@@ -294,6 +298,9 @@ popd
 systemctl restart rsyslog
 %changelog
+* Tue Mar 18 2025 xuraoqing - 0.1.0-54
+- sync patches from upstream
+
 * Wed Mar 12 2025 houmingyong - 0.1.0-53
 - generate cargo vendor on %prep stage
--
Gitee