diff --git a/0105-attestation-service-reference-support-itrustee.patch b/0105-attestation-service-reference-support-itrustee.patch new file mode 100644 index 0000000000000000000000000000000000000000..339d1cc820eb32571cb1441e4cf8485b5f9b1e24 --- /dev/null +++ b/0105-attestation-service-reference-support-itrustee.patch 
@@ -0,0 +1,204 @@ +From f1a2eda20355976f01169a3f73d95fc73b5fdf78 Mon Sep 17 00:00:00 2001 +From: houmingyong +Date: Wed, 11 Jun 2025 20:37:08 +0800 +Subject: [PATCH] attestation service reference support itrustee + +Reference: https://gitee.com/openeuler/secGear/pulls/338 + +--- + .../attestation-agent/agent/src/lib.rs | 7 +++-- + .../attestation-agent/c_header/example.c | 9 ++++-- + .../c_header/rust_attestation_agent.h | 8 ++---- + .../reference/src/reference/mod.rs | 17 ++++++++++- + .../verifier/src/itrustee/mod.rs | 28 ++++++++++++++----- + .../attestation-service/verifier/src/lib.rs | 2 +- + 6 files changed, 51 insertions(+), 20 deletions(-) + +diff --git a/service/attestation/attestation-agent/agent/src/lib.rs b/service/attestation/attestation-agent/agent/src/lib.rs +index dae5559..7df0638 100644 +--- a/service/attestation/attestation-agent/agent/src/lib.rs ++++ b/service/attestation/attestation-agent/agent/src/lib.rs +@@ -490,6 +490,7 @@ pub fn init_env_logger(c_level: Option<&repr_c::String>) { + pub fn get_report( + c_challenge: Option<&repr_c::Vec>, + c_ima: &repr_c::TaggedOption, ++ c_uuid: &repr_c::String, + ) -> repr_c::Vec { + log::debug!("input challenge: {:?}, ima: {:?}", c_challenge, c_ima); + let ima = match c_ima { +@@ -505,7 +506,7 @@ pub fn get_report( + }; + + let input: EvidenceRequest = EvidenceRequest { +- uuid: "f68fd704-6eb1-4d14-b218-722850eb3ef0".to_string(), ++ uuid: c_uuid.to_string(), + challenge: challenge, + ima: Some(ima), + }; +@@ -529,10 +530,10 @@ pub fn get_report( + report.into() + } + +-#[cfg(feature = "no_as")] ++#[cfg(all(feature = "no_as", feature = "parse_evidence"))] + use verifier::virtcca_parse_evidence; + +-#[cfg(feature = "no_as")] ++#[cfg(all(feature = "no_as", feature = "parse_evidence"))] + #[ffi_export] + pub fn parse_report(report: Option<&repr_c::Vec>) -> repr_c::String { + let report = match report { +diff --git a/service/attestation/attestation-agent/c_header/example.c 
b/service/attestation/attestation-agent/c_header/example.c +index a75d018..0011fe0 100644 +--- a/service/attestation/attestation-agent/c_header/example.c ++++ b/service/attestation/attestation-agent/c_header/example.c +@@ -38,9 +38,14 @@ void *thread_proc(void *arg) + ._0 = true, + ._1 = false, // true: enable to get report with ima + }; +- ++ const char *uuid = "f68fd704-6eb1-4d14-b218-722850eb3ef0"; ++ Vec_uint8_t uuid_rust = { ++ .ptr = (uint8_t *)uuid, ++ .len = strlen(uuid), ++ .cap = strlen(uuid), ++ }; + // step3: get report +- Vec_uint8_t report = get_report(&challenge, &ima); ++ Vec_uint8_t report = get_report(&challenge, &ima, &uuid_rust); + Vec_uint8_t claim; + if (report.len != 0) { + report.ptr[report.len] = '\0'; // rust return string has no '\0' +diff --git a/service/attestation/attestation-agent/c_header/rust_attestation_agent.h b/service/attestation/attestation-agent/c_header/rust_attestation_agent.h +index 9c1a18f..4ce1793 100644 +--- a/service/attestation/attestation-agent/c_header/rust_attestation_agent.h ++++ b/service/attestation/attestation-agent/c_header/rust_attestation_agent.h +@@ -55,18 +55,14 @@ typedef struct Tuple2_bool_bool { + Vec_uint8_t + get_report ( + Vec_uint8_t const * c_challenge, +- Tuple2_bool_bool_t const * c_ima); ++ Tuple2_bool_bool_t const * c_ima, ++ Vec_uint8_t const * c_uuid); + + /** */ + void + init_env_logger ( + Vec_uint8_t const * c_level); + +-/** */ +-Vec_uint8_t +-parse_report ( +- Vec_uint8_t const * report); +- + /** */ + Vec_uint8_t + verify_report ( +diff --git a/service/attestation/attestation-service/reference/src/reference/mod.rs b/service/attestation/attestation-service/reference/src/reference/mod.rs +index c400683..b794de4 100644 +--- a/service/attestation/attestation-service/reference/src/reference/mod.rs ++++ b/service/attestation/attestation-service/reference/src/reference/mod.rs +@@ -16,6 +16,12 @@ use openssl::sha::sha256; + use serde::{Deserialize, Serialize}; + use serde_json::{json, Value}; + 
use thiserror::{self, Error}; ++use std::fs::File; ++use std::path::Path; ++use std::io::Write; ++ ++const ITRUSTEE_REF_VALUE_DIR: &str = ++ "/etc/attestation/attestation-service/reference-itrustee/"; + + pub struct ReferenceOps { + store: Box, +@@ -90,7 +96,16 @@ impl ReferenceOps { + let refs = + Extractor::split(ref_set).ok_or(RefOpError::Err("parse reference fail".to_string()))?; + for item in refs { +- self.register_reference(&item)? ++ self.register_reference(&item)?; ++ // refnamex with prefix "itrustee_" should write to seperate file,itrustee sdk will use it ++ if item.name.starts_with("itrustee_") { ++ let file_name = ITRUSTEE_REF_VALUE_DIR.to_string() + item.name.as_str(); ++ let path = Path::new(file_name.as_str()); ++ let mut file = File::create(path) ++ .map_err(|_|RefOpError::Err("create itrustee reference file failed: ".to_string() + file_name.as_str()))?; ++ file.write_all(&item.value.as_str().unwrap().as_bytes()) ++ .map_err(|_|RefOpError::Err("write itrustee reference file failed".to_string() + file_name.as_str()))?; ++ } + } + Ok(()) + } +diff --git a/service/attestation/attestation-service/verifier/src/itrustee/mod.rs b/service/attestation/attestation-service/verifier/src/itrustee/mod.rs +index 029f751..d098cde 100644 +--- a/service/attestation/attestation-service/verifier/src/itrustee/mod.rs ++++ b/service/attestation/attestation-service/verifier/src/itrustee/mod.rs +@@ -17,11 +17,12 @@ use log; + use serde_json::json; + use std::ops::Add; + use std::path::Path; ++use serde_json::Value; + + mod itrustee; + +-const ITRUSTEE_REF_VALUE_FILE: &str = +- "/etc/attestation/attestation-service/verifier/itrustee/basevalue.txt"; ++const ITRUSTEE_REF_VALUE_DIR: &str = ++ "/etc/attestation/attestation-service/reference-itrustee/"; + + #[derive(Debug, Default)] + pub struct ItrusteeVerifier {} +@@ -57,19 +58,32 @@ fn evalute_wrapper(user_data: &[u8], evidence: &[u8]) -> Result { + size: in_data.len() as ::std::os::raw::c_uint, + buf: in_data.as_mut_ptr() as 
*mut ::std::os::raw::c_uchar, + }; +- ++ // parse uuid from evidence to find it's basevalue file that store in ITRUSTEE_REF_VALUE_DIR ++ let evidence_json:Value = serde_json::from_slice(evidence)?; ++ println!("{}", serde_json::to_string_pretty(&evidence_json).unwrap()); ++ let uuid; ++ if let Some(v)= evidence_json.get("payload") ++ .and_then(|v|v.get("uuid")) ++ .and_then(|v|v.as_str()) { ++ uuid = v; ++ } ++ else { ++ log::error!("parse uuid from evidence failed"); ++ bail!("parse uuid from evidence faild"); ++ } + let policy: std::os::raw::c_int = 1; // 1: verify ta_imag; 2: verfiy ta_mem; 3: verify ta_img and ta_mem hash; +- if !Path::new(ITRUSTEE_REF_VALUE_FILE).exists() { ++ let ref_value_file = ITRUSTEE_REF_VALUE_DIR.to_string() + "itrustee_" + uuid; ++ if !Path::new(&ref_value_file).exists() { + log::error!( + "itrustee verify report {} not exists", +- ITRUSTEE_REF_VALUE_FILE ++ ref_value_file + ); + bail!( + "itrustee verify report {} not exists", +- ITRUSTEE_REF_VALUE_FILE ++ ref_value_file + ); + } +- let ref_file = String::from(ITRUSTEE_REF_VALUE_FILE); ++ let ref_file = String::from(ref_value_file); + let mut file = ref_file.add("\0"); + let basevalue = file.as_mut_ptr() as *mut ::std::os::raw::c_char; + unsafe { +diff --git a/service/attestation/attestation-service/verifier/src/lib.rs b/service/attestation/attestation-service/verifier/src/lib.rs +index c2ef3bc..bb02cc8 100644 +--- a/service/attestation/attestation-service/verifier/src/lib.rs ++++ b/service/attestation/attestation-service/verifier/src/lib.rs +@@ -69,7 +69,7 @@ impl VerifierAPIs for Verifier { + } + } + +-#[cfg(feature = "no_as")] ++#[cfg(all(feature = "no_as", feature = "parse_evidence"))] + pub fn virtcca_parse_evidence(evidence: &[u8]) -> Result { + let aa_evidence: Evidence = serde_json::from_slice(evidence)?; + let evidence = aa_evidence.evidence.as_bytes(); +-- +2.43.0 + 
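Review bot: In verifier/src/itrustee/mod.rs the `uuid` read from `payload.uuid` of the attester-supplied evidence is concatenated straight into `ref_value_file`, so a value containing `/`, `..` or a NUL picks a basevalue file outside `ITRUSTEE_REF_VALUE_DIR`; the same unchecked concatenation is in reference/src/reference/mod.rs, where only the `itrustee_` prefix of `item.name` is checked before `File::create` writes to `ITRUSTEE_REF_VALUE_DIR + item.name`, and `item.value.as_str().unwrap()` panics on a non-string value instead of returning `RefOpError`. Validate the uuid as the canonical 36-character hex-and-dash form before building the path, apply the same check to the name suffix on the reference side (`if !suffix.bytes().all(|b| b.is_ascii_hexdigit() || b == b'-') { return Err(RefOpError::Err(...)) }`), and replace the `unwrap()` with `ok_or_else`. The `println!` of the pretty-printed evidence on the new side writes the whole evidence to stdout and looks like a leftover; `log::debug!` is the channel the file already uses. `evalute_wrapper` and the `ReferenceOps` method around `register_reference` both start and end outside their hunks.
```rust
    // … unchanged: in_data / buffer setup …
    let evidence_json: Value = serde_json::from_slice(evidence)?;
    log::debug!("itrustee evidence: {}", evidence_json);
    let uuid = match evidence_json
        .get("payload")
        .and_then(|v| v.get("uuid"))
        .and_then(|v| v.as_str())
    {
        Some(v) => v,
        None => {
            log::error!("parse uuid from evidence failed");
            bail!("parse uuid from evidence failed");
        }
    };
    // The uuid names a file under ITRUSTEE_REF_VALUE_DIR; accept only the canonical
    // 8-4-4-4-12 hex form so it cannot carry '/', '..' or a NUL into the path.
    if uuid.len() != 36 || !uuid.bytes().all(|b| b.is_ascii_hexdigit() || b == b'-') {
        log::error!("evidence uuid {:?} is not a canonical uuid", uuid);
        bail!("evidence uuid is not a canonical uuid");
    }
    let ref_value_file = format!("{}itrustee_{}", ITRUSTEE_REF_VALUE_DIR, uuid);
    // … unchanged: existence check, ref_file / basevalue setup, unsafe call …
```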
diff --git a/secGear.spec b/secGear.spec index 04604a68f699a2428f3157136a2315bba0ac1a74..5f0ef974290b966331a4e6161c36bb83cefddbc4 100644 --- a/secGear.spec +++ b/secGear.spec @@ -1,6 +1,6 @@ Name: secGear Version: 0.1.0 -Release: 62 +Release: 63 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features @@ -113,7 +113,8 @@ Patch99: 0100-challenge-may-generate-by-requester-so-aa-and-as-may.patch Patch100: 0101-generate-random-by-ra_tls-itself.patch Patch101: 0102-Add-support-for-UEFI-measured-boot-attestation.patch Patch102: 0103-fix-ima-attestation-log-and-add-pcr-check.patch -Patch103: 0104-attestation-service-Do-not-hardcode-the-token-path.patch +Patch103: 0104-attestation-service-Do-not-hardcode-the-token-path.patch +Patch104: 0105-attestation-service-reference-support-itrustee.patch BuildRequires: gcc python automake autoconf libtool BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel @@ -126,7 +127,7 @@ BuildRequires: rust cargo rust-packaging virtCCA_sdk-devel virtCCA_sdk kunpengs Requires: rsyslog compat-openssl11-libs %ifarch x86_64 -Requires: linux-sgx-driver sgxsdk libsgx-launch libsgx-urts libsgx-aesm-launch-plugin intel-sgx-ssl +Requires: sgxsdk libsgx-launch libsgx-urts libsgx-aesm-launch-plugin intel-sgx-ssl %else Requires: itrustee_sdk %endif @@ -356,6 +357,9 @@ popd systemctl restart rsyslog %changelog +* Thu Aug 28 2025 houmingyong - 0.1.0-63 +- sync attestation service reference support itrustee feature + * Fri Jun 6 2025 xuraoqing - 0.1.0-62 - attestation service Do not hardcode the token path
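Review bot: The x86_64 `Requires:` hunk drops `linux-sgx-driver`, but the 0.1.0-63 changelog entry only mentions syncing the itrustee reference patch, so that dependency change is undocumented. Either add a changelog line such as `- drop linux-sgx-driver from x86_64 Requires` or move the hunk to its own commit. Whether the driver is now pulled in by `sgxsdk` cannot be seen from the diff; if it is, saying so in the changelog is enough.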