From 8fcafe554012b79092d6c313d2f429f46f1e4ce7 Mon Sep 17 00:00:00 2001 From: Ivan Petrov Date: Fri, 20 Dec 2024 15:00:15 +0000 Subject: [PATCH] Use Variant proto message in Endorsements Fixes: 384532107 Change-Id: I1c9051336a8040879a938eea11b90b0539bae83a --- Cargo.lock | 1 - enclave_apps/Cargo.lock | 1 - oak_attestation_verification/BUILD | 2 - .../src/policy/application.rs | 21 ++++--- .../src/policy/binary.rs | 10 +-- .../src/policy/container.rs | 21 ++++--- .../src/policy/firmware.rs | 18 ++++-- .../src/policy/kernel.rs | 19 +++--- .../src/policy/platform.rs | 17 +++-- .../src/policy/system.rs | 18 +++--- oak_attestation_verification/src/util.rs | 14 +++-- oak_attestation_verification/src/verifier.rs | 32 +++++----- .../tests/policy_tests.rs | 62 ++++++++++--------- oak_attestation_verification_types/BUILD | 1 - oak_attestation_verification_types/Cargo.toml | 1 - oak_attestation_verification_types/src/lib.rs | 11 ++++ .../src/policy.rs | 5 +- .../examples/hello_world/proto/BUILD | 1 + .../examples/micro_rpc_noise/proto/BUILD | 1 + oak_gcp/examples/echo/proto/BUILD | 1 + .../generated/oak.attestation.v1.rs | 19 +++--- oak_proto_rust/grpc/BUILD | 1 + proto/attestation/BUILD | 2 +- proto/attestation/endorsement.proto | 15 +++-- 24 files changed, 166 insertions(+), 128 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 453a2ba59e..5d3b822001 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2163,7 +2163,6 @@ dependencies = [ "anyhow", "mockall", "oak_proto_rust", - "prost-types", ] [[package]] diff --git a/enclave_apps/Cargo.lock b/enclave_apps/Cargo.lock index 8adc82aa3d..83a6669fce 100644 --- a/enclave_apps/Cargo.lock +++ b/enclave_apps/Cargo.lock @@ -864,7 +864,6 @@ version = "0.1.0" dependencies = [ "anyhow", "oak_proto_rust", - "prost-types", ] [[package]] diff --git a/oak_attestation_verification/BUILD b/oak_attestation_verification/BUILD index 675d6dc1a1..036583e6e3 100644 --- a/oak_attestation_verification/BUILD +++ b/oak_attestation_verification/BUILD 
@@ -98,7 +98,6 @@ rust_test_suite( "@oak_crates_index//:hex", "@oak_crates_index//:lazy_static", "@oak_crates_index//:prost", - "@oak_crates_index//:prost-types", "@oak_crates_index//:x509-cert", "@oak_crates_index//:zerocopy", ], @@ -181,7 +180,6 @@ rust_test_suite( "@oak_crates_index//:hex", "@oak_crates_index//:lazy_static", "@oak_crates_index//:prost", - "@oak_crates_index//:prost-types", "@oak_crates_index//:x509-cert", "@oak_crates_index//:zerocopy", ], diff --git a/oak_attestation_verification/src/policy/application.rs b/oak_attestation_verification/src/policy/application.rs index 9a26a0cd69..90546df6e9 100644 --- a/oak_attestation_verification/src/policy/application.rs +++ b/oak_attestation_verification/src/policy/application.rs @@ -15,12 +15,14 @@ // use anyhow::Context; -use oak_attestation_verification_types::policy::Policy; -use oak_proto_rust::oak::attestation::v1::{ - ApplicationLayerData, ApplicationLayerEndorsements, ApplicationLayerReferenceValues, - EventAttestationResults, +use oak_attestation_verification_types::{policy::Policy, APPLICATION_ENDORSEMENT_ID}; +use oak_proto_rust::oak::{ + attestation::v1::{ + ApplicationLayerData, ApplicationLayerEndorsements, ApplicationLayerReferenceValues, + EventAttestationResults, + }, + Variant, }; -use prost_types::Any; use crate::{ compare::compare_application_layer_measurement_digests, 
@@ -38,22 +40,23 @@ impl ApplicationPolicy { } } -// We have to use [`Policy<[u8], Any>`] instead of [`EventPolicy`], because +// We have to use [`Policy<[u8], Variant>`] instead of [`EventPolicy`], because // Rust doesn't yet support implementing trait aliases. // -impl Policy<[u8], Any> for ApplicationPolicy { +impl Policy<[u8], Variant> for ApplicationPolicy { fn verify( &self, encoded_event: &[u8], - encoded_event_endorsement: &Any, + encoded_event_endorsement: &Variant, milliseconds_since_epoch: i64, ) -> anyhow::Result { let event = decode_event_proto::( "type.googleapis.com/oak.attestation.v1.ApplicationLayerData", encoded_event, )?; + // TODO: b/375137648 - Decode into new endorsement protos. let event_endorsement = decode_endorsement_proto::( - "type.googleapis.com/oak.attestation.v1.ApplicationLayerEndorsements", + APPLICATION_ENDORSEMENT_ID, encoded_event_endorsement, )?; diff --git a/oak_attestation_verification/src/policy/binary.rs b/oak_attestation_verification/src/policy/binary.rs index 861f9bf5d7..528464c66f 100644 --- a/oak_attestation_verification/src/policy/binary.rs +++ b/oak_attestation_verification/src/policy/binary.rs @@ -16,10 +16,10 @@ use anyhow::Context; use oak_attestation_verification_types::policy::Policy; -use oak_proto_rust::oak::attestation::v1::{ - EventAttestationResults, EventData, EventReferenceValues, +use oak_proto_rust::oak::{ + attestation::v1::{EventAttestationResults, EventData, EventReferenceValues}, + Variant, }; -use prost_types::Any; use crate::{ compare::compare_event_measurement_digests, expect::get_event_expected_values, @@ -36,11 +36,11 @@ impl BinaryPolicy { } } -impl Policy<[u8], Any> for BinaryPolicy { +impl Policy<[u8], Variant> for BinaryPolicy { fn verify( &self, encoded_event: &[u8], - _encoded_event_endorsement: &Any, + _encoded_event_endorsement: &Variant, milliseconds_since_epoch: i64, ) -> anyhow::Result { let event = decode_event_proto::( 
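Review bot: `APPLICATION_ENDORSEMENT_ID` now tags the legacy `ApplicationLayerEndorsements` message, while the constant's name and the TODO on the line above say the same id will later identify the new endorsement proto; once that lands, a producer still emitting the legacy message under this id would be decoded as the new type and fail in a non-obvious way rather than with a clear id mismatch (inferred, since the new proto is not part of this patch). Either allocate a distinct interim id for the legacy message or make the TODO state the contract: `// TODO: b/375137648 - Decode into new endorsement protos. Until then this id carries the legacy ApplicationLayerEndorsements message, so producers and verifiers must switch together.` The same applies to the container.rs, kernel.rs and system.rs hunks below. The enclosing `verify` body continues past the hunk.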
diff --git a/oak_attestation_verification/src/policy/container.rs b/oak_attestation_verification/src/policy/container.rs index 243050eced..a7841116a3 100644 --- a/oak_attestation_verification/src/policy/container.rs +++ b/oak_attestation_verification/src/policy/container.rs @@ -15,12 +15,14 @@ // use anyhow::Context; -use oak_attestation_verification_types::policy::Policy; -use oak_proto_rust::oak::attestation::v1::{ - ContainerLayerData, ContainerLayerEndorsements, ContainerLayerReferenceValues, - EventAttestationResults, +use oak_attestation_verification_types::{policy::Policy, CONTAINER_ENDORSEMENT_ID}; +use oak_proto_rust::oak::{ + attestation::v1::{ + ContainerLayerData, ContainerLayerEndorsements, ContainerLayerReferenceValues, + EventAttestationResults, + }, + Variant, }; -use prost_types::Any; use crate::{ compare::compare_container_layer_measurement_digests, @@ -38,22 +40,23 @@ impl ContainerPolicy { } } -// We have to use [`Policy<[u8], Any>`] instead of [`EventPolicy`], because +// We have to use [`Policy<[u8], Variant>`] instead of [`EventPolicy`], because // Rust doesn't yet support implementing trait aliases. // -impl Policy<[u8], Any> for ContainerPolicy { +impl Policy<[u8], Variant> for ContainerPolicy { fn verify( &self, encoded_event: &[u8], - encoded_event_endorsement: &Any, + encoded_event_endorsement: &Variant, milliseconds_since_epoch: i64, ) -> anyhow::Result { let event = decode_event_proto::( "type.googleapis.com/oak.attestation.v1.ContainerLayerData", encoded_event, )?; + // TODO: b/375137648 - Decode into new endorsement protos. let event_endorsement = decode_endorsement_proto::( - "type.googleapis.com/oak.attestation.v1.ContainerLayerEndorsements", + CONTAINER_ENDORSEMENT_ID, encoded_event_endorsement, )?; diff --git a/oak_attestation_verification/src/policy/firmware.rs b/oak_attestation_verification/src/policy/firmware.rs index 3b7e50e4c4..0a13b06555 100644 --- a/oak_attestation_verification/src/policy/firmware.rs 
+++ b/oak_attestation_verification/src/policy/firmware.rs @@ -15,14 +15,15 @@ // use anyhow::Context; -use oak_attestation_verification_types::policy::Policy; -use oak_proto_rust::oak::attestation::v1::{ - BinaryReferenceValue, EventAttestationResults, FirmwareEndorsement, +use oak_attestation_verification_types::{policy::Policy, FIRMWARE_ENDORSEMENT_ID}; +use oak_proto_rust::oak::{ + attestation::v1::{BinaryReferenceValue, EventAttestationResults, FirmwareEndorsement}, + Variant, }; use crate::{ compare::compare_measurement_digest, expect::get_stage0_expected_values, - platform::convert_amd_sev_snp_initial_measurement, + platform::convert_amd_sev_snp_initial_measurement, util::decode_endorsement_proto, }; pub struct FirmwarePolicy { @@ -35,14 +36,19 @@ impl FirmwarePolicy { } } -impl Policy<[u8], FirmwareEndorsement> for FirmwarePolicy { +impl Policy<[u8], Variant> for FirmwarePolicy { fn verify( &self, firmware_measurement: &[u8], - _firmware_endorsement: &FirmwareEndorsement, + encoded_firmware_endorsement: &Variant, milliseconds_since_epoch: i64, ) -> anyhow::Result { let initial_measurement = convert_amd_sev_snp_initial_measurement(firmware_measurement); + let _firmware_endorsement = decode_endorsement_proto::( + FIRMWARE_ENDORSEMENT_ID, + encoded_firmware_endorsement, + )?; + let initial_measurement_expected_values = get_stage0_expected_values( milliseconds_since_epoch, // TODO: b/375137648 - Use firmware endorsement, once we switch to new endorsment diff --git a/oak_attestation_verification/src/policy/kernel.rs b/oak_attestation_verification/src/policy/kernel.rs index 5a2db6b550..47912b0120 100644 --- a/oak_attestation_verification/src/policy/kernel.rs +++ b/oak_attestation_verification/src/policy/kernel.rs 
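Review bot: The decoded `FirmwareEndorsement` is bound to `_firmware_endorsement` and never read, so the only thing the new `decode_endorsement_proto` call enforces is that the Variant carries `FIRMWARE_ENDORSEMENT_ID` and parses as a `FirmwareEndorsement`; that gate is useful, but nothing says so, and a later cleanup of the unused binding would silently drop it. Suggest a comment above the call: `// Decoded only to enforce the endorsement id and wire format; the contents are not used until b/375137648 lands.` `verify` continues past the hunk (the `get_stage0_expected_values` call is cut off).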
@@ -15,12 +15,14 @@ // use anyhow::Context; -use oak_attestation_verification_types::policy::Policy; -use oak_proto_rust::oak::attestation::v1::{ - EventAttestationResults, KernelLayerEndorsements, KernelLayerReferenceValues, - Stage0Measurements, +use oak_attestation_verification_types::{policy::Policy, KERNEL_ENDORSEMENT_ID}; +use oak_proto_rust::oak::{ + attestation::v1::{ + EventAttestationResults, KernelLayerEndorsements, KernelLayerReferenceValues, + Stage0Measurements, + }, + Variant, }; -use prost_types::Any; use crate::{ compare::compare_kernel_layer_measurement_digests, @@ -39,11 +41,11 @@ impl KernelPolicy { } } -impl Policy<[u8], Any> for KernelPolicy { +impl Policy<[u8], Variant> for KernelPolicy { fn verify( &self, encoded_event: &[u8], - encoded_event_endorsement: &Any, + encoded_event_endorsement: &Variant, milliseconds_since_epoch: i64, ) -> anyhow::Result { let event = @@ -51,8 +53,9 @@ impl Policy<[u8], Any> for KernelPolicy { "type.googleapis.com/oak.attestation.v1.Stage0Measurements", encoded_event, )?); + // TODO: b/375137648 - Decode into new endorsement protos. let event_endorsements = decode_endorsement_proto::( - "type.googleapis.com/oak.attestation.v1.KernelLayerEndorsements", + KERNEL_ENDORSEMENT_ID, encoded_event_endorsement, )?; diff --git a/oak_attestation_verification/src/policy/platform.rs b/oak_attestation_verification/src/policy/platform.rs index d3570af892..831537436c 100644 --- a/oak_attestation_verification/src/policy/platform.rs +++ b/oak_attestation_verification/src/policy/platform.rs 
@@ -15,9 +15,10 @@ // use anyhow::Context; -use oak_attestation_verification_types::policy::Policy; -use oak_proto_rust::oak::attestation::v1::{ - AmdSevReferenceValues, AmdSevSnpEndorsement, EventAttestationResults, +use oak_attestation_verification_types::{policy::Policy, AMD_SEV_SNP_PLATFORM_ENDORSEMENT_ID}; +use oak_proto_rust::oak::{ + attestation::v1::{AmdSevReferenceValues, AmdSevSnpEndorsement, EventAttestationResults}, + Variant, }; use oak_sev_snp_attestation_report::AttestationReport; @@ -27,6 +28,7 @@ use crate::{ convert_amd_sev_snp_attestation_report, verify_amd_sev_attestation_report_values, verify_amd_sev_snp_attestation_report_validity, }, + util::decode_endorsement_proto, }; pub struct AmdSevSnpPolicy { @@ -39,13 +41,18 @@ impl AmdSevSnpPolicy { } } -impl Policy for AmdSevSnpPolicy { +impl Policy for AmdSevSnpPolicy { fn verify( &self, attestation_report: &AttestationReport, - platform_endorsement: &AmdSevSnpEndorsement, + encoded_platform_endorsement: &Variant, milliseconds_since_epoch: i64, ) -> anyhow::Result { + let platform_endorsement = decode_endorsement_proto::( + AMD_SEV_SNP_PLATFORM_ENDORSEMENT_ID, + encoded_platform_endorsement, + )?; + // Ensure the Attestation report is properly signed by the platform and the // corresponding certificate is signed by AMD. verify_amd_sev_snp_attestation_report_validity( diff --git a/oak_attestation_verification/src/policy/system.rs b/oak_attestation_verification/src/policy/system.rs index b1db4bcfe6..f6eb1f1d4b 100644 --- a/oak_attestation_verification/src/policy/system.rs +++ b/oak_attestation_verification/src/policy/system.rs 
@@ -15,11 +15,14 @@ // use anyhow::Context; -use oak_attestation_verification_types::policy::Policy; -use oak_proto_rust::oak::attestation::v1::{ - EventAttestationResults, SystemLayerData, SystemLayerEndorsements, SystemLayerReferenceValues, +use oak_attestation_verification_types::{policy::Policy, SYSTEM_ENDORSEMENT_ID}; +use oak_proto_rust::oak::{ + attestation::v1::{ + EventAttestationResults, SystemLayerData, SystemLayerEndorsements, + SystemLayerReferenceValues, + }, + Variant, }; -use prost_types::Any; use crate::{ compare::compare_system_layer_measurement_digests, @@ -37,19 +40,20 @@ impl SystemPolicy { } } -impl Policy<[u8], Any> for SystemPolicy { +impl Policy<[u8], Variant> for SystemPolicy { fn verify( &self, encoded_event: &[u8], - encoded_event_endorsement: &Any, + encoded_event_endorsement: &Variant, milliseconds_since_epoch: i64, ) -> anyhow::Result { let event = decode_event_proto::( "type.googleapis.com/oak.attestation.v1.SystemLayerData", encoded_event, )?; + // TODO: b/375137648 - Decode into new endorsement protos. let event_endorsements = decode_endorsement_proto::( - "type.googleapis.com/oak.attestation.v1.SystemLayerEndorsements", + SYSTEM_ENDORSEMENT_ID, encoded_event_endorsement, )?; diff --git a/oak_attestation_verification/src/util.rs b/oak_attestation_verification/src/util.rs index 2e0c5d5924..9e05013c00 100644 --- a/oak_attestation_verification/src/util.rs +++ b/oak_attestation_verification/src/util.rs @@ -30,7 +30,7 @@ use oak_proto_rust::oak::{ RootLayerData, RootLayerReferenceValues, Signature, SkipVerification, StringLiterals, SystemLayerReferenceValues, TextReferenceValue, Validity, VerifyingKeySet, }, - HexDigest, RawDigest, + HexDigest, RawDigest, Variant, }; use p256::pkcs8::{der::Decode, DecodePublicKey}; use prost::Message; 
@@ -428,10 +428,16 @@ pub fn decode_event_proto( /// Decodes serialized endorsement into a specified [`Message`]. pub fn decode_endorsement_proto( - expected_type_url: &str, - endorsement_proto: &Any, + id: &[u8], + message: &Variant, ) -> anyhow::Result { - decode_protobuf_any::(expected_type_url, endorsement_proto) + if message.id == id { + let decoded_message = M::decode(message.value.as_ref()) + .map_err(|error| anyhow::anyhow!("couldn't decode endorsement: {:?}", error))?; + Ok(decoded_message) + } else { + anyhow::bail!("unexpected endorsement ID, expected {:?}, found {:?}", id, message.id); + } } /// Decodes [`Any`] message into a specified [`Message`]. diff --git a/oak_attestation_verification/src/verifier.rs b/oak_attestation_verification/src/verifier.rs index be0ceec68e..10542bf4a1 100644 --- a/oak_attestation_verification/src/verifier.rs +++ b/oak_attestation_verification/src/verifier.rs @@ -28,14 +28,16 @@ use oak_attestation_verification_types::{ verifier::AttestationVerifier, }; use oak_dice::cert::{cose_key_to_verifying_key, get_public_key_from_claims_set}; -use oak_proto_rust::oak::attestation::v1::{ - attestation_results::Status, endorsements, AttestationResults, Endorsements, - EventAttestationResults, EventLog, Evidence, ExpectedValues, ExtractedEvidence, LayerEvidence, - ReferenceValues, +use oak_proto_rust::oak::{ + attestation::v1::{ + attestation_results::Status, endorsements, AttestationResults, Endorsements, + EventAttestationResults, EventLog, Evidence, ExpectedValues, ExtractedEvidence, + LayerEvidence, ReferenceValues, + }, + Variant, }; use oak_sev_snp_attestation_report::AttestationReport; use p256::ecdsa::VerifyingKey; -use prost_types::Any; use zerocopy::FromBytes; use crate::{ 
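Review bot: The doc comment `/// Decodes serialized endorsement into a specified [`Message`].` no longer describes the function: it now also rejects a Variant whose `id` differs from the expected one, which is the only type check left on endorsements now that the type URL is gone, and callers should know a mismatch is an error rather than a decode attempt. Suggest documenting `id` as the expected Variant id (compared byte-for-byte), `message` as the untrusted Variant, and that `Err` is returned on id mismatch or on malformed bytes. The `bail!` formats both ids with `{:?}`, which for `&[u8]`/`Vec<u8>` prints decimal byte lists; since the ids are UUID text, `core::str::from_utf8(id).unwrap_or("<non-utf8>")` (and the same for `&message.id`) gives a readable message without allocating.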
@@ -109,15 +111,13 @@ impl AttestationVerifier for AmdSevSnpDiceAttestationVerifier { let firmware_measurement = &attestation_report.data.measurement; // Verify AMD SEV-SNP platform authenticity and configuration. - if let Some(endorsements::Platform::AmdSevSnp(platform_endorsement)) = - endorsements.platform.as_ref() - { - self.platform_policy - .verify(attestation_report, platform_endorsement, milliseconds_since_epoch) - .context("couldn't verify AMD SEV-SNP platform")?; - } else { - anyhow::bail!("AMD SEV-SNP endorsement wasn't provided in endorsements") - } + let platform_endorsement = endorsements + .platform + .as_ref() + .context("AMD SEV-SNP endorsement wasn't provided in endorsements")?; + self.platform_policy + .verify(attestation_report, platform_endorsement, milliseconds_since_epoch) + .context("couldn't verify AMD SEV-SNP platform")?; // Verify that the DICE root ECA key is bound to the attestation report. verify_dice_root_eca_key(attestation_report, &root_layer.eca_public_key) @@ -130,7 +130,7 @@ impl AttestationVerifier for AmdSevSnpDiceAttestationVerifier { // Verify firmware measurement. let firmware_endorsement = &endorsements - .firmware + .initial .as_ref() .context("firmware endorsement wasn't provided in endorsements")?; self.firmware_policy @@ -418,7 +418,7 @@ fn validate_that_event_log_is_captured_in_dice_layers( /// Policies and Events is done via ordering. fn verify_event_log( event_log: &EventLog, - event_endorsements: &[Any], + event_endorsements: &[Variant], policies: &[Box], milliseconds_since_epoch: i64, ) -> anyhow::Result> { diff --git a/oak_attestation_verification/tests/policy_tests.rs b/oak_attestation_verification/tests/policy_tests.rs index 32c506204d..fe0299027f 100644 --- a/oak_attestation_verification/tests/policy_tests.rs +++ b/oak_attestation_verification/tests/policy_tests.rs 
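Review bot: The context message `"AMD SEV-SNP endorsement wasn't provided in endorsements"` is now attached to `endorsements.platform` being `None`, but `platform` is a generic `Variant` and the check that it really is an AMD SEV-SNP endorsement has moved into `AmdSevSnpPolicy::verify` via the id comparison; a present-but-wrong-id Variant fails with the policy's "couldn't verify AMD SEV-SNP platform" context instead. Suggest `.context("platform endorsement wasn't provided in endorsements")?` so the two failure modes read distinctly. Note also that the removed `oneof` match made the platform kind a compile-time guarantee; it is now a runtime id check, which is fine as long as every policy that accepts a `Variant` platform endorsement performs it (in this patch the check is visible only in platform.rs). The enclosing `verify` body continues outside the hunk.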
@@ -21,17 +21,23 @@ use oak_attestation_verification::policy::{ application::ApplicationPolicy, container::ContainerPolicy, firmware::FirmwarePolicy, kernel::KernelPolicy, platform::AmdSevSnpPolicy, system::SystemPolicy, }; -use oak_attestation_verification_types::policy::Policy; +use oak_attestation_verification_types::{ + policy::Policy, AMD_SEV_SNP_PLATFORM_ENDORSEMENT_ID, APPLICATION_ENDORSEMENT_ID, + CONTAINER_ENDORSEMENT_ID, FIRMWARE_ENDORSEMENT_ID, KERNEL_ENDORSEMENT_ID, + SYSTEM_ENDORSEMENT_ID, +}; use oak_file_utils::data_path; -use oak_proto_rust::oak::attestation::v1::{ - binary_reference_value, endorsements, reference_values, AmdSevSnpEndorsement, Endorsements, - Evidence, FirmwareEndorsement, OakContainersEndorsements, OakContainersReferenceValues, - OakRestrictedKernelEndorsements, OakRestrictedKernelReferenceValues, ReferenceValues, - SkipVerification, +use oak_proto_rust::oak::{ + attestation::v1::{ + binary_reference_value, endorsements, reference_values, AmdSevSnpEndorsement, Endorsements, + Evidence, FirmwareEndorsement, OakContainersEndorsements, OakContainersReferenceValues, + OakRestrictedKernelEndorsements, OakRestrictedKernelReferenceValues, ReferenceValues, + SkipVerification, + }, + Variant, }; use oak_sev_snp_attestation_report::AttestationReport; use prost::Message; -use prost_types::Any; use zerocopy::FromBytes; const OC_EVIDENCE_PATH: &str = 
@@ -185,8 +191,12 @@ fn amd_sev_snp_platform_policy_verify_succeeds() { let platform_endorsement = AmdSevSnpEndorsement { tee_certificate: OC_ENDORSEMENTS.root_layer.as_ref().unwrap().tee_certificate.to_vec(), }; + let encoded_endorsement = Variant { + id: AMD_SEV_SNP_PLATFORM_ENDORSEMENT_ID.to_vec(), + value: platform_endorsement.encode_to_vec(), + }; - let result = policy.verify(attestation_report, &platform_endorsement, MILLISECONDS_SINCE_EPOCH); + let result = policy.verify(attestation_report, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH); // TODO: b/356631062 - Verify detailed attestation results. assert!(result.is_ok()); } @@ -212,9 +222,13 @@ fn amd_sev_snp_firmware_policy_verify_succeeds() { let firmware_measurement = &extract_attestation_report(&OC_EVIDENCE).unwrap().data.measurement; // TODO: b/375137648 - Use new endorsements directly once available. let firmware_endorsement = FirmwareEndorsement { firmware: None }; + let encoded_endorsement = Variant { + id: FIRMWARE_ENDORSEMENT_ID.to_vec(), + value: firmware_endorsement.encode_to_vec(), + }; let result = - policy.verify(firmware_measurement, &firmware_endorsement, MILLISECONDS_SINCE_EPOCH); + policy.verify(firmware_measurement, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH); // TODO: b/356631062 - Verify detailed attestation results. assert!(result.is_ok()); } @@ -228,10 +242,8 @@ fn oc_kernel_policy_verify_succeeds() { let endorsement = OC_ENDORSEMENTS.kernel_layer.as_ref().unwrap(); // TODO: b/375137648 - Populate `events` proto field. - let encoded_endorsement = Any { - type_url: "type.googleapis.com/oak.attestation.v1.KernelLayerEndorsements".to_string(), - value: endorsement.encode_to_vec(), - }; + let encoded_endorsement = + Variant { id: KERNEL_ENDORSEMENT_ID.to_vec(), value: endorsement.encode_to_vec() }; let result = policy.verify(&event, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH); // TODO: b/356631062 - Verify detailed attestation results. 
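Review bot: Every updated test still exercises only the success path, so the id check that `decode_endorsement_proto` now performs has no coverage: a `Variant` with the right payload but a wrong `id` should make `verify` return `Err`, and nothing in policy_tests.rs asserts that. A single negative test next to `amd_sev_snp_platform_policy_verify_succeeds` (same setup, id swapped for another layer's constant) would pin it; the same gap exists in the firmware, kernel, system, container and application hunks on this and the following lines.
```rust
#[test]
fn amd_sev_snp_platform_policy_rejects_mismatched_endorsement_id() {
    // … unchanged: policy, attestation_report and platform_endorsement setup as in
    // amd_sev_snp_platform_policy_verify_succeeds …
    let encoded_endorsement = Variant {
        id: KERNEL_ENDORSEMENT_ID.to_vec(),
        value: platform_endorsement.encode_to_vec(),
    };
    let result = policy.verify(attestation_report, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH);
    assert!(result.is_err());
}
```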
@@ -247,10 +259,8 @@ fn oc_system_policy_verify_succeeds() { let endorsement = OC_ENDORSEMENTS.system_layer.as_ref().unwrap(); // TODO: b/375137648 - Populate `events` proto field. - let encoded_endorsement = Any { - type_url: "type.googleapis.com/oak.attestation.v1.SystemLayerEndorsements".to_string(), - value: endorsement.encode_to_vec(), - }; + let encoded_endorsement = + Variant { id: SYSTEM_ENDORSEMENT_ID.to_vec(), value: endorsement.encode_to_vec() }; let result = policy.verify(&event, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH); // TODO: b/356631062 - Verify detailed attestation results. @@ -270,10 +280,8 @@ fn oc_container_policy_verify_succeeds() { let endorsement = std::vec![]; // TODO: b/375137648 - Populate `events` proto field. - let encoded_endorsement = Any { - type_url: "type.googleapis.com/oak.attestation.v1.ContainerLayerEndorsements".to_string(), - value: endorsement.encode_to_vec(), - }; + let encoded_endorsement = + Variant { id: CONTAINER_ENDORSEMENT_ID.to_vec(), value: endorsement.encode_to_vec() }; let result = policy.verify(&event, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH); // TODO: b/356631062 - Verify detailed attestation results. @@ -289,10 +297,8 @@ fn rk_kernel_policy_verify_succeeds() { let endorsement = RK_ENDORSEMENTS.kernel_layer.as_ref().unwrap(); // TODO: b/375137648 - Populate `events` proto field. - let encoded_endorsement = Any { - type_url: "type.googleapis.com/oak.attestation.v1.KernelLayerEndorsements".to_string(), - value: endorsement.encode_to_vec(), - }; + let encoded_endorsement = + Variant { id: KERNEL_ENDORSEMENT_ID.to_vec(), value: endorsement.encode_to_vec() }; let result = policy.verify(&event, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH); // TODO: b/356631062 - Verify detailed attestation results. 
@@ -310,10 +316,8 @@ fn rk_application_policy_verify_succeeds() { let endorsement = RK_ENDORSEMENTS.application_layer.as_ref().unwrap(); // TODO: b/375137648 - Populate `events` proto field. - let encoded_endorsement = Any { - type_url: "type.googleapis.com/oak.attestation.v1.ApplicationLayerEndorsements".to_string(), - value: endorsement.encode_to_vec(), - }; + let encoded_endorsement = + Variant { id: APPLICATION_ENDORSEMENT_ID.to_vec(), value: endorsement.encode_to_vec() }; let result = policy.verify(&event, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH); // TODO: b/356631062 - Verify detailed attestation results. diff --git a/oak_attestation_verification_types/BUILD b/oak_attestation_verification_types/BUILD index 59ed85b78e..1d410cc745 100644 --- a/oak_attestation_verification_types/BUILD +++ b/oak_attestation_verification_types/BUILD @@ -32,6 +32,5 @@ rust_library( deps = [ "//oak_proto_rust", "@oak_crates_index//:anyhow", - "@oak_crates_index//:prost-types", ], ) diff --git a/oak_attestation_verification_types/Cargo.toml b/oak_attestation_verification_types/Cargo.toml index f49985d9d1..bfbc9e10dd 100644 --- a/oak_attestation_verification_types/Cargo.toml +++ b/oak_attestation_verification_types/Cargo.toml @@ -8,7 +8,6 @@ license = "Apache-2.0" [dependencies] anyhow = { version = "*", default-features = false } oak_proto_rust = { workspace = true } -prost-types = { version = "*", default-features = false } [dev-dependencies] mockall = { version = "*", default-features = false } diff --git a/oak_attestation_verification_types/src/lib.rs b/oak_attestation_verification_types/src/lib.rs index 46cde0edb6..42de9475e1 100644 --- a/oak_attestation_verification_types/src/lib.rs +++ b/oak_attestation_verification_types/src/lib.rs 
@@ -22,3 +22,14 @@ extern crate alloc; pub mod policy; pub mod util; pub mod verifier; + +// IDs are generated as UUID v4 which is represented as a random string, except +// for the four bits that are used to indicate version 4 and two to three bits +// are used to indicate the variant. +// +pub static AMD_SEV_SNP_PLATFORM_ENDORSEMENT_ID: &[u8] = b"5a12d00f-48a0-4224-bff4-975c7657438f"; +pub static FIRMWARE_ENDORSEMENT_ID: &[u8] = b"de4a0d55-60ea-4dc6-abd1-09ed744f80ea"; +pub static KERNEL_ENDORSEMENT_ID: &[u8] = b"89511d65-5d35-4601-900b-1e6dbaf842b6"; +pub static SYSTEM_ENDORSEMENT_ID: &[u8] = b"4722655d-963d-4fc9-8443-f14571dd32a2"; +pub static APPLICATION_ENDORSEMENT_ID: &[u8] = b"e84ed714-669d-430a-a60f-8a651e5a5503"; +pub static CONTAINER_ENDORSEMENT_ID: &[u8] = b"7297a51f-a05d-49a1-afdb-64cdee07862d"; diff --git a/oak_attestation_verification_types/src/policy.rs b/oak_attestation_verification_types/src/policy.rs index 55d5f0f07b..5d8300b8eb 100644 --- a/oak_attestation_verification_types/src/policy.rs +++ b/oak_attestation_verification_types/src/policy.rs @@ -14,8 +14,7 @@ // limitations under the License. // -use oak_proto_rust::oak::attestation::v1::EventAttestationResults; -use prost_types::Any; +use oak_proto_rust::oak::{attestation::v1::EventAttestationResults, Variant}; /// Verification Policy that takes a generic evidence and endorsement and /// performs attestation verification. @@ -34,4 +33,4 @@ pub trait Policy: Send + Sync { /// Verification Policy that takes an encoded Event and an encoded Event /// Endorsement and performs attestation verification for this specific Event. -pub trait EventPolicy = Policy<[u8], Any>; +pub trait EventPolicy = Policy<[u8], Variant>; diff --git a/oak_containers/examples/hello_world/proto/BUILD b/oak_containers/examples/hello_world/proto/BUILD index 660decb6d5..d92d1d862f 100644 --- a/oak_containers/examples/hello_world/proto/BUILD +++ b/oak_containers/examples/hello_world/proto/BUILD 
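Review bot: These ids are compared byte-for-byte against `Variant.id` in `decode_endorsement_proto`, which makes the exact lower-case hyphenated spelling part of the wire format, yet the comment only explains how they were generated. Suggest replacing it with one that states the contract: each id is the canonical 36-byte lower-case hyphenated text of a UUID v4, it is compared byte-for-byte (no case folding, no braces), and the values must never change once an endorsement has been published under them. A small unit test asserting all six are 36 bytes long and pairwise distinct would guard against a copy-paste slip, since a duplicated id could let one layer's endorsement be accepted by another layer's policy.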
@@ -59,6 +59,7 @@ cargo_build_script( data = [ ":hello_world.proto", "//proto:digest.proto", + "//proto:variant.proto", "//proto/attestation:endorsement.proto", "//proto/attestation:eventlog.proto", "//proto/attestation:evidence.proto", diff --git a/oak_containers/examples/micro_rpc_noise/proto/BUILD b/oak_containers/examples/micro_rpc_noise/proto/BUILD index 7018cb413f..4f93a6d0a4 100644 --- a/oak_containers/examples/micro_rpc_noise/proto/BUILD +++ b/oak_containers/examples/micro_rpc_noise/proto/BUILD @@ -45,6 +45,7 @@ cargo_build_script( data = [ "//oak_containers/examples/micro_rpc_noise/proto:micro_rpc_noise.proto", "//proto:digest.proto", + "//proto:variant.proto", "//proto/attestation:endorsement.proto", "//proto/attestation:eventlog.proto", "//proto/attestation:evidence.proto", diff --git a/oak_gcp/examples/echo/proto/BUILD b/oak_gcp/examples/echo/proto/BUILD index 455be375f5..41c22002c5 100644 --- a/oak_gcp/examples/echo/proto/BUILD +++ b/oak_gcp/examples/echo/proto/BUILD @@ -35,6 +35,7 @@ cargo_build_script( data = [ ":echo.proto", "//proto:digest.proto", + "//proto:variant.proto", "//proto/attestation:endorsement.proto", "//proto/attestation:eventlog.proto", "//proto/attestation:evidence.proto", diff --git a/oak_proto_rust/generated/oak.attestation.v1.rs b/oak_proto_rust/generated/oak.attestation.v1.rs index ae198c22d8..0131aa6a64 100644 --- a/oak_proto_rust/generated/oak.attestation.v1.rs +++ b/oak_proto_rust/generated/oak.attestation.v1.rs 
@@ -908,20 +908,21 @@ pub struct ContainerEndorsement { #[allow(clippy::derive_partial_eq_without_eq)] #[derive(Clone, PartialEq, ::prost_derive::Message)] pub struct Endorsements { - /// Endorsement corresponding to the initial TEE measurement done by the + /// Endorsement that proves the TEE platform authenticity. + #[prost(message, optional, tag = "5")] + pub platform: ::core::option::Option, + /// Endorsement corresponding to the initial measurement done by the TEE /// platform. - /// Firmware endorsement is not included in the event log, because + /// Initial endorsement is not included in the event log, because /// events can only be generated after the TEE starts up. #[prost(message, optional, tag = "6")] - pub firmware: ::core::option::Option, + pub initial: ::core::option::Option, /// Endorsements corresponding to the event log. #[prost(message, repeated, tag = "7")] - pub events: ::prost::alloc::vec::Vec<::prost_types::Any>, + pub events: ::prost::alloc::vec::Vec, /// TODO: b/380407219 - Remove this field once Oak clients switch to policies. #[prost(oneof = "endorsements::Type", tags = "1, 2, 3")] pub r#type: ::core::option::Option, - #[prost(oneof = "endorsements::Platform", tags = "5")] - pub platform: ::core::option::Option, } /// Nested message and enum types in `Endorsements`. pub mod endorsements { @@ -936,12 +937,6 @@ pub mod endorsements { #[prost(message, tag = "3")] Cb(super::CbEndorsements), } - #[allow(clippy::derive_partial_eq_without_eq)] - #[derive(Clone, PartialEq, ::prost_derive::Oneof)] - pub enum Platform { - #[prost(message, tag = "5")] - AmdSevSnp(super::AmdSevSnpEndorsement), - } } /// Represents a verification result. Can be extended to return certain /// measurements and other detail to the client for further processing. diff --git a/oak_proto_rust/grpc/BUILD b/oak_proto_rust/grpc/BUILD index 7415d720ad..54e203b27e 100644 --- a/oak_proto_rust/grpc/BUILD +++ b/oak_proto_rust/grpc/BUILD 
@@ -50,6 +50,7 @@ cargo_build_script( crate_features = ["bazel"], data = [ "//proto:digest.proto", + "//proto:variant.proto", "//proto/attestation:endorsement.proto", "//proto/attestation:eventlog.proto", "//proto/attestation:evidence.proto", diff --git a/proto/attestation/BUILD b/proto/attestation/BUILD index 81ad2e81bd..c14e98917f 100644 --- a/proto/attestation/BUILD +++ b/proto/attestation/BUILD @@ -59,7 +59,7 @@ java_proto_library( proto_library( name = "endorsement_proto", srcs = ["endorsement.proto"], - deps = ["@com_google_protobuf//:any_proto"], + deps = ["//proto:variant_proto"], ) cc_proto_library( diff --git a/proto/attestation/endorsement.proto b/proto/attestation/endorsement.proto index 58d9eeff57..9e0c245e8a 100644 --- a/proto/attestation/endorsement.proto +++ b/proto/attestation/endorsement.proto @@ -18,7 +18,7 @@ syntax = "proto3"; package oak.attestation.v1; -import "google/protobuf/any.proto"; +import "proto/variant.proto"; option go_package = "proto/oak/attestation/v1"; option java_multiple_files = true; @@ -198,16 +198,15 @@ message Endorsements { CBEndorsements cb = 3; } - oneof platform { - AmdSevSnpEndorsement amd_sev_snp = 5; - } + // Endorsement that proves the TEE platform authenticity. + oak.Variant platform = 5; - // Endorsement corresponding to the initial TEE measurement done by the + // Endorsement corresponding to the initial measurement done by the TEE // platform. - // Firmware endorsement is not included in the event log, because + // Initial endorsement is not included in the event log, because // events can only be generated after the TEE starts up. - FirmwareEndorsement firmware = 6; + oak.Variant initial = 6; // Endorsements corresponding to the event log. - repeated google.protobuf.Any events = 7; + repeated oak.Variant events = 7; };
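Review bot: Field numbers 5, 6 and 7 are kept while their message types change (`AmdSevSnpEndorsement`, `FirmwareEndorsement` and `google.protobuf.Any` all become `oak.Variant`); every one of these is length-delimited on the wire, so an `Endorsements` serialized by an older producer still parses without error but with the old payload reinterpreted as a `Variant` (an old `Any`'s `type_url` would likely land in `id` if `Variant` uses the same field numbers — inferred, `variant.proto` is not in the patch), and verification then fails with an id mismatch rather than a clear version error. If serialized `Endorsements` exist outside this repo, prefer fresh field numbers with `reserved 5, 6, 7;` and `reserved "amd_sev_snp", "firmware";`, or state the wire break in the commit message. The same reuse is reflected in the generated `oak.attestation.v1.rs` hunk above.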