Commit a39bf21
committed
aproxy: implement decoupled KBS backend utilizing sev crate
Running SVSM against a trustee KBS service to verify the
attestation report and get the attestation token back fails with the
error "Deserialize SNP Evidence failed" [1]
On further inspection, here are a few problems identified with the
current attestation flow:
1. The trustee KBS service depends on the virtee sev crate
AttestationReport structure [2] and it does not match with the
structure of AttestationReport that SVSM sends to aproxy.
As a result the deserialization fails.
2. The additional_evidence is not passed in the report at all.
3. Runtime data is hashed using sha512 whereas KBS service expects to
use Sha384 hash function.
4. nonce should be stored from the negotiation response, so that it can
be sent back in the attestation request.
In this commit, we add the official 'sev' crate (from virtee, with snp
and serde features enabled) to aproxy's dependencies, and implement a
decoupled KBS backend in tools/aproxy. [3]
The aproxy KBS backend parses the raw report bytes received from SVSM
using sev::firmware::guest::AttestationReport. This completely decouples
the SVSM kernel from KBS serialization format requirements.
The standard parser utilized by the KBS evidence verifier is used in the
aproxy, resolving previous deserialization failures.
aproxy backend now constructs the complete, KBS-compliant runtime_data
JSON object (which contains the nonce and the tee-pubkey formatted
with JWS parameters like alg: 'ECDH-ES+A256KW' and crv: 'P-521').
aproxy serializes this entire JSON object, computes its SHA-384 hash,
and returns this combined hash to SVSM as the NegotiationResponse challenge.
SVSM then simply hashes this single challenge into its SEV-SNP report.
Update the hash function in kernel/src/attest.rs to directly copy the
48 byte challenge into a zero padded 64 byte array. Hashing is actually
performed in the aproxy and the hash function used is Sha384
Casting SNP report bytes into sev crate's AttestationReport structure
via read_unaligned causes undefined behaviour due to optimized Option
enums. Replace unsafe cast with sev::parser::Decoder to safely decode
the report byte-by-byte into the correct memory layout.
Adding resource_id: Option<String> to KbsProtocol prevents the Protocol
enum from implementing Copy. Therefore pattern matching on self.protocol
directly inside HttpClient method now borrows self, and that conflicts
with subsequently passing self as mutable reference to the backend method
calls like negotiation and attestation. Use idiomatic mem::replace pattern
to avoid this.
[1] https://github.com/confidential-containers/trustee/blob/main/deps/verifier/src/snp/mod.rs#L351
[2] https://github.com/confidential-containers/trustee/blob/main/deps/verifier/Cargo.toml#L96
[3] https://docs.rs/crate/sev/8.0.0/source/src/firmware/guest/types/snp.rs#255
Signed-off-by: Arun Menon <armenon@redhat.com>1 parent 54850e0 commit a39bf21
6 files changed
Lines changed: 538 additions & 400 deletions
0 commit comments