OK

Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>

Author: bluele

Cargo.lock

@@ -26,6 +26,7 @@ ecall-commands = { path = "../modules/ecall-commands" }
 crypto = { path = "../modules/crypto" }
 keymanager = { path = "../modules/keymanager" }
 remote-attestation = { path = "../modules/remote-attestation" }
+attestation-report = { path = "../modules/attestation-report" }
 
 [build-dependencies]
 git2 = "0.19"

app/Cargo.toml

@@ -3,6 +3,7 @@ use crate::{
     opts::{EnclaveOpts, Opts},
 };
 use anyhow::{anyhow, Result};
+use attestation_report::RAQuote;
 use clap::Parser;
 use crypto::Address;
 use ecall_commands::GenerateEnclaveKeyInput;
@@ -87,10 +88,13 @@ fn run_generate_key<E: EnclaveCommandAPI<S>, S: CommitStore>(
 ) -> Result<()> {
     let (target_info, _) = remote_attestation::init_quote(input.target_qe3)?;
     let res = enclave
-        .generate_enclave_key(GenerateEnclaveKeyInput {
-            target_info,
-            operator: input.get_operator()?,
-        })
+        .generate_enclave_key(
+            GenerateEnclaveKeyInput {
+                target_info,
+                operator: input.get_operator()?,
+            },
+            input.target_qe3,
+        )
         .map_err(|e| anyhow!("failed to generate an enclave key: {:?}", e))?;
     println!("{}", res.pub_key.as_address());
     Ok(())
@@ -121,37 +125,37 @@ fn run_list_keys<E: EnclaveCommandAPI<S>, S: CommitStore>(
     };
     let mut list_json = Vec::new();
     for eki in list {
-        let ias_attested = eki.ias_report.is_some();
-        let dcap_attested = eki.dcap_quote.is_some();
-
-        if ias_attested {
-            let avr = eki.ias_report.as_ref().unwrap().get_avr()?;
-            let report_data = avr.parse_quote()?.report_data();
-            list_json.push(json! {{
-                "type": "ias",
-                "address": eki.address.to_hex_string(),
-                "attested": true,
-                "report_data": report_data.to_string(),
-                "isv_enclave_quote_status": avr.isv_enclave_quote_status,
-                "advisory_ids": avr.advisory_ids,
-                "attested_at": avr.timestamp
-            }});
-        } else if dcap_attested {
-            let dcap_quote = eki.dcap_quote.as_ref().unwrap();
-            list_json.push(json! {{
-                "type": "dcap",
-                "address": eki.address.to_hex_string(),
-                "attested": true,
-                "report_data": dcap_quote.report_data()?.to_string(),
-                "isv_enclave_quote_status": dcap_quote.tcb_status,
-                "advisory_ids": dcap_quote.advisory_ids,
-                "attested_at": dcap_quote.attested_at.to_string(),
-            }});
-        } else {
-            list_json.push(json! {{
-                "address": eki.address.to_hex_string(),
-                "attested": false,
-            }});
+        match eki.ra_quote {
+            Some(RAQuote::IAS(report)) => {
+                let avr = report.get_avr()?;
+                let report_data = avr.parse_quote()?.report_data();
+                list_json.push(json! {{
+                    "type": "ias",
+                    "address": eki.address.to_hex_string(),
+                    "attested": true,
+                    "report_data": report_data.to_string(),
+                    "isv_enclave_quote_status": avr.isv_enclave_quote_status,
+                    "advisory_ids": avr.advisory_ids,
+                    "attested_at": avr.timestamp
+                }});
+            }
+            Some(RAQuote::DCAP(quote)) => {
+                list_json.push(json! {{
+                    "type": "dcap",
+                    "address": eki.address.to_hex_string(),
+                    "attested": true,
+                    "report_data": quote.report_data()?.to_string(),
+                    "isv_enclave_quote_status": quote.tcb_status,
+                    "advisory_ids": quote.advisory_ids,
+                    "attested_at": quote.attested_at.to_string(),
+                }});
+            }
+            None => {
+                list_json.push(json! {{
+                    "address": eki.address.to_hex_string(),
+                    "attested": false,
+                }});
+            }
         }
     }
     println!("{}", serde_json::to_string(&list_json).unwrap());

app/src/commands/enclave.rs

@@ -23,6 +23,14 @@ define_error! {
             format_args!("unexpected report data version: expected={} actual={}", e.expected, e.actual)
         },
 
+        InvalidRaType
+        {
+            ra_type: u32
+        }
+        |e| {
+            format_args!("Invalid RA type: ra_type={}", e.ra_type)
+        },
+
         MrenclaveMismatch
         {
             expected: Mrenclave,

modules/attestation-report/src/errors.rs

@@ -42,14 +42,6 @@ impl IASSignedReport {
     pub fn get_avr(&self) -> Result<IASAttestationVerificationReport, Error> {
         serde_json::from_slice(self.avr.as_ref()).map_err(Error::serde_json)
     }
-
-    pub fn to_json(&self) -> Result<String, Error> {
-        serde_json::to_string(self).map_err(Error::serde_json)
-    }
-
-    pub fn from_json(json: &str) -> Result<Self, Error> {
-        serde_json::from_str(json).map_err(Error::serde_json)
-    }
 }
 
 // IASAttestationVerificationReport represents Intel's Attestation Verification Report

modules/attestation-report/src/ias.rs

@@ -23,7 +23,7 @@ mod prelude {
 pub use dcap::DCAPQuote;
 pub use errors::Error;
 pub use ias::{verify_ias_report, IASAttestationVerificationReport, IASSignedReport};
-pub use report::{Quote, ReportData, VerifiableQuote};
+pub use report::{Quote, RAQuote, RAType, ReportData};
 
 pub(crate) mod serde_base64 {
     use crate::prelude::*;

modules/attestation-report/src/lib.rs

@@ -9,29 +9,67 @@ use sgx_types::{metadata::metadata_t, sgx_measurement_t, sgx_quote_t, sgx_report
 pub const REPORT_DATA_V1: u8 = 1;
 
 #[derive(Debug, Serialize, Deserialize)]
-pub enum VerifiableQuote {
+pub enum RAType {
+    IAS,
+    DCAP,
+}
+
+impl RAType {
+    pub fn as_u32(&self) -> u32 {
+        match self {
+            Self::IAS => 1,
+            Self::DCAP => 2,
+        }
+    }
+    pub fn from_u32(v: u32) -> Result<Self, Error> {
+        match v {
+            1 => Ok(Self::IAS),
+            2 => Ok(Self::DCAP),
+            _ => Err(Error::invalid_ra_type(v)),
+        }
+    }
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(tag = "type")]
+pub enum RAQuote {
     IAS(IASSignedReport),
     DCAP(DCAPQuote),
 }
 
-impl VerifiableQuote {
+impl RAQuote {
+    pub fn ra_type(&self) -> RAType {
+        match self {
+            RAQuote::IAS(_) => RAType::IAS,
+            RAQuote::DCAP(_) => RAType::DCAP,
+        }
+    }
+
     pub fn attested_at(&self) -> Result<Time, Error> {
         match self {
-            VerifiableQuote::IAS(report) => report.get_avr()?.attestation_time(),
-            VerifiableQuote::DCAP(quote) => Ok(quote.attested_at),
+            RAQuote::IAS(report) => report.get_avr()?.attestation_time(),
+            RAQuote::DCAP(quote) => Ok(quote.attested_at),
         }
     }
+
+    pub fn from_json(json: &str) -> Result<Self, Error> {
+        serde_json::from_str(json).map_err(Error::serde_json)
+    }
+
+    pub fn to_json(&self) -> Result<String, Error> {
+        serde_json::to_string(self).map_err(Error::serde_json)
+    }
 }
 
-impl From<IASSignedReport> for VerifiableQuote {
+impl From<IASSignedReport> for RAQuote {
     fn from(report: IASSignedReport) -> Self {
-        VerifiableQuote::IAS(report)
+        RAQuote::IAS(report)
     }
 }
 
-impl From<DCAPQuote> for VerifiableQuote {
+impl From<DCAPQuote> for RAQuote {
     fn from(quote: DCAPQuote) -> Self {
-        VerifiableQuote::DCAP(quote)
+        RAQuote::DCAP(quote)
     }
 }
 

modules/attestation-report/src/report.rs

@@ -1,4 +1,5 @@
 use crate::{EnclavePrimitiveAPI, Result};
+use attestation_report::RAType;
 use ecall_commands::{
     AggregateMessagesInput, AggregateMessagesResponse, Command, CommandResponse,
     EnclaveManageCommand, EnclaveManageResponse, GenerateEnclaveKeyInput,
@@ -14,6 +15,7 @@ pub trait EnclaveCommandAPI<S: CommitStore>: EnclavePrimitiveAPI<S> {
     fn generate_enclave_key(
         &self,
         input: GenerateEnclaveKeyInput,
+        is_target_qe3: bool,
     ) -> Result<GenerateEnclaveKeyResponse> {
         let res = match self.execute_command(
             Command::EnclaveManage(EnclaveManageCommand::GenerateEnclaveKey(input)),
@@ -22,8 +24,15 @@ pub trait EnclaveCommandAPI<S: CommitStore>: EnclavePrimitiveAPI<S> {
             CommandResponse::EnclaveManage(EnclaveManageResponse::GenerateEnclaveKey(res)) => res,
             _ => unreachable!(),
         };
-        self.get_key_manager()
-            .save(res.sealed_ek.clone(), res.report)?;
+        self.get_key_manager().save(
+            res.sealed_ek.clone(),
+            res.report,
+            if is_target_qe3 {
+                RAType::DCAP
+            } else {
+                RAType::IAS
+            },
+        )?;
         Ok(res)
     }