Make remote_attestation crate no_std compatible

Author: conradgrobler

Cargo.lock

@@ -13,6 +13,7 @@ oak_remote_attestation = { path = "../remote_attestation/rust/" }
 oak_functions_abi = { path = "../oak_functions/abi/" }
 prost = "*"
 prost-types = "*"
+serde = { version = "*", features = ["derive"] }
 tokio = { version = "*", features = [
   "fs",
   "macros",

grpc_attestation/Cargo.toml

@@ -5,15 +5,17 @@ authors = ["Ivan Petrov <[email protected]>"]
 edition = "2021"
 license = "Apache-2.0"
 
+[features]
+default = ["alloc"]
+std = ["anyhow/std", "prost/std"]
+alloc = []
+
 [dependencies]
-anyhow = "*"
-bincode = "*"
+anyhow = { version = "*", default-features = false }
+bytes = { version = "*", default-features = false }
 log = "*"
-prost = "*"
+prost = { version = "*", default-features = false, features = ["prost-derive"] }
 ring = "*"
-serde = { version = "*", features = ["derive"] }
-serde-big-array = { version = "*", features = ["const-generics"] }
-sha2 = "*"
 
 [build-dependencies]
 prost-build = "*"

remote_attestation/rust/Cargo.toml

@@ -14,11 +14,10 @@
 // limitations under the License.
 //
 
-fn main() -> Result<(), Box<dyn std::error::Error>> {
+fn main() {
     prost_build::compile_protos(
         &["remote_attestation/proto/remote_attestation.proto"],
         &["../.."],
     )
     .expect("Proto compilation failed");
-    Ok(())
 }

remote_attestation/rust/build.rs

@@ -20,16 +20,17 @@
 // protocol.
 
 use crate::message::EncryptedData;
+use alloc::vec::Vec;
 use anyhow::{anyhow, Context};
+use core::convert::TryInto;
 use ring::{
     aead::{self, BoundKey},
     agreement,
+    digest::{digest, SHA256},
     hkdf::{Salt, HKDF_SHA256},
     rand::{SecureRandom, SystemRandom},
     signature::{EcdsaKeyPair, EcdsaSigningAlgorithm, EcdsaVerificationAlgorithm, KeyPair},
 };
-use sha2::{digest::Digest, Sha256};
-use std::convert::TryInto;
 
 /// Length of the encryption nonce.
 /// `ring::aead` uses 96-bit (12-byte) nonces.
@@ -193,7 +194,7 @@ impl KeyNegotiator {
             .map_err(|error| anyhow!("Couldn't get public key: {:?}", error))?
             .as_ref()
             .to_vec();
-        public_key.as_slice().try_into().context(format!(
+        public_key.as_slice().try_into().context(alloc::format!(
             "Incorrect public key length, expected {}, found {}",
             KEY_AGREEMENT_ALGORITHM_KEY_LENGTH,
             public_key.len()
@@ -234,7 +235,7 @@ impl KeyNegotiator {
             &agreement::UnparsedPublicKey::new(KEY_AGREEMENT_ALGORITHM, peer_public_key),
             anyhow!("Couldn't derive session keys"),
             |key_material| {
-                let key_material = key_material.try_into().context(format!(
+                let key_material = key_material.try_into().context(alloc::format!(
                     "Incorrect key material length, expected {}, found {}",
                     KEY_AGREEMENT_ALGORITHM_KEY_LENGTH,
                     key_material.len()
@@ -298,7 +299,7 @@ impl KeyNegotiator {
         client_public_key: &[u8; KEY_AGREEMENT_ALGORITHM_KEY_LENGTH],
     ) -> anyhow::Result<[u8; AEAD_ALGORITHM_KEY_LENGTH]> {
         // Session key is derived from a purpose string and two public keys.
-        let info = vec![key_purpose.as_bytes(), server_public_key, client_public_key];
+        let info = alloc::vec![key_purpose.as_bytes(), server_public_key, client_public_key];
 
         // Initialize key derivation function.
         let salt = Salt::new(HKDF_SHA256, KEY_DERIVATION_SALT.as_bytes());
@@ -339,6 +340,7 @@ pub struct Signer {
 
 impl Signer {
     pub fn create() -> anyhow::Result<Self> {
+        // TODO(#2557): Ensure SystemRandom work when building for x86_64 UEFI targets.
         let rng = ring::rand::SystemRandom::new();
         let key_pair_pkcs8 = EcdsaKeyPair::generate_pkcs8(SIGNING_ALGORITHM, &rng)
             .map_err(|error| anyhow!("Couldn't generate PKCS#8 key pair: {:?}", error))?;
@@ -350,7 +352,7 @@ impl Signer {
 
     pub fn public_key(&self) -> anyhow::Result<[u8; SIGNING_ALGORITHM_KEY_LENGTH]> {
         let public_key = self.key_pair.public_key().as_ref().to_vec();
-        public_key.as_slice().try_into().context(format!(
+        public_key.as_slice().try_into().context(alloc::format!(
             "Incorrect public key length, expected {}, found {}",
             SIGNING_ALGORITHM_KEY_LENGTH,
             public_key.len()
@@ -365,7 +367,7 @@ impl Signer {
             .map_err(|error| anyhow!("Couldn't sign input: {:?}", error))?
             .as_ref()
             .to_vec();
-        signature.as_slice().try_into().context(format!(
+        signature.as_slice().try_into().context(alloc::format!(
             "Incorrect signature length, expected {}, found {}",
             SIGNATURE_LENGTH,
             signature.len()
@@ -397,11 +399,8 @@ impl SignatureVerifier {
 
 /// Computes a SHA-256 digest of `input` and returns it in a form of raw bytes.
 pub fn get_sha256(input: &[u8]) -> [u8; SHA256_HASH_LENGTH] {
-    let mut hasher = Sha256::new();
-    hasher.update(&input);
-    hasher
-        .finalize()
-        .as_slice()
+    digest(&SHA256, input)
+        .as_ref()
         .try_into()
         .expect("Incorrect SHA-256 hash length")
 }

remote_attestation/rust/src/crypto.rs

@@ -34,6 +34,7 @@ use crate::{
     },
     proto::{AttestationInfo, AttestationReport},
 };
+use alloc::{boxed::Box, vec::Vec};
 use anyhow::{anyhow, Context};
 use prost::Message;
 
@@ -54,8 +55,8 @@ impl Default for ClientHandshakerState {
     }
 }
 
-impl std::fmt::Debug for ClientHandshakerState {
-    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+impl core::fmt::Debug for ClientHandshakerState {
+    fn fmt(&self, f: &mut core::fmt::Formatter) -> core::fmt::Result {
         match self {
             Self::Initializing => write!(f, "Initializing"),
             Self::ExpectingServerIdentity(_) => write!(f, "ExpectingServerIdentity"),
@@ -81,8 +82,8 @@ impl Default for ServerHandshakerState {
     }
 }
 
-impl std::fmt::Debug for ServerHandshakerState {
-    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+impl core::fmt::Debug for ServerHandshakerState {
+    fn fmt(&self, f: &mut core::fmt::Formatter) -> core::fmt::Result {
         match self {
             Self::ExpectingClientHello => write!(f, "ExpectingClientHello"),
             Self::ExpectingClientIdentity(_) => write!(f, "ExpectingClientIdentity"),
@@ -131,7 +132,7 @@ impl ClientHandshaker {
             deserialize_message(message).context("Couldn't deserialize message")?;
         match deserialized_message {
             MessageWrapper::ServerIdentity(server_identity) => {
-                match std::mem::take(&mut self.state) {
+                match core::mem::take(&mut self.state) {
                     ClientHandshakerState::ExpectingServerIdentity(key_negotiator) => {
                         let client_identity = self
                             .process_server_identity(server_identity, key_negotiator)
@@ -303,7 +304,7 @@ impl ClientHandshaker {
                 // Signing public key.
                 [Default::default(); SIGNING_ALGORITHM_KEY_LENGTH],
                 // Attestation info.
-                vec![],
+                alloc::vec![],
             )
         };
 
@@ -380,7 +381,7 @@ impl ServerHandshaker {
                 )),
             },
             MessageWrapper::ClientIdentity(client_identity) => {
-                match std::mem::take(&mut self.state) {
+                match core::mem::take(&mut self.state) {
                     ServerHandshakerState::ExpectingClientIdentity(key_negotiator) => {
                         self.process_client_identity(client_identity, key_negotiator)
                             .context("Couldn't process client identity message")?;
@@ -484,9 +485,9 @@ impl ServerHandshaker {
                 // Signing public key.
                 [Default::default(); SIGNING_ALGORITHM_KEY_LENGTH],
                 // Attestation info.
-                vec![],
+                alloc::vec![],
                 // Additional info.
-                vec![],
+                alloc::vec![],
             )
         };
 
@@ -602,8 +603,8 @@ pub struct AttestationBehavior {
     signer: Option<Signer>,
 }
 
-impl std::fmt::Debug for AttestationBehavior {
-    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+impl core::fmt::Debug for AttestationBehavior {
+    fn fmt(&self, f: &mut core::fmt::Formatter) -> core::fmt::Result {
         match (
             self.contains_peer_attestation(),
             self.contains_self_attestation(),
@@ -680,7 +681,9 @@ struct Transcript {
 
 impl Transcript {
     pub fn new() -> Self {
-        Self { value: vec![] }
+        Self {
+            value: alloc::vec![],
+        }
     }
 
     /// Appends a serialized `message` to the end of [`Transcript::value`].
@@ -732,6 +735,7 @@ pub fn verify_attestation_info(
     expected_tee_measurement: &[u8],
 ) -> anyhow::Result<()> {
     let attestation_info = AttestationInfo::decode(attestation_info_bytes)
+        .map_err(anyhow::Error::msg)
         .context("Couldn't decode attestation info Protobuf message")?;
 
     // TODO(#1867): Add remote attestation support, use real TEE reports and check that
@@ -760,6 +764,7 @@ pub fn serialize_protobuf<M: prost::Message>(message: &M) -> anyhow::Result<Vec<
     let mut message_bytes = Vec::new();
     message
         .encode(&mut message_bytes)
+        .map_err(anyhow::Error::msg)
         .context("Couldn't serialize Protobuf message to bytes")?;
     Ok(message_bytes)
 }

remote_attestation/rust/src/handshaker.rs

@@ -14,6 +14,11 @@
 // limitations under the License.
 //
 
+#![cfg_attr(not(feature = "std"), no_std)]
+#![feature(exclusive_range_pattern)]
+
+extern crate alloc;
+
 pub mod proto {
     #![allow(clippy::return_self_not_must_use)]
     include!(concat!(env!("OUT_DIR"), "/oak.remote_attestation.rs"));