Make remote_attestation crate no_std compatible

grpc_attestation/Cargo.toml

@@ -13,6 +13,7 @@ oak_remote_attestation = { path = "../remote_attestation/rust/" }
 oak_functions_abi = { path = "../oak_functions/abi/" }
 prost = "*"
 prost-types = "*"
+serde = { version = "*", features = ["derive"] }
 tokio = { version = "*", features = [
   "fs",
   "macros",

remote_attestation/rust/Cargo.toml

@@ -5,15 +5,16 @@ authors = ["Ivan Petrov <[email protected]>"]
 edition = "2021"
 license = "Apache-2.0"
 
+[features]
+default = []
+std = ["anyhow/std", "prost/std"]
+
 [dependencies]
-anyhow = "*"
-bincode = "*"
+anyhow = { version = "*", default-features = false }
+bytes = { version = "*", default-features = false }
 log = "*"
-prost = "*"
+prost = { version = "*", default-features = false, features = ["prost-derive"] }
 ring = "*"
-serde = { version = "*", features = ["derive"] }
-serde-big-array = { version = "*", features = ["const-generics"] }
-sha2 = "*"
 
 [build-dependencies]
 prost-build = "*"

remote_attestation/rust/build.rs

@@ -14,11 +14,10 @@
 // limitations under the License.
 //
 
-fn main() -> Result<(), Box<dyn std::error::Error>> {
+fn main() {
     prost_build::compile_protos(
         &["remote_attestation/proto/remote_attestation.proto"],
         &["../.."],
     )
     .expect("Proto compilation failed");
-    Ok(())
 }

remote_attestation/rust/src/crypto.rs

@@ -20,16 +20,17 @@
 // protocol.
 
 use crate::message::EncryptedData;
+use alloc::{format, vec, vec::Vec};
 use anyhow::{anyhow, Context};
+use core::convert::TryInto;
 use ring::{
     aead::{self, BoundKey},
     agreement,
+    digest::{digest, SHA256},
     hkdf::{Salt, HKDF_SHA256},
     rand::{SecureRandom, SystemRandom},
     signature::{EcdsaKeyPair, EcdsaSigningAlgorithm, EcdsaVerificationAlgorithm, KeyPair},
 };
-use sha2::{digest::Digest, Sha256};
-use std::convert::TryInto;
 
 /// Length of the encryption nonce.
 /// `ring::aead` uses 96-bit (12-byte) nonces.
@@ -339,6 +340,7 @@ pub struct Signer {
 
 impl Signer {
     pub fn create() -> anyhow::Result<Self> {
+        // TODO(#2557): Ensure SystemRandom work when building for x86_64 UEFI targets.
         let rng = ring::rand::SystemRandom::new();
         let key_pair_pkcs8 = EcdsaKeyPair::generate_pkcs8(SIGNING_ALGORITHM, &rng)
             .map_err(|error| anyhow!("Couldn't generate PKCS#8 key pair: {:?}", error))?;
@@ -397,11 +399,8 @@ impl SignatureVerifier {
 
 /// Computes a SHA-256 digest of `input` and returns it in a form of raw bytes.
 pub fn get_sha256(input: &[u8]) -> [u8; SHA256_HASH_LENGTH] {
-    let mut hasher = Sha256::new();
-    hasher.update(&input);
-    hasher
-        .finalize()
-        .as_slice()
+    digest(&SHA256, input)
+        .as_ref()
         .try_into()
         .expect("Incorrect SHA-256 hash length")
 }

remote_attestation/rust/src/handshaker.rs

@@ -34,6 +34,7 @@ use crate::{
     },
     proto::{AttestationInfo, AttestationReport},
 };
+use alloc::{boxed::Box, vec, vec::Vec};
 use anyhow::{anyhow, Context};
 use prost::Message;
 
@@ -54,8 +55,8 @@ impl Default for ClientHandshakerState {
     }
 }
 
-impl std::fmt::Debug for ClientHandshakerState {
-    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+impl core::fmt::Debug for ClientHandshakerState {
+    fn fmt(&self, f: &mut core::fmt::Formatter) -> core::fmt::Result {
         match self {
             Self::Initializing => write!(f, "Initializing"),
             Self::ExpectingServerIdentity(_) => write!(f, "ExpectingServerIdentity"),
@@ -81,8 +82,8 @@ impl Default for ServerHandshakerState {
     }
 }
 
-impl std::fmt::Debug for ServerHandshakerState {
-    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+impl core::fmt::Debug for ServerHandshakerState {
+    fn fmt(&self, f: &mut core::fmt::Formatter) -> core::fmt::Result {
         match self {
             Self::ExpectingClientHello => write!(f, "ExpectingClientHello"),
             Self::ExpectingClientIdentity(_) => write!(f, "ExpectingClientIdentity"),
@@ -131,7 +132,7 @@ impl ClientHandshaker {
             deserialize_message(message).context("Couldn't deserialize message")?;
         match deserialized_message {
             MessageWrapper::ServerIdentity(server_identity) => {
-                match std::mem::take(&mut self.state) {
+                match core::mem::take(&mut self.state) {
                     ClientHandshakerState::ExpectingServerIdentity(key_negotiator) => {
                         let client_identity = self
                             .process_server_identity(server_identity, key_negotiator)
@@ -380,7 +381,7 @@ impl ServerHandshaker {
                 )),
             },
             MessageWrapper::ClientIdentity(client_identity) => {
-                match std::mem::take(&mut self.state) {
+                match core::mem::take(&mut self.state) {
                     ServerHandshakerState::ExpectingClientIdentity(key_negotiator) => {
                         self.process_client_identity(client_identity, key_negotiator)
                             .context("Couldn't process client identity message")?;
@@ -602,8 +603,8 @@ pub struct AttestationBehavior {
     signer: Option<Signer>,
 }
 
-impl std::fmt::Debug for AttestationBehavior {
-    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+impl core::fmt::Debug for AttestationBehavior {
+    fn fmt(&self, f: &mut core::fmt::Formatter) -> core::fmt::Result {
         match (
             self.contains_peer_attestation(),
             self.contains_self_attestation(),
@@ -732,6 +733,7 @@ pub fn verify_attestation_info(
     expected_tee_measurement: &[u8],
 ) -> anyhow::Result<()> {
     let attestation_info = AttestationInfo::decode(attestation_info_bytes)
+        .map_err(anyhow::Error::msg)
         .context("Couldn't decode attestation info Protobuf message")?;
 
     // TODO(#1867): Add remote attestation support, use real TEE reports and check that
@@ -760,6 +762,7 @@ pub fn serialize_protobuf<M: prost::Message>(message: &M) -> anyhow::Result<Vec<
     let mut message_bytes = Vec::new();
     message
         .encode(&mut message_bytes)
+        .map_err(anyhow::Error::msg)
         .context("Couldn't serialize Protobuf message to bytes")?;
     Ok(message_bytes)
 }

remote_attestation/rust/src/lib.rs

@@ -14,6 +14,10 @@
 // limitations under the License.
 //
 
+#![no_std]
+
+extern crate alloc;
+
 pub mod proto {
     #![allow(clippy::return_self_not_must_use)]
     include!(concat!(env!("OUT_DIR"), "/oak.remote_attestation.rs"));