chore(ao_app): testing attestations and verification on GCP

Author: PeterFarber

GCP-notes.md

@@ -17,9 +17,9 @@
 ## Variables
 
 ```sh
-export GCI_NAME=PETES-SEV-SNP-TEST-0
+export GCI_NAME=petes-sev-snp-test-5
 export GCI_PROJECT=arweave-437622
-export GCI_IMAGE=packer-1730219529 
+export GCI_IMAGE=packer-1731351804
 export GCI_ZONE=us-central1-a
 ```
 

certificate/amd-vcek-v1-Milan-cert_chain.pem

@@ -0,0 +1,74 @@
+-----BEGIN CERTIFICATE-----
+MIIGiTCCBDigAwIBAgIDAQABMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
+BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
+Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
+Y2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTgyNDIwWhcNNDUxMDIy
+MTgyNDIwWjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS
+BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j
+ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJU0VWLU1pbGFuMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAnU2drrNTfbhNQIllf+W2y+ROCbSzId1aKZft
+2T9zjZQOzjGccl17i1mIKWl7NTcB0VYXt3JxZSzOZjsjLNVAEN2MGj9TiedL+Qew
+KZX0JmQEuYjm+WKksLtxgdLp9E7EZNwNDqV1r0qRP5tB8OWkyQbIdLeu4aCz7j/S
+l1FkBytev9sbFGzt7cwnjzi9m7noqsk+uRVBp3+In35QPdcj8YflEmnHBNvuUDJh
+LCJMW8KOjP6++Phbs3iCitJcANEtW4qTNFoKW3CHlbcSCjTM8KsNbUx3A8ek5EVL
+jZWH1pt9E3TfpR6XyfQKnY6kl5aEIPwdW3eFYaqCFPrIo9pQT6WuDSP4JCYJbZne
+KKIbZjzXkJt3NQG32EukYImBb9SCkm9+fS5LZFg9ojzubMX3+NkBoSXI7OPvnHMx
+jup9mw5se6QUV7GqpCA2TNypolmuQ+cAaxV7JqHE8dl9pWf+Y3arb+9iiFCwFt4l
+AlJw5D0CTRTC1Y5YWFDBCrA/vGnmTnqG8C+jjUAS7cjjR8q4OPhyDmJRPnaC/ZG5
+uP0K0z6GoO/3uen9wqshCuHegLTpOeHEJRKrQFr4PVIwVOB0+ebO5FgoyOw43nyF
+D5UKBDxEB4BKo/0uAiKHLRvvgLbORbU8KARIs1EoqEjmF8UtrmQWV2hUjwzqwvHF
+ei8rPxMCAwEAAaOBozCBoDAdBgNVHQ4EFgQUO8ZuGCrD/T1iZEib47dHLLT8v/gw
+HwYDVR0jBBgwFoAUhawa0UP3yKxV1MUdQUir1XhK1FMwEgYDVR0TAQH/BAgwBgEB
+/wIBADAOBgNVHQ8BAf8EBAMCAQQwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cHM6Ly9r
+ZHNpbnRmLmFtZC5jb20vdmNlay92MS9NaWxhbi9jcmwwRgYJKoZIhvcNAQEKMDmg
+DzANBglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKID
+AgEwowMCAQEDggIBAIgeUQScAf3lDYqgWU1VtlDbmIN8S2dC5kmQzsZ/HtAjQnLE
+PI1jh3gJbLxL6gf3K8jxctzOWnkYcbdfMOOr28KT35IaAR20rekKRFptTHhe+DFr
+3AFzZLDD7cWK29/GpPitPJDKCvI7A4Ug06rk7J0zBe1fz/qe4i2/F12rvfwCGYhc
+RxPy7QF3q8fR6GCJdB1UQ5SlwCjFxD4uezURztIlIAjMkt7DFvKRh+2zK+5plVGG
+FsjDJtMz2ud9y0pvOE4j3dH5IW9jGxaSGStqNrabnnpF236ETr1/a43b8FFKL5QN
+mt8Vr9xnXRpznqCRvqjr+kVrb6dlfuTlliXeQTMlBoRWFJORL8AcBJxGZ4K2mXft
+l1jU5TLeh5KXL9NW7a/qAOIUs2FiOhqrtzAhJRg9Ij8QkQ9Pk+cKGzw6El3T3kFr
+Eg6zkxmvMuabZOsdKfRkWfhH2ZKcTlDfmH1H0zq0Q2bG3uvaVdiCtFY1LlWyB38J
+S2fNsR/Py6t5brEJCFNvzaDky6KeC4ion/cVgUai7zzS3bGQWzKDKU35SqNU2WkP
+I8xCZ00WtIiKKFnXWUQxvlKmmgZBIYPe01zD0N8atFxmWiSnfJl690B9rJpNR/fI
+ajxCW3Seiws6r1Zm+tCuVbMiNtpS9ThjNX4uve5thyfE2DgoxRFvY1CsoF5M
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGYzCCBBKgAwIBAgIDAQAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
+BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
+Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
+Y2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTcyMzA1WhcNNDUxMDIy
+MTcyMzA1WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS
+BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j
+ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLU1pbGFuMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEA0Ld52RJOdeiJlqK2JdsVmD7FktuotWwX1fNg
+W41XY9Xz1HEhSUmhLz9Cu9DHRlvgJSNxbeYYsnJfvyjx1MfU0V5tkKiU1EesNFta
+1kTA0szNisdYc9isqk7mXT5+KfGRbfc4V/9zRIcE8jlHN61S1ju8X93+6dxDUrG2
+SzxqJ4BhqyYmUDruPXJSX4vUc01P7j98MpqOS95rORdGHeI52Naz5m2B+O+vjsC0
+60d37jY9LFeuOP4Meri8qgfi2S5kKqg/aF6aPtuAZQVR7u3KFYXP59XmJgtcog05
+gmI0T/OitLhuzVvpZcLph0odh/1IPXqx3+MnjD97A7fXpqGd/y8KxX7jksTEzAOg
+bKAeam3lm+3yKIcTYMlsRMXPcjNbIvmsBykD//xSniusuHBkgnlENEWx1UcbQQrs
++gVDkuVPhsnzIRNgYvM48Y+7LGiJYnrmE8xcrexekBxrva2V9TJQqnN3Q53kt5vi
+Qi3+gCfmkwC0F0tirIZbLkXPrPwzZ0M9eNxhIySb2npJfgnqz55I0u33wh4r0ZNQ
+eTGfw03MBUtyuzGesGkcw+loqMaq1qR4tjGbPYxCvpCq7+OgpCCoMNit2uLo9M18
+fHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXoQPHfbkH0CyPfhl1j
+WhJFZasCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSFrBrRQ/fI
+rFXUxR1BSKvVeErUUzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG
+KWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvTWlsYW4vY3JsMEYGCSqG
+SIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI
+AWUDBAICBQCiAwIBMKMDAgEBA4ICAQC6m0kDp6zv4Ojfgy+zleehsx6ol0ocgVel
+ETobpx+EuCsqVFRPK1jZ1sp/lyd9+0fQ0r66n7kagRk4Ca39g66WGTJMeJdqYriw
+STjjDCKVPSesWXYPVAyDhmP5n2v+BYipZWhpvqpaiO+EGK5IBP+578QeW/sSokrK
+dHaLAxG2LhZxj9aF73fqC7OAJZ5aPonw4RE299FVarh1Tx2eT3wSgkDgutCTB1Yq
+zT5DuwvAe+co2CIVIzMDamYuSFjPN0BCgojl7V+bTou7dMsqIu/TW/rPCX9/EUcp
+KGKqPQ3P+N9r1hjEFY1plBg93t53OOo49GNI+V1zvXPLI6xIFVsh+mto2RtgEX/e
+pmMKTNN6psW88qg7c1hTWtN6MbRuQ0vm+O+/2tKBF2h8THb94OvvHHoFDpbCELlq
+HnIYhxy0YKXGyaW1NjfULxrrmxVW4wcn5E8GddmvNa6yYm8scJagEi13mhGu4Jqh
+3QU3sf8iUSUr09xQDwHtOQUVIqx4maBZPBtSMf+qUDtjXSSq8lfWcd8bLr9mdsUn
+JZJ0+tuPMKmBnSH860llKk+VpVQsgqbzDIvOLvD6W1Umq25boxCYJ+TuBoa4s+HH
+CViAvgT9kf/rBq1d+ivj6skkHxuzcxbk1xv6ZGxrteJxVH7KlX7YRdZ6eARKwLe4
+AFZEAwoKCQ==
+-----END CERTIFICATE-----

packer.pkr.hcl

@@ -41,27 +41,45 @@ source "googlecompute" "ubuntu" {
 build {
   sources = ["source.googlecompute.ubuntu"]
 
-  # Add a provisioner to download and install go-tpm-tools
+  # # Add a provisioner to download and install go-tpm-tools
+  # provisioner "shell" {
+  #   inline = [
+  #     "sudo apt-get update -y",
+  #     "sudo apt-get install -y wget tar",
+
+  #     # Download the go-tpm-tools binary archive
+  #     "wget https://github.com/google/go-tpm-tools/releases/download/v0.4.4/go-tpm-tools_Linux_x86_64.tar.gz -O /tmp/go-tpm-tools.tar.gz",
+      
+  #     # Extract the binary
+  #     "tar -xzf /tmp/go-tpm-tools.tar.gz -C /tmp",
+
+  #     # Move the gotpm binary to /usr/local/bin
+  #     "sudo mv /tmp/gotpm /usr/local/bin/",
+      
+  #     # Clean up
+  #     "rm -f /tmp/go-tpm-tools.tar.gz /tmp/LICENSE /tmp/README.md"
+  #   ]
+  # }
+
+  # Add a provisioner to install Rust and snpguest
   provisioner "shell" {
     inline = [
-      "sudo apt-get update -y",
-      "sudo apt-get install -y wget tar",
-
-      # Download the go-tpm-tools binary archive
-      "wget https://github.com/google/go-tpm-tools/releases/download/v0.4.4/go-tpm-tools_Linux_x86_64.tar.gz -O /tmp/go-tpm-tools.tar.gz",
-
-      # Extract the binary
-      "tar -xzf /tmp/go-tpm-tools.tar.gz -C /tmp",
+      # Install Rust
+      "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y",
+      ". ~/.cargo/env",
 
-      # Move the gotpm binary to /usr/local/bin
-      "sudo mv /tmp/gotpm /usr/local/bin/",
-
-      # Clean up
-      "rm -f /tmp/go-tpm-tools.tar.gz /tmp/LICENSE /tmp/README.md"
+      # Install snpguest
+      "sudo apt-get update -y",
+      "sudo apt-get install -y build-essential",
+      "git clone https://github.com/virtee/snpguest.git",
+      "cd snpguest",
+      "cargo build -r",
+      "sudo cp target/release/snpguest /usr/local/bin/",
+      "cd ..",
+      "rm -rf snpguest"
     ]
   }
 
-
   # Upload the pre-built release (with ERTS included) to the instance
   provisioner "file" {
     source      = "./_build/default/rel/ao"
@@ -73,7 +91,7 @@ build {
       # Move the release to /opt with sudo
       "sudo mv /tmp/ao /opt/ao",
       "sudo chmod -R 755 /opt/ao",
-
+      
       # Create a symlink to make it easier to run the app
       "sudo ln -s /opt/ao/bin/ao /usr/local/bin/ao",
 
@@ -86,19 +104,18 @@ build {
       "echo 'Restart=on-failure' | sudo tee -a /etc/systemd/system/ao.service",
       "echo '[Install]' | sudo tee -a /etc/systemd/system/ao.service",
       "echo 'WantedBy=multi-user.target' | sudo tee -a /etc/systemd/system/ao.service",
-
+      
       # Enable and start the service
       "sudo systemctl enable ao",
       "sudo systemctl start ao"
     ]
   }
 
-  # Disable ssh
+  # Disable ssh if desired
   # provisioner "shell" {
-  #  inline = [
-  #    "sudo systemctl stop ssh",
-  #    "sudo systemctl disable ssh"
-  #  ]
+  #   inline = [
+  #     "sudo systemctl stop ssh",
+  #     "sudo systemctl disable ssh"
+  #   ]
   # }
 }
-

rebar.config

@@ -45,7 +45,7 @@
 {eunit_opts, [verbose]}.
 
 {relx, [
-    {release, {'ao', "0.0.1"}, [ao, jiffy, cowboy, gun, gproc, b64fast]},
+    {release, {'ao', "0.0.1"}, [ao, jiffy, cowboy, b64fast]},
     {include_erts, true},
     {extended_start_script, true}
   ]}.

src/ao_app.erl

@@ -8,73 +8,12 @@
 -behaviour(application).
 
 -export([start/2, stop/1]).
--export([attest_key/0]).
-
--include("include/ao.hrl").
-
--ao_debug(print).
 
 start(_StartType, _StartArgs) ->
-    attest_key(),
     ao_sup:start_link(),
     ok = su_registry:start(),
     _TimestampServer = su_timestamp:start(),
     {ok, _} = ao_http_router:start().
 
 stop(_State) ->
     ok.
-
-attest_key() ->
-    W = ao:wallet(),
-    Addr = ar_wallet:to_address(W),
-
-    % Pad the address to 32 bytes (64 hex characters) for the TPM nonce
-    Nonce = pad_to_size(Addr, 32),
-
-    % Pad the address to 64 bytes (128 hex characters) for the TEE nonce
-    TeeNonce = pad_to_size(Addr, 64),
-
-    % Determine tee-technology based on the existence of TEE devices
-    TeeTech = case os:cmd("test -e /dev/tdx_guest && echo tdx || (test -e /dev/sev_guest && echo sev-snp)") of
-        "tdx\n" -> "tdx";
-        "sev-snp\n" -> "sev-snp";
-        _ -> {error, "No TEE device found"}
-    end,
-
-    % Proceed if a valid TEE technology is found
-    case TeeTech of
-        {error, _} -> {error, "Required TEE device not found"};
-        _ ->
-            Cmd = lists:flatten(io_lib:format("sudo gotpm attest --key AK --nonce ~s --tee-nonce ~s --tee-technology ~s", [Nonce, TeeNonce, TeeTech])),
-            CommandResult = os:cmd(Cmd),
-            case is_list(CommandResult) of
-                true ->
-                    % If CommandResult is a list of integers, convert it to binary
-                    BinaryResult = list_to_binary(CommandResult),
-                    ?c(BinaryResult),
-                    Signed = ar_bundles:sign_item(
-                        #tx{
-                            tags = [
-                                {<<"Type">>, <<"TEE-Attestation">>},
-                                {<<"Address">>, ar_util:id(Addr)}
-                            ],
-                            data = BinaryResult
-                        },
-                        W
-                    ),
-                    ?c(Signed),
-                    ao_client:upload(Signed),
-                    ok;
-                false ->
-                    {error, "Unexpected output format from gotpm attest command"}
-            end
-    end.
-
-% Pads an address to the specified byte size (in hex characters)
-pad_to_size(Addr, SizeInBytes) ->
-    HexAddr = binary:encode_hex(Addr),
-    RequiredLength = SizeInBytes * 2,  % Convert bytes to hex characters
-    Padding = RequiredLength - byte_size(HexAddr),
-    lists:duplicate(Padding, $0) ++ HexAddr.
-
-%% internal functions

src/sec.erl

@@ -0,0 +1,105 @@
+%%%---------------------------------------------------------------------
+%%% Module: sec
+%%%---------------------------------------------------------------------
+%%% Purpose: 
+%%% This module handles the generation and verification of attestation 
+%%% reports using both TPM and SEV-SNP. It combines attestation reports 
+%%% from both technologies into a single binary and provides functionality 
+%%% to verify the combined reports. 
+%%%
+%%% It uses the `sec_tpm` and `sec_tee` modules to interact with the TPM 
+%%% hardware and SEV-SNP for generating and verifying attestation reports.
+%%%---------------------------------------------------------------------
+%%% Exports
+%%%---------------------------------------------------------------------
+%%% generate_attestation(Nonce)
+%%%   Generates a combined attestation report using the provided nonce.
+%%%   It generates attestation reports from both TPM and SEV-SNP, calculates
+%%%   their sizes, creates a header containing the sizes, and combines them 
+%%%   into a single binary.
+%%%
+%%% verify_attestation(AttestationBinary)
+%%%   Verifies the provided attestation binary by extracting the TPM and 
+%%%   SEV-SNP reports, verifying them using their respective verification 
+%%%   methods, and then combining the results into a single binary.
+%%%---------------------------------------------------------------------
+
+-module(sec).
+-export([generate_attestation/1, verify_attestation/1]).
+
+-include("include/ao.hrl").
+
+-ao_debug(print).
+
+%% Generate attestation based on the provided nonce (both TPM and SEV-SNP)
+generate_attestation(Nonce) ->
+    ?c({"Generating TPM attestation..."}),
+
+    case sec_tpm:generate_attestation(Nonce) of
+        {ok, TPMAttestation} ->
+            ?c({"TPM attestation generated, size:", byte_size(TPMAttestation)}),
+
+            ?c({"Generating SEV-SNP attestation..."}),
+
+            case sec_tee:generate_attestation(Nonce) of
+                {ok, TEEAttestation} ->
+                    ?c({"SEV-SNP attestation generated, size:", byte_size(TEEAttestation)}),
+
+                    %% Calculate sizes of the two attestation binaries
+                    TPMSize = byte_size(TPMAttestation),
+                    TEESize = byte_size(TEEAttestation),
+
+                    %% Create the header containing the sizes
+                    Header = <<TPMSize:32/unit:8, TEESize:32/unit:8>>,
+                    ?c({"Header created, TPMSize:", TPMSize, "TEESize:", TEESize}),
+
+                    %% Combine the header with the two attestation binaries
+                    CombinedAttestation = <<Header/binary, TPMAttestation/binary, TEEAttestation/binary>>,
+                    ?c({"Combined attestation binary created, total size:", byte_size(CombinedAttestation)}),
+
+                    {ok, CombinedAttestation};
+
+                {error, Reason} ->
+                    ?c({"Error generating SEV-SNP attestation:", Reason}),
+                    {error, Reason}
+            end;
+
+        {error, Reason} ->
+            ?c({"Error generating TPM attestation:", Reason}),
+            {error, Reason}
+    end.
+
+%% Verify attestation report based on the provided binary (both TPM and SEV-SNP)
+verify_attestation(AttestationBinary) ->
+    ?c("Verifying attestation..."),
+
+    %% Extract the header (size info) and the attestation binaries
+    <<TPMSize:32/unit:8, TEESize:32/unit:8, Rest/binary>> = AttestationBinary,
+    ?c({"Header extracted, TPMSize:", TPMSize, "TEESize:", TEESize}),
+
+    %% Extract the TPM and SEV-SNP attestation binaries based on their sizes
+    <<TPMAttestation:TPMSize/binary, TEEAttestation:TEESize/binary>> = Rest,
+    ?c({"Extracted TPM and SEV-SNP attestation binaries"}),
+
+    %% Verify TPM attestation
+    case sec_tpm:verify_attestation(TPMAttestation) of
+        {ok, _TPMVerification} ->
+            ?c({"TPM attestation verification completed"}),
+
+            %% Verify SEV-SNP attestation
+            case sec_tee:verify_attestation(TEEAttestation) of
+                {ok, _TEEVerification} ->
+                    ?c({"SEV-SNP attestation verification completed"}),
+
+                    %% Return success if both verifications succeeded
+                    {ok, "Verified"};
+
+                {error, Reason} ->
+                    ?c({"Error verifying SEV-SNP attestation:", Reason}),
+                    {error, Reason}
+            end;
+
+        {error, Reason} ->
+            ?c({"Error verifying TPM attestation:", Reason}),
+            {error, Reason}
+    end.