veracruz-project
diff --git a/‎docker/attested-tls/Makefile
Lines changed: 58 additions & 0 deletions b/‎docker/attested-tls/Makefile
Lines changed: 58 additions & 0 deletions
diff --git a/‎docker/attested-tls/attester/attester.Dockerfile
Lines changed: 191 additions & 0 deletions b/‎docker/attested-tls/attester/attester.Dockerfile
Lines changed: 191 additions & 0 deletions
diff --git a/‎docker/attested-tls/attester/comid-pcr.json
Lines changed: 65 additions & 0 deletions b/‎docker/attested-tls/attester/comid-pcr.json
Lines changed: 65 additions & 0 deletions
diff --git a/‎docker/attested-tls/attester/corim.json
Lines changed: 6 additions & 0 deletions b/‎docker/attested-tls/attester/corim.json
Lines changed: 6 additions & 0 deletions
diff --git a/‎docker/attested-tls/attester/endorse.sh
Lines changed: 17 additions & 0 deletions b/‎docker/attested-tls/attester/endorse.sh
Lines changed: 17 additions & 0 deletions
diff --git a/‎docker/attested-tls/attester/handshake.sh
Lines changed: 5 additions & 0 deletions b/‎docker/attested-tls/attester/handshake.sh
Lines changed: 5 additions & 0 deletions
diff --git a/‎docker/attested-tls/attester/parsec-config.toml
Lines changed: 33 additions & 0 deletions b/‎docker/attested-tls/attester/parsec-config.toml
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,58 @@
+.DEFAULT_GOAL := help
+
+# command line can override this
+ENV_FILE ?= demo.env
+
+DC := docker-compose --env-file $(ENV_FILE)
+
+NODES := $(shell $(DC) config --services | sed -e 's/_/-/g' | xargs)
+
+define interactive_shell_template
+sh-$(1): start ; docker exec -ti $(1) bash
+endef
+
+$(foreach node,$(NODES),$(eval $(call interactive_shell_template,$(node))))
+
+define logs
+logs-$(1): start ; $(DC) logs $(1)
+endef
+
+ifdef BUILD
+	BUILD_FLAGS := --build --progress=plain
+endif
+
+$(foreach node,$(NODES),$(eval $(call logs,$(node))))
+
+start: veraison-build-containers
+	$(DC) up -d $(BUILD_FLAGS)
+
+stop:
+	$(DC) down --remove-orphans
+
+show-logs:
+	$(DC) logs
+
+top:
+	$(DC) top
+
+endorse: start
+	$(DC) exec attester /root/endorse.sh
+
+handshake: start
+	$(DC) exec attester /root/handshake.sh
+
+help:
+	@echo "available targets:"
+	@echo
+	@echo "  start      start the demo environment (containers, network, volumes, etc.)"
+	@echo "             do \"make BUILD=true start\" to force building the containers"
+	@echo "  endorse    collect keys and reference values from the attester and provision the verifier"
+	@echo "  handshake  run an attested TLS handshake and exchange minimal application data between attester and verifier"
+	@echo "  stop       tear down the demo environment"
+	@echo "  show-logs  show logs for all the containers"
+	@echo "  log-<node> show logs for the specific container"
+	@echo "  sh-<node>  start an interactive shell in the container"
+	@echo
+	@echo "nodes: $(NODES)"
+
+include build/veraison.mk
@@ -0,0 +1,191 @@
+from ${DOCKER_ARCH}golang:1.19 AS go_builder
+
+RUN apt-get update && \
+    apt-get install -y wget curl vim git && \
+    apt-get clean
+
+RUN set -eux; \
+    echo "iteration 0"; \
+    git clone https://github.com/veracruz-project/proxy_attestation_server.git --branch main --tags ; \
+    cd proxy_attestation_server; \
+    git checkout v0.2.1; \
+    go build -o ./vts/vts -ldflags "-X 'github.com/veraison/services/config.SchemeLoader=builtin'" github.com/veraison/services/vts/cmd/vts-service; \
+    go build -o ./provisioning/provisioning -ldflags "-X 'github.com/veraison/services/config.SchemeLoader=builtin'" github.com/veraison/services/provisioning/cmd/provisioning-service; \
+    go build .; \
+    ls
+
+from ${DOCKER_ARCH}golang:1.19 AS corim_builder
+
+RUN set -eux; \
+    go install github.com/veraison/corim/cocli@latest
+
+COPY MyComidPsaIak.json /go/
+COPY corimMini.json /go/
+RUN pwd
+RUN cocli comid create --template MyComidPsaIak.json
+RUN cocli corim create -m MyComidPsaIak.cbor -t corimMini.json -o psa_corim.cbor
+RUN mkdir /opt/veraison/; \
+    mkdir /opt/veraison/vts; \
+    mkdir /opt/veraison/vts/plugins; \
+    mkdir /opt/veraison/provisioning; \
+    mkdir /opt/veraison/provisioning/plugins; \
+    mkdir ~/example/
+
+COPY --from=go_builder /go/proxy_attestation_server/vts /opt/veraison/vts/
+COPY --from=go_builder /go/proxy_attestation_server/provisioning /opt/veraison/provisioning/
+COPY --from=go_builder /go/proxy_attestation_server/proxy_attestation_server /opt/veraison/
+#COPY --from=corim_builder /go/psa_corim.cbor /opt/veraison/
+
+COPY vts_config.yaml /opt/veraison/vts/config.yaml
+COPY --from=go_builder /go/proxy_attestation_server/vts/skey.jwk /opt/veraison/vts/
+COPY provisioning_config.yaml /opt/veraison/provisioning/config.yaml
+
+
+FROM ubuntu:20.04
+
+ARG TARGETARCH
+ENV PKG_CONFIG_PATH /usr/local/lib/pkgconfig
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt update
+RUN apt install -y autoconf-archive libcmocka0 libcmocka-dev procps
+RUN apt install -y iproute2 build-essential git pkg-config gcc libtool automake libssl-dev uthash-dev doxygen libjson-c-dev
+RUN apt install -y --fix-missing wget python3 cmake clang
+RUN apt install -y libini-config-dev libcurl4-openssl-dev curl libgcc1
+RUN apt install -y python3-distutils libclang-12-dev protobuf-compiler python3-pip 
+RUN apt install -y openssl
+RUN pip3 install Jinja2
+RUN apt-get -y install tzdata
+
+WORKDIR /tmp
+
+# Download and install TSS 2.0
+RUN git clone https://github.com/tpm2-software/tpm2-tss.git --branch 3.2.2
+RUN cd tpm2-tss \
+	&& ./bootstrap \
+	&& ./configure \
+	&& make -j$(nproc) \
+	&& make install \
+	&& ldconfig
+RUN rm -rf tpm2-tss
+
+# Download and install TPM 2.0 Tools verison 4.1.1
+RUN git clone https://github.com/tpm2-software/tpm2-tools.git --branch 4.1.1
+RUN cd tpm2-tools \
+	&& ./bootstrap \
+	&& ./configure --prefix=/usr \
+	&& make -j$(nproc) \
+	&& make install
+RUN rm -rf tpm2-tools
+
+# Download and install software TPM
+ARG ibmtpm_name=ibmtpm1637
+RUN wget -L "https://downloads.sourceforge.net/project/ibmswtpm2/$ibmtpm_name.tar.gz"
+RUN sha256sum $ibmtpm_name.tar.gz | grep ^dd3a4c3f7724243bc9ebcd5c39bbf87b82c696d1c1241cb8e5883534f6e2e327
+RUN mkdir -p $ibmtpm_name \
+	&& tar -xvf $ibmtpm_name.tar.gz -C $ibmtpm_name \
+	&& chown -R root:root $ibmtpm_name \
+	&& rm $ibmtpm_name.tar.gz
+WORKDIR $ibmtpm_name/src
+RUN sed -i 's/-DTPM_NUVOTON/-DTPM_NUVOTON $(CFLAGS)/' makefile
+RUN CFLAGS="-DNV_MEMORY_SIZE=32768 -DMIN_EVICT_OBJECTS=7" make -j$(nproc) \
+	&& cp tpm_server /usr/local/bin
+RUN rm -rf $ibmtpm_name/src $ibmtpm_name
+
+WORKDIR /tmp
+
+# Install Rust toolchain
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+ENV PATH="/root/.cargo/bin:/opt/rust/bin:${PATH}"
+
+# Install Parsec service
+RUN git clone -b attested-tls https://github.com/ionut-arm/parsec.git \
+	&& cd parsec \
+	&& git checkout 1ac2060531b391ff1f335369dc4d1e4f17aee1aa \
+	&& cargo build --release --features=tpm-provider \
+	&& cp ./target/release/parsec /usr/bin/
+RUN mkdir /etc/parsec/
+COPY parsec-config.toml /etc/parsec/config.toml
+
+# At runtime, Parsec is configured with the socket in /tmp/
+ENV PARSEC_SERVICE_ENDPOINT="unix:/tmp/parsec.sock"
+
+# Install MbedTLS (used for building purposes)
+RUN git clone https://github.com/ARMmbed/mbedtls.git
+RUN cd mbedtls \
+	&& git checkout v3.0.0 \
+	&& ./scripts/config.py crypto \
+	&& ./scripts/config.py set MBEDTLS_PSA_CRYPTO_SE_C \
+	&& make \
+	&& make install
+ENV MBEDTLS_PATH=/tmp/mbedtls
+ENV MBEDTLS_INCLUDE_DIR=$MBEDTLS_PATH/include
+
+# Build and install the Parsec C client
+RUN git clone -b attested-tls https://github.com/ionut-arm/parsec-se-driver.git
+RUN cd parsec-se-driver \
+	&& cargo build --release \
+	&& install -m 644 target/release/libparsec_se_driver.a /usr/local/lib \
+	&& mkdir -p /usr/local/include/parsec \
+	&& install -m 644 include/* /usr/local/include/parsec
+
+# Build and install QCBOR
+RUN git clone https://github.com/laurencelundblade/QCBOR
+RUN cd QCBOR \
+    && git checkout ad2f3877e16d20f0f2a8965c1a27770ef9407904 \
+	&& make \
+	&& make install
+
+# Build and install t_cose
+RUN git clone https://github.com/laurencelundblade/t_cose
+RUN cd t_cose \
+	&& env CRYPTO_LIB=/usr/local/lib/libmbedcrypto.a CRYPTO_INC="-I $MBEDTLS_INCLUDE_DIR" QCBOR_LIB="-lqcbor -lm" make -f Makefile.psa -e \
+	&& make -f Makefile.psa install
+
+# Build and install ctoken
+RUN git clone https://github.com/laurencelundblade/ctoken.git
+RUN cd ctoken \
+	&& env CRYPTO_LIB=/usr/local/lib/libmbedcrypto.a CRYPTO_INC="-I $MBEDTLS_INCLUDE_DIR" QCBOR_LIB="-lqcbor -lm" make -f Makefile.psa -e \
+	&& mkdir -p /usr/local/include/ctoken \
+	&& install -m 644  inc/ctoken/ctoken* /usr/local/include/ctoken \
+	&& install -m 644 libctoken.a /usr/local/lib
+
+# Build attester MbedTLS
+RUN cd mbedtls \
+	&& make clean \
+	&& git reset --hard HEAD \
+	&& git remote add ionut https://github.com/ionut-arm/mbedtls.git \
+	&& git fetch ionut parsec-attestation  \
+	&& git checkout f4ac7593826a506fc509c83cad73786acab1d442 \
+	&& make CFLAGS="-DCTOKEN_LABEL_CNF=8 -DCTOKEN_TEMP_LABEL_KAK_PUB=2500" LDFLAGS="-lctoken -lt_cose -lqcbor -lm -lparsec_se_driver -lpthread -ldl" \
+	&& install -m 755 programs/ssl/ssl_client2 /usr/local/bin
+
+# Install Parsec tool
+RUN git clone -b attested-tls https://github.com/ionut-arm/parsec-tool.git \
+	&& cd parsec-tool \
+	&& git checkout b123006aaeb8c3783c46b9157547453ab10a08f6 \
+	&& cargo build --release \
+	&& cp target/release/parsec-tool /usr/bin/parsec-tool
+
+# Install Go toolchain
+RUN wget -c https://go.dev/dl/go1.20.4.linux-arm64.tar.gz -O - | tar -xz -C /usr/local
+ENV PATH $PATH:/usr/local/go/bin:/root/go/bin
+
+# Install cocli
+RUN go install github.com/veraison/corim/[email protected]
+
+# Introduce scripts
+COPY endorse.sh /root/
+COPY handshake.sh /root/
+COPY start.sh /root/
+
+# Introduced platform endorsement templates
+COPY comid-pcr.json /root/
+COPY corim.json /root/
+
+WORKDIR /root/
+
+CMD /root/start.sh
+
+
+
@@ -0,0 +1,65 @@
+{
+    "tag-identity": {
+        "id": "99019224-57AA-44BC-BEF8-D36BDD6BD035"
+    },
+    "entities": [
+        {
+            "name": "Parsec",
+            "regid": "https://github.com/parallaxsecond",
+            "roles": [
+                "tagCreator",
+                "creator",
+                "maintainer"
+            ]
+        }
+    ],
+    "triples": {
+        "reference-values": [
+            {
+                "environment": {
+                    "class": {
+                        "id": {
+                            "type": "uuid",
+                            "value": "D10E4BD6-7E02-4D2C-BF1A-69AE22680478"
+                        }
+                    }
+                },
+                "measurements": [
+                    {
+                        "key": {
+                            "type": "uint",
+                            "value": 0
+                        },
+                        "value": {
+                            "digests": [
+                                "sha-256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
+                            ]
+                        }
+                    },
+                    {
+                        "key": {
+                            "type": "uint",
+                            "value": 1
+                        },
+                        "value": {
+                            "digests": [
+                                "sha-256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
+                            ]
+                        }
+                    },
+                    {
+                        "key": {
+                            "type": "uint",
+                            "value": 2
+                        },
+                        "value": {
+                            "digests": [
+                                "sha-256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
+                            ]
+                        }
+                    }
+                ]
+            }
+        ]
+    }
+}
@@ -0,0 +1,6 @@
+{
+    "corim-id": "B3EC060E-2A5B-4BC2-8F71-1DAB08CE5BE9",
+    "profiles": [
+      "tag:github.com/parallaxsecond,2023-03-03:tpm"
+    ]
+}
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -xeuf -o pipefail
+
+# Create AIK endorsement
+mkdir -p endorsement/comid
+parsec-tool create-endorsement -c "D10E4BD6-7E02-4D2C-BF1A-69AE22680478" > endorsement/comid-key.json
+cp ~/comid-pcr.json ~/corim.json endorsement/
+
+# Create the endorsement bundle and endorse
+pushd endorsement
+cocli comid create -o comid -t comid-key.json
+cocli comid create -o comid -t comid-pcr.json
+cocli corim create -t corim.json -M comid -o corim-parsec-tpm.cbor
+cocli corim submit -f corim-parsec-tpm.cbor \
+                   -s 'http://pfe:8888/endorsement-provisioning/v1/submit' \
+                   -m 'application/corim-unsigned+cbor; profile="tag:github.com/parallaxsecond,2023-03-03:tpm"'
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -xuf -o pipefail
+
+ssl_client2 client_att_type=eat server_addr=$(getent hosts relying-party | cut -d ' ' -f1) server_port=4433
@@ -0,0 +1,33 @@
+[core_settings]
+log_level = "trace"
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
+[listener]
+listener_type = "DomainSocket"
+# The timeout needs to be smaller than the test client timeout (five seconds) as it is testing
+# that the service does not hang for very big values of body or authentication length.
+timeout = 3000 # in milliseconds
+socket_path = "/tmp/parsec.sock"
+
+[authenticator]
+auth_type = "UnixPeerCredentials"
+
+[[key_manager]]
+name = "sqlite-manager"
+manager_type = "SQLite"
+sqlite_db_path = "/root/kim-mappings/sqlite/sqlite-key-info-manager.sqlite3"
+
+[[provider]]
+provider_type = "Tpm"
+key_info_manager = "sqlite-manager"
+tcti = "mssim"
+owner_hierarchy_auth = ""
+endorsement_hierarchy_auth = ""
+root_of_trust = {pcr_list = [0,1,2] , pcr_hash_alg = "Sha256"}
+attesting_key = "Ecc"