AA: apply for initdata

This commit deletes UpdateConfiguration API for AA, also adds a new cmdline parameter `--initdata` for AA to check initdata when launching. The two changes are for initdata feature. Signed-off-by: Xynnn007 <[email protected]>
Xynnn007 · Aug 9, 2024 · 1e7ba44 · 1e7ba44
1 parent 04be400
commit 1e7ba44
Show file tree

Hide file tree

Showing 10 changed files with 80 additions and 621 deletions.
diff --git a/attestation-agent/attestation-agent/src/bin/grpc-aa/main.rs b/attestation-agent/attestation-agent/src/bin/grpc-aa/main.rs
@@ -6,7 +6,8 @@
 mod server;
 
 use anyhow::*;
-use attestation_agent::AttestationAgent;
+use attestation_agent::{AttestationAPIs, AttestationAgent};
+use base64::Engine;
 use clap::Parser;
 use log::{debug, info};
 use tokio::signal::unix::{signal, SignalKind};
@@ -35,6 +36,14 @@ struct Cli {
     /// `--config /etc/attestation-agent.conf`
     #[arg(short, long)]
     config_file: Option<String>,
+
+    /// Initdata to be verified by AA. If initdata check failed, AA will failed to launch.
+    /// The initdata should be base64 standard encoding.
+    ///
+    /// Example:
+    /// `--initdata AAAAAAAAAAAA`
+    #[arg(short, long)]
+    initdata: Option<String>,
 }
 
 #[tokio::main]
@@ -45,6 +54,23 @@ pub async fn main() -> Result<()> {
     let attestation_socket = cli.attestation_sock.parse::<SocketAddr>()?;
 
     let mut aa = AttestationAgent::new(cli.config_file.as_deref()).context("start AA")?;
+    if let Some(initdata) = cli.initdata {
+        info!("Initdata is given by parameter, try to check.");
+        let initdata = base64::engine::general_purpose::STANDARD
+            .decode(&initdata)
+            .context("base64 decode initdata")?;
+        let res = aa
+            .check_init_data(&initdata)
+            .await
+            .context("check initdata")?;
+        match res {
+            attester::InitdataResult::Ok => info!("Check initdata passed."),
+            attester::InitdataResult::Unsupported => {
+                info!("Platform does not support initdata checking. Jumping.")
+            }
+        }
+    }
+
     aa.init().await.context("init AA")?;
     debug!(
         "Attestation gRPC service listening on: {:?}",

diff --git a/attestation-agent/attestation-agent/src/bin/grpc-aa/server.rs b/attestation-agent/attestation-agent/src/bin/grpc-aa/server.rs
@@ -10,8 +10,7 @@ use attestation::attestation_agent_service_server::{
 use attestation::{
     CheckInitDataRequest, CheckInitDataResponse, ExtendRuntimeMeasurementRequest,
     ExtendRuntimeMeasurementResponse, GetEvidenceRequest, GetEvidenceResponse, GetTeeTypeRequest,
-    GetTeeTypeResponse, GetTokenRequest, GetTokenResponse, UpdateConfigurationRequest,
-    UpdateConfigurationResponse,
+    GetTeeTypeResponse, GetTokenRequest, GetTokenResponse,
 };
 use attestation_agent::{AttestationAPIs, AttestationAgent};
 use log::{debug, error};
@@ -138,32 +137,6 @@ impl AttestationAgentService for AA {
         Result::Ok(Response::new(reply))
     }
 
-    async fn update_configuration(
-        &self,
-        request: Request<UpdateConfigurationRequest>,
-    ) -> Result<Response<UpdateConfigurationResponse>, Status> {
-        let request = request.into_inner();
-
-        let mut attestation_agent = self.inner.lock().await;
-
-        debug!("AA (grpc): update configuration ...");
-
-        attestation_agent
-            .update_configuration(&request.config)
-            .map_err(|e| {
-                error!("AA (grpc): update configuration failed:\n{e:?}");
-                Status::internal(format!(
-                    "[ERROR:{AGENT_NAME}] AA update configuration failed"
-                ))
-            })?;
-
-        debug!("AA (grpc): update configuration successfully!");
-
-        let reply = UpdateConfigurationResponse {};
-
-        Result::Ok(Response::new(reply))
-    }
-
     async fn get_tee_type(
         &self,
         _request: Request<GetTeeTypeRequest>,

diff --git a/attestation-agent/attestation-agent/src/bin/ttrpc-aa/main.rs b/attestation-agent/attestation-agent/src/bin/ttrpc-aa/main.rs
@@ -5,7 +5,8 @@
 
 use ::ttrpc::asynchronous::Server;
 use anyhow::*;
-use attestation_agent::AttestationAgent;
+use attestation_agent::{AttestationAPIs, AttestationAgent};
+use base64::Engine;
 use clap::{arg, command, Parser};
 use const_format::concatcp;
 use log::{debug, info};
@@ -43,6 +44,14 @@ struct Cli {
     /// `--config /etc/attestation-agent.conf`
     #[arg(short, long)]
     config_file: Option<String>,
+
+    /// Initdata to be verified by AA. If initdata check failed, AA will failed to launch.
+    /// The initdata should be base64 standard encoding.
+    ///
+    /// Example:
+    /// `--initdata AAAAAAAAAAAA`
+    #[arg(short, long)]
+    initdata: Option<String>,
 }
 
 #[tokio::main]
@@ -58,6 +67,23 @@ pub async fn main() -> Result<()> {
         .context("clean previous attestation socket file")?;
 
     let mut aa = AttestationAgent::new(cli.config_file.as_deref()).context("start AA")?;
+    if let Some(initdata) = cli.initdata {
+        info!("Initdata is given by parameter, try to check.");
+        let initdata = base64::engine::general_purpose::STANDARD
+            .decode(&initdata)
+            .context("base64 decode initdata")?;
+        let res = aa
+            .check_init_data(&initdata)
+            .await
+            .context("check initdata")?;
+        match res {
+            attester::InitdataResult::Ok => info!("Check initdata passed."),
+            attester::InitdataResult::Unsupported => {
+                info!("Platform does not support initdata checking. Jumping.")
+            }
+        }
+    }
+
     aa.init().await.context("init AA")?;
     let att = server::start_ttrpc_service(aa)?;
 

diff --git a/attestation-agent/attestation-agent/src/bin/ttrpc-aa/server.rs b/attestation-agent/attestation-agent/src/bin/ttrpc-aa/server.rs
@@ -17,7 +17,6 @@ use std::sync::Arc;
 use crate::ttrpc_protocol::attestation_agent::{
     ExtendRuntimeMeasurementRequest, ExtendRuntimeMeasurementResponse, GetEvidenceRequest,
     GetEvidenceResponse, GetTeeTypeRequest, GetTeeTypeResponse, GetTokenRequest, GetTokenResponse,
-    UpdateConfigurationRequest, UpdateConfigurationResponse,
 };
 use crate::ttrpc_protocol::attestation_agent_ttrpc::{
     create_attestation_agent_service, AttestationAgentService,
@@ -120,32 +119,6 @@ impl AttestationAgentService for AA {
         ::ttrpc::Result::Ok(reply)
     }
 
-    async fn update_configuration(
-        &self,
-        _ctx: &::ttrpc::r#async::TtrpcContext,
-        req: UpdateConfigurationRequest,
-    ) -> ::ttrpc::Result<UpdateConfigurationResponse> {
-        debug!("AA (ttrpc): update configuration ...");
-
-        let mut attestation_agent = self.inner.lock().await;
-
-        attestation_agent
-            .update_configuration(&req.config)
-            .map_err(|e| {
-                error!("AA (ttrpc): update configuration failed:\n {e:?}");
-                let mut error_status = ::ttrpc::proto::Status::new();
-                error_status.set_code(Code::INTERNAL);
-                error_status.set_message(format!(
-                    "[ERROR:{AGENT_NAME}] AA update configuration failed"
-                ));
-                ::ttrpc::Error::RpcStatus(error_status)
-            })?;
-
-        debug!("AA (ttrpc): update configuration succeeded.");
-        let reply = UpdateConfigurationResponse::new();
-        ::ttrpc::Result::Ok(reply)
-    }
-
     async fn get_tee_type(
         &self,
         _ctx: &::ttrpc::r#async::TtrpcContext,