From 21394331c1de995643a9731c194c31d03752b982 Mon Sep 17 00:00:00 2001
From: Xiangyu Tian <109123695+xiangyuT@users.noreply.github.com>
Date: Wed, 14 Sep 2022 17:02:00 +0800
Subject: [PATCH] [PPML] Implement VerificationCLI to verify Attestation Service (#5742)
* Implement VerificationCLI and a bash to use VerificationCLI
* Refine
Co-authored-by: xiangyuT
---
 .../ppml/attestation/VerificationCLI.scala | 88 +++++++++++++++++++
 .../attestation/verify-attestation-service.sh | 48 ++++++++++
 2 files changed, 136 insertions(+)
 create mode 100644 scala/ppml/src/main/scala/com/intel/analytics/bigdl/ppml/attestation/VerificationCLI.scala
 create mode 100644 scala/ppml/src/main/scala/com/intel/analytics/bigdl/ppml/attestation/verify-attestation-service.sh
diff --git a/scala/ppml/src/main/scala/com/intel/analytics/bigdl/ppml/attestation/VerificationCLI.scala b/scala/ppml/src/main/scala/com/intel/analytics/bigdl/ppml/attestation/VerificationCLI.scala
new file mode 100644
index 00000000000..273d4ae12e4
--- /dev/null
+++ b/scala/ppml/src/main/scala/com/intel/analytics/bigdl/ppml/attestation/VerificationCLI.scala
@@ -0,0 +1,88 @@
+/*
+ * Copyright 2016 The BigDL Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package com.intel.analytics.bigdl.ppml.attestation
+
+import org.apache.logging.log4j.LogManager
+import scopt.OptionParser
+
+import java.util.Base64
+
+/**
+ * Simple Command Line tool to verify attestation service
+ */
+object VerificationCLI {
+ def main(args: Array[String]): Unit = {
+
+ val logger = LogManager.getLogger(getClass)
+ case class CmdParams(appID: String = "test",
+ apiKey: String = "test",
+ attestationType: String = ATTESTATION_CONVENTION.MODE_EHSM_KMS,
+ attestationURL: String = "127.0.0.1:9000",
+ challenge: String = "test")
+
+ val cmdParser = new OptionParser[CmdParams]("PPML Quote Verification Cmd tool") {
+ opt[String]('i', "appID")
+ .text("app id for this app")
+ .action((x, c) => c.copy(appID = x))
+ opt[String]('k', "apiKey")
+ .text("app key for this app")
+ .action((x, c) => c.copy(apiKey = x))
+ opt[String]('u', "attestationURL")
+ .text("attestation service url, default is 127.0.0.1:9000")
+ .action((x, c) => c.copy(attestationURL = x))
+ opt[String]('t', "attestationType")
+ .text("attestation service type, default is EHSMKeyManagementService")
+ .action((x, c) => c.copy(attestationType = x))
+ opt[String]('c', "challenge")
+ .text("challenge to attestation service, default is '' which skip bi-attestation")
+ .action((x, c) => c.copy(challenge = x))
+ }
+ val params = cmdParser.parse(args, CmdParams()).get
+
+ // Attestation Client
+ val as = params.attestationType match {
+ case ATTESTATION_CONVENTION.MODE_EHSM_KMS =>
+ new EHSMAttestationService(params.attestationURL.split(":")(0),
+ params.attestationURL.split(":")(1), params.appID, params.apiKey)
+ case ATTESTATION_CONVENTION.MODE_DUMMY =>
+ new DummyAttestationService()
+ case _ => throw new AttestationRuntimeException("Wrong Attestation service type")
+ }
+
+ val challengeString = params.challenge
+ if (params.attestationType != ATTESTATION_CONVENTION.MODE_DUMMY) {
+ val asQuote = params.attestationType match {
+ case ATTESTATION_CONVENTION.MODE_EHSM_KMS =>
+ Base64.getDecoder().decode(as.getQuoteFromServer(challengeString))
+ case _ => throw new AttestationRuntimeException("Wrong Attestation service type")
+ }
+ val quoteVerifier = new SGXDCAPQuoteVerifierImpl()
+ val verifyQuoteResult = quoteVerifier.verifyQuote(asQuote)
+ if (verifyQuoteResult == 0) {
+ System.out.println("Quote Verification Success!")
+ System.exit(0)
+ } else {
+ System.out.println("Quote Verification Fail! Application killed")
+ System.exit(1)
+ }
+ } else {
+ System.out.println("Dummy attestation service cannot be verified!")
+ System.exit(1)
+ }
+ }
+}
diff --git a/scala/ppml/src/main/scala/com/intel/analytics/bigdl/ppml/attestation/verify-attestation-service.sh b/scala/ppml/src/main/scala/com/intel/analytics/bigdl/ppml/attestation/verify-attestation-service.sh
new file mode 100644
index 00000000000..721aeb8f4a0
--- /dev/null
+++ b/scala/ppml/src/main/scala/com/intel/analytics/bigdl/ppml/attestation/verify-attestation-service.sh
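Review bot: In VerificationCLI.scala's `main`, success is printed as soon as `quoteVerifier.verifyQuote(asQuote)` returns 0, but nothing visible in the hunk compares the returned quote with `challengeString` or with an expected enclave identity. Unless `getQuoteFromServer` or `SGXDCAPQuoteVerifierImpl` (both outside this diff) already do that, a stale quote, or a genuine quote from some other SGX enclave, would presumably be accepted as the attestation service. I would make the binding explicit before the success branch, starting with a marker such as `// TODO(review): reject unless the quote's report data covers challengeString and MRENCLAVE/MRSIGNER match the expected attestation service` above `if (verifyQuoteResult == 0)`. The `challenge` default of `"test"` also contradicts its help text ("default is ''") and gives no freshness when `-c` is omitted, so consider making the option required. Separately, `params.attestationURL.split(":")(1)` throws on a value without a port and `cmdParser.parse(args, CmdParams()).get` throws on bad arguments instead of exiting with usage.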
@@ -0,0 +1,48 @@
+#!/bin/bash
+set -x
+
+export ATTESTATION_URL=your_attestation_url
+export ATTESTATION_TYPE=your_attestation_service_type
+export APP_ID=your_app_id
+export API_KEY=your_api_key
+export CHALLENGE=your_challenge_string
+export SPARK_HOME=your_spark_home
+export BIGDL_PPML_JAR=your_bigdl_ppml_jar
+
+if [ "$ATTESTATION_URL" = "your_attestation_url" ]; then
+ echo "[ERROR] ATTESTATION_URL is not set!"
+ echo "[INFO] PPML Application Exit!"
+ exit 1
+fi
+if [ "$ATTESTATION_TYPE" = "your_attestation_service_type" ]; then
+ ATTESTATION_TYPE="EHSMAttestationService"
+fi
+if [ "$APP_ID" = "your_app_id" ]; then
+ echo "[ERROR] APP_ID is not set!"
+ echo "[INFO] PPML Application Exit!"
+ exit 1
+fi
+if [ "$API_KEY" = "your_api_key" ]; then
+ echo "[ERROR] API_KEY is not set!"
+ echo "[INFO] PPML Application Exit!"
+ exit 1
+fi
+if [ "$CHALLENGE" = "your_challenge_string" ]; then
+ echo "[ERROR] CHALLENGE is not set!"
+ echo "[INFO] PPML Application Exit!"
+ exit 1
+fi
+if [ "$SPARK_HOME" = "your_spark_home" ]; then
+ echo "[ERROR] SPARK_HOME is not set!"
+ echo "[INFO] PPML Application Exit!"
+ exit 1
+fi
+if [ "$BIGDL_PPML_JAR" = "your_bigdl_ppml_jar" ]; then
+ echo "[ERROR] BIGDL_PPML_JAR is not set!"
+ echo "[INFO] PPML Application Exit!"
+ exit 1
+fi
+
+JARS="$SPARK_HOME/jars/*:$SPARK_HOME/examples/jars/*:$BIGDL_PPML_JAR"
+
+java -cp $JARS com.intel.analytics.bigdl.ppml.attestation.VerificationCLI -i $APP_ID -k $API_KEY -c $CHALLENGE -u $ATTESTATION_URL -t $ATTESTATION_TYPE
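Review bot: `set -x` at the top of verify-attestation-service.sh traces every command, so the final `java ... -k $API_KEY` line is written with the expanded API key to stderr and to any log that captures it; passing the key as an argument also leaves it readable in the process list. Drop `set -x` (or put `set +x` immediately before the `java` line) and quote the expansions: `java -cp "$JARS" com.intel.analytics.bigdl.ppml.attestation.VerificationCLI -i "$APP_ID" -k "$API_KEY" -c "$CHALLENGE" -u "$ATTESTATION_URL" -t "$ATTESTATION_TYPE"`. The unconditional `export API_KEY=your_api_key` style lines overwrite any value already in the environment, which pushes users to write the secret into the script file; `: "${API_KEY:?API_KEY is not set}"` would take it from the environment instead. The fallback `ATTESTATION_TYPE="EHSMAttestationService"` should be checked against the value of `ATTESTATION_CONVENTION.MODE_EHSM_KMS`, which this diff does not show, since the CLI help text names `EHSMKeyManagementService`.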