refactor: compatible API for KBC

This commit aims to resolve the compatible problem for KBCes, including the following: - Defined a common AnnotationPacket format for all KBCes. - Brought decryption logic out of each KBC module - Refactored KBCs to match the new AnnotationPacket format - Added documents and specs - Added new feature openssl to support hardware acceleration for some HW Signed-off-by: Xynnn007 <[email protected]>
jialez0 · Feb 6, 2023 · 283db89 · 283db89
1 parent c6cdff6
commit 283db89
Show file tree

Hide file tree

Showing 22 changed files with 843 additions and 825 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,4 +3,6 @@
 
 # Added by cargo
 
-/target
+/target
+
+Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -11,6 +11,7 @@ anyhow = "1.0"
 async-trait = "0.1.56"
 base64 = "0.13.0"
 bincode = { version = "1.3.3", optional = true }
+ctr = "0.9.2"
 foreign-types = { version = "0.5.0", optional = true }
 kbs-types = { git = "https://github.com/virtee/kbs-types" }
 log = "0.4.14"
@@ -24,9 +25,11 @@ serde_json = "1.0"
 sha2 = { version = "0.10", optional = true }
 strum = { version = "0.24.0", features = ["derive"] }
 tdx-attest-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", rev = "85cf8bdd", optional = true }
-tonic = { version = "0.8.0", optional = true }
 tokio = { version = "1.0", features = ["macros", "rt-multi-thread"], optional = true }
+tonic = { version = "0.8.0", optional = true }
+url = "2.3.1"
 uuid = { version = "1.1.2", features = ["serde", "v4"], optional = true }
+zeroize = "1.5.7"
 
 [dev-dependencies]
 tokio = { version = "1.20.1", features = ["macros", "rt-multi-thread"] }
@@ -36,10 +39,18 @@ tonic-build = { version = "0.8.0", optional = true }
 
 [features]
 default = ["sample_kbc"]
-sample_kbc = ["aes-gcm"]
-cc_kbc = ["aes-gcm", "rand", "rsa", "sha2", "tdx-attest-rs", "reqwest"]
+sample_kbc = []
+cc_kbc = ["rand", "rsa", "sha2", "tdx-attest-rs", "reqwest"]
 eaa_kbc = ["foreign-types"]
-offline_fs_kbc = ["openssl"]
-offline_sev_kbc = ["openssl"]
-online_sev_kbc = ["aes-gcm", "openssl", "tonic", "prost", "uuid", "bincode", "tokio"]
+offline_fs_kbc = []
+offline_sev_kbc = []
+online_sev_kbc = ["tonic", "prost", "uuid", "bincode", "tokio"]
 gen-proto = ["tonic-build"]
+
+# Either `rust-crypto` or `openssl` should be enabled to work as underlying crypto module
+rust-crypto = ["dep:aes-gcm", "crypto"]
+openssl = ["dep:openssl", "crypto"]
+
+crypto = []
+
+crypto-compatibility-test = [ "dep:aes-gcm", "openssl" ]
diff --git a/Makefile b/Makefile
@@ -22,9 +22,14 @@ LIBC ?= gnu
 KBC ?=
 DESTDIR ?= $(PREFIX)/bin
 RUSTFLAGS_ARGS ?=
+OPENSSL ?=
 
 ifdef KBC
     feature := --no-default-features --features
+    FEATURES := $(KBC)
+else
+    feature := --features
+    FEATURES := default
 endif
 
 ifeq ($(LIBC), musl)
@@ -92,8 +97,14 @@ ifneq ($(RUSTFLAGS_ARGS),)
     RUST_FLAGS := RUSTFLAGS="$(RUSTFLAGS_ARGS)"
 endif
 
+ifdef OPENSSL
+    FEATURES := $(FEATURES),openssl
+else
+    FEATURES := $(FEATURES),rust-crypto
+endif
+
 build:
-	cd app && $(RUST_FLAGS) cargo build $(release) $(feature) $(KBC) $(LIBC_FLAG)
+	cd app && $(RUST_FLAGS) cargo build $(release) $(feature) $(FEATURES) $(LIBC_FLAG)
 
 TARGET := app/$(TARGET_DIR)/$(BIN_NAME)
 
@@ -108,5 +119,5 @@ clean:
 
 help:
 	@echo "==========================Help========================================="
-	@echo "build: make [DEBUG=1] [LIBC=(musl)] [ARCH=(x86_64/s390x)] [KBC=xxx_kbc]"
+	@echo "build: make [DEBUG=1] [LIBC=(musl)] [ARCH=(x86_64/s390x)] [KBC=xxx_kbc] [OPENSSL=1]"
 	@echo "install: make install [DESTDIR=/path/to/target] [LIBC=(musl)]"
diff --git a/README.md b/README.md
@@ -57,6 +57,13 @@ To build and install with musl, just run:
 make LIBC=musl && make install
 ```
 
+#### Openssl support
+
+To build and install with openssl support (which is helpful in specific machines like `s390x`)
+```
+make OPENSSL=1 && make install
+```
+
 ### Run
 
 For help information, just run:
@@ -90,11 +97,12 @@ List of supported KBC modules:
 
 | KBC module name    | README                                                              | KBS protocol | Maintainer                |
 | ------------------ | ------------------------------------------------------------------- | ------------ | ------------------------- |
-| sample_kbc         | Null                                                                | Null         | Attestation Agent Authors |
+| sample_kbc	     |  Null                                                               | Null         |	Attestation Agent Authors |
 | offline_fs_kbc     | [Offline file system KBC](src/kbc_modules/offline_fs_kbc/README.md) | Null         | IBM                       |
 | eaa_kbc            | [EAA KBC](src/kbc_modules/eaa_kbc/README.md)                        | EAA protocol | Alibaba Cloud             |
 | offline_sev_kbc    | [Offline SEV KBC](src/kbc_modules/offline_sev_kbc/README.md)        | Null         | IBM                       |
 | online_sev_kbc     | [Online SEV KBC](src/kbc_modules/online_sev_kbc/README.md)          | simple-kbs   | IBM                       |
+| cc_kbc             | [CC KBC](src/kbc_modules/cc_kbc/README.md)                          | [CoCo KBS protocol](https://github.com/confidential-containers/kbs/blob/main/docs/kbs_attestation_protocol.md) | CoCo Community            |
 
 
 ## Tools
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,4 +3,6 @@ @@
     # Added by cargo
-    /target
+    /target
+    Cargo.lock