This repository has been archived by the owner on Feb 21, 2024. It is now read-only.

feat: attestations considered valid over genesis (#58)
gitsimon authored Mar 3, 2023
1 parent cc9a683 commit a8674db
Showing 3 changed files with 138 additions and 0 deletions.
2 changes: 2 additions & 0 deletions pallets/acurast/common/Cargo.toml
@@ -21,6 +21,7 @@ p384 = { package = "p384_vendored", path = "../p384", default-features = false,
sha2 = { version = "0.10", default-features = false, optional = true }
num-bigint = { version = "0.4.3", default-features = false, optional = true }
ecdsa-vendored = { package = "ecdsa_vendored", path = "../p384/ecdsa", default-features = false, optional = true }
serde = { version = "1.0.136", optional = true, features = ["derive"] }

[dev-dependencies]
base64 = { version = "0.13.0", default-features = false, features = ["alloc"] }
@@ -32,6 +33,7 @@ std = [
"sp-std/std",
"codec/std",
"scale-info/std",
"serde",
]
attestation = [
"asn1",
11 changes: 11 additions & 0 deletions pallets/acurast/common/src/types/bounded_attestation.rs
@@ -9,6 +9,8 @@ use crate::{
};

use frame_support::{pallet_prelude::*, storage::bounded_vec::BoundedVec};
#[cfg(feature = "std")]
use serde::{Deserialize, Serialize};
use sp_std::prelude::*;

const ISSUER_NAME_MAX_LENGTH: u32 = 64;
@@ -48,19 +50,22 @@ pub struct AttestationChain {

/// Structure representing a stored attestation.
#[derive(RuntimeDebug, Encode, Decode, MaxEncodedLen, TypeInfo, Clone, PartialEq)]
#[cfg_attr(feature = "std", derive(Serialize, Deserialize))]
pub struct Attestation {
pub cert_ids: ValidatingCertIds,
pub key_description: BoundedKeyDescription,
pub validity: AttestationValidity,
}

#[derive(RuntimeDebug, Encode, Decode, MaxEncodedLen, TypeInfo, Clone, Copy, PartialEq, Eq)]
#[cfg_attr(feature = "std", derive(Serialize, Deserialize))]
pub struct AttestationValidity {
pub not_before: u64,
pub not_after: u64,
}

#[derive(RuntimeDebug, Encode, Decode, MaxEncodedLen, TypeInfo, Clone, PartialEq)]
#[cfg_attr(feature = "std", derive(Serialize, Deserialize))]
pub struct BoundedKeyDescription {
pub attestation_security_level: AttestationSecurityLevel,
pub key_mint_security_level: AttestationSecurityLevel,
@@ -149,6 +154,7 @@ impl TryFrom<asn::KeyDescriptionV100V200<'_>> for BoundedKeyDescription {
}

#[derive(RuntimeDebug, Encode, Decode, MaxEncodedLen, TypeInfo, Clone, PartialEq, Eq)]
#[cfg_attr(feature = "std", derive(Serialize, Deserialize))]
pub enum AttestationSecurityLevel {
Software,
TrustedEnvironemnt,
@@ -168,6 +174,7 @@ impl From<asn::SecurityLevel> for AttestationSecurityLevel {
}

#[derive(RuntimeDebug, Encode, Decode, MaxEncodedLen, TypeInfo, Clone, PartialEq)]
#[cfg_attr(feature = "std", derive(Serialize, Deserialize))]
pub struct BoundedAuthorizationList {
pub purpose: Option<Purpose>,
pub algorithm: Option<u8>,
@@ -670,6 +677,7 @@ impl TryFrom<asn::AuthorizationListV100V200<'_>> for BoundedAuthorizationList {
}

#[derive(RuntimeDebug, Encode, Decode, MaxEncodedLen, TypeInfo, Clone, PartialEq, Eq)]
#[cfg_attr(feature = "std", derive(Serialize, Deserialize))]
pub struct BoundedRootOfTrust {
pub verified_boot_key: VerifiedBootKey,
pub device_locked: bool,
@@ -708,6 +716,7 @@ impl TryFrom<asn::RootOfTrust<'_>> for BoundedRootOfTrust {
}

#[derive(RuntimeDebug, Encode, Decode, MaxEncodedLen, TypeInfo, Clone, PartialEq, Eq)]
#[cfg_attr(feature = "std", derive(Serialize, Deserialize))]
pub enum VerifiedBootState {
Verified,
SelfSigned,
@@ -727,6 +736,7 @@ impl From<asn::VerifiedBootState> for VerifiedBootState {
}

#[derive(RuntimeDebug, Encode, Decode, MaxEncodedLen, TypeInfo, Clone, PartialEq, Eq)]
#[cfg_attr(feature = "std", derive(Serialize, Deserialize))]
pub struct BoundedAttestationApplicationId {
pub package_infos: PackageInfoSet,
pub signature_digests: SignatureDigestSet,
@@ -755,6 +765,7 @@ impl<'a> TryFrom<asn::AttestationApplicationId<'a>> for BoundedAttestationApplic
}

#[derive(RuntimeDebug, Encode, Decode, MaxEncodedLen, TypeInfo, Clone, PartialEq, Eq)]
#[cfg_attr(feature = "std", derive(Serialize, Deserialize))]
pub struct BoundedAttestationPackageInfo {
pub package_name: PackageName,
pub version: i64,
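Review bot: Deriving `Deserialize` on `Attestation` and its nested types adds a second way to construct them beside the `TryFrom<asn::…>` conversions named in the hunk headers: a value read from chain-spec JSON is taken field by field as written, so nothing ties it to a parsed certificate chain. That is the path the genesis hunk in `pallets/acurast/src/lib.rs` relies on, so `Attestation` deserves a comment such as `// serde is std-only chain-spec/genesis input; a deserialized value is NOT a validated attestation.` The derive also makes the misspelled variant `TrustedEnvironemnt` part of the serialized form; putting `#[cfg_attr(feature = "std", serde(rename = "TrustedEnvironment"))]` on that variant now avoids shipping the typo in chain specs. The struct and enum bodies continue outside the visible hunks, so fields not shown here were not reviewed.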
125 changes: 125 additions & 0 deletions pallets/acurast/src/lib.rs
@@ -54,6 +54,131 @@ pub mod pallet {
type WeightInfo: WeightInfo;
}

#[pallet::genesis_config]
pub struct GenesisConfig<T: Config> {
/// Genesis attestations considered valid without ever calling [`Pallet<T>::submit_attestation`] and therefore skipping validation!
///
/// Specify a list o tuples (account_id, attestation) or (account_id, None) to use default long-term valid attestation.
///
/// This should only be used for test runtime configurations.
pub attestations: Vec<(T::AccountId, Option<Attestation>)>,
}

#[cfg(feature = "std")]
impl<T: Config> Default for GenesisConfig<T> {
fn default() -> Self {
Self {
attestations: vec![],
}
}
}

#[pallet::genesis_build]
impl<T: Config> GenesisBuild<T> for GenesisConfig<T> {
fn build(&self) {
for (who, attestation) in self.attestations.clone() {
<StoredAttestation<T>>::insert(
&who,
attestation.unwrap_or(Attestation {
cert_ids: ValidatingCertIds::default(),
key_description: BoundedKeyDescription {
attestation_security_level: AttestationSecurityLevel::Unknown,
key_mint_security_level: AttestationSecurityLevel::Unknown,
software_enforced: BoundedAuthorizationList {
purpose: None,
algorithm: None,
key_size: None,
digest: None,
padding: None,
ec_curve: None,
rsa_public_exponent: None,
mgf_digest: None,
rollback_resistance: None,
early_boot_only: None,
active_date_time: None,
origination_expire_date_time: None,
usage_expire_date_time: None,
usage_count_limit: None,
no_auth_required: false,
user_auth_type: None,
auth_timeout: None,
allow_while_on_body: false,
trusted_user_presence_required: None,
trusted_confirmation_required: None,
unlocked_device_required: None,
all_applications: None,
application_id: None,
creation_date_time: Some(1_672_527_600_000), // 1.1.2023
origin: None,
root_of_trust: None,
os_version: None,
os_patch_level: None,
attestation_application_id: None,
attestation_id_brand: None,
attestation_id_device: None,
attestation_id_product: None,
attestation_id_serial: None,
attestation_id_imei: None,
attestation_id_meid: None,
attestation_id_manufacturer: None,
attestation_id_model: None,
vendor_patch_level: None,
boot_patch_level: None,
device_unique_attestation: None,
},
tee_enforced: BoundedAuthorizationList {
purpose: None,
algorithm: None,
key_size: None,
digest: None,
padding: None,
ec_curve: None,
rsa_public_exponent: None,
mgf_digest: None,
rollback_resistance: None,
early_boot_only: None,
active_date_time: None,
origination_expire_date_time: None,
usage_expire_date_time: None,
usage_count_limit: None,
no_auth_required: false,
user_auth_type: None,
auth_timeout: None,
allow_while_on_body: false,
trusted_user_presence_required: None,
trusted_confirmation_required: None,
unlocked_device_required: None,
all_applications: None,
application_id: None,
creation_date_time: None,
origin: None,
root_of_trust: None,
os_version: None,
os_patch_level: None,
attestation_application_id: None,
attestation_id_brand: None,
attestation_id_device: None,
attestation_id_product: None,
attestation_id_serial: None,
attestation_id_imei: None,
attestation_id_meid: None,
attestation_id_manufacturer: None,
attestation_id_model: None,
vendor_patch_level: None,
boot_patch_level: None,
device_unique_attestation: None,
},
},
validity: AttestationValidity {
not_before: 0,
not_after: 4_102_441_200_000, // 1.1.2100
},
}),
);
}
}
}

#[pallet::pallet]
#[pallet::generate_store(pub (super) trait Store)]
#[pallet::without_storage_info]
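Review bot: Nothing in `build` enforces the field doc's "should only be used for test runtime configurations": every account listed in the chain spec gets a `StoredAttestation` entry that never passed `submit_attestation`, and the `None` shorthand stores one with both security levels `Unknown`, no `root_of_trust`, `ValidatingCertIds::default()` and `not_after: 4_102_441_200_000`. The code that reads `StoredAttestation` is outside this hunk, so whether revocation or a security-level check can ever reject such an entry should be confirmed; if it cannot, I would put the non-empty case behind an explicit test-only switch and make the doc say so, e.g. `/// SECURITY: entries bypass certificate-chain validation and must be empty in production chain specs.` Two small things in the same block: `for (who, attestation) in &self.attestations` with a per-entry clone avoids copying the whole vector, and the two identical `BoundedAuthorizationList` literals would read better built by one helper. The `// 1.1.2023` and `// 1.1.2100` comments only hold in UTC+1 (both values are 23:00 UTC on the previous day), and "list o tuples" should read "list of tuples".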
