Refactor kbs client #304
Refactor kbs client #304
Conversation
Xynnn007
requested review from
sameo,
jiangliu,
arronwy,
lumjjb and
jialez0
as code owners
Xynnn007
force-pushed
the
refactor-kbs-client
branch
5 times, most recently
from
3ee1a72
to
a091b61
Compare
Xynnn007
force-pushed
the
refactor-kbs-client
branch
from
a091b61
to
da1d6f6
Compare
There was a problem hiding this comment.
I have only looked at the kbs client part so far, I will look at the passport part seperately:
I found that the Attester and the EvidenceProvider traits are very similar. Is there a reason to keep the Attester trait in the current form?
but if we still want to keep both traits we can create a "trait alias", it's a tiny bit of ceremony, but the evidence_provider code would be redundant, plz see this commit for reference
Xynnn007
force-pushed
the
refactor-kbs-client
branch
from
da1d6f6
to
4440b77
Compare
Thanks for the reference! My first idea was that the
I discussed with @jialez0 and the If we do not need to "know which tee is via communicating with a remote server", What is your opinion? |
yes, I agree. this makes sense. In this case Looking from the user side, a kbs client impl could look like this: use kbs_protocol::{EvidenceProvider, KbsClientCapabilities};
use kbs_types::Tee;
use std::error::Error;
struct MyEvidenceProvider;
#[async_trait::async_trait]
impl EvidenceProvider for MyEvidenceProvider {
async fn get_evidence(&self, _d: Vec<u8>) -> Result<String, Box<dyn Error>> {
todo!();
}
async fn get_tee_type(&self) -> Result<Tee, Box<dyn Error>> {
todo!();
}
}
#[tokio::main]
async fn main() {
let provider = Box::new(MyEvidenceProvider);
let mut client =
kbs_protocol::KbsClientBuilder::with_evidence_provider(provider, "https://kbs.com")
.build()
.unwrap();
let resource_uri = "one/two/key".try_into().unwrap();
let _ = client.get_resource(resource_uri).await.unwrap();
} |
| //! ```no_run | ||
| //! use kbs_protocol::KbsClientBuilder; | ||
| //! use kbs_protocol::evidence_provider::NativeEvidenceProvider; | ||
| //! use kbs_protocol::{PassportClientCapabilities, KbsClientCapabilities}; |
There was a problem hiding this comment.
Do we need to import PassportClientCapabilities here?
There was a problem hiding this comment.
yes, PassportClientCapabilities defines get_token ability.
Also I find the names passport and background check are very confusing in the code. Let me rename them and just tell "how to perform a passport-model access or a background-check-model access in code"
There was a problem hiding this comment.
Ok, I was getting confused by those. I think it makes more sense now.
I notice that the passport feature doesn't have any attester associated with it. I assume we will be adding some new ones there?
There was a problem hiding this comment.
The passport feature Client does not need to care about attester. As attesters in KBS Client only helps to generate evidence in order to get token. The passport feature Client does not assume the origin of the token, and it just call get_token from TokenProvider.
| async fn get_token(&self) -> Result<(Token, TeeKeyPair)>; | ||
| } | ||
|
|
||
| #[derive(Clone, Debug)] |
There was a problem hiding this comment.
We should implement ToString or some thing like for this struct, so that we can get the original content of JWT.
Xynnn007
force-pushed
the
refactor-kbs-client
branch
from
4440b77
to
b005d9b
Compare
|
Ok, I think I've wrapped my head around this. Let me try to summarize. This PR gives us two methods to request a resource from a KBS. One is the RCAR method that we have been using, which is based on "evidence". The other uses a token instead of evidence. When we use a token, we skip over the typical challenge and attestation steps of RCAR by providing the token in the request and immediately getting a response. Now to make things a bit more complicated, there is also a token involved in a normal RCAR request. The KBS sends a token to the client once attestation is successful. Here when we use the TokenProvider, we don't use this token from the KBS. Instead we use one generated by a TokenProvider. It doesn't seem like we've really implemented this yet, but presumably these tokens will come from the HW evidence of certain platforms. Whether you have a platform that gives you "evidence" or a platform that gives you a token, you can connect to the KBS and get a resource. In both cases you can also get a token. In the RCAR case the token comes from the KBS. In the TokenProvider case, it comes directly from the TokenProvider. What is the difference between a token and evidence? A token represents the attestation of the entire workload, whereas evidence is typically the initial state of the enclave. Hence the alternate terms passport and background check. A token is a passport and evidence is more like a background check. Again, you can get a passport/token either from RCAR or TokenProvider and you can connect to a KBS with RCAR or TokenProvider. With TokenProvider you can get a passport without connecting to the KBS. Is this summary correct? |
|
@fitzthum Nice summury and I think it is correct. About the When I firstly designed this, two scenarios were considered:
The two scenarios are abstractly the same, s.t. we need a We should also be careful. The trait |
Xynnn007
force-pushed
the
refactor-kbs-client
branch
from
b005d9b
to
79ebf60
Compare
Hmmm. I guess I have misunderstood part of the design of the CDH. I had thought that the AA would not make any network calls. Instead it would just be responsible for getting the hardware measurement, which would be used by the KBS either as evidence or a token. What you're saying is that we are going to use something more like the RATS passport model where the KBS will give the AA a token and then the CDH will use that token for future requests? |
Yes |
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
We should try to avoid duplicated definitions of TeeTypes. This commit helps to use the Tee definition in `kbs-types` for better maintaining. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
default-features are not used in a sub workspace Cargo.toml Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Xynnn007
force-pushed
the
refactor-kbs-client
branch
2 times, most recently
from
751d695
to
e55a910
Compare
Rebased and fixed the conflict. cc @mythi the conflict is about the commit |
yeah, looks like it was merged yesterday ahead of this so a rebase was needed. Thanks! |
This crate now provides two basic ways to connect to a KBS: - Background Check model: when getting resources, it will do RCAR handshake underneath. The request is based on http session. - Passport model: when getting resources, it will use a token which is for the target KBS. The request is based on http bear auth header. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
now the conversion from a ResourceUri to a http address will be performed in crate kbs_protocol. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
now tee key mod is implemented in kbs-protocol crate. The underlying crypto operations (RSA) is implemented in crypto crate. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
each line of the input pem certificate must be left aligned Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Actually there is no error that happens. Only no supported tee is detected. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Xynnn007
force-pushed
the
refactor-kbs-client
branch
from
e55a910
to
ca6fe3b
Compare
|
@mkulke Thanks for the suggestions. I've fixed them. PTAL |
This PR mainly aims to tidy & refactor the code in
kbs_protocol. Now KBS protocol supports both passport & background check model to access a resource. So the different ways are included in this PRAlso, some work aiming to tidy the
deps/cryptowas introduced.To assert that the new
kbs_protocolworks, a unit test using a CoCo community publishedkbsimage is impled.see #292
cc @jialez0 @mkulke