This repository has been archived by the owner on Jan 20, 2022. It is now read-only.
[Pal/Linux-SGX] Add support for Microsoft Azure Attestation to RA-TLS #1793
Description of the changes
Microsoft Azure Attestation (MAA) is a service that receives Attestation Requests (serialized JSON files containing the SGX quote), verifies SGX quotes against a set of predefined policies, and issues Attestation Tokens containing a signed JSON Web Token (JWT).
This commit adds support for MAA to RA-TLS. RA-TLS already complies with the requirements of RA-TLS cert's public key being SHA256 hashed into an SGX quote's userdata. It is only necessary to construct MAA-specific JSON content out of the RA-TLS/SGX objects and save it as a file used later by a Microsoft Azure-specific utility that sends it to the MAA service.
Currently, RA-TLS simply generates the file during SGX quote verification if a filename is specified in the environment variable RA_TLS_MAA_JSON_FILE. It is currently the user's responsibility to send this JSON file to the MAA and receive the JWT. For more info, see #1791.
Closes #1791.
Also see the following discussions at https://github.com/Azure-Samples/microsoft-azure-attestation:
How to test this PR?
A simple test is added to Jenkins, but the actual functionality must be tested manually on MS Azure VMs with the help of https://github.com/Azure-Samples/microsoft-azure-attestation.
TODO: I still need to check if it works correctly on MS Azure with intel.sdk.attest.sample/validatequotes.core/ utility.
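The binding the description relies on (the SHA256 of the RA-TLS certificate's public key placed in the SGX quote's userdata) can be checked locally on a quote before its JSON file is handed to MAA. The following is an added example, not code from this PR or from the project; it assumes the public Intel `sgx_quote_t` layout, that the hash occupies the first 32 bytes of the 64-byte report data, and that the key is hashed in DER form. All function names and the sample quote are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Offsets from the public Intel sgx_quote_t layout (assumed, not from this PR).
QUOTE_HEADER_SIZE = 48   # version .. basename
REPORT_BODY_SIZE = 384   # sgx_report_body_t
MRENCLAVE_OFFSET = QUOTE_HEADER_SIZE + 64
REPORT_DATA_OFFSET = QUOTE_HEADER_SIZE + 320
HASH_SIZE = 32           # SHA-256 digest length


def parse_quote(quote: bytes) -> dict:
    """Extract the fields needed for the key-binding check."""
    if len(quote) < QUOTE_HEADER_SIZE + REPORT_BODY_SIZE:
        raise ValueError("quote too short to contain a report body")
    (version,) = struct.unpack_from("<H", quote, 0)
    return {
        "version": version,
        "mr_enclave": quote[MRENCLAVE_OFFSET:MRENCLAVE_OFFSET + 32],
        "report_data": quote[REPORT_DATA_OFFSET:REPORT_DATA_OFFSET + 64],
    }


def key_is_bound(quote: bytes, pubkey_der: bytes) -> bool:
    """True if the quote's userdata starts with SHA-256(pubkey_der)."""
    report_data = parse_quote(quote)["report_data"]
    expected = hashlib.sha256(pubkey_der).digest()
    # Constant-time comparison of the hash portion of the report data.
    return hmac.compare_digest(report_data[:HASH_SIZE], expected)


def make_constructed_quote(pubkey_der: bytes) -> bytes:
    """Build a constructed (unsigned, fake) quote for demonstration only."""
    quote = bytearray(QUOTE_HEADER_SIZE + REPORT_BODY_SIZE + 4)
    struct.pack_into("<H", quote, 0, 3)                      # version field
    quote[MRENCLAVE_OFFSET:MRENCLAVE_OFFSET + 32] = bytes([0xAA]) * 32
    digest = hashlib.sha256(pubkey_der).digest()
    quote[REPORT_DATA_OFFSET:REPORT_DATA_OFFSET + HASH_SIZE] = digest
    return bytes(quote)


if __name__ == "__main__":
    key = b"constructed DER public key bytes"
    q = make_constructed_quote(key)
    print("bound to presented key:", key_is_bound(q, key))
    print("bound to other key:    ", key_is_bound(q, b"some other key"))
```

This check only covers the key binding; the quote's signature and the enclave measurements still have to be verified by the attestation service.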