[Pal/Linux-SGX] Add support for Microsoft Azure Attestation to RA-TLS #1793
Conversation
Microsoft Azure Attestation (MAA) is a service that receives Attestation Requests (serialized JSON files containing the SGX quote), verifies SGX quotes against a set of predefined policies, and issues Attestation Tokens containing a signed JSON Web Token (JWT). This commit adds support for MAA to RA-TLS. RA-TLS already complies with the requirements of RA-TLS cert's public key being SHA256 hashed into an SGX quote's userdata. It is only necessary to construct MAA-specific JSON content out of the RA-TLS/SGX objects and save it as a file used later by Microsoft Azure specific utility that sends it to MAA service. Currently, RA-TLS simply generates the file during SGX quote verification if a filename is specified in the environment variable RA_TLS_MAA_JSON_FILE. It is currently user's responsibility to send this JSON file to the MAA and receive JWT.
There was a problem hiding this comment.
Reviewable status: 0 of 9 files reviewed, all discussions resolved, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel)
Pal/src/host/Linux-SGX/tools/ra-tls/ra_tls.h, line 39 at r1 (raw file):
static const size_t quote_oid_len = sizeof(quote_oid); #define QUOTE_MAX_SIZE 8192 #define MAA_JSON_FILE_MAX_SIZE (QUOTE_MAX_SIZE * 3)
I think it could avoid to allocate big buffer and check boundary every time by writing to file stream directly.
|
Hi! In #1858 the jenkins configuration was moved from I intend to make this change in about week's time. Please rebase this PR onto said commit (preferably onto current master). You can also just close this PR, if it is no longer relevant. This is an automated message. If you have questions, please ask woju on slack. Thank you! |
|
Closing for now. We'll need proper MAA integration -- this PR was more of a hack. |
Description of the changes
Microsoft Azure Attestation (MAA) is a service that receives Attestation Requests (serialized JSON files containing the SGX quote), verifies SGX quotes against a set of predefined policies, and issues Attestation Tokens containing a signed JSON Web Token (JWT).
This commit adds support for MAA to RA-TLS. RA-TLS already complies with the requirements of RA-TLS cert's public key being SHA256 hashed into an SGX quote's userdata. It is only necessary to construct MAA-specific
JSON content out of the RA-TLS/SGX objects and save it as a file used later by Microsoft Azure specific utility that sends it to MAA service.
Currently, RA-TLS simply generates the file during SGX quote verification if a filename is specified in the
environment variable
RA_TLS_MAA_JSON_FILE. It is currently user's responsibility to send this JSON file to the MAA and receive JWT.For more info, see #1791.
Closes #1791.
Also see the following discussions at https://github.com/Azure-Samples/microsoft-azure-attestation:
How to test this PR?
A simple test is added to Jenkins, but the actual functionality must be tested manually on MS Azure VMs with the help of https://github.com/Azure-Samples/microsoft-azure-attestation.
TODO: I still need to check if it works correctly on MS Azure with
intel.sdk.attest.sample/validatequotes.core/utility.This change is