Make attest-server a flask app #166
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Multiple changes;
- The python implementation is converted to a Flask app.
- The attestation API is altered. There remains a single input tarball and
single output tarball, but rather than the request body _being_ the
input tarball, we now expect an HTTP POST request encoded in
conventional form (multipart/form-data) that includes a field called
"quote" containing the input tarball (a source filename attribute is
expected). I.e. the encoded form should contain a section like;
Content-Disposition: form-data; name="quote"; filename="whatever"
To use from 'curl', you would;
curl -X -POST -F quote=@"mytarball.tar" <URL>
whereas previously you would have been using;
curl -X -POST --data-binary @"mytarball.tar" <URL>
- sbin/tpm2-attest (i.e. the client) is adjusted in the manner described
in the previous point.
- The extra required package (python3-flask) is added to the
"requirements" target of the top-level Makefile.
Signed-off-by: Geoff Thorpe <geoffrey@twosigma.com>
If the client's EK isn't enrolled, it manifests as an obscure failure to open a directory. This changes it to catch the unenrolled-EK case and report it as such. Signed-off-by: Geoff Thorpe <geoffrey@twosigma.com>
Signed-off-by: Geoff Thorpe <geoffrey@twosigma.com>
Signed-off-by: Geoff Thorpe <geoffrey@twosigma.com>
osresearch
commented
Mar 8, 2022
| tries=0 | ||
| mypath=${tmp}/socket | ||
|
|
||
| # swtpm --daemon exits immediately, which can be too soon. |
There was a problem hiding this comment.
swtpm --daemon should be fixed in new releases. Did you also want to update the submodules?
osresearch
commented
Mar 8, 2022
| PCR list, Eventlog and other details. It performs three actions: | ||
| This is a python flask server implementing a single API end-point on /, which | ||
| expects a POST request encoded in conventional form (multipart/form-data) that | ||
| includes a field called "quote" containing an input tarball (a source filename |
There was a problem hiding this comment.
Should we remove the tar file entirely and instead post the individual components as named form fields?
|
I've started a separate tree to split the attestation code out from the safeboot code (#167 ) and based the initial version on the Flask version from this PR. https://github.com/osresearch/safeboot-attest |
Signed-off-by: Geoff Thorpe <geoffrey@twosigma.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
13958a8 sbin/attest-server: respect BINDIR for sbin paths
0aaad58 sbin/attest-enroll: locally, use unix sockets, not TCP
8665580 sbin/attest-verify: better error-handling
f06a165 sbin/attest-server: convert to a Flask app/API
8648640 gencert: Support use of OpenSSL for cert issuance