AS/Verifier: add report_data and init_data_hash field for SGX/TDX

Related to confidential-containers#228. This is the implementation for SGX/TDX/Sample Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Xynnn007 · Nov 30, 2023 · 9174bf7 · 9174bf7
1 parent cfa1dec
commit 9174bf7
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 0 deletions.
diff --git a/attestation-service/verifier/src/lib.rs b/attestation-service/verifier/src/lib.rs
@@ -125,6 +125,12 @@ pub trait Verifier {
     /// instance is created. It is always provided by untrusted host,
     /// but its integrity will be protected by the tee evidence.
     /// Typical `init_data_hash` is `HOSTDATA` for SNP.
+    ///
+    ///
+    /// There will be two claims by default regardless of architectures:
+    /// - `init_data_hash`: init data hash of the evidence
+    /// - `report_data`: report data of the evidence
+    /// TODO: See https://github.com/confidential-containers/kbs/issues/228
     async fn evaluate(
         &self,
         evidence: &[u8],

diff --git a/attestation-service/verifier/src/sample/mod.rs b/attestation-service/verifier/src/sample/mod.rs
@@ -79,6 +79,8 @@ async fn verify_tee_evidence(
 fn parse_tee_evidence(quote: &SampleTeeEvidence) -> Result<TeeEvidenceParsedClaim> {
     let claims_map = json!({
         "svn": quote.svn,
+        "report_data": quote.report_data,
+        "init_data_hash": quote.init_data_hash,
     });
 
     Ok(claims_map as TeeEvidenceParsedClaim)

diff --git a/attestation-service/verifier/src/sgx/claims.rs b/attestation-service/verifier/src/sgx/claims.rs
@@ -104,6 +104,8 @@ pub fn generate_parsed_claims(quote: sgx_quote3_t) -> Result<TeeEvidenceParsedCl
     let mut claims = Map::new();
     parse_claim!(claims, "header", quote_header);
     parse_claim!(claims, "body", quote_body);
+    parse_claim!(claims, "report_data", quote.report_body.report_data);
+    parse_claim!(claims, "init_data_hash", quote.report_body.config_id);
 
     log::info!("\nParsed Evidence claims map: \n{:?}\n", &claims);
 

diff --git a/attestation-service/verifier/src/tdx/claims.rs b/attestation-service/verifier/src/tdx/claims.rs
@@ -119,6 +119,10 @@ pub fn generate_parsed_claim(
     let mut claims = Map::new();
     parse_claim!(claims, "quote", quote_map);
     parse_claim!(claims, "ccel", ccel_map);
+
+    parse_claim!(claims, "report_data", quote.report_body.report_data);
+    parse_claim!(claims, "init_data_hash", quote.report_body.mr_config_id);
+
     log::info!("\nParsed Evidence claims map: \n{:?}\n", &claims);
 
     Ok(Value::Object(claims) as TeeEvidenceParsedClaim)