Retire IASv3; always use IASv4
parent
e5c94d09e8
commit
14eb70082f
@ -109,7 +109,6 @@ message EnclaveFrontendConfig {
|
||||
required uint32 pending_request_count = 5;
|
||||
required uint32 pending_request_ttl = 6;
|
||||
required uint32 max_backup_data_length = 7;
|
||||
required uint32 ias_version = 8;
|
||||
}
|
||||
|
||||
message SourcePartitionConfig {
|
||||
@ -133,7 +132,6 @@ message EnclaveReplicaConfig {
|
||||
required uint32 storage_page_cache_size = 10;
|
||||
required uint32 raft_log_index_page_cache_size = 13;
|
||||
required uint32 max_frontend_count = 14;
|
||||
required uint32 ias_version = 15;
|
||||
}
|
||||
|
||||
message StartReplicaGroupRequest {
|
||||
|
||||
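Review bot: Deleting `required uint32 ias_version = 8;` from EnclaveFrontendConfig (and `= 15` from EnclaveReplicaConfig in the following hunk) frees those tag numbers for reuse, and nothing in the schema records that they were once assigned. Add `reserved 8;` and `reserved 15;` to the respective messages, optionally with `reserved "ias_version";`. Because the field was `required`, a decoder built from the old schema will reject a message encoded without it, so the host and enclave binaries presumably have to be rolled out together; the commit description should say so if that is the case. The same two messages are changed again in a second copy of the schema later in this commit and need the same treatment.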
@ -144,8 +144,6 @@ pub struct EnclaveFrontendConfig {
|
||||
pub pending_request_ttl: u32,
|
||||
#[prost(uint32, required, tag = "7")]
|
||||
pub max_backup_data_length: u32,
|
||||
#[prost(uint32, required, tag = "8")]
|
||||
pub ias_version: u32,
|
||||
}
|
||||
#[derive(Clone, PartialEq, ::prost::Message)]
|
||||
pub struct SourcePartitionConfig {
|
||||
@ -183,8 +181,6 @@ pub struct EnclaveReplicaConfig {
|
||||
pub raft_log_index_page_cache_size: u32,
|
||||
#[prost(uint32, required, tag = "14")]
|
||||
pub max_frontend_count: u32,
|
||||
#[prost(uint32, required, tag = "15")]
|
||||
pub ias_version: u32,
|
||||
}
|
||||
#[derive(Clone, PartialEq, ::prost::Message)]
|
||||
pub struct StartReplicaGroupRequest {
|
||||
|
||||
@ -56,7 +56,6 @@ pub struct NodeParams {
|
||||
node_key: Rc<[u8]>,
|
||||
node_id: NodeId,
|
||||
node_type: NodeType,
|
||||
ias_version: u32,
|
||||
}
|
||||
|
||||
pub struct RemoteSender<M>
|
||||
@ -463,7 +462,7 @@ where
|
||||
match self.accept_connection(&connect_request.noise_data) {
|
||||
Ok((noise, their_handshake_hash)) => match self.auth_type {
|
||||
RemoteAuthorizationType::Mutual | RemoteAuthorizationType::RemoteOnly => {
|
||||
match validate_ias_report(connect_request.ias_report.as_ref(), self.node_params.ias_version, &their_handshake_hash.hash) {
|
||||
match validate_ias_report(connect_request.ias_report.as_ref(), &their_handshake_hash.hash) {
|
||||
Ok(attestation) => {
|
||||
*session = SessionState::Accepted {
|
||||
noise,
|
||||
@ -612,7 +611,7 @@ where
|
||||
} => (noise, their_handshake_hash, final_handshake_hash),
|
||||
_ => unreachable!(),
|
||||
};
|
||||
match validate_ias_report(Some(&ias_report), self.node_params.ias_version, &their_handshake_hash.hash) {
|
||||
match validate_ias_report(Some(&ias_report), &their_handshake_hash.hash) {
|
||||
Ok(attestation) => {
|
||||
let handshake_hash = final_handshake_hash;
|
||||
*session = SessionState::Authorized {
|
||||
@ -635,7 +634,7 @@ where
|
||||
attestation,
|
||||
handshake_hash,
|
||||
..
|
||||
} => match validate_ias_report(Some(&ias_report), self.node_params.ias_version, &handshake_hash.get_hash_for_node(&self.remote_node_id)) {
|
||||
} => match validate_ias_report(Some(&ias_report), &handshake_hash.get_hash_for_node(&self.remote_node_id)) {
|
||||
Ok(new_attestation) => {
|
||||
verbose!("validated attestation report for {}: {}", &self.remote_node_id, &new_attestation);
|
||||
*attestation = Some(new_attestation);
|
||||
@ -824,7 +823,6 @@ fn parse_ias_timestamp(timestamp: &str) -> Result<u64, AttestationVerificationEr
|
||||
|
||||
fn validate_ias_report(
|
||||
maybe_ias_report: Option<&IasReport>,
|
||||
ias_version: u32,
|
||||
expected_report_data: &[u8],
|
||||
) -> Result<AttestationParameters, AttestationVerificationError>
|
||||
{
|
||||
@ -847,7 +845,7 @@ fn validate_ias_report(
|
||||
|
||||
let body: IasReportBody = serde_json::from_slice(&ias_report.body[..]).map_err(AttestationVerificationError::InvalidJson)?;
|
||||
|
||||
if body.version != ias_version as u64 {
|
||||
if body.version != 4 {
|
||||
return Err(AttestationVerificationError::WrongVersion(body.version));
|
||||
}
|
||||
|
||||
@ -869,7 +867,7 @@ fn validate_ias_report(
|
||||
//
|
||||
// The check for INTEL-SA-00334 was introduced in IASv4, and should never appear under
|
||||
// IASv3.
|
||||
if ias_version < 4 || body.advisoryIDs.iter().any(|advisory_id| !is_expected_advisory_id(advisory_id)) {
|
||||
if body.advisoryIDs.iter().any(|advisory_id| !is_expected_advisory_id(advisory_id)) {
|
||||
return Err(AttestationVerificationError::AttestationError(body.isvEnclaveQuoteStatus));
|
||||
}
|
||||
}
|
||||
@ -994,7 +992,7 @@ impl Deref for NodeId {
|
||||
//
|
||||
|
||||
impl NodeParams {
|
||||
pub fn generate(node_type: NodeType, ias_version: u32) -> Self {
|
||||
pub fn generate(node_type: NodeType) -> Self {
|
||||
let params = NOISE_PARAMS.parse().unwrap_or_else(|_| unreachable!());
|
||||
let builder = snow::Builder::with_resolver(params, Box::new(SnowResolver));
|
||||
let keypair = builder.generate_keypair().unwrap_or_else(|_| unreachable!());
|
||||
@ -1003,7 +1001,6 @@ impl NodeParams {
|
||||
node_key: keypair.private.into(),
|
||||
node_id: keypair.public.into(),
|
||||
node_type,
|
||||
ias_version,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
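Review bot: The comment kept above the advisory check in the -869 hunk ("should never appear under IASv3") now describes a case the condition no longer handles. With `ias_version < 4 ||` gone, the only thing keeping a non-v4 report out of that branch is the `body.version != 4` test in the -847 hunk. Reword the comment to state that dependency, for example `// Only IASv4 reports reach this point; body.version is checked above.`, so that a later reordering of the two checks is recognised as a change to what gets accepted. The literal `4` would also read better as a named constant used in the comparison, e.g. `const IAS_REPORT_VERSION: u64 = 4;`. validate_ias_report starts and ends outside these hunks, so the branch enclosing the advisory check is not visible here.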
@ -66,9 +66,9 @@ enum QeInfoRequestState {
|
||||
impl<T> PeerManager<T>
|
||||
where T: Peer
|
||||
{
|
||||
pub fn new(node_type: NodeType, ias_version: u32) -> Self {
|
||||
pub fn new(node_type: NodeType) -> Self {
|
||||
Self {
|
||||
node_params: Rc::new(NodeParams::generate(node_type, ias_version)),
|
||||
node_params: Rc::new(NodeParams::generate(node_type)),
|
||||
noise_buffers: Default::default(),
|
||||
connecting_peers: Default::default(),
|
||||
qe_info_req: QeInfoRequestState::None,
|
||||
|
||||
@ -87,11 +87,9 @@ pub struct PendingClientRequest {
|
||||
|
||||
impl FrontendState {
|
||||
pub fn init(request: StartFrontendRequest) -> Self {
|
||||
let ias_version = request.config.ias_version;
|
||||
|
||||
let mut state = Self {
|
||||
config: request.config,
|
||||
replicas: PeerManager::new(NODE_TYPE, ias_version),
|
||||
replicas: PeerManager::new(NODE_TYPE),
|
||||
partitions: Default::default(),
|
||||
key_ranges: Default::default(),
|
||||
last_request_id: Default::default(),
|
||||
|
||||
@ -80,10 +80,8 @@ enum PeerMessage {
|
||||
|
||||
impl ReplicaState {
|
||||
pub fn init(request: StartReplicaRequest) -> Self {
|
||||
let ias_version = request.config.ias_version;
|
||||
|
||||
let state = Self {
|
||||
peers: PeerManager::new(NodeType::Replica, ias_version),
|
||||
peers: PeerManager::new(NodeType::Replica),
|
||||
config: request.config,
|
||||
frontends: Lru::new(),
|
||||
partition: None,
|
||||
|
||||
@ -117,7 +117,6 @@ tar: $(builddir)/kbupd-$(VERSION)-bin-staging.tar.gz $(builddir)/kbupd-$(VERSION
|
||||
|
||||
$(builddir)/kbupd-$(VERSION)-bin-%.tar.gz: FORCE
|
||||
$(targetdir)/release/kbupd-config validate frontend config/frontend.$*.yml
|
||||
$(targetdir)/release/kbupd-config validate frontend config/frontend.$*-ias-v4.yml
|
||||
$(targetdir)/release/kbupd-config validate replica $(wildcard config/replica-*.$*.yml)
|
||||
-rm -rf $(builddir)/tar/
|
||||
mkdir -p $(builddir)/tar/enclave/
|
||||
@ -127,7 +126,6 @@ $(builddir)/kbupd-$(VERSION)-bin-%.tar.gz: FORCE
|
||||
$(INSTALL_PROGRAM) $(targetdir)/release/kbuptlsd $(builddir)/tar/
|
||||
$(INSTALL_DATA) $(wildcard kbupd/res/enclave/*.so) $(builddir)/tar/enclave/
|
||||
$(INSTALL_DATA) config/frontend.$*.yml $(builddir)/tar/
|
||||
$(INSTALL_DATA) config/frontend.$*-ias-v4.yml $(builddir)/tar/
|
||||
$(INSTALL_DATA) $(wildcard config/replica-*.$*.yml) $(builddir)/tar/
|
||||
$(INSTALL_DATA) config/peer_ca_cert.$*.pem $(builddir)/tar/
|
||||
tar -czf $(builddir)/kbupd-$(VERSION)-bin-$*.tar.gz -C $(builddir)/tar .
|
||||
|
||||
@ -13,12 +13,11 @@ use std::sync::Arc;
|
||||
use std::thread;
|
||||
use std::time::Duration;
|
||||
|
||||
use failure::{bail, format_err, ResultExt};
|
||||
use failure::{format_err, ResultExt};
|
||||
use futures::future;
|
||||
use futures::prelude::*;
|
||||
use hyper::Uri;
|
||||
use hyper::client::connect::HttpConnector;
|
||||
use ias_client::IasApiVersion;
|
||||
use kbupd_config::metrics::*;
|
||||
use kbupd_config::FrontendConfig;
|
||||
use kbuptlsd::prelude::*;
|
||||
@ -98,14 +97,8 @@ impl FrontendService {
|
||||
})
|
||||
.context("error creating intel attestation tls proxy client")?;
|
||||
|
||||
let ias_version = match config.attestation.iasVersion {
|
||||
None | Some(3) => IasApiVersion::ApiVer3,
|
||||
Some(4) => IasApiVersion::ApiVer4,
|
||||
_ => bail!("unrecognized IAS version: {}", config.attestation.iasVersion.unwrap())
|
||||
};
|
||||
|
||||
let new_intel_client =
|
||||
new_ias_client(&config.attestation.host, ias_version, &config.attestation.apiKey, intel_client_proxy).context("error creating intel attestation client")?;
|
||||
new_ias_client(&config.attestation.host, &config.attestation.apiKey, intel_client_proxy).context("error creating intel attestation client")?;
|
||||
handshake_manager = Some(HandshakeManager::new(
|
||||
enclave_manager_tx.clone(),
|
||||
new_intel_client.clone(),
|
||||
@ -145,7 +138,6 @@ impl FrontendService {
|
||||
let enclave_spid = config.attestation.spid;
|
||||
let enclave_executor = runtime.executor();
|
||||
let enclave_directory = cmdline_config.enclave_directory.to_owned();
|
||||
let ias_version = config.attestation.iasVersion.unwrap_or(3);
|
||||
let enclave_thread = thread::spawn(move || -> Result<(), failure::Error> {
|
||||
let mut enclaves = Vec::with_capacity(enclave_configs.len());
|
||||
for (enclave_config, partitions) in enclave_configs {
|
||||
@ -169,7 +161,6 @@ impl FrontendService {
|
||||
pending_request_ttl: util::duration::as_ticks(pending_request_ttl, timer_tick_interval),
|
||||
pending_request_count: enclave_config.pendingRequestCount,
|
||||
max_backup_data_length: enclave_config.maxBackupDataLength,
|
||||
ias_version,
|
||||
};
|
||||
|
||||
let mut partition_configs = Vec::new();
|
||||
|
||||
@ -13,11 +13,11 @@ use kbuptlsd::prelude::*;
|
||||
|
||||
pub type KbupdIasClient = IasClient<TlsProxyConnector<HttpConnector>>;
|
||||
|
||||
pub fn new_ias_client(host: &str, ias_version: IasApiVersion, api_key: &str, tls_proxy: TlsClientProxySpawner) -> Result<KbupdIasClient, failure::Error> {
|
||||
pub fn new_ias_client(host: &str, api_key: &str, tls_proxy: TlsClientProxySpawner) -> Result<KbupdIasClient, failure::Error> {
|
||||
let mut http_connector = HttpConnector::new(1);
|
||||
http_connector.enforce_http(false);
|
||||
|
||||
let tls_connector = TlsProxyConnector::new(Arc::new(tls_proxy), http_connector);
|
||||
|
||||
IasClient::new(host, Some(ias_version), Some(api_key), tls_connector)
|
||||
IasClient::new(host, Some(IasApiVersion::ApiVer4), Some(api_key), tls_connector)
|
||||
}
|
||||
|
||||
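Review bot: `new_ias_client` is public and now fixes the API version internally, but nothing at the definition says so or ties it to the report validator, which hard-codes the same version in `body.version != 4`. A doc comment on the function would keep the two from drifting apart, for example `/// Builds the IAS client; the API version is pinned to IASv4 and must match the version accepted by validate_ias_report.`. Whether `IasApiVersion` is still imported in this file cannot be seen from the hunk.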
@ -109,7 +109,6 @@ message EnclaveFrontendConfig {
|
||||
required uint32 pending_request_count = 5;
|
||||
required uint32 pending_request_ttl = 6;
|
||||
required uint32 max_backup_data_length = 7;
|
||||
required uint32 ias_version = 8;
|
||||
}
|
||||
|
||||
message SourcePartitionConfig {
|
||||
@ -133,7 +132,6 @@ message EnclaveReplicaConfig {
|
||||
required uint32 storage_page_cache_size = 10;
|
||||
required uint32 raft_log_index_page_cache_size = 13;
|
||||
required uint32 max_frontend_count = 14;
|
||||
required uint32 ias_version = 15;
|
||||
}
|
||||
|
||||
message StartReplicaGroupRequest {
|
||||
|
||||
@ -11,11 +11,10 @@ use std::sync::Arc;
|
||||
use std::thread;
|
||||
use std::time::Duration;
|
||||
|
||||
use failure::{bail, ResultExt};
|
||||
use failure::ResultExt;
|
||||
use futures::prelude::*;
|
||||
use hyper::Uri;
|
||||
use hyper::client::connect::HttpConnector;
|
||||
use ias_client::IasApiVersion;
|
||||
use kbupd_config::metrics::*;
|
||||
use kbupd_config::ReplicaConfig;
|
||||
use kbuptlsd::prelude::*;
|
||||
@ -83,12 +82,6 @@ impl ReplicaService {
|
||||
.host()
|
||||
.expect("attestation host does not contain a hostname"));
|
||||
|
||||
let ias_version = match config.attestation.iasVersion {
|
||||
None | Some(3) => IasApiVersion::ApiVer3,
|
||||
Some(4) => IasApiVersion::ApiVer4,
|
||||
_ => bail!("unrecognized IAS version: {}", config.attestation.iasVersion.unwrap())
|
||||
};
|
||||
|
||||
let intel_client_proxy =
|
||||
TlsClientProxySpawner::new(cmdline_config.kbuptlsd_bin_path.to_owned(), TlsClientProxyArguments::NoConfig {
|
||||
ca: TlsClientProxyCaArgument::System,
|
||||
@ -96,7 +89,7 @@ impl ReplicaService {
|
||||
hostname: TlsClientProxyHostnameArgument::Hostname(hostname)
|
||||
})
|
||||
.context("error creating intel attestation tls client proxy")?;
|
||||
Some(new_ias_client(&config.attestation.host, ias_version, &config.attestation.apiKey, intel_client_proxy).context("error creating intel attestation client")?)
|
||||
Some(new_ias_client(&config.attestation.host, &config.attestation.apiKey, intel_client_proxy).context("error creating intel attestation client")?)
|
||||
} else {
|
||||
None
|
||||
};
|
||||
@ -134,7 +127,6 @@ impl ReplicaService {
|
||||
storage_page_cache_size: Default::default(), // unused
|
||||
max_frontend_count: config.enclave.maxFrontendCount,
|
||||
raft_log_index_page_cache_size: 10,
|
||||
ias_version: config.attestation.iasVersion.unwrap_or(3),
|
||||
};
|
||||
|
||||
info!(
|
||||
|
||||
@ -76,8 +76,6 @@ pub struct FrontendAttestationConfig {
|
||||
pub disabled: bool,
|
||||
|
||||
pub apiKey: String,
|
||||
|
||||
pub iasVersion: Option<u32>,
|
||||
}
|
||||
|
||||
#[derive(Deserialize)]
|
||||
|
||||
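Review bot: Removing `iasVersion` from `FrontendAttestationConfig` (and from `ReplicaAttestationConfig` in the last section) changes what happens to a deployed config file that still carries the key, and the hunk does not show which way it goes. If the struct does not carry `#[serde(deny_unknown_fields)]`, a leftover `iasVersion: 3` is silently ignored and the operator is left believing v3 is in force while the service requests v4 and the validator requires it. Either confirm that attribute is present on both structs so stale keys fail at load, or keep the field for one release and reject any value other than 4 with an explicit error. The struct attributes are outside the hunk, so this is to be checked rather than assumed.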
@ -39,8 +39,6 @@ pub struct ReplicaAttestationConfig {
|
||||
pub disabled: bool,
|
||||
|
||||
pub apiKey: String,
|
||||
|
||||
pub iasVersion: Option<u32>,
|
||||
}
|
||||
|
||||
#[derive(Deserialize)]
|
||||
|
||||