diff --git a/enclave/include/kbupd.proto b/enclave/include/kbupd.proto
index 8eacadc..3cd3449 100644
--- a/enclave/include/kbupd.proto
+++ b/enclave/include/kbupd.proto
@@ -109,7 +109,6 @@ message EnclaveFrontendConfig {
 required uint32 pending_request_count = 5;
 required uint32 pending_request_ttl = 6;
 required uint32 max_backup_data_length = 7;
- required uint32 ias_version = 8;
 }
 message SourcePartitionConfig {
@@ -133,7 +132,6 @@ message EnclaveReplicaConfig {
 required uint32 storage_page_cache_size = 10;
 required uint32 raft_log_index_page_cache_size = 13;
 required uint32 max_frontend_count = 14;
- required uint32 ias_version = 15;
 }
 message StartReplicaGroupRequest {
diff --git a/enclave/kbupd_enclave/src/protobufs/kbupd.rs b/enclave/kbupd_enclave/src/protobufs/kbupd.rs
index aef7c5b..34bdc19 100644
--- a/enclave/kbupd_enclave/src/protobufs/kbupd.rs
+++ b/enclave/kbupd_enclave/src/protobufs/kbupd.rs
@@ -144,8 +144,6 @@ pub struct EnclaveFrontendConfig {
 pub pending_request_ttl: u32,
 #[prost(uint32, required, tag = "7")]
 pub max_backup_data_length: u32,
- #[prost(uint32, required, tag = "8")]
- pub ias_version: u32,
 }
 #[derive(Clone, PartialEq, ::prost::Message)]
 pub struct SourcePartitionConfig {
@@ -183,8 +181,6 @@ pub struct EnclaveReplicaConfig {
 pub raft_log_index_page_cache_size: u32,
 #[prost(uint32, required, tag = "14")]
 pub max_frontend_count: u32,
- #[prost(uint32, required, tag = "15")]
- pub ias_version: u32,
 }
 #[derive(Clone, PartialEq, ::prost::Message)]
 pub struct StartReplicaGroupRequest {
diff --git a/enclave/kbupd_enclave/src/remote/mod.rs b/enclave/kbupd_enclave/src/remote/mod.rs
index 729848c..719f8fa 100644
--- a/enclave/kbupd_enclave/src/remote/mod.rs
+++ b/enclave/kbupd_enclave/src/remote/mod.rs
@@ -56,7 +56,6 @@ pub struct NodeParams {
 node_key: Rc<[u8]>,
 node_id: NodeId,
 node_type: NodeType,
- ias_version: u32,
 }
 pub struct RemoteSender
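Review bot: Field numbers 8 in `EnclaveFrontendConfig` and 15 in `EnclaveReplicaConfig` are deleted without being reserved, so a later field could reuse them with a different meaning; put `reserved 8;` and `reserved 15;` where the removed lines were. The field was `required`, so a host and an enclave built on opposite sides of this commit no longer agree on the config message, and how a decoder treats the missing or unexpected field is not visible here. The two should be rolled out together, and the commit message is a good place to say so. The same two removals appear in the copy at service/kbupd/src/kbupd.proto.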
@@ -463,7 +462,7 @@ where
 match self.accept_connection(&connect_request.noise_data) {
 Ok((noise, their_handshake_hash)) => match self.auth_type {
 RemoteAuthorizationType::Mutual | RemoteAuthorizationType::RemoteOnly => {
- match validate_ias_report(connect_request.ias_report.as_ref(), self.node_params.ias_version, &their_handshake_hash.hash) {
+ match validate_ias_report(connect_request.ias_report.as_ref(), &their_handshake_hash.hash) {
 Ok(attestation) => {
 *session = SessionState::Accepted {
 noise,
@@ -612,7 +611,7 @@ where
 } => (noise, their_handshake_hash, final_handshake_hash),
 _ => unreachable!(),
 };
- match validate_ias_report(Some(&ias_report), self.node_params.ias_version, &their_handshake_hash.hash) {
+ match validate_ias_report(Some(&ias_report), &their_handshake_hash.hash) {
 Ok(attestation) => {
 let handshake_hash = final_handshake_hash;
 *session = SessionState::Authorized {
@@ -635,7 +634,7 @@ where
 attestation,
 handshake_hash,
 ..
- } => match validate_ias_report(Some(&ias_report), self.node_params.ias_version, &handshake_hash.get_hash_for_node(&self.remote_node_id)) {
+ } => match validate_ias_report(Some(&ias_report), &handshake_hash.get_hash_for_node(&self.remote_node_id)) {
 Ok(new_attestation) => {
 verbose!("validated attestation report for {}: {}", &self.remote_node_id, &new_attestation);
 *attestation = Some(new_attestation);
@@ -824,7 +823,6 @@ fn parse_ias_timestamp(timestamp: &str) -> Result,
- ias_version: u32,
 expected_report_data: &[u8],
 ) -> Result {
@@ -847,7 +845,7 @@ fn validate_ias_report(
 let body: IasReportBody = serde_json::from_slice(&ias_report.body[..]).map_err(AttestationVerificationError::InvalidJson)?;
- if body.version != ias_version as u64 {
+ if body.version != 4 {
 return Err(AttestationVerificationError::WrongVersion(body.version));
 }
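Review bot: The accepted report version is now the bare literal in `if body.version != 4 {` inside `validate_ias_report`, while the host pins `IasApiVersion::ApiVer4` separately in service/kbupd/src/intel_client.rs, and nothing in the code ties the two together. A named constant with a one-line doc comment, for example `const IAS_REPORT_VERSION: u64 = 4;` used as `if body.version != IAS_REPORT_VERSION {`, would make the pin visible and give the enclave side one place to change at the next version bump. Fixing the version in enclave code instead of reading it from host-supplied config is the safer design, since the config presumably originates outside the attested code. The function body starts and ends outside this hunk.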
@@ -869,7 +867,7 @@ fn validate_ias_report(
 //
 // The check for INTEL-SA-00334 was introduced in IASv4, and should never appear under
 // IASv3.
- if ias_version < 4 || body.advisoryIDs.iter().any(|advisory_id| !is_expected_advisory_id(advisory_id)) {
+ if body.advisoryIDs.iter().any(|advisory_id| !is_expected_advisory_id(advisory_id)) {
 return Err(AttestationVerificationError::AttestationError(body.isvEnclaveQuoteStatus));
 }
 }
@@ -994,7 +992,7 @@ impl Deref for NodeId {
 //
 impl NodeParams {
- pub fn generate(node_type: NodeType, ias_version: u32) -> Self {
+ pub fn generate(node_type: NodeType) -> Self {
 let params = NOISE_PARAMS.parse().unwrap_or_else(|_| unreachable!());
 let builder = snow::Builder::with_resolver(params, Box::new(SnowResolver));
 let keypair = builder.generate_keypair().unwrap_or_else(|_| unreachable!());
@@ -1003,7 +1001,6 @@ impl NodeParams {
 node_key: keypair.private.into(),
 node_id: keypair.public.into(),
 node_type,
- ias_version,
 }
 }
diff --git a/enclave/kbupd_enclave/src/remote/peer_manager.rs b/enclave/kbupd_enclave/src/remote/peer_manager.rs
index d67aab2..eb4bf18 100644
--- a/enclave/kbupd_enclave/src/remote/peer_manager.rs
+++ b/enclave/kbupd_enclave/src/remote/peer_manager.rs
@@ -66,9 +66,9 @@ enum QeInfoRequestState {
 impl PeerManager where T: Peer {
- pub fn new(node_type: NodeType, ias_version: u32) -> Self {
+ pub fn new(node_type: NodeType) -> Self {
 Self {
- node_params: Rc::new(NodeParams::generate(node_type, ias_version)),
+ node_params: Rc::new(NodeParams::generate(node_type)),
 noise_buffers: Default::default(),
 connecting_peers: Default::default(),
 qe_info_req: QeInfoRequestState::None,
diff --git a/enclave/kbupd_enclave/src/service/frontend.rs b/enclave/kbupd_enclave/src/service/frontend.rs
index 3df265e..822228d 100644
--- a/enclave/kbupd_enclave/src/service/frontend.rs
+++ b/enclave/kbupd_enclave/src/service/frontend.rs
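Review bot: The comment kept above the advisory check in `validate_ias_report` still says INTEL-SA-00334 "should never appear under IASv3", but after this commit any report whose version is not 4 is rejected earlier, so the IASv3 case can no longer reach this branch. Reword it along the lines of `// Only IASv4 reports reach this point; accept the status only if every listed advisory ID is one we expect.` Note also that `.any(...)` is false for an empty `advisoryIDs` list, so a report that lands in this branch with no advisories listed is accepted. That behaviour already held for version 4 before this change, but the comment should say whether it is intended. The enclosing condition is outside the hunk.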
@@ -87,11 +87,9 @@ pub struct PendingClientRequest {
 impl FrontendState {
 pub fn init(request: StartFrontendRequest) -> Self {
- let ias_version = request.config.ias_version;
-
 let mut state = Self {
 config: request.config,
- replicas: PeerManager::new(NODE_TYPE, ias_version),
+ replicas: PeerManager::new(NODE_TYPE),
 partitions: Default::default(),
 key_ranges: Default::default(),
 last_request_id: Default::default(),
diff --git a/enclave/kbupd_enclave/src/service/replica/mod.rs b/enclave/kbupd_enclave/src/service/replica/mod.rs
index e1734bc..f0acf35 100644
--- a/enclave/kbupd_enclave/src/service/replica/mod.rs
+++ b/enclave/kbupd_enclave/src/service/replica/mod.rs
@@ -80,10 +80,8 @@ enum PeerMessage {
 impl ReplicaState {
 pub fn init(request: StartReplicaRequest) -> Self {
- let ias_version = request.config.ias_version;
-
 let state = Self {
- peers: PeerManager::new(NodeType::Replica, ias_version),
+ peers: PeerManager::new(NodeType::Replica),
 config: request.config,
 frontends: Lru::new(),
 partition: None,
diff --git a/service/Makefile b/service/Makefile
index 96c9758..c153dcd 100644
--- a/service/Makefile
+++ b/service/Makefile
@@ -117,7 +117,6 @@ tar: $(builddir)/kbupd-$(VERSION)-bin-staging.tar.gz $(builddir)/kbupd-$(VERSION
 $(builddir)/kbupd-$(VERSION)-bin-%.tar.gz: FORCE
 $(targetdir)/release/kbupd-config validate frontend config/frontend.$*.yml
- $(targetdir)/release/kbupd-config validate frontend config/frontend.$*-ias-v4.yml
 $(targetdir)/release/kbupd-config validate replica $(wildcard config/replica-*.$*.yml)
 -rm -rf $(builddir)/tar/
 mkdir -p $(builddir)/tar/enclave/
@@ -127,7 +126,6 @@ $(builddir)/kbupd-$(VERSION)-bin-%.tar.gz: FORCE
 $(INSTALL_PROGRAM) $(targetdir)/release/kbuptlsd $(builddir)/tar/
 $(INSTALL_DATA) $(wildcard kbupd/res/enclave/*.so) $(builddir)/tar/enclave/
 $(INSTALL_DATA) config/frontend.$*.yml $(builddir)/tar/
- $(INSTALL_DATA) config/frontend.$*-ias-v4.yml $(builddir)/tar/
 $(INSTALL_DATA) $(wildcard config/replica-*.$*.yml) $(builddir)/tar/
 $(INSTALL_DATA) config/peer_ca_cert.$*.pem $(builddir)/tar/
 tar -czf $(builddir)/kbupd-$(VERSION)-bin-$*.tar.gz -C $(builddir)/tar .
diff --git a/service/kbupd/src/frontend/mod.rs b/service/kbupd/src/frontend/mod.rs
index 8b2db80..0cf37cd 100644
--- a/service/kbupd/src/frontend/mod.rs
+++ b/service/kbupd/src/frontend/mod.rs
@@ -13,12 +13,11 @@ use std::sync::Arc;
 use std::thread;
 use std::time::Duration;
-use failure::{bail, format_err, ResultExt};
+use failure::{format_err, ResultExt};
 use futures::future;
 use futures::prelude::*;
 use hyper::Uri;
 use hyper::client::connect::HttpConnector;
-use ias_client::IasApiVersion;
 use kbupd_config::metrics::*;
 use kbupd_config::FrontendConfig;
 use kbuptlsd::prelude::*;
@@ -98,14 +97,8 @@ impl FrontendService {
 })
 .context("error creating intel attestation tls proxy client")?;
- let ias_version = match config.attestation.iasVersion {
- None | Some(3) => IasApiVersion::ApiVer3,
- Some(4) => IasApiVersion::ApiVer4,
- _ => bail!("unrecognized IAS version: {}", config.attestation.iasVersion.unwrap())
- };
-
 let new_intel_client =
- new_ias_client(&config.attestation.host, ias_version, &config.attestation.apiKey, intel_client_proxy).context("error creating intel attestation client")?;
+ new_ias_client(&config.attestation.host, &config.attestation.apiKey, intel_client_proxy).context("error creating intel attestation client")?;
 handshake_manager = Some(HandshakeManager::new(
 enclave_manager_tx.clone(),
 new_intel_client.clone(),
@@ -145,7 +138,6 @@ impl FrontendService {
 let enclave_spid = config.attestation.spid;
 let enclave_executor = runtime.executor();
 let enclave_directory = cmdline_config.enclave_directory.to_owned();
- let ias_version = config.attestation.iasVersion.unwrap_or(3);
 let enclave_thread = thread::spawn(move || -> Result<(), failure::Error> {
 let mut enclaves = Vec::with_capacity(enclave_configs.len());
 for (enclave_config, partitions) in enclave_configs {
@@ -169,7 +161,6 @@ impl FrontendService {
 pending_request_ttl: util::duration::as_ticks(pending_request_ttl, timer_tick_interval),
 pending_request_count: enclave_config.pendingRequestCount,
 max_backup_data_length: enclave_config.maxBackupDataLength,
- ias_version,
 };
 let mut partition_configs = Vec::new();
diff --git a/service/kbupd/src/intel_client.rs b/service/kbupd/src/intel_client.rs
index 27838e8..0bc154f 100644
--- a/service/kbupd/src/intel_client.rs
+++ b/service/kbupd/src/intel_client.rs
@@ -13,11 +13,11 @@ use kbuptlsd::prelude::*;
 pub type KbupdIasClient = IasClient>;
-pub fn new_ias_client(host: &str, ias_version: IasApiVersion, api_key: &str, tls_proxy: TlsClientProxySpawner) -> Result {
+pub fn new_ias_client(host: &str, api_key: &str, tls_proxy: TlsClientProxySpawner) -> Result {
 let mut http_connector = HttpConnector::new(1);
 http_connector.enforce_http(false);
 let tls_connector = TlsProxyConnector::new(Arc::new(tls_proxy), http_connector);
- IasClient::new(host, Some(ias_version), Some(api_key), tls_connector)
+ IasClient::new(host, Some(IasApiVersion::ApiVer4), Some(api_key), tls_connector)
 }
diff --git a/service/kbupd/src/kbupd.proto b/service/kbupd/src/kbupd.proto
index 6fa06a9..1c7cf53 100644
--- a/service/kbupd/src/kbupd.proto
+++ b/service/kbupd/src/kbupd.proto
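Review bot: `new_ias_client` in service/kbupd/src/intel_client.rs now passes a fixed `Some(IasApiVersion::ApiVer4)` and carries no comment explaining why the version is no longer a parameter. Add a doc comment such as `/// Builds an IAS client pinned to API v4; the enclave's validate_ias_report rejects reports of any other version.` so that a future bump is made on the host and enclave sides together. This is documentation only; the call itself matches the enclave-side check shown in enclave/kbupd_enclave/src/remote/mod.rs.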
@@ -109,7 +109,6 @@ message EnclaveFrontendConfig {
 required uint32 pending_request_count = 5;
 required uint32 pending_request_ttl = 6;
 required uint32 max_backup_data_length = 7;
- required uint32 ias_version = 8;
 }
 message SourcePartitionConfig {
@@ -133,7 +132,6 @@ message EnclaveReplicaConfig {
 required uint32 storage_page_cache_size = 10;
 required uint32 raft_log_index_page_cache_size = 13;
 required uint32 max_frontend_count = 14;
- required uint32 ias_version = 15;
 }
 message StartReplicaGroupRequest {
diff --git a/service/kbupd/src/replica/mod.rs b/service/kbupd/src/replica/mod.rs
index a28a6e4..f3d4a7e 100644
--- a/service/kbupd/src/replica/mod.rs
+++ b/service/kbupd/src/replica/mod.rs
@@ -11,11 +11,10 @@ use std::sync::Arc;
 use std::thread;
 use std::time::Duration;
-use failure::{bail, ResultExt};
+use failure::ResultExt;
 use futures::prelude::*;
 use hyper::Uri;
 use hyper::client::connect::HttpConnector;
-use ias_client::IasApiVersion;
 use kbupd_config::metrics::*;
 use kbupd_config::ReplicaConfig;
 use kbuptlsd::prelude::*;
@@ -83,12 +82,6 @@ impl ReplicaService {
 .host()
 .expect("attestation host does not contain a hostname"));
- let ias_version = match config.attestation.iasVersion {
- None | Some(3) => IasApiVersion::ApiVer3,
- Some(4) => IasApiVersion::ApiVer4,
- _ => bail!("unrecognized IAS version: {}", config.attestation.iasVersion.unwrap())
- };
-
 let intel_client_proxy = TlsClientProxySpawner::new(cmdline_config.kbuptlsd_bin_path.to_owned(), TlsClientProxyArguments::NoConfig {
 ca: TlsClientProxyCaArgument::System,
@@ -96,7 +89,7 @@ impl ReplicaService {
 hostname: TlsClientProxyHostnameArgument::Hostname(hostname)
 })
 .context("error creating intel attestation tls client proxy")?;
- Some(new_ias_client(&config.attestation.host, ias_version, &config.attestation.apiKey, intel_client_proxy).context("error creating intel attestation client")?)
+ Some(new_ias_client(&config.attestation.host, &config.attestation.apiKey, intel_client_proxy).context("error creating intel attestation client")?)
 } else {
 None
 };
@@ -134,7 +127,6 @@ impl ReplicaService {
 storage_page_cache_size: Default::default(), // unused
 max_frontend_count: config.enclave.maxFrontendCount,
 raft_log_index_page_cache_size: 10,
- ias_version: config.attestation.iasVersion.unwrap_or(3),
 };
 info!(
diff --git a/service/kbupd_config/src/frontend/config.rs b/service/kbupd_config/src/frontend/config.rs
index 9dd324b..01834ac 100644
--- a/service/kbupd_config/src/frontend/config.rs
+++ b/service/kbupd_config/src/frontend/config.rs
@@ -76,8 +76,6 @@ pub struct FrontendAttestationConfig {
 pub disabled: bool,
 pub apiKey: String,
-
- pub iasVersion: Option,
 }
 #[derive(Deserialize)]
diff --git a/service/kbupd_config/src/replica/config.rs b/service/kbupd_config/src/replica/config.rs
index 91a4e16..fa35e4f 100644
--- a/service/kbupd_config/src/replica/config.rs
+++ b/service/kbupd_config/src/replica/config.rs
@@ -39,8 +39,6 @@ pub struct ReplicaAttestationConfig {
 pub disabled: bool,
 pub apiKey: String,
-
- pub iasVersion: Option,
 }
 #[derive(Deserialize)]
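Review bot: Dropping `iasVersion` from `FrontendAttestationConfig` (and from `ReplicaAttestationConfig` in the next file) changes what happens to deployed YAML that still sets the key, and the hunk does not show which way it goes. If the structs deny unknown fields the service will refuse to start on such a file; otherwise the key is silently ignored and a deployment that asked for version 3 gets version 4 with no warning. Either outcome should be deliberate: a comment on the struct such as `// iasVersion is no longer read; the IAS API version is fixed at 4.` plus a line in the release notes would cover it. The serde attributes on these structs are outside the hunk, so the parsing behaviour described here is inferred.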