Add SNP-style virtual attestations, restoring code update tests #6770

Open: wants to merge 30 commits into base: main
a931ec5
Remove unused SGX block
eddyashton Jan 15, 2025
deb614f
Plausible SNP-style virtual attestation
eddyashton Jan 16, 2025
4cafc93
Rename response's mrenclave to measurement
eddyashton Jan 16, 2025
a852850
Comment tweak
eddyashton Jan 16, 2025
76bb8b7
Baby steps - Python code to verify virtual quotes
eddyashton Jan 16, 2025
d8e8aa4
Working virtual code update
eddyashton Jan 17, 2025
844dc56
Remove oe_binary arg
eddyashton Jan 17, 2025
aa3f34f
Virtual security policy and host data tests, where possible
eddyashton Jan 17, 2025
12f000d
Remove redundant test_quote
eddyashton Jan 17, 2025
767ae41
Update new nodes endpoints to describe virtual quotes
eddyashton Jan 17, 2025
6a17b18
LTS compat working with new virtual attestations
eddyashton Jan 17, 2025
b0e96b6
Merge branch 'main' of github.com:microsoft/CCF into virtual_attestat…
eddyashton Jan 17, 2025
663b8b0
Include juggling
eddyashton Jan 17, 2025
1ac798a
Lint
eddyashton Jan 17, 2025
75f1dbf
Schema bump
eddyashton Jan 17, 2025
d4a0461
Remove debug logging
eddyashton Jan 17, 2025
4398ff8
Merge branch 'main' of github.com:microsoft/CCF into virtual_attestat…
eddyashton Jan 17, 2025
a53bdd7
Merge branch 'main' of github.com:microsoft/CCF into virtual_attestat…
eddyashton Jan 21, 2025
488d573
Document new tables
eddyashton Jan 21, 2025
d402708
Update reconfig test
eddyashton Jan 21, 2025
e032125
Update API descriptions
eddyashton Jan 21, 2025
c0ff3ef
Minimal plumbing to enable test_add_node_with_bad_security_policy
eddyashton Jan 21, 2025
e6342e2
Justifying comment
eddyashton Jan 21, 2025
998e0b8
Update doc/audit/builtin_maps.rst
eddyashton Jan 22, 2025
7c362f6
Update include/ccf/pal/attestation.h
eddyashton Jan 22, 2025
551ea7e
Remove virtual attestation actions from default constitution
eddyashton Jan 22, 2025
cde04db
A helpful error for future travellers
eddyashton Jan 22, 2025
41e8efa
Remove --oe-binary, celebrate
eddyashton Jan 22, 2025
1a54d1e
Subtleties
eddyashton Jan 22, 2025
fdb1095
artforms
eddyashton Jan 22, 2025
25 changes: 12 additions & 13 deletions CMakeLists.txt
Expand Up @@ -301,8 +301,6 @@ set(CCF_JS_SOURCES
${CCF_DIR}/src/js/registry.cpp
)

set(OE_BINDIR "")

if(COMPILE_TARGET STREQUAL "snp")
add_host_library(ccf_js.snp "${CCF_JS_SOURCES}")
add_san(ccf_js.snp)
Expand Down Expand Up @@ -1027,8 +1025,6 @@ if(BUILD_TESTS)
PYTHON_SCRIPT ${CMAKE_SOURCE_DIR}/tests/e2e_suite.py
LABEL suite
ADDITIONAL_ARGS
--oe-binary
${OE_BINDIR}
--ledger-recovery-timeout
20
--test-duration
Expand Down Expand Up @@ -1106,9 +1102,8 @@ if(BUILD_TESTS)
NAME governance_test
PYTHON_SCRIPT ${CMAKE_SOURCE_DIR}/tests/governance.py
CONSTITUTION ${CONSTITUTION_ARGS}
ADDITIONAL_ARGS
--oe-binary ${OE_BINDIR} --initial-operator-count 1
--jinja-templates-path ${CMAKE_SOURCE_DIR}/samples/templates
ADDITIONAL_ARGS --initial-operator-count 1 --jinja-templates-path
${CMAKE_SOURCE_DIR}/samples/templates
)

add_e2e_test(
Expand All @@ -1120,8 +1115,11 @@ if(BUILD_TESTS)
add_e2e_test(
NAME code_update_test
PYTHON_SCRIPT ${CMAKE_SOURCE_DIR}/tests/code_update.py
ADDITIONAL_ARGS --oe-binary ${OE_BINDIR} --js-app-bundle
${CMAKE_SOURCE_DIR}/samples/apps/logging/js
ADDITIONAL_ARGS
--js-app-bundle
${CMAKE_SOURCE_DIR}/samples/apps/logging/js
--constitution
${CMAKE_SOURCE_DIR}/samples/constitutions/virtual/virtual_attestation_actions.js
)

if(BUILD_TPCC)
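Review bot: The `--constitution` argument added to code_update_test points at samples/constitutions/virtual/virtual_attestation_actions.js, and nothing in this hunk guards it on COMPILE_TARGET, so the virtual-only governance actions would also be loaded when the test is built for snp. If that is not intended, wrap the argument in a check for the virtual target, or add a comment saying why it is safe to pass unconditionally.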
Expand Down Expand Up @@ -1256,9 +1254,7 @@ if(BUILD_TESTS)
${CMAKE_SOURCE_DIR}/python/config_1_x.ini
)

list(APPEND LTS_TEST_ARGS --oe-binary ${OE_BINDIR} --ccf-version
${CCF_VERSION}
)
list(APPEND LTS_TEST_ARGS --ccf-version ${CCF_VERSION})
if(LONG_TESTS)
list(APPEND LTS_TEST_ARGS --check-ledger-compatibility)
endif()
Expand All @@ -1268,7 +1264,10 @@ if(BUILD_TESTS)
NAME lts_compatibility
PYTHON_SCRIPT ${CMAKE_SOURCE_DIR}/tests/lts_compatibility.py
LABEL e2e
ADDITIONAL_ARGS ${LTS_TEST_ARGS}
ADDITIONAL_ARGS
${LTS_TEST_ARGS}
--constitution
${CMAKE_SOURCE_DIR}/samples/constitutions/virtual/virtual_attestation_actions.js
)
set_property(
TEST lts_compatibility
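Review bot: The virtual_attestation_actions.js path in the lts_compatibility ADDITIONAL_ARGS is a second literal copy of the one added to code_update_test. Define the path once in a variable and reference it from both tests, so that moving or renaming the file cannot leave one test pointing at a stale path.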
26 changes: 23 additions & 3 deletions doc/audit/builtin_maps.rst
Expand Up @@ -138,10 +138,30 @@ DEPRECATED. Previously contained versions of the code allowed to join the curren
* - ``cae46d1...bb908b64e``
- ``ALLOWED_TO_JOIN``

``nodes.virtual.host_data``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Map mimicking SNP host_data for virtual nodes, restricting which host_data values may be presented by new nodes joining the network.

**Key** Host data: The host data.

**Value** Metadata: The platform specific meaning of the host data.

``nodes.virtual.measurements``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Trusted virtual measurements for new nodes allowed to join the network. Virtual measurements are constructed by CCF to test and debug code update flows on hardware without TEE protections.

.. warning:: Since virtual nodes provide no protection, this should be empty on production instances.

**Key** Measurement, represented as a base64 hex-encoded string (length: 64).

**Value** Status represented as JSON.

``nodes.snp.host_data``
~~~~~~~~~~~~~~~~~~~~~~~

Trusted attestation report host data field for new nodes allowed to join the network (:doc:`SNP <../operations/platforms/snp>` only).
Trusted attestation report host data field for new nodes allowed to join the network (:doc:`SNP <../operations/platforms/snp>` only). Only the presence of the joiner's host data key is checked, so the metadata is optional and may be empty for space-saving or privacy reasons.

**Key** Host data: The host data.

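Review bot: In the new ``nodes.virtual.measurements`` entry, the key is described as a "base64 hex-encoded string (length: 64)", which names two different encodings. The VirtualAttestationMeasurement schema added to gov_openapi.json in this PR declares hex, so this should read "hex-encoded string (length: 64)". The ``nodes.virtual.host_data`` entry could also carry the same production warning that the measurements entry has.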
Expand All @@ -150,7 +170,7 @@ Trusted attestation report host data field for new nodes allowed to join the net
``nodes.snp.measurements``
~~~~~~~~~~~~~~~~~~~~~~~~~~

Trusted measurements for new nodes allowed to join the network (:doc:`SNP <../operations/platforms/snp>` only).
Trusted SNP measurements for new nodes allowed to join the network (:doc:`SNP <../operations/platforms/snp>` only).

.. note:: For improved serviceability on confidential ACI deployments, see :ref:`audit/builtin_maps:``nodes.snp.uvm_endorsements``` map.

Expand Down Expand Up @@ -387,7 +407,7 @@ JWT signing keys, used until 6.0.
**Value** List of (DER-encoded certificate, issuer, constraint), represented as JSON.

``jwt.public_signing_keys_metadata_v2``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

JWT signing keys, from 6.0.0 onwards.

33 changes: 32 additions & 1 deletion doc/schemas/gov/2024-07-01/gov.json
Expand Up @@ -1708,11 +1708,16 @@
"snp": {
"$ref": "#/definitions/ServiceState.SnpJoinPolicy",
"description": "Policy applied to nodes running in AMD SEV-SNP containers."
},
"virtual": {
"$ref": "#/definitions/ServiceState.VirtualJoinPolicy",
"description": "Policy applied to virtual nodes (insecure, intended for debugging)."
}
},
"required": [
"sgx",
"snp"
"snp",
"virtual"
]
},
"ServiceState.JoinPolicy": {
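Review bot: Adding "virtual" to the "required" list changes the contract of the dated 2024-07-01 schema: a response that omits the field, as one produced before this change would, no longer validates against it. Either leave "virtual" optional in this API version or make it required only in a new dated version.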
Expand Down Expand Up @@ -2232,6 +2237,32 @@
],
"x-ms-discriminator-value": "OE_SGX_v1"
},
"ServiceState.VirtualJoinPolicy": {
"type": "object",
"description": "Join policy fields specific to nodes running on virtual nodes with no hardware protection.",
"properties": {
"measurements": {
"type": "array",
"description": "Code measurements of acceptable enclaves.",
"items": {
"type": "string",
"format": "byte"
}
},
"hostData": {
"type": "object",
"description": "Collection of acceptable host data values.",
"additionalProperties": {
"format": "byte",
"type": "string"
}
}
},
"required": [
"measurements",
"hostData"
]
},
"ServiceState.SnpJoinPolicy": {
"type": "object",
"description": "Join policy fields specific to nodes running on AMD SEV-SNP hardware.",
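Review bot: The descriptions in ServiceState.VirtualJoinPolicy need tightening: "nodes running on virtual nodes" is circular, and "Code measurements of acceptable enclaves" refers to enclaves although the object is described as having no hardware protection. The encoding of "measurements" should also be stated, since "format": "byte" means base64 in OpenAPI while gov_openapi.json in this PR declares VirtualAttestationMeasurement as hex.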
75 changes: 74 additions & 1 deletion doc/schemas/gov_openapi.json
Expand Up @@ -1223,6 +1223,29 @@
},
"type": "object"
},
"VirtualAttestationMeasurement": {
"format": "hex",
"pattern": "^[a-f0-9]64$",
"type": "string"
},
"VirtualAttestationMeasurement_to_CodeStatus": {
"items": {
"items": {
"oneOf": [
{
"$ref": "#/components/schemas/VirtualAttestationMeasurement"
},
{
"$ref": "#/components/schemas/CodeStatus"
}
]
},
"maxItems": 2,
"minItems": 2,
"type": "array"
},
"type": "array"
},
"base64string": {
"format": "base64",
"type": "string"
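Review bot: The "pattern" for VirtualAttestationMeasurement, "^[a-f0-9]64$", has no repetition braces, so as written it matches one hex character followed by the literal text 64 (three characters in total), not a 64-character hex string. It should be "^[a-f0-9]{64}$"; if this file is generated, the fix belongs in whatever emits the pattern.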
Expand Down Expand Up @@ -1331,7 +1354,7 @@
"info": {
"description": "This API is used to submit and query proposals which affect CCF's public governance tables.",
"title": "CCF Governance API",
"version": "4.5.0"
"version": "4.5.1"
},
"openapi": "3.0.0",
"paths": {
Expand Down Expand Up @@ -2153,6 +2176,56 @@
}
}
},
"/gov/kv/nodes/virtual/host_data": {
"get": {
"deprecated": true,
"operationId": "GetGovKvNodesVirtualHostData",
"responses": {
"200": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/Sha256Digest_to_string"
}
}
},
"description": "Default response description"
},
"default": {
"$ref": "#/components/responses/default"
}
},
"summary": "This route is auto-generated from the KV schema.",
"x-ccf-forwarding": {
"$ref": "#/components/x-ccf-forwarding/sometimes"
}
}
},
"/gov/kv/nodes/virtual/measurements": {
"get": {
"deprecated": true,
"operationId": "GetGovKvNodesVirtualMeasurements",
"responses": {
"200": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/VirtualAttestationMeasurement_to_CodeStatus"
}
}
},
"description": "Default response description"
},
"default": {
"$ref": "#/components/responses/default"
}
},
"summary": "This route is auto-generated from the KV schema.",
"x-ccf-forwarding": {
"$ref": "#/components/x-ccf-forwarding/sometimes"
}
}
},
"/gov/kv/proposals": {
"get": {
"deprecated": true,
4 changes: 2 additions & 2 deletions doc/schemas/node_openapi.json
Expand Up @@ -576,7 +576,7 @@
"format": {
"$ref": "#/components/schemas/QuoteFormat"
},
"mrenclave": {
"measurement": {
"$ref": "#/components/schemas/string"
},
"node_id": {
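Review bot: Renaming the response property "mrenclave" to "measurement" breaks any client that reads the old key, and the version change in this file is only a minor bump (4.11.0 to 4.12.0). Add a changelog entry that calls out the rename, or return both keys for a deprecation period.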
Expand Down Expand Up @@ -858,7 +858,7 @@
"info": {
"description": "This API provides public, uncredentialed access to service and node state.",
"title": "CCF Public Node API",
"version": "4.11.0"
"version": "4.12.0"
},
"openapi": "3.0.0",
"paths": {
2 changes: 1 addition & 1 deletion include/ccf/ds/quote_info.h
Expand Up @@ -32,7 +32,7 @@ namespace ccf
std::vector<uint8_t> endorsements;
/// UVM endorsements (SNP-only)
std::optional<std::vector<uint8_t>> uvm_endorsements;
/// Endorsed TCB (hex-encoded)
/// Endorsed TCB (hex-encoded) (SNP-only)
std::optional<std::string> endorsed_tcb = std::nullopt;
};
