ghe0
422e04a538
I believe we are currently not expecting users to change keys. If we do, I believe we should think about the UX of changing sensitive data in the CLI. Also changed "signing key" to "mrsigner key", since all keys are used for signing.
110 lines
3.7 KiB
Rust
110 lines
3.7 KiB
Rust
use detee_sgx::{prelude::*, HRaTlsConfigBuilder};
|
|
use detee_shared::common_proto::Empty;
|
|
use hyper_rustls::HttpsConnectorBuilder;
|
|
use rustls::ClientConfig;
|
|
use std::sync::{Arc, RwLock};
|
|
use tonic::transport::{Channel, Endpoint};
|
|
|
|
use detee_shared::sgx::{
|
|
pb::dtpm_proto::{
|
|
dtpm_config_manager_client::DtpmConfigManagerClient, DtpmConfigData, DtpmSetConfigReq,
|
|
},
|
|
types::dtpm::DtpmConfig,
|
|
};
|
|
|
|
use crate::config::Config;
|
|
use crate::sgx::utils::hratls_url_and_mr_enclave_from_app_id;
|
|
|
|
#[derive(thiserror::Error, Debug)]
|
|
pub enum Error {
|
|
#[error("Failed to connect to the dtpm: {0}")]
|
|
BrainConnection(#[from] tonic::transport::Error),
|
|
#[error("Received error from dtpm: {}", _0.message())]
|
|
ResponseStatus(#[from] tonic::Status),
|
|
#[error("Hex: {0}")]
|
|
HexDecode(#[from] hex::FromHexError),
|
|
#[error("Disk access error: {0}")]
|
|
DiskAccess(#[from] std::io::Error),
|
|
#[error("HRatls: {0}")]
|
|
SgxHRatls(#[from] detee_sgx::error::SgxError),
|
|
#[error("DtpmConfig: {0}")]
|
|
DtpmConfig(String),
|
|
}
|
|
|
|
type Result<T> = std::result::Result<T, Error>;
|
|
|
|
pub async fn connect_dtpm_grpc_client(
|
|
hratls_uri: String,
|
|
package_mr_enclave: Option<[u8; 32]>,
|
|
) -> Result<DtpmConfigManagerClient<Channel>> {
|
|
let private_key_pem = Config::get_hratls_private_key();
|
|
let mut mr_signer = [0u8; 32];
|
|
hex::decode_to_slice(Config::get_mrsigner(), &mut mr_signer)?;
|
|
let mr_signers = vec![mr_signer];
|
|
|
|
let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
|
|
|
|
let hratls_config = Arc::new(RwLock::new(
|
|
HRaTlsConfig::new()
|
|
.allow_instance_measurement(InstanceMeasurement::new().with_mrsigners(mr_signers))
|
|
.with_hratls_private_key_pem(private_key_pem),
|
|
));
|
|
|
|
if let Some(mr_enclave) = package_mr_enclave {
|
|
hratls_config.write().unwrap().allow_more_instance_measurement(
|
|
InstanceMeasurement::new().with_mrenclaves(vec![mr_enclave]),
|
|
);
|
|
}
|
|
|
|
let client_tls_config = ClientConfig::from_hratls_config(hratls_config.clone())?;
|
|
let connector = HttpsConnectorBuilder::new()
|
|
.with_tls_config(client_tls_config)
|
|
.https_only()
|
|
.enable_http2()
|
|
.build();
|
|
|
|
let channel = Endpoint::from_shared(hratls_uri)?.connect_with_connector(connector).await?;
|
|
|
|
Ok(DtpmConfigManagerClient::new(channel))
|
|
}
|
|
|
|
pub async fn attest_and_send_config(loaded_config: DtpmConfig, uuid: &str) -> Result<()> {
|
|
let config_data = Some(DtpmConfigData::from(loaded_config));
|
|
let req_data = DtpmSetConfigReq { config_data, ..Default::default() };
|
|
|
|
log::trace!("Decoded the configuration... {:?}", req_data);
|
|
|
|
let (hratls_uri, mr_enclave) = hratls_url_and_mr_enclave_from_app_id(uuid).await;
|
|
log::info!("hratls uri: {}\nmr_enclave: {:?}", &hratls_uri, &mr_enclave);
|
|
|
|
let client = connect_dtpm_grpc_client(hratls_uri, mr_enclave).await?;
|
|
|
|
let response = client
|
|
.max_decoding_message_size(10240000)
|
|
.set_config(tonic::Request::new(req_data))
|
|
.await?;
|
|
|
|
log::trace!("Received respose from the server...{:?}", response.into_inner());
|
|
|
|
Ok(())
|
|
}
|
|
|
|
pub async fn get_config_from_enclave(uuid: &str) -> Result<DtpmConfig> {
|
|
let (hratls_uri, mr_enclave) = hratls_url_and_mr_enclave_from_app_id(uuid).await;
|
|
log::info!("hratls uri: {}\nmr_enclave: {:?}", &hratls_uri, &mr_enclave);
|
|
|
|
let client = connect_dtpm_grpc_client(hratls_uri, None).await?;
|
|
|
|
let mgr_config_pb = client
|
|
.max_decoding_message_size(10240000)
|
|
.get_config(tonic::Request::new(Empty {}))
|
|
.await?
|
|
.into_inner();
|
|
|
|
let config: DtpmConfig = mgr_config_pb
|
|
.config_data
|
|
.ok_or(Error::DtpmConfig("config data not found".to_string()))?
|
|
.into();
|
|
Ok(config)
|
|
}
|