Deprecate cli related components #403

Merged
merged 5 commits into from
Nov 28, 2024

bitboom
Collaborator

@bitboom bitboom commented Nov 25, 2024

This PR deprecates cli and uses rsictl as is. (Fixed #382.)

  • Add tools/rsictl as a submodule
  • Remove diverged libs (cose, cca-token, rsi-el0)
  • Use rust-rsi at sdk

@bitboom bitboom force-pushed the deprecate-cli branch 4 times, most recently from b35f14e to eb3bab8 Compare November 26, 2024 04:36
Signed-off-by: Sangwan Kwon <sangwan.kwon@samsung.com>
Signed-off-by: Sangwan Kwon <sangwan.kwon@samsung.com>
Signed-off-by: Sangwan Kwon <sangwan.kwon@samsung.com>
@bitboom
Collaborator Author

bitboom commented Nov 26, 2024

@p-sawicki2

I am currently resolving #382 in this PR. As the final step, I plan to remove lib/cca_token, which is the token module in rust-rsi.

One of the requirements from the certifier is to provide a C API that allows access to the RIM value and the Realm’s Challenge from the attestation report.

// certifier
rv = islet_parse(CLAIM_TITLE_RIM,
                 claims,
                 claims_len,
                 measurement_out,
                 measurement_out_size);
return rv == ISLET_SUCCESS;

I have been using ClaimData for parsing this information in SDK. However, since the token module in rust-rsi is private, it cannot be directly accessed from the SDK.

// islet-sdk
#[no_mangle]
pub unsafe extern "C" fn islet_parse(
    title: *const c_char,
    claims: *const c_uchar,
    claims_len: c_int,
    value_out: *mut c_uchar,
    value_out_len: *mut c_int,
) -> islet_status_t {
    let do_parse = || -> Result<(), Error> {
...
        match parse(&claims, title) {
            Some(ClaimData::Bstr(value)) => {
...
            }

To address this, I believe there are two possible approaches:

  1. Provide an API in rust-rsi that allows parsing by passing the name of a specific claim.
  2. Make the token module a public module so that the SDK can access it directly and perform the parsing.

Could you share which approach you prefer?

@p-sawicki2
Collaborator

@bitboom I would prefer the 2nd option, because rust-rsi already contains code for parsing (verifier.rs) the attestation token and getting the claims (example usage of get_claim() function: parser.rs). So, it seems that the only thing is just making them public.
@Havner What is your opinion on that?

@Havner
Collaborator

Havner commented Nov 26, 2024

@bitboom I'm not sure I understand. You need to extract the RIM and the challenge from the token? Because if that is the case you don't need to make any changes to the rust-rsi. You do verify_token which is re-exported in the lib.rs and you have a struct of claims AttestationClaims (platform and realm tokens) from which you can extract any information you need.

Signed-off-by: Sangwan Kwon <sangwan.kwon@samsung.com>
@bitboom
Collaborator Author

bitboom commented Nov 27, 2024

> @bitboom I'm not sure I understand. You need to extract the RIM and the challenge from the token? Because if that is the case you don't need to make any changes to the rust-rsi. You do verify_token which is re-exported in the lib.rs and you have a struct of claims AttestationClaims (platform and realm tokens) from which you can extract any information you need.

I found the way to extract platform & realm claims from platform & realm tokens. Thanks!

let realm_claims = RealmClaims::from_raw_claims(&claims.realm_claims.token_claims, &claims.realm_claims.measurement_claims)?;
let plat_claims = PlatClaims::from_raw_claims(&claims.platform_claims.token_claims)?;

@bitboom bitboom marked this pull request as ready for review November 27, 2024 04:51
Signed-off-by: Sangwan Kwon <sangwan.kwon@samsung.com>
@bitboom bitboom merged commit 00eca1a into main Nov 28, 2024
8 checks passed
@bitboom bitboom deleted the deprecate-cli branch November 28, 2024 07:00
Successfully merging this pull request may close these issues.

SDK should point to rust_rsi instead of rsi_el0