WIP - New tee type: CCA (Confidential Compute Architecture) #184
base: main
/hold
I see this is WIP and it looks like it's just using some dummy evidence, but I got so excited to see CCA support that I had to give a few suggestions.
Also note that #182 will require a rather large rebase once merged.
Cargo.toml
Outdated
@@ -39,7 +39,7 @@ rstest = "0.16.0" | |||
tonic-build = { version = "0.8.0", optional = true } | |||
|
|||
[features] | |||
default = ["sample_kbc", "rust-crypto"] | |||
default = ["sample_kbc", "rust-crypto", "cc_kbc"] |
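Review bot: the second default = [...] line adds "cc_kbc" to the default feature set, so every build that takes the crate defaults now compiles the cc_kbc path, not just builds that want CCA. If this is only needed to exercise the new attester, keep default as ["sample_kbc", "rust-crypto"] and turn the feature on explicitly in the build or test command, so the change does not silently widen what default consumers ship.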
Is this just for testing?
Note how other platforms have an additional feature to build their attester. You may want to add something similar.
yes, this will be reverted I think.
// If the environment variable "CCA_ATTESTER" is set, | ||
// the TEE platform is considered as "CCA". | ||
pub fn detect_platform() -> bool { | ||
env::var("CCA_ATTESTER").is_ok() |
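Review bot: in detect_platform(), env::var("CCA_ATTESTER").is_ok() returns true for any value that is set, including an empty string or "0", and the answer comes from whoever launches the process rather than from the platform. Since the result selects which TEE type the attester reports, the doc comment should say who is expected to set the variable and that it is a test-only switch, and the check should either be compiled only under a test or sample feature or be replaced by a probe of the platform itself before this leaves WIP.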
Who sets this? Is there a way to query the platform more directly like via cpuid?
I was thinking this might be an env, just like AA_SAMPLE_ATTESTER_TEST; query from platform is a great idea. Let's see if we can move toward that.
#[allow(unused_variables)] | ||
impl Attester for CCAAttester { | ||
fn get_evidence(&self, data: String) -> Result<String> { | ||
let s = std::include_str!("cca-claims-without-realm-challenge.json").as_bytes(); |
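Review bot: get_evidence() takes data but, as far as the visible lines show, never uses it (hence the #[allow(unused_variables)] on the impl); the evidence comes from include_str!("cca-claims-without-realm-challenge.json"), a file baked in at compile time. Evidence that is not bound to the caller's data is identical on every call, so a verifier cannot tell a fresh response from a replayed one. Until real evidence is available, consider returning an error outside a test or sample feature, or at least name the parameter _data and drop the blanket allow so later unused variables are not masked, and add a comment stating that this evidence must not be accepted by a production verifier.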
This is some kind of placeholder?
Currently, I don't have an elegant way to get back the evidence, so just load it in this way instead. This will be updated if there is any progress for us to get back the real evidence.
#[derive(Debug, EnumString, Display)] | ||
#[strum(ascii_case_insensitive, serialize_all = "lowercase")] | ||
pub enum Tee { | ||
Tdx, | ||
Sgx, | ||
Sevsnp, | ||
Sample, | ||
CCA, |
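Review bot: the new CCA variant breaks the naming used by the other variants (Tdx, Sgx, Sevsnp, Sample), which are UpperCamelCase. Renaming it to Cca costs nothing on the wire: with serialize_all = "lowercase" both spellings serialize as "cca", and ascii_case_insensitive means "CCA" still parses. A short doc comment on the variant spelling out the acronym would also help readers of the enum.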
CCA -> Cca
@fitzthum thanks a lot for your review, any comments are highly appreciated!
f9a3445 to 1393c4e
The evidence is currently loaded from disk, it's actually a placeholder and should be updated if there is a way available to get back the real evidence.

Signed-off-by: Dave Chen <[email protected]>
support ARM CCA (Confidential Compute Architecture), the evidence is loaded from the disk atm, this should be improved when there is a proper way to fetch the evidence instead.