devired_key: cleaning pass confidential-containers#1

eldios · eldios · commit 6916687090e7 · 2025-02-06T00:41:46.000+01:00
diff --git a/api-server-rest/src/aa.rs b/api-server-rest/src/aa.rs
@@ -67,6 +67,18 @@ impl ApiHandler for AAClient {
                 _ => {
                     return self.not_found();
                 }
+                None => return self.bad_request(),
+            },
+            AA_DERIVED_KEY_URL => match params.get() {
+                Some(key) => match self.get_derived_key().await {
+                    std::result::Result::Ok(results) => return self.octet_stream_response(results),
+                    Err(e) => return self.internal_error(e.to_string()),
+                },
+                None => return self.bad_request(),
+            },
+
+            _ => {
+                return self.not_found();
             }
         }
 
diff --git a/attestation-agent/attestation-agent/src/bin/grpc-aa/server.rs b/attestation-agent/attestation-agent/src/bin/grpc-aa/server.rs
@@ -164,14 +164,10 @@ impl AttestationAgentService for AA {
 
         debug!("AA (grpc): get derived key ...");
 
-        let derived_key = self
-            .inner
-            .get_derived_key(&request.key_id)
-            .await
-            .map_err(|e| {
-                error!("AA (grpc): get derived key failed:\n{e:?}\nkey_id:\n{&request.key_id}");
-                Status::internal(format!("[ERROR:{AGENT_NAME}] AA get derived key failed"))
-            })?;
+        let derived_key = self.inner.get_derived_key().await.map_err(|e| {
+            error!("AA (grpc): get derived key failed:\n{e:?}");
+            Status::internal(format!("[ERROR:{AGENT_NAME}] AA get derived key failed"))
+        })?;
 
         debug!("AA (grpc): Get derived key successfully!");
 
diff --git a/attestation-agent/attestation-agent/src/bin/ttrpc-aa-client.rs b/attestation-agent/attestation-agent/src/bin/ttrpc-aa-client.rs
@@ -80,11 +80,7 @@ struct GetTokenArgs {
 
 #[derive(Args)]
 #[command(author, version, about, long_about = None)]
-struct GetDerivedKeyArgs {
-    /// base64 encodede runtime data
-    #[arg(short, long)]
-    key_id: String,
-}
+struct GetDerivedKeyArgs {}
 
 #[derive(Args)]
 #[command(author, version, about, long_about = None)]
@@ -152,15 +148,14 @@ pub async fn main() {
         }
         Operation::GetDerivedKey(get_derived_key_args) => {
             let req = GetDerivedKeyRequest {
-                KeyId: get_derived_key_args.key_id,
                 ..Default::default()
             };
             let res = client
                 .get_derived_key(context::with_timeout(TIMEOUT), &req)
                 .await
                 .expect("request to AA");
-            let key_id = String::from_utf8(res.KeyId).unwrap();
-            println!("{key_id}");
+            let key = String::from_utf8(res.Key).unwrap();
+            println!("{key}");
         }
         Operation::ExtendRuntimeMeasurement(extend_runtime_measurement_args) => {
             let req = ExtendRuntimeMeasurementRequest {
diff --git a/attestation-agent/attestation-agent/src/bin/ttrpc_dep/server.rs b/attestation-agent/attestation-agent/src/bin/ttrpc_dep/server.rs
@@ -84,21 +84,16 @@ impl AttestationAgentService for AA {
     ) -> ::ttrpc::Result<GetDerivedKeyResponse> {
         debug!("AA (ttrpc): get derived key ...");
 
+        let empty_context = Vec::new();
         let derived_key = self
             .inner
-            .get_derived_key(&req.KeyId, Vec::new())
+            .get_derived_key(empty_context)
             .await
             .map_err(|e| {
-                error!(
-                    "AA (ttrpc): get derived key failed:\n {e:?}\n key_id:\n {:#?}",
-                    &req.KeyId
-                );
+                error!("AA (ttrpc): get derived key failed:\n {e:?}");
                 let mut error_status = ::ttrpc::proto::Status::new();
                 error_status.set_code(Code::INTERNAL);
-                error_status.set_message(format!(
-                    "[ERROR:{AGENT_NAME}] AA-KBC get derived key failed. key_id: {:#?}",
-                    &req.KeyId
-                ));
+                error_status.set_message("[ERROR:{AGENT_NAME}] AA-KBC get derived key failed.");
                 ::ttrpc::Error::RpcStatus(error_status)
             })?;
 
diff --git a/attestation-agent/attestation-agent/src/lib.rs b/attestation-agent/attestation-agent/src/lib.rs
@@ -60,8 +60,8 @@ pub trait AttestationAPIs {
     /// Get TEE hardware signed evidence that includes the runtime data.
     async fn get_evidence(&self, runtime_data: &[u8]) -> Result<Vec<u8>>;
 
-    /// Get a derived key using the provided key ID
-    async fn get_derived_key(&self, key_id: &[u8], context: Vec<u8>) -> Result<Vec<u8>>;
+    /// Get a derived key
+    async fn get_derived_key(&self, context: Vec<u8>) -> Result<Vec<u8>>;
 
     /// Extend runtime measurement register
     async fn extend_runtime_measurement(
@@ -180,8 +180,8 @@ impl AttestationAPIs for AttestationAgent {
         Ok(evidence.into_bytes())
     }
 
-    async fn get_derived_key(&self, key_id: &[u8], context: Vec<u8>) -> Result<Vec<u8>> {
-        self.attester.get_derived_key(key_id, context).await
+    async fn get_derived_key(&self, context: Vec<u8>) -> Result<Vec<u8>> {
+        self.attester.get_derived_key(context).await
     }
 
     /// Extend runtime measurement register. Parameters
diff --git a/attestation-agent/attester/src/snp/mod.rs b/attestation-agent/attester/src/snp/mod.rs
@@ -71,10 +71,6 @@ impl Attester for SnpAttester {
         }
 
         context.resize(64, 0);
-        let _root_key: u8 = root_key_hinit
-            .first()
-            .copied()
-            .context("Invalid key or empty key specified")?;
 
         let mut firmware: Firmware = Firmware::open()?;
 
diff --git a/attestation-agent/kbs_protocol/src/evidence_provider/aa_ttrpc.rs b/attestation-agent/kbs_protocol/src/evidence_provider/aa_ttrpc.rs
@@ -40,9 +40,8 @@ impl AAEvidenceProvider {
 #[async_trait]
 impl EvidenceProvider for AAEvidenceProvider {
     /// Get derived key using the provided key ID
-    async fn get_derived_key(&self, key_id: &[u8], _context: Vec<u8>) -> Result<Vec<u8>> {
+    async fn get_derived_key(&self, _context: Vec<u8>) -> Result<Vec<u8>> {
         let req = GetDerivedKeyRequest {
-            KeyId: key_id.to_vec(),
             ..Default::default()
         };
         let res = self
diff --git a/attestation-agent/kbs_protocol/src/evidence_provider/mock.rs b/attestation-agent/kbs_protocol/src/evidence_provider/mock.rs
@@ -19,7 +19,7 @@ impl EvidenceProvider for MockedEvidenceProvider {
         Ok("test evidence".into())
     }
 
-    async fn get_derived_key(&self, _key_id: &[u8], _context: Vec<u8>) -> Result<Vec<u8>> {
+    async fn get_derived_key(&self, _context: Vec<u8>) -> Result<Vec<u8>> {
         Ok(vec![0u8; 32]) // Return a mock 32-byte key filled with zeros
     }
 
diff --git a/attestation-agent/kbs_protocol/src/evidence_provider/mod.rs b/attestation-agent/kbs_protocol/src/evidence_provider/mod.rs
@@ -27,7 +27,6 @@ pub trait EvidenceProvider: Send + Sync {
     async fn get_tee_type(&self) -> Result<Tee>;
 
     /// Get a derived key using the hardware-specific key derivation function.
-    /// The parameter `root_key_hint` is the root key used for derivation,
-    /// and `context` is additional data used in the derivation process.
-    async fn get_derived_key(&self, key_id: &[u8], context: Vec<u8>) -> Result<Vec<u8>>;
+    /// The parameter `context` is data potentially used in the derivation process.
+    async fn get_derived_key(&self, context: Vec<u8>) -> Result<Vec<u8>>;
 }
diff --git a/attestation-agent/kbs_protocol/src/evidence_provider/native.rs b/attestation-agent/kbs_protocol/src/evidence_provider/native.rs
@@ -35,9 +35,9 @@ impl EvidenceProvider for NativeEvidenceProvider {
         Ok(detect_tee_type())
     }
 
-    async fn get_derived_key(&self, key_id: &[u8], context: Vec<u8>) -> Result<Vec<u8>> {
+    async fn get_derived_key(&self, context: Vec<u8>) -> Result<Vec<u8>> {
         self.0
-            .get_derived_key(key_id, context)
+            .get_derived_key(context)
             .await
             .map_err(|e| Error::GetDerivedKey(e.to_string()))
     }
diff --git a/attestation-agent/kbs_protocol/src/ttrpc_protos/attestation_agent.rs b/attestation-agent/kbs_protocol/src/ttrpc_protos/attestation_agent.rs
@@ -515,9 +515,6 @@ impl ::protobuf::reflect::ProtobufValue for GetTokenResponse {
 // @@protoc_insertion_point(message:attestation_agent.GetDerivedKeyRequest)
 #[derive(PartialEq,Clone,Default,Debug)]
 pub struct GetDerivedKeyRequest {
-    // message fields
-    // @@protoc_insertion_point(field:attestation_agent.GetDerivedKeyRequest.KeyId)
-    pub KeyId: ::std::vec::Vec<u8>,
     // special fields
     // @@protoc_insertion_point(special_field:attestation_agent.GetDerivedKeyRequest.special_fields)
     pub special_fields: ::protobuf::SpecialFields,
@@ -535,13 +532,8 @@ impl GetDerivedKeyRequest {
     }
 
     fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData {
-        let mut fields = ::std::vec::Vec::with_capacity(1);
+        let mut fields = ::std::vec::Vec::with_capacity(0);
         let mut oneofs = ::std::vec::Vec::with_capacity(0);
-        fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>(
-            "KeyId",
-            |m: &GetDerivedKeyRequest| { &m.KeyId },
-            |m: &mut GetDerivedKeyRequest| { &mut m.KeyId },
-        ));
         ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::<GetDerivedKeyRequest>(
             "GetDerivedKeyRequest",
             fields,
@@ -560,9 +552,6 @@ impl ::protobuf::Message for GetDerivedKeyRequest {
     fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> {
         while let Some(tag) = is.read_raw_tag_or_eof()? {
             match tag {
-                10 => {
-                    self.KeyId = is.read_bytes()?;
-                },
                 tag => {
                     ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?;
                 },
@@ -575,18 +564,12 @@ impl ::protobuf::Message for GetDerivedKeyRequest {
     #[allow(unused_variables)]
     fn compute_size(&self) -> u64 {
         let mut my_size = 0;
-        if !self.KeyId.is_empty() {
-            my_size += ::protobuf::rt::bytes_size(1, &self.KeyId);
-        }
         my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields());
         self.special_fields.cached_size().set(my_size as u32);
         my_size
     }
 
     fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> {
-        if !self.KeyId.is_empty() {
-            os.write_bytes(1, &self.KeyId)?;
-        }
         os.write_unknown_fields(self.special_fields.unknown_fields())?;
         ::std::result::Result::Ok(())
     }
@@ -604,13 +587,11 @@ impl ::protobuf::Message for GetDerivedKeyRequest {
     }
 
     fn clear(&mut self) {
-        self.KeyId.clear();
         self.special_fields.clear();
     }
 
     fn default_instance() -> &'static GetDerivedKeyRequest {
         static instance: GetDerivedKeyRequest = GetDerivedKeyRequest {
-            KeyId: ::std::vec::Vec::new(),
             special_fields: ::protobuf::SpecialFields::new(),
         };
         &instance
@@ -1856,33 +1837,32 @@ static file_descriptor_proto_data: &'static [u8] = b"\
     \"1\n\x13GetEvidenceResponse\x12\x1a\n\x08Evidence\x18\x01\x20\x01(\x0cR\
     \x08Evidence\"/\n\x0fGetTokenRequest\x12\x1c\n\tTokenType\x18\x01\x20\
     \x01(\tR\tTokenType\"(\n\x10GetTokenResponse\x12\x14\n\x05Token\x18\x01\
-    \x20\x01(\x0cR\x05Token\",\n\x14GetDerivedKeyRequest\x12\x14\n\x05KeyId\
-    \x18\x01\x20\x01(\x0cR\x05KeyId\"7\n\x15GetDerivedKeyResponse\x12\x1e\n\
-    \nDerivedKey\x18\x01\x20\x01(\x0cR\nDerivedKey\"\xae\x01\n\x1fExtendRunt\
-    imeMeasurementRequest\x12\x16\n\x06Domain\x18\x01\x20\x01(\tR\x06Domain\
-    \x12\x1c\n\tOperation\x18\x02\x20\x01(\tR\tOperation\x12\x18\n\x07Conten\
-    t\x18\x03\x20\x01(\tR\x07Content\x12)\n\rRegisterIndex\x18\x04\x20\x01(\
-    \x04H\0R\rRegisterIndex\x88\x01\x01B\x10\n\x0e_RegisterIndex\"\"\n\x20Ex\
-    tendRuntimeMeasurementResponse\"K\n\x11InitDataPlaintext\x12\x18\n\x07Co\
-    ntent\x18\x01\x20\x01(\x0cR\x07Content\x12\x1c\n\tAlgorithm\x18\x02\x20\
-    \x01(\tR\tAlgorithm\"-\n\x13BindInitDataRequest\x12\x16\n\x06Digest\x18\
-    \x01\x20\x01(\x0cR\x06Digest\"\x16\n\x14BindInitDataResponse\"4\n\x1aUpd\
-    ateConfigurationRequest\x12\x16\n\x06config\x18\x01\x20\x01(\tR\x06confi\
-    g\"\x1d\n\x1bUpdateConfigurationResponse\"\x13\n\x11GetTeeTypeRequest\"&\
-    \n\x12GetTeeTypeResponse\x12\x10\n\x03tee\x18\x01\x20\x01(\tR\x03tee2\
-    \xe8\x05\n\x17AttestationAgentService\x12b\n\rGetDerivedKey\x12'.attesta\
-    tion_agent.GetDerivedKeyRequest\x1a(.attestation_agent.GetDerivedKeyResp\
-    onse\x12\\\n\x0bGetEvidence\x12%.attestation_agent.GetEvidenceRequest\
-    \x1a&.attestation_agent.GetEvidenceResponse\x12S\n\x08GetToken\x12\".att\
-    estation_agent.GetTokenRequest\x1a#.attestation_agent.GetTokenResponse\
-    \x12\x83\x01\n\x18ExtendRuntimeMeasurement\x122.attestation_agent.Extend\
-    RuntimeMeasurementRequest\x1a3.attestation_agent.ExtendRuntimeMeasuremen\
-    tResponse\x12_\n\x0cBindInitData\x12&.attestation_agent.BindInitDataRequ\
-    est\x1a'.attestation_agent.BindInitDataResponse\x12t\n\x13UpdateConfigur\
-    ation\x12-.attestation_agent.UpdateConfigurationRequest\x1a..attestation\
-    _agent.UpdateConfigurationResponse\x12Y\n\nGetTeeType\x12$.attestation_a\
-    gent.GetTeeTypeRequest\x1a%.attestation_agent.GetTeeTypeResponseb\x06pro\
-    to3\
+    \x20\x01(\x0cR\x05Token\"\x16\n\x14GetDerivedKeyRequest\"7\n\x15GetDeriv\
+    edKeyResponse\x12\x1e\n\nDerivedKey\x18\x01\x20\x01(\x0cR\nDerivedKey\"\
+    \xae\x01\n\x1fExtendRuntimeMeasurementRequest\x12\x16\n\x06Domain\x18\
+    \x01\x20\x01(\tR\x06Domain\x12\x1c\n\tOperation\x18\x02\x20\x01(\tR\tOpe\
+    ration\x12\x18\n\x07Content\x18\x03\x20\x01(\tR\x07Content\x12)\n\rRegis\
+    terIndex\x18\x04\x20\x01(\x04H\0R\rRegisterIndex\x88\x01\x01B\x10\n\x0e_\
+    RegisterIndex\"\"\n\x20ExtendRuntimeMeasurementResponse\"K\n\x11InitData\
+    Plaintext\x12\x18\n\x07Content\x18\x01\x20\x01(\x0cR\x07Content\x12\x1c\
+    \n\tAlgorithm\x18\x02\x20\x01(\tR\tAlgorithm\"-\n\x13BindInitDataRequest\
+    \x12\x16\n\x06Digest\x18\x01\x20\x01(\x0cR\x06Digest\"\x16\n\x14BindInit\
+    DataResponse\"4\n\x1aUpdateConfigurationRequest\x12\x16\n\x06config\x18\
+    \x01\x20\x01(\tR\x06config\"\x1d\n\x1bUpdateConfigurationResponse\"\x13\
+    \n\x11GetTeeTypeRequest\"&\n\x12GetTeeTypeResponse\x12\x10\n\x03tee\x18\
+    \x01\x20\x01(\tR\x03tee2\xe8\x05\n\x17AttestationAgentService\x12b\n\rGe\
+    tDerivedKey\x12'.attestation_agent.GetDerivedKeyRequest\x1a(.attestation\
+    _agent.GetDerivedKeyResponse\x12\\\n\x0bGetEvidence\x12%.attestation_age\
+    nt.GetEvidenceRequest\x1a&.attestation_agent.GetEvidenceResponse\x12S\n\
+    \x08GetToken\x12\".attestation_agent.GetTokenRequest\x1a#.attestation_ag\
+    ent.GetTokenResponse\x12\x83\x01\n\x18ExtendRuntimeMeasurement\x122.atte\
+    station_agent.ExtendRuntimeMeasurementRequest\x1a3.attestation_agent.Ext\
+    endRuntimeMeasurementResponse\x12_\n\x0cBindInitData\x12&.attestation_ag\
+    ent.BindInitDataRequest\x1a'.attestation_agent.BindInitDataResponse\x12t\
+    \n\x13UpdateConfiguration\x12-.attestation_agent.UpdateConfigurationRequ\
+    est\x1a..attestation_agent.UpdateConfigurationResponse\x12Y\n\nGetTeeTyp\
+    e\x12$.attestation_agent.GetTeeTypeRequest\x1a%.attestation_agent.GetTee\
+    TypeResponseb\x06proto3\
 ";
 
 /// `FileDescriptorProto` object which was a source for this generated file
diff --git a/attestation-agent/protos/attestation-agent.proto b/attestation-agent/protos/attestation-agent.proto
@@ -18,9 +18,7 @@ message GetTokenResponse {
     bytes Token = 1;
 }
 
-message GetDerivedKeyRequest {
-    bytes KeyId = 1;
-}
+message GetDerivedKeyRequest {}
 
 message GetDerivedKeyResponse {
     bytes DerivedKey = 1;

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,18 @@ impl ApiHandler for AAClient {`
`67`	`67`	`_ => {`
`68`	`68`	`return self.not_found();`
`69`	`69`	`}`
	`70`	`+ None => return self.bad_request(),`
	`71`	`+ },`
	`72`	`+ AA_DERIVED_KEY_URL => match params.get() {`
	`73`	`+ Some(key) => match self.get_derived_key().await {`
	`74`	`+ std::result::Result::Ok(results) => return self.octet_stream_response(results),`
	`75`	`+ Err(e) => return self.internal_error(e.to_string()),`
	`76`	`+ },`
	`77`	`+ None => return self.bad_request(),`
	`78`	`+ },`
	`79`	`+`
	`80`	`+ _ => {`
	`81`	`+ return self.not_found();`
`70`	`82`	`}`
`71`	`83`	`}`
`72`	`84`
Original file line number	Diff line number	Diff line change
`@@ -71,10 +71,6 @@ impl Attester for SnpAttester {`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`context.resize(64, 0);`
`74`		`- let _root_key: u8 = root_key_hinit`
`75`		`- .first()`
`76`		`- .copied()`
`77`		`- .context("Invalid key or empty key specified")?;`
`78`	`74`
`79`	`75`	`let mut firmware: Firmware = Firmware::open()?;`
`80`	`76`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ impl EvidenceProvider for MockedEvidenceProvider {`
`19`	`19`	`Ok("test evidence".into())`
`20`	`20`	`}`
`21`	`21`
`22`		`- async fn get_derived_key(&self, _key_id: &[u8], _context: Vec<u8>) -> Result<Vec<u8>> {`
	`22`	`+ async fn get_derived_key(&self, _context: Vec<u8>) -> Result<Vec<u8>> {`
`23`	`23`	`Ok(vec![0u8; 32]) // Return a mock 32-byte key filled with zeros`
`24`	`24`	`}`
`25`	`25`
Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,6 @@ pub trait EvidenceProvider: Send + Sync {`
`27`	`27`	`async fn get_tee_type(&self) -> Result<Tee>;`
`28`	`28`
`29`	`29`	`/// Get a derived key using the hardware-specific key derivation function.`
`30`		- /// The parameter `root_key_hint` is the root key used for derivation,
`31`		- /// and `context` is additional data used in the derivation process.
`32`		`- async fn get_derived_key(&self, key_id: &[u8], context: Vec<u8>) -> Result<Vec<u8>>;`
	`30`	+ /// The parameter `context` is data potentially used in the derivation process.
	`31`	`+ async fn get_derived_key(&self, context: Vec<u8>) -> Result<Vec<u8>>;`
`33`	`32`	`}`
Original file line number	Diff line number	Diff line change
`@@ -35,9 +35,9 @@ impl EvidenceProvider for NativeEvidenceProvider {`
`35`	`35`	`Ok(detect_tee_type())`
`36`	`36`	`}`
`37`	`37`
`38`		`- async fn get_derived_key(&self, key_id: &[u8], context: Vec<u8>) -> Result<Vec<u8>> {`
	`38`	`+ async fn get_derived_key(&self, context: Vec<u8>) -> Result<Vec<u8>> {`
`39`	`39`	`self.0`
`40`		`- .get_derived_key(key_id, context)`
	`40`	`+ .get_derived_key(context)`
`41`	`41`	`.await`
`42`	`42`	`.map_err(\|e\| Error::GetDerivedKey(e.to_string()))`
`43`	`43`	`}`