diff --git a/rune/libenclave/attestation/challenger.go b/rune/libenclave/attestation/challenger.go new file mode 100644 index 0000000000000000000000000000000000000000..e0b6b97cb8f4c7403699b3c68523d61fe135ef16 --- /dev/null +++ b/rune/libenclave/attestation/challenger.go @@ -0,0 +1,86 @@ +package attestation // import "github.com/opencontainers/runc/libenclave/attestation" + +import ( + "fmt" +) + +type Challenger interface { + Name() string + New(map[string]string) error + Check([]byte) error + Verify([]byte) (*ReportStatus, error) + GetReport([]byte, uint64) (*ReportStatus, map[string]string, error) + ShowReportStatus(*ReportStatus) + // TODO + // PrepareChallenge() (*pb.AttestChallenge, error) + // HandleChallengeResponse(*pb.AttestResponse) (*Quote, error) +} + +type ReportStatus struct { + StatusCode uint32 + ErrorMessage string + SpecificStatus interface{} +} + +/* +type Service struct { + NonceForChallenge Nonce + NonceForVerify Nonce +} + +type Quote struct { + // FIXME: use interface like io.Reader as callback? + Evidence []byte +} +*/ + +const ( + // FIXME: allow tuning via parameter + seedTimeout int64 = 6e10 // 60 seconds +) + +func NewChallenger(aType string, cfg map[string]string) (Challenger, error) { + for _, c := range challengerList { + if c.Name() == aType { + if err := c.New(cfg); err != nil { + return nil, err + } + + return c, nil + } + } + + return nil, fmt.Errorf("Unsupported attestation service %s specified", aType) +} + +var challengerList []Challenger + +func registerChallenger(challenger Challenger) error { + for _, c := range challengerList { + if c.Name() == challenger.Name() { + return fmt.Errorf("Attestation service %s registered already", challenger.Name()) + } + } + + challengerList = append(challengerList, challenger) + + return nil +} + +/* +func PrepareChallenger() (*pb.AttestChallenge, error) { + return &pb.AttestChallenge{ + Nonce: NonceForChallenge.Generate(), + }, nil +} + +func HandleResponse(r *pb.AttestResponse) (*attest.Quote, error) { + quote := r.GetQuote() + + if len(quote) <= intelsgx.QuoteLength { + return nil, fmt.Errorf("Invalid length of quote returned: %d-byte", len(quote)) + } + + return &Quote{Evidence: quote}, nil +} +*/ diff --git a/rune/libenclave/attestation/check.go b/rune/libenclave/attestation/check.go deleted file mode 100644 index 66b47bb7e04453cc7699a641ff691ce1864eb108..0000000000000000000000000000000000000000 --- a/rune/libenclave/attestation/check.go +++ /dev/null @@ -1,13 +0,0 @@ -package attestation // import "github.com/opencontainers/runc/libenclave/attestation" - -import ( - "fmt" -) - -func (svc *Service) Check(q []byte) error { - if q == nil { - return fmt.Errorf("Invalid Quote") - } - - return svc.Attester.Check(q) -} diff --git a/rune/libenclave/attestation/get_verified_report.go b/rune/libenclave/attestation/get_verified_report.go deleted file mode 100644 index 1a4ae8a7abcf85b1cd3554222bb9e0b13142f5e0..0000000000000000000000000000000000000000 --- a/rune/libenclave/attestation/get_verified_report.go +++ /dev/null @@ -1,5 +0,0 @@ -package attestation // import "github.com/opencontainers/runc/libenclave/attestation" - -func (svc *Service) GetVerifiedReport(q []byte) (*Status, map[string]string, error) { - return svc.Attester.GetVerifiedReport(q) -} diff --git a/rune/libenclave/attestation/registry.go b/rune/libenclave/attestation/registry.go deleted file mode 100644 index 473d447fd78bafc1b37459f49713ea8f33e92a80..0000000000000000000000000000000000000000 --- a/rune/libenclave/attestation/registry.go +++ /dev/null @@ -1,14 +0,0 @@ -package attestation // import "github.com/opencontainers/runc/libenclave/attestation" - -var registry []Registry - -type Registry interface { - Create(p map[string]string) (*Service, error) -} - -func RegisterAttestation(reg Registry) error { - // FIXME: check re-register - registry = append(registry, reg) - - return nil -} diff --git a/rune/libenclave/attestation/service.go b/rune/libenclave/attestation/service.go deleted file mode 100644 index 56afa1faf99945b0f1caec19ef5185177b661839..0000000000000000000000000000000000000000 --- a/rune/libenclave/attestation/service.go +++ /dev/null @@ -1,99 +0,0 @@ -package attestation // import "github.com/opencontainers/runc/libenclave/attestation" - -import ( - "fmt" - pb "github.com/opencontainers/runc/libenclave/attestation/proto" - "log" -) - -type Service struct { - Attester - NonceForChallenge Nonce - NonceForVerify Nonce - verbose bool -} - -type Attester interface { - PrepareChallenge() (*pb.AttestChallenge, error) - HandleChallengeResponse(r *pb.AttestResponse) (*Quote, error) - Check([]byte) error - GetVerifiedReport([]byte) (*Status, map[string]string, error) - Verify([]byte) *Status - ShowStatus(status *Status) -} - -type Quote struct { - // FIXME: use interface like io.Reader as callback? - Evidence []byte -} - -const ( - StatusSgxBit = 0x80000000 -) - -type Status struct { - StatusCode uint32 - ErrorMessage string - SpecificStatus interface{} -} - -func NewService(p map[string]string, verbose bool) (*Service, error) { - // TODO: try to probe the hardware and know which hardware security - // technology is actually supported. - - for _, reg := range registry { - var svc *Service - var err error - - if svc, err = reg.Create(p); err == nil { - if svc.Attester == nil { - log.Println("Attestation service not set attester") - continue - } - - svc.verbose = verbose - return svc, nil - } - - if verbose { - log.Fatal(err) - } - } - - return nil, fmt.Errorf("No matching attestation registry available") -} - -/* -func (attest *Attestation) SetParameter(key string, val string, overwrite bool) error { - // FIXME: use sync mutex - if err := attest.GetParameter(key); err == nil { - if !overwrite { - return fmt.Errorf("Attestation parameter %s exists", key) - } - } - - attest.parameters[key] = val - - return nil -} - -func (attest *Attestation) GetParameter(key string) (string, error) { - if !attest.parameters[key] { - return "", fmt.Errorf("Attestation parameter %s not exists", key) - } - - return attest.parameters[key], nil -} -*/ - -func (svc *Service) VerboseOn() { - svc.verbose = true -} - -func (svc *Service) VerboseOff() { - svc.verbose = false -} - -func (svc *Service) IsVerbose() bool { - return svc.verbose -} diff --git a/rune/libenclave/attestation/sgx-epid-challenger.go b/rune/libenclave/attestation/sgx-epid-challenger.go new file mode 100644 index 0000000000000000000000000000000000000000..e08a2047cb573aef4a2623547b5d1a32d57fb56f --- /dev/null +++ b/rune/libenclave/attestation/sgx-epid-challenger.go @@ -0,0 +1,84 @@ +package attestation // import "github.com/opencontainers/runc/libenclave/attestation" + +import ( + "fmt" + "github.com/opencontainers/runc/libenclave/attestation/sgx/ias" + "github.com/sirupsen/logrus" +) + +type sgxEpidChallenger struct { + ias *ias.IasAttestation +} + +/* The definition of StatusCode */ +const ( + StatusSgxBit = 0x80000000 +) + +func (epid *sgxEpidChallenger) Name() string { + return "sgx-epid" +} + +func (epid *sgxEpidChallenger) New(cfg map[string]string) error { + ias, err := ias.NewIasAttestation(cfg) + if err != nil { + return nil + } + epid.ias = ias + + return nil +} + +func (epid *sgxEpidChallenger) Check(quote []byte) error { + return epid.ias.CheckQuote(quote) +} + +func (epid *sgxEpidChallenger) Verify(quote []byte) (*ReportStatus, error) { + s, err := epid.ias.VerifyQuote(quote) + if err != nil { + return nil, err + } + + /* FIXME: check whether the report status is acceptable */ + status := &ReportStatus{ + StatusCode: StatusSgxBit, + SpecificStatus: s, + } + + return status, nil +} + +func (epid *sgxEpidChallenger) GetReport(quote []byte, nonce uint64) (*ReportStatus, map[string]string, error) { + s, report, err := epid.ias.RetrieveIasReport(quote, nonce) + if err != nil { + return nil, nil, err + } + + status := &ReportStatus{ + StatusCode: StatusSgxBit, + SpecificStatus: s, + } + + return status, report, nil +} + +func (epid *sgxEpidChallenger) ShowReportStatus(status *ReportStatus) { + if status.StatusCode&StatusSgxBit != StatusSgxBit { + logrus.Error("Report status is used for SGX EPID-based") + return + } + + s, ok := status.SpecificStatus.(*ias.IasReportStatus) + if ok { + logrus.Infof("Request ID: %s\n", s.RequestId) + logrus.Infof("Report ID: %s\n", s.ReportId) + logrus.Infof("Timestamp: %s\n", s.Timestamp) + logrus.Infof("IsvEnclaveQuoteStatus: %s\n", s.QuoteStatus) + } +} + +func init() { + if err := registerChallenger(&sgxEpidChallenger{}); err != nil { + fmt.Print(err) + } +} diff --git a/rune/libenclave/attestation/sgx/ias/ias.go b/rune/libenclave/attestation/sgx/ias/ias.go index 03859eb54f54254dc43ba20d53b8211dba1f94b7..5b0d438c14994416c14e808ab57346252e2f59bc 100644 --- a/rune/libenclave/attestation/sgx/ias/ias.go +++ b/rune/libenclave/attestation/sgx/ias/ias.go @@ -9,8 +9,7 @@ import ( "encoding/json" "encoding/pem" "fmt" - attest "github.com/opencontainers/runc/libenclave/attestation" - pb "github.com/opencontainers/runc/libenclave/attestation/proto" + //pb "github.com/opencontainers/runc/libenclave/attestation/proto" "github.com/opencontainers/runc/libenclave/intelsgx" "github.com/sirupsen/logrus" "io" @@ -27,47 +26,42 @@ const ( subscriptionKeyLength = 16 ) -type reportStatus struct { - requestId string - reportId string - timestamp string - quoteStatus string -} - -type iasRegistry struct { -} - -type iasService struct { - attest.Service +type IasAttestation struct { reportApiUrl string spid [spidLength]byte subscriptionKey [subscriptionKeyLength]byte } -func (reg *iasRegistry) Create(p map[string]string) (*attest.Service, error) { +type IasReportStatus struct { + RequestId string + ReportId string + Timestamp string + QuoteStatus string +} + +func NewIasAttestation(cfg map[string]string) (*IasAttestation, error) { isProduct := false - v := attest.GetParameter("service-class", p) - if v != "" && v == "product" { + v, ok := cfg["service-class"] + if ok && v == "product" { isProduct = true } - spid := attest.GetParameter("spid", p) - if spid == "" { - return nil, fmt.Errorf("Missing parameter spid") + spid, ok := cfg["spid"] + if !ok || spid == "" { + return nil, fmt.Errorf("EPID parameter spid not specified") } if len(spid) != spidLength*2 { - return nil, fmt.Errorf("The length of spid must be %d-character", - spidLength*2) + return nil, fmt.Errorf("Spid must be %d-character long", spidLength*2) } - subKey := attest.GetParameter("subscription-key", p) - if subKey == "" { - return nil, fmt.Errorf("Missing parameter subscription-key") + subKey, ok := cfg["subscription-key"] + if !ok && subKey == "" { + return nil, fmt.Errorf("EPID parameter subscription-key not specified") } if len(subKey) != subscriptionKeyLength*2 { - return nil, fmt.Errorf("The length of subscription key must be %d-character", + return nil, fmt.Errorf("Subscription key must be %d-character long", subscriptionKeyLength*2) } @@ -87,86 +81,67 @@ func (reg *iasRegistry) Create(p map[string]string) (*attest.Service, error) { url += "/dev" } - apiVer := attest.GetParameter("apiVer", p) - if apiVer != "" { - apiVersion, err = strconv.ParseUint(apiVer, 10, 32) + version := apiVersion + apiVer, ok := cfg["apiVer"] + if ok && apiVer != "" { + version, err = strconv.ParseUint(apiVer, 10, 32) if err != nil { return nil, fmt.Errorf("Invalid IAS API Version: %s", err) - } else if apiVersion != apiV3 && apiVersion != apiV4 { + } + if version != apiV3 && apiVersion != apiV4 { return nil, fmt.Errorf("Unsupported IAS API Version: %s", apiVer) } } - url += fmt.Sprintf("/attestation/v%d/report", apiVersion) + url += fmt.Sprintf("/attestation/v%d/report", version) - ias := &iasService{ + ias := &IasAttestation{ reportApiUrl: url, } copy(ias.subscriptionKey[:], rawSubKey) copy(ias.spid[:], rawSpid) - ias.Attester = ias - - return &ias.Service, nil -} - -func (ias *iasService) PrepareChallenge() (*pb.AttestChallenge, error) { - return &pb.AttestChallenge{ - Nonce: ias.NonceForChallenge.Generate(), - }, nil + return ias, nil } -func (ias *iasService) HandleChallengeResponse(r *pb.AttestResponse) (*attest.Quote, error) { - quote := r.GetQuote() - - if len(quote) <= intelsgx.QuoteLength { - return nil, fmt.Errorf("Invalid length of quote returned: %d-byte", len(quote)) - } - - return &attest.Quote{Evidence: quote}, nil -} - -// TODO: check target enclave report -func (ias *iasService) Check(q []byte) error { +func (ias *IasAttestation) CheckQuote(q []byte) error { quote := (*intelsgx.Quote)(unsafe.Pointer(&q[0])) - if ias.IsVerbose() { - logrus.Infof("Target Platform's Quote") - logrus.Infof(" Quote Body") - logrus.Infof(" QUOTE Structure Version: %d", - quote.Version) - logrus.Infof(" EPID Signature Type: %d", - quote.SignatureType) - logrus.Infof(" Platform's EPID Group ID: %#08x", - quote.Gid) - logrus.Infof(" Quoting Enclave's ISV assigned SVN: %#04x", - quote.ISVSvnQe) - logrus.Infof(" Provisioning Certification Enclave's ISV assigned SVN: %#04x", - quote.ISVSvnPce) - logrus.Infof(" EPID Basename: 0x%v", - hex.EncodeToString(quote.Basename[:])) - logrus.Infof(" Report Body") - logrus.Infof(" Target CPU SVN: 0x%v", - hex.EncodeToString(quote.CpuSvn[:])) - logrus.Infof(" Enclave Misc Select: %#08x", - quote.MiscSelect) - logrus.Infof(" Enclave Attributes: 0x%v", - hex.EncodeToString(quote.Attributes[:])) - logrus.Infof(" Enclave Hash: 0x%v", - hex.EncodeToString(quote.MrEnclave[:])) - logrus.Infof(" Enclave Signer: 0x%v", - hex.EncodeToString(quote.MrSigner[:])) - logrus.Infof(" ISV assigned Product ID: %#04x", - quote.IsvProdId) - logrus.Infof(" ISV assigned SVN: %#04x", - quote.IsvSvn) - logrus.Infof(" Report Data: 0x%v...", - hex.EncodeToString(quote.ReportData[:32])) - logrus.Infof(" Encrypted EPID Signature") - logrus.Infof(" Length: %d", - quote.SigLen) - logrus.Infof(" Signature: 0x%v...", - hex.EncodeToString(q[intelsgx.QuoteLength:intelsgx.QuoteLength+32])) - } + logrus.Debugf("Target Platform's Quote") + logrus.Debugf(" Quote Body") + logrus.Debugf(" QUOTE Structure Version: %d", + quote.Version) + logrus.Debugf(" EPID Signature Type: %d", + quote.SignatureType) + logrus.Debugf(" Platform's EPID Group ID: %#08x", + quote.Gid) + logrus.Debugf(" Quoting Enclave's ISV assigned SVN: %#04x", + quote.ISVSvnQe) + logrus.Debugf(" Provisioning Certification Enclave's ISV assigned SVN: %#04x", + quote.ISVSvnPce) + logrus.Debugf(" EPID Basename: 0x%v", + hex.EncodeToString(quote.Basename[:])) + logrus.Debugf(" Report Body") + logrus.Debugf(" Target CPU SVN: 0x%v", + hex.EncodeToString(quote.CpuSvn[:])) + logrus.Debugf(" Enclave Misc Select: %#08x", + quote.MiscSelect) + logrus.Debugf(" Enclave Attributes: 0x%v", + hex.EncodeToString(quote.Attributes[:])) + logrus.Debugf(" Enclave Hash: 0x%v", + hex.EncodeToString(quote.MrEnclave[:])) + logrus.Debugf(" Enclave Signer: 0x%v", + hex.EncodeToString(quote.MrSigner[:])) + logrus.Debugf(" ISV assigned Product ID: %#04x", + quote.IsvProdId) + logrus.Debugf(" ISV assigned SVN: %#04x", + quote.IsvSvn) + logrus.Debugf(" Report Data: 0x%v...", + hex.EncodeToString(quote.ReportData[:32])) + logrus.Debugf(" Encrypted EPID Signature") + logrus.Debugf(" Length: %d", + quote.SigLen) + logrus.Debugf(" Signature: 0x%v...", + hex.EncodeToString(q[intelsgx.QuoteLength:intelsgx.QuoteLength+32])) if quote.Version != intelsgx.QuoteVersion { return fmt.Errorf("Invalid quote version: %d", quote.Version) @@ -187,64 +162,49 @@ func (ias *iasService) Check(q []byte) error { return nil } -func (ias *iasService) getIasReport(quote []byte) (*attest.Status, map[string]string, error) { - nonce := strconv.FormatUint(rand.Uint64(), 16) + strconv.FormatUint(rand.Uint64(), 16) - p := &evidencePayload{ - IsvEnclaveQuote: base64.StdEncoding.EncodeToString(quote), - PseManifest: "", - Nonce: nonce, +func (ias *IasAttestation) VerifyQuote(quote []byte) (*IasReportStatus, error) { + status, _, err := ias.RetrieveIasReport(quote, 0) + if err != nil { + return nil, err } - status := &attest.Status{ - StatusCode: attest.StatusSgxBit, - ErrorMessage: "", + return status, nil +} + +func (ias *IasAttestation) GetVerifiedReport(quote []byte, nonce uint64) (*IasReportStatus, map[string]string, error) { + return ias.RetrieveIasReport(quote, nonce) +} + +func (ias *IasAttestation) RetrieveIasReport(quote []byte, nonce uint64) (*IasReportStatus, map[string]string, error) { + var nonceStr string + + if nonce == 0 { + nonceStr = strconv.FormatUint(rand.Uint64(), 16) + strconv.FormatUint(rand.Uint64(), 16) + } else { + nonceStr = strconv.FormatUint(nonce, 16) } - var resp *http.Response - var err error - if resp, err = ias.reportAttestationEvidence(p); err != nil { - status.ErrorMessage = fmt.Sprintf("%s", err) - return status, nil, err + p := &evidencePayload{ + IsvEnclaveQuote: base64.StdEncoding.EncodeToString(quote), + PseManifest: "", + Nonce: nonceStr, } - defer resp.Body.Close() - var reportStatus *reportStatus - reportStatus, rawReport, err := checkVerificationReport(resp, quote, nonce) + resp, err := ias.reportAttestationEvidence(p) if err != nil { - status.ErrorMessage = fmt.Sprintf("%s", err) - return status, nil, err + return nil, nil, err } + defer resp.Body.Close() - iasReport := formatIasReport(resp, rawReport) - - status.SpecificStatus = reportStatus - return status, iasReport, nil -} - -func (ias *iasService) Verify(quote []byte) *attest.Status { - status, _, err := ias.getIasReport(quote) + status, rawReport, err := checkAttestationVerificationReport(resp, quote, nonceStr) if err != nil { - return nil + return nil, nil, err } - return status -} - -func (ias *iasService) GetVerifiedReport(quote []byte) (*attest.Status, map[string]string, error) { - return ias.getIasReport(quote) -} - -func (ias *iasService) ShowStatus(status *attest.Status) { - s, ok := status.SpecificStatus.(*reportStatus) - if ok { - logrus.Infof("Request ID: %s\n", s.requestId) - logrus.Infof("Report ID: %s\n", s.reportId) - logrus.Infof("Timestamp: %s\n", s.timestamp) - logrus.Infof("IsvEnclaveQuoteStatus: %s\n", s.quoteStatus) - } + return status, formatIasReport(resp, rawReport), nil } -func (ias *iasService) reportAttestationEvidence(p *evidencePayload) (*http.Response, error) { +func (ias *IasAttestation) reportAttestationEvidence(p *evidencePayload) (*http.Response, error) { var jp []byte var err error @@ -261,14 +221,12 @@ func (ias *iasService) reportAttestationEvidence(p *evidencePayload) (*http.Resp req.Header.Add("Content-Type", "application/json") req.Header.Add("Ocp-Apim-Subscription-Key", hex.EncodeToString(ias.subscriptionKey[:])) - if ias.IsVerbose() { - logrus.Infof("Initializing attestation evidence report ...") + logrus.Debugf("Initializing attestation evidence report ...") - if dump, err := httputil.DumpRequestOut(req, true); err == nil { - logrus.Infof("--- start of request ---") - logrus.Infof("%s\n", dump) - logrus.Infof("--- end of request ---") - } + if dump, err := httputil.DumpRequestOut(req, true); err == nil { + logrus.Debugf("--- start of request ---") + logrus.Debugf("%s\n", dump) + logrus.Debugf("--- end of request ---") } client := &http.Client{ @@ -282,14 +240,12 @@ func (ias *iasService) reportAttestationEvidence(p *evidencePayload) (*http.Resp return nil, fmt.Errorf("Failed to send http request and receive http response: %s", err) } - if ias.IsVerbose() { - logrus.Infof("Attestation evidence response retrieved ...") + logrus.Debugf("Attestation evidence response retrieved ...") - if dump, err := httputil.DumpResponse(resp, true); err == nil { - logrus.Infof("--- start of response ---") - logrus.Infof("%s\n", dump) - logrus.Infof("--- end of response ---") - } + if dump, err := httputil.DumpResponse(resp, true); err == nil { + logrus.Debugf("--- start of response ---") + logrus.Debugf("%s\n", dump) + logrus.Debugf("--- end of response ---") } return resp, nil @@ -309,11 +265,11 @@ func formatIasReport(resp *http.Response, rawReport string) map[string]string { return iasReport } -func checkVerificationReport(resp *http.Response, quote []byte, nonce string) (*reportStatus, string, error) { - status := &reportStatus{ - requestId: "", - reportId: "", - quoteStatus: "", +func checkAttestationVerificationReport(resp *http.Response, quote []byte, nonce string) (*IasReportStatus, string, error) { + status := &IasReportStatus{ + RequestId: "", + ReportId: "", + QuoteStatus: "", } if resp.StatusCode != 200 { @@ -339,7 +295,7 @@ func checkVerificationReport(resp *http.Response, quote []byte, nonce string) (* return status, "", fmt.Errorf("No Request-ID in response header") } - status.requestId = reqId + status.RequestId = reqId if resp.Header.Get("X-Iasreport-Signature") == "" { return status, "", fmt.Errorf("No X-Iasreport-Signature in response header") @@ -371,9 +327,9 @@ func checkVerificationReport(resp *http.Response, quote []byte, nonce string) (* rawReport, err) } - status.reportId = report.Id - status.timestamp = report.Timestamp - status.quoteStatus = report.IsvEnclaveQuoteStatus + status.ReportId = report.Id + status.Timestamp = report.Timestamp + status.QuoteStatus = report.IsvEnclaveQuoteStatus if report.Version != (uint32)(apiVersion) { return status, "", fmt.Errorf("Unsupported attestation API version %d in attesation verification report", @@ -481,9 +437,3 @@ func checkVerificationReport(resp *http.Response, quote []byte, nonce string) (* return status, string(rawReport), nil } - -func init() { - if err := attest.RegisterAttestation(&iasRegistry{}); err != nil { - fmt.Print(err) - } -} diff --git a/rune/libenclave/attestation/utils.go b/rune/libenclave/attestation/utils.go deleted file mode 100644 index 8cdf6b1c578cc3115f3d820590fa0bf3de9e1f73..0000000000000000000000000000000000000000 --- a/rune/libenclave/attestation/utils.go +++ /dev/null @@ -1,11 +0,0 @@ -package attestation // import "github.com/opencontainers/runc/libenclave/attestation" - -func GetParameter(key string, p map[string]string) string { - for k, v := range p { - if k == key { - return v - } - } - - return "" -} diff --git a/rune/libenclave/attestation/verify.go b/rune/libenclave/attestation/verify.go deleted file mode 100644 index dd08007a101b754f0b68f3331c9c6e4db3023e1b..0000000000000000000000000000000000000000 --- a/rune/libenclave/attestation/verify.go +++ /dev/null @@ -1,10 +0,0 @@ -package attestation // import "github.com/opencontainers/runc/libenclave/attestation" - -const ( - // FIXME: allow tuning via parameter - seedTimeout int64 = 6e10 // 60 seconds -) - -func (svc *Service) Verify(q []byte) *Status { - return svc.Attester.Verify(q) -} diff --git a/rune/libenclave/internal/runtime/pal/pal_linux.go b/rune/libenclave/internal/runtime/pal/pal_linux.go index a26e72c26895d93daee65146f8b7623f24149ac6..d402b080dba36dd7a5eb5abf748f55068bb091b3 100644 --- a/rune/libenclave/internal/runtime/pal/pal_linux.go +++ b/rune/libenclave/internal/runtime/pal/pal_linux.go @@ -126,25 +126,24 @@ func (pal *enclaveRuntimePal) Attest(spid string, subscriptionKey string, produc } // get IAS remote attestation report - var verbose bool = true p := parseAttestParameters(spid, subscriptionKey, product) - svc, err := attestation.NewService(p, verbose) + challenger, err := attestation.NewChallenger("sgx-epid", p) if err != nil { log.Fatal(err) return nil, err } - if err = svc.Check(quote); err != nil { + if err = challenger.Check(quote); err != nil { log.Fatal(err) return nil, err } - status, iasReport, err := svc.GetVerifiedReport(quote) + status, iasReport, err := challenger.GetReport(quote, 0) if err != nil { return nil, fmt.Errorf("%s", err) } - svc.ShowStatus(status) + challenger.ShowReportStatus(status) return iasReport, nil }