CCF
Loading...
Searching...
No Matches
attestation_sev_snp_endorsements.h
Go to the documentation of this file.
1// Copyright (c) Microsoft Corporation. All rights reserved.
2// Licensed under the Apache 2.0 License.
3#pragma once
4
5#include "ccf/ds/json.h"
6#include "ccf/ds/unit_strings.h"
7#include "ccf/pal/sev_snp_cpuid.h"
8
9#include <list>
10#include <map>
11#include <string>
12#include <vector>
13
14#define FMT_HEADER_ONLY
15#include <fmt/format.h>
16
17namespace ccf::pal::snp
18{
19 struct ACIReportEndorsements
20 {
21 std::string cache_control;
22 std::string vcek_cert;
23 std::string certificate_chain;
24 std::string tcbm;
25 };
26 DECLARE_JSON_TYPE(ACIReportEndorsements);
27 DECLARE_JSON_REQUIRED_FIELDS_WITH_RENAMES(
28 ACIReportEndorsements,
29 cache_control,
30 "cacheControl",
31 vcek_cert,
32 "vcekCert",
33 certificate_chain,
34 "certificateChain",
35 tcbm,
36 "tcbm");
37
38 struct EndorsementEndpointsConfiguration
39 {
40 struct EndpointInfo
41 {
42 std::string host;
43 std::string port;
44 std::string uri;
45 std::map<std::string, std::string> params;
46 bool response_is_der = false;
47 bool response_is_thim_json = false;
48 std::map<std::string, std::string> headers = {};
49 bool tls = true;
50 size_t max_retries_count = 3;
51 size_t max_client_response_size = SIZE_MAX;
52
53 bool operator==(const EndpointInfo&) const = default;
54 };
55 using Server = std::list<EndpointInfo>;
56
57 // First server in list is always used first and other servers are provided
58 // as fallback.
59 std::list<Server> servers;
60 };
61
62 enum EndorsementsEndpointType
63 {
64 Azure = 0,
65 AMD = 1,
66 THIM = 2,
67 };
68 DECLARE_JSON_ENUM(
69 EndorsementsEndpointType,
70 {{EndorsementsEndpointType::Azure, "Azure"},
71 {EndorsementsEndpointType::AMD, "AMD"},
72 {EndorsementsEndpointType::THIM, "THIM"}});
73
74 struct EndorsementsServer
75 {
76 EndorsementsEndpointType type = Azure;
77 std::optional<std::string> url = std::nullopt;
78 std::optional<size_t> max_retries_count = std::nullopt;
79 std::optional<ccf::ds::SizeString> max_client_response_size = std::nullopt;
80
81 bool operator==(const EndorsementsServer&) const = default;
82 };
83 DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(EndorsementsServer);
84 DECLARE_JSON_REQUIRED_FIELDS(EndorsementsServer);
85 DECLARE_JSON_OPTIONAL_FIELDS(
86 EndorsementsServer, type, url, max_retries_count, max_client_response_size);
87 using EndorsementsServers = std::vector<EndorsementsServer>;
88
89 struct HostPort
90 {
91 std::string host;
92 std::string port;
93 };
94
95 static HostPort default_azure_endorsements_endpoint = {
96 "global.acccache.azure.net", "443"};
97
98 static EndorsementEndpointsConfiguration::Server
99 make_azure_endorsements_server(
100 const HostPort& endpoint,
101 const std::string& chip_id_hex,
102 const std::string& reported_tcb,
103 size_t max_retries_count,
104 size_t max_client_response_size)
105 {
106 std::map<std::string, std::string> params;
107 params["api-version"] = "2020-10-15-preview";
108 EndorsementEndpointsConfiguration::EndpointInfo info{
109 endpoint.host,
110 endpoint.port,
111 fmt::format("/SevSnpVM/certificates/{}/{}", chip_id_hex, reported_tcb),
112 params,
113 };
114
115 info.max_retries_count = max_retries_count;
116 info.max_client_response_size = max_client_response_size;
117
118 return {info};
119 }
120
121 // AMD endorsements endpoints. See
122 // https://www.amd.com/system/files/TechDocs/57230.pdf
123 static HostPort default_amd_endorsements_endpoint = {
124 "kdsintf.amd.com", "443"};
125
126 static EndorsementEndpointsConfiguration::Server make_amd_endorsements_server(
127 const HostPort& endpoint,
128 const std::string& chip_id_hex,
129 const std::string& boot_loader,
130 const std::string& tee,
131 const std::string& snp,
132 const std::string& microcode,
133 const ProductName& product_name,
134 size_t max_retries_count,
135 size_t max_client_response_size)
136 {
137 std::map<std::string, std::string> params;
138 params["blSPL"] = boot_loader;
139 params["teeSPL"] = tee;
140 params["snpSPL"] = snp;
141 params["ucodeSPL"] = microcode;
142
143 EndorsementEndpointsConfiguration::Server server;
144 EndorsementEndpointsConfiguration::EndpointInfo leaf{
145 endpoint.host,
146 endpoint.port,
147 fmt::format("/vcek/v1/{}/{}", to_string(product_name), chip_id_hex),
148 params,
149 true // DER
150 };
151 leaf.max_retries_count = max_retries_count;
152 leaf.max_client_response_size = max_client_response_size;
153 EndorsementEndpointsConfiguration::EndpointInfo chain{
154 endpoint.host,
155 endpoint.port,
156 fmt::format("/vcek/v1/{}/cert_chain", to_string(product_name)),
157 {}};
158 chain.max_retries_count = max_retries_count;
159 chain.max_client_response_size = max_client_response_size;
160
161 server.push_back(leaf);
162 server.push_back(chain);
163 return server;
164 }
165
166 static HostPort default_thim_endorsements_endpoint = {
167 "169.254.169.254", "80"};
168
169 static EndorsementEndpointsConfiguration::Server
170 make_thim_endorsements_server(
171 const HostPort& endpoint,
172 const std::string& chip_id_hex,
173 const std::string& reported_tcb,
174 size_t max_retries_count,
175 size_t max_client_response_size)
176 {
177 std::map<std::string, std::string> params;
178 params["tcbVersion"] = reported_tcb;
179 params["platformId"] = chip_id_hex;
180 EndorsementEndpointsConfiguration::EndpointInfo info{
181 endpoint.host,
182 endpoint.port,
183 "/metadata/THIM/amd/certification",
184 params,
185 false, // Not DER
186 true, // But THIM JSON
187 {{"Metadata", "true"}},
188 false // No TLS
189 };
190 info.max_retries_count = max_retries_count;
191 info.max_client_response_size = max_client_response_size;
192
193 return {info};
194 }
195}
196
197FMT_BEGIN_NAMESPACE
198template <>
199struct formatter<ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo>
200{
201 template <typename ParseContext>
202 constexpr auto parse(ParseContext& ctx)
203 {
204 return ctx.begin();
205 }
206
207 template <typename FormatContext>
208 auto format(
209 const ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo& e,
210 FormatContext& ctx) const
211 {
212 return format_to(
213 ctx.out(), "http{}://{}:{}", e.tls ? "s" : "", e.host, e.port);
214 }
215};
216FMT_END_NAMESPACE
DECLARE_JSON_REQUIRED_FIELDS
#define DECLARE_JSON_REQUIRED_FIELDS(TYPE,...)
Definition json.h:714
DECLARE_JSON_TYPE
#define DECLARE_JSON_TYPE(TYPE)
Definition json.h:663
DECLARE_JSON_REQUIRED_FIELDS_WITH_RENAMES
#define DECLARE_JSON_REQUIRED_FIELDS_WITH_RENAMES(TYPE,...)
Definition json.h:752
DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS
#define DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(TYPE)
Definition json.h:690
DECLARE_JSON_OPTIONAL_FIELDS
#define DECLARE_JSON_OPTIONAL_FIELDS(TYPE,...)
Definition json.h:786
DECLARE_JSON_ENUM
#define DECLARE_JSON_ENUM(TYPE,...)
Definition json.h:837
ccf::pal::snp
Definition attestation_sev_snp.h:24
ccf::pal::snp::to_string
std::string to_string(ProductName product)
Definition sev_snp_cpuid.h:92
ccf::pal::snp::ProductName
ProductName
Definition sev_snp_cpuid.h:86
ccf::pal::snp::EndorsementsEndpointType
EndorsementsEndpointType
Definition attestation_sev_snp_endorsements.h:63
ccf::pal::snp::Azure
@ Azure
Definition attestation_sev_snp_endorsements.h:64
ccf::pal::snp::THIM
@ THIM
Definition attestation_sev_snp_endorsements.h:66
ccf::pal::snp::AMD
@ AMD
Definition attestation_sev_snp_endorsements.h:65
ccf::pal::snp::EndorsementsServers
std::vector< EndorsementsServer > EndorsementsServers
Definition attestation_sev_snp_endorsements.h:87
ccf
Definition app_interface.h:14
tls
Definition key_exchange.h:18
sev_snp_cpuid.h
ccf::pal::snp::ACIReportEndorsements
Definition attestation_sev_snp_endorsements.h:20
ccf::pal::snp::ACIReportEndorsements::tcbm
std::string tcbm
Definition attestation_sev_snp_endorsements.h:24
ccf::pal::snp::ACIReportEndorsements::certificate_chain
std::string certificate_chain
Definition attestation_sev_snp_endorsements.h:23
ccf::pal::snp::ACIReportEndorsements::vcek_cert
std::string vcek_cert
Definition attestation_sev_snp_endorsements.h:22
ccf::pal::snp::ACIReportEndorsements::cache_control
std::string cache_control
Definition attestation_sev_snp_endorsements.h:21
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo
Definition attestation_sev_snp_endorsements.h:41
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::host
std::string host
Definition attestation_sev_snp_endorsements.h:42
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::params
std::map< std::string, std::string > params
Definition attestation_sev_snp_endorsements.h:45
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::headers
std::map< std::string, std::string > headers
Definition attestation_sev_snp_endorsements.h:48
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::max_retries_count
size_t max_retries_count
Definition attestation_sev_snp_endorsements.h:50
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::operator==
bool operator==(const EndpointInfo &) const =default
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::max_client_response_size
size_t max_client_response_size
Definition attestation_sev_snp_endorsements.h:51
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::response_is_der
bool response_is_der
Definition attestation_sev_snp_endorsements.h:46
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::port
std::string port
Definition attestation_sev_snp_endorsements.h:43
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::uri
std::string uri
Definition attestation_sev_snp_endorsements.h:44
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::tls
bool tls
Definition attestation_sev_snp_endorsements.h:49
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::response_is_thim_json
bool response_is_thim_json
Definition attestation_sev_snp_endorsements.h:47
ccf::pal::snp::EndorsementEndpointsConfiguration
Definition attestation_sev_snp_endorsements.h:39
ccf::pal::snp::EndorsementEndpointsConfiguration::servers
std::list< Server > servers
Definition attestation_sev_snp_endorsements.h:59
ccf::pal::snp::EndorsementEndpointsConfiguration::Server
std::list< EndpointInfo > Server
Definition attestation_sev_snp_endorsements.h:55
ccf::pal::snp::EndorsementsServer
Definition attestation_sev_snp_endorsements.h:75
ccf::pal::snp::EndorsementsServer::max_retries_count
std::optional< size_t > max_retries_count
Definition attestation_sev_snp_endorsements.h:78
ccf::pal::snp::EndorsementsServer::max_client_response_size
std::optional< ccf::ds::SizeString > max_client_response_size
Definition attestation_sev_snp_endorsements.h:79
ccf::pal::snp::EndorsementsServer::type
EndorsementsEndpointType type
Definition attestation_sev_snp_endorsements.h:76
ccf::pal::snp::EndorsementsServer::operator==
bool operator==(const EndorsementsServer &) const =default
ccf::pal::snp::EndorsementsServer::url
std::optional< std::string > url
Definition attestation_sev_snp_endorsements.h:77
ccf::pal::snp::HostPort
Definition attestation_sev_snp_endorsements.h:90
ccf::pal::snp::HostPort::port
std::string port
Definition attestation_sev_snp_endorsements.h:92
ccf::pal::snp::HostPort::host
std::string host
Definition attestation_sev_snp_endorsements.h:91
formatter< ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo >::format
auto format(const ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo &e, FormatContext &ctx) const
Definition attestation_sev_snp_endorsements.h:208
formatter< ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo >::parse
constexpr auto parse(ParseContext &ctx)
Definition attestation_sev_snp_endorsements.h:202
unit_strings.h
Generated by doxygen 1.9.8