CCF
Loading...
Searching...
No Matches
attestation_sev_snp_endorsements.h
Go to the documentation of this file.
1// Copyright (c) Microsoft Corporation. All rights reserved.
2// Licensed under the Apache 2.0 License.
3#pragma once
4
5#include "ccf/ds/json.h"
6#include "ccf/ds/unit_strings.h"
7#include "ccf/pal/sev_snp_cpuid.h"
8
9#include <list>
10#include <map>
11#include <string>
12#include <vector>
13
14#define FMT_HEADER_ONLY
15#include <fmt/format.h>
16
17namespace ccf::pal::snp
18{
19 struct ACIReportEndorsements
20 {
21 std::string cache_control;
22 std::string vcek_cert;
23 std::string certificate_chain;
24 std::string tcbm;
25 };
26 DECLARE_JSON_TYPE(ACIReportEndorsements);
27 DECLARE_JSON_REQUIRED_FIELDS_WITH_RENAMES(
28 ACIReportEndorsements,
29 cache_control,
30 "cacheControl",
31 vcek_cert,
32 "vcekCert",
33 certificate_chain,
34 "certificateChain",
35 tcbm,
36 "tcbm");
37
38 struct EndorsementEndpointsConfiguration
39 {
40 struct EndpointInfo
41 {
42 std::string host;
43 std::string port;
44 std::string uri;
45 std::map<std::string, std::string> params;
46 bool response_is_der = false;
47 bool response_is_thim_json = false;
48 std::map<std::string, std::string> headers;
49 bool tls = true;
50 size_t max_retries_count = 3;
51 size_t max_client_response_size = SIZE_MAX;
52
53 bool operator==(const EndpointInfo&) const = default;
54 };
55 using Server = std::list<EndpointInfo>;
56
57 // First server in list is always used first and other servers are provided
58 // as fallback.
59 std::list<Server> servers;
60 };
61
62 enum EndorsementsEndpointType : uint8_t
63 {
64 Azure = 0,
65 AMD = 1,
66 THIM = 2,
67 };
68 DECLARE_JSON_ENUM(
69 EndorsementsEndpointType,
70 {{EndorsementsEndpointType::Azure, "Azure"},
71 {EndorsementsEndpointType::AMD, "AMD"},
72 {EndorsementsEndpointType::THIM, "THIM"}});
73
74 struct EndorsementsServer
75 {
76 EndorsementsEndpointType type = Azure;
77 std::optional<std::string> url = std::nullopt;
78 std::optional<size_t> max_retries_count = std::nullopt;
79 std::optional<ccf::ds::SizeString> max_client_response_size = std::nullopt;
80
81 bool operator==(const EndorsementsServer&) const = default;
82 };
83 DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(EndorsementsServer);
84 DECLARE_JSON_REQUIRED_FIELDS(EndorsementsServer);
85 DECLARE_JSON_OPTIONAL_FIELDS(
86 EndorsementsServer, type, url, max_retries_count, max_client_response_size);
87 using EndorsementsServers = std::vector<EndorsementsServer>;
88
89 struct HostPort
90 {
91 std::string host;
92 std::string port;
93 };
94
95 static HostPort default_azure_endorsements_endpoint = {
96 "global.acccache.azure.net", "443"};
97
98 static EndorsementEndpointsConfiguration::Server
99 make_azure_endorsements_server(
100 const HostPort& endpoint,
101 const std::string& chip_id_hex,
102 const std::string& reported_tcb,
103 size_t max_retries_count,
104 size_t max_client_response_size)
105 {
106 std::map<std::string, std::string> params;
107 params["api-version"] = "2020-10-15-preview";
108 EndorsementEndpointsConfiguration::EndpointInfo info{
109 .host = endpoint.host,
110 .port = endpoint.port,
111 .uri =
112 fmt::format("/SevSnpVM/certificates/{}/{}", chip_id_hex, reported_tcb),
113 .params = params,
114 .headers = {}};
115
116 info.max_retries_count = max_retries_count;
117 info.max_client_response_size = max_client_response_size;
118
119 return {info};
120 }
121
122 // AMD endorsements endpoints. See
123 // https://www.amd.com/system/files/TechDocs/57230.pdf
124 static HostPort default_amd_endorsements_endpoint = {
125 "kdsintf.amd.com", "443"};
126
127 static EndorsementEndpointsConfiguration::Server make_amd_endorsements_server(
128 const HostPort& endpoint,
129 const std::string& chip_id_hex,
130 const std::string& boot_loader,
131 const std::string& tee,
132 const std::string& snp,
133 const std::string& microcode,
134 const ProductName& product_name,
135 size_t max_retries_count,
136 size_t max_client_response_size,
137 const std::optional<std::string>& fmc_version = std::nullopt)
138 {
139 std::map<std::string, std::string> params;
140 params["blSPL"] = boot_loader;
141 params["teeSPL"] = tee;
142 params["snpSPL"] = snp;
143 params["ucodeSPL"] = microcode;
144 if (fmc_version.has_value())
145 {
146 params["fmcSPL"] = fmc_version.value();
147 }
148
149 EndorsementEndpointsConfiguration::Server server;
150 EndorsementEndpointsConfiguration::EndpointInfo leaf{
151 .host = endpoint.host,
152 .port = endpoint.port,
153 .uri =
154 fmt::format("/vcek/v1/{}/{}", to_string(product_name), chip_id_hex),
155 .params = params,
156 .response_is_der = true,
157 .headers = {}};
158 leaf.max_retries_count = max_retries_count;
159 leaf.max_client_response_size = max_client_response_size;
160 EndorsementEndpointsConfiguration::EndpointInfo chain{
161 .host = endpoint.host,
162 .port = endpoint.port,
163 .uri = fmt::format("/vcek/v1/{}/cert_chain", to_string(product_name)),
164 .params = {},
165 .headers = {}};
166 chain.max_retries_count = max_retries_count;
167 chain.max_client_response_size = max_client_response_size;
168
169 server.push_back(leaf);
170 server.push_back(chain);
171 return server;
172 }
173
174 static HostPort default_thim_endorsements_endpoint = {
175 "169.254.169.254", "80"};
176
177 static EndorsementEndpointsConfiguration::Server
178 make_thim_endorsements_server(
179 const HostPort& endpoint,
180 const std::string& chip_id_hex,
181 const std::string& reported_tcb,
182 size_t max_retries_count,
183 size_t max_client_response_size)
184 {
185 std::map<std::string, std::string> params;
186 params["tcbVersion"] = reported_tcb;
187 params["platformId"] = chip_id_hex;
188 EndorsementEndpointsConfiguration::EndpointInfo info{
189 endpoint.host,
190 endpoint.port,
191 "/metadata/THIM/amd/certification",
192 params,
193 false, // Not DER
194 true, // But THIM JSON
195 {{"Metadata", "true"}},
196 false // No TLS
197 };
198 info.max_retries_count = max_retries_count;
199 info.max_client_response_size = max_client_response_size;
200
201 return {info};
202 }
203}
204
205FMT_BEGIN_NAMESPACE
206template <>
207struct formatter<ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo>
208{
209 template <typename ParseContext>
210 constexpr auto parse(ParseContext& ctx)
211 {
212 return ctx.begin();
213 }
214
215 template <typename FormatContext>
216 auto format(
217 const ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo& e,
218 FormatContext& ctx) const
219 {
220 return format_to(
221 ctx.out(), "http{}://{}:{}", e.tls ? "s" : "", e.host, e.port);
222 }
223};
224FMT_END_NAMESPACE
DECLARE_JSON_REQUIRED_FIELDS
#define DECLARE_JSON_REQUIRED_FIELDS(TYPE,...)
Definition json.h:718
DECLARE_JSON_TYPE
#define DECLARE_JSON_TYPE(TYPE)
Definition json.h:667
DECLARE_JSON_REQUIRED_FIELDS_WITH_RENAMES
#define DECLARE_JSON_REQUIRED_FIELDS_WITH_RENAMES(TYPE,...)
Definition json.h:756
DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS
#define DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(TYPE)
Definition json.h:694
DECLARE_JSON_OPTIONAL_FIELDS
#define DECLARE_JSON_OPTIONAL_FIELDS(TYPE,...)
Definition json.h:790
DECLARE_JSON_ENUM
#define DECLARE_JSON_ENUM(TYPE,...)
Definition json.h:841
ccf::pal::snp
Definition attestation_sev_snp.h:24
ccf::pal::snp::to_string
std::string to_string(ProductName product)
Definition sev_snp_cpuid.h:93
ccf::pal::snp::EndorsementsEndpointType
EndorsementsEndpointType
Definition attestation_sev_snp_endorsements.h:63
ccf::pal::snp::Azure
@ Azure
Definition attestation_sev_snp_endorsements.h:64
ccf::pal::snp::THIM
@ THIM
Definition attestation_sev_snp_endorsements.h:66
ccf::pal::snp::AMD
@ AMD
Definition attestation_sev_snp_endorsements.h:65
ccf::pal::snp::EndorsementsServers
std::vector< EndorsementsServer > EndorsementsServers
Definition attestation_sev_snp_endorsements.h:87
ccf::pal::snp::ProductName
ProductName
Definition sev_snp_cpuid.h:87
ccf
Definition app_interface.h:14
tls
Definition key_exchange.h:18
sev_snp_cpuid.h
ccf::pal::snp::ACIReportEndorsements
Definition attestation_sev_snp_endorsements.h:20
ccf::pal::snp::ACIReportEndorsements::tcbm
std::string tcbm
Definition attestation_sev_snp_endorsements.h:24
ccf::pal::snp::ACIReportEndorsements::certificate_chain
std::string certificate_chain
Definition attestation_sev_snp_endorsements.h:23
ccf::pal::snp::ACIReportEndorsements::vcek_cert
std::string vcek_cert
Definition attestation_sev_snp_endorsements.h:22
ccf::pal::snp::ACIReportEndorsements::cache_control
std::string cache_control
Definition attestation_sev_snp_endorsements.h:21
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo
Definition attestation_sev_snp_endorsements.h:41
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::host
std::string host
Definition attestation_sev_snp_endorsements.h:42
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::params
std::map< std::string, std::string > params
Definition attestation_sev_snp_endorsements.h:45
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::headers
std::map< std::string, std::string > headers
Definition attestation_sev_snp_endorsements.h:48
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::max_retries_count
size_t max_retries_count
Definition attestation_sev_snp_endorsements.h:50
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::operator==
bool operator==(const EndpointInfo &) const =default
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::max_client_response_size
size_t max_client_response_size
Definition attestation_sev_snp_endorsements.h:51
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::response_is_der
bool response_is_der
Definition attestation_sev_snp_endorsements.h:46
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::port
std::string port
Definition attestation_sev_snp_endorsements.h:43
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::uri
std::string uri
Definition attestation_sev_snp_endorsements.h:44
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::tls
bool tls
Definition attestation_sev_snp_endorsements.h:49
ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo::response_is_thim_json
bool response_is_thim_json
Definition attestation_sev_snp_endorsements.h:47
ccf::pal::snp::EndorsementEndpointsConfiguration
Definition attestation_sev_snp_endorsements.h:39
ccf::pal::snp::EndorsementEndpointsConfiguration::servers
std::list< Server > servers
Definition attestation_sev_snp_endorsements.h:59
ccf::pal::snp::EndorsementEndpointsConfiguration::Server
std::list< EndpointInfo > Server
Definition attestation_sev_snp_endorsements.h:55
ccf::pal::snp::EndorsementsServer
Definition attestation_sev_snp_endorsements.h:75
ccf::pal::snp::EndorsementsServer::max_retries_count
std::optional< size_t > max_retries_count
Definition attestation_sev_snp_endorsements.h:78
ccf::pal::snp::EndorsementsServer::max_client_response_size
std::optional< ccf::ds::SizeString > max_client_response_size
Definition attestation_sev_snp_endorsements.h:79
ccf::pal::snp::EndorsementsServer::type
EndorsementsEndpointType type
Definition attestation_sev_snp_endorsements.h:76
ccf::pal::snp::EndorsementsServer::operator==
bool operator==(const EndorsementsServer &) const =default
ccf::pal::snp::EndorsementsServer::url
std::optional< std::string > url
Definition attestation_sev_snp_endorsements.h:77
ccf::pal::snp::HostPort
Definition attestation_sev_snp_endorsements.h:90
ccf::pal::snp::HostPort::port
std::string port
Definition attestation_sev_snp_endorsements.h:92
ccf::pal::snp::HostPort::host
std::string host
Definition attestation_sev_snp_endorsements.h:91
formatter< ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo >::format
auto format(const ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo &e, FormatContext &ctx) const
Definition attestation_sev_snp_endorsements.h:216
formatter< ccf::pal::snp::EndorsementEndpointsConfiguration::EndpointInfo >::parse
constexpr auto parse(ParseContext &ctx)
Definition attestation_sev_snp_endorsements.h:210
unit_strings.h
Generated by doxygen 1.9.8