sync patches from upstream

Signed-off-by: xuraoqing <xuraoqing@huawei.com>
2025-03-18 20:13:23 +08:00 · 2025-03-18 20:13:23 +08:00 · 4b7794d24e
commit 4b7794d24e
parent 7af307bbee
6 changed files with 289 additions and 2 deletions
--- a/0089-add-parse-report-c-interface.patch
+++ b/0089-add-parse-report-c-interface.patch
@ -0,0 +1,94 @@
+From e835af7ff3667005be6893dedcb46a18452450d2 Mon Sep 17 00:00:00 2001
+From: houmingyong <houmingyong@huawei.com>
+Date: Mon, 14 Oct 2024 11:35:12 +0800
+Subject: [PATCH] add parse report c interface
+
+Conflict: remove /attestation-agent/c_header/example.c,c_header/rust_attestation_agent.h 
+
+---
+ .../attestation-agent/agent/src/lib.rs        | 31 +++++++++++++++++++
+ .../attestation-service/verifier/src/lib.rs   |  7 +++++
+ .../verifier/src/virtcca/mod.rs               | 10 ++++++
+ 3 files changed, 48 insertions(+)
+
+diff --git a/service/attestation/attestation-agent/agent/src/lib.rs b/service/attestation/attestation-agent/agent/src/lib.rs
+index f1c4510..1164e2a 100644
+--- a/service/attestation/attestation-agent/agent/src/lib.rs
+++ b/service/attestation/attestation-agent/agent/src/lib.rs
+@@ -373,6 +373,37 @@ pub fn get_report(c_challenge: Option<&repr_c::Vec<u8>>, c_ima: &repr_c::TaggedO
+     report.into()
+ }
+ 
+#[cfg(feature = "no_as")]
+use verifier::virtcca_parse_evidence;
+
+#[cfg(feature = "no_as")]
+#[ffi_export]
+pub fn parse_report(report: Option<&repr_c::Vec<u8>>) -> repr_c::String {
+    let report = match report {
+        None => {
+            log::error!("report is null");
+            return "".to_string().into();
+        },
+        Some(report) => report.clone().to_vec(),
+    };
+    let rt = Runtime::new().unwrap();
+    let fut = async {virtcca_parse_evidence(&report)};
+    let ret = rt.block_on(fut);
+    
+    let ret = match ret {
+        Ok(claim) => {
+            log::debug!("claim: {:?}", claim);
+            claim.to_string()
+        },
+        Err(e) =>{
+            log::error!("{e}");
+            "".to_string()
+        },
+    };
+    
+    return ret.into();
+}
+
+ #[ffi_export]
+ pub fn verify_report(c_challenge: Option<&repr_c::Vec<u8>>, report: Option<&repr_c::Vec<u8>>) -> repr_c::String {
+     let challenge = match c_challenge {
+diff --git a/service/attestation/attestation-service/verifier/src/lib.rs b/service/attestation/attestation-service/verifier/src/lib.rs
+index 0b776c2..a0e0b58 100644
+--- a/service/attestation/attestation-service/verifier/src/lib.rs
+++ b/service/attestation/attestation-service/verifier/src/lib.rs
+@@ -58,3 +58,10 @@ impl VerifierAPIs for Verifier {
+         }
+     }
+ }
+
+pub fn virtcca_parse_evidence(evidence: &[u8]) -> Result<TeeClaim> {
+    let aa_evidence: Evidence = serde_json::from_slice(evidence)?;
+    let evidence = aa_evidence.evidence.as_bytes();
+
+    return virtcca::Evidence::parse_evidence(evidence);
+}
+diff --git a/service/attestation/attestation-service/verifier/src/virtcca/mod.rs b/service/attestation/attestation-service/verifier/src/virtcca/mod.rs
+index 3de7c9f..ca3a2ff 100644
+--- a/service/attestation/attestation-service/verifier/src/virtcca/mod.rs
+++ b/service/attestation/attestation-service/verifier/src/virtcca/mod.rs
+@@ -114,6 +114,16 @@ impl Evidence {
+         // todo parsed TeeClaim
+         evidence.parse_claim_from_evidence(ima)
+     }
+    pub fn parse_evidence(evidence: &[u8]) -> Result<TeeClaim> {
+        let virtcca_ev: VirtccaEvidence = serde_json::from_slice(evidence)?;
+        let evidence = virtcca_ev.evidence;
+        let evidence = Evidence::decode(evidence)?;
+
+        let ima = json!("");
+        // parsed TeeClaim
+        let claim = evidence.parse_claim_from_evidence(ima).unwrap();
+        Ok(claim["payload"].clone() as TeeClaim)
+    }
+     fn parse_claim_from_evidence(&self, ima: serde_json::Value) -> Result<TeeClaim> {
+         let payload = json!({
+             "vcca.cvm.challenge": hex::encode(self.cvm_token.challenge.clone()),
+-- 
+2.33.0
+
--- a/0090-add-no_as-ima-reference-path.patch
+++ b/0090-add-no_as-ima-reference-path.patch
@ -0,0 +1,41 @@
+From f5266141477b9ea23c2f674e041d5f8dc6509668 Mon Sep 17 00:00:00 2001
+From: houmingyong <houmingyong@huawei.com>
+Date: Wed, 16 Oct 2024 19:52:04 +0800
+Subject: [PATCH] add no_as ima reference path
+
+Conflict: remove attestation/attestation-agent/c_header/example.c
+---
+ .../attestation-service/verifier/src/virtcca/ima.rs       | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/service/attestation/attestation-service/verifier/src/virtcca/ima.rs b/service/attestation/attestation-service/verifier/src/virtcca/ima.rs
+index 30a151f..2b73b46 100644
+--- a/service/attestation/attestation-service/verifier/src/virtcca/ima.rs
+++ b/service/attestation/attestation-service/verifier/src/virtcca/ima.rs
+@@ -14,8 +14,13 @@ use ima_measurements::{Event, EventData, Parser};
+ use fallible_iterator::FallibleIterator;
+ use serde_json::{Value, Map, json};
+ 
+#[cfg(not(feature = "no_as"))]
+ const IMA_REFERENCE_FILE: &str = "/etc/attestation/attestation-service/verifier/virtcca/ima/digest_list_file";
+ 
+// attestation agent local ima reference 
+#[cfg(feature = "no_as")]
+const IMA_REFERENCE_FILE: &str = "/etc/attestation/attestation-agent/local_verifier/virtcca/ima/digest_list_file";
+
+ #[derive(Debug, Default)]
+ pub struct ImaVerify {}
+ 
+@@ -72,7 +77,8 @@ impl ImaVerify {
+ use std::io::BufRead;
+ use std::io::BufReader;
+ fn file_reader(file_path: &str) -> ::std::io::Result<Vec<String>> {
+-    let file = std::fs::File::open(file_path)?;
+    let file = std::fs::File::open(file_path)
+        .expect("open ima reference file failed");
+     let mut strings = Vec::<String>::new();
+     let mut reader = BufReader::new(file);
+     let mut buf = String::new();
+-- 
+2.33.0
+
--- a/0091-add-ima-detail-result-in-token.patch
+++ b/0091-add-ima-detail-result-in-token.patch
@ -0,0 +1,45 @@
+From c26a4b5db3eb5ff5d558b9d14f962e3df4147dca Mon Sep 17 00:00:00 2001
+From: houmingyong <houmingyong@huawei.com>
+Date: Thu, 17 Oct 2024 18:58:00 +0800
+Subject: [PATCH] add ima detail result in token
+
+Conflict: remove service/attestation/attestation-agent/c_header/example.c 
+---
+ service/attestation/attestation-agent/agent/src/lib.rs     | 6 +-----
+ service/attestation/attestation-service/service/src/lib.rs | 3 +++
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/service/attestation/attestation-agent/agent/src/lib.rs b/service/attestation/attestation-agent/agent/src/lib.rs
+index 1164e2a..93809a2 100644
+--- a/service/attestation/attestation-agent/agent/src/lib.rs
+++ b/service/attestation/attestation-agent/agent/src/lib.rs
+@@ -280,11 +280,7 @@ impl AttestationAgent {
+         match ret {
+             Ok(token) => {
+                 let token_claim: serde_json::Value = serde_json::from_slice(token.claim.as_bytes())?;
+-                let tee_claim = json!({
+-                    "tee": token_claim["tee"].clone(),
+-                    "payload" : token_claim["tcb_status"].clone(),
+-                });
+-                Ok(tee_claim as TeeClaim)
+                Ok(token_claim as TeeClaim)
+             },
+             Err(e) => {
+                 log::error!("token to teeclaim failed:{:?}", e);
+diff --git a/service/attestation/attestation-service/service/src/lib.rs b/service/attestation/attestation-service/service/src/lib.rs
+index 1c5c907..dd10b89 100644
+--- a/service/attestation/attestation-service/service/src/lib.rs
+++ b/service/attestation/attestation-service/service/src/lib.rs
+@@ -152,6 +152,9 @@ impl AttestationService {
+             }
+         }
+         
+        // add ima detail result to report
+        report.as_object_mut().unwrap().insert("ima".to_string(), claims_evidence["ima"].clone());
+
+         // issue attestation result token
+         let evl_report = EvlReport {
+             tee: String::from(claims_evidence["tee"].as_str().ok_or(anyhow!("tee type unknown"))?),
+-- 
+2.33.0
+
--- a/0092-ima-detail-result-exclude-boot_aggregate-file.patch
+++ b/0092-ima-detail-result-exclude-boot_aggregate-file.patch
@ -0,0 +1,26 @@
+From 9908ddc7947c10e0411c0b037160e320d8e83620 Mon Sep 17 00:00:00 2001
+From: houmingyong <houmingyong@huawei.com>
+Date: Tue, 22 Oct 2024 19:51:26 +0800
+Subject: [PATCH] ima detail result exclude boot_aggregate file
+
+---
+ .../attestation-service/verifier/src/virtcca/ima.rs            | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/service/attestation/attestation-service/verifier/src/virtcca/ima.rs b/service/attestation/attestation-service/verifier/src/virtcca/ima.rs
+index 2b73b46..4a9a954 100644
+--- a/service/attestation/attestation-service/verifier/src/virtcca/ima.rs
+++ b/service/attestation/attestation-service/verifier/src/virtcca/ima.rs
+@@ -59,6 +59,9 @@ impl ImaVerify {
+                 EventData::ImaNg{digest, name} => (name, digest.digest),
+                 _ => bail!("Inalid event {:?}", event),
+             };
+            if name == "boot_aggregate".to_string() {
+                continue;
+            }
+             let hex_str_digest = hex::encode(file_digest);
+             if ima_refs.contains(&hex_str_digest) {
+                 ima_detail.insert(name, Value::Bool(true));
+-- 
+2.43.0
+
--- a/0093-add-detailed-log-of-file-opening-failures.patch
+++ b/0093-add-detailed-log-of-file-opening-failures.patch
@ -0,0 +1,74 @@
+From 9c04006b8f5281bd5b436f81ec855f78a719dff7 Mon Sep 17 00:00:00 2001
+From: houmingyong <houmingyong@huawei.com>
+Date: Wed, 18 Dec 2024 09:34:57 +0800
+Subject: [PATCH] add detailed log of file opening failures
+
+---
+ .../attestation-service/verifier/src/virtcca/ima.rs      | 8 ++++----
+ .../attestation-service/verifier/src/virtcca/mod.rs      | 9 ++++++---
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/service/attestation/attestation-service/verifier/src/virtcca/ima.rs b/service/attestation/attestation-service/verifier/src/virtcca/ima.rs
+index 7af55e8..e25e55e 100644
+--- a/service/attestation/attestation-service/verifier/src/virtcca/ima.rs
+++ b/service/attestation/attestation-service/verifier/src/virtcca/ima.rs
+@@ -9,7 +9,7 @@
+  * PURPOSE.
+  * See the Mulan PSL v2 for more details.
+  */
+-use anyhow::{Result, bail};
+use anyhow::{anyhow, Result, bail};
+ use ima_measurements::{Event, EventData, Parser};
+ use fallible_iterator::FallibleIterator;
+ use serde_json::{Value, Map, json};
+@@ -47,7 +47,8 @@ impl ImaVerify {
+             bail!("ima log hash verify failed");
+         }
+ 
+-        let ima_refs: Vec<_> = file_reader(IMA_REFERENCE_FILE)?
+        let ima_refs: Vec<_> = file_reader(IMA_REFERENCE_FILE)
+            .map_err(|_err| anyhow!("{} is not found", IMA_REFERENCE_FILE))?
+             .into_iter()
+             .map(String::from)
+             .collect();
+@@ -80,8 +81,7 @@ impl ImaVerify {
+ use std::io::BufRead;
+ use std::io::BufReader;
+ fn file_reader(file_path: &str) -> ::std::io::Result<Vec<String>> {
+-    let file = std::fs::File::open(file_path)
+-        .expect("open ima reference file failed");
+    let file = std::fs::File::open(file_path)?;
+     let mut strings = Vec::<String>::new();
+     let mut reader = BufReader::new(file);
+     let mut buf = String::new();
+diff --git a/service/attestation/attestation-service/verifier/src/virtcca/mod.rs b/service/attestation/attestation-service/verifier/src/virtcca/mod.rs
+index 97f5b6b..42f263a 100644
+--- a/service/attestation/attestation-service/verifier/src/virtcca/mod.rs
+++ b/service/attestation/attestation-service/verifier/src/virtcca/mod.rs
+@@ -161,9 +161,11 @@ impl Evidence {
+     // todo verify cert chain, now only verify signature
+     fn verify_dev_cert_chain(dev_cert: &[u8]) -> Result<()> {
+         let dev_cert = x509::X509::from_der(dev_cert)?;
+-        let sub_cert_file = std::fs::read(VIRTCCA_SUB_CERT)?;
+        let sub_cert_file = std::fs::read(VIRTCCA_SUB_CERT)
+            .map_err(|_err| anyhow!("{} is not found", VIRTCCA_SUB_CERT))?;
+         let sub_cert = x509::X509::from_pem(&sub_cert_file)?;
+-        let root_cert_file = std::fs::read(VIRTCCA_ROOT_CERT)?;
+        let root_cert_file = std::fs::read(VIRTCCA_ROOT_CERT)
+            .map_err(|_err| anyhow!("{} is not found", VIRTCCA_ROOT_CERT))?;
+         let root_cert = x509::X509::from_pem(&root_cert_file)?;
+ 
+         // verify dev_cert by sub_cert
+@@ -229,7 +231,8 @@ impl Evidence {
+     }
+     #[cfg(feature = "no_as")]
+     fn compare_with_ref(&mut self) -> Result<()> {
+-        let ref_file = std::fs::read(VIRTCCA_REF_VALUE_FILE)?;
+        let ref_file = std::fs::read(VIRTCCA_REF_VALUE_FILE)
+            .map_err(|_err| anyhow!("{} is not found", VIRTCCA_REF_VALUE_FILE))?;
+         let js_ref = serde_json::from_slice(&ref_file)?;
+         match js_ref {
+             serde_json::Value::Object(obj) => {
+-- 
+2.43.0
+
--- a/secGear.spec
+++ b/secGear.spec
@ -1,6 +1,6 @@
 Name:		secGear
 Version:	0.1.0
-Release:	53
+Release:	54
 Summary:	secGear is an SDK to develop confidential computing apps based on hardware enclave features


@ -98,7 +98,11 @@ Patch84:	0085-fix-multi-thread-request-as-generate-challenge-and-v.patch
 Patch85:	0086-add-error-type-for-api.patch
 Patch86:	0087-use-id-when-get-policy.patch
 Patch87:	0088-fix-evidence-decode-typos.patch
-
+Patch88:	0089-add-parse-report-c-interface.patch
+Patch89:	0090-add-no_as-ima-reference-path.patch
+Patch90:	0091-add-ima-detail-result-in-token.patch
+Patch91:	0092-ima-detail-result-exclude-boot_aggregate-file.patch
+Patch92:	0093-add-detailed-log-of-file-opening-failures.patch

 BuildRequires:	gcc python automake autoconf libtool
 BUildRequires:	glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel
@ -294,6 +298,9 @@ popd
 systemctl restart rsyslog

 %changelog
+* Tue Mar 18 2025 xuraoqing<xuraoqing@huawei.com> - 0.1.0-54
+- sync patches from upstream
+
 * Wed Mar 12 2025 houmingyong<houmingyong@huawei.com> - 0.1.0-53
 - generate cargo vendor on %prep stage