devired_key: cleaning pass confidential-containers#1

eldios · eldios · commit cf100b1d4f57 · 2025-01-27T22:54:30.000+01:00
diff --git a/api-server-rest/src/aa.rs b/api-server-rest/src/aa.rs
@@ -76,8 +76,8 @@ impl ApiHandler for AAClient {
                 }
                 None => return self.bad_request(),
             },
-            AA_DERIVED_KEY_URL => match params.get("key_id") {
-                Some(key_id) => match self.get_derived_key(&key_id.clone().into_bytes()).await {
+            AA_DERIVED_KEY_URL => match params.get() {
+                Some(key) => match self.get_derived_key().await {
                     std::result::Result::Ok(results) => return self.octet_stream_response(results),
                     Err(e) => return self.internal_error(e.to_string()),
                 },
@@ -127,9 +127,8 @@ impl AAClient {
         Ok(res.Evidence)
     }
 
-    pub async fn get_derived_key(&self, key_id: &[u8]) -> Result<Vec<u8>> {
+    pub async fn get_derived_key(&self) -> Result<Vec<u8>> {
         let req = GetDerivedKeyRequest {
-            KeyId: key_id.to_vec(),
             ..Default::default()
         };
         let res = self
diff --git a/api-server-rest/src/ttrpc_proto/attestation_agent.rs b/api-server-rest/src/ttrpc_proto/attestation_agent.rs
@@ -515,9 +515,6 @@ impl ::protobuf::reflect::ProtobufValue for GetTokenResponse {
 // @@protoc_insertion_point(message:attestation_agent.GetDerivedKeyRequest)
 #[derive(PartialEq,Clone,Default,Debug)]
 pub struct GetDerivedKeyRequest {
-    // message fields
-    // @@protoc_insertion_point(field:attestation_agent.GetDerivedKeyRequest.KeyId)
-    pub KeyId: ::std::vec::Vec<u8>,
     // special fields
     // @@protoc_insertion_point(special_field:attestation_agent.GetDerivedKeyRequest.special_fields)
     pub special_fields: ::protobuf::SpecialFields,
@@ -535,13 +532,8 @@ impl GetDerivedKeyRequest {
     }
 
     fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData {
-        let mut fields = ::std::vec::Vec::with_capacity(1);
+        let mut fields = ::std::vec::Vec::with_capacity(0);
         let mut oneofs = ::std::vec::Vec::with_capacity(0);
-        fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>(
-            "KeyId",
-            |m: &GetDerivedKeyRequest| { &m.KeyId },
-            |m: &mut GetDerivedKeyRequest| { &mut m.KeyId },
-        ));
         ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::<GetDerivedKeyRequest>(
             "GetDerivedKeyRequest",
             fields,
@@ -560,9 +552,6 @@ impl ::protobuf::Message for GetDerivedKeyRequest {
     fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> {
         while let Some(tag) = is.read_raw_tag_or_eof()? {
             match tag {
-                10 => {
-                    self.KeyId = is.read_bytes()?;
-                },
                 tag => {
                     ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?;
                 },
@@ -575,18 +564,12 @@ impl ::protobuf::Message for GetDerivedKeyRequest {
     #[allow(unused_variables)]
     fn compute_size(&self) -> u64 {
         let mut my_size = 0;
-        if !self.KeyId.is_empty() {
-            my_size += ::protobuf::rt::bytes_size(1, &self.KeyId);
-        }
         my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields());
         self.special_fields.cached_size().set(my_size as u32);
         my_size
     }
 
     fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> {
-        if !self.KeyId.is_empty() {
-            os.write_bytes(1, &self.KeyId)?;
-        }
         os.write_unknown_fields(self.special_fields.unknown_fields())?;
         ::std::result::Result::Ok(())
     }
@@ -604,13 +587,11 @@ impl ::protobuf::Message for GetDerivedKeyRequest {
     }
 
     fn clear(&mut self) {
-        self.KeyId.clear();
         self.special_fields.clear();
     }
 
     fn default_instance() -> &'static GetDerivedKeyRequest {
         static instance: GetDerivedKeyRequest = GetDerivedKeyRequest {
-            KeyId: ::std::vec::Vec::new(),
             special_fields: ::protobuf::SpecialFields::new(),
         };
         &instance
@@ -762,14 +743,14 @@ static file_descriptor_proto_data: &'static [u8] = b"\
     \"1\n\x13GetEvidenceResponse\x12\x1a\n\x08Evidence\x18\x01\x20\x01(\x0cR\
     \x08Evidence\"/\n\x0fGetTokenRequest\x12\x1c\n\tTokenType\x18\x01\x20\
     \x01(\tR\tTokenType\"(\n\x10GetTokenResponse\x12\x14\n\x05Token\x18\x01\
-    \x20\x01(\x0cR\x05Token\",\n\x14GetDerivedKeyRequest\x12\x14\n\x05KeyId\
-    \x18\x01\x20\x01(\x0cR\x05KeyId\"7\n\x15GetDerivedKeyResponse\x12\x1e\n\
-    \nDerivedKey\x18\x01\x20\x01(\x0cR\nDerivedKey2\xb0\x02\n\x17Attestation\
-    AgentService\x12b\n\rGetDerivedKey\x12'.attestation_agent.GetDerivedKeyR\
-    equest\x1a(.attestation_agent.GetDerivedKeyResponse\x12\\\n\x0bGetEviden\
-    ce\x12%.attestation_agent.GetEvidenceRequest\x1a&.attestation_agent.GetE\
-    videnceResponse\x12S\n\x08GetToken\x12\".attestation_agent.GetTokenReque\
-    st\x1a#.attestation_agent.GetTokenResponseb\x06proto3\
+    \x20\x01(\x0cR\x05Token\"\x16\n\x14GetDerivedKeyRequest\"7\n\x15GetDeriv\
+    edKeyResponse\x12\x1e\n\nDerivedKey\x18\x01\x20\x01(\x0cR\nDerivedKey2\
+    \xb0\x02\n\x17AttestationAgentService\x12b\n\rGetDerivedKey\x12'.attesta\
+    tion_agent.GetDerivedKeyRequest\x1a(.attestation_agent.GetDerivedKeyResp\
+    onse\x12\\\n\x0bGetEvidence\x12%.attestation_agent.GetEvidenceRequest\
+    \x1a&.attestation_agent.GetEvidenceResponse\x12S\n\x08GetToken\x12\".att\
+    estation_agent.GetTokenRequest\x1a#.attestation_agent.GetTokenResponseb\
+    \x06proto3\
 ";
 
 /// `FileDescriptorProto` object which was a source for this generated file
diff --git a/attestation-agent/attestation-agent/src/bin/grpc-aa/server.rs b/attestation-agent/attestation-agent/src/bin/grpc-aa/server.rs
@@ -164,14 +164,10 @@ impl AttestationAgentService for AA {
 
         debug!("AA (grpc): get derived key ...");
 
-        let derived_key = self
-            .inner
-            .get_derived_key(&request.key_id)
-            .await
-            .map_err(|e| {
-                error!("AA (grpc): get derived key failed:\n{e:?}\nkey_id:\n{&request.key_id}");
-                Status::internal(format!("[ERROR:{AGENT_NAME}] AA get derived key failed"))
-            })?;
+        let derived_key = self.inner.get_derived_key().await.map_err(|e| {
+            error!("AA (grpc): get derived key failed:\n{e:?}");
+            Status::internal(format!("[ERROR:{AGENT_NAME}] AA get derived key failed"))
+        })?;
 
         debug!("AA (grpc): Get derived key successfully!");
 
diff --git a/attestation-agent/attestation-agent/src/bin/ttrpc-aa-client.rs b/attestation-agent/attestation-agent/src/bin/ttrpc-aa-client.rs
@@ -80,11 +80,7 @@ struct GetTokenArgs {
 
 #[derive(Args)]
 #[command(author, version, about, long_about = None)]
-struct GetDerivedKeyArgs {
-    /// base64 encodede runtime data
-    #[arg(short, long)]
-    key_id: String,
-}
+struct GetDerivedKeyArgs {}
 
 #[derive(Args)]
 #[command(author, version, about, long_about = None)]
@@ -152,15 +148,14 @@ pub async fn main() {
         }
         Operation::GetDerivedKey(get_derived_key_args) => {
             let req = GetDerivedKeyRequest {
-                KeyId: get_derived_key_args.key_id,
                 ..Default::default()
             };
             let res = client
                 .get_derived_key(context::with_timeout(TIMEOUT), &req)
                 .await
                 .expect("request to AA");
-            let key_id = String::from_utf8(res.KeyId).unwrap();
-            println!("{key_id}");
+            let key = String::from_utf8(res.Key).unwrap();
+            println!("{key}");
         }
         Operation::ExtendRuntimeMeasurement(extend_runtime_measurement_args) => {
             let req = ExtendRuntimeMeasurementRequest {
diff --git a/attestation-agent/attestation-agent/src/bin/ttrpc_dep/server.rs b/attestation-agent/attestation-agent/src/bin/ttrpc_dep/server.rs
@@ -84,21 +84,16 @@ impl AttestationAgentService for AA {
     ) -> ::ttrpc::Result<GetDerivedKeyResponse> {
         debug!("AA (ttrpc): get derived key ...");
 
+        let empty_context = Vec::new();
         let derived_key = self
             .inner
-            .get_derived_key(&req.KeyId, Vec::new())
+            .get_derived_key(empty_context)
             .await
             .map_err(|e| {
-                error!(
-                    "AA (ttrpc): get derived key failed:\n {e:?}\n key_id:\n {:#?}",
-                    &req.KeyId
-                );
+                error!("AA (ttrpc): get derived key failed:\n {e:?}");
                 let mut error_status = ::ttrpc::proto::Status::new();
                 error_status.set_code(Code::INTERNAL);
-                error_status.set_message(format!(
-                    "[ERROR:{AGENT_NAME}] AA-KBC get derived key failed. key_id: {:#?}",
-                    &req.KeyId
-                ));
+                error_status.set_message("[ERROR:{AGENT_NAME}] AA-KBC get derived key failed.");
                 ::ttrpc::Error::RpcStatus(error_status)
             })?;
 
diff --git a/attestation-agent/attestation-agent/src/lib.rs b/attestation-agent/attestation-agent/src/lib.rs
@@ -60,8 +60,8 @@ pub trait AttestationAPIs {
     /// Get TEE hardware signed evidence that includes the runtime data.
     async fn get_evidence(&self, runtime_data: &[u8]) -> Result<Vec<u8>>;
 
-    /// Get a derived key using the provided key ID
-    async fn get_derived_key(&self, key_id: &[u8], context: Vec<u8>) -> Result<Vec<u8>>;
+    /// Get a derived key
+    async fn get_derived_key(&self, context: Vec<u8>) -> Result<Vec<u8>>;
 
     /// Extend runtime measurement register
     async fn extend_runtime_measurement(
@@ -180,8 +180,8 @@ impl AttestationAPIs for AttestationAgent {
         Ok(evidence.into_bytes())
     }
 
-    async fn get_derived_key(&self, key_id: &[u8], context: Vec<u8>) -> Result<Vec<u8>> {
-        self.attester.get_derived_key(key_id, context).await
+    async fn get_derived_key(&self, context: Vec<u8>) -> Result<Vec<u8>> {
+        self.attester.get_derived_key(context).await
     }
 
     /// Extend runtime measurement register. Parameters
diff --git a/attestation-agent/attester/src/lib.rs b/attestation-agent/attester/src/lib.rs
@@ -101,9 +101,8 @@ pub trait Attester {
     }
 
     /// Get a derived key using the hardware-specific key derivation function.
-    /// The parameter `root_key_hinit` is the root key used for derivation,
-    /// and `context` is additional data used in the derivation process.
-    async fn get_derived_key(&self, _root_key_hinit: &[u8], _context: Vec<u8>) -> Result<Vec<u8>> {
+    /// The parameter `root_key_hinit` `context` is data potentially used in the derivation process.
+    async fn get_derived_key(&self, _context: Vec<u8>) -> Result<Vec<u8>> {
         bail!("Unimplemented")
     }
 }
diff --git a/attestation-agent/attester/src/snp/mod.rs b/attestation-agent/attester/src/snp/mod.rs
@@ -65,20 +65,12 @@ impl Attester for SnpAttester {
         Ok(InitDataResult::Ok)
     }
 
-    async fn get_derived_key(
-        &self,
-        root_key_hinit: &[u8],
-        mut context: Vec<u8>,
-    ) -> Result<Vec<u8>> {
+    async fn get_derived_key(&self, mut context: Vec<u8>) -> Result<Vec<u8>> {
         if context.len() > 64 {
             bail!("SNP Attester: Context must be no more than 64 bytes");
         }
 
         context.resize(64, 0);
-        let _root_key: u8 = root_key_hinit
-            .first()
-            .copied()
-            .context("Invalid key or empty key specified")?;
 
         let mut firmware: Firmware = Firmware::open()?;
 
diff --git a/attestation-agent/kbs_protocol/src/evidence_provider/aa_ttrpc.rs b/attestation-agent/kbs_protocol/src/evidence_provider/aa_ttrpc.rs
@@ -40,9 +40,8 @@ impl AAEvidenceProvider {
 #[async_trait]
 impl EvidenceProvider for AAEvidenceProvider {
     /// Get derived key using the provided key ID
-    async fn get_derived_key(&self, key_id: &[u8], _context: Vec<u8>) -> Result<Vec<u8>> {
+    async fn get_derived_key(&self, _context: Vec<u8>) -> Result<Vec<u8>> {
         let req = GetDerivedKeyRequest {
-            KeyId: key_id.to_vec(),
             ..Default::default()
         };
         let res = self
diff --git a/attestation-agent/kbs_protocol/src/evidence_provider/mock.rs b/attestation-agent/kbs_protocol/src/evidence_provider/mock.rs
@@ -19,7 +19,7 @@ impl EvidenceProvider for MockedEvidenceProvider {
         Ok("test evidence".into())
     }
 
-    async fn get_derived_key(&self, _key_id: &[u8], _context: Vec<u8>) -> Result<Vec<u8>> {
+    async fn get_derived_key(&self, _context: Vec<u8>) -> Result<Vec<u8>> {
         Ok(vec![0u8; 32]) // Return a mock 32-byte key filled with zeros
     }
 
diff --git a/attestation-agent/kbs_protocol/src/evidence_provider/mod.rs b/attestation-agent/kbs_protocol/src/evidence_provider/mod.rs
@@ -27,7 +27,6 @@ pub trait EvidenceProvider: Send + Sync {
     async fn get_tee_type(&self) -> Result<Tee>;
 
     /// Get a derived key using the hardware-specific key derivation function.
-    /// The parameter `root_key_hint` is the root key used for derivation,
-    /// and `context` is additional data used in the derivation process.
-    async fn get_derived_key(&self, key_id: &[u8], context: Vec<u8>) -> Result<Vec<u8>>;
+    /// The parameter `context` is data potentially used in the derivation process.
+    async fn get_derived_key(&self, context: Vec<u8>) -> Result<Vec<u8>>;
 }
diff --git a/attestation-agent/kbs_protocol/src/evidence_provider/native.rs b/attestation-agent/kbs_protocol/src/evidence_provider/native.rs
@@ -35,9 +35,9 @@ impl EvidenceProvider for NativeEvidenceProvider {
         Ok(detect_tee_type())
     }
 
-    async fn get_derived_key(&self, key_id: &[u8], context: Vec<u8>) -> Result<Vec<u8>> {
+    async fn get_derived_key(&self, context: Vec<u8>) -> Result<Vec<u8>> {
         self.0
-            .get_derived_key(key_id, context)
+            .get_derived_key(context)
             .await
             .map_err(|e| Error::GetDerivedKey(e.to_string()))
     }
diff --git a/attestation-agent/kbs_protocol/src/ttrpc_protos/attestation_agent.rs b/attestation-agent/kbs_protocol/src/ttrpc_protos/attestation_agent.rs
diff --git a/attestation-agent/protos/attestation-agent.proto b/attestation-agent/protos/attestation-agent.proto

Original file line number	Diff line number	Diff line change
`@@ -101,9 +101,8 @@ pub trait Attester {`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`/// Get a derived key using the hardware-specific key derivation function.`
`104`		- /// The parameter `root_key_hinit` is the root key used for derivation,
`105`		- /// and `context` is additional data used in the derivation process.
`106`		`- async fn get_derived_key(&self, _root_key_hinit: &[u8], _context: Vec<u8>) -> Result<Vec<u8>> {`
	`104`	+ /// The parameter `root_key_hinit` `context` is data potentially used in the derivation process.
	`105`	`+ async fn get_derived_key(&self, _context: Vec<u8>) -> Result<Vec<u8>> {`
`107`	`106`	`bail!("Unimplemented")`
`108`	`107`	`}`
`109`	`108`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ impl EvidenceProvider for MockedEvidenceProvider {`
`19`	`19`	`Ok("test evidence".into())`
`20`	`20`	`}`
`21`	`21`
`22`		`- async fn get_derived_key(&self, _key_id: &[u8], _context: Vec<u8>) -> Result<Vec<u8>> {`
	`22`	`+ async fn get_derived_key(&self, _context: Vec<u8>) -> Result<Vec<u8>> {`
`23`	`23`	`Ok(vec![0u8; 32]) // Return a mock 32-byte key filled with zeros`
`24`	`24`	`}`
`25`	`25`