Add support for AESM command line option --supported_attestation_types

lingyuj · llly · commit 1efe23c20e37 · 2023-04-06T14:50:06.000+08:00
Signed-off-by: lingyuji &lt;lingyu.jiang@intel.com&gt;
diff --git a/psw/ae/aesm_service/source/bundles/ecdsa_quote_service_bundle/ecdsa_quote_service_bundle.cpp b/psw/ae/aesm_service/source/bundles/ecdsa_quote_service_bundle/ecdsa_quote_service_bundle.cpp
@@ -427,6 +427,12 @@ class EcdsaQuoteServiceImp : public IQuoteProviderService
         *att_key_id_num = 1;
         return AESM_SUCCESS;
     }
+
+    uint16_t get_attestation_type()
+    {
+        return ATTESTATION_TYPE_ECDSA;
+
+    }
 };
 
 class Activator : public BundleActivator
diff --git a/psw/ae/aesm_service/source/bundles/epid_quote_service_bundle/epid_quote_service_bundle.cpp b/psw/ae/aesm_service/source/bundles/epid_quote_service_bundle/epid_quote_service_bundle.cpp
@@ -577,6 +577,12 @@ class EpidQuoteServiceImp : public IEpidQuoteService, public IQuoteProviderServi
             update_info, update_info_size,
             config, status);
     }
+
+    uint16_t get_attestation_type()
+    {
+        return ATTESTATION_TYPE_EPID;
+
+    }
 };
 
 class Activator : public BundleActivator
diff --git a/psw/ae/aesm_service/source/bundles/quote_ex_service_bundle/quote_ex_service_bundle.cpp b/psw/ae/aesm_service/source/bundles/quote_ex_service_bundle/quote_ex_service_bundle.cpp
@@ -67,9 +67,16 @@ class QuoteExServiceImp : public IQuoteProxyService
     std::vector<quote_provider_t> available_providers;
     ListenerToken listenerToken;
     AESMLogicMutex quote_ex_mutex;
+    uint16_t supported_attestation_types;
 
 public:
-    QuoteExServiceImp():initialized(false), default_quoting_type(AESM_QUOTING_DEFAULT_VALUE) {}
+    QuoteExServiceImp():initialized(false), default_quoting_type(AESM_QUOTING_DEFAULT_VALUE),
+        supported_attestation_types(0) {}
+
+    void set_supported_attestation_types(uint16_t att_types)
+    {
+        supported_attestation_types = att_types;
+    }
 
     ae_error_t start()
     {
@@ -95,27 +102,38 @@ class QuoteExServiceImp : public IQuoteProxyService
             if (IQuoteProviderService::VERSION != bundle.GetVersion().GetMajor())
                 continue;
 
-            auto service = context.GetService(sr);
-            if (service
-                && (AE_SUCCESS == service->start()))
-            {
-                uint32_t num = 0;
-                sgx_att_key_id_ext_t att_key_id_ext_list[BUNLE_ATT_KEY_NUM_MAX] ={0};
 
-                available_providers.push_back(service);
-                if (AESM_SUCCESS != service->get_att_key_id_num(&num))
-                    continue;
-                if (num > BUNLE_ATT_KEY_NUM_MAX)
-                    continue;
-                if (AESM_SUCCESS != service->get_att_key_id((uint8_t *)att_key_id_ext_list, sizeof(att_key_id_ext_list)))
-                    continue;
-                for (int i = 0; i <num; i++)
-                {
-                    available_key_id_t temp = {0};
-                    memcpy_s(&temp.key_id, sizeof(temp.key_id), &att_key_id_ext_list[i], sizeof(att_key_id_ext_list[i]));
-                    temp.service = service;
-                    available_key_ids.push_back(temp);
-                    AESM_DBG_INFO("quote type %d available", temp.key_id.base.algorithm_id);
+            auto service = context.GetService(sr);
+            if (service) {
+                ae_error_t service_started = service->start();
+                if (AE_SUCCESS == service_started) {
+                    uint32_t num = 0;
+                    sgx_att_key_id_ext_t att_key_id_ext_list[BUNLE_ATT_KEY_NUM_MAX] ={0};
+
+                    available_providers.push_back(service);
+                    if (AESM_SUCCESS != service->get_att_key_id_num(&num))
+                        continue;
+                    if (num > BUNLE_ATT_KEY_NUM_MAX)
+                        continue;
+                    if (AESM_SUCCESS != service->get_att_key_id((uint8_t *)att_key_id_ext_list, sizeof(att_key_id_ext_list)))
+                        continue;
+                    for (int i = 0; i <num; i++)
+                    {
+                        available_key_id_t temp = {0};
+                        memcpy_s(&temp.key_id, sizeof(temp.key_id), &att_key_id_ext_list[i], sizeof(att_key_id_ext_list[i]));
+                        temp.service = service;
+                        available_key_ids.push_back(temp);
+                        AESM_DBG_INFO("quote type %d available", temp.key_id.base.algorithm_id);
+                    }
+                }
+                else {
+                    // If the attestation type was required but the service failed to start, return error.
+                    // Otherwise ignore the failure
+                    uint16_t att_type_of_service = service->get_attestation_type();
+                    if (supported_attestation_types & att_type_of_service) {
+                        AESM_DBG_INFO("Failed to start attestation service : %d ", att_type_of_service);
+                        return service_started;
+                    }
                 }
             }
         }
diff --git a/psw/ae/aesm_service/source/core/AESMLogicWrapper.cpp b/psw/ae/aesm_service/source/core/AESMLogicWrapper.cpp
@@ -61,7 +61,7 @@
 static cppmicroservices::BundleContext g_fw_ctx;
 using namespace cppmicroservices;
 static Framework g_fw = FrameworkFactory().NewFramework();
-
+extern uint16_t supported_attestation_types;
 
 #ifdef US_PLATFORM_POSIX
 #define PATH_SEPARATOR "/"
@@ -688,6 +688,23 @@ ae_error_t AESMLogicWrapper::service_start()
         // Start the framework itself.
         g_fw.Start();
         auto bundles = g_fw_ctx.GetBundles();
+        // check required attestation bundles
+        bool found_epid = false, found_ecdsa = false;
+        for (Bundle &bundle : bundles) {
+            if (bundle.GetSymbolicName() == "epid_quote_service_bundle_name")
+                found_epid = true;
+            else if (bundle.GetSymbolicName() == "ecdsa_quote_service_bundle_name")
+                found_ecdsa = true;
+        }
+        if (!found_epid && (supported_attestation_types & ATTESTATION_TYPE_EPID)) {
+            AESM_LOG_ERROR("EPID attestation is required but the bundle is not installed.");
+            return AE_FAILURE;
+        }
+        if (!found_ecdsa && (supported_attestation_types & ATTESTATION_TYPE_ECDSA)) {
+            AESM_LOG_ERROR("ECDSA attestation is required but the bundle is not installed.");
+            return AE_FAILURE;
+        }
+
         for (auto &bundle : bundles)
         {
             bundle.Start();
@@ -722,8 +739,14 @@ ae_error_t AESMLogicWrapper::service_start()
     }
     {
         std::shared_ptr<IQuoteProxyService> service;
-        if (get_service_wrapper(service, g_fw_ctx))
-            service->start();
+        if (get_service_wrapper(service, g_fw_ctx)) 
+        {
+            service->set_supported_attestation_types(supported_attestation_types);
+            ae_error_t ret = service->start();
+
+            if (ret != AE_SUCCESS)
+                return ret;
+        }
     }
     AESM_DBG_INFO("aesm service started");
 
diff --git a/psw/ae/aesm_service/source/core/main.cpp b/psw/ae/aesm_service/source/core/main.cpp
@@ -34,15 +34,22 @@
 #include <CAESMServer.h>
 #include <CSelector.h>
 #include <AESMLogicWrapper.h>
+#include "quote_ex_service.h"
 #include <curl/curl.h>
 #include <oal/error_report.h>
 
 #include <SocketConfig.h>
 
 #include <iostream>
+#include <getopt.h>
 
 static CAESMServer* server = NULL;
 volatile bool reload = false;
+// Each bit indicates a certain type of attestation is supported. 
+// If a attestation type is marked as supported but AESM fails to load the corresponding module,
+// AESM will exit. 
+// Currently only two attestation types can be supported: Bit 0: EPID  Bit 1: ECDSA
+uint16_t supported_attestation_types = 0;
 
 void signal_handler(int sig)
 {
@@ -67,26 +74,61 @@ void signal_handler(int sig)
     }
 }
 
+void print_usage() {
+    printf("Usage: aesm_service [--no-daemon] [--no-syslog] [--supported_attestation_types=[EPID][,ECDSA]]\n");
+}
+
 int main(int argc, char *argv[]) {
     bool noDaemon = false, noSyslog = false;
+    int opt= 0;
 
-    if (argc > 3) {
-        AESM_LOG_INIT();
-        AESM_LOG_FATAL("Invalid command line.");
-        AESM_LOG_FINI();
-        exit(1);
-    }
+    //Specifying the expected options
+    static struct option long_options[] = {
+        {"no-daemon", no_argument, 0, 0 },
+        {"no-syslog", no_argument, 0, 1 },
+        {"supported_attestation_types", required_argument, 0, 2 },
+        {0, 0, 0, 0}
+    };
 
-    for (int i = 1; i < argc; ++i) {
-        std::string arg = argv[i];
-        if (arg == "--no-daemon") {
-            noDaemon = true;
-        }
-        else if (arg == "--no-syslog"){
-            noSyslog = true;
+    int long_index =0;
+    while ((opt = getopt_long(argc, argv, "012:", long_options, &long_index )) != -1) {
+        switch (opt) {
+            case 0:
+                noDaemon = true;
+                break;
+            case 1:
+                noSyslog = true;
+                break;
+            case 2:
+                if (optarg) {
+                    char * token = strtok(optarg, ",");
+                    while( token != NULL ) {
+                        if (strcasecmp(token, "epid") == 0) {
+                            supported_attestation_types |= ATTESTATION_TYPE_EPID;
+                        }
+                        else if (strcasecmp(token, "ecdsa") == 0) {
+                            supported_attestation_types |= ATTESTATION_TYPE_ECDSA;
+                        }
+                        else {
+                            print_usage();
+                            exit(EXIT_FAILURE);
+                        }
+                        token = strtok(NULL, ",");
+                    }
+                }
+                break;
+            default:
+                print_usage();
+                exit(EXIT_FAILURE);
         }
     }
 
+    if (optind < argc) {
+        fprintf(stderr, "%s: invalid option -- '%s'\n", argv[0], argv[optind]);
+        print_usage();
+        exit(EXIT_FAILURE);
+    }
+
     AESM_LOG_INIT_EX(noSyslog);
 
     if(!noDaemon) {
diff --git a/psw/ae/aesm_service/source/interfaces/quote_ex_service.h b/psw/ae/aesm_service/source/interfaces/quote_ex_service.h
@@ -36,6 +36,8 @@
 #include <stddef.h>
 #include "aesm_error.h"
 
+#define ATTESTATION_TYPE_EPID 0x0001
+#define ATTESTATION_TYPE_ECDSA 0x0002
 
 struct IQuoteExService : virtual public IService
 {
diff --git a/psw/ae/aesm_service/source/interfaces/quote_provider_service.h b/psw/ae/aesm_service/source/interfaces/quote_provider_service.h
@@ -39,6 +39,7 @@ struct IQuoteProviderService : public IQuoteExService, public IGetAttKeyID
     // The value should be the same as the major version in manifest.json
     enum {VERSION = 2};
     virtual ~IQuoteProviderService() = default;
+    virtual uint16_t get_attestation_type() = 0;
 };
 
 #endif /* QUOTE_PROVIDER_SERVICE_EXPORT_H */
diff --git a/psw/ae/aesm_service/source/interfaces/quote_proxy_service.h b/psw/ae/aesm_service/source/interfaces/quote_proxy_service.h
@@ -40,6 +40,7 @@ struct IQuoteProxyService : public IQuoteExService, public ISelectAttKeyID, publ
     // The value should be the same as the major version in manifest.json
     enum {VERSION = 2};
     virtual ~IQuoteProxyService() = default;
+    virtual void set_supported_attestation_types(uint16_t att_types) = 0;
 };
 
 #endif /* QUOTE_PROXY_SERVICE_EXPORT_H */

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,8 @@`
`36`	`36`	`#include <stddef.h>`
`37`	`37`	`#include "aesm_error.h"`
`38`	`38`
	`39`	`+#define ATTESTATION_TYPE_EPID 0x0001`
	`40`	`+#define ATTESTATION_TYPE_ECDSA 0x0002`
`39`	`41`
`40`	`42`	`struct IQuoteExService : virtual public IService`
`41`	`43`	`{`