Add support for THIM as a source of collateral (#5854)

.snpcc_canary

@@ -1,4 +1,4 @@
   ___         ___    ___
  (. =)     Y (0 0)  (x X)    Y
    O     \     o      |    /
-/-xXx--//-----x=x--/-xXx--/---x---->>|
+/-xXx--//-----x=x--/-xXx--/---x---->>>

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [5.0.0-dev9]
+
+[5.0.0-dev9]: https://github.com/microsoft/CCF/releases/tag/ccf-5.0.0-dev9
+
+- `snp_endorsements_servers` now supports a `THIM` type, which is the recommended value when running in [Confidential AKS preview](https://learn.microsoft.com/en-us/azure/aks/confidential-containers-overview).
+
 ## [5.0.0-dev8]
 
 [5.0.0-dev8]: https://github.com/microsoft/CCF/releases/tag/ccf-5.0.0-dev8

doc/host_config_schema/cchost_config.json

@@ -463,13 +463,13 @@
             "properties": {
               "type": {
                 "type": "string",
-                "enum": ["Azure", "AMD"],
+                "enum": ["Azure", "AMD", "THIM"],
                 "default": "Azure",
                 "description": "Type of server used to retrieve attestation report endorsement certificates (SEV-SNP only)"
               },
               "url": {
                 "type": "string",
-                "description": "Server URLs used to retrieve attestation report endorsement certificates, e.g. \"kdsintf.amd.com\" (SEV-SNP only)"
+                "description": "Server URLs used to retrieve attestation report endorsement certificates, e.g. \"kdsintf.amd.com\" (AMD), \"global.acccache.azure.net\" (Azure) or \"169.254.169.254\" (THIM)"
               }
             },
             "required": ["url"],

doc/operations/platforms/snp.rst

@@ -4,7 +4,7 @@ AMD SEV-SNP
 How to use the AMD SEV-SNP platform
 -----------------------------------
 
-CCF must run on an AMD CPU which supports SEV-SNP (typically `Azure confidential containers <https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-containers>`_).
+CCF must run on an AMD CPU which supports SEV-SNP, such as `Azure confidential containers <https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-containers>`_ or `Azure Kubernetes Service with Confidential Containers <https://learn.microsoft.com/en-us/azure/aks/confidential-containers-overview>`_.
 
 To use SNP, in the :ref:`operations/configuration:``enclave``` configuration section, the enclave ``platform`` should be set to ``SNP``.
 
@@ -28,10 +28,28 @@ The location of the security context directory is passed to the container's star
 
 .. tip:: See :ccf_repo:`samples/config/start_config_aci_sev_snp.json` for a sample node configuration for ACI deployments.
 
-Non-ACI Deployment
-~~~~~~~~~~~~~~~~~~
+Confidential Azure Kubernetes Service (AKS)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. note:: See `here <https://learn.microsoft.com/en-us/azure/aks/deploy-confidential-containers-default-policy>`_ for more information on the deployment of confidential containers in Azure.
+
+Confidential AKS provides a security context directory containing the following file.
+
+- ``reference-info-base64``: The COSE Sign1 document containing the measurement [#measurement]_ of the utility VM (UVM) used to launch the container (Base64 encoded). The measurement contained in the document payload should match the report ``measurement``. If set, the value is stored in the :ref:`audit/builtin_maps:``nodes.snp.uvm_endorsements``` table and new nodes must present measurement endorsements from the same issuer (`did:x509`) to be trusted.
+
+The security policy must be provided by the operator, and will be picked up by CCF on startup if is named ``security-policy-base64`` and located in the security context directory. The SHA256 hash of the decoded value should match the attestation report ``host_data``. This value is stored in the :ref:`audit/builtin_maps:``nodes.snp.host_data``` table.
+
+AMD endorsements must be fetched, preferably from the THIM service, but configuring the Azure cache or the AMD server is also possible.
+
+The location of the security context directory is passed to the container's startup command as the ``UVM_SECURITY_CONTEXT_DIR`` environment variable. The name of an alternative environment variable may be specified as the value of the ``--snp-security-context-dir-var`` CLI argument, if an alternative trust root is needed.
+
+.. tip:: See :ccf_repo:`samples/config/start_config_aks_sev_snp.json` for a sample node configuration for Confidential AKS deployments.
+
+
+Non-Azure Deployment
+~~~~~~~~~~~~~~~~~~~~
 
-For non-ACI deployments, the certificate chain for VCEK will need to be retrieved from an endorsement server, as specified in the :ref:`operations/configuration:``snp_endorsements_servers``` configuration section. For example, for the `well-known AMD endorsement server <https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/57230.pdf>`_, the value should be set to:
+For non-Azure deployments, the certificate chain for VCEK will need to be retrieved from an endorsement server, as specified in the :ref:`operations/configuration:``snp_endorsements_servers``` configuration section. For example, for the `well-known AMD endorsement server <https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/57230.pdf>`_, the value should be set to:
 
 .. code-block:: json
 
@@ -44,7 +62,7 @@ For non-ACI deployments, the certificate chain for VCEK will need to be retrieve
         ]
     }
 
-.. tip:: See :ccf_repo:`samples/config/start_config_amd_sev_snp.json` for a sample node configuration for non-ACI deployments.
+.. tip:: See :ccf_repo:`samples/config/start_config_amd_sev_snp.json` for a sample node configuration for non-Azure deployments.
 
 .. note:: The CCF node will fetch the endorsements from the server on startup, which may cause substantial deployment delays (up to tens of seconds) depending on network latency and endpoint throttling. 
 
@@ -54,10 +72,10 @@ Governance Proposals
 The following governance proposals can be issued to add/remove these trusted values, e.g. when upgrading the service (see :doc:`/operations/code_upgrade`):
 
 - ``add_snp_host_data``/``remove_snp_host_data``: To add/remove a trusted security policy, e.g. when adding a new trusted container image as part of the code upgrade procedure. 
-- ``add_snp_uvm_endorsement``/``add_snp_uvm_endorsement``: To add remove a trusted UVM endorsement (ACI deployment only).
+- ``add_snp_uvm_endorsement``/``add_snp_uvm_endorsement``: To add remove a trusted UVM endorsement (Azure deployment only).
 - ``add_snp_measurement``/``remove_snp_measurement``: To add/remove a trusted measurement.
 
 .. rubric:: Footnotes
 
-.. [#security_policy] A `REGO <https://www.openpolicyagent.org/docs/latest/policy-language/>`_ policy checked by the utility VM (UVM) against the ACI container. 
+.. [#security_policy] A `REGO <https://www.openpolicyagent.org/docs/latest/policy-language/>`_ policy checked by the utility VM (UVM) against the container. 
 .. [#measurement] Digest of the initial memory pages for the SEV-SNP VM. 

include/ccf/pal/attestation_sev_snp.h

@@ -200,6 +200,14 @@ QPHfbkH0CyPfhl1jWhJFZasCAwEAAQ==
             url, chip_id_hex, boot_loader, tee, snp, microcode));
           break;
         }
+        case EndorsementsEndpointType::THIM:
+        {
+          auto url =
+            server.url.value_or(default_thim_endorsements_endpoint_host);
+          config.servers.emplace_back(
+            make_thim_endorsements_server(url, chip_id_hex, reported_tcb));
+          break;
+        }
         default:
         {
           throw std::logic_error(fmt::format(

include/ccf/pal/attestation_sev_snp_endorsements.h

@@ -44,6 +44,8 @@ namespace ccf::pal::snp
       std::string uri;
       std::map<std::string, std::string> params;
       bool response_is_der = false;
+      bool response_is_thim_json = false;
+      std::map<std::string, std::string> headers = {};
 
       bool operator==(const EndpointInfo&) const = default;
     };
@@ -57,12 +59,14 @@ namespace ccf::pal::snp
   enum EndorsementsEndpointType
   {
     Azure = 0,
-    AMD = 1
+    AMD = 1,
+    THIM = 2,
   };
   DECLARE_JSON_ENUM(
     EndorsementsEndpointType,
     {{EndorsementsEndpointType::Azure, "Azure"},
-     {EndorsementsEndpointType::AMD, "AMD"}});
+     {EndorsementsEndpointType::AMD, "AMD"},
+     {EndorsementsEndpointType::THIM, "THIM"}});
 
   struct EndorsementsServer
   {
@@ -113,12 +117,13 @@ namespace ccf::pal::snp
     params["ucodeSPL"] = microcode;
 
     EndorsementEndpointsConfiguration::Server server;
-    server.push_back(
-      {endpoint,
-       "443",
-       fmt::format("/vcek/v1/{}/{}", product_name, chip_id_hex),
-       params,
-       true});
+    server.push_back({
+      endpoint,
+      "443",
+      fmt::format("/vcek/v1/{}/{}", product_name, chip_id_hex),
+      params,
+      true // DER
+    });
     server.push_back(
       {endpoint,
        "443",
@@ -127,4 +132,25 @@ namespace ccf::pal::snp
 
     return server;
   }
+
+  constexpr auto default_thim_endorsements_endpoint_host = "169.254.169.254";
+
+  static EndorsementEndpointsConfiguration::Server
+  make_thim_endorsements_server(
+    const std::string& endpoint,
+    const std::string& chip_id_hex,
+    const std::string& reported_tcb)
+  {
+    std::map<std::string, std::string> params;
+    params["tcbVersion"] = reported_tcb;
+    params["platformId"] = chip_id_hex;
+    return {
+      {endpoint,
+       "80",
+       "/metadata/THIM/amd/certification",
+       params,
+       false, // Not DER
+       true, // But THIM JSON
+       {{"Metadata", "true"}}}};
+  }
 }

samples/config/start_config_aci_sev_snp.json

@@ -36,6 +36,12 @@
   "attestation": {
     "environment": {
       "security_context_directory": "UVM_SECURITY_CONTEXT_DIR"
-    }
+    },
+    "snp_endorsements_servers": [
+      {
+        "type": "THIM",
+        "url": "169.254.169.254"
+      }
+    ]
   }
 }

samples/config/start_config_aks_sev_snp.json

@@ -0,0 +1,41 @@
+{
+  "enclave": {
+    "file": "libjs_generic.snp.so",
+    "platform": "SNP",
+    "type": "Release"
+  },
+  "network": {
+    "node_to_node_interface": {
+      "bind_address": "127.0.0.1:8081"
+    },
+    "rpc_interfaces": {
+      "interface_name": {
+        "bind_address": "127.0.0.1:8080",
+        "published_address": "ccf.dummy.com:12345"
+      }
+    }
+  },
+  "command": {
+    "type": "Start",
+    "service_certificate_file": "service_cert.pem",
+    "start": {
+      "constitution_files": [
+        "validate.js",
+        "apply.js",
+        "resolve.js",
+        "actions.js"
+      ],
+      "members": [
+        {
+          "certificate_file": "member0_cert.pem",
+          "encryption_public_key_file": "member0_enc_pubk.pem"
+        }
+      ]
+    }
+  },
+  "attestation": {
+    "environment": {
+      "security_context_directory": "UVM_SECURITY_CONTEXT_DIR"
+    }
+  }
+}

src/enclave/rpc_sessions.h

@@ -583,6 +583,17 @@ namespace ccf
       }
     }
 
+    std::shared_ptr<ClientSession> create_unencrypted_client()
+    {
+      std::lock_guard<ccf::pal::Mutex> guard(lock);
+      auto id = get_next_client_id();
+      auto session = std::make_shared<http::UnencryptedHTTPClientSession>(
+        id, writer_factory);
+      sessions.insert(std::make_pair(id, std::make_pair("", session)));
+      sessions_peak = std::max(sessions_peak, sessions.size());
+      return session;
+    }
+
     void register_message_handlers(
       messaging::Dispatcher<ringbuffer::Message>& disp)
     {