From 9b60b1f54fef0fe6143fdc6be2afe235e774e43c Mon Sep 17 00:00:00 2001
From: Ivan Petrov
Date: Tue, 10 Sep 2024 17:35:30 +0100
Subject: [PATCH] Add Verification Policy template

Bug: 356629119
Change-Id: Iff766185dfefbf85c1f447a5df8de84d5d36abf9
---
 oak_attestation_verification/src/lib.rs    |  1 +
 oak_attestation_verification/src/policy.rs | 44 +++++++++++++++++++
 .../generated/oak.attestation.v1.rs        |  8 ++++
 proto/attestation/verification.proto       |  7 +++
 4 files changed, 60 insertions(+)
 create mode 100644 oak_attestation_verification/src/policy.rs

diff --git a/oak_attestation_verification/src/lib.rs b/oak_attestation_verification/src/lib.rs
index 6109273bab1..9c32cb1818f 100644
--- a/oak_attestation_verification/src/lib.rs
+++ b/oak_attestation_verification/src/lib.rs
@@ -21,6 +21,7 @@ extern crate alloc;
 
 pub mod amd;
 pub mod endorsement;
+pub mod policy;
 pub mod rekor;
 pub mod util;
 pub mod verifier;
diff --git a/oak_attestation_verification/src/policy.rs b/oak_attestation_verification/src/policy.rs
new file mode 100644
index 00000000000..76d7703da89
--- /dev/null
+++ b/oak_attestation_verification/src/policy.rs
@@ -0,0 +1,44 @@
+//
+// Copyright 2024 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+//! Contains code related to attestation verification policies.
+
+use oak_proto_rust::oak::attestation::v1::{
+    AttestationResults, Endorsements, EventAttestationResults, EventLog,
+};
+
+/// Verification Policy that takes an EventLog and corresponding Event
+/// Endorsements and performs attestation verification.
+///
+/// Verification Policy correspond to the "Appraisal Policy for Evidence"
+/// provided by the RATS standard.
+///
+pub trait Policy {
+    fn verify(
+        event_log: &EventLog,
+        endorsements: &Endorsements,
+    ) -> anyhow::Result;
+}
+
+/// Verification Policy that takes a serialized Event and a serialized Event
+/// Endorsement and performs attestation verification for this specific Event.
+pub trait EventPolicy {
+    fn verify(
+        &self,
+        serialized_event: &[u8],
+        serialized_event_endorsements: &[u8],
+    ) -> anyhow::Result;
+}
diff --git a/oak_proto_rust/generated/oak.attestation.v1.rs b/oak_proto_rust/generated/oak.attestation.v1.rs
index d3087e5a081..0218bc829a5 100644
--- a/oak_proto_rust/generated/oak.attestation.v1.rs
+++ b/oak_proto_rust/generated/oak.attestation.v1.rs
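Review bot: `Policy::verify` is declared without a receiver while `EventPolicy::verify` takes `&self`, so a `Policy` can carry no state (reference values, accepted endorser keys, configuration) and the trait is not usable as a trait object; unless a purely static policy is the intent, make the two consistent with `fn verify(&self, event_log: &EventLog, endorsements: &Endorsements) -> anyhow::Result<AttestationResults>;`. The `EventPolicy` doc should also state the trust boundary of its inputs: presumably `serialized_event` must be the byte-exact log entry whose digest is bound in the evidence (protobuf encoding is not canonical, so a re-serialized copy may not match), and both byte slices are untrusted until the policy has parsed and checked them — confirm and say so in the docstring. Neither trait receives a reference time, so if endorsement validity windows are to be enforced each implementer has to obtain one itself; documenting that expectation on the trait would keep policies from silently skipping the check. Minor: the `Policy` doc should read `corresponds to`, and the trailing empty `///` line before `pub trait Policy` can be dropped.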
@@ -971,6 +971,9 @@ pub struct AttestationResults {
     /// Contains the evidence values whenever the status indicates success.
     #[prost(message, optional, tag = "5")]
     pub extracted_evidence: ::core::option::Option,
+    /// Detailed attestation verification results each event.
+    #[prost(message, repeated, tag = "6")]
+    pub event_attestation_results: ::prost::alloc::vec::Vec,
 }
 /// Nested message and enum types in `AttestationResults`.
 pub mod attestation_results {
@@ -1014,6 +1017,11 @@ pub mod attestation_results {
         }
     }
 }
+/// Attestation verification results for an individual event.
+/// TODO: b/366419879 - Implement descriptive per-event attestation results.
+#[allow(clippy::derive_partial_eq_without_eq)]
+#[derive(Clone, PartialEq, ::prost_derive::Message)]
+pub struct EventAttestationResults {}
 /// Evidence values extracted from attestation evidence during verification.
 #[allow(clippy::derive_partial_eq_without_eq)]
 #[derive(Clone, PartialEq, ::prost_derive::Message)]
diff --git a/proto/attestation/verification.proto b/proto/attestation/verification.proto
index aa6e08e0242..27e536c5a42 100644
--- a/proto/attestation/verification.proto
+++ b/proto/attestation/verification.proto
@@ -59,8 +59,15 @@ message AttestationResults {
 
   // Contains the evidence values whenever the status indicates success.
   ExtractedEvidence extracted_evidence = 5;
+
+  // Detailed attestation verification results each event.
+  repeated EventAttestationResults event_attestation_results = 6;
 }
 
+// Attestation verification results for an individual event.
+// TODO: b/366419879 - Implement descriptive per-event attestation results.
+message EventAttestationResults {}
+
 // Evidence values extracted from attestation evidence during verification.
 message ExtractedEvidence {
   oneof evidence_values {
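Review bot: The new `event_attestation_results` field does not say how its entries relate to the verified `EventLog` or to the top-level `status`, and because `EventAttestationResults` is empty for now a consumer cannot distinguish an event that was verified from one whose check was skipped. Until the per-event message carries its own status, the comment should tell readers to rely on `status` alone; it is also missing a word. Suggested field comment: `// Detailed attestation verification results for each event, in the same order as the events in the verified EventLog. The top-level status remains authoritative until per-event results carry their own status.` — the ordering is my assumption from the field being `repeated`, so confirm it before documenting it. The enclosing `message AttestationResults` starts before the hunk, and the mirrored comment in the generated `oak.attestation.v1.rs` will follow once the proto is regenerated.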