// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.

//! This module includes the definition of the VM Metadata blob (VMMD)
//! issued by CVM Provisioning Service (CPS) that is used for parsing
//! the response of the `WRAPPED_KEY_REQUEST`.

use base64_serde::base64_serde_type;
use serde::Deserialize;
use serde::Serialize;

// Serde adapter used via `#[serde(with = "Base64")]` below: the field is a
// base64 string (standard alphabet) on the wire and raw bytes in memory.
base64_serde_type!(Base64, base64::engine::general_purpose::STANDARD);

/// The `VMMD` blob format (JSON object) defined by CPS.
/// Only include the fields that include the base64-encoded
/// wrapped DiskEncryptionSettings key and the key reference (in JSON).
/// Any other fields present in the response are ignored on deserialization
/// (serde's default for unknown fields), which is intentional here.
/// The JSON object looks like
/// ```ignore
/// {
///   "DiskEncryptionSettings": {
///     "encryption_info": {
///       "aes_info": {
///         "ciphertext": <base64-encoded wrapped DiskEncryptionSettings key>
///         ..
///       }
///       "key_reference": <JSON object>
///       ..
///     }
///     ..
///   }
/// }
/// ```
#[derive(Deserialize, Serialize)]
pub struct VmmdBlob {
    /// The top-level `DiskEncryptionSettings` object of the blob. The JSON
    /// key differs from the Rust field name, hence the `rename` below.
    #[serde(rename = "DiskEncryptionSettings")]
    pub disk_encryption_settings: DiskEncryptionSettings,
}

/// The `DiskEncryptionSettings` object of the `VMMD` blob.
/// Only include the relevant fields that include base64-encoded wrapped
/// DiskEncryptionSettings key and the key reference JSON object.
#[derive(Deserialize, Serialize)]
pub struct DiskEncryptionSettings {
    /// Encryption info (the `encryption_info` JSON key); holds the wrapped
    /// key and the key reference.
    pub encryption_info: EncryptionInfo,
}

/// The `encryption_info` object of the `VMMD` blob.
/// Only include the relevant fields that include base64-encoded wrapped DiskEncryptionSettings
/// key and the key reference JSON object (held in the `key_reference` field).
#[derive(Deserialize, Serialize)]
pub struct EncryptionInfo {
    /// AES information that includes the wrapped key (the `aes_info` JSON key).
    pub aes_info: AesInfo,
    /// JSON object used by the agent in the SKR process. Kept as an untyped
    /// [`serde_json::Value`], so its contents are neither validated nor
    /// interpreted by this module — presumably the consumer validates it.
    pub key_reference: serde_json::Value,
}

/// The `aes_info` object of the `VMMD` blob.
/// Only include the relevant field that includes the base64-encoded wrapped DiskEncryptionSettings
/// key (held in the `ciphertext` field).
#[derive(Deserialize, Serialize)]
pub struct AesInfo {
    /// Base64-encoded symmetric key wrapped in RSA-OAEP.
    /// Decoded from base64 during deserialization (and re-encoded on
    /// serialization) by the `Base64` adapter, so this holds the raw wrapped
    /// key bytes, not the base64 text.
    #[serde(with = "Base64")]
    pub ciphertext: Vec<u8>,
}