tpm/ak_cert.rs
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
//! Helper traits for TPM Attestation Key Certificate (AK cert).
use std::sync::Arc;
use tpm_resources::RequestAkCertKind;
use vm_resource::CanResolveTo;
/// Type of TPM AK cert.
pub enum TpmAkCertType {
/// No Ak cert.
None,
/// Authorized AK cert that is not hardware-attested.
/// Used by TVM
Trusted(Arc<dyn RequestAkCert>),
/// Authorized and hardware-attested AK cert (backed by
/// a TEE attestation report).
/// Used by CVM
HwAttested(Arc<dyn RequestAkCert>),
}
impl TpmAkCertType {
/// Get the `RequestAkCert` from the enum
pub fn get_ak_cert_helper(&self) -> Option<&Arc<dyn RequestAkCert>> {
match self {
TpmAkCertType::HwAttested(helper) => Some(helper),
TpmAkCertType::Trusted(helper) => Some(helper),
TpmAkCertType::None => None,
}
}
}
impl CanResolveTo<ResolvedRequestAkCert> for RequestAkCertKind {
// Workaround for async_trait not supporting GATs with missing lifetimes.
type Input<'a> = &'a ();
}
/// A resolved get attestation report helper resource.
pub struct ResolvedRequestAkCert(pub Arc<dyn RequestAkCert>);
impl<T: 'static + RequestAkCert> From<T> for ResolvedRequestAkCert {
fn from(value: T) -> Self {
Self(Arc::new(value))
}
}
/// A trait for requesting an AK cert.
#[async_trait::async_trait]
pub trait RequestAkCert: Send + Sync {
/// Helper function to create the request needed by `request_ak_cert`.
fn create_ak_cert_request(
&self,
ak_pub_modulus: &[u8],
ak_pub_exponent: &[u8],
ek_pub_modulus: &[u8],
ek_pub_exponent: &[u8],
guest_input: &[u8],
) -> Result<Vec<u8>, Box<dyn std::error::Error + Send + Sync>>;
/// Helper function to request an AK cert.
async fn request_ak_cert(
&self,
request: Vec<u8>,
) -> Result<Vec<u8>, Box<dyn std::error::Error + Send + Sync + 'static>>;
}