AA/kbs_protocol: add AAEvidenceProvider

AAEvidenceProvider gets evidence via ttrpc from AA. This patch also does
some refactoring upon the code structure of ttrpc to avoid duplication
of ttrpc files.

Signed-off-by: Xynnn007 <[email protected]>

attestation-agent/kbs_protocol/build.rs

@@ -28,7 +28,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
         }
 
         ttrpc_codegen::Codegen::new()
-            .out_dir("src/token_provider/aa")
+            .out_dir("src/ttrpc_protos")
             .include("../protos")
             .inputs(["../protos/attestation-agent.proto"])
             .rust_protobuf()
@@ -42,7 +42,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
 
         // Fix clippy warnings of code generated from ttrpc_codegen
         replace_text_in_file(
-            "src/token_provider/aa/attestation_agent_ttrpc.rs",
+            "src/ttrpc_protos/attestation_agent_ttrpc.rs",
             "client: client",
             "client",
         )?;

attestation-agent/kbs_protocol/src/error.rs

@@ -9,6 +9,9 @@ pub type Result<T> = std::result::Result<T, Error>;
 
 #[derive(Error, Debug)]
 pub enum Error {
+    #[error("Attestation Agent evidence provider error: {0}")]
+    AAEvidenceProvider(String),
+
     #[error("Attestation Agent token provider error: {0}")]
     AATokenProvider(String),
 

attestation-agent/kbs_protocol/src/evidence_provider/aa_ttrpc.rs

@@ -0,0 +1,79 @@
+// Copyright (c) 2025 Alibaba Cloud
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use async_trait::async_trait;
+use kbs_types::Tee;
+use serde_json::json;
+use ttrpc::context;
+
+use crate::{
+    ttrpc_protos::{
+        attestation_agent::{GetEvidenceRequest, GetTeeTypeRequest},
+        attestation_agent_ttrpc::AttestationAgentServiceClient,
+    },
+    Error, Result,
+};
+
+use super::EvidenceProvider;
+
+const AA_SOCKET_FILE: &str =
+    "unix:///run/confidential-containers/attestation-agent/attestation-agent.sock";
+
+/// The timeout for ttrpc call to Attestation Agent
+const AA_TTRPC_TIMEOUT_SECONDS: i64 = 50;
+
+pub struct AAEvidenceProvider {
+    client: AttestationAgentServiceClient,
+}
+
+impl AAEvidenceProvider {
+    pub async fn new() -> Result<Self> {
+        let c = ttrpc::r#async::Client::connect(AA_SOCKET_FILE)
+            .map_err(|e| Error::AATokenProvider(format!("ttrpc connect failed {e}")))?;
+        let client = AttestationAgentServiceClient::new(c);
+        Ok(Self { client })
+    }
+}
+
+#[async_trait]
+impl EvidenceProvider for AAEvidenceProvider {
+    /// Get evidence with as runtime data (report data, challege)
+    async fn get_evidence(&self, runtime_data: Vec<u8>) -> Result<String> {
+        let req = GetEvidenceRequest {
+            RuntimeData: runtime_data,
+            ..Default::default()
+        };
+        let res = self
+            .client
+            .get_evidence(
+                context::with_timeout(AA_TTRPC_TIMEOUT_SECONDS * 1000 * 1000 * 1000),
+                &req,
+            )
+            .await
+            .map_err(|e| Error::AAEvidenceProvider(format!("call ttrpc failed: {e}")))?;
+        let evidence = String::from_utf8(res.Evidence)
+            .map_err(|e| Error::AAEvidenceProvider(format!("non-utf8 evidence: {e}")))?;
+        Ok(evidence)
+    }
+
+    /// Get the underlying Tee type
+    async fn get_tee_type(&self) -> Result<Tee> {
+        let req = GetTeeTypeRequest {
+            ..Default::default()
+        };
+        let res = self
+            .client
+            .get_tee_type(
+                context::with_timeout(AA_TTRPC_TIMEOUT_SECONDS * 1000 * 1000 * 1000),
+                &req,
+            )
+            .await
+            .map_err(|e| Error::AAEvidenceProvider(format!("call ttrpc failed: {e}")))?;
+
+        let tee = serde_json::from_value(json!(res.tee))
+            .map_err(|e| Error::AAEvidenceProvider(format!("failed to parse Tee type: {e}")))?;
+        Ok(tee)
+    }
+}

attestation-agent/kbs_protocol/src/evidence_provider/mod.rs

@@ -9,6 +9,11 @@ pub use native::*;
 pub mod mock;
 pub use mock::*;
 
+#[cfg(feature = "aa_ttrpc")]
+pub mod aa_ttrpc;
+#[cfg(feature = "aa_ttrpc")]
+pub use aa_ttrpc::*;
+
 use crate::Result;
 use async_trait::async_trait;
 use kbs_types::Tee;

attestation-agent/kbs_protocol/src/lib.rs

@@ -77,6 +77,8 @@ pub mod error;
 pub mod evidence_provider;
 pub mod keypair;
 pub mod token_provider;
+#[cfg(feature = "aa_ttrpc")]
+pub mod ttrpc_protos;
 
 pub use api::*;
 pub use builder::KbsClientBuilder;

attestation-agent/kbs_protocol/src/token_provider/aa/mod.rs

@@ -5,17 +5,15 @@
 
 //! This is a token provider which connects the attestation-agent
 
-mod attestation_agent;
-mod attestation_agent_ttrpc;
-
 use async_trait::async_trait;
 use serde::Deserialize;
 use ttrpc::context;
 
-use crate::{Error, Result, TeeKeyPair, Token};
-
-use self::{
-    attestation_agent::GetTokenRequest, attestation_agent_ttrpc::AttestationAgentServiceClient,
+use crate::{
+    ttrpc_protos::{
+        attestation_agent::GetTokenRequest, attestation_agent_ttrpc::AttestationAgentServiceClient,
+    },
+    Error, Result, TeeKeyPair, Token,
 };
 
 use super::TokenProvider;

attestation-agent/kbs_protocol/src/ttrpc_protos/mod.rs

@@ -0,0 +1,7 @@
+// Copyright (c) 2025 Alibaba Cloud
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+pub mod attestation_agent;
+pub mod attestation_agent_ttrpc;