Merge pull request #195 from eyakubovich/ey/generate-data-key-pair

Add DeriveSharedSecret & GenerateDataKeyPair

Author: eyakubovich

enclaver/src/bin/enclaver-run/main.rs

@@ -1,17 +1,17 @@
 use anyhow::Result;
 use clap::{Parser, Subcommand};
-use enclaver::constants::{MANIFEST_FILE_NAME, RELEASE_BUNDLE_DIR, EIF_FILE_NAME};
-use enclaver::run::{Enclave, EnclaveExitStatus, EnclaveOpts};
+use enclaver::constants::{EIF_FILE_NAME, MANIFEST_FILE_NAME, RELEASE_BUNDLE_DIR};
 use enclaver::manifest::load_manifest_raw;
 use enclaver::nitro_cli::NitroCLI;
+use enclaver::run::{Enclave, EnclaveExitStatus, EnclaveOpts};
 use enclaver::utils;
 use log::info;
 use std::{
     path::PathBuf,
     process::{ExitCode, Termination},
 };
-use tokio_util::sync::CancellationToken;
 use tokio::io::{stdout, AsyncWriteExt};
+use tokio_util::sync::CancellationToken;
 
 const ENCLAVE_SIGNALED_EXIT_CODE: u8 = 107;
 const ENCLAVE_FATAL: u8 = 108;

enclaver/src/bin/odyn/config.rs

@@ -121,11 +121,7 @@ impl KmsEndpointProvider for Configuration {
             .manifest
             .kms_proxy
             .as_ref()
-            .and_then(|kp| {
-                kp.endpoints
-                    .as_ref()
-                    .map(|eps| eps.get(region).cloned())
-            })
+            .and_then(|kp| kp.endpoints.as_ref().map(|eps| eps.get(region).cloned()))
             .flatten();
 
         ep.unwrap_or_else(|| format!("kms.{region}.amazonaws.com"))

enclaver/src/build.rs

@@ -350,8 +350,7 @@ impl EnclaveArtifactBuilder {
         }
 
         // If we make it this far, do a little bit of cleanup
-        self
-            .docker
+        self.docker
             .remove_container(&build_container_id, None)
             .await?;
         let _ = self.docker.remove_image(&img_tag, None, None).await?;

enclaver/src/proxy/egress_http.rs

@@ -61,10 +61,7 @@ struct ConnectRequest {
 
 impl ConnectRequest {
     fn new(host: String, port: u16) -> Self {
-        Self {
-            host,
-            port,
-        }
+        Self { host, port }
     }
 }
 

enclaver/src/proxy/kms.rs

@@ -25,9 +25,11 @@ static X_AMZ_JSON: HeaderValue = HeaderValue::from_static("application/x-amz-jso
 
 const X_AMZ_CREDENTIAL: &str = "X-Amz-Credential";
 
-const ATTESTING_ACTIONS: [&str; 3] = [
+const ATTESTING_ACTIONS: [&str; 5] = [
     "TrentService.Decrypt",
+    "TrentService.DeriveSharedSecret",
     "TrentService.GenerateDataKey",
+    "TrentService.GenerateDataKeyPair",
     "TrentService.GenerateRandom",
 ];
 
@@ -203,8 +205,8 @@ impl KmsRequestOutgoing {
         );
 
         // Sign and then apply the signature to the request
-        let signed = aws_sigv4::http_request::sign(signable_request, &signing_params)
-            .map_err(Error::msg)?;
+        let signed =
+            aws_sigv4::http_request::sign(signable_request, &signing_params).map_err(Error::msg)?;
 
         let (signing_instructions, _signature) = signed.into_parts();
         signing_instructions.apply_to_request(&mut self.inner);

enclaver/src/proxy/pkcs7.rs

@@ -62,8 +62,7 @@ impl<'a> ContentInfo<'a> {
 
     pub fn decrypt_content(&self, priv_key: &RsaPrivateKey) -> Result<Vec<u8>> {
         let datakey = self.decrypt_key(priv_key)?;
-        self
-            .content
+        self.content
             .encrypted_content_info
             .decrypt_content(&datakey)
     }

enclaver/src/run.rs

@@ -214,24 +214,25 @@ impl Enclave {
     }
 
     fn start_odyn_log_stream(&mut self, cid: u32) -> Result<()> {
-        self.tasks.push(utils::spawn!("odyn log stream", async move {
-            info!("waiting for enclave to boot to stream logs");
-            let conn = loop {
-                match VsockStream::connect(cid, APP_LOG_PORT).await {
-                    Ok(conn) => break conn,
-
-                    // TODO: improve the polling frequency / backoff / timeout
-                    Err(_) => {
-                        tokio::time::sleep(LOG_VSOCK_RETRY_INTERVAL).await;
+        self.tasks
+            .push(utils::spawn!("odyn log stream", async move {
+                info!("waiting for enclave to boot to stream logs");
+                let conn = loop {
+                    match VsockStream::connect(cid, APP_LOG_PORT).await {
+                        Ok(conn) => break conn,
+
+                        // TODO: improve the polling frequency / backoff / timeout
+                        Err(_) => {
+                            tokio::time::sleep(LOG_VSOCK_RETRY_INTERVAL).await;
+                        }
                     }
-                }
-            };
+                };
 
-            info!("connected to enclave, starting log stream");
-            if let Err(e) = utils::log_lines_from_stream("enclave", conn).await {
-                error!("error reading log lines from enclave: {e}");
-            }
-        })?);
+                info!("connected to enclave, starting log stream");
+                if let Err(e) = utils::log_lines_from_stream("enclave", conn).await {
+                    error!("error reading log lines from enclave: {e}");
+                }
+            })?);
 
         Ok(())
     }