`tdx-quote-provider` is a service used by flashtestations to get around the issue of needing sudo to access `/sys/kernel/config/tsm/report` when issuing DCAP attestations. The `tdx-quote-provider` service is run as sudo and serves attestations over HTTP. It uses automata-network/coco-provider-sdk, which does support TPM attestations as well as DCAP, but I'm not sure if it supports Azure (probably not, having had a brief look).
Supporting this would be identical to the existing 'dummy' quote provider used for testing, which also retrieves quotes using HTTP with an identical API:
attested-tls-proxy/src/attestation/mod.rs, lines 240 to 260 in dc7d2af:

```rust
    async fn generate_dummy_attestation(
        &self,
        input_data: [u8; 64],
    ) -> Result<Vec<u8>, AttestationError> {
        // Base URL of the dummy provider is configured at startup; error if unset.
        let url = format!(
            "{}/attest/{}",
            self.dummy_dcap_url
                .clone()
                .ok_or(AttestationError::DummyUrl)?,
            hex::encode(input_data)
        );

        // Plain GET; the response body is returned as the raw quote bytes.
        Ok(reqwest::get(url)
            .await
            .map_err(|err| AttestationError::DummyServer(err.to_string()))?
            .bytes()
            .await
            .map_err(|err| AttestationError::DummyServer(err.to_string()))?
            .to_vec())
    }
}
```
That is making a GET request to `/attest/{input data as hex}`.
We would maybe just need to rename it to something other than dummy for clarity, and perhaps add a check that the target address is local.
Personally I prefer the approach Buildernet is using to get around this issue - the systemd service explicitly allows the process read-write access to `/sys/kernel/config/tsm/report` (and nothing else):
https://github.com/flashbots/flashbots-images/blob/a0e1841e39a8aae28121f1ae77d65129456502e9/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf#L10-L13
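As an added example (not code from the attested-tls-proxy project or from the comment above), here is one way to implement the "check that the target address is local" suggested for a quote provider reached over plain HTTP. It is std-only so it runs without the `reqwest`, `url` or `hex` crates: the helpers `parse_provider_url`, `require_loopback`, `attest_path` and `plan_attest_request` are hypothetical names chosen for this example, and the 64-byte report data is constructed. The idea is to resolve the configured provider host before any request is sent and refuse unless every address it yields is loopback, so a mistyped or DNS-controlled provider name can never make the proxy send quote requests, or accept quotes, off-box.

```rust
use std::net::{SocketAddr, ToSocketAddrs};

/// The parts of the quote-provider base URL this check needs.
#[derive(Debug, PartialEq)]
pub struct ProviderUrl {
    pub scheme: String,
    pub host: String,
    pub port: u16,
}

#[derive(Debug, PartialEq)]
pub enum ProviderUrlError {
    BadScheme,
    BadHost,
    BadPort,
    /// The host resolved to a non-loopback address (carried as text).
    NotLocal(String),
    Resolve(String),
}

/// Parse "http://host[:port]/..." or "https://host[:port]/..." using std only.
/// Hypothetical helper written for this example; a real client would use the url crate.
pub fn parse_provider_url(url: &str) -> Result<ProviderUrl, ProviderUrlError> {
    let (scheme, rest, default_port) = if let Some(r) = url.strip_prefix("http://") {
        ("http", r, 80)
    } else if let Some(r) = url.strip_prefix("https://") {
        ("https", r, 443)
    } else {
        return Err(ProviderUrlError::BadScheme);
    };
    // Only the authority matters here; drop any path that follows it.
    let authority = rest.split('/').next().unwrap_or("");
    let (host, port_str) = if let Some(v6) = authority.strip_prefix('[') {
        // Bracketed IPv6 literal, e.g. [::1]:8080
        let end = v6.find(']').ok_or(ProviderUrlError::BadHost)?;
        let tail = &v6[end + 1..];
        let port = if tail.is_empty() {
            None
        } else {
            Some(tail.strip_prefix(':').ok_or(ProviderUrlError::BadPort)?)
        };
        (v6[..end].to_string(), port)
    } else {
        match authority.rsplit_once(':') {
            Some((h, p)) => (h.to_string(), Some(p)),
            None => (authority.to_string(), None),
        }
    };
    if host.is_empty() {
        return Err(ProviderUrlError::BadHost);
    }
    let port = match port_str {
        Some(p) => p.parse::<u16>().map_err(|_| ProviderUrlError::BadPort)?,
        None => default_port,
    };
    Ok(ProviderUrl { scheme: scheme.to_string(), host, port })
}

/// Resolve the provider host and insist that every address it yields is loopback.
/// This runs before any connection is opened, so the check cannot be bypassed by a
/// name that resolves to a mix of local and remote addresses.
pub fn require_loopback(url: &ProviderUrl) -> Result<Vec<SocketAddr>, ProviderUrlError> {
    let addrs: Vec<SocketAddr> = (url.host.as_str(), url.port)
        .to_socket_addrs()
        .map_err(|e| ProviderUrlError::Resolve(e.to_string()))?
        .collect();
    if addrs.is_empty() {
        return Err(ProviderUrlError::Resolve(format!("{} resolved to nothing", url.host)));
    }
    if let Some(bad) = addrs.iter().find(|a| !a.ip().is_loopback()) {
        return Err(ProviderUrlError::NotLocal(bad.ip().to_string()));
    }
    Ok(addrs)
}

/// The request path the existing provider API expects: /attest/{report data as hex}.
pub fn attest_path(input_data: &[u8; 64]) -> String {
    let hex: String = input_data.iter().map(|b| format!("{b:02x}")).collect();
    format!("/attest/{hex}")
}

/// Combined check: the loopback address to connect to and the path to GET, or a refusal.
pub fn plan_attest_request(
    base_url: &str,
    input_data: &[u8; 64],
) -> Result<(SocketAddr, String), ProviderUrlError> {
    let url = parse_provider_url(base_url)?;
    let addrs = require_loopback(&url)?;
    Ok((addrs[0], attest_path(input_data)))
}

fn main() {
    // Constructed sample: 64 bytes of report data the caller wants bound into the quote.
    let report_data = [0x42u8; 64];
    for base in ["http://127.0.0.1:8080", "http://[::1]:8080", "http://10.0.0.1:8080"] {
        match plan_attest_request(base, &report_data) {
            Ok((addr, path)) => println!("{base}: GET {path} from {addr}"),
            Err(e) => println!("{base}: refused ({e:?})"),
        }
    }
}
```

The check is deliberately all-or-nothing over the resolved address set: a hostname that returns one loopback and one remote address is refused rather than "first address wins", since resolver ordering is not something the proxy controls. It complements, rather than replaces, the systemd approach linked above: the locality check limits where quote requests can go, while a unit that grants read-write access only to the tsm report path limits what the attesting process can touch.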