islet-project / islet

An on-device confidential computing platform
Apache License 2.0
96 stars, 17 forks

veraison service issue #391

Open oxsignal opened 5 days ago

oxsignal commented 5 days ago

I encountered the error message below when I tried a veraison service with ARM CCA.

Instruction : https://github.com/islet-project/islet/blob/main/examples/veraison/RUN.md

Cmd (in bootstrap.sh): veraison -- pocli create CCA_SSD_PLATFORM accept-all.rego
Error message:

+ /home/cysec/cca/islet/examples/veraison/services/deployments/docker/veraison -- pocli create CCA_SSD_PLATFORM accept-all.rego
Error: unexpected HTTP response code 400
Usage:
   create SCHEME RULES_FILE [flags]

Flags:
  -d, --dont-activate   if specified, the new policy will not be activated afer being created
  -h, --help            help for create
  -n, --name string     the name for the new policy

Global Flags:
  -a, --auth Method            authentication method, must be one of "none"/"passthrough", "basic", "oauth2" (default passthrough)
  -E, --ca-cert stringArray    path to a CA cert that will be used in addition to system certs; may be specified multiple times
  -C, --client-id string       OAuth2 client ID
  -S, --client-secret string   OAuth2 client secret
  -c, --config string          configuration file
  -H, --host string            the host running Veraison management service (default "localhost")
  -i, --insecure               Use HTTPS but do not check certs (implies -s/--tls)
  -P, --password string        service password
  -p, --port int               the port on which Veraison management service is listening (default 8088)
  -s, --tls                    Use HTTPS
  -T, --token-url string       token URL of the OAuth2 service
  -U, --username string        service username

Error: unexpected HTTP response code 400

Veraison status:

$ veraison status
         vts: running
provisioning: running
verification: running
  management: running
    keycloak: running

It seems the service does not recognize the policy properly.

bokdeuk-jeong commented 1 day ago

@p-sawicki2 Could you take a look into this too?

p-sawicki2 commented 1 day ago

@bokdeuk-jeong I think that it is the same issue as @L0czek came across during the development of the application provisioning mechanism.

oxsignal commented 22 hours ago

I got around it somehow: I should use the -s option for HTTPS.

Example:

pocli schemes -s
Attestation schemes supported by management-service:8088:
ARM_CCA
PARSEC_CCA
PARSEC_TPM
PSA_IOT
TPM_ENACTTRUST
riot

As you can see, the current pocli does not support "CCA_SSD_PLATFORM", but "ARM_CCA".

pocli create ARM_CCA /home/cysec/cca/islet/examples/veraison/accept-all.rego  -s
Policy created:
{
    "uuid": "f8ae25bc-9a9e-11ef-8db2-0242ac120006",
    "ctime": "2024-11-04T11:21:43.944748611Z",
    "name": "default",
    "type": "opa",
    "rules": "package policy\n\nexecutables = APPROVED_RT\n",
    "active": false
}
Policy activated.

I am not aware of SCHEME, but this works for now.

oxsignal commented 21 hours ago

I found other issues on veraison

1. Provisioning service

In CCA/islet/examples/veraison/provisioning: $ ./run.sh -t <path/to/token.bin> -c <path/to/cpak_public.pem>
cmd: cocli comid create --template=endorsements.json --template=refvals.json

>> created "endorsements.cbor" from "endorsements.json"
>> creation failed for "": error decoding template from refvals.json: error unmarshalling field "Triples": error unmarshalling field "ReferenceValues": error at index 0: error at index 0: error unmarshalling field "Digests": unknown hash algorithm TF-M_SHA256MemPreXIP
Error: 1/2 creations(s) failed

It looks like the reference files have the wrong format.

2. RIM value

In this scenario, I put in the example RIM value from the instruction: F58AF6D6A022F113627B1E0B1E0D9B9A1BFB460207AC29721E84BCEF4B4F5CE08351684444BC11CF329D1D4C807BB621807916C2DF4F56B7326E8D16692546A8

cmd: ./bin/reliant-party -r ./realm.json
Error: "Failed to decode RIM value"
The RIM value is the SHA256 of some complex values including the Realm measurement (refer to THIS).

I found that reliant-party refers to realm-verifier: https://github.com/islet-project/remote-attestation/tree/main/lib/realm-verifier

I thought this issue came from the length of the RIM, so I cut 64 bytes of the RIM and retried:

./bin/reliant-party -r ./realm.json hung... (no output)
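The two failures reported above (a decode error on the 128-character value, then a hang after shortening it) differ only in the length of the hex RIM string, so it is worth checking offline what a given RIM actually decodes to before handing it to reliant-party. The script below is an added example and is not code from islet or its remote-attestation repository. It assumes only that the RIM is supplied as a hex string; the mapping of decoded lengths to digest names (32/48/64 bytes for SHA-256/384/512) is an assumption about which sizes a verifier is likely to accept, not something this thread confirms. The sample value is the one quoted in the issue.

```python
"""Standalone sanity check for a hex-encoded RIM (realm initial measurement).

Added example, not code from islet or its remote-attestation crate. It assumes
the RIM is a hex string and that a verifier expects exactly one digest's worth
of bytes. Which digest sizes reliant-party accepts is an assumption.
"""

# RIM value quoted in the issue (128 hex characters).
EXAMPLE_RIM = (
    "F58AF6D6A022F113627B1E0B1E0D9B9A1BFB460207AC29721E84BCEF4B4F5CE0"
    "8351684444BC11CF329D1D4C807BB621807916C2DF4F56B7326E8D16692546A8"
)

# Assumed digest sizes a verifier might accept, keyed by decoded length in bytes.
DIGEST_SIZES = {32: "SHA-256", 48: "SHA-384", 64: "SHA-512"}


def decode_rim(value: str) -> bytes:
    """Decode a hex RIM strictly: reject odd length and non-hex characters."""
    s = value.strip()
    if s.lower().startswith("0x"):
        s = s[2:]
    if len(s) % 2:
        raise ValueError(f"odd number of hex digits ({len(s)})")
    try:
        return bytes.fromhex(s)
    except ValueError as e:
        raise ValueError(f"not valid hex: {e}") from None


def classify_rim(value: str) -> str:
    """Decode the RIM and report which digest size (if any) it matches."""
    raw = decode_rim(value)
    name = DIGEST_SIZES.get(len(raw))
    if name is None:
        raise ValueError(f"decoded to {len(raw)} bytes, not a known digest size")
    return f"{name} ({len(raw)} bytes)"


if __name__ == "__main__":
    # The value from the issue decodes to 64 bytes, i.e. a SHA-512-sized digest,
    # not the 32 bytes a SHA-256 digest would occupy.
    print("full value:     ", classify_rim(EXAMPLE_RIM))
    # Keeping only the first 64 hex characters yields a 32-byte value.
    print("first 64 chars: ", classify_rim(EXAMPLE_RIM[:64]))
    # Inputs a strict decoder rejects: odd length, non-hex, wrong size.
    for bad in ("F58AF", "ZZZZ", "F58AF6D6"):
        try:
            classify_rim(bad)
        except ValueError as e:
            print("rejected:", repr(bad), "->", e)
```

Running this against the value in realm.json tells you whether the decoder is being handed 64 bytes or 32, which narrows the problem to either the encoding of the value or the digest size realm-verifier expects.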