tools: add migtd-policy-generator

This tool is used to fetch reference values from backend server and
transfer the values into migtd policy style.

Signed-off-by: Jiaqi Gao <[email protected]>

Cargo.toml

@@ -11,6 +11,7 @@ members = [
     "src/policy",
     "tests/test-td-payload",
     "tools/migtd-hash",
+    "tools/migtd-policy-generator",
     "xtask",
     ]
 

tools/migtd-policy-generator/Cargo.toml

@@ -0,0 +1,13 @@
+[package]
+name = "migtd-policy-generator"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+anyhow = "1.0"
+clap = { version = "4.0", features = ["derive"] }
+curl = "0.4.44"
+serde = { version = "1.0", features = ["derive"]}
+serde_json = "1.0"

tools/migtd-policy-generator/readme.md

@@ -0,0 +1,28 @@
+## migtd-policy-generator tool
+
+This tool can be used to fetch the platform TCB and enclave information from backend server and generate the migtd policy based on the values.
+
+### How to build
+
+```
+pushd tools/migtd-policy-generator
+cargo build
+popd
+```
+
+### How to use
+
+- Help 
+  ```
+  ./target/debug/migtd-policy-generator -h
+  ```
+
+- Generate migtd policy for production platforms:
+  ```
+  ./target/debug/migtd-policy-generator -o config/policy_production_fmspc.json
+  ```
+
+- Generate migtd policy for pre-production platforms:
+  ```
+  ./target/debug/migtd-policy-generator -o config/policy_pre_production_fmspc.json --pre-production
+  ```

tools/migtd-policy-generator/src/lib.rs

@@ -0,0 +1,26 @@
+// Copyright (c) 2023 Intel Corporation
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+
+use curl::easy::Easy;
+
+pub mod platform_tcb;
+pub mod policy;
+pub mod qe_identity;
+
+pub(crate) fn fetch_data_from_url(url: &str) -> Result<(u32, Vec<u8>), curl::Error> {
+    let mut handle = Easy::new();
+    let mut data = Vec::new();
+
+    handle.url(url)?;
+    {
+        let mut transfer = handle.transfer();
+        transfer.write_function(|new_data| {
+            data.extend_from_slice(new_data);
+            Ok(new_data.len())
+        })?;
+        transfer.perform()?;
+    }
+
+    Ok((handle.response_code()?, data))
+}

tools/migtd-policy-generator/src/main.rs

@@ -0,0 +1,31 @@
+// Copyright (c) 2023 Intel Corporation
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+
+use clap::Parser;
+use migtd_policy_generator::policy::generate_policy;
+use std::{fs, path::PathBuf, process::exit};
+
+#[derive(Debug, Clone, Parser)]
+struct Config {
+    /// Set to use pre-prodution server. Production server is used by
+    /// default.
+    #[clap(long)]
+    pub pre_production: bool,
+    /// Where to write the generated policy
+    #[clap(long, short)]
+    pub output: PathBuf,
+}
+
+fn main() {
+    let config = Config::parse();
+
+    let policy = generate_policy(!config.pre_production).unwrap_or_else(|e| {
+        eprintln!("Failed to generate policy: {}", e);
+        exit(1);
+    });
+    fs::write(config.output, &policy).unwrap_or_else(|e| {
+        eprintln!("Failed to write output file: {}", e);
+        exit(1);
+    })
+}

tools/migtd-policy-generator/src/platform_tcb/fmspc.rs

@@ -0,0 +1,58 @@
+// Copyright (c) 2023 Intel Corporation
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+
+use anyhow::{anyhow, Result};
+use serde::Deserialize;
+
+use crate::fetch_data_from_url;
+
+const FMSPC_LIST_URL: &str = "https://api.trustedservices.intel.com/sgx/certification/v4/fmspcs";
+const SBX_FMSPC_LIST_URL: &str =
+    "https://sbx.api.trustedservices.intel.com/sgx/certification/v4/fmspcs";
+
+pub fn fetch_fmspc_list(for_production: bool) -> Result<Vec<Fmspc>> {
+    let fmspc_list_url = if for_production {
+        FMSPC_LIST_URL
+    } else {
+        SBX_FMSPC_LIST_URL
+    };
+
+    let (response_code, data) = fetch_data_from_url(fmspc_list_url)?;
+    match response_code {
+        200 => Ok(serde_json::from_slice::<Vec<Fmspc>>(&data)?),
+        _ => {
+            eprintln!("Error fetching fmspc list - {:?}", response_code);
+            Err(anyhow!("AccessException"))
+        }
+    }
+}
+
+pub fn get_all_e5_platform(list: &Vec<Fmspc>) -> Vec<&Fmspc> {
+    list.iter()
+        .filter(|p| p.platform.as_str() == "E5")
+        .collect()
+}
+
+#[derive(Debug, Deserialize)]
+pub struct Fmspc {
+    pub fmspc: String,
+    platform: String,
+}
+
+impl Fmspc {
+    pub fn is_e5(&self) -> bool {
+        self.platform.as_str() == "E5"
+    }
+}
+
+mod test {
+    #[test]
+    fn test_json_deserialize() {
+        use crate::platform_tcb::fmspc::Fmspc;
+
+        let list = include_str!("../../test/fmspc_list.json");
+        let result = serde_json::from_str::<Vec<Fmspc>>(list);
+        assert!(result.is_ok());
+    }
+}

tools/migtd-policy-generator/src/platform_tcb/mod.rs

@@ -0,0 +1,33 @@
+// Copyright (c) 2023 Intel Corporation
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+
+use anyhow::Result;
+
+use crate::policy::PlatformPolicy;
+use fmspc::{fetch_fmspc_list, get_all_e5_platform};
+use tcb_info::fetch_platform_tcb;
+
+pub mod fmspc;
+pub mod tcb_info;
+
+pub fn get_platform_info(for_production: bool) -> Result<Vec<PlatformPolicy>> {
+    match fetch_fmspc_list(for_production) {
+        Ok(list) => {
+            let mut platforms = Vec::new();
+            for platform in get_all_e5_platform(&list) {
+                if let Ok(platform_tcb) = fetch_platform_tcb(for_production, &platform.fmspc) {
+                    if let Some(platform_tcb) = platform_tcb {
+                        let platform = PlatformPolicy::new(&platform_tcb);
+                        platforms.push(platform);
+                    }
+                }
+            }
+            Ok(platforms)
+        }
+        Err(err) => {
+            eprintln!("Error fetching fmspc list: {}", err);
+            Err(err.into())
+        }
+    }
+}