From ec1025d9441ff3de93319413b9cb4a9a2665e884 Mon Sep 17 00:00:00 2001 From: peg Date: Thu, 18 Dec 2025 08:35:43 +0100 Subject: [PATCH 1/3] Add demonstration instructions to readme --- README.md | 48 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d09df01..c3a91c8 100644 --- a/README.md +++ b/README.md @@ -121,7 +121,7 @@ Attestation exchange messages are formatted as follows: SCALE is used by parity/substrate and was chosen because it is simple and actually matches the formatting used in TDX quotes. So it was already used as a dependency (via the [`dcap-qvl`](https://docs.rs/dcap-qvl) crate). -### Attestation Generation and Verification +### Attestation Generation and Verification: Attestation input takes the form of a 64 byte array. 
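Review bot: the only change in the first hunk of patch 1 is a trailing colon on the `### Attestation Generation and Verification` heading, which no other heading in the file uses (compare `## CLI differences from `cvm-reverse-proxy``), so it reads as accidental; suggest dropping the colon, or this hunk entirely, since the rest of the patch does not touch that section.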
@@ -145,6 +145,51 @@ The `azure` feature, for Microsoft Azure attestation requires [tpm2](https://tpm This feature is enabled by default. For non-azure deployments you can compile without this requirement by specifying `--no-default-features`. But note that this is will disable both generation and verification of azure attestations. + +## Trying it out locally (without CVM attestation) + +This might help give an understanding of how it works. + +1. Make sure you have the tpm2 dependency (see above) - or compile with `--no-default-features`. +2. Run the helper script `./scripts/generate-cert.sh` to generate a mock certifcate authority and a TLS certificate signed by it. +3. Start a http server to try this out with, on 127.0.01:8000 `python3 -m http.server 8000` +4. Start a proxy-server: + +``` +cargo run -- server \ + --listen-addr 127.0.0.1:7000 \ + --server-attestation-type none \ + --allowed-remote-attestation-type none \ + --tls-private-key-path server.key \ + --tls-certificate-path server.crt \ + 127.0.0.1:8000 +``` + +The final positional argument is the target address - in this case the python server we started in step 3. +Note that you must specify that you accept 'none' as the remote attestation type. + +5. Start a proxy-client: + +``` +cargo run -- client \ + --listen-addr 127.0.0.1:6000 \ + --client-attestation-type none \ + --allowed-remote-attestation-type none \ + --tls-ca-certificate ca.crt \ + localhost:7000 +``` + +The final positional argument is the hostname and port of the proxy-server. +Note that we specified a CA root of trust. If you use a standard certificate authority you do not need this argument. + +6. Make a HTTP request to the proxy-client: + +``` +curl 127.0.0.1:6000/README.md +``` + +Assuming you started the python http server in the directory of this repository, this should print the contents of this README. 
+ ## CLI differences from `cvm-reverse-proxy` This aims to have a similar command line interface to `cvm-reverse-proxy` but there are some differences: @@ -152,3 +197,4 @@ This aims to have a similar command line interface to `cvm-reverse-proxy` but th - The measurements file path is specified with `--measurements-file` rather than `--server-measurements` or `--client-measurements`. - If no measurements file is specified, `--allowed-remote-attestation-type` must be given. - `--log-dcap-quote` logs all attestation data (not only DCAP), but [currently] only remote attestation data, not locally-generated data. + From e8f683ba13c62e97e6942d2813fea78e27e50545 Mon Sep 17 00:00:00 2001 From: peg Date: Thu, 18 Dec 2025 08:42:12 +0100 Subject: [PATCH 2/3] Update readme --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c3a91c8..c24bd41 100644 --- a/README.md +++ b/README.md @@ -151,7 +151,14 @@ This feature is enabled by default. For non-azure deployments you can compile wi This might help give an understanding of how it works. 1. Make sure you have the tpm2 dependency (see above) - or compile with `--no-default-features`. -2. Run the helper script `./scripts/generate-cert.sh` to generate a mock certifcate authority and a TLS certificate signed by it. +2. Run the helper script to generate a mock certifcate authority and a TLS certificate for localhost signed by it. + +This requires `openssl` to be installed. + +``` +./scripts/generate-cert.sh localhost 127.0.0.1 +``` + 3. Start a http server to try this out with, on 127.0.01:8000 `python3 -m http.server 8000` 4. Start a proxy-server: From 7173d86fddef2d86cd0f3e84877b4a05c5c6c73c Mon Sep 17 00:00:00 2001 From: peg Date: Thu, 18 Dec 2025 08:54:18 +0100 Subject: [PATCH 3/3] Update readme --- README.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c24bd41..a59830e 100644 --- a/README.md 
+++ b/README.md @@ -159,7 +159,14 @@ This requires `openssl` to be installed. ./scripts/generate-cert.sh localhost 127.0.0.1 ``` -3. Start a http server to try this out with, on 127.0.01:8000 `python3 -m http.server 8000` +3. Start a http server to try this out with, on 127.0.01:8000 + +This requires `python3` to be installed. + +``` +python3 -m http.server 8000 +``` + 4. Start a proxy-server: ``` @@ -197,6 +204,18 @@ curl 127.0.0.1:6000/README.md Assuming you started the python http server in the directory of this repository, this should print the contents of this README. +Since we just wanted to make a single GET request here, we can make this process simpler but using the `attested-get` command: + +``` +cargo run -- attested-get \ + --url-path README.md + --tls-ca-certificate ca.crt \ + --allowed-remote-attestation-type none \ + localhost:7000 +``` + +This should also print the README file. This should work even if the proxy-client from step 5 is not running. + ## CLI differences from `cvm-reverse-proxy` This aims to have a similar command line interface to `cvm-reverse-proxy` but there are some differences:
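Review bot: in the second hunk of patch 1 (the new `## Trying it out locally` section) the sentence "Note that you must specify that you accept 'none' as the remote attestation type" should spell out what that means: with `--server-attestation-type none`, `--client-attestation-type none` and `--allowed-remote-attestation-type none` on both sides, neither end proves anything about the code it is running and the certificate from the mock CA is the only thing being checked, so the section should state plainly that these flags are for local demonstration and not for a real deployment. Three typos in the same hunk: `certifcate` should be `certificate` in step 2, `127.0.01:8000` should be `127.0.0.1:8000` in step 3 (it must match the `127.0.0.1:8000` target passed to the proxy-server in step 4), and "a http server" / "Make a HTTP request" should be "an HTTP server" / "Make an HTTP request".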
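Review bot: the third hunk of patch 1 (`@@ -152,3 +197,4 @@`) adds only an empty `+` line after the last bullet, leaving a trailing blank line at end of file; this looks unintended and can be dropped.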
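Review bot: patch 2's hunk replaces the step-2 line with a parameterised `./scripts/generate-cert.sh localhost 127.0.0.1` call but does not say what the two positional arguments are or which files the script writes. Steps 4 and 5 later rely on `server.key`, `server.crt` and `ca.crt` existing in the working directory, and the client in step 5 connects to `localhost:7000`, so the name given here has to match; a one-line description of the arguments and a list of the output files belong right after the command. The `certifcate` typo from patch 1 is carried over into the new `+2.` line and can be fixed in the same change.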
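Review bot: patch 3's first hunk rewrites step 3 but keeps the `127.0.01:8000` typo from patch 1 in the new `+3.` line; it should read `127.0.0.1:8000` to match the proxy-server's target address in step 4, and "a http server" should be "an HTTP server".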
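Review bot: in patch 3's second hunk the `attested-get` example is missing the line-continuation backslash after `--url-path README.md`, so when pasted into a shell the command ends there and `--tls-ca-certificate ca.crt \ ...` is executed as a separate (failing) command; it should be `--url-path README.md \`. Also "simpler but using" should be "simpler by using", and "This should work even if the proxy-client from step 5 is not running" would be clearer if it said why: the command takes the proxy-server address and the CA certificate directly, so it makes the attested TLS connection to the proxy-server itself instead of going through the proxy-client.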