blueprint-tee 0.2.0-alpha.3

First-class TEE (Trusted Execution Environment) support for the Blueprint SDK
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156

//! Native attestation verifier for TDX and SEV-SNP.
//!
//! Both Intel TDX and AMD SEV-SNP share the same attestation pattern:
//! open a device node, write report data, read back a report, and extract
//! a measurement at a known offset. This module provides a single
//! [`NativeVerifier`] with platform dispatch rather than duplicating logic
//! across separate modules.

use crate::attestation::report::AttestationReport;
use crate::attestation::verifier::{AttestationVerifier, VerifiedAttestation};
use crate::config::TeeProvider;
use crate::errors::TeeError;

/// Platform-specific configuration for native attestation verification.
#[derive(Debug, Clone)]
pub enum NativePlatform {
    /// Intel TDX: validates MRTD (TD measurement register).
    Tdx {
        /// Expected MRTD value, if enforced.
        expected_mrtd: Option<String>,
    },
    /// AMD SEV-SNP: validates launch measurement.
    SevSnp {
        /// Expected launch measurement, if enforced.
        expected_measurement: Option<String>,
    },
}

/// Unified verifier for native TEE platforms (TDX and SEV-SNP).
///
/// Both platforms use the same ioctl-based attestation pattern with different
/// device nodes (`/dev/tdx_guest` vs `/dev/sev-guest`) and report sizes.
/// This verifier handles both with platform dispatch.
pub struct NativeVerifier {
    /// Which native platform to verify for.
    pub platform: NativePlatform,
    /// Whether to allow debug enclaves/guests.
    pub allow_debug: bool,
}

impl NativeVerifier {
    /// Create a new TDX verifier.
    pub fn tdx() -> Self {
        Self {
            platform: NativePlatform::Tdx {
                expected_mrtd: None,
            },
            allow_debug: false,
        }
    }

    /// Create a new SEV-SNP verifier.
    pub fn sev_snp() -> Self {
        Self {
            platform: NativePlatform::SevSnp {
                expected_measurement: None,
            },
            allow_debug: false,
        }
    }

    /// Set the expected measurement for the platform.
    pub fn with_expected_measurement(mut self, measurement: impl Into<String>) -> Self {
        let m = measurement.into();
        match &mut self.platform {
            NativePlatform::Tdx { expected_mrtd } => *expected_mrtd = Some(m),
            NativePlatform::SevSnp {
                expected_measurement,
            } => *expected_measurement = Some(m),
        }
        self
    }

    /// Allow or deny debug mode enclaves/guests.
    pub fn with_allow_debug(mut self, allow: bool) -> Self {
        self.allow_debug = allow;
        self
    }

    fn expected_provider(&self) -> TeeProvider {
        match &self.platform {
            NativePlatform::Tdx { .. } => TeeProvider::IntelTdx,
            NativePlatform::SevSnp { .. } => TeeProvider::AmdSevSnp,
        }
    }

    fn expected_measurement(&self) -> Option<&str> {
        match &self.platform {
            NativePlatform::Tdx { expected_mrtd } => expected_mrtd.as_deref(),
            NativePlatform::SevSnp {
                expected_measurement,
            } => expected_measurement.as_deref(),
        }
    }

    fn platform_name(&self) -> &'static str {
        match &self.platform {
            NativePlatform::Tdx { .. } => "Intel TDX",
            NativePlatform::SevSnp { .. } => "AMD SEV-SNP",
        }
    }

    fn debug_entity(&self) -> &'static str {
        match &self.platform {
            NativePlatform::Tdx { .. } => "debug mode TDs",
            NativePlatform::SevSnp { .. } => "debug mode guests",
        }
    }
}

impl AttestationVerifier for NativeVerifier {
    /// Verify a native TDX or SEV-SNP attestation report.
    ///
    /// # Security Warning
    ///
    /// This verifier performs structural validation only (provider match,
    /// measurement, debug mode). It does **not** verify ioctl-based
    /// attestation evidence or platform-specific cryptographic signatures.
    fn verify(&self, report: &AttestationReport) -> Result<VerifiedAttestation, TeeError> {
        let expected_provider = self.expected_provider();

        if report.provider != expected_provider {
            return Err(TeeError::AttestationVerification(format!(
                "expected {} provider, got {}",
                self.platform_name(),
                report.provider
            )));
        }

        if report.claims.debug_mode && !self.allow_debug {
            return Err(TeeError::AttestationVerification(format!(
                "{} are not permitted",
                self.debug_entity()
            )));
        }

        if let Some(expected) = self.expected_measurement() {
            if report.measurement.digest != expected {
                return Err(TeeError::MeasurementMismatch {
                    expected: expected.to_string(),
                    actual: report.measurement.digest.clone(),
                });
            }
        }

        tracing::debug!(
            "structural validation only — cryptographic signature verification requires platform SDK"
        );

        Ok(VerifiedAttestation::new(report.clone(), expected_provider))
    }

    fn supported_provider(&self) -> TeeProvider {
        self.expected_provider()
    }
}