Move standalone helpers into oak_sdk

* Alter naming since standalone doesn't really use an "Orchestrator". Instead, just direclty return the fake EndorsedEvidence and encryption key handle. * Move StandaloneEncryptionKeyHandle to StaticEncryptionKeyHandle in common SDK. * Remove currently unused StandaloneInstanceSigner Bug: b/357921050 Change-Id: I293506dbf8cb634411719d6a5016f209210821d1
project-oak · Feb 14, 2025 · e7c76de · e7c76de
1 parent 66ea5e1
commit e7c76de
Show file tree

Hide file tree

Showing 15 changed files with 218 additions and 131 deletions.
diff --git a/cc/containers/sdk/standalone/BUILD b/cc/containers/sdk/standalone/BUILD
@@ -29,7 +29,7 @@ cc_library(
         "//cc/crypto:encryption_key",
         "//cc/crypto:server_encryptor",
         "//cc/crypto/hpke:recipient_context",
-        "//oak_containers_sdk:ffi",
+        "//oak_sdk/standalone:ffi",
         "//proto/session:messages_cc_proto",
         "@com_google_absl//absl/log",
         "@com_google_absl//absl/status:statusor",
@@ -43,7 +43,7 @@ cc_test(
         ":oak_standalone",
         "//cc/attestation/verification:attestation_verifier",
         "//cc/attestation/verification:insecure_attestation_verifier",
-        "//oak_containers_sdk:ffi",
+        "//oak_sdk/standalone:ffi",
         "//proto/attestation:verification_cc_proto",
         "//proto/session:messages_cc_proto",
         "@com_google_absl//absl/log",

diff --git a/oak_attestation_integration_tests/BUILD b/oak_attestation_integration_tests/BUILD
@@ -36,8 +36,8 @@ rust_library(
     ],
     crate_name = "oak_attestation_integration_tests",
     deps = [
-        "//oak_containers_sdk",
         "//oak_proto_rust",
+        "//oak_sdk/standalone:oak_sdk_standalone",
         "@oak_crates_index//:anyhow",
         "@oak_crates_index//:assert-json-diff",
         "@oak_crates_index//:prost",
@@ -100,10 +100,10 @@ rust_test_suite(
         "//oak_attestation",
         "//oak_attestation_types",
         "//oak_attestation_verification",
-        "//oak_containers_sdk",
         "//oak_dice",
         "//oak_proto_rust",
         "//oak_restricted_kernel_sdk",
+        "//oak_sdk/standalone:oak_sdk_standalone",
         "//stage0_dice",
         "@oak_crates_index//:prost",
         "@oak_crates_index//:prost-types",

diff --git a/oak_attestation_integration_tests/src/create.rs b/oak_attestation_integration_tests/src/create.rs
@@ -14,7 +14,6 @@
 // limitations under the License.
 //
 
-use oak_containers_sdk::standalone::StandaloneOrchestrator;
 use oak_proto_rust::oak::{
     attestation::v1::{
         binary_reference_value, kernel_binary_reference_value, reference_values,
@@ -27,6 +26,7 @@ use oak_proto_rust::oak::{
     session::v1::EndorsedEvidence,
     RawDigest,
 };
+use oak_sdk_standalone::Standalone;
 use sha2::Digest;
 
 /// Creates reference values that match the supplied digests and images
@@ -133,17 +133,13 @@ pub async fn oak_containers_standalone_endorsed_evidence_with_matching_reference
         application_image,
         &application_config,
     );
-    let endorsed_evidence = {
-        let orchestrator = StandaloneOrchestrator::builder()
-            .stage0_measurements(stage0_measurements)
-            .stage1_system_image(stage1_system_image)
-            .application_image(application_image)
-            .application_config(application_config)
-            .build()
-            .expect("failed to create StandaloneOrchestrator");
+    let standalone = Standalone::builder()
+        .stage0_measurements(stage0_measurements)
+        .stage1_system_image(stage1_system_image)
+        .application_image(application_image)
+        .application_config(application_config)
+        .build()
+        .expect("failed to create Standalone");
 
-        orchestrator.get_endorsed_evidence()
-    };
-
-    (endorsed_evidence, reference_values)
+    (standalone.endorsed_evidence(), reference_values)
 }
diff --git a/oak_attestation_integration_tests/tests/verifier_tests.rs b/oak_attestation_integration_tests/tests/verifier_tests.rs
@@ -32,6 +32,7 @@ use oak_proto_rust::oak::attestation::{
     },
 };
 use oak_restricted_kernel_sdk::Attester;
+use oak_sdk_standalone::Standalone;
 use prost::Message;
 
 // Pretend the tests run at this time: 1 Nov 2023, 9:00 UTC
@@ -210,8 +211,10 @@ fn oak_containers_skip_all_reference_values() -> ReferenceValues {
 #[tokio::test]
 async fn verify_mock_oak_containers_evidence() {
     // Create a mock orchestrator and get endorsed evidence
-    let orchestrator = oak_containers_sdk::standalone::StandaloneOrchestrator::default();
-    let endorsed_evidence = orchestrator.get_endorsed_evidence();
+    let endorsed_evidence = Standalone::builder()
+        .build()
+        .expect("failed to build standalone elements")
+        .endorsed_evidence();
 
     let evidence = endorsed_evidence.evidence.as_ref().expect("No evidence found");
     let endorsements = endorsed_evidence.endorsements.as_ref().expect("No endorsements found");

diff --git a/oak_containers/examples/hello_world/enclave_app/BUILD b/oak_containers/examples/hello_world/enclave_app/BUILD
@@ -63,6 +63,7 @@ rust_test(
         "//oak_proto_rust",
         "//oak_proto_rust/grpc",
         "//oak_sdk/server/v1:oak_sdk_server_v1",
+        "//oak_sdk/standalone:oak_sdk_standalone",
         "//oak_session",
         "@oak_crates_index//:anyhow",
         "@oak_crates_index//:futures",

diff --git a/oak_containers/examples/hello_world/enclave_app/tests/standalone_test.rs b/oak_containers/examples/hello_world/enclave_app/tests/standalone_test.rs
@@ -19,43 +19,44 @@ use anyhow::{Context, Result};
 use futures::channel::mpsc;
 use oak_client::{client::OakClient, verifier::InsecureAttestationVerifier};
 use oak_client_tonic::transport::GrpcStreamingTransport;
-use oak_containers_sdk::standalone::StandaloneOrchestrator;
 use oak_hello_world_proto::oak::containers::example::enclave_application_client::EnclaveApplicationClient;
 use oak_proto_rust::oak::session::v1::{PlaintextMessage, SessionRequest, SessionResponse};
 use oak_sdk_server_v1::OakApplicationContext;
+use oak_sdk_standalone::Standalone;
 use oak_session::{
     attestation::AttestationType, config::SessionConfig, handshake::HandshakeType, ProtocolEngine,
     Session,
 };
 use tokio::net::TcpListener;
 use tonic::transport::Channel;
 
+const APPLICATION_CONFIG: &[u8] = b"fake_config";
+
 async fn start_server() -> Result<(SocketAddr, tokio::task::JoinHandle<Result<()>>)> {
     let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::UNSPECIFIED), 0);
     let listener = TcpListener::bind(addr).await?;
     let addr = listener.local_addr()?;
 
-    let orchestrator = StandaloneOrchestrator::default();
-    let encryption_key_handle = orchestrator.get_instance_encryption_key_handle();
-
-    let endorsed_evidence = orchestrator.get_endorsed_evidence();
-    let application_config = orchestrator.get_application_config();
+    let standalone = Standalone::builder()
+        .application_config(APPLICATION_CONFIG.to_vec())
+        .build()
+        .expect("failed to create Oak standalone elements");
 
     Ok((
         addr,
         tokio::spawn(oak_containers_examples_hello_world_enclave_app::app_service::create(
             listener,
             OakApplicationContext::new(
-                Box::new(encryption_key_handle),
-                endorsed_evidence,
+                Box::new(standalone.encryption_key_handle()),
+                standalone.endorsed_evidence(),
                 Box::new(
                     oak_containers_examples_hello_world_enclave_app::app::HelloWorldApplicationHandler {
-                        application_config: application_config.clone(),
+                        application_config: APPLICATION_CONFIG.to_vec(),
                     },
                 ),
             ),
             Box::new(oak_containers_examples_hello_world_enclave_app::app::HelloWorldApplicationHandler {
-                application_config,
+                application_config: APPLICATION_CONFIG.to_vec()
             }),
         )),
     ))
@@ -90,9 +91,10 @@ async fn test_legacy() {
     let mut oak_client = OakClient::create(transport, &attestation_verifier).await.unwrap();
 
     // Send single request, see the response
+    let app_config_len = APPLICATION_CONFIG.len();
     assert_eq!(
         String::from_utf8(oak_client.invoke(b"standalone user").await.unwrap()).unwrap(),
-        "Hello from the enclave, standalone user! Btw, the app has a config with a length of 4 bytes."
+        format!("Hello from the enclave, standalone user! Btw, the app has a config with a length of {app_config_len} bytes."),
     );
 }
 
@@ -199,8 +201,9 @@ async fn test_noise() {
     let decrypted_response =
         client_session.decrypt_response(&response).expect("failed to decrypt response");
 
+    let app_config_len = APPLICATION_CONFIG.len();
     assert_eq!(
         String::from_utf8(decrypted_response).unwrap(),
-        "Hello from the enclave, standalone user! Btw, the app has a config with a length of 4 bytes."
+        format!("Hello from the enclave, standalone user! Btw, the app has a config with a length of {app_config_len} bytes."),
     );
 }
diff --git a/oak_containers_sdk/BUILD b/oak_containers_sdk/BUILD
@@ -28,7 +28,6 @@ rust_library(
         "src/handler.rs",
         "src/lib.rs",
         "src/orchestrator_client.rs",
-        "src/standalone.rs",
     ],
     proc_macro_deps = [
         "@oak_crates_index//:async-trait",
@@ -60,18 +59,3 @@ rust_test(
     name = "oak_containers_sdk_test",
     crate = ":oak_containers_sdk",
 )
-
-rust_library(
-    name = "ffi",
-    testonly = True,
-    srcs = [
-        "src/ffi/standalone_c.rs",
-    ],
-    deps = [
-        ":oak_containers_sdk",
-        "//oak_crypto",
-        "//oak_proto_rust",
-        "@oak_crates_index//:anyhow",
-        "@oak_crates_index//:prost",
-    ],
-)
diff --git a/oak_containers_sdk/src/lib.rs b/oak_containers_sdk/src/lib.rs
@@ -16,7 +16,6 @@
 pub mod crypto;
 pub mod handler;
 pub mod orchestrator_client;
-pub mod standalone;
 
 // Re-export structs so that they are available at the top level of the SDK.
 pub use crypto::InstanceEncryptionKeyHandle;

diff --git a/oak_sdk/common/BUILD b/oak_sdk/common/BUILD
@@ -27,5 +27,6 @@ rust_library(
     deps = [
         "//oak_sdk/common/attestation:oak_static_attester",
         "//oak_sdk/common/attestation:oak_static_endorser",
+        "//oak_sdk/common/crypto:encryption_key_handle",
     ],
 )
diff --git a/oak_sdk/common/crypto/BUILD b/oak_sdk/common/crypto/BUILD
@@ -0,0 +1,34 @@
+#
+# Copyright 2024 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+load("@rules_rust//rust:defs.bzl", "rust_library")
+
+package(
+    default_visibility = ["//:default_visibility"],
+    licenses = ["notice"],
+)
+
+rust_library(
+    name = "encryption_key_handle",
+    srcs = ["encryption_key_handle.rs"],
+    proc_macro_deps = [
+        "@oak_crates_index//:async-trait",
+    ],
+    deps = [
+        "//oak_crypto",
+        "@oak_crates_index//:anyhow",
+    ],
+)
diff --git a/oak_sdk/common/crypto/encryption_key_handle.rs b/oak_sdk/common/crypto/encryption_key_handle.rs
@@ -0,0 +1,41 @@
+//
+// Copyright 2025 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use oak_crypto::{
+    encryption_key::{AsyncEncryptionKeyHandle, EncryptionKey},
+    hpke::RecipientContext,
+};
+
+/// A simple AsyncEncryptionKeyHandle that generates a new key based on a static
+/// key provided at creation.
+pub struct StaticEncryptionKeyHandle {
+    encryption_key: EncryptionKey,
+}
+
+impl StaticEncryptionKeyHandle {
+    pub fn new(encryption_key: EncryptionKey) -> Self {
+        Self { encryption_key }
+    }
+}
+
+#[async_trait::async_trait]
+impl AsyncEncryptionKeyHandle for StaticEncryptionKeyHandle {
+    async fn generate_recipient_context(
+        &self,
+        encapsulated_public_key: &[u8],
+    ) -> anyhow::Result<RecipientContext> {
+        self.encryption_key.generate_recipient_context(encapsulated_public_key).await
+    }
+}
diff --git a/oak_sdk/common/lib.rs b/oak_sdk/common/lib.rs
@@ -14,5 +14,6 @@
 // limitations under the License.
 //
 
+pub use encryption_key_handle::StaticEncryptionKeyHandle;
 pub use oak_static_attester::StaticAttester;
 pub use oak_static_endorser::StaticEndorser;
diff --git a/oak_sdk/standalone/BUILD b/oak_sdk/standalone/BUILD
@@ -0,0 +1,57 @@
+#
+# Copyright 2024 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+load("@rules_rust//rust:defs.bzl", "rust_library")
+
+package(
+    default_visibility = ["//:default_visibility"],
+    licenses = ["notice"],
+)
+
+rust_library(
+    name = "oak_sdk_standalone",
+    srcs = [
+        "standalone.rs",
+    ],
+    deps = [
+        "//oak_attestation",
+        "//oak_attestation_types",
+        "//oak_containers/attestation",
+        "//oak_crypto",
+        "//oak_dice",
+        "//oak_proto_rust",
+        "//oak_sdk/common:oak_sdk_common",
+        "//stage0_dice",
+        "@oak_crates_index//:anyhow",
+        "@oak_crates_index//:p256",
+        "@oak_crates_index//:prost",
+    ],
+)
+
+rust_library(
+    name = "ffi",
+    testonly = True,
+    srcs = [
+        "ffi/standalone_c.rs",
+    ],
+    deps = [
+        ":oak_sdk_standalone",
+        "//oak_crypto",
+        "//oak_proto_rust",
+        "@oak_crates_index//:anyhow",
+        "@oak_crates_index//:prost",
+    ],
+)
diff --git a/oak_containers_sdk/src/ffi/standalone_c.rs → oak_sdk/standalone/ffi/standalone_c.rs b/oak_containers_sdk/src/ffi/standalone_c.rs → oak_sdk/standalone/ffi/standalone_c.rs
@@ -20,8 +20,8 @@
 //! any gaps we have between our current C++ and Rust featureset.
 use std::os::raw::{c_uchar, c_void};
 
-use oak_containers_sdk::standalone::StandaloneOrchestrator;
 use oak_crypto::encryption_key::EncryptionKey;
+use oak_sdk_standalone::Standalone;
 use prost::Message;
 
 /// C bindings for generating standalone endorsed evidence.
@@ -67,12 +67,12 @@ pub unsafe extern "C" fn standalone_endorsed_evidence(
     let public_key_bytes =
         std::slice::from_raw_parts((*public_key).data, (*public_key).len).to_vec();
 
-    let orchestrator = StandaloneOrchestrator::builder()
+    let endorsed_evidence = Standalone::builder()
         .encryption_key_pair(Some((private_key, public_key_bytes)))
         .build()
-        .expect("failed to build standalone orchestrator");
+        .expect("failed to build standalone orchestrator")
+        .endorsed_evidence();
 
-    let endorsed_evidence = orchestrator.get_endorsed_evidence();
     let serialized_endorsed_evidence = Message::encode_to_vec(&endorsed_evidence);
 
     let ffi_evidence = Bytes {