Create Avalon attestation verification service

1. Attestation verification service to do verify IAS AVR, DCAP quote
2. Service listens on HTTP based jrpc listener and uses format json-rpc
3. Python API makes to call to attestation service
4. Shell container having pure python packages and become light-weight.

Signed-off-by: Ramakrishna Srinivasamurthy <[email protected]>

Author: Ramakrishna Srinivasamurthy

BUILD.md

@@ -117,7 +117,8 @@ These docker compose files can be further customized to run multiple worker pool
    3. When submitting work orders using any of the sample client applications, `--worker_id` argument needs to be mentioned explicitly to choose one of the workers in the system (Note : Each pool represents a single worker). For example:
    ```bash
    ./generic_client.py -o --uri "http://avalon-listener:1947" \
-      --workload_id "echo-result" --in_data "Hello" --worker_id worker-pool-2
+      --workload_id "echo-result" --in_data "Hello" --worker_id worker-pool-2 \
+      -as "http://avalon-avs:6090" 
    ```
 
 # <a name="standalonebuild"></a>Standalone Build

avs/Dockerfile

@@ -0,0 +1,220 @@
+# Copyright 2020 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------------------------
+
+# Description:
+#   Builds the environment needed to build Avalon attestation
+#   verification service
+#
+#  Configuration (build) parameters
+#  - proxy configuration: https_proxy http_proxy ftp_proxy
+#
+# Build:
+#   $ docker build docker -f avs/Dockerfile -t avalon-avs-dev
+#   if behind a proxy, you might want to add also below options
+#   --build-arg https_proxy=$https_proxy --build-arg http_proxy=$http_proxy --build-arg ftp_proxy=$ftp_proxy
+
+# -------------=== build avalon attestation verification service image ===-------------
+FROM ubuntu:bionic as base_image
+
+# Ignore timezone prompt in apt
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Add necessary packages
+RUN apt-get update \
+ && apt-get install -y -q \
+    software-properties-common \
+    python3-requests \
+    python3-colorlog \
+    python3-twisted \
+ && apt-get clean
+
+# Make Python3 default
+RUN ln -sf /usr/bin/python3 /usr/bin/python
+
+
+# -------------=== python build ===-------------
+
+#Build python intermediate docker image
+FROM ubuntu:bionic as python_image
+
+
+# Add necessary packages
+RUN apt-get update \
+ && apt-get install -y -q \
+    ca-certificates \
+    pkg-config \
+    python3-pip \
+    python3-dev \
+    make \
+ && apt-get clean
+
+# Install setuptools packages using pip because
+# these are not available in apt repository.
+RUN pip3 install setuptools
+
+# Make Python3 default
+RUN ln -sf /usr/bin/python3 /usr/bin/python
+
+# -------------=== Build openssl_image ===-------------
+
+#Build openssl intermediate docker image
+FROM ubuntu:bionic as openssl_image
+
+RUN apt-get update \
+ && apt-get install -y -q \
+    ca-certificates \
+    pkg-config \
+    make \
+    wget \
+    tar \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /tmp
+
+# Build ("Untrusted") OpenSSL
+RUN OPENSSL_VER=1.1.1g \
+ && wget https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz \
+ && tar -zxf openssl-$OPENSSL_VER.tar.gz \
+ && cd openssl-$OPENSSL_VER/ \
+ && ./config \
+ && THREADS=8 \
+ && make -j$THREADS \
+ && make test \
+ && make install -j$THREADS
+
+
+# -------------=== common/cpp build ===-------------
+
+#Build common/cpp intermediate docker image
+FROM ubuntu:bionic as common_cpp_image
+
+RUN apt-get update \
+ && apt-get install -y -q \
+    pkg-config \
+    cmake \
+    make
+
+
+# Copy openssl build artifacts from openssl_image
+COPY --from=openssl_image /usr/local/ssl /usr/local/ssl
+COPY --from=openssl_image /usr/local/bin /usr/local/bin
+COPY --from=openssl_image /usr/local/include /usr/local/include
+COPY --from=openssl_image /usr/local/lib /usr/local/lib
+
+RUN ldconfig \
+ && ln -s /etc/ssl/certs/* /usr/local/ssl/certs/
+
+ENV TCF_HOME=/project/avalon
+
+COPY ./common/cpp /project/avalon/common/cpp
+
+WORKDIR /project/avalon/common/cpp
+
+RUN mkdir -p build \
+  && cd build \
+  && cmake .. -DUNTRUSTED_ONLY=1 \
+  && make
+
+
+# -------------=== common/python build ===-------------
+
+#Build common/python intermediate docker image
+FROM python_image as common_python_image
+
+COPY VERSION /project/avalon/
+COPY ./bin /project/avalon/bin
+
+ENV TCF_HOME=/project/avalon
+
+COPY ./common/python /project/avalon/common/python
+
+WORKDIR /project/avalon/common/python
+
+RUN echo "Building Avalon Common Python\n" \
+ && make
+
+
+# -------------=== common/verify_report_utils build ===-------------
+
+#Build common/verify_report_utils intermediate docker image
+FROM python_image as verify_report_utils
+
+RUN apt-get update \
+ && apt-get install -y -q \
+    swig
+
+# Copy openssl build artifacts from openssl_image
+COPY --from=openssl_image /usr/local/ssl /usr/local/ssl
+COPY --from=openssl_image /usr/local/bin /usr/local/bin
+COPY --from=openssl_image /usr/local/include /usr/local/include
+COPY --from=openssl_image /usr/local/lib /usr/local/lib
+
+RUN ldconfig \
+ && ln -s /etc/ssl/certs/* /usr/local/ssl/certs/
+
+COPY --from=common_cpp_image /project/avalon/common/cpp/build /project/avalon/common/cpp/build
+COPY VERSION /project/avalon/
+COPY ./bin /project/avalon/bin
+COPY ./common/cpp /project/avalon/common/cpp
+
+ENV TCF_HOME=/project/avalon
+
+COPY ./common/verify_report_utils/ias /project/avalon/common/verify_report_utils/ias
+
+WORKDIR /project/avalon/common/verify_report_utils/ias
+
+RUN echo "Building Avalon Verify Report Utils\n" \
+ && make
+
+
+# Build image for attestation version service
+FROM python_image as build_avs
+
+#Environment setup
+ENV TCF_HOME=/project/avalon
+
+WORKDIR /project/avalon/
+
+COPY ./avs /project/avalon/avs
+COPY VERSION /project/avalon/
+COPY ./bin /project/avalon/bin
+
+WORKDIR /project/avalon/avs
+
+RUN echo "Building Avalon Attestation Verification service\n" \
+ && make
+
+
+# Build Final image and install dependent modules
+FROM base_image as final_image
+
+COPY --from=common_python_image /project/avalon/common/python/dist/*.whl dist/
+COPY --from=verify_report_utils /project/avalon/common/verify_report_utils/ias/dist/*.whl dist/
+COPY --from=build_avs /project/avalon/avs/dist/*.whl dist/
+
+# Installing wheel file requires python3-pip package.
+# But python3-pip package will increase size of final docker image.
+# So remove python3-pip package and dependencies after installing wheel file.
+RUN apt-get update \
+ && apt-get install -y -q python3-pip \
+ && echo "Install Attestation verification service \n" \
+ && pip3 install dist/*.whl \
+ && pip3 install json-rpc \
+ && echo "Remove unused packages from image\n" \
+ && apt-get autoremove --purge -y -q python3-pip \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+

avs/Makefile

@@ -0,0 +1,47 @@
+# Copyright 2020 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+PY_VERSION=${shell python3 --version | sed 's/Python \(3\.[0-9]\).*/\1/' | cut -b 1}
+MOD_VERSION=${shell ../bin/get_version}
+
+WHEEL_FILE=dist/attestation_verification_service-${MOD_VERSION}-py${PY_VERSION}-none-any.whl
+
+all : $(WHEEL_FILE)
+
+$(WHEEL_FILE): build_ext
+	@echo Build Distribution
+	python3 setup.py bdist_wheel
+
+build_ext:
+	@echo Build build_ext
+	python3 setup.py build_ext
+
+build :
+	mkdir $@
+
+install:
+	@echo INSTALLING WHEEL FILE =================
+	pip3 install $(WHEEL_FILE)
+
+clean:
+	if pip3 uninstall --yes $(WHEEL_FILE); then \
+	    echo UNINSTALLED $(WHEEL_FILE); fi
+	rm -rf build deps dist *.egg-info
+	find . -iname '*.pyc' -delete
+	find . -iname '__pycache__' -delete
+
+
+.PHONY : all
+.PHONY : clean
+.PHONY : install

avs/attestation_verification_service/__init__.py

@@ -0,0 +1,15 @@
+# Copyright 2020 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+all = []