tdxctl: Use Rust client instead of curl

Cargo.toml

@@ -20,3 +20,6 @@ members = [
     "ct_monitor",
 ]
 resolver = "2"
+
+[patch.crates-io]
+"rustls" = { git = "https://github.com/kvinwang/rustls", branch = "fix-panic" }

certbot/cli/Cargo.toml

@@ -17,4 +17,4 @@ serde = { version = "1.0.213", features = ["derive"] }
 tokio = { version = "1.41.0", features = ["full"] }
 toml_edit = { version = "0.22.22", features = ["serde"] }
 tracing-subscriber = "0.3.18"
-rustls = "0.23.15"
+rustls = "0.23.17"

certgen/src/main.rs

@@ -22,7 +22,7 @@ fn main() -> anyhow::Result<()> {
 
     let tmp_ca_key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;
     let ca_key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;
-    let kms_www_key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;
+    let kms_rpc_key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;
     let tproxy_rpc_key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;
 
     let tmp_ca_cert = CertRequest::builder()
@@ -42,15 +42,19 @@ fn main() -> anyhow::Result<()> {
         .build()
         .self_signed()?;
 
+    let kms_domain = format!("kms.{}", args.domain);
     // Sign WWW server cert with KMS cert
-    let kms_www_cert = CertRequest::builder()
-        .subject(&format!("kms.{}", args.domain))
-        .key(&kms_www_key)
+    let kms_rpc_cert = CertRequest::builder()
+        .subject(&kms_domain)
+        .alt_names(&[kms_domain.clone()])
+        .key(&kms_rpc_key)
         .build()
         .signed_by(&ca_cert, &ca_key)?;
 
+    let tproxy_domain = format!("tproxy.{}", args.domain);
     let tproxy_rpc_cert = CertRequest::builder()
-        .subject(&format!("tproxy.{}", args.domain))
+        .subject(&tproxy_domain)
+        .alt_names(&[tproxy_domain.clone()])
         .key(&tproxy_rpc_key)
         .build()
         .signed_by(&ca_cert, &ca_key)?;
@@ -66,8 +70,8 @@ fn main() -> anyhow::Result<()> {
     store_cert(
         output_dir,
         "kms-rpc",
-        &kms_www_cert.pem(),
-        &kms_www_key.serialize_pem(),
+        &kms_rpc_cert.pem(),
+        &kms_rpc_key.serialize_pem(),
     )?;
     store_cert(
         output_dir,

kms/rpc/Cargo.toml

@@ -4,13 +4,13 @@ version = "0.1.0"
 edition = "2021"
 
 [dependencies]
-prpc = "0.2.2"
-prost = "0.12.4"
+prpc = "0.3.0"
+prost = "0.13.3"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 anyhow = "1"
 scale = { version = "3.6.12", package = "parity-scale-codec", features = ["derive"] }
 
 [build-dependencies]
-prpc-build = "0.2.1"
+prpc-build = "0.3.1"
 fs-err = "3.0.0"

ra-rpc/Cargo.toml

@@ -5,7 +5,7 @@ edition = "2021"
 
 [dependencies]
 anyhow = "1.0.88"
-prpc = "0.2.2"
+prpc = "0.3.0"
 ra-tls = { version = "0.1.0", path = "../ra-tls" }
 rocket = { git = "https://github.com/rwf2/Rocket", branch = "master", features = ["mtls"], optional = true }
 serde_json = "1.0.128"

ra-rpc/src/client.rs

@@ -1,7 +1,8 @@
 use std::time::Duration;
 
+use anyhow::{Context, Result};
 use prpc::client::{Error, RequestClient};
-use reqwest::Client;
+use reqwest::{Certificate, Client, Identity};
 
 pub struct RaClient {
     remote_uri: String,
@@ -19,6 +20,27 @@ impl RaClient {
             .expect("failed to create client");
         Self { remote_uri, client }
     }
+    pub fn new_mtls(
+        remote_uri: String,
+        ca_cert: String,
+        cert_pem: String,
+        key_pem: String,
+    ) -> Result<Self> {
+        let root_ca =
+            Certificate::from_pem(ca_cert.as_bytes()).context("Failed to parse CA cert")?;
+        let identity_pem = format!("{cert_pem}\n{key_pem}");
+        let identity =
+            Identity::from_pem(identity_pem.as_bytes()).context("Failed to parse identity")?;
+        let client = Client::builder()
+            .tls_sni(true)
+            .add_root_certificate(root_ca)
+            .identity(identity)
+            .connect_timeout(Duration::from_secs(5))
+            .timeout(Duration::from_secs(60))
+            .build()
+            .context("failed to create client")?;
+        Ok(Self { remote_uri, client })
+    }
 }
 
 impl RequestClient for RaClient {
@@ -30,11 +52,18 @@ impl RequestClient for RaClient {
             .body(body)
             .send()
             .await
-            .map_err(|err| Error::RpcError(format!("failed to send request: {}", err)))?;
-        response
+            .map_err(|err| Error::RpcError(format!("failed to send request: {:?}", err)))?;
+        if !response.status().is_success() {
+            return Err(Error::RpcError(format!(
+                "request failed with status: {}",
+                response.status()
+            )));
+        }
+        let body = response
             .bytes()
             .await
-            .map_err(|err| Error::RpcError(format!("failed to read response: {}", err)))
-            .map(|bytes| bytes.to_vec())
+            .map_err(|err| Error::RpcError(format!("failed to read response: {:?}", err)))?
+            .to_vec();
+        Ok(body)
     }
 }

tappd/rpc/Cargo.toml

@@ -4,12 +4,12 @@ version = "0.1.0"
 edition = "2021"
 
 [dependencies]
-prpc = "0.2.2"
-prost = "0.12.4"
+prpc = "0.3.0"
+prost = "0.13.3"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 anyhow = "1"
 scale = { version = "3.6.12", package = "parity-scale-codec", features = ["derive"] }
 
 [build-dependencies]
-prpc-build = "0.2.1"
+prpc-build = "0.3.1"

tdxctl/Cargo.toml

@@ -12,6 +12,8 @@ fs-err = "3.0.0"
 getrandom = "0.2.15"
 hex = "0.4.3"
 hex_fmt = "0.3.0"
+kms-rpc = { version = "0.1.0", path = "../kms/rpc" }
+ra-rpc = { version = "0.1.0", path = "../ra-rpc" }
 ra-tls = { version = "0.1.0", path = "../ra-tls" }
 regex = "1.11.1"
 scale = { version = "3.6.12", package = "parity-scale-codec", features = ["derive"] }
@@ -21,6 +23,7 @@ serde-human-bytes = "0.1.0"
 serde_json = "1.0.128"
 sha2 = "0.10.8"
 tdx-attest = { path = "../tdx-attest" }
+tokio = { version = "1.41.1", features = ["macros", "rt"] }
 tproxy-rpc = { version = "0.1.0", path = "../tproxy/rpc" }
 tracing = "0.1.40"
 tracing-subscriber = "0.3.18"

tdxctl/src/fde_setup.rs

@@ -7,6 +7,7 @@ use std::{
 use anyhow::{bail, Context, Result};
 use env_process::convert_env_to_str;
 use fs_err as fs;
+use ra_rpc::client::RaClient;
 use serde::{Deserialize, Serialize};
 use tracing::info;
 
@@ -150,7 +151,7 @@ impl HostShared {
     }
 }
 
-pub fn cmd_setup_fde(args: SetupFdeArgs) -> Result<()> {
+pub async fn cmd_setup_fde(args: SetupFdeArgs) -> Result<()> {
     fs::create_dir_all(&args.host_shared).context("Failed to create host-sharing mount point")?;
     mount_9p("host-shared", &args.host_shared.display().to_string())
         .context("Failed to mount host-sharing")?;
@@ -215,21 +216,19 @@ pub fn cmd_setup_fde(args: SetupFdeArgs) -> Result<()> {
             key_path: gen_certs_dir.join("key.pem"),
         })?;
         info!("Requesting app keys from KMS: {kms_url}");
-        let todo = "use rust library";
-        run_command(
-            "curl",
-            &[
-                "--cacert",
-                &host_shared_dir.kms_ca_cert_file().display().to_string(),
-                "--cert",
-                &gen_certs_dir.join("cert.pem").display().to_string(),
-                "--key",
-                &gen_certs_dir.join("key.pem").display().to_string(),
-                "-o",
-                &app_keys_file.display().to_string(),
-                &format!("{kms_url}/prpc/KMS.GetAppKey"),
-            ],
+        let ra_client = RaClient::new_mtls(
+            format!("{kms_url}/prpc"),
+            fs::read_to_string(host_shared_dir.kms_ca_cert_file())?,
+            fs::read_to_string(gen_certs_dir.join("cert.pem"))?,
+            fs::read_to_string(gen_certs_dir.join("key.pem"))?,
         )?;
+        let kms_client = kms_rpc::kms_client::KmsClient::new(ra_client);
+        let response = kms_client
+            .get_app_key()
+            .await
+            .context("Failed to get app key")?;
+        let keys_json = serde_json::to_string(&response).context("Failed to serialize app keys")?;
+        fs::write(&app_keys_file, keys_json).context("Failed to write app keys")?;
     } else {
         info!("KMS is not enabled, generating local app keys");
         cmd_gen_app_keys(GenAppKeysArgs {

tdxctl/src/main.rs

@@ -5,12 +5,13 @@ use fs_err as fs;
 use getrandom::getrandom;
 use ra_tls::{attestation::QuoteContentType, cert::CaCert};
 use scale::Decode;
-use tracing::error;
 use std::{
     io::{self, Read, Write},
     path::PathBuf,
 };
+use tboot::TbootArgs;
 use tdx_attest as att;
+use tracing::error;
 use utils::{deserialize_json_file, run_command, AppCompose};
 
 mod crypto;
@@ -168,14 +169,6 @@ struct TestAppFeatureArgs {
     compose: String,
 }
 
-#[derive(Parser)]
-/// Boot the Tapp
-struct TbootArgs {
-    /// shutdown if the tboot fails
-    #[arg(short, long)]
-    shutdown_on_fail: bool,
-}
-
 fn cmd_quote() -> Result<()> {
     let mut report_data = [0; 64];
     io::stdin()
@@ -397,7 +390,8 @@ fn sha256(data: &[u8]) -> String {
     hex::encode(sha256.finalize())
 }
 
-fn main() -> Result<()> {
+#[tokio::main]
+async fn main() -> Result<()> {
     tracing_subscriber::fmt::init();
 
     let cli = Cli::parse();
@@ -428,10 +422,10 @@ fn main() -> Result<()> {
             cmd_test_app_feature(args)?;
         }
         Commands::SetupFde(args) => {
-            cmd_setup_fde(args)?;
+            cmd_setup_fde(args).await?;
         }
         Commands::Tboot(args) => {
-            if let Err(err) = tboot::tboot() {
+            if let Err(err) = tboot::tboot(&args).await {
                 error!("{:?}", err);
                 if args.shutdown_on_fail {
                     let _ = run_command("shutdown", &["-h", "now"]);