sled-agent: add RoT attestation endpoints

[luqmana]

This covers the sled agent portion of https://github.com/orgs/oxidecomputer/projects/159?pane=issue&itemId=139850060 by exposing a new set of APIs a propolis instance will call.

I hooked up the existing verifier-cli tool with a new sled-agent-client-based interface to exercise the new APIs (playing the role of propolis):

BRM42220026 # ./verifier-cli --interface sled-agent --sled-addr '[fde2:c3cc:fbe3:101::1]:12345' log | tee log.json
{"index":1,"measurements":[{"Sha3_256":[127,251,54,168,183,58,224,201,42,83,6,65,4,185,67,222,122,251,50,182,251,85,202,12,37,122,102,35,50,21,169,102]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]}]}

BRM42220026 # ./verifier-cli --interface sled-agent --sled-addr '[fde2:c3cc:fbe3:101::1]:12345' cert-chain > chain.pem
BRM42220026 # openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
subject=C = US, O = Oxide Computer Company, CN = alias
issuer=C = US, O = Oxide Computer Company, CN = device-id

subject=C = US, O = Oxide Computer Company, CN = device-id
issuer=C = US, O = Oxide Computer Company, CN = PDV1:913-0000019:006:BRM42220026

subject=C = US, O = Oxide Computer Company, CN = PDV1:913-0000019:006:BRM42220026
issuer=C = US, O = Oxide Computer Company, CN = Platform Identity Staging Intermediate 20780377

subject=C = US, O = Oxide Computer Company, CN = Platform Identity Staging Intermediate 20780377
issuer=C = US, O = Oxide Computer Company, CN = Platform Identity Staging Root A

BRM42220026 # ./verifier-cli verify-cert-chain --ca-cert /usr/share/oxide/idcerts/staging.pem chain.pem && echo chain verified
chain verified

BRM42220026 # awk '/BEGIN CERTIFICATE/ {p=1} p; /END CERTIFICATE/ {exit}' chain.pem > alias-cert.pem

BRM42220026 # perl -e "print '0'x64" | xxd -r -p > nonce.bin
BRM42220026 # ./verifier-cli --interface sled-agent --sled-addr '[fde2:c3cc:fbe3:101::1]:12345' attest nonce.bin | tee attestation.sig
{"Ed25519":[249,0,91,88,42,203,67,7,219,178,216,2,171,173,99,190,207,245,241,234,153,92,23,83,6,198,205,190,243,167,93,42,222,236,217,106,64,233,143,226,105,24,252,145,119,15,109,108,67,130,172,249,106,116,65,248,183,48,110,77,63,39,112,5]}

BRM42220026 # ./verifier-cli verify-attestation --alias-cert alias-cert.pem --log log.json --nonce nonce.bin attestation.sig && echo attestation verified
attestation verified

[labbott]

It seems a little odd to have this and other conversion methods here. Can we push this lower into the rot modules to just return the type directly?

[luqmana]

Can we push this lower into the rot modules to just return the type directly?

I'm not sure I follow here. As in, change the types RotAttestationHandle::get_measurement_log/get_certificate_chain/attest take/return?

For the conversions, I had them here just to keep them close to the definitions which seem to be normal from a quick rg 'impl (Try)?From' sled-agent/types/versions/src

[labbott]

Yeah I was thinking of changing the types returned from RotAttestationHandle to return the inventory types directly. There's a lot of TryFrom and From but that's for conversion between internal inventory types. There isn't another great example of other inventory types doing a lot of external conversions in sled-agent/types/versions/src/impls/ but if nobody else has a problem I think it's fine for it to stay as is.

[luqmana]

Got it, makes sense -- moved things around in fad57df.

[luqmana]

Dropped the attestation code I had in the local omicron ipcc crate and switched to using dice-verifier. Besides deduplicating, that comes with the nice upside of being able to use the AttestMock impl for non-gimlet setups (piggy-backing off sprockets' AttestConfig in sled-agent's config.toml).