This adds AWS Nitro attestation support to attested-tls.

It adds a new attestation type AwsNitro which AttestationGenerator and AttestationVerifier will use to create and verify Nitro attestation documents.

The implementation uses the nsm-nitro-enclave-utils crate for NSM interaction and COSE/CBOR parsing.

The AWS root certificate is hardcoded as DER. It will expire on 2049-10-28 and was retrieved from https://aws-nitro-enclaves.amazonaws.com/AWS_NitroEnclaves_Root-G1.zip

Attestation detection now checks for Nitro by attempting communication with the Nitro Security Module at /dev/nsm. This is checked before attempting TDX DCAP attestation and only when the nitro feature is present.

For running tests outside of a Nitro enclave, mock Nitro attestations are produced which verify against a mock root of trust rather than AWS.

Nitro support is gated behind the nitro feature flag. But it is enabled by default. Happy to disable it by default is others prefer.

Timestamp checks

Nitro attestation docs have a signed timestamp field. We can verify that this matches up with the not before / not after times on the TLS cert. In attested-tls crate, the not-before time is read immediately before attestation is generated (so that it can be included as input).

I have not yet added this check here, because it would be an API breaking change, needing to pass in a time-window to the attestation verifier fn. But if we were serious about adopting this, i would add it in a followup PR.

Testing on a deployment

For testing on a Nitro deployment, this pairs with flashbots/attested-tls-proxy#162 which adds vsocket support to attestation-provider-server allowing us to check that these nitro attestation documents will verify.

There is also a flake for reproducibly building a docker container with attestation-provider-server: https://github.com/flashbots/attested-tls-proxy/blob/peg/nitro-test/flake.nix

Heres how to deploy using that flake (from the attested-tls-proxy repo on the paired branch):

1. Build the OCI image from the flake in attested-tls-proxy:

nix build ".#attestation-provider-server-image"

This produces a Docker image tarball at result in the repo root.

2. Scp that image to the nitro host, and load into Docker:

docker load < result

3. Build the EIF from the loaded image:

nitro-cli build-enclave \
  --docker-uri attestation-provider-server:latest \
  --output-file attestation-provider-server.eif

4. Run the enclave:

nitro-cli run-enclave \
  --eif-path attestation-provider-server.eif \
  --cpu-count 2 \
  --memory 512 \
  --enclave-cid 10 \
  --enclave-name attestation-provider-server

The flake bakes in the enclave startup command, so the container starts the server in vsock mode and with --server-attestation-type aws-nitro by default. That means you do not need to pass extra runtime flags when building the EIF.

The server side then listens on vsock port 8000, and the parent host can connect with the client command using:

attestation-provider-server client \
  --server-transport vsock \
  --server-cid 10 \
  --log-dcap-quote \
  --server-vsock-port 8000

Which should verify the attestation-document, and dump it to a local file. But not actually check measurements.

This shows that nitro attestations can be verified but does not demonstrate an attested-tls workflow with nitro. flashbots/attested-tls-proxy#163 adds full vsocket support to attested-tls-proxy allowing us to test a full attested-tls workflow on Nitro.