Skip to content

sled-agent: gate RoT attestation endpoints on sled-local clients #10041

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
luqmana wants to merge 2 commits into
base: main
Choose a base branch
from
+42 −6
Open

sled-agent: gate RoT attestation endpoints on sled-local clients #10041

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
de0010a
sled-agent: gate RoT attestation endpoints on sled-local clients
luqmana Mar 10, 2026
bab44e5
Review comments
luqmana Mar 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 9 additions & 3 deletions sled-agent/src/http_entrypoints.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1853,9 +1853,11 @@ impl SledAgentApi for SledAgentImpl {
path_params: Path<RotPathParams>,
) -> Result<HttpResponseOk<MeasurementLog>, HttpError> {
let sa = request_context.context();
let rot = sa.rot_attestor(path_params.into_inner().rot);
sa.latencies()
.instrument_dropshot_handler(&request_context, async {
let remote_addr = request_context.request.remote_addr();
let rot =
sa.rot_attestor(path_params.into_inner().rot, remote_addr)?;
let log = rot.get_measurement_log().await?;
Ok(HttpResponseOk(log.into()))
})
Expand All @@ -1867,9 +1869,11 @@ impl SledAgentApi for SledAgentImpl {
path_params: Path<RotPathParams>,
) -> Result<HttpResponseOk<CertificateChain>, HttpError> {
let sa = request_context.context();
let rot = sa.rot_attestor(path_params.into_inner().rot);
sa.latencies()
.instrument_dropshot_handler(&request_context, async {
let remote_addr = request_context.request.remote_addr();
let rot =
sa.rot_attestor(path_params.into_inner().rot, remote_addr)?;
let chain = rot.get_certificate_chain().await?;
Ok(HttpResponseOk(chain.into()))
})
Expand All @@ -1882,10 +1886,12 @@ impl SledAgentApi for SledAgentImpl {
body: TypedBody<Nonce>,
) -> Result<HttpResponseOk<Attestation>, HttpError> {
let sa = request_context.context();
let rot = sa.rot_attestor(path_params.into_inner().rot);
let nonce = body.into_inner();
sa.latencies()
.instrument_dropshot_handler(&request_context, async {
let remote_addr = request_context.request.remote_addr();
let rot =
sa.rot_attestor(path_params.into_inner().rot, remote_addr)?;
let attestation = rot.attest(nonce.into()).await?;
Ok(HttpResponseOk(attestation.into()))
})
Expand Down
36 changes: 33 additions & 3 deletions sled-agent/src/sled_agent.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@ use slog::Logger;
use slog_error_chain::{InlineErrorChain, SlogInlineError};
use sprockets_tls::keys::SprocketsConfig;
use std::collections::BTreeMap;
use std::net::{Ipv6Addr, SocketAddrV6};
use std::net::{Ipv6Addr, SocketAddr, SocketAddrV6};
use std::sync::Arc;
use uuid::Uuid;

Expand Down Expand Up @@ -795,10 +795,16 @@ impl SledAgent {
&self.inner.hardware_monitor
}

pub(crate) fn rot_attestor(&self, rot: Rot) -> &RotAttestationHandle {
pub(crate) fn rot_attestor(
&self,
rot: Rot,
remote_addr: SocketAddr,
) -> Result<&RotAttestationHandle, HttpError> {
// We currently only support the LPC55 RoT
let Rot::Oxide = rot;
&self.inner.rot_attestor
// And we only serve sled-local clients
self.ensure_sled_local_request(remote_addr)?;
Ok(&self.inner.rot_attestor)
}

/// Trigger a request to Nexus informing it that the current sled exists,
Expand Down Expand Up @@ -1100,6 +1106,30 @@ impl SledAgent {
.map_err(Error::from)
}

/// Validate if the given [`SocketAddr`] represents a peer on the same
/// underlay subnet as the current sled.
pub fn ensure_sled_local_request(
&self,
remote_addr: SocketAddr,
) -> Result<(), HttpError> {
let SocketAddr::V6(remote_addr) = remote_addr else {
return Err(HttpError::for_client_error(
None,
dropshot::ClientErrorStatusCode::FORBIDDEN,
String::from("unexpected non-v6 request"),
));
};
let underlay_subnet = self.inner.subnet.net();
if !underlay_subnet.contains(*remote_addr.ip()) {
return Err(HttpError::for_client_error(
None,
dropshot::ClientErrorStatusCode::FORBIDDEN,
String::from("non-sled-local request not allowed"),
));
}
Ok(())
}

pub fn bootstore(&self) -> bootstore::NodeHandle {
self.inner.bootstore.clone()
}
Expand Down
Loading