Skip to content

sled-agent: gate RoT attestation endpoints on sled-local clients#10041

Open
luqmana wants to merge 2 commits intomainfrom
sled-agent-rot-lockdown
Open

sled-agent: gate RoT attestation endpoints on sled-local clients#10041
luqmana wants to merge 2 commits intomainfrom
sled-agent-rot-lockdown

Conversation

@luqmana
Copy link
Contributor

@luqmana luqmana commented Mar 12, 2026

Added some checks to ensure the attestation endpoints may only be called from clients (propolis zones) on the same sled.

Using the switch zone as a stand-in, here's what that looks like to callers:

Same Sled:

# Switch Zone 1 -> Sled Agent (Cubby 16):
root@oxz_switch1:~# /tmp/verifier-cli --interface sled-agent --sled-addr '[fd2e:afd:d190:102::1]:12345' log                                                                                               
{"index":1,"measurements":[{"Sha3_256":[73,44,2,60,18,23,151,170,58,164,156,168,236,55,243,95,194,173,188,252,163,255,12,72,66,82,99,116,126,220,202,88]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},{"Sha3_256":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]}]}

00:47:48.318Z INFO SledAgent (dropshot (SledAgent)): accepted connection
    file = /home/luqman/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/dropshot-0.16.7/src/server.rs:1025
    local_addr = [fd2e:afd:d190:102::1]:12345
    remote_addr = [fd2e:afd:d190:102::2]:43892
00:47:48.380Z INFO SledAgent (dropshot (SledAgent)): request completed
    file = /home/luqman/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/dropshot-0.16.7/src/server.rs:867
    latency_us = 61982
    local_addr = [fd2e:afd:d190:102::1]:12345
    method = GET
    remote_addr = [fd2e:afd:d190:102::2]:43892
    req_id = e397b94f-3777-4e8a-bb9d-c7343efc1a13
    response_code = 200
    uri = /rot/oxide/measurement-log

Cross Sled:

# Switch Zone 1 -> Sled Agent (Cubby 15):
root@oxz_switch1:~# /tmp/verifier-cli --interface sled-agent --sled-addr '[fd2e:afd:d190:103::1]:12345' log                                                                                               
Error: Getting attestation measurement log

Caused by:
    Error Response: status: 400 Bad Request; headers: {"content-type": "application/json", "x-request-id": "fbd55e68-c00b-4604-bbe1-250c3b53d322", "content-length": "109", "date": "Thu, 12 Mar 2026 00:48:30 GMT"}; value: Error { error_code: None, message: "non-sled-local request not allowed", request_id: "fbd55e68-c00b-4604-bbe1-250c3b53d322" }

00:48:30.227Z INFO SledAgent (dropshot (SledAgent)): accepted connection
    file = /home/luqman/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/dropshot-0.16.7/src/server.rs:1025
    local_addr = [fd2e:afd:d190:103::1]:12345
    remote_addr = [fd2e:afd:d190:102::2]:46577
00:48:30.229Z INFO SledAgent (dropshot (SledAgent)): request completed
    error_message_external = non-sled-local request not allowed
    error_message_internal = non-sled-local request not allowed
    file = /home/luqman/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/dropshot-0.16.7/src/server.rs:855
    latency_us = 1250
    local_addr = [fd2e:afd:d190:103::1]:12345
    method = GET
    remote_addr = [fd2e:afd:d190:102::2]:46577
    req_id = fbd55e68-c00b-4604-bbe1-250c3b53d322
    response_code = 400
    uri = /rot/oxide/measurement-log

@luqmana luqmana requested review from davepacheco and hawkw March 16, 2026 19:11
hawkw
hawkw reviewed Mar 16, 2026
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hawkw hawkw hawkw left review comments

@davepacheco davepacheco Awaiting requested review from davepacheco

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@luqmana @hawkw @morlandi7