From bbf9843e461759f380fe8786620ff48fc2d55317 Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Fri, 16 Feb 2024 17:52:33 +0100 Subject: [PATCH] az-snp/tdx-vtpm-verifier: add PCRs to claims map PCR values are added in a `"tpm": { "pcr0": ..., "pcrN": ... }` hierarchy, to the claims map so they can be compared to reference values. Signed-off-by: Magnus Kulke --- Cargo.lock | 234 ++++++++++-------- attestation-service/verifier/Cargo.toml | 4 +- .../verifier/src/az_snp_vtpm/mod.rs | 42 +++- .../verifier/src/az_tdx_vtpm/mod.rs | 5 +- attestation-service/verifier/src/snp/mod.rs | 4 +- 5 files changed, 187 insertions(+), 102 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index cd55190395..9309d82756 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -30,7 +30,7 @@ dependencies = [ "actix-service", "actix-tls", "actix-utils", - "ahash 0.8.8", + "ahash 0.8.9", "base64 0.21.7", "bitflags 2.4.2", "brotli", @@ -66,7 +66,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e01ed3140b2f8d422c68afa1ed2e85d996ea619c988ac834d255db32138655cb" dependencies = [ "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -167,7 +167,7 @@ dependencies = [ "actix-tls", "actix-utils", "actix-web-codegen", - "ahash 0.8.8", + "ahash 0.8.9", "bytes", "bytestring", "cfg-if", @@ -201,7 +201,7 @@ dependencies = [ "actix-router", "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -282,9 +282,9 @@ dependencies = [ [[package]] name = "ahash" -version = "0.8.8" +version = "0.8.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "42cd52102d3df161c77a887b608d7a4897d7cc112886a9537b738a887a03aaff" +checksum = "d713b3834d76b85304d4d525563c1276e2e30dc97cc67bfb4585a4a29fc2c89f" dependencies = [ "cfg-if", "getrandom", 
@@ -343,9 +343,9 @@ dependencies = [ [[package]] name = "anstream" -version = "0.6.11" +version = "0.6.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e2e1ebcb11de5c03c67de28a7df593d32191b44939c482e97702baaaa6ab6a5" +checksum = "96b09b5178381e0874812a9b157f7fe84982617e48f71f4e3235482775e5b540" dependencies = [ "anstyle", "anstyle-parse", @@ -391,9 +391,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.79" +version = "1.0.80" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "080e9890a082662b09c1ad45f567faeeb47f22b5fb23895fbe1e651e718e25ca" +checksum = "5ad32ce52e4161730f7098c077cd2ed6229b5804ccf99e5366be1ab72a98b4e1" [[package]] name = "api-server" @@ -407,7 +407,7 @@ dependencies = [ "attestation-service", "base64 0.21.7", "cfg-if", - "clap 4.5.0", + "clap 4.5.1", "config", "env_logger 0.10.2", "jsonwebtoken", @@ -425,7 +425,7 @@ dependencies = [ "rustls 0.20.9", "rustls-pemfile", "scc", - "semver 1.0.21", + "semver 1.0.22", "serde", "serde_json", "strum", @@ -507,7 +507,7 @@ checksum = "16e62a023e7c117e27523144c5d2459f4397fcc3cab0085af8e2224f643a0193" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -518,7 +518,7 @@ checksum = "c980ee35e870bd1a4d2c8294d4c04d0499e67bca1e4b5cefcc693c2fa00caea9" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -531,7 +531,7 @@ dependencies = [ "async-trait", "base64 0.21.7", "cfg-if", - "clap 4.5.0", + "clap 4.5.1", "env_logger 0.10.2", "futures", "hex", @@ -568,8 +568,8 @@ source = "git+https://github.com/confidential-containers/guest-components.git?re dependencies = [ "anyhow", "async-trait", - "az-snp-vtpm", - "az-tdx-vtpm", + "az-snp-vtpm 0.5.1", + "az-tdx-vtpm 0.5.1", "base64 0.21.7", "codicon", "csv-rs", 
@@ -670,15 +670,49 @@ dependencies = [ "zerocopy", ] +[[package]] +name = "az-cvm-vtpm" +version = "0.5.2" +source = "git+https://github.com/mkulke/azure-cvm-tooling.git?rev=7fbd5ab2d53602941af7d28f1efe7e0798126d0a#7fbd5ab2d53602941af7d28f1efe7e0798126d0a" +dependencies = [ + "bincode", + "jsonwebkey", + "memoffset 0.9.0", + "openssl", + "rsa 0.9.6", + "serde", + "serde-big-array", + "serde_json", + "sev", + "sha2", + "thiserror", + "tss-esapi", + "zerocopy", +] + [[package]] name = "az-snp-vtpm" version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "45e9b802881e606ed0a259218dfb657e2a9130f37bf4161ff8db5c4ed10488c5" dependencies = [ - "az-cvm-vtpm", + "az-cvm-vtpm 0.5.1", + "bincode", + "clap 4.5.1", + "serde", + "sev", + "thiserror", + "ureq", +] + +[[package]] +name = "az-snp-vtpm" +version = "0.5.2" +source = "git+https://github.com/mkulke/azure-cvm-tooling.git?rev=7fbd5ab2d53602941af7d28f1efe7e0798126d0a#7fbd5ab2d53602941af7d28f1efe7e0798126d0a" +dependencies = [ + "az-cvm-vtpm 0.5.2", "bincode", - "clap 4.5.0", + "clap 4.5.1", "openssl", "serde", "sev", @@ -692,7 +726,22 @@ version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d5e9475a3a25803c9ada11c2481356dd1e4c4fafe56a97ee6566a61c1d7d5832" dependencies = [ - "az-cvm-vtpm", + "az-cvm-vtpm 0.5.1", + "base64-url", + "bincode", + "serde", + "serde_json", + "thiserror", + "ureq", + "zerocopy", +] + +[[package]] +name = "az-tdx-vtpm" +version = "0.5.2" +source = "git+https://github.com/mkulke/azure-cvm-tooling.git?rev=7fbd5ab2d53602941af7d28f1efe7e0798126d0a#7fbd5ab2d53602941af7d28f1efe7e0798126d0a" +dependencies = [ + "az-cvm-vtpm 0.5.2", "base64-url", "bincode", "serde", 
@@ -876,9 +925,9 @@ dependencies = [ [[package]] name = "bumpalo" -version = "3.15.0" +version = "3.15.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d32a994c2b3ca201d9b263612a374263f05e7adde37c4707f693dcd375076d1f" +checksum = "c764d619ca78fccbf3069b37bd7af92577f044bb15236036662d79b6559f25b7" [[package]] name = "byteorder" @@ -922,11 +971,10 @@ dependencies = [ [[package]] name = "cc" -version = "1.0.83" +version = "1.0.86" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" +checksum = "7f9fa1897e4325be0d68d48df6aa1a71ac2ed4d27723887e7754192705350730" dependencies = [ - "jobserver", "libc", ] @@ -1035,14 +1083,14 @@ dependencies = [ "indexmap 1.9.3", "strsim 0.10.0", "termcolor", - "textwrap 0.16.0", + "textwrap 0.16.1", ] [[package]] name = "clap" -version = "4.5.0" +version = "4.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "80c21025abd42669a92efc996ef13cfb2c5c627858421ea58d5c3b331a6c134f" +checksum = "c918d541ef2913577a0f9566e9ce27cb35b6df072075769e0b26cb5a554520da" dependencies = [ "clap_builder", "clap_derive", @@ -1050,9 +1098,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.0" +version = "4.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "458bf1f341769dfcf849846f65dffdf9146daa56bcd2a47cb4e1de9915567c99" +checksum = "9f3e7391dad68afb0c2ede1bf619f579a3dc9c2ec67f089baa397123a2f3d1eb" dependencies = [ "anstream", "anstyle", @@ -1069,7 +1117,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -1504,7 +1552,7 @@ checksum = "487585f4d0c6655fe74905e2504d8ad6908e4db67f744eb140876906c2f3175d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] 
@@ -1607,7 +1655,7 @@ checksum = "5c785274071b1b420972453b306eeca06acf4633829db4223b58a2a8c5953bc4" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -1808,7 +1856,7 @@ checksum = "87750cf4b7a4c0625b1529e4c543c2182106e4dedc60a2a6455e00d212c489ac" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -2295,15 +2343,6 @@ version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c" -[[package]] -name = "jobserver" -version = "0.1.28" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab46a6e9526ddef3ae7f787c06f0f2600639ba80ea3eade3d8e670a2230f51d6" -dependencies = [ - "libc", -] - [[package]] name = "js-sys" version = "0.3.68" @@ -2350,7 +2389,7 @@ dependencies = [ "base64 0.21.7", "js-sys", "pem", - "ring 0.17.7", + "ring 0.17.8", "serde", "serde_json", "simple_asn1", @@ -2403,7 +2442,7 @@ dependencies = [ "anyhow", "api-server", "cfg-if", - "clap 4.5.0", + "clap 4.5.1", "env_logger 0.10.2", "log", "tokio", @@ -2415,7 +2454,7 @@ version = "0.1.0" dependencies = [ "anyhow", "base64 0.21.7", - "clap 4.5.0", + "clap 4.5.1", "env_logger 0.10.2", "jwt-simple", "kbs_protocol", @@ -2817,7 +2856,7 @@ checksum = "ed3955f1a9c7c0c15e092f9c887db08b1fc683305fdf6eb6684f22555355e202" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -2920,9 +2959,9 @@ checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5" [[package]] name = "openssl" -version = "0.10.63" +version = "0.10.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "15c9d69dd87a29568d4d017cfe8ec518706046a05184e5aea92d0af890b803c8" +checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f" dependencies = [ "bitflags 2.4.2", "cfg-if", 
@@ -2941,7 +2980,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -2961,9 +3000,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.99" +version = "0.9.100" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22e1bf214306098e4832460f797824c05d25aacdf896f64a985fb0fd992454ae" +checksum = "ae94056a791d0e1217d18b6cbdccb02c61e3054fc69893607f4067e3bb0b1fd1" dependencies = [ "cc", "libc", @@ -3171,7 +3210,7 @@ dependencies = [ "pest_meta", "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -3226,7 +3265,7 @@ dependencies = [ "phf_shared", "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -3290,7 +3329,7 @@ checksum = "266c042b60c9c76b8d53061e52b2e0d1116abc57cefc8c5cd671619a56ac3690" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -3595,7 +3634,7 @@ dependencies = [ "base64 0.21.7", "cfg-if", "chrono", - "clap 4.5.0", + "clap 4.5.1", "env_logger 0.10.2", "log", "path-clean", @@ -3734,16 +3773,17 @@ dependencies = [ [[package]] name = "ring" -version = "0.17.7" +version = "0.17.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "688c63d65483050968b2a8937f7995f443e27041a0f7700aa59b0822aedebb74" +checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d" dependencies = [ "cc", + "cfg-if", "getrandom", "libc", "spin 0.9.8", "untrusted 0.9.0", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] @@ -3824,7 +3864,7 @@ dependencies = [ "regex", "relative-path", "rustc_version 0.4.0", - "syn 2.0.49", + "syn 2.0.50", "unicode-ident", ] 
@@ -3865,7 +3905,7 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366" dependencies = [ - "semver 1.0.21", + "semver 1.0.22", ] [[package]] @@ -3909,7 +3949,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba" dependencies = [ "log", - "ring 0.17.7", + "ring 0.17.8", "rustls-webpki 0.101.7", "sct", ] @@ -3921,7 +3961,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e87c9956bd9807afa1f77e0f7594af32566e830e088a5576d27c5b6f30f49d41" dependencies = [ "log", - "ring 0.17.7", + "ring 0.17.8", "rustls-pki-types", "rustls-webpki 0.102.2", "subtle", @@ -3949,7 +3989,7 @@ version = "0.101.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" dependencies = [ - "ring 0.17.7", + "ring 0.17.8", "untrusted 0.9.0", ] @@ -3959,7 +3999,7 @@ version = "0.102.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "faaa0a62740bedb9b2ef5afa303da42764c012f743917351dc9a237ea1663610" dependencies = [ - "ring 0.17.7", + "ring 0.17.8", "rustls-pki-types", "untrusted 0.9.0", ] @@ -3972,9 +4012,9 @@ checksum = "7ffc183a10b4478d04cbbbfc96d0873219d962dd5accaff2ffbd4ceb7df837f4" [[package]] name = "ryu" -version = "1.0.16" +version = "1.0.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f98d2aa92eebf49b69786be48e4477826b256916e84a57ff2a4f21923b48eb4c" +checksum = "e86697c916019a8588c99b5fac3cead74ec0b4b819707a682fd4d23fa0ce1ba1" [[package]] name = "salsa20" @@ -4032,7 +4072,7 @@ checksum = "1db149f81d46d2deba7cd3c50772474707729550221e69588478ebf9ada425ae" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] 
@@ -4052,7 +4092,7 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" dependencies = [ - "ring 0.17.7", + "ring 0.17.8", "untrusted 0.9.0", ] @@ -4104,9 +4144,9 @@ dependencies = [ [[package]] name = "semver" -version = "1.0.21" +version = "1.0.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b97ed7a9823b74f99c7742f5336af7be5ecd3eeafcb1507d1fa93347b1d589b0" +checksum = "92d43fe69e652f3df9bdc2b85b2854a0825b86e4fb76bc44d945137d053639ca" [[package]] name = "semver-parser" @@ -4119,9 +4159,9 @@ dependencies = [ [[package]] name = "serde" -version = "1.0.196" +version = "1.0.197" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "870026e60fa08c69f064aa766c10f10b1d62db9ccd4d0abb206472bee0ce3b32" +checksum = "3fb1c873e1b9b056a4dc4c0c198b24c3ffa059243875552b2bd0933b1aee4ce2" dependencies = [ "serde_derive", ] @@ -4146,20 +4186,20 @@ dependencies = [ [[package]] name = "serde_derive" -version = "1.0.196" +version = "1.0.197" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33c85360c95e7d137454dc81d9a4ed2b8efd8fbe19cee57357b32b9771fccb67" +checksum = "7eb0b34b42edc17f6b7cac84a52a1c5f0e1bb2227e997ca9011ea3dd34e8610b" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] name = "serde_json" -version = "1.0.113" +version = "1.0.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69801b70b1c3dac963ecb03a364ba0ceda9cf60c71cfe475e99864759c8b8a79" +checksum = "c5f09b1bd632ef549eaa9f60a1f8de742bdbc698e6cee2095fc84dde5f549ae0" dependencies = [ "itoa", "ryu", @@ -4512,7 +4552,7 @@ dependencies = [ "proc-macro2", "quote", "rustversion", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] 
@@ -4534,9 +4574,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.49" +version = "2.0.50" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "915aea9e586f80826ee59f8453c1101f9d1c4b3964cd2460185ee8e299ada496" +checksum = "74f1bdc9872430ce9b75da68329d1c1746faf50ffac5f19e02b71e37ff881ffb" dependencies = [ "proc-macro2", "quote", @@ -4645,9 +4685,9 @@ dependencies = [ [[package]] name = "textwrap" -version = "0.16.0" +version = "0.16.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "222a222a5bfe1bba4a77b45ec488a741b3cb8872e5e499451fd7d0129c9c7c3d" +checksum = "23d434d3f8967a09480fb04132ebe0a3e088c173e6d0ee7897abbdf4eab0f8b9" [[package]] name = "thiserror" @@ -4666,14 +4706,14 @@ checksum = "a953cb265bef375dae3de6663da4d3804eee9682ea80d8e2542529b73c531c81" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] name = "thread_local" -version = "1.1.7" +version = "1.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fdd6f064ccff2d6567adcb3873ca630700f00b5ad3f060c25b5dcfd9a4ce152" +checksum = "8b9ef9bad013ada3808854ceac7b46812a6465ba368859a37e2100283d2d719c" dependencies = [ "cfg-if", "once_cell", @@ -4764,7 +4804,7 @@ checksum = "5b8a1e28f2deaa14e508979454cb3a223b10b938b45af148bc0986de36f1923b" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -4969,7 +5009,7 @@ checksum = "34704c8d6ebcbc939824180af020566b01a7c01f80641264eba0999f6c2b6be7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] 
@@ -5121,9 +5161,9 @@ checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" [[package]] name = "unicode-normalization" -version = "0.1.22" +version = "0.1.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921" +checksum = "a56d1686db2308d901306f92a263857ef59ea39678a5458e7cb17f01415101f5" dependencies = [ "tinyvec", ] @@ -5249,8 +5289,8 @@ dependencies = [ "asn1-rs", "assert-json-diff", "async-trait", - "az-snp-vtpm", - "az-tdx-vtpm", + "az-snp-vtpm 0.5.2", + "az-tdx-vtpm 0.5.2", "base64 0.21.7", "bincode", "byteorder", @@ -5350,7 +5390,7 @@ dependencies = [ "once_cell", "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", "wasm-bindgen-shared", ] @@ -5384,7 +5424,7 @@ checksum = "642f325be6301eb8107a83d12a8ac6c1e1c54345a7ef1a9261962dfefda09e66" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", "wasm-bindgen-backend", "wasm-bindgen-shared", ] @@ -5411,7 +5451,7 @@ version = "0.22.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ed63aea5ce73d0ff405984102c42de94fc55a6b75765d621c65262469b3c9b53" dependencies = [ - "ring 0.17.7", + "ring 0.17.8", "untrusted 0.9.0", ] @@ -5687,7 +5727,7 @@ checksum = "9ce1b18ccd8e73a9321186f97e46f9f04b778851177567b1975109d26a08d2a6" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -5707,7 +5747,7 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] diff --git a/attestation-service/verifier/Cargo.toml b/attestation-service/verifier/Cargo.toml index 3a3a8a8820..09b7d8eef7 100644 --- a/attestation-service/verifier/Cargo.toml +++ b/attestation-service/verifier/Cargo.toml 
@@ -18,8 +18,8 @@ cca-verifier = [ "ear", "jsonwebtoken", "veraison-apiclient" ] anyhow.workspace = true asn1-rs = { version = "0.5.1", optional = true } async-trait.workspace = true -az-snp-vtpm = { version = "0.5.1", default-features = false, features = ["verifier"], optional = true } -az-tdx-vtpm = { version = "0.5.1", default-features = false, features = ["verifier"], optional = true } +az-snp-vtpm = { git = "https://github.com/mkulke/azure-cvm-tooling.git", rev = "7fbd5ab2d53602941af7d28f1efe7e0798126d0a", default-features = false, features = ["verifier"], optional = true } +az-tdx-vtpm = { git = "https://github.com/mkulke/azure-cvm-tooling.git", rev = "7fbd5ab2d53602941af7d28f1efe7e0798126d0a", default-features = false, features = ["verifier"], optional = true } base64 = "0.21" bincode = "1.3.3" byteorder = "1" diff --git a/attestation-service/verifier/src/az_snp_vtpm/mod.rs b/attestation-service/verifier/src/az_snp_vtpm/mod.rs index 0dfdc6f8c6..2aace92b06 100644 --- a/attestation-service/verifier/src/az_snp_vtpm/mod.rs +++ b/attestation-service/verifier/src/az_snp_vtpm/mod.rs @@ -18,6 +18,7 @@ use az_snp_vtpm::vtpm::Quote; use log::{debug, warn}; use openssl::pkey::PKey; use serde::{Deserialize, Serialize}; +use serde_json::Value; use sev::firmware::host::{CertTableEntry, CertType}; const HCL_VMPL_VALUE: u32 = 0; 
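Review bot: The two replaced lines move `az-snp-vtpm` and `az-tdx-vtpm`, the crates that parse and verify attestation evidence, from the crates.io 0.5.1 release to a git dependency on `github.com/mkulke/azure-cvm-tooling.git`, with no comment saying why or for how long. Pinning `rev` to a full commit hash keeps the source immutable, which is the right form for a git dependency. The code is still outside the registry's publish and yank process, and the build now depends on that repository staying reachable. The lock file in this patch also ends up with both the 0.5.1 registry copies and the 0.5.2 git copies of `az-cvm-vtpm`, `az-snp-vtpm` and `az-tdx-vtpm`, so two versions of the quote types are linked into the workspace. If the pin is meant to be temporary, I would add a comment above the two lines such as `# temporary: pinned to a git rev until 0.5.2 is published on crates.io` and track the switch back.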
@@ -43,6 +44,24 @@ impl AzSnpVtpm { } } +pub(crate) fn extend_claim_with_tpm_quote( + claim: &mut TeeEvidenceParsedClaim, + quote: &Quote, +) -> Result<()> { + let Value::Object(ref mut map) = claim else { + bail!("failed to extend the claim, not an object"); + }; + + let mut tpm_values = serde_json::Map::new(); + for (i, pcr) in quote.pcrs_sha256().iter().enumerate() { + tpm_values.insert(format!("pcr{:02}", i), Value::String(hex::encode(pcr))); + } + debug!("extending claim with TPM quote: {:#?}", tpm_values); + map.insert("tpm".to_string(), Value::Object(tpm_values)); + + Ok(()) +} + #[async_trait] impl Verifier for AzSnpVtpm { /// The following verification steps are performed: @@ -83,7 +102,9 @@ impl Verifier for AzSnpVtpm { let vcek = Vcek::from_pem(&evidence.vcek)?; verify_snp_report(&snp_report, &vcek, &self.vendor_certs)?; - let claim = parse_tee_evidence(&snp_report); + let mut claim = parse_tee_evidence(&snp_report); + extend_claim_with_tpm_quote(&mut claim, &evidence.quote)?; + Ok(claim) } } @@ -145,6 +166,7 @@ fn verify_snp_report( mod tests { use super::*; use az_snp_vtpm::vtpm::VerifyError; + use serde_json::json; const REPORT: &[u8; 2600] = include_bytes!("../../test_data/az-snp-vtpm/hcl-report.bin"); const QUOTE: &[u8; 1362] = include_bytes!("../../test_data/az-snp-vtpm/quote.bin"); @@ -273,4 +295,22 @@ mod tests { VerifyError::PcrMismatch.to_string() ); } + + #[test] + fn test_extend_claim_with_tpm_quote() { + let mut claim = json!({"some": "thing"}); + let quote: Quote = bincode::deserialize(QUOTE).unwrap(); + extend_claim_with_tpm_quote(&mut claim, "e).unwrap(); + + let map = claim.as_object().unwrap(); + assert_eq!(map.len(), 2); + let tpm_map = map.get("tpm").unwrap().as_object().unwrap(); + assert_eq!(tpm_map.len(), 24); + + for (i, pcr) in quote.pcrs_sha256().iter().enumerate() { + let key = format!("pcr{:02}", i); + let value = tpm_map.get(&key).unwrap().as_str().unwrap(); + assert_eq!(value, hex::encode(pcr)); + } + } } 
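Review bot: In `extend_claim_with_tpm_quote` the key `pcr{:02}` is built from the `enumerate()` position rather than from a PCR index carried by the quote, so the label is only right if `pcrs_sha256()` always returns every register in order starting at PCR 0. That is not visible in this hunk (the test further down expects 24 entries). If a quote can carry a narrower selection, a policy comparing `pcr07` to a reference value would be reading a different register. A cheap guard is `let pcrs = quote.pcrs_sha256();` followed by `if pcrs.len() != 24 { bail!("unexpected PCR count in quote") }` before the loop. The function also has no doc comment; it should state that the quote must already be verified, that an existing `tpm` key is overwritten, and that keys are zero-padded (`pcr00` … `pcr23`), which differs from the `pcr0` … `pcrN` in the commit description.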
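Review bot: The PCR values taken from `evidence.quote` become claims that policies compare against reference values, but the lines visible around the new `extend_claim_with_tpm_quote` call only show the SNP report being checked against the VCEK. `evaluate` starts above this hunk, so the quote signature check and the PCR-digest check (the one the tests report as `VerifyError::PcrMismatch`) are presumably done earlier. If either is skipped on some path, unauthenticated PCR values would reach the claims map. I would record the dependency at the call site, e.g. `// PCRs are exposed as claims only after the quote signature and PCR digest were verified above`. The same applies to the `evidence.tpm_quote` call added in `az_tdx_vtpm/mod.rs`.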
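Review bot: `test_extend_claim_with_tpm_quote` derives the expected keys with the same `format!("pcr{:02}", i)` expression and the same `pcrs_sha256()` call as the function under test, so a change to the key naming that policies rely on would not fail it. Pinning literal keys, for example `assert!(tpm_map.contains_key("pcr00") && tpm_map.contains_key("pcr23"));`, would make the claim schema part of the test. A second case that passes a non-object claim such as `json!("x")` and expects an error would cover the `bail!` branch.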
diff --git a/attestation-service/verifier/src/az_tdx_vtpm/mod.rs b/attestation-service/verifier/src/az_tdx_vtpm/mod.rs index 274bca9f04..bf317fb7e9 100644 --- a/attestation-service/verifier/src/az_tdx_vtpm/mod.rs +++ b/attestation-service/verifier/src/az_tdx_vtpm/mod.rs @@ -3,6 +3,7 @@ // SPDX-License-Identifier: Apache-2.0 // +use super::az_snp_vtpm::extend_claim_with_tpm_quote; use super::tdx::claims::generate_parsed_claim; use super::tdx::quote::{ecdsa_quote_verification, parse_tdx_quote, Quote as TdQuote}; use super::{TeeEvidenceParsedClaim, Verifier}; @@ -62,7 +63,9 @@ impl Verifier for AzTdxVtpm { verify_hcl_var_data(&hcl_report, &td_quote)?; - let claim = generate_parsed_claim(td_quote, None)?; + let mut claim = generate_parsed_claim(td_quote, None)?; + extend_claim_with_tpm_quote(&mut claim, &evidence.tpm_quote)?; + Ok(claim) } } diff --git a/attestation-service/verifier/src/snp/mod.rs b/attestation-service/verifier/src/snp/mod.rs index 918be3aa94..3de637feae 100644 --- a/attestation-service/verifier/src/snp/mod.rs +++ b/attestation-service/verifier/src/snp/mod.rs @@ -112,7 +112,9 @@ impl Verifier for Snp { } } - Ok(parse_tee_evidence(&report)) + let claims_map = parse_tee_evidence(&report); + let json = json!(claims_map); + Ok(json) } }
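Review bot: `use super::az_snp_vtpm::extend_claim_with_tpm_quote;` makes the TDX verifier module depend on the SNP verifier module, and both crates are `optional` dependencies in `verifier/Cargo.toml`. How the modules are feature-gated is not shown on this page, but if `az_snp_vtpm` is only compiled with its own feature, a build that enables the TDX vTPM verifier alone would stop compiling. The helper's `&Quote` parameter is also the `az_snp_vtpm::vtpm::Quote` type, while this module passes `evidence.tpm_quote`. Moving the helper into a module that both verifiers can reach regardless of feature selection, typed on the quote type they share, would remove the coupling.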
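Review bot: In the `snp/mod.rs` hunk, `json!(claims_map)` with a plain expression expands to `serde_json::to_value(&claims_map).unwrap()`, so a serialization failure would panic inside `evaluate` instead of returning an error. The return type of `parse_tee_evidence` is outside the hunk. The removed line returned its result directly, and `az_snp_vtpm` passes what appears to be the same function's result as `&mut TeeEvidenceParsedClaim`, which suggests it is already a JSON value and the conversion is a no-op copy. Either keep `Ok(parse_tee_evidence(&report))`, or, if the type did change, use `Ok(serde_json::to_value(claims_map)?)` so the error is propagated.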