From 7b908df9e9a06a800f90b0b16f380ed455981439 Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Fri, 16 Feb 2024 17:52:33 +0100 Subject: [PATCH] az-snp/tdx-vtpm-verifier: add PCRs to claims map PCR values are added in a `"tpm": { "pcr0": ..., "pcrN": ... }` hierarchy, to the claims map so they can be compared to reference values. Signed-off-by: Magnus Kulke --- Cargo.lock | 251 +++++++++--------- attestation-service/docs/parsed_claims.md | 16 ++ attestation-service/verifier/Cargo.toml | 4 +- .../verifier/src/az_snp_vtpm/mod.rs | 44 ++- .../verifier/src/az_tdx_vtpm/mod.rs | 7 +- attestation-service/verifier/src/snp/mod.rs | 4 +- .../test_data/az-snp-vtpm/hcl-report.bin | Bin 2600 -> 2600 bytes .../verifier/test_data/az-snp-vtpm/quote.bin | Bin 1362 -> 1170 bytes .../verifier/test_data/az-snp-vtpm/vcek.pem | 116 ++++++-- .../test_data/az-tdx-vtpm/hcl-report.bin | Bin 2600 -> 2600 bytes .../verifier/test_data/az-tdx-vtpm/quote.bin | Bin 1362 -> 1170 bytes .../test_data/az-tdx-vtpm/td-quote.bin | Bin 5006 -> 5006 bytes 12 files changed, 285 insertions(+), 157 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index cd5519039..9d443a50d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -30,7 +30,7 @@ dependencies = [ "actix-service", "actix-tls", "actix-utils", - "ahash 0.8.8", + "ahash 0.8.9", "base64 0.21.7", "bitflags 2.4.2", "brotli", @@ -66,7 +66,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e01ed3140b2f8d422c68afa1ed2e85d996ea619c988ac834d255db32138655cb" dependencies = [ "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -167,7 +167,7 @@ dependencies = [ "actix-tls", "actix-utils", "actix-web-codegen", - "ahash 0.8.8", + "ahash 0.8.9", "bytes", "bytestring", "cfg-if", @@ -201,7 +201,7 @@ dependencies = [ "actix-router", "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] 
@@ -282,9 +282,9 @@ dependencies = [ [[package]] name = "ahash" -version = "0.8.8" +version = "0.8.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "42cd52102d3df161c77a887b608d7a4897d7cc112886a9537b738a887a03aaff" +checksum = "d713b3834d76b85304d4d525563c1276e2e30dc97cc67bfb4585a4a29fc2c89f" dependencies = [ "cfg-if", "getrandom", @@ -343,9 +343,9 @@ dependencies = [ [[package]] name = "anstream" -version = "0.6.11" +version = "0.6.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e2e1ebcb11de5c03c67de28a7df593d32191b44939c482e97702baaaa6ab6a5" +checksum = "96b09b5178381e0874812a9b157f7fe84982617e48f71f4e3235482775e5b540" dependencies = [ "anstyle", "anstyle-parse", @@ -391,9 +391,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.79" +version = "1.0.80" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "080e9890a082662b09c1ad45f567faeeb47f22b5fb23895fbe1e651e718e25ca" +checksum = "5ad32ce52e4161730f7098c077cd2ed6229b5804ccf99e5366be1ab72a98b4e1" [[package]] name = "api-server" @@ -407,7 +407,7 @@ dependencies = [ "attestation-service", "base64 0.21.7", "cfg-if", - "clap 4.5.0", + "clap 4.5.1", "config", "env_logger 0.10.2", "jsonwebtoken", @@ -425,7 +425,7 @@ dependencies = [ "rustls 0.20.9", "rustls-pemfile", "scc", - "semver 1.0.21", + "semver 1.0.22", "serde", "serde_json", "strum", @@ -507,7 +507,7 @@ checksum = "16e62a023e7c117e27523144c5d2459f4397fcc3cab0085af8e2224f643a0193" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -518,7 +518,7 @@ checksum = "c980ee35e870bd1a4d2c8294d4c04d0499e67bca1e4b5cefcc693c2fa00caea9" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -531,7 +531,7 @@ dependencies = [ "async-trait", "base64 0.21.7", "cfg-if", - "clap 4.5.0", + "clap 4.5.1", "env_logger 0.10.2", "futures", "hex", 
@@ -651,9 +651,9 @@ dependencies = [ [[package]] name = "az-cvm-vtpm" -version = "0.5.1" +version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a10f6fa739b35830481a36f199a57cdcb4dbea2dbc416070a1a9618dd4d4df2a" +checksum = "53f5fa6fe32f6409dca8202ddd267027ac1f1de4cd91b9e21d92062c14d63cae" dependencies = [ "bincode", "jsonwebkey", @@ -672,13 +672,13 @@ dependencies = [ [[package]] name = "az-snp-vtpm" -version = "0.5.1" +version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "45e9b802881e606ed0a259218dfb657e2a9130f37bf4161ff8db5c4ed10488c5" +checksum = "5b394dfe2307a0ee74bf22a7ebbb2563a03739927ad44e216803300260426b5d" dependencies = [ "az-cvm-vtpm", "bincode", - "clap 4.5.0", + "clap 4.5.1", "openssl", "serde", "sev", @@ -688,9 +688,9 @@ dependencies = [ [[package]] name = "az-tdx-vtpm" -version = "0.5.1" +version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d5e9475a3a25803c9ada11c2481356dd1e4c4fafe56a97ee6566a61c1d7d5832" +checksum = "199c3d801575d0e6779aa66876ef88703324892f2fc0b1daf56c2ee09a51ec98" dependencies = [ "az-cvm-vtpm", "base64-url", @@ -876,9 +876,9 @@ dependencies = [ [[package]] name = "bumpalo" -version = "3.15.0" +version = "3.15.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d32a994c2b3ca201d9b263612a374263f05e7adde37c4707f693dcd375076d1f" +checksum = "8ea184aa71bb362a1157c896979544cc23974e08fd265f29ea96b59f0b4a555b" [[package]] name = "byteorder" @@ -922,11 +922,10 @@ dependencies = [ [[package]] name = "cc" -version = "1.0.83" +version = "1.0.86" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" +checksum = "7f9fa1897e4325be0d68d48df6aa1a71ac2ed4d27723887e7754192705350730" dependencies = [ - "jobserver", "libc", ] 
@@ -957,7 +956,7 @@ dependencies = [ "num-traits", "serde", "wasm-bindgen", - "windows-targets 0.52.0", + "windows-targets 0.52.3", ] [[package]] @@ -1035,14 +1034,14 @@ dependencies = [ "indexmap 1.9.3", "strsim 0.10.0", "termcolor", - "textwrap 0.16.0", + "textwrap 0.16.1", ] [[package]] name = "clap" -version = "4.5.0" +version = "4.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "80c21025abd42669a92efc996ef13cfb2c5c627858421ea58d5c3b331a6c134f" +checksum = "c918d541ef2913577a0f9566e9ce27cb35b6df072075769e0b26cb5a554520da" dependencies = [ "clap_builder", "clap_derive", @@ -1050,9 +1049,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.0" +version = "4.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "458bf1f341769dfcf849846f65dffdf9146daa56bcd2a47cb4e1de9915567c99" +checksum = "9f3e7391dad68afb0c2ede1bf619f579a3dc9c2ec67f089baa397123a2f3d1eb" dependencies = [ "anstream", "anstyle", @@ -1069,7 +1068,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -1504,7 +1503,7 @@ checksum = "487585f4d0c6655fe74905e2504d8ad6908e4db67f744eb140876906c2f3175d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -1607,7 +1606,7 @@ checksum = "5c785274071b1b420972453b306eeca06acf4633829db4223b58a2a8c5953bc4" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -1808,7 +1807,7 @@ checksum = "87750cf4b7a4c0625b1529e4c543c2182106e4dedc60a2a6455e00d212c489ac" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] 
@@ -1825,9 +1824,9 @@ checksum = "38d84fa142264698cdce1a9f9172cf383a0c82de1bddcf3092901442c4097004" [[package]] name = "futures-timer" -version = "3.0.2" +version = "3.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e64b03909df88034c26dc1547e8970b91f98bdb65165d6a4e9110d94263dbb2c" +checksum = "f288b0a4f20f9a56b5d1da57e2227c661b7b16168e2f72365f57b63326e29b24" [[package]] name = "futures-util" @@ -2295,15 +2294,6 @@ version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c" -[[package]] -name = "jobserver" -version = "0.1.28" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab46a6e9526ddef3ae7f787c06f0f2600639ba80ea3eade3d8e670a2230f51d6" -dependencies = [ - "libc", -] - [[package]] name = "js-sys" version = "0.3.68" @@ -2350,7 +2340,7 @@ dependencies = [ "base64 0.21.7", "js-sys", "pem", - "ring 0.17.7", + "ring 0.17.8", "serde", "serde_json", "simple_asn1", @@ -2403,7 +2393,7 @@ dependencies = [ "anyhow", "api-server", "cfg-if", - "clap 4.5.0", + "clap 4.5.1", "env_logger 0.10.2", "log", "tokio", @@ -2415,7 +2405,7 @@ version = "0.1.0" dependencies = [ "anyhow", "base64 0.21.7", - "clap 4.5.0", + "clap 4.5.1", "env_logger 0.10.2", "jwt-simple", "kbs_protocol", @@ -2817,7 +2807,7 @@ checksum = "ed3955f1a9c7c0c15e092f9c887db08b1fc683305fdf6eb6684f22555355e202" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -2920,9 +2910,9 @@ checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5" [[package]] name = "openssl" -version = "0.10.63" +version = "0.10.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "15c9d69dd87a29568d4d017cfe8ec518706046a05184e5aea92d0af890b803c8" +checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f" dependencies = [ "bitflags 2.4.2", "cfg-if", 
@@ -2941,7 +2931,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -2961,9 +2951,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.99" +version = "0.9.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22e1bf214306098e4832460f797824c05d25aacdf896f64a985fb0fd992454ae" +checksum = "dda2b0f344e78efc2facf7d195d098df0dd72151b26ab98da807afc26c198dff" dependencies = [ "cc", "libc", @@ -3171,7 +3161,7 @@ dependencies = [ "pest_meta", "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -3226,7 +3216,7 @@ dependencies = [ "phf_shared", "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -3290,7 +3280,7 @@ checksum = "266c042b60c9c76b8d53061e52b2e0d1116abc57cefc8c5cd671619a56ac3690" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -3595,7 +3585,7 @@ dependencies = [ "base64 0.21.7", "cfg-if", "chrono", - "clap 4.5.0", + "clap 4.5.1", "env_logger 0.10.2", "log", "path-clean", @@ -3734,16 +3724,17 @@ dependencies = [ [[package]] name = "ring" -version = "0.17.7" +version = "0.17.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "688c63d65483050968b2a8937f7995f443e27041a0f7700aa59b0822aedebb74" +checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d" dependencies = [ "cc", + "cfg-if", "getrandom", "libc", "spin 0.9.8", "untrusted 0.9.0", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] @@ -3824,7 +3815,7 @@ dependencies = [ "regex", "relative-path", "rustc_version 0.4.0", - "syn 2.0.49", + "syn 2.0.50", "unicode-ident", ] 
@@ -3865,7 +3856,7 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366" dependencies = [ - "semver 1.0.21", + "semver 1.0.22", ] [[package]] @@ -3909,7 +3900,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba" dependencies = [ "log", - "ring 0.17.7", + "ring 0.17.8", "rustls-webpki 0.101.7", "sct", ] @@ -3921,7 +3912,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e87c9956bd9807afa1f77e0f7594af32566e830e088a5576d27c5b6f30f49d41" dependencies = [ "log", - "ring 0.17.7", + "ring 0.17.8", "rustls-pki-types", "rustls-webpki 0.102.2", "subtle", @@ -3949,7 +3940,7 @@ version = "0.101.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" dependencies = [ - "ring 0.17.7", + "ring 0.17.8", "untrusted 0.9.0", ] @@ -3959,7 +3950,7 @@ version = "0.102.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "faaa0a62740bedb9b2ef5afa303da42764c012f743917351dc9a237ea1663610" dependencies = [ - "ring 0.17.7", + "ring 0.17.8", "rustls-pki-types", "untrusted 0.9.0", ] @@ -3972,9 +3963,9 @@ checksum = "7ffc183a10b4478d04cbbbfc96d0873219d962dd5accaff2ffbd4ceb7df837f4" [[package]] name = "ryu" -version = "1.0.16" +version = "1.0.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f98d2aa92eebf49b69786be48e4477826b256916e84a57ff2a4f21923b48eb4c" +checksum = "e86697c916019a8588c99b5fac3cead74ec0b4b819707a682fd4d23fa0ce1ba1" [[package]] name = "salsa20" @@ -4032,7 +4023,7 @@ checksum = "1db149f81d46d2deba7cd3c50772474707729550221e69588478ebf9ada425ae" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] 
@@ -4052,7 +4043,7 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" dependencies = [ - "ring 0.17.7", + "ring 0.17.8", "untrusted 0.9.0", ] @@ -4104,9 +4095,9 @@ dependencies = [ [[package]] name = "semver" -version = "1.0.21" +version = "1.0.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b97ed7a9823b74f99c7742f5336af7be5ecd3eeafcb1507d1fa93347b1d589b0" +checksum = "92d43fe69e652f3df9bdc2b85b2854a0825b86e4fb76bc44d945137d053639ca" [[package]] name = "semver-parser" @@ -4119,9 +4110,9 @@ dependencies = [ [[package]] name = "serde" -version = "1.0.196" +version = "1.0.197" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "870026e60fa08c69f064aa766c10f10b1d62db9ccd4d0abb206472bee0ce3b32" +checksum = "3fb1c873e1b9b056a4dc4c0c198b24c3ffa059243875552b2bd0933b1aee4ce2" dependencies = [ "serde_derive", ] @@ -4146,20 +4137,20 @@ dependencies = [ [[package]] name = "serde_derive" -version = "1.0.196" +version = "1.0.197" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33c85360c95e7d137454dc81d9a4ed2b8efd8fbe19cee57357b32b9771fccb67" +checksum = "7eb0b34b42edc17f6b7cac84a52a1c5f0e1bb2227e997ca9011ea3dd34e8610b" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] name = "serde_json" -version = "1.0.113" +version = "1.0.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69801b70b1c3dac963ecb03a364ba0ceda9cf60c71cfe475e99864759c8b8a79" +checksum = "c5f09b1bd632ef549eaa9f60a1f8de742bdbc698e6cee2095fc84dde5f549ae0" dependencies = [ "itoa", "ryu", 
@@ -4410,12 +4401,12 @@ checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" [[package]] name = "socket2" -version = "0.5.5" +version = "0.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b5fac59a5cb5dd637972e5fca70daf0523c9067fcdc4842f053dae04a18f8e9" +checksum = "05ffd9c0a93b7543e062e759284fcf5f5e3b098501104bfbdde4d404db792871" dependencies = [ "libc", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] @@ -4512,7 +4503,7 @@ dependencies = [ "proc-macro2", "quote", "rustversion", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -4534,9 +4525,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.49" +version = "2.0.50" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "915aea9e586f80826ee59f8453c1101f9d1c4b3964cd2460185ee8e299ada496" +checksum = "74f1bdc9872430ce9b75da68329d1c1746faf50ffac5f19e02b71e37ff881ffb" dependencies = [ "proc-macro2", "quote", @@ -4584,9 +4575,9 @@ dependencies = [ [[package]] name = "target-lexicon" -version = "0.12.13" +version = "0.12.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69758bda2e78f098e4ccb393021a0963bb3442eac05f135c30f61b7370bbafae" +checksum = "e1fc403891a21bcfb7c37834ba66a547a8f402146eba7265b5a6d88059c9ff2f" [[package]] name = "tdx-attest-rs" @@ -4645,9 +4636,9 @@ dependencies = [ [[package]] name = "textwrap" -version = "0.16.0" +version = "0.16.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "222a222a5bfe1bba4a77b45ec488a741b3cb8872e5e499451fd7d0129c9c7c3d" +checksum = "23d434d3f8967a09480fb04132ebe0a3e088c173e6d0ee7897abbdf4eab0f8b9" [[package]] name = "thiserror" 
@@ -4666,14 +4657,14 @@ checksum = "a953cb265bef375dae3de6663da4d3804eee9682ea80d8e2542529b73c531c81" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] name = "thread_local" -version = "1.1.7" +version = "1.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fdd6f064ccff2d6567adcb3873ca630700f00b5ad3f060c25b5dcfd9a4ce152" +checksum = "8b9ef9bad013ada3808854ceac7b46812a6465ba368859a37e2100283d2d719c" dependencies = [ "cfg-if", "once_cell", @@ -4764,7 +4755,7 @@ checksum = "5b8a1e28f2deaa14e508979454cb3a223b10b938b45af148bc0986de36f1923b" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -4969,7 +4960,7 @@ checksum = "34704c8d6ebcbc939824180af020566b01a7c01f80641264eba0999f6c2b6be7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -5121,9 +5112,9 @@ checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" [[package]] name = "unicode-normalization" -version = "0.1.22" +version = "0.1.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921" +checksum = "a56d1686db2308d901306f92a263857ef59ea39678a5458e7cb17f01415101f5" dependencies = [ "tinyvec", ] @@ -5350,7 +5341,7 @@ dependencies = [ "once_cell", "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", "wasm-bindgen-shared", ] @@ -5384,7 +5375,7 @@ checksum = "642f325be6301eb8107a83d12a8ac6c1e1c54345a7ef1a9261962dfefda09e66" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", "wasm-bindgen-backend", "wasm-bindgen-shared", ] @@ -5411,7 +5402,7 @@ version = "0.22.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ed63aea5ce73d0ff405984102c42de94fc55a6b75765d621c65262469b3c9b53" dependencies = [ - "ring 0.17.7", + "ring 0.17.8", "untrusted 0.9.0", ] 
@@ -5488,7 +5479,7 @@ version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9" dependencies = [ - "windows-targets 0.52.0", + "windows-targets 0.52.3", ] [[package]] @@ -5506,7 +5497,7 @@ version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" dependencies = [ - "windows-targets 0.52.0", + "windows-targets 0.52.3", ] [[package]] @@ -5526,17 +5517,17 @@ dependencies = [ [[package]] name = "windows-targets" -version = "0.52.0" +version = "0.52.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a18201040b24831fbb9e4eb208f8892e1f50a37feb53cc7ff887feb8f50e7cd" +checksum = "d380ba1dc7187569a8a9e91ed34b8ccfc33123bbacb8c0aed2d1ad7f3ef2dc5f" dependencies = [ - "windows_aarch64_gnullvm 0.52.0", - "windows_aarch64_msvc 0.52.0", - "windows_i686_gnu 0.52.0", - "windows_i686_msvc 0.52.0", - "windows_x86_64_gnu 0.52.0", - "windows_x86_64_gnullvm 0.52.0", - "windows_x86_64_msvc 0.52.0", + "windows_aarch64_gnullvm 0.52.3", + "windows_aarch64_msvc 0.52.3", + "windows_i686_gnu 0.52.3", + "windows_i686_msvc 0.52.3", + "windows_x86_64_gnu 0.52.3", + "windows_x86_64_gnullvm 0.52.3", + "windows_x86_64_msvc 0.52.3", ] [[package]] @@ -5547,9 +5538,9 @@ checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" [[package]] name = "windows_aarch64_gnullvm" -version = "0.52.0" +version = "0.52.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cb7764e35d4db8a7921e09562a0304bf2f93e0a51bfccee0bd0bb0b666b015ea" +checksum = "68e5dcfb9413f53afd9c8f86e56a7b4d86d9a2fa26090ea2dc9e40fba56c6ec6" [[package]] name = "windows_aarch64_msvc" 
@@ -5559,9 +5550,9 @@ checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" [[package]] name = "windows_aarch64_msvc" -version = "0.52.0" +version = "0.52.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bbaa0368d4f1d2aaefc55b6fcfee13f41544ddf36801e793edbbfd7d7df075ef" +checksum = "8dab469ebbc45798319e69eebf92308e541ce46760b49b18c6b3fe5e8965b30f" [[package]] name = "windows_i686_gnu" @@ -5571,9 +5562,9 @@ checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" [[package]] name = "windows_i686_gnu" -version = "0.52.0" +version = "0.52.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a28637cb1fa3560a16915793afb20081aba2c92ee8af57b4d5f28e4b3e7df313" +checksum = "2a4e9b6a7cac734a8b4138a4e1044eac3404d8326b6c0f939276560687a033fb" [[package]] name = "windows_i686_msvc" @@ -5583,9 +5574,9 @@ checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" [[package]] name = "windows_i686_msvc" -version = "0.52.0" +version = "0.52.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffe5e8e31046ce6230cc7215707b816e339ff4d4d67c65dffa206fd0f7aa7b9a" +checksum = "28b0ec9c422ca95ff34a78755cfa6ad4a51371da2a5ace67500cf7ca5f232c58" [[package]] name = "windows_x86_64_gnu" @@ -5595,9 +5586,9 @@ checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" [[package]] name = "windows_x86_64_gnu" -version = "0.52.0" +version = "0.52.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d6fa32db2bc4a2f5abeacf2b69f7992cd09dca97498da74a151a3132c26befd" +checksum = "704131571ba93e89d7cd43482277d6632589b18ecf4468f591fbae0a8b101614" [[package]] name = "windows_x86_64_gnullvm" 
@@ -5607,9 +5598,9 @@ checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" [[package]] name = "windows_x86_64_gnullvm" -version = "0.52.0" +version = "0.52.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a657e1e9d3f514745a572a6846d3c7aa7dbe1658c056ed9c3344c4109a6949e" +checksum = "42079295511643151e98d61c38c0acc444e52dd42ab456f7ccfd5152e8ecf21c" [[package]] name = "windows_x86_64_msvc" @@ -5619,9 +5610,9 @@ checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" [[package]] name = "windows_x86_64_msvc" -version = "0.52.0" +version = "0.52.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dff9641d1cd4be8d1a070daf9e3773c5f67e78b4d9d42263020c057706765c04" +checksum = "0770833d60a970638e989b3fa9fd2bb1aaadcf88963d1659fd7d9990196ed2d6" [[package]] name = "winreg" @@ -5687,7 +5678,7 @@ checksum = "9ce1b18ccd8e73a9321186f97e46f9f04b778851177567b1975109d26a08d2a6" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] @@ -5707,7 +5698,7 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.49", + "syn 2.0.50", ] [[package]] diff --git a/attestation-service/docs/parsed_claims.md b/attestation-service/docs/parsed_claims.md index cf79cb7a9..888adfd15 100644 --- a/attestation-service/docs/parsed_claims.md +++ b/attestation-service/docs/parsed_claims.md 
@@ -72,3 +72,19 @@ The following fields always exist. - `sgx.body.reserved4`: Reserved. - `sgx.body.isv_family_id`: ISV assigned Family ID. - `sgx.body.report_data`: Data provided by the user. + +## Azure TDX Confidential VM (az-tdx-vtpm) + +The claim inherit the fields from the TDX claim with and additional `tpm` hierachy in which the TEE's PCR values are stored: + +- `tpm.pcr{01,..,n}`: SHA256 PCR registers for the TEE's vTPM quote. + +Note: The TD Report and TD Quote are fetched during early boot in this TEE. Kernel, Initrd and rootfs are measured into the vTPM's registers. + +## Azure SEV-SNP Confidential VM (az-snp-vtpm) + +The claim inherit the fields from the SEV-SNP claim with and additional `tpm` hierachy in which the TEE's PCR values are stored: + +- `tpm.pcr{01,..,n}`: SHA256 PCR registers for the TEE's vTPM quote. + +Note: The TD Report and TD Quote are fetched during early boot in this TEE. Kernel, Initrd and rootfs are measured into the vTPM's registers. diff --git a/attestation-service/verifier/Cargo.toml b/attestation-service/verifier/Cargo.toml index 3a3a8a882..17480f34e 100644 --- a/attestation-service/verifier/Cargo.toml +++ b/attestation-service/verifier/Cargo.toml @@ -18,8 +18,8 @@ cca-verifier = [ "ear", "jsonwebtoken", "veraison-apiclient" ] anyhow.workspace = true asn1-rs = { version = "0.5.1", optional = true } async-trait.workspace = true -az-snp-vtpm = { version = "0.5.1", default-features = false, features = ["verifier"], optional = true } -az-tdx-vtpm = { version = "0.5.1", default-features = false, features = ["verifier"], optional = true } +az-snp-vtpm = { version = "0.5.2", default-features = false, features = ["verifier"], optional = true } +az-tdx-vtpm = { version = "0.5.2", default-features = false, features = ["verifier"], optional = true } base64 = "0.21" bincode = "1.3.3" byteorder = "1" 
diff --git a/attestation-service/verifier/src/az_snp_vtpm/mod.rs b/attestation-service/verifier/src/az_snp_vtpm/mod.rs index 0dfdc6f8c..82b4243e9 100644 --- a/attestation-service/verifier/src/az_snp_vtpm/mod.rs +++ b/attestation-service/verifier/src/az_snp_vtpm/mod.rs @@ -18,6 +18,7 @@ use az_snp_vtpm::vtpm::Quote; use log::{debug, warn}; use openssl::pkey::PKey; use serde::{Deserialize, Serialize}; +use serde_json::Value; use sev::firmware::host::{CertTableEntry, CertType}; const HCL_VMPL_VALUE: u32 = 0; @@ -43,6 +44,24 @@ impl AzSnpVtpm { } } +pub(crate) fn extend_claim_with_tpm_quote( + claim: &mut TeeEvidenceParsedClaim, + quote: &Quote, +) -> Result<()> { + let Value::Object(ref mut map) = claim else { + bail!("failed to extend the claim, not an object"); + }; + + let mut tpm_values = serde_json::Map::new(); + for (i, pcr) in quote.pcrs_sha256().enumerate() { + tpm_values.insert(format!("pcr{:02}", i), Value::String(hex::encode(pcr))); + } + debug!("extending claim with TPM quote: {:#?}", tpm_values); + map.insert("tpm".to_string(), Value::Object(tpm_values)); + + Ok(()) +} + #[async_trait] impl Verifier for AzSnpVtpm { /// The following verification steps are performed: @@ -83,7 +102,9 @@ impl Verifier for AzSnpVtpm { let vcek = Vcek::from_pem(&evidence.vcek)?; verify_snp_report(&snp_report, &vcek, &self.vendor_certs)?; - let claim = parse_tee_evidence(&snp_report); + let mut claim = parse_tee_evidence(&snp_report); + extend_claim_with_tpm_quote(&mut claim, &evidence.quote)?; + Ok(claim) } } @@ -145,9 +166,10 @@ fn verify_snp_report( mod tests { use super::*; use az_snp_vtpm::vtpm::VerifyError; + use serde_json::json; const REPORT: &[u8; 2600] = include_bytes!("../../test_data/az-snp-vtpm/hcl-report.bin"); - const QUOTE: &[u8; 1362] = include_bytes!("../../test_data/az-snp-vtpm/quote.bin"); + const QUOTE: &[u8; 1170] = include_bytes!("../../test_data/az-snp-vtpm/quote.bin"); const REPORT_DATA: &[u8] = "challenge".as_bytes(); #[test] 
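Review bot: Nothing in `extend_claim_with_tpm_quote` checks the quote, so the PCR values it copies into the claim are only trustworthy if the caller has already verified it. In the `AzSnpVtpm` hunk that follows, that verification sits outside the visible lines, although the existing tests reference `VerifyError::PcrMismatch`, so a PCR digest check presumably exists. Because these claims are meant to be compared against reference values, state the precondition on the function, e.g. `/// The quote must already be verified by the caller; its PCR values are copied into the claim as-is.` Separately, `map.insert("tpm".to_string(), …)` silently replaces any existing `tpm` entry. The key format `format!("pcr{:02}", i)` also yields `pcr00`…`pcr23`, which does not match the `tpm.pcr{01,..,n}` naming in the `parsed_claims.md` text added by this same patch.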
@@ -273,4 +295,22 @@ mod tests { VerifyError::PcrMismatch.to_string() ); } + + #[test] + fn test_extend_claim_with_tpm_quote() { + let mut claim = json!({"some": "thing"}); + let quote: Quote = bincode::deserialize(QUOTE).unwrap(); + extend_claim_with_tpm_quote(&mut claim, "e).unwrap(); + + let map = claim.as_object().unwrap(); + assert_eq!(map.len(), 2); + let tpm_map = map.get("tpm").unwrap().as_object().unwrap(); + assert_eq!(tpm_map.len(), 24); + + for (i, pcr) in quote.pcrs_sha256().enumerate() { + let key = format!("pcr{:02}", i); + let value = tpm_map.get(&key).unwrap().as_str().unwrap(); + assert_eq!(value, hex::encode(pcr)); + } + } } diff --git a/attestation-service/verifier/src/az_tdx_vtpm/mod.rs b/attestation-service/verifier/src/az_tdx_vtpm/mod.rs index 274bca9f0..3e41add46 100644 --- a/attestation-service/verifier/src/az_tdx_vtpm/mod.rs +++ b/attestation-service/verifier/src/az_tdx_vtpm/mod.rs @@ -3,6 +3,7 @@ // SPDX-License-Identifier: Apache-2.0 // +use super::az_snp_vtpm::extend_claim_with_tpm_quote; use super::tdx::claims::generate_parsed_claim; use super::tdx::quote::{ecdsa_quote_verification, parse_tdx_quote, Quote as TdQuote}; use super::{TeeEvidenceParsedClaim, Verifier}; @@ -62,7 +63,9 @@ impl Verifier for AzTdxVtpm { verify_hcl_var_data(&hcl_report, &td_quote)?; - let claim = generate_parsed_claim(td_quote, None)?; + let mut claim = generate_parsed_claim(td_quote, None)?; + extend_claim_with_tpm_quote(&mut claim, &evidence.tpm_quote)?; + Ok(claim) } } @@ -111,7 +114,7 @@ mod tests { use az_tdx_vtpm::vtpm::VerifyError; const REPORT: &[u8; 2600] = include_bytes!("../../test_data/az-tdx-vtpm/hcl-report.bin"); - const QUOTE: &[u8; 1362] = include_bytes!("../../test_data/az-tdx-vtpm/quote.bin"); + const QUOTE: &[u8; 1170] = include_bytes!("../../test_data/az-tdx-vtpm/quote.bin"); const TD_QUOTE: &[u8; 5006] = include_bytes!("../../test_data/az-tdx-vtpm/td-quote.bin"); #[test] 
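Review bot: `test_extend_claim_with_tpm_quote` covers only the success path, so the `bail!("failed to extend the claim, not an object")` branch is never exercised. Adding `let mut not_obj = json!("x");` and `assert!(extend_claim_with_tpm_quote(&mut not_obj, &quote).is_err());` would pin that failure mode. The hard-coded `assert_eq!(tpm_map.len(), 24)` also ties the test to the bundled `quote.bin`; a one-line comment saying where 24 comes from would help whoever regenerates the fixture next.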
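Review bot: `use super::az_snp_vtpm::extend_claim_with_tpm_quote;` makes the TDX verifier module depend on the SNP verifier module. `Cargo.toml` in this patch lists `az-snp-vtpm` and `az-tdx-vtpm` as separate optional dependencies, so if the two modules are gated by separate features (not visible here), a build with only the TDX verifier enabled would fail to resolve this path. The helper's `&Quote` parameter is also the type imported from the `az_snp_vtpm` crate. Consider moving the helper to a module both verifiers always compile and typing it against the quote type from `az-cvm-vtpm`, which `Cargo.lock` shows both crates depend on. As on the SNP path, `evidence.tpm_quote` has to be verified before `extend_claim_with_tpm_quote(&mut claim, &evidence.tpm_quote)?` runs; that part of the function is outside the hunk.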
diff --git a/attestation-service/verifier/src/snp/mod.rs b/attestation-service/verifier/src/snp/mod.rs
index 918be3aa9..3de637fea 100644
--- a/attestation-service/verifier/src/snp/mod.rs
+++ b/attestation-service/verifier/src/snp/mod.rs
@@ -112,7 +112,9 @@ impl Verifier for Snp {
 }
 }
- Ok(parse_tee_evidence(&report))
+ let claims_map = parse_tee_evidence(&report);
+ let json = json!(claims_map);
+ Ok(json)
 }
 }
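Review bot: The `json!(claims_map)` step looks redundant. The removed line returned `parse_tee_evidence(&report)` directly, so its result already had the function's return type, and the `az_snp_vtpm` hunk in this patch passes the same call's result straight to a `&mut TeeEvidenceParsedClaim` parameter. Wrapping it in `json!` re-serializes the whole claims value on every call and needs `serde_json::json` in scope, which this hunk does not show being imported. Unless `parse_tee_evidence` changes its return type outside this patch, keeping `Ok(parse_tee_evidence(&report))` is simpler. The enclosing function starts outside the hunk.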
diff --git a/attestation-service/verifier/test_data/az-snp-vtpm/hcl-report.bin b/attestation-service/verifier/test_data/az-snp-vtpm/hcl-report.bin index 5c58c8dbf99e5ac575621b0994f17a8c70658316..eb375e9058018805e3b69509ccf4b61c6ad11fcb 100644 GIT binary patch delta 1008 zcmWO4U1%Ex0KoBe7Fi!AOsY(VtPZWNdUAKUOD=ATcez~dD|bmQ_mQ9t$>nm%CAqI8 zm*lF3DToxs)u_yYQ}Dq)_))ArXqk2}MJ?0$GNBW#Zwi9oq(v*MegD7w;J-Y*Jbl)k zS>1i#nEv|o2P@d2XQ$_xomWp>xbYNmZ0Wz$-dJva_}&{`Sd3f@67#75sTFCv+;}Q z9oIjef7o2xm_qixKmOS11N;X2#y9^yBkoRZHevS5#qTz^hktSJUN1fOV(Z&i4z7bo zpSbNo?!d__&fh=W|5NSdt>?F9w-=TVn?Ig!UEXepWoa%j^*@^eRxO8S| z=_t79J@VSZqm6}^CNH*5!gr6A2iEp3*U#VnkGGjJ&t18BZTa=l+KKy0@S7XI&VF_0 zrB(cv(Ztf*Q{(l?`H`24@g9y7q#hPYh8@(ALQfRk5}0gwMKB-mogr3q_-aH<(;Wb6 z^AzF>O%IuB z*0)fERdf^t%jl?sIc7u5=i8AAi$#@$!=>zq*n`z{MokqejF@L^rN$OIxFl;vqb?F+ z)Gv_~X@x=t&_uOVXxLgUrdg#_MR&oBZT3Sdk->O#~blMx29+SwdK zImvo)Dk@t=vrb1 zVdEt`io&)+2|N&VB&(C+8_~Sc#agcKIc#;ms_2kISPHBns%tw?0B|HY?4h#28;UwC zYTl4^@ro9$Nl+W|tr&*)Rkk;zow)4h6iMsL4KS>fnSqAjy&#%J$Udj$Q=o4RbS>e> zidmdXkTTcWe*({j1%9Y2xh9<1*R-l_1;Nl_MXF*-kt&6L7GM>=EMVENKR$9uzc&s+ k1el~SAWjlEfM5g&5O53ykR(D^(AkOq0j>Ob0{{R3 delta 1008 zcmV~$U5MKR003a`JY`eFpPi^1%)8;Xmu2LqNm_3Ym!#=m+B9j?{8U_R(xge6UYnoh zry$)FggL=G4`jl|9rKi-pofQ3*&$OWayNX~gvmXLKI*`G5PT8l_g$O4HoH8W+sy7i z_4b!1&F{9G7pPN~3wx_Ab_z18zmFRrdl%`d(@qTm1G>nBh1;qGUj3(Q{e#?k+tJ39Tl zcjU3~_1|{Z*yES(O2p&RGv8jU+^&A`=EYqnxyzmS$=+XkA$eo}%zM)}!5=G^U;AbI z&hnx4cl^`y3*ryi8&AM*q0j1>bC)~cbn)`9)ZEth#~!)*>iWH}uJ2x7S$Q73KPy>k z46*kX-YsMwoV@kWPRTqm31)sik2%!dUMx+YJ-qO5bmgy)H~zkS{9JL1cz80kvVL&& z=FHiN@8*<%Ajn*8NyKcyMd|marg|XufyD}miQ<}EK?LLFkv~aql29iZ+N`K>Ftt32*rHp)avG7sO6%Dj{`x6hX!V*N6D_0 zos_^ta(Si>w3&(o8jddX)M76&dxXlFO*5o`ph`EYDc;sQJ}CJa$b+>dLv?Uw6!!IM zjEZzIRgyIz9+`R=22vB?WJ0u5x(-u$%m*4A0_gdcHz@al&XVMJiZrdDvT4*5fS1Mg zc#w@XRj=4yPA>>cgMe^NN>f`5m~R9%*#`7H5`pY*A!;}8S^ctTqpDQ=VKDT>4t%BWR$(WtEBN(Jz> zwjng398(v8fP)8kCTQ6%TPH9gOyPo5x6=b)WRd{WP#~Bqz;+J}@{Y=2Nr!GIXP8W`+%MfC4P$0y0b)V+9rkE*YiS 
zs*1&0W$YWR9@HG>hg4y#W02M=BYqgwFlLN6-6%!@TS$)*mt^u~l{PADN5s2S(Pr%e zVGbJ_ZbgZvw@L&Ki?D~vw8djpyl!hs#A%Wh0#ROwdf9|DY_i?%H5^;6wo0|OomdFg zukaBGs39YesKd%~c}NQVs4SO|VIsHW{8E^;Ae^gqZGQFX1KLY8ox!pYm;ulnO#&%` Z!T^#)aDYY;no1KXD1(q&mkumX{SV#=ZrcC= diff --git a/attestation-service/verifier/test_data/az-snp-vtpm/quote.bin b/attestation-service/verifier/test_data/az-snp-vtpm/quote.bin index 76d0dd0445273b4284a23c9c01a83fb4ac90dc25..3a281ff34edc8db9d39a139200db01b5c4bb1057 100644 GIT binary patch delta 720 zcmcb_HHovHfsp|WwEoJ-Pu$k|BfNTp)=Qg}-U_=XT>BE6CN@`7vW@k6gUjR-U8T!1 zyRv=%L`QC$ByaO#ih;Tnli3?45y#C});4Xi!7O5A_iWQn@(@{Tl*E7|>D-THQdGDMU&~xw8 zMxEF1ADGNs{7Yr=qRl231Ln#~7`oVdB=y#=K6GOKu1nsrs*Y(pzVsI#SNV4I)dmih z?Ljm1=88_}5B5EF`_wIiYdqC=r6%c0v_6q}^L&~3qd@nZX-B(t_k5obE-Bfl*{7-X zIsLNk$FyvP6MuFu4)X7?DO<-^f5L|AOBEy_82*PiyEjNMC^2wP`}STd<*jI(g@pZq z51$-1J+t$F?W1+b;GIypo7kFuY(ac|b{%Y@Xr+0yqcC1;? z_1n_q<`Um;(p!EuPJYFx0K)aM)-oF%CnRg$?bVOjnQUvj4h57ZCX?5`0(T$)7P4tee{1%5&nHxs9rgHo|X3A$@+`jd|ZXBQajQ%-oZrxI|NoPWKSDnAG-+ZNl#{LN}9f~dr$bHwBnHxIzta1)&rf6MRdTmoX< z5*ottd!7D2;JJ zH1`ypJ`v*bTz;+Uww>F1k0v~DZA#{_pI<(OYyZwf_Wr7fDk)EAl{w~J_O8&+I?lkEoROH5lbV;F3fAk`-U_6dL2O0^1!f@zAuxxLft&gN|NjgM z>~CiAq zZrk%bcu80B`CAM2EqL=s$ouX7s2=y3`(WyP;zRi+tXbr*q4k`(b-Azk&g_d1qEDwr zUlS1IY5MZ}4@{k{YtO&XGt95#UF=1Z_Py!-DpUH;qAnoT+rvb*a1h5hC$6*TrwcBby+70{Ci{DdFUtbg2aO_kbf%thPhS1# z8Y12ZSPOUG$AwNuP1~M7QnEYl7w;?O=`=N4{^pvBUw`hm3RW$4y#=$ESo0pwl&-z& zzOQalQC72VM#)i=*+JVofAQ|v8gXp?E6s2}Qq3dQUSQ(J3t;x*RRokAD(VP@3jpT7 BGv5FJ diff --git a/attestation-service/verifier/test_data/az-snp-vtpm/vcek.pem b/attestation-service/verifier/test_data/az-snp-vtpm/vcek.pem index c7e9c01c8..8f50d2204 100644 --- a/attestation-service/verifier/test_data/az-snp-vtpm/vcek.pem +++ b/attestation-service/verifier/test_data/az-snp-vtpm/vcek.pem 
@@ -3,29 +3,105 @@ MIIFTDCCAvugAwIBAgIBADBGBgkqhkiG9w0BAQowOaAPMA0GCWCGSAFlAwQCAgUA oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATCjAwIBATB7MRQwEgYD VQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDASBgNVBAcMC1NhbnRhIENs YXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5jZWQgTWljcm8gRGV2aWNl -czESMBAGA1UEAwwJU0VWLU1pbGFuMB4XDTIzMDEwMTA1MzExOFoXDTMwMDEwMTA1 -MzExOFowejEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQwEgYD +czESMBAGA1UEAwwJU0VWLU1pbGFuMB4XDTIzMDUwMjIxMjIxOVoXDTMwMDUwMjIx +MjIxOVowejEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQwEgYD VQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFkdmFuY2Vk IE1pY3JvIERldmljZXMxETAPBgNVBAMMCFNFVi1WQ0VLMHYwEAYHKoZIzj0CAQYF -K4EEACIDYgAEP3PCTk5P1qVUrvZPD+Motv8TNuSxJs5IR21EHLVk7HKQ3bNFknCc -mwE4ldVb27hjHGpizC9Oom6HHfa7XjX+3P+77N217Tn8/u2MUWhlv7koTxe/xwuV -Xn07DiWV7ZSKo4IBFjCCARIwEAYJKwYBBAGceAEBBAMCAQAwFwYJKwYBBAGceAEC +K4EEACIDYgAE53roqP63VFYieePXcG6qPLq8m9pLUrvFe4V3RUMfTwPmAMBILaXW +3jNzcaPfj8bz9ZgtTRaIHPW5hPuro1OO1rM+dYI6N11Xtjqadw78qxcPdOUQMkjY +y6q5pqga5xj9o4IBFjCCARIwEAYJKwYBBAGceAEBBAMCAQAwFwYJKwYBBAGceAEC BAoWCE1pbGFuLUIwMBEGCisGAQQBnHgBAwEEAwIBAzARBgorBgEEAZx4AQMCBAMC AQAwEQYKKwYBBAGceAEDBAQDAgEAMBEGCisGAQQBnHgBAwUEAwIBADARBgorBgEE AZx4AQMGBAMCAQAwEQYKKwYBBAGceAEDBwQDAgEAMBEGCisGAQQBnHgBAwMEAwIB -CDARBgorBgEEAZx4AQMIBAMCAXMwTQYJKwYBBAGceAEEBEA6dUWWsrgPLlF2yq6v -VEvZSbse/BceAuFyGwp2fd/Jn04lmNJXQQtXEr6LTctPmYOLymx50lAmx2rwnxl5 -gvA8MEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0B -AQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBA4ICAQA3s4HR1ZshYd/PeYXfiuLV -kmTCWm+OBd9HVM0hXcNv2KWxRzmG7lBzNKfk71DLqsjOYK5uAS0Jdad9iSbJS6F9 -nQNL1O7/n8M3K6OYa1SYFubU1tXJjRL3Bzx/rcL1w6sGQIeXwDXNjxyPO433YbIW -oQ6VuUj5AeTLlp3hChfrQ0Nkj3DbfsmDmSL4F0vsSq629YxQ6XTT+tIT897iMMVI -IMUeJ4O7wxcMnoKoNbM+dTmKrkDm4/FdqYpsT2ziPD9FcTcMud0qZGy8YmUCa9cV -/g7xKrDfRe8A8FDe1iFAVJ62xhS7GiOx/F2Gd/oEHto9dwE4/OVRmZlFy1njlxZt -3Dd6W8z0TLmiyHngApx8VMJHNuf4+UeiDYkWo14ZzGlsMKHweGQhy/bRbkIpjNB/ -fUZsn404ZxV8+mbTdeMftIUAofDHryPq2/K4FZB6IucEil9S/dejUerlAlDn+uq/ 
-TT/FatsAv8gMnTHNB2/GRDRuiLf5bqRGXFRelV8K0edfoxxvW8JjiK2h6bsQf4aA -JPH53P1GFWvEu9zOsGTldzOIvcPdykMFxhssRryI4YTTwAg6BPpXM83kdnGCEPgU -pNO5zaEImuqtrxdmOZt8qGxyQ2DYgwS0QC8srEIxBtM9eBSJAodvgUiovwACF4+w -5CU3rQt0CzyWLJop7k8GMw== +CDARBgorBgEEAZx4AQMIBAMCAXMwTQYJKwYBBAGceAEEBEAZdSpEfbUBoyreRkKK +RukmOb01Fdu0Xi5nu8sJNP/PHz48AEzLSpnJ+n5P+wnaazJKxYrO2vZ58kun21+D +jGzKMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0B +AQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBA4ICAQCJk1WMW74Z9cOTBpgetdgb +fNHAmUKPwJIsOAWVlM/8dciPWcKdWc5VB7fy8bpOqCc95/RbUKFdT3cezjZ8Ukmo +mQh7ALdiuSvBVh2RVGVAJW9/xuIQTB09jJO2izL03vHy6ojrUBohyLUJI1Qajheu +6YjlZ2sL4xkvzMGqvKInqXYGEqMDrqgCIEFQ63Si1HWIi/ms3DPW+kZZNQVzAFCk +dDxMAaApAbBJNww28bCSHrkgnQdwrRzUlM38truqV/g0ItThiAzBWE7asBggRHxA +lHu53ECo4uZ0k9v3lD6NQ6lldnl0nM31rbry1rQlJqseyvWqDq4+/+LksBqdfsud +hDP1SdeRD7YzBziTn5Tr/XY+Vg+GxMfUNE2E0XW3FJMLGd8AnGIipRN67BmDQuY7 +oVeWF1ZJ0Gk+d3fbCuJ5lYECcBBq8zKje9u/zX1UaSwgi11RMkKB4pfBmLrGPppz +q/s5rx4x2+HrHyHLvpLeQaxWzMe0ZaF5XBYi5ujsOci550cl4x6mjb/grUucurSc +cjl0NTQeyL5L7cpNTp450U9p7+EVRRxx2kufc1EbcDyZ5pwlnqApcgLX5ajF51im +LikpLkCNCWdu5QNKFXquJkNSCaocE56djP1CwqirfeRuHvj7NpVA6QRJ8TFdjWV/ +J7rtq64Z//EpcDJ1B/c7PA== -----END CERTIFICATE----- + +-----BEGIN CERTIFICATE----- +MIIGiTCCBDigAwIBAgIDAQABMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC +BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS +BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg +Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp +Y2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTgyNDIwWhcNNDUxMDIy +MTgyNDIwWjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS +BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j +ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJU0VWLU1pbGFuMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAnU2drrNTfbhNQIllf+W2y+ROCbSzId1aKZft +2T9zjZQOzjGccl17i1mIKWl7NTcB0VYXt3JxZSzOZjsjLNVAEN2MGj9TiedL+Qew +KZX0JmQEuYjm+WKksLtxgdLp9E7EZNwNDqV1r0qRP5tB8OWkyQbIdLeu4aCz7j/S 
+l1FkBytev9sbFGzt7cwnjzi9m7noqsk+uRVBp3+In35QPdcj8YflEmnHBNvuUDJh +LCJMW8KOjP6++Phbs3iCitJcANEtW4qTNFoKW3CHlbcSCjTM8KsNbUx3A8ek5EVL +jZWH1pt9E3TfpR6XyfQKnY6kl5aEIPwdW3eFYaqCFPrIo9pQT6WuDSP4JCYJbZne +KKIbZjzXkJt3NQG32EukYImBb9SCkm9+fS5LZFg9ojzubMX3+NkBoSXI7OPvnHMx +jup9mw5se6QUV7GqpCA2TNypolmuQ+cAaxV7JqHE8dl9pWf+Y3arb+9iiFCwFt4l +AlJw5D0CTRTC1Y5YWFDBCrA/vGnmTnqG8C+jjUAS7cjjR8q4OPhyDmJRPnaC/ZG5 +uP0K0z6GoO/3uen9wqshCuHegLTpOeHEJRKrQFr4PVIwVOB0+ebO5FgoyOw43nyF +D5UKBDxEB4BKo/0uAiKHLRvvgLbORbU8KARIs1EoqEjmF8UtrmQWV2hUjwzqwvHF +ei8rPxMCAwEAAaOBozCBoDAdBgNVHQ4EFgQUO8ZuGCrD/T1iZEib47dHLLT8v/gw +HwYDVR0jBBgwFoAUhawa0UP3yKxV1MUdQUir1XhK1FMwEgYDVR0TAQH/BAgwBgEB +/wIBADAOBgNVHQ8BAf8EBAMCAQQwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cHM6Ly9r +ZHNpbnRmLmFtZC5jb20vdmNlay92MS9NaWxhbi9jcmwwRgYJKoZIhvcNAQEKMDmg +DzANBglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKID +AgEwowMCAQEDggIBAIgeUQScAf3lDYqgWU1VtlDbmIN8S2dC5kmQzsZ/HtAjQnLE +PI1jh3gJbLxL6gf3K8jxctzOWnkYcbdfMOOr28KT35IaAR20rekKRFptTHhe+DFr +3AFzZLDD7cWK29/GpPitPJDKCvI7A4Ug06rk7J0zBe1fz/qe4i2/F12rvfwCGYhc +RxPy7QF3q8fR6GCJdB1UQ5SlwCjFxD4uezURztIlIAjMkt7DFvKRh+2zK+5plVGG +FsjDJtMz2ud9y0pvOE4j3dH5IW9jGxaSGStqNrabnnpF236ETr1/a43b8FFKL5QN +mt8Vr9xnXRpznqCRvqjr+kVrb6dlfuTlliXeQTMlBoRWFJORL8AcBJxGZ4K2mXft +l1jU5TLeh5KXL9NW7a/qAOIUs2FiOhqrtzAhJRg9Ij8QkQ9Pk+cKGzw6El3T3kFr +Eg6zkxmvMuabZOsdKfRkWfhH2ZKcTlDfmH1H0zq0Q2bG3uvaVdiCtFY1LlWyB38J +S2fNsR/Py6t5brEJCFNvzaDky6KeC4ion/cVgUai7zzS3bGQWzKDKU35SqNU2WkP +I8xCZ00WtIiKKFnXWUQxvlKmmgZBIYPe01zD0N8atFxmWiSnfJl690B9rJpNR/fI +ajxCW3Seiws6r1Zm+tCuVbMiNtpS9ThjNX4uve5thyfE2DgoxRFvY1CsoF5M +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGYzCCBBKgAwIBAgIDAQAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC +BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS +BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg +Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp +Y2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTcyMzA1WhcNNDUxMDIy 
+MTcyMzA1WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS +BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j +ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLU1pbGFuMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEA0Ld52RJOdeiJlqK2JdsVmD7FktuotWwX1fNg +W41XY9Xz1HEhSUmhLz9Cu9DHRlvgJSNxbeYYsnJfvyjx1MfU0V5tkKiU1EesNFta +1kTA0szNisdYc9isqk7mXT5+KfGRbfc4V/9zRIcE8jlHN61S1ju8X93+6dxDUrG2 +SzxqJ4BhqyYmUDruPXJSX4vUc01P7j98MpqOS95rORdGHeI52Naz5m2B+O+vjsC0 +60d37jY9LFeuOP4Meri8qgfi2S5kKqg/aF6aPtuAZQVR7u3KFYXP59XmJgtcog05 +gmI0T/OitLhuzVvpZcLph0odh/1IPXqx3+MnjD97A7fXpqGd/y8KxX7jksTEzAOg +bKAeam3lm+3yKIcTYMlsRMXPcjNbIvmsBykD//xSniusuHBkgnlENEWx1UcbQQrs ++gVDkuVPhsnzIRNgYvM48Y+7LGiJYnrmE8xcrexekBxrva2V9TJQqnN3Q53kt5vi +Qi3+gCfmkwC0F0tirIZbLkXPrPwzZ0M9eNxhIySb2npJfgnqz55I0u33wh4r0ZNQ +eTGfw03MBUtyuzGesGkcw+loqMaq1qR4tjGbPYxCvpCq7+OgpCCoMNit2uLo9M18 +fHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXoQPHfbkH0CyPfhl1j +WhJFZasCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSFrBrRQ/fI +rFXUxR1BSKvVeErUUzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG +KWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvTWlsYW4vY3JsMEYGCSqG +SIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI +AWUDBAICBQCiAwIBMKMDAgEBA4ICAQC6m0kDp6zv4Ojfgy+zleehsx6ol0ocgVel +ETobpx+EuCsqVFRPK1jZ1sp/lyd9+0fQ0r66n7kagRk4Ca39g66WGTJMeJdqYriw +STjjDCKVPSesWXYPVAyDhmP5n2v+BYipZWhpvqpaiO+EGK5IBP+578QeW/sSokrK +dHaLAxG2LhZxj9aF73fqC7OAJZ5aPonw4RE299FVarh1Tx2eT3wSgkDgutCTB1Yq +zT5DuwvAe+co2CIVIzMDamYuSFjPN0BCgojl7V+bTou7dMsqIu/TW/rPCX9/EUcp +KGKqPQ3P+N9r1hjEFY1plBg93t53OOo49GNI+V1zvXPLI6xIFVsh+mto2RtgEX/e +pmMKTNN6psW88qg7c1hTWtN6MbRuQ0vm+O+/2tKBF2h8THb94OvvHHoFDpbCELlq +HnIYhxy0YKXGyaW1NjfULxrrmxVW4wcn5E8GddmvNa6yYm8scJagEi13mhGu4Jqh +3QU3sf8iUSUr09xQDwHtOQUVIqx4maBZPBtSMf+qUDtjXSSq8lfWcd8bLr9mdsUn +JZJ0+tuPMKmBnSH860llKk+VpVQsgqbzDIvOLvD6W1Umq25boxCYJ+TuBoa4s+HH +CViAvgT9kf/rBq1d+ivj6skkHxuzcxbk1xv6ZGxrteJxVH7KlX7YRdZ6eARKwLe4 +AFZEAwoKCQ== +-----END CERTIFICATE----- + 
diff --git a/attestation-service/verifier/test_data/az-tdx-vtpm/hcl-report.bin b/attestation-service/verifier/test_data/az-tdx-vtpm/hcl-report.bin index daca213c6d61393cbeb75e3a7767c275d68d8f67..512df8aa9aedda0dea23c0c41807a4021c3f42d8 100644 GIT binary patch delta 879 zcmW-cJ*eY!0Kogshn(n>CwHEc@OTKf7)bI@(!|MpG;Pv+^xq~;6NHjB-)WMjY4cHp zCyF=-!n1>ei{pWd$2kiQjt4q9IUP7U2qHM$!|AvEe*B(1eDd&O#4GH*Ua$B0YrWpR z+n*oYUVU=)4KdLly?d$bUp)Hg?SH!;l5c;!_^&**@BIGPpI_NDb9#FA;nm08AE!?r z|1-Va|N8v;`A?58-n{&B_Tar2#_Q)_fAQHH>a(k}?_PQ9m-All>`s4&|M~Rv+qrtv z$<-nZS$6AZAj#PhZt5)LB>Pxm-4wGh2j+pd0>T_2^U1g!3_7#fW2BaGOC@knd%SS^ zInioEqFG8sf0(u1ey6t)b=+z-!pBHD)0L!UN^AnfMrAV?5JPz`YA!RFl*Ns-w5zD^ zZKd(i86WGNTJ<}hL;BZ@f0lFHTG2`gIeDr;Faut%#%s?$hwS;G;aVHJo!J7CP+;Ea`VglqsW)QG&v z0c`0Owv2vEb~S8VsEyQlL(Gd_3dD4EyN=A6LY2JAYOn*@&g1B zs6~mNs#ixhInpp7WVy+3Lyh9ntN~r@h6p|h>7~$YL`gZ1gsB#D_(IES^en>kxl zT_wy;lU>U9C4_ZRX+MN@O%!}FMmS}nQLFVLB}TTY=cEPkO;ln1IE7|PS{rLRoO9zq zUSfCskk;BHTCgjt^_8IY%nmktXI)7nkZdZ!Dt4Y}ur=R6>c}ugYT~+VFj0WopsFe` zuli`S$x@Ss!))w<9krIxik*68WX>x;cqy3#Lx`}gxZCX6Vq?|>;LHd(fR8ltI%h?Uhk7vd%d#< zzr6F{;^T|s-=F>T{AqR{K6~xUKf|BD{^R`muZQoAUw-%YyZ7&YSiQJ@-2dR>-+PCz z-gtQX2mP+%8tE5LKi!_rJ{muEzkUAeKko0JyH76q-@NkHvs=Ah|0aLK|NeOW+pXzU z6}6Igr0Loo!hIf9rt1wNfeQ(5fIwambgo5m5wYNW$QR5ga1_!cD-$Xs;D=0cg3M6f zHk^?bW(FMEIZZ|yV&Fs^u4ikS7nn57ttgQpNqUn~Q|g*DHDF~>JVG#=Tm`)04HMa_ z)sZ3xtIqL`77vh+j^unXGeJ3%fV?4NjNUe>w@MU%Ie~SWo;=16{fuPvlF-p^vpdYG z!K6qX!OwMWy-xrswURtC7sX=iXJ+I`iL5qRK0l3@ff{E7hGTGR2LphPb6af>$+DA6 zU8Uo0RP0qg_6v~2#4+*owpL;u7cuIFZz}`&&-KH@v8#Koq}uT z7|yP*54Xju&S-NqqM5|Q*DzR86*iz-f7fb47D_JKF~;(!WkwFvZ8hZ@30Yu5gcrqZ zw{Q*B(ps!&Ooc^*?S8XNS(Z3(AS$V~Mu-%iBqu?uxBiM~;cy+sH|NSynd2@H#$s}) z+Qtpi9J33A$C6Mxw< z*3_^!HfOm;p!(BJ8&+%?!9?7V+qr-qEzTBcfg!`v(U!D{XO#}pnj}~dz{Fh?_CP>K zzMmjg3GhP{tf)m9>haEveYd5u4oUPbBZaji=o>rrGOUK|7`W~L1G$a0^M)qM<4D|3 zJPb99U>1>k3n~$D{pOwT$*Qb_dza1LN;gFvNdD#fmkdh?7{D=vCrJh&aF#;o5lbS% U07ZusF``itfAaDU==Xd70gM4AZ~y=R 
diff --git a/attestation-service/verifier/test_data/az-tdx-vtpm/quote.bin b/attestation-service/verifier/test_data/az-tdx-vtpm/quote.bin index 26e9da2c8fa4c3c3b981ae35d0e1a6c7f77cc05c..beb697cbee6fa6448153fd318e746db1755bbf01 100644 GIT binary patch delta 726 zcmcb_HHovHfsp|W7AKk|d)IINCL8fec+-N~T`UP-`4m0tGm>{)EvPSFl0P%@_95TkZFkJy1si0a z-D4|Ufb6XcTWn&qozMjgJ9 zv1#dH#;CXFj>`Q%A3WRaliJC3Y!ixqS3v@T;eUv;dxHdn5(Bs1kG;7Ohg}zbZO`Sf zj^6)Hq|czXobP4!C$)F;!ZkI67&wzN5_57=^U_m6dPP;!TY(hgjEW+}rzD|B{$T%PrOzZ8pc);z-e^HI&7~@J5)lheQISA zyS;Ij;I^Ar*4*>?Y%0;d)>TK%&FG|m?!U7s-5_Q zamwUCW(9|$*K;2>sF&ogn{J~KEa<86uY!a9+@8r=`!_rj%oXW(kEwjLFJ_|dj&!j$+A%iF;YJDTBjnG$=<3fTMtK_aeKib{W~r6KhHZ_B`48 zLR$a8fe$xkoRMp(c^hNJmg?BYRd8zJDK^XH^Gw?Ro;p}OW9d4sl5;U1WqJ9%7^^d6 z`tN8~GKeOpFutBux#w?N6(krK{)afbH%KrjF>n`_mnQw?h}*+^Iy&7U)@Y&Kyjj2A zoDFhLIluG$yQt3n44lasi8(o`dFiQOy;AXNK$;oEW>ipM7Ge+ra~K)8ng9R)&!8~< z$vGLOcZoZM%XxUYI$qx2y!gwHIrERrcyKM!tJK-}umnga5Ga6228If4g^m27XWSl% z=o}J>4QZRfZWsN!sZ^)8ep2O!8;goz>U`ou`6jGcHR8G`p|3s`B_CK3+*NQDlrno4?hM10A^m!x8l^Sop+Ot+BS<`{ot6! z@#Nw3%k^oS@_Y+Fe6mzO08_{D&28BgzvNw$qVhw33dpUG%ZD} zz|;}27Vf@}3!RRdwmpBOWOv*z-dD=gX==9o%{3Lj{@iaBtXk}Pi&XO-&y=pc>%OmU yQc+g3Zbr#bli5MrJAd)+*cx$c{wvLJKT^#j)*rycjTgY|#j6M?IaJgU3Ksz8d?ZEy 
diff --git a/attestation-service/verifier/test_data/az-tdx-vtpm/td-quote.bin b/attestation-service/verifier/test_data/az-tdx-vtpm/td-quote.bin index b5b00b282a0147a9d2e853f52d8ec61d5b0702f7..e90918ef3856dbbf313be8ddec690dbdadf697be 100644 GIT binary patch delta 680 zcmV;Z0$2TxCypnO91!t-tPw6u*`WIT;k0X7@sF`A3<4mRG*C|#9S}@(;}%>M_j#~t zo3su3ag%r#*Y4(ySvWb7aUg%p5C8xYUHEc3@FfPa%;3i$!shlUphTK`$8(#UIGrt{ zr^Sa=Z9exUsc}+1^;7W9@<#MgKPLbyYLxjdn&VBNfJl_<@p>^EwV=T~xuFmuIfH;K zj^YBm0a;PzIaQ^J%Pu9x!DcPi`zY=!?w#Z0+f@i|0Tad>?Yg=|pCtuEy@LwQv-|=^ z0U#AO+!HKj5abt%q8hz>_K=ZVZQ!OAOlcn!!*zu-x0R7`AV9U{ENyJ!i~2nc!fLs1 zWHQX!P!21Hb>=I^lin4(wpC#gx`vH;ZDzj)&9EehniLvJWq8SO?p9hPgF&EO=?AVO+;0AlL-dESWII<3QS^8cxq)raBNRB zc404hG;~OGc5y^{XIMg1Fi1{$FilrVOlfm>Ycoq>V@O#sI5#zQGFVM;Yh`XxPgFuj zcnV1|XlztgN_ufkZ&h<+R#u0vAJhY%@?fZ(&V(P6|(WY)WQj zGiGovIFslKaAa#iO+{Hl3Q18zYhgi2Z&YP@YB^MCL~l57YcDWRLoY9SV{lM6LqS+` zYH?^vOH6ESc6nz>XhBL#a&l*MVr(%oHfm)vSPEe)Z%1ZBR8&wyMKf4JbyRgnD^Pi2 OHeoU=H!rii3(^OtZVem& delta 680 zcmV;Z0$2TxCypnO91v12Y=7%FCc`=KAm)Zg;#2QH}-7qKPf5(8RPZplcCwWA}}_#hNz7 z#r)R^O_a%!1nVo>zl5BwFC2D#e+dKlTRcx94G_zz7R7Ydo4cOg4YN;z%4;4JjmSv`SamEgn}Szwz-`Mvw(?Vr(O2v-|=^ z0U+Y9S;oTmW6$o(!#6@n{>dmsrr&uNSYOEg$4VpY}Y5R!#ZmB?;e?xEykX_$uv=Ms~` z1V}44dP74(N?~U~cS%A)XGv9MSyn}LQ%iSJRB>xCNl{cqS~+HSNO@RgPdJk`1+yV| zO;ka8O+;BRO;ka8S7>8SO?p9iO;ka8O+;BRO;ka8lL-dESV?Pd3Q0~jdQC}ZS8zmd zWk_mFY;|^dY;kf)G(>PmI51Q$7E zND5a}Vl;SZFLZKPOG{97N>po9d6OXr*&Ie$X+dZ-HFq>wN_J~yZf{gWP%>6kHVQLo zR(g{b2wfFzVOCW%G%GnyZBJQ6D@biqHgQ!_vxo>u0vAt0PH#alG