Skip to content

Commit

Permalink
verifier: Change logic to check the attestation report version
Browse files Browse the repository at this point in the history
Fixes Issue #589

Change the check condition to handle multiple attestation report versions.

Signed-off-by: Adithya Krishnan Kannan <[email protected]>
  • Loading branch information
AdithyaKrishnan authored and mkulke committed Nov 25, 2024
1 parent a0e3448 commit 86223c4
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions deps/verifier/src/snp/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,10 @@ const LOADER_SPL_OID: Oid<'static> = oid!(1.3.6 .1 .4 .1 .3704 .1 .3 .1);
const KDS_CERT_SITE: &str = "https://kdsintf.amd.com";
const KDS_VCEK: &str = "/vcek/v1";

/// Attestation report versions supported
const REPORT_VERSION_MIN: u32 = 2;
const REPORT_VERSION_MAX: u32 = 3;

#[derive(Debug)]
pub struct Snp {
vendor_certs: VendorCertificates,
Expand Down Expand Up @@ -104,8 +108,9 @@ impl Verifier for Snp {

verify_report_signature(&report, &cert_chain, &self.vendor_certs)?;

if report.version != 2 {
return Err(anyhow!("Unexpected report version"));
// See Trustee Issue#589 https://github.com/confidential-containers/trustee/issues/589
if report.version < REPORT_VERSION_MIN || report.version > REPORT_VERSION_MAX {
return Err(anyhow!("Unexpected attestation report version. Check SNP Firmware ABI specification"));
}

if report.vmpl != 0 {
Expand Down

0 comments on commit 86223c4

Please sign in to comment.