Update SNP Verifier with report and init claims #253
Conversation
|
Now SGX and TDX are using hex as the claims. Maybe we should have a standard for all platforms? All using base64 or hex? It would help the consumer without worrying about the encoding of the claims. |
|
btw #248 is mergwd |
Yeah I think it has to be standardized or we aren't going to be able to move the checks out of individual verifiers. |
Another idea is whether we need to standardize other claims? This could be a potential work for all platforms. Or, we should record the different encoding algorithm in the document. |
|
If the claims are generic for each TEE, should we add them individually in the TEE-specific parts of a the verification logic? can we just add them after the verification has passed? (IMO, it probably would be cleaner to have them added in the |
|
I recommend decoupling test cleanups into a discrete PR. We should really attempt to reduce the number of drive-by fixes. Non-controversial but necessary quality improvements could be merged quickly, and we can focus our review-time on parts which require more scrutiny. untangling unrelated parts from change-sets is a cognitive overhead. |
As of today we could add the expected @mkulke my question for you is whether there is anything wrong with exposing the Generally I agree that smaller PRs are better, but I don't mind simple drive-by fixes here and there, especially if it increases the likelihood that things get fixed. |
For az-{snp,tdx}-vtpm TEEs we would have to make changes to support this, at the moment nonce/report_data verification is coupled with signature validation in an encapsulated library fn, like this: 
but in principle the verification can be split, I think. What would be the projected timeframe for such a change?
Is there a reason why report_data should be part of a claims map? It's a property of a concrete RCAR exchange and hence not useful for a consumer of a claims map, is it? Evidence extraction logic for report_data would still need to be implemented individually for each TEE, even if the verification is moved to upper layers. I would still recommend to have this close to the verifier implementation, maybe we can change the trait signatures, so a given TEE's evidence needs to implement trait ExtractReportData {
fn report_data(&self) -> &[u8];
}
type ClaimsMap = (); // dummy
trait Verifier {
type Evidence: ExtractReportData;
fn evaluate(&self, evidence: &Self::Evidence) -> Result<ClaimsMap>;
}
struct MyTee;
type MyEvidence = [u8;64]; // dummy
impl ExtractReportData for MyEvidence {
fn report_data(&self) -> &[u8] {
todo!();
}
}
impl Verifier for MyTee {
type Evidence = MyEvidence;
fn evaluate(&self, evidence: &MyEvidence) -> Result<ClaimsMap> {
todo!();
}
}
I'm not sure I understand. Init-data is a CoCo concept, how would that be related to provisioning of a vTPM? |
I don't think there is any specific timeline. It would be nice to get things sorted out before we implement support for validating the init-data via the policy i.e. passing the expected init-data into AS and to the OPA verifier.
Yes, hence we need changes to each verifier before we can go forward with this. The traits you suggest are interesting. To me I am fine with leaving the verifier implementation completely open as long as it somehow returns a claims map. We could think about adding an extra method to the verifier trait to get the report data, but I am a little wary of separating evaluation of the evidence from parsing of the evidence.
I just mean that for AZ SNP verifier the |
a thanks, understood. having report_data and init_data in the claims would be misleading indeed, Can you add this change to bottom of the az-snp-vtpm verifier logic, so we unset the respective keys from the json map? ...
let mut claim = parse_tee_evidence(&snp_report);
drop_unsupported_claims(&mut claim)?;
Ok(claim)
}
}
fn drop_unsupported_claims(claim: &mut serde_json::Value) -> Result<()> {
let claim_map = claim
.as_object_mut()
.ok_or(anyhow::anyhow!("couldn't get claim map"))?;
claim_map.remove("init_data");
claim_map.remove("report_data");
Ok(())
} |
If we drop both of these the AS isn't going to be able to verify that the report_data is correct. I guess we could drop the init_data from the AZ SNP claims. The check in the AS for the init_data can maybe be optional? |
re report_data: as long as the signature to If the signature changes, and we don't receive re init_data: at the moment it's still not entirely clear to me how we want to curate init_data in attestation-agent on a peerpod. If we can ignore it for the time being until we know more, that would be fine w/ me. |
If there is no way to extract the report data from the evidence, then #228 might not really be feasible. |
Ah, I just meant it won‘t work automagically ootb, we need to make a crate release + bump a dep in this repo before we can use the respective code to do that. in principle #228 shouldn‘t be blocked, just needs prepwork |
Ok, in that case let me add the code you suggested and once we are ready we can tweak things to work better for #228 btw I think in the long term we can just have the AS remove the report_data from the claims map before it does the policy evaluation. |
fitzthum
force-pushed
the
snp-updates
branch
from
1504741 to
1c2d3fd
Compare
|
Ok, I forget what was happening with this PR. I think we ran into some confusion regarding how to handle |
| @@ -258,6 +258,11 @@ mod tests { | |||
| use super::*; | |||
| use openssl::nid::Nid; | |||
|
|
|||
| const VCEK: &[u8; 1360] = include_bytes!("../../test_data/snp/test-vcek.der"); | |||
There was a problem hiding this comment.
Might not related to the PR. But if we can have an agreement that the binary values should be all showed as hex or base64? see Line 250 in this file (I cannot add comment to line out of this PR)
There was a problem hiding this comment.
Yeah let's take this in a separate issue but I think it is probably a good idea.
There was a problem hiding this comment.
Ok. See #372. And I think other fields of SNP should also do the same, such as https://github.com/confidential-containers/trustee/blob/main/attestation-service/verifier/src/snp/mod.rs#L240
Follows the layout of other verifiers Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
Includes brief description of reported TCB Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
|
Rebased to pick up the vlek change. I think the comments are accounted for so I merged before I forget about this PR again. |
Also, move the SNP testing data into the test_data directory.
@mkulke This seems like it's going to have somewhat incorrect implications for the AZ Verifier (since we don't want to use the init data from the report for that). Not sure what the best way to reconcile is.
@Xynnn007 It seems like we don't specify what format the report_data and init_data should be returned in the claims map. I am assuming we want base64.
I am planning to also add to the parsed claims doc once #248 is merged.