From e9ad270361dd5c3ef5a8dd90b22b16c35fa25fc8 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Wed, 29 May 2024 16:39:09 +0800 Subject: [PATCH 1/3] AS/verifier: support AA eventlog in TDX This is an alignment with guest-components side AA eventlog. Signed-off-by: Xynnn007 --- Cargo.lock | 1 + deps/verifier/Cargo.toml | 1 + deps/verifier/src/az_tdx_vtpm/mod.rs | 2 +- deps/verifier/src/eventlog/hash.rs | 22 +++ deps/verifier/src/eventlog/mod.rs | 189 ++++++++++++++++++++ deps/verifier/src/lib.rs | 2 + deps/verifier/src/tdx/claims.rs | 12 +- deps/verifier/src/tdx/eventlog.rs | 5 +- deps/verifier/src/tdx/mod.rs | 38 +++- deps/verifier/test_data/aael/AAEL_data_1 | 2 + deps/verifier/test_data/aael/AAEL_data_2 | 2 + deps/verifier/test_data/aael/AAEL_data_3 | 3 + deps/verifier/test_data/aael/AAEL_quote_tdx | Bin 0 -> 5006 bytes 13 files changed, 268 insertions(+), 11 deletions(-) create mode 100644 deps/verifier/src/eventlog/hash.rs create mode 100644 deps/verifier/src/eventlog/mod.rs create mode 100644 deps/verifier/test_data/aael/AAEL_data_1 create mode 100644 deps/verifier/test_data/aael/AAEL_data_2 create mode 100644 deps/verifier/test_data/aael/AAEL_data_3 create mode 100644 deps/verifier/test_data/aael/AAEL_quote_tdx diff --git a/Cargo.lock b/Cargo.lock index 62d356259..44e1f3eaa 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5619,6 +5619,7 @@ dependencies = [ "serde_with", "serial_test", "sev", + "sha2", "shadow-rs", "strum", "thiserror", diff --git a/deps/verifier/Cargo.toml b/deps/verifier/Cargo.toml index 774b10d51..8f78b6ff4 100644 --- a/deps/verifier/Cargo.toml +++ b/deps/verifier/Cargo.toml @@ -42,6 +42,7 @@ serde.workspace = true serde_json.workspace = true serde_with = { workspace = true, optional = true } sev = { version = "3.1.1", features = ["openssl", "snp"], optional = true } +sha2.workspace = true tokio = { workspace = true, optional = true, default-features = false } intel-tee-quote-verification-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.21", optional = true } strum.workspace = true diff --git a/deps/verifier/src/az_tdx_vtpm/mod.rs b/deps/verifier/src/az_tdx_vtpm/mod.rs index 2e85da789..5ceeb7f90 100644 --- a/deps/verifier/src/az_tdx_vtpm/mod.rs +++ b/deps/verifier/src/az_tdx_vtpm/mod.rs @@ -63,7 +63,7 @@ impl Verifier for AzTdxVtpm { verify_hcl_var_data(&hcl_report, &td_quote)?; - let mut claim = generate_parsed_claim(td_quote, None)?; + let mut claim = generate_parsed_claim(td_quote, None, None)?; extend_claim_with_tpm_quote(&mut claim, &evidence.tpm_quote)?; Ok(claim) diff --git a/deps/verifier/src/eventlog/hash.rs b/deps/verifier/src/eventlog/hash.rs new file mode 100644 index 000000000..0b828311b --- /dev/null +++ b/deps/verifier/src/eventlog/hash.rs @@ -0,0 +1,22 @@ +// Copyright (c) 2024 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +use strum::{AsRefStr, EnumString}; + +/// Hash algorithms used to calculate eventlog +#[derive(EnumString, AsRefStr, Clone)] +pub enum HashAlgorithm { + #[strum(ascii_case_insensitive)] + #[strum(serialize = "sha256")] + Sha256, + + #[strum(ascii_case_insensitive)] + #[strum(serialize = "sha384")] + Sha384, + + #[strum(ascii_case_insensitive)] + #[strum(serialize = "sha512")] + Sha512, +} diff --git a/deps/verifier/src/eventlog/mod.rs b/deps/verifier/src/eventlog/mod.rs new file mode 100644 index 000000000..7580f2f0f --- /dev/null +++ b/deps/verifier/src/eventlog/mod.rs @@ -0,0 +1,189 @@ +// Copyright (c) 2024 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +mod hash; + +use std::str::FromStr; + +use anyhow::{anyhow, bail, Context, Result}; +use hash::HashAlgorithm; +use serde_json::{Map, Value}; +use sha2::{digest::FixedOutput, Digest, Sha256, Sha384, Sha512}; + +#[derive(Clone)] +pub struct AAEvent { + pub domain: String, + pub operation: String, + pub content: String, +} + +impl FromStr for AAEvent { + type Err = anyhow::Error; + + fn from_str(input: &str) -> Result { + let input_trimed = input.trim_end(); + let sections: Vec<&str> = input_trimed.split(' ').collect(); + if sections.len() != 3 { + bail!("Illegal AA event entry format. Should be ` `"); + } + Ok(Self { + domain: sections[0].into(), + operation: sections[1].into(), + content: sections[2].into(), + }) + } +} + +#[derive(Clone)] +pub struct AAEventlog { + pub hash_algorithm: HashAlgorithm, + pub init_state: Vec, + pub events: Vec, +} + +impl FromStr for AAEventlog { + type Err = anyhow::Error; + + fn from_str(input: &str) -> Result { + let all_lines = input.lines().collect::>(); + + let (initline, eventlines) = all_lines + .split_first() + .ok_or(anyhow!("at least one line should be included in AAEL"))?; + + // Init line looks like + // INIT sha256/0000000000000000000000000000000000000000000000000000000000000000 + let init_line_items = initline.split_ascii_whitespace().collect::>(); + if init_line_items.len() != 2 { + bail!("Illegal INIT event record."); + } + + if init_line_items[0] != "INIT" { + bail!("INIT event should start with `INIT` key word"); + } + + let (hash_algorithm, init_state) = init_line_items[1].split_once('/').ok_or(anyhow!( + "INIT event should have `/` as content after `INIT`" + ))?; + + let hash_algorithm = hash_algorithm + .try_into() + .context("parse Hash Algorithm in INIT entry")?; + let init_state = hex::decode(init_state).context("parse init state in INIT entry")?; + + let events = eventlines + .iter() + .map(|line| AAEvent::from_str(line)) + .collect::>>()?; + + Ok(Self { + events, + hash_algorithm, + init_state, + }) + } +} + +impl AAEventlog { + fn accumulate_hash(&self) -> Vec { + let mut state = self.init_state.clone(); + + let mut init_event_hasher = D::new(); + let init_event = format!( + "INIT {}/{}", + self.hash_algorithm.as_ref(), + hex::encode(&self.init_state) + ); + Digest::update(&mut init_event_hasher, init_event.as_bytes()); + let init_event_hash = init_event_hasher.finalize(); + + let mut hasher = D::new(); + Digest::update(&mut hasher, &state); + + Digest::update(&mut hasher, init_event_hash); + state = hasher.finalize().to_vec(); + + self.events.iter().for_each(|event| { + let mut event_hasher = D::new(); + Digest::update(&mut event_hasher, event.domain.as_bytes()); + Digest::update(&mut event_hasher, b" "); + Digest::update(&mut event_hasher, event.operation.as_bytes()); + Digest::update(&mut event_hasher, b" "); + Digest::update(&mut event_hasher, event.content.as_bytes()); + let event_hash = event_hasher.finalize(); + + let mut hasher = D::new(); + Digest::update(&mut hasher, &state); + Digest::update(&mut hasher, event_hash); + state = hasher.finalize().to_vec(); + }); + + state + } + + /// Check the integrity of the AAEL, and gets a digest. The digest should be the same + /// as the input `rtmr`, or the integrity check will fail. + pub fn integrity_check(&self, rtmr: &[u8]) -> Result<()> { + let result = match self.hash_algorithm { + HashAlgorithm::Sha256 => self.accumulate_hash::(), + HashAlgorithm::Sha384 => self.accumulate_hash::(), + HashAlgorithm::Sha512 => self.accumulate_hash::(), + }; + + if rtmr != result { + bail!( + "AA eventlog does not pass check. AAEL value : {}, Quote value {}", + hex::encode(result), + hex::encode(rtmr) + ); + } + + Ok(()) + } + + pub fn to_parsed_claims(&self) -> Map { + let mut aael = Map::new(); + for eventlog in &self.events { + let key = format!("{}/{}", eventlog.domain, eventlog.operation); + let item = Value::String(eventlog.content.clone()); + match aael.get_mut(&key) { + Some(value) => value + .as_array_mut() + .expect("Only array can be inserted") + .push(item), + None => { + // This insertion will ensure the value in AAEL always be + // `Array`s. This will make `as_array_mut()` always result + // in `Some`. + aael.insert(key, Value::Array(vec![item])); + } + } + } + + aael + } +} + +#[cfg(test)] +mod tests { + use std::fs; + + use rstest::rstest; + + #[rstest] + #[case("./test_data/aael/AAEL_data_1", b"71563a23b430b8637970b866169052815ef9434056516dc9f78c1b3bfb745cee18a2ca92aa53c8122be5cbe59a100764")] + #[case("./test_data/aael/AAEL_data_2", b"31fa17881137923029b1da5b368e92d8b22b14bbb4deaa360da61fce7aa530bd2f4c59ac7bd27021ef64104ff4dd04f9")] + #[case("./test_data/aael/AAEL_data_3", b"0de62b45b29775495d278c85ad63ff45e59406e509506b26c545a5419316e1c4bd2b00a4e803051fa98b550767e13f06")] + fn aael_integrity_check(#[case] aael_path: &str, #[case] sum: &[u8]) { + use std::str::FromStr; + + use super::AAEventlog; + + let aael_bin = fs::read_to_string(aael_path).unwrap(); + let aael = AAEventlog::from_str(&aael_bin).unwrap(); + let sum = hex::decode(sum).unwrap(); + aael.integrity_check(&sum).unwrap(); + } +} diff --git a/deps/verifier/src/lib.rs b/deps/verifier/src/lib.rs index f0e2e7a28..40c09d345 100644 --- a/deps/verifier/src/lib.rs +++ b/deps/verifier/src/lib.rs @@ -7,6 +7,8 @@ use log::debug; pub mod sample; +pub mod eventlog; + #[cfg(feature = "az-snp-vtpm-verifier")] pub mod az_snp_vtpm; diff --git a/deps/verifier/src/tdx/claims.rs b/deps/verifier/src/tdx/claims.rs index e24171ffb..168db155d 100644 --- a/deps/verifier/src/tdx/claims.rs +++ b/deps/verifier/src/tdx/claims.rs @@ -50,7 +50,7 @@ use byteorder::{LittleEndian, ReadBytesExt}; use log::{debug, warn}; use serde_json::{Map, Value}; -use crate::{tdx::quote::QuoteV5Body, TeeEvidenceParsedClaim}; +use crate::{eventlog::AAEventlog, tdx::quote::QuoteV5Body, TeeEvidenceParsedClaim}; use super::{ eventlog::{CcEventLog, MeasuredEntity}, @@ -72,6 +72,7 @@ macro_rules! parse_claim { pub fn generate_parsed_claim( quote: Quote, cc_eventlog: Option, + aa_eventlog: Option, ) -> Result { let mut quote_map = Map::new(); let mut quote_body = Map::new(); @@ -172,6 +173,13 @@ pub fn generate_parsed_claim( } let mut claims = Map::new(); + + // Claims from AA eventlog + if let Some(aael) = aa_eventlog { + let aael_map = aael.to_parsed_claims(); + parse_claim!(claims, "aael", aael_map); + } + parse_claim!(claims, "quote", quote_map); parse_claim!(claims, "ccel", ccel_map); @@ -329,7 +337,7 @@ mod tests { let ccel_bin = std::fs::read("./test_data/CCEL_data").expect("read ccel failed"); let quote = parse_tdx_quote("e_bin).expect("parse quote"); let ccel = CcEventLog::try_from(ccel_bin).expect("parse ccel"); - let claims = generate_parsed_claim(quote, Some(ccel)).expect("parse claim failed"); + let claims = generate_parsed_claim(quote, Some(ccel), None).expect("parse claim failed"); let expected = json!({ "ccel": { "kernel": "5b7aa6572f649714ff00b6a2b9170516a068fd1a0ba72aa8de27574131d454e6396d3bfa1727d9baf421618a942977fa", diff --git a/deps/verifier/src/tdx/eventlog.rs b/deps/verifier/src/tdx/eventlog.rs index fb9fdca33..3278c9e71 100644 --- a/deps/verifier/src/tdx/eventlog.rs +++ b/deps/verifier/src/tdx/eventlog.rs @@ -46,11 +46,8 @@ impl CcEventLog { if rtmr_from_quote.rtmr0 != rtmr_eventlog.rtmr0 || rtmr_from_quote.rtmr1 != rtmr_eventlog.rtmr1 || rtmr_from_quote.rtmr2 != rtmr_eventlog.rtmr2 - || rtmr_from_quote.rtmr3 != rtmr_eventlog.rtmr3 { - return Err(anyhow!( - "RTMR values from TD quote is not equal with the values from EventLog\n" - )); + bail!("RTMR 0, 1, 2 values from TD quote is not equal with the values from EventLog"); } Ok(()) diff --git a/deps/verifier/src/tdx/mod.rs b/deps/verifier/src/tdx/mod.rs index d4a9f1c38..6878f214a 100644 --- a/deps/verifier/src/tdx/mod.rs +++ b/deps/verifier/src/tdx/mod.rs @@ -1,7 +1,9 @@ +use std::str::FromStr; + use anyhow::anyhow; use log::{debug, error, info, warn}; -use crate::tdx::claims::generate_parsed_claim; +use crate::{eventlog::AAEventlog, tdx::claims::generate_parsed_claim}; use super::*; use async_trait::async_trait; @@ -21,6 +23,8 @@ struct TdxEvidence { cc_eventlog: Option, // Base64 encoded TD quote. quote: String, + // Eventlog of Attestation Agent + aa_eventlog: Option, } #[derive(Debug, Default)] @@ -105,15 +109,32 @@ async fn verify_evidence( } } + // Verify Integrity of AA eventlog + let aael = match &evidence.aa_eventlog { + Some(el) => { + let aael = + AAEventlog::from_str(el).context("failed to parse AA Eventlog from evidence")?; + // We assume we always use PCR 17, rtmr 3 for the application side events. + + aael.integrity_check(quote.rtmr_3())?; + info!("CCEL integrity check succeeded."); + Some(aael) + } + None => { + warn!("No AA Eventlog included inside the TDX evidence."); + None + } + }; + // Return Evidence parsed claim - generate_parsed_claim(quote, ccel_option) + generate_parsed_claim(quote, ccel_option, aael) } #[cfg(test)] mod tests { use super::*; - use std::fs; + use std::{fs, str::FromStr}; #[test] fn test_generate_parsed_claim() { @@ -122,7 +143,7 @@ mod tests { let quote_bin = fs::read("./test_data/tdx_quote_4.dat").unwrap(); let quote = parse_tdx_quote("e_bin).unwrap(); - let parsed_claim = generate_parsed_claim(quote, Some(ccel)); + let parsed_claim = generate_parsed_claim(quote, Some(ccel), None); assert!(parsed_claim.is_ok()); let _ = fs::write( @@ -130,4 +151,13 @@ mod tests { format!("{:?}", parsed_claim.unwrap()), ); } + + #[test] + fn test_aael_binding() { + let aael_bin = fs::read_to_string("./test_data/aael/AAEL_data_1").unwrap(); + let aael = AAEventlog::from_str(&aael_bin).unwrap(); + let quote_bin = fs::read("./test_data/aael/AAEL_quote_tdx").unwrap(); + let quote = parse_tdx_quote("e_bin).unwrap(); + aael.integrity_check(quote.rtmr_3()).unwrap(); + } } diff --git a/deps/verifier/test_data/aael/AAEL_data_1 b/deps/verifier/test_data/aael/AAEL_data_1 new file mode 100644 index 000000000..f0fca95a8 --- /dev/null +++ b/deps/verifier/test_data/aael/AAEL_data_1 @@ -0,0 +1,2 @@ +INIT sha384/000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +image-rs CreateContainer docker.io/library/alpine \ No newline at end of file diff --git a/deps/verifier/test_data/aael/AAEL_data_2 b/deps/verifier/test_data/aael/AAEL_data_2 new file mode 100644 index 000000000..1f5e6b46f --- /dev/null +++ b/deps/verifier/test_data/aael/AAEL_data_2 @@ -0,0 +1,2 @@ +INIT sha384/000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +github.com/confidential-containers CreateContainer docker.io/library/alpine \ No newline at end of file diff --git a/deps/verifier/test_data/aael/AAEL_data_3 b/deps/verifier/test_data/aael/AAEL_data_3 new file mode 100644 index 000000000..29d145516 --- /dev/null +++ b/deps/verifier/test_data/aael/AAEL_data_3 @@ -0,0 +1,3 @@ +INIT sha384/000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +github.com/confidential-containers CreateContainer docker.io/library/alpine +github.com/confidential-containers CreateContainer docker.io/library/busybox \ No newline at end of file diff --git a/deps/verifier/test_data/aael/AAEL_quote_tdx b/deps/verifier/test_data/aael/AAEL_quote_tdx new file mode 100644 index 0000000000000000000000000000000000000000..47c500f1654889e08e7a815ee10204a2c7c92f76 GIT binary patch literal 5006 zcmcIn3$PQ_8NP7gf{P-efFO#Bqv+M%&Fkhy$HzIlo6RQKB)gkUvOyh_O|p4xUN?_T zw%AJ5PGKBhg+3V6Dq2OSQc2o4~~Ahz0yl`GW_JxT6`T)0%wX=XB; zeCI#s{QrNx|9t5_iaz*6_}Mc5h7F8*QHxEXI>V!CuMJ5|^|cS%<# z{&2%;%&4wG>(=A&TKy-X>MdW5`C#Bp4nO^8PfrNjuYN7tdDGN2?|q(~xM{PsvijxA zcC4JfXW83xM)xfqHu=>4Olp|#8{OLfx%snxsbBcni+QOm%qkuXPkyDE5>w>zWq^G@1$GKx_;YKCw8d3@DI!< z4@oa+oo`HiW%E4S1*<=N|GEiA^0%F9XYPF3nJX+vOg=FCH=jD3g z`NY(F`S~{=B5nw9*|h_Aop;Sw z-X#|wymh_pNps z;krkEwe5lzKd`P{Id|7>*RI&|o^{}*G50;{+_K%b^vcYSa(lP$|L1*Ec(CIK{hh&! ztLvgyUUY{2-uy@ZnVa58Pw#weyS{t+A$R9`#{j;qtHX}G=;}IqO6TE@vB!FNqW@C{ z2lfp<_bz*U)mD7X;%j~(xK(M{GVlB5{icC07Tkl~xpDj*nRO>xX9$1)!7JwF7u_?B z_Lv|4n)syi%z0Df&t80ar+mYk-<#-v;`JfB|JQSL$MA|i)qS?ZLw4-&!ppa9d2H6S zm1`#&zrJn;xp2>lAK%S>x@!Kq_r7VpJ#)E*8|G~gUwGue!&i6M?pS>OuXBIQjOYJ7 z<=_Kz@qTuSFY~*7r%juC&-A&mh1Z|yIe2K#pRXD_cGup`muy__e`nE!9UY@aca9m` zHE#TA*o4#1n0V%-vnHQ?&XlRs&YeEvyqV`;Fl%hb%@aF1u4;TBMKhiY35xeKc7_0c zs)=GO!%%%BK|p6j0U85=!iaQ*cKFOP$Ch0L?4_)=?o>rAFiMRD8lgyxD<5X`G)^IV z4UTSO{A1a8Of3JSH)AND6hxMQJ-8&f4lx0g{}bim*^=+7pV#V?z@- zqpdE}wz?GJ3sIxFW+#CF6;A*HnI#OKWHiSo8Ol?VLe3=1l{A8r$NRoyJe zG*^X5mIwq`&5@KnY?{+pKQOQ)t9$$$9&BJbH4MXoX{fORqcNblB1uBkiFQ+?1oZO; zMG+~F8||#hIld6is%hk*%JO-QZrQsq6559*kWrIUL*HbKR;$r8C9;rdd8KJ?(P*#4 zXiDLXwWOS-YJ?7)jSw-EcI3SWw#7wLnlm8kFw8=hhV>#Xux1-jD4HM!e`}Nj;0%CN zAHbMux<(e#abI_L(NKnRR1z&_kIf8<@g9d=iIT9MVCC+#T!_$unlL-cT$U;p-5O;F zvZKynE=BIwg-Rh}%@h5UImK}Cw4$&q;s;5PAklEsA+Qupf}jG0K-6IJRQYPMSA@=b z%#UMipBVR1eAHXLFrkrsg}lF?Rnn>@KVVMDkRj|9U7$!JGUTg7dXaJLDjBSud>O4`zr-=JYf zSr%5KSx+@gtCg^B$b>_T=4g~px0HC}OUQTj0Y9U!odH{z*3?k5#CJ2y{G>0O& z+6Mv0alRT}@+H$gSITd878P@(P|*7t_Cb`TRFTF6CTjL`6k3hZ6vggG`_V+>?2qDz zDil2ePBd_AgaHx_5F_B!NH~Uewxa=Zgb6gl;Rv_`;V3~ZPuoLaPOy-(eL`Dkt_D6* z2<{V1U`N6mA$Ud_K)Ck=xUU^=4}ohRXmgcExSNH2$DWP=Q64a;pc_`B0MNjZPcuR2 zjE^qDq7y(wf?V_LkK!DKL6rc}#$*!sppq{pGby^8!qM$X*@@;Un2(txQ50>9>NZ87 zi{(-4HU%9 zmh1Fz*EtR^DI#4%x)rX%KLc}TIw+VcqGEUcf=8()td-8eBUGeemQjkvcNGU5VgluN0Xnsw> z8iH$f;%dJm&z8DFc}u>h6zcWbxM0n}gKAi$y)mA%%GDwtiWHgurMKVol6#Wl{{?wG B@RtAp literal 0 HcmV?d00001 From 4e627fcdc14f5ca3b90308e9b1da92b81b7bd5ad Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Thu, 20 Jun 2024 17:39:40 +0800 Subject: [PATCH 2/3] AS: fix flatten function Before this commit, the parsed claims of arrays will be flatten into a nested structure like map. But in real scenario like AAEL, Array will only be the "leaf" member of the parsed claims. Thus keep it as-is is better. Signed-off-by: Xynnn007 --- attestation-service/src/utils.rs | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/attestation-service/src/utils.rs b/attestation-service/src/utils.rs index ddc26e2fc..a116397d2 100644 --- a/attestation-service/src/utils.rs +++ b/attestation-service/src/utils.rs @@ -73,10 +73,7 @@ fn flatten_helper(parent: &mut Map, child: &serde_json::Value, pr let _ = parent.insert(prefix, Value::String(str.clone())); } Value::Array(arr) => { - for (i, v) in arr.iter().enumerate() { - let sub_prefix = format!("{prefix}.{i}"); - flatten_helper(parent, v, sub_prefix); - } + let _ = parent.insert(prefix, Value::Array(arr.clone())); } Value::Object(obj) => { for (k, v) in obj { From 4095b443afda931182d77589e5385b5ebd24687e Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Mon, 15 Jul 2024 10:59:27 +0800 Subject: [PATCH 3/3] Verifier: fix lint error for SGX/TDX delete useless code for SGX, also makes submodules public. Signed-off-by: Xynnn007 --- deps/verifier/src/sgx/claims.rs | 32 -------------------------------- deps/verifier/src/tdx/mod.rs | 2 +- 2 files changed, 1 insertion(+), 33 deletions(-) diff --git a/deps/verifier/src/sgx/claims.rs b/deps/verifier/src/sgx/claims.rs index c47fa448a..c513f49d1 100644 --- a/deps/verifier/src/sgx/claims.rs +++ b/deps/verifier/src/sgx/claims.rs @@ -39,7 +39,6 @@ //! ``` use anyhow::*; -use byteorder::{LittleEndian, ReadBytesExt}; use serde_json::{Map, Value}; use crate::TeeEvidenceParsedClaim; @@ -112,37 +111,6 @@ pub fn generate_parsed_claims(quote: sgx_quote3_t) -> Result { - pub descriptor: [u8; 16], - pub info_length: u32, - pub data: &'a [u8], -} - -impl<'a> TryFrom<&'a [u8]> for TdShimPlatformConfigInfo<'a> { - type Error = anyhow::Error; - - fn try_from(data: &'a [u8]) -> std::result::Result { - if data.len() < core::mem::size_of::<[u8; 16]>() + core::mem::size_of::() { - bail!("give data slice is too short"); - } - - let descriptor = data[0..core::mem::size_of::<[u8; 16]>()].try_into()?; - let info_length = (&data[core::mem::size_of::<[u8; 16]>() - ..core::mem::size_of::<[u8; 16]>() + core::mem::size_of::()]) - .read_u32::()?; - let data = &data[core::mem::size_of::<[u8; 16]>() + core::mem::size_of::() - ..core::mem::size_of::<[u8; 16]>() - + core::mem::size_of::() - + info_length as usize]; - Ok(Self { - descriptor, - info_length, - data, - }) - } -} - #[cfg(test)] mod tests { use assert_json_diff::assert_json_eq; diff --git a/deps/verifier/src/tdx/mod.rs b/deps/verifier/src/tdx/mod.rs index 6878f214a..a33d24d67 100644 --- a/deps/verifier/src/tdx/mod.rs +++ b/deps/verifier/src/tdx/mod.rs @@ -13,7 +13,7 @@ use quote::{ecdsa_quote_verification, parse_tdx_quote}; use serde::{Deserialize, Serialize}; pub(crate) mod claims; -mod eventlog; +pub mod eventlog; pub(crate) mod quote; #[derive(Serialize, Deserialize, Debug)]