Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

verifier: Change logic to check the attestation report version #590

Merged
merged 1 commit into from
Nov 25, 2024
Merged

verifier: Change logic to check the attestation report version #590

merged 1 commit into from
Nov 25, 2024

Conversation

AdithyaKrishnan
Copy link
Contributor

Fixes Issue #589

Change the check condition to handle multiple attestation report versions.

@AdithyaKrishnan AdithyaKrishnan requested a review from a team as a code owner November 21, 2024 21:13
cclaudio
cclaudio suggested changes Nov 21, 2024
View reviewed changes
deps/verifier/src/snp/mod.rs Outdated Show resolved Hide resolved
deps/verifier/src/snp/mod.rs Outdated Show resolved Hide resolved
@deeglaze
Copy link

Do you plan on updating fetch_vcek_from_kds to determine which kds product endpoint to try based on the CPUID information in the attestation report? That plus the fact that KDS gets the ProductName wrong in its VCEK cert extensions (for complicated reasons that should be fixed for Turin and later) is the reason why they changed the attestation report.

@AdithyaKrishnan AdithyaKrishnan force-pushed the main branch 2 times, most recently from f00f69d to cee4b6a Compare November 21, 2024 21:40
@AdithyaKrishnan
Copy link
Contributor Author

Do you plan on updating fetch_vcek_from_kds to determine which kds product endpoint to try based on the CPUID information in the attestation report? That plus the fact that KDS gets the ProductName wrong in its VCEK cert extensions (for complicated reasons that should be fixed for Turin and later) is the reason why they changed the attestation report.

Not in this PR but might have a new PR in the future to do the same.

cclaudio
cclaudio approved these changes Nov 21, 2024
View reviewed changes
Copy link

@cclaudio cclaudio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Xynnn007
Xynnn007 approved these changes Nov 22, 2024
View reviewed changes
Copy link
Member

@Xynnn007 Xynnn007 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks! @AdithyaKrishnan . One thing to think about the error report

deps/verifier/src/snp/mod.rs Outdated
@@ -37,6 +37,10 @@ const LOADER_SPL_OID: Oid<'static> = oid!(1.3.6 .1 .4 .1 .3704 .1 .3 .1);
const KDS_CERT_SITE: &str = "https://kdsintf.amd.com";
const KDS_VCEK: &str = "/vcek/v1";

// Attestation report versions supported
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The note here looks very good to be an inline document

Suggested change
// Attestation report versions supported
/// Attestation report versions supported

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed. Thanks Ding!

deps/verifier/src/snp/mod.rs Outdated
@@ -104,7 +108,8 @@ impl Verifier for Snp {

verify_report_signature(&report, &cert_chain, &self.vendor_certs)?;

if report.version != 2 {
// See Trustee Issue#589 https://github.com/confidential-containers/trustee/issues/589
if report.version < REPORT_VERSION_MIN || report.version > REPORT_VERSION_MAX {
return Err(anyhow!("Unexpected report version"));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we also add some context including SNP to the error information here? Because the information

ERROR kbs::http::error] Attestation failed: Verifier evaluate failed: Unexpected report version

is somehow confusing as it could be KBS protocol's error.

Copy link
Contributor Author

@AdithyaKrishnan AdithyaKrishnan Nov 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added an extra line of error log. Thanks Ding!

bpradipt
bpradipt approved these changes Nov 22, 2024
View reviewed changes
Copy link
Member

@bpradipt bpradipt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

fitzthum
fitzthum approved these changes Nov 22, 2024
View reviewed changes
Copy link
Member

@fitzthum fitzthum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. See Ding's comments

@mkulke mkulke added the test_e2e Authorize TEE e2e test run label Nov 23, 2024
@AdithyaKrishnan
verifier: Change logic to check the attestation report version
3494ea7 
Fixes Issue confidential-containers#589

Change the check condition to handle multiple attestation report versions.

Signed-off-by: Adithya Krishnan Kannan <[email protected]>
@AdithyaKrishnan
Copy link
Contributor Author

LGTM. See Ding's comments

Addressed all issues. Please merge PR if appropriate.

@AdithyaKrishnan AdithyaKrishnan mentioned this pull request Nov 25, 2024
Closed
@mkulke mkulke merged commit 86223c4 into confidential-containers:main Nov 25, 2024
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Xynnn007 Xynnn007 Xynnn007 approved these changes

@bpradipt bpradipt bpradipt approved these changes

@cclaudio cclaudio cclaudio approved these changes

@fitzthum fitzthum fitzthum approved these changes

Assignees
No one assigned
Labels
test_e2e Authorize TEE e2e test run
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@AdithyaKrishnan @deeglaze @fitzthum @cclaudio @bpradipt @Xynnn007 @mkulke