From 13bdb6f2a0d340b8dcb819b7f0a18ec4ce08d182 Mon Sep 17 00:00:00 2001 From: Kevin Loughlin Date: Thu, 4 Apr 2024 21:01:52 +0000 Subject: [PATCH] Fail command line validation for long cmdlines unless skipped Since the temporary workaround for #4981 truncates length command lines to 256 characters, fail verification for any command lines >= 256 (characters since it may have been truncated), unless the reference value is set to Skip. --- oak_attestation_verification/src/verifier.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/oak_attestation_verification/src/verifier.rs b/oak_attestation_verification/src/verifier.rs index e50bf909fc0..9bb263951b0 100644 --- a/oak_attestation_verification/src/verifier.rs +++ b/oak_attestation_verification/src/verifier.rs @@ -518,7 +518,10 @@ fn verify_kernel_layer( ) .context("kernel failed verification")?; - if let Some(kernel_raw_cmd_line) = values.kernel_raw_cmd_line.as_ref() { + // TODO(#4981): Remove temporary workaround for command line length limit. + if let Some(kernel_raw_cmd_line) = values.kernel_raw_cmd_line.as_ref() + && kernel_raw_cmd_line.len() < 256 + { verify_text( now_utc_millis, kernel_raw_cmd_line.as_str(), @@ -530,7 +533,7 @@ fn verify_kernel_layer( ) .context("kernel command line failed verification")?; } else { - // Support missing kernel_raw_cmd_line but only if the corresponding reference + // Support invalid kernel_raw_cmd_line but only if the corresponding reference // value is set to skip. This is a temporary workaround until all clients are // migrated. anyhow::ensure!( @@ -543,7 +546,7 @@ fn verify_kernel_layer( .as_ref(), Some(text_reference_value::Type::Skip(_)) ), - "No kernel_raw_cmd_line provided" + "No valid kernel_raw_cmd_line provided" ) }