update scriptures

kinvolk · Jan 15, 2024 · 0f1b45a · 0f1b45a
1 parent 2b21ace
commit 0f1b45a
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 39 deletions.
diff --git a/az-cvm-vtpm/Cargo.toml b/az-cvm-vtpm/Cargo.toml
@@ -23,7 +23,7 @@ bincode.workspace = true
 jsonwebkey = { version = "0.3.5", features = ["pkcs-convert"] }
 memoffset = "0.9.0"
 openssl = { workspace = true, optional = true }
-rsa = { version = "0.8.2", features = ["pkcs5", "sha2"] }
+rsa = { version = "0.9.6", features = ["pkcs5", "sha2"] }
 serde.workspace = true
 serde_json.workspace = true
 serde-big-array = "0.5.1"

diff --git a/az-cvm-vtpm/src/vtpm/verify.rs b/az-cvm-vtpm/src/vtpm/verify.rs
@@ -91,31 +91,48 @@ impl Quote {
 mod tests {
     use super::*;
 
+    // // Use this code to generate the scriptures for the test on an AMD CVM.
+    //
+    // use az_snp_vtpm::vtpm;
+    // use bincode;
+    // use rsa;
+    // use rsa::pkcs8::EncodePublicKey;
+    // use std::error::Error;
+    // use std::fs;
+    //
+    // fn main() -> Result<(), Box<dyn Error>> {
+    //     // Extract the AK public key.
+    //     let foo = vtpm::get_ak_pub()?.to_public_key_pem(rsa::pkcs8::LineEnding::LF)?;
+    //     fs::write("/tmp/akpub.pem", foo)?;
+    //
+    //     // Save the PCRs into binary file.
+    //     let nonce = "challenge".as_bytes().to_vec();
+    //     let quote = vtpm::get_quote(&nonce)?;
+    //     let quote_encoded: Vec<u8> = bincode::serialize(&quote).unwrap();
+    //     fs::write("/tmp/quote.bin", quote_encoded)?;
+    //
+    //     Ok(())
+    // }
+
     #[cfg(feature = "verifier")]
     #[test]
     fn test_quote_validation() {
         // Can be retrieved by `get_ak_pub()` or via tpm2-tools:
-        // `tpm2_readpublic -c 0x81000003 -f pem -o akpub.pem`
-
+        // sudo tpm2_readpublic -c 0x81000003 -f pem -o akpub.pem
         let pem = include_bytes!("../../test/akpub.pem");
         let pkey = PKey::public_key_from_pem(pem).unwrap();
 
         // Can be retrieved by `get_quote()` or via tpm2-tools:
-        // `tpm2_quote -c 0x81000003 -l sha256:5,8 -q cafe -m quote_msg -s quote_sig`
-        let message = include_bytes!("../../test/quote_msg").to_vec();
-        let signature = include_bytes!("../../test/quote_sig").to_vec();
-
-        // Dummy PCR value.
-        let pcrs = Vec::new();
-
-        let quote = Quote {
-            signature,
-            message,
-            pcrs,
-        };
+        // For message and signature:
+        // sudo tpm2_quote -c 0x81000003 -l sha256:5,8 -q challenge -m quote_msg -s quote_sig
+        //
+        // For PCR values:
+        // sudo tpm2_pcrread sha256:0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
+        let quote_bytes: Vec<u8> = include_bytes!("../../test/quote.bin").to_vec();
+        let quote: Quote = bincode::deserialize(&quote_bytes[..]).unwrap();
 
         // proper nonce in message
-        let nonce = vec![1, 2, 3];
+        let nonce = "challenge".as_bytes().to_vec();
         let result = quote.verify(&pkey, &nonce);
         assert!(result.is_ok(), "Quote verification should not fail");
 
@@ -141,22 +158,7 @@ mod tests {
 
     #[test]
     fn test_pcr_values() {
-        /// Generate the quote-pcrs.bin using the following code:
-        ///
-        /// use az_snp_vtpm::vtpm;
-        /// use bincode;
-        /// use std::error::Error;
-        /// use std::fs;
-        ///
-        /// fn main() -> Result<(), Box<dyn Error>> {
-        ///     let nonce = "challenge".as_bytes().to_vec();
-        ///     let quote = vtpm::get_quote(&nonce)?;
-        ///     let quote_encoded: Vec<u8> = bincode::serialize(&quote).unwrap();
-        ///     fs::write("/tmp/quote-pcrs.bin", quote_encoded).expect("Unable to write file");
-        ///     Ok(())
-        /// }
-        ///
-        let quote_bytes: Vec<u8> = include_bytes!("../../test/quote-pcrs.bin").to_vec();
+        let quote_bytes: Vec<u8> = include_bytes!("../../test/quote.bin").to_vec();
         let quote: Quote = bincode::deserialize(&quote_bytes[..]).unwrap();
         let result = quote.verify_pcrs();
         assert!(result.is_ok(), "PCR verification should not fail");

diff --git a/az-cvm-vtpm/test/akpub.pem b/az-cvm-vtpm/test/akpub.pem
@@ -1,9 +1,9 @@
 -----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxfSaJAABoi7dSNwLgxab
-Qj0Ag+3u74ioHzP/JKk7urkxwFyPN95+ofKhBIp63mfOxTVIfjPFhiYhnYGKJvQY
-drTg1slNSIR5MRcjwDhHlTwK4BefiwcIiQMsEwdjbWEcHVfKIjrIFLX6HgXwftGU
-mdItDBJuZaGT08F1kGMz7K6hH1ZjQBKnwmGih5p/P4pBDD4ccNapUtaIraCgQ+4f
-YguTMACZAl7ZZxISS1yxxudHbJ8cI7viijk1TmuauJN+GAn7hkEauOdWd6xpv8jf
-NHEm24kTh/TgNhTlyZpfafEbwXNVNVk7TZ3HRNl0Uou4FNCQw8eb+PG3q/IxMv7h
-oQIDAQAB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxJlHggAAGWfX9uqSq3js
+wJ9PGrEGyurECyTMfptLwI5Ca1JEwocKXHsTfdAEUVIi9GVWcNuBGpr5Dbd8reoE
+l6/p5IoxQsXyPSC6LZ7HdisORYOo8tQU/fqcuRky1InLJnsKG0o91XEP1MBo5/J7
+MxUAkkWPOiA6wPo+k7Wo3X3TB1NxxqohqAN+sRQ3Useqlzg7sViw+us0nrPb5gbz
+1M8PMlLj4UW6j2j+XNQMsPtZEJ5qAwOmtqstFqT16qBkqFd/ey+NQBNINQAYlaHT
+Vh2cwzq17i2Cru0KSHGQVa2YcUPZhDu4eAQdy+fdVE/uTjxf7Sac5WXefK2YXxyw
+VQIDAQAB
 -----END PUBLIC KEY-----
diff --git a/az-cvm-vtpm/test/quote.bin b/az-cvm-vtpm/test/quote.bin
diff --git a/az-cvm-vtpm/test/quote_msg b/az-cvm-vtpm/test/quote_msg
diff --git a/az-cvm-vtpm/test/quote_sig b/az-cvm-vtpm/test/quote_sig