Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vtpm-quote: Add SHA256 PCR value extraction API #47

Merged
merged 7 commits into from
Jan 16, 2024
Merged

vtpm-quote: Add SHA256 PCR value extraction API #47

merged 7 commits into from
Jan 16, 2024

Conversation

surajssd
Copy link
Member

@surajssd surajssd commented Dec 22, 2023
edited
Loading

This PR adds an API to extract all PCRs from SHA256 bank and store it in the quote. Alongwith this extraciton logic, it also adds a verification logic. Now users can call quote.verify_pcrs() to verify the PCR values.

How to test

Here is a sample code that can be used to verify the workings of code. Run the following steps from the root of the directory:

mkdir -p az-cvm-vtpm/az-snp-vtpm/example2/src
cat <<EOF > az-cvm-vtpm/az-snp-vtpm/example2/src/main.rs
use az_snp_vtpm::vtpm;
use bincode;
use std::error::Error;
use std::fs;

fn main() -> Result<(), Box<dyn Error>> {
    // Save the PCRs into binary file.
    let nonce = "challenge".as_bytes().to_vec();
    let quote = vtpm::get_quote(&nonce)?;
    let quote_encoded: Vec<u8> = bincode::serialize(&quote).unwrap();
    fs::write("/tmp/quote.bin", quote_encoded).expect("Unable to write file");

    // Verification logic
    let quote_bytes = fs::read("/tmp/quote.bin").expect("Unable to read file");
    let quote: vtpm::Quote = bincode::deserialize(&quote_bytes[..]).unwrap();
    println!("Verify PCRs: {:?}", quote.verify_pcrs()?);
    Ok(())
}
EOF

Here is Cargo.toml

cat <<EOF > az-cvm-vtpm/az-snp-vtpm/example2/Cargo.toml
[package]
name = "snp-example2"
version = "0.1.0"
edition = "2021"

[dependencies]
az-snp-vtpm.path = "../"
bincode.workspace = true
openssl.workspace = true
EOF

Make the following change:

diff --git az-cvm-vtpm/Cargo.toml az-cvm-vtpm/Cargo.toml
index 4a36f15..4eec2e9 100644
--- az-cvm-vtpm/Cargo.toml
+++ az-cvm-vtpm/Cargo.toml
@@ -13,6 +13,7 @@ members = [
        "az-snp-vtpm",
        "az-tdx-vtpm",
        "az-snp-vtpm/example",
+       "az-snp-vtpm/example2",
 ]

 [lib]

Finally run the code:

cd az-cvm-vtpm/az-snp-vtpm/example2
cargo build && sudo ../../target/debug/snp-example2

@surajssd surajssd requested a review from mkulke December 22, 2023 10:44
mkulke
mkulke reviewed Dec 22, 2023
View reviewed changes
@surajssd surajssd requested a review from mkulke January 4, 2024 11:04
mkulke
mkulke reviewed Jan 4, 2024
View reviewed changes
@mkulke
Copy link
Member

mkulke commented Jan 4, 2024

let's bump a minor version of the tdx and snp crates in this PR

@surajssd surajssd force-pushed the hash-extraction-api branch from 22efda5 to beb8f62 Compare January 13, 2024 12:31
@surajssd
Copy link
Member Author

I need to update other fixtures as well, because the test fails otherwise.

@surajssd surajssd force-pushed the hash-extraction-api branch 2 times, most recently from aa30c3f to 0f1b45a Compare January 15, 2024 09:04
@surajssd surajssd requested a review from mkulke January 15, 2024 09:06
@surajssd
Copy link
Member Author

I have updated the scriptures.

mkulke
mkulke reviewed Jan 15, 2024
View reviewed changes
@surajssd
Add .gitignore at root level
ce24599 
Ignore .vscode directory.

Signed-off-by: Suraj Deshmukh <[email protected]>
@surajssd
refactor(vtpm): Remove unused VerifyError
217b643 
This commit removes unused code in the `vtpm` module. This enum is
defined elaborately in `verfiy.rs`.

Signed-off-by: Suraj Deshmukh <[email protected]>
@surajssd
deps: Update rsa crate to 0.9.6
5115d80 
- Also fix the formatting from spaces to tabs.

Signed-off-by: Suraj Deshmukh <[email protected]>
@surajssd
vtpm: Add support to include PCR values
0bbf708 
This commit add support to include PCR SHA256 bank values in the Quote
struct.

Here are details of minor changes as a part of this commit:
- Make the Quote parameters private.
- Add a field called `pcrs` to Quote which will hold the PCR SHA256 bank
  values.
- Add verification logic to the see if hash of all the PCRs match the
  PCR digest from the message.
- Add test for verify_pcrs
- Update the existing test to read the whole quote instead of individual
  message and signature from the fixutres.
- Generate new fixtures for the test so that the PCR values are also
  incorporated.

Signed-off-by: Suraj Deshmukh <[email protected]>
@surajssd
vtpm: Make QuoteError and VerifyError non_exhaustive
4928614 
Make these enums non-exhaustive so that we can make non-breaking changes
in subsequent updates.

Signed-off-by: Suraj Deshmukh <[email protected]>
@surajssd surajssd force-pushed the hash-extraction-api branch from 289cbfa to 3917111 Compare January 15, 2024 15:09
@surajssd
vtpm: Add a getter method for message
a2ad73d 
Since the `Quote` struct's fields were made private, to access the field
`message` this commit adds a getter method `message()`.

Signed-off-by: Suraj Deshmukh <[email protected]>
@surajssd
version: Bump the crate to 0.5.0
ba22c78 
Signed-off-by: Suraj Deshmukh <[email protected]>
@surajssd surajssd force-pushed the hash-extraction-api branch from 3917111 to ba22c78 Compare January 16, 2024 03:35
@surajssd surajssd requested a review from mkulke January 16, 2024 08:08
@surajssd surajssd merged commit 29874be into kinvolk:main Jan 16, 2024
1 check passed
@surajssd surajssd deleted the hash-extraction-api branch January 16, 2024 13:53
@mkulke mkulke mentioned this pull request Jan 16, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkulke mkulke mkulke approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@surajssd @mkulke