
add retry when vcekcertchain is empty #45

wants to merge 2 commits into
base: main
53 changes: 35 additions & 18 deletions pkg/attest/attest.go
Expand Up @@ -124,30 +124,21 @@ func (certState *CertState) Attest(maa MAA, runtimeDataBytes []byte, uvmInformat
}

if SNPReport.ReportedTCB != certState.Tcbm {
// TCB values still don't match, try retrieving the SNP report again
SNPReportBytes, inittimeDataBytes, err = GetSNPReport(uvmInformation.EncodedSecurityPolicy, runtimeDataBytes)
SNPReportBytes, inittimeDataBytes, vcekCertChain, err = certState.refreshSNPReportAndCertChain(uvmInformation.EncodedSecurityPolicy, runtimeDataBytes)
if err != nil {
return "", errors.Wrapf(err, "failed to retrieve new attestation report")
}

if err = SNPReport.DeserializeReport(SNPReportBytes); err != nil {
return "", errors.Wrapf(err, "failed to deserialize new attestation report")
return "", err
}

// refresh certs again
vcekCertChain, err = certState.RefreshCertChain(SNPReport)
}
} else {
if uvmInformation.InitialCerts.VcekCert == "" || uvmInformation.InitialCerts.CertificateChain == "" {
SNPReportBytes, inittimeDataBytes, vcekCertChain, err = certState.refreshSNPReportAndCertChain(uvmInformation.EncodedSecurityPolicy, runtimeDataBytes)
if err != nil {
return "", err
}

// if no match after refreshing certs and attestation report, fail
if SNPReport.ReportedTCB != certState.Tcbm {
return "", errors.New(fmt.Sprintf("SNP reported TCB value: %d doesn't match Certificate TCB value: %d", SNPReport.ReportedTCB, certState.Tcbm))
}
} else {
certString := uvmInformation.InitialCerts.VcekCert + uvmInformation.InitialCerts.CertificateChain
vcekCertChain = []byte(certString)
}
} else {
certString := uvmInformation.InitialCerts.VcekCert + uvmInformation.InitialCerts.CertificateChain
vcekCertChain = []byte(certString)
}

uvmReferenceInfoBytes, err := base64.StdEncoding.DecodeString(uvmInformation.EncodedUvmReferenceInfo)
Expand All @@ -164,3 +155,29 @@ func (certState *CertState) Attest(maa MAA, runtimeDataBytes []byte, uvmInformat

return maaToken, nil
}

func (certState *CertState) refreshSNPReportAndCertChain(securityPolicy string, runtimeDataBytes []byte) ([]byte, []byte, []byte, error) {
var SNPReport SNPAttestationReport
// TCB values still don't match, try retrieving the SNP report again
SNPReportBytes, inittimeDataBytes, err := GetSNPReport(securityPolicy, runtimeDataBytes)
if err != nil {
return nil, nil, nil, errors.Wrapf(err, "failed to retrieve new attestation report")
}

if err = SNPReport.DeserializeReport(SNPReportBytes); err != nil {
return nil, nil, nil, errors.Wrapf(err, "failed to deserialize new attestation report")
}

// refresh certs again
vcekCertChain, err := certState.RefreshCertChain(SNPReport)
if err != nil {
return nil, nil, nil, err
}

// if no match after refreshing certs and attestation report, fail
if SNPReport.ReportedTCB != certState.Tcbm {
return nil, nil, nil, errors.New(fmt.Sprintf("SNP reported TCB value: %d doesn't match Certificate TCB value: %d", SNPReport.ReportedTCB, certState.Tcbm))
}

return SNPReportBytes, inittimeDataBytes, vcekCertChain, nil
}
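Review bot: The comment on the first line of refreshSNPReportAndCertChain's body, `// TCB values still don't match, try retrieving the SNP report again`, is now misleading because the helper is also called from the new branch that runs when InitialCerts.VcekCert or CertificateChain is empty, where no TCB mismatch has been observed; replace it with a doc comment on the function such as `// refreshSNPReportAndCertChain fetches a fresh SNP report, refreshes the VCEK cert chain for it and fails unless the report's ReportedTCB matches certState.Tcbm.` The error from certState.RefreshCertChain is returned bare while the two neighbouring errors are wrapped, so `return nil, nil, nil, errors.Wrapf(err, "failed to refresh certificate chain")` keeps the chain consistent, and the mismatch error reads more simply as `errors.Errorf("SNP reported TCB value: %d doesn't match Certificate TCB value: %d", SNPReport.ReportedTCB, certState.Tcbm)`. In the first hunk the empty-cert branch does not deserialize the returned SNPReportBytes into Attest's own SNPReport the way the TCB-mismatch branch does, so if the remainder of Attest (outside the hunk) reads SNPReport it presumably still holds the pre-refresh report — worth confirming.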