Update oak_attestation_explain tests with recent evidence

Change-Id: Idb2254dff2d3affe4e846830c266052103fa486b
project-oak · May 7, 2024 · 85d079d · 85d079d
1 parent 30aa525
commit 85d079d
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 45 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/oak_attestation_explain/Cargo.toml b/oak_attestation_explain/Cargo.toml
@@ -17,3 +17,4 @@ zerocopy = { version = "*", features = ["derive"] }
 prost = { workspace = true, default-features = false, features = [
   "prost-derive",
 ] }
+oak_attestation_verification = { workspace = true }
diff --git a/oak_attestation_explain/src/lib.rs b/oak_attestation_explain/src/lib.rs
@@ -68,13 +68,13 @@ impl HumanReadableTitle for OakRestrictedKernelData {
             .as_ref()
             .context("unexpectedly unset report proto field")?;
         let tee_name = get_tee_name(tee_report);
-        Ok(format!("Evidence of the Oak Restricted Kernel Stack in a {} TEE", tee_name))
+        Ok(format!("Oak Restricted Kernel Stack in a {} TEE", tee_name))
     }
 }
 
 impl HumanReadableTitle for OakRestrictedKernelReferenceValues {
     fn title(&self) -> Result<String, anyhow::Error> {
-        Ok("Reference values for the Oak Restricted Kernel Stack".to_owned())
+        Ok("Oak Restricted Kernel Stack".to_owned())
     }
 }
 
@@ -94,13 +94,13 @@ impl HumanReadableTitle for OakContainersData {
 
 impl HumanReadableTitle for OakContainersReferenceValues {
     fn title(&self) -> Result<String, anyhow::Error> {
-        Ok("Reference values for the Oak Conatiners Stack".to_owned())
+        Ok("Oak Conatiners Stack".to_owned())
     }
 }
 
 impl HumanReadableTitle for RootLayerData {
     fn title(&self) -> Result<String, anyhow::Error> {
-        Ok("Root Layer [Evidence]".to_string())
+        Ok("Root Layer".to_string())
     }
 }
 
@@ -111,9 +111,9 @@ impl HumanReadableExplanation for RootLayerData {
                 let initial_memory_sha256_digest =
                     SNPInitialMemoryMeasurement::try_from(report.initial_measurement.as_slice())?;
                 Ok(format!(
-                    "Initial Memory [Digest]: {}
+                    "Firmware [Digest]: {}
 {}
-Initial Memory [Provenance]: {}",
+Firmware [Provenances]: {}",
                     initial_memory_sha256_digest.display_hash(),
                     initial_memory_sha256_digest.display_hash_explaination(),
                     initial_memory_sha256_digest.provenance_link()
@@ -128,7 +128,7 @@ Initial Memory [Provenance]: {}",
 
 impl HumanReadableTitle for RootLayerReferenceValues {
     fn title(&self) -> Result<String, anyhow::Error> {
-        Ok("Root Layer [Reference Values]".to_string())
+        Ok("Root Layer".to_string())
     }
 }
 
@@ -140,7 +140,7 @@ impl HumanReadableExplanation for RootLayerReferenceValues {
 
 impl HumanReadableTitle for KernelLayerData {
     fn title(&self) -> Result<String, anyhow::Error> {
-        Ok("Kernel Layer [Evidence]".to_string())
+        Ok("Kernel Layer".to_string())
     }
 }
 
@@ -166,7 +166,7 @@ Kernel Setup Data [Digest]: {}",
             .display_hash(),
         );
         let kernel_commandline = format!(
-            "Kernel Command Line: {}",
+            "Kernel Command Line [String]: {}",
             self.kernel_raw_cmd_line
                 .as_ref()
                 .context("unexpectedly unset kernel_raw_cmd_line proto field")?,
@@ -183,10 +183,10 @@ Kernel Setup Data [Digest]: {}",
 
         Ok(format!(
             "{}
-Kernel Image/Setup-Data [Provenance]: {}
+Kernel Image/Setup-Data [Provenances]: {}
 {}
 {}
-Inital RAM Disk [Provenance]: {}",
+Inital RAM Disk [Provenances]: {}",
             bz_image_description,
             kernel_image_digest.provenance_link(),
             kernel_commandline,
@@ -198,7 +198,7 @@ Inital RAM Disk [Provenance]: {}",
 
 impl HumanReadableTitle for KernelLayerReferenceValues {
     fn title(&self) -> Result<String, anyhow::Error> {
-        Ok("Kernel Layer [Reference Values]".to_string())
+        Ok("Kernel Layer".to_string())
     }
 }
 
@@ -210,7 +210,7 @@ impl HumanReadableExplanation for KernelLayerReferenceValues {
 
 impl HumanReadableTitle for SystemLayerData {
     fn title(&self) -> Result<String, anyhow::Error> {
-        Ok("System Layer [Evidence]".to_string())
+        Ok("System Layer".to_string())
     }
 }
 
@@ -225,7 +225,7 @@ impl HumanReadableExplanation for SystemLayerData {
             })?;
         Ok(format!(
             "System Image [Digest]: {}
-System Image [Provenance]: {}",
+System Image [Provenances]: {}",
             system_image_digest.display_hash(),
             system_image_digest.provenance_link(),
         ))
@@ -234,7 +234,7 @@ System Image [Provenance]: {}",
 
 impl HumanReadableTitle for SystemLayerReferenceValues {
     fn title(&self) -> Result<String, anyhow::Error> {
-        Ok("System Layer [Reference Values]".to_string())
+        Ok("System Layer".to_string())
     }
 }
 
@@ -246,7 +246,7 @@ impl HumanReadableExplanation for SystemLayerReferenceValues {
 
 impl HumanReadableTitle for ApplicationLayerData {
     fn title(&self) -> Result<String, anyhow::Error> {
-        Ok("Application Layer [Evidence]".to_string())
+        Ok("Application Layer".to_string())
     }
 }
 
@@ -259,17 +259,17 @@ impl HumanReadableExplanation for ApplicationLayerData {
                 )?;
 
             // Restricted Kernel Applications do not use a config, no digest is included in
-            // the evidence.
+            // the.
             if let Ok(config_digest) =
                 self.config.as_ref().context("unexpectedly unset config proto field").and_then(
                     |digest| ArtifactDigestSha2_256::try_from(digest).map_err(anyhow::Error::from),
                 )
             {
                 format!(
                     "Binary [Digest]: {}
-Binary [Provenance]: {}
+Binary [Provenances]: {}
 Config [Digest]: {}
-Config [Provenance]: {}",
+Config [Provenances]: {}",
                     binary_digest.display_hash(),
                     binary_digest.provenance_link(),
                     config_digest.display_hash(),
@@ -278,7 +278,7 @@ Config [Provenance]: {}",
             } else {
                 format!(
                     "Binary [Digest]: {}
-Binary [Provenance]: {}",
+Binary [Provenances]: {}",
                     binary_digest.display_hash(),
                     binary_digest.provenance_link(),
                 )
@@ -291,7 +291,7 @@ Binary [Provenance]: {}",
 
 impl HumanReadableTitle for ApplicationLayerReferenceValues {
     fn title(&self) -> Result<String, anyhow::Error> {
-        Ok("Application Layer [Reference Values]".to_string())
+        Ok("Application Layer".to_string())
     }
 }
 
@@ -342,7 +342,7 @@ impl OakDigestDisplay for ArtifactDigestSha2_256 {
         format!("https://search.sigstore.dev/?hash={}", hex::encode(self.0))
     }
     fn display_hash(&self) -> String {
-        format!("sha2-256:{}", hex::encode(self.0.as_slice()))
+        format!("SHA2-256:{}", hex::encode(self.0.as_slice()))
     }
 }
 
@@ -361,7 +361,7 @@ impl SNPInitialMemoryMeasurement {
     /// struct.
     fn display_hash_explaination(&self) -> String {
         format!(
-            "ⓘ The firmware attestation digest is the sha2-256 hash of the sha2-386 hash of the initial memory state taken by the AMD SoC. The original sha2-386 hash of the initial memory is: sha2-384:{}.",
+            "ⓘ The firmware attestation digest is the SHA2-256 hash of the SHA2-384 hash of the initial memory state taken by the AMD SoC. The original SHA2-384 hash of the initial memory is: SHA2-384:{}.",
             { hex::encode(self.0.as_slice()) }
         )
     }

diff --git a/oak_attestation_explain/testdata/rk_evidence.binarypb b/oak_attestation_explain/testdata/rk_evidence.binarypb
diff --git a/oak_attestation_explain/testdata/rk_extracted_evidence.binarypb b/oak_attestation_explain/testdata/rk_extracted_evidence.binarypb
diff --git a/oak_attestation_explain/tests/explain_test.rs b/oak_attestation_explain/tests/explain_test.rs
@@ -19,27 +19,28 @@ use std::fs;
 
 use oak_attestation_explain::{HumanReadableExplanation, HumanReadableTitle};
 use oak_proto_rust::oak::attestation::v1::{
-    extracted_evidence::EvidenceValues, ExtractedEvidence, OakRestrictedKernelData,
+    extracted_evidence::EvidenceValues, Evidence, OakRestrictedKernelData,
 };
 use prost::Message;
 
 // TODO: b/334900893 - Generate extracted evidence programatically.
-const RK_EXTRACTED_EVIDENCE_PATH: &str = "testdata/rk_extracted_evidence.binarypb";
+const RK_EVIDENCE_PATH: &str = "testdata/rk_evidence.binarypb";
 
 #[test]
 fn produces_expected_explaination() {
     let mut extracted_evidence = {
-        let serialized =
-            fs::read(RK_EXTRACTED_EVIDENCE_PATH).expect("could not read extracted evidence");
-        ExtractedEvidence::decode(serialized.as_slice()).expect("could not decode evidence")
+        let serialized = fs::read(RK_EVIDENCE_PATH).expect("could not read extracted evidence");
+        let evidence = Evidence::decode(serialized.as_slice()).expect("could not decode evidence");
+        oak_attestation_verification::verifier::extract_evidence(&evidence)
+            .expect("could not extract evidence")
     };
 
     eprintln!("{:?}", extracted_evidence.evidence_values);
     match extracted_evidence.evidence_values.take() {
         Some(EvidenceValues::OakRestrictedKernel(restricted_kernel_evidence)) => {
             assert_eq!(
                 restricted_kernel_evidence.title().unwrap(),
-                format!("Evidence of the Oak Restricted Kernel Stack in a {} TEE", "AMD SEV-SNP")
+                format!("Oak Restricted Kernel Stack in a {} TEE", "AMD SEV-SNP")
             );
             match restricted_kernel_evidence {
                 OakRestrictedKernelData {
@@ -49,23 +50,23 @@ fn produces_expected_explaination() {
                 } => {
                     assert_eq!(
                         root_layer.description().unwrap(),
-                        r#"Initial Memory [Digest]: sha2-256:519bb2bd42afa2dd8cb3ca88aed6a8aea8905ee371f5e64b4aae03c7cec99a22
-ⓘ The firmware attestation digest is the sha2-256 hash of the sha2-386 hash of the initial memory state taken by the AMD SoC. The original sha2-386 hash of the initial memory is: sha2-384:5a5cd76580dd3f0e9cc69ddfe7a6120919c02c3e376317bb3cc6de40a66e60683d380d966664d83fcd124f83f878d2ec.
-Initial Memory [Provenance]: https://search.sigstore.dev/?hash=519bb2bd42afa2dd8cb3ca88aed6a8aea8905ee371f5e64b4aae03c7cec99a22"#
+                        r#"Firmware [Digest]: SHA2-256:33d5453b09e16ed0d6deb7c9f076b66b92a1b472d89534034717143554f6746d
+ⓘ The firmware attestation digest is the SHA2-256 hash of the SHA2-384 hash of the initial memory state taken by the AMD SoC. The original SHA2-384 hash of the initial memory is: SHA2-384:6c090e4594fd40ee186c90d43f7ad8d904838baa9643a4be1d9d4ff0fdd670a62565e2417660008e058cc2f2029eac8a.
+Firmware [Provenances]: https://search.sigstore.dev/?hash=33d5453b09e16ed0d6deb7c9f076b66b92a1b472d89534034717143554f6746d"#
                     );
                     assert_eq!(
                         kernel_layer.description().unwrap(),
-                        r#"Kernel Image [Digest]: sha2-256:bb149e581ed858d4269acf844ca9ceb00162f2e2aa2e2061072462a05e0c8743
-Kernel Setup Data [Digest]: sha2-256:4cd020820da663063f4185ca14a7e803cd7c9ca1483c64e836db840604b6fac1
-Kernel Image/Setup-Data [Provenance]: https://search.sigstore.dev/?hash=bb149e581ed858d4269acf844ca9ceb00162f2e2aa2e2061072462a05e0c8743
-Kernel Command Line: console=ttyS0
-Initial RAM Disk [Digest]: sha2-256:0000000000000000000000000000000000000000000000000000000000000000
-Inital RAM Disk [Provenance]: https://search.sigstore.dev/?hash=0000000000000000000000000000000000000000000000000000000000000000"#
+                        r#"Kernel Image [Digest]: SHA2-256:ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8
+Kernel Setup Data [Digest]: SHA2-256:4cd020820da663063f4185ca14a7e803cd7c9ca1483c64e836db840604b6fac1
+Kernel Image/Setup-Data [Provenances]: https://search.sigstore.dev/?hash=ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8
+Kernel Command Line [String]: console=ttyS0
+Initial RAM Disk [Digest]: SHA2-256:daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8
+Inital RAM Disk [Provenances]: https://search.sigstore.dev/?hash=daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8"#
                     );
                     assert_eq!(
                         application_layer.description().unwrap(),
-                        r#"Binary [Digest]: sha2-256:b5cae5b9b92104f7ebc08b7cd7dc9f2fb191ebd5db7041421f2f885b777d5040
-Binary [Provenance]: https://search.sigstore.dev/?hash=b5cae5b9b92104f7ebc08b7cd7dc9f2fb191ebd5db7041421f2f885b777d5040"#
+                        r#"Binary [Digest]: SHA2-256:7d4682a9a0f97ade0fad9a47f247e1cb6ed326e80ba05ea39fc84b2fe6bcacfb
+Binary [Provenances]: https://search.sigstore.dev/?hash=7d4682a9a0f97ade0fad9a47f247e1cb6ed326e80ba05ea39fc84b2fe6bcacfb"#
                     );
                 }
                 _ => panic!("evidence values unexpectedly unset"),

diff --git a/oak_attestation_explain_cli/src/main.rs b/oak_attestation_explain_cli/src/main.rs
@@ -27,7 +27,7 @@ use prost::Message;
 #[group(skip)]
 pub struct Params {
     /// Path to the evidence to inspect.
-    #[arg(long, value_parser = path_exists, default_value = "oak_attestation_verification/testdata/rk_evidence.binarypb")]
+    #[arg(long, value_parser = path_exists, default_value = "oak_attestation_explain/testdata/rk_evidence.binarypb")]
     pub evidence: PathBuf,
 }
 
@@ -53,10 +53,6 @@ fn main() {
 
     match extracted_evidence.evidence_values.take() {
         Some(EvidenceValues::OakRestrictedKernel(restricted_kernel_evidence)) => {
-            assert_eq!(
-                restricted_kernel_evidence.title().unwrap(),
-                format!("Oak Restricted Kernel Stack in a {} TEE", "AMD SEV-SNP")
-            );
             match restricted_kernel_evidence {
                 OakRestrictedKernelData {
                     root_layer: Some(root_layer),