Add Eventlog as evidence to CWT certificate.

Change-Id: I58540762720e643318e208e0723b68651e928291
project-oak · May 31, 2024 · bcb942f · bcb942f
1 parent d43dc4d
commit bcb942f
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 52 deletions.
diff --git a/oak_dice/src/cert.rs b/oak_dice/src/cert.rs
@@ -71,6 +71,8 @@ pub const LAYER_3_CODE_MEASUREMENT_ID: i64 = -4670569;
 pub const FINAL_LAYER_CONFIG_MEASUREMENT_ID: i64 = -4670570;
 /// The CWT private claim ID for SHA2_256 digests.
 pub const SHA2_256_ID: i64 = -4670572;
+/// The CWT private claim ID of the Event.
+pub const EVENT_ID: i64 = -4670573;
 
 /// String to be used as salt for generating Key IDs.
 const ID_SALT: &[u8] = b"DICE_ID_SALT";

diff --git a/stage0/src/lib.rs b/stage0/src/lib.rs
@@ -319,13 +319,24 @@ pub fn rust64_start(encrypted: u64) -> ! {
     };
 
     let event_log_proto = generate_event_log(stage0event);
+    let event_type_url_str = event_log_proto.events[0].event.as_ref().unwrap().type_url.as_str();
+    let eventlog_sha2_256_digest = measure_byte_slice(
+        format!(
+            "{}{}{:?}",
+            event_type_url_str.len(),
+            event_type_url_str,
+            event_log_proto.events[0].event.as_ref().unwrap().value.as_bytes()
+        )
+        .as_bytes(),
+    );
 
     log::debug!("Kernel image digest: sha2-256:{}", hex::encode(kernel_info.measurement));
     log::debug!("Kernel setup data digest: sha2-256:{}", hex::encode(setup_data_sha2_256_digest));
     log::debug!("Kernel command-line: {}", cmdline);
     log::debug!("Initial RAM disk digest: sha2-256:{}", hex::encode(ram_disk_sha2_256_digest));
     log::debug!("ACPI table generation digest: sha2-256:{}", hex::encode(acpi_sha2_256_digest));
     log::debug!("E820 table digest: sha2-256:{}", hex::encode(memory_map_sha2_256_digest));
+    log::debug!("Event Log digest: sha2-256:{}", hex::encode(eventlog_sha2_256_digest));
 
     // TODO: b/331252282 - Remove temporary workaround for cmd line length.
     let cmdline_max_len = 256;
@@ -341,6 +352,7 @@ pub fn rust64_start(encrypted: u64) -> ! {
         ram_disk_sha2_256_digest,
         setup_data_sha2_256_digest,
         memory_map_sha2_256_digest,
+        eventlog_sha2_256_digest,
     };
 
     let tee_platform = if sev_status().contains(SevStatus::SNP_ACTIVE) {

diff --git a/stage0_dice/src/lib.rs b/stage0_dice/src/lib.rs
@@ -31,7 +31,7 @@ use hkdf::Hkdf;
 use oak_dice::{
     cert::{
         derive_verifying_key_id, generate_ecdsa_key_pair, generate_signing_certificate,
-        verifying_key_to_cose_key, ACPI_MEASUREMENT_ID, INITRD_MEASUREMENT_ID,
+        verifying_key_to_cose_key, ACPI_MEASUREMENT_ID, EVENT_ID, INITRD_MEASUREMENT_ID,
         KERNEL_COMMANDLINE_ID, KERNEL_COMMANDLINE_MEASUREMENT_ID, KERNEL_LAYER_ID,
         KERNEL_MEASUREMENT_ID, MEMORY_MAP_MEASUREMENT_ID, SETUP_DATA_MEASUREMENT_ID, SHA2_256_ID,
     },
@@ -62,6 +62,8 @@ pub struct Measurements {
     /// The concatenated measurement of the command used for building the ACPI
     /// tables.
     pub acpi_sha2_256_digest: [u8; 32],
+    /// Eventlog measurement containing the hashes of other components
+    pub eventlog_sha2_256_digest: [u8; 32],
 }
 
 /// Generates an ECA certificate for use by the next boot stage (Stage 1).
@@ -72,57 +74,66 @@ fn generate_stage1_certificate(
 ) -> (CoseSign1, SigningKey) {
     // Generate additional claims to cover the measurements.
 
-    let additional_claims = vec![(
-        ClaimName::PrivateUse(KERNEL_LAYER_ID),
-        Value::Map(vec![
-            (
-                Value::Integer(KERNEL_MEASUREMENT_ID.into()),
-                Value::Map(alloc::vec![(
-                    Value::Integer(SHA2_256_ID.into()),
-                    Value::Bytes(measurements.kernel_sha2_256_digest.into()),
-                )]),
-            ),
-            (
-                Value::Integer(KERNEL_COMMANDLINE_MEASUREMENT_ID.into()),
-                Value::Map(alloc::vec![(
-                    Value::Integer(SHA2_256_ID.into()),
-                    Value::Bytes(measurements.cmdline_sha2_256_digest.into()),
-                )]),
-            ),
-            (
-                Value::Integer(KERNEL_COMMANDLINE_ID.into()),
-                Value::Text(measurements.cmdline.clone()),
-            ),
-            (
-                Value::Integer(SETUP_DATA_MEASUREMENT_ID.into()),
-                Value::Map(alloc::vec![(
-                    Value::Integer(SHA2_256_ID.into()),
-                    Value::Bytes(measurements.setup_data_sha2_256_digest.into()),
-                )]),
-            ),
-            (
-                Value::Integer(INITRD_MEASUREMENT_ID.into()),
-                Value::Map(alloc::vec![(
-                    Value::Integer(SHA2_256_ID.into()),
-                    Value::Bytes(measurements.ram_disk_sha2_256_digest.into()),
-                )]),
-            ),
-            (
-                Value::Integer(MEMORY_MAP_MEASUREMENT_ID.into()),
-                Value::Map(alloc::vec![(
-                    Value::Integer(SHA2_256_ID.into()),
-                    Value::Bytes(measurements.memory_map_sha2_256_digest.into()),
-                )]),
-            ),
-            (
-                Value::Integer(ACPI_MEASUREMENT_ID.into()),
-                Value::Map(alloc::vec![(
-                    Value::Integer(SHA2_256_ID.into()),
-                    Value::Bytes(measurements.acpi_sha2_256_digest.into()),
-                )]),
-            ),
-        ]),
-    )];
+    let additional_claims = vec![
+        (
+            ClaimName::PrivateUse(KERNEL_LAYER_ID),
+            Value::Map(vec![
+                (
+                    Value::Integer(KERNEL_MEASUREMENT_ID.into()),
+                    Value::Map(alloc::vec![(
+                        Value::Integer(SHA2_256_ID.into()),
+                        Value::Bytes(measurements.kernel_sha2_256_digest.into()),
+                    )]),
+                ),
+                (
+                    Value::Integer(KERNEL_COMMANDLINE_MEASUREMENT_ID.into()),
+                    Value::Map(alloc::vec![(
+                        Value::Integer(SHA2_256_ID.into()),
+                        Value::Bytes(measurements.cmdline_sha2_256_digest.into()),
+                    )]),
+                ),
+                (
+                    Value::Integer(KERNEL_COMMANDLINE_ID.into()),
+                    Value::Text(measurements.cmdline.clone()),
+                ),
+                (
+                    Value::Integer(SETUP_DATA_MEASUREMENT_ID.into()),
+                    Value::Map(alloc::vec![(
+                        Value::Integer(SHA2_256_ID.into()),
+                        Value::Bytes(measurements.setup_data_sha2_256_digest.into()),
+                    )]),
+                ),
+                (
+                    Value::Integer(INITRD_MEASUREMENT_ID.into()),
+                    Value::Map(alloc::vec![(
+                        Value::Integer(SHA2_256_ID.into()),
+                        Value::Bytes(measurements.ram_disk_sha2_256_digest.into()),
+                    )]),
+                ),
+                (
+                    Value::Integer(MEMORY_MAP_MEASUREMENT_ID.into()),
+                    Value::Map(alloc::vec![(
+                        Value::Integer(SHA2_256_ID.into()),
+                        Value::Bytes(measurements.memory_map_sha2_256_digest.into()),
+                    )]),
+                ),
+                (
+                    Value::Integer(ACPI_MEASUREMENT_ID.into()),
+                    Value::Map(alloc::vec![(
+                        Value::Integer(SHA2_256_ID.into()),
+                        Value::Bytes(measurements.acpi_sha2_256_digest.into()),
+                    )]),
+                ),
+            ]),
+        ),
+        (
+            ClaimName::PrivateUse(EVENT_ID),
+            Value::Map(alloc::vec![(
+                Value::Integer(SHA2_256_ID.into()),
+                Value::Bytes(measurements.eventlog_sha2_256_digest.into()),
+            )]),
+        ),
+    ];
 
     let (signing_key, verifying_key) = generate_ecdsa_key_pair();
     (