From bcb942f320c141bd24523fc3d5eed00410a228c3 Mon Sep 17 00:00:00 2001 From: Sourav Dasgupta Date: Thu, 23 May 2024 23:14:34 -0700 Subject: [PATCH] Add Eventlog as evidence to CWT certificate. Change-Id: I58540762720e643318e208e0723b68651e928291 --- oak_dice/src/cert.rs | 2 + stage0/src/lib.rs | 12 +++++ stage0_dice/src/lib.rs | 115 ++++++++++++++++++++++------------------- 3 files changed, 77 insertions(+), 52 deletions(-) diff --git a/oak_dice/src/cert.rs b/oak_dice/src/cert.rs index ac381f1298c..e8aa73aac3b 100644 --- a/oak_dice/src/cert.rs +++ b/oak_dice/src/cert.rs @@ -71,6 +71,8 @@ pub const LAYER_3_CODE_MEASUREMENT_ID: i64 = -4670569; pub const FINAL_LAYER_CONFIG_MEASUREMENT_ID: i64 = -4670570; /// The CWT private claim ID for SHA2_256 digests. pub const SHA2_256_ID: i64 = -4670572; +/// The CWT private claim ID of the Event. +pub const EVENT_ID: i64 = -4670573; /// String to be used as salt for generating Key IDs. const ID_SALT: &[u8] = b"DICE_ID_SALT"; diff --git a/stage0/src/lib.rs b/stage0/src/lib.rs index 9b68e5559f1..932bf4899a5 100644 --- a/stage0/src/lib.rs +++ b/stage0/src/lib.rs @@ -319,6 +319,16 @@ pub fn rust64_start(encrypted: u64) -> ! { }; let event_log_proto = generate_event_log(stage0event); + let event_type_url_str = event_log_proto.events[0].event.as_ref().unwrap().type_url.as_str(); + let eventlog_sha2_256_digest = measure_byte_slice( + format!( + "{}{}{:?}", + event_type_url_str.len(), + event_type_url_str, + event_log_proto.events[0].event.as_ref().unwrap().value.as_bytes() + ) + .as_bytes(), + ); log::debug!("Kernel image digest: sha2-256:{}", hex::encode(kernel_info.measurement)); log::debug!("Kernel setup data digest: sha2-256:{}", hex::encode(setup_data_sha2_256_digest)); @@ -326,6 +336,7 @@ pub fn rust64_start(encrypted: u64) -> ! { log::debug!("Initial RAM disk digest: sha2-256:{}", hex::encode(ram_disk_sha2_256_digest)); log::debug!("ACPI table generation digest: sha2-256:{}", hex::encode(acpi_sha2_256_digest)); log::debug!("E820 table digest: sha2-256:{}", hex::encode(memory_map_sha2_256_digest)); + log::debug!("Event Log digest: sha2-256:{}", hex::encode(eventlog_sha2_256_digest)); // TODO: b/331252282 - Remove temporary workaround for cmd line length. let cmdline_max_len = 256; @@ -341,6 +352,7 @@ pub fn rust64_start(encrypted: u64) -> ! { ram_disk_sha2_256_digest, setup_data_sha2_256_digest, memory_map_sha2_256_digest, + eventlog_sha2_256_digest, }; let tee_platform = if sev_status().contains(SevStatus::SNP_ACTIVE) { diff --git a/stage0_dice/src/lib.rs b/stage0_dice/src/lib.rs index b39cefa587c..6781282fdf5 100644 --- a/stage0_dice/src/lib.rs +++ b/stage0_dice/src/lib.rs @@ -31,7 +31,7 @@ use hkdf::Hkdf; use oak_dice::{ cert::{ derive_verifying_key_id, generate_ecdsa_key_pair, generate_signing_certificate, - verifying_key_to_cose_key, ACPI_MEASUREMENT_ID, INITRD_MEASUREMENT_ID, + verifying_key_to_cose_key, ACPI_MEASUREMENT_ID, EVENT_ID, INITRD_MEASUREMENT_ID, KERNEL_COMMANDLINE_ID, KERNEL_COMMANDLINE_MEASUREMENT_ID, KERNEL_LAYER_ID, KERNEL_MEASUREMENT_ID, MEMORY_MAP_MEASUREMENT_ID, SETUP_DATA_MEASUREMENT_ID, SHA2_256_ID, }, @@ -62,6 +62,8 @@ pub struct Measurements { /// The concatenated measurement of the command used for building the ACPI /// tables. pub acpi_sha2_256_digest: [u8; 32], + /// Eventlog measurement containing the hashes of other components + pub eventlog_sha2_256_digest: [u8; 32], } /// Generates an ECA certificate for use by the next boot stage (Stage 1). @@ -72,57 +74,66 @@ fn generate_stage1_certificate( ) -> (CoseSign1, SigningKey) { // Generate additional claims to cover the measurements. - let additional_claims = vec![( - ClaimName::PrivateUse(KERNEL_LAYER_ID), - Value::Map(vec![ - ( - Value::Integer(KERNEL_MEASUREMENT_ID.into()), - Value::Map(alloc::vec![( - Value::Integer(SHA2_256_ID.into()), - Value::Bytes(measurements.kernel_sha2_256_digest.into()), - )]), - ), - ( - Value::Integer(KERNEL_COMMANDLINE_MEASUREMENT_ID.into()), - Value::Map(alloc::vec![( - Value::Integer(SHA2_256_ID.into()), - Value::Bytes(measurements.cmdline_sha2_256_digest.into()), - )]), - ), - ( - Value::Integer(KERNEL_COMMANDLINE_ID.into()), - Value::Text(measurements.cmdline.clone()), - ), - ( - Value::Integer(SETUP_DATA_MEASUREMENT_ID.into()), - Value::Map(alloc::vec![( - Value::Integer(SHA2_256_ID.into()), - Value::Bytes(measurements.setup_data_sha2_256_digest.into()), - )]), - ), - ( - Value::Integer(INITRD_MEASUREMENT_ID.into()), - Value::Map(alloc::vec![( - Value::Integer(SHA2_256_ID.into()), - Value::Bytes(measurements.ram_disk_sha2_256_digest.into()), - )]), - ), - ( - Value::Integer(MEMORY_MAP_MEASUREMENT_ID.into()), - Value::Map(alloc::vec![( - Value::Integer(SHA2_256_ID.into()), - Value::Bytes(measurements.memory_map_sha2_256_digest.into()), - )]), - ), - ( - Value::Integer(ACPI_MEASUREMENT_ID.into()), - Value::Map(alloc::vec![( - Value::Integer(SHA2_256_ID.into()), - Value::Bytes(measurements.acpi_sha2_256_digest.into()), - )]), - ), - ]), - )]; + let additional_claims = vec![ + ( + ClaimName::PrivateUse(KERNEL_LAYER_ID), + Value::Map(vec![ + ( + Value::Integer(KERNEL_MEASUREMENT_ID.into()), + Value::Map(alloc::vec![( + Value::Integer(SHA2_256_ID.into()), + Value::Bytes(measurements.kernel_sha2_256_digest.into()), + )]), + ), + ( + Value::Integer(KERNEL_COMMANDLINE_MEASUREMENT_ID.into()), + Value::Map(alloc::vec![( + Value::Integer(SHA2_256_ID.into()), + Value::Bytes(measurements.cmdline_sha2_256_digest.into()), + )]), + ), + ( + Value::Integer(KERNEL_COMMANDLINE_ID.into()), + Value::Text(measurements.cmdline.clone()), + ), + ( + Value::Integer(SETUP_DATA_MEASUREMENT_ID.into()), + Value::Map(alloc::vec![( + Value::Integer(SHA2_256_ID.into()), + Value::Bytes(measurements.setup_data_sha2_256_digest.into()), + )]), + ), + ( + Value::Integer(INITRD_MEASUREMENT_ID.into()), + Value::Map(alloc::vec![( + Value::Integer(SHA2_256_ID.into()), + Value::Bytes(measurements.ram_disk_sha2_256_digest.into()), + )]), + ), + ( + Value::Integer(MEMORY_MAP_MEASUREMENT_ID.into()), + Value::Map(alloc::vec![( + Value::Integer(SHA2_256_ID.into()), + Value::Bytes(measurements.memory_map_sha2_256_digest.into()), + )]), + ), + ( + Value::Integer(ACPI_MEASUREMENT_ID.into()), + Value::Map(alloc::vec![( + Value::Integer(SHA2_256_ID.into()), + Value::Bytes(measurements.acpi_sha2_256_digest.into()), + )]), + ), + ]), + ), + ( + ClaimName::PrivateUse(EVENT_ID), + Value::Map(alloc::vec![( + Value::Integer(SHA2_256_ID.into()), + Value::Bytes(measurements.eventlog_sha2_256_digest.into()), + )]), + ), + ]; let (signing_key, verifying_key) = generate_ecdsa_key_pair(); (