Extract reference value test utils so they can be used in explainatio…

…n library tests Bug: 335457019 Change-Id: I75ae17efeafa193c10b52ebfb6998d1cf261fab7
project-oak · May 2, 2024 · eb8311b · eb8311b
1 parent 1adcfc0
commit eb8311b
Show file tree

Hide file tree

Showing 7 changed files with 330 additions and 248 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -12,6 +12,7 @@ members = [
   "oak_attestation_explain_cli",
   "oak_attestation_integration_tests",
   "oak_attestation_verification",
+  "oak_attestation_verification_test_utils",
   "oak_channel",
   "oak_client",
   "oak_containers_hello_world_trusted_app",
@@ -104,6 +105,7 @@ micro_rpc_build = { path = "./micro_rpc_build" }
 oak_attestation = { path = "./oak_attestation" }
 oak_attestation_explain = { path = "./oak_attestation_explain" }
 oak_attestation_verification = { path = "./oak_attestation_verification" }
+oak_attestation_verification_test_utils = { path = "./oak_attestation_verification_test_utils" }
 oak_channel = { path = "./oak_channel" }
 oak_client = { path = "./oak_client" }
 oak_containers_orchestrator = { path = "./oak_containers_orchestrator" }

diff --git a/oak_attestation_verification/Cargo.toml b/oak_attestation_verification/Cargo.toml
@@ -46,3 +46,6 @@ time = { version = "0.3.28", default-features = false, features = [
 ] }
 x509-cert = { version = "0.2.5", default-features = false, features = ["pem"] }
 zerocopy = "*"
+
+[dev-dependencies]
+oak_attestation_verification_test_utils = { workspace = true }
diff --git a/oak_attestation_verification/tests/verifier_tests.rs b/oak_attestation_verification/tests/verifier_tests.rs
@@ -20,20 +20,19 @@ use oak_attestation_verification::{
     util::convert_pem_to_raw,
     verifier::{to_attestation_results, verify, verify_dice_chain},
 };
+use oak_attestation_verification_test_utils::{
+    create_containers_reference_values, create_rk_reference_values, reference_values_from_evidence,
+};
 use oak_proto_rust::oak::{
     attestation::v1::{
         attestation_results::Status, binary_reference_value, extracted_evidence::EvidenceValues,
         kernel_binary_reference_value, reference_values, root_layer_data::Report,
-        text_reference_value, AmdSevReferenceValues, ApplicationLayerEndorsements,
-        ApplicationLayerReferenceValues, BinaryReferenceValue, ContainerLayerEndorsements,
-        ContainerLayerReferenceValues, Digests, EndorsementReferenceValue, Endorsements, Evidence,
-        ExtractedEvidence, InsecureReferenceValues, KernelBinaryReferenceValue, KernelDigests,
-        KernelLayerData, KernelLayerEndorsements, KernelLayerReferenceValues,
-        OakContainersEndorsements, OakContainersReferenceValues, OakRestrictedKernelEndorsements,
-        OakRestrictedKernelReferenceValues, ReferenceValues, Regex, RootLayerData,
-        RootLayerEndorsements, RootLayerReferenceValues, SkipVerification, StringLiterals,
-        SystemLayerEndorsements, SystemLayerReferenceValues, TcbVersion, TextReferenceValue,
-        TransparentReleaseEndorsement,
+        text_reference_value, ApplicationLayerEndorsements, BinaryReferenceValue,
+        ContainerLayerEndorsements, Digests, EndorsementReferenceValue, Endorsements, Evidence,
+        InsecureReferenceValues, KernelLayerEndorsements, OakContainersEndorsements,
+        OakRestrictedKernelEndorsements, ReferenceValues, Regex, RootLayerEndorsements,
+        RootLayerReferenceValues, SkipVerification, SystemLayerEndorsements, TcbVersion,
+        TextReferenceValue, TransparentReleaseEndorsement,
     },
     RawDigest,
 };
@@ -149,244 +148,6 @@ fn create_rk_endorsements() -> Endorsements {
     }
 }
 
-// Creates valid reference values for an Oak Containers chain.
-fn create_containers_reference_values() -> ReferenceValues {
-    let skip = BinaryReferenceValue {
-        r#type: Some(binary_reference_value::Type::Skip(SkipVerification {})),
-    };
-
-    let amd_sev = AmdSevReferenceValues {
-        min_tcb_version: Some(TcbVersion { boot_loader: 0, tee: 0, snp: 0, microcode: 0 }),
-        allow_debug: false,
-        // See b/327069120: Do not skip over stage0.
-        stage0: Some(skip.clone()),
-    };
-
-    let root_layer = RootLayerReferenceValues { amd_sev: Some(amd_sev), ..Default::default() };
-    #[allow(deprecated)]
-    let kernel_layer = KernelLayerReferenceValues {
-        kernel: Some(KernelBinaryReferenceValue {
-            r#type: Some(kernel_binary_reference_value::Type::Skip(SkipVerification {})),
-        }),
-        kernel_setup_data: None,
-        kernel_image: None,
-        kernel_cmd_line: None,
-        kernel_cmd_line_regex: None,
-        kernel_cmd_line_text: Some(TextReferenceValue {
-            r#type: Some(text_reference_value::Type::StringLiterals(StringLiterals {
-                value: vec![String::from(
-                    "console=ttyS0 panic=-1 earlycon=uart,io,0x3F8 brd.rd_nr=1 brd.rd_size=3072000 brd.max_part=1 ip=10.0.2.15:::255.255.255.0::eth0:off net.ifnames=0 quiet",
-                )],
-            })),
-        }),
-        init_ram_fs: Some(skip.clone()),
-        memory_map: Some(skip.clone()),
-        acpi: Some(skip.clone()),
-    };
-    let system_layer = SystemLayerReferenceValues { system_image: Some(skip.clone()) };
-    let container_layer = ContainerLayerReferenceValues {
-        binary: Some(skip.clone()),
-        configuration: Some(skip.clone()),
-    };
-    let vs = OakContainersReferenceValues {
-        root_layer: Some(root_layer),
-        kernel_layer: Some(kernel_layer),
-        system_layer: Some(system_layer),
-        container_layer: Some(container_layer),
-    };
-    ReferenceValues { r#type: Some(reference_values::Type::OakContainers(vs)) }
-}
-
-// Creates valid reference values for a restricted kernel application.
-fn create_rk_reference_values() -> ReferenceValues {
-    let skip = BinaryReferenceValue {
-        r#type: Some(binary_reference_value::Type::Skip(SkipVerification {})),
-    };
-
-    let amd_sev = AmdSevReferenceValues {
-        min_tcb_version: Some(TcbVersion { boot_loader: 0, tee: 0, snp: 0, microcode: 0 }),
-        allow_debug: false,
-        // See b/327069120: Do not skip over stage0.
-        stage0: Some(skip.clone()),
-    };
-
-    let root_layer = RootLayerReferenceValues { amd_sev: Some(amd_sev), ..Default::default() };
-    #[allow(deprecated)]
-    let kernel_layer = KernelLayerReferenceValues {
-        kernel: Some(KernelBinaryReferenceValue {
-            r#type: Some(kernel_binary_reference_value::Type::Skip(SkipVerification {})),
-        }),
-        kernel_setup_data: None,
-        kernel_image: None,
-        kernel_cmd_line: None,
-        kernel_cmd_line_regex: None,
-        kernel_cmd_line_text: Some(TextReferenceValue {
-            r#type: Some(text_reference_value::Type::StringLiterals(StringLiterals {
-                value: vec![String::from("console=ttyS0")],
-            })),
-        }),
-        init_ram_fs: Some(skip.clone()),
-        memory_map: Some(skip.clone()),
-        acpi: Some(skip.clone()),
-    };
-    let application_layer = ApplicationLayerReferenceValues {
-        binary: Some(skip.clone()),
-        configuration: Some(skip.clone()),
-    };
-    let vs = OakRestrictedKernelReferenceValues {
-        root_layer: Some(root_layer),
-        kernel_layer: Some(kernel_layer),
-        application_layer: Some(application_layer),
-    };
-    ReferenceValues { r#type: Some(reference_values::Type::OakRestrictedKernel(vs)) }
-}
-
-fn reference_values_from_evidence(evidence: ExtractedEvidence) -> ReferenceValues {
-    let r#type = match evidence.evidence_values.expect("no evidence") {
-        EvidenceValues::OakRestrictedKernel(rk) => {
-            let application = rk.application_layer.expect("no application layer evidence");
-            let config = application.config.expect("no application config digest");
-            Some(reference_values::Type::OakRestrictedKernel(OakRestrictedKernelReferenceValues {
-                root_layer: Some(root_layer_reference_values_from_evidence(
-                    rk.root_layer.expect("no root layer evidence"),
-                )),
-                kernel_layer: Some(kernel_layer_reference_values_from_evidence(
-                    rk.kernel_layer.expect("no kernel layer evidence"),
-                )),
-                application_layer: Some(ApplicationLayerReferenceValues {
-                    binary: Some(BinaryReferenceValue {
-                        r#type: Some(binary_reference_value::Type::Digests(Digests {
-                            digests: vec![
-                                application.binary.expect("no application binary digest"),
-                            ],
-                        })),
-                    }),
-                    // We don't currently specify configuration values for Oak Containers
-                    // applications, so skip for now if the sha2_256 value is empty.
-                    configuration: if config.sha2_256.is_empty() {
-                        Some(BinaryReferenceValue {
-                            r#type: Some(binary_reference_value::Type::Skip(SkipVerification {})),
-                        })
-                    } else {
-                        Some(BinaryReferenceValue {
-                            r#type: Some(binary_reference_value::Type::Digests(Digests {
-                                digests: vec![config],
-                            })),
-                        })
-                    },
-                }),
-            }))
-        }
-        EvidenceValues::OakContainers(oc) => {
-            let system = oc.system_layer.expect("no system layer evidence");
-            let container = oc.container_layer.expect("no container layer evidence");
-            Some(reference_values::Type::OakContainers(OakContainersReferenceValues {
-                root_layer: Some(root_layer_reference_values_from_evidence(
-                    oc.root_layer.expect("no root layer evidence"),
-                )),
-                kernel_layer: Some(kernel_layer_reference_values_from_evidence(
-                    oc.kernel_layer.expect("no kernel layer evidence"),
-                )),
-                system_layer: Some(SystemLayerReferenceValues {
-                    system_image: Some(BinaryReferenceValue {
-                        r#type: Some(binary_reference_value::Type::Digests(Digests {
-                            digests: vec![system.system_image.expect("no system image digest")],
-                        })),
-                    }),
-                }),
-                container_layer: Some(ContainerLayerReferenceValues {
-                    binary: Some(BinaryReferenceValue {
-                        r#type: Some(binary_reference_value::Type::Digests(Digests {
-                            digests: vec![container.bundle.expect("no container bundle digest")],
-                        })),
-                    }),
-                    configuration: Some(BinaryReferenceValue {
-                        r#type: Some(binary_reference_value::Type::Digests(Digests {
-                            digests: vec![container.config.expect("no container config digest")],
-                        })),
-                    }),
-                }),
-            }))
-        }
-        EvidenceValues::Cb(_) => panic!("not yet supported"),
-    };
-    ReferenceValues { r#type }
-}
-
-fn root_layer_reference_values_from_evidence(
-    root_layer: RootLayerData,
-) -> RootLayerReferenceValues {
-    let amd_sev = root_layer.report.clone().and_then(|report| match report {
-        Report::SevSnp(r) => Some(AmdSevReferenceValues {
-            min_tcb_version: r.current_tcb,
-            stage0: Some(BinaryReferenceValue {
-                r#type: Some(binary_reference_value::Type::Digests(Digests {
-                    digests: vec![RawDigest {
-                        sha2_384: r.initial_measurement,
-                        ..Default::default()
-                    }],
-                })),
-            }),
-            allow_debug: r.debug,
-        }),
-        _ => None,
-    });
-    let intel_tdx = if let Some(Report::Tdx(_)) = root_layer.report.clone() {
-        panic!("not yet supported");
-    } else {
-        None
-    };
-    let insecure = root_layer.report.and_then(|report| match report {
-        Report::Fake(_) => Some(InsecureReferenceValues {}),
-        _ => None,
-    });
-    RootLayerReferenceValues { amd_sev, intel_tdx, insecure }
-}
-
-fn kernel_layer_reference_values_from_evidence(
-    kernel_layer: KernelLayerData,
-) -> KernelLayerReferenceValues {
-    #[allow(deprecated)]
-    KernelLayerReferenceValues {
-        kernel: Some(KernelBinaryReferenceValue {
-            r#type: Some(kernel_binary_reference_value::Type::Digests(KernelDigests {
-                image: Some(Digests {
-                    digests: vec![kernel_layer.kernel_image.expect("no kernel image digest")],
-                }),
-                setup_data: Some(Digests {
-                    digests: vec![
-                        kernel_layer.kernel_setup_data.expect("no kernel setup data digest"),
-                    ],
-                }),
-            })),
-        }),
-        kernel_setup_data: None,
-        kernel_image: None,
-        kernel_cmd_line: None,
-        kernel_cmd_line_regex: None,
-        kernel_cmd_line_text: Some(TextReferenceValue {
-            r#type: Some(text_reference_value::Type::StringLiterals(StringLiterals {
-                value: vec![kernel_layer.kernel_raw_cmd_line.expect("no kernel command-line")],
-            })),
-        }),
-        init_ram_fs: Some(BinaryReferenceValue {
-            r#type: Some(binary_reference_value::Type::Digests(Digests {
-                digests: vec![kernel_layer.init_ram_fs.expect("no initial ram disk digest")],
-            })),
-        }),
-        memory_map: Some(BinaryReferenceValue {
-            r#type: Some(binary_reference_value::Type::Digests(Digests {
-                digests: vec![kernel_layer.memory_map.expect("no memory map digest")],
-            })),
-        }),
-        acpi: Some(BinaryReferenceValue {
-            r#type: Some(binary_reference_value::Type::Digests(Digests {
-                digests: vec![kernel_layer.acpi.expect("no acpi digest")],
-            })),
-        }),
-    }
-}
-
 #[test]
 fn verify_containers_succeeds() {
     let evidence = create_containers_evidence();

diff --git a/oak_attestation_verification_test_utils/BUILD b/oak_attestation_verification_test_utils/BUILD
@@ -0,0 +1,30 @@
+#
+# Copyright 2024 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+load("@rules_rust//rust:defs.bzl", "rust_library")
+
+package(
+    default_visibility = ["//visibility:public"],
+    licenses = ["notice"],
+)
+
+rust_library(
+    name = "oak_attestation_verification_test_utils",
+    srcs = glob(["src/**"]),
+    deps = [
+        "//oak_proto_rust",
+    ],
+)
diff --git a/oak_attestation_verification_test_utils/Cargo.toml b/oak_attestation_verification_test_utils/Cargo.toml
@@ -0,0 +1,11 @@
+[package]
+name = "oak_attestation_verification_test_utils"
+version = "0.1.0"
+authors = ["Juliette Pluto <[email protected]>"]
+edition = "2021"
+license = "Apache-2.0"
+description = "Shared utilities for testing"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+[dependencies]
+oak_proto_rust = { workspace = true }