Merge pull request #81 from deeglaze/moreuuids

Add CertTableOptions for "extra" certs
google · Sep 19, 2023 · 28d8e00 · 28d8e00
2 parents a6bdd4c + b6001c9
commit 28d8e00
Show file tree

Hide file tree

Showing 9 changed files with 245 additions and 89 deletions.
diff --git a/abi/abi.go b/abi/abi.go
@@ -22,7 +22,6 @@ import (
 	"fmt"
 	"math/big"
 
-	"github.com/google/go-sev-guest/gce"
 	pb "github.com/google/go-sev-guest/proto/sevsnp"
 	"github.com/google/logger"
 	"github.com/pborman/uuid"
@@ -769,33 +768,36 @@ func (c *CertTable) GetByGUIDString(guid string) ([]byte, error) {
 // so missing certificates aren't an error. If certificates are missing, you can
 // choose to fetch them yourself by calling verify.GetAttestationFromReport.
 func (c *CertTable) Proto() *pb.CertificateChain {
-	var vcek, vlek, ask, ark []byte
-	var err, cerr, lerr error
-	// Whereas a host is permitted to populate its certificate chain blob with both a VCEK and VLEK
-	// certificate, doing so is unusual since the choice of VCEK vs VLEK is an infrastructural choice.
-	// To keep the implementation clean, we don't pun vcek and vlek in the same field.
-	vcek, cerr = c.GetByGUIDString(VcekGUID)
-	vlek, lerr = c.GetByGUIDString(VlekGUID)
-	if cerr != nil && lerr != nil {
+	vcekGUID := uuid.Parse(VcekGUID)
+	vlekGUID := uuid.Parse(VlekGUID)
+	askGUID := uuid.Parse(AskGUID)
+	arkGUID := uuid.Parse(ArkGUID)
+	result := &pb.CertificateChain{Extras: make(map[string][]byte)}
+	for _, entry := range c.Entries {
+		switch {
+		case uuid.Equal(entry.GUID, vcekGUID):
+			result.VcekCert = entry.RawCert
+		case uuid.Equal(entry.GUID, vlekGUID):
+			result.VlekCert = entry.RawCert
+		case uuid.Equal(entry.GUID, askGUID):
+			result.AskCert = entry.RawCert
+		case uuid.Equal(entry.GUID, arkGUID):
+			result.ArkCert = entry.RawCert
+		default:
+			result.Extras[entry.GUID.String()] = entry.RawCert
+		}
+	}
+	if (result.VcekCert == nil) && (result.VlekCert == nil) {
 		logger.Warning("Warning: Neither VCEK nor VLEK certificate found in data pages")
 	}
 
-	ask, err = c.GetByGUIDString(AskGUID)
-	if err != nil {
-		logger.Warningf("ASK certificate not found in data pages: %v", err)
-	}
-	ark, err = c.GetByGUIDString(ArkGUID)
-	if err != nil {
-		logger.Warningf("ARK certificate not found in data pages: %v", err)
+	if result.AskCert == nil {
+		logger.Warningf("ASK certificate not found in data pages")
 	}
-	firmware, _ := c.GetByGUIDString(gce.FirmwareCertGUID)
-	return &pb.CertificateChain{
-		VcekCert:     vcek,
-		VlekCert:     vlek,
-		AskCert:      ask,
-		ArkCert:      ark,
-		FirmwareCert: firmware,
+	if result.ArkCert == nil {
+		logger.Warningf("ARK certificate not found in data pages")
 	}
+	return result
 }
 
 // cpuid returns the 4 register results of CPUID[EAX=op,ECX=0].

diff --git a/abi/abi_test.go b/abi/abi_test.go
@@ -15,11 +15,14 @@
 package abi
 
 import (
+	"bytes"
+	"encoding/hex"
 	"math/rand"
 	"strings"
 	"testing"
 
 	spb "github.com/google/go-sev-guest/proto/sevsnp"
+	"github.com/pborman/uuid"
 	"google.golang.org/protobuf/encoding/prototext"
 )
 
@@ -208,3 +211,52 @@ func TestSnpPlatformInfo(t *testing.T) {
 		}
 	}
 }
+
+func TestCertTableProto(t *testing.T) {
+	headers := make([]CertTableHeaderEntry, 6) // ARK, ASK, VCEK, VLEK, extra, NULL
+	arkraw := []byte("ark")
+	askraw := []byte("ask")
+	vcekraw := []byte("vcek")
+	vlekraw := []byte("vlek")
+	extraraw := []byte("extra")
+	headers[0].GUID = uuid.Parse(ArkGUID)
+	headers[0].Offset = uint32(len(headers) * CertTableEntrySize)
+	headers[0].Length = uint32(len(arkraw))
+
+	headers[1].GUID = uuid.Parse(AskGUID)
+	headers[1].Offset = headers[0].Offset + headers[0].Length
+	headers[1].Length = uint32(len(askraw))
+
+	headers[2].GUID = uuid.Parse(VcekGUID)
+	headers[2].Offset = headers[1].Offset + headers[1].Length
+	headers[2].Length = uint32(len(vcekraw))
+
+	headers[3].GUID = uuid.Parse(VlekGUID)
+	headers[3].Offset = headers[2].Offset + headers[2].Length
+	headers[3].Length = uint32(len(vlekraw))
+
+	extraGUID := "00000000-0000-c0de-0000-000000000000"
+	headers[4].GUID = uuid.Parse(extraGUID)
+	headers[4].Offset = headers[3].Offset + headers[3].Length
+	headers[4].Length = uint32(len(extraraw))
+
+	result := make([]byte, headers[4].Offset+headers[4].Length)
+	for i, cert := range [][]byte{arkraw, askraw, vcekraw, vlekraw, extraraw} {
+		if err := (&headers[i]).Write(result[i*CertTableEntrySize:]); err != nil {
+			t.Fatalf("could not write header %d: %v", i, err)
+		}
+		copy(result[headers[i].Offset:], cert)
+	}
+	c := new(CertTable)
+	if err := c.Unmarshal(result); err != nil {
+		t.Errorf("c.Unmarshal(%s) = %v, want nil", hex.Dump(result), err)
+	}
+	p := c.Proto()
+	if len(p.Extras) != 1 {
+		t.Fatalf("got cert table Extras length %d, want 1", len(p.Extras))
+	}
+	gotExtra, ok := p.Extras[extraGUID]
+	if !ok || !bytes.Equal(gotExtra, extraraw) {
+		t.Fatalf("Extras[%q] = %v, want %v", extraGUID, gotExtra, extraraw)
+	}
+}
diff --git a/gce/gce.go b/gce/gce.go
diff --git a/proto/check/check.pb.go b/proto/check/check.pb.go
diff --git a/proto/fakekds/fakekds.pb.go b/proto/fakekds/fakekds.pb.go
diff --git a/proto/sevsnp.proto b/proto/sevsnp.proto
@@ -72,7 +72,10 @@ message CertificateChain {
 
   // A certificate the host may inject to endorse the measurement of the
   // firmware.
-  bytes firmware_cert = 4;
+  bytes firmware_cert = 4 [deprecated = true];
+
+  // Non-standard certificates the host may inject.
+  map<string, bytes> extras = 7;
 }
 
 // The CPUID[EAX=1] version information includes product info as described in

diff --git a/proto/sevsnp/sevsnp.pb.go b/proto/sevsnp/sevsnp.pb.go