Skip to content

Commit

Permalink
Clean up internal deprecated interface uses
Browse files Browse the repository at this point in the history
Packages and tests should not use deprecated fields and functions, so
fix up some newly deprecated items.

The check.proto line wrap is an internal lint change.
  • Loading branch information
deeglaze committed Feb 29, 2024
1 parent 9f91628 commit 9ce0c8f
Show file tree
Hide file tree
Showing 6 changed files with 52 additions and 44 deletions.
30 changes: 19 additions & 11 deletions kds/kds.go
Original file line number Diff line number Diff line change
Expand Up @@ -539,6 +539,14 @@ type VCEKCert struct {
TCB uint64
}

// VCEKCertProduct returns a VCEKCert with the product line set to productLine.
func VCEKCertProduct(productLine string) VCEKCert {
return VCEKCert{
Product: productLine, // TODO(Issue#114): Remove
ProductLine: productLine,
}
}

// VLEKCert represents the attestation report components represented in a KDS VLEK certificate
// request URL.
type VLEKCert struct {
Expand Down Expand Up @@ -787,23 +795,23 @@ func ProductName(product *pb.SevProduct) string {
//
// Deprecated: Use ParseProductLine
func ParseProduct(productLine string) (pb.SevProduct_SevProductName, error) {
switch productLine {
case "Milan":
return pb.SevProduct_SEV_PRODUCT_MILAN, nil
case "Genoa":
return pb.SevProduct_SEV_PRODUCT_GENOA, nil
default:
return pb.SevProduct_SEV_PRODUCT_UNKNOWN, fmt.Errorf("unknown AMD SEV product: %q", productLine)
p, err := ParseProductLine(productLine)
if err != nil {
return pb.SevProduct_SEV_PRODUCT_UNKNOWN, nil
}
return p.Name, nil
}

// ParseProductLine returns the SevProductName for a product name without the stepping suffix.
func ParseProductLine(productLine string) (*pb.SevProduct, error) {
name, err := ParseProduct(productLine)
if err != nil {
return nil, err
switch productLine {
case "Milan":
return &pb.SevProduct{Name: pb.SevProduct_SEV_PRODUCT_MILAN}, nil
case "Genoa":
return &pb.SevProduct{Name: pb.SevProduct_SEV_PRODUCT_GENOA}, nil
default:
return nil, fmt.Errorf("unknown AMD SEV product: %q", productLine)
}
return &pb.SevProduct{Name: name}, nil
}

// ParseProductName returns the KDS project input value, and the model, stepping numbers represented
Expand Down
7 changes: 6 additions & 1 deletion kds/kds_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -140,7 +140,12 @@ func TestParseVCEKCertURL(t *testing.T) {
{
name: "happy path",
url: VCEKCertURL("Milan", hwid, TCBVersion(0)),
want: VCEKCert{Product: "Milan", ProductLine: "Milan", HWID: hwid, TCB: 0},
want: func() VCEKCert {
c := VCEKCertProduct("Milan")
c.HWID = hwid
c.TCB = 0
return c
}(),
},
{
name: "bad query format",
Expand Down
3 changes: 2 additions & 1 deletion proto/check.proto
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,8 @@ message Policy {
// RootOfTrust represents configuration for which hardware root of trust
// certificates to use for verifying attestation report signatures.
message RootOfTrust {
// The expected AMD product the attestation was collected from. Default "Milan".
// The expected AMD product the attestation was collected from. Default
// "Milan".
string product = 1 [deprecated = true];

// Paths to CA bundles for the AMD product.
Expand Down
3 changes: 2 additions & 1 deletion proto/check/check.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 4 additions & 6 deletions verify/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -501,12 +501,10 @@ func decodeCerts(chain *spb.CertificateChain, key abi.ReportSigner, options *Opt
return nil, nil, err
}
if len(roots) == 0 {
root := &trust.AMDRootCerts{
Product: productLine,
// Require that the root matches embedded root certs.
AskSev: trust.DefaultRootCerts[productLine].AskSev,
ArkSev: trust.DefaultRootCerts[productLine].ArkSev,
}
root := trust.AMDRootCertsProduct(productLine)
// Require that the root matches embedded root certs.
root.AskSev = trust.DefaultRootCerts[productLine].AskSev
root.ArkSev = trust.DefaultRootCerts[productLine].ArkSev
if err := root.Decode(chain.GetAskCert(), chain.GetArkCert()); err != nil {
return nil, nil, err
}
Expand Down
43 changes: 19 additions & 24 deletions verify/verify_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,14 +79,12 @@ func TestEmbeddedCertsAppendixB3Expectations(t *testing.T) {
func TestFakeCertsKDSExpectations(t *testing.T) {
signMu.Do(initSigner)
trust.ClearProductCertCache()
root := &trust.AMDRootCerts{
Product: test.GetProductLine(),
ProductCerts: &trust.ProductCerts{
Ark: signer.Ark,
Ask: signer.Ask,
},
// No ArkSev or AskSev intentionally for test certs.
root := trust.AMDRootCertsProduct(test.GetProductLine())
root.ProductCerts = &trust.ProductCerts{
Ark: signer.Ark,
Ask: signer.Ask,
}
// No ArkSev or AskSev intentionally for test certs.
if err := validateArkX509(root); err != nil {
t.Errorf("fake ARK validation error: %v", err)
}
Expand Down Expand Up @@ -306,13 +304,14 @@ func TestKdsMetadataLogic(t *testing.T) {
// won't get tested.
options := &Options{
TrustedRoots: map[string][]*trust.AMDRootCerts{
test.GetProductLine(): {&trust.AMDRootCerts{
Product: test.GetProductLine(),
ProductCerts: &trust.ProductCerts{
test.GetProductLine(): {func() *trust.AMDRootCerts {
r := trust.AMDRootCertsProduct(test.GetProductLine())
r.ProductCerts = &trust.ProductCerts{
Ark: newSigner.Ark,
Ask: newSigner.Ask,
},
}},
}
return r
}()},
},
Now: time.Date(1, time.January, 5, 0, 0, 0, 0, time.UTC),
Product: abi.DefaultSevProduct(),
Expand Down Expand Up @@ -374,12 +373,10 @@ func TestCRLRootValidity(t *testing.T) {
},
Number: big.NewInt(1),
}
root := &trust.AMDRootCerts{
Product: test.GetProductLine(),
ProductCerts: &trust.ProductCerts{
Ark: signer.Ark,
Ask: signer.Ask,
},
root := trust.AMDRootCertsProduct(test.GetProductLine())
root.ProductCerts = &trust.ProductCerts{
Ark: signer.Ark,
Ask: signer.Ask,
}

// Now try signing a CRL with a different root that certifies Vcek with a different serial number.
Expand All @@ -398,12 +395,10 @@ func TestCRLRootValidity(t *testing.T) {
}

// Finally try checking a VCEK that's signed by a revoked ASK.
root2 := &trust.AMDRootCerts{
Product: test.GetProductLine(),
ProductCerts: &trust.ProductCerts{
Ark: signer2.Ark,
Ask: signer2.Ask,
},
root2 := trust.AMDRootCertsProduct(test.GetProductLine())
root2.ProductCerts = &trust.ProductCerts{
Ark: signer2.Ark,
Ask: signer2.Ask,
}
wantErr2 := "ASK was revoked at 2022-06-14 12:01:00 +0000 UTC"
if err := VcekNotRevoked(root2, signer2.Vcek, &Options{Getter: g2}); !test.Match(err, wantErr2) {
Expand Down

0 comments on commit 9ce0c8f

Please sign in to comment.