Update handling of productName and add a temporary workaround #116

Merged
merged 2 commits into from
Feb 29, 2024

Conversation

deeglaze (Collaborator)

Given the CPUID mismatch between machine and certificate, any verification failures that see "0x0 is not 0x1" should add --workaround_kds_productname=true to skip Stepping comparisons.

There is some confusion in the KDS specification between product_name that's used in the URL, and productName that's used in the VCEK certificate extensions. I've changed the disparate uses of product, productString, and productName to instead always have the following meaning:

  • product should only mean *spb.SevProduct
  • productString is deprecated. Use productLine for the name of the family and model without stepping, e.g., Milan, Genoa.
  • productName should only mean the decoded IA5String value of certificate extension 1.3.6.1.4.1.3704.1.2.

There is inconsistent wording for product string arguments that leads to
some confusing input/expectation mismatches. This change not only fixes
some wording, but also allows tests that expect to validate a report's
product to only care about the product line, and not the product name,
which can include the stepping version.

The test condition relaxation allows a Milan fleet of mixed staging
values to pass verify_test.
The default value for this flag is false, since we hope to only advise a
small number of users to include this flag temporarily while the CPUID
does not match the VCEK cert productName.
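The three meanings the description separates (product as the CPUID-derived value, productLine as the family name without stepping, productName as the decoded IA5String of extension 1.3.6.1.4.1.3704.1.2) and the effect of the stepping workaround, shown in an added Go example. This is not code from go-sev-guest or from this PR: the Product type is a hypothetical stand-in for *spb.SevProduct, the certificate is constructed test data rather than an AMD-issued VCEK, and the productName format "<line>-B<digit>" (e.g. Milan-B0, with the digit taken as the stepping number) is an assumption made here for parsing, not something the PR states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// oidProductName is the VCEK extension named in the PR description; its value is an IA5String.
var oidProductName = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3704, 1, 2}

// Product is a hypothetical stand-in for *spb.SevProduct: what the verifier derives from CPUID.
type Product struct {
	Line     string // product line without stepping, e.g. "Milan", "Genoa"
	Stepping uint32 // CPUID stepping, e.g. 0x1 for B1
}

// VcekProductName finds extension 1.3.6.1.4.1.3704.1.2 and decodes its IA5String value.
func VcekProductName(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidProductName) {
			continue
		}
		var name string
		// Reject anything that is not exactly one IA5String (wrong tag, or trailing bytes).
		if rest, err := asn1.UnmarshalWithParams(ext.Value, &name, "ia5"); err != nil || len(rest) != 0 {
			return "", fmt.Errorf("productName extension is not a single IA5String: err=%v, trailing=%d", err, len(rest))
		}
		return name, nil
	}
	return "", fmt.Errorf("certificate has no productName extension %v", oidProductName)
}

// ParseProductName splits a productName into product line and stepping. The format
// "<line>-B<digit>" (e.g. "Milan-B0" -> "Milan", 0) is an assumption, not taken from the PR.
func ParseProductName(name string) (line string, stepping uint32, err error) {
	parts := strings.SplitN(name, "-", 2)
	if len(parts) != 2 || parts[0] == "" || len(parts[1]) != 2 ||
		parts[1][0] != 'B' || parts[1][1] < '0' || parts[1][1] > '9' {
		return "", 0, fmt.Errorf("unrecognized productName %q", name)
	}
	return parts[0], uint32(parts[1][1] - '0'), nil
}

// CheckProduct compares the CPUID-derived product with the VCEK productName. The product
// line must always match; stepping is compared only when skipStepping is false
// (skipStepping=true models --workaround_kds_productname=true).
func CheckProduct(reported Product, cert *x509.Certificate, skipStepping bool) error {
	name, err := VcekProductName(cert)
	if err != nil {
		return err
	}
	line, stepping, err := ParseProductName(name)
	if err != nil {
		return err
	}
	if line != reported.Line {
		return fmt.Errorf("product line mismatch: report %s, VCEK productName %s", reported.Line, name)
	}
	if !skipStepping && stepping != reported.Stepping {
		return fmt.Errorf("stepping mismatch: report 0x%x is not VCEK 0x%x", reported.Stepping, stepping)
	}
	return nil
}

// must panics on error; used only while building the constructed test data below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTestVcek builds a constructed self-signed certificate carrying the productName
// extension. It is test data, not an AMD-issued VCEK.
func newTestVcek(productName string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "constructed test VCEK"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidProductName, Value: must(asn1.MarshalWithParams(productName, "ia5"))}},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	cert := newTestVcek("Milan-B1") // the PR's scenario: cert says B1, CPUID reports stepping 0
	cpuid := Product{Line: "Milan", Stepping: 0}
	fmt.Println("strict:    ", CheckProduct(cpuid, cert, false))
	fmt.Println("workaround:", CheckProduct(cpuid, cert, true))
}
```

With the constructed certificate, the strict check fails with "report 0x0 is not VCEK 0x1" and the workaround path passes, while a product line mismatch (Genoa report against a Milan certificate) is still rejected on both paths. ParseProductName deliberately refuses a bare "Milan": that string is a productLine, not a productName, which is the distinction the description draws.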
@@ -47,7 +48,9 @@ const (
var (
// ErrMissingVlek is returned when attempting to verify a VLEK-signed report that doesn't also
// have its VLEK certificate attached.
ErrMissingVlek = errors.New("report signed with VLEK, but VLEK certificate is missing")
ErrMissingVlek = errors.New("report signed with VLEK, but VLEK certificate is missing")
workaroundStepping = flag.Bool("workaround_kds_productname", false, "If true, don't compare "+
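Review bot: the variable workaroundStepping is registered under the flag name workaround_kds_productname, so a reader grepping for the CLI flag does not find the variable and vice versa; name them consistently (e.g. workaroundKdsProductName, or a flag named after the stepping comparison it disables) and give the var a doc comment like the one ErrMissingVlek carries just above it, since this is a user-facing knob that the description says will be advised to users. Also, calling flag.Bool inside a package-level var block registers the flag on flag.CommandLine at import time, so every binary that imports this package gets the flag whether or not it calls flag.Parse; that is worth a sentence in the doc comment, and an exported option field would give library callers a way to set the workaround without going through the global FlagSet.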
Collaborator commented on this hunk:
If this defaults to false, users will still run into issues unless they explicitly set this flag. Shall this default to true until the issue is addressed?

deeglaze commented Feb 29, 2024 via email

@deeglaze deeglaze merged commit 9f91628 into google:main Feb 29, 2024
8 checks passed
@deeglaze deeglaze deleted the productstring branch February 29, 2024 19:53