Handle variable report_data index sizes

fixes #61

A caller of `get_report_with_report_data()` might provide report_data of
varying sizes. We need to verify the size of the allocated nv index that
holds the report data and recreate it if necessary.

Integration tests have been added to test this on CVM hardware.

Signed-off-by: Magnus Kulke <[email protected]>

.github/workflows/rust.yml

@@ -22,29 +22,26 @@ jobs:
     - name: Install deps
       run: sudo apt-get update && sudo apt-get install -y libtss2-dev
 
-    - uses: actions-rs/toolchain@v1
+    - uses: actions-rust-lang/setup-rust-toolchain@v1
       with:
-        profile: minimal
         toolchain: stable
+        components: rustfmt, clippy
         override: true
 
-    - name: Install additional components
-      shell: bash
-      run: |
-        rustup component add rustfmt
-        rustup component add clippy
-
     - name: Build
-      run: cargo build --verbose --all
+      run: cargo build --all
 
     - name: Check verifier-only
-      run: cargo check --verbose --no-default-features --features=verifier
+      run: cargo check --no-default-features --features=verifier
 
     - name: Check attester-only
-      run: cargo check --verbose --no-default-features --features=attester
+      run: cargo check --no-default-features --features=attester
 
     - name: Run tests
-      run: cargo test --verbose --all
+      run: cargo test --all
+
+    - name: Compile integration tests
+      run: cargo test --verbose --all --features integration_test --no-run
 
     - name: Format
       run: cargo fmt --all -- --check

az-cvm-vtpm/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "az-cvm-vtpm"
-version = "0.7.0"
+version = "0.7.1"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"
@@ -48,3 +48,4 @@ thiserror = "1.0.38"
 sev = "4.0.0"
 ureq = { version = "2.6.2", default-features = false, features = ["json"] }
 zerocopy = { version = "0.7.26", features = ["derive"] }
+hex = "0.4"

az-cvm-vtpm/az-snp-vtpm/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "az-snp-vtpm"
-version = "0.7.0"
+version = "0.7.1"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"
@@ -17,7 +17,7 @@ path = "src/main.rs"
 required-features = ["attester", "verifier"]
 
 [dependencies]
-az-cvm-vtpm = { path = "..", version = "0.7.0" }
+az-cvm-vtpm = { path = "..", version = "0.7.1" }
 bincode.workspace = true
 clap.workspace = true
 openssl = { workspace = true, optional = true }
@@ -26,7 +26,12 @@ sev.workspace = true
 thiserror.workspace = true
 ureq.workspace = true
 
+[dev-dependencies]
+serde_json.workspace = true
+hex.workspace = true
+
 [features]
 default = ["attester", "verifier"]
 attester = []
 verifier = ["az-cvm-vtpm/openssl", "openssl", "ureq/tls"]
+integration_test = []

az-cvm-vtpm/az-snp-vtpm/README.md

@@ -71,3 +71,11 @@ signs ┌─  ┌─┴────────────┐ │  │ │
       └─  └─┬────────────┘ │
             └──────────────┘
 ```
+
+## Integration Tests
+
+The integration test suite can run on an SNP CVM. It needs to be executed as root and the tests have to run sequentially.
+
+```bash
+sudo -E env "PATH=$PATH" cargo t --features integration_test -- --test-threads 1
+```

az-cvm-vtpm/az-snp-vtpm/tests/integration_tests.rs

@@ -0,0 +1,49 @@
+#[cfg(feature = "integration_test")]
+mod tests {
+    use az_snp_vtpm::{hcl, report, vtpm};
+    use serde::Deserialize;
+
+    #[test]
+    fn get_report_with_varying_report_data_len() {
+        let mut report_data = "test".as_bytes();
+        vtpm::get_report_with_report_data(report_data).unwrap();
+        report_data = "test_test".as_bytes();
+        vtpm::get_report_with_report_data(report_data).unwrap();
+    }
+
+    #[derive(Deserialize, Debug)]
+    struct VarDataUserData {
+        #[serde(rename = "user-data")]
+        user_data: String,
+    }
+
+    #[test]
+    fn get_report_with_report_data() {
+        let mut report_data: [u8; 64] = [0; 64];
+        report_data[42] = 42;
+        let bytes = vtpm::get_report_with_report_data(&report_data).unwrap();
+        let hcl_report = hcl::HclReport::new(bytes).unwrap();
+        let var_data = hcl_report.var_data();
+        let VarDataUserData { user_data } = serde_json::from_slice(var_data).unwrap();
+        assert_eq!(user_data.to_lowercase(), hex::encode(report_data));
+
+        let var_data_hash = hcl_report.var_data_sha256();
+        let snp_report: report::AttestationReport = hcl_report.try_into().unwrap();
+        assert_eq!(var_data_hash, snp_report.report_data[..32]);
+    }
+
+    #[test]
+    fn get_report() {
+        let bytes = vtpm::get_report().unwrap();
+        let hcl_report = hcl::HclReport::new(bytes).unwrap();
+
+        let var_data_hash = hcl_report.var_data_sha256();
+        let snp_report: report::AttestationReport = hcl_report.try_into().unwrap();
+        assert_eq!(var_data_hash, snp_report.report_data[..32]);
+    }
+
+    #[test]
+    fn ak_pub() {
+        let _ = vtpm::get_ak_pub().unwrap();
+    }
+}

az-cvm-vtpm/az-tdx-vtpm/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "az-tdx-vtpm"
-version = "0.7.0"
+version = "0.7.1"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"
@@ -16,7 +16,7 @@ name = "tdx-vtpm"
 path = "src/main.rs"
 
 [dependencies]
-az-cvm-vtpm = { path = "..", version = "0.7.0" }
+az-cvm-vtpm = { path = "..", version = "0.7.1" }
 base64-url = "3.0.0"
 bincode.workspace = true
 serde.workspace = true
@@ -27,8 +27,10 @@ zerocopy.workspace = true
 
 [dev-dependencies]
 openssl.workspace = true
+hex.workspace = true
 
 [features]
 default = ["attester", "verifier"]
 attester = []
 verifier = ["az-cvm-vtpm/verifier"]
+integration_test =[]

az-cvm-vtpm/az-tdx-vtpm/README.md

@@ -20,3 +20,12 @@ On the TDX CVM, retrieve a TD Quote and write it to disk:
 ```bash
 sudo ./tdx-vtpm
 ```
+
+## Integration Tests
+
+The integration test suite can run on a TDX CVM. It needs to be executed as root and the tests have to run sequentially.
+
+```bash
+sudo -E env "PATH=$PATH" cargo t --features integration_test -- --test-threads 1
+```
+

az-cvm-vtpm/az-tdx-vtpm/tests/integration_tests.rs

@@ -0,0 +1,49 @@
+#[cfg(feature = "integration_test")]
+mod tests {
+    use az_tdx_vtpm::{hcl, tdx, vtpm};
+    use serde::Deserialize;
+
+    #[test]
+    fn get_report_with_varying_report_data_len() {
+        let mut report_data = "test".as_bytes();
+        vtpm::get_report_with_report_data(report_data).unwrap();
+        report_data = "test_test".as_bytes();
+        vtpm::get_report_with_report_data(report_data).unwrap();
+    }
+
+    #[derive(Deserialize, Debug)]
+    struct VarDataUserData {
+        #[serde(rename = "user-data")]
+        user_data: String,
+    }
+
+    #[test]
+    fn get_report_with_report_data() {
+        let mut report_data: [u8; 64] = [0; 64];
+        report_data[42] = 42;
+        let bytes = vtpm::get_report_with_report_data(&report_data).unwrap();
+        let hcl_report = hcl::HclReport::new(bytes).unwrap();
+        let var_data = hcl_report.var_data();
+        let VarDataUserData { user_data } = serde_json::from_slice(var_data).unwrap();
+        assert_eq!(user_data.to_lowercase(), hex::encode(report_data));
+
+        let var_data_hash = hcl_report.var_data_sha256();
+        let td_report: tdx::TdReport = hcl_report.try_into().unwrap();
+        assert_eq!(var_data_hash, td_report.report_mac.reportdata[..32]);
+    }
+
+    #[test]
+    fn get_report() {
+        let bytes = vtpm::get_report().unwrap();
+        let hcl_report = hcl::HclReport::new(bytes).unwrap();
+
+        let var_data_hash = hcl_report.var_data_sha256();
+        let td_report: tdx::TdReport = hcl_report.try_into().unwrap();
+        assert_eq!(var_data_hash, td_report.report_mac.reportdata[..32]);
+    }
+
+    #[test]
+    fn ak_pub() {
+        let _ = vtpm::get_ak_pub().unwrap();
+    }
+}