From d652595ee0d0cdd059d15a0c977818cabc1590d7 Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Thu, 15 Feb 2024 18:04:12 +0100 Subject: [PATCH] vtpm: add method to get sha256 PCRs from Quote The internal representation of the PCRs has been changed to fixed-size array. Signed-off-by: Magnus Kulke --- az-cvm-vtpm/Cargo.toml | 2 +- az-cvm-vtpm/az-snp-vtpm/Cargo.toml | 4 ++-- az-cvm-vtpm/az-tdx-vtpm/Cargo.toml | 4 ++-- az-cvm-vtpm/src/vtpm/mod.rs | 12 +++++++++--- az-cvm-vtpm/test/akpub.pem | 14 +++++++------- az-cvm-vtpm/test/quote.bin | Bin 1362 -> 1170 bytes 6 files changed, 21 insertions(+), 15 deletions(-) diff --git a/az-cvm-vtpm/Cargo.toml b/az-cvm-vtpm/Cargo.toml index 3c63359..5dd4578 100644 --- a/az-cvm-vtpm/Cargo.toml +++ b/az-cvm-vtpm/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "az-cvm-vtpm" -version = "0.5.1" +version = "0.5.2" edition = "2021" repository = "https://github.com/kinvolk/azure-cvm-tooling/" license = "MIT" diff --git a/az-cvm-vtpm/az-snp-vtpm/Cargo.toml b/az-cvm-vtpm/az-snp-vtpm/Cargo.toml index b9fcade..90d0051 100644 --- a/az-cvm-vtpm/az-snp-vtpm/Cargo.toml +++ b/az-cvm-vtpm/az-snp-vtpm/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "az-snp-vtpm" -version = "0.5.1" +version = "0.5.2" edition = "2021" repository = "https://github.com/kinvolk/azure-cvm-tooling/" license = "MIT" @@ -17,7 +17,7 @@ path = "src/main.rs" required-features = ["attester", "verifier"] [dependencies] -az-cvm-vtpm = { path = "..", version = "0.5.1" } +az-cvm-vtpm = { path = "..", version = "0.5.2" } bincode.workspace = true clap.workspace = true openssl = { workspace = true, optional = true } diff --git a/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml b/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml index f0c6e0e..34208a1 100644 --- a/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml +++ b/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "az-tdx-vtpm" -version = "0.5.1" +version = "0.5.2" edition = "2021" repository = "https://github.com/kinvolk/azure-cvm-tooling/" license = "MIT" 
@@ -16,7 +16,7 @@ name = "tdx-vtpm" path = "src/main.rs" [dependencies] -az-cvm-vtpm = { path = "..", version = "0.5.1" } +az-cvm-vtpm = { path = "..", version = "0.5.2" } base64-url = "2.0.0" bincode.workspace = true serde.workspace = true diff --git a/az-cvm-vtpm/src/vtpm/mod.rs b/az-cvm-vtpm/src/vtpm/mod.rs index 0a50e31..0c90dc1 100644 --- a/az-cvm-vtpm/src/vtpm/mod.rs +++ b/az-cvm-vtpm/src/vtpm/mod.rs @@ -126,10 +126,15 @@ pub enum QuoteError { pub struct Quote { signature: Vec, message: Vec, - pcrs: Vec>, + pcrs: Vec<[u8; 32]>, } impl Quote { + /// Retrieve sha256 PCR values from a Quote + pub fn pcrs_sha256(&self) -> impl Iterator { + self.pcrs.iter() + } + /// Extract nonce from a Quote pub fn nonce(&self) -> Result, QuoteError> { let attest = Attest::unmarshall(&self.message)?; @@ -191,10 +196,11 @@ pub fn get_quote(data: &[u8]) -> Result { .pcr_bank(hash_algo) .ok_or(QuoteError::PcrBankNotFound)?; - let pcrs = pcr_bank + let pcrs: Result, _> = pcr_bank .into_iter() - .map(|(_, x)| x.value().to_vec()) + .map(|(_, digest)| digest.clone().try_into().map_err(|_| QuoteError::PcrRead)) .collect(); + let pcrs = pcrs?; Ok(Quote { signature, diff --git a/az-cvm-vtpm/test/akpub.pem b/az-cvm-vtpm/test/akpub.pem index 7cab27d..9263f13 100644 --- a/az-cvm-vtpm/test/akpub.pem +++ b/az-cvm-vtpm/test/akpub.pem 
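Review bot: The doc comment on `pcrs_sha256` does not say whether the returned values are covered by the quote signature, and in this file the `pcrs` field is filled in `get_quote` from a separate `pcr_bank` read rather than parsed out of the signed `message`, so a consumer that treats them as attested without recomputing the PCR digest carried in the attestation message gets no integrity guarantee from the quote. I'd extend the comment to `/// Retrieve sha256 PCR values from a Quote. These are read alongside the quote and are not themselves signed; a verifier must hash them and compare the result with the PCR digest in the quote's attestation message before relying on them.` The iterator (presumably `Item = &[u8; 32]`, the generics were lost in extraction) yields values in vector order, so the comment should also state that position i is PCR i if the bank read guarantees that, which is decided outside this hunk. `impl Quote` continues past the hunk.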
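Review bot: The closure `.map(|(_, digest)| ...)` discards the PCR index from `pcr_bank`, so after this change the only way to know which PCR a `[u8; 32]` entry belongs to is its position in the `Vec`; if the bank read ever returns a non-contiguous selection or omits a PCR, values silently shift onto the wrong index with no error. If index-ordered, gap-free output is an invariant of the read, add `// pcr_bank yields PCRs in index order without gaps; position in `pcrs` is the PCR index` above the `let pcrs` line; otherwise keep the index in the element type. `map_err(|_| QuoteError::PcrRead)` also turns a digest that is not 32 bytes (a bank that does not match `hash_algo`) into a read error, which hides a configuration mismatch behind an I/O-sounding variant. The removed line used `x.value().to_vec()`, so `digest.value().try_into()` should convert without the `clone()` of the whole digest. `get_quote` starts before the hunk and `hash_algo` is chosen outside it.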
@@ -1,9 +1,9 @@ -----BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxJlHggAAGWfX9uqSq3js -wJ9PGrEGyurECyTMfptLwI5Ca1JEwocKXHsTfdAEUVIi9GVWcNuBGpr5Dbd8reoE -l6/p5IoxQsXyPSC6LZ7HdisORYOo8tQU/fqcuRky1InLJnsKG0o91XEP1MBo5/J7 -MxUAkkWPOiA6wPo+k7Wo3X3TB1NxxqohqAN+sRQ3Useqlzg7sViw+us0nrPb5gbz -1M8PMlLj4UW6j2j+XNQMsPtZEJ5qAwOmtqstFqT16qBkqFd/ey+NQBNINQAYlaHT -Vh2cwzq17i2Cru0KSHGQVa2YcUPZhDu4eAQdy+fdVE/uTjxf7Sac5WXefK2YXxyw -VQIDAQAB +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAh/zPnAAAQVXPyGWeKFj0 +UmbmtufZK7yeoeLZn0GbA0VVyjh+BPybG/ZrsgXFF7aQsOyaW2OLaKeeFzXqy6v3 +kCZRONtxLOXWlTSK2ytRrXvzJnjF86gqD4z9VkJ5GyWhPNI4P67+eJKu8iaHmSrP +WKAVJbJ9+YaZwP48E3Q0wQ1rZjRT8VVJNrjCAT0gRivoEqN5GZMrwIeCjddvs13/ +A4pBc6+Na7ojQ8ljmF6I/dV9dvJWi/GsQXNgjjSjw2SgYdyuZts7syyuKx42idCJ +qxJb6Zmmjb6VWfoOo/cr5ZvjSeQFaBEVuAgP47fYLlhVjIQddKM/IDxW6fovr8OO +YwIDAQAB -----END PUBLIC KEY----- 
diff --git a/az-cvm-vtpm/test/quote.bin b/az-cvm-vtpm/test/quote.bin index 41c893751118daf5defeb19b354e967d8762178b..a23518daa2553b2147a0a8de24658361d6b0d1b3 100644 GIT binary patch delta 724 zcmcb_HHovHfsp|WqSkmnVGEnX=ehrKPN)Cc$!SL>@s(ZSF7%2kIJi6DL2b~*y(>2u zr{B@Hu;kdkYx31Mf;nQ(FBNw&ni^-Yb)H;m|5;1fV1M?f%RQ2O4NA)UcXhcdxgKDe zb7K+n`Kh<181>J19;;1bbCYD9cZWI3{`k?Y@hv(Z!|DwrruB2bGMYQ5^`X+PQ$Iah zj;wh2+qv1gbc+v1`%>TA6SFh7{CL=TL7~Ulzop$UYYit~&Dt|3?{EDU=wT|67Ao6Bo?y8_;=ZZ=JLtgI&S&i2>5Q>S)5x?ne(DO-I` zz&E3h_a$0t07qMq*A*YF>IOSg-zxtw5T2av-CmBFnG6GaA_( z^_+X8C$F{kX2~hz@1OZ5w6=Zir`1f`mn@K&Jeg5lVMpKsFU>ES`HRnA?OpElE^yM0 zHS4*4TbkTl;`>c{%g@HiuNW0TxL(#;W~1YTWX-!>8>Y4>dUf3Y^~3V5$cgvqRoUnB z7F97#xwrSR{v|PwmRqbb+H8)o#gU>-YbqTdo}6R)T643He(jM7g#wTKUccVT{q@#Q zxl=*c)Gn5IFOxDdcy?E4`W^|Re@>fQx72LXnULL8=P&FxU#Xz6f5J#_4Y>sL?^Lze%qnqD80S!@@Tm{4+`V^Q}oSeWc1jM|PomdnmH?VL~gn{M) E0Ds0m@Bjb+ literal 1362 zcmZQzWB`NSi4n5@@)xIVkiB!<5XOhTV~e@21^v z@fP`^9r=1`^1VfwM|Zg$oUpYD5)2IgL!8|kBp8$!xP`nV_A^~rmb9d{b8Admmct$m zODVQZ994>{JC*()V>ryfnVgZBlard4o(j^-Csw@?NO6GJj0y_OLJUF-%pf)cH}n7h z{}~k0!*)(S?Q1mgRzT#dB52ns1K9q05nnnH^TF;qVm;0LU%)a;_ z`gCgaH331MrZ2z$z|`5g_WTPy!~9C##a=XN-<#gAGNli_=AWNcWU|m+vad3eRCV*k zJ?(^LzD1tsWXW4KvDu+6L02g8^NSCkH)_n@r7O+?Gtam^Tk4oVIluO9BPG`9E3|`e zIBmFT`#bo(|Lf_2vR;fZb>@yz@-16M#bTn2Pexl_nsw|^`eNe)B_~Uwg`a+V#&ZFt z?sbN({ZpN|%~r`whgW3m6o0*WxeWh|eP_?yUU>S1Q}1e+ItBs&rY`4Oacb7iyGciF zn?Ihg1kKd0AosOEeJ%6NRcib=DSIX0AYPS5%H5I@9+;0`ETI_m@RP!Fs zl&-z&zOQalQC72VM#)i=*+JVofAQ|v8gXp?E6s2}Qq3dQAHc+o7r^Yrs|YALRMZg) F7XXMxFo6I7