Implemented Intel TDX Quote Verification #157

wants to merge 24 commits into from
24 commits
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -16,3 +16,4 @@ example-setup/**/*.cbor
example-setup/metadata-signed/*
tpmdriver/test_encrypted_ak.json
est/server/server
attestationreport/cache/*
58 changes: 54 additions & 4 deletions attestationreport/attestationreport.go
Expand Up @@ -146,6 +146,14 @@ type SwMeasurement struct {
Sha256 HexByte `json:"sha256" cbor:"2,keyasint"`
}

// TdxMeasurement represents the attestation report
// element of type 'TDX Measurement' signed by the device
type TdxMeasurement struct {
Type string `json:"type" cbor:"0,keyasint"`
Report []byte `json:"blob" cbor:"1,keyasint"`
Certs [][]byte `json:"certs" cbor:"2,keyasint"`
}

type SnpPolicy struct {
Type string `json:"type" cbor:"0,keyasint"`
SingleSocket bool `json:"singleSocket" cbor:"1,keyasint"`
Expand Down Expand Up @@ -177,8 +185,39 @@ type SnpDetails struct {
Tcb SnpTcb `json:"tcb" cbor:"4,keyasint"`
}

type IntelCollateral struct {
// Format of CRLs:
// version 1.0: PEM, v3.0: DER base16, v3.1: DER raw binary
TeeType uint32 `json:"teeType" cbor:"0,keyasint"`
TcbInfo json.RawMessage `json:"tcbInfo" cbor:"1,keyasint"`
TcbInfoSize uint32 `json:"tcbInfoSize" cbor:"2,keyasint"`
QeIdentity json.RawMessage `json:"qeIdentity" cbor:"3,keyasint"`
QeIdentitySize uint32 `json:"qeIdentitySize" cbor:"4,keyasint"`
}

type TDXDetails struct {
Version uint16 `json:"version" cbor:"0,keyasint"`
Collateral IntelCollateral `json:"collateral" cbor:"1,keyasint"`
CaFingerprint string `json:"caFingerprint" cbor:"2,keyasint"` // Intel Root CA Certificate Fingerprint
TdId TDId `json:"tdId" cbor:"3,keyasint"`
TdAttributes [8]byte `json:"tdAttributes" cbor:"4,keyasint"`
Xfam [8]byte `json:"xfam" cbor:"5,keyasint"`
MrSeam string `json:"mrseam" cbor:"6,keyasint"`
}

// Note: MrTd is already given in ReferenceValue.Sha256
type TDId struct {
MrOwner [48]byte `json:"mrOwner" cbor:"0,keyasint"`
MrOwnerConfig [48]byte `json:"mrOwnerConfig" cbor:"1,keyasint"`
MrConfigId [48]byte `json:"mrConfigId" cbor:"2,keyasint"`
RtMr0 [48]byte `json:"rtMr0" cbor:"3,keyasint"` // updated by the TD virtual firmware/BIOS
RtMr1 [48]byte `json:"rtMr1" cbor:"4,keyasint"` // updated by the TD virtual firmware/BIOS
RtMr2 [48]byte `json:"rtMr2" cbor:"5,keyasint"` // runtime measurement
RtMr3 [48]byte `json:"rtMr3" cbor:"6,keyasint"` // runtime measurement
}

// ReferenceValue represents the attestation report
// element of types 'SNP Reference Value', 'TPM Reference Value'
// element of types 'SNP Reference Value', 'TPM Reference Value', TDX Reference Value'
// and 'SW Reference Value'
type ReferenceValue struct {
Type string `json:"type" cbor:"0,keyasint"`
Expand All @@ -187,7 +226,8 @@ type ReferenceValue struct {
Name string `json:"name,omitempty" cbor:"3,keyasint,omitempty"`
Pcr *int `json:"pcr,omitempty" cbor:"4,keyasint,omitempty"`
Snp *SnpDetails `json:"snp,omitempty" cbor:"5,keyasint,omitempty"`
Description string `json:"description,omitempty" cbor:"6,keyasint,omitempty"`
Tdx *TDXDetails `json:"tdx,omitempty" cbor:"8,keyasint,omitempty"`
Description string `json:"description,omitempty" cbor:"9,keyasint,omitempty"`
}

// AppDescription represents the attestation report
Expand Down Expand Up @@ -308,6 +348,7 @@ type ArPlain struct {
Type string `json:"type" cbor:"0,keyasint"`
TpmM *TpmMeasurement `json:"tpmMeasurement,omitempty" cbor:"1,keyasint,omitempty"`
SnpM *SnpMeasurement `json:"snpMeasurement,omitempty" cbor:"2,keyasint,omitempty"`
TdxM *TdxMeasurement `json:"tdxMeasurement,omitempty" cbor:"12,keyasint,omitempty"`
IasM *IasMeasurement `cbor:"10,keyasint,omitempty"`
SWM []SwMeasurement `json:"swMeasurements,omitempty" cbor:"3,keyasint,omitempty"`
RtmManifest RtmManifest `json:"rtmManifest" cbor:"4,keyasint"`
Expand All @@ -324,6 +365,7 @@ type ArPacked struct {
Type string `json:"type" cbor:"0,keyasint"`
TpmM *TpmMeasurement `json:"tpmMeasurement,omitempty" cbor:"1,keyasint,omitempty"`
SnpM *SnpMeasurement `json:"snpMeasurement,omitempty" cbor:"2,keyasint,omitempty"`
TdxM *TdxMeasurement `json:"tdxMeasurement,omitempty" cbor:"11,keyasint,omitempty"`
SWM []SwMeasurement `json:"swMeasurements,omitempty" cbor:"3,keyasint,omitempty"`
RtmManifest []byte `json:"rtmManifests" cbor:"4,keyasint"`
OsManifest []byte `json:"osManifest" cbor:"5,keyasint"`
Expand Down Expand Up @@ -515,6 +557,13 @@ func Verify(arRaw, nonce, casPem []byte, policies []byte, polEng PolicyEngineSel
result.Success = false
}

// If present, verify AMD SEV SNP measurements against provided SNP reference values
result.MeasResult.TdxMeasResult, ok = verifyTdxMeasurements(ar.TdxM, nonce,
referenceValues["TDX Reference Value"])
if !ok {
result.Success = false
}

// If present, verify ARM PSA EAT measurements against provided PSA reference values
result.MeasResult.IasMeasResult, ok = verifyIasMeasurements(ar.IasM, nonce,
referenceValues["IAS Reference Value"], cas)
Expand Down Expand Up @@ -546,7 +595,7 @@ func Verify(arRaw, nonce, casPem []byte, policies []byte, polEng PolicyEngineSel
// If no hardware trust anchor is present, the maximum certification level is 1
// If there are referenceValues with a higher trust level present, the remote attestation
// must fail
if ar.TpmM == nil && ar.SnpM == nil && aggCertLevel > 1 {
if ar.TpmM == nil && ar.SnpM == nil && ar.TdxM == nil && aggCertLevel > 1 {
msg := fmt.Sprintf("No hardware trust anchor measurements present but claimed certification level is %v, which requires a hardware trust anchor", aggCertLevel)
result.ProcessingError = append(result.ProcessingError, msg)
result.Success = false
Expand Down Expand Up @@ -684,6 +733,7 @@ func verifyAr(attestationReport []byte, result *VerificationResult,
ar.TpmM = arPacked.TpmM
ar.SnpM = arPacked.SnpM
ar.SWM = arPacked.SWM
ar.TdxM = arPacked.TdxM
ar.Nonce = arPacked.Nonce

// Validate and unpack Rtm Manifest
Expand Down Expand Up @@ -922,7 +972,7 @@ func collectReferenceValues(ar *ArPlain) (map[string][]ReferenceValue, error) {

// Iterate through the reference values and sort them into the different types
for _, v := range verList {
if v.Type != "SNP Reference Value" && v.Type != "SW Reference Value" && v.Type != "TPM Reference Value" {
if v.Type != "SNP Reference Value" && v.Type != "SW Reference Value" && v.Type != "TPM Reference Value" && v.Type != "TDX Reference Value" {
return nil, fmt.Errorf("reference value of type %v is not supported", v.Type)
}
verMap[v.Type] = append(verMap[v.Type], v)
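Review bot: The comment above the new TDX block in Verify (`// If present, verify AMD SEV SNP measurements against provided SNP reference values`) is copied from the SNP block and names the wrong technology; it should read `// If present, verify Intel TDX measurements against provided TDX reference values`. Verify itself starts and ends outside this hunk. In the ReferenceValue hunk the cbor key of the existing Description field moves from 6 to 9 while Tdx takes 8; any reference values or signed metadata already serialized with the old key would no longer round-trip their description, so this looks like a wire-format break worth confirming, or else keep Description at 6 and give Tdx a fresh key. The ArPlain and ArPacked additions also use different cbor keys for TdxM (12 and 11); presumably that is intentional per struct, but a one-line comment saying why would spare the next reader from treating it as a typo.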