Skip to content

Commit

Permalink
Remove deprecated fields in kernel layer endorsements, evidence and r…
Browse files Browse the repository at this point in the history 
…eference values.

Bug: 380873119
Change-Id: I7b6fd219c251686861d731a26f7f4557250216c0
  • Loading branch information
@thmsbinder
thmsbinder committed Nov 26, 2024
1 parent 5a9d978 commit 52dd270
Show file tree
Hide file tree
Showing 12 changed files with 10 additions and 166 deletions.
42 changes: 2 additions & 40 deletions oak_attestation_explain/src/json_serialization.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -143,11 +143,9 @@ pub fn serialize_kernel_layer_data(instance: &KernelLayerData) -> serde_json::Va
// all fields. If a new field is added to the struct, this code won't
// compile unless this destructuring operation is updated, thereby reminding us
// to keep the serialization in sync manually.
#[allow(deprecated)]
let KernelLayerData {
kernel_image,
kernel_setup_data,
kernel_cmd_line,
kernel_raw_cmd_line,
init_ram_fs,
memory_map,
Expand All @@ -157,7 +155,6 @@ pub fn serialize_kernel_layer_data(instance: &KernelLayerData) -> serde_json::Va
json!({
"kernel_image": kernel_image.as_ref().map(serialize_raw_digest),
"kernel_setup_data": kernel_setup_data.as_ref().map(serialize_raw_digest),
"kernel_cmd_line": kernel_cmd_line.as_ref().map(serialize_raw_digest),
"kernel_raw_cmd_line": kernel_raw_cmd_line,
"init_ram_fs": init_ram_fs.as_ref().map(serialize_raw_digest),
"memory_map": memory_map.as_ref().map(serialize_raw_digest),
Expand Down Expand Up @@ -529,27 +526,6 @@ pub fn serialize_string_literals(instance: &StringLiterals) -> serde_json::Value
json!(value)
}

pub fn serialize_regex_reference_value(instance: &RegexReferenceValue) -> serde_json::Value {
// Exhaustive destructuring (e.g., without ", ..") ensures this function handles
// all fields. If a new field is added to the struct, this code won't
// compile unless this destructuring operation is updated, thereby reminding us
// to keep the serialization in sync manually.
let RegexReferenceValue { r#type } = instance;
match r#type {
Some(regex_reference_value::Type::Skip(instance)) => {
json!({
"skip": serialize_skip_verification(instance)
})
}
Some(regex_reference_value::Type::Regex(instance)) => {
json!({
"regex": serialize_regex(instance)
})
}
None => json!(null),
}
}

pub fn serialize_text_reference_value(instance: &TextReferenceValue) -> serde_json::Value {
// Exhaustive destructuring (e.g., without ", ..") ensures this function handles
// all fields. If a new field is added to the struct, this code won't
Expand Down Expand Up @@ -639,25 +615,11 @@ pub fn serialize_kernel_layer_reference_values(
// all fields. If a new field is added to the struct, this code won't
// compile unless this destructuring operation is updated, thereby reminding us
// to keep the serialization in sync manually.
#[allow(deprecated)]
let KernelLayerReferenceValues {
kernel,
kernel_cmd_line_text,
kernel_setup_data,
kernel_image,
kernel_cmd_line_regex,
kernel_cmd_line,
init_ram_fs,
memory_map,
acpi,
} = instance;
let KernelLayerReferenceValues { kernel, kernel_cmd_line_text, init_ram_fs, memory_map, acpi } =
instance;
json!({
"kernel": kernel.as_ref().map(serialize_kernel_binary_reference_value),
"kernel_cmd_line_text": kernel_cmd_line_text.as_ref().map(serialize_text_reference_value),
"kernel_setup_data": kernel_setup_data.as_ref().map(serialize_binary_reference_value),
"kernel_image": kernel_image.as_ref().map(serialize_binary_reference_value),
"kernel_cmd_line_regex": kernel_cmd_line_regex.as_ref().map(serialize_regex_reference_value),
"kernel_cmd_line": kernel_cmd_line.as_ref().map(serialize_binary_reference_value),
"init_ram_fs": init_ram_fs.as_ref().map(serialize_binary_reference_value),
"memory_map": memory_map.as_ref().map(serialize_binary_reference_value),
"acpi": acpi.as_ref().map(serialize_binary_reference_value),
Expand Down
2 changes: 0 additions & 2 deletions oak_attestation_explain/tests/explain_test.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -84,8 +84,6 @@ acpi:
sha2_256: 64f555327287a2141476681e4e4dd80d5f75ab9c276f6db8effc55236dba9953
init_ram_fs:
sha2_256: daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8
kernel_cmd_line:
sha2_256: 2b98586d9905a605c295d77c61e8cfd2027ae5b8a04eefa9018436f6ad114297
kernel_image:
sha2_256: ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8
kernel_raw_cmd_line: console=ttyS0
Expand Down
1 change: 0 additions & 1 deletion oak_attestation_integration_tests/src/create.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,6 @@ fn reference_values_for_oak_containers_measurements(
}],
})),
}),
..Default::default()
}),
system_layer: Some(SystemLayerReferenceValues {
system_image: Some(BinaryReferenceValue {
Expand Down
10 changes: 0 additions & 10 deletions oak_attestation_integration_tests/tests/verifier_tests.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -134,17 +134,12 @@ fn verify_mock_restricted_kernel_evidence() {
insecure: Some(InsecureReferenceValues::default()),
..Default::default()
}),
#[allow(deprecated)]
kernel_layer: Some(KernelLayerReferenceValues {
kernel: Some(KernelBinaryReferenceValue {
r#type: Some(kernel_binary_reference_value::Type::Skip(
SkipVerification {},
)),
}),
kernel_image: None,
kernel_setup_data: None,
kernel_cmd_line: None,
kernel_cmd_line_regex: None,
kernel_cmd_line_text: Some(TextReferenceValue {
r#type: Some(text_reference_value::Type::Skip(SkipVerification {})),
}),
Expand Down Expand Up @@ -172,7 +167,6 @@ fn verify_mock_restricted_kernel_evidence() {
}

fn oak_containers_skip_all_reference_values() -> ReferenceValues {
#[allow(deprecated)]
ReferenceValues {
r#type: Some(reference_values::Type::OakContainers(OakContainersReferenceValues {
root_layer: Some(RootLayerReferenceValues {
Expand All @@ -183,10 +177,6 @@ fn oak_containers_skip_all_reference_values() -> ReferenceValues {
kernel: Some(KernelBinaryReferenceValue {
r#type: Some(kernel_binary_reference_value::Type::Skip(SkipVerification {})),
}),
kernel_setup_data: None,
kernel_image: None,
kernel_cmd_line: None,
kernel_cmd_line_regex: None,
kernel_cmd_line_text: Some(TextReferenceValue {
r#type: Some(text_reference_value::Type::Skip(SkipVerification {})),
}),
Expand Down
15 changes: 3 additions & 12 deletions oak_attestation_verification/src/extract.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,9 @@ use oak_dice::cert::{
cose_key_to_hpke_public_key, cose_key_to_verifying_key, get_public_key_from_claims_set,
ACPI_MEASUREMENT_ID, APPLICATION_KEY_ID, CONTAINER_IMAGE_LAYER_ID,
ENCLAVE_APPLICATION_LAYER_ID, EVENT_ID, FINAL_LAYER_CONFIG_MEASUREMENT_ID,
INITRD_MEASUREMENT_ID, KERNEL_COMMANDLINE_ID, KERNEL_COMMANDLINE_MEASUREMENT_ID,
KERNEL_LAYER_ID, KERNEL_MEASUREMENT_ID, LAYER_2_CODE_MEASUREMENT_ID,
LAYER_3_CODE_MEASUREMENT_ID, MEMORY_MAP_MEASUREMENT_ID, SETUP_DATA_MEASUREMENT_ID, SHA2_256_ID,
SYSTEM_IMAGE_LAYER_ID,
INITRD_MEASUREMENT_ID, KERNEL_COMMANDLINE_ID, KERNEL_LAYER_ID, KERNEL_MEASUREMENT_ID,
LAYER_2_CODE_MEASUREMENT_ID, LAYER_3_CODE_MEASUREMENT_ID, MEMORY_MAP_MEASUREMENT_ID,
SETUP_DATA_MEASUREMENT_ID, SHA2_256_ID, SYSTEM_IMAGE_LAYER_ID,
};
use oak_proto_rust::oak::{
attestation::v1::{
Expand Down Expand Up @@ -482,19 +481,15 @@ fn extract_kernel_values(claims: &ClaimsSet) -> anyhow::Result<KernelLayerData>
let kernel_image = Some(value_to_raw_digest(extract_value(values, KERNEL_MEASUREMENT_ID)?)?);
let kernel_setup_data =
Some(value_to_raw_digest(extract_value(values, SETUP_DATA_MEASUREMENT_ID)?)?);
let kernel_cmd_line =
Some(value_to_raw_digest(extract_value(values, KERNEL_COMMANDLINE_MEASUREMENT_ID)?)?);
let kernel_raw_cmd_line = extract_value(values, KERNEL_COMMANDLINE_ID)
.ok()
.map(|v| String::from(v.as_text().expect("kernel_raw_cmd_line found but is not a string")));
let init_ram_fs = Some(value_to_raw_digest(extract_value(values, INITRD_MEASUREMENT_ID)?)?);
let memory_map = Some(value_to_raw_digest(extract_value(values, MEMORY_MAP_MEASUREMENT_ID)?)?);
let acpi = Some(value_to_raw_digest(extract_value(values, ACPI_MEASUREMENT_ID)?)?);
#[allow(deprecated)]
Ok(KernelLayerData {
kernel_image,
kernel_setup_data,
kernel_cmd_line,
kernel_raw_cmd_line,
init_ram_fs,
memory_map,
Expand Down Expand Up @@ -602,9 +597,6 @@ fn value_to_raw_digest(value: &Value) -> anyhow::Result<RawDigest> {
/// Translates [`Stage0Measurements`] to [`KernelLayerData`]. Both hold the same
/// data, just in slightly different proto messages.
fn stage0_measurements_to_kernel_layer_data(measurements: Stage0Measurements) -> KernelLayerData {
// We need to set fields of [`KernelLayerData`] to create it, some are
// deprecated.
#[allow(deprecated)]
KernelLayerData {
kernel_image: Some(RawDigest {
sha2_256: measurements.kernel_measurement,
Expand All @@ -614,7 +606,6 @@ fn stage0_measurements_to_kernel_layer_data(measurements: Stage0Measurements) ->
sha2_256: measurements.setup_data_digest,
..Default::default()
}),
kernel_cmd_line: None,
kernel_raw_cmd_line: Some(measurements.kernel_cmdline),
init_ram_fs: Some(RawDigest {
sha2_256: measurements.ram_disk_digest,
Expand Down
4 changes: 0 additions & 4 deletions oak_attestation_verification/src/util.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -390,10 +390,6 @@ fn kernel_layer_reference_values_from_evidence(
}),
})),
}),
kernel_setup_data: None,
kernel_image: None,
kernel_cmd_line: None,
kernel_cmd_line_regex: None,
kernel_cmd_line_text: Some(TextReferenceValue {
r#type: Some(text_reference_value::Type::StringLiterals(StringLiterals {
value: vec![kernel_layer.kernel_raw_cmd_line.expect("no kernel command-line")],
Expand Down
4 changes: 0 additions & 4 deletions oak_attestation_verification/src/verifier/tests.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -176,7 +176,6 @@ fn create_oc_endorsements_reference_values(
init_ram_fs: Some(stage1),
memory_map: Some(memory_map),
acpi: Some(acpi),
..Default::default()
}),
system_layer: Some(SystemLayerEndorsements {
system_image: Some(system_image),
Expand Down Expand Up @@ -214,7 +213,6 @@ fn create_oc_endorsements_reference_values(
init_ram_fs: Some(binary_reference_value_for_endorser_pk(stage1_vkey)),
memory_map: Some(binary_reference_value_for_endorser_pk(memory_map_vkey)),
acpi: Some(binary_reference_value_for_endorser_pk(acpi_vkey)),
..Default::default() // Deprecated fields only.
}),
system_layer: Some(SystemLayerReferenceValues {
system_image: Some(binary_reference_value_for_endorser_pk(system_image_vkey)),
Expand Down Expand Up @@ -269,7 +267,6 @@ fn create_rk_endorsements_reference_values(
init_ram_fs: Some(init_ram_fs),
memory_map: Some(memory_map),
acpi: Some(acpi),
..Default::default() // Deprecated fields only
}),
application_layer: Some(ApplicationLayerEndorsements {
binary: Some(app_binary),
Expand Down Expand Up @@ -311,7 +308,6 @@ fn create_rk_endorsements_reference_values(
init_ram_fs: Some(binary_reference_value_for_endorser_pk(init_ram_fs_vkey)),
memory_map: Some(binary_reference_value_for_endorser_pk(memory_map_vkey)),
acpi: Some(binary_reference_value_for_endorser_pk(acpi_vkey)),
..Default::default() // Deprecated fields only
}),
application_layer: Some(ApplicationLayerReferenceValues {
binary: Some(binary_reference_value_for_endorser_pk(app_binary_vkey)),
Expand Down
13 changes: 0 additions & 13 deletions oak_attestation_verification/tests/verifier_tests.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -153,10 +153,8 @@ fn create_oc_endorsements() -> Endorsements {
let vcek_milan_cert =
fs::read(data_path(CONTAINERS_VCEK_MILAN_CERT_DER)).expect("couldn't read TEE cert");
let root_layer = RootLayerEndorsements { tee_certificate: vcek_milan_cert, stage0: None };
#[allow(deprecated)]
let kernel_layer = KernelLayerEndorsements {
kernel: None,
kernel_image: None,
kernel_cmd_line: None,
init_ram_fs: Some(create_stage1_endorsement()),
memory_map: None,
Expand All @@ -183,10 +181,8 @@ fn create_rk_endorsements() -> Endorsements {
let vcek_milan_cert =
fs::read(data_path(RK_VCEK_MILAN_CERT_DER)).expect("couldn't read TEE cert");
let root_layer = RootLayerEndorsements { tee_certificate: vcek_milan_cert, stage0: None };
#[allow(deprecated)]
let kernel_layer = KernelLayerEndorsements {
kernel: None,
kernel_image: None,
kernel_cmd_line: None,
init_ram_fs: None,
memory_map: None,
Expand Down Expand Up @@ -304,15 +300,10 @@ fn create_oc_reference_values() -> ReferenceValues {
};

let root_layer = RootLayerReferenceValues { amd_sev: Some(amd_sev), ..Default::default() };
#[allow(deprecated)]
let kernel_layer = KernelLayerReferenceValues {
kernel: Some(KernelBinaryReferenceValue {
r#type: Some(kernel_binary_reference_value::Type::Skip(SkipVerification {})),
}),
kernel_setup_data: None,
kernel_image: None,
kernel_cmd_line: None,
kernel_cmd_line_regex: None,
kernel_cmd_line_text: Some(TextReferenceValue {
r#type: Some(text_reference_value::Type::StringLiterals(StringLiterals {
value: vec![String::from(
Expand Down Expand Up @@ -358,10 +349,6 @@ fn create_rk_reference_values() -> ReferenceValues {
kernel: Some(KernelBinaryReferenceValue {
r#type: Some(kernel_binary_reference_value::Type::Skip(SkipVerification {})),
}),
kernel_setup_data: None,
kernel_image: None,
kernel_cmd_line: None,
kernel_cmd_line_regex: None,
kernel_cmd_line_text: Some(TextReferenceValue {
r#type: Some(text_reference_value::Type::StringLiterals(StringLiterals {
value: vec![String::from("console=ttyS0")],
Expand Down
48 changes: 0 additions & 48 deletions oak_proto_rust/generated/oak.attestation.v1.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -457,14 +457,6 @@ pub struct FileReferenceValue {
#[prost(string, tag = "2")]
pub path: ::prost::alloc::string::String,
}
/// Verifies that a particular string is equal to at least one of the specified
/// ones. No checks are performed if this is empty.
#[allow(clippy::derive_partial_eq_without_eq)]
#[derive(Clone, PartialEq, ::prost_derive::Message)]
pub struct StringReferenceValue {
#[prost(string, repeated, tag = "1")]
pub values: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
}
#[allow(clippy::derive_partial_eq_without_eq)]
#[derive(Clone, PartialEq, ::prost_derive::Message)]
pub struct Regex {
Expand All @@ -479,23 +471,6 @@ pub struct StringLiterals {
#[prost(string, repeated, tag = "1")]
pub value: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
}
#[allow(clippy::derive_partial_eq_without_eq)]
#[derive(Clone, PartialEq, ::prost_derive::Message)]
pub struct RegexReferenceValue {
#[prost(oneof = "regex_reference_value::Type", tags = "1, 2")]
pub r#type: ::core::option::Option<regex_reference_value::Type>,
}
/// Nested message and enum types in `RegexReferenceValue`.
pub mod regex_reference_value {
#[allow(clippy::derive_partial_eq_without_eq)]
#[derive(Clone, PartialEq, ::prost_derive::Oneof)]
pub enum Type {
#[prost(message, tag = "1")]
Skip(super::SkipVerification),
#[prost(message, tag = "2")]
Regex(super::Regex),
}
}
/// Reference value to match text via endorsement, or directly via constants
/// or a regular expression.
#[allow(clippy::derive_partial_eq_without_eq)]
Expand Down Expand Up @@ -573,20 +548,6 @@ pub struct KernelLayerReferenceValues {
/// kernel on boot.
#[prost(message, optional, tag = "9")]
pub kernel_cmd_line_text: ::core::option::Option<TextReferenceValue>,
/// Fields are deprecated and kept only for backwards compatibility. They are
/// not being used by the verifier. Remove ASAP.
#[deprecated]
#[prost(message, optional, tag = "3")]
pub kernel_setup_data: ::core::option::Option<BinaryReferenceValue>,
#[deprecated]
#[prost(message, optional, tag = "7")]
pub kernel_image: ::core::option::Option<BinaryReferenceValue>,
#[deprecated]
#[prost(message, optional, tag = "8")]
pub kernel_cmd_line_regex: ::core::option::Option<RegexReferenceValue>,
#[deprecated]
#[prost(message, optional, tag = "2")]
pub kernel_cmd_line: ::core::option::Option<BinaryReferenceValue>,
/// Verifies the stage1 binary if running as Oak Containers.
#[prost(message, optional, tag = "4")]
pub init_ram_fs: ::core::option::Option<BinaryReferenceValue>,
Expand Down Expand Up @@ -852,10 +813,6 @@ pub struct KernelLayerEndorsements {
pub memory_map: ::core::option::Option<TransparentReleaseEndorsement>,
#[prost(message, optional, tag = "6")]
pub acpi: ::core::option::Option<TransparentReleaseEndorsement>,
/// Field is deprecated and kept only for backwards compatibility. Remove ASAP.
#[deprecated]
#[prost(message, optional, tag = "7")]
pub kernel_image: ::core::option::Option<TransparentReleaseEndorsement>,
}
#[allow(clippy::derive_partial_eq_without_eq)]
#[derive(Clone, PartialEq, ::prost_derive::Message)]
Expand Down Expand Up @@ -1216,11 +1173,6 @@ pub struct KernelLayerData {
/// Measured digests of the setup data part of the kernel.
#[prost(message, optional, tag = "3")]
pub kernel_setup_data: ::core::option::Option<super::super::RawDigest>,
/// Measured digests of the command-line that was passed to the kernel
/// during startup.
#[deprecated]
#[prost(message, optional, tag = "2")]
pub kernel_cmd_line: ::core::option::Option<super::super::RawDigest>,
/// Command-line that was passed to the kernel during startup. If absent,
/// verification will only succeed with the corresponding reference value set
/// to skip (for compatibility with the legacy version of the evidence
Expand Down
3 changes: 1 addition & 2 deletions proto/attestation/endorsement.proto
View file
Original file line number Diff line number Diff line change
Expand Up @@ -112,8 +112,7 @@ message KernelLayerEndorsements {
TransparentReleaseEndorsement memory_map = 5;
TransparentReleaseEndorsement acpi = 6;

// Field is deprecated and kept only for backwards compatibility. Remove ASAP.
TransparentReleaseEndorsement kernel_image = 7 [deprecated = true];
reserved 7;
}

message SystemLayerEndorsements {
Expand Down
Loading

0 comments on commit 52dd270

Please sign in to comment.