verifier: Use the VirTEE CA Chain #446
Conversation
|
Waiting on virtee/sev#206 |
larrydewey
force-pushed
the
cleanup
branch
2 times, most recently
from
0e781eb
to
cba1195
Compare
larrydewey
changed the title
deps/verifier/src/snp/mod.rs
Outdated
| let certs = X509::stack_from_pem(include_bytes!("milan_ask_ark_asvk.pem"))?; | ||
| if certs.len() != 3 { | ||
| bail!("Malformed Milan ASK/ARK/ASVK"); | ||
| fn read_certs_from_file() -> Vec<X509> { |
There was a problem hiding this comment.
Not sure of the value of splitting this into two functions. This new one should still refer to milan since it is only loading the milan certs. Also this isn't exactly reading them from a file.
There was a problem hiding this comment.
I am splitting this into two functions because the former behavior of utilizing a OnceLock around a Result leaves room for unexpected behavior, as it returns a reference to a Result. I suppose I could re-implement this using a lazy_static! to ensure it is only allocated once, and then use a Mutex to make sure access is serial.
Ultimately, I was just trying to get rid of the UB.
There was a problem hiding this comment.
UB often means "undefined behaviour", which should not happen in safe rust. You are referring to "unexpected behaviour". Can you elaborate what unexpected behaviour you are concerned about?
Afaiu OnceLock/OnceCell/lazy_static! should do mostly the same, with the Once* family being the more modern alternative to the lazy_static macro.
| ark: Certificate::from(certs[1].clone()), | ||
| ask: Certificate::from(certs[0].clone()), | ||
| }, | ||
| vek: Certificate::from(certs[2].clone()), |
There was a problem hiding this comment.
I thought this was the asvk. Has the term changed? If so, please remove references to asvk. I thought vek already referred to the guest encryption key.
There was a problem hiding this comment.
In this case, the ASK and the VEK are generic terms. The AMD Signing Key (ASK) covers both the traditional ASK and the ASVK. The Versioned Endorsement Key (VEK) covers VCEK or VLEK.
There was a problem hiding this comment.
Isn't certs[2] going to be the ASVK? That shouldn't go into the VEK field. The current VendorCertificates struct holds both the ASK and ASVK. It doesn't like the CaChain struct does that so you might need to tweak the logic a bit.
There was a problem hiding this comment.
You are absolutely correct. I misunderstood your comment. I will have to think about this, as a certificate chain usually should contain one or the other, not both.
| base64 = "0.21" | ||
| bincode = "1.3.3" | ||
| byteorder = "1" | ||
| cfg-if = "1.0.0" | ||
| codicon = { version = "3.0", optional = true } | ||
| # TODO: change it to "0.1", once released. | ||
| csv-rs = { git = "https://github.com/openanolis/csv-rs", rev = "b74aa8c", optional = true } | ||
| csv-rs = { version = "=0.1.0", git = "https://github.com/openanolis/csv-rs", rev = "b74aa8c", optional = true } |
There was a problem hiding this comment.
is this intentionally both version and ref?
There was a problem hiding this comment.
I am not sure if it is a bug in Cargo, or something else, but if I didn't enforce the specific version of the crate, it was being mangled on re-build.
| @@ -46,7 +50,7 @@ sha2 = "0.10" | |||
| shadow-rs = "0.19.0" | |||
| strum = { version = "0.25", features = ["derive"] } | |||
| thiserror = "1.0" | |||
| tokio = { version = "1", features = ["full"] } | |||
| tokio = { version = "1", features = ["full"], default-features = false } | |||
There was a problem hiding this comment.
why do we want to turn on the tokio default-features?
There was a problem hiding this comment.
I don't have any clear insight into why the project chose to have full tokio features enabled. The PR moves the default-features = false into the workspace toml. If we have it inside of the verifier Cargo.toml, it is completely ignored, and it throws a warning.
| sha2.workspace = true | ||
| tokio = { workspace = true, optional = true, default-features = false } | ||
| tokio = { workspace = true, optional = true } |
There was a problem hiding this comment.
why do we want to turn on the tokio default-features?
There was a problem hiding this comment.
Again, I am not sure. in this case, I am just removing the ignored default-features = false flag from the Cargo.toml and moving into the workspace level Cargo.toml
| } | ||
| Result::Err(err) => panic!("Error reading certificates file: {err}"), |
There was a problem hiding this comment.
I think initially there was an ask to avoid panicking if the parsing of the bundled X509 failed. I'm fine with this, since this is very const-y and unlikely to fail.
However, we're not reading a file here, the bytes are embedded in the binary.
There was a problem hiding this comment.
Renamed the file to more accurately describe what is happening.
| @@ -124,6 +124,7 @@ impl CcEventLog { | |||
|
|
|||
| /// Defined in TCG PC Client Platform Firmware Profile Specification section | |||
| /// 'UEFI_PLATFORM_FIRMWARE_BLOB Structure Definition' | |||
| #[allow(dead_code)] | |||
There was a problem hiding this comment.
It was to remove a warning when compiling, as the TDX library is unused.
larrydewey
force-pushed
the
cleanup
branch
4 times, most recently
from
11840dc
to
183b9d6
Compare
This introduces changes into the code to utilize the cert chain provided by the VirTEE sev crate, pushing resposibility for upkeep and maintainership back to the library itself. This also reduces duplication of code and expands functionality for future changes. Review Changes: - Adding whitespace back to Makefile - Updating sev to 4.0.0 - Removed Cargo.toml reformatting - Renamed function per mkulke's comment Signed-off-by: Larry Dewey <[email protected]>
There was a problem hiding this comment.
@larrydewey maybe the compiler/cargo errors you are seeing are due to some specifics in your local build environment? (e.g. cargo, rust toolchain, etc.) In this case you can maybe take a look at
trustee/.github/workflows/kbs-rust.yml
Lines 33 to 38 in 81f904f
This is my default configuration, so I don't believe it is my workflow or configuration. |
|
A large number of errors I believe are coming from the sev update from 3.2.0 to 4.0.0. Particularly due to the dependencies not using the latest version |
This introduces changes into the code to utilize the cert chain provided by the VirTEE sev crate, pushing resposibility for upkeep and maintainership back to the library itself. This also reduces duplication of code and expands functionality for future changes.