From 0abcf8e4d9010e7186396eb508cec5497263c1bf Mon Sep 17 00:00:00 2001 From: grydz Date: Wed, 30 Apr 2025 13:46:51 +0400 Subject: [PATCH 1/2] Fix: attestation verification on AWS with AMD SEV-SNP The type of VEK certificate on AWS EC2 instance with AMD SEV-SNP is now CertType::VLEK instead of CertType::OTHER(...) which is not needed anymore. --- Cargo.lock | 52 +++++------------------ crate/sev_quote/Cargo.toml | 1 - crate/sev_quote/data/report-vlek-aws.bin | Bin 2556 -> 2523 bytes crate/sev_quote/src/quote.rs | 14 ++---- 4 files changed, 13 insertions(+), 54 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 5491e7e..e06221d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -628,7 +628,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e9b3460f44bea8cd47f45a0c70892f1eff856d97cd55358b2f73f663789f6190" dependencies = [ "ct-codecs", - "getrandom 0.2.15", + "getrandom", ] [[package]] @@ -831,22 +831,10 @@ dependencies = [ "cfg-if", "js-sys", "libc", - "wasi 0.11.0+wasi-snapshot-preview1", + "wasi", "wasm-bindgen", ] -[[package]] -name = "getrandom" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "43a49c392881ce6d5c3b8cb70f98717b7c07aabbdff06687b9030dbfbe2725f8" -dependencies = [ - "cfg-if", - "libc", - "wasi 0.13.3+wasi-0.2.2", - "windows-targets 0.52.6", -] - [[package]] name = "gimli" version = "0.28.1" @@ -1501,7 +1489,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd" dependencies = [ "libc", - "wasi 0.11.0+wasi-snapshot-preview1", + "wasi", "windows-sys 0.52.0", ] @@ -1857,7 +1845,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a2fe5ef3495d7d2e377ff17b1a8ce2ee2ec2a18cde8b6ad6619d65d0701c135d" dependencies = [ "bytes", - "getrandom 0.2.15", + "getrandom", "rand", "ring", "rustc-hash 2.1.1", @@ -1920,7 +1908,7 @@ version = "0.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c" dependencies = [ - "getrandom 0.2.15", + "getrandom", ] [[package]] @@ -1947,7 +1935,7 @@ version = "0.4.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bd283d9651eeda4b2a83a43c1c91b266c40fd76ecd39a50a8c630ae69dc72891" dependencies = [ - "getrandom 0.2.15", + "getrandom", "libredox", "thiserror 1.0.60", ] @@ -2058,7 +2046,7 @@ checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7" dependencies = [ "cc", "cfg-if", - "getrandom 0.2.15", + "getrandom", "libc", "untrusted", "windows-sys 0.52.0", @@ -2331,7 +2319,6 @@ dependencies = [ "sev", "sha2", "thiserror 2.0.12", - "uuid", "x509-parser", ] @@ -2494,7 +2481,7 @@ version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fbde97f499e51ef384f585dc8f8fb6a9c3a71b274b8d12469b516758e6540607" dependencies = [ - "getrandom 0.2.15", + "getrandom", "hmac-sha256", "hmac-sha512", "rand", @@ -2886,7 +2873,7 @@ checksum = "78ea9ccde878b029392ac97b5be1f470173d06ea41d18ad0bb3c92794c16a0f2" dependencies = [ "bitfield 0.14.0", "enumflags2", - "getrandom 0.2.15", + "getrandom", "hostname-validator", "log", "mbox", @@ -2976,7 +2963,6 @@ version = "1.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "458f7a779bf54acc9f347480ac654f68407d3aab21269a6e3c9f922acd9e2da9" dependencies = [ - "getrandom 0.3.1", "serde", ] @@ -3013,22 +2999,13 @@ version = "0.11.0+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" -[[package]] -name = "wasi" -version = "0.13.3+wasi-0.2.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26816d2e1a4a36a2940b96c5296ce403917633dff8f3440e9b236ed6f6bacad2" -dependencies = [ - "wit-bindgen-rt", -] - [[package]] name = "wasix" version = "0.12.21" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c1fbb4ef9bbca0c1170e0b00dd28abc9e3b68669821600cad1caaed606583c6d" dependencies = [ - "wasi 0.11.0+wasi-snapshot-preview1", + "wasi", ] [[package]] @@ -3420,15 +3397,6 @@ version = "0.53.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "271414315aff87387382ec3d271b52d7ae78726f5d44ac98b4f4030c91880486" -[[package]] -name = "wit-bindgen-rt" -version = "0.33.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3268f3d866458b787f390cf61f4bbb563b922d091359f9608842999eaee3943c" -dependencies = [ - "bitflags 2.5.0", -] - [[package]] name = "write16" version = "1.0.0" diff --git a/crate/sev_quote/Cargo.toml b/crate/sev_quote/Cargo.toml index 336c9a8..4e46aa9 100644 --- a/crate/sev_quote/Cargo.toml +++ b/crate/sev_quote/Cargo.toml @@ -26,7 +26,6 @@ sev = { workspace = true, features = [ ] } sha2 = { workspace = true } thiserror = { workspace = true } -uuid = { version = "1.16", features = ["serde", "v4"] } x509-parser = { workspace = true } [dev-dependencies] diff --git a/crate/sev_quote/data/report-vlek-aws.bin b/crate/sev_quote/data/report-vlek-aws.bin index 521ceea15c0b2d5453fe5314927cb06b8fed1657..b20f6b1605f6c722ce493380e41b3313f0fda4f8 100644 GIT binary patch delta 1049 zcmew(d|Q~2c_O2^APWNsNZe5e(+mtO6A!u@tg-WL6-)MtV{9;PEIrdyGl5M+WN+r| zsL$*|rxs28W%8EoOp^MfJ%Z&z*%w7usO_4}$kd>4?VX#eNaC}zn<_6@P1^l?!w$|* z&qB{=SNU09ne^G|jN9ZyMtPq9Q2TC5GBQp)7%Bnf-j+3IWB_3pf3hO;3WIac72=&& z*K=$%OcE@a^4&n{n?}dZDF>Ag*8Wb27I2bZlNqdKrX3z;U-ak6jb{`8PZX3e;E~&= zXIFN?Z1)szszMr@$f^t@=NGT2ifEDNoT^9kidRE%)ifdi9s9b{?LxS&_M( zaiRj}BIR+~rLcV0$DE(4Rv``AsG z4H_FJpJdIL+|Md2WnyS#XkcVyY+z^>CC+PPir`K@#yT}^O2I1`?zDTS;_v0zKK}f_ zaP5ElwAp{Z)jMShXBR}DvEt<|wD@@~QRrmFk(p-GW<-AuTyp)(-ak7POmrW&Czbu) zcYjY=)|y#!A11NMCHspk_@C~S{_N4iX9fS}ifrEYE^l$;CxgcKlMk|4F|thl!&WFN zVIaiDrOn33!Z@dbk(q;qg^7vb=Hy0peLhT&)H62$eVDa3mwES%su-_b_N(78pA-1b zz|>gnnwIlQ$9ZbuJJE=5YyV`;madt%;$DeUW36L9hqp9i{LH^Q{z@&bTRkEDx~7%O z{;R7+KKe#vW;<@bD{mcSXy^UTZ1O_h#_Q43I|>h-OZZ%}{0nF5--@#~m2)~Xo^{Ld ztDVbD`(HmJV{Rp@LW=6I%WnOv<4c(}Urmv@CH_OFihm=M_`fB7jj1w%j4O&}-SBy6 za%fv%<^FxS48Cf;au1G3NPo^Pe`=R_vpXbmCEu&B!E$o~KB_Y)%=LP@^>la7Vh;Z8 zW~c01X89jtab#V<6j-YzwC8x@s?AYuVMkVYUidy?f6V3Q^+u~xo^aU*hE~>!-tfAY zA+hA3l+@%y|EI53U-bKv!qP)U5+9>wL;nW+j#&$J`e#-JgW{*S*}yVCItHm*nGnzq%~^IywJy(t;^T4NK0}Zd=NjX|&T`AL>STDPkFL6K;LV3(Tm3~HRNp;Vyk>ROHN{QU&mUE_sTW>6tr*jx zk}b^rK)U4^Iq0OJwRy@>*>6JL^EX`V&Oh=<=me)`cJ|VI Ie#7pi0OX*&2LJ#7 delta 1143 zcmcaD{70CPX(FS!1v3K(a9xDZ3=Aw_J_7@oICR2$a>}3i{2?1$P0D)Oc=GrxvTk-yd$F_cl-rul!V59M(o33) zKZKlUIDhfWf)##~8JQXs%2@==QwvNxEPT<}%XD3z4aZa`V@@H}) zqdez-sI!VE9*mHHvR5*iF*1NKj6YeCd4<6x9UbY_T1^WkiF-76ua2?X$^5P4>MZGx z_ir8DzFxX(?O&#AmQu_?7N`GkbY(GQKA$KkVbJmVCimVe8UNxc8H8-3p1#p7n>26Y z6XCs!9p`kMbd5jTDE(~l<=OGacb(S|R8h13wONt5o^hfA=i~(}9L{XO01|)((h7F( zLyMw3>{dOqJm9)u$3g>Eh=f5CtByev)9nS!OpHuSj0^^DY@Awc9&O)w85y|@EGJ)P zG2vJYlw&k#Y?!=;HDhuStE`lkeO=rSS1)O(1X61WTs}9`X&hf6EuoJEY{O7Nd34rhk)G!sgg5mTnF0Vy~7jxAxU* zTQfs!s`|$I_4$_%_I~l<(2!Y}nXW?GZ0|o)MjI3 zVVqOJ$jAb8B7=blSY+~EHbq9}$@kd`MYs$E*|=bem^nbIiYKSC>+@myvL5V9<|d#y z(!m;67p)Q95_UB{wo=hy>b20j`)#wa8J+S{$OW97XGe^MXi=!L(?XfABE_xRTLEd24EDA!-t1=H<1{U6TQ_Jr}RqtEJe zgF+$Zk2d$UPjCIbTKf1e6N4tPddV*52aot&rhjsrd&{ct?3=Ibk_B9fBH4^r9M1BY zc&yl6z}N4v{c^;G(oN-8vg=Rt=1#lwBI>@5z3yhEM_U;d-F4h2C~{q=BvF{1&B4L1 zdi%1?>$v@V71g=L6AVtz>Qr7ZdGh~5d$N-cJ&T`ObI^L(rt^oyUWCv1nRP;I>AJRh z-+gL(r&_B<7{sjck`tMIH0i;tJ+}WJ@n2fqJO2$IV^TOfW6kSrkF;jZ4XriuNN3oztvtL%Pvo%*`Gdx!M^W*XDGDY7llS9h|R42*V z{PWy->E@+z zMJp%zxIJH^c*TQ%cTl69;KxT!bMKyyiSj&nm0RS$RC>gsm>+-6*xpcBXZUMJnf%!& z6E0tWYxQ{E6|4A3C3)gAUNfBdY*2HV)zYP|U|-wbc;-)!;`=T&RZaM8Cp=k1^SK`1 ckJ`p-$+vks`9gMWZd_h%^-C_UH(aY907&1@iU0rr diff --git a/crate/sev_quote/src/quote.rs b/crate/sev_quote/src/quote.rs index 604b932..0af5c9b 100644 --- a/crate/sev_quote/src/quote.rs +++ b/crate/sev_quote/src/quote.rs @@ -25,19 +25,11 @@ use sev::{ firmware::host::CertType, }; -use uuid::Uuid; use x509_parser::{self, pem::parse_x509_pem}; #[cfg(target_os = "linux")] use crate::REPORT_DATA_SIZE; -const AWS_VLEK_TYPE: Uuid = Uuid::from_fields( - 0xa807_4bc2, - 0xa25a, - 0x483e, - &[0xaa, 0xe6, 0x39, 0xc0, 0x45, 0xa0, 0xb8, 0xa1], -); - const SEV_PROD_NAME: SevProdName = SevProdName::Milan; const KDS_CERT_SITE: &str = "https://kdsintf.amd.com"; @@ -117,7 +109,7 @@ pub fn verify_quote(quote: &Quote, policy: &SevQuoteVerificationPolicy) -> Resul let vlek = quote .certs .iter() - .find(|item| item.cert_type == CertType::OTHER(AWS_VLEK_TYPE)); + .find(|item| item.cert_type == CertType::VLEK); let ark = quote .certs .iter() @@ -219,8 +211,8 @@ mod tests { verify_quote( "e, &SevQuoteVerificationPolicy { - measurement: Some(hex::decode("c2c84b9364fc9f0f54b04534768c860c6e0e386ad98b96e8b98eca46ac8971d05c531ba48373f054c880cfd1f4a0a84e").unwrap().try_into().unwrap()), - report_data: Some(hex::decode("0d155251f139f682dc4ea2798feceed7c475461c8faecf7496401500956624540000000000000000000000000000000000000000000000000000000000000000").unwrap().try_into().unwrap()) , + measurement: Some(hex::decode("ac3e4d8516634a5e0180338175cc827c90061414bd699b5af30712caa291fa34ed06cc622792bc1177126bd115a826ba").unwrap().try_into().unwrap()), + report_data: Some(hex::decode("00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000").unwrap().try_into().unwrap()) , ..Default::default() } ) From f5b2565f0984630542c29e49883e799f95c32f02 Mon Sep 17 00:00:00 2001 From: grydz Date: Wed, 30 Apr 2025 13:54:35 +0400 Subject: [PATCH 2/2] Bump version to 1.6.2 --- Cargo.lock | 20 ++++++++++---------- Cargo.toml | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e06221d..7cf5e8e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -205,7 +205,7 @@ checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" [[package]] name = "azure_cvm" -version = "1.6.1" +version = "1.6.2" dependencies = [ "base64 0.22.1", "bincode", @@ -1405,7 +1405,7 @@ checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94" [[package]] name = "maa_client" -version = "1.6.1" +version = "1.6.2" dependencies = [ "base64 0.22.1", "hex", @@ -1676,7 +1676,7 @@ dependencies = [ [[package]] name = "pccs_client" -version = "1.6.1" +version = "1.6.2" dependencies = [ "hex", "reqwest", @@ -1913,7 +1913,7 @@ dependencies = [ [[package]] name = "ratls" -version = "1.6.1" +version = "1.6.2" dependencies = [ "const-oid", "der", @@ -2305,7 +2305,7 @@ dependencies = [ [[package]] name = "sev_quote" -version = "1.6.1" +version = "1.6.2" dependencies = [ "asn1-rs", "bincode", @@ -2324,7 +2324,7 @@ dependencies = [ [[package]] name = "sgx_pck_extension" -version = "1.6.1" +version = "1.6.2" dependencies = [ "asn1", "asn1-rs", @@ -2334,7 +2334,7 @@ dependencies = [ [[package]] name = "sgx_quote" -version = "1.6.1" +version = "1.6.2" dependencies = [ "chrono", "env_logger 0.11.3", @@ -2543,7 +2543,7 @@ dependencies = [ [[package]] name = "tdx_quote" -version = "1.6.1" +version = "1.6.2" dependencies = [ "env_logger 0.11.3", "hex", @@ -2562,7 +2562,7 @@ dependencies = [ [[package]] name = "tee_attestation" -version = "1.6.1" +version = "1.6.2" dependencies = [ "azure_cvm", "env_logger 0.11.3", @@ -2797,7 +2797,7 @@ checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3" [[package]] name = "tpm_quote" -version = "1.6.1" +version = "1.6.2" dependencies = [ "env_logger 0.11.3", "hex", diff --git a/Cargo.toml b/Cargo.toml index fd3d58c..4474432 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -14,7 +14,7 @@ members = [ ] [workspace.package] -version = "1.6.1" +version = "1.6.2" edition = "2021" license = "BUSL-1.1" # "Business Source License 1.1" license-file = "LICENSE"