Add logging

Author: ameba23

src/attestation/azure/ak_certificate.rs

@@ -152,12 +152,14 @@ pub fn verify_ak_cert_with_azure_roots(ak_cert_der: &[u8], now_secs: u64) -> Res
         None,
         None,
     )?;
+    tracing::debug!("Successfully verified AK certificate from vTPM");
 
     Ok(())
 }
 
 /// Retrieve an AK certificate from the vTPM
 pub fn read_ak_certificate_from_tpm() -> Result<Vec<u8>, tss_esapi::Error> {
+    tracing::debug!("Reading AK certificate from vTPM");
     let mut context = nv_index::get_session_context()?;
     nv_index::read_nv_index(&mut context, TPM_AK_CERT_IDX)
 }

src/attestation/azure/mod.rs

@@ -29,7 +29,7 @@ struct AttestationDocument {
 struct TpmAttest {
     /// Attestation Key certificate from vTPM
     ak_certificate_pem: String,
-    /// vTPM quotes over the selected PCR bank(s).
+    /// vTPM quote
     quote: vtpm::Quote,
     /// Raw TCG event log bytes (UEFI + IMA) [currently not used]
     ///
@@ -68,6 +68,7 @@ pub async fn create_azure_attestation(input_data: [u8; 64]) -> Result<Vec<u8>, M
         tpm_attestation,
     };
 
+    tracing::info!("Successfully generated azure attestation: {attestation_document:?}");
     Ok(serde_json::to_vec(&attestation_document)?)
 }
 
@@ -94,6 +95,7 @@ async fn verify_azure_attestation_with_given_timestamp(
     now: u64,
 ) -> Result<super::measurements::Measurements, MaaError> {
     let attestation_document: AttestationDocument = serde_json::from_slice(&input)?;
+    tracing::info!("Attempting to verifiy azure attestation: {attestation_document:?}");
 
     let hcl_report_bytes = BASE64_URL_SAFE.decode(attestation_document.hcl_report_base64)?;
 

src/attestation/azure/nv_index.rs

@@ -14,6 +14,7 @@ pub fn get_session_context() -> Result<Context, tss_esapi::Error> {
 }
 
 pub fn read_nv_index(ctx: &mut Context, index: u32) -> Result<Vec<u8>, tss_esapi::Error> {
+    tracing::debug!("Reading from TPM, nv index: {index}");
     let nv_tpm_handle = NvIndexTpmHandle::new(index)?;
     let buf = tss_esapi::abstraction::nv::read_full(ctx, NvAuth::Owner, nv_tpm_handle)?;
     Ok(buf.to_vec())

src/attestation/dcap.rs

@@ -16,7 +16,9 @@ pub const PCS_URL: &str = "https://api.trustedservices.intel.com";
 
 /// Quote generation using configfs_tsm
 pub async fn create_dcap_attestation(input_data: [u8; 64]) -> Result<Vec<u8>, AttestationError> {
-    Ok(generate_quote(input_data)?)
+    let quote = generate_quote(input_data)?;
+    tracing::info!("Generated TDX quote of {} bytes", quote.len());
+    Ok(quote)
 }
 
 /// Verify a DCAP TDX quote, and return the measurement values
@@ -30,6 +32,7 @@ pub async fn verify_dcap_attestation(
             .duration_since(std::time::UNIX_EPOCH)?
             .as_secs();
         let quote = Quote::parse(&input)?;
+        tracing::info!("Verifying DCAP attestation: {quote:?}");
 
         let ca = quote.ca()?;
         let fmspc = hex::encode_upper(quote.fmspc()?);
@@ -99,27 +102,13 @@ pub fn get_quote_input_data(report: Report) -> [u8; 64] {
     }
 }
 
-/// An error when generating or verifying an attestation
+/// An error when verifying a DCAP attestation
 #[derive(Error, Debug)]
 pub enum DcapVerificationError {
-    // #[error("Certificate chain is empty")]
-    // NoCertificate,
-    // #[error("X509 parse: {0}")]
-    // X509Parse(#[from] x509_parser::asn1_rs::Err<x509_parser::error::X509Error>),
-    // #[error("X509: {0}")]
-    // X509(#[from] x509_parser::error::X509Error),
     #[error("Quote input is not as expected")]
     InputMismatch,
-    // #[error("Configuration mismatch - expected no remote attestation")]
-    // AttestationGivenWhenNoneExpected,
-    // #[error("Configfs-tsm quote generation: {0}")]
-    // QuoteGeneration(#[from] configfs_tsm::QuoteGenerationError),
     #[error("SGX quote given when TDX quote expected")]
     SgxNotSupported,
-    // #[error("Platform measurements do not match any accepted values")]
-    // UnacceptablePlatformMeasurements,
-    // #[error("OS image measurements do not match any accepted values")]
-    // UnacceptableOsImageMeasurements,
     #[error("System Time: {0}")]
     SystemTime(#[from] std::time::SystemTimeError),
     #[error("DCAP quote verification: {0}")]

src/attestation/mod.rs

@@ -172,6 +172,7 @@ impl AttestationGenerator {
                 }
                 #[cfg(not(feature = "azure"))]
                 {
+                    tracing::error!("Attempted to generate an azure attestation but the `azure` feature not enabled");
                     Err(AttestationError::AttestationTypeNotSupported)
                 }
             }