Skip to content

Allows Azure's V6 instance outdated SEAM Loader #60

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
ameba23 wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

Allows Azure's V6 instance outdated SEAM Loader #60

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a8f95a6
Override outdated SEAM loader
ameba23 Dec 12, 2025
8710790
Merge main
ameba23 Dec 12, 2025
cbc4cb5
Gate behind feature flag
ameba23 Dec 12, 2025
4ff0f5d
Rm logging
ameba23 Dec 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,5 +54,10 @@ rcgen = "0.14.5"
tempfile = "3.23.0"

[features]
default = ["azure"]
default = ["azure", "azure-v6-override"]

# Adds support for Microsoft Azure attestation generation and verification
azure = ["tss-esapi", "az-tdx-vtpm"]

# Allows Azure's V6 instance outdated SEAM Loader
azure-v6-override = ["azure"]
35 changes: 35 additions & 0 deletions src/attestation/azure/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ use x509_parser::prelude::*;

use crate::attestation::{dcap::verify_dcap_attestation, measurements::MultiMeasurements};

#[cfg(feature = "azure-v6-override")]
const AZURE_V6_BAD_FMSPC: &str = "90c06f000000";

/// The attestation evidence payload that gets sent over the channel
#[derive(Debug, Serialize, Deserialize)]
struct AttestationDocument {
Expand Down Expand Up @@ -245,6 +248,38 @@ impl RsaPubKey {
}
}

#[cfg(feature = "azure-v6-override")]
pub fn azure_v6_override(collateral: &mut dcap_qvl::QuoteCollateralV3) {
use crate::attestation::tcb_info::TcbInfo;

let mut tcb_info: TcbInfo = serde_json::from_str(&collateral.tcb_info).unwrap();

if tcb_info.fmspc == AZURE_V6_BAD_FMSPC {
let tcb_levels = tcb_info
.tcb_levels
.into_iter()
.map(|mut tcb_level| {
if &tcb_level.tcb_status == "UpToDate" {
if tcb_level.tcb.sgx_components[7].svn > 3 {
tracing::warn!(
"Overriding tcb info to allow outdated Azure v6 SEAM loader"
);
tcb_level.tcb.sgx_components[7].svn = 3;
}
tcb_level
} else {
tcb_level
}
})
.collect::<Vec<_>>();

tcb_info.tcb_levels = tcb_levels;

let tcb_info_json = serde_json::to_string(&tcb_info).unwrap();
collateral.tcb_info = tcb_info_json;
}
}

#[derive(Error, Debug)]
pub enum MaaError {
#[error("Report: {0}")]
Expand Down
7 changes: 6 additions & 1 deletion src/attestation/dcap.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,14 +32,19 @@ pub async fn verify_dcap_attestation(

let ca = quote.ca()?;
let fmspc = hex::encode_upper(quote.fmspc()?);
let collateral = get_collateral_for_fmspc(

#[allow(unused_mut)]
let mut collateral = get_collateral_for_fmspc(
&pccs_url.clone().unwrap_or(PCS_URL.to_string()),
fmspc,
ca,
false, // Indicates not SGX
)
.await?;

#[cfg(feature = "azure-v6-override")]
crate::attestation::azure::azure_v6_override(&mut collateral);

let _verified_report = dcap_qvl::verify::verify(&input, &collateral, now)?;

let measurements = MultiMeasurements::from_dcap_qvl_quote(&quote)?;
Expand Down
1 change: 1 addition & 0 deletions src/attestation/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
pub mod azure;
pub mod dcap;
pub mod measurements;
pub mod tcb_info;

use measurements::MultiMeasurements;
use parity_scale_codec::{Decode, Encode};
Expand Down
42 changes: 42 additions & 0 deletions src/attestation/tcb_info.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
use serde::{Deserialize, Serialize};

#[derive(Clone, PartialEq, Eq, PartialOrd, Ord, Hash, Debug, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct TcbInfo {
pub id: String,
pub version: u8,
pub issue_date: String,
pub next_update: String,
pub fmspc: String,
pub pce_id: String,
pub tcb_type: u32,
pub tcb_evaluation_data_number: u32,
pub tcb_levels: Vec<TcbLevel>,
}

#[derive(Clone, PartialEq, Eq, PartialOrd, Ord, Hash, Debug, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct TcbLevel {
pub tcb: Tcb,
pub tcb_date: String,
pub tcb_status: String,
#[serde(rename = "advisoryIDs", default)]
pub advisory_ids: Vec<String>,
}

#[derive(Clone, PartialEq, Eq, PartialOrd, Ord, Hash, Debug, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct Tcb {
#[serde(rename = "sgxtcbcomponents")]
pub sgx_components: Vec<TcbComponents>,
#[serde(rename = "tdxtcbcomponents", default)]
pub tdx_components: Vec<TcbComponents>,
#[serde(rename = "pcesvn")]
pub pce_svn: u16,
}

#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Hash, Debug, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct TcbComponents {
pub svn: u8,
}