New type for AKPub hash

stunes-ms · stunes-ms · commit c0579fdc82ea · 2025-10-14T11:08:57.000-07:00
diff --git a/vm/devices/tpm/src/lib.rs b/vm/devices/tpm/src/lib.rs
@@ -90,6 +90,8 @@ const RSA_2K_MODULUS_BITS: u16 = 2048;
 const RSA_2K_MODULUS_SIZE: usize = (RSA_2K_MODULUS_BITS / 8) as usize;
 const RSA_2K_EXPONENT_SIZE: usize = 3;
 
+const SHA_256_OUTPUT_SIZE_BYTES: usize = 32;
+
 const TPM_RSA_SRK_HANDLE: ReservedHandle = ReservedHandle::new(TPM20_HT_PERSISTENT, 0x01);
 const TPM_AZURE_AIK_HANDLE: ReservedHandle = ReservedHandle::new(TPM20_HT_PERSISTENT, 0x03);
 const TPM_GUEST_SECRET_HANDLE: ReservedHandle = ReservedHandle::new(TPM20_HT_PERSISTENT, 0x04);
@@ -260,7 +262,7 @@ pub struct Tpm {
 
     // For logging
     bios_guid: Guid,
-    ak_pub_hash: String,
+    ak_pub_hash: [u8; SHA_256_OUTPUT_SIZE_BYTES],
 
     // Runtime glue
     rt: TpmRuntime,
@@ -441,7 +443,7 @@ impl Tpm {
             mmio_region,
             allow_ak_cert_renewal: false,
             bios_guid,
-            ak_pub_hash: "".into(),
+            ak_pub_hash: [0; SHA_256_OUTPUT_SIZE_BYTES],
 
             rt: TpmRuntime {
                 mem,
@@ -630,15 +632,14 @@ impl Tpm {
             let mut ak_pub_hasher = Sha256::new();
             ak_pub_hasher.update(ak_pub.exponent);
             ak_pub_hasher.update(ak_pub.modulus);
-            let ak_pub_hash = ak_pub_hasher.finalize();
-            self.ak_pub_hash = base64::engine::general_purpose::STANDARD.encode(ak_pub_hash);
+            self.ak_pub_hash = ak_pub_hasher.finalize().into();
 
             tracing::info!(
                 CVM_ALLOWED,
                 op_type = ?LogOpType::VtpmKeysProvision,
                 key_type = ?KeyType::AkPub,
                 bios_guid = %self.bios_guid,
-                pub_key = self.ak_pub_hash,
+                pub_key = self.ak_pub_str(),
                 success = true,
                 latency = std::time::SystemTime::now()
                     .duration_since(start_time)
@@ -1048,7 +1049,7 @@ impl Tpm {
             CVM_ALLOWED,
             op_type = ?LogOpType::BeginAkCertProvision,
             is_renew,
-            pub_key = self.ak_pub_hash,
+            pub_key = self.ak_pub_str(),
             bios_guid = %self.bios_guid,
             "Request AK cert renewal"
         );
@@ -1111,7 +1112,7 @@ impl Tpm {
                             CVM_ALLOWED,
                             op_type = ?LogOpType::AkCertProvision,
                             bios_guid = %self.bios_guid,
-                            pub_key = self.ak_pub_hash,
+                            pub_key = self.ak_pub_str(),
                             is_renew,
                             got_cert = 0,
                             latency = latency.map_or(0, |d| d.as_millis()),
@@ -1132,7 +1133,7 @@ impl Tpm {
                             CVM_ALLOWED,
                             op_type = ?LogOpType::AkCertProvision,
                             bios_guid = %self.bios_guid,
-                            pub_key = self.ak_pub_hash,
+                            pub_key = self.ak_pub_str(),
                             is_renew,
                             got_cert = 0,
                             latency = latency.map_or(0, |d| d.as_millis()),
@@ -1168,7 +1169,7 @@ impl Tpm {
                     CVM_ALLOWED,
                     op_type = ?LogOpType::AkCertProvision,
                     bios_guid = %self.bios_guid,
-                    pub_key = self.ak_pub_hash,
+                    pub_key = self.ak_pub_str(),
                     is_renew,
                     got_cert = 1,
                     size = response.len(),
@@ -1261,6 +1262,10 @@ impl Tpm {
             }
         }
     }
+
+    fn ak_pub_str(&self) -> String {
+        base64::engine::general_purpose::STANDARD.encode(self.ak_pub_hash)
+    }
 }
 
 impl ChangeDeviceState for Tpm {
