Fix legacy attestation report validation #293
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rouming
requested review from
DGonzalezVillal,
larrydewey and
tylerfanelli
as code owners
rouming
force-pushed
the
fix-validate
branch
3 times, most recently
from
bf98692 to
d3b694f
Compare
Member
DGonzalezVillal
left a comment
DGonzalezVillal
left a comment
There was a problem hiding this comment.
It looks correct to me, did you have any issues @larrydewey
larrydewey
approved these changes
Mar 27, 2025
Contributor
Author
|
Please let me know, if there is anything to address from my side. Also I would really appreciate, if you review the |
DGonzalezVillal
approved these changes
Apr 2, 2025
Member
|
@rouming Could you squash into one commit, besides that it looks good, we can merge right after. |
tylerfanelli
approved these changes
Apr 2, 2025
Member
tylerfanelli
left a comment
tylerfanelli
left a comment
There was a problem hiding this comment.
LGTM. Can you squash into one commit?
This commit fixes legacy attestation report verification by addressing a few problems: 1. Fix typo of `launch_digest` definition for the `LegacyAttestationReport` structure: should be `DIGEST_SIZE` not `POLICY_SIZE`. 2. Signature verification should be performed on the SHA256 digest, not on the raw data. Additionally, the return value of `sig.verify()` should be properly converted to the `Result` type. 3. The `EcdsaSignature` structure has a size of 512 bytes, but the `LegacyAttestationReport` defines the signature as 144 bytes. Change the type of the signature to an `Array<u8, 144>` with an appropriate conversion trait. Signed-off-by: Roman Penyaev <[email protected]>
Contributor
Author
|
@DGonzalezVillal @tylerfanelli squashed, please take a look. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi folks,
For a couple of weeks, I've been investigating AMD SEV technology and experimenting with the
sev/sevctltool. I noticed that legacy report validation was only drafted (rewritten from the deprecatedsev-tool) but actually does not work as expected. I've fixed that and tried to mimic the spirit of thesevctltool as much as possible. This is my first contribution in Rust, so your feedback is highly appreciated.What has been done in this PR:
LegacyAttestationReportby defining it as anArray<u8, 144>instead of anEcdsaSignaturestructure, which is 512 bytes.LegacyAttestationReport, ensuringlaunch_digestusesDIGEST_SIZEinstead ofPOLICY_SIZE.There should be another PR for
sevctlitself coming soon, I'll provide a link to that PR once I push it.Update: the
sevctlpart virtee/sevctl#205