Lax parser feature #363
Lax parser feature #363
Conversation
cschramm
requested review from
DGonzalezVillal,
larrydewey and
tylerfanelli
as code owners
cschramm
force-pushed
the
lax-decoders
branch
from
e6e308a to
629cd46
Compare
The parser strictly checks reserved areas to be zero (even though the specification does not even require that for all of them). This is an issue when parsing newer versions of attestation reports where those areas might not be reserved anymore. The `lax-parser` feature disables that check, currently with some tradeoffs: * No `WriteExt::skip_bytes` * No `Encoder` impl for `AttestationReport`, `Signature`, and `WrappedVlekHashstick` * No compatibility with `openssl` and `crypto_nossl` Closes virtee#343 Signed-off-by: Christopher Schramm <[email protected]>
cschramm
force-pushed
the
lax-decoders
branch
from
629cd46 to
e5c58d6
Compare
|
So in this solution, you would only be able to parse the attestation report, but you would not be able to write it anywhere correct? Is that still useful to you? |
|
Because the Write stuff can be modified to write the raw contents. Create something like a raw write |
Absolutely, yes. I only use the parser, but not the As I wrote in #343, writing could be achieved by actually reading reserved areas and carrying their contents to write them back instead of zeroes. I was under the impression, though, that you wanted to keep this a limited parse-only case. |
DGonzalezVillal
left a comment
DGonzalezVillal
left a comment
There was a problem hiding this comment.
Hello @cschramm,
Apologies for the delay—I was out on break.
After taking a closer look at your PR, I’m thinking a better approach might be to shift from the current lax-parsing idea to something more like a raw read/write (or unsafe read/write) mode. With that approach, this feature would simply read and write the raw binary contents as-is.
In our earlier discussions, I may have implied that I wanted this scoped strictly to parsing, but after reviewing the PR and realizing that lax parsing would require disabling or weakening other APIs, I’m less comfortable with that direction. I’d prefer not to reduce existing functionality to support a single feature. This alternative also results in fewer changes overall, since it would mainly involve updating the read and write paths to operate on raw bytes without safety checks.
This keeps the library behavior unchanged for most users, while clearly shifting responsibility for validation and safety checks to users who opt into this mode.
Please let me know what you think, and apologies again for the back and forth.
Thanks!
| Ok(()) | ||
| } | ||
|
|
||
| #[cfg(not(feature = "lax-parser"))] |
There was a problem hiding this comment.
Why do you have to disable this API for lax-parser?
There was a problem hiding this comment.
It encodes hashstick, which is not supported as it requires skip_bytes.
| #[cfg(all( | ||
| any(feature = "openssl", feature = "crypto_nossl"), | ||
| feature = "lax-parser" | ||
| ))] |
There was a problem hiding this comment.
Why would lax-parser be part of this check?
There was a problem hiding this comment.
This check is precisely to detect the use of one of the crypto features together with lax-parser. The only purpose is to give a clear error message above the error messages that will follow due to the disabled code.
There was a problem hiding this comment.
Hi @DGonzalezVillal, no worries. A lax parser that does not disable encoding support makes perfect sense to me. I'll prepare an alternative PR for that. 👍
Edit: => #366 Keeping this open for reference until the other direction is settled.
| Ok(()) | ||
| } | ||
|
|
||
| #[cfg(not(feature = "lax-parser"))] |
There was a problem hiding this comment.
It encodes hashstick, which is not supported as it requires skip_bytes.
| #[cfg(all( | ||
| any(feature = "openssl", feature = "crypto_nossl"), | ||
| feature = "lax-parser" | ||
| ))] |
There was a problem hiding this comment.
This check is precisely to detect the use of one of the crypto features together with lax-parser. The only purpose is to give a clear error message above the error messages that will follow due to the disabled code.
|
This looks like a very useful change overall, especially treating reserved fields in the top-level One subtle point: in the ABI spec, some The same issue also applies to sub-structures (e.g. TCB Version, Guest Policy, Platform Info), which still handle reserved fields in the old way. As @DGonzalezVillal suggested:
I strongly agree with this direction. A raw read/write model avoids baking ABI assumptions into parsing, and it naturally resolves the MBZ vs non-MBZ ambiguity (including for sub-structures) in a cleaner and more scalable way. As additional context, similar strict-parsing assumptions have already caused issues downstream. For example:
Both were ultimately related to parsing expectations around attestation report layout and reserved fields. A raw read/write (opaque binary) model would not only prevent this class of bugs, but also make root-cause analysis and fixes much simpler when ABI-level discrepancies occur. |
I mentioned that in #343 (comment), but @DGonzalezVillal responded with
I do not understand why, but I'm definitely the one with less domain knowledge here. In case you missed it: There is #366 with an alternative approach that reads raw bytes. |
Yes. I read it. The alternative design I have in mind is to store the attestation report as a 1184-byte blob while providing setters and getters for each field. |
|
I see. Fine for me either. @DGonzalezVillal? |
5 participants
The parser strictly checks reserved areas to be zero (even though the specification does not even require that for all of them). This is an issue when parsing future (i.e., not known to the current codebase) versions of attestation reports, where those areas may no longer be reserved.
The
lax-parserfeature disables that check, currently with some tradeoffs:WriteExt::skip_bytesEncoderimplforAttestationReport,Signature, andWrappedVlekHashstickopensslandcrypto_nosslCloses #343