From 2796ad4eecb4395a3e71de50f6c0dd17085d5a3a Mon Sep 17 00:00:00 2001 From: Kartik Joshi Date: Mon, 26 Feb 2024 19:45:14 +0530 Subject: [PATCH] Azsnpvtpm: Replace anyhow error crate with thiserror crate Replace anyhow error crate with thiserror crate Fixes: #231 Signed-off-by: Kartik Joshi --- .../verifier/src/az_snp_vtpm/mod.rs | 40 +++++++++++++++---- 1 file changed, 32 insertions(+), 8 deletions(-) diff --git a/attestation-service/verifier/src/az_snp_vtpm/mod.rs b/attestation-service/verifier/src/az_snp_vtpm/mod.rs index 82b4243e9d..a064d18b0a 100644 --- a/attestation-service/verifier/src/az_snp_vtpm/mod.rs +++ b/attestation-service/verifier/src/az_snp_vtpm/mod.rs @@ -5,6 +5,9 @@ use crate::{InitDataHash, ReportData}; +use az_snp_vtpm::vtpm::QuoteError; +use thiserror::Error; + use super::{TeeEvidenceParsedClaim, Verifier}; use crate::snp::{ load_milan_cert_chain, parse_tee_evidence, verify_report_signature, VendorCertificates, @@ -34,10 +37,28 @@ pub struct AzSnpVtpm { vendor_certs: VendorCertificates, } +#[derive(Error, Debug)] +pub enum CertError { + #[error("Failed to load Milan cert chain")] + LoadMilanCert, + #[error("TPM quote nonce doesn't match expected report_data")] + NonceMismatch, + #[error("SNP report report_data mismatch")] + SnpReportMismatch, + #[error("VMPL of SNP report is not {0}")] + VmplIncorrect(u32), + #[error(transparent)] + Quote(#[from] QuoteError), + #[error(transparent)] + JsonWebkey(#[from] jsonwebkey::ConversionError), + #[error(transparent)] + Anyhow(#[from] anyhow::Error), +} + impl AzSnpVtpm { - pub fn new() -> Result { + pub fn new() -> Result { let Result::Ok(vendor_certs) = load_milan_cert_chain() else { - bail!("Failed to load Milan cert chain"); + return Err(CertError::LoadMilanCert); }; let vendor_certs = vendor_certs.clone(); Ok(Self { vendor_certs }) @@ -109,10 +130,10 @@ impl Verifier for AzSnpVtpm { } } -fn verify_nonce(quote: &Quote, report_data: &[u8]) -> Result<()> { +fn verify_nonce(quote: &Quote, report_data: &[u8]) -> Result<(), CertError> { let nonce = quote.nonce()?; if nonce != report_data[..] { - bail!("TPM quote nonce doesn't match expected report_data"); + return Err(CertError::NonceMismatch); } debug!("TPM report_data verification completed successfully"); Ok(()) @@ -138,9 +159,12 @@ fn verify_pcrs(quote: &Quote) -> Result<()> { Ok(()) } -fn verify_report_data(var_data_hash: &[u8; 32], snp_report: &AttestationReport) -> Result<()> { +fn verify_report_data( + var_data_hash: &[u8; 32], + snp_report: &AttestationReport, +) -> Result<(), CertError> { if *var_data_hash != snp_report.report_data[..32] { - bail!("SNP report report_data mismatch"); + return Err(CertError::SnpReportMismatch); } debug!("SNP report_data verification completed successfully"); Ok(()) @@ -150,13 +174,13 @@ fn verify_snp_report( snp_report: &AttestationReport, vcek: &Vcek, vendor_certs: &VendorCertificates, -) -> Result<()> { +) -> Result<(), CertError> { let vcek_data = vcek.0.to_der().context("Failed to get raw VCEK data")?; let cert_chain = [CertTableEntry::new(CertType::VCEK, vcek_data)]; verify_report_signature(snp_report, &cert_chain, vendor_certs)?; if snp_report.vmpl != HCL_VMPL_VALUE { - bail!("VMPL of SNP report is not {HCL_VMPL_VALUE}"); + return Err(CertError::VmplIncorrect(HCL_VMPL_VALUE)); } Ok(())