Azsnpvtpm: Replace anyhow error crate with thiserror crate
Replace anyhow error crate with thiserror crate
Fixes: confidential-containers#231

Signed-off-by: Kartik Joshi <[email protected]>
kartikjoshi21 committed Mar 19, 2024
1 parent 9b8ef6c commit e5fa0a5
Showing 3 changed files with 36 additions and 8 deletions.
2 changes: 2 additions & 0 deletions Cargo.lock

2 changes: 2 additions & 0 deletions attestation-service/verifier/Cargo.toml
@@ -16,6 +16,7 @@ cca-verifier = [ "ear", "jsonwebtoken", "veraison-apiclient" ]

[dependencies]
anyhow.workspace = true
thiserror.workspace=true
asn1-rs = { version = "0.5.1", optional = true }
async-trait.workspace = true
az-snp-vtpm = { version = "0.5.2", default-features = false, features = ["verifier"], optional = true }
@@ -30,6 +31,7 @@ csv-rs = { git = "https://github.com/openanolis/csv-rs", rev = "b74aa8c", option
eventlog-rs = { version = "0.1.3", optional = true }
hex.workspace = true
jsonwebtoken = { workspace = true, default-features = false, optional = true }
jsonwebkey = "0.3.5"
kbs-types.workspace = true
log.workspace = true
openssl = { version = "0.10.55", optional = true }
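Review bot: `jsonwebkey = "0.3.5"` is added as an unconditional dependency with its own version pin, while the only use visible in this commit is the `#[from] jsonwebkey::ConversionError` variant in `az_snp_vtpm/mod.rs`, and `az-snp-vtpm` itself is `optional = true`. Every build of the verifier, including ones without the Azure vTPM backend, would then compile and ship this crate, which widens the dependency surface that has to be audited. If nothing outside that module needs it, I would declare it `jsonwebkey = { version = "0.3.5", optional = true }` and list it in the feature that enables `az-snp-vtpm` (the feature table is outside this hunk). Minor: `thiserror.workspace=true` should be spaced like its neighbours, `thiserror.workspace = true`.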
40 changes: 32 additions & 8 deletions attestation-service/verifier/src/az_snp_vtpm/mod.rs
@@ -5,6 +5,9 @@

use crate::{InitDataHash, ReportData};

use az_snp_vtpm::vtpm::QuoteError;
use thiserror::Error;

use super::{TeeEvidenceParsedClaim, Verifier};
use crate::snp::{
load_milan_cert_chain, parse_tee_evidence, verify_report_signature, VendorCertificates,
@@ -34,10 +37,28 @@ pub struct AzSnpVtpm {
vendor_certs: VendorCertificates,
}

#[derive(Error, Debug)]
pub enum CertError {
#[error("Failed to load Milan cert chain")]
LoadMilanCert,
#[error("TPM quote nonce doesn't match expected report_data")]
NonceMismatch,
#[error("SNP report report_data mismatch")]
SnpReportMismatch,
#[error("VMPL of SNP report is not {0}")]
VmplIncorrect(u32),
#[error(transparent)]
Quote(#[from] QuoteError),
#[error(transparent)]
JsonWebkey(#[from] jsonwebkey::ConversionError),
#[error(transparent)]
Anyhow(#[from] anyhow::Error),
}

impl AzSnpVtpm {
pub fn new() -> Result<Self> {
pub fn new() -> Result<Self, CertError> {
let Result::Ok(vendor_certs) = load_milan_cert_chain() else {
bail!("Failed to load Milan cert chain");
return Err(CertError::LoadMilanCert);
};
let vendor_certs = vendor_certs.clone();
Ok(Self { vendor_certs })
@@ -109,10 +130,10 @@ impl Verifier for AzSnpVtpm {
}
}

fn verify_nonce(quote: &Quote, report_data: &[u8]) -> Result<()> {
fn verify_nonce(quote: &Quote, report_data: &[u8]) -> Result<(), CertError> {
let nonce = quote.nonce()?;
if nonce != report_data[..] {
bail!("TPM quote nonce doesn't match expected report_data");
return Err(CertError::NonceMismatch);
}
debug!("TPM report_data verification completed successfully");
Ok(())
@@ -138,9 +159,12 @@ fn verify_pcrs(quote: &Quote) -> Result<()> {
Ok(())
}

fn verify_report_data(var_data_hash: &[u8; 32], snp_report: &AttestationReport) -> Result<()> {
fn verify_report_data(
var_data_hash: &[u8; 32],
snp_report: &AttestationReport,
) -> Result<(), CertError> {
if *var_data_hash != snp_report.report_data[..32] {
bail!("SNP report report_data mismatch");
return Err(CertError::SnpReportMismatch);
}
debug!("SNP report_data verification completed successfully");
Ok(())
@@ -150,13 +174,13 @@ fn verify_snp_report(
snp_report: &AttestationReport,
vcek: &Vcek,
vendor_certs: &VendorCertificates,
) -> Result<()> {
) -> Result<(), CertError> {
let vcek_data = vcek.0.to_der().context("Failed to get raw VCEK data")?;
let cert_chain = [CertTableEntry::new(CertType::VCEK, vcek_data)];
verify_report_signature(snp_report, &cert_chain, vendor_certs)?;

if snp_report.vmpl != HCL_VMPL_VALUE {
bail!("VMPL of SNP report is not {HCL_VMPL_VALUE}");
return Err(CertError::VmplIncorrect(HCL_VMPL_VALUE));
}

Ok(())
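Review bot: The `Anyhow(#[from] anyhow::Error)` catch-all in `CertError` means the most security-relevant failure in `verify_snp_report`, a rejected `verify_report_signature(...)`, still surfaces as an opaque transparent error, as does the `.context("Failed to get raw VCEK data")` path, so a caller or log consumer cannot tell a bad report signature from an encoding problem by matching on the enum. I would give it its own variant, `#[error("SNP report signature verification failed")] ReportSignature(#[source] anyhow::Error),` and call `verify_report_signature(snp_report, &cert_chain, vendor_certs).map_err(CertError::ReportSignature)?;` (this assumes the helper returns `anyhow::Result`, which is not visible here). `VmplIncorrect(HCL_VMPL_VALUE)` records only the expected level; carrying `snp_report.vmpl` as well would make the rejection easier to triage. The name `CertError` also undersells an enum whose variants are mostly nonce, report_data and VMPL failures, and `verify_pcrs` in the hunk header still returns the anyhow `Result<()>`. The bodies of `impl AzSnpVtpm` and `verify_snp_report` continue outside the hunks shown.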