verifier-cli: the verify command ignores errors #214

Open
flihp opened this issue May 16, 2024 · 0 comments
flihp commented May 16, 2024

This is probably a larger error handling problem but this is a good place to start. If a humility hiffy call fails the verify command will just carry on and then probably fail at some later step that depended on the earlier one. An example w/ verbose output looks like:

$ cat verify-sprot.log 
[INFO  verifier_cli] getting Nonce from platform RNG
[INFO  verifier_cli] writing nonce to: /tmp/.tmp2au1H6/nonce.bin
[INFO  verifier_cli] getting attestation
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.attest_len"
[DEBUG verifier_cli] output: 0x41
[DEBUG verifier_cli] prefix stripped: "41"
[DEBUG verifier_cli] output u32: 65
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.attest" "--num=65" "--output=/tmp/.tmp2fAje8" "--input=/tmp/.tmpoVBPZU"
[DEBUG verifier_cli] output: SpRot.attest() => Err(<Complex error: AttestOrSprotError>)
    Wrote 65 bytes to '/tmp/.tmp2fAje8'
    
[INFO  verifier_cli] writing attestation to: /tmp/.tmp2au1H6/attest.bin
[INFO  verifier_cli] getting measurement log
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.log_len"
[DEBUG verifier_cli] output: 0x214
[DEBUG verifier_cli] prefix stripped: "214"
[DEBUG verifier_cli] output u32: 532
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.log" "--num=256" "--output=/tmp/.tmpKZQAZs" "--arguments" "offset=0"
[DEBUG verifier_cli] output: SpRot.log() => ()
    Wrote 256 bytes to '/tmp/.tmpKZQAZs'
    
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.log" "--num=256" "--output=/tmp/.tmpuFiKCL" "--arguments" "offset=256"
[DEBUG verifier_cli] output: SpRot.log() => ()
    Wrote 256 bytes to '/tmp/.tmpuFiKCL'
    
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.log" "--num=20" "--output=/tmp/.tmpT94Mur" "--arguments" "offset=512"
[DEBUG verifier_cli] output: SpRot.log() => ()
    Wrote 20 bytes to '/tmp/.tmpT94Mur'
    
[INFO  verifier_cli] writing measurement log to: /tmp/.tmp2au1H6/log.bin
[INFO  verifier_cli] getting cert chain
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.cert_chain_len"
[DEBUG verifier_cli] output: 0x4
[DEBUG verifier_cli] prefix stripped: "4"
[DEBUG verifier_cli] output u32: 4
[INFO  verifier_cli] getting cert[0] encoded as pem
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.cert_len" "--arguments=index=0"
[DEBUG verifier_cli] output: 0x1b0
[DEBUG verifier_cli] prefix stripped: "1b0"
[DEBUG verifier_cli] output u32: 432
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=256" "--output=/tmp/.tmp5W9cbf" "--arguments" "index=0,offset=0"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 256 bytes to '/tmp/.tmp5W9cbf'
    
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=176" "--output=/tmp/.tmpDW0XlJ" "--arguments" "index=0,offset=256"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 176 bytes to '/tmp/.tmpDW0XlJ'
    
[INFO  verifier_cli] writing alias cert to: /tmp/.tmp2au1H6/alias.pem
[INFO  verifier_cli] writing cert[0] to: /tmp/.tmp2au1H6/cert-chain.pem
[INFO  verifier_cli] getting cert[1] encoded as pem
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.cert_len" "--arguments=index=1"
[DEBUG verifier_cli] output: 0x197
[DEBUG verifier_cli] prefix stripped: "197"
[DEBUG verifier_cli] output u32: 407
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=256" "--output=/tmp/.tmpJxkVOP" "--arguments" "index=1,offset=0"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 256 bytes to '/tmp/.tmpJxkVOP'
    
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=151" "--output=/tmp/.tmp4FIo4V" "--arguments" "index=1,offset=256"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 151 bytes to '/tmp/.tmp4FIo4V'
    
[INFO  verifier_cli] writing cert[1] to: /tmp/.tmp2au1H6/cert-chain.pem
[INFO  verifier_cli] getting cert[2] encoded as pem
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.cert_len" "--arguments=index=2"
[DEBUG verifier_cli] output: 0x252
[DEBUG verifier_cli] prefix stripped: "252"
[DEBUG verifier_cli] output u32: 594
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=256" "--output=/tmp/.tmprT1fu9" "--arguments" "index=2,offset=0"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 256 bytes to '/tmp/.tmprT1fu9'
    
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=256" "--output=/tmp/.tmpk3wtgQ" "--arguments" "index=2,offset=256"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 256 bytes to '/tmp/.tmpk3wtgQ'
    
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=82" "--output=/tmp/.tmpF2EXEa" "--arguments" "index=2,offset=512"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 82 bytes to '/tmp/.tmpF2EXEa'
    
[INFO  verifier_cli] writing cert[2] to: /tmp/.tmp2au1H6/cert-chain.pem
[INFO  verifier_cli] getting cert[3] encoded as pem
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.cert_len" "--arguments=index=3"
[DEBUG verifier_cli] output: 0x285
[DEBUG verifier_cli] prefix stripped: "285"
[DEBUG verifier_cli] output u32: 645
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=256" "--output=/tmp/.tmpqR69G3" "--arguments" "index=3,offset=0"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 256 bytes to '/tmp/.tmpqR69G3'
    
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=256" "--output=/tmp/.tmppBys5V" "--arguments" "index=3,offset=256"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 256 bytes to '/tmp/.tmppBys5V'
    
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=133" "--output=/tmp/.tmpNeHZrr" "--arguments" "index=3,offset=512"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 133 bytes to '/tmp/.tmpNeHZrr'
    
[INFO  verifier_cli] writing cert[3] to: /tmp/.tmp2au1H6/cert-chain.pem
[INFO  verifier_cli] verifying attestation
[DEBUG verifier_cli] decoded pem w/ label: "CERTIFICATE"
Error: signature error: Verification equation was not satisfied

Caused by:
    Verification equation was not satisfied

The first thing verify does is get an attestation through sprot and that failed. So humility writes an empty buffer as the output. This isn't used again till we attempt to verify the signature over the attestation and it fails. The initial failure should be reported and a non-zero exit code returned.
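
An added example, not part of the original issue and not verifier-cli's own code: one way to fail fast on the `SpRot.attest() => Err(...)` line shown in the log, before the output buffer is trusted. `HiffyError` and `check_hiffy` are hypothetical names, and the exit status of `humility` on a failed call is not shown in the issue, so it is checked separately and assumed successful in the samples.

```rust
// Added example: fail-fast check on captured `humility hiffy` output.
// `HiffyError` and `check_hiffy` are hypothetical names, not verifier-cli's API.

#[derive(Debug, PartialEq)]
pub enum HiffyError {
    /// The child process itself exited with a non-zero status.
    ExitStatus { call: String },
    /// The process ran, but the remote call reported `Err(..)`.
    CallFailed { call: String, detail: String },
    /// No `Name() => result` line was found; fail closed.
    NoResultLine { call: String },
}

/// Inspect one invocation's exit status and stdout before its output buffer
/// is trusted. Intended for the buffer-producing calls (attest, log, cert),
/// whose output has the `Name() => result` shape seen in the issue's log.
pub fn check_hiffy(call: &str, exit_ok: bool, stdout: &str) -> Result<(), HiffyError> {
    let call = call.to_string();
    if !exit_ok {
        return Err(HiffyError::ExitStatus { call });
    }
    // Take the text after the first "=> " on any line as the call's result.
    let result = stdout
        .lines()
        .find_map(|line| line.split_once("=> ").map(|(_, rhs)| rhs.trim()));
    match result {
        Some(rhs) if rhs.starts_with("Err(") => Err(HiffyError::CallFailed {
            call,
            detail: rhs.to_string(),
        }),
        Some(_) => Ok(()),
        None => Err(HiffyError::NoResultLine { call }),
    }
}

fn main() -> Result<(), HiffyError> {
    // Outputs copied from the log in the issue; exit status assumed successful.
    let ok = "SpRot.log() => ()\n    Wrote 256 bytes to '/tmp/.tmpKZQAZs'\n";
    let bad = "SpRot.attest() => Err(<Complex error: AttestOrSprotError>)\n    Wrote 65 bytes to '/tmp/.tmp2fAje8'\n";
    check_hiffy("SpRot.log", true, ok)?;
    // Returning Err from main prints the error and exits non-zero.
    check_hiffy("SpRot.attest", true, bad)?;
    println!("all hiffy calls succeeded");
    Ok(())
}
```

Run stand-alone, the program stops at the `SpRot.attest` failure and exits non-zero instead of continuing to signature verification over an empty buffer.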
