sync branch and rewrite removed testcase

chipsalliance · Nov 21, 2023 · 133a667 · 133a667
1 parent 38b2b96
commit 133a667
Show file tree

Hide file tree

Showing 4 changed files with 134 additions and 18 deletions.
diff --git a/verification/certifyKey.go b/verification/certifyKey.go
@@ -262,38 +262,51 @@ func checkCertifyKeyMultiTcbInfoExtensionStructure(t *testing.T, c *x509.Certifi
 // Checks the FWID block's Digest.
 // FWID at index 0 has the TCI_CURRENT as digest
 // FWID at index 1 has the TCI_CUMULATIVE as digest
-// The length of FWID array in each DICE TCB information block is 2.
-func checkCurrentDiceTcbMeasurements(t *testing.T, multiTcbInfo []DiceTcbInfo, expectedCurrentValue []byte) {
-	currentTci := multiTcbInfo[0].Fwids[0].Digest
-	cumulativeTci := multiTcbInfo[0].Fwids[1].Digest
+// The length of FWID array in each DICE TCB information block is alyays 2 comprising the current and cumulative.
+func checkCurrentDiceTcbMeasurements(t *testing.T, handle *ContextHandle, multiTcbInfo []DiceTcbInfo, expectedCurrentValue []byte, isTciExtended bool) {
+	t.Helper()
 
+	currentTciIndex := 0
+	currentTci := multiTcbInfo[currentTciIndex].Fwids[0].Digest
 	if !bytes.Equal(currentTci, expectedCurrentValue) {
 		t.Errorf("[ERROR]: Unexpected TCI_CURRENT digest, want %v but got %v", expectedCurrentValue, currentTci)
 	}
 
 	// Calculate expected cumulative value
-	var expectedCumulativeValue []byte
 	var defaultTci []byte
 	var hasher hash.Hash
 	if multiTcbInfo[0].Fwids[1].HashAlg.Equal(OidSHA384) {
 		hasher = sha512.New384()
 		defaultTci = make([]byte, 48)
-		hasher.Write(defaultTci)
 	} else if multiTcbInfo[0].Fwids[1].HashAlg.Equal(OidSHA256) {
 		hasher = sha256.New()
 		defaultTci = make([]byte, 32)
-		hasher.Write(defaultTci)
 	}
 
-	// The DiceTcbInfo blocks are listed with current node at index0 followed by parent TCI nodes.
-	for i := len(multiTcbInfo) - 1; i >= 0; i-- {
-		hasher.Write(multiTcbInfo[i].Fwids[0].Digest)
+	// For Extended TCI, CUMULATIVE = H(TCI_CUMULATIVE || INPUT_TCI_VALUE)
+	startIndex := 0
+	if isTciExtended {
+		startIndex += 1 // To skip usual hash compuatation for extended TCI
 	}
-	expectedCumulativeValue = hasher.Sum(nil)
 
-	// Verify the FWID index-1 which has TCI_CUMULATIVE value of current node
-	if !bytes.Equal(cumulativeTci, expectedCumulativeValue) {
-		t.Errorf("[ERROR]: Unexpected cumulative TCI value, want %v but got %v", expectedCumulativeValue, cumulativeTci)
+	// TCI_CUMULATIVE = H(TCI_CURRENT)
+	for i := startIndex; i < len(multiTcbInfo); i++ {
+
+		// Get TCI_CUMULATIVE in MultiTcbInfo Extension
+		cumulativeTci := multiTcbInfo[i].Fwids[1].Digest
+
+		// Re-initialize hasher
+		hasher.Reset()
+
+		// Recompute hash
+		hasher.Write(defaultTci)
+		hasher.Write(multiTcbInfo[i].Fwids[0].Digest)
+		expectedCumulativeValue := hasher.Sum(nil)
+
+		// Verify hash, the FWID index-1 which has TCI_CUMULATIVE value of current node
+		if !bytes.Equal(cumulativeTci, expectedCumulativeValue) {
+			t.Errorf("[ERROR]: Unexpected cumulative TCI value, want %v but got %v", expectedCumulativeValue, cumulativeTci)
+		}
 	}
 }
 

diff --git a/verification/extendTCI.go b/verification/extendTCI.go
@@ -3,6 +3,7 @@
 package verification
 
 import (
+	"bytes"
 	"crypto/sha256"
 	"crypto/sha512"
 	"crypto/x509"
@@ -50,10 +51,108 @@ func TestExtendTCI(d TestDPEInstance, c DPEClient, t *testing.T) {
 	}
 
 	// Cross-check current and cumulative measurement by CertifyKey
-	verifyMeasurementsByCertifyKey(c, t, handle, defaultTci, tciValue, hasher)
+	verifyMeasurementsByCertifyKey(c, t, handle, defaultTci, tciValue, false, hasher)
 }
 
-func verifyMeasurementsByCertifyKey(c DPEClient, t *testing.T, handle *ContextHandle, label []byte, tciValue []byte, hasher hash.Hash) {
+// Check whether the ExtendTCI command with derived child context.
+func TestExtendTciOnDerivedContexts(d TestDPEInstance, c DPEClient, t *testing.T) {
+	var err error
+	useSimulation := false // To indicate that simulation context is not used
+
+	// Get default context handle
+	handle := getInitialContextHandle(d, c, t, useSimulation)
+
+	// Get digest size
+	profile, err := GetTransportProfile(d)
+	if err != nil {
+		t.Fatalf("[FATAL]: Could not get profile: %v", err)
+	}
+	digestLen := profile.GetDigestSize()
+
+	// Initialize TCI inputs
+	parentTciValue := make([]byte, digestLen)
+	for i := range parentTciValue {
+		parentTciValue[i] = byte(i)
+	}
+
+	deriveCtxTciValue := make([]byte, digestLen)
+	for i := range deriveCtxTciValue {
+		deriveCtxTciValue[i] = byte(i + 1)
+	}
+
+	extendTciValue := make([]byte, digestLen)
+	for i := range extendTciValue {
+		extendTciValue[i] = byte(i + 2)
+	}
+
+	// Initialize hasher
+	var hasher hash.Hash
+	if digestLen == 32 {
+		hasher = sha256.New()
+	} else if digestLen == 48 {
+		hasher = sha512.New384()
+	}
+
+	// Cross-check current and cumulative measurement by CertifyKey of parent context handle
+	handle, _ = verifyMeasurementsByCertifyKey(c, t, handle, make([]byte, digestLen), parentTciValue, false, hasher)
+
+	// Preserve parent context to restore for subsequent tests.
+	parentHandle, err := c.RotateContextHandle(handle, RotateContextHandleFlags(0))
+	if err != nil {
+		t.Errorf("[ERROR]: Error while rotating parent context handle, this may cause failure in subsequent tests: %s", err)
+	}
+
+	// Derive Child context with input data, tag it and check TCI_CUMULATIVE
+	childCtx, err := c.DeriveChild(parentHandle, deriveCtxTciValue, DeriveChildFlags(RetainParent|InputAllowX509), 0, 0)
+	if err != nil {
+		t.Fatalf("[FATAL]: Error while creating default child handle in default context: %s", err)
+	}
+
+	// Cross-check current and cumulative measurement by CertifyKey of derived context context
+	newHandle, derivedTciMultiTcbInfo := verifyMeasurementsByCertifyKey(c, t, &childCtx.NewContextHandle, make([]byte, digestLen), deriveCtxTciValue, false, hasher)
+
+	// Extend TCI to child context and check TCI_CURRENT and TCI_CUMULATIVE
+	newHandle, err = c.ExtendTCI(newHandle, extendTciValue)
+	if err != nil {
+		t.Fatalf("[FATAL]: Could not extend tag: %v", err)
+	}
+
+	// Cross-check current and cumulative measurement by CertifyKey of parent context handle
+	newHandle, extendedTCiMultiTcbInfo := verifyMeasurementsByCertifyKey(c, t, newHandle, make([]byte, digestLen), extendTciValue, true, hasher)
+
+	cumulativeTci := extendedTCiMultiTcbInfo[0].Fwids[1].Digest
+	prevCumulativeTci := derivedTciMultiTcbInfo[0].Fwids[1].Digest
+
+	// Re-initialize hasher
+	hasher.Reset()
+
+	// Recompute hash
+	hasher.Write(prevCumulativeTci)
+	hasher.Write(extendTciValue)
+	expectedCumulativeValue := hasher.Sum(nil)
+
+	// Verify hash
+	if !bytes.Equal(cumulativeTci, expectedCumulativeValue) {
+		t.Errorf("[ERROR]: Unexpected cumulative value for extended TCI, want %v but got %v", expectedCumulativeValue, cumulativeTci)
+	}
+
+	// Clean up derived context and restore default context handle for subsequent tests
+	defer func() {
+		err := c.DestroyContext(newHandle, DestroyDescendants)
+		if err != nil {
+			t.Errorf("[ERROR]: Error while cleaning up derived context, this may cause failure in subsequent tests: %s", err)
+		}
+
+		_, err = c.RotateContextHandle(&childCtx.ParentContextHandle, RotateContextHandleFlags(TargetIsDefault))
+		if err != nil {
+			t.Errorf("[ERROR]: Error while restoring parent context handle as default context handle, this may cause failure in subsequent tests: %s", err)
+		}
+	}()
+
+}
+
+func verifyMeasurementsByCertifyKey(c DPEClient, t *testing.T, handle *ContextHandle, label []byte, tciValue []byte, isTciExtended bool, hasher hash.Hash) (*ContextHandle, []DiceTcbInfo) {
+	t.Helper()
 	certifiedKey, err := c.CertifyKey(handle, label, CertifyKeyX509, 0)
 	if err != nil {
 		t.Fatalf("[FATAL]: Could not get Certified key: %v", err)
@@ -74,6 +173,7 @@ func verifyMeasurementsByCertifyKey(c DPEClient, t *testing.T, handle *ContextHa
 		t.Errorf("Error while unmarshalling MultiTCB information %v, skipping MultiTCB validation", err)
 	} else {
 		// Cross-verify cumulative value returned in MultiTcbInfo
-		checkCurrentDiceTcbMeasurements(t, multiTcbInfo, tciValue)
+		checkCurrentDiceTcbMeasurements(t, handle, multiTcbInfo, tciValue, isTciExtended)
 	}
+	return &certifiedKey.Handle, multiTcbInfo
 }
diff --git a/verification/simulator.go b/verification/simulator.go
@@ -227,7 +227,7 @@ func GetSimulatorTargets() []TestTarget {
 		},
 		{
 			"DefaultSupport",
-			getTestTarget([]string{"AutoInit", "Simulation", "X509", "IsCA", "Tagging", "RotateContext", "ExtendTci", "IsSymmetric"}),
+			getTestTarget([]string{"AutoInit", "Simulation", "X509", "IsCA", "RotateContext", "ExtendTci", "IsSymmetric"}),
 			AllTestCases,
 		},
 		{

diff --git a/verification/verification.go b/verification/verification.go
@@ -38,6 +38,9 @@ var GetCertificateChainTestCase = TestCase{
 var ExtendTCITestCase = TestCase{
 	"ExtendTCITestCase", TestExtendTCI, []string{"AutoInit", "ExtendTci"},
 }
+var ExtendDerivedTciTestCase = TestCase{
+	"ExtendDerivedTciTestCase", TestExtendTciOnDerivedContexts, []string{"AutoInit", "ExtendTci"},
+}
 var GetProfileTestCase = TestCase{
 	"GetProfile", TestGetProfile, []string{},
 }