diff --git a/dpe/fuzz/src/fuzz_target_1.rs b/dpe/fuzz/src/fuzz_target_1.rs index 7aeb4998..36184dbe 100644 --- a/dpe/fuzz/src/fuzz_target_1.rs +++ b/dpe/fuzz/src/fuzz_target_1.rs @@ -82,8 +82,6 @@ fn harness(data: &[u8]) { Response::Sign(ref res) => res.resp_hdr.status, Response::DestroyCtx(ref resp_hdr) => resp_hdr.status, Response::ExtendTci(ref res) => res.resp_hdr.status, - Response::TagTci(ref res) => res.resp_hdr.status, - Response::GetTaggedTci(ref res) => res.resp_hdr.status, Response::GetCertificateChain(ref res) => res.resp_hdr.status, Response::Error(ref resp_hdr) => resp_hdr.status, }; diff --git a/dpe/src/commands/get_tagged_tci.rs b/dpe/src/commands/get_tagged_tci.rs deleted file mode 100644 index 989293a3..00000000 --- a/dpe/src/commands/get_tagged_tci.rs +++ /dev/null @@ -1,41 +0,0 @@ -// Licensed under the Apache-2.0 license. -use super::CommandExecution; -use crate::{ - dpe_instance::{DpeEnv, DpeInstance, DpeTypes}, - response::{DpeErrorCode, GetTaggedTciResp, Response, ResponseHdr}, -}; - -#[repr(C)] -#[derive(Debug, PartialEq, Eq, zerocopy::FromBytes)] -#[cfg_attr(test, derive(zerocopy::AsBytes))] -pub struct GetTaggedTciCmd { - tag: u32, -} - -impl CommandExecution for GetTaggedTciCmd { - fn execute( - &self, - dpe: &mut DpeInstance, - _env: &mut DpeEnv, - _: u32, - ) -> Result { - // Make sure this command is supported. - if !dpe.support.tagging() { - return Err(DpeErrorCode::InvalidCommand); - } - - // Tags are unique across all contexts, so we just need to return the first context - // we find with the requested tag. - let ctx = dpe - .contexts - .iter() - .find(|c| c.has_tag() && c.tag == self.tag) - .ok_or(DpeErrorCode::BadTag)?; - - Ok(Response::GetTaggedTci(GetTaggedTciResp { - tci_cumulative: ctx.tci.tci_cumulative, - tci_current: ctx.tci.tci_current, - resp_hdr: ResponseHdr::new(DpeErrorCode::NoError), - })) - } -} diff --git a/dpe/src/commands/mod.rs b/dpe/src/commands/mod.rs index f60cbfd7..637d79b7 100644 --- a/dpe/src/commands/mod.rs +++ b/dpe/src/commands/mod.rs @@ -12,10 +12,8 @@ pub use self::initialize_context::InitCtxCmd; pub use self::certify_key::{CertifyKeyCmd, CertifyKeyFlags}; use self::extend_tci::ExtendTciCmd; -use self::get_tagged_tci::GetTaggedTciCmd; pub use self::rotate_context::{RotateCtxCmd, RotateCtxFlags}; pub use self::sign::{SignCmd, SignFlags}; -use self::tag_tci::TagTciCmd; use crate::{ dpe_instance::{DpeEnv, DpeInstance, DpeTypes}, @@ -30,11 +28,9 @@ mod derive_child; mod destroy_context; mod extend_tci; mod get_certificate_chain; -mod get_tagged_tci; mod initialize_context; mod rotate_context; mod sign; -mod tag_tci; #[derive(Debug, PartialEq, Eq)] pub enum Command { @@ -46,8 +42,6 @@ pub enum Command { RotateCtx(RotateCtxCmd), DestroyCtx(DestroyCtxCmd), ExtendTci(ExtendTciCmd), - TagTci(TagTciCmd), - GetTaggedTci(GetTaggedTciCmd), GetCertificateChain(GetCertificateChainCmd), } @@ -61,8 +55,6 @@ impl Command { pub const DESTROY_CONTEXT: u32 = 0x0f; pub const GET_CERTIFICATE_CHAIN: u32 = 0x80; pub const EXTEND_TCI: u32 = 0x81; - pub const TAG_TCI: u32 = 0x82; - pub const GET_TAGGED_TCI: u32 = 0x83; /// Returns the command with its parameters given a slice of bytes. /// @@ -85,8 +77,6 @@ impl Command { Self::parse_command(Command::GetCertificateChain, bytes) } Command::EXTEND_TCI => Self::parse_command(Command::ExtendTci, bytes), - Command::TAG_TCI => Self::parse_command(Command::TagTci, bytes), - Command::GET_TAGGED_TCI => Self::parse_command(Command::GetTaggedTci, bytes), _ => Err(DpeErrorCode::InvalidCommand), } } @@ -112,8 +102,6 @@ impl From for u32 { Command::RotateCtx(_) => Command::ROTATE_CONTEXT_HANDLE, Command::DestroyCtx(_) => Command::DESTROY_CONTEXT, Command::ExtendTci(_) => Command::EXTEND_TCI, - Command::TagTci(_) => Command::TAG_TCI, - Command::GetTaggedTci(_) => Command::GET_TAGGED_TCI, Command::GetCertificateChain(_) => Command::GET_CERTIFICATE_CHAIN, } } diff --git a/dpe/src/commands/tag_tci.rs b/dpe/src/commands/tag_tci.rs deleted file mode 100644 index a2d90cd3..00000000 --- a/dpe/src/commands/tag_tci.rs +++ /dev/null @@ -1,197 +0,0 @@ -// Licensed under the Apache-2.0 license. -use super::CommandExecution; -use crate::{ - context::ContextHandle, - dpe_instance::{DpeEnv, DpeInstance, DpeTypes}, - response::{DpeErrorCode, NewHandleResp, Response, ResponseHdr}, -}; - -#[repr(C)] -#[derive(Debug, PartialEq, Eq, zerocopy::FromBytes)] -#[cfg_attr(test, derive(zerocopy::AsBytes))] -pub struct TagTciCmd { - handle: ContextHandle, - tag: u32, -} - -impl CommandExecution for TagTciCmd { - fn execute( - &self, - dpe: &mut DpeInstance, - env: &mut DpeEnv, - locality: u32, - ) -> Result { - // Make sure this command is supported. - if !dpe.support.tagging() { - return Err(DpeErrorCode::InvalidCommand); - } - // Make sure the tag isn't used by any other contexts. - if dpe - .contexts - .iter() - .any(|c| c.has_tag() && c.tag == self.tag) - { - return Err(DpeErrorCode::BadTag); - } - - let idx = dpe.get_active_context_pos(&self.handle, locality)?; - - if dpe.contexts[idx].has_tag() { - return Err(DpeErrorCode::BadTag); - } - - // Because handles are one-time use, let's rotate the handle, if it isn't the default. - dpe.roll_onetime_use_handle(env, idx)?; - let context = &mut dpe.contexts[idx]; - context.has_tag = true.into(); - context.tag = self.tag; - - Ok(Response::TagTci(NewHandleResp { - handle: context.handle, - resp_hdr: ResponseHdr::new(DpeErrorCode::NoError), - })) - } -} - -#[cfg(test)] -mod tests { - use super::*; - use crate::{ - commands::{Command, CommandHdr, InitCtxCmd}, - dpe_instance::tests::{ - TestTypes, RANDOM_HANDLE, SIMULATION_HANDLE, TEST_HANDLE, TEST_LOCALITIES, - }, - support::Support, - }; - use crypto::OpensslCrypto; - use platform::default::DefaultPlatform; - use zerocopy::AsBytes; - - const TEST_TAG_TCI_CMD: TagTciCmd = TagTciCmd { - handle: SIMULATION_HANDLE, - tag: 0x1234_5678, - }; - - #[test] - fn test_deserialize_tag_tci() { - let mut command = CommandHdr::new_for_test(Command::TAG_TCI) - .as_bytes() - .to_vec(); - command.extend(TEST_TAG_TCI_CMD.as_bytes()); - assert_eq!( - Ok(Command::TagTci(TEST_TAG_TCI_CMD)), - Command::deserialize(&command) - ); - } - - #[test] - fn test_tag_tci() { - let mut env = DpeEnv:: { - crypto: OpensslCrypto::new(), - platform: DefaultPlatform, - }; - let mut dpe = DpeInstance::new(&mut env, Support::default()).unwrap(); - // Make sure it returns an error if the command is marked unsupported. - assert_eq!( - Err(DpeErrorCode::InvalidCommand), - TagTciCmd { - handle: ContextHandle::default(), - tag: 0, - } - .execute(&mut dpe, &mut env, TEST_LOCALITIES[0]) - ); - - // Make a new instance that supports tagging. - let mut dpe = DpeInstance::new(&mut env, Support::TAGGING | Support::SIMULATION).unwrap(); - InitCtxCmd::new_use_default() - .execute(&mut dpe, &mut env, TEST_LOCALITIES[0]) - .unwrap(); - - // Wrong locality. - assert_eq!( - Err(DpeErrorCode::InvalidLocality), - TagTciCmd { - handle: ContextHandle::default(), - tag: 0, - } - .execute(&mut dpe, &mut env, TEST_LOCALITIES[1]) - ); - - let sim_local = TEST_LOCALITIES[1]; - // Make a simulation context to test against. - InitCtxCmd::new_simulation() - .execute(&mut dpe, &mut env, sim_local) - .unwrap(); - - // Invalid handle. - assert_eq!( - Err(DpeErrorCode::InvalidHandle), - TagTciCmd { - handle: TEST_HANDLE, - tag: 0, - } - .execute(&mut dpe, &mut env, TEST_LOCALITIES[0]) - ); - - // Tag default handle. - assert_eq!( - Ok(Response::TagTci(NewHandleResp { - handle: ContextHandle::default(), - resp_hdr: ResponseHdr::new(DpeErrorCode::NoError), - })), - TagTciCmd { - handle: ContextHandle::default(), - tag: 0, - } - .execute(&mut dpe, &mut env, TEST_LOCALITIES[0]) - ); - - // Try to re-tag the default context. - assert_eq!( - Err(DpeErrorCode::BadTag), - TagTciCmd { - handle: ContextHandle::default(), - tag: 1, - } - .execute(&mut dpe, &mut env, TEST_LOCALITIES[0]) - ); - - // Try same tag on simulation. - assert_eq!( - Err(DpeErrorCode::BadTag), - TagTciCmd { - handle: SIMULATION_HANDLE, - tag: 0, - } - .execute(&mut dpe, &mut env, TEST_LOCALITIES[1]) - ); - - // Give the simulation context another handle so we can prove the handle rotates when it - // gets tagged. - let simulation_ctx = &mut dpe.contexts[dpe - .get_active_context_pos(&RANDOM_HANDLE, sim_local) - .unwrap()]; - let sim_tmp_handle = ContextHandle([0xff; ContextHandle::SIZE]); - simulation_ctx.handle = sim_tmp_handle; - assert!(dpe - .get_active_context_pos(&RANDOM_HANDLE, sim_local) - .is_err()); - - // Tag simulation. - match (TagTciCmd { - handle: sim_tmp_handle, - tag: 1, - } - .execute(&mut dpe, &mut env, TEST_LOCALITIES[1])) - { - Ok(Response::TagTci(NewHandleResp { handle, .. })) => { - // Make sure it rotated back to the deterministic simulation handle. - assert!(dpe - .get_active_context_pos(&sim_tmp_handle, sim_local) - .is_err()); - assert!(dpe.get_active_context_pos(&handle, sim_local).is_ok()); - } - _ => panic!("Tag simulation failed"), - } - } -} diff --git a/dpe/src/context.rs b/dpe/src/context.rs index 8d891942..d4b7aab3 100644 --- a/dpe/src/context.rs +++ b/dpe/src/context.rs @@ -14,11 +14,6 @@ pub struct Context { /// Which hardware locality owns the context. pub locality: u32, - /// Optional tag assigned to the context. - pub tag: u32, - - /// Whether a tag has been assigned to the context. - pub has_tag: U8Bool, /// Index in DPE instance of the parent context. 0xFF if this node is the root pub parent_idx: u8, @@ -36,6 +31,7 @@ pub struct Context { pub allow_ca: U8Bool, /// Whether this context can emit certificates in X.509 format pub allow_x509: U8Bool, + pub reserved: [u8; 1], } impl Context { @@ -50,18 +46,14 @@ impl Context { context_type: ContextType::Normal, state: ContextState::Inactive, locality: 0, - has_tag: U8Bool::new(false), - tag: 0, uses_internal_input_info: U8Bool::new(false), uses_internal_input_dice: U8Bool::new(false), allow_ca: U8Bool::new(false), allow_x509: U8Bool::new(false), + reserved: [0; 1], } } - pub fn has_tag(&self) -> bool { - self.has_tag.get() - } pub fn uses_internal_input_info(&self) -> bool { self.uses_internal_input_info.get() } @@ -101,8 +93,6 @@ impl Context { /// context cannot be re-initialized. pub fn destroy(&mut self) { self.tci = TciNodeData::new(); - self.has_tag = false.into(); - self.tag = 0; self.state = ContextState::Inactive; self.uses_internal_input_info = false.into(); self.uses_internal_input_dice = false.into(); @@ -274,16 +264,16 @@ mod tests { let root_index = CHAIN_INDICES[0]; assert_eq!(MAX_HANDLES, CHAIN_INDICES.len()); - // Lets put the context's index in the tag to make it easy to find later. - contexts[root_index].tag = root_index as u32; + // Put the context's index in the handle to make it easy to find later. + contexts[root_index].handle = ContextHandle([root_index as u8; ContextHandle::SIZE]); contexts[root_index].state = ContextState::Retired; - // Assign all of the children's parents and put their index in the tag. + // Assign all of the children's parents and put their index in the handle. for (parent_chain_idx, child_idx) in CHAIN_INDICES.iter().skip(1).enumerate() { let parent_idx = CHAIN_INDICES[parent_chain_idx]; let context = &mut contexts[*child_idx]; context.parent_idx = parent_idx as u8; - context.tag = *child_idx as u32; + context.handle = ContextHandle([*child_idx as u8; ContextHandle::SIZE]); context.state = ContextState::Active; } @@ -295,7 +285,10 @@ mod tests { .rev() .zip(ChildToRootIter::new(leaf_index, &contexts)) { - assert_eq!(*answer, status.unwrap().tag as usize); + assert_eq!( + [*answer as u8; ContextHandle::SIZE], + status.unwrap().handle.0 + ); count += 1; } diff --git a/dpe/src/dpe_instance.rs b/dpe/src/dpe_instance.rs index 54a9f492..6b65aae1 100644 --- a/dpe/src/dpe_instance.rs +++ b/dpe/src/dpe_instance.rs @@ -114,8 +114,6 @@ impl DpeInstance { Command::RotateCtx(cmd) => cmd.execute(self, env, locality), Command::DestroyCtx(cmd) => cmd.execute(self, env, locality), Command::ExtendTci(cmd) => cmd.execute(self, env, locality), - Command::TagTci(cmd) => cmd.execute(self, env, locality), - Command::GetTaggedTci(cmd) => cmd.execute(self, env, locality), Command::GetCertificateChain(cmd) => cmd.execute(self, env, locality), }; @@ -128,7 +126,7 @@ impl DpeInstance { // Inlined so the callsite optimizer knows that idx < self.contexts.len() // and won't insert possible call to panic. #[inline(always)] - pub(crate) fn get_active_context_pos( + pub fn get_active_context_pos( &self, handle: &ContextHandle, locality: u32, diff --git a/dpe/src/lib.rs b/dpe/src/lib.rs index f2bcb41f..75f0a210 100644 --- a/dpe/src/lib.rs +++ b/dpe/src/lib.rs @@ -23,7 +23,7 @@ pub mod x509; use zerocopy::{AsBytes, FromBytes}; const MAX_CERT_SIZE: usize = 2048; -const MAX_HANDLES: usize = 24; +pub const MAX_HANDLES: usize = 24; const CURRENT_PROFILE_MAJOR_VERSION: u16 = 0; const CURRENT_PROFILE_MINOR_VERSION: u16 = 8; diff --git a/dpe/src/response.rs b/dpe/src/response.rs index b5ffda48..78ae42d9 100644 --- a/dpe/src/response.rs +++ b/dpe/src/response.rs @@ -5,8 +5,8 @@ Abstract: DPE reponses and serialization. --*/ use crate::{ - context::ContextHandle, tci::TciMeasurement, CURRENT_PROFILE_MAJOR_VERSION, - CURRENT_PROFILE_MINOR_VERSION, DPE_PROFILE, MAX_CERT_SIZE, MAX_HANDLES, + context::ContextHandle, CURRENT_PROFILE_MAJOR_VERSION, CURRENT_PROFILE_MINOR_VERSION, + DPE_PROFILE, MAX_CERT_SIZE, MAX_HANDLES, }; use crypto::CryptoError; use platform::PlatformError; @@ -23,8 +23,6 @@ pub enum Response { Sign(SignResp), DestroyCtx(ResponseHdr), ExtendTci(NewHandleResp), - TagTci(NewHandleResp), - GetTaggedTci(GetTaggedTciResp), GetCertificateChain(GetCertificateChainResp), Error(ResponseHdr), } @@ -40,8 +38,6 @@ impl Response { Response::Sign(res) => res.as_bytes(), Response::DestroyCtx(res) => res.as_bytes(), Response::ExtendTci(res) => res.as_bytes(), - Response::TagTci(res) => res.as_bytes(), - Response::GetTaggedTci(res) => res.as_bytes(), Response::GetCertificateChain(res) => res.as_bytes(), Response::Error(res) => res.as_bytes(), } @@ -135,15 +131,6 @@ pub struct SignResp { pub sig_s: [u8; DPE_PROFILE.get_ecc_int_size()], } -#[repr(C)] -#[derive(Debug, zerocopy::AsBytes)] -#[cfg_attr(test, derive(PartialEq, Eq))] -pub struct GetTaggedTciResp { - pub resp_hdr: ResponseHdr, - pub tci_cumulative: TciMeasurement, - pub tci_current: TciMeasurement, -} - #[repr(C)] #[derive(Debug, PartialEq, Eq, zerocopy::AsBytes, zerocopy::FromBytes)] pub struct GetCertificateChainResp { @@ -162,7 +149,6 @@ pub enum DpeErrorCode { ArgumentNotSupported = 4, InvalidHandle = 0x1000, InvalidLocality = 0x1001, - BadTag = 0x1002, MaxTcis = 0x1003, Platform(PlatformError) = 0x01000000, Crypto(CryptoError) = 0x02000000, diff --git a/dpe/src/support.rs b/dpe/src/support.rs index 170c142c..5f38ac85 100644 --- a/dpe/src/support.rs +++ b/dpe/src/support.rs @@ -12,14 +12,13 @@ bitflags! { const SIMULATION = 1u32 << 31; const EXTEND_TCI = 1u32 << 30; const AUTO_INIT = 1u32 << 29; - const TAGGING = 1u32 << 28; const ROTATE_CONTEXT = 1u32 << 27; const X509 = 1u32 << 26; const CSR = 1u32 << 25; const IS_SYMMETRIC = 1u32 << 24; - const INTERNAL_INFO = 1u32 << 23; - const INTERNAL_DICE = 1u32 << 22; - const IS_CA = 1u32 << 21; + const INTERNAL_INFO = 1u32 << 22; + const INTERNAL_DICE = 1u32 << 21; + const IS_CA = 1u32 << 20; } } @@ -33,9 +32,6 @@ impl Support { pub fn auto_init(&self) -> bool { self.contains(Support::AUTO_INIT) } - pub fn tagging(&self) -> bool { - self.contains(Support::TAGGING) - } pub fn rotate_context(&self) -> bool { self.contains(Support::ROTATE_CONTEXT) } @@ -67,7 +63,6 @@ pub mod test { pub const SUPPORT: Support = bitflags_join!( Support::SIMULATION, Support::AUTO_INIT, - Support::TAGGING, Support::ROTATE_CONTEXT, Support::X509 ); @@ -83,9 +78,6 @@ pub mod test { // Supports auto-init. let flags = Support::AUTO_INIT.bits(); assert_eq!(flags, 1 << 29); - // Supports tagging. - let flags = Support::TAGGING.bits(); - assert_eq!(flags, 1 << 28); // Supports rotate context. let flags = Support::ROTATE_CONTEXT.bits(); assert_eq!(flags, 1 << 27); @@ -100,13 +92,13 @@ pub mod test { assert_eq!(flags, 1 << 24); // Supports internal info. let flags = Support::INTERNAL_INFO.bits(); - assert_eq!(flags, 1 << 23); + assert_eq!(flags, 1 << 22); // Supports internal DICE. let flags = Support::INTERNAL_DICE.bits(); - assert_eq!(flags, 1 << 22); + assert_eq!(flags, 1 << 21); // Supports is ca. let flags = Support::IS_CA.bits(); - assert_eq!(flags, 1 << 21); + assert_eq!(flags, 1 << 20); // Supports a couple combos. let flags = (Support::SIMULATION | Support::AUTO_INIT @@ -116,18 +108,12 @@ pub mod test { .bits(); assert_eq!( flags, - (1 << 31) | (1 << 29) | (1 << 27) | (1 << 25) | (1 << 22) - ); - let flags = (Support::EXTEND_TCI - | Support::TAGGING - | Support::X509 - | Support::IS_SYMMETRIC - | Support::INTERNAL_INFO) - .bits(); - assert_eq!( - flags, - (1 << 30) | (1 << 28) | (1 << 26) | (1 << 24) | (1 << 23) + (1 << 31) | (1 << 29) | (1 << 27) | (1 << 25) | (1 << 21) ); + let flags = + (Support::EXTEND_TCI | Support::X509 | Support::IS_SYMMETRIC | Support::INTERNAL_INFO) + .bits(); + assert_eq!(flags, (1 << 30) | (1 << 26) | (1 << 24) | (1 << 22)); // Supports everything. let flags = Support::all().bits(); assert_eq!( @@ -135,14 +121,13 @@ pub mod test { (1 << 31) | (1 << 30) | (1 << 29) - | (1 << 28) | (1 << 27) | (1 << 26) | (1 << 25) | (1 << 24) - | (1 << 23) | (1 << 22) | (1 << 21) + | (1 << 20) ); } } diff --git a/simulator/src/main.rs b/simulator/src/main.rs index d788366c..76941501 100644 --- a/simulator/src/main.rs +++ b/simulator/src/main.rs @@ -49,8 +49,6 @@ fn handle_request(dpe: &mut DpeInstance, env: &mut DpeEnv, stream Response::Sign(ref res) => res.resp_hdr.status, Response::DestroyCtx(ref resp_hdr) => resp_hdr.status, Response::ExtendTci(ref res) => res.resp_hdr.status, - Response::TagTci(ref res) => res.resp_hdr.status, - Response::GetTaggedTci(ref res) => res.resp_hdr.status, Response::GetCertificateChain(ref res) => res.resp_hdr.status, Response::Error(ref resp_hdr) => resp_hdr.status, }; @@ -83,10 +81,6 @@ struct Args { #[arg(long)] supports_auto_init: bool, - /// Supports the TagTci and GetTaggedTci commands. - #[arg(long)] - supports_tagging: bool, - /// Supports the RotateContextHandle command. #[arg(long)] supports_rotate_context: bool, @@ -152,7 +146,6 @@ fn main() -> std::io::Result<()> { support.set(Support::INTERNAL_INFO, args.supports_internal_info); support.set(Support::IS_CA, args.supports_is_ca); support.set(Support::IS_SYMMETRIC, args.supports_is_symmetric); - support.set(Support::TAGGING, args.supports_tagging); let mut env = DpeEnv:: { crypto: OpensslCrypto::new(), diff --git a/verification/abi.go b/verification/abi.go index d4fdac6a..63f76607 100755 --- a/verification/abi.go +++ b/verification/abi.go @@ -9,10 +9,6 @@ import ( var DefaultContextHandle = ContextHandle{0} -const defaultCtxTCITag = TCITag(12345) -const nonExistentTCITag = TCITag(98765) -const childCtxTCITag = TCITag(34567) - const ( CmdMagic uint32 = 0x44504543 RespMagic uint32 = 0x44504552 @@ -27,7 +23,6 @@ type Support struct { Simulation bool ExtendTci bool AutoInit bool - Tagging bool RotateContext bool X509 bool Csr bool @@ -47,8 +42,6 @@ const ( CommandDestroyContext CommandCode = 0xf CommandGetCertificateChain CommandCode = 0x80 CommandExtendTCI CommandCode = 0x81 - CommandTagTCI CommandCode = 0x82 - CommandGetTaggedTCI CommandCode = 0x83 ) type CommandHdr struct { @@ -145,26 +138,6 @@ type GetCertificateChainResp struct { CertificateChain []byte } -type TCITag uint32 - -type TagTCIReq struct { - ContextHandle ContextHandle - Tag TCITag -} - -type TagTCIResp struct { - NewContextHandle ContextHandle -} - -type GetTaggedTCIReq struct { - Tag TCITag -} - -type GetTaggedTCIResp[Digest DigestAlgorithm] struct { - CumulativeTCI Digest - CurrentTCI Digest -} - type RotateContextHandleFlags uint32 const ( @@ -447,30 +420,6 @@ func (c *dpeABI[_, _]) GetCertificateChainABI() (*GetCertificateChainResp, error return &certs, nil } -// TagTCI calls the DPE TagTCI command. -func (c *dpeABI[_, _]) TagTCIABI(cmd *TagTCIReq) (*TagTCIResp, error) { - var respStruct TagTCIResp - - _, err := execCommand(c.transport, CommandTagTCI, c.Profile, cmd, &respStruct) - if err != nil { - return nil, err - } - - return &respStruct, nil -} - -// GetTaggedTCI calls the DPE GetTaggedTCI command. -func (c *dpeABI[_, Digest]) GetTaggedTCIABI(cmd *GetTaggedTCIReq) (*GetTaggedTCIResp[Digest], error) { - var respStruct GetTaggedTCIResp[Digest] - - _, err := execCommand(c.transport, CommandGetTaggedTCI, c.Profile, cmd, &respStruct) - if err != nil { - return nil, err - } - - return &respStruct, nil -} - // DeriveChild calls DPE DeriveChild command. func (c *dpeABI[_, Digest]) DeriveChildABI(cmd *DeriveChildReq[Digest]) (*DeriveChildResp, error) { var respStruct DeriveChildResp @@ -562,36 +511,6 @@ func (c *dpeABI[_, Digest]) CertifyKey(handle *ContextHandle, label []byte, form return key, nil } -func (c *dpeABI[_, _]) TagTCI(handle *ContextHandle, tag TCITag) (*ContextHandle, error) { - cmd := TagTCIReq{ - ContextHandle: *handle, - Tag: tag, - } - - resp, err := c.TagTCIABI(&cmd) - if err != nil { - return nil, err - } - - return &resp.NewContextHandle, nil -} - -func (c *dpeABI[_, _]) GetTaggedTCI(tag TCITag) (*DPETCI, error) { - cmd := GetTaggedTCIReq{ - Tag: tag, - } - - resp, err := c.GetTaggedTCIABI(&cmd) - if err != nil { - return nil, err - } - - return &DPETCI{ - CumulativeTCI: resp.CumulativeTCI.Bytes(), - CurrentTCI: resp.CurrentTCI.Bytes(), - }, nil -} - func (c *dpeABI[_, _]) DestroyContext(handle *ContextHandle, flags DestroyCtxFlags) error { cmd := DestroyCtxCmd{ handle: *handle, @@ -701,9 +620,6 @@ func (s *Support) ToFlags() uint32 { if s.AutoInit { flags |= (1 << 29) } - if s.Tagging { - flags |= (1 << 28) - } if s.RotateContext { flags |= (1 << 27) } @@ -717,13 +633,13 @@ func (s *Support) ToFlags() uint32 { flags |= (1 << 24) } if s.InternalInfo { - flags |= (1 << 23) + flags |= (1 << 22) } if s.InternalDice { - flags |= (1 << 22) + flags |= (1 << 21) } if s.IsCA { - flags |= (1 << 21) + flags |= (1 << 20) } return flags } diff --git a/verification/client.go b/verification/client.go index 23aaf42f..6f6109a1 100755 --- a/verification/client.go +++ b/verification/client.go @@ -44,8 +44,6 @@ type DPEClient interface { GetProfile() (*GetProfileResp, error) CertifyKey(handle *ContextHandle, label []byte, format CertifyKeyFormat, flags CertifyKeyFlags) (*CertifiedKey, error) GetCertificateChain() ([]byte, error) - TagTCI(handle *ContextHandle, tag TCITag) (*ContextHandle, error) - GetTaggedTCI(tag TCITag) (*DPETCI, error) DestroyContext(handle *ContextHandle, flags DestroyCtxFlags) error DeriveChild(handle *ContextHandle, inputData []byte, flags DeriveChildFlags, tciType uint32, targetLocality uint32) (*DeriveChildResp, error) RotateContextHandle(handle *ContextHandle, flags RotateContextHandleFlags) (*ContextHandle, error) diff --git a/verification/errors.go b/verification/errors.go index 4236f790..c94a138a 100644 --- a/verification/errors.go +++ b/verification/errors.go @@ -35,8 +35,6 @@ func (s Status) Error() string { return "contextHandle does not exist" case StatusInvalidLocality: return "Hardware Locality does not exist" - case StatusBadTag: - return "TCI Tag is either in use (TagTci) or not found (GetTaggedTci)" case StatusMaxTCIs: return "maximum number of TCIs have been created" case StatusPlatformError: diff --git a/verification/extendTCI.go b/verification/extendTCI.go index 68ea1845..3d2bcdbd 100644 --- a/verification/extendTCI.go +++ b/verification/extendTCI.go @@ -3,7 +3,6 @@ package verification import ( - "bytes" "crypto/sha256" "crypto/sha512" "crypto/x509" @@ -50,160 +49,10 @@ func TestExtendTCI(d TestDPEInstance, c DPEClient, t *testing.T) { t.Fatalf("[FATAL]: Could not extend TCI: %v", err) } - // Cross-check current and cumulative measurement by GetTaggedTCI - verifyMeasurementsByGetTaggedTCI(c, t, defaultTci, tciValue, hasher) - // Cross-check current and cumulative measurement by CertifyKey verifyMeasurementsByCertifyKey(c, t, handle, defaultTci, tciValue, hasher) } -// Check whether the ExtendTCI command with derived child context. -func TestExtendTciOnDerivedContexts(d TestDPEInstance, c DPEClient, t *testing.T) { - var err error - var wantCumulativeTCI []byte - - useSimulation := false // To indicate that simulation context is not used - - // Get default context handle - handle := getInitialContextHandle(d, c, t, useSimulation) - - // Get digest size - profile, err := GetTransportProfile(d) - if err != nil { - t.Fatalf("[FATAL]: Could not get profile: %v", err) - } - digestLen := profile.GetDigestSize() - - // Initialize TCI inputs - defaultTci := make([]byte, digestLen) - - tciValue := make([]byte, digestLen) - for i := range tciValue { - tciValue[i] = byte(i + 1) - } - - extendTciValue := make([]byte, digestLen) - for i := range extendTciValue { - extendTciValue[i] = byte(i + 2) - } - - // Initialize hasher - var hasher hash.Hash - if digestLen == 32 { - hasher = sha256.New() - } else if digestLen == 48 { - hasher = sha512.New384() - } - - // Get parent context TCI values for cumulative value calculation - parentTci, err := c.GetTaggedTCI(defaultCtxTCITag) - if err != nil { - t.Fatalf("[FATAL]: Could not get tagged TCI: %v", err) - } - - // Cross-verify parent's TCI_CUMULATIVE - hasher.Write(defaultTci) - hasher.Write(parentTci.CurrentTCI) - wantCumulativeTCI = hasher.Sum(nil) - if !bytes.Equal(parentTci.CumulativeTCI, wantCumulativeTCI) { - t.Errorf("[ERROR]: Parent node's cumulative TCI %x, expected %x", parentTci.CumulativeTCI, wantCumulativeTCI) - } - - // Preserve parent context to restore for subsequent tests. - parentHandle, err := c.RotateContextHandle(handle, RotateContextHandleFlags(0)) - if err != nil { - t.Errorf("[ERROR]: Error while rotating parent context handle, this may cause failure in subsequent tests: %s", err) - } - - // Derive Child context with input data, tag it and check TCI_CUMULATIVE - childCtx, err := c.DeriveChild(parentHandle, tciValue, DeriveChildFlags(RetainParent), 0, 0) - if err != nil { - t.Fatalf("[FATAL]: Error while creating default child handle in default context: %s", err) - } - - // Tag derived context - newHandle, err := c.TagTCI(&childCtx.NewContextHandle, childCtxTCITag) - if err != nil { - t.Fatalf("[FATAL]: Could not tag TCI: %v", err) - } - - childTci, err := c.GetTaggedTCI(childCtxTCITag) - if err != nil { - t.Fatalf("[FATAL]: Could not get tagged TCI: %v", err) - } - - if !bytes.Equal(childTci.CurrentTCI, tciValue) { - t.Errorf("[ERROR]: GetTaggedTCI returned current TCI %x, expected %x", childTci.CurrentTCI, tciValue) - } - - // Check TCI_CUMULATIVE after creating child context - hasher.Reset() - hasher.Write(defaultTci) - hasher.Write(childTci.CurrentTCI) - wantCumulativeTCI = hasher.Sum(nil) - if !bytes.Equal(childTci.CumulativeTCI, wantCumulativeTCI) { - t.Errorf("[ERROR]: Child node's cumulative TCI %x, expected %x", childTci.CumulativeTCI, wantCumulativeTCI) - } - - // Extend TCI to child context and check TCI_CURRENT and TCI_CUMULATIVE - newHandle, err = c.ExtendTCI(newHandle, extendTciValue) - if err != nil { - t.Fatalf("[FATAL]: Could not tag TCI: %v", err) - } - - childExtendTci, err := c.GetTaggedTCI(childCtxTCITag) - if err != nil { - t.Fatalf("[FATAL]: Could not get tagged TCI: %v", err) - } - - if !bytes.Equal(childExtendTci.CurrentTCI, extendTciValue) { - t.Errorf("[ERROR]: GetTaggedTCI returned current TCI %x, expected %x", childExtendTci.CurrentTCI, extendTciValue) - } - - // Check TCI_CUMULATIVE after extending input to child context - hasher.Reset() - hasher.Write(childTci.CumulativeTCI) - hasher.Write(childExtendTci.CurrentTCI) - wantCumulativeTCI = hasher.Sum(nil) - if !bytes.Equal(childExtendTci.CumulativeTCI, wantCumulativeTCI) { - t.Errorf("[ERROR]: Child node's cumulative TCI %x, expected %x", childExtendTci.CumulativeTCI, wantCumulativeTCI) - } - - // Clean up derived context and restore default context handle for subsequent tests - defer func() { - err := c.DestroyContext(newHandle, DestroyDescendants) - if err != nil { - t.Errorf("[ERROR]: Error while cleaning up derived context, this may cause failure in subsequent tests: %s", err) - } - - _, err = c.RotateContextHandle(&childCtx.ParentContextHandle, RotateContextHandleFlags(TargetIsDefault)) - if err != nil { - t.Errorf("[ERROR]: Error while restoring parent context handle as default context handle, this may cause failure in subsequent tests: %s", err) - } - }() - -} - -func verifyMeasurementsByGetTaggedTCI(c DPEClient, t *testing.T, defaultTci []byte, tciValue []byte, hasher hash.Hash) { - taggedTCI, err := c.GetTaggedTCI(defaultCtxTCITag) - if err != nil { - t.Fatalf("[FATAL]: Could not get tagged TCI: %v", err) - } - - // Check TCI_CURRENT - wantCurrentTCI := tciValue - if !bytes.Equal(taggedTCI.CurrentTCI, tciValue) { - t.Errorf("[ERROR]: GetTaggedTCI returned current TCI %x, expected %x", taggedTCI.CurrentTCI, wantCurrentTCI) - } - - // Cross-verify TCI_CUMULATIVE - hasher.Write(defaultTci) - hasher.Write(taggedTCI.CurrentTCI) - if wantCumulativeTCI := hasher.Sum(nil); !bytes.Equal(taggedTCI.CumulativeTCI, wantCumulativeTCI) { - t.Errorf("[ERROR]: GetTaggedTCI returned cumulative TCI %x, expected %x", taggedTCI.CumulativeTCI, wantCumulativeTCI) - } -} - func verifyMeasurementsByCertifyKey(c DPEClient, t *testing.T, handle *ContextHandle, label []byte, tciValue []byte, hasher hash.Hash) { certifiedKey, err := c.CertifyKey(handle, label, CertifyKeyX509, 0) if err != nil { diff --git a/verification/negativeCases.go b/verification/negativeCases.go index 9f6f9f1f..ac39092c 100644 --- a/verification/negativeCases.go +++ b/verification/negativeCases.go @@ -10,7 +10,7 @@ import ( var InvalidHandle = ContextHandle{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15} // Checks whether error is reported when non-existent handle is passed as input to DPE commands. -// Exceptions are - GetProfile, InitializeContext, GetCertificateChain, GetTaggedTCI commands +// Exceptions are - GetProfile, InitializeContext, GetCertificateChain, commands // which do not need context handle as input parameter. func TestInvalidHandle(d TestDPEInstance, c DPEClient, t *testing.T) { ctx := getInitialContextHandle(d, c, t, true) @@ -63,17 +63,10 @@ func TestInvalidHandle(d TestDPEInstance, c DPEClient, t *testing.T) { } else if !errors.Is(err, StatusInvalidHandle) { t.Errorf("[ERROR]: Incorrect error type. ExtendTCI should return %q, but returned %q", StatusInvalidHandle, err) } - - // Check TagTCI with invalid handle - if _, err := c.TagTCI(&InvalidHandle, 0); err == nil { - t.Errorf("[ERROR]: TagTCI should return %q, but returned no error", StatusInvalidHandle) - } else if !errors.Is(err, StatusInvalidHandle) { - t.Errorf("[ERROR]: Incorrect error type. TagTCI should return %q, but returned %q", StatusInvalidHandle, err) - } } // Checks whether error is reported when caller from one locality issues DPE commands in another locality. -// Exceptions are - GetProfile, InitializeContext, GetCertificateChain, GetTaggedTCI commands +// Exceptions are - GetProfile, InitializeContext, GetCertificateChain, commands // which do not need context handle as input and hence locality is irrelevant. func TestWrongLocality(d TestDPEInstance, c DPEClient, t *testing.T) { // Modify and later restore the locality of DPE instance to test @@ -132,17 +125,10 @@ func TestWrongLocality(d TestDPEInstance, c DPEClient, t *testing.T) { } else if !errors.Is(err, StatusInvalidLocality) { t.Errorf("[ERROR]: Incorrect error type. ExtendTCI should return %q, but returned %q", StatusInvalidLocality, err) } - - // Check TagTCI from wrong locality - if _, err := c.TagTCI(handle, 0); err == nil { - t.Errorf("[ERROR]: TagTCI should return %q, but returned no error", StatusInvalidLocality) - } else if !errors.Is(err, StatusInvalidLocality) { - t.Errorf("[ERROR]: Incorrect error type. TagTCI should return %q, but returned %q", StatusInvalidLocality, err) - } } // Checks whether error is reported while using commands that are turned off in DPE. -// DPE commands - TagTCI, RotateContextHandle, ExtendTCI, require support to be enabled in DPE profile +// DPE commands - RotateContextHandle, ExtendTCI, require support to be enabled in DPE profile // before being called. func TestUnsupportedCommand(d TestDPEInstance, c DPEClient, t *testing.T) { ctx := &DefaultContextHandle @@ -166,13 +152,6 @@ func TestUnsupportedCommand(d TestDPEInstance, c DPEClient, t *testing.T) { } else if !errors.Is(err, StatusInvalidCommand) { t.Errorf("[ERROR]: Incorrect error type. ExtendTCI is not supported by DPE, should return %q, but returned %q", StatusInvalidCommand, err) } - - // Check whether TagTCI is unsupported by DPE profile - if _, err := c.TagTCI(ctx, 0); err == nil { - t.Errorf("[ERROR]: TagTCI is not supported by DPE, should return %q, but returned no error", StatusInvalidCommand) - } else if !errors.Is(err, StatusInvalidCommand) { - t.Errorf("[ERROR]: Incorrect error type. TagTCI is not supported by DPE, should return %q, but returned %q", StatusInvalidCommand, err) - } } // Checks whether error is reported while enabling command flags that are turned off in DPE. diff --git a/verification/simulator.go b/verification/simulator.go index ddecadf4..f29eb144 100644 --- a/verification/simulator.go +++ b/verification/simulator.go @@ -55,9 +55,6 @@ func (s *DpeSimulator) PowerOn() error { if s.supports.AutoInit { args = append(args, "--supports-auto-init") } - if s.supports.Tagging { - args = append(args, "--supports-tagging") - } if s.supports.RotateContext { args = append(args, "--supports-rotate-context") } @@ -248,11 +245,6 @@ func GetSimulatorTargets() []TestTarget { getTestTarget([]string{"AutoInit"}), []TestCase{GetProfileTestCase}, }, - { - "GetProfile_Tagging", - getTestTarget([]string{"Tagging"}), - []TestCase{GetProfileTestCase}, - }, { "GetProfile_RotateContext", getTestTarget([]string{"RotateContext"}), @@ -295,12 +287,12 @@ func GetSimulatorTargets() []TestTarget { }, { "GetProfile_Combo02", - getTestTarget([]string{"ExtendTci", "Tagging", "X509", "InternalInfo"}), + getTestTarget([]string{"ExtendTci", "X509", "InternalInfo"}), []TestCase{GetProfileTestCase}, }, { "GetProfile_All", - getTestTarget([]string{"Simulation", "ExtendTci", "AutoInit", "Tagging", "RotateContext", "X509", "Csr", "IsSymmetric", "InternalInfo", "InternalDice", "IsCA"}), + getTestTarget([]string{"Simulation", "ExtendTci", "AutoInit", "RotateContext", "X509", "Csr", "IsSymmetric", "InternalInfo", "InternalDice", "IsCA"}), []TestCase{GetProfileTestCase}, }, { @@ -310,7 +302,7 @@ func GetSimulatorTargets() []TestTarget { }, { "NegativeCase_UnsupportedFeatureByDPE", - getTestTarget([]string{"AutoInit", "RotateContext", "ExtendTci", "Tagging"}), + getTestTarget([]string{"AutoInit", "RotateContext", "ExtendTci"}), []TestCase{UnsupportedCommandFlag}, }, } diff --git a/verification/tagTCI.go b/verification/tagTCI.go deleted file mode 100644 index cff911ef..00000000 --- a/verification/tagTCI.go +++ /dev/null @@ -1,48 +0,0 @@ -// Licensed under the Apache-2.0 license - -package verification - -import ( - "errors" - "testing" -) - -// Check tagTCI command with default context handle. -func TestTagTCI(d TestDPEInstance, c DPEClient, t *testing.T) { - var err error - useSimulation := false // To indicate that simulation context is not used - - // Get default context handle - handle := getInitialContextHandle(d, c, t, useSimulation) - - // Check to see our tag is not yet found and then tag default context - if _, err := c.GetTaggedTCI(defaultCtxTCITag); !errors.Is(err, StatusBadTag) { - t.Fatalf("GetTaggedTCI returned %v, want %v", err, StatusBadTag) - } - - // Tag default context handle and make sure default handle returns - // same handle when used for tagging TCI - newHandle, err := c.TagTCI(handle, defaultCtxTCITag) - if err != nil { - t.Fatalf("Could not tag TCI: %v", err) - } - if *newHandle != *handle { - t.Errorf("New context handle from TagTCI was %x, expected %x", newHandle, handle) - } - - _, err = c.GetTaggedTCI(defaultCtxTCITag) - if err != nil { - t.Fatalf("Could not get tagged TCI: %v", err) - } - - // Retag a tagged TCI should report error - newTag := TCITag(11111) - if _, err := c.TagTCI(handle, newTag); !errors.Is(err, StatusBadTag) { - t.Fatalf("Re-tagging a tagged TCI returned %v, want %v", err, StatusBadTag) - } - - // Fetching a non-existent tag should report error - if _, err := c.GetTaggedTCI(TCITag(nonExistentTCITag)); !errors.Is(err, StatusBadTag) { - t.Fatalf("GetTaggedTCI returned %v, want %v", err, StatusBadTag) - } -} diff --git a/verification/verification.go b/verification/verification.go index d7c8fe2e..3eb01573 100644 --- a/verification/verification.go +++ b/verification/verification.go @@ -35,29 +35,23 @@ var CertifyKeySimulationTestCase = TestCase{ var GetCertificateChainTestCase = TestCase{ "GetCertificateChain", TestGetCertificateChain, []string{"AutoInit", "X509"}, } -var TagTCITestCase = TestCase{ - "TagTCI", TestTagTCI, []string{"AutoInit", "Tagging"}, -} var ExtendTCITestCase = TestCase{ - "ExtendTCITestCase", TestExtendTCI, []string{"AutoInit", "Tagging", "ExtendTci"}, -} -var ExtendDerivedTciTestCase = TestCase{ - "ExtendDerivedTciTestCase", TestExtendTciOnDerivedContexts, []string{"AutoInit", "Tagging", "ExtendTci"}, + "ExtendTCITestCase", TestExtendTCI, []string{"AutoInit", "ExtendTci"}, } var GetProfileTestCase = TestCase{ "GetProfile", TestGetProfile, []string{}, } var InvalidHandleTestCase = TestCase{ - "CheckInvalidHandle", TestInvalidHandle, []string{"Simulation", "RotateContext", "ExtendTci", "Tagging"}, + "CheckInvalidHandle", TestInvalidHandle, []string{"Simulation", "RotateContext", "ExtendTci"}, } var WrongLocalityTestCase = TestCase{ - "CheckWrongLocality", TestWrongLocality, []string{"AutoInit", "RotateContext", "ExtendTci", "Tagging"}, + "CheckWrongLocality", TestWrongLocality, []string{"AutoInit", "RotateContext", "ExtendTci"}, } var UnsupportedCommand = TestCase{ "CheckSupportForCommand", TestUnsupportedCommand, []string{"AutoInit"}, } var UnsupportedCommandFlag = TestCase{ - "CheckSupportForCommmandFlag", TestUnsupportedCommandFlag, []string{"AutoInit", "RotateContext", "ExtendTci", "Tagging"}, + "CheckSupportForCommmandFlag", TestUnsupportedCommandFlag, []string{"AutoInit", "RotateContext", "ExtendTci"}, } var SignAsymmetricTestCase = TestCase{ "Sign", TestAsymmetricSigning, []string{"AutoInit", "X509"}, @@ -73,7 +67,6 @@ var AllTestCases = []TestCase{ CertifyKeyTestCase, CertifyKeySimulationTestCase, GetCertificateChainTestCase, - TagTCITestCase, ExtendTCITestCase, ExtendDerivedTciTestCase, SignAsymmetricTestCase,