From 1cfccfc51bd4984e5a546515e17094c1be48289c Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Thu, 15 Feb 2024 18:04:12 +0100 Subject: [PATCH] vtpm: add method to get sha256 PCRs from Quote Internally the PCRs are still represented as `Vec`, due to serialization concerns of large arrays. For the consumer a fixed byte array `Vec<[u8; 32]` is more convenient, so you don't have to perform runtime assertions on the vector size. A test has been added to make sure the transformation is non-destructive. Signed-off-by: Magnus Kulke --- az-cvm-vtpm/Cargo.toml | 2 +- az-cvm-vtpm/az-snp-vtpm/Cargo.toml | 4 ++-- az-cvm-vtpm/az-tdx-vtpm/Cargo.toml | 4 ++-- az-cvm-vtpm/src/vtpm/mod.rs | 31 ++++++++++++++++++++++++++++++ 4 files changed, 36 insertions(+), 5 deletions(-) diff --git a/az-cvm-vtpm/Cargo.toml b/az-cvm-vtpm/Cargo.toml index 3c63359..5dd4578 100644 --- a/az-cvm-vtpm/Cargo.toml +++ b/az-cvm-vtpm/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "az-cvm-vtpm" -version = "0.5.1" +version = "0.5.2" edition = "2021" repository = "https://github.com/kinvolk/azure-cvm-tooling/" license = "MIT" diff --git a/az-cvm-vtpm/az-snp-vtpm/Cargo.toml b/az-cvm-vtpm/az-snp-vtpm/Cargo.toml index b9fcade..90d0051 100644 --- a/az-cvm-vtpm/az-snp-vtpm/Cargo.toml +++ b/az-cvm-vtpm/az-snp-vtpm/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "az-snp-vtpm" -version = "0.5.1" +version = "0.5.2" edition = "2021" repository = "https://github.com/kinvolk/azure-cvm-tooling/" license = "MIT" @@ -17,7 +17,7 @@ path = "src/main.rs" required-features = ["attester", "verifier"] [dependencies] -az-cvm-vtpm = { path = "..", version = "0.5.1" } +az-cvm-vtpm = { path = "..", version = "0.5.2" } bincode.workspace = true clap.workspace = true openssl = { workspace = true, optional = true } diff --git a/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml b/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml index f0c6e0e..34208a1 100644 --- a/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml +++ b/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "az-tdx-vtpm" -version = "0.5.1" +version = "0.5.2" edition = "2021" repository = "https://github.com/kinvolk/azure-cvm-tooling/" license = "MIT" @@ -16,7 +16,7 @@ name = "tdx-vtpm" path = "src/main.rs" [dependencies] -az-cvm-vtpm = { path = "..", version = "0.5.1" } +az-cvm-vtpm = { path = "..", version = "0.5.2" } base64-url = "2.0.0" bincode.workspace = true serde.workspace = true diff --git a/az-cvm-vtpm/src/vtpm/mod.rs b/az-cvm-vtpm/src/vtpm/mod.rs index 0a50e31..96c0d15 100644 --- a/az-cvm-vtpm/src/vtpm/mod.rs +++ b/az-cvm-vtpm/src/vtpm/mod.rs @@ -129,7 +129,23 @@ pub struct Quote { pcrs: Vec>, } +fn pad(input: &[u8]) -> [u8; T] { + let mut output = [0; T]; + let len = input.len(); + if len > T { + output.copy_from_slice(&input[..T]); + } else { + output[..len].copy_from_slice(input); + } + output +} + impl Quote { + /// Retrieve sha256 PCR values from a Quote + pub fn pcrs_sha256(&self) -> Vec<[u8; 32]> { + self.pcrs.iter().map(|x| pad(x)).collect() + } + /// Extract nonce from a Quote pub fn nonce(&self) -> Result, QuoteError> { let attest = Attest::unmarshall(&self.message)?; @@ -202,3 +218,18 @@ pub fn get_quote(data: &[u8]) -> Result { pcrs, }) } + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn test_pcr_sha256() { + let quote_bytes = include_bytes!("../../test/quote.bin"); + let quote: Quote = bincode::deserialize(quote_bytes).unwrap(); + // convert Vec of fixed byte array to Vec of Vec + let pcrs_sha256: Vec> = quote.pcrs_sha256().iter().map(|p| p.to_vec()).collect(); + assert_eq!(pcrs_sha256.len(), 24); + assert_eq!(pcrs_sha256, quote.pcrs); + } +}