Use Report and ReportBody from mc-sgx-core-types (#3449)

Previously the `Report` and `ReportBody` were defined in `mc-attest-core`. Now the `Report` and `ReportBody` from `mc-sgx-core-types` is used.
mobilecoinfoundation · Jul 26, 2023 · 29f761a · 29f761a
1 parent 068c56d
commit 29f761a
Show file tree

Hide file tree

Showing 12 changed files with 82 additions and 863 deletions.
diff --git a/attest/ake/src/lib.rs b/attest/ake/src/lib.rs
@@ -80,8 +80,8 @@ mod test {
 
         let mr_signer = TrustedIdentity::from(TrustedMrSignerIdentity::new(
             report_body.mr_signer(),
-            report_body.product_id(),
-            report_body.security_version(),
+            report_body.isv_product_id(),
+            report_body.isv_svn(),
             [] as [&str; 0],
             [] as [&str; 0],
         ));

diff --git a/attest/core/data/test/quote_ok_str.txt b/attest/core/data/test/quote_ok_str.txt
@@ -1 +1 @@
-Quote: { version: 2, sign_type: Unlinkable, epid_group_id: 00000b4d, qe_svn: 8, pce_svn: 7, xeid: 0, basename: Basename(b6b3ee840b3fb5a6a2b14c54221aab6aad6bd3cd49db38f2b12d2c37b8943eda), report_body: ReportBody: { cpu_svn: CpuSvn(sgx_cpu_svn_t { svn: [8, 8, 255, 255, 255, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0] }), misc_select: MiscellaneousSelect(0), isv_ext_prod_id: ExtendedProductId([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]), attributes: Attributes(sgx_attributes_t { flags: 7, xfrm: 7 }), mr_enclave: MrEnclave(973140462e17d2f523511d798061eae3e8282b884ee078de91c99d833f559bbc), mr_signer: MrSigner(7ee5e29d74623fdbc6fbf1454be6f3bb0b86c12366b7b478ad13353e44de8411), config_id: ConfigId([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]), isv_prod_id: IsvProductId(0), isv_svn: IsvSvn(0), config_svn: ConfigSvn(0), isv_family_id: FamilyId([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]), report_data: ReportData(sgx_report_data_t { d: [231, 160, 220, 27, 37, 176, 225, 77, 21, 108, 159, 18, 130, 15, 61, 34, 104, 25, 253, 104, 242, 55, 106, 203, 247, 61, 64, 28, 149, 154, 85, 144, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] }) }, signature_len: 680, signature: Some(146c25c134df61f2f55fbba368333e1c77b3524f483212f90b89d6432a21ab2adcfdbeaeb816bdb7a988a67b502c92e7b4a683b88df6ffc649d24e75d61dbfcf8aa09e22da5fb84b24fa1908f8d338277bbf8dc3c6e060ace551b7eaf2d3fdbbfc38905d0ed9d4cd28657f07ce4d5ba9e405a597c534484b4e38c54d5f9a7bcc602373f96a2962c51b60162b28c30d8a374d12f3f46ec5970699c39e8e7a3527443c65cd56abf0ad1153426e0ba32edf84070f2bfa3a32a7463bcdaec0c46ce9337899c1399e68b04ed36409c49bddd2db2bfc40ff7a1b281e2c4fa9607c678ffa4f7a7d93cfd4610047eeb62755861240eed273158c33dd17f539d248a1b3a197d986f9c52d43a246060a6a3bff21e971d82f1bfec654b31265f0e980a54a29e2ba8aca6bffe27668dd21a268010000d46a0dc1ffc4986b994b0b6efd610637d7b22bf21888c6296a9a538cadb8ac5d8f4156ac01db17579b90acd4e130f5865373a84d2ea131ee4f326d169d41d1b552daaa4c514c8ae1245185bccf4f4c9b6b5f3e3cec93216cd1ae023f03155fbf05ff0701b7fadd29a1f097318b9ba2a416e86d3131859c7aea45c58cda4a5a6fa833eabcf0a520d7342d514dbd5c9fa85ed89d8e85342a3b6f1bc1144c11102cd6409e9e93ee672ebffed9b17b0e766a9556ff0bc0da5baac91de39d1deacc35e4036795bd5ebfe7c2e8392921757f2355fdb5ff0c3d6885712cf399d0598a95df36ea34f10f3e4906043d913449d24e12228583d0713aed8a54c530cdc4c28acfc916fe7ba96be700ed2eccb3ba6874a1badd2a1ef80bac9169305666b33091f8ad935e31d3ed33251642787b161e0322d891e3a1fa171251783b61b3b33e5dffaba9010ee33e445840e0e493799d7281a681d86b1afd05cfd90b2eaf0584bccf7eefe5d9747a2e52a0e5c7a0a5d2ff1f1af590d7064abd) }
+Quote: { version: 2, sign_type: Unlinkable, epid_group_id: 00000b4d, qe_svn: 8, pce_svn: 7, xeid: 0, basename: Basename(b6b3ee840b3fb5a6a2b14c54221aab6aad6bd3cd49db38f2b12d2c37b8943eda), report_body: ReportBody(sgx_report_body_t { cpu_svn: sgx_cpu_svn_t { svn: [8, 8, 255, 255, 255, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0] }, misc_select: 0, reserved1: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], isv_ext_prod_id: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], attributes: sgx_attributes_t { flags: 7, xfrm: 7 }, mr_enclave: sgx_measurement_t { m: [151, 49, 64, 70, 46, 23, 210, 245, 35, 81, 29, 121, 128, 97, 234, 227, 232, 40, 43, 136, 78, 224, 120, 222, 145, 201, 157, 131, 63, 85, 155, 188] }, reserved2: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], mr_signer: sgx_measurement_t { m: [126, 229, 226, 157, 116, 98, 63, 219, 198, 251, 241, 69, 75, 230, 243, 187, 11, 134, 193, 35, 102, 183, 180, 120, 173, 19, 53, 62, 68, 222, 132, 17] }, reserved3: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], config_id: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], isv_prod_id: 0, isv_svn: 0, config_svn: 0, reserved4: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], isv_family_id: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], report_data: sgx_report_data_t { d: [231, 160, 220, 27, 37, 176, 225, 77, 21, 108, 159, 18, 130, 15, 61, 34, 104, 25, 253, 104, 242, 55, 106, 203, 247, 61, 64, 28, 149, 154, 85, 144, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] } }), signature_len: 680, signature: Some(146c25c134df61f2f55fbba368333e1c77b3524f483212f90b89d6432a21ab2adcfdbeaeb816bdb7a988a67b502c92e7b4a683b88df6ffc649d24e75d61dbfcf8aa09e22da5fb84b24fa1908f8d338277bbf8dc3c6e060ace551b7eaf2d3fdbbfc38905d0ed9d4cd28657f07ce4d5ba9e405a597c534484b4e38c54d5f9a7bcc602373f96a2962c51b60162b28c30d8a374d12f3f46ec5970699c39e8e7a3527443c65cd56abf0ad1153426e0ba32edf84070f2bfa3a32a7463bcdaec0c46ce9337899c1399e68b04ed36409c49bddd2db2bfc40ff7a1b281e2c4fa9607c678ffa4f7a7d93cfd4610047eeb62755861240eed273158c33dd17f539d248a1b3a197d986f9c52d43a246060a6a3bff21e971d82f1bfec654b31265f0e980a54a29e2ba8aca6bffe27668dd21a268010000d46a0dc1ffc4986b994b0b6efd610637d7b22bf21888c6296a9a538cadb8ac5d8f4156ac01db17579b90acd4e130f5865373a84d2ea131ee4f326d169d41d1b552daaa4c514c8ae1245185bccf4f4c9b6b5f3e3cec93216cd1ae023f03155fbf05ff0701b7fadd29a1f097318b9ba2a416e86d3131859c7aea45c58cda4a5a6fa833eabcf0a520d7342d514dbd5c9fa85ed89d8e85342a3b6f1bc1144c11102cd6409e9e93ee672ebffed9b17b0e766a9556ff0bc0da5baac91de39d1deacc35e4036795bd5ebfe7c2e8392921757f2355fdb5ff0c3d6885712cf399d0598a95df36ea34f10f3e4906043d913449d24e12228583d0713aed8a54c530cdc4c28acfc916fe7ba96be700ed2eccb3ba6874a1badd2a1ef80bac9169305666b33091f8ad935e31d3ed33251642787b161e0322d891e3a1fa171251783b61b3b33e5dffaba9010ee33e445840e0e493799d7281a681d86b1afd05cfd90b2eaf0584bccf7eefe5d9747a2e52a0e5c7a0a5d2ff1f1af590d7064abd) }
diff --git a/attest/core/src/lib.rs b/attest/core/src/lib.rs
@@ -15,7 +15,6 @@ mod error;
 mod ias;
 mod nonce;
 mod quote;
-mod report;
 mod seal;
 mod sigrl;
 mod traits;
@@ -31,21 +30,20 @@ pub use crate::{
     ias::verify::{EpidPseudonym, VerificationReportData},
     nonce::{IasNonce, Nonce, QuoteNonce},
     quote::{Quote, QuoteSignType},
-    report::Report,
     seal::{IntelSealed, IntelSealingError, ParseSealedError, Sealed},
     sigrl::SigRL,
     types::{
         basename::Basename, epid_group_id::EpidGroupId, key_id::KeyId, mac::Mac,
-        measurement::Measurement, pib::PlatformInfoBlob, report_body::ReportBody,
-        report_data::ReportDataMask, spid::ProviderId, update_info::*,
+        measurement::Measurement, pib::PlatformInfoBlob, report_data::ReportDataMask,
+        spid::ProviderId, update_info::*,
     },
 };
 
 pub use mc_attest_verifier_types::{VerificationReport, VerificationSignature};
 
 pub use mc_sgx_core_types::{
     Attributes, ConfigId, ConfigSvn, CpuSvn, ExtendedProductId, FamilyId, IsvProductId, IsvSvn,
-    MiscellaneousSelect, MrEnclave, MrSigner, ReportData, TargetInfo,
+    MiscellaneousSelect, MrEnclave, MrSigner, Report, ReportBody, ReportData, TargetInfo,
 };
 
 /// The IAS version we support

diff --git a/attest/core/src/quote.rs b/attest/core/src/quote.rs
@@ -7,21 +7,22 @@ use alloc::vec;
 
 use crate::{
     error::{QuoteError, QuoteSignTypeError, QuoteVerifyError},
-    report::Report,
     types::{
         basename::Basename, epid_group_id::EpidGroupId, measurement::Measurement,
-        report_body::ReportBody, report_data::ReportDataMask,
+        report_data::ReportDataMask,
     },
-    IsvProductId, IsvSvn, BASE64_ENGINE,
+    IsvProductId, IsvSvn, Report, ReportBody, ReportBodyVerifyError, BASE64_ENGINE,
 };
 use alloc::vec::Vec;
 use base64::Engine;
 use core::{
     cmp::{max, min},
     fmt::{Debug, Display, Formatter, Result as FmtResult},
+    mem,
     ops::Range,
 };
 use hex_fmt::HexFmt;
+use mc_sgx_core_types::{AttributeFlags, Attributes};
 use mc_sgx_types::{sgx_quote_sign_type_t, sgx_quote_t};
 use mc_util_encodings::{
     base64_buffer_size, Error as EncodingError, FromBase64, IntelLayout, ToBase64, ToX64,
@@ -44,8 +45,7 @@ const QUOTE_XEID_END: usize = QUOTE_XEID_START + INTEL_U32_SIZE;
 const QUOTE_BASENAME_START: usize = QUOTE_XEID_END;
 const QUOTE_BASENAME_END: usize = QUOTE_BASENAME_START + <Basename as IntelLayout>::X86_64_CSIZE;
 const QUOTE_REPORTBODY_START: usize = QUOTE_BASENAME_END;
-const QUOTE_REPORTBODY_END: usize =
-    QUOTE_REPORTBODY_START + <ReportBody as IntelLayout>::X86_64_CSIZE;
+const QUOTE_REPORTBODY_END: usize = QUOTE_REPORTBODY_START + mem::size_of::<ReportBody>();
 const QUOTE_SIGLEN_START: usize = QUOTE_REPORTBODY_END;
 const QUOTE_SIGLEN_END: usize = QUOTE_SIGLEN_START + INTEL_U32_SIZE;
 const QUOTE_SIGNATURE_START: usize = QUOTE_SIGLEN_END;
@@ -224,8 +224,8 @@ impl Quote {
 
     /// Read the report body from the quote
     pub fn report_body(&self) -> Result<ReportBody, EncodingError> {
-        self.try_get_slice(QUOTE_REPORTBODY_START..QUOTE_REPORTBODY_END)
-            .and_then(ReportBody::try_from)
+        let slice = self.try_get_slice(QUOTE_REPORTBODY_START..QUOTE_REPORTBODY_END)?;
+        ReportBody::try_from(slice).map_err(|_| EncodingError::InvalidInputLength)
     }
 
     /// Read the signature length from the quote (may be zero)
@@ -287,7 +287,7 @@ impl Quote {
         quoted_report: &Report,
     ) -> Result<(), QuoteError> {
         let qe_body = qe_report.body();
-        if self.qe_security_version()? != qe_body.security_version() {
+        if self.qe_security_version()? != qe_body.isv_svn() {
             return Err(QuoteVerifyError::QeVersionMismatch.into());
         }
 
@@ -322,8 +322,7 @@ impl Quote {
             return Err(QuoteSignTypeError::Mismatch(expected_type, sign_type).into());
         }
 
-        // Check report body
-        self.report_body()?.verify(
+        self.verify_report_body(
             allow_debug,
             expected_measurements,
             expected_product_id,
@@ -333,6 +332,61 @@ impl Quote {
 
         Ok(())
     }
+
+    fn verify_report_body(
+        &self,
+        allow_debug: bool,
+        expected_measurements: &[Measurement],
+        expected_product_id: IsvProductId,
+        minimum_security_version: IsvSvn,
+        expected_data: &ReportDataMask,
+    ) -> Result<(), QuoteError> {
+        let report_body = self.report_body()?;
+
+        if !allow_debug {
+            let debug_flag = Attributes::default().set_flags(AttributeFlags::DEBUG);
+            if debug_flag & report_body.attributes() != Attributes::default() {
+                return Err(ReportBodyVerifyError::DebugNotAllowed.into());
+            }
+        }
+
+        let product_id = report_body.isv_product_id();
+        if expected_product_id != product_id {
+            return Err(ReportBodyVerifyError::ProductId(
+                expected_product_id.into(),
+                product_id.into(),
+            )
+            .into());
+        }
+
+        let svn = report_body.isv_svn();
+        if minimum_security_version.as_ref() > svn.as_ref() {
+            return Err(
+                ReportBodyVerifyError::SecurityVersion(minimum_security_version.into()).into(),
+            );
+        }
+
+        // Any match of expected mr_signers or mr_enclaves passes verification.
+        let mr_signer = report_body.mr_signer();
+        let mr_enclave = report_body.mr_enclave();
+        if !expected_measurements
+            .iter()
+            .any(|m| m == &mr_signer || m == &mr_enclave)
+        {
+            return Err(ReportBodyVerifyError::MrMismatch(
+                expected_measurements.to_vec(),
+                mr_enclave,
+                mr_signer,
+            )
+            .into());
+        }
+
+        if expected_data != &report_body.report_data() {
+            return Err(ReportBodyVerifyError::DataMismatch.into());
+        }
+
+        Ok(())
+    }
 }
 
 /// The AsRef implementation for Quote will return the valid bytes.