feat: add tdx-extend, sha384-extend and rtmr-calc

This enables pre-calculating the TDX rtmr[1,2,3] values for an attested boot process. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-21 15:13:56 +02:00 · 2024-12-17 13:18:10 +01:00 · 2024-12-17 13:18:10 +01:00 · 5d32396966
commit 5d32396966
parent fbc4897dad
12 changed files with 603 additions and 2 deletions
--- a/bin/tdx-extend/Cargo.toml
+++ b/bin/tdx-extend/Cargo.toml
@ -0,0 +1,16 @@
+[package]
+name = "tdx-extend"
+publish = false
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+repository.workspace = true
+homepage.workspace = true
+
+[dependencies]
+anyhow.workspace = true
+clap.workspace = true
+hex.workspace = true
+teepot.workspace = true
+tracing.workspace = true
--- a/bin/tdx-extend/src/main.rs
+++ b/bin/tdx-extend/src/main.rs
@ -0,0 +1,60 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2024 Matter Labs
+
+//! Extend the TDX measurement
+
+#![deny(missing_docs)]
+#![deny(clippy::all)]
+
+use anyhow::{Context, Result};
+use clap::Parser;
+use teepot::{
+    log::{setup_logging, LogLevelParser},
+    pad,
+    tdx::rtmr::TdxRtmrEvent,
+};
+use tracing::{error, level_filters::LevelFilter};
+
+/// Extend a TDX rtmr with a hash digest for measured boot.
+#[derive(Parser, Debug)]
+#[command(author, version, about, long_about = None)]
+struct Arguments {
+    /// digest in hex to extend the rtmr with
+    #[arg(long)]
+    digest: String,
+    /// the number or the rtmr
+    #[arg(long, default_value = "2")]
+    rtmr: u64,
+    /// Log level for the log output.
+    /// Valid values are: `off`, `error`, `warn`, `info`, `debug`, `trace`
+    #[clap(long, default_value_t = LevelFilter::WARN, value_parser = LogLevelParser)]
+    pub log_level: LevelFilter,
+}
+
+fn main_with_error() -> Result<()> {
+    let args = Arguments::parse();
+    tracing::subscriber::set_global_default(setup_logging(
+        env!("CARGO_CRATE_NAME"),
+        &args.log_level,
+    )?)?;
+
+    // Parse the digest string as a hex array
+    let digest_bytes = hex::decode(&args.digest).context("Invalid digest format")?;
+    let extend_data: [u8; 48] = pad(&digest_bytes);
+
+    // Extend the TDX measurement with the extend data
+    TdxRtmrEvent::default()
+        .with_extend_data(extend_data)
+        .with_rtmr_index(args.rtmr)
+        .extend()?;
+
+    Ok(())
+}
+
+fn main() -> Result<()> {
+    let ret = main_with_error();
+    if let Err(e) = &ret {
+        error!(error = %e, "Execution failed");
+    }
+    ret
+}