refactor: update collateral handling
- Simplify collateral handling by removing unnecessary references and matches. - Add `collateral` field to `QuoteVerificationResult` for improved data clarity. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
parent
a677615474
commit
8cf7651781
7 changed files with 34 additions and 19 deletions
|
@ -21,7 +21,7 @@ use teepot::{
|
||||||
server::signatures::verify_sig,
|
server::signatures::verify_sig,
|
||||||
sgx::sign::Signature,
|
sgx::sign::Signature,
|
||||||
};
|
};
|
||||||
use tracing::{error, info, level_filters::LevelFilter};
|
use tracing::{error, level_filters::LevelFilter};
|
||||||
|
|
||||||
#[derive(Args, Debug)]
|
#[derive(Args, Debug)]
|
||||||
struct SendArgs {
|
struct SendArgs {
|
||||||
|
|
|
@ -127,7 +127,7 @@ fn verify_attestation_quote(attestation_quote_bytes: &[u8]) -> Result<QuoteVerif
|
||||||
let unix_time: i64 = std::time::SystemTime::now()
|
let unix_time: i64 = std::time::SystemTime::now()
|
||||||
.duration_since(UNIX_EPOCH)?
|
.duration_since(UNIX_EPOCH)?
|
||||||
.as_secs() as _;
|
.as_secs() as _;
|
||||||
verify_quote_with_collateral(attestation_quote_bytes, Some(&collateral), unix_time)
|
verify_quote_with_collateral(attestation_quote_bytes, Some(collateral), unix_time)
|
||||||
.context("Failed to verify quote with collateral")
|
.context("Failed to verify quote with collateral")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -129,7 +129,7 @@ pub fn verify_attestation_quote(attestation_quote_bytes: &[u8]) -> Result<QuoteV
|
||||||
let unix_time: i64 = std::time::SystemTime::now()
|
let unix_time: i64 = std::time::SystemTime::now()
|
||||||
.duration_since(std::time::UNIX_EPOCH)?
|
.duration_since(std::time::UNIX_EPOCH)?
|
||||||
.as_secs() as _;
|
.as_secs() as _;
|
||||||
verify_quote_with_collateral(attestation_quote_bytes, Some(&collateral), unix_time)
|
verify_quote_with_collateral(attestation_quote_bytes, Some(collateral), unix_time)
|
||||||
.context("Failed to verify quote with collateral!")
|
.context("Failed to verify quote with collateral!")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -201,8 +201,7 @@ impl TeeConnection {
|
||||||
advisories,
|
advisories,
|
||||||
earliest_expiration_date,
|
earliest_expiration_date,
|
||||||
..
|
..
|
||||||
} = verify_quote_with_collateral(quote_bytes, collateral.as_ref(), current_time)
|
} = verify_quote_with_collateral(quote_bytes, collateral, current_time).unwrap();
|
||||||
.unwrap();
|
|
||||||
|
|
||||||
let Report::SgxEnclave(report_body) = quote.report else {
|
let Report::SgxEnclave(report_body) = quote.report else {
|
||||||
return Err(Error::General("TDX quote and not SGX quote".into()));
|
return Err(Error::General("TDX quote and not SGX quote".into()));
|
||||||
|
|
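Review bot: The rewritten call `verify_quote_with_collateral(quote_bytes, collateral, current_time).unwrap();` still panics when verification fails, although the code right below it in `impl TeeConnection` reports failures with `return Err(Error::General(...))`. If `quote_bytes` comes from the peer, as it appears to, a malformed or unverifiable quote would abort the thread instead of rejecting the connection cleanly. Propagating the error would be safer, for example `.map_err(|e| Error::General(format!("quote verification failed: {e}")))?;`, assuming `Error::General` takes a string and `QuoteError` implements `Display` (neither is visible here). The enclosing function starts and ends outside the hunk.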
|
@ -1,5 +1,5 @@
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
// Copyright (c) 2023-2024 Matter Labs
|
// Copyright (c) 2023-2025 Matter Labs
|
||||||
|
|
||||||
// Parts of it are Copyright (c) 2024 Phala Network
|
// Parts of it are Copyright (c) 2024 Phala Network
|
||||||
// and copied from https://github.com/Phala-Network/dcap-qvl
|
// and copied from https://github.com/Phala-Network/dcap-qvl
|
||||||
|
@ -627,6 +627,8 @@ pub fn get_quote(report_data: &[u8]) -> Result<(TEEType, Box<[u8]>), QuoteError>
|
||||||
|
|
||||||
/// The result of the quote verification
|
/// The result of the quote verification
|
||||||
pub struct QuoteVerificationResult {
|
pub struct QuoteVerificationResult {
|
||||||
|
/// the used collateral
|
||||||
|
pub collateral: Collateral,
|
||||||
/// the raw result
|
/// the raw result
|
||||||
pub result: sgx_ql_qv_result_t,
|
pub result: sgx_ql_qv_result_t,
|
||||||
/// indicates if the collateral is expired
|
/// indicates if the collateral is expired
|
||||||
|
@ -644,7 +646,7 @@ pub struct QuoteVerificationResult {
|
||||||
/// Verifies a quote with optional collateral material
|
/// Verifies a quote with optional collateral material
|
||||||
pub fn verify_quote_with_collateral(
|
pub fn verify_quote_with_collateral(
|
||||||
quote: &[u8],
|
quote: &[u8],
|
||||||
collateral: Option<&Collateral>,
|
collateral: Option<Collateral>,
|
||||||
current_time: i64,
|
current_time: i64,
|
||||||
) -> Result<QuoteVerificationResult, QuoteError> {
|
) -> Result<QuoteVerificationResult, QuoteError> {
|
||||||
let mut supp_data: mem::MaybeUninit<sgx_ql_qv_supplemental_t> = mem::MaybeUninit::zeroed();
|
let mut supp_data: mem::MaybeUninit<sgx_ql_qv_supplemental_t> = mem::MaybeUninit::zeroed();
|
||||||
|
@ -689,9 +691,19 @@ pub fn verify_quote_with_collateral(
|
||||||
|
|
||||||
trace!("tee_verify_quote");
|
trace!("tee_verify_quote");
|
||||||
|
|
||||||
let (collateral_expiration_status, result) =
|
let collateral = match collateral {
|
||||||
tee_verify_quote(quote, collateral, current_time, None, p_supplemental_data)
|
None => tee_qv_get_collateral(quote).context("tee_qv_get_collateral")?,
|
||||||
.context("tee_verify_quote")?;
|
Some(c) => c,
|
||||||
|
};
|
||||||
|
|
||||||
|
let (collateral_expiration_status, result) = tee_verify_quote(
|
||||||
|
quote,
|
||||||
|
Some(&collateral),
|
||||||
|
current_time,
|
||||||
|
None,
|
||||||
|
p_supplemental_data,
|
||||||
|
)
|
||||||
|
.context("tee_verify_quote")?;
|
||||||
|
|
||||||
trace!("tee_verify_quote end");
|
trace!("tee_verify_quote end");
|
||||||
|
|
||||||
|
@ -721,6 +733,7 @@ pub fn verify_quote_with_collateral(
|
||||||
let quote = Quote::parse(quote)?;
|
let quote = Quote::parse(quote)?;
|
||||||
|
|
||||||
let res = QuoteVerificationResult {
|
let res = QuoteVerificationResult {
|
||||||
|
collateral,
|
||||||
collateral_expired: collateral_expiration_status != 0,
|
collateral_expired: collateral_expiration_status != 0,
|
||||||
earliest_expiration_date,
|
earliest_expiration_date,
|
||||||
tcb_level_date_tag,
|
tcb_level_date_tag,
|
||||||
|
|
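Review bot: The doc comments on `verify_quote_with_collateral` and on the new `collateral` field do not say that, when the caller passes `None`, the function now obtains collateral itself through `tee_qv_get_collateral(quote)` and hands it back in the result. As far as the visible hunks show, the field is filled in whenever the call returns `Ok`, regardless of `result` and `collateral_expired`, so a caller that stores or forwards the returned collateral needs to check both first. I would extend the field comment to something like `/// the collateral used for verification (caller-supplied, or fetched when None was passed); may be expired, see collateral_expired`, and add a matching sentence to the function's doc comment. The function body is only partly visible across these hunks.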
|
@ -1,5 +1,5 @@
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
// Copyright (c) 2023-2024 Matter Labs
|
// Copyright (c) 2023-2025 Matter Labs
|
||||||
|
|
||||||
//! Common attestation API for all TEEs
|
//! Common attestation API for all TEEs
|
||||||
|
|
||||||
|
@ -68,7 +68,9 @@ pub fn get_quote_and_collateral(
|
||||||
tcb_level_date_tag,
|
tcb_level_date_tag,
|
||||||
quote,
|
quote,
|
||||||
advisories,
|
advisories,
|
||||||
} = verify_quote_with_collateral(&myquote, Some(&collateral), unix_time.saturating_add(60))
|
collateral,
|
||||||
|
..
|
||||||
|
} = verify_quote_with_collateral(&myquote, Some(collateral), unix_time.saturating_add(60))
|
||||||
.context("Failed to verify own quote with collateral")?;
|
.context("Failed to verify own quote with collateral")?;
|
||||||
|
|
||||||
debug!(tcb_level_date_tag);
|
debug!(tcb_level_date_tag);
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
// Copyright (c) 2024 Matter Labs
|
// Copyright (c) 2024-2025 Matter Labs
|
||||||
|
|
||||||
mod sgx {
|
mod sgx {
|
||||||
use anyhow::{Context, Result};
|
use anyhow::{Context, Result};
|
||||||
|
@ -13,7 +13,7 @@ mod sgx {
|
||||||
|
|
||||||
fn check_quote(
|
fn check_quote(
|
||||||
quote: &[u8],
|
quote: &[u8],
|
||||||
collateral: Option<&Collateral>,
|
collateral: Option<Collateral>,
|
||||||
current_time: i64,
|
current_time: i64,
|
||||||
expected_mrsigner: &[u8],
|
expected_mrsigner: &[u8],
|
||||||
expected_reportdata: &[u8],
|
expected_reportdata: &[u8],
|
||||||
|
@ -26,6 +26,7 @@ mod sgx {
|
||||||
quote,
|
quote,
|
||||||
advisories,
|
advisories,
|
||||||
tcb_level_date_tag,
|
tcb_level_date_tag,
|
||||||
|
..
|
||||||
} = verify_quote_with_collateral(quote, collateral, current_time)?;
|
} = verify_quote_with_collateral(quote, collateral, current_time)?;
|
||||||
|
|
||||||
if collateral_expired || result != sgx_ql_qv_result_t::SGX_QL_QV_RESULT_OK {
|
if collateral_expired || result != sgx_ql_qv_result_t::SGX_QL_QV_RESULT_OK {
|
||||||
|
@ -1140,7 +1141,7 @@ mod sgx {
|
||||||
|
|
||||||
check_quote(
|
check_quote(
|
||||||
"e,
|
"e,
|
||||||
Some(&collateral),
|
Some(collateral),
|
||||||
current_time,
|
current_time,
|
||||||
&mrsigner,
|
&mrsigner,
|
||||||
&report_data,
|
&report_data,
|
||||||
|
@ -2211,7 +2212,7 @@ mod sgx {
|
||||||
|
|
||||||
check_quote(
|
check_quote(
|
||||||
"e,
|
"e,
|
||||||
Some(&collateral),
|
Some(collateral),
|
||||||
current_time,
|
current_time,
|
||||||
&mrsigner,
|
&mrsigner,
|
||||||
&report_data,
|
&report_data,
|
||||||
|
@ -2594,7 +2595,7 @@ mod sgx {
|
||||||
|
|
||||||
check_quote(
|
check_quote(
|
||||||
"e,
|
"e,
|
||||||
Some(&collateral),
|
Some(collateral),
|
||||||
current_time,
|
current_time,
|
||||||
&mrsigner,
|
&mrsigner,
|
||||||
&report_data,
|
&report_data,
|
||||||
|
@ -3677,7 +3678,7 @@ mod sgx {
|
||||||
|
|
||||||
check_quote(
|
check_quote(
|
||||||
"e,
|
"e,
|
||||||
Some(&collateral),
|
Some(collateral),
|
||||||
current_time,
|
current_time,
|
||||||
&mrsigner,
|
&mrsigner,
|
||||||
&report_data,
|
&report_data,
|
||||||
|
@ -4805,7 +4806,7 @@ mod sgx {
|
||||||
|
|
||||||
check_quote(
|
check_quote(
|
||||||
"e,
|
"e,
|
||||||
Some(&collateral),
|
Some(collateral),
|
||||||
current_time as i64,
|
current_time as i64,
|
||||||
&mrsigner,
|
&mrsigner,
|
||||||
&report_data,
|
&report_data,
|
||||||
|
|