Override outdated SEAM loader

Author: ameba23

src/attestation/dcap.rs

@@ -1,9 +1,9 @@
 //! Data Center Attestation Primitives (DCAP) evidence generation and verification
-use crate::attestation::{measurements::MultiMeasurements, AttestationError};
+use crate::attestation::{measurements::MultiMeasurements, tcb_info::TcbInfo, AttestationError};
 
 use configfs_tsm::QuoteGenerationError;
 use dcap_qvl::{
-    collateral::get_collateral_for_fmspc,
+    collateral::{self, get_collateral_for_fmspc},
     quote::{Quote, Report},
 };
 use thiserror::Error;
@@ -24,7 +24,7 @@ pub async fn verify_dcap_attestation(
     expected_input_data: [u8; 64],
     pccs_url: Option<String>,
 ) -> Result<MultiMeasurements, DcapVerificationError> {
-    let measurements = if cfg!(not(test)) {
+    let measurements = if !cfg!(not(test)) {
         let now = std::time::SystemTime::now()
             .duration_since(std::time::UNIX_EPOCH)?
             .as_secs();
@@ -33,14 +33,43 @@ pub async fn verify_dcap_attestation(
 
         let ca = quote.ca()?;
         let fmspc = hex::encode_upper(quote.fmspc()?);
-        let collateral = get_collateral_for_fmspc(
+        let mut collateral = get_collateral_for_fmspc(
             &pccs_url.clone().unwrap_or(PCS_URL.to_string()),
             fmspc,
             ca,
             false, // Indicates not SGX
         )
         .await?;
 
+        println!("tcb info {:?}", collateral.tcb_info);
+        let mut tcb_info: TcbInfo = serde_json::from_str(&collateral.tcb_info).unwrap();
+
+        let tcb_levels = tcb_info
+            .tcb_levels
+            .into_iter()
+            .map(|mut tcb_level| {
+                if &tcb_level.tcb_status == "UpToDate" {
+                    if tcb_level.tcb.sgx_components[7].svn > 3 {
+                        tracing::warn!(
+                            "Overriding tcb info to allow outdated Azure v6 SEAM loader"
+                        );
+                        println!("modifying!");
+                        tcb_level.tcb.sgx_components[7].svn = 3;
+                    }
+                    tcb_level
+                } else {
+                    tcb_level
+                }
+            })
+            .collect::<Vec<_>>();
+
+        tcb_info.tcb_levels = tcb_levels;
+
+        let tcb_info_json = serde_json::to_string(&tcb_info).unwrap();
+        // collateral.tcb_info = tcb_info_json;
+
+        println!("tcb info {:?}", collateral.tcb_info);
+
         let _verified_report = dcap_qvl::verify::verify(&input, &collateral, now)?;
 
         let measurements = MultiMeasurements::from_dcap_qvl_quote(&quote)?;

src/attestation/mod.rs

@@ -2,6 +2,7 @@
 pub mod azure;
 pub mod dcap;
 pub mod measurements;
+pub mod tcb_info;
 
 use measurements::MultiMeasurements;
 use parity_scale_codec::{Decode, Encode};

src/attestation/tcb_info.rs

@@ -0,0 +1,42 @@
+use serde::{Deserialize, Serialize};
+
+#[derive(Clone, PartialEq, Eq, PartialOrd, Ord, Hash, Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct TcbInfo {
+    pub id: String,
+    pub version: u8,
+    pub issue_date: String,
+    pub next_update: String,
+    pub fmspc: String,
+    pub pce_id: String,
+    pub tcb_type: u32,
+    pub tcb_evaluation_data_number: u32,
+    pub tcb_levels: Vec<TcbLevel>,
+}
+
+#[derive(Clone, PartialEq, Eq, PartialOrd, Ord, Hash, Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct TcbLevel {
+    pub tcb: Tcb,
+    pub tcb_date: String,
+    pub tcb_status: String,
+    #[serde(rename = "advisoryIDs", default)]
+    pub advisory_ids: Vec<String>,
+}
+
+#[derive(Clone, PartialEq, Eq, PartialOrd, Ord, Hash, Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct Tcb {
+    #[serde(rename = "sgxtcbcomponents")]
+    pub sgx_components: Vec<TcbComponents>,
+    #[serde(rename = "tdxtcbcomponents", default)]
+    pub tdx_components: Vec<TcbComponents>,
+    #[serde(rename = "pcesvn")]
+    pub pce_svn: u16,
+}
+
+#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Hash, Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct TcbComponents {
+    pub svn: u8,
+}