Gate behind feature flag

Author: ameba23

Cargo.toml

@@ -54,5 +54,10 @@ rcgen = "0.14.5"
 tempfile = "3.23.0"
 
 [features]
-default = ["azure"]
+default = ["azure", "azure-v6-override"]
+
+# Adds support for Microsoft Azure attestation generation and verification
 azure = ["tss-esapi", "az-tdx-vtpm"]
+
+# Allows Azure's V6 instance outdated SEAM Loader
+azure-v6-override = ["azure"]

src/attestation/azure/mod.rs

@@ -13,6 +13,9 @@ use x509_parser::prelude::*;
 
 use crate::attestation::{dcap::verify_dcap_attestation, measurements::MultiMeasurements};
 
+#[cfg(feature = "azure-v6-override")]
+const AZURE_V6_BAD_FMSPC: &str = "90c06f000000";
+
 /// The attestation evidence payload that gets sent over the channel
 #[derive(Debug, Serialize, Deserialize)]
 struct AttestationDocument {
@@ -245,6 +248,39 @@ impl RsaPubKey {
     }
 }
 
+#[cfg(feature = "azure-v6-override")]
+pub fn azure_v6_override(collateral: &mut dcap_qvl::QuoteCollateralV3) {
+    use crate::attestation::tcb_info::TcbInfo;
+
+    let mut tcb_info: TcbInfo = serde_json::from_str(&collateral.tcb_info).unwrap();
+
+    if tcb_info.fmspc == AZURE_V6_BAD_FMSPC {
+        let tcb_levels = tcb_info
+            .tcb_levels
+            .into_iter()
+            .map(|mut tcb_level| {
+                if &tcb_level.tcb_status == "UpToDate" {
+                    if tcb_level.tcb.sgx_components[7].svn > 3 {
+                        tracing::warn!(
+                            "Overriding tcb info to allow outdated Azure v6 SEAM loader"
+                        );
+                        println!("modifying!");
+                        tcb_level.tcb.sgx_components[7].svn = 3;
+                    }
+                    tcb_level
+                } else {
+                    tcb_level
+                }
+            })
+            .collect::<Vec<_>>();
+
+        tcb_info.tcb_levels = tcb_levels;
+
+        let tcb_info_json = serde_json::to_string(&tcb_info).unwrap();
+        collateral.tcb_info = tcb_info_json;
+    }
+}
+
 #[derive(Error, Debug)]
 pub enum MaaError {
     #[error("Report: {0}")]

src/attestation/dcap.rs

@@ -1,9 +1,9 @@
 //! Data Center Attestation Primitives (DCAP) evidence generation and verification
-use crate::attestation::{measurements::MultiMeasurements, tcb_info::TcbInfo, AttestationError};
+use crate::attestation::{measurements::MultiMeasurements, AttestationError};
 
 use configfs_tsm::QuoteGenerationError;
 use dcap_qvl::{
-    collateral::{self, get_collateral_for_fmspc},
+    collateral::get_collateral_for_fmspc,
     quote::{Quote, Report},
 };
 use thiserror::Error;
@@ -32,6 +32,8 @@ pub async fn verify_dcap_attestation(
 
     let ca = quote.ca()?;
     let fmspc = hex::encode_upper(quote.fmspc()?);
+
+    #[allow(unused_mut)]
     let mut collateral = get_collateral_for_fmspc(
         &pccs_url.clone().unwrap_or(PCS_URL.to_string()),
         fmspc,
@@ -40,6 +42,9 @@ pub async fn verify_dcap_attestation(
     )
     .await?;
 
+    #[cfg(feature = "azure-v6-override")]
+    crate::attestation::azure::azure_v6_override(&mut collateral);
+
     let _verified_report = dcap_qvl::verify::verify(&input, &collateral, now)?;
 
     let measurements = MultiMeasurements::from_dcap_qvl_quote(&quote)?;