fix(sevsnp): update matching of REPORTED_TCB

REPORTED_TCB is a bitfield of versions. Extract individual versions
for comparison. REPORTED_TCB in evidence should be greater than or
equal to the reference value.

Signed-off-by: Jagannathan Raman <[email protected]>

Author: jraman567

scheme/sevsnp/common.go

@@ -9,8 +9,11 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"reflect"
+	"strconv"
 
 	"github.com/google/go-sev-guest/abi"
+	"github.com/google/go-sev-guest/kds"
 	"github.com/google/go-sev-guest/proto/sevsnp"
 	"github.com/veraison/cmw"
 	"github.com/veraison/corim/comid"
@@ -163,3 +166,34 @@ func parseAttestationToken(token *proto.AttestationToken) (*tokens.TSMReport, er
 
 	return tsm, nil
 }
+
+// transformSVNtoTCB extracts TCB from the supplied SVN. SEV-SNP's TCB_VERSION
+// is a composite version; it's bitfield consisting of SVNs from various firmware components
+func transformSVNtoTCB(svn comid.SVN) (*kds.TCBParts, error) {
+	var (
+		tcbVersion uint64
+		err        error
+		tcbParts   kds.TCBParts
+	)
+
+	// ToDo: following is a circuitous way to obtain the 64-bit TCB integer value
+	// from SVN. Consider updating the SVN type to return a 64-bit value
+	switch v := svn.Value.(type) {
+	case *comid.TaggedSVN:
+		tcbString := v.String()
+		tcbVersion, err = strconv.ParseUint(tcbString, 10, 64)
+	case *comid.TaggedMinSVN:
+		tcbString := v.String()
+		tcbVersion, err = strconv.ParseUint(tcbString, 10, 64)
+	default:
+		err = fmt.Errorf("unsupported SVN type: %v", reflect.TypeOf(svn.Value))
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	tcbParts = kds.DecomposeTCBVersion(kds.TCBVersion(tcbVersion))
+
+	return &tcbParts, nil
+}

scheme/sevsnp/evidence_handler.go

@@ -366,6 +366,38 @@ func compareMeasurements(refM comid.Measurement, evM comid.Measurement) bool {
 	return true
 }
 
+func compareTcb(refM comid.Measurement, evM comid.Measurement) bool {
+	if refM.Val.SVN == nil {
+		log.Errorf("reference doesn't have SVN")
+		return false
+	}
+
+	if evM.Val.SVN == nil {
+		log.Errorf("evidence doesn't have SVN")
+		return false
+	}
+
+	refTcbParts, err := transformSVNtoTCB(*refM.Val.SVN)
+	if err != nil {
+		log.Errorf("could not transform reference SVN to TCB parts: %v", err)
+		return false
+	}
+
+	evTcbParts, err := transformSVNtoTCB(*evM.Val.SVN)
+	if err != nil {
+		log.Errorf("could not transform evidence SVN to TCB parts: %v", err)
+	}
+
+	if evTcbParts.BlSpl < refTcbParts.BlSpl ||
+		evTcbParts.SnpSpl < refTcbParts.SnpSpl ||
+		evTcbParts.TeeSpl < refTcbParts.TeeSpl ||
+		evTcbParts.UcodeSpl < refTcbParts.UcodeSpl {
+		return false
+	}
+
+	return true
+}
+
 // AppraiseEvidence confirms if the claims in the evidence match with the provisioned
 // reference values.
 //
@@ -405,6 +437,7 @@ func (o EvidenceHandler) AppraiseEvidence(
 	appraisal.TrustVector.Hardware = ear.UnsafeHardwareClaim
 	appraisal.TrustVector.RuntimeOpaque = ear.VisibleMemoryRuntimeClaim
 
+claimsLoop:
 	for _, m := range refVal.Measurements.Values {
 		var (
 			k  uint64
@@ -433,9 +466,17 @@ func (o EvidenceHandler) AppraiseEvidence(
 			break
 		}
 
-		if !compareMeasurements(m, *em) {
-			err = fmt.Errorf("MKey %d in reference value doesn't match with evidence", k)
-			break
+		switch k {
+		case mKeyReportedTcb:
+			if !compareTcb(m, *em) {
+				err = fmt.Errorf("reported TCB in evidence doesn't match reference")
+				break claimsLoop
+			}
+		default:
+			if !compareMeasurements(m, *em) {
+				err = fmt.Errorf("MKey %d in reference value doesn't match with evidence", k)
+				break claimsLoop
+			}
 		}
 	}
 

scheme/sevsnp/scheme.go

@@ -29,4 +29,5 @@ const (
 	mKeyReportData  = 640
 	mKeyMeasurement = 641
 	mKeyReportID    = 645
+	mKeyReportedTcb = 647
 )