verifier: Fetch VCEK cert from KDS instead of bailing #555
Conversation
Fetch the VCEK cert from the KDS if it is absent in the cert chain instead of just printing a bail statement stating that the VCEK is not found. Signed-off-by: Adithya Krishnan Kannan <[email protected]>
| // Function to request vcek from KDS. Return vcek in der format. | ||
| fn request_endorsement_key_kds( | ||
| att_report: AttestationReport, | ||
| ) -> Result<Vec<CertTableEntry>, anyhow::Error> { |
There was a problem hiding this comment.
The function is specific to download the VCEK, so I think it could be rename to something more specific such as fetch_vcek_from_kds()
There was a problem hiding this comment.
Additionally, I think the function would be more self-contained if it returns Result<Vec<u8>>
There was a problem hiding this comment.
Changed. If appropriate, please mark this comment as Resolved.
There was a problem hiding this comment.
Additionally, I think the function would be more self-contained if it returns
Result<Vec<u8>>
Tried this and got a type mismatch error
There was a problem hiding this comment.
Btw I don't think you need anyhow::Error in in this return type.
There was a problem hiding this comment.
Nice PR. Looks like this will address #456 which is actually a duplicate of #363
One thing to think about is that this could result in quite a few requests being made to the KDS. We should probably implement some kind of caching mechanism so that the verifier doesn't have to get the vcek for the same node again and again. We can probably do this in a follow-up.
Also, we might want to add vlek support at some point although I suspect this will require specifying a few more config params.
deps/verifier/Cargo.toml
Outdated
| @@ -49,6 +49,7 @@ strum.workspace = true | |||
| veraison-apiclient = { git = "https://github.com/chendave/rust-apiclient", branch = "token", optional = true } | |||
| ear = { git = "https://github.com/veraison/rust-ear", rev = "43f7f480d09ea2ebc03137af8fbcd70fe3df3468", optional = true } | |||
| x509-parser = { version = "0.14.0", optional = true } | |||
| reqwest = { version="0.12.9", features = ["blocking"] } | |||
There was a problem hiding this comment.
I you are already specifying the needed version of reqwest in the global Cargo file, you can just say request = workspace.true here.
There was a problem hiding this comment.
Changed. If appropriate, please mark this comment as Resolved.
There was a problem hiding this comment.
See Ding's suggestions about the Cargo file as well.
| @@ -84,8 +85,10 @@ impl Verifier for Snp { | |||
| cert_chain, | |||
| } = serde_json::from_slice(evidence).context("Deserialize Quote failed.")?; | |||
|
|
|||
| let Some(cert_chain) = cert_chain else { | |||
| bail!("Cert chain is unset"); | |||
| let cert_chain = if let Some(chain) = cert_chain{ | |||
There was a problem hiding this comment.
So the cert chain is type Option<Vec<Cert>> or something. This accounts for cases where the option is none, but what if the option is there but the vector is empty?
Ideally we should get the vcek even if there is a non-empty cert chain as long as the vcek/vlek isn't part of it.
There was a problem hiding this comment.
Could this be part of the future follow-up PR?
There was a problem hiding this comment.
We can leave check the cert types to a follow-up, but please add a case to this statement to catch an empty vector.
deps/verifier/src/snp/mod.rs
Outdated
| ) -> Result<Vec<CertTableEntry>, anyhow::Error> { | ||
| // KDS URL parameters | ||
| const KDS_CERT_SITE: &str = "https://kdsintf.amd.com"; | ||
| const KDS_VCEK: &str = "/vcek/v1"; |
There was a problem hiding this comment.
might be better to put these consts at the top of the file rather than inside this function
There was a problem hiding this comment.
Fixed. If appropriate, please mark this comment as Resolved.
deps/verifier/src/snp/mod.rs
Outdated
| StatusCode::OK => { | ||
| let vcek_rsp_bytes: Vec<u8> = | ||
| vcek_rsp.bytes().context("Unable to parse VCEK")?.to_vec(); | ||
| let key= CertTableEntry{cert_type: CertType::VCEK, data: vcek_rsp_bytes}; |
There was a problem hiding this comment.
nit: key= -> key =. Also you probably want some spaces around the {. I'm surprised this survived cargo fmt check.
There was a problem hiding this comment.
If appropriate, please mark this comment as Resolved.
There was a problem hiding this comment.
there are more formatting/lint issues. we do have a problem in the build pipeline, the verifier crate is not linted/formatted.
There was a problem hiding this comment.
can you run
cargo fmt
cargo clippy -p verifier -- -D warningson your code in the mean time and fix the warnings?
Cargo.lock
Outdated
There was a problem hiding this comment.
It seems your Cargo.lock has more changes than required. You may need to restore it and apply the request = worspace.true change that Tobin suggested
There was a problem hiding this comment.
If appropriate, please mark this comment as Resolved.
1. In deps\verifier\src\snp\mod.rs: i. Rename function request_endorsement_key_kds() -> fetch_vcek_from_kds() ii. KDS URL Parameter consts shifted to top of file iii. Corrected spacing around key and curly baces in vcek_rsp.status() match 2. In deps/verifier/Cargo.toml i. set reqwest = workspace.true Signed-off-by: Adithya Krishnan Kannan <[email protected]>
| @@ -482,4 +518,4 @@ mod tests { | |||
| let vendor_certs = load_milan_cert_chain().as_ref().unwrap(); | |||
| verify_report_signature(&attestation_report, &cert_chain, vendor_certs).unwrap_err(); | |||
| } | |||
| } | |||
| } | |||
There was a problem hiding this comment.
this empty line can be reserved
| @@ -36,7 +36,7 @@ jsonwebtoken = { version = "9", default-features = false } | |||
| log = "0.4.17" | |||
| prost = "0.12" | |||
| regorus = { version = "0.1.5", default-features = false, features = ["regex", "base64", "time"] } | |||
| reqwest = { version = "0.12", default-features = false, features = ["default-tls"] } | |||
| reqwest = { version = "0.12", default-features = false, features = ["default-tls", "blocking"] } | |||
There was a problem hiding this comment.
I noticed that the reqwest is used in fetch_vcek_from_kds. It is suggested to use reqwest::get (the async version) rather than blocking version, because the blocking version would hang on network I/O during which the process would wait.
| let key = CertTableEntry { cert_type: CertType::VCEK, data: vcek_rsp_bytes }; | ||
| Ok(vec![key]) | ||
| } | ||
| status => Err(anyhow::anyhow!("Unable to fetch VCEK from URL: {status:?}")), |
Co-authored-by: Xynnn_ <[email protected]> Signed-off-by: Adithya Krishnan Kannan <[email protected]>
Fetch the VCEK cert from the KDS if it is absent in the cert chain instead of just printing a bail statement stating that the VCEK is not found.