[rom_ext_e2e] Check the attestation certificates #24793

Merged
cfrantz merged 2 commits into lowRISC:earlgrey_es_sival from cfrantz:print-certs
Oct 21, 2024


cfrantz commented Oct 15, 2024

Examine the attestation certificates and check the measurements published in the DiceTcbInfo extensions.

Signed-off-by: Chris Frantz <[email protected]>
cfrantz requested review from a team as code owners October 15, 2024 23:40
cfrantz removed request for a team October 15, 2024 23:40

let cdi0 = x509::parse_certificate(&cdi0_bin)?;
let cdi1 = x509::parse_certificate(&cdi1_bin)?;

// TODO: verify signature chain from CDI_1 to CDI_0 to UDS.
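
Review bot: The TODO after the two `x509::parse_certificate` calls leaves CDI_0 and CDI_1 parsed but not authenticated, so the measurements this test reads from them come from certificates whose signature chain back to UDS is unverified. Consider putting a tracking issue reference in the TODO text so the gap stays visible, and stating in the comment that the measurement checks do not yet establish that the certificates were issued by the expected parent.
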
Contributor

This might be a good starting point: https://cs.opensource.google/opentitan/opentitan/+/master:sw/host/provisioning/cert_lib/src/lib.rs;drc=96ea5f430320b411facab840ebe7f785509c4a2a;l=160 but heads up I have not gotten it to work yet with the DICE certs since they have a custom extension that openssl can't seem to parse. Needs further investigation.

Contributor

So openssl won't verify a certificate that it can't fully parse?
One option might be to use the openssl library (not tool) to verify the certificate. From what I remember, it's not that straightforward unfortunately, and it might not have rust bindings, but at least with the library you can parse a certificate and extract extensions and decode manually (which is what I did in the ot_cert crate).

Contributor Author

I'm going to perform the TODOs in follow-on PRs:

  • Fix the endianness of the measurements.
  • Verify the signature chain.
  • Check the UDS cert on a real chip; skip UDS on FPGAs.


cfrantz commented Oct 21, 2024

The CI failure is not related to this PR.
