[rom_ext_e2e] Check the attestation certificates #24793
cfrantz merged 2 commits into lowRISC:earlgrey_es_sival
Signed-off-by: Chris Frantz <[email protected]>
```rust
let cdi0 = x509::parse_certificate(&cdi0_bin)?;
let cdi1 = x509::parse_certificate(&cdi1_bin)?;

// TODO: verify signature chain from CDI_1 to CDI_0 to UDS.
```
This might be a good starting point: https://cs.opensource.google/opentitan/opentitan/+/master:sw/host/provisioning/cert_lib/src/lib.rs;drc=96ea5f430320b411facab840ebe7f785509c4a2a;l=160 but heads up, I have not gotten it to work yet with the DICE certs, since they have a custom extension that openssl can't seem to parse. Needs further investigation.
So openssl won't verify a certificate that it can't fully parse?
One option might be to use the openssl library (not tool) to verify the certificate. From what I remember, it's not that straightforward unfortunately, and it might not have rust bindings, but at least with the library you can parse a certificate and extract extensions and decode manually (which is what I did in the ot_cert crate).
I'm going to perform the TODOs in follow-on PRs:
- Fix the endianness of the measurements.
- Verify the signature chain.
- Check the UDS cert on a real chip; skip UDS on FPGAs.
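Decoding the DiceTcbInfo extension by hand, as the comments above discuss, in an added example that is not part of this PR or of the OpenTitan code base: a minimal DER walker pulls the FWID measurements out of a DiceTcbInfo value and reports whether a published measurement matches as-is or only after byte reversal (treating byte reversal as the endianness slip is an assumption; the sample extension bytes are constructed here).

```python
# Added example, not OpenTitan code: decode the fwids of a DiceTcbInfo value
# with a minimal DER walker and compare the published measurements.
OID_SHA256 = "2.16.840.1.101.3.4.2.1"  # hashAlg used for SHA-256 FWIDs

def _tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def dice_fwids(tcb_info_der: bytes) -> list[tuple[str, bytes]]:
    """Return [(hashAlg OID, digest), ...] from the fwids [6] field."""
    tag, body, _ = _tlv(tcb_info_der, 0)
    if tag != 0x30:
        raise ValueError("DiceTcbInfo must be a SEQUENCE")
    pos, out = 0, []
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        if tag != 0xA6:  # skip everything but [6] IMPLICIT FWIDLIST
            continue
        p = 0
        while p < len(value):
            _, fwid, p = _tlv(value, p)  # FWID ::= SEQUENCE {hashAlg, digest}
            _, oid, q = _tlv(fwid, 0)
            _, digest, _ = _tlv(fwid, q)
            out.append((_decode_oid(oid), digest))
    return out

def measurement_status(published: bytes, expected: bytes) -> str:
    """'match', 'byte-reversed' (assumed endianness slip) or 'mismatch'."""
    if published == expected:
        return "match"
    return "byte-reversed" if published[::-1] == expected else "mismatch"

def _der(tag: int, payload: bytes) -> bytes:  # short-form encoder for samples
    return bytes([tag, len(payload)]) + payload

# Constructed sample: vendor [0], layer [4] and one SHA-256 FWID in fwids [6].
SAMPLE_DIGEST = bytes(range(32))
SAMPLE_TCB_INFO = _der(0x30, _der(0x80, b"lowRISC") + _der(0x84, b"\x01") + _der(
    0xA6, _der(0x30, b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01" + _der(0x04, SAMPLE_DIGEST))))
```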
sw/device/silicon_creator/rom_ext/e2e/attestation/print_certs.c (three review threads, all outdated and resolved)
Examine the attestation certificates and check the measurements published in the DiceTcbInfo extensions.

Signed-off-by: Chris Frantz <[email protected]>

The CI failure is not related to this PR.