Deduplicate structs in stage0 attestation generation

Bug: 347970899 Change-Id: I2249064e988cf2e0811e575fd4f4aab342d01893
project-oak · Sep 26, 2024 · e1e1ed2 · e1e1ed2
1 parent fcf553a
commit e1e1ed2
Show file tree

Hide file tree

Showing 5 changed files with 152 additions and 180 deletions.
diff --git a/oak_attestation_integration_tests/tests/attester_tests.rs b/oak_attestation_integration_tests/tests/attester_tests.rs
@@ -20,23 +20,27 @@ use oak_attestation::{
 };
 use oak_attestation_verification::verifier::verify_dice_chain;
 use oak_dice::evidence::TeePlatform;
-use oak_proto_rust::oak::{
-    attestation::v1::{ApplicationLayerData, EventLog},
-    RawDigest,
-};
+use oak_proto_rust::oak::{attestation::v1::ApplicationLayerData, RawDigest};
 use prost::Message;
 
 const TEST_APPLICATION_DIGEST: [u8; 4] = [0, 1, 2, 3];
 
 #[test]
 fn dice_attester_generates_correct_dice_chain() {
-    let test_stage0_measurements = oak_stage0_dice::Measurements::default();
+    let test_stage0_measurements = oak_proto_rust::oak::attestation::v1::Stage0Measurements {
+        setup_data_digest: vec![],
+        kernel_measurement: vec![],
+        ram_disk_digest: vec![],
+        memory_map_digest: vec![],
+        acpi_digest: vec![],
+        kernel_cmdline: String::new(),
+    };
+    let stage0_event = oak_stage0_dice::encoded_stage0_event(test_stage0_measurements);
     let (_, stage0_dice_data_proto) = oak_stage0_dice::generate_dice_data(
-        &test_stage0_measurements,
         oak_stage0_dice::mock_attestation_report,
         oak_stage0_dice::mock_derived_key,
         TeePlatform::None,
-        EventLog::default(),
+        &stage0_event,
     );
     let serialized_stage0_dice_data = stage0_dice_data_proto.encode_length_delimited_to_vec();
 

diff --git a/oak_containers_sdk/src/standalone.rs b/oak_containers_sdk/src/standalone.rs
@@ -41,32 +41,29 @@ pub fn standalone_endorsed_evidence_containing_only_public_keys(
         oak_proto_rust::oak::attestation::v1::EventLog,
         oak_dice::evidence::Stage0DiceData,
     ) = {
-        let mut mock_stage0_measurements = oak_stage0_dice::Measurements::default();
-        let (mock_event_log, stage0_event_sha2_256_digest) = oak_stage0_dice::generate_event_log(
-            mock_stage0_measurements.kernel_sha2_256_digest.to_vec(),
-            mock_stage0_measurements.acpi_sha2_256_digest.to_vec(),
-            mock_stage0_measurements.memory_map_sha2_256_digest.to_vec(),
-            mock_stage0_measurements.ram_disk_sha2_256_digest.to_vec(),
-            mock_stage0_measurements.setup_data_sha2_256_digest.to_vec(),
-            mock_stage0_measurements.cmdline.clone(),
+        let encoded_stage0_event = oak_stage0_dice::encoded_stage0_event(
+            oak_proto_rust::oak::attestation::v1::Stage0Measurements::default(),
         );
-        mock_stage0_measurements.event_sha2_256_digest = stage0_event_sha2_256_digest;
-        let (stage0_dice_data, _) = oak_stage0_dice::generate_dice_data(
-            &mock_stage0_measurements,
+        let mock_event_log = {
+            let mut base = oak_proto_rust::oak::attestation::v1::EventLog::default();
+            base.encoded_events.push(encoded_stage0_event.to_vec());
+            base
+        };
+        let (mock_stage0_dice_data, _) = oak_stage0_dice::generate_dice_data(
             oak_stage0_dice::mock_attestation_report,
             oak_stage0_dice::mock_derived_key,
             oak_dice::evidence::TeePlatform::None,
-            oak_proto_rust::oak::attestation::v1::EventLog::default(),
+            &encoded_stage0_event,
         );
-        (mock_event_log, stage0_dice_data)
+        (mock_event_log, mock_stage0_dice_data)
     };
     let mut attester = oak_containers_stage1_dice::stage0_dice_data_into_dice_attester(
         mock_stage0_dice_data,
         mock_event_log,
     )
     .expect("failed to create dice attester");
     let stage1_layer_data = oak_containers_stage1_dice::get_layer_data(&[]);
-    attester.add_layer(stage1_layer_data).expect("failred to add stage1 layer data");
+    attester.add_layer(stage1_layer_data).expect("failed to add stage1 layer data");
     let orchestrator_layer_data =
         oak_containers_orchestrator_attestation::measure_container_and_config(&[], &[]);
     let (_instance_keys, instance_public_keys) =

diff --git a/oak_restricted_kernel_sdk/src/testing.rs b/oak_restricted_kernel_sdk/src/testing.rs
@@ -49,22 +49,19 @@ lazy_static::lazy_static! {
 
 fn get_mock_dice_data_and_event_log() -> (RestrictedKernelDiceData, Vec<u8>) {
     let (mut mock_event_log, stage0_dice_data): (EventLog, Stage0DiceData) = {
-        let mut mock_stage0_measurements = oak_stage0_dice::Measurements::default();
-        let (mock_event_log, stage0_event_sha2_256_digest) = oak_stage0_dice::generate_event_log(
-            mock_stage0_measurements.kernel_sha2_256_digest.to_vec(),
-            mock_stage0_measurements.acpi_sha2_256_digest.to_vec(),
-            mock_stage0_measurements.memory_map_sha2_256_digest.to_vec(),
-            mock_stage0_measurements.ram_disk_sha2_256_digest.to_vec(),
-            mock_stage0_measurements.setup_data_sha2_256_digest.to_vec(),
-            mock_stage0_measurements.cmdline.clone(),
+        let stage0_event = oak_stage0_dice::encoded_stage0_event(
+            oak_proto_rust::oak::attestation::v1::Stage0Measurements::default(),
         );
-        mock_stage0_measurements.event_sha2_256_digest = stage0_event_sha2_256_digest;
+        let mock_event_log = {
+            let mut base = oak_proto_rust::oak::attestation::v1::EventLog::default();
+            base.encoded_events.push(stage0_event.to_vec());
+            base
+        };
         let (stage0_dice_data, _) = oak_stage0_dice::generate_dice_data(
-            &mock_stage0_measurements,
             oak_stage0_dice::mock_attestation_report,
             oak_stage0_dice::mock_derived_key,
             TeePlatform::None,
-            EventLog::default(),
+            &stage0_event,
         );
         (mock_event_log, stage0_dice_data)
     };

diff --git a/stage0/src/lib.rs b/stage0/src/lib.rs
@@ -44,8 +44,6 @@ use x86_64::{
 };
 use zerocopy::AsBytes;
 
-use crate::alloc::string::ToString;
-
 mod acpi;
 mod acpi_tables;
 pub mod allocator;
@@ -145,7 +143,6 @@ pub fn rust64_start<P: hal::Platform>() -> ! {
     P::populate_zero_page(&mut zero_page);
 
     let cmdline = kernel::try_load_cmdline(&mut fwcfg).unwrap_or_default();
-    let cmdline_sha2_256_digest = cmdline.measure();
 
     // Safety: this is the only place where we try to load a kernel, so the backing
     // memory is unused.
@@ -179,14 +176,22 @@ pub fn rust64_start<P: hal::Platform>() -> ! {
     let memory_map_sha2_256_digest = zero_page.e820_table().measure();
 
     // Generate Stage0 Event Log data.
-    let (event_log_proto, event_sha2_256_digest) = oak_stage0_dice::generate_event_log(
-        kernel_sha2_256_digest.as_bytes().to_vec(),
-        acpi_sha2_256_digest.as_bytes().to_vec(),
-        memory_map_sha2_256_digest.as_bytes().to_vec(),
-        ram_disk_sha2_256_digest.as_bytes().to_vec(),
-        setup_data_sha2_256_digest.as_bytes().to_vec(),
-        cmdline.clone(),
+    let stage0_event = oak_stage0_dice::encoded_stage0_event(
+        oak_proto_rust::oak::attestation::v1::Stage0Measurements {
+            setup_data_digest: setup_data_sha2_256_digest.as_bytes().to_vec(),
+            kernel_measurement: kernel_sha2_256_digest.as_bytes().to_vec(),
+            ram_disk_digest: ram_disk_sha2_256_digest.as_bytes().to_vec(),
+            memory_map_digest: memory_map_sha2_256_digest.as_bytes().to_vec(),
+            acpi_digest: acpi_sha2_256_digest.as_bytes().to_vec(),
+            kernel_cmdline: cmdline.clone(),
+        },
     );
+    let event_sha2_256_digest = Sha256::digest(&stage0_event).to_vec();
+    let event_log_proto = {
+        let mut base = oak_proto_rust::oak::attestation::v1::EventLog::default();
+        base.encoded_events.push(stage0_event.to_vec());
+        base
+    };
 
     log::debug!("Kernel image digest: sha2-256:{}", hex::encode(kernel_sha2_256_digest));
     log::debug!("Kernel setup data digest: sha2-256:{}", hex::encode(setup_data_sha2_256_digest));
@@ -196,31 +201,13 @@ pub fn rust64_start<P: hal::Platform>() -> ! {
     log::debug!("E820 table digest: sha2-256:{}", hex::encode(memory_map_sha2_256_digest));
     log::debug!("Event digest: sha2-256:{}", hex::encode(event_sha2_256_digest));
 
-    // TODO: b/331252282 - Remove temporary workaround for cmd line length.
-    let cmdline_max_len = 256;
-    let measurements = oak_stage0_dice::Measurements {
-        acpi_sha2_256_digest,
-        kernel_sha2_256_digest,
-        cmdline_sha2_256_digest,
-        cmdline: if cmdline.len() > cmdline_max_len {
-            cmdline[..cmdline_max_len].to_string()
-        } else {
-            cmdline.clone()
-        },
-        ram_disk_sha2_256_digest,
-        setup_data_sha2_256_digest,
-        memory_map_sha2_256_digest,
-        event_sha2_256_digest,
-    };
-
     let tee_platform = P::tee_platform();
 
     let (dice_data_struct, dice_data_proto) = oak_stage0_dice::generate_dice_data(
-        &measurements,
         P::get_attestation,
         P::get_derived_key,
         tee_platform,
-        event_log_proto.clone(),
+        &stage0_event,
     );
     let dice_data = Box::leak(Box::new_in(dice_data_struct, &crate::BOOT_ALLOC));