
Commit bda87ac

policy: add checks for PolicyEvaluationInfo fields
A new() constructor is added to centralize the validation of PolicyEvaluationInfo fields. The constructor requires the platform TCB fields unconditionally and the MigTD TCB information conditionally: the latter may be absent only when the test_disable_tcb_mapping_check feature is enabled, which is intended for testing only. Signed-off-by: Jiaqi Gao <[email protected]>
1 parent 2ed64ff commit bda87ac

6 files changed

+57
-19
lines changed


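--- a/.github/workflows/integration-tdx.yml
+++ b/.github/workflows/integration-tdx.yml
@@ -64,7 +64,7 @@ jobs:
 popd
 
 - name: Build Migration TD binary with policy v2
-run: cargo image --policy-v2 --policy config/templates/policy_v2_signed.json --policy-issuer-chain config/templates/policy_issuer_chain.pem --root-ca config/Intel_SGX_Provisioning_Certification_RootCA_preproduction.cer
+run: cargo image --features test_disable_tcb_mapping_check --policy-v2 --policy config/templates/policy_v2_signed.json --policy-issuer-chain config/templates/policy_issuer_chain.pem --root-ca config/Intel_SGX_Provisioning_Certification_RootCA_preproduction.cer
 
 - name: Run Tests - Test policy v2
 run: |
@@ -114,7 +114,7 @@ jobs:
 popd
 
 - name: Build Migration TD binary with policy v2
-run: cargo image --no-default-features --features stack-guard,virtio-serial --policy-v2 --policy config/templates/policy_v2_signed.json --policy-issuer-chain config/templates/policy_issuer_chain.pem --root-ca config/Intel_SGX_Provisioning_Certification_RootCA_preproduction.cer
+run: cargo image --no-default-features --features stack-guard,virtio-serial,test_disable_tcb_mapping_check --policy-v2 --policy config/templates/policy_v2_signed.json --policy-issuer-chain config/templates/policy_issuer_chain.pem --root-ca config/Intel_SGX_Provisioning_Certification_RootCA_preproduction.cer
 
 - name: Run Tests - Test policy v2
 run: |
@@ -228,7 +228,7 @@ jobs:
 run: echo "SPDM_CONFIG=../../../config/spdm_config_policy_v2.json" >> "$GITHUB_ENV"
 
 - name: Build Migration TD binary with SPDM feature and Policy V2
-run: cargo image --features spdm_attestation --policy-v2 --policy config/templates/policy_v2_signed.json --policy-issuer-chain config/templates/policy_issuer_chain.pem
+run: cargo image --features spdm_attestation,test_disable_tcb_mapping_check --policy-v2 --policy config/templates/policy_v2_signed.json --policy-issuer-chain config/templates/policy_issuer_chain.pem
 
 - name: Run Tests - Test Migration TD 20 Cycles
 run: |
@@ -237,7 +237,7 @@ jobs:
 popd
 
 - name: Build Migration TD binary with SPDM feature and Policy V2
-run: cargo image --no-default-features --features stack-guard,virtio-serial,spdm_attestation --policy-v2 --policy config/templates/policy_v2_signed.json --policy-issuer-chain config/templates/policy_issuer_chain.pem
+run: cargo image --no-default-features --features stack-guard,virtio-serial,spdm_attestation,test_disable_tcb_mapping_check --policy-v2 --policy config/templates/policy_v2_signed.json --policy-issuer-chain config/templates/policy_issuer_chain.pem
 
 - name: Run Tests - Test Migration TD 20 Cycles
 run: |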
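Review bot: Every policy-v2 build step in this workflow now enables `test_disable_tcb_mapping_check`, so CI no longer compiles or runs the path in which a missing MigTD TCB level is rejected — the check this commit introduces is effectively untested. Keep at least one policy-v2 build without the feature, using a policy template that does carry a MigTD TCB mapping, or add a negative run that expects the `ServtdTcbNotFound` failure. If the template cannot be updated yet, record why the bypass is in place on the step, e.g. `# test_disable_tcb_mapping_check: template policy lacks a MigTD TCB mapping; drop once it has one`, so the flag does not outlive its reason.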

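--- a/src/migtd/Cargo.toml
+++ b/src/migtd/Cargo.toml
@@ -71,6 +71,7 @@ oneshot-apic = []
 test_heap_size = ["td-benchmark", "td-payload/test_heap_size"]
 test_stack_size = ["td-benchmark"]
 test_disable_ra_and_accept_all = ["attestation/test"] # Dangerous: can only be used for test purpose to bypass the remote attestation
+test_disable_tcb_mapping_check = ["policy/test_disable_tcb_mapping_check"]# Dangerous: can only be used for test purpose to bypass the tcb mapping check
 spdm_attestation = ["main"]
 
 [patch.crates-io]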
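Review bot: The new feature line runs the closing `]` straight into the `# Dangerous:` comment, unlike the `test_disable_ra_and_accept_all` line directly above it; `test_disable_tcb_mapping_check = ["policy/test_disable_tcb_mapping_check"] # Dangerous: can only be used for test purpose to bypass the tcb mapping check`. Since this feature disables a policy check, the comment could also state the rule that keeps it out of production, e.g. `# Must never be listed under default features or enabled in a release image`.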

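--- a/src/migtd/src/mig_policy.rs
+++ b/src/migtd/src/mig_policy.rs
@@ -262,14 +262,13 @@ mod v2 {
 
 let migtd_tcb = migtd_svn.and_then(|svn| policy.servtd_identity.get_tcb_level_by_svn(svn));
 
-Ok(PolicyEvaluationInfo {
-tcb_date: Some(tcb_date.to_string()),
-tcb_status: Some(tcb_status.as_str().to_string()),
-tcb_evaluation_number: Some(tcb_evaluation_number),
-fmspc: Some(fmspc),
-migtd_tcb_date: migtd_tcb.map(|tcb| tcb.tcb_date.clone()),
-migtd_tcb_status: migtd_tcb.map(|tcb| tcb.tcb_status.clone()),
-})
+PolicyEvaluationInfo::new(
+Some(tcb_date.to_string()),
+Some(tcb_status.as_str().to_string()),
+Some(tcb_evaluation_number),
+Some(fmspc),
+migtd_tcb,
+)
 }
 
 fn get_tcb_date_and_status_from_suppl_data(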
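Review bot: `migtd_tcb` is `None` both when `migtd_svn` is absent and when `get_tcb_level_by_svn` has no entry for that SVN (context line 263), and after this change both collapse into the single `ServtdTcbNotFound` that `new()` returns; a report carrying no MigTD SVN and a policy lacking a mapping for a known SVN are different failure modes an operator needs to tell apart when a migration is refused. Resolving the SVN before the call, e.g. `let migtd_svn = migtd_svn.ok_or(PolicyError::ServtdTcbNotFound)?;` with a dedicated `PolicyError` variant for the missing-SVN case, keeps the two distinguishable. The enclosing function begins outside the hunk, so how `migtd_svn` is derived is not visible here.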

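--- a/src/policy/Cargo.toml
+++ b/src/policy/Cargo.toml
@@ -18,3 +18,4 @@ td-shim-interface = { path = "../../deps/td-shim/td-shim-interface"}
 [features]
 std = []
 policy_v2 = []
+test_disable_tcb_mapping_check = []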

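--- a/src/policy/src/lib.rs
+++ b/src/policy/src/lib.rs
@@ -52,6 +52,8 @@ pub enum PolicyError {
 InvalidReference,
 InvalidServtdIdentity,
 InvalidServtdTcbMapping,
+PlatformTcbNotFound,
+ServtdTcbNotFound,
 PolicyHashMismatch,
 InvalidQuote,
 SvnMismatch,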
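Review bot: The two added variants carry no doc comment, and their names alone do not say which inputs trigger them; from the constructor in `v2/policy.rs` that returns them, `PlatformTcbNotFound` fires when any of the platform TCB date, status, evaluation number or FMSPC is absent, and `ServtdTcbNotFound` when no MigTD TCB level was resolved. Suggest `/// One of the platform TCB fields (date, status, evaluation number, FMSPC) is missing` and `/// No MigTD TCB level could be resolved for the reported SVN` above the respective lines, so the meaning survives once the error is matched far from the constructor.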

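--- a/src/policy/src/v2/policy.rs
+++ b/src/policy/src/v2/policy.rs
@@ -10,7 +10,7 @@ use serde_json::{self, value::RawValue};
 use crate::{
 parse_events,
 v2::{bytes_to_hex_string, hex_string_to_bytes, policy, verify_event_hash},
-Collaterals, EventName, PolicyError, ServtdCollateral, TdIdentity, TdTcbMapping,
+Collaterals, EventName, PolicyError, ServtdCollateral, TcbLevel, TdIdentity, TdTcbMapping,
 };
 
 #[derive(Debug)]
@@ -58,22 +58,57 @@ impl TryFrom<&str> for TcbStatus {
 #[derive(Debug, Clone, Default)]
 pub struct PolicyEvaluationInfo {
 /// The date of the Trusted Computing Base (TCB) in ISO-8601 format, e.g. "2023-06-19T00:00:00Z"
-pub tcb_date: Option<String>,
+tcb_date: Option<String>,
 
 /// The status of the TCB
-pub tcb_status: Option<String>,
+tcb_status: Option<String>,
 
 /// The TCB evaluation data number used to track TCB revocations and updates
-pub tcb_evaluation_number: Option<u32>,
+tcb_evaluation_number: Option<u32>,
 
 /// The FMSPC of platform
-pub fmspc: Option<[u8; 6]>,
+fmspc: Option<[u8; 6]>,
 
 /// The status of the MigTD TCB
-pub migtd_tcb_status: Option<String>,
+migtd_tcb_status: Option<String>,
 
 /// The date of the MigTD TCB in ISO-8601 format, e.g. "2023-06-19T00:00:00Z"
-pub migtd_tcb_date: Option<String>,
+migtd_tcb_date: Option<String>,
+}
+
+impl PolicyEvaluationInfo {
+/// Creates a new `PolicyEvaluationInfo` instance, validating that required fields are present.
+pub fn new(
+tcb_date: Option<String>,
+tcb_status: Option<String>,
+tcb_evaluation_number: Option<u32>,
+fmspc: Option<[u8; 6]>,
+migtd_tcb: Option<&TcbLevel>,
+) -> Result<Self, PolicyError> {
+let info = Self {
+tcb_date,
+tcb_status,
+tcb_evaluation_number,
+fmspc,
+migtd_tcb_date: migtd_tcb.map(|tcb| tcb.tcb_date.clone()),
+migtd_tcb_status: migtd_tcb.map(|tcb| tcb.tcb_status.clone()),
+};
+
+if info.tcb_date.is_none()
+|| info.tcb_status.is_none()
+|| tcb_evaluation_number.is_none()
+|| fmspc.is_none()
+{
+return Err(PolicyError::PlatformTcbNotFound);
+}
+
+#[cfg(not(feature = "test_disable_tcb_mapping_check"))]
+if info.migtd_tcb_date.is_none() || info.migtd_tcb_status.is_none() {
+return Err(PolicyError::ServtdTcbNotFound);
+}
+
+Ok(info)
+}
 }
 
 pub struct VerifiedPolicy<'a> {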
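Review bot: The `Default` derive kept on `PolicyEvaluationInfo` (context line directly above the struct) still lets any caller obtain an all-`None` instance through `PolicyEvaluationInfo::default()`, which sidesteps every check `new()` introduces; making the fields private only closes the struct-literal route. Unless a `Default` is relied on elsewhere, drop it so `new()` is the sole constructor: `#[derive(Debug, Clone)]`. No accessors are added in this hunk, so any code outside this module that previously read the now-private fields will need them — worth confirming against the consumers. The `cfg`-gated branch accepts a missing MigTD TCB level without leaving any trace at runtime, so the doc comment on `new()` should say so: `/// With the `test_disable_tcb_mapping_check` feature (test builds only) a missing MigTD TCB level is accepted; otherwise it is reported as `ServtdTcbNotFound`.` The presence checks also mix `info.tcb_date` with the bare `tcb_evaluation_number` and `fmspc` parameters; reading all four through `info.` keeps the intent uniform.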
