chore: greater protection for release mode #72

wants to merge 4 commits into
base: main
4 changes: 4 additions & 0 deletions Cargo.toml
Expand Up @@ -46,6 +46,10 @@ rstest = { version = "0.16", default-features = false }
sgx = { version = "0.6.0", default-features = false }
testaso = { version = "0.1", default-features = false }

[features]
default = []
insecure = []

[profile.release]
incremental = false
codegen-units = 1
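Review bot: The `insecure` feature is declared only in this root manifest, but the `#[cfg(feature = "insecure")]` gates added in this PR live in `crates/sgx_validation` and `crates/snp_validation`, and a Cargo feature is scoped to the package that declares it. Unless those crates' own Cargo.toml files (not in this diff) declare `insecure` and the root forwards it, e.g. `insecure = ["sgx_validation/insecure", "snp_validation/insecure"]`, the sub-crate cfgs will never be set and only the `kvm` gate in the root crate will actually change behaviour; conversely, once forwarded, Cargo feature unification means any crate in the graph enabling it turns it on for the whole build. A comment on the feature would help future readers judge that: `# insecure: skips binding the CSR key to the hardware report; never enable for a shipped steward`.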
Binary file added crates/sgx_validation/src/icelake.csr
Binary file not shown.
1 change: 1 addition & 0 deletions crates/sgx_validation/src/icelake_signed.csr
@@ -0,0 +1 @@
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
9 changes: 6 additions & 3 deletions crates/sgx_validation/src/lib.rs
Expand Up @@ -12,9 +12,12 @@ use std::fmt::Debug;
use crate::config::Config;
use anyhow::{bail, ensure, Result};
use cryptography::const_oid::ObjectIdentifier;
#[cfg(not(feature = "insecure"))]
use cryptography::sha2::{Digest, Sha256};
use cryptography::x509::{ext::Extension, request::CertReqInfo, Certificate, TbsCertificate};
use der::{Decode, Encode};
use der::Decode;
#[cfg(not(feature = "insecure"))]
use der::Encode;

#[derive(Clone, Debug)]
pub struct Sgx([Certificate<'static>; 1]);
Expand Down Expand Up @@ -44,7 +47,6 @@ impl Sgx {
cri: &CertReqInfo<'_>,
ext: &Extension<'_>,
config: Option<&Config>,
dbg: bool,
) -> Result<bool> {
ensure!(!ext.critical, "sgx extension cannot be critical");

Expand Down Expand Up @@ -82,7 +84,8 @@ impl Sgx {
"sgx pck algorithm mismatch"
);

if !dbg {
#[cfg(not(feature = "insecure"))]
{
// Validate that the certification request came from an SGX enclave.
let hash = Sha256::digest(cri.public_key.to_vec()?);
ensure!(
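Review bot: Nothing in the new code stops a release profile from being built with `--features insecure`, so the Sha256 check on `cri.public_key` in the last hunk is skipped purely on a Cargo flag, which is weaker than the "protection for release mode" the PR title promises. Since the gated block is the only thing binding the CSR key to the enclave report, an `insecure` build will accept any CSR that carries a well-formed quote; consider a crate-level guard next to the gated imports in the first hunk: `#[cfg(all(feature = "insecure", not(debug_assertions)))]` / `compile_error!("the 'insecure' feature must not be enabled in release builds");`. A one-line comment above the cfg block, `// SECURITY: the `insecure` feature drops this report-to-key binding entirely`, would also make the trade-off visible at the point where it matters. `verify` starts and ends outside these hunks, so I cannot see whether `cri` still has a use on the `insecure` path.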
8 changes: 5 additions & 3 deletions crates/snp_validation/src/lib.rs
Expand Up @@ -12,7 +12,9 @@ use cryptography::const_oid::db::rfc5912::ECDSA_WITH_SHA_384;
use cryptography::const_oid::ObjectIdentifier;
use cryptography::ext::TbsCertificateExt;
use cryptography::sec1::pkcs8::AlgorithmIdentifier;
use cryptography::sha2::{Digest, Sha384};
#[cfg(not(feature = "insecure"))]
use cryptography::sha2::Digest;
use cryptography::sha2::Sha384;
use cryptography::x509::ext::Extension;
use cryptography::x509::{request::CertReqInfo, Certificate};
use cryptography::x509::{PkiPath, TbsCertificate};
Expand Down Expand Up @@ -258,7 +260,6 @@ impl Snp {
cri: &CertReqInfo<'_>,
ext: &Extension<'_>,
config: Option<&Config>,
dbg: bool,
) -> Result<bool> {
ensure!(!ext.critical, "snp extension cannot be critical");

Expand Down Expand Up @@ -382,7 +383,8 @@ impl Snp {

ensure!(report.body.vmpl == 0, "snp report vmpl field invalid value");

if !dbg {
#[cfg(not(feature = "insecure"))]
{
// Validate that the certification request came from an SNP VM.
let hash = Sha384::digest(cri.public_key.to_vec()?);
ensure!(
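Review bot: The `ensure!` that compares the Sha384 of `cri.public_key` against the report is cut off at the end of the last hunk, so I cannot confirm it constrains all 64 bytes of the SNP `report_data`; a 48-byte digest leaves 16 trailing bytes that should be pinned too, e.g. `ensure!(report.body.report_data[48..] == [0u8; 16], "snp report_data trailing bytes not zero")`, otherwise the unchecked tail is free attacker-influenced input. The `vmpl == 0` check still runs on the `insecure` path, but with the key binding skipped a captured report from any SNP guest can be replayed alongside an unrelated CSR key, which deserves a comment above the cfg block such as `// SECURITY: with the `insecure` feature the report is no longer tied to this CSR`. `Sha384` is kept imported unconditionally while `Digest` is gated, presumably because the type is used elsewhere in the file; if that is not the case it will warn on `insecure` builds. `verify` begins before and continues after these hunks.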
Binary file added crates/snp_validation/src/milan.csr
Binary file not shown.
1 change: 1 addition & 0 deletions crates/snp_validation/src/milan_signed.csr
@@ -0,0 +1 @@
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
13 changes: 4 additions & 9 deletions src/kvm.rs
Expand Up @@ -17,12 +17,7 @@ impl Kvm {
pub(crate) const OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.4.1.58270.1.1");
pub(crate) const ATT: bool = true;

pub(crate) fn verify(
&self,
_cri: &CertReqInfo<'_>,
ext: &Extension<'_>,
dbg: bool,
) -> Result<bool> {
pub(crate) fn verify(&self, _cri: &CertReqInfo<'_>, ext: &Extension<'_>) -> Result<bool> {
if ext.critical {
return Err(anyhow!("kvm extension cannot be critical"));
}
Expand All @@ -31,10 +26,10 @@ impl Kvm {
return Err(anyhow!("invalid kvm extension"));
}

if !dbg {
return Err(anyhow!("steward not in debug mode"));
}
#[cfg(not(feature = "insecure"))]
return Err(anyhow!("steward not in debug mode"));

#[cfg(feature = "insecure")]
Ok(true)
}
}
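Review bot: The error text `"steward not in debug mode"` in the second hunk is now stale, because the `dbg` runtime flag is gone and the decision is made at compile time by the `insecure` feature; an operator seeing this message has no "debug mode" to turn on. Suggest `return Err(anyhow!("kvm attestation is only accepted in builds with the 'insecure' feature"));`. Since KVM carries no hardware-rooted report, a short comment above the gated return, `// KVM has no hardware attestation; accept it only in insecure test builds.`, would record why the non-`insecure` build fails closed here while `ATT` is still `true`.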