fix: Temporarily allow WARNING as well as AFFIRMING status in EAR sub…

…-modules. Keeps things working while deeper issues are addressed. Signed-off-by: Paul Howard <paul.howard@arm.com>
veraison · Aug 28, 2024 · a1c61cd · a1c61cd
1 parent 417fc89
commit a1c61cd
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/rust-keybroker/keybroker-server/src/verifier.rs b/rust-keybroker/keybroker-server/src/verifier.rs
@@ -60,12 +60,14 @@ pub fn verify_with_veraison_instance(
         verification_key_string.as_bytes(),
     )?;
 
-    // The simplest possible appraisal policy: accept if we have an AFFIRMING result from
-    // every submodule of the token.
-    let verified = ear
-        .submods
-        .iter()
-        .all(|(_module, appraisal)| appraisal.status == TrustTier::Affirming);
+    // The simplest possible appraisal policy: accept if we have an AFFIRMING or WARNING result
+    // from every submodule.
+    // TODO: This policy is rather too "relaxed" - the simplest and strictest policy would be
+    //       to require AFFIRMING from every submodule. We have some integration issues with Veraison
+    //       today that prevent this.
+    let verified = ear.submods.iter().all(|(_module, appraisal)| {
+        appraisal.status == TrustTier::Affirming || appraisal.status == TrustTier::Warning
+    });
 
     Ok(verified)
 }