refactor Quote v4 verifier

bluele · bluele · commit d2e2ea597896 · 2025-02-20T22:37:57.000+09:00
Signed-off-by: Jun Kimura &lt;jun.kimura@datachain.jp&gt;
diff --git a/crates/quote-verifier/src/cert.rs b/crates/quote-verifier/src/cert.rs
@@ -75,30 +75,38 @@ pub fn get_x509_issuer_cn(cert: &X509Certificate) -> String {
     cn.as_str().unwrap().to_string()
 }
 
+/// Get the TCB status of the SGX and TDX corresponding to the given SVN from the TCB Info V3.
+/// This function returns the TCB status of the SGX and TDX, and the advisory IDs.
 /// ref. <https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/7e5b2a13ca5472de8d97dd7d7024c2ea5af9a6ba/Src/AttestationLibrary/src/Verifiers/Checks/TcbLevelCheck.cpp#L129-L181>
-pub fn get_sgx_tdx_fmspc_tcbstatus_v3(
+///
+/// # Arguments
+/// * `tee_type` - The type of TEE (SGX or TDX)
+/// * `tee_tcb_svn` - The TCB SVN of the TEE (only for TDX)
+/// * `sgx_extensions` - The SGX Extensions from the PCK Certificate
+/// * `tcbinfov3` - The TCB Info V3
+/// # Returns
+/// * `(sgx_tcb_status, tdx_tcb_status, advisory_ids)` - The TCB status of the SGX and TDX, and the advisory IDs
+pub fn get_sgx_tdx_tcb_status_v3(
     tee_type: u32,
     tee_tcb_svn: Option<[u8; 16]>,
-    // SGX Extensions from the PCK Certificate
     sgx_extensions: &SgxExtensions,
     tcbinfov3: &TcbInfoV3,
 ) -> crate::Result<(TcbInfoV3TcbStatus, Option<TcbInfoV3TcbStatus>, Vec<String>)> {
-    let is_tdx = tee_type == TDX_TEE_TYPE && tcbinfov3.tcb_info.id == "TDX";
-    if !is_tdx {
-        // check if tee_type and tcb_info.id are consistent
-        assert!(tee_type == SGX_TEE_TYPE && tcbinfov3.tcb_info.id == "SGX");
-    }
-
-    let is_tdx = if tee_type == SGX_TEE_TYPE {
-        false
+    if tee_type == SGX_TEE_TYPE {
+        if tcbinfov3.tcb_info.id != "SGX" {
+            bail!("Invalid TCB Info ID for SGX TEE Type");
+        } else if tee_tcb_svn.is_some() {
+            bail!("SGX TCB SVN is not needed");
+        }
     } else if tee_type == TDX_TEE_TYPE {
-        if tee_tcb_svn.is_none() {
+        if tcbinfov3.tcb_info.id != "TDX" {
+            bail!("Invalid TCB Info ID for TDX TEE Type");
+        } else if tee_tcb_svn.is_none() {
             bail!("TDX TCB SVN is missing");
         }
-        true
     } else {
         bail!("Unsupported TEE type: {}", tee_type);
-    };
+    }
 
     // ref. https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/7e5b2a13ca5472de8d97dd7d7024c2ea5af9a6ba/Src/AttestationLibrary/src/Verifiers/QuoteVerifier.cpp#L117
     if sgx_extensions.fmspc != tcbinfov3.tcb_info.fmspc()? {
@@ -125,15 +133,16 @@ pub fn get_sgx_tdx_fmspc_tcbstatus_v3(
             && extension_pcesvn >= tcb_level.tcb.pcesvn
         {
             sgx_tcb_status = Some(TcbInfoV3TcbStatus::from_str(tcb_level.tcb_status.as_str())?);
-            if !is_tdx {
+            if tee_type == SGX_TEE_TYPE {
                 return Ok((
                     sgx_tcb_status.unwrap(),
                     None,
                     tcb_level.advisory_ids.clone().unwrap_or_default(),
                 ));
             }
         }
-        if is_tdx && sgx_tcb_status.is_some() {
+
+        if tee_type == TDX_TEE_TYPE && sgx_tcb_status.is_some() {
             let tdxtcbcomponents = match &tcb_level.tcb.tdxtcbcomponents {
                 Some(cmps) => cmps,
                 None => bail!("TDX TCB Components are missing"),
diff --git a/crates/quote-verifier/src/quotes/version_3.rs b/crates/quote-verifier/src/quotes/version_3.rs
@@ -1,6 +1,6 @@
 use super::{check_quote_header, converge_tcb_status_with_qe_tcb, verify_quote_common, Result};
 use crate::{
-    cert::{get_sgx_tdx_fmspc_tcbstatus_v3, merge_advisory_ids},
+    cert::{get_sgx_tdx_tcb_status_v3, merge_advisory_ids},
     collaterals::IntelCollateral,
     crypto::keccak256sum,
     verifier::QuoteVerificationOutput,
@@ -41,7 +41,7 @@ pub fn verify_quote_v3(
     )?;
     let TcbInfo::V3(tcb_info_v3) = tcb_info;
     let (tcb_status, _, tcb_advisory_ids) =
-        get_sgx_tdx_fmspc_tcbstatus_v3(quote.header.tee_type, None, &sgx_extensions, &tcb_info_v3)?;
+        get_sgx_tdx_tcb_status_v3(quote.header.tee_type, None, &sgx_extensions, &tcb_info_v3)?;
 
     Ok(QuoteVerificationOutput {
         version: VERIFIER_VERSION,
diff --git a/crates/quote-verifier/src/quotes/version_4.rs b/crates/quote-verifier/src/quotes/version_4.rs
@@ -1,9 +1,9 @@
 use super::{check_quote_header, converge_tcb_status_with_qe_tcb, verify_quote_common, Result};
 use crate::{
-    cert::{get_sgx_tdx_fmspc_tcbstatus_v3, merge_advisory_ids},
+    cert::{get_sgx_tdx_tcb_status_v3, merge_advisory_ids},
     collaterals::IntelCollateral,
     crypto::sha256sum,
-    tdx_module::{converge_tcb_status_with_tdx_module_tcb, get_tdx_module_identity_and_tcb},
+    tdx_module::{check_tdx_module_tcb_status, converge_tcb_status_with_tdx_module_tcb},
     verifier::QuoteVerificationOutput,
     VERIFIER_VERSION,
 };
@@ -12,7 +12,7 @@ use core::cmp::min;
 use dcap_types::{
     quotes::{body::QuoteBody, version_4::QuoteV4, CertDataType},
     tcbinfo::TcbInfo,
-    TcbInfoV3TcbStatus, TdxModuleTcbValidationStatus, SGX_TEE_TYPE,
+    TdxModuleTcbValidationStatus, SGX_TEE_TYPE, TDX_TEE_TYPE,
 };
 
 /// Verify the given DCAP quote v4 and return the verification output.
@@ -58,61 +58,63 @@ pub fn verify_quote_v4(
 
     let TcbInfo::V3(tcb_info_v3) = tcb_info;
     let (quote_tdx_body, tee_tcb_svn) = if let QuoteBody::TD10QuoteBody(body) = &quote.quote_body {
-        (Some(body), body.tee_tcb_svn)
+        (Some(body), Some(body.tee_tcb_svn))
     } else {
-        // SGX does not produce tee_tcb_svns
-        (None, [0; 16])
+        // SGX does not produce tee_tcb_svn
+        (None, None)
     };
 
-    // check TCB level
-
     let tee_type = quote.header.tee_type;
     let (sgx_tcb_status, tdx_tcb_status, tcb_advisory_ids) =
-        get_sgx_tdx_fmspc_tcbstatus_v3(tee_type, Some(tee_tcb_svn), &sgx_extensions, &tcb_info_v3)?;
+        get_sgx_tdx_tcb_status_v3(tee_type, tee_tcb_svn, &sgx_extensions, &tcb_info_v3)?;
 
-    let mut advisory_ids = merge_advisory_ids(tcb_advisory_ids, qe_tcb.advisory_ids);
-    let mut tcb_status: TcbInfoV3TcbStatus;
-    if quote.header.tee_type == SGX_TEE_TYPE {
-        tcb_status = sgx_tcb_status;
-    } else {
-        tcb_status = tdx_tcb_status.context("TDX TCB Status not found")?;
+    let advisory_ids = merge_advisory_ids(tcb_advisory_ids, qe_tcb.advisory_ids);
+
+    let (tcb_status, advisory_ids) = if tee_type == TDX_TEE_TYPE {
+        let tdx_tcb_status = tdx_tcb_status.context("TDX TCB Status not found")?;
 
         // Fetch TDXModule TCB and TDXModule Identity
         let (
             tdx_module_tcb_status,
             tdx_module_advisory_ids,
             tdx_module_mrsigner,
             tdx_module_attributes,
-        ) = get_tdx_module_identity_and_tcb(&tee_tcb_svn, &tcb_info_v3)?;
+        ) = check_tdx_module_tcb_status(&tee_tcb_svn.unwrap_or_default(), &tcb_info_v3)?;
         if tdx_module_tcb_status == TdxModuleTcbValidationStatus::TcbNotSupported
             || tdx_module_tcb_status == TdxModuleTcbValidationStatus::TdxModuleMismatch
         {
-            // NOTE: early return - modify from the original
+            // NOTE: early return - different from the original code
             bail!("TDX Module TCB not supported or out of date");
         }
 
         // check TDX module
-        let (tdx_report_mrsigner, tdx_report_attributes) = if let Some(tdx_body) = quote_tdx_body {
-            (tdx_body.mrsignerseam, tdx_body.seam_attributes)
-        } else {
-            unreachable!();
-        };
+        let (tdx_report_mrsigner, tdx_report_attributes) = quote_tdx_body
+            .map(|tdx_body| (tdx_body.mrsignerseam, tdx_body.seam_attributes))
+            .context("TDX Quote Body not found")?;
 
-        // TODO check if these validations are correct
-        let mr_signer_matched = tdx_module_mrsigner == tdx_report_mrsigner;
-        let attributes_matched = tdx_module_attributes == tdx_report_attributes;
-        if !mr_signer_matched || !attributes_matched {
-            bail!("TDX module values mismatch");
+        // ref. https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/7e5b2a13ca5472de8d97dd7d7024c2ea5af9a6ba/Src/AttestationLibrary/src/Verifiers/QuoteVerifier.cpp#L181
+        if tdx_module_mrsigner != tdx_report_mrsigner {
+            bail!("TDX module mrsigner mismatch");
+        }
+        // ref. https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/7e5b2a13ca5472de8d97dd7d7024c2ea5af9a6ba/Src/AttestationLibrary/src/Verifiers/QuoteVerifier.cpp#L200
+        if tdx_module_attributes != tdx_report_attributes {
+            bail!("TDX module attributes mismatch");
         }
 
-        tcb_status = converge_tcb_status_with_tdx_module_tcb(tcb_status, tdx_module_tcb_status);
-        advisory_ids = merge_advisory_ids(advisory_ids, tdx_module_advisory_ids);
-    }
+        (
+            converge_tcb_status_with_tdx_module_tcb(tdx_tcb_status, tdx_module_tcb_status),
+            merge_advisory_ids(advisory_ids, tdx_module_advisory_ids),
+        )
+    } else if tee_type == SGX_TEE_TYPE {
+        (sgx_tcb_status, advisory_ids)
+    } else {
+        bail!("Unsupported TEE type: {}", tee_type);
+    };
 
     Ok(QuoteVerificationOutput {
         version: VERIFIER_VERSION,
         quote_version: quote.header.version,
-        tee_type: quote.header.tee_type,
+        tee_type,
         tcb_status: converge_tcb_status_with_qe_tcb(tcb_status, qe_tcb.tcb_status),
         min_tcb_evaluation_data_number: min(
             qe_tcb.tcb_evaluation_data_number,
diff --git a/crates/quote-verifier/src/tdx_module.rs b/crates/quote-verifier/src/tdx_module.rs
@@ -1,48 +1,53 @@
 use crate::Result;
-use anyhow::bail;
+use anyhow::Context;
 use dcap_types::tcbinfo::TcbInfoV3;
 use dcap_types::{TcbInfoV3TcbStatus, TdxModuleTcbStatus, TdxModuleTcbValidationStatus};
 use std::str::FromStr;
 
-// https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/7e5b2a13ca5472de8d97dd7d7024c2ea5af9a6ba/Src/AttestationLibrary/src/Verifiers/Checks/TdxModuleCheck.cpp#L62-L97
-pub fn get_tdx_module_identity_and_tcb(
+/// Get the TCB status of the TDX module corresponding to the given SVN.
+/// ref. <https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/7e5b2a13ca5472de8d97dd7d7024c2ea5af9a6ba/Src/AttestationLibrary/src/Verifiers/Checks/TdxModuleCheck.cpp#L62-L97>
+///
+/// # Arguments
+/// - `tee_tcb_svn`: The SVN of the TEE TCB extracted from the `TD10ReportBody::tee_tcb_svn`
+/// - `tcb_info_v3`: The TDX TCB Info V3
+/// # Returns
+/// - The TCB status of the TDX module
+pub fn check_tdx_module_tcb_status(
     tee_tcb_svn: &[u8; 16],
     tcb_info_v3: &TcbInfoV3,
 ) -> Result<(TdxModuleTcbValidationStatus, Vec<String>, [u8; 48], u64)> {
-    let tdx_module = if let Some(tdx_module_obj) = &tcb_info_v3.tcb_info.tdx_module {
-        tdx_module_obj
-    } else {
-        bail!("TDX module not found");
-    };
+    let tdx_module = tcb_info_v3
+        .tcb_info
+        .tdx_module
+        .as_ref()
+        .context("TDX module not found")?;
 
     let tdx_module_isv_svn = tee_tcb_svn[0];
     let tdx_module_version = tee_tcb_svn[1];
 
     if tdx_module_version == 0 {
         // we assume the quote header version is greater than 3
-        let mut mrsigner: [u8; 48] = [0; 48];
-        mrsigner.copy_from_slice(&hex::decode(&tdx_module.mrsigner)?);
-
         return Ok((
             TdxModuleTcbValidationStatus::Ok,
             Default::default(),
-            mrsigner,
-            from_str_to_u64(tdx_module.attributes.as_str())?,
+            tdx_module.mrsigner()?,
+            tdx_module.attributes()?,
         ));
     }
 
-    let id = format!("TDX_{:02x}", tdx_module_version);
+    let tdx_module_identity_id = format!("TDX_{:02x}", tdx_module_version);
     if let Some(tdx_module_identities) = &tcb_info_v3.tcb_info.tdx_module_identities {
-        for tdx_module_identity in tdx_module_identities.iter().filter(|m| m.id == id) {
+        for tdx_module_identity in tdx_module_identities
+            .iter()
+            .filter(|m| m.id == tdx_module_identity_id)
+        {
             for tcb_level in &tdx_module_identity.tcb_levels {
                 if tdx_module_isv_svn >= tcb_level.tcb.isvsvn {
-                    let mut mrsigner: [u8; 48] = [0; 48];
-                    mrsigner.copy_from_slice(&hex::decode(&tdx_module_identity.mrsigner)?);
                     return Ok((
                         TdxModuleTcbStatus::from_str(tcb_level.tcb_status.as_str())?.into(),
                         tcb_level.advisory_ids.clone().unwrap_or_default(),
-                        mrsigner,
-                        from_str_to_u64(tdx_module_identity.attributes.as_str())?,
+                        tdx_module_identity.mrsigner()?,
+                        tdx_module_identity.attributes()?,
                     ));
                 }
             }
@@ -63,7 +68,8 @@ pub fn get_tdx_module_identity_and_tcb(
     }
 }
 
-// https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/7e5b2a13ca5472de8d97dd7d7024c2ea5af9a6ba/Src/AttestationLibrary/src/Verifiers/Checks/TdxModuleCheck.cpp#L99-L137
+/// Converge TCB status with TDX module TCB status
+/// ref. <https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/7e5b2a13ca5472de8d97dd7d7024c2ea5af9a6ba/Src/AttestationLibrary/src/Verifiers/Checks/TdxModuleCheck.cpp#L99-L137>
 pub fn converge_tcb_status_with_tdx_module_tcb(
     tcb_status: TcbInfoV3TcbStatus,
     tdx_module_tcb_status: TdxModuleTcbValidationStatus,
@@ -83,14 +89,3 @@ pub fn converge_tcb_status_with_tdx_module_tcb(
         _ => tcb_status,
     }
 }
-
-fn from_str_to_u64(str: &str) -> Result<u64> {
-    if str.len() != 16 {
-        bail!("Invalid u64 str length");
-    }
-
-    match u64::from_str_radix(str, 16) {
-        Ok(ret) => Ok(ret),
-        Err(_) => bail!("Invalid hex character found"),
-    }
-}
diff --git a/crates/types/src/lib.rs b/crates/types/src/lib.rs
diff --git a/crates/types/src/tcbinfo.rs b/crates/types/src/tcbinfo.rs
