add min_tcb_evaluation_data_number to VerifiedOutput

Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>

Author: bluele

crates/collaterals/src/enclave_identity.rs

@@ -85,7 +85,7 @@ impl EnclaveIdentityV2Builder {
         }
     }
 
-    pub fn tcb_evaluation_data_number(self, tcb_evaluation_data_number: u64) -> Self {
+    pub fn tcb_evaluation_data_number(self, tcb_evaluation_data_number: u32) -> Self {
         Self {
             obj: EnclaveIdentityV2Inner {
                 tcb_evaluation_data_number,

crates/quote-verifier/src/quotes/mod.rs

@@ -27,6 +27,14 @@ use dcap_types::{EnclaveIdentityV2TcbStatus, Status, TcbInfoV3TcbStatus};
 use dcap_types::{ECDSA_256_WITH_P256_CURVE, INTEL_QE_VENDOR_ID};
 use x509_parser::certificate::X509Certificate;
 
+/// The TCB info of the QE
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct QETCB {
+    pub tcb_evaluation_data_number: u32,
+    pub tcb_status: EnclaveIdentityV2TcbStatus,
+    pub advisory_ids: Vec<String>,
+}
+
 /// common_verify_and_fetch_tcb is a common function that verifies the quote and fetches the TCB info
 ///
 /// # Arguments
@@ -46,7 +54,6 @@ use x509_parser::certificate::X509Certificate;
 ///
 /// * A tuple containing:
 /// * The TCB status of the QE
-/// * The advisory IDs of the QE
 /// * The SGX extensions from the PCK leaf certificate
 /// * The TCB info
 /// * The validity intersection of all collaterals
@@ -62,13 +69,7 @@ fn common_verify_and_fetch_tcb(
     qe_cert_data: &CertData,
     collaterals: &IntelCollateral,
     current_time: u64,
-) -> Result<(
-    EnclaveIdentityV2TcbStatus,
-    Vec<String>,
-    SgxExtensions,
-    TcbInfo,
-    ValidityIntersection,
-)> {
+) -> Result<(QETCB, SgxExtensions, TcbInfo, ValidityIntersection)> {
     // get the certchain embedded in the ecda quote signature data
     // this can be one of 5 types, and we only support type 5
     // https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/aa239d25a437a28f3f4de92c38f5b6809faac842/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_3.h#L63C4-L63C112
@@ -143,41 +144,28 @@ fn common_verify_and_fetch_tcb(
     };
 
     // validate QE Report and Quote Body
-    let (qe_tcb_status, advisory_ids, pck_cert_sgx_extensions) = {
-        let (qe_tcb_status, advisory_ids) = verify_qe_report(
-            qe_report,
-            ecdsa_attestation_pubkey,
-            qe_auth_data,
-            &qeidentityv2,
-            &pck_leaf_cert,
-            qe_report_signature,
-        )?;
-        verify_quote_attestation(
-            quote_header,
-            quote_body,
-            ecdsa_attestation_pubkey,
-            ecdsa_attestation_signature,
-        )
-        .context("Invalid quote attestation")?;
-
-        (
-            qe_tcb_status,
-            advisory_ids,
-            extract_sgx_extensions(&pck_leaf_cert)?,
-        )
-    };
+    let qe_tcb = verify_qe_report(
+        qe_report,
+        ecdsa_attestation_pubkey,
+        qe_auth_data,
+        &qeidentityv2,
+        &pck_leaf_cert,
+        qe_report_signature,
+    )?;
+    verify_quote_attestation(
+        quote_header,
+        quote_body,
+        ecdsa_attestation_pubkey,
+        ecdsa_attestation_signature,
+    )
+    .context("Invalid quote attestation")?;
+    let pck_cert_sgx_extensions = extract_sgx_extensions(&pck_leaf_cert)?;
 
     if !validity.validate() {
         bail!("Validity intersection provided from collaterals is invalid");
     }
 
-    Ok((
-        qe_tcb_status,
-        advisory_ids,
-        pck_cert_sgx_extensions,
-        tcb_info,
-        validity,
-    ))
+    Ok((qe_tcb, pck_cert_sgx_extensions, tcb_info, validity))
 }
 
 fn check_quote_header(quote_header: &QuoteHeader, expected_quote_version: u16) -> Result<()> {
@@ -206,7 +194,7 @@ fn verify_qe_report(
     qeidentityv2: &EnclaveIdentityV2,
     pck_leaf_cert: &X509Certificate,
     qe_report_signature: &[u8; 64],
-) -> Result<(EnclaveIdentityV2TcbStatus, Vec<String>)> {
+) -> Result<QETCB> {
     // validate QEReport then get TCB Status
     if !validate_qe_report_data(
         &qe_report.report_data,
@@ -228,7 +216,14 @@ fn verify_qe_report(
 
     // https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/29bd3b0a3b46c1159907d656b45f378f97e7e686/Src/AttestationLibrary/src/Verifiers/EnclaveReportVerifier.cpp#L92
     // https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/7e5b2a13ca5472de8d97dd7d7024c2ea5af9a6ba/Src/AttestationLibrary/src/Verifiers/QuoteVerifier.cpp#L286
-    get_qe_tcbstatus(qe_report.isv_svn, &qeidentityv2.enclave_identity.tcb_levels)
+    let (tcb_status, advisory_ids) =
+        get_qe_tcbstatus(qe_report.isv_svn, &qeidentityv2.enclave_identity.tcb_levels)?;
+
+    Ok(QETCB {
+        tcb_evaluation_data_number: qeidentityv2.enclave_identity.tcb_evaluation_data_number,
+        tcb_status,
+        advisory_ids,
+    })
 }
 
 /// Verify the attestation signature for the quote (header + body) using the attestation public key

crates/quote-verifier/src/quotes/version_3.rs

@@ -9,6 +9,7 @@ use crate::{
     VERIFIER_VERSION,
 };
 use anyhow::{bail, Context};
+use core::cmp::min;
 use dcap_types::{
     quotes::{body::QuoteBody, version_3::QuoteV3},
     tcbinfo::TcbInfo,
@@ -22,19 +23,18 @@ pub fn verify_quote_dcapv3(
     check_quote_header(&quote.header, 3).context("invalid quote header")?;
 
     let quote_body = QuoteBody::SGXQuoteBody(quote.isv_enclave_report);
-    let (qe_tcb_status, qe_advisory_ids, sgx_extensions, tcb_info, validity) =
-        common_verify_and_fetch_tcb(
-            &quote.header,
-            &quote_body,
-            &quote.signature.isv_enclave_report_signature,
-            &quote.signature.ecdsa_attestation_key,
-            &quote.signature.qe_report,
-            &quote.signature.qe_report_signature,
-            &quote.signature.qe_auth_data.data,
-            &quote.signature.qe_cert_data,
-            collaterals,
-            current_time,
-        )?;
+    let (qe_status, sgx_extensions, tcb_info, validity) = common_verify_and_fetch_tcb(
+        &quote.header,
+        &quote_body,
+        &quote.signature.isv_enclave_report_signature,
+        &quote.signature.ecdsa_attestation_key,
+        &quote.signature.qe_report,
+        &quote.signature.qe_report_signature,
+        &quote.signature.qe_auth_data.data,
+        &quote.signature.qe_cert_data,
+        collaterals,
+        current_time,
+    )?;
     if !validity.validate_time(current_time) {
         bail!(
             "certificates are expired: validity={} current_time={}",
@@ -50,12 +50,16 @@ pub fn verify_quote_dcapv3(
         version: VERIFIER_VERSION,
         quote_version: quote.header.version,
         tee_type: quote.header.tee_type,
-        tcb_status: converge_tcb_status_with_qe_tcb(tcb_status, qe_tcb_status),
+        tcb_status: converge_tcb_status_with_qe_tcb(tcb_status, qe_status.tcb_status),
+        min_tcb_evaluation_data_number: min(
+            qe_status.tcb_evaluation_data_number,
+            tcb_info_v3.tcb_info.tcb_evaluation_data_number,
+        ),
         fmspc: sgx_extensions.fmspc,
         sgx_intel_root_ca_hash: keccak256sum(collaterals.sgx_intel_root_ca_der.as_ref()),
         validity,
         quote_body,
-        advisory_ids: merge_advisory_ids(tcb_advisory_ids, qe_advisory_ids),
+        advisory_ids: merge_advisory_ids(tcb_advisory_ids, qe_status.advisory_ids),
     })
 }
 
@@ -143,11 +147,13 @@ mod tests {
         // fmspc and tcb_levels must be consistent with the sgx extensions in the pck cert
         let tcb_info = TcbInfoV3Builder::new(true)
             .fmspc([0, 96, 106, 0, 0, 0])
+            .tcb_evaluation_data_number(2)
             .tcb_levels(target_tcb_levels)
             .build_and_sign(&tcb_certchain.key)
             .unwrap();
 
         let qe_identity = EnclaveIdentityV2Builder::new(EnclaveIdentityId::QE)
+            .tcb_evaluation_data_number(1)
             .tcb_levels_json(json!([
             {
               "tcb": {
@@ -172,5 +178,7 @@ mod tests {
         let current_time = 1730000000;
         let res = verify_quote_dcapv3(&quote, &collateral, current_time);
         assert!(res.is_ok(), "{:?}", res);
+        let output = res.unwrap();
+        assert_eq!(output.min_tcb_evaluation_data_number, 1);
     }
 }

crates/quote-verifier/src/quotes/version_4.rs

@@ -10,6 +10,7 @@ use crate::{
     VERIFIER_VERSION,
 };
 use anyhow::{bail, Context};
+use core::cmp::min;
 use dcap_types::{
     quotes::{body::QuoteBody, version_4::QuoteV4, CertDataType},
     tcbinfo::TcbInfo,
@@ -38,19 +39,18 @@ pub fn verify_quote_dcapv4(
         );
     };
 
-    let (qe_tcb_status, qe_advisory_ids, sgx_extensions, tcb_info, validity) =
-        common_verify_and_fetch_tcb(
-            &quote.header,
-            &quote.quote_body,
-            &quote.signature.quote_signature,
-            &quote.signature.ecdsa_attestation_key,
-            &qe_report_cert_data.qe_report,
-            &qe_report_cert_data.qe_report_signature,
-            &qe_report_cert_data.qe_auth_data.data,
-            &qe_report_cert_data.qe_cert_data,
-            collaterals,
-            current_time,
-        )?;
+    let (qe_tcb, sgx_extensions, tcb_info, validity) = common_verify_and_fetch_tcb(
+        &quote.header,
+        &quote.quote_body,
+        &quote.signature.quote_signature,
+        &quote.signature.ecdsa_attestation_key,
+        &qe_report_cert_data.qe_report,
+        &qe_report_cert_data.qe_report_signature,
+        &qe_report_cert_data.qe_auth_data.data,
+        &qe_report_cert_data.qe_cert_data,
+        collaterals,
+        current_time,
+    )?;
 
     if !validity.validate_time(current_time) {
         bail!(
@@ -73,7 +73,7 @@ pub fn verify_quote_dcapv4(
     let (sgx_tcb_status, tdx_tcb_status, tcb_advisory_ids) =
         get_sgx_tdx_fmspc_tcbstatus_v3(tee_type, Some(tee_tcb_svn), &sgx_extensions, &tcb_info_v3)?;
 
-    let mut advisory_ids = merge_advisory_ids(tcb_advisory_ids, qe_advisory_ids);
+    let mut advisory_ids = merge_advisory_ids(tcb_advisory_ids, qe_tcb.advisory_ids);
     let mut tcb_status: TcbInfoV3TcbStatus;
     if quote.header.tee_type == SGX_TEE_TYPE {
         tcb_status = sgx_tcb_status;
@@ -116,7 +116,11 @@ pub fn verify_quote_dcapv4(
         version: VERIFIER_VERSION,
         quote_version: quote.header.version,
         tee_type: quote.header.tee_type,
-        tcb_status: converge_tcb_status_with_qe_tcb(tcb_status, qe_tcb_status),
+        tcb_status: converge_tcb_status_with_qe_tcb(tcb_status, qe_tcb.tcb_status),
+        min_tcb_evaluation_data_number: min(
+            qe_tcb.tcb_evaluation_data_number,
+            tcb_info_v3.tcb_info.tcb_evaluation_data_number,
+        ),
         fmspc: sgx_extensions.fmspc,
         sgx_intel_root_ca_hash: sha256sum(collaterals.sgx_intel_root_ca_der.as_ref()),
         validity,

crates/quote-verifier/src/verifier.rs

@@ -116,6 +116,9 @@ pub struct VerifiedOutput {
     /// TCB status
     /// length: 1 byte
     pub tcb_status: Status,
+    /// Minimum TCB evaluation data number
+    /// length: 4 bytes
+    pub min_tcb_evaluation_data_number: u32,
     /// FMSPC
     /// length: 6 bytes
     pub fmspc: [u8; 6],
@@ -145,6 +148,7 @@ impl VerifiedOutput {
         output_vec.extend_from_slice(&self.quote_version.to_be_bytes());
         output_vec.extend_from_slice(&self.tee_type.to_be_bytes());
         output_vec.push(self.tcb_status.as_u8());
+        output_vec.extend_from_slice(&self.min_tcb_evaluation_data_number.to_be_bytes());
         output_vec.extend_from_slice(&self.fmspc);
         output_vec.extend_from_slice(&self.sgx_intel_root_ca_hash);
         output_vec.extend_from_slice(&self.validity.not_before_max.to_be_bytes());
@@ -176,18 +180,20 @@ impl VerifiedOutput {
         let mut tee_type = [0; 4];
         tee_type.copy_from_slice(&slice[4..8]);
         let tcb_status = Status::from_u8(slice[8])?;
+        let mut min_tcb_evaluation_data_number = [0; 4];
+        min_tcb_evaluation_data_number.copy_from_slice(&slice[9..13]);
         let mut fmspc = [0; 6];
-        fmspc.copy_from_slice(&slice[9..15]);
+        fmspc.copy_from_slice(&slice[13..19]);
 
         let mut sgx_intel_root_ca_hash = [0; 32];
-        sgx_intel_root_ca_hash.copy_from_slice(&slice[15..47]);
+        sgx_intel_root_ca_hash.copy_from_slice(&slice[19..51]);
 
         let mut not_before_max = [0; 8];
-        not_before_max.copy_from_slice(&slice[47..55]);
+        not_before_max.copy_from_slice(&slice[51..59]);
         let mut not_after_min = [0; 8];
-        not_after_min.copy_from_slice(&slice[55..63]);
+        not_after_min.copy_from_slice(&slice[59..67]);
 
-        const QUOTE_BODY_OFFSET: usize = 63;
+        const QUOTE_BODY_OFFSET: usize = 67;
         let (quote_body, advisory_ids_offset) = match u32::from_be_bytes(tee_type) {
             SGX_TEE_TYPE => {
                 let raw_quote_body =
@@ -214,6 +220,7 @@ impl VerifiedOutput {
             quote_version: u16::from_be_bytes(quote_version),
             tee_type: u32::from_be_bytes(tee_type),
             tcb_status,
+            min_tcb_evaluation_data_number: u32::from_be_bytes(min_tcb_evaluation_data_number),
             fmspc,
             sgx_intel_root_ca_hash,
             validity: ValidityIntersection {

crates/types/src/enclave_identity.rs

@@ -144,7 +144,7 @@ pub struct EnclaveIdentityV2Inner {
     pub version: u64,
     pub issue_date: String,
     pub next_update: String,
-    pub tcb_evaluation_data_number: u64,
+    pub tcb_evaluation_data_number: u32,
     pub miscselect: String,
     pub miscselect_mask: String,
     pub attributes: String,

zkvm/risc0/Cargo.toml

@@ -6,11 +6,17 @@ edition = "2021"
 [package.metadata.risc0]
 methods = ["guest"]
 
+[dependencies]
+risc0-zkvm = { version = "=1.2.2", default-features = false, optional = true }
+
 [build-dependencies]
 risc0-build = { version = "=1.2.2", features = ["docker", "unstable"] }
 risc0-binfmt = { version = "=1.2.2", default-features = false }
 
 [dev-dependencies]
 risc0-zkvm = { version = "=1.2.2", default-features = false, features = ["prove"] }
 hex = { version = "0.4", default-features = false, features = ["alloc"] }
-dcap-quote-verifier = { path = "../../crates/quote-verifier" }
+dcap-quote-verifier = { path = "../../crates/quote-verifier" }
+
+[features]
+cuda = ["risc0-zkvm?/cuda"]

zkvm/risc0/artifacts/dcap-quote-verifier

@@ -1,4 +1,4 @@
 
-pub const DCAP_QUOTE_VERIFIER_ID: [u32; 8] = [1310702660, 1468422329, 87586300, 1252053983, 3549838645, 1249629134, 1412581844, 922648141];
-pub const DCAP_QUOTE_VERIFIER_ID_STR: &str = "44bc1f4eb9588657fc753805dfd3a04a353d96d3ced37b4ad44932544d7efe36";
+pub const DCAP_QUOTE_VERIFIER_ID: [u32; 8] = [927428042, 1559589155, 2728204900, 3879470470, 2705950934, 683452413, 3440644992, 2443300394];
+pub const DCAP_QUOTE_VERIFIER_ID_STR: &str = "ca6d47372371f55c641a9da286053ce7d68849a1fda7bc28801314cd2acea191";
 pub const DCAP_QUOTE_VERIFIER_ELF: &[u8] = include_bytes!("../artifacts/dcap-quote-verifier");