Tmp

microsoft · Feb 24, 2025 · ff2cb6e · ff2cb6e
1 parent 1808c9a
commit ff2cb6e
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 7 deletions.
diff --git a/include/ccf/pal/attestation_sev_snp.h b/include/ccf/pal/attestation_sev_snp.h
@@ -51,6 +51,8 @@ QPHfbkH0CyPfhl1jWhJFZasCAwEAAQ==
   static_assert(
     sizeof(TcbVersion) == sizeof(uint64_t),
     "Can't cast TcbVersion to uint64_t");
+  DECLARE_JSON_TYPE(TcbVersion);
+  DECLARE_JSON_REQUIRED_FIELDS(TcbVersion, boot_loader, tee, snp, microcode);
 
 #pragma pack(push, 1)
   struct Signature
@@ -264,6 +266,7 @@ QPHfbkH0CyPfhl1jWhJFZasCAwEAAQ==
     virtual ~AttestationInterface() = default;
   };
 
+  static uint8_t MIN_TCB_VERIF_VERSION = 3;
 #pragma pack(push, 1)
   struct CPUID
   {
@@ -287,6 +290,8 @@ QPHfbkH0CyPfhl1jWhJFZasCAwEAAQ==
     bool operator==(const AttestChipModel&) const = default;
   };
 #pragma pack(pop)
+  DECLARE_JSON_TYPE(AttestChipModel);
+  DECLARE_JSON_REQUIRED_FIELDS(AttestChipModel, family, model, stepping);
 
   constexpr AttestChipModel get_attest_chip_model(const CPUID& cpuid)
   {

diff --git a/src/node/rpc/member_frontend.h b/src/node/rpc/member_frontend.h
@@ -15,6 +15,7 @@
 #include "ccf/service/tables/jwt.h"
 #include "ccf/service/tables/members.h"
 #include "ccf/service/tables/nodes.h"
+#include "ccf/service/tables/tcb_verification.h"
 #include "frontend.h"
 #include "js/extensions/ccf/network.h"
 #include "js/extensions/ccf/node.h"

diff --git a/src/node/rpc/node_frontend.h b/src/node/rpc/node_frontend.h
@@ -1657,6 +1657,7 @@ namespace ccf
         }
 
         InternalTablesAccess::trust_static_snp_tcb_version(ctx.tx);
+        //InternalTablesAccess::trust_node_snp_tcb_version(ctx.tx, in.quote_info);
 
         std::optional<ccf::ClaimsDigest::Digest> digest =
           ccf::get_create_tx_claims_digest(ctx.tx);

diff --git a/src/service/internal_tables_access.h b/src/service/internal_tables_access.h
@@ -833,7 +833,8 @@ namespace ccf
          .base_family = 0xF,
          .extended_model = 0x0,
          .extended_family = 0x0A});
-      constexpr pal::snp::TcbVersion milan_tcb_version = {.microcode = 0xDB, .snp = 0x18};
+      constexpr pal::snp::TcbVersion milan_tcb_version = {
+        .microcode = 0xDB, .snp = 0x18};
       h->put(milan_chip_id, milan_tcb_version);
 
       constexpr auto milan_x_chip_id = pal::snp::get_attest_chip_model(
@@ -842,7 +843,8 @@ namespace ccf
          .base_family = 0xF,
          .extended_model = 0x0,
          .extended_family = 0x0A});
-      constexpr pal::snp::TcbVersion milan_x_tcb_version = {.microcode = 0x44, .snp = 0x18};
+      constexpr pal::snp::TcbVersion milan_x_tcb_version = {
+        .microcode = 0x44, .snp = 0x18};
       h->put(milan_x_chip_id, milan_x_tcb_version);
 
       constexpr auto genoa_chip_id = pal::snp::get_attest_chip_model(
@@ -851,7 +853,8 @@ namespace ccf
          .base_family = 0xF,
          .extended_model = 0x1,
          .extended_family = 0x0A});
-      constexpr pal::snp::TcbVersion genoa_tcb_version = {.microcode = 0x54, .snp = 0x17};
+      constexpr pal::snp::TcbVersion genoa_tcb_version = {
+        .microcode = 0x54, .snp = 0x17};
       h->put(genoa_chip_id, genoa_tcb_version);
 
       constexpr auto genoa_x_chip_id = pal::snp::get_attest_chip_model(
@@ -860,10 +863,26 @@ namespace ccf
          .base_family = 0xF,
          .extended_model = 0x1,
          .extended_family = 0x0A});
-      constexpr pal::snp::TcbVersion genoa_x_tcb_version = {.microcode = 0x4F, .snp = 0x17};
+      constexpr pal::snp::TcbVersion genoa_x_tcb_version = {
+        .microcode = 0x4F, .snp = 0x17};
       h->put(genoa_x_chip_id, genoa_x_tcb_version);
     }
 
+    static void trust_node_snp_tcb_version(
+      ccf::kv::Tx& tx, const pal::snp::Attestation& attestation)
+    {
+      if (attestation.version >= pal::snp::MIN_TCB_VERIF_VERSION)
+      {
+        pal::snp::AttestChipModel chip_id{
+          .family = attestation.cpuid_fam_id,
+          .model = attestation.cpuid_mod_id,
+          .stepping = attestation.cpuid_step,
+        };
+        auto h = tx.wo<ccf::SnpTcbVersionMap>(Tables::SNP_TCB_VERSIONS);
+        h->put(chip_id, attestation.reported_tcb);
+      }
+    }
+
     static void init_configuration(
       ccf::kv::Tx& tx, const ServiceConfiguration& configuration)
     {

diff --git a/src/service/network_tables.h b/src/service/network_tables.h
@@ -97,7 +97,7 @@ namespace ccf
     const SnpMeasurements snp_measurements = {Tables::NODE_SNP_MEASUREMENTS};
     const SNPUVMEndorsements snp_uvm_endorsements = {
       Tables::NODE_SNP_UVM_ENDORSEMENTS};
-    const SNPTCBVersions snp_tcb_versions = {Tables::SNP_TCB_VERSIONS};
+    const SnpTcbVersionMap snp_tcb_versions = {Tables::SNP_TCB_VERSIONS};
 
     inline auto get_all_node_tables() const
     {
@@ -110,8 +110,8 @@ namespace ccf
         virtual_measurements,
         host_data,
         snp_measurements,
-        snp_uvm_endorsements,
-        snp_tcb_versions);
+        snp_uvm_endorsements
+        );
     }
 
     //