Add verify cert callback function for DiceTcbInfo

[Wenxing-hou]

Refer the spec: https://trustedcomputinggroup.org/wp-content/uploads/DICE-Attestation-Architecture-Version-1.1-Revision-18_pub.pdf ,
add verify cert callback function for cert DiceTcbInfo extension check.

[xiaoyuruan]

The code should handle cases where malloc fails and returns NULL.

[Wenxing-hou]

Thanks. I have add the code to handle the failed case.

[xiaoyuruan]

Why there is no check for vendorInfo and flags?

[Wenxing-hou]

Because there is no vendorInfo and flags reference. The check will skip.

[xiaoyuruan]

What if the verifier would like to check vendorInfo and/or flags against references?

Because there is no vendorInfo and flags reference. The check will skip.

[jyao1]

Please note, this is only reference implementation.

In a real production, the integrator can decide to add more fields to check, or skip some fields.

[xiaoyuruan]

General: we can't assume that the adopter code will provide reference values for all TCBinfo components hardcoded above (m_libspdm_dice_tcbinfo_xyz). If a reference is not provided, this function should skip mem_equal() for that component, even if the component is present in the TcbInfo extension.

[Wenxing-hou]

Yes. The code assume only follow reference will be provided. And the other components will be skip even if existing in cert.

/*vendor: INTC*/
/*model: S3M GNR*/
/*version: 000200000000008B*/
/*svn*/
/*layer*/
/*fwids*/
/*type*/

[xiaoyuruan]

I was saying that the code should not require hardcoded references of these components (vendor, model, version, etc.). For example, the verifier can choose to hardcode reference for only "version" because the verifier only cares about version.

[jyao1]

Please note, this test is only reference implementation, to demonstrate how to do the alias cert verification.

The integrator should decide what to do - input as parameter, or hardcode somewhere.

[xiaoyuruan]

The "m_libspdm_must_have_dice_tcb_info" is a global that applies to all certs in the chain, but TcbInfo is usually present and required for some certs (e.g., Alias cert).

[jyao1]

Please note, this is reference implementation. We cannot handle all difference use cases.

The integrator should choose what to do in the final production, based on their own use case.

[jyao1]

@xiaoyuruan, I would like to provide a general comment: This is only reference implementation to demonstrate how to do the alias cert check. If you have one specific use case to cover, please describe it clearly. We can cover that. That is not a problem.

However, it is impossible to cover all use cases, which is NOT the goal of this PR.

[xiaoyuruan]

@xiaoyuruan, I would like to provide a general comment: This is only reference implementation to demonstrate how to do the alias cert check. If you have one specific use case to cover, please describe it clearly. We can cover that. That is not a problem.

However, it is impossible to cover all use cases, which is NOT the goal of this PR.

OK that's fine. Please document all assumptions of the implementation (maybe in the readme file?), so reviewers and verifier integrators have a proper expectation.
For example:

• TcbInfo is required for either all certificates or none certificates (controlled by m_libspdm_must_have_dice_tcb_info).
• If a TcbInfo component is present in cert, then there must be a reference hardcoded for this component.
• etc.

[steven-bellock]

@Wenxing-hou @jyao1 please file a separate issue for OpenSSL's validation of certificates with critical OIDs.

[jyao1]

@xiaoyuruan, I would like to provide a general comment: This is only reference implementation to demonstrate how to do the alias cert check. If you have one specific use case to cover, please describe it clearly. We can cover that. That is not a problem.
However, it is impossible to cover all use cases, which is NOT the goal of this PR.

OK that's fine. Please document all assumptions of the implementation (maybe in the readme file?), so reviewers and verifier integrators have a proper expectation. For example:

• TcbInfo is required for either all certificates or none certificates (controlled by m_libspdm_must_have_dice_tcb_info).
• If a TcbInfo component is present in cert, then there must be a reference hardcoded for this component.
• etc.

Yes. That is good suggestion. We should add readme to document that.

I think current assumption is:

1. Reference TcbInfo.

• Only one reference TcbInfo entry is provided by the integrator. (Multiple reference TcbInfo is NOT supported in this PR.)

2. Reported TcbInfo

• The number of reported TcbInfo must match the number of reference TcbInfo.

3. TcbInfo Matching

• Each of the reported TcbInfo must fully match each of the reference TcbInfo with same order.

4. TcbInfo Field

• The reported TcbInfo must include all fields in the reference TcbInfo. If a field in the reference TcbInfo does not exist in the reported TcbInfo, the verification must fail.
• The reported TcbInfo could include more fields which do not exist in the reference TcbInfo. The extra fields in the reported TcbInfo must be ignored and NOT validated, and they must not impact the final result.

@Wenxing-hou , please double check if above assumption is satisfied.
@xiaoyuruan , please review and comment if above assumption is OK.

[Wenxing-hou]

@xiaoyuruan, I would like to provide a general comment: This is only reference implementation to demonstrate how to do the alias cert check. If you have one specific use case to cover, please describe it clearly. We can cover that. That is not a problem.
However, it is impossible to cover all use cases, which is NOT the goal of this PR.

OK that's fine. Please document all assumptions of the implementation (maybe in the readme file?), so reviewers and verifier integrators have a proper expectation. For example:

• TcbInfo is required for either all certificates or none certificates (controlled by m_libspdm_must_have_dice_tcb_info).
• If a TcbInfo component is present in cert, then there must be a reference hardcoded for this component.
• etc.

Yes. That is good suggestion. We should add readme to document that.

I think current assumption is:

1. Reference TcbInfo.

• Only one reference TcbInfo entry is provided by the integrator. (Multiple reference TcbInfo is NOT supported in this PR.)

2. Reported TcbInfo

• Reported TcbInfo must be in at least one certificate.
• If none of the certificates includes TcbInfo, the verification must fail.

3. TcbInfo Matching

• At least one reported TcbInfo must fully match the reference TcbInfo.
• If none of the reported TcbInfos matches all fields in the reference TcbInfo, the verification must fail.
• Once one of the reported TcbInfo fully matches, the verification must pass and the rests of reported TcbInfo must be ignored.

4. TcbInfo Field

• The reported TcbInfo must include all fields in the reference TcbInfo. If a field in the reference TcbInfo does not exist in the reported TcbInfo, the verification must fail.
• The reported TcbInfo could include more fields which do not exist in the reference TcbInfo. The extra fields in the reported TcbInfo must be ignored and NOT validated, and they must not impact the final result.

@Wenxing-hou , please double check if above assumption is satisfied. @xiaoyuruan , please review and comment if above assumption is OK.

Hi Jiewen. I have checked the code, the code logic match the implementation assumption.

libspdm/unit_test/test_spdm_callback/spdm_cert_verify_callback.c

Lines 249 to 277 in 642defe

	while (ptr < end) {
	cert_dice_tcb_info_size = 0;
	tem_ptr = ptr;
	result = libspdm_asn1_get_tag(&ptr, end, &obj_len,
	LIBSPDM_CRYPTO_ASN1_SEQUENCE |
	LIBSPDM_CRYPTO_ASN1_CONSTRUCTED);
	if (result) {
	/*verify Dice TCB info*/
	result = libspdm_verify_cert_dicetcbinfo(tem_ptr, obj_len + (ptr - tem_ptr),
	&cert_dice_tcb_info_size);
	if (!result) {
	if (cert_dice_tcb_info_size == 0) {
	return false;
	}
	} else {
	if (cert_dice_tcb_info_size != 0) {
	cert_chain_have_matched_dice = true;
	}
	}
	/* Move to next cert*/
	ptr += obj_len;
	} else {
	return false;
	}
	}
	if (m_libspdm_must_have_dice_tcb_info && !cert_chain_have_matched_dice) {
	return false;
	}

And I have added the Readme for the Callback function.

[xiaoyuruan]

If libspdm_verify_cert_dicetcbinfo returns FALSE and cert_dice_tcb_info_size!=0, tracing this function further, I think there is an error ("store buffer too small"- not sure what it meant). Is it necessary to handle the error here?

[Wenxing-hou]

Thanks.
Now libspdm_verify_cert_dicetcbinfo hard code the DiceTcbInfo buffer size, and the code categorizes the buffer error to invalid error.

libspdm/unit_test/test_spdm_callback/spdm_cert_verify_callback.c

Lines 56 to 66 in c1c1faa

	spdm_dice_tcb_info_size = 256;
	*spdm_get_dice_tcb_info_size = 0;
	result = libspdm_x509_get_extension_data(cert, cert_size,
	m_libspdm_tcg_dice_tcbinfo_oid,
	sizeof(m_libspdm_tcg_dice_tcbinfo_oid),
	spdm_dice_tcb_info, &spdm_dice_tcb_info_size);
	if (!result) {
	return false;
	} else if (spdm_dice_tcb_info_size == 0) {
	return true;
	}

I don't think it is necessary to handle this issue.

[jyao1]

Please change to below:

2) Reported TcbInfo
  * The number of reported TcbInfo must match the number of reference TcbInfo.
3) TcbInfo Matching
  * Each of the reported TcbInfo must fully match each of the reference TcbInfo with same order.

[jyao1]

This is NOT correct.

The rule is to make sure the TcbInfo number matches, not the right TcbInfo number matches.

[Wenxing-hou]

Thanks.
I have updated the logic: change the number when the cert have DiceTcbInfo.

libspdm/unit_test/test_spdm_callback/spdm_cert_verify_callback.c

Lines 264 to 274 in 20640c8

	if (!result) {
	if (cert_dice_tcb_info_size == 0) {
	return false;
	}
	number_dice_tcb_info++;
	} else {
	if (cert_dice_tcb_info_size != 0) {
	cert_chain_have_matched_dice = true;
	number_dice_tcb_info++;
	}
	}

[jyao1]

please resolve conflict.

[steven-bellock]

I'll provide my comments tomorrow. Was busy today.

[Wenxing-hou]

please resolve conflict.

Thanks. I have fixed the conflict.

[Wenxing-hou]

I'll provide my comments tomorrow. Was busy today.

Thanks for your support.

[PrithviAPai]

@Wenxing-hou we have libspdm_verify_spdm_cert_chain_func where we can register libspdm_verify_spdm_cert_chain_with_dice as callback to verify the DICE certificates right ?

[PrithviAPai]

Also if we pass sample cert chain from libspdm unit test. Will this function verify that ?
We might have cases where on some devices we will have DICE certificates and rest without dice extension.

[steven-bellock]

So I think there are three separate issues / pull requests here.

1. Testing that Integrator-provided callbacks are registered properly.
   • For example there is currently no coverage for libspdm_register_verify_spdm_cert_chain_func.
   • This would be tested in either test_spdm_callback or (if possible) in issue 2 below.
2. Testing that libspdm properly calls and handles the output of Integrator-provided functions.
   • For example there is currently no coverage for verify_peer_spdm_cert_chain in GET_CERTIFICATE and encapsulated GET_CERTIFICATE.
   • This would be tested in the unit tests for the corresponding SPDM message. For example test_spdm_requester/get_certificate.c.
   • Note that the callback function used for testing need not be elaborate. It can just return true or false.
3. Sample implementation of a callback function.
   • This belongs, at a minimum, in os_stub/ or maybe make a new example_code/ directory or in the spdm-emu repository.

[Wenxing-hou]

@Wenxing-hou we have libspdm_verify_spdm_cert_chain_func where we can register libspdm_verify_spdm_cert_chain_with_dice as callback to verify the DICE certificates right ?

Yes, the libspdm_verify_spdm_cert_chain_with_dice as callback need to register to libspdm_verify_spdm_cert_chain_func .
Please use the function libspdm_register_verify_spdm_cert_chain_func to register.
In the libspdm_register_verify_spdm_cert_chain_func comment, you can know:
This function must be called after libspdm_init_context, and before any SPDM communication.

Thanks.

[Wenxing-hou]

Also if we pass sample cert chain from libspdm unit test. Will this function verify that ? We might have cases where on some devices we will have DICE certificates and rest without dice extension.

Please refer to the Readme.md:
https://github.com/DMTF/libspdm/blob/7d13678fec5b5c3479956b7c67cde2cf7cb053cb/unit_test/test_spdm_callback/README.md#implementation-assumption

Thanks.

[Wenxing-hou]

So I think there are three separate issues / pull requests here.

1. Testing that Integrator-provided callbacks are registered properly.

   • For example there is currently no coverage for libspdm_register_verify_spdm_cert_chain_func.
   • This would be tested in either test_spdm_callback or (if possible) in issue 2 below.

2. Testing that libspdm properly calls and handles the output of Integrator-provided functions.

   • For example there is currently no coverage for verify_peer_spdm_cert_chain in GET_CERTIFICATE and encapsulated GET_CERTIFICATE.
   • This would be tested in the unit tests for the corresponding SPDM message. For example test_spdm_requester/get_certificate.c.
   • Note that the callback function used for testing need not be elaborate. It can just return true or false.

3. Sample implementation of a callback function.

   • This belongs, at a minimum, in os_stub/ or maybe make a new example_code/ directory or in the spdm-emu repository.

Thanks for your suggestion. I will do the corresponding work based on your feedback.

[steven-bellock]

Let's make sure @jyao1 approves first.

[jyao1]

So I think there are three separate issues / pull requests here.

1. Testing that Integrator-provided callbacks are registered properly.

   • For example there is currently no coverage for libspdm_register_verify_spdm_cert_chain_func.
   • This would be tested in either test_spdm_callback or (if possible) in issue 2 below.

Agree. Please file a new issue.

2. Testing that libspdm properly calls and handles the output of Integrator-provided functions.

   • For example there is currently no coverage for verify_peer_spdm_cert_chain in GET_CERTIFICATE and encapsulated GET_CERTIFICATE.
   • This would be tested in the unit tests for the corresponding SPDM message. For example test_spdm_requester/get_certificate.c.
   • Note that the callback function used for testing need not be elaborate. It can just return true or false.

Agree. Please file a new issue.

3. Sample implementation of a callback function.

   • This belongs, at a minimum, in os_stub/ or maybe make a new example_code/ directory or in the spdm-emu repository.

Agree. Please move this to os_stub/spdm_cert_verify_callback_sample. Please only do this in this PR.

[Wenxing-hou]

So I think there are three separate issues / pull requests here.

1. Testing that Integrator-provided callbacks are registered properly.

   • For example there is currently no coverage for libspdm_register_verify_spdm_cert_chain_func.
   • This would be tested in either test_spdm_callback or (if possible) in issue 2 below.

Agree. Please file a new issue.

2. Testing that libspdm properly calls and handles the output of Integrator-provided functions.

   • For example there is currently no coverage for verify_peer_spdm_cert_chain in GET_CERTIFICATE and encapsulated GET_CERTIFICATE.
   • This would be tested in the unit tests for the corresponding SPDM message. For example test_spdm_requester/get_certificate.c.
   • Note that the callback function used for testing need not be elaborate. It can just return true or false.

Agree. Please file a new issue.

3. Sample implementation of a callback function.

   • This belongs, at a minimum, in os_stub/ or maybe make a new example_code/ directory or in the spdm-emu repository.

Agree. Please move this to os_stub/spdm_cert_verify_callback_sample. Please only do this in this PR.

For the first feedback, I have submitted the issue: #2695
For the second feedback, I have submitted the issue: #2696
For the third feedback, I have move this to os_stub/spdm_cert_verify_callback_sample. Thanks!

[steven-bellock]

Trim the headers to those that are actually used.

[Wenxing-hou]

Thanks. I have deleted the unused header.

[steven-bellock]

__SPDM_CERT_VERIFY_CALLBACK_INTERNAL_H__ -> SPDM_CERT_VERIFY_CALLBACK_INTERNAL_H

[Wenxing-hou]

Thanks. I have fixed the MACRO.

[steven-bellock]

Trim the headers to those that are actually used.

[Wenxing-hou]

Thanks. I have deleted the unused header.

[steven-bellock]

This file should be in os_stub/spdm_cert_verify_callback_sample.

[Wenxing-hou]

Thanks. I have moved the README to os_stub.

[steven-bellock]

This directory should be called unit_test/test_spdm_sample.

[Wenxing-hou]

Thanks. I have changed the folder name.

[steven-bellock]

All these instances of *_crypt_lib_* need to be renamed to *_spdm_sample_*.

[Wenxing-hou]

Thanks. I have changed the name.