google · Freax13 · Oct 1, 2024 · Oct 4, 2024 · Oct 4, 2024 · Oct 4, 2024
diff --git a/pcs/pcs.go b/pcs/pcs.go
@@ -57,6 +57,8 @@ var (
 	OidPCEID = asn1.ObjectIdentifier([]int{1, 2, 840, 113741, 1, 13, 1, 3})
 	// OidFMSPC  is the x509v3 extension for PCK certificate's SGX Extensions FMSPC value.
 	OidFMSPC = asn1.ObjectIdentifier([]int{1, 2, 840, 113741, 1, 13, 1, 4})
+	// OidSGXType is the x509v3 extension for PCK certificate's SGX Extensions SGX Type value.
+	OidSGXType = asn1.ObjectIdentifier([]int{1, 2, 840, 113741, 1, 13, 1, 5})
 
 	// ErrPckExtInvalid error returned when parsing PCK certificate's extension returns leftover bytes
 	ErrPckExtInvalid = errors.New("unexpected leftover bytes for PCK certificate's extension")
@@ -158,14 +160,27 @@ type PckCertTCB struct {
 }
 
 // PckExtensions represents the information stored in the x509 extensions of a PCK certificate which
-// will be required for verification
+// will be required for verification/validation
 type PckExtensions struct {
-	PPID  string
-	TCB   PckCertTCB
-	PCEID string
-	FMSPC string
+	PPID    string
+	TCB     PckCertTCB
+	PCEID   string
+	FMSPC   string
+	SGXType SGXType
 }
 
+// SGXType represents the type of the platform for which the PCK certificate was created
+type SGXType int
+
+const (
+	// SGXTypeStandard represents a standard (non-scalable) platform.
+	SGXTypeStandard SGXType = iota
+	// SGXTypeScalable represents a scalable platform with logical integrity protection.
+	SGXTypeScalable
+	// SGXTypeScalable represents a scalable platform with cryptographic integrity protection.
+	SGXTypeScalableWithIntegrity
+)
+
 // HexBytes struct contains hex decoded string to bytes value
 type HexBytes struct {
 	Bytes []byte
@@ -376,6 +391,15 @@ func extractAsn1OctetStringExtension(name string, extension asn1.RawValue, size
 	return hex.EncodeToString(val), nil
 }
 
+// attributeTypeAndEnumerated is a specialized version of
+// pkix.AttributeTypeAndValue to work around a bug where Go's ASN.1 parser
+// fails to unmarshal `asn1.Enumerated` values into the `any` field in
+// `AttributeTypeAndValue`: https://github.com/golang/go/pull/69727
+type attributeTypeAndEnumerated struct {
+	Type  asn1.ObjectIdentifier
+	Value asn1.Enumerated
+}
+
 func extractSgxExtensions(extensions []asn1.RawValue) (*PckExtensions, error) {
 	pckExtension := &PckExtensions{}
 	if len(extensions) < sgxExtensionMinSize {
@@ -416,6 +440,14 @@ func extractSgxExtensions(extensions []asn1.RawValue) (*PckExtensions, error) {
 				return nil, err
 			}
 		}
+		if sExtension.Type.Equal(OidSGXType) {
+			var sExtension attributeTypeAndEnumerated
+			_, err := asn1.Unmarshal(ext.FullBytes, &sExtension)
+			if err != nil {
+				return nil, fmt.Errorf("could not parse SGX extension's in PCK certificate: %v", err)
+			}
+			pckExtension.SGXType = SGXType(sExtension.Value)
+		}
 	}
 	return pckExtension, nil
 }
@@ -430,7 +462,7 @@ func findMatchingExtension(extns []pkix.Extension, oid asn1.ObjectIdentifier) (*
 }
 
 // PckCertificateExtensions returns only those x509v3 extensions from the PCK certificate into a
-// struct type which will be required in verification purpose.
+// struct type which will be required for verification or validation purposes.
 func PckCertificateExtensions(cert *x509.Certificate) (*PckExtensions, error) {
 	if len(cert.Extensions) != pckCertExtensionSize {
 		return nil, fmt.Errorf("PCK certificate extensions length found %d. Expected %d", len(cert.Extensions), pckCertExtensionSize)

diff --git a/proto/checkconfig.proto b/proto/checkconfig.proto
@@ -30,6 +30,8 @@ message Policy {
   // TDQuoteBodyPolicy is representation of TdQuoteBody of an attestation quote
   // validation policy.
   TDQuoteBodyPolicy td_quote_body_policy = 2;  // should be 528 bytes
+
+  PCKPolicy pck_policy = 3;
 }
 
 message HeaderPolicy {
@@ -54,6 +56,16 @@ message TDQuoteBodyPolicy {
   repeated bytes any_mr_td = 11;  // each should be 48 bytes.
 }
 
+message PCKPolicy {
+  optional SGXType sgx_type = 1;
+}
+
+enum SGXType {
+  Standard = 0;
+  Scalable = 1;
+  ScalableWithIntegrity = 2;
+}
+
 // RootOfTrust represents configuration for which hardware root of trust
 // certificates to use for verifying attestation quote.
 message RootOfTrust {

diff --git a/proto/checkconfig/checkconfig.pb.go b/proto/checkconfig/checkconfig.pb.go
diff --git a/tools/check/check.go b/tools/check/check.go
@@ -100,6 +100,8 @@ var (
 	minqesvn  = flag.String("minimum_qe_svn", "", "The minimum acceptable value for QE_SVN field.")
 	minpcesvn = flag.String("minimum_pce_svn", "", "The minimum acceptable value for PCE_SVN field.")
 
+	sgxtype = flag.String("sgx_type", "", "An acceptable value for SGXType field.")
+
 	// Optional Bool
 	checkcrl        = flag.String("check_crl", "", "Download and check the CRL for revoked certificates. -get_collateral must be true.")
 	getcollateral   = flag.String("get_collateral", "", "If true, then permitted to download necessary collaterals for additional checks.")
@@ -110,7 +112,7 @@ var (
 	// Assign the values of the flags to the corresponding proto fields
 	config = &ccpb.Config{
 		RootOfTrust: &ccpb.RootOfTrust{},
-		Policy:      &ccpb.Policy{HeaderPolicy: &ccpb.HeaderPolicy{}, TdQuoteBodyPolicy: &ccpb.TDQuoteBodyPolicy{}},
+		Policy:      &ccpb.Policy{HeaderPolicy: &ccpb.HeaderPolicy{}, TdQuoteBodyPolicy: &ccpb.TDQuoteBodyPolicy{}, PckPolicy: &ccpb.PCKPolicy{}},
 	}
 )
 
@@ -223,7 +225,7 @@ func parseConfig(path string) error {
 		config.RootOfTrust = &ccpb.RootOfTrust{}
 	}
 	if config.Policy == nil {
-		config.Policy = &ccpb.Policy{HeaderPolicy: &ccpb.HeaderPolicy{}, TdQuoteBodyPolicy: &ccpb.TDQuoteBodyPolicy{}}
+		config.Policy = &ccpb.Policy{HeaderPolicy: &ccpb.HeaderPolicy{}, TdQuoteBodyPolicy: &ccpb.TDQuoteBodyPolicy{}, PckPolicy: &ccpb.PCKPolicy{}}
 	}
 	return nil
 }
@@ -346,6 +348,17 @@ func populateConfig() error {
 		}
 		return nil
 	}
+	setSGXType := func(dest **ccpb.SGXType, flag string) error {
+		if flag != "" {
+			val, ok := ccpb.SGXType_value[flag]
+			if !ok {
+				return fmt.Errorf("invalid -sgx_type=%s: expected one of Standard, Scalable, or ScalableWithIntegrity", flag)
+			}
+			sgxType := ccpb.SGXType(val)
+			*dest = &sgxType
+		}
+		return nil
+	}
 
 	setNonNil(&policy.HeaderPolicy.QeVendorId, *qevendorid)
 	setNonNil(&policy.TdQuoteBodyPolicy.MinimumTeeTcbSvn, *minteetcbsvn)
@@ -361,6 +374,7 @@ func populateConfig() error {
 	return multierr.Combine(
 		setUint32(&policy.HeaderPolicy.MinimumQeSvn, "minimum_qe_svn", *minqesvn, defaultMinQeSvn),
 		setUint32(&policy.HeaderPolicy.MinimumPceSvn, "minimum_pce_svn", *minpcesvn, defaultMinPceSvn),
+		setSGXType(&policy.PckPolicy.SgxType, *sgxtype),
 		setRtmrs(&policy.TdQuoteBodyPolicy.Rtmrs, *rtmrs),
 	)
 }

diff --git a/tools/check/check_test.go b/tools/check/check_test.go
@@ -86,6 +86,11 @@ func setField(p *ccpb.Policy, policy string, name string, value any) {
 		r := s.ProtoReflect()
 		ty := r.Descriptor()
 		r.Set(ty.Fields().ByName(protoreflect.Name(name)), protoreflect.ValueOf(value))
+	} else if policy == "pck_policy" {
+		s := p.PckPolicy
+		r := s.ProtoReflect()
+		ty := r.Descriptor()
+		r.Set(ty.Fields().ByName(protoreflect.Name(name)), protoreflect.ValueOf(value))
 	}
 }
 
@@ -111,6 +116,13 @@ func uint32setter(name string, policy string) setterFn {
 	}
 }
 
+func enumSetter(name string, policy string, values map[string]int32) setterFn {
+	return func(p *ccpb.Policy, value string, _ *testing.T) bool {
+		setField(p, policy, name, protoreflect.EnumNumber(values[value]))
+		return false
+	}
+}
+
 func testCases() []testCase {
 	return []testCase{
 		{
@@ -196,6 +208,16 @@ func testCases() []testCase {
 			bad:    []string{"6c62dec1b8191749a31dab490be532a35944dea47caef1f980863993d9899545eb7406a38d1eed313b987a467dacead6f0c87a6d766c66f6f29f8acb281f2213"},
 			setter: bytesSetter("report_data", "td_quote_body_policy"),
 		},
+		{
+			flag: "sgx_type",
+			good: "Scalable",
+			bad: []string{
+				"Standard",
+				"ScalableWithIntegrity",
+				"non-existing type",
+			},
+			setter: enumSetter("sgx_type", "pck_policy", ccpb.SGXType_value),
+		},
 	}
 }
 
@@ -284,7 +306,7 @@ func TestRtmrs(t *testing.T) {
 func TestCheckGoodFields(t *testing.T) {
 	for _, tc := range testCases() {
 		t.Run(tc.flag, func(t *testing.T) {
-			p := &ccpb.Policy{HeaderPolicy: &ccpb.HeaderPolicy{}, TdQuoteBodyPolicy: &ccpb.TDQuoteBodyPolicy{}}
+			p := &ccpb.Policy{HeaderPolicy: &ccpb.HeaderPolicy{}, TdQuoteBodyPolicy: &ccpb.TDQuoteBodyPolicy{}, PckPolicy: &ccpb.PCKPolicy{}}
 			if tc.setter(p, tc.good, t) {
 				t.Fatal("unexpected parse failure")
 			}
@@ -302,7 +324,7 @@ func TestCheckBadFields(t *testing.T) {
 	for _, tc := range testCases() {
 		for i, bad := range tc.bad {
 			t.Run(fmt.Sprintf("%s_bad[%d]", tc.flag, i+1), func(t *testing.T) {
-				p := &ccpb.Policy{HeaderPolicy: &ccpb.HeaderPolicy{}, TdQuoteBodyPolicy: &ccpb.TDQuoteBodyPolicy{}}
+				p := &ccpb.Policy{HeaderPolicy: &ccpb.HeaderPolicy{}, TdQuoteBodyPolicy: &ccpb.TDQuoteBodyPolicy{}, PckPolicy: &ccpb.PCKPolicy{}}
 				if tc.setter(p, bad, t) {
 					return
 				}
@@ -321,7 +343,7 @@ func TestCheckGoodFlagOverridesBadField(t *testing.T) {
 	for _, tc := range testCases() {
 		for i, bad := range tc.bad {
 			t.Run(fmt.Sprintf("%s_bad[%d]", tc.flag, i+1), func(t *testing.T) {
-				p := &ccpb.Policy{HeaderPolicy: &ccpb.HeaderPolicy{}, TdQuoteBodyPolicy: &ccpb.TDQuoteBodyPolicy{}}
+				p := &ccpb.Policy{HeaderPolicy: &ccpb.HeaderPolicy{}, TdQuoteBodyPolicy: &ccpb.TDQuoteBodyPolicy{}, PckPolicy: &ccpb.PCKPolicy{}}
 				if tc.setter(p, bad, t) {
 					return
 				}
@@ -340,7 +362,7 @@ func TestCheckBadFlagOverridesGoodField(t *testing.T) {
 	for _, tc := range testCases() {
 		for i, bad := range tc.bad {
 			t.Run(fmt.Sprintf("%s_bad[%d]", tc.flag, i+1), func(t *testing.T) {
-				p := &ccpb.Policy{HeaderPolicy: &ccpb.HeaderPolicy{}, TdQuoteBodyPolicy: &ccpb.TDQuoteBodyPolicy{}}
+				p := &ccpb.Policy{HeaderPolicy: &ccpb.HeaderPolicy{}, TdQuoteBodyPolicy: &ccpb.TDQuoteBodyPolicy{}, PckPolicy: &ccpb.PCKPolicy{}}
 				if tc.setter(p, tc.good, t) {
 					t.Fatal("unexpected parse failure")
 				}

diff --git a/validate/validate.go b/validate/validate.go
@@ -17,11 +17,15 @@ package validate
 
 import (
 	"bytes"
+	"crypto/x509"
 	"encoding/binary"
 	"encoding/hex"
+	"encoding/pem"
+	"errors"
 	"fmt"
 
 	"github.com/google/go-tdx-guest/abi"
+	"github.com/google/go-tdx-guest/pcs"
 	ccpb "github.com/google/go-tdx-guest/proto/checkconfig"
 	pb "github.com/google/go-tdx-guest/proto/tdx"
 	vr "github.com/google/go-tdx-guest/verify"
@@ -50,6 +54,7 @@ const (
 type Options struct {
 	HeaderOptions      HeaderOptions
 	TdQuoteBodyOptions TdQuoteBodyOptions
+	PCKOptions         PCKOptions
 }
 
 // HeaderOptions represents validation options for a TDX attestation Quote Header.
@@ -88,6 +93,12 @@ type TdQuoteBodyOptions struct {
 	AnyMrTd [][]byte
 }
 
+// PCKOptions represents validation options for the PCK certificate in side a TDX attestation.
+type PCKOptions struct {
+	// SgxType is the expected SGXType. Not checked if nil.
+	SgxType *pcs.SGXType
+}
+
 func lengthCheck(name string, length int, value []byte) error {
 	if value != nil && len(value) != length {
 		return fmt.Errorf("option %q length is %d. Want %d", name, len(value), length)
@@ -163,6 +174,10 @@ func PolicyToOptions(policy *ccpb.Policy) (*Options, error) {
 			AnyMrTd:          policy.GetTdQuoteBodyPolicy().GetAnyMrTd(),
 		},
 	}
+	if policy.PckPolicy != nil && policy.PckPolicy.SgxType != nil {
+		value := pcs.SGXType(*policy.PckPolicy.SgxType)
+		opts.PCKOptions.SgxType = &value
+	}
 	if err := checkOptionsLengths(opts); err != nil {
 		return nil, err
 	}
@@ -315,6 +330,32 @@ func validateTdAttributes(value []byte, fixed1, fixed0 uint64) error {
 	return nil
 }
 
+func validatePck(quote *pb.QuoteV4, opts *PCKOptions) error {
+	// Extract the PCK
+	certChainBytes := quote.GetSignedData().GetCertificationData().GetQeReportCertificationData().GetPckCertificateChainData().GetPckCertChain()
+	if certChainBytes == nil {
+		return errors.New("PCK certificate chain is empty")
+	}
+	pck, rem := pem.Decode(certChainBytes)
+	if pck == nil || len(rem) == 0 || pck.Type != "CERTIFICATE" {
+		return errors.New("incomplete PCK Certificate chain found, should contain 3 concatenated PEM-formatted 'CERTIFICATE'-type block (PCK Leaf Cert||Intermediate CA Cert||Root CA Cert)")
+	}
+	pckCert, err := x509.ParseCertificate(pck.Bytes)
+	if err != nil {
+		return fmt.Errorf("could not interpret PCK leaf certificate DER bytes: %v", err)
+	}
+
+	// Validate the PCK.
+	exts, err := pcs.PckCertificateExtensions(pckCert)
+	if err != nil {
+		return fmt.Errorf("could not get PCK certificate extensions: %v", err)
+	}
+	if opts.SgxType != nil && *opts.SgxType != exts.SGXType {
+		return fmt.Errorf("PCK extension SGXType is %d. Expect %d", *opts.SgxType, exts.SGXType)
-		return fmt.Errorf("PCK extension SGXType is %d. Expect %d", *opts.SgxType, exts.SGXType)
+		return fmt.Errorf("PCK extension SGXType is %d. Expect %d", exts.SGXType, *opts.SgxType)
-		return fmt.Errorf("PCK extension SGXType is %d. Expect %d", *opts.SgxType, exts.SGXType)
+		return fmt.Errorf("PCK extension SGXType is %d. Expect %d", exts.SGXType, *opts.SgxType)
+	}
+	return nil
+}
+
 // TdxQuote validates fields of the protobuf representation of an attestation Quote
 // against expectations depending on supported quote formats - QuoteV4.
 // Does not check the attestation certificates or signature.
@@ -342,6 +383,7 @@ func tdxQuoteV4(quote *pb.QuoteV4, options *Options) error {
 		minVersionCheck(quote, options),
 		validateXfam(quote.GetTdQuoteBody().GetXfam(), xfamFixed1, xfamFixed0),
 		validateTdAttributes(quote.GetTdQuoteBody().GetTdAttributes(), tdAttributesFixed1, tdAttributesFixed0),
+		validatePck(quote, &options.PCKOptions),
 	)
 }
 

diff --git a/validate/validate_test.go b/validate/validate_test.go
@@ -18,6 +18,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/google/go-tdx-guest/pcs"
 	pb "github.com/google/go-tdx-guest/proto/tdx"
 	vr "github.com/google/go-tdx-guest/verify"
 
@@ -73,6 +74,7 @@ func TestTdxQuote(t *testing.T) {
 		0x59, 0x44, 0xde, 0xa4, 0x7c, 0xae, 0xf1, 0xf9, 0x80, 0x86, 0x39, 0x93, 0xd9, 0x89, 0x95, 0x45,
 		0xeb, 0x74, 0x6, 0xa3, 0x8d, 0x1e, 0xed, 0x31, 0x3b, 0x98, 0x7a, 0x46, 0x7d, 0xac, 0xea, 0xd6,
 		0xf0, 0xc8, 0x7a, 0x6d, 0x76, 0x6c, 0x66, 0xf6, 0xf2, 0x9f, 0x8a, 0xcb, 0x28, 0x1f, 0x11, 0x13}
+	sgxType := pcs.SGXTypeScalable
 
 	mknonce := func(front []byte) []byte {
 		result := make([]byte, 64)
@@ -136,6 +138,9 @@ func TestTdxQuote(t *testing.T) {
 					Rtmrs:            [][]byte{rtmr0, rtmr1, rtmr2, rtmr3},
 					ReportData:       reportData,
 				},
+				PCKOptions: PCKOptions{
+					SgxType: &sgxType,
+				},
 			},
 		},
 		{
@@ -281,7 +286,16 @@ func TestTdxQuote(t *testing.T) {
 			opts: &Options{
 				HeaderOptions: HeaderOptions{QeVendorID: make([]byte, abi.QeVendorIDSize)},
 			},
-			wantErr: "quote field QE_VENDOR_ID"},
+			wantErr: "quote field QE_VENDOR_ID",
+		},
+		{
+			name:  "Test incorrect SGXType",
+			quote: quote12345,
+			opts: &Options{
+				PCKOptions: PCKOptions{SgxType: new(pcs.SGXType)},
+			},
+			wantErr: "PCK extension SGXType",
+		},
 	}
 
 	for _, tc := range tests {

diff --git a/verify/verify_test.go b/verify/verify_test.go
@@ -92,6 +92,7 @@ func TestPckCertificateExtensions(t *testing.T) {
 	pckExt.PPID = hex.EncodeToString(ppidBytes)
 	pckExt.FMSPC = hex.EncodeToString(fmspcBytes)
 	pckExt.PCEID = hex.EncodeToString(pceIDBytes)
+	pckExt.SGXType = pcs.SGXTypeScalable
 	pckExtTcb := &pcs.PckCertTCB{
 		PCESvn:           11,
 		CPUSvn:           []byte{3, 3, 2, 2, 2, 1, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0},