From 384eb9567800d4fbce96e140033d476497feed3b Mon Sep 17 00:00:00 2001 From: k-naliuka <126095038+k-naliuka@users.noreply.github.com> Date: Thu, 23 Nov 2023 12:16:41 +0100 Subject: [PATCH] Rename InitLayerEndorsements and the binary field (#4501) InitLayerEndorsements doesn't reflect well which components the endorsements refer to, and the binary field is too generic. Renaming to more descriptive names --- .../google/oak/verification/MainVerifier.java | 17 +++++++++-------- .../oak/verification/MainVerifierTest.java | 9 +++++---- proto/attestation/endorsement.proto | 6 +++--- proto/attestation/reference_value.proto | 8 ++++---- 4 files changed, 21 insertions(+), 19 deletions(-) diff --git a/java/src/main/java/com/google/oak/verification/MainVerifier.java b/java/src/main/java/com/google/oak/verification/MainVerifier.java index a61fe53c863..b807359b41d 100644 --- a/java/src/main/java/com/google/oak/verification/MainVerifier.java +++ b/java/src/main/java/com/google/oak/verification/MainVerifier.java @@ -22,8 +22,6 @@ import com.google.oak.attestation.v1.EndorsementReferenceValue; import com.google.oak.attestation.v1.Endorsements; import com.google.oak.attestation.v1.Evidence; -import com.google.oak.attestation.v1.InitLayerEndorsements; -import com.google.oak.attestation.v1.InitLayerReferenceValues; import com.google.oak.attestation.v1.KernelLayerEndorsements; import com.google.oak.attestation.v1.KernelLayerReferenceValues; import com.google.oak.attestation.v1.OakContainersEndorsements; @@ -31,6 +29,8 @@ import com.google.oak.attestation.v1.ReferenceValues; import com.google.oak.attestation.v1.RootLayerEndorsements; import com.google.oak.attestation.v1.RootLayerReferenceValues; +import com.google.oak.attestation.v1.SystemLayerEndorsements; +import com.google.oak.attestation.v1.SystemLayerReferenceValues; import com.google.oak.attestation.v1.TransparentReleaseEndorsement; import java.util.Optional; @@ -56,11 +56,12 @@ Optional verifyKernelLayer( return Optional.empty(); } - Optional verifyInitLayer( - InitLayerEndorsements endorsements, InitLayerReferenceValues values) { - BinaryReferenceValue binaryValue = values.getBinary(); - if (binaryValue.hasEndorsement()) { - Optional r = verifyLogEntry(endorsements.getBinary(), binaryValue.getEndorsement()); + Optional verifySystemLayer( + SystemLayerEndorsements endorsements, SystemLayerReferenceValues values) { + BinaryReferenceValue systemImageValue = values.getSystemImage(); + if (systemImageValue.hasEndorsement()) { + Optional r = + verifyLogEntry(endorsements.getSystemImage(), systemImageValue.getEndorsement()); if (r.isPresent()) { return r; } @@ -91,7 +92,7 @@ public Optional verify(Endorsements endorsementsArg, ReferenceValues va if (r.isPresent()) { return r; } - r = verifyInitLayer(endorsements.getInitLayer(), values.getInitLayer()); + r = verifySystemLayer(endorsements.getSystemLayer(), values.getSystemLayer()); if (r.isPresent()) { return r; } diff --git a/java/src/test/java/com/google/oak/verification/MainVerifierTest.java b/java/src/test/java/com/google/oak/verification/MainVerifierTest.java index 7ab7e89ff3e..c55534dd109 100644 --- a/java/src/test/java/com/google/oak/verification/MainVerifierTest.java +++ b/java/src/test/java/com/google/oak/verification/MainVerifierTest.java @@ -22,8 +22,6 @@ import com.google.oak.attestation.v1.EndorsementReferenceValue; import com.google.oak.attestation.v1.Endorsements; import com.google.oak.attestation.v1.Evidence; -import com.google.oak.attestation.v1.InitLayerEndorsements; -import com.google.oak.attestation.v1.InitLayerReferenceValues; import com.google.oak.attestation.v1.KernelLayerEndorsements; import com.google.oak.attestation.v1.KernelLayerReferenceValues; import com.google.oak.attestation.v1.LayerEvidence; @@ -33,6 +31,8 @@ import com.google.oak.attestation.v1.RootLayerEndorsements; import com.google.oak.attestation.v1.RootLayerEvidence; import com.google.oak.attestation.v1.RootLayerReferenceValues; +import com.google.oak.attestation.v1.SystemLayerEndorsements; +import com.google.oak.attestation.v1.SystemLayerReferenceValues; import com.google.oak.attestation.v1.TeePlatform; import com.google.oak.attestation.v1.TransparentReleaseEndorsement; import com.google.protobuf.ByteString; @@ -99,7 +99,8 @@ private Endorsements createEndorsements() { .setRootLayer(RootLayerEndorsements.newBuilder().setStage0(createTREndorsement())) .setKernelLayer( KernelLayerEndorsements.newBuilder().setKernelImage(createTREndorsement())) - .setInitLayer(InitLayerEndorsements.newBuilder().setBinary(createTREndorsement())) + .setSystemLayer( + SystemLayerEndorsements.newBuilder().setSystemImage(createTREndorsement())) .setContainerLayer( ContainerLayerEndorsements.newBuilder().setBinary(createTREndorsement()))) .build(); @@ -114,7 +115,7 @@ private ReferenceValues createReferenceValues() { OakContainersReferenceValues.newBuilder() .setRootLayer(RootLayerReferenceValues.newBuilder()) .setKernelLayer(KernelLayerReferenceValues.newBuilder()) - .setInitLayer(InitLayerReferenceValues.newBuilder().setBinary( + .setSystemLayer(SystemLayerReferenceValues.newBuilder().setSystemImage( BinaryReferenceValue.newBuilder().setEndorsement( EndorsementReferenceValue.newBuilder() .setEndorserPublicKey(endorserPublicKey) diff --git a/proto/attestation/endorsement.proto b/proto/attestation/endorsement.proto index 04d9d4f06cf..444c5413a35 100644 --- a/proto/attestation/endorsement.proto +++ b/proto/attestation/endorsement.proto @@ -55,8 +55,8 @@ message KernelLayerEndorsements { TransparentReleaseEndorsement init_ram_fs = 3; } -message InitLayerEndorsements { - TransparentReleaseEndorsement binary = 1; +message SystemLayerEndorsements { + TransparentReleaseEndorsement system_image = 1; } message ApplicationLayerEndorsements { @@ -76,7 +76,7 @@ message OakRestrictedKernelEndorsements { message OakContainersEndorsements { RootLayerEndorsements root_layer = 1; KernelLayerEndorsements kernel_layer = 2; - InitLayerEndorsements init_layer = 3; + SystemLayerEndorsements system_layer = 3; ContainerLayerEndorsements container_layer = 4; } diff --git a/proto/attestation/reference_value.proto b/proto/attestation/reference_value.proto index 7183ba862a2..60b03a50086 100644 --- a/proto/attestation/reference_value.proto +++ b/proto/attestation/reference_value.proto @@ -107,9 +107,9 @@ message KernelLayerReferenceValues { BinaryReferenceValue acpi = 6; } -message InitLayerReferenceValues { - // Verifies the binary based on endorsement. - BinaryReferenceValue binary = 1; +message SystemLayerReferenceValues { + // Verifies the system image binary based on endorsement. + BinaryReferenceValue system_image = 1; // Configuration measurements. BinaryReferenceValue configuration = 2; @@ -141,7 +141,7 @@ message OakRestrictedKernelReferenceValues { message OakContainersReferenceValues { RootLayerReferenceValues root_layer = 1; KernelLayerReferenceValues kernel_layer = 2; - InitLayerReferenceValues init_layer = 3; + SystemLayerReferenceValues system_layer = 3; ContainerLayerReferenceValues container_layer = 4; }