Refactor text reference values matching #4965
Conversation
…mparison and making regex optional
We can enable the feature in crate_features in the BUILD rule - when the feature is disabled the dependency is not necessary. Defined both targets in the BUILD rule as a proof of concept |
| regex: &oak_proto_rust::oak::attestation::v1::Regex, | ||
| ) -> anyhow::Result<()> { | ||
| if cfg!(feature = "regex") { | ||
| #[cfg(feature = "regex")] |
There was a problem hiding this comment.
are both config guards needed?
There was a problem hiding this comment.
#[cfg(feature = "regex")] allows using the Regex type only when the feature is enabled, the if cfg!(feature = "regex") condition prevents the unreachable code warning for returning the error - but perhaps there is a more elegant way to do it?
There was a problem hiding this comment.
I think another option could be to define two verify_regex functions, one for when the feature is on, one for when it is off. Something like:
#[cfg(feature = "regex")]
fn verify_regex(
actual: &str,
regex: &oak_proto_rust::oak::attestation::v1::Regex,
) -> anyhow::Result<()> {
// the real implementation
}
#[cfg(not(feature = "regex"))]
fn verify_regex(
_actual: &str,
_regex: &oak_proto_rust::oak::attestation::v1::Regex,
) -> anyhow::Result<()> {
Err(anyhow::anyhow!("verification of regex values not supported"))
}
There was a problem hiding this comment.
Oh, that's really nice, thanks!
| string value = 1; | ||
| } | ||
|
|
||
| // Deprecated. Use TextReferenceValue instead. |
There was a problem hiding this comment.
I think you can mark the message itself as deprecated with an annotation.
There was a problem hiding this comment.
Looks like to deprecate an entire message an option needs to be used
| optional BinaryReferenceValue kernel_setup_data = 3 [deprecated = true]; | ||
| optional BinaryReferenceValue kernel_image = 7 [deprecated = true]; | ||
| RegexReferenceValue kernel_cmd_line_regex = 8 [deprecated = true]; | ||
| optional BinaryReferenceValue kernel_cmd_line = 2 [deprecated = true]; |
There was a problem hiding this comment.
Why did they become optional though? I think they should be kept identical to what they were before. I mean, it's probably fine, but I would avoid unnecessary changes if possible. Also, being message types, I don't think there is an actual difference on the wire -- you can already set them to None, even without the optional, or did I misunderstand what optional actually does in proto3?
There was a problem hiding this comment.
Oops. an artifact from playing around with optional fields. Reverted.
| @@ -94,21 +95,34 @@ message Regex { | |||
| string value = 1; | |||
| } | |||
|
|
|||
| message StringLiteral { | |||
| string value = 1; | |||
There was a problem hiding this comment.
I guess this may become repeated in the future, right?
There was a problem hiding this comment.
If it will changing this field to repeated will be rather painful, but if we don't already have a use case for multiple values I'd rather leave it as is... I guess if this becomes necessary we can add another oneof option, e.g., MultiStringLiteral. WDYT?
There was a problem hiding this comment.
For parity with BinaryReferenceValue, which has a Digests submessage which lists multiple valid digests (only of which has to match), I would actually lean towards using multiple string values here, as Tiziano suggests.
We're currently operating under the assumption that we can create one ReferenceValues proto to verify a set of possibly TEE configurations, and due to the multiple allowable digests per layer this works right now, but if the kernel command line were to vary across configurations that would break down with this current "single literal" approach.
There was a problem hiding this comment.
Hmmm, do we have a story about how to match a particular kernel cmd line to a particular binary to define an acceptable TEE configuration? Or would you expect to define a set of binaries + a set of command lines where any combination is acceptable?
There was a problem hiding this comment.
That's currently the assumption we're making, yeah, that we don't have to strictly verify specific configurations. E.g. that given:
- layer 1: A or B is allowed
- layer 2: C or D is allowed
means that all of the following configurations are allowable:
- A && C
- A && D
- B && C
- B && D
as opposed to only allowing, say, A && C and B && D. I don't think we have a way to specify such allowable strict configurations within a single ReferenceValues proto, but we could always try verifying using a list of ReferenceValues until the first one matches to achieve that kind of more strict checking. I don't think the commit really changes that situation much, given that we already have this issue with the other BinaryReferenceValues matchers.
| @@ -94,21 +95,34 @@ message Regex { | |||
| string value = 1; | |||
| } | |||
|
|
|||
| message StringLiteral { | |||
| string value = 1; | |||
There was a problem hiding this comment.
For parity with BinaryReferenceValue, which has a Digests submessage which lists multiple valid digests (only of which has to match), I would actually lean towards using multiple string values here, as Tiziano suggests.
We're currently operating under the assumption that we can create one ReferenceValues proto to verify a set of possibly TEE configurations, and due to the multiple allowable digests per layer this works right now, but if the kernel command line were to vary across configurations that would break down with this current "single literal" approach.
| // Validates the kernel command-line using a regex. | ||
| RegexReferenceValue kernel_cmd_line_regex = 8; | ||
| // Validates the kernel command-line using either a string literal or a regex. | ||
| TextReferenceValue kernel_cmd_line_text = 9; | ||
|
|
||
| // Fields are deprecated and kept only for backwards compatibility. |
There was a problem hiding this comment.
Maybe we should clarify that these fields are not just kept for compatibility, but also being completely ignored now by the verifier.
And maybe for good measure the verifier should actually fail if any of these values are still being specified. That would avoid all confusion about the meaning of these fields in cases where someone erroneously specifies both the new and old values.
There was a problem hiding this comment.
Failing verification sounds scary at this point but expanded the comment
| regex: &oak_proto_rust::oak::attestation::v1::Regex, | ||
| ) -> anyhow::Result<()> { | ||
| if cfg!(feature = "regex") { | ||
| #[cfg(feature = "regex")] |
There was a problem hiding this comment.
I think another option could be to define two verify_regex functions, one for when the feature is on, one for when it is off. Something like:
#[cfg(feature = "regex")]
fn verify_regex(
actual: &str,
regex: &oak_proto_rust::oak::attestation::v1::Regex,
) -> anyhow::Result<()> {
// the real implementation
}
#[cfg(not(feature = "regex"))]
fn verify_regex(
_actual: &str,
_regex: &oak_proto_rust::oak::attestation::v1::Regex,
) -> anyhow::Result<()> {
Err(anyhow::anyhow!("verification of regex values not supported"))
}
| repeated string values = 1; | ||
| } | ||
|
|
||
| message Regex { | ||
| string value = 1; | ||
| } | ||
|
|
||
| message StringLiteral { |
There was a problem hiding this comment.
Note that if we do move to a list of allowed string values, I'd name this StringLiterals (plural), again to be consistent with the Digests (also plural) message name.
Squashed commit of the following: commit 1b24ec1 Author: Tiziano Santoro <[email protected]> Date: Thu Apr 4 00:50:26 2024 +0100 Update nix deps (#4979) Among other things, this update xz to v. 5.4.6 commit f68df2b Author: Tiziano Santoro <[email protected]> Date: Thu Apr 4 00:46:45 2024 +0100 Align with internal linter (#4978) b/332740854 commit 8bdd773 Author: jblebrun <[email protected]> Date: Wed Apr 3 21:43:20 2024 +0000 Update h2 to resolve vulnerability discovered by deny (#4977) https://rustsec.org/advisories/RUSTSEC-2024-0332 commit 5bc91be Author: jul-sh <[email protected]> Date: Wed Apr 3 16:05:06 2024 -0400 Directly issue kernel provenance for attestation measurements (#4976) * Directly issue kernel provenance attestation measurements Previously the provenance created by the SLSA builder was just for the bzImage. Not the artifact that would be measured in the attestation. With this PR the provenance subjects should include binaries measured in the attestation. Change-Id: I16e3234d0d65e3790319294c416c378cd7611681 * fix typo Change-Id: I3d078256d085ef05171e5997743d7497fc530ad0 commit 2ae6255 Author: Andri Saar <[email protected]> Date: Tue Apr 2 20:55:51 2024 +0000 Do a page state change operation before invoking `PVALIDATE` commit 8452885 Author: conradgrobler <[email protected]> Date: Wed Apr 3 17:54:04 2024 +0100 Ensure CPUID triggered the #VC exception (#4974) We want to make sure that the instruction pointer in a #VC exception really pointed to a CPUID instruction since it is the only #VC exception type we support. commit 4ad534f Author: thmsbinder <[email protected]> Date: Wed Apr 3 18:09:46 2024 +0200 Add and verify endorsement field for text reference value (#4973) The kernel command line reference value now follows the pattern from other reference values: skip, TR endorsement, or direct verification. When using TR endorsements in conjunction with the kernel command line the regex feature needs to be enabled. commit fa50670 Author: Patrick McGrath <[email protected]> Date: Tue Apr 2 10:43:22 2024 -0700 Unary gRPC transport template class (#4970) Implement unary transport class template for future Oak clients that use the unary interface. commit 65f6b46 Author: k-naliuka <[email protected]> Date: Fri Mar 29 00:33:37 2024 +0100 Add go and java options to the TcbVersion proto (#4969) commit cefb3c3 Author: Andri Saar <[email protected]> Date: Thu Mar 28 15:46:31 2024 +0000 Collect, and print out, some `PVALIDATE` stats in stage0 commit 579e92c Author: k-naliuka <[email protected]> Date: Wed Mar 27 20:49:53 2024 +0100 Refactor text reference values matching (#4965) Allow literal string comparison and make regex optional commit 121a6b0 Author: Ivan Petrov <[email protected]> Date: Wed Mar 27 19:13:14 2024 +0000 Sign group keys as part of Key Provisioning (#4961) This PR adds the ability to sign group keys in the attestation evidence as part of Key Provisioning. Ref #4442 commit 2a57cd6 Author: jul-sh <[email protected]> Date: Wed Mar 27 12:10:56 2024 -0400 Revert "Increase the size of the certificate in Stage0 DICE data (#4946)" (#4966) This reverts commit c869644, as it introduced a breaking change that broke imports. commit 57a8f73 Author: Ivan Petrov <[email protected]> Date: Wed Mar 27 15:29:07 2024 +0000 Add GroupEncryptionKeyHandle to C++ Containers SDK (#4964) Ref #4442 commit 863ee00 Author: k-naliuka <[email protected]> Date: Wed Mar 27 14:15:48 2024 +0100 Include regex in Bazel oak_crates_index (#4960) commit 83d881d Author: Tiziano Santoro <[email protected]> Date: Wed Mar 27 09:53:32 2024 +0000 Fix username and host when building kernel (#4963) b/330744888 Change-Id: Iac4a71c2d14238ccaca13c3997f47aa265a789ba
Allow literal string comparison and make regex optional