attester: tdx: strip CCEL

The CCEL log is made available through an ACPI sysfs entry and is of size "log_area_minimum_length". OVMF sets it to 64k. The current tdx-attester code reads the whole blob and it's used as is in encoding and when sent over the wire. Test runs suggests that it could be beneficial to strip the log before processing it further: Squeezed from 65536 to 5064 bytes The stripping follows the same pattern as what eventlog-rs does on the receiving end (we keep the same "stop flag" in the blob to keep things compatible). Signed-off-by: Mikko Ylinen <[email protected]>
confidential-containers · Oct 31, 2024 · b27905c · b27905c
1 parent 134f0ad
commit b27905c
Showing 1 changed file with 43 additions and 1 deletion.
diff --git a/attestation-agent/attester/src/tdx/mod.rs b/attestation-agent/attester/src/tdx/mod.rs
@@ -71,6 +71,26 @@ struct TdxEvidence {
 #[derive(Debug, Default)]
 pub struct TdxAttester {}
 
+fn find_stop_pos(buffer: &[u8]) -> usize {
+    let mut stop_pos: usize = 0;
+
+    const CHUNK_SIZE: usize = std::mem::size_of::<u64>();
+
+    if buffer.len() % CHUNK_SIZE != 0 {
+        return buffer.len();
+    }
+
+    for chunk in buffer.chunks_exact(CHUNK_SIZE) {
+        stop_pos += CHUNK_SIZE;
+
+        if u64::from_ne_bytes(chunk.try_into().unwrap()) == u64::MAX {
+            break;
+        }
+    }
+
+    stop_pos
+}
+
 #[async_trait::async_trait]
 impl Attester for TdxAttester {
     async fn get_evidence(&self, mut report_data: Vec<u8>) -> Result<String> {
@@ -95,7 +115,19 @@ impl Attester for TdxAttester {
         let quote = engine.encode(quote_bytes);
 
         let cc_eventlog = match std::fs::read(CCEL_PATH) {
-            Result::Ok(el) => Some(engine.encode(el)),
+            Result::Ok(el) => {
+                let stop_pos = find_stop_pos(&el);
+
+                log::debug!(
+                    "Squeezed from {} to {} bytes",
+                    std::fs::metadata(CCEL_PATH)?.len(),
+                    stop_pos,
+                );
+
+                let (data, _) = el.split_at(stop_pos);
+
+                Some(engine.encode(data))
+            }
             Result::Err(e) => {
                 log::warn!("Read CC Eventlog failed: {:?}", e);
                 None
@@ -188,6 +220,16 @@ impl Attester for TdxAttester {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use rstest::*;
+
+    #[rstest]
+    #[case(b"\x00\x00\x00\x00\x00\x00\x00", 7)]
+    #[case(b"\x00\x00\x00\x00\x00\x00\x00\x00", 8)]
+    #[case(b"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8)]
+    #[case(b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00", 24)]
+    fn test_find_stop_pos(#[case] input_buf: &[u8], #[case] expected_stop_pos: usize) {
+        assert_eq!(find_stop_pos(input_buf), expected_stop_pos);
+    }
 
     #[ignore]
     #[tokio::test]