Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Attestation quote verification should check both run-time and build-time measurement values #1303

Merged
merged 14 commits into from
Feb 20, 2025
Merged

Attestation quote verification should check both run-time and build-time measurement values #1303

merged 14 commits into from
Feb 20, 2025

Conversation

ameba23
Copy link
Contributor

@ameba23 ameba23 commented Feb 18, 2025

Currently we check only build-time (MRTD) measurement values when verifying attestations.

This PR changes this so that we hash together both the MRTD register value and all four run-time measurement registers (rtmr0,1,2,3).

I'm not sure whether we actually need all four - the first two are the ones that matter. But i think it does not harm to put them in anyway.

@ameba23 ameba23 marked this pull request as draft February 18, 2025 13:24
ameba23
ameba23 commented Feb 18, 2025
View reviewed changes
node/cli/src/chain_spec/tdx_testnet.rs
215, 250, 254, 138, 53, 32, 201, 66, 166, 4, 164, 7, 222, 3, 174, 109, 197, 248, 127, 39, 66,
139, 37, 56, 135, 49, 24, 183,
];
const ACCEPTED_MEASUREMENT: [u8; 32] = [0; 32];
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I plan to add this in a followup. This chainspec is currently not being used anywhere, so should not be an issue to leave it like this for now.

@ameba23 ameba23 marked this pull request as ready for review February 19, 2025 08:36
ameba23
ameba23 commented Feb 19, 2025
View reviewed changes
CHANGELOG.md
@@ -66,6 +66,7 @@ runtime
- Non persistent TSS signer and x25519 keypair ([#1216](https://github.com/entropyxyz/entropy-core/pull/1216))
- Extract PCK certificate chain from quotes ([#1209](https://github.com/entropyxyz/entropy-core/pull/1209))
- Allow different versions for programs ([#1250](https://github.com/entropyxyz/entropy-core/pull/1250))
- Attestation quote verification should check both run-time and build-time measurement values ([#1303](https://github.com/entropyxyz/entropy-core/pull/1303))
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if this counts as breaking. Old builds of entropy-tss will no longer be compatible with the chain as it is built here - but that is not external-facing.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we had a running network depending on this then yes this would be problematic. So yeah I'd mention it here

@ameba23 ameba23 mentioned this pull request Feb 19, 2025
Merged
@ameba23 ameba23 self-assigned this Feb 19, 2025
@ameba23 ameba23 added this to the v0.4.0 milestone Feb 19, 2025
HCastano
HCastano approved these changes Feb 20, 2025
View reviewed changes
Copy link
Collaborator

@HCastano HCastano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code looks good 👍

Can you explain what the difference between the MRTD and runtime registers is (or give me some reading material to follow up with)?

CHANGELOG.md
@@ -66,6 +66,7 @@ runtime
- Non persistent TSS signer and x25519 keypair ([#1216](https://github.com/entropyxyz/entropy-core/pull/1216))
- Extract PCK certificate chain from quotes ([#1209](https://github.com/entropyxyz/entropy-core/pull/1209))
- Allow different versions for programs ([#1250](https://github.com/entropyxyz/entropy-core/pull/1250))
- Attestation quote verification should check both run-time and build-time measurement values ([#1303](https://github.com/entropyxyz/entropy-core/pull/1303))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we had a running network depending on this then yes this would be problematic. So yeah I'd mention it here

pallets/parameters/src/lib.rs
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because some events and genesis config entries are changing, maybe we add the Bump "spec_version" tag to the PR

pallets/parameters/src/lib.rs
#[pallet::weight( <T as Config>::WeightInfo::change_accepted_mrtd_values())]
pub fn change_accepted_mrtd_values(
#[pallet::weight( <T as Config>::WeightInfo::change_accepted_measurement_values())]
pub fn change_accepted_measurement_values(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, because of this we may even need to bump the transaction version

@ameba23 ameba23 added Bump `spec_version` A change which affects the current runtime behaviour Bump `transaction_version` A change which affects how existing extrinsics are created (e.g parameter changes) labels Feb 20, 2025
@ameba23
Copy link
Contributor Author

ameba23 commented Feb 20, 2025

Can you explain what the difference between the MRTD and runtime registers is (or give me some reading material to follow up with)?

TBH i still don't totally understand how they are computed. The are basically the hash of the bootloader, and initial ramdisk (initrd) which contains the kernel and in our case the image for the initramfs.

The reason i have made this PR is because if i make a single byte change to the entropy-tss binary and rebuild the image, RTMR1 changes.

MRTD is 'build time' and RTMR0-3 are 'runtime' - but as far as i can see the only one which can actually change after the VM has booted is RTMR3 which is the hash of an event log which can be 'extended' by a special call (which is used by Dstack to do measurements of a docker container - but we do not use it).

The most direct explanation is in the intel whitepaper section 4.2.2 https://www.intel.com/content/www/us/en/content-details/783067/whitepaper-linux-stacks-for-intel-trust-domain-extension-1-0.html

theres also this more high level article from intel: https://www.intel.com/content/www/us/en/developer/articles/community/runtime-integrity-measure-and-attest-trust-domain.html

and my notes about this stuff: entropyxyz/tdx-build-system#6

@HCastano

@ameba23 ameba23 merged commit d3ff40c into master Feb 20, 2025
8 checks passed
@ameba23 ameba23 deleted the peg/attestation-measurements branch February 20, 2025 08:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@HCastano HCastano HCastano approved these changes

@JesseAbram JesseAbram JesseAbram approved these changes

Assignees

@ameba23 ameba23

Labels
Bump `spec_version` A change which affects the current runtime behaviour Bump `transaction_version` A change which affects how existing extrinsics are created (e.g parameter changes)
Projects
Entropy Core
Status: Done
Milestone
v0.4.0
Development

Successfully merging this pull request may close these issues.
3 participants
@ameba23 @HCastano @JesseAbram