aws / aws-nitro-enclaves-cli

Tooling for Nitro Enclave Management
Apache License 2.0

PCR8 verification procedure unclear #446

Closed fabienpe closed 1 year ago

fabienpe commented 1 year ago

In aws/aws-nitro-cli/docs/image_signing.md, it is stated that PCR8 "is the SHA384 hash of the signing certificate's fingerprint".

I have built an EIF file with my own certificate.pem and key.pem files, generated with openssl.

After the creation, I get a PCR8 value provided by the nitro-cli. Unfortunately, the value is not the same as the one I get if I do: openssl x509 -in certificate.pem -noout -sha384 -fingerprint or use an equivalent method in Python.

petreeftime commented 1 year ago

The PCR registers start in a known zero state and each extend operation does a hash between the previous state and the data. So for PCR8, the extend operation looks like:

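```python
#!/usr/bin/env python3

from cryptography import x509
from cryptography.hazmat.primitives import hashes

# Load the signing certificate that was used to build the EIF
with open("cert.pem", "rb") as f:
    cert = x509.load_pem_x509_certificate(f.read())

# SHA384 fingerprint of the certificate (hash over its DER encoding)
cert_hash = cert.fingerprint(hashes.SHA384())
print(cert_hash.hex())

# Extend: hash the initial all-zero PCR state followed by the fingerprint
hasher = hashes.Hash(hashes.SHA384())
hash_size = 384 // 8  # SHA384 digest length in bytes
hasher.update(b'\0' * hash_size)
hasher.update(cert_hash)
print(hasher.finalize().hex())
```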

This should give you the same value as nitro-cli and the NitroSecureModule.
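Added example, not part of the original thread or of the project's code: a standard-library check that goes one step beyond the snippet above by taking the fingerprint line printed by `openssl x509 -sha384 -fingerprint`, applying the single extend, and comparing the result with a reported PCR8 value. The function names and the sample PEM are assumptions made for illustration; the PEM wraps placeholder bytes, not a real certificate.

```python
import hashlib
import hmac
import ssl

SHA384_LEN = 48  # digest and PCR size in bytes


def pcr_extend(state: bytes, data: bytes) -> bytes:
    """One extend step: new_state = SHA384(old_state || data)."""
    if len(state) != SHA384_LEN:
        raise ValueError("PCR state must be 48 bytes")
    return hashlib.sha384(state + data).digest()


def cert_fingerprint(pem: str) -> bytes:
    """SHA-384 over the DER bytes, the value the openssl command prints."""
    return hashlib.sha384(ssl.PEM_cert_to_DER_cert(pem)).digest()


def parse_openssl_fingerprint(line: str) -> bytes:
    """Turn 'sha384 Fingerprint=AA:BB:...' into raw digest bytes."""
    _, _, value = line.strip().rpartition("=")
    raw = bytes.fromhex(value.replace(":", ""))
    if len(raw) != SHA384_LEN:
        raise ValueError("not a SHA-384 fingerprint")
    return raw


def expected_pcr8(fingerprint: bytes) -> str:
    """PCR8 is one extend of the all-zero register with the fingerprint."""
    return pcr_extend(bytes(SHA384_LEN), fingerprint).hex()


def pcr8_matches(fingerprint: bytes, reported_pcr8: str) -> bool:
    """Compare with a reported PCR8 hex string (assumed to be plain hex)."""
    try:
        reported = bytes.fromhex(reported_pcr8.strip())
    except ValueError:
        return False
    want = bytes.fromhex(expected_pcr8(fingerprint))
    return hmac.compare_digest(want, reported)


# Constructed sample: placeholder bytes in a PEM wrapper, NOT a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Y29uc3RydWN0ZWQgc2FtcGxlIGNlcnRpZmljYXRlIGJ5dGVz\n"
    "-----END CERTIFICATE-----\n"
)
```

Passing the raw fingerprint as the reported value returns `False`, which is the mismatch described in the opening comment: the fingerprint is the input to the extend, not the PCR value itself.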

fabienpe commented 1 year ago

Indeed! Thank you for the clarification! Is there Python code available to verify the signatures of the EIF?

petreeftime commented 1 year ago

I don't know of any.

fabienpe commented 1 year ago

FYI, I created a simple Python script: https://github.com/fabienpe/aws-nitro-verify-pcr-signature