search

oxidecomputer / dice-util

utilities for cert template generation and manufacturing / certifying DeviceIds
Mozilla Public License 2.0
7 stars 3 forks source link

verifier-cli: the `verify` command ignores errors #214

Open flihp opened 3 months ago

flihp commented 3 months ago

This is probably a larger error handling problembut this is a good place to start. If a humility hiffy call fails the verify command will just carry on and then probably fail at some later step that depended on the earlier one. An example w/ verbose output looks like:

$ cat verify-sprot.log 
[INFO  verifier_cli] getting Nonce from platform RNG
[INFO  verifier_cli] writing nonce to: /tmp/.tmp2au1H6/nonce.bin
[INFO  verifier_cli] getting attestation
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.attest_len"
[DEBUG verifier_cli] output: 0x41
[DEBUG verifier_cli] prefix stripped: "41"
[DEBUG verifier_cli] output u32: 65
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.attest" "--num=65" "--output=/tmp/.tmp2fAje8" "--input=/tmp/.tmpoVBPZU"
[DEBUG verifier_cli] output: SpRot.attest() => Err(<Complex error: AttestOrSprotError>)
    Wrote 65 bytes to '/tmp/.tmp2fAje8'

[INFO  verifier_cli] writing attestation to: /tmp/.tmp2au1H6/attest.bin
[INFO  verifier_cli] getting measurement log
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.log_len"
[DEBUG verifier_cli] output: 0x214
[DEBUG verifier_cli] prefix stripped: "214"
[DEBUG verifier_cli] output u32: 532
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.log" "--num=256" "--output=/tmp/.tmpKZQAZs" "--arguments" "offset=0"
[DEBUG verifier_cli] output: SpRot.log() => ()
    Wrote 256 bytes to '/tmp/.tmpKZQAZs'

[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.log" "--num=256" "--output=/tmp/.tmpuFiKCL" "--arguments" "offset=256"
[DEBUG verifier_cli] output: SpRot.log() => ()
    Wrote 256 bytes to '/tmp/.tmpuFiKCL'

[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.log" "--num=20" "--output=/tmp/.tmpT94Mur" "--arguments" "offset=512"
[DEBUG verifier_cli] output: SpRot.log() => ()
    Wrote 20 bytes to '/tmp/.tmpT94Mur'

[INFO  verifier_cli] writing measurement log to: /tmp/.tmp2au1H6/log.bin
[INFO  verifier_cli] getting cert chain
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.cert_chain_len"
[DEBUG verifier_cli] output: 0x4
[DEBUG verifier_cli] prefix stripped: "4"
[DEBUG verifier_cli] output u32: 4
[INFO  verifier_cli] getting cert[0] encoded as pem
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.cert_len" "--arguments=index=0"
[DEBUG verifier_cli] output: 0x1b0
[DEBUG verifier_cli] prefix stripped: "1b0"
[DEBUG verifier_cli] output u32: 432
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=256" "--output=/tmp/.tmp5W9cbf" "--arguments" "index=0,offset=0"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 256 bytes to '/tmp/.tmp5W9cbf'

[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=176" "--output=/tmp/.tmpDW0XlJ" "--arguments" "index=0,offset=256"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 176 bytes to '/tmp/.tmpDW0XlJ'

[INFO  verifier_cli] writing alias cert to: /tmp/.tmp2au1H6/alias.pem
[INFO  verifier_cli] writing cert[0] to: /tmp/.tmp2au1H6/cert-chain.pem
[INFO  verifier_cli] getting cert[1] encoded as pem
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.cert_len" "--arguments=index=1"
[DEBUG verifier_cli] output: 0x197
[DEBUG verifier_cli] prefix stripped: "197"
[DEBUG verifier_cli] output u32: 407
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=256" "--output=/tmp/.tmpJxkVOP" "--arguments" "index=1,offset=0"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 256 bytes to '/tmp/.tmpJxkVOP'

[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=151" "--output=/tmp/.tmp4FIo4V" "--arguments" "index=1,offset=256"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 151 bytes to '/tmp/.tmp4FIo4V'

[INFO  verifier_cli] writing cert[1] to: /tmp/.tmp2au1H6/cert-chain.pem
[INFO  verifier_cli] getting cert[2] encoded as pem
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.cert_len" "--arguments=index=2"
[DEBUG verifier_cli] output: 0x252
[DEBUG verifier_cli] prefix stripped: "252"
[DEBUG verifier_cli] output u32: 594
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=256" "--output=/tmp/.tmprT1fu9" "--arguments" "index=2,offset=0"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 256 bytes to '/tmp/.tmprT1fu9'

[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=256" "--output=/tmp/.tmpk3wtgQ" "--arguments" "index=2,offset=256"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 256 bytes to '/tmp/.tmpk3wtgQ'

[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=82" "--output=/tmp/.tmpF2EXEa" "--arguments" "index=2,offset=512"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 82 bytes to '/tmp/.tmpF2EXEa'

[INFO  verifier_cli] writing cert[2] to: /tmp/.tmp2au1H6/cert-chain.pem
[INFO  verifier_cli] getting cert[3] encoded as pem
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.cert_len" "--arguments=index=3"
[DEBUG verifier_cli] output: 0x285
[DEBUG verifier_cli] prefix stripped: "285"
[DEBUG verifier_cli] output u32: 645
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=256" "--output=/tmp/.tmpqR69G3" "--arguments" "index=3,offset=0"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 256 bytes to '/tmp/.tmpqR69G3'

[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=256" "--output=/tmp/.tmppBys5V" "--arguments" "index=3,offset=256"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 256 bytes to '/tmp/.tmppBys5V'

[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=SpRot.cert" "--num=133" "--output=/tmp/.tmpNeHZrr" "--arguments" "index=3,offset=512"
[DEBUG verifier_cli] output: SpRot.cert() => ()
    Wrote 133 bytes to '/tmp/.tmpNeHZrr'

[INFO  verifier_cli] writing cert[3] to: /tmp/.tmp2au1H6/cert-chain.pem
[INFO  verifier_cli] verifying attestation
[DEBUG verifier_cli] decoded pem w/ label: "CERTIFICATE"
Error: signature error: Verification equation was not satisfied

Caused by:
    Verification equation was not satisfied

The first thing verify does is get an attestation through sprot and that failed. So humility writes an empty buffer as the output. This isn't used again till we attempt to verify the signature over the attestation and it fails. The initial failure should be reported and a non-zero exit code returned.