oxidecomputer / dice-util

utilities for cert template generation and manufacturing / certifying DeviceIds
Mozilla Public License 2.0

verifier-cli: attest command through `sprot` fails #215

Closed flihp closed 2 months ago

flihp commented 5 months ago

This is the output of my testing the fix for a recent hubris bug: https://github.com/oxidecomputer/hubris/issues/1777. It seems as though the fix works since hiffy commands that don't take any arguments work again:

```
$ HUMILITY_TARGET=gimletlet HUMILITY_ARCHIVE=../hubris/target/gimletlet/dist/default/build-gimletlet-image-default.zip verifier-cli --verbose --interface sprot log-len
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "SpRot.log_len"
[DEBUG verifier_cli] output: 0x214
[DEBUG verifier_cli] prefix stripped: "214"
[DEBUG verifier_cli] output u32: 532
532
```

and this enables more complicated things like getting the cert chain associated with the alias key:

```
$ HUMILITY_TARGET=gimletlet HUMILITY_ARCHIVE=../hubris/target/gimletlet/dist/default/build-gimletlet-image-default.zip verifier-cli --interface sprot cert-chain
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```

Unfortunately the `attest` command still seems to be broken, but the breakage doesn't look related to hubris#1777. Through the RoT `attest` works fine:

```
$ HUMILITY_TARGET=rot-carrier HUMILITY_ARCHIVE=../hubris/target/rot-carrier/dist/a/build-rot-carrier-image-a.zip verifier-cli --verbose --interface rot attest ./nonce.bin > attest-rot.bin
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "Attest.attest_len"
[DEBUG verifier_cli] output: 0x41
[DEBUG verifier_cli] prefix stripped: "41"
[DEBUG verifier_cli] output u32: 65
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=Attest.attest" "--num=65" "--output=/tmp/.tmpaEFUrF" "--input=/tmp/.tmptJTwQT"
[DEBUG verifier_cli] output: Attest.attest() => ()
    Wrote 65 bytes to '/tmp/.tmpaEFUrF'
```

through sprot however we get an error:

```
$ HUMILITY_TARGET=rot-carrier HUMILITY_ARCHIVE=../hubris/target/rot-carrier/dist/a/build-rot-carrier-image-a.zip verifier-cli --verbose --interface rot attest ./nonce.bin > attest-rot.bin
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call" "Attest.attest_len"
[DEBUG verifier_cli] output: 0x41
[DEBUG verifier_cli] prefix stripped: "41"
[DEBUG verifier_cli] output u32: 65
[DEBUG verifier_cli] executing command: "humility" "hiffy" "--call=Attest.attest" "--num=65" "--output=/tmp/.tmpaEFUrF" "--input=/tmp/.tmptJTwQT"
[DEBUG verifier_cli] output: Attest.attest() => ()
    Wrote 65 bytes to '/tmp/.tmpaEFUrF'
```

The output is 65 bytes of 0's and the exit code indicates success though there is no success :(

flihp commented 2 months ago

this was a bug in hubris that has since been resolved