I got the following error while attempting to verify a (valid) attestation report using `snpguest verify attestation`:

```
Reported TCB Boot Loader from certificate matches the attestation report.
Reported TCB TEE from certificate matches the attestation report.
Reported TCB SNP from certificate matches the attestation report.
Reported TCB Microcode from certificate matches the attestation report.
thread 'main' panicked at src/verify.rs:216:21:
Invalid octet length encountered!
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
```

In my case, the cause of the error was that the Chip ID of the SNP instance started with `0x2`, which triggers the first branch of the `match ext.value[0]` in line 212 and then causes the tool to panic because it gets an unexpected value for the second byte (namely `0xea` in my case).

This, however, is not what should happen, because the Chip ID in the VCEK certificate has no "header" (it has a fixed length of 40 bytes), so the content of this X.509 extension should be checked byte-by-byte with what is contained in the attestation report (`val`), as done at line 236.
@gianlucascopelliti VLEK support was just merged upstream. I will start working on VLEK support for the guest, and it should be ready when v3.0.0 of sev is released.
The error comes from the `check_cert_bytes` function, called for verifying the Chip ID: https://github.com/virtee/snpguest/blob/439f4446202567c8fbe89e9322667443427a43ea/src/verify.rs#L313
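The failure mode reported in this issue, as an added std-only example that is not snpguest code: one check dispatches on the first content byte, the other on what the caller knows the extension to be. The names `ExtKind`, `der_u8`, `check_by_first_byte` and `check_by_kind`, the DER INTEGER layout assumed for TCB values, and the sample Chip ID are assumptions made for illustration.

```rust
// Added example (not snpguest code): a std-only model of the check in the issue.
// ExtKind, der_u8, check_by_first_byte and check_by_kind are hypothetical names.

/// What the caller already knows about the extension it is checking.
#[derive(Clone, Copy)]
pub enum ExtKind {
    TcbInteger, // TCB component: DER INTEGER holding one byte of value
    RawChipId,  // Chip ID: raw bytes, no ASN.1 tag or length in front
}

/// Decode a DER INTEGER in 0..=255: `02 01 vv` or, for vv >= 0x80, `02 02 00 vv`.
fn der_u8(ext: &[u8]) -> Result<u8, String> {
    match ext {
        [0x02, 0x01, v] if *v < 0x80 => Ok(*v),
        [0x02, 0x02, 0x00, v] if *v >= 0x80 => Ok(*v),
        _ => Err("Invalid octet length encountered!".to_string()),
    }
}

/// Behaviour described in the issue: the first content byte selects the branch,
/// so raw data that starts with 0x02 is parsed as an INTEGER. Returns Err where
/// the report says the tool panics.
pub fn check_by_first_byte(ext: &[u8], report: &[u8]) -> Result<bool, String> {
    match ext.first() {
        Some(0x02) => Ok(report == [der_u8(ext)?].as_slice()),
        _ => Ok(ext == report),
    }
}

/// Branch on the extension's identity instead of on its content.
pub fn check_by_kind(kind: ExtKind, ext: &[u8], report: &[u8]) -> Result<bool, String> {
    match kind {
        ExtKind::TcbInteger => Ok(report == [der_u8(ext)?].as_slice()),
        ExtKind::RawChipId => Ok(ext == report), // byte-by-byte, no header parsing
    }
}

fn main() {
    // Constructed Chip ID whose first two bytes are 0x02 0xea, as in the report.
    let mut chip_id = vec![0x5au8; 64];
    chip_id[..2].copy_from_slice(&[0x02, 0xea]);
    println!("first-byte dispatch: {:?}", check_by_first_byte(&chip_id, &chip_id));
    println!("kind dispatch:       {:?}", check_by_kind(ExtKind::RawChipId, &chip_id, &chip_id));
    println!("TCB 02 02 00 d1:     {:?}", check_by_kind(ExtKind::TcbInteger, &[2, 2, 0, 0xd1], &[0xd1]));
}
```

A certificate field that carries raw bytes can begin with any value, so its content cannot be used to decide how to parse it; the decision has to come from the extension's OID or from the call site.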