virtee / snpguest

A CLI tool for interacting with SEV-SNP guest environment
Apache License 2.0

snpguest verify attestation Error: Invalid octet length encountered #66

Open jquanC opened 3 weeks ago

jquanC commented 3 weeks ago

I got the following output when performing the attestation using snpguest.

jquan@localhost:~/.local/attestation_exp> sudo /home/jquan/.local/src/snpguest/target/release/snpguest verify attestation ./certs-kds ./report_dir/attestation-report.bin
Reported TCB Boot Loader from certificate matches the attestation report.
Reported TCB TEE from certificate matches the attestation report.
Reported TCB SNP from certificate matches the attestation report.
Reported TCB Microcode from certificate matches the attestation report.
thread 'main' panicked at src/verify.rs:251:21:
Invalid octet length encountered!
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Again, with the -t option:

jquan@localhost:~/.local/attestation_exp> sudo /home/jquan/.local/src/snpguest/target/release/snpguest verify attestation ./certs-kds ./report_dir/attestation-report.bin -t
[sudo] password for root:
Reported TCB Boot Loader from certificate matches the attestation report.
Reported TCB TEE from certificate matches the attestation report.
Reported TCB SNP from certificate matches the attestation report.
Reported TCB Microcode from certificate matches the attestation report.
thread 'main' panicked at src/verify.rs:251:21:
Invalid octet length encountered!
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

However, if I only validate the signature with the -s option, it succeeds:

jquan@localhost:~/.local/attestation_exp> sudo /home/jquan/.local/src/snpguest/target/release/snpguest verify attestation ./certs-kds ./report_dir/attestation-report.bin -s
VEK signed the Attestation Report!

I tried running it after exporting RUST_BACKTRACE=1 in the current shell environment, but it does not seem to work; the result is the same as shown above.

jquan@localhost:~/.local/attestation_exp> env
SHELL=/bin/bash
...
RUST_BACKTRACE=1
...
_=/usr/bin/env

Consequently, I only know that the error comes from the function check_cert_bytes, but I don't know which function call resulted in the error.

// Check the cert extension byte to value
fn check_cert_bytes(ext: &X509Extension, val: &[u8]) -> bool {
    match ext.value[0] {
        // Integer
        0x2 => {
            if ext.value[1] != 0x1 && ext.value[1] != 0x2 {
                panic!("Invalid octet length encountered!");
            } else if let Some(byte_value) = ext.value.last() {
                byte_value == &val[0]
            } else {
                false
            }
        }
        // Octet String
        0x4 => {
            if ext.value[1] != 0x40 {
                panic!("Invalid octet length encountered!"); // here is where the error comes when called
            } else if ext.value[2..].len() != 0x40 {
                panic!("Invalid size of bytes encountered!");
            } else if val.len() != 0x40 {
                panic!("Invalid certificate harward id length encountered!")
            }

            &ext.value[2..] == val
        }

Besides, I noticed that issue #38 mentioned a similar question, and I did conduct this validation with a VCEK. So is the cause of this error the same as in issue #38? Any guidance or advice would be significantly appreciated. Thanks!
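
An added example (not part of the original post and not snpguest's own code): the same tag and length rules as the excerpt above, but returning an error that carries the tag and length byte actually seen instead of panicking. `compare_ext`, `ExtError` and the byte arrays are hypothetical, and tags beyond the two visible in the excerpt are only reported, not handled.

```rust
// Added example, not snpguest code. `ext_value` stands in for `ext.value`,
// the raw DER bytes of one certificate extension; `val` is the report field.
#[derive(Debug, PartialEq)]
pub enum ExtError {
    Truncated(usize),                                   // fewer than 2 bytes
    BadLength { tag: u8, declared: u8, actual: usize }, // length byte rejected
    BadReportField(usize),                              // `val` has the wrong size
    UnknownTag(u8),                                     // arm not in the excerpt
}

pub fn compare_ext(ext_value: &[u8], val: &[u8]) -> Result<bool, ExtError> {
    // Split tag, length byte and content without indexing past the end.
    let (tag, declared, body) = match ext_value {
        [tag, len, body @ ..] => (*tag, *len, body),
        _ => return Err(ExtError::Truncated(ext_value.len())),
    };
    let bad_len = ExtError::BadLength { tag, declared, actual: body.len() };
    match tag {
        // INTEGER: the excerpt accepts 1 or 2 content bytes and compares the last one.
        0x02 => {
            if !(1..=2).contains(&declared) || body.len() != declared as usize {
                return Err(bad_len);
            }
            Ok(body.last() == val.first())
        }
        // OCTET STRING: the excerpt requires exactly 0x40 content bytes on both sides.
        0x04 => {
            if declared != 0x40 || body.len() != 0x40 {
                return Err(bad_len);
            }
            if val.len() != 0x40 {
                return Err(ExtError::BadReportField(val.len()));
            }
            Ok(body == val)
        }
        other => Err(ExtError::UnknownTag(other)),
    }
}

fn main() {
    // Constructed inputs: an INTEGER extension, and an OCTET STRING whose
    // length byte is 0x08 rather than 0x40.
    println!("{:?}", compare_ext(&[0x02, 0x01, 0x07], &[0x07]));
    let short = [0x04, 0x08, 1, 2, 3, 4, 5, 6, 7, 8];
    println!("{:?}", compare_ext(&short, &[0u8; 0x40]));
}
```
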

tylerfanelli commented 3 weeks ago

Did you generate the certs and report from the snpguest tool as well?

jquanC commented 3 weeks ago

Yes, I did.

tylerfanelli commented 1 week ago

Can you walk through each command you ran to get to this point? Generating the report, certs, etc. Please show each command line.