
BUG: CCA realm attestation result has status tier of "Warning" when no RVs are present #265

Open
paulhowardarm opened this issue Aug 29, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@paulhowardarm

What version of the package are you using?

I am using an instance of Veraison running on Linaro infrastructure, and available publicly at the base URL http://veraison.test.linaro.org:8080.

Commit level at date of reporting should be this one.

Does this issue reproduce with the latest release?

Yes

What OS and CPU architecture are you using (go env)?

I am not able to report this because I am not running my own instance of the service.

What did you do?

I used the Linaro-provided Veraison verification instance, which has been provisioned with endorsements and RVs for the CCA software models (which use a well-known token).

I submitted this token for verification and visually inspected the attestation result.

If you wish, for convenience, you can automate the repro by building and running this example Rust program, which you can run on the command-line without any arguments. It will submit the correct token to the Linaro-provided verifier and provide a summary of the returned AR.

What did you expect to see?

My initial expectation was for the AR to contain a single submodule for CCA_SSD_PLATFORM and a status tier of Affirming. This was previous behaviour.

What did you see instead?

The AR contained two submodules, one for CCA_SSD_PLATFORM with a status of Affirming as expected, but there was also another submodule for CCA_REALM with a status of Warning.

The presence of the second submodule for CCA_REALM is a feature, not a bug. This is due to recent work in the CCA plug-in to support the realm token.

However, the status of Warning does not appear to be the most appropriate. The Linaro verifier does not have any RVs for the realm token. This evaluation should have been skipped entirely with a consequent AR4SI tier value of None for this submodule.

@paulhowardarm paulhowardarm added the bug Something isn't working label Aug 29, 2024
@thomas-fossati (Contributor) commented Aug 29, 2024

Thanks @paulhowardarm for reporting.

I can reproduce the behaviour using your token with the latest (0d3a0937) evcli:

evcli cca verify-as relying-party \
    --token cca-token.cbor \
    --config ~/.config/evcli/config.yaml \
    2>&1 | \
        grep -v "^Using" | \
        tr -d '"' | \
        step crypto jwt inspect --insecure

with $HOME/.config/evcli/config.yaml containing the following settings:

api_server: http://veraison.test.linaro.org:8080/challenge-response/v1/newSession
insecure: true

and I think you are right: since no realm reference values are provisioned, there is no good reason for the CCA_REALM appraisal to state a warning (33) in the executables bucket. It should just say "I can't tell", i.e., 0.

thomas-fossati added a commit that referenced this issue Sep 3, 2024
Do not return an overall warning status if no realm reference values have been
provisioned.  Instead, return "no claims".

Fix #265

Signed-off-by: Thomas Fossati <[email protected]>
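To make the distinction in this thread concrete, here is a small Go example (added here; it is not Veraison code and does not use Veraison's API or type names) covering both the reporter's expectation of a None tier when no RVs exist and the comment above about the executables bucket reporting 33 instead of 0. It appraises a realm submodule's executables claim two ways: a path that reproduces the reported behaviour (no reference values means nothing matches, so the claim is 33 and the submodule lands in the Warning tier) and a path that skips the appraisal and returns 0 when no reference values are provisioned. The AR4SI value names, the tier boundaries in TierOf, the worst-claim rule in SubmoduleTier and the sample measurements are assumptions of this example; only the values 0 and 33 come from the issue.

```go
package main

import "fmt"

// AR4SI trust-vector values used in this example. The issue mentions 0 and 33;
// the names given to them and the tier boundaries in TierOf follow the AR4SI
// draft as the author of this example reads it, and are assumptions of the
// example rather than code or constants from Veraison.
const (
	NoClaim                 = 0  // "I can't tell": no assertion could be made
	ApprovedExecutables     = 2  // only a recognized, approved set was loaded
	UnrecognizedExecutables = 33 // loaded executables not recognized as approved
)

// TierOf maps an AR4SI trust-vector value to its status tier.
func TierOf(v int) string {
	switch {
	case v == 0 || v == -1:
		return "none"
	case v >= 2 && v <= 31:
		return "affirming"
	case v >= 32 && v <= 95:
		return "warning"
	case v >= 96 && v <= 127:
		return "contraindicated"
	}
	return "invalid"
}

// contains reports whether a measurement appears among the provisioned reference values.
func contains(refs []string, m string) bool {
	for _, r := range refs {
		if r == m {
			return true
		}
	}
	return false
}

// AppraiseRealmExecutablesBuggy reproduces the behaviour reported in the issue:
// with no realm reference values provisioned nothing can match, so every realm
// measurement is treated as unrecognized and the executables claim becomes 33.
func AppraiseRealmExecutablesBuggy(measured, refs []string) int {
	for _, m := range measured {
		if !contains(refs, m) {
			return UnrecognizedExecutables
		}
	}
	return ApprovedExecutables
}

// AppraiseRealmExecutablesFixed applies what the issue asks for: when no
// reference values are provisioned the appraisal is skipped and the claim is 0.
// Matching against provisioned values is unchanged.
func AppraiseRealmExecutablesFixed(measured, refs []string) int {
	if len(refs) == 0 {
		return NoClaim
	}
	return AppraiseRealmExecutablesBuggy(measured, refs)
}

// SubmoduleTier returns the overall tier of a submodule as the worst tier among
// its trust-vector claims (assumed ordering: none < affirming < warning < contraindicated).
func SubmoduleTier(vector map[string]int) string {
	rank := map[string]int{"none": 0, "affirming": 1, "warning": 2, "contraindicated": 3, "invalid": 4}
	worst := "none"
	for _, v := range vector {
		if t := TierOf(v); rank[t] > rank[worst] {
			worst = t
		}
	}
	return worst
}

func main() {
	// Constructed sample: two realm measurements (placeholder hex) and no RVs,
	// the situation on the Linaro verifier described in the issue.
	measured := []string{"aa11aa11", "bb22bb22"}
	var noRefs []string

	buggy := AppraiseRealmExecutablesBuggy(measured, noRefs)
	fixed := AppraiseRealmExecutablesFixed(measured, noRefs)
	fmt.Printf("before fix: executables=%d tier=%s\n", buggy, TierOf(buggy)) // 33 warning
	fmt.Printf("after fix:  executables=%d tier=%s\n", fixed, TierOf(fixed)) // 0 none

	// With matching RVs provisioned the fixed path still affirms.
	ok := AppraiseRealmExecutablesFixed(measured, []string{"aa11aa11", "bb22bb22"})
	fmt.Printf("with RVs:   executables=%d tier=%s\n", ok, TierOf(ok)) // 2 affirming

	fmt.Println("CCA_REALM overall (before):", SubmoduleTier(map[string]int{"executables": buggy}))
	fmt.Println("CCA_REALM overall (after): ", SubmoduleTier(map[string]int{"executables": fixed}))
}
```

The point the example makes is the one the commit message states: an empty reference-value set is a "cannot appraise" condition, not a mismatch, so the check for it has to come before any comparison loop; otherwise a loop that treats "no match" as "unrecognized" silently turns missing provisioning into a Warning for the whole submodule.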