diff --git a/oak_attestation_verification/src/expect.rs b/oak_attestation_verification/src/expect.rs index ef281a9b60..0e12253921 100644 --- a/oak_attestation_verification/src/expect.rs +++ b/oak_attestation_verification/src/expect.rs @@ -13,6 +13,9 @@ // See the License for the specific language governing permissions and // limitations under the License. // +// Names of functions related to legacy attestation verification start with +// `get_`, while names of functions related to policy-based attestation +// verification start with `acquire_`. use alloc::{string::String, vec::Vec}; 
@@ -21,21 +24,23 @@ use oak_proto_rust::oak::{ attestation::v1::{ binary_reference_value, endorsement::Format, endorsements, expected_digests, expected_values, kernel_binary_reference_value, reference_values, text_expected_value, - text_reference_value, AmdSevExpectedValues, AmdSevReferenceValues, + text_reference_value, AmdSevExpectedValues, AmdSevReferenceValues, ApplicationEndorsement, ApplicationLayerEndorsements, ApplicationLayerExpectedValues, ApplicationLayerReferenceValues, BinaryReferenceValue, CbEndorsements, CbExpectedValues, - CbReferenceValues, ContainerLayerEndorsements, ContainerLayerExpectedValues, - ContainerLayerReferenceValues, Endorsement, EndorsementReferenceValue, Endorsements, - EventExpectedValues, EventReferenceValues, ExpectedDigests, ExpectedRegex, - ExpectedStringLiterals, ExpectedValues, FirmwareAttachment, InsecureExpectedValues, - IntelTdxExpectedValues, KernelAttachment, KernelBinaryReferenceValue, KernelExpectedValues, + CbReferenceValues, ContainerEndorsement, ContainerLayerEndorsements, + ContainerLayerExpectedValues, ContainerLayerReferenceValues, Endorsement, + EndorsementReferenceValue, Endorsements, EventExpectedValues, EventReferenceValues, + ExpectedDigests, ExpectedRegex, ExpectedStringLiterals, ExpectedValues, FirmwareAttachment, + FirmwareEndorsement, InsecureExpectedValues, IntelTdxExpectedValues, KernelAttachment, + KernelBinaryReferenceValue, KernelEndorsement, KernelExpectedValues, KernelLayerEndorsements, KernelLayerExpectedValues, KernelLayerReferenceValues, OakContainersEndorsements, OakContainersExpectedValues, OakContainersReferenceValues, OakRestrictedKernelEndorsements, OakRestrictedKernelExpectedValues, OakRestrictedKernelReferenceValues, RawDigests, ReferenceValues, RootLayerEndorsements, RootLayerExpectedValues, RootLayerReferenceValues, Signature, SignedEndorsement, - SystemLayerEndorsements, SystemLayerExpectedValues, SystemLayerReferenceValues, - TextExpectedValue, TextReferenceValue, 
TransparentReleaseEndorsement, VerificationSkipped, + SystemEndorsement, SystemLayerEndorsements, SystemLayerExpectedValues, + SystemLayerReferenceValues, TextExpectedValue, TextReferenceValue, + TransparentReleaseEndorsement, VerificationSkipped, }, RawDigest, }; @@ -44,7 +49,7 @@ use prost::Message; use crate::{ endorsement::{ self, get_digest, is_firmware_type, is_kernel_type, parse_statement, - verify_binary_endorsement, verify_endorsement, + verify_binary_endorsement, verify_endorsement, DefaultStatement, }, util::{hex_to_raw_digest, is_hex_digest_match, raw_digest_from_contents, raw_to_hex_digest}, }; @@ -182,7 +187,7 @@ pub(crate) fn get_cb_expected_values( .context("getting root layer values")?, ), kernel_layer: Some( - get_event_expected_values( + acquire_event_expected_values( now_utc_millis, reference_values .kernel_layer @@ -192,7 +197,7 @@ pub(crate) fn get_cb_expected_values( .context("getting kernel layer values")?, ), system_layer: Some( - get_event_expected_values( + acquire_event_expected_values( now_utc_millis, reference_values .system_layer @@ -202,7 +207,7 @@ pub(crate) fn get_cb_expected_values( .context("getting system layer values")?, ), application_layer: Some( - get_event_expected_values( + acquire_event_expected_values( now_utc_millis, reference_values .application_layer @@ -274,11 +279,11 @@ pub(crate) fn get_kernel_layer_expected_values( kernel_cmd_line_text: Some( get_text_expected_values( now_utc_millis, + endorsements.and_then(|value| value.kernel_cmd_line.as_ref()), reference_values .kernel_cmd_line_text .as_ref() .context("no kernel command line text reference values")?, - endorsements.and_then(|value| value.kernel_cmd_line.as_ref()), ) .context("getting kernel command line values")?, ), 
@@ -315,7 +320,67 @@ pub(crate) fn get_kernel_layer_expected_values( }) } -pub(crate) fn get_event_expected_values( +pub(crate) fn acquire_kernel_event_expected_values( + now_utc_millis: i64, + endorsement: Option<&KernelEndorsement>, + reference_values: &KernelLayerReferenceValues, +) -> anyhow::Result { + Ok(KernelLayerExpectedValues { + kernel: Some( + acquire_kernel_expected_values( + now_utc_millis, + endorsement.and_then(|value| value.kernel.as_ref()), + reference_values.kernel.as_ref().context("no kernel reference value")?, + ) + .context("getting kernel values")?, + ), + + // TODO: b/331252282 - Remove temporary workaround for cmd line. + kernel_cmd_line_text: Some( + acquire_text_expected_values( + now_utc_millis, + endorsement.and_then(|value| value.kernel_cmd_line.as_ref()), + reference_values + .kernel_cmd_line_text + .as_ref() + .context("no kernel command line text reference values")?, + ) + .context("getting kernel command line values")?, + ), + + init_ram_fs: Some( + acquire_expected_digests( + now_utc_millis, + endorsement.and_then(|value| value.init_ram_fs.as_ref()), + reference_values + .init_ram_fs + .as_ref() + .context("no initial RAM disk reference value")?, + ) + .context("getting initramfs values")?, + ), + + memory_map: Some( + acquire_expected_digests( + now_utc_millis, + endorsement.and_then(|value| value.memory_map.as_ref()), + reference_values.memory_map.as_ref().context("no memory map reference value")?, + ) + .context("getting memory map values")?, + ), + + acpi: Some( + acquire_expected_digests( + now_utc_millis, + endorsement.and_then(|value| value.acpi.as_ref()), + reference_values.acpi.as_ref().context("no ACPI reference value")?, + ) + .context("getting acpi values")?, + ), + }) +} + +pub(crate) fn acquire_event_expected_values( now_utc_millis: i64, reference_values: &EventReferenceValues, ) -> anyhow::Result { 
@@ -343,6 +408,22 @@ pub(crate) fn get_system_layer_expected_values( Ok(SystemLayerExpectedValues { system_image }) } +pub(crate) fn acquire_system_event_expected_values( + now_utc_millis: i64, + endorsement: Option<&SystemEndorsement>, + reference_values: &SystemLayerReferenceValues, +) -> anyhow::Result { + let system_image = Some( + acquire_expected_digests( + now_utc_millis, + endorsement.and_then(|value| value.system_image.as_ref()), + reference_values.system_image.as_ref().context("system image reference value")?, + ) + .context("getting system image values")?, + ); + Ok(SystemLayerExpectedValues { system_image }) +} + pub(crate) fn get_application_layer_expected_values( now_utc_millis: i64, endorsements: Option<&ApplicationLayerEndorsements>, @@ -367,6 +448,33 @@ pub(crate) fn get_application_layer_expected_values( Ok(ApplicationLayerExpectedValues { binary, configuration }) } +pub(crate) fn acquire_application_event_expected_values( + now_utc_millis: i64, + endorsement: Option<&ApplicationEndorsement>, + reference_values: &ApplicationLayerReferenceValues, +) -> anyhow::Result { + let binary = Some( + acquire_expected_digests( + now_utc_millis, + endorsement.and_then(|value| value.binary.as_ref()), + reference_values.binary.as_ref().context("application binary reference value")?, + ) + .context("getting application binary values")?, + ); + let configuration = Some( + acquire_expected_digests( + now_utc_millis, + endorsement.and_then(|value| value.configuration.as_ref()), + reference_values + .configuration + .as_ref() + .context("application config reference value")?, + ) + .context("getting application config values")?, + ); + Ok(ApplicationLayerExpectedValues { binary, configuration }) +} + pub(crate) fn get_container_layer_expected_values( now_utc_millis: i64, endorsements: Option<&ContainerLayerEndorsements>, 
@@ -391,6 +499,30 @@ pub(crate) fn get_container_layer_expected_values( Ok(ContainerLayerExpectedValues { bundle, config }) } +pub(crate) fn acquire_container_event_expected_values( + now_utc_millis: i64, + endorsement: Option<&ContainerEndorsement>, + reference_values: &ContainerLayerReferenceValues, +) -> anyhow::Result { + let bundle = Some( + acquire_expected_digests( + now_utc_millis, + endorsement.and_then(|value| value.binary.as_ref()), + reference_values.binary.as_ref().context("container binary reference value")?, + ) + .context("getting container binary values")?, + ); + let config = Some( + acquire_expected_digests( + now_utc_millis, + endorsement.and_then(|value| value.binary.as_ref()), + reference_values.configuration.as_ref().context("container config reference value")?, + ) + .context("getting container config values")?, + ); + Ok(ContainerLayerExpectedValues { bundle, config }) +} + // Generate the expected measurement digest values for the provided endorsement // and reference_value. The resulting values can be cached by the client to // avoid re-computation later. 
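Review bot: In `acquire_container_event_expected_values` the `config` value is built from `endorsement.and_then(|value| value.binary.as_ref())`, the same endorsement field already used for `bundle`, while the reference value it is paired with is `reference_values.configuration`. With an endorsement-type reference value, the container configuration would be verified against the binary's endorsement and take its expected digest from it. `acquire_application_event_expected_values` (hunk `-367,6 +448,33`) uses `value.configuration.as_ref()` in the same position, so this looks like a copy-paste slip. Assuming `ContainerEndorsement` carries the matching field, the line should read `endorsement.and_then(|value| value.configuration.as_ref()),`. A test whose binary and configuration endorsements differ would pin this.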
@@ -428,6 +560,37 @@ pub(crate) fn get_expected_measurement_digest( } } +// Generic helper to extract digest values for the provided endorsement and +// binary reference value. The resulting values can be cached by the client to +// avoid re-computation later. +fn acquire_expected_digests( + now_utc_millis: i64, + signed_endorsement: Option<&SignedEndorsement>, + reference_value: &BinaryReferenceValue, +) -> anyhow::Result { + match reference_value.r#type.as_ref() { + Some(binary_reference_value::Type::Skip(_)) => Ok(ExpectedDigests { + r#type: Some(expected_digests::Type::Skipped(VerificationSkipped {})), + }), + Some(binary_reference_value::Type::Endorsement(ref_value)) => { + let statement = verify_endorsement( + now_utc_millis, + signed_endorsement.context("endorsement missing")?, + ref_value, + ) + .context("verifying generic endorsement")?; + Ok(to_expected_digests( + &[hex_to_raw_digest(&get_digest(&statement)?)?], + statement.predicate.validity.as_ref(), + )) + } + Some(binary_reference_value::Type::Digests(expected_digests)) => { + Ok(to_expected_digests(&expected_digests.digests, None)) + } + None => Err(anyhow::anyhow!("empty binary reference value")), + } +} + // Extract the stage0 data from the provided Endorsement // It will only be returned if the endorsement was verified. fn get_verified_stage0_attachment( 
@@ -444,18 +607,42 @@ fn get_verified_stage0_attachment( ) .context("verifying firmware endorsement")?; // Parse endorsement statement and verify attachment digest. - let parsed_statement = + let statement = parse_statement(&endorsement.endorsement).context("parsing endorsement statement")?; - if !is_firmware_type(&parsed_statement) { + if !is_firmware_type(&statement) { anyhow::bail!("expected endorsement for firmware-type binary"); } - let expected_digest = get_digest(&parsed_statement).context("getting expected digest")?; + let expected_digest = get_digest(&statement).context("getting expected digest")?; let actual_digest = raw_to_hex_digest(&raw_digest_from_contents(&endorsement.subject)); is_hex_digest_match(&actual_digest, &expected_digest).context("comparing digests")?; FirmwareAttachment::decode(&*endorsement.subject) .map_err(|_| anyhow::anyhow!("couldn't parse stage0 attachment")) } +fn acquire_verified_stage0_attachment( + now_utc_millis: i64, + signed_endorsement: &SignedEndorsement, + ref_value: &EndorsementReferenceValue, +) -> anyhow::Result<(FirmwareAttachment, DefaultStatement)> { + let statement = verify_endorsement(now_utc_millis, signed_endorsement, ref_value) + .context("verifying firmware endorsement")?; + if !is_firmware_type(&statement) { + anyhow::bail!("expected endorsement for firmware-type binary"); + } + + let expected_digest = get_digest(&statement).context("getting expected digest")?; + let endorsement = signed_endorsement + .endorsement + .as_ref() + .ok_or_else(|| anyhow::anyhow!("missing endorsement"))?; + let actual_digest = raw_to_hex_digest(&raw_digest_from_contents(&endorsement.subject)); + is_hex_digest_match(&actual_digest, &expected_digest).context("comparing expected digest")?; + + let decoded = FirmwareAttachment::decode(&*endorsement.subject) + .map_err(|_| anyhow::anyhow!("couldn't parse firmware attachment"))?; + Ok((decoded, statement)) +} + // Get the expected values from the provided TransparentReleaseEndorsement. 
// The endorsement is expected to contain a subject that can be deserialized as // a FirmwareAttachment. @@ -500,6 +687,41 @@ pub(crate) fn get_stage0_expected_values( } } +pub(crate) fn acquire_stage0_expected_values( + now_utc_millis: i64, + endorsement: Option<&FirmwareEndorsement>, + reference_value: &BinaryReferenceValue, +) -> anyhow::Result { + match reference_value.r#type.as_ref() { + Some(binary_reference_value::Type::Skip(_)) => Ok(ExpectedDigests { + r#type: Some(expected_digests::Type::Skipped(VerificationSkipped {})), + }), + Some(binary_reference_value::Type::Endorsement(ref_value)) => { + let (firmware_attachment, statement) = acquire_verified_stage0_attachment( + now_utc_millis, + endorsement.and_then(|value| value.firmware.as_ref()).expect(""), + ref_value, + ) + .context("getting verified stage0 attachment")?; + + Ok(to_expected_digests( + firmware_attachment + .configs + .values() + .map(|digest| hex_to_raw_digest(digest).unwrap()) + .collect::>() + .as_slice(), + statement.predicate.validity.as_ref(), + )) + } + Some(binary_reference_value::Type::Digests(expected_digests)) => { + Ok(to_expected_digests(expected_digests.digests.as_slice(), None)) + } + + None => Err(anyhow::anyhow!("empty stage0 reference value")), + } +} + // Extract the KernelAttachment data from the provided Endorsement // It will only be returned if the endorsement was verified. fn get_verified_kernel_attachment( 
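Review bot: `acquire_stage0_expected_values` panics where it should return an error, on two values that come from the decoded endorsement. `endorsement.and_then(|value| value.firmware.as_ref()).expect("")` aborts when the `FirmwareEndorsement` has no `firmware` field, and `hex_to_raw_digest(digest).unwrap()` aborts on a malformed digest string in the attachment. `policy/firmware.rs` now passes `Some(&endorsement)` decoded from `encoded_firmware_endorsement`, so whoever supplies those bytes can reach the first case, and a verification failure becomes a crash of the verifier. Both can stay on the error path the other branches use: `.context("firmware endorsement missing")?` for the lookup, and `.map(|digest| hex_to_raw_digest(digest)).collect::<Result<Vec<_>, _>>()?` for the digest list.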
@@ -516,18 +738,41 @@ fn get_verified_kernel_attachment( ) .context("verifying kernel endorsement")?; // Parse endorsement statement and verify attachment digest. - let parsed_statement = + let statement = parse_statement(&endorsement.endorsement).context("parsing endorsement statement")?; - if !is_kernel_type(&parsed_statement) { + if !is_kernel_type(&statement) { anyhow::bail!("expected endorsement for kernel-type binary"); } - let expected_digest = get_digest(&parsed_statement).context("getting expected digest")?; + let expected_digest = get_digest(&statement).context("getting expected digest")?; let actual_digest = raw_to_hex_digest(&raw_digest_from_contents(&endorsement.subject)); is_hex_digest_match(&actual_digest, &expected_digest).context("comparing expected digest")?; KernelAttachment::decode(&*endorsement.subject) .map_err(|_| anyhow::anyhow!("couldn't parse kernel attachment")) } +fn acquire_verified_kernel_attachment( + now_utc_millis: i64, + signed_endorsement: &SignedEndorsement, + ref_value: &EndorsementReferenceValue, +) -> anyhow::Result<(KernelAttachment, DefaultStatement)> { + let statement = verify_endorsement(now_utc_millis, signed_endorsement, ref_value) + .context("verifying kernel endorsement")?; + if !is_kernel_type(&statement) { + anyhow::bail!("expected endorsement for kernel-type binary"); + } + let expected_digest = get_digest(&statement).context("getting expected digest")?; + let endorsement = signed_endorsement + .endorsement + .as_ref() + .ok_or_else(|| anyhow::anyhow!("missing endorsement"))?; + let actual_digest = raw_to_hex_digest(&raw_digest_from_contents(&endorsement.subject)); + is_hex_digest_match(&actual_digest, &expected_digest).context("comparing expected digest")?; + + let decoded = KernelAttachment::decode(&*endorsement.subject) + .map_err(|_| anyhow::anyhow!("couldn't parse kernel attachment"))?; + Ok((decoded, statement)) +} + // Get the expected values from the provided TransportReleaseEndorsement. 
// The endorsement is expected to contain a subject that can be deserialized as // a KernelAttachment. 
@@ -563,17 +808,80 @@ fn get_kernel_expected_values( .ok_or_else(|| anyhow::anyhow!("no setup data digest in kernel attachment"))?; let endorsement = endorsement.context("No endorsement provided")?; - let parsed_statement = parse_statement(&endorsement.endorsement) + let statement = parse_statement(&endorsement.endorsement) .context("parsing endorsement statement")?; Ok(KernelExpectedValues { image: Some(to_expected_digests( &[hex_to_raw_digest(&expected_image)?], - parsed_statement.predicate.validity.as_ref(), + statement.predicate.validity.as_ref(), )), setup_data: Some(to_expected_digests( &[hex_to_raw_digest(&expected_setup_data)?], - parsed_statement.predicate.validity.as_ref(), + statement.predicate.validity.as_ref(), + )), + }) + } + Some(kernel_binary_reference_value::Type::Digests(expected_digests)) => { + Ok(KernelExpectedValues { + image: Some(to_expected_digests( + &expected_digests + .image + .as_ref() + .ok_or_else(|| anyhow::anyhow!("no image digests provided"))? + .digests, + None, + )), + setup_data: Some(to_expected_digests( + &expected_digests + .setup_data + .as_ref() + .ok_or_else(|| anyhow::anyhow!("no setup_data digests provided"))? 
+ .digests, + None, + )), + }) + } + None => Err(anyhow::anyhow!("empty binary reference value")), + } +} + +fn acquire_kernel_expected_values( + now_utc_millis: i64, + signed_endorsement: Option<&SignedEndorsement>, + reference_value: &KernelBinaryReferenceValue, +) -> anyhow::Result { + match reference_value.r#type.as_ref() { + Some(kernel_binary_reference_value::Type::Skip(_)) => Ok(KernelExpectedValues { + image: Some(ExpectedDigests { + r#type: Some(expected_digests::Type::Skipped(VerificationSkipped {})), + }), + setup_data: Some(ExpectedDigests { + r#type: Some(expected_digests::Type::Skipped(VerificationSkipped {})), + }), + }), + Some(kernel_binary_reference_value::Type::Endorsement(public_keys)) => { + let (kernel_attachment, statement) = acquire_verified_kernel_attachment( + now_utc_millis, + signed_endorsement.context("endorsement not found")?, + public_keys, + ) + .context("getting verified kernel attachment")?; + let expected_image = kernel_attachment + .image + .ok_or_else(|| anyhow::anyhow!("no image digest in kernel attachment"))?; + let expected_setup_data = kernel_attachment + .setup_data + .ok_or_else(|| anyhow::anyhow!("no setup data digest in kernel attachment"))?; + + Ok(KernelExpectedValues { + image: Some(to_expected_digests( + &[hex_to_raw_digest(&expected_image)?], + statement.predicate.validity.as_ref(), + )), + setup_data: Some(to_expected_digests( + &[hex_to_raw_digest(&expected_setup_data)?], + statement.predicate.validity.as_ref(), )), }) } @@ -603,8 +911,8 @@ fn get_kernel_expected_values( pub(crate) fn get_text_expected_values( now_utc_millis: i64, - value: &TextReferenceValue, endorsement: Option<&TransparentReleaseEndorsement>, + value: &TextReferenceValue, ) -> anyhow::Result { match value.r#type.as_ref() { Some(text_reference_value::Type::Skip(_)) => Ok(TextExpectedValue { 
@@ -644,6 +952,43 @@ pub(crate) fn get_text_expected_values( } } +pub(crate) fn acquire_text_expected_values( + now_utc_millis: i64, + signed_endorsement: Option<&SignedEndorsement>, + value: &TextReferenceValue, +) -> anyhow::Result { + match value.r#type.as_ref() { + Some(text_reference_value::Type::Skip(_)) => Ok(TextExpectedValue { + r#type: Some(text_expected_value::Type::Skipped(VerificationSkipped {})), + }), + Some(text_reference_value::Type::Endorsement(ref_value)) => { + let signed = signed_endorsement.context("missing signed endorsement")?; + let _statement = verify_endorsement(now_utc_millis, signed, ref_value) + .context("verifying text endorsement")?; + // Compare the actual command line against the one inlined in the endorsement. + let endorsement = signed.endorsement.as_ref().context("missing endorsement")?; + let regex = String::from_utf8(endorsement.subject.clone()) + .expect("endorsement subject is not utf8"); + Ok(TextExpectedValue { + r#type: Some(text_expected_value::Type::Regex(ExpectedRegex { value: regex })), + }) + } + Some(text_reference_value::Type::Regex(regex)) => Ok(TextExpectedValue { + r#type: Some(text_expected_value::Type::Regex(ExpectedRegex { + value: regex.value.clone(), + })), + }), + Some(text_reference_value::Type::StringLiterals(string_literals)) => { + Ok(TextExpectedValue { + r#type: Some(text_expected_value::Type::StringLiterals(ExpectedStringLiterals { + value: string_literals.value.clone(), + })), + }) + } + None => Err(anyhow::anyhow!("missing skip or value in the text reference value")), + } +} + fn to_expected_digests( source: &[RawDigest], claim_validity: Option<&endorsement::Validity>, diff --git a/oak_attestation_verification/src/policy/application.rs b/oak_attestation_verification/src/policy/application.rs index 2ee796c1e8..7fa1d49290 100644 --- a/oak_attestation_verification/src/policy/application.rs +++ b/oak_attestation_verification/src/policy/application.rs 
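Review bot: The endorsement branch of `acquire_text_expected_values` returns `endorsement.subject` as the expected regex without comparing its digest to the verified statement, and `_statement` is discarded. `acquire_verified_stage0_attachment` and `acquire_verified_kernel_attachment` make that comparison explicitly before decoding the subject. Unless `verify_endorsement` already binds the subject to the statement (not visible in this hunk), the kernel command-line regex comes from bytes the signature does not cover. The same digest check should run here before the subject is used. The `expect("endorsement subject is not utf8")` should also become an error return so a non-UTF-8 subject cannot panic the verifier.

```rust
Some(text_reference_value::Type::Endorsement(ref_value)) => {
    // … unchanged: `signed` lookup from signed_endorsement …
    let statement = verify_endorsement(now_utc_millis, signed, ref_value)
        .context("verifying text endorsement")?;
    let endorsement = signed.endorsement.as_ref().context("missing endorsement")?;
    // Bind the subject bytes to the signed statement before trusting them.
    let expected_digest = get_digest(&statement).context("getting expected digest")?;
    let actual_digest = raw_to_hex_digest(&raw_digest_from_contents(&endorsement.subject));
    is_hex_digest_match(&actual_digest, &expected_digest).context("comparing expected digest")?;
    let regex = String::from_utf8(endorsement.subject.clone())
        .map_err(|_| anyhow::anyhow!("endorsement subject is not utf8"))?;
    // … unchanged: Ok(TextExpectedValue { Regex(ExpectedRegex { value: regex }) }) …
```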
@@ -18,7 +18,7 @@ use anyhow::Context; use oak_attestation_verification_types::{policy::Policy, APPLICATION_ENDORSEMENT_ID}; use oak_proto_rust::oak::{ attestation::v1::{ - ApplicationLayerData, ApplicationLayerEndorsements, ApplicationLayerReferenceValues, + ApplicationEndorsement, ApplicationLayerData, ApplicationLayerReferenceValues, EventAttestationResults, }, Variant, @@ -26,7 +26,7 @@ use oak_proto_rust::oak::{ use crate::{ compare::compare_application_layer_measurement_digests, - expect::get_application_layer_expected_values, + expect::acquire_application_event_expected_values, util::{decode_endorsement_proto, decode_event_proto}, }; @@ -54,18 +54,18 @@ impl Policy<[u8], Variant> for ApplicationPolicy { "type.googleapis.com/oak.attestation.v1.ApplicationLayerData", encoded_event, )?; - // TODO: b/375137648 - Decode into new endorsement protos. - let event_endorsement = decode_endorsement_proto::( + let endorsement = decode_endorsement_proto::( &APPLICATION_ENDORSEMENT_ID, encoded_event_endorsement, )?; - let expected_values = get_application_layer_expected_values( + let expected_values = acquire_application_event_expected_values( milliseconds_since_epoch, - Some(&event_endorsement), + Some(&endorsement), &self.reference_values, ) - .context("couldn't verify application endosements")?; + .context("couldn't verify application endorsements")?; + compare_application_layer_measurement_digests(&event, &expected_values) .context("couldn't verify application event")?; diff --git a/oak_attestation_verification/src/policy/binary.rs b/oak_attestation_verification/src/policy/binary.rs index 528464c66f..49309a2acc 100644 --- a/oak_attestation_verification/src/policy/binary.rs +++ b/oak_attestation_verification/src/policy/binary.rs 
@@ -22,7 +22,7 @@ use oak_proto_rust::oak::{ }; use crate::{ - compare::compare_event_measurement_digests, expect::get_event_expected_values, + compare::compare_event_measurement_digests, expect::acquire_event_expected_values, util::decode_event_proto, }; @@ -49,8 +49,9 @@ impl Policy<[u8], Variant> for BinaryPolicy { )?; let expected_values = - get_event_expected_values(milliseconds_since_epoch, &self.reference_values) - .context("couldn't verify event endosements")?; + acquire_event_expected_values(milliseconds_since_epoch, &self.reference_values) + .context("couldn't verify event endorsements")?; + compare_event_measurement_digests(&event, &expected_values) .context("couldn't verify generic event")?; diff --git a/oak_attestation_verification/src/policy/container.rs b/oak_attestation_verification/src/policy/container.rs index 43508890a1..97279e1d32 100644 --- a/oak_attestation_verification/src/policy/container.rs +++ b/oak_attestation_verification/src/policy/container.rs @@ -18,7 +18,7 @@ use anyhow::Context; use oak_attestation_verification_types::{policy::Policy, CONTAINER_ENDORSEMENT_ID}; use oak_proto_rust::oak::{ attestation::v1::{ - ContainerLayerData, ContainerLayerEndorsements, ContainerLayerReferenceValues, + ContainerEndorsement, ContainerLayerData, ContainerLayerReferenceValues, EventAttestationResults, }, Variant, @@ -26,7 +26,7 @@ use oak_proto_rust::oak::{ use crate::{ compare::compare_container_layer_measurement_digests, - expect::get_container_layer_expected_values, + expect::acquire_container_event_expected_values, util::{decode_endorsement_proto, decode_event_proto}, }; 
@@ -54,18 +54,18 @@ impl Policy<[u8], Variant> for ContainerPolicy { "type.googleapis.com/oak.attestation.v1.ContainerLayerData", encoded_event, )?; - // TODO: b/375137648 - Decode into new endorsement protos. - let event_endorsement = decode_endorsement_proto::( + let endorsement = decode_endorsement_proto::( &CONTAINER_ENDORSEMENT_ID, encoded_event_endorsement, )?; - let expected_values = get_container_layer_expected_values( + let expected_values = acquire_container_event_expected_values( milliseconds_since_epoch, - Some(&event_endorsement), + Some(&endorsement), &self.reference_values, ) - .context("couldn't verify container endosements")?; + .context("couldn't verify container endorsements")?; + compare_container_layer_measurement_digests(&event, &expected_values) .context("couldn't verify container event")?; diff --git a/oak_attestation_verification/src/policy/firmware.rs b/oak_attestation_verification/src/policy/firmware.rs index 2554703b32..3daa9b0d1f 100644 --- a/oak_attestation_verification/src/policy/firmware.rs +++ b/oak_attestation_verification/src/policy/firmware.rs @@ -22,7 +22,7 @@ use oak_proto_rust::oak::{ }; use crate::{ - compare::compare_measurement_digest, expect::get_stage0_expected_values, + compare::compare_measurement_digest, expect::acquire_stage0_expected_values, platform::convert_amd_sev_snp_initial_measurement, util::decode_endorsement_proto, }; 
@@ -44,21 +44,19 @@ impl Policy<[u8], Variant> for FirmwarePolicy { milliseconds_since_epoch: i64, ) -> anyhow::Result { let initial_measurement = convert_amd_sev_snp_initial_measurement(firmware_measurement); - let _firmware_endorsement = decode_endorsement_proto::( + let endorsement = decode_endorsement_proto::( &FIRMWARE_ENDORSEMENT_ID, encoded_firmware_endorsement, )?; - let initial_measurement_expected_values = get_stage0_expected_values( + let expected_values = acquire_stage0_expected_values( milliseconds_since_epoch, - // TODO: b/375137648 - Use firmware endorsement, once we switch to new endorsment - // types. - None, + Some(&endorsement), &self.reference_values, ) .context("getting stage0 values")?; - compare_measurement_digest(&initial_measurement, &initial_measurement_expected_values) + compare_measurement_digest(&initial_measurement, &expected_values) .context("stage0 measurement values failed verification")?; // TODO: b/356631062 - Return detailed attestation results. diff --git a/oak_attestation_verification/src/policy/kernel.rs b/oak_attestation_verification/src/policy/kernel.rs index 2ecec53d46..64e8e04a46 100644 --- a/oak_attestation_verification/src/policy/kernel.rs +++ b/oak_attestation_verification/src/policy/kernel.rs @@ -18,15 +18,14 @@ use anyhow::Context; use oak_attestation_verification_types::{policy::Policy, KERNEL_ENDORSEMENT_ID}; use oak_proto_rust::oak::{ attestation::v1::{ - EventAttestationResults, KernelLayerEndorsements, KernelLayerReferenceValues, - Stage0Measurements, + EventAttestationResults, KernelEndorsement, KernelLayerReferenceValues, Stage0Measurements, }, Variant, }; use crate::{ compare::compare_kernel_layer_measurement_digests, - expect::get_kernel_layer_expected_values, + expect::acquire_kernel_event_expected_values, extract::stage0_measurements_to_kernel_layer_data, util::{decode_endorsement_proto, decode_event_proto}, }; 
@@ -53,18 +52,17 @@ impl Policy<[u8], Variant> for KernelPolicy { "type.googleapis.com/oak.attestation.v1.Stage0Measurements", encoded_event, )?); - // TODO: b/375137648 - Decode into new endorsement protos. - let event_endorsements = decode_endorsement_proto::( + let endorsement = decode_endorsement_proto::( &KERNEL_ENDORSEMENT_ID, encoded_event_endorsement, )?; - let expected_values = get_kernel_layer_expected_values( + let expected_values = acquire_kernel_event_expected_values( milliseconds_since_epoch, - Some(&event_endorsements), + Some(&endorsement), &self.reference_values, ) - .context("couldn't verify kernel endosements")?; + .context("couldn't verify kernel endorsements")?; compare_kernel_layer_measurement_digests(&event, &expected_values) .context("couldn't verify kernel event")?; diff --git a/oak_attestation_verification/src/policy/system.rs b/oak_attestation_verification/src/policy/system.rs index 6f6ab2b082..4fd6a02c5f 100644 --- a/oak_attestation_verification/src/policy/system.rs +++ b/oak_attestation_verification/src/policy/system.rs @@ -18,15 +18,14 @@ use anyhow::Context; use oak_attestation_verification_types::{policy::Policy, SYSTEM_ENDORSEMENT_ID}; use oak_proto_rust::oak::{ attestation::v1::{ - EventAttestationResults, SystemLayerData, SystemLayerEndorsements, - SystemLayerReferenceValues, + EventAttestationResults, SystemEndorsement, SystemLayerData, SystemLayerReferenceValues, }, Variant, }; use crate::{ compare::compare_system_layer_measurement_digests, - expect::get_system_layer_expected_values, + expect::acquire_system_event_expected_values, util::{decode_endorsement_proto, decode_event_proto}, }; 
@@ -51,18 +50,18 @@ impl Policy<[u8], Variant> for SystemPolicy { "type.googleapis.com/oak.attestation.v1.SystemLayerData", encoded_event, )?; - // TODO: b/375137648 - Decode into new endorsement protos. - let event_endorsements = decode_endorsement_proto::( + let endorsement = decode_endorsement_proto::( &SYSTEM_ENDORSEMENT_ID, encoded_event_endorsement, )?; - let expected_values = get_system_layer_expected_values( + let expected_values = acquire_system_event_expected_values( milliseconds_since_epoch, - Some(&event_endorsements), + Some(&endorsement), &self.reference_values, ) - .context("couldn't verify system endosements")?; + .context("couldn't verify system endorsement")?; + compare_system_layer_measurement_digests(&event, &expected_values) .context("couldn't verify system event")?; diff --git a/oak_attestation_verification/testdata/oc_endorsements_20241205.binarypb b/oak_attestation_verification/testdata/oc_endorsements_20241205.binarypb index 31ac84e294..536dc9fbf9 100644 Binary files a/oak_attestation_verification/testdata/oc_endorsements_20241205.binarypb and b/oak_attestation_verification/testdata/oc_endorsements_20241205.binarypb differ diff --git a/oak_attestation_verification/testdata/oc_endorsements_20241205.textproto b/oak_attestation_verification/testdata/oc_endorsements_20241205.textproto index c569a5d93a..844641b03a 100644 --- a/oak_attestation_verification/testdata/oc_endorsements_20241205.textproto +++ b/oak_attestation_verification/testdata/oc_endorsements_20241205.textproto 
@@ -1,32 +1,58 @@ +# proto-file: proto/attestation/endorsement.proto +# proto-message: oak.attestaton.v1.Endorsements +# +# Valid real-world endorsements for an Oak Containers chain, used for testing. +# Created on 2024-12-04, last updated on 2025-01-15. +# `oc_endorsements_{DATE}.binarypb` is the same instance in serialized binary +# format. oak_containers { root_layer { - tee_certificate: "0\202\005M0\202\002\374\240\003\002\001\002\002\001\0000F\006\t*\206H\206\367\r\001\001\n09\240\0170\r\006\t`\206H\001e\003\004\002\002\005\000\241\0340\032\006\t*\206H\206\367\r\001\001\0100\r\006\t`\206H\001e\003\004\002\002\005\000\242\003\002\0010\243\003\002\001\0010{1\0240\022\006\003U\004\013\014\013Engineering1\0130\t\006\003U\004\006\023\002US1\0240\022\006\003U\004\007\014\013Santa Clara1\0130\t\006\003U\004\010\014\002CA1\0370\035\006\003U\004\n\014\026Advanced Micro Devices1\0220\020\006\003U\004\003\014\tSEV-Milan0\036\027\r240726020933Z\027\r310726020933Z0z1\0240\022\006\003U\004\013\014\013Engineering1\0130\t\006\003U\004\006\023\002US1\0240\022\006\003U\004\007\014\013Santa Clara1\0130\t\006\003U\004\010\014\002CA1\0370\035\006\003U\004\n\014\026Advanced Micro 
Devices1\0210\017\006\003U\004\003\014\010SEV-VCEK0v0\020\006\007*\206H\316=\002\001\006\005+\201\004\000\"\003b\000\004^L\177X*\267\210H\216\177\3431\262\304\312\217\263D\323\355R\350\305\007\274\000\276I\326Q\230\331\220K$\345G\316\016C\252\274d\340\3427\330\227\201\335s\033\033]\212\203\345`~\321\nIV\374z\306\'\n\351\210\204\242\234\203i\320z\267\300\251\247\346\024\2119\362\";\014]\0300\354CU\247\243\202\001\0270\202\001\0230\020\006\t+\006\001\004\001\234x\001\001\004\003\002\001\0000\027\006\t+\006\001\004\001\234x\001\002\004\n\026\010Milan-B00\021\006\n+\006\001\004\001\234x\001\003\001\004\003\002\001\0030\021\006\n+\006\001\004\001\234x\001\003\002\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\004\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\005\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\006\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\007\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\003\004\003\002\001\0260\022\006\n+\006\001\004\001\234x\001\003\010\004\004\002\002\000\3210M\006\t+\006\001\004\001\234x\001\004\004@\364\203\357\036;\n)\256\224\242\030\020\335\214`\261\024\341\263\237\317\232t\005\374\373\333zwvDB$\230E\014\275\305\252\263\230+1j\036\020\366\365:\371\336O\224\005\370\037\270!\343\315\235(\324\0370F\006\t*\206H\206\367\r\001\001\n09\240\0170\r\006\t`\206H\001e\003\004\002\002\005\000\241\0340\032\006\t*\206H\206\367\r\001\001\0100\r\006\t`\206H\001e\003\004\002\002\005\000\242\003\002\0010\243\003\002\001\001\003\202\002\001\000\013\013\354q\220,\230\261\363J\271\354\256[\324y\351\330\252\332\373\363\234\200\020M\'\311\302_\225w\324\257:\333B\3179a\357m\255j0\372!\342\252\275\031\307N6 
\236\370\251\032\313\2038\205\254rV?\356\243\031\376\013\234\361W\370\302>\335\237q\263C\256\2644Y\353\"a\333b\254.\213\004\033\201m\035|\263\365\274};\277\036\030V!\367p_C\243\202\001\0270\202\001\0230\020\006\t+\006\001\004\001\234x\001\001\004\003\002\001\0000\027\006\t+\006\001\004\001\234x\001\002\004\n\026\010Milan-B00\021\006\n+\006\001\004\001\234x\001\003\001\004\003\002\001\0030\021\006\n+\006\001\004\001\234x\001\003\002\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\004\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\005\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\006\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\007\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\003\004\003\002\001\0260\022\006\n+\006\001\004\001\234x\001\003\010\004\004\002\002\000\3210M\006\t+\006\001\004\001\234x\001\004\004@\243\375\302\306M\302\231\253\220\324#\211s\206KXcx\342\345\357\234\235M\306\010\363\275\252\211\251i\240?\033WR\312\325Z\014\025G\255\350\000\333\327@N\234\263\371s\215\243\262\200\321\337i\317\202\3440F\006\t*\206H\206\367\r\001\001\n09\240\0170\r\006\t`\206H\001e\003\004\002\002\005\000\241\0340\032\006\t*\206H\206\367\r\001\001\0100\r\006\t`\206H\001e\003\004\002\002\005\000\242\003\002\0010\243\003\002\001\001\003\202\002\001\000$\333\244s\202F\361w\273\354\021i\3415\035\207\361\256\277:\356\000\212\002\262\220Hi\326%\311P+\256~\223\0315\217qbG\223\242K2\3760`\303\014*\026\337\302\322\341\202\212!\343)\364\033Rb\326H\214\345d\327\030{\332:\261\331pj\272OA\240\236I\224\247\207\307\2634Y*\2703X\250\217\005\320\207jh\220)R\306\"\370Yz[@\243\346[\262@8~\265\020\234_$=\356d\262}I\2024\264\271\010]\372\327Eg\247\361\255\344\004\274\313a\306I`\213u)\337\374\2533\361Cm\225\034#\324\350G\310\347\324\r\035J\002\205A\335pS\3654&\177\352V\246yS\335TQG&\251\320\204\r\013j\360,\232\217b\341\343\321\362\266 
t\362\362s\210;\210\217\010P\362f7\332$\202\202I\216F\001\241\256\377\303I\243%\014tA\305|\361\257\214\341E+E7\227\332\204\020m\377\013\314Kk\025\343\247\027$\360A%\216\322\267KuU\273\036ON\211\275\305K\2346\tTe:\362\355\321\354\315\037\016\241\022\374\364x\351\017\0329\350H\250R\203T;\341 \362\223q\347\017\n\023\225d\210\247\266+;\317\374<%\233\032}\255\005\2221\366\201\364a\270\345\301Q(\341\223\320\300\244\211e\353l\310\300\253\313F\242 \032\246gOy\223=/\340\254\234\031\225.u\307\314\201\365\326\322C\3306\006/@b\016\313G\266rUj\271\312\354\233\035\243}\013s\224\200\316fY\2541\214\355\2316\225\304\276E\200\004\255\273\2317\340i4u\343\317`\3353\357)\232p\236\353\231\025%\220<\3359=#\"\037s\313\006\335\374\247M\225\255\223\345F\250^E\334\332\027$\032\365R\237\026\243\224\206e\256\251\000\264\271OZ\204\022i^\346cspg\344x\237AKo\216\016\257(h" stage0 { - endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"stage0_bin\",\n \"digest\": {\n \"sha256\": \"4995d127ff8505f1f21a45172f175674c774675618883ea15ce8244ec3d49df5\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2024-12-04T07:44:39.137000Z\",\n \"validity\": {\n \"notBefore\": \"2024-12-04T07:44:39.137000Z\",\n \"notAfter\": \"2025-03-04T07:44:39.137000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/10271.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/66738.md\"\n }\n ]\n }\n}\n" - endorsement_signature: "0E\002!\000\340\243\202\033.$ui\322\305\346T\374\372\253\263o{\216\226\221\276\005\353\004\027\333N\337\272}\326\002 99y\026\265C%\n&\215\211d\341\314\211@?_\020\330\372o\"~\366\340~\036\026<\356\373" - subject: 
"\ng\010\001\022c\202\002`82fe92481fc4d5a08ca15e7daed7588e4938d9debee44fb3fad673ff0382fb24151687c2fc90966544e8c7eb21e4fba2\ng\010\004\022c\202\002`6e405e2324e8536d3397205aea3b8f79b05d3e8a4a76c91bdb2d61df80decfc849a4962db3ca7da0c86adee27e1de35b\ng\010\020\022c\202\002`3ac3406f6c7b751cc2f8b12ee77e330ccf880640bed2d001b5aa1656dc200072601863ab14bbeaf75f23767625013365\ng\010@\022c\202\002`4e8c44cedfcdb4f1dfa9fde21ece741651b4801accd17b9486791daec6f249726a759f06d7e023de68ce07ebea5e4071" + endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"stage0_bin\",\n \"digest\": {\n \"sha256\": \"a8fa02e83d3a5da701200c8038f31d8333cbbaade36847661744ddfab0114619\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.621000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.621000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.621000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/10271.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/66738.md\"\n }\n ]\n }\n}\n" + endorsement_signature: "0F\002!\000\373\327\306\357\303\323)\365o\242t\307H\354F(\364p\313\327\236\366E\257\027\341\2510\245\250\264\252\002!\000\353\003\250\232\214?\324\361\024W\253\"\323,\024\027^+\263\350\037F\273\235P\314.\026\247\227*\365" + subject: "\ng\010\001\022c\202\002`7c2daa0108c61839cc7f9e6dad58338836469ebb9e7b216e8fadccfa8d7548fa26a824e8292f6e8699ab345f616ff734\ng\010\004\022c\202\002`ab8ce333c3415df2ae6880138fe261103c35466338c501a0f3b70b323feaceb02d5271ad1d8cd6935be8570e18a8e87e\ng\010\020\022c\202\002`51f1f3fc37441ecd765f0edcac9a9bd48de41a2cf4b174c2f3346edca13e7df478844ddd5386f2654275a43a52d67b38\ng\010@\022c\202\002`c0cafcb13152343f84ff2d867f3734bbbe015fcf3848083b65e1909c1984bf1e05ee815fc274793708c3fca2eaf63e64" } } kernel_layer { kernel { - endorsement: "{\n \"_type\": 
\"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_containers_kernel\",\n \"digest\": {\n \"sha256\": \"b67c400a04a2a1dd7bc217ee270576f19ce8e264ea42aa4d3ecb08e85e5a9a1a\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2024-12-04T07:44:38.397000Z\",\n \"validity\": {\n \"notBefore\": \"2024-12-04T07:44:38.397000Z\",\n \"notAfter\": \"2025-03-04T07:44:38.397000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/22790.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/98982.md\"\n }\n ]\n }\n}\n" - endorsement_signature: "0E\002 HJM5g\234z)Z\303\331W\302\006\246\000I\327\245n\024\313\300Wa\362\257\037\300\206W}\002!\000\320n\367\372Z4{\034\177j\320\354\240 \'!\223\272\235\033x\266\234\023\302\266\036Q\325\022\'K" + endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_containers_kernel\",\n \"digest\": {\n \"sha256\": \"b67c400a04a2a1dd7bc217ee270576f19ce8e264ea42aa4d3ecb08e85e5a9a1a\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:01.561000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:01.561000Z\",\n \"notAfter\": \"2025-04-14T07:44:01.561000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/22790.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/98982.md\"\n }\n ]\n }\n}\n" + endorsement_signature: "0F\002!\000\244\212\353\244\361a\261\244\247\364\216\2152\222\310\202\320A\312\267\310\343\341\227\320vB\212\327p\313H\002!\000\266\007\220\247\207\212\211\"\310\372\245\223\342\251f\003z\256\rW\350,_<\016A\025\366\341\330\344/" subject: 
"\n\211\006\202\001L02000057600033ef811da9f4925fdf2b4597942343e031b120c73e163b83eb2f7a9f4f97446c\212\001(ff59d8a4671808c56f0761369c1f422cca5a4295\222\001@29dc898c1fa91a6d49a9a66a6defd2d53ae90eb6902a80a21bc8c6978855eaa1\232\001\200\0019b53e4f34a769fb0e1520e0e81b8b4a811ae04c3fa2be953b8ffe5f76984a6890811f060afd53771eb7a35536e12e6d1212d47a36843277d15f3b00cb1ff24eb\242\001\200\001221edc34bec167b9ee62bba914c7093652a5b6869e26465485188fe21aec81d7fe36e31f6872bae04e4feaf3a298be0ba63b42b10b5598272d1eb3cf4f6a4200\252\001`d927dfdf20df2e2fe3de0b9efb0848d0db1b85890ba28e37abb8652532ee31a8a4fb9ad44cafda9efc6bf9ff9d0eae29\262\001@9a823cef4fa1c5c53830e0410384dcc2c6ca3ac6bf0b491fd16123a697bd762a\272\0018957d80c268bd954fc96b86f4812a95e61bfd188acc7a2e3542dab6c7\202\002`5a2a1ba414a37bd89abcdd3e2e34288b431748216c8fa5c5293167a27a95a4ebc214576000cc766b5bdcd14170639b19\022\205\006\202\001H010040005651f38283721c4b00fa12d871f9fc4c0cc53cceb3c56e833bd5f80ca9d6e984\212\001(efb78208afd9bff5be1ee3ceee00076fb47e3e3e\222\001@085c9fbd3de185458e59c5e2d1f6219929e34ba110a1c0797bd2464e98267b65\232\001\200\0010e0efee3a5e51eddd922bfbd5739132be461e2bcb2f370c96f28da644787e91bb87023b11cf4a5c0ef10a2f707775b125c38ef83fd812dd4ec31ea7c34da8a26\242\001\200\00174bfd6409f55b553d8349d118dd7fdcfd00149399a768b0c70c1c8bc42f3fe1ff8e6a7bd046d1232edb1675dbaa829d1ba2553041ab503cfd64bd5e5332f8635\252\001`3cf98e173d3b0230bca9b5fd84a57cb4d86c1a542c8ce7876d6993662020aafb8d9578353d90cb5e8e80ca40d7702e50\262\001@7eb810f35136f4b5164e071618b6a59d8bfb22922e38749983df089f747e38bf\272\0018520631938259636eed6356208371d7e87b65283a5bce192f6abfaed3\202\002`86e320c764212deac5001f33ea0a9e4ba4a914958c618086d2608ec1bf73ca426c4c54b4cbd0a18aadd2810492d3970a" } kernel_cmd_line { - endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_containers_kernel_cmd_line_regex\",\n \"digest\": {\n \"sha256\": 
\"4c93c60c646ed8ec53ac4761b249db0713a9b9ef316edc2ee9c4ec0221f72dac\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2024-12-04T07:44:38.691000Z\",\n \"validity\": {\n \"notBefore\": \"2024-12-04T07:44:38.691000Z\",\n \"notAfter\": \"2025-03-04T07:44:38.691000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/48633.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/77149.md\"\n }\n ]\n }\n}\n" - endorsement_signature: "0D\002 P\244K\337\r\220L\320^\2206\237\036f\006\203\317LY\252\036\252K\311\311\224\225\347V\237+\311\002 \0224eRX\252\237\273\210\241\021\343\245Rc\232\246\034U\237\016]~\323\360\333\\\277\344\214r\\" + endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_containers_kernel_cmd_line_regex\",\n \"digest\": {\n \"sha256\": \"4c93c60c646ed8ec53ac4761b249db0713a9b9ef316edc2ee9c4ec0221f72dac\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.022000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.022000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.022000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/48633.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/77149.md\"\n }\n ]\n }\n}\n" + endorsement_signature: "0F\002!\000\317s\331\330Q4\003Q\024q$e\354S\206\246\275?l\213\341Y|E\350\001\210\215{\245\214F\002!\000\367\014\334\325\242/!\265C\271U\342-\273\r~\274\231b\332\206\273\231j\333\2075\013W\352{X" subject: "^console=ttyS0 panic=-1 earlycon=uart,io,0x3F8 brd.rd_nr=1 brd.rd_size=[1-9][0-9]* brd.max_part=1 ip=10.0.2.15:::255.255.255.0::eth0:off net.ifnames=0 quiet(| -- .*)$\n" } init_ram_fs { - endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": 
\"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_containers_stage1\",\n \"digest\": {\n \"sha256\": \"03a524542c56e33795cb7775262c0cab14fe3111a220e36ecef78c229f86b354\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2024-12-04T07:44:38.701000Z\",\n \"validity\": {\n \"notBefore\": \"2024-12-04T07:44:38.701000Z\",\n \"notAfter\": \"2025-03-04T07:44:38.701000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/85483.md\"\n }\n ]\n }\n}\n" - endorsement_signature: "0D\002 \000\360\344k\374\216\037{\323\235?\031\237\023c\253\201\226\237\tV\277\306\211\256\360V\331M\354\220\371\002 3\231\265\345\366\270\032\221\022\010\333H\274\2777\020\362\352\247\325F\311\335|\342x\372\2115#A\350" + endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_containers_stage1\",\n \"digest\": {\n \"sha256\": \"821ca80e476b8ce3af83d72581c2984d0f1f2c0712d7e35a8f5278e3528ceaff\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.036000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.036000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.036000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/85483.md\"\n }\n ]\n }\n}\n" + endorsement_signature: "0D\002 y\rN?\374z\270\"[\245\010\315P\3645?\303\313&V\001\'\353t?\2567\311\331=S\333\002 \216\202V\303Lm\367\260\225\300\007q.\231\t\226\321\332\330\037\300\t\311\r\263\323aIv:\247" } } system_layer { system_image { - endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_containers_system_image\",\n \"digest\": {\n \"sha256\": \"e4a72404efb3c4ad836aa8910fdde03ae59d6ea935bc1195237dc9ff4950f49d\"\n }\n }\n ],\n \"predicate\": 
{\n \"issuedOn\": \"2024-12-04T07:44:38.712000Z\",\n \"validity\": {\n \"notBefore\": \"2024-12-04T07:44:38.712000Z\",\n \"notAfter\": \"2025-03-04T07:44:38.712000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/58963.md\"\n }\n ]\n }\n}\n" - endorsement_signature: "0F\002!\000\302 ^\262\350\036\340\271\340\257\375Ek\'\033-)&[\207\275%!H\314\363\022\022Z\023\236\337\002!\000\357\007\223\262o\266\004\277a\215x<{\306\362\313\214,\2154\363\300]\375\003\264-Q\013\202\327\271" + endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_containers_system_image\",\n \"digest\": {\n \"sha256\": \"c91da8f6297981093f44f3413fe7f8592ad3392155ac09f4b85461fde9ecfa7a\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.053000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.053000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.053000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/58963.md\"\n }\n ]\n }\n}\n" + endorsement_signature: "0E\002!\000\266\264G\365\000\035\021ZR4NY7\337;d\004\212\370\016*i\207^\377\236\241\300I\216[Y\002 d\251\203[FU5\316\017=\000\3265t\231&\210-\227\362-K\217\235w\261&\344\360?o\365" } } -} \ No newline at end of file +} +platform { + id: "Z\022\320\017H\240B$\277\364\227\\vWC\217" + value: "\n\321\n0\202\005M0\202\002\374\240\003\002\001\002\002\001\0000F\006\t*\206H\206\367\r\001\001\n09\240\0170\r\006\t`\206H\001e\003\004\002\002\005\000\241\0340\032\006\t*\206H\206\367\r\001\001\0100\r\006\t`\206H\001e\003\004\002\002\005\000\242\003\002\0010\243\003\002\001\0010{1\0240\022\006\003U\004\013\014\013Engineering1\0130\t\006\003U\004\006\023\002US1\0240\022\006\003U\004\007\014\013Santa Clara1\0130\t\006\003U\004\010\014\002CA1\0370\035\006\003U\004\n\014\026Advanced Micro 
Devices1\0220\020\006\003U\004\003\014\tSEV-Milan0\036\027\r240726045333Z\027\r310726045333Z0z1\0240\022\006\003U\004\013\014\013Engineering1\0130\t\006\003U\004\006\023\002US1\0240\022\006\003U\004\007\014\013Santa Clara1\0130\t\006\003U\004\010\014\002CA1\0370\035\006\003U\004\n\014\026Advanced Micro Devices1\0210\017\006\003U\004\003\014\010SEV-VCEK0v0\020\006\007*\206H\316=\002\001\006\005+\201\004\000\"\003b\000\004\351j\351\215\277\364>\'\311\302_\225w\324\257:\333B\3179a\357m\255j0\372!\342\252\275\031\307N6 \236\370\251\032\313\2038\205\254rV?\356\243\031\376\013\234\361W\370\302>\335\237q\263C\256\2644Y\353\"a\333b\254.\213\004\033\201m\035|\263\365\274};\277\036\030V!\367p_C\243\202\001\0270\202\001\0230\020\006\t+\006\001\004\001\234x\001\001\004\003\002\001\0000\027\006\t+\006\001\004\001\234x\001\002\004\n\026\010Milan-B00\021\006\n+\006\001\004\001\234x\001\003\001\004\003\002\001\0030\021\006\n+\006\001\004\001\234x\001\003\002\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\004\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\005\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\006\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\007\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\003\004\003\002\001\0260\022\006\n+\006\001\004\001\234x\001\003\010\004\004\002\002\000\3210M\006\t+\006\001\004\001\234x\001\004\004@\243\375\302\306M\302\231\253\220\324#\211s\206KXcx\342\345\357\234\235M\306\010\363\275\252\211\251i\240?\033WR\312\325Z\014\025G\255\350\000\333\327@N\234\263\371s\215\243\262\200\321\337i\317\202\3440F\006\t*\206H\206\367\r\001\001\n09\240\0170\r\006\t`\206H\001e\003\004\002\002\005\000\241\0340\032\006\t*\206H\206\367\r\001\001\0100\r\006\t`\206H\001e\003\004\002\002\005\000\242\003\002\0010\243\003\002\001\001\003\202\002\001\000$\333\244s\202F\361w\273\354\021i\3415\035\207\361\256\277:\356\000\212\002\262\220Hi\326%\311P+\256~\223\0315\217qbG\223\242K2\3760`\303\014*\026\33
7\302\322\341\202\212!\343)\364\033Rb\326H\214\345d\327\030{\332:\261\331pj\272OA\240\236I\224\247\207\307\2634Y*\2703X\250\217\005\320\207jh\220)R\306\"\370Yz[@\243\346[\262@8~\265\020\234_$=\356d\262}I\2024\264\271\010]\372\327Eg\247\361\255\344\004\274\313a\306I`\213u)\337\374\2533\361Cm\225\034#\324\350G\310\347\324\r\035J\002\205A\335pS\3654&\177\352V\246yS\335TQG&\251\320\204\r\013j\360,\232\217b\341\343\321\362\266 t\362\362s\210;\210\217\010P\362f7\332$\202\202I\216F\001\241\256\377\303I\243%\014tA\305|\361\257\214\341E+E7\227\332\204\020m\377\013\314Kk\025\343\247\027$\360A%\216\322\267KuU\273\036ON\211\275\305K\2346\tTe:\362\355\321\354\315\037\016\241\022\374\364x\351\017\0329\350H\250R\203T;\341 \362\223q\347\017\n\023\225d\210\247\266+;\317\374<%\233\032}\255\005\2221\366\201\364a\270\345\301Q(\341\223\320\300\244\211e\353l\310\300\253\313F\242 \032\246gOy\223=/\340\254\234\031\225.u\307\314\201\365\326\322C\3306\006/@b\016\313G\266rUj\271\312\354\233\035\243}\013s\224\200\316fY\2541\214\355\2316\225\304\276E\200\004\255\273\2317\340i4u\343\317`\3353\357)\232p\236\353\231\025%\220<\3359=#\"\037s\313\006\335\374\247M\225\255\223\345F\250^E\334\332\027$\032\365R\237\026\243\224\206e\256\251\000\264\271OZ\204\022i^\346cspg\344x\237AKo\216\016\257(h" +} +initial { + id: "\336J\rU`\352M\306\253\321\t\355tO\200\352" + value: "\n\306\t\n\365\010\010\001\022\311\005{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"stage0_bin\",\n \"digest\": {\n \"sha256\": \"a8fa02e83d3a5da701200c8038f31d8333cbbaade36847661744ddfab0114619\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.621000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.621000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.621000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/10271.md\"\n },\n {\n \"type\": 
\"https://github.com/project-oak/oak/blob/main/docs/tr/claim/66738.md\"\n }\n ]\n }\n}\n\032\244\003\ng\010\001\022c\202\002`7c2daa0108c61839cc7f9e6dad58338836469ebb9e7b216e8fadccfa8d7548fa26a824e8292f6e8699ab345f616ff734\ng\010\004\022c\202\002`ab8ce333c3415df2ae6880138fe261103c35466338c501a0f3b70b323feaceb02d5271ad1d8cd6935be8570e18a8e87e\ng\010\020\022c\202\002`51f1f3fc37441ecd765f0edcac9a9bd48de41a2cf4b174c2f3346edca13e7df478844ddd5386f2654275a43a52d67b38\ng\010@\022c\202\002`c0cafcb13152343f84ff2d867f3734bbbe015fcf3848083b65e1909c1984bf1e05ee815fc274793708c3fca2eaf63e64\022L\010\001\022H0F\002!\000\373\327\306\357\303\323)\365o\242t\307H\354F(\364p\313\327\236\366E\257\027\341\2510\245\250\264\252\002!\000\353\003\250\232\214?\324\361\024W\253\"\323,\024\027^+\263\350\037F\273\235P\314.\026\247\227*\365" +} +events { + id: "\211Q\035e]5F\001\220\013\036m\272\370B\266" + value: "\n\301\022\n\360\021\010\001\022\324\005{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_containers_kernel\",\n \"digest\": {\n \"sha256\": \"b67c400a04a2a1dd7bc217ee270576f19ce8e264ea42aa4d3ecb08e85e5a9a1a\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:01.561000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:01.561000Z\",\n \"notAfter\": \"2025-04-14T07:44:01.561000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/22790.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/98982.md\"\n }\n ]\n 
}\n}\n\032\224\014\n\211\006\202\001L02000057600033ef811da9f4925fdf2b4597942343e031b120c73e163b83eb2f7a9f4f97446c\212\001(ff59d8a4671808c56f0761369c1f422cca5a4295\222\001@29dc898c1fa91a6d49a9a66a6defd2d53ae90eb6902a80a21bc8c6978855eaa1\232\001\200\0019b53e4f34a769fb0e1520e0e81b8b4a811ae04c3fa2be953b8ffe5f76984a6890811f060afd53771eb7a35536e12e6d1212d47a36843277d15f3b00cb1ff24eb\242\001\200\001221edc34bec167b9ee62bba914c7093652a5b6869e26465485188fe21aec81d7fe36e31f6872bae04e4feaf3a298be0ba63b42b10b5598272d1eb3cf4f6a4200\252\001`d927dfdf20df2e2fe3de0b9efb0848d0db1b85890ba28e37abb8652532ee31a8a4fb9ad44cafda9efc6bf9ff9d0eae29\262\001@9a823cef4fa1c5c53830e0410384dcc2c6ca3ac6bf0b491fd16123a697bd762a\272\0018957d80c268bd954fc96b86f4812a95e61bfd188acc7a2e3542dab6c7\202\002`5a2a1ba414a37bd89abcdd3e2e34288b431748216c8fa5c5293167a27a95a4ebc214576000cc766b5bdcd14170639b19\022\205\006\202\001H010040005651f38283721c4b00fa12d871f9fc4c0cc53cceb3c56e833bd5f80ca9d6e984\212\001(efb78208afd9bff5be1ee3ceee00076fb47e3e3e\222\001@085c9fbd3de185458e59c5e2d1f6219929e34ba110a1c0797bd2464e98267b65\232\001\200\0010e0efee3a5e51eddd922bfbd5739132be461e2bcb2f370c96f28da644787e91bb87023b11cf4a5c0ef10a2f707775b125c38ef83fd812dd4ec31ea7c34da8a26\242\001\200\00174bfd6409f55b553d8349d118dd7fdcfd00149399a768b0c70c1c8bc42f3fe1ff8e6a7bd046d1232edb1675dbaa829d1ba2553041ab503cfd64bd5e5332f8635\252\001`3cf98e173d3b0230bca9b5fd84a57cb4d86c1a542c8ce7876d6993662020aafb8d9578353d90cb5e8e80ca40d7702e50\262\001@7eb810f35136f4b5164e071618b6a59d8bfb22922e38749983df089f747e38bf\272\0018520631938259636eed6356208371d7e87b65283a5bce192f6abfaed3\202\002`86e320c764212deac5001f33ea0a9e4ba4a914958c618086d2608ec1bf73ca426c4c54b4cbd0a18aadd2810492d3970a\022L\010\001\022H0F\002!\000\244\212\353\244\361a\261\244\247\364\216\2152\222\310\202\320A\312\267\310\343\341\227\320vB\212\327p\313H\002!\000\266\007\220\247\207\212\211\"\310\372\245\223\342\251f\003z\256\rW\350,_<\016A\025\366\341\330\344/\022\343\007\n\222\007\010\001\02
2\343\005{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_containers_kernel_cmd_line_regex\",\n \"digest\": {\n \"sha256\": \"4c93c60c646ed8ec53ac4761b249db0713a9b9ef316edc2ee9c4ec0221f72dac\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.022000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.022000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.022000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/48633.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/77149.md\"\n }\n ]\n }\n}\n\032\247\001^console=ttyS0 panic=-1 earlycon=uart,io,0x3F8 brd.rd_nr=1 brd.rd_size=[1-9][0-9]* brd.max_part=1 ip=10.0.2.15:::255.255.255.0::eth0:off net.ifnames=0 quiet(| -- .*)$\n\022L\010\001\022H0F\002!\000\317s\331\330Q4\003Q\024q$e\354S\206\246\275?l\213\341Y|E\350\001\210\215{\245\214F\002!\000\367\014\334\325\242/!\265C\271U\342-\273\r~\274\231b\332\206\273\231j\333\2075\013W\352{X\032\301\005\n\362\004\010\001\022\355\004{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_containers_stage1\",\n \"digest\": {\n \"sha256\": \"821ca80e476b8ce3af83d72581c2984d0f1f2c0712d7e35a8f5278e3528ceaff\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.036000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.036000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.036000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/85483.md\"\n }\n ]\n }\n}\n\022J\010\001\022F0D\002 y\rN?\374z\270\"[\245\010\315P\3645?\303\313&V\001\'\353t?\2567\311\331=S\333\002 \216\202V\303Lm\367\260\225\300\007q.\231\t\226\321\332\330\037\300\t\311\r\263\323aIv:\247" +} +events { + id: 
"G\"e]\226=O\311\204C\361Eq\3352\242" + value: "\n\310\005\n\370\004\010\001\022\363\004{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_containers_system_image\",\n \"digest\": {\n \"sha256\": \"c91da8f6297981093f44f3413fe7f8592ad3392155ac09f4b85461fde9ecfa7a\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.053000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.053000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.053000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/58963.md\"\n }\n ]\n }\n}\n\022K\010\001\022G0E\002!\000\266\264G\365\000\035\021ZR4NY7\337;d\004\212\370\016*i\207^\377\236\241\300I\216[Y\002 d\251\203[FU5\316\017=\000\3265t\231&\210-\227\362-K\217\235w\261&\344\360?o\365" +} +events { + id: "r\227\245\037\240]I\241\257\333d\315\356\007\206-" +} diff --git a/oak_attestation_verification/testdata/oc_evidence_20241205.binarypb b/oak_attestation_verification/testdata/oc_evidence_20241205.binarypb index 38668fd290..ec182f698d 100644 Binary files a/oak_attestation_verification/testdata/oc_evidence_20241205.binarypb and b/oak_attestation_verification/testdata/oc_evidence_20241205.binarypb differ diff --git a/oak_attestation_verification/testdata/oc_evidence_20241205.textproto b/oak_attestation_verification/testdata/oc_evidence_20241205.textproto index d2e5747fd0..5fa44948e3 100644 --- a/oak_attestation_verification/testdata/oc_evidence_20241205.textproto +++ b/oak_attestation_verification/testdata/oc_evidence_20241205.textproto 
@@ -2,28 +2,32 @@ # proto-message: oak.attestaton.v1.Evidence # # Valid real-world evidence for an Oak Containers chain, used for testing. -# Generated on 2024-12-04. `oc_evidence.binarypb` is the same instance in +# Created on 2024-12-04, last updated on 2025-01-15. +# `oc_evidence_{DATE}.binarypb` is the same instance in # serialized binary format. ECA: Embedded Certification Authority # # The stage0 binary is measured in the attestation report. root_layer { platform: AMD_SEV_SNP - remote_attestation_report: "\002\000\000\000\000\000\000\000\000\000\003\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\001\000\000\000\003\000\000\000\000\000\026\321\001\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\350\207_n\217\256\"U\254\224\010\003v\330\225\371M\332\317+\006.qT\311\304\302.\352\017\r\255\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\274\332\212Vx\325\013\333\200\242\010\343\370\315\3257\034\303\263 
\004]D\310\365\315;\211\271|\225\306\013:^n\206\324\354\375\n}\335\357\371k\037\306\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\2655\030l\0202*\353\262\036\300\034N\222a\330\243v\003\344x~\225\014i!\222\\\326ny\272\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\003\000\000\000\000\000\026\321\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\364\203\357\036;\n)\256\224\242\030\020\335\214`\261\024\341\263\237\317\232t\005\374\373\333zwvDB$\230E\014\275\305\252\263\230+1j\036\020\366\365:\371\336O\224\005\370\037\270!\343\315\235(\324\037\003\000\000\000\000\000\026\321\0247\001\000\0247\001\000\003\000\000\000\000\000\026\321\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\360\344\305\3576\301u\363k\322\307x\327\242\217\210\375\025d\351gZS%\247\205\225\245z\312m\031rT 
\'\307\256\'\310Wm\236\'\341a`\013\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000z\315\213\370\370\036\345\267\252V\363\362\207s\341t\203\0074\331\254\203\336\256\370\355\n\306`G\301\223\325\341z\007\311\336Vubc\343\240\356\017&\001\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" - eca_public_key: "\247\001\002\002T\322>\230\345\273\371:" + remote_attestation_report: 
"\002\000\000\000\000\000\000\000\000\000\003\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\001\000\000\000\003\000\000\000\000\000\026\321\001\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000}}\251\356\203\217\356\353W\235j\246\007w7g\267\007\020\312\244\345\264\361\3645R\0031+Z,\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000TG`kxMg#\334\26699\014\261+\222\206\341\214z\032\217}\r<\'\307\335P\325\034\224\310Ek`\002\360Gs,\210!\231\276\025o\277\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\347\273\326U\332\261\240,\220\367AF|\246*\301\037\202\371\201\261.\363m\\M\026=\014\026\370\242\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\003\000\000\000\000\000\026\321\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\243\375\302\306M\302\231\253\220\324#\211s\206KXcx\342\345\357\234\235M\306\010\363\275\252\211\251i\240?\033WR\312\325Z\014\025G\255\350\000\333\327@N\234\263\371s\215\243\262\200\321\337i\317\202\344\003\000\000\000\000\000\026\321\0247\001\000\0247\001\000\003\000\000\000\000\000\026\321\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\00
0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\0007\200\261\305\212k\364\0232\354l\214\221\375\236\341\2643\246\301\207\037\244\002\276\005#\254\375\312A>\013\270i\353\240s\374\343\241{\232\037\"ua\203\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000f\245h\355\'\027\273n\374\332\346 \256i\316\300S\000z\347\305\r0\256\266\202\357\225m\2500\033\244,\225/\2267\323\247V0\316\212\025\313\201\332\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\
000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" + eca_public_key: "\247\001\002\002T\373\177J\2321Q\035\217\350\227\377\364\343\025\264L\027\251\316\304\003&\004\201\002 \001!X \247X\211\354\035\nop \200O]\272FT9\303\257\312I\1775\374\344Tz5\321\004\227R\334\"X Q\245\033\227qO\244\241|\346*\020\307.\035\317x\376f+/\361_\276U\233rYX\270\024L" } layers { - eca_certificate: "\204C\241\001&\241\004RAsymmetricECDSA256X\371\245\001x(d23e98e5bbf93a3c64b384caef1b1884d21656c8\002x(2ea6aa3feaac804cc5506c0a8c44cee4cf6ebc6a:\000GDWXf\247\001\002\002T.\246\252?\352\254\200L\305Pl\n\214D\316\344\317n\274j\003&\004\201\002 \001!X \\\343j\264\001\013\236\357k\233n\r\031.\223L\220\354A|Z\206\3207A\271+\235\365\007\350\372\"X \025A(\352\324;A\nM\177s!\276z\006\3314*F^J\374\205l\214\300\376C\003dl\227:\000GDXB \000:\000GDl\241:\000GDkX *\320\013\347;\351L\344\r[\030\243\304\324X`\013\233r\352\033?\242\363\177*}\277v\206\202\242X@\023U\303v\003w\033\377\336U\353\254\374-CH\244\357\256\217\211\327\331\035\265C{Bb\023\372]\361rq\316#\251|\303\326\371\236\204\016\333\377\252\230\210]2\214\017|\226\'\373jBU\022/6" + eca_certificate: "\204C\241\001&\241\004RAsymmetricECDSA256X\371\245\001x(fb7f4a9a31511d8fe897fff4e315b44c17a9cec4\002x(8ff67d7290ed2bbe48867eee7d207239f9651f08:\000GDWXf\247\001\002\002T\217\366}r\220\355+\276H\206~\356} r9\371e\037\010\003&\004\201\002 \001!X \237\337Z\220x\312\327\374\326\206%\216Ut\373Wg\266\360\236\212\203\331Y[\215\325\3327\035\253q\"X \326\3009|\370\211BW\326\316Y\356\362\307\226\314\257b\341\374\t\003\200\010\252?\205\237T\323\226\235:\000GDXB 
\000:\000GDl\241:\000GDkX ;\025\201\177\330\321\313\276?\234G\363\332\2541\202\366\354\377\007:\314\006\263\2756\331M.t\246\237X@\200|\263\251\334\237\324\031\260\210\223-\213\221\350\315\271\034\335\320uSqU\227\3679`a\'\346\277[\370`{\262\202\305\352\245\225\230~\262\211OC\237\2231\317%\024\260\246\025\360\303\241\014\002\204\337" } layers { - eca_certificate: "\204C\241\001&\241\004RAsymmetricECDSA256X\371\245\001x(2ea6aa3feaac804cc5506c0a8c44cee4cf6ebc6a\002x(953912a1f9778a7d98c0e43b7996ad72b28dcce6:\000GDWXf\247\001\002\002T\2259\022\241\371w\212}\230\300\344;y\226\255r\262\215\314\346\003&\004\201\002 \001!X \024\357<\3154a\301\302\346\220*B\330\205E\363\331\270\330\251\010\021:\007\242\365\004\025o\221L\264\"X )\023\234~\314\277OLK}v\324\360\021c q\3145\336o\203nUyte\370\257C#l:\000GDXB \000:\000GDl\241:\000GDkX \365a\017r\337Mf5\247\2701\262\233fqGU\232Bv\204\355\304\2570\201\026\204v\224-\240X@\341\027GWJ\327\217\321\323g\340\016t\355 \314\376\244\374\"X\227\0225[T\224\262\323\354\311oP\361%O#?\211\026\353\242\344Q1NE\204\036qjx\366\337\312\224LL\271R\341\2335n" + eca_certificate: "\204C\241\001&\241\004RAsymmetricECDSA256X\371\245\001x(8ff67d7290ed2bbe48867eee7d207239f9651f08\002x(b7ca85b96b61af65a177c24407d486092fb401a4:\000GDWXf\247\001\002\002T\267\312\205\271ka\257e\241w\302D\007\324\206\t/\264\001\244\003&\004\201\002 \001!X iH\016\r\301\277\177\347\251\371o\344(\032\\X\272U\222\257 \322\'\362\212F\213\001\311^\241\376\"X \005\231C\326\264\372A\337\364\'O{\357\3619O\253\372\251\217{x\333\274SA\341ng\030mB:\000GDXB \000:\000GDl\241:\000GDkX S\200\3019\234\362\027\227\035\014\353\274l\215QB\235_W\234\277\347\016\277\036\323b7\232q\013:X@\023vt*]\251\037\235\204\333\226\016z\352^Q\303\034t\261\317g\334\264\232\270\035P\200D\346\302\333?\023\r\027\270\034-X\377\036w\223\335 :\316\346\230\373\377\300\343\021\216\361[\347\"\240\276\365" +} +layers { + eca_certificate: 
"\204C\241\001&\241\004RAsymmetricECDSA256X\371\245\001x(b7ca85b96b61af65a177c24407d486092fb401a4\002x(ea6b67dcb04a6ee8029abfd2ae28e7f84198eae0:\000GDWXf\247\001\002\002T\352kg\334\260Jn\350\002\232\277\322\256(\347\370A\230\352\340\003&\004\201\002 \001!X ]\274*\254\326~\321\250V\225\341\365\032\255\033G\252*\313\276M\223=\377t\005\264\254\004E\366\007\"X \202U\037m\330Q\361F\316\203c\3417Un3\340\326\203N\275\203\244\362\312^\025\201\000I\033\341:\000GDXB \000:\000GDl\241:\000GDkX \001\005\243\301\351\231\255Zaff\021\334\342GV\006t\354%_ok\333}\200\353\'\341^{\264X@9\027S\370xiu\005\375T`\377g{\t8\252\'\006\0230\177]\325\353\331J\347\355L \330\177E`t\332\211Q\3276\217\333\220`y\337\204g \311\013\225\372S#\246T\341\205\317\364\260\364" } application_keys { - encryption_public_key_certificate: "\204C\241\001&\241\004RAsymmetricECDSA256X\327\245\001x(953912a1f9778a7d98c0e43b7996ad72b28dcce6\002x(6de24211baced888c887a79e5e3e32ae96affadb:\000GDWXD\246\001\001\002Tm\342B\021\272\316\330\210\310\207\247\236^>2\256\226\257\372\333\0038\036\004\201\005 \004!X j\374\220\030\267\321\321\016ehX@\346u\234\223\215\262&2\001}\223y\177\317\230o\330\210\3038`p4jL\245)i\276C\304Dc$\010/O\3632\0332\343\024<\0169\353\302{\201\216\217\373\022D\314;\271DGc\325tA" - signing_public_key_certificate: "\204C\241\001&\241\004RAsymmetricECDSA256X\371\245\001x(953912a1f9778a7d98c0e43b7996ad72b28dcce6\002x(71531787de499090acdf5797dd2585e6fd0bcda0:\000GDWXf\247\001\002\002TqS\027\207\336I\220\220\254\337W\227\335%\205\346\375\013\315\240\003&\004\201\002 \001!X \334\224\302t\356+b\216\347\030sx\372\323\353p\257\236\262\\>\014G\227\017\220\030\267\321\321\016ehX@\025W\371\217!\311\326M\2542Q-\000@\362\001\244\306\254\016Lo\006\232\353B\222m\223n\220\334>\350\325\374\344\371O\023C*\027\346\301\'\007\265\245m\031\202xl\345\276\226%\006t1\3254\310" - group_encryption_public_key_certificate: 
"\204C\241\001&\241\004RAsymmetricECDSA256X\252\244\001x(953912a1f9778a7d98c0e43b7996ad72b28dcce6\002x(d3ab14c2f4d71b9e4d392d3c676bceea4c8d72c1:\000GDWXD\246\001\001\002T\323\253\024\302\364\327\033\236M9-\033\311\375\342\0038\036\004\201\005 \004!X \237\373\247k\327\231\311]\304\'!\265w\355\272\266\002xi\375\247\204\340^&\302\241c)\"\231a:\000GDXB \000X@\201\0275/\373\321\216%\341~P\020Xj\212\222K=zs\245d\342\207\355\017\250\024\353\272HT\256\023\220V<\311\317`)g\037\345,\270\325\212Nj\233\247I\306\001\ts\342\3330\027\271\021\354" } event_log { - encoded_events: "\n\006Stage0\022\202\003\n9type.googleapis.com/oak.attestation.v1.Stage0Measurements\022\304\002\n \010\\\237\275=\341\205E\216Y\305\342\321\366!\231)\343K\241\020\241\300y{\322FN\230&{e\022 )\334\211\214\037\251\032mI\251\246jm\357\322\325:\351\016\266\220*\200\242\033\310\306\227\210U\352\241\032 \003\245$T,V\3437\225\313wu&,\014\253\024\3761\021\242 \343n\316\367\214\"\237\206\263T\" \032}U\341\364\263\321;_S{+P\375\\\330\351O\335\315\350\013\025RJ\2715(\234.:\010* Z\200J\367\351\007t\222\332\302\342\333g\020\246\315\246\207\331]A\\rA\225\321\2051\010\"\261\2602\227\001console=ttyS0 panic=-1 earlycon=uart,io,0x3F8 brd.rd_nr=1 brd.rd_size=3072000 brd.max_part=1 ip=10.0.2.15:::255.255.255.0::eth0:off net.ifnames=0 quiet" - encoded_events: "\n\006stage1\022_\n6type.googleapis.com/oak.attestation.v1.SystemLayerData\022%\n#\222\001 \344\247$\004\357\263\304\255\203j\250\221\017\335\340:\345\235n\2515\274\021\225#}\311\377IP\364\235" - encoded_events: "\n\014ORCHESTRATOR\022\207\001\n9type.googleapis.com/oak.attestation.v1.ContainerLayerData\022J\n#\222\001 \242\037\340\272\017\254L\330\361\236hc\303!_\300\364\034E\'\206\021\026\374\000\323\035#\262k\260\213\022#\222\001 \033\336\262\213\304\362\020\333\233B\2421`\370\027\307\005\357\371\210\334g\302\342\350\356O\216\345\223Rz" + encoded_events: "\n\006Stage0\022\202\003\n9type.googleapis.com/oak.attestation.v1.Stage0Measurements\022\304\002\n 
\010\\\237\275=\341\205E\216Y\305\342\321\366!\231)\343K\241\020\241\300y{\322FN\230&{e\022 )\334\211\214\037\251\032mI\251\246jm\357\322\325:\351\016\266\220*\200\242\033\310\306\227\210U\352\241\032 \202\034\250\016Gk\214\343\257\203\327%\201\302\230M\017\037,\007\022\327\343Z\217Rx\343R\214\352\377\" \032}U\341\364\263\321;_S{+P\375\\\330\351O\335\315\350\013\025RJ\2715(\234.:\010* Z\200J\367\351\007t\222\332\302\342\333g\020\246\315\246\207\331]A\\rA\225\321\2051\010\"\261\2602\227\001console=ttyS0 panic=-1 earlycon=uart,io,0x3F8 brd.rd_nr=1 brd.rd_size=3072000 brd.max_part=1 ip=10.0.2.15:::255.255.255.0::eth0:off net.ifnames=0 quiet" + encoded_events: "\n\006stage1\022_\n6type.googleapis.com/oak.attestation.v1.SystemLayerData\022%\n#\222\001 \311\035\250\366)y\201\t?D\363A?\347\370Y*\3239!U\254\t\364\270Ta\375\351\354\372z" + encoded_events: "\n\014ORCHESTRATOR\022\260\002\n9type.googleapis.com/oak.attestation.v1.ContainerLayerData\022\362\001\n#\222\001 \276\023\017L\263\276\025TjWvM\"\255\315\235\217`\253\240\256C\360G\214pa8b\230[\363\022#\222\001 \033\336\262\213\304\362\020\333\233B\2421`\370\027\307\005\357\371\210\334g\302\342\350\356O\216\345\223Rz\032 $C \"J\307\230l}\005\227\211Y\215{)\004\026\227%\263{\014\336\322\356fk[v\313U\"A\004e\321u\216\206\251\227\024\267\302\261\323\203\240\374\026\343\240\230\347\353\227\356\2259X\205\n5\203\306\n\352\252\016\247\325\370\207,)u\'\221\315Z5\335,\375p\377(!\264\341\320\274\n\313\370Nw\337*A\004@M\201\205w\251\335\246\013s\266\376\000\373R\223\373x\022\337|\341\037%\344\334\221,\354U\317\347\201\247\373x\320Mo\347U\342A\000\233\315\274\371\004\002\374M[\362\313\024\002=H\256\001\252\rw" } 
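Review bot: The context line at the top of this hunk still reads `# proto-message: oak.attestaton.v1.Evidence`, while the type URLs inside `event_log` further down spell the package `oak.attestation.v1`. Since the header comment is being rewritten here anyway, it should become `# proto-message: oak.attestation.v1.Evidence`, which presumably lets editors and linters that read the annotation resolve the schema. The new comment also says the instance was last updated on 2025-01-15 while the filename keeps `20241205`, so the date in the name no longer identifies the data under test. The Oak Containers endorsement statements visible earlier in this diff carry `notAfter` values of 2025-04-14, so a header line such as `# Verify with a pinned time inside the matching endorsements' validity window.` would tell test authors not to rely on the wall clock.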
diff --git a/oak_attestation_verification/testdata/rk_endorsements_20241205.binarypb b/oak_attestation_verification/testdata/rk_endorsements_20241205.binarypb
index dca8ffa333..ac2ef5de55 100644
Binary files a/oak_attestation_verification/testdata/rk_endorsements_20241205.binarypb and b/oak_attestation_verification/testdata/rk_endorsements_20241205.binarypb differ
diff --git a/oak_attestation_verification/testdata/rk_endorsements_20241205.textproto b/oak_attestation_verification/testdata/rk_endorsements_20241205.textproto
index 2a38a01282..43153677f0 100644
--- a/oak_attestation_verification/testdata/rk_endorsements_20241205.textproto
+++ b/oak_attestation_verification/testdata/rk_endorsements_20241205.textproto
@@ -1,38 +1,55 @@ -# proto-file: proto/attestation/evidence.proto +# proto-file: proto/attestation/endorsement.proto # proto-message: oak.attestaton.v1.Endorsements # # Valid real-world endorsements for a Restricted Kernel chain, used for testing. -# Generated on 2024-12-05. `rk_endorsements_{DATE}.binarypb` is the same instance in -# serialized binary format. +# Created on 2024-12-05, last updated on 2025-01-14. +# `rk_endorsements_{DATE}.binarypb` is the same instance in serialized binary +# format. oak_restricted_kernel { root_layer { - tee_certificate: "0\202\005M0\202\002\374\240\003\002\001\002\002\001\0000F\006\t*\206H\206\367\r\001\001\n09\240\0170\r\006\t`\206H\001e\003\004\002\002\005\000\241\0340\032\006\t*\206H\206\367\r\001\001\0100\r\006\t`\206H\001e\003\004\002\002\005\000\242\003\002\0010\243\003\002\001\0010{1\0240\022\006\003U\004\013\014\013Engineering1\0130\t\006\003U\004\006\023\002US1\0240\022\006\003U\004\007\014\013Santa Clara1\0130\t\006\003U\004\010\014\002CA1\0370\035\006\003U\004\n\014\026Advanced Micro Devices1\0220\020\006\003U\004\003\014\tSEV-Milan0\036\027\r240726041346Z\027\r310726041346Z0z1\0240\022\006\003U\004\013\014\013Engineering1\0130\t\006\003U\004\006\023\002US1\0240\022\006\003U\004\007\014\013Santa Clara1\0130\t\006\003U\004\010\014\002CA1\0370\035\006\003U\004\n\014\026Advanced Micro 
Devices1\0210\017\006\003U\004\003\014\010SEV-VCEK0v0\020\006\007*\206H\316=\002\001\006\005+\201\004\000\"\003b\000\004\374\235\333n\254\264\256\314\234@\215\356\245\275\310KT\367\320\337\347\354\322T\016\003\261\367\023~\217\036{\301\322\033\315\345\177\345\230^s\341\na\017\024/I\200m!;$\373b\006\316\231R\211\266<\372\032\321X\230\004\300.P1\345b\017,\346\346eQu,\366]\217pt\230\020\271\235\347\337\363\243\202\001\0270\202\001\0230\020\006\t+\006\001\004\001\234x\001\001\004\003\002\001\0000\027\006\t+\006\001\004\001\234x\001\002\004\n\026\010Milan-B00\021\006\n+\006\001\004\001\234x\001\003\001\004\003\002\001\0030\021\006\n+\006\001\004\001\234x\001\003\002\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\004\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\005\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\006\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\007\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\003\004\003\002\001\0260\022\006\n+\006\001\004\001\234x\001\003\010\004\004\002\002\000\3210M\006\t+\006\001\004\001\234x\001\004\004@M\343\242\340xY\345\236\255\273\230G\320P\355\334y\037yC\251\251\374\351\375\265\237\206\002\360\335&\312\370\020.\013g\3675\'\354\204\200]\010\367\201\370\372\240N:\342\036\237\310\274-\303CG\\\3620F\006\t*\206H\206\367\r\001\001\n09\240\0170\r\006\t`\206H\001e\003\004\002\002\005\000\241\0340\032\006\t*\206H\206\367\r\001\001\0100\r\006\t`\206H\001e\003\004\002\002\005\000\242\003\002\0010\243\003\002\001\001\003\202\002\001\000\233\0141\262\333\351\'\210\343$\002\343\\\024\324\214u\351w\235\371Y\253\227ObT\t\215^\347}\036\257\232\356\205\334\253\377*\354F\001\014.6X\347\247i\216\205(QxT\250\244R,3\376\347K\006i\000\232_E\342V#\303\207p\204\341:\265\373\266:\232\225\221\345g/\334\364\3636\020\005$K\356\265Lm\367\022P\327\306d\347|\302s\243\367&\276\334Xm\270\016\311s};\035\370p\323\353\263r\254aA\255#\177\265\1779s\340*\030\352x\324\013\334/\211\260\330i\376\2
45\327]Q\327T\035T\327\013)\215@\276d\261,\306\300=\233%K\006N\262\212=\226\017;c\220?\330\347\276P\311\231\221\332W\224\020\177\227\374\271x\222\334!\262\r#\265\031\353\023\351\207\353\210{\026r\322\363\231\346\372\014\351la\302tq\377\370\327\254\360\312\340\376\016~\375\256\264e\246\353\243\t^n\032=\032`\350\000\327m_.\343\010\303\224\223\375\206\376J\rQ\253\300|\374\337\341\020Ug_f\276=\244\370\323\357\315O\366W<\253\000S|GB\2306\264\365\274b\367\235:\n1\024d.\316J?\313\027V\311\277\026\205pF<\276\316X\374}\367\\PL\204\242\032\026^\3246S\210\034\235*\240\243\354\312\373\332.\273\n\305\361\024.\024\255\264\240\370\n\211\361o\310\003;:yM\314\005\317\222_\367y\016\007(\177\302\364h\225\231/\3425\320\200s,F\275+\362\242\243\016\\\322\233\310X\275\265E\255\342\322)N\321\177\234_gO\010\203\341eJ\260U\013\023w\334#\340\265\372Wo<|\257M\300X\204\221\377\272J\335\2072\211\332\027Z\355w\022D\302I\373\364>\367\3254\251\203" + tee_certificate: "0\202\005M0\202\002\374\240\003\002\001\002\002\001\0000F\006\t*\206H\206\367\r\001\001\n09\240\0170\r\006\t`\206H\001e\003\004\002\002\005\000\241\0340\032\006\t*\206H\206\367\r\001\001\0100\r\006\t`\206H\001e\003\004\002\002\005\000\242\003\002\0010\243\003\002\001\0010{1\0240\022\006\003U\004\013\014\013Engineering1\0130\t\006\003U\004\006\023\002US1\0240\022\006\003U\004\007\014\013Santa Clara1\0130\t\006\003U\004\010\014\002CA1\0370\035\006\003U\004\n\014\026Advanced Micro Devices1\0220\020\006\003U\004\003\014\tSEV-Milan0\036\027\r240726004737Z\027\r310726004737Z0z1\0240\022\006\003U\004\013\014\013Engineering1\0130\t\006\003U\004\006\023\002US1\0240\022\006\003U\004\007\014\013Santa Clara1\0130\t\006\003U\004\010\014\002CA1\0370\035\006\003U\004\n\014\026Advanced Micro 
Devices1\0210\017\006\003U\004\003\014\010SEV-VCEK0v0\020\006\007*\206H\316=\002\001\006\005+\201\004\000\"\003b\000\004\211\0019vXxTp&\232\220\266\033T\331\316q\257\251\232\024\234\261\375@\240\004\257\300\354\020\200\340\025=\354Y#\276\263)s\255&8\026(iT\006\316\220\325\340\244\003\265}]\225|O\034\216&V[%\337Q\000\367\222\240\202\317:Dx\032rR.\2473vQF\272\006y\361\177A\3618\243\202\001\0270\202\001\0230\020\006\t+\006\001\004\001\234x\001\001\004\003\002\001\0000\027\006\t+\006\001\004\001\234x\001\002\004\n\026\010Milan-B00\021\006\n+\006\001\004\001\234x\001\003\001\004\003\002\001\0030\021\006\n+\006\001\004\001\234x\001\003\002\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\004\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\005\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\006\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\007\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\003\004\003\002\001\0260\022\006\n+\006\001\004\001\234x\001\003\010\004\004\002\002\000\3210M\006\t+\006\001\004\001\234x\001\004\004@\3244\303\005U\241\200bj\336\205\217\263\357\333!L\010Yj\201/\030\206 
\257\212|\353\316\206\364\262OO\032S\265\315\237\"\317\352\377\263R\177\300{Q\266\'\t\020\317iN|\233\374X-:I0F\006\t*\206H\206\367\r\001\001\n09\240\0170\r\006\t`\206H\001e\003\004\002\002\005\000\241\0340\032\006\t*\206H\206\367\r\001\001\0100\r\006\t`\206H\001e\003\004\002\002\005\000\242\003\002\0010\243\003\002\001\001\003\202\002\001\000\200p\3635\305vGX\240{n,\263\330\264\323I+\277\241\266\263\000\215\236\"\204-\356\214\031\273\357,\200\202\246B\250\245>@1\374\266\233\310\225Q\265\304\260DF\240\204\202\263\233\267\005<:\250\261\243\025\347!\233*Sb\214z\247h-b\177R\002\313=\300\374\350\354\200S\333\207\213\211349\254\002x{\273I\311\272a\036\314\220uU=\377.\227\267bC\3110<\332T\327\005}\274\341GS6\274\333\251\262\000\'\007\316\374[\317H\355\200\347h\026\231\0233{(\267\317\217\305\272Z\220\320\303\311\022-\344[\332\310\237\216-\242\252\004T\341Lc\312\324\366t\225vfa\374\317P\336\376\277_\244\220\231\243\005\277u\260\035@\222\362y\356\347\253:\000T\346T\370W\217\277\334\352\226\336:{\241\232\205\262\002&\2579\033\301E\372D\273\247q\240\350\367Gq^\017\367\355\256\031\320N \205\003/\017\362\326\340\311\374aE\306\240dt\002\347\253\216\277(e\226&\034\300\200%yJ\242\336\010\213\014M\233%\3519?\252G\262Y\220t&\336i^\215\322b\262\253\326\234|\275\337\036\313\237!\003\206c\202^2Q\224\246\0333\177X\016uk\335g\231X;\'!R\340\0345<\262\256\024}\213O%\306\306O\313\226\014!>Y\017\340Mq\001\034\010^%\264\344\332w*\362\253\331\\+\207a\376\271K\"\231@n\275\302\224\3514&\355B\202u6J\005h\206\211]\316\256\002\215\326\026J\275\253w\300\227\031\242,\334\331\025qP\252F\r\263\\\222A\271\346\203\230#\212\0021Q1\027\244\370 9V\302\235\252q[-\356\231\274|\232\3210z \023\017\222re9\250kg\224\305\240\231\201|\320Q\000&5\332\270\010\330\233\253h.\211\252\336\357\264P\026\355T\032\350\234<,\351iz" stage0 { - endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": 
\"stage0_bin\",\n \"digest\": {\n \"sha256\": \"98e6e13370cd6dab507270885c981988354b2a6d6b76e0bc9bf2d02054a07ed3\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2024-12-05T07:48:40.328000Z\",\n \"validity\": {\n \"notBefore\": \"2024-12-05T07:48:40.328000Z\",\n \"notAfter\": \"2025-03-05T07:48:40.328000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/10271.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/66738.md\"\n }\n ]\n }\n}\n" - endorsement_signature: "0E\002!\000\351\277\202X\007[^\300\336\"\3624\022H\000\030\346\340\002\364\222R\367\3152v\022U15\205\237\002 ~\202\"r\277\354\031\300uc\227\262\004\020\357\010\261\nF\003;U\344\315\332\341\376\3023R\244\037" - subject: "\ng\010\001\022c\202\002`c911683128b0725ea834070cf8f886b9ec47a1c66c34b3fbf163582a1915e96c440c588065bad8d193b3bf2eeaac4441\ng\010\004\022c\202\002`2038ba730a423b9353c7bddd616ec49813743158d906abe326083ab40f4e6f91d6f152ed83d2fcd8302f477152896cc9\ng\010\020\022c\202\002`c6c3188acf652fbeb382fbf363609dfe3bcec99c9541d0c98acf85083bbf247f83c01fbd5dfbd290945a7dff6b0f7c95\ng\010@\022c\202\002`bde7dceadb550549ac9282ee6873e454a9cee7579dad5b8994c165046bab44a57794c8a63681fc8202f2bdda8a9bd070" + endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"stage0_bin\",\n \"digest\": {\n \"sha256\": \"a8fa02e83d3a5da701200c8038f31d8333cbbaade36847661744ddfab0114619\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.621000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.621000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.621000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/10271.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/66738.md\"\n }\n ]\n }\n}\n" + endorsement_signature: 
"0F\002!\000\373\327\306\357\303\323)\365o\242t\307H\354F(\364p\313\327\236\366E\257\027\341\2510\245\250\264\252\002!\000\353\003\250\232\214?\324\361\024W\253\"\323,\024\027^+\263\350\037F\273\235P\314.\026\247\227*\365" + subject: "\ng\010\001\022c\202\002`7c2daa0108c61839cc7f9e6dad58338836469ebb9e7b216e8fadccfa8d7548fa26a824e8292f6e8699ab345f616ff734\ng\010\004\022c\202\002`ab8ce333c3415df2ae6880138fe261103c35466338c501a0f3b70b323feaceb02d5271ad1d8cd6935be8570e18a8e87e\ng\010\020\022c\202\002`51f1f3fc37441ecd765f0edcac9a9bd48de41a2cf4b174c2f3346edca13e7df478844ddd5386f2654275a43a52d67b38\ng\010@\022c\202\002`c0cafcb13152343f84ff2d867f3734bbbe015fcf3848083b65e1909c1984bf1e05ee815fc274793708c3fca2eaf63e64" } } kernel_layer { kernel { - endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_restricted_kernel_simple_io_init_rd_wrapper_bin\",\n \"digest\": {\n \"sha256\": \"e07ad7496484e4ec22ed1bb2fa5b4cdbc58703a64307d0e38f1c0d1facf540bd\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2024-12-05T07:48:40.064000Z\",\n \"validity\": {\n \"notBefore\": \"2024-12-05T07:48:40.064000Z\",\n \"notAfter\": \"2025-03-05T07:48:40.064000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/36746.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/98982.md\"\n }\n ]\n }\n}\n" - endorsement_signature: "0D\002 \002g\0342\267e \235o\342|\327\337\261\250r\323\341^\274\203\314{?\317&\315/\207\331\337o\002 &\213u\002\263\223 \222i2?\020[\370\003\246\252\371*\252\227\375\237\377\273W\352<].\277\316" + endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_restricted_kernel_simple_io_init_rd_wrapper_bin\",\n \"digest\": {\n \"sha256\": 
\"e07ad7496484e4ec22ed1bb2fa5b4cdbc58703a64307d0e38f1c0d1facf540bd\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.242000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.242000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.242000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/36746.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/98982.md\"\n }\n ]\n }\n}\n" + endorsement_signature: "0E\002 }l\002\3441\327\206\367\222@\371K\030b\320\205\314\004\375\252B\253\031\"\273\3120\356\315\343K~\002!\000\234tN\337\347\252\262\357\305\206\313\242\246\211\275\315\272\326y\235\204\376\034\3224f\000\013z\345\211y" subject: "\n\211\006\202\001L0200006163004daef634350537af029a208e0bf9ffebcb494639bcc8882b4f6a8b5de7a8d3b1\212\001(ead4c09277f74ae48cf1c04bb3811266bd099910\222\001@a25a7e2ab3bae81fdef8b31974596167ef31af59128ba7b6e05b5ee473222b02\232\001\200\001c0c5c492b72931b64a45975f09bcaff14ef8e2a5e04f3ed6b0156ce07ea29fdac173ca09c0b2be8f7da1afcb907a39e61a096cc014efcf96aa4194245e721771\242\001\200\0010abcdb8bdea145b841050a773510f5c0bc114851c81cf16122e0f50f199f46ae70a9c8c9fa4802a098d1df59d5c8647349cc877867b31e55d65420926a58efab\252\001`055586ef72f153d1662778d263ceea8481e46af762bb9f7144f1e135ffa460c1990511228e69d5ffc2ceb3a90d309725\262\001@d4c2cc977c765b5ba40f4ac15c9c3c947c72eb0588da3ab23245ef426c31bb17\272\001800e0b7e3afca1594b30fb3f656dc1ce2d688991cb958c6e2fe3f5d62\202\002`496303095a9e203090732d7ef5959860e2288c150d0d00597a1278bffb9dc40726d540d239d892ed0186a674b8d5eabf\022\205\006\202\001H01001000f787ecb996c0158085698f8a71f75cd023bebb4549c315c4bb27388da4020171\212\001(d0787af619375feb58490bd08ee85d25266466d3\222\001@4cd020820da663063f4185ca14a7e803cd7c9ca1483c64e836db840604b6fac1\232\001\200\001a6a0e968a93fa544e8cba746455cb4d6b6e005ac1ea3d62bdd531e2fb38d1a9e6fd3d82240ebef54aca6b196ff7b52b0ed95a885b82bb3e7acd5920ba0a0d194\242\001\200\001e68d9fde05550f9404ec03b21c469
ce5f28e2afb471718f87e8a39262ac4abeebaf052296cca15c3a530bb6c1367d9bfc0be847f6a3d3278f199591fda3ac5c3\252\001`68a52675263b95c44f2cda0ff46cac7b6b4900dbba648332ba0bff32b42800dc7cb59457a8d232e73016d2cf10812cb9\262\001@8afd043b8a0b124988965a8774a60b72675aedca94fc9f6c210f75bb56808c9c\272\0018b61c92b1a571213d971aee789a7c04509e45648d52467f0c217e3207\202\002`dd79803b4e303d6f5355d15f009ea6d7d75e2db2f4813e2a95fab171aa89a916ec68149c0560e8b664be34ff22e864ec" } kernel_cmd_line { - endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_restricted_kernel_simple_io_wrapper_cmd_line_regex\",\n \"digest\": {\n \"sha256\": \"c444046790f41f70117def6e8794029bf5d89edbb47d0380431850685503d0af\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2024-12-05T07:48:40.317000Z\",\n \"validity\": {\n \"notBefore\": \"2024-12-05T07:48:40.317000Z\",\n \"notAfter\": \"2025-03-05T07:48:40.317000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/47346.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/77149.md\"\n }\n ]\n }\n}\n" - endorsement_signature: "0F\002!\000\273\300\2349*\356\337\216\337\3603\341cj\205hW\014\215an\002\320R\003\343\215\014\270\256f\272\002!\000\325m\034\240\220\334\004\306\230\375\215\256P\360\242p@#L\326\260\224/\266?.\001=D\336c\220" + endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_restricted_kernel_simple_io_wrapper_cmd_line_regex\",\n \"digest\": {\n \"sha256\": \"c444046790f41f70117def6e8794029bf5d89edbb47d0380431850685503d0af\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.611000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.611000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.611000Z\"\n 
},\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/47346.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/77149.md\"\n }\n ]\n }\n}\n" + endorsement_signature: "0E\002 |\246<\325\254N\254\330-\364\023\010\177i\333\246}U\340\361\342x\225\337\246o.^LI\337\030\002!\000\373\310\270sM\272X\267P\024O\241\305W\303\255\241\366WV\034\371\250\020\013\230\013\252\332,t\016" subject: "^quiet panic=-1 init=/init .*$\n" } init_ram_fs { - endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_orchestrator\",\n \"digest\": {\n \"sha256\": \"74e70565f634e24e8cb65caa2f2494c854924cfb3d34cb0dfcb0765a80bf0c8b\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2024-12-05T07:48:40.054000Z\",\n \"validity\": {\n \"notBefore\": \"2024-12-05T07:48:40.054000Z\",\n \"notAfter\": \"2025-03-05T07:48:40.054000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/87425.md\"\n }\n ]\n }\n}\n" - endorsement_signature: "0E\002 \035\240\r\365\272\307\007\264\370T\206)+\002\224\300J\320\334\353\367\337p\364\033?\226\0314\332\243\341\002!\000\200\237\027,\376BB\0004\326\351f\325\302\005`\222\253\376\365y\016\221P\211\225\300\204\240G\350\276" + endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_orchestrator\",\n \"digest\": {\n \"sha256\": \"8c335c191d3748d4803a17678fad63dea9757e74cc1a1d4242bd8ec21ffe6d0f\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.224000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.224000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.224000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/87425.md\"\n }\n ]\n 
}\n}\n" + endorsement_signature: "0E\002 \014\321\32636\200FTKD\0143o\347O-\t\203\224\271\301)\362\356\254\006\373\006P\036\016\356\002!\000\321A\252@!\214\346v\205C\206\033\202\255\nE-\274\211\205\320\3153%\213\367\247\265\362g\270w" } } application_layer { binary { - endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_echo_enclave_app\",\n \"digest\": {\n \"sha256\": \"45c6ce9b2fdad4ca9042b3b0601b9ab4ef9c6863a7227fceb4b3ec3852b347ee\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2024-12-05T07:48:39.994000Z\",\n \"validity\": {\n \"notBefore\": \"2024-12-05T07:48:39.994000Z\",\n \"notAfter\": \"2025-03-05T07:48:39.994000Z\"\n }\n }\n}\n" - endorsement_signature: "0F\002!\000\223O/\234\264P+\355\n\321h\346\232\261\342\276l\362\323\3018\371\245.{4\217\273\000\016\031\344\002!\000\227\362\314\207\210\001E6\211UG\213_\017,\354!_\322\227\237VnR\215\330\206`\n\"5\346" + endorsement: "{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_echo_enclave_app\",\n \"digest\": {\n \"sha256\": \"05880883bb26ff7e09510f602984f3921583bdc483d9885316a3d4ff939e4ca9\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.118000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.118000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.118000Z\"\n }\n }\n}\n" + endorsement_signature: "0D\002 R\034.\367\214\024\010\001]i\322\304\251\177\314\224\010\315\027\027\217\275\3471p\035)\260\031\207\\7\002 ]\314\231\354;7;\373\'m`\322`\'\226XS\255\023\223\344\022\\$)j\353?\371\211A\263" } } -} \ No newline at end of file +} +platform { + id: "Z\022\320\017H\240B$\277\364\227\\vWC\217" + value: 
"\n\321\n0\202\005M0\202\002\374\240\003\002\001\002\002\001\0000F\006\t*\206H\206\367\r\001\001\n09\240\0170\r\006\t`\206H\001e\003\004\002\002\005\000\241\0340\032\006\t*\206H\206\367\r\001\001\0100\r\006\t`\206H\001e\003\004\002\002\005\000\242\003\002\0010\243\003\002\001\0010{1\0240\022\006\003U\004\013\014\013Engineering1\0130\t\006\003U\004\006\023\002US1\0240\022\006\003U\004\007\014\013Santa Clara1\0130\t\006\003U\004\010\014\002CA1\0370\035\006\003U\004\n\014\026Advanced Micro Devices1\0220\020\006\003U\004\003\014\tSEV-Milan0\036\027\r240726004737Z\027\r310726004737Z0z1\0240\022\006\003U\004\013\014\013Engineering1\0130\t\006\003U\004\006\023\002US1\0240\022\006\003U\004\007\014\013Santa Clara1\0130\t\006\003U\004\010\014\002CA1\0370\035\006\003U\004\n\014\026Advanced Micro Devices1\0210\017\006\003U\004\003\014\010SEV-VCEK0v0\020\006\007*\206H\316=\002\001\006\005+\201\004\000\"\003b\000\004\211\0019vXxTp&\232\220\266\033T\331\316q\257\251\232\024\234\261\375@\240\004\257\300\354\020\200\340\025=\354Y#\276\263)s\255&8\026(iT\006\316\220\325\340\244\003\265}]\225|O\034\216&V[%\337Q\000\367\222\240\202\317:Dx\032rR.\2473vQF\272\006y\361\177A\3618\243\202\001\0270\202\001\0230\020\006\t+\006\001\004\001\234x\001\001\004\003\002\001\0000\027\006\t+\006\001\004\001\234x\001\002\004\n\026\010Milan-B00\021\006\n+\006\001\004\001\234x\001\003\001\004\003\002\001\0030\021\006\n+\006\001\004\001\234x\001\003\002\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\004\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\005\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\006\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\007\004\003\002\001\0000\021\006\n+\006\001\004\001\234x\001\003\003\004\003\002\001\0260\022\006\n+\006\001\004\001\234x\001\003\010\004\004\002\002\000\3210M\006\t+\006\001\004\001\234x\001\004\004@\3244\303\005U\241\200bj\336\205\217\263\357\333!L\010Yj\201/\030\206 
\257\212|\353\316\206\364\262OO\032S\265\315\237\"\317\352\377\263R\177\300{Q\266\'\t\020\317iN|\233\374X-:I0F\006\t*\206H\206\367\r\001\001\n09\240\0170\r\006\t`\206H\001e\003\004\002\002\005\000\241\0340\032\006\t*\206H\206\367\r\001\001\0100\r\006\t`\206H\001e\003\004\002\002\005\000\242\003\002\0010\243\003\002\001\001\003\202\002\001\000\200p\3635\305vGX\240{n,\263\330\264\323I+\277\241\266\263\000\215\236\"\204-\356\214\031\273\357,\200\202\246B\250\245>@1\374\266\233\310\225Q\265\304\260DF\240\204\202\263\233\267\005<:\250\261\243\025\347!\233*Sb\214z\247h-b\177R\002\313=\300\374\350\354\200S\333\207\213\211349\254\002x{\273I\311\272a\036\314\220uU=\377.\227\267bC\3110<\332T\327\005}\274\341GS6\274\333\251\262\000\'\007\316\374[\317H\355\200\347h\026\231\0233{(\267\317\217\305\272Z\220\320\303\311\022-\344[\332\310\237\216-\242\252\004T\341Lc\312\324\366t\225vfa\374\317P\336\376\277_\244\220\231\243\005\277u\260\035@\222\362y\356\347\253:\000T\346T\370W\217\277\334\352\226\336:{\241\232\205\262\002&\2579\033\301E\372D\273\247q\240\350\367Gq^\017\367\355\256\031\320N \205\003/\017\362\326\340\311\374aE\306\240dt\002\347\253\216\277(e\226&\034\300\200%yJ\242\336\010\213\014M\233%\3519?\252G\262Y\220t&\336i^\215\322b\262\253\326\234|\275\337\036\313\237!\003\206c\202^2Q\224\246\0333\177X\016uk\335g\231X;\'!R\340\0345<\262\256\024}\213O%\306\306O\313\226\014!>Y\017\340Mq\001\034\010^%\264\344\332w*\362\253\331\\+\207a\376\271K\"\231@n\275\302\224\3514&\355B\202u6J\005h\206\211]\316\256\002\215\326\026J\275\253w\300\227\031\242,\334\331\025qP\252F\r\263\\\222A\271\346\203\230#\212\0021Q1\027\244\370 9V\302\235\252q[-\356\231\274|\232\3210z \023\017\222re9\250kg\224\305\240\231\201|\320Q\000&5\332\270\010\330\233\253h.\211\252\336\357\264P\026\355T\032\350\234<,\351iz" +} +initial { + id: "\336J\rU`\352M\306\253\321\t\355tO\200\352" + value: "\n\306\t\n\365\010\010\001\022\311\005{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": 
\"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"stage0_bin\",\n \"digest\": {\n \"sha256\": \"a8fa02e83d3a5da701200c8038f31d8333cbbaade36847661744ddfab0114619\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.621000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.621000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.621000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/10271.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/66738.md\"\n }\n ]\n }\n}\n\032\244\003\ng\010\001\022c\202\002`7c2daa0108c61839cc7f9e6dad58338836469ebb9e7b216e8fadccfa8d7548fa26a824e8292f6e8699ab345f616ff734\ng\010\004\022c\202\002`ab8ce333c3415df2ae6880138fe261103c35466338c501a0f3b70b323feaceb02d5271ad1d8cd6935be8570e18a8e87e\ng\010\020\022c\202\002`51f1f3fc37441ecd765f0edcac9a9bd48de41a2cf4b174c2f3346edca13e7df478844ddd5386f2654275a43a52d67b38\ng\010@\022c\202\002`c0cafcb13152343f84ff2d867f3734bbbe015fcf3848083b65e1909c1984bf1e05ee815fc274793708c3fca2eaf63e64\022L\010\001\022H0F\002!\000\373\327\306\357\303\323)\365o\242t\307H\354F(\364p\313\327\236\366E\257\027\341\2510\245\250\264\252\002!\000\353\003\250\232\214?\324\361\024W\253\"\323,\024\027^+\263\350\037F\273\235P\314.\026\247\227*\365" +} +events { + id: "\211Q\035e]5F\001\220\013\036m\272\370B\266" + value: "\n\336\022\n\216\022\010\001\022\362\005{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_restricted_kernel_simple_io_init_rd_wrapper_bin\",\n \"digest\": {\n \"sha256\": \"e07ad7496484e4ec22ed1bb2fa5b4cdbc58703a64307d0e38f1c0d1facf540bd\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.242000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.242000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.242000Z\"\n },\n 
\"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/36746.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/98982.md\"\n }\n ]\n }\n}\n\032\224\014\n\211\006\202\001L0200006163004daef634350537af029a208e0bf9ffebcb494639bcc8882b4f6a8b5de7a8d3b1\212\001(ead4c09277f74ae48cf1c04bb3811266bd099910\222\001@a25a7e2ab3bae81fdef8b31974596167ef31af59128ba7b6e05b5ee473222b02\232\001\200\001c0c5c492b72931b64a45975f09bcaff14ef8e2a5e04f3ed6b0156ce07ea29fdac173ca09c0b2be8f7da1afcb907a39e61a096cc014efcf96aa4194245e721771\242\001\200\0010abcdb8bdea145b841050a773510f5c0bc114851c81cf16122e0f50f199f46ae70a9c8c9fa4802a098d1df59d5c8647349cc877867b31e55d65420926a58efab\252\001`055586ef72f153d1662778d263ceea8481e46af762bb9f7144f1e135ffa460c1990511228e69d5ffc2ceb3a90d309725\262\001@d4c2cc977c765b5ba40f4ac15c9c3c947c72eb0588da3ab23245ef426c31bb17\272\001800e0b7e3afca1594b30fb3f656dc1ce2d688991cb958c6e2fe3f5d62\202\002`496303095a9e203090732d7ef5959860e2288c150d0d00597a1278bffb9dc40726d540d239d892ed0186a674b8d5eabf\022\205\006\202\001H01001000f787ecb996c0158085698f8a71f75cd023bebb4549c315c4bb27388da4020171\212\001(d0787af619375feb58490bd08ee85d25266466d3\222\001@4cd020820da663063f4185ca14a7e803cd7c9ca1483c64e836db840604b6fac1\232\001\200\001a6a0e968a93fa544e8cba746455cb4d6b6e005ac1ea3d62bdd531e2fb38d1a9e6fd3d82240ebef54aca6b196ff7b52b0ed95a885b82bb3e7acd5920ba0a0d194\242\001\200\001e68d9fde05550f9404ec03b21c469ce5f28e2afb471718f87e8a39262ac4abeebaf052296cca15c3a530bb6c1367d9bfc0be847f6a3d3278f199591fda3ac5c3\252\001`68a52675263b95c44f2cda0ff46cac7b6b4900dbba648332ba0bff32b42800dc7cb59457a8d232e73016d2cf10812cb9\262\001@8afd043b8a0b124988965a8774a60b72675aedca94fc9f6c210f75bb56808c9c\272\0018b61c92b1a571213d971aee789a7c04509e45648d52467f0c217e3207\202\002`dd79803b4e303d6f5355d15f009ea6d7d75e2db2f4813e2a95fab171aa89a916ec68149c0560e8b664be34ff22e864ec\022K\010\001\022G0E\002 
}l\002\3441\327\206\367\222@\371K\030b\320\205\314\004\375\252B\253\031\"\273\3120\356\315\343K~\002!\000\234tN\337\347\252\262\357\305\206\313\242\246\211\275\315\272\326y\235\204\376\034\3224f\000\013z\345\211y\022\353\006\n\233\006\010\001\022\365\005{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_restricted_kernel_simple_io_wrapper_cmd_line_regex\",\n \"digest\": {\n \"sha256\": \"c444046790f41f70117def6e8794029bf5d89edbb47d0380431850685503d0af\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.611000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.611000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.611000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/47346.md\"\n },\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/77149.md\"\n }\n ]\n }\n}\n\032\037^quiet panic=-1 init=/init .*$\n\022K\010\001\022G0E\002 |\246<\325\254N\254\330-\364\023\010\177i\333\246}U\340\361\342x\225\337\246o.^LI\337\030\002!\000\373\310\270sM\272X\267P\024O\241\305W\303\255\241\366WV\034\371\250\020\013\230\013\252\332,t\016\032\275\005\n\355\004\010\001\022\350\004{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_orchestrator\",\n \"digest\": {\n \"sha256\": \"8c335c191d3748d4803a17678fad63dea9757e74cc1a1d4242bd8ec21ffe6d0f\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.224000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.224000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.224000Z\"\n },\n \"claims\": [\n {\n \"type\": \"https://github.com/project-oak/oak/blob/main/docs/tr/claim/87425.md\"\n }\n ]\n }\n}\n\022K\010\001\022G0E\002 
\014\321\32636\200FTKD\0143o\347O-\t\203\224\271\301)\362\356\254\006\373\006P\036\016\356\002!\000\321A\252@!\214\346v\205C\206\033\202\255\nE-\274\211\205\320\3153%\213\367\247\265\362g\270w" +} +events { + id: "\350N\327\024f\235C\n\246\017\212e\036ZU\003" + value: "\n\303\004\n\364\003\010\001\022\357\003{\n \"_type\": \"https://in-toto.io/Statement/v1\",\n \"predicateType\": \"https://project-oak.github.io/oak/tr/endorsement/v1\",\n \"subject\": [\n {\n \"name\": \"oak_echo_enclave_app\",\n \"digest\": {\n \"sha256\": \"05880883bb26ff7e09510f602984f3921583bdc483d9885316a3d4ff939e4ca9\"\n }\n }\n ],\n \"predicate\": {\n \"issuedOn\": \"2025-01-14T07:44:02.118000Z\",\n \"validity\": {\n \"notBefore\": \"2025-01-14T07:44:02.118000Z\",\n \"notAfter\": \"2025-04-14T07:44:02.118000Z\"\n }\n }\n}\n\022J\010\001\022F0D\002 R\034.\367\214\024\010\001]i\322\304\251\177\314\224\010\315\027\027\217\275\3471p\035)\260\031\207\\7\002 ]\314\231\354;7;\373\'m`\322`\'\226XS\255\023\223\344\022\\$)j\353?\371\211A\263" +} diff --git a/oak_attestation_verification/testdata/rk_evidence_20241205.binarypb b/oak_attestation_verification/testdata/rk_evidence_20241205.binarypb index 2de6f6bf8e..8560c49fdb 100644 Binary files a/oak_attestation_verification/testdata/rk_evidence_20241205.binarypb and b/oak_attestation_verification/testdata/rk_evidence_20241205.binarypb differ diff --git a/oak_attestation_verification/testdata/rk_evidence_20241205.textproto b/oak_attestation_verification/testdata/rk_evidence_20241205.textproto index a44a0ee10d..0765b2550f 100644 --- a/oak_attestation_verification/testdata/rk_evidence_20241205.textproto +++ b/oak_attestation_verification/testdata/rk_evidence_20241205.textproto 
@@ -2,23 +2,24 @@ # proto-message: oak.attestaton.v1.Evidence # # Valid real-world evidence for a Restricted Kernel chain, used for testing. -# Generated on 2024-12-05. `rk_evidence_{DATE}.binarypb` is the same instance in +# Created on 2024-12-05, last updated on 2025-01-14. +# `rk_evidence_{DATE}.binarypb` is the same instance in # serialized binary format. ECA: Embedded Certification Authority # # The stage0 binary is measured in the attestation report. root_layer { platform: AMD_SEV_SNP - remote_attestation_report: "\002\000\000\000\000\000\000\000\000\000\003\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\001\000\000\000\003\000\000\000\000\000\026\321\001\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\306\252\036\347{\361\016\313\313\320y\23275(eP\222}]\376\037\364\354\223\304\200\242ZmD\312\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\331S\003\342\206\013J\276\027\301\020,\342\351QX\000\340Kj)^\366_4\023\271*\330J\207t\304\357\033\361\300\214ot/X\377Oc\375dk\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000*J\030\204Z\254\010\244G\257\246\324\314\207\023}\324 
f\371\r\254\220Pt\230\035\005\225\265\233;\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\003\000\000\000\000\000\026\321\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000M\343\242\340xY\345\236\255\273\230G\320P\355\334y\037yC\251\251\374\351\375\265\237\206\002\360\335&\312\370\020.\013g\3675\'\354\204\200]\010\367\201\370\372\240N:\342\036\237\310\274-\303CG\\\362\003\000\000\000\000\000\026\321\0247\001\000\0247\001\000\003\000\000\000\000\000\026\321\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\010\230#B)\205;\374F\354\372u5`\210\343\2362WJ\r\221\362\3236\237\374\250\350\206\314r\nv:V\241!Z\0228@\305\241\010Zl\254\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\244d\375\317\227\257;\014I*j\306s\306(v\350\273\364\037\027\2200\307\312\007\372\307\n\306\014y\210\315Sn\000-\373\317X\350\236\260\005\001\035N\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\00
0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" - eca_public_key: "\247\001\002\002T\036#\230v>j\361x\303\026\023\021\237\347/\201\374.?\222\003&\004\201\002 \001!X \270r\226\353\377\221\212vp\013`a\310\354A\204\311Z\036\271\316u\215J&5\251\2147Z|#\"X \233(\263\247\036jV\226\320{z_\023\247M\272h`j6a\277ZV.\330U\017Y\370\254G" + remote_attestation_report: 
"\002\000\000\000\000\000\000\000\000\000\003\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\001\000\000\000\003\000\000\000\000\000\026\321\001\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\004B\210\232\317^{\374\017\213/]\007\301rk#\327q\341Y?\371\330+\310kZ\026R\210^\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\304\\\223\326\210d\005\316\237T\3555\351\275\035\016\3610\335@]y/\375\267.\306\342-k0E&\273\001\247\003\257j\362\243\212nj\022\275ee\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000|&1\372A\363\373\275Yk\222\226O\212i\303\367\215\261\234j\255\340\220\225\357\246\201r\266O\263\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\003\000\000\000\000\000\026\321\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\3244\303\005U\241\200bj\336\205\217\263\357\333!L\010Yj\201/\030\206 
\257\212|\353\316\206\364\262OO\032S\265\315\237\"\317\352\377\263R\177\300{Q\266\'\t\020\317iN|\233\374X-:I\003\000\000\000\000\000\026\321\0247\001\000\0247\001\000\003\000\000\000\000\000\026\321\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000U\265M\202j\"\217/\241$c\242gyE\037&\3456\310\033\004\307\031t\r>\251s\013?\207\034\257l\357\213s\221?G\310\346V\r\003\272U\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\203\306O\271r=\225B\214\2528\264\376Z\033\205\334i\362\374\302j5\202\"\377\326\032\207\353}M`\313\237\235\330A\237\033\376u\302HJ\271_C\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\00
0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" + eca_public_key: "\247\001\002\002T\222\035\220&\241:\337\004\032/p\351\373\006\020\212\316\243U\307\003&\004\201\002 \001!X 3\2359\221\366\376G\320\206\014r\264\034\303FY7\225\210=\003a\340\303\\\303\237$a;ix\"X \365\305\352\017m7\316\215&\t2\033\226\027\t\002\003\350\032\307g\3179\262w\017kp\241\017LF" } layers { - eca_certificate: "\204C\241\001&\241\004RAsymmetricECDSA256X\371\245\001x(1e2398763e6af178c31613119fe72f81fc2e3f92\002x(fa0aff537f2856685f9e7733b53dc090b5ed4d3b:\000GDWXf\247\001\002\002T\372\n\377S\177(Vh_\236w3\265=\300\220\265\355M;\003&\004\201\002 \001!X \312\256\036\021\253I*T\313\323EZ\316\3100\375d[\177l\004m\334\001\266\346ad2\324#\036\"X \273\027\014\273\271\332\231\325\244\275\200\207\017\207\211\257Zj\"\224\316\311$\217!\177?{:\t\023\034:\000GDXB \000:\000GDl\241:\000GDkX \002\002Z\002;\036\372\204\013\355\351\227{\275\343^\352A\241\344N\206\225\"\353\373\257\322}^E\254X@\321lR\302\275\374\371\373p\333 f\026\370\254\034\201\177\242\024/Bi\224w\014P\303c\311\354t\223/b\334q\005p\335\251A-8\216w\206F>\312q\214\302)\340\276L\210\310\242\037\355\342P" + eca_certificate: 
"\204C\241\001&\241\004RAsymmetricECDSA256X\371\245\001x(921d9026a13adf041a2f70e9fb06108acea355c7\002x(1c1d36f14ae43ec98999924ed2e1af0736eb8d6d:\000GDWXf\247\001\002\002T\034\0356\361J\344>\311\211\231\222N\322\341\257\0076\353\215m\003&\004\201\002 \001!X \343p+\242\006\0133e\037af6\333\211\253+\210LaVS\002~\302\2644\223\226m\322M>\"X }du3\253\007\014\271\212\320C\237\242\362\324\312V\376?s\261\316\211+\2121\363\351z\303\300\306:\000GDXB \000:\000GDl\241:\000GDkX e\261sw\257c\365fa#\007*t\023\366o\027J\365\302\235\312\215\334\032\355\257\3564\356\317\342X@\020\322P\347/\242\311\221Y\212W\213\301\356\'X\345\'\333@I3W$\233\014\016\332\232\003;\256/}\021VJ\320\034\353}n8\345\365C\313X\236\260L\345\327&\364\333\365<%\377\035&MW" } application_keys { - encryption_public_key_certificate: "\204C\241\001&\241\004RAsymmetricECDSA256X\327\245\001x(fa0aff537f2856685f9e7733b53dc090b5ed4d3b\002x(e710703dbd37a40d1016a62683098c5443460cc9:\000GDWXD\246\001\001\002T\347\020p=\2757\244\r\020\026\246&\203\t\214TCF\014\311\0038\036\004\201\005 \004!X \243\243v\346\234F\360\027\215\370F\232,c\224\222<=xxo\"\346\276\310\265\276\257\272m\364\033:\000GDXB \000:\000GDl\241:\000GDkX \255\373\024\266\301\215q\226\247q\300\312G\312Y\275\205$E6\373z$\026=}\001\2770\200f\242X@\312\023P\307H\367\271v\207\207\007\345:2)\247\217\"\262@\243\203\324M?\275x\255K\341p>2h!6\020d\214\003j\306\333\242j\247\0335\271\002\340\344I\264\376[B\347\013\240TH\317\004" - signing_public_key_certificate: "\204C\241\001&\241\004RAsymmetricECDSA256X\371\245\001x(fa0aff537f2856685f9e7733b53dc090b5ed4d3b\002x(a9e3f1a8511450d38db3553f69c7128d3919fd57:\000GDWXf\247\001\002\002T\251\343\361\250Q\024P\323\215\263U?i\307\022\2159\031\375W\003&\004\201\002 \001!X \231(\274\317\224\265\347\232\362\204\025\215\245\234P\325\024<\202Y|T{\330\222fu\312#\237V\037\"X \n\3501\354\310\353m\005\225\177\312P<:\303\355\003>\261\276\250\031!\355\366%\243\356\300\035c\332:\000GDXB \000:\000GDl\241:\000GDkX 
\255\373\024\266\301\215q\226\247q\300\312G\312Y\275\205$E6\373z$\026=}\001\2770\200f\242X@r \366\257\026\373M\256\227\006\03799\361\024\177`\351\377\304\207\354\026X\211;\007ju\276\031\241\"T\327f\343\360&\024p]]\002K\000|\240.\205\337\271\311\366B[\212\246\346\336\366\306\177|" + encryption_public_key_certificate: "\204C\241\001&\241\004RAsymmetricECDSA256X\327\245\001x(1c1d36f14ae43ec98999924ed2e1af0736eb8d6d\002x(d9b0d0d10f27f96a2d7ed28e99c46d515d18cf57:\000GDWXD\246\001\001\002T\331\260\320\321\017\'\371j-~\322\216\231\304mQ]\030\317W\0038\036\004\201\005 \004!X \246\242M\264J\233l\024i0\342\353Z\322:!2\363\205\367\375\n\352\314\020\350\246\316ZG\354G:\000GDXB \000:\000GDl\241:\000GDkX s\273\177\271\006\010*\227\362\340dyCC/\274\204p\313s\303x\233\374\267k\267N\357\231\262]X@\251\350\261\3425\366\200_**\215\264\322l\211\360wa\000\233%NhE\353\233\307\323/zITF\007\364\330\354\266r\013`k\240d&\221\336/:n$q+\251\273\323\022\311\327#\320W\303\356" + signing_public_key_certificate: "\204C\241\001&\241\004RAsymmetricECDSA256X\371\245\001x(1c1d36f14ae43ec98999924ed2e1af0736eb8d6d\002x(55a7165dd71cda0aded8426ff1dd692c994450ee:\000GDWXf\247\001\002\002TU\247\026]\327\034\332\n\336\330Bo\361\335i,\231DP\356\003&\004\201\002 \001!X \204\205\324\271l\2258\253P\222\251\372,\360\017\016%h\177\027q\353Tv\260`\333c`\260\027D\"X \305d>\345\262,\020\356\027\2261A\362Qw\023\026\267\017v=?\203\243!D\236L\365\365\275\347:\000GDXB \000:\000GDl\241:\000GDkX s\273\177\271\006\010*\227\362\340dyCC/\274\204p\313s\303x\233\374\267k\267N\357\231\262]X@\027\334\353\210\276\305\352\343NN\306\233\241o\243X\243C\232t^G\347{\257\345\320\262)\350`o\243\234\035\235F+\336\250\226\240\371\034\257\217\267\037\317\335\0243\232t\210\255\324\3179\031\301\014\345\025" } event_log { - encoded_events: "\n\006Stage0\022\367\001\n9type.googleapis.com/oak.attestation.v1.Stage0Measurements\022\271\001\n L\320 \202\r\246c\006?A\205\312\024\247\350\003\315|\234\241H anyhow::Result<&AttestationReport> { let 
root_layer = @@ -69,21 +66,6 @@ fn extract_attestation_report(evidence: &Evidence) -> anyhow::Result<&Attestatio .context("invalid AMD SEV-SNP attestation report") } -fn extract_event(evidence: &Evidence, index: usize) -> anyhow::Result> { - if let Some(event_log) = &evidence.event_log { - if event_log.encoded_events.len() < index + 1 { - anyhow::bail!( - "not enough events, expected at least {}, found {}", - index + 1, - event_log.encoded_events.len() - ); - } - Ok(event_log.encoded_events[index].clone()) - } else { - Err(anyhow!("event log wasn't provided in the evidence")) - } -} - // Loads a valid AMD SEV-SNP evidence instance for Oak Containers. fn load_oc_evidence() -> Evidence { let serialized = fs::read(data_path(OC_EVIDENCE_PATH)).expect("could not read evidence"); @@ -91,23 +73,10 @@ fn load_oc_evidence() -> Evidence { } // Loads a valid AMD SEV-SNP endorsements instance for Oak Containers. -fn load_oc_endorsements() -> OakContainersEndorsements { +fn load_oc_endorsements() -> Endorsements { let serialized = fs::read(data_path(OC_ENDORSEMENTS_PATH)).expect("could not read endorsements"); - let endorsements = - Endorsements::decode(serialized.as_slice()).expect("could not decode endorsements"); - let containers_endorsements = match endorsements.r#type.as_ref() { - Some(endorsements::Type::OakContainers(containers_endorsements)) => { - containers_endorsements.clone() - } - _ => panic!("couldn't find Oak Containers reference values"), - }; - assert!(containers_endorsements.root_layer.is_some()); - assert!(containers_endorsements.kernel_layer.is_some()); - assert!(containers_endorsements.system_layer.is_some()); - // TODO: b/368030563 - Verify container layer once corresponding endorsements - // are provided. assert!(containers_endorsements.container_layer.is_some()); - containers_endorsements + Endorsements::decode(serialized.as_slice()).expect("could not decode endorsements") } // Loads valid AMD SEV-SNP reference values instance for Oak Containers. 
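Review bot: `load_oc_endorsements` now returns whatever `Endorsements::decode` yields, so the removed check for the `OakContainers` variant and the presence asserts on `root_layer`, `kernel_layer` and `system_layer` no longer run at load time. A wrong or truncated fixture would surface only inside individual tests, while the comment above the function still calls the instance "valid". I would keep one sanity check in the loader: bind the decoded value and add `assert!(matches!(endorsements.r#type, Some(endorsements::Type::OakContainers(_))), "expected Oak Containers endorsements");` before returning it. The same applies to `load_rk_endorsements` in the `@@ -137,19 +106,10 @@` hunk, with `endorsements::Type::OakRestrictedKernel(_)`.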
@@ -137,19 +106,10 @@ fn load_rk_evidence() -> Evidence { } // Loads a valid AMD SEV-SNP endorsements instance for Oak Restricted Kernel. -fn load_rk_endorsements() -> OakRestrictedKernelEndorsements { +fn load_rk_endorsements() -> Endorsements { let serialized = fs::read(data_path(RK_ENDORSEMENTS_PATH)).expect("could not read endorsements"); - let endorsements = - Endorsements::decode(serialized.as_slice()).expect("could not decode endorsements"); - let rk_endorsements = match endorsements.r#type.as_ref() { - Some(endorsements::Type::OakRestrictedKernel(rk_endorsements)) => rk_endorsements.clone(), - _ => panic!("couldn't find Oak RestrictedKernel reference values"), - }; - assert!(rk_endorsements.root_layer.is_some()); - assert!(rk_endorsements.kernel_layer.is_some()); - assert!(rk_endorsements.application_layer.is_some()); - rk_endorsements + Endorsements::decode(serialized.as_slice()).expect("could not decode endorsements") } // Loads valid AMD SEV-SNP reference values instance for Oak Restricted Kernel. @@ -172,11 +132,11 @@ fn load_rk_reference_values() -> OakRestrictedKernelReferenceValues { lazy_static::lazy_static! { static ref OC_EVIDENCE: Evidence = load_oc_evidence(); - static ref OC_ENDORSEMENTS: OakContainersEndorsements = load_oc_endorsements(); + static ref OC_ENDORSEMENTS: Endorsements = load_oc_endorsements(); static ref OC_REFERENCE_VALUES: OakContainersReferenceValues = load_oc_reference_values(); static ref RK_EVIDENCE: Evidence = load_rk_evidence(); - static ref RK_ENDORSEMENTS: OakRestrictedKernelEndorsements = load_rk_endorsements(); + static ref RK_ENDORSEMENTS: Endorsements = load_rk_endorsements(); static ref RK_REFERENCE_VALUES: OakRestrictedKernelReferenceValues = load_rk_reference_values(); } 
@@ -185,11 +145,14 @@ fn amd_sev_snp_platform_policy_verify_succeeds() { let platform_reference_values = OC_REFERENCE_VALUES.root_layer.as_ref().unwrap().amd_sev.as_ref().unwrap(); let policy = AmdSevSnpPolicy::new(platform_reference_values); - let attestation_report = extract_attestation_report(&OC_EVIDENCE).unwrap(); - // TODO: b/375137648 - Use new endorsements directly once they are available. let platform_endorsement = AmdSevSnpEndorsement { - tee_certificate: OC_ENDORSEMENTS.root_layer.as_ref().unwrap().tee_certificate.to_vec(), + tee_certificate: match OC_ENDORSEMENTS.r#type.as_ref() { + Some(endorsements::Type::OakContainers(e)) => { + e.root_layer.as_ref().unwrap().tee_certificate.to_vec() + } + _ => vec![], + }, }; let encoded_endorsement = Variant { id: AMD_SEV_SNP_PLATFORM_ENDORSEMENT_ID.to_vec(), @@ -197,8 +160,9 @@ fn amd_sev_snp_platform_policy_verify_succeeds() { }; let result = policy.verify(attestation_report, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH); + // TODO: b/356631062 - Verify detailed attestation results. - assert!(result.is_ok()); + assert!(result.is_ok(), "Failed: {:?}", result.err().unwrap()); } #[test] 
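Review bot: The `_ => vec![]` arm of the `tee_certificate` match in `amd_sev_snp_platform_policy_verify_succeeds` lets the test continue with an empty TEE certificate when the fixture is not of the `OakContainers` type. A wrong fixture is then reported as a policy verification failure, and the outcome depends on how `AmdSevSnpPolicy` treats an empty certificate, which is not visible in this hunk. Since the surrounding test code already unwraps freely, failing at the mismatch is clearer: `_ => panic!("expected Oak Containers endorsements"),`.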
@@ -230,41 +194,33 @@ fn amd_sev_snp_firmware_policy_verify_succeeds() { let result = policy.verify(firmware_measurement, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH); // TODO: b/356631062 - Verify detailed attestation results. - assert!(result.is_ok()); + assert!(result.is_ok(), "Failed: {:?}", result.err().unwrap()); } #[test] fn oc_kernel_policy_verify_succeeds() { - let event_reference_values = OC_REFERENCE_VALUES.kernel_layer.as_ref().unwrap(); - let policy = KernelPolicy::new(event_reference_values); + let reference_values = OC_REFERENCE_VALUES.kernel_layer.as_ref().unwrap(); + let policy = KernelPolicy::new(reference_values); + let event = &OC_EVIDENCE.event_log.as_ref().unwrap().encoded_events[KERNEL_EVENT_INDEX]; + let endorsement = &OC_ENDORSEMENTS.events[KERNEL_EVENT_INDEX]; - let event = extract_event(&OC_EVIDENCE, KERNEL_EVENT_INDEX).expect("couldn't extract event"); - let endorsement = OC_ENDORSEMENTS.kernel_layer.as_ref().unwrap(); + let result = policy.verify(event, endorsement, MILLISECONDS_SINCE_EPOCH); - // TODO: b/375137648 - Populate `events` proto field. - let encoded_endorsement = - Variant { id: KERNEL_ENDORSEMENT_ID.to_vec(), value: endorsement.encode_to_vec() }; - - let result = policy.verify(&event, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH); // TODO: b/356631062 - Verify detailed attestation results. 
- assert!(result.is_ok()); + assert!(result.is_ok(), "Failed: {:?}", result.err().unwrap()); } #[test] fn oc_system_policy_verify_succeeds() { let event_reference_values = OC_REFERENCE_VALUES.system_layer.as_ref().unwrap(); let policy = SystemPolicy::new(event_reference_values); + let event = &OC_EVIDENCE.event_log.as_ref().unwrap().encoded_events[SYSTEM_EVENT_INDEX]; + let endorsement = &OC_ENDORSEMENTS.events[SYSTEM_EVENT_INDEX]; - let event = extract_event(&OC_EVIDENCE, SYSTEM_EVENT_INDEX).expect("couldn't extract event"); - let endorsement = OC_ENDORSEMENTS.system_layer.as_ref().unwrap(); - - // TODO: b/375137648 - Populate `events` proto field. - let encoded_endorsement = - Variant { id: SYSTEM_ENDORSEMENT_ID.to_vec(), value: endorsement.encode_to_vec() }; + let result = policy.verify(event, endorsement, MILLISECONDS_SINCE_EPOCH); - let result = policy.verify(&event, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH); // TODO: b/356631062 - Verify detailed attestation results. - assert!(result.is_ok()); + assert!(result.is_ok(), "Failed: {:?}", result.err().unwrap()); } #[test] 
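Review bot: In `oc_kernel_policy_verify_succeeds` and `oc_system_policy_verify_succeeds` the event and its endorsement are now paired purely by position (`encoded_events[KERNEL_EVENT_INDEX]` with `events[KERNEL_EVENT_INDEX]`), whereas the removed code wrapped the endorsement in a `Variant` with an explicit `KERNEL_ENDORSEMENT_ID` or `SYSTEM_ENDORSEMENT_ID`. Nothing in the test now pins that the fixture entry at that index is the endorsement kind the policy expects; presumably `policy.verify` checks the ID itself, but that is not shown here. If the ID constants are still in scope, a line such as `assert_eq!(endorsement.id, KERNEL_ENDORSEMENT_ID.to_vec());` before `verify` would catch a reordered or mismatched fixture. The same pattern appears in the container, RK kernel and RK application tests in the following hunk.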
@@ -272,54 +228,38 @@ fn oc_container_policy_verify_succeeds() { // TODO: b/382550581 - Container reference values currently skip verification. let event_reference_values = OC_REFERENCE_VALUES.container_layer.as_ref().unwrap(); let policy = ContainerPolicy::new(event_reference_values); + let event = &OC_EVIDENCE.event_log.as_ref().unwrap().encoded_events[CONTAINER_EVENT_INDEX]; + let endorsement = &OC_ENDORSEMENTS.events[CONTAINER_EVENT_INDEX]; - let event = extract_event(&OC_EVIDENCE, CONTAINER_EVENT_INDEX).expect("couldn't extract event"); - // TODO: b/382550581 - Use real endorsements once they provide an application - // level endorsement. let endorsement = - // OC_ENDORSEMENTS.container_layer.as_ref().unwrap(); - let endorsement = std::vec![]; + let result = policy.verify(event, endorsement, MILLISECONDS_SINCE_EPOCH); - // TODO: b/375137648 - Populate `events` proto field. - let encoded_endorsement = - Variant { id: CONTAINER_ENDORSEMENT_ID.to_vec(), value: endorsement.encode_to_vec() }; - - let result = policy.verify(&event, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH); // TODO: b/356631062 - Verify detailed attestation results. - assert!(result.is_ok()); + assert!(result.is_ok(), "Failed: {:?}", result.err().unwrap()); } #[test] fn rk_kernel_policy_verify_succeeds() { - let event_reference_values = RK_REFERENCE_VALUES.kernel_layer.as_ref().unwrap(); - let policy = KernelPolicy::new(event_reference_values); - - let event = extract_event(&RK_EVIDENCE, KERNEL_EVENT_INDEX).expect("couldn't extract event"); - let endorsement = RK_ENDORSEMENTS.kernel_layer.as_ref().unwrap(); + let reference_values = RK_REFERENCE_VALUES.kernel_layer.as_ref().unwrap(); + let policy = KernelPolicy::new(reference_values); + let event = &RK_EVIDENCE.event_log.as_ref().unwrap().encoded_events[KERNEL_EVENT_INDEX]; + let endorsement = &RK_ENDORSEMENTS.events[KERNEL_EVENT_INDEX]; - // TODO: b/375137648 - Populate `events` proto field. 
- let encoded_endorsement = - Variant { id: KERNEL_ENDORSEMENT_ID.to_vec(), value: endorsement.encode_to_vec() }; + let result = policy.verify(event, endorsement, MILLISECONDS_SINCE_EPOCH); - let result = policy.verify(&event, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH); // TODO: b/356631062 - Verify detailed attestation results. - assert!(result.is_ok()); + assert!(result.is_ok(), "Failed: {:?}", result.err().unwrap()); } #[test] fn rk_application_policy_verify_succeeds() { // TODO: b/382550581 - Application reference values currently skip verification. - let event_reference_values = RK_REFERENCE_VALUES.application_layer.as_ref().unwrap(); - let policy = ApplicationPolicy::new(event_reference_values); - - let event = - extract_event(&RK_EVIDENCE, RK_APPLICATION_EVENT_INDEX).expect("couldn't extract event"); - let endorsement = RK_ENDORSEMENTS.application_layer.as_ref().unwrap(); + let reference_values = RK_REFERENCE_VALUES.application_layer.as_ref().unwrap(); + let policy = ApplicationPolicy::new(reference_values); + let event = &RK_EVIDENCE.event_log.as_ref().unwrap().encoded_events[RK_APPLICATION_EVENT_INDEX]; + let endorsement = &RK_ENDORSEMENTS.events[RK_APPLICATION_EVENT_INDEX]; - // TODO: b/375137648 - Populate `events` proto field. - let encoded_endorsement = - Variant { id: APPLICATION_ENDORSEMENT_ID.to_vec(), value: endorsement.encode_to_vec() }; + let result = policy.verify(event, endorsement, MILLISECONDS_SINCE_EPOCH); - let result = policy.verify(&event, &encoded_endorsement, MILLISECONDS_SINCE_EPOCH); // TODO: b/356631062 - Verify detailed attestation results. - assert!(result.is_ok()); + assert!(result.is_ok(), "Failed: {:?}", result.err().unwrap()); }