attestationreport: fix and better log output

Signed-off-by: Simon Ott <[email protected]>
Fraunhofer-AISEC · Mar 15, 2024 · 792ad66 · 792ad66
1 parent 1c120e5
commit 792ad66
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 5 deletions.
diff --git a/attestationreport/attestationreport.go b/attestationreport/attestationreport.go
@@ -1045,7 +1045,7 @@ func checkExtensionBuf(cert *x509.Certificate, oid string, buf []byte) (Result,
 					Got:      hex.EncodeToString(ext.Value),
 				}, false
 			}
-			return Result{Success: false}, false
+			return Result{Success: true}, true
 		}
 	}
 

diff --git a/attestationreport/snp.go b/attestationreport/snp.go
@@ -87,6 +87,8 @@ const (
 func verifySnpMeasurements(snpM Measurement, nonce []byte, referenceValues []ReferenceValue,
 ) (*MeasurementResult, bool) {
 
+	log.Trace("Verifying SNP measurements")
+
 	result := &MeasurementResult{
 		Type:      "SNP Result",
 		SnpResult: &SnpResult{},
@@ -154,6 +156,7 @@ func verifySnpMeasurements(snpM Measurement, nonce []byte, referenceValues []Ref
 
 	// Compare Measurements
 	if cmp := bytes.Compare(s.Measurement[:], snpReferenceValue.Sha384); cmp != 0 {
+		log.Trace("Failed to verify SNP reference value")
 		result.Artifacts = append(result.Artifacts,
 			DigestResult{
 				Name:    snpReferenceValue.Name,
@@ -171,6 +174,7 @@ func verifySnpMeasurements(snpM Measurement, nonce []byte, referenceValues []Ref
 
 		ok = false
 	} else {
+		log.Trace("Successfully verified SNP reference value")
 		// As we previously checked, that the attestation report contains exactly one
 		// SNP Reference Value, we can set this here:
 		result.Artifacts = append(result.Artifacts,
@@ -481,25 +485,25 @@ func verifySnpExtensions(cert *x509.Certificate, report *snpreport) ([]Result, b
 
 	if r, ok = checkExtensionUint8(cert, "1.3.6.1.4.1.3704.1.3.2", uint8(tcb>>8)); !ok {
 		log.Tracef("SEV TEE Extension Check failed")
-		ok = false
+		success = false
 	}
 	results = append(results, r)
 
 	if r, ok = checkExtensionUint8(cert, "1.3.6.1.4.1.3704.1.3.3", uint8(tcb>>48)); !ok {
 		log.Tracef("SEV SNP Extension Check failed")
-		ok = false
+		success = false
 	}
 	results = append(results, r)
 
 	if r, ok = checkExtensionUint8(cert, "1.3.6.1.4.1.3704.1.3.8", uint8(tcb>>56)); !ok {
 		log.Tracef("SEV UCODE Extension Check failed")
-		ok = false
+		success = false
 	}
 	results = append(results, r)
 
 	if r, ok = checkExtensionBuf(cert, "1.3.6.1.4.1.3704.1.4", report.ChipId[:]); !ok {
 		log.Tracef("Chip ID Extension Check failed")
-		ok = false
+		success = false
 	}
 	results = append(results, r)
 

diff --git a/attestationreport/snp_test.go b/attestationreport/snp_test.go
@@ -18,9 +18,14 @@ package attestationreport
 import (
 	"encoding/hex"
 	"testing"
+
+	"github.com/sirupsen/logrus"
 )
 
 func Test_verifySnpMeasurements(t *testing.T) {
+
+	logrus.SetLevel(logrus.TraceLevel)
+
 	type args struct {
 		snpM  *Measurement
 		snpV  []ReferenceValue

diff --git a/attestationreport/sw.go b/attestationreport/sw.go
@@ -21,6 +21,8 @@ import (
 
 func VerifySwMeasurements(swMeasurements []Measurement, refVals []ReferenceValue) ([]MeasurementResult, bool) {
 
+	log.Trace("Verifying SW measurements")
+
 	swMeasurementResults := make([]MeasurementResult, 0)
 	ok := true
 

diff --git a/attestationreport/tdx.go b/attestationreport/tdx.go
@@ -194,6 +194,8 @@ func parseECDSASignatureV4(buf *bytes.Buffer, sig *ECDSA256QuoteSignatureDataStr
 
 func verifyTdxMeasurements(tdxM Measurement, nonce []byte, intelCache string, referenceValues []ReferenceValue) (*MeasurementResult, bool) {
 
+	log.Trace("Verifying TDX measurements")
+
 	var err error
 	result := &MeasurementResult{
 		Type:      "TDX Result",