Azure v6 tcbinfo patch (#42)

Ruteri · bakhtin · web-flow · commit f3a8b3c3e0ca · 2025-08-29T11:45:42.000+03:00
Co-authored-by: bakhtin &lt;a@bakhtin.net&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -7,5 +7,5 @@ RUN make build-${BINARY}
 
 FROM gcr.io/distroless/cc-debian12:nonroot-6755e21ccd99ddead6edc8106ba03888cbeed41a
 ARG BINARY
-COPY --from=builder /app/build/${BINARY} /app
-ENTRYPOINT [ "/app" ]
+COPY --from=builder /app/build/${BINARY} /proxy
+ENTRYPOINT [ "/proxy" ]
diff --git a/azure-tcbinfo-override/override.go b/azure-tcbinfo-override/override.go
@@ -0,0 +1,38 @@
+package azure_tcbinfo_override
+
+import (
+	"log/slog"
+
+	"github.com/flashbots/cvm-reverse-proxy/internal/atls"
+	azure_tdx "github.com/flashbots/cvm-reverse-proxy/internal/attestation/azure/tdx"
+	"github.com/flashbots/cvm-reverse-proxy/proxy"
+
+	"github.com/google/go-tdx-guest/pcs"
+)
+
+func OverrideV6InstanceOutdatedSEAMLoader(log *slog.Logger, tcbInfo pcs.TcbInfo) pcs.TcbInfo {
+	if tcbInfo.Fmspc == azure_tdx.AZURE_V6_BAD_FMSPC {
+		for l, tcbLevel := range tcbInfo.TcbLevels {
+			if tcbLevel.TcbStatus == pcs.TcbComponentStatusUpToDate {
+				if tcbLevel.Tcb.SgxTcbcomponents[7].Svn > 3 {
+					log.Debug("overriding tcb info to allow outdated Azure v6 SEAM loader")
+					tcbInfo.TcbLevels[l].Tcb.SgxTcbcomponents[7].Svn = 3
+				}
+			}
+		}
+	}
+
+	return tcbInfo
+}
+
+func OverrideAzureValidatorsForV6SEAMLoader(log *slog.Logger, validators []atls.Validator) {
+	for _, validator := range validators {
+		if multiValidator, ok := validator.(*proxy.MultiValidator); ok {
+			OverrideAzureValidatorsForV6SEAMLoader(log, multiValidator.Validators())
+		}
+		if azureTdxValidator, ok := validator.(*azure_tdx.Validator); ok {
+			log.Info("set tcb overide for Azure TDX validator")
+			azureTdxValidator.SetTcbOverride(func(tcbInfo pcs.TcbInfo) pcs.TcbInfo { return OverrideV6InstanceOutdatedSEAMLoader(log, tcbInfo) })
+		}
+	}
+}
diff --git a/cmd/attested-get/main.go b/cmd/attested-get/main.go
@@ -41,6 +41,7 @@ import (
 	"os"
 	"strings"
 
+	azure_tcbinfo_override "github.com/flashbots/cvm-reverse-proxy/azure-tcbinfo-override"
 	"github.com/flashbots/cvm-reverse-proxy/common"
 	"github.com/flashbots/cvm-reverse-proxy/internal/atls"
 	azure_tdx "github.com/flashbots/cvm-reverse-proxy/internal/attestation/azure/tdx"
@@ -78,6 +79,12 @@ var flags []cli.Flag = []cli.Flag{
 		Value: "",
 		Usage: "File or URL with known measurements (to compare against)",
 	},
+	&cli.BoolFlag{
+		Name:    "override-azurev6-tcbinfo",
+		Value:   false,
+		EnvVars: []string{"OVERRIDE_AZUREV6_TCBINFO"},
+		Usage:   "Allows Azure's V6 instance outdated SEAM Loader",
+	},
 	&cli.BoolFlag{
 		Name:  "log-debug",
 		Value: false,
@@ -105,6 +112,7 @@ func runClient(cCtx *cli.Context) (err error) {
 	outResponse := cCtx.String("out-response")
 	attestationTypeStr := cCtx.String("attestation-type")
 	expectedMeasurementsPath := cCtx.String("expected-measurements")
+	overrideAzurev6Tcbinfo := cCtx.Bool("override-azurev6-tcbinfo")
 
 	// Setup logging
 	log := common.SetupLogger(&common.LoggingOpts{
@@ -133,6 +141,9 @@ func runClient(cCtx *cli.Context) (err error) {
 		attConfig := config.DefaultForAzureTDX()
 		attConfig.SetMeasurements(measurements.M{})
 		validator := azure_tdx.NewValidator(attConfig, proxy.AttestationLogger{Log: log})
+		if overrideAzurev6Tcbinfo {
+			azure_tcbinfo_override.OverrideAzureValidatorsForV6SEAMLoader(log, []atls.Validator{validator})
+		}
 		validators = append(validators, validator)
 	default:
 		log.Error("currently only azure-tdx attestation is supported")
diff --git a/cmd/proxy-client/main.go b/cmd/proxy-client/main.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"os"
 
+	azure_tcbinfo_override "github.com/flashbots/cvm-reverse-proxy/azure-tcbinfo-override"
 	"github.com/flashbots/cvm-reverse-proxy/common"
 	"github.com/flashbots/cvm-reverse-proxy/internal/atls"
 	"github.com/flashbots/cvm-reverse-proxy/proxy"
@@ -47,6 +48,12 @@ var flags []cli.Flag = []cli.Flag{
 		Value: string(proxy.AttestationNone),
 		Usage: "type of attestation to present (" + proxy.AvailableAttestationTypes + "). Set to " + string(proxy.AttestationDummy) + " to use remote quote provider.",
 	},
+	&cli.BoolFlag{
+		Name:    "override-azurev6-tcbinfo",
+		Value:   false,
+		EnvVars: []string{"OVERRIDE_AZUREV6_TCBINFO"},
+		Usage:   "Allows Azure's V6 instance outdated SEAM Loader",
+	},
 	&cli.BoolFlag{
 		Name:  "log-json",
 		Value: false,
@@ -87,6 +94,7 @@ func runClient(cCtx *cli.Context) error {
 	listenAddr := cCtx.String("listen-addr")
 	targetAddr := cCtx.String("target-addr")
 	serverMeasurements := cCtx.String("server-measurements")
+	overrideAzurev6Tcbinfo := cCtx.Bool("override-azurev6-tcbinfo")
 	logJSON := cCtx.Bool("log-json")
 	logDebug := cCtx.Bool("log-debug")
 	tdx.SetLogDcapQuote(cCtx.Bool("log-dcap-quote"))
@@ -143,6 +151,10 @@ func runClient(cCtx *cli.Context) error {
 		return err
 	}
 
+	if overrideAzurev6Tcbinfo {
+		azure_tcbinfo_override.OverrideAzureValidatorsForV6SEAMLoader(log, validators)
+	}
+
 	tlsConfig, err := atls.CreateAttestationClientTLSConfig(issuer, validators)
 	if err != nil {
 		log.Error("could not create atls config", "err", err)
diff --git a/cmd/proxy-server/main.go b/cmd/proxy-server/main.go
@@ -11,6 +11,7 @@ import (
 	"syscall"
 	"time"
 
+	azure_tcbinfo_override "github.com/flashbots/cvm-reverse-proxy/azure-tcbinfo-override"
 	"github.com/flashbots/cvm-reverse-proxy/common"
 	"github.com/flashbots/cvm-reverse-proxy/internal/atls"
 	"github.com/flashbots/cvm-reverse-proxy/proxy"
@@ -62,6 +63,12 @@ var flags []cli.Flag = []cli.Flag{
 		EnvVars: []string{"CLIENT_MEASUREMENTS"},
 		Usage:   "optional path to JSON measurements enforced on the client",
 	},
+	&cli.BoolFlag{
+		Name:    "override-azurev6-tcbinfo",
+		Value:   false,
+		EnvVars: []string{"OVERRIDE_AZUREV6_TCBINFO"},
+		Usage:   "Allows Azure's V6 instance outdated SEAM Loader",
+	},
 	&cli.BoolFlag{
 		Name:    "log-json",
 		EnvVars: []string{"LOG_JSON"},
@@ -110,6 +117,7 @@ func runServer(cCtx *cli.Context) error {
 	listenAddr := cCtx.String("listen-addr")
 	targetAddr := cCtx.String("target-addr")
 	clientMeasurements := cCtx.String("client-measurements")
+	overrideAzurev6Tcbinfo := cCtx.Bool("override-azurev6-tcbinfo")
 	logJSON := cCtx.Bool("log-json")
 	logDebug := cCtx.Bool("log-debug")
 	tdx.SetLogDcapQuote(cCtx.Bool("log-dcap-quote"))
@@ -146,6 +154,10 @@ func runServer(cCtx *cli.Context) error {
 		return err
 	}
 
+	if overrideAzurev6Tcbinfo {
+		azure_tcbinfo_override.OverrideAzureValidatorsForV6SEAMLoader(log, validators)
+	}
+
 	var issuer atls.Issuer
 
 	isDummyAttestationType := serverAttestationTypeFlag == string(proxy.AttestationDummy)
diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.22.4
 replace github.com/martinjungblut/go-cryptsetup => github.com/daniel-weisse/go-cryptsetup v0.0.0-20230705150314-d8c07bd1723c
 
 replace (
+	github.com/google/go-tdx-guest => github.com/flashbots/go-tdx-guest v0.0.0-20250812101008-c4de93fd5a34
 	k8s.io/cloud-provider => k8s.io/cloud-provider v0.30.2
 	k8s.io/controller-manager => k8s.io/controller-manager v0.30.2
 	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.30.2
@@ -158,7 +159,7 @@ require (
 	github.com/google/certificate-transparency-go v1.1.8 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-attestation v0.5.1 // indirect
-	github.com/google/go-configfs-tsm v0.2.2 // indirect
+	github.com/google/go-configfs-tsm v0.3.2 // indirect
 	github.com/google/go-containerregistry v0.19.2 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
diff --git a/go.sum b/go.sum
@@ -167,6 +167,8 @@ github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/flashbots/go-tdx-guest v0.0.0-20250812101008-c4de93fd5a34 h1:rqyx3e+CwPtKBbopWz0amKweDkiuSb9fB/rF9y3RlBw=
+github.com/flashbots/go-tdx-guest v0.0.0-20250812101008-c4de93fd5a34/go.mod h1:uHy3VaNXNXhl0fiPxKqTxieeouqQmW6A0EfLcaeCYBk=
 github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
 github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
 github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec=
@@ -258,14 +260,12 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-configfs-tsm v0.2.2 h1:YnJ9rXIOj5BYD7/0DNnzs8AOp7UcvjfTvt215EWcs98=
-github.com/google/go-configfs-tsm v0.2.2/go.mod h1:EL1GTDFMb5PZQWDviGfZV9n87WeGTR/JUg13RfwkgRo=
+github.com/google/go-configfs-tsm v0.3.2 h1:ZYmHkdQavfsvVGDtX7RRda0gamelUNUhu0A9fbiuLmE=
+github.com/google/go-configfs-tsm v0.3.2/go.mod h1:EL1GTDFMb5PZQWDviGfZV9n87WeGTR/JUg13RfwkgRo=
 github.com/google/go-containerregistry v0.19.2 h1:TannFKE1QSajsP6hPWb5oJNgKe1IKjHukIKDUmvsV6w=
 github.com/google/go-containerregistry v0.19.2/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
 github.com/google/go-sev-guest v0.11.1 h1:gnww4U8fHV5DCPz4gykr1s8SEX1fFNcxCBy+vvXN24k=
 github.com/google/go-sev-guest v0.11.1/go.mod h1:qBOfb+JmgsUI3aUyzQoGC13Kpp9zwLeWvuyXmA9q77w=
-github.com/google/go-tdx-guest v0.3.1 h1:gl0KvjdsD4RrJzyLefDOvFOUH3NAJri/3qvaL5m83Iw=
-github.com/google/go-tdx-guest v0.3.1/go.mod h1:/rc3d7rnPykOPuY8U9saMyEps0PZDThLk/RygXm04nE=
 github.com/google/go-tpm v0.9.1 h1:0pGc4X//bAlmZzMKf8iz6IsDo1nYTbYJ6FZN/rg4zdM=
 github.com/google/go-tpm v0.9.1/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/go-tpm-tools v0.4.4 h1:oiQfAIkc6xTy9Fl5NKTeTJkBTlXdHsxAofmQyxBKY98=
diff --git a/internal/attestation/azure/tdx/validator.go b/internal/attestation/azure/tdx/validator.go
@@ -20,6 +20,7 @@ import (
 	"github.com/flashbots/cvm-reverse-proxy/internal/config"
 
 	"github.com/google/go-tdx-guest/abi"
+	"github.com/google/go-tdx-guest/pcs"
 	"github.com/google/go-tdx-guest/proto/tdx"
 	"github.com/google/go-tdx-guest/validate"
 	"github.com/google/go-tdx-guest/verify"
@@ -28,6 +29,8 @@ import (
 	"github.com/google/go-tpm/legacy/tpm2"
 )
 
+const AZURE_V6_BAD_FMSPC = "90c06f000000"
+
 // Validator for Azure confidential VM attestation using TDX.
 type Validator struct {
 	variant.AzureTDX
@@ -36,6 +39,9 @@ type Validator struct {
 
 	getter       trust.HTTPSGetter
 	hclValidator hclAkValidator
+
+	tcbOverride func(pcs.TcbInfo) pcs.TcbInfo
+	log         attestation.Logger
 }
 
 // NewValidator returns a new Validator for Azure confidential VM attestation using TDX.
@@ -44,6 +50,7 @@ func NewValidator(cfg *config.AzureTDX, log attestation.Logger) *Validator {
 		cfg:          cfg,
 		getter:       trust.DefaultHTTPSGetter(),
 		hclValidator: &azure.HCLAkValidator{},
+		log:          log,
 	}
 
 	v.Validator = vtpm.NewValidator(
@@ -58,6 +65,11 @@ func NewValidator(cfg *config.AzureTDX, log attestation.Logger) *Validator {
 	return v
 }
 
+func (v *Validator) SetTcbOverride(overrideFn func(pcs.TcbInfo) pcs.TcbInfo) *Validator {
+	v.tcbOverride = overrideFn
+	return v
+}
+
 func (v *Validator) getTrustedTPMKey(_ context.Context, attDoc vtpm.AttestationDocument, _ []byte) (crypto.PublicKey, error) {
 	var instanceInfo InstanceInfo
 	if err := json.Unmarshal(attDoc.InstanceInfo, &instanceInfo); err != nil {
@@ -96,12 +108,26 @@ func (v *Validator) validateQuote(tdxQuote *tdx.QuoteV4) error {
 	if err := verify.TdxQuote(tdxQuote, &verify.Options{
 		CheckRevocations: true,
 		GetCollateral:    true,
+		PatchTCBInfo:     v.tcbOverride,
 		TrustedRoots:     roots,
 		Getter:           v.getter,
 	}); err != nil {
 		return err
 	}
 
+	// Hacky way to log every time we validate the outdated v6 tcb
+	if v.tcbOverride != nil {
+		if chain, err := verify.ExtractChainFromQuote(tdxQuote); err == nil {
+			if exts, err := pcs.PckCertificateExtensions(chain.PCKCertificate); err == nil {
+				if exts.FMSPC == AZURE_V6_BAD_FMSPC {
+					if tdxQuote.TdQuoteBody.TeeTcbSvn[7] == 3 {
+						v.log.Warn("allowing azure's outdated SEAM loader")
+					}
+				}
+			}
+		}
+	}
+
 	if err := validate.TdxQuote(tdxQuote, &validate.Options{
 		HeaderOptions: validate.HeaderOptions{
 			MinimumQeSvn:  v.cfg.QESVN.Value,
diff --git a/proxy/mutli_validator.go b/proxy/mutli_validator.go
@@ -27,6 +27,10 @@ func NewMultiValidator(validators []atls.Validator) *MultiValidator {
 	}
 }
 
+func (v *MultiValidator) Validators() []atls.Validator {
+	return v.validators
+}
+
 func (v *MultiValidator) OID() asn1.ObjectIdentifier {
 	return v.oid
 }

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,10 @@ func NewMultiValidator(validators []atls.Validator) *MultiValidator {`
`27`	`27`	`}`
`28`	`28`	`}`
`29`	`29`
	`30`	`+func (v *MultiValidator) Validators() []atls.Validator {`
	`31`	`+ return v.validators`
	`32`	`+}`
	`33`	`+`
`30`	`34`	`func (v *MultiValidator) OID() asn1.ObjectIdentifier {`
`31`	`35`	`return v.oid`
`32`	`36`	`}`