Change ParseCosCEL* to return an AttestedCosState (#501)

google · Oct 3, 2024 · 6405dbb · 6405dbb
1 parent 3332c30
commit 6405dbb
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 23 deletions.
diff --git a/server/eventlog.go b/server/eventlog.go
@@ -91,17 +91,17 @@ func parsePCClientEventLog(rawEventLog []byte, pcrs *tpmpb.PCRs, loader Bootload
 
 // ParseCosCELPCR takes an encoded COS CEL and PCR bank, replays the CEL against the PCRs,
 // and returns the AttestedCosState
-func ParseCosCELPCR(cosEventLog []byte, p register.PCRBank) (*pb.MachineState, error) {
+func ParseCosCELPCR(cosEventLog []byte, p register.PCRBank) (*pb.AttestedCosState, error) {
 	return getCosStateFromCEL(cosEventLog, p, cel.PCRTypeValue)
 }
 
 // ParseCosCELRTMR takes in a raw COS CEL and a RTMR bank, validates and returns it's
 // COS states as parts of the MachineState.
-func ParseCosCELRTMR(cosEventLog []byte, r register.RTMRBank) (*pb.MachineState, error) {
+func ParseCosCELRTMR(cosEventLog []byte, r register.RTMRBank) (*pb.AttestedCosState, error) {
 	return getCosStateFromCEL(cosEventLog, r, cel.CCMRTypeValue)
 }
 
-func getCosStateFromCEL(rawCanonicalEventLog []byte, register register.MRBank, trustingRegisterType uint8) (*pb.MachineState, error) {
+func getCosStateFromCEL(rawCanonicalEventLog []byte, register register.MRBank, trustingRegisterType uint8) (*pb.AttestedCosState, error) {
 	decodedCEL, err := cel.DecodeToCEL(bytes.NewBuffer(rawCanonicalEventLog))
 	if err != nil {
 		return nil, err
@@ -116,9 +116,7 @@ func getCosStateFromCEL(rawCanonicalEventLog []byte, register register.MRBank, t
 		return nil, err
 	}
 
-	return &pb.MachineState{
-		Cos: cosState,
-	}, err
+	return cosState, err
 }
 
 func contains(set [][]byte, value []byte) bool {

diff --git a/server/eventlog_test.go b/server/eventlog_test.go
@@ -736,18 +736,18 @@ func TestParsingRTMREventlog(t *testing.T) {
 	fakeRTMR := fakertmr.CreateRtmrSubsystem(t.TempDir())
 	rtmrBank := getRTMRBank(t, fakeRTMR)
 
-	msState, err := ParseCosCELRTMR(buf.Bytes(), rtmrBank)
+	acosState, err := ParseCosCELRTMR(buf.Bytes(), rtmrBank)
 	if err != nil {
 		t.Errorf("expecting no error from ParseCosCELRTMR(), but get %v", err)
 	}
-	if diff := cmp.Diff(msState.Cos.Container, &emptyCosState, protocmp.Transform()); diff != "" {
+	if diff := cmp.Diff(acosState.Container, &emptyCosState, protocmp.Transform()); diff != "" {
 		t.Errorf("unexpected container state difference:\n%v", diff)
 	}
-	if diff := cmp.Diff(msState.Cos.HealthMonitoring, &emptyHealthMonitoringState, protocmp.Transform()); diff != "" {
+	if diff := cmp.Diff(acosState.HealthMonitoring, &emptyHealthMonitoringState, protocmp.Transform()); diff != "" {
 		t.Errorf("unexpected health monitoring difference:\n%v", diff)
 	}
-	if msState.Cos.HealthMonitoring.MemoryEnabled != nil {
-		t.Errorf("unexpected MemoryEnabled state, want nil, but got %v", *msState.Cos.HealthMonitoring.MemoryEnabled)
+	if acosState.HealthMonitoring.MemoryEnabled != nil {
+		t.Errorf("unexpected MemoryEnabled state, want nil, but got %v", *acosState.HealthMonitoring.MemoryEnabled)
 	}
 
 	// add events
@@ -802,13 +802,13 @@ func TestParsingRTMREventlog(t *testing.T) {
 
 	rtmrBank = getRTMRBank(t, fakeRTMR)
 
-	if msState, err := ParseCosCELRTMR(buf.Bytes(), rtmrBank); err != nil {
+	if acosState, err := ParseCosCELRTMR(buf.Bytes(), rtmrBank); err != nil {
 		t.Errorf("expecting no error from ParseCosCELRTMR(), but get %v", err)
 	} else {
-		if diff := cmp.Diff(msState.Cos.Container, &wantContainerState, protocmp.Transform()); diff != "" {
+		if diff := cmp.Diff(acosState.Container, &wantContainerState, protocmp.Transform()); diff != "" {
 			t.Errorf("unexpected container state difference:\n%v", diff)
 		}
-		if diff := cmp.Diff(msState.Cos.HealthMonitoring, &wantHealthMonitoringState, protocmp.Transform()); diff != "" {
+		if diff := cmp.Diff(acosState.HealthMonitoring, &wantHealthMonitoringState, protocmp.Transform()); diff != "" {
 			t.Errorf("unexpected health monitoring state difference:\n%v", diff)
 		}
 	}
@@ -858,18 +858,18 @@ func TestParsingCELEventLog(t *testing.T) {
 	for _, bank := range banks {
 		pcrBank := convertToPCRBank(t, bank)
 		// pcrs can have any value here, since the coscel has no records, the replay should always success.
-		msState, err := ParseCosCELPCR(buf.Bytes(), pcrBank)
+		acosState, err := ParseCosCELPCR(buf.Bytes(), pcrBank)
 		if err != nil {
 			t.Errorf("expecting no error from ParseCosCELPCR(), but get %v", err)
 		}
-		if diff := cmp.Diff(msState.Cos.Container, &emptyCosState, protocmp.Transform()); diff != "" {
+		if diff := cmp.Diff(acosState.Container, &emptyCosState, protocmp.Transform()); diff != "" {
 			t.Errorf("unexpected container state difference:\n%v", diff)
 		}
-		if diff := cmp.Diff(msState.Cos.HealthMonitoring, &emptyHealthMonitoringState, protocmp.Transform()); diff != "" {
+		if diff := cmp.Diff(acosState.HealthMonitoring, &emptyHealthMonitoringState, protocmp.Transform()); diff != "" {
 			t.Errorf("unexpected health monitoring difference:\n%v", diff)
 		}
-		if msState.Cos.HealthMonitoring.MemoryEnabled != nil {
-			t.Errorf("unexpected MemoryEnabled state, want nil, but got %v", *msState.Cos.HealthMonitoring.MemoryEnabled)
+		if acosState.HealthMonitoring.MemoryEnabled != nil {
+			t.Errorf("unexpected MemoryEnabled state, want nil, but got %v", *acosState.HealthMonitoring.MemoryEnabled)
 		}
 	}
 
@@ -929,13 +929,13 @@ func TestParsingCELEventLog(t *testing.T) {
 	for _, bank := range banks {
 		pcrBank := convertToPCRBank(t, bank)
 
-		if msState, err := ParseCosCELPCR(buf.Bytes(), pcrBank); err != nil {
+		if acosState, err := ParseCosCELPCR(buf.Bytes(), pcrBank); err != nil {
 			t.Errorf("expecting no error from ParseCosCELPCR(), but get %v", err)
 		} else {
-			if diff := cmp.Diff(msState.Cos.Container, &wantContainerState, protocmp.Transform()); diff != "" {
+			if diff := cmp.Diff(acosState.Container, &wantContainerState, protocmp.Transform()); diff != "" {
 				t.Errorf("unexpected container state difference:\n%v", diff)
 			}
-			if diff := cmp.Diff(msState.Cos.HealthMonitoring, &wantHealthMonitoringState, protocmp.Transform()); diff != "" {
+			if diff := cmp.Diff(acosState.HealthMonitoring, &wantHealthMonitoringState, protocmp.Transform()); diff != "" {
 				t.Errorf("unexpected health monitoring state difference:\n%v", diff)
 			}
 		}

diff --git a/server/verify.go b/server/verify.go
@@ -150,6 +150,7 @@ func VerifyAttestation(attestation *pb.Attestation, opts VerifyOpts) (*pb.Machin
 			lastErr = fmt.Errorf("failed to validate the Canonical event log: %w", err)
 			continue
 		}
+		machineState.Cos = celState
 
 		// Verify the PCR hash algorithm. We have this check here (instead of at
 		// the start of the loop) so that the user gets a "SHA-1 not supported"
@@ -160,7 +161,6 @@ func VerifyAttestation(attestation *pb.Attestation, opts VerifyOpts) (*pb.Machin
 			continue
 		}
 
-		proto.Merge(machineState, celState)
 		proto.Merge(machineState, tpmMachineState)
 
 		return machineState, nil