Skip to content

Unify OASIS_UNSAFE_SKIP_AVR_VERIFY semantics across Go and Rust attestation verification #6491

Description

@martintomazic

Harmless since debug flag for testing.

On the Rust side unsafe skip verify check is minimal:

if !unsafe_skip_quote_verification {
let tcb_level = quote.verify(tcb_info, qe_identity, ts)?;
// Validate TCB level.
match tcb_level.status {
TCBStatus::UpToDate | TCBStatus::SWHardeningNeeded => {}

On the go side, signature verification captures the quote verification against the policy that rust side may not ignore with unsafe skip verify set to true:

if !unsafeSkipVerify {
err := q.signature.Verify(q.header, q.reportBody, ts, tcb, policy)
if err != nil {
return nil, err
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    Fields

    No fields configured for Task.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions