Make decode_stage0_event stricter

This checks that the event has the expected tag and that the `Any` type has the correct `type_url` before assuming that the bytes represent an encoded instance of `Stage0Measurements`. Also renamed the function `encoded_stage0_event` to `encode_stage0_event` for consistency. Change-Id: I6b39f36e3431a250593b63c15ec871d2fab8acfa
project-oak · Oct 1, 2024 · bd9e19e · bd9e19e
1 parent 30d6767
commit bd9e19e
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 8 deletions.
diff --git a/oak_attestation_integration_tests/tests/attester_tests.rs b/oak_attestation_integration_tests/tests/attester_tests.rs
@@ -35,7 +35,7 @@ fn dice_attester_generates_correct_dice_chain() {
         acpi_digest: vec![],
         kernel_cmdline: String::new(),
     };
-    let stage0_event = oak_stage0_dice::encoded_stage0_event(test_stage0_measurements);
+    let stage0_event = oak_stage0_dice::encode_stage0_event(test_stage0_measurements);
     let (_, stage0_dice_data_proto) = oak_stage0_dice::generate_dice_data(
         oak_stage0_dice::mock_attestation_report,
         oak_stage0_dice::mock_derived_key,

diff --git a/oak_containers_sdk/src/standalone.rs b/oak_containers_sdk/src/standalone.rs
@@ -77,7 +77,7 @@ impl StandaloneOrchestrator {
         application_config: Vec<u8>,
     ) -> Result<Self> {
         // Generate the root layer (Stage0) event
-        let encoded_stage0_event = oak_stage0_dice::encoded_stage0_event(root_layer_event.clone());
+        let encoded_stage0_event = oak_stage0_dice::encode_stage0_event(root_layer_event.clone());
 
         // Create a mock event log with the root layer event
         let mut mock_event_log = oak_proto_rust::oak::attestation::v1::EventLog::default();

diff --git a/oak_restricted_kernel_sdk/src/testing.rs b/oak_restricted_kernel_sdk/src/testing.rs
@@ -49,7 +49,7 @@ lazy_static::lazy_static! {
 
 fn get_mock_dice_data_and_event_log() -> (RestrictedKernelDiceData, Vec<u8>) {
     let (mut mock_event_log, stage0_dice_data): (EventLog, Stage0DiceData) = {
-        let stage0_event = oak_stage0_dice::encoded_stage0_event(
+        let stage0_event = oak_stage0_dice::encode_stage0_event(
             oak_proto_rust::oak::attestation::v1::Stage0Measurements::default(),
         );
         let mock_event_log = {

diff --git a/stage0/src/lib.rs b/stage0/src/lib.rs
@@ -177,7 +177,7 @@ pub fn rust64_start<P: hal::Platform>() -> ! {
     let memory_map_sha2_256_digest = zero_page.e820_table().measure();
 
     // Generate Stage0 Event Log data.
-    let stage0_event = oak_stage0_dice::encoded_stage0_event(
+    let stage0_event = oak_stage0_dice::encode_stage0_event(
         oak_proto_rust::oak::attestation::v1::Stage0Measurements {
             setup_data_digest: setup_data_sha2_256_digest.as_bytes().to_vec(),
             kernel_measurement: kernel_sha2_256_digest.as_bytes().to_vec(),

diff --git a/stage0_dice/src/lib.rs b/stage0_dice/src/lib.rs
@@ -50,6 +50,8 @@ use crate::alloc::string::ToString;
 
 pub type DerivedKey = [u8; 32];
 
+const STAGE0_TAG: &str = "Stage0";
+
 /// Generates an ECA certificate for use by the next boot stage (Stage 1).
 fn generate_stage1_certificate(
     stage0_eca_key: &SigningKey,
@@ -148,8 +150,8 @@ fn decode_stage0_event(
     let decoded_event: oak_proto_rust::oak::attestation::v1::Event =
         Message::decode(encoded_event).expect("Failed to decode stage0 event");
 
-    Message::decode(decoded_event.event.unwrap().value.as_slice())
-        .expect("Failed to decode stage0 measurements")
+    assert_eq!(decoded_event.tag, STAGE0_TAG);
+    decoded_event.event.unwrap().to_msg().expect("Failed to decode stage0 measurements")
 }
 
 /// Generates attestation evidence for the 'measurements' of all Stage 1
@@ -275,10 +277,10 @@ pub fn mock_derived_key() -> Result<DerivedKey, &'static str> {
     Ok(DerivedKey::default())
 }
 
-pub fn encoded_stage0_event(
+pub fn encode_stage0_event(
     measurements: oak_proto_rust::oak::attestation::v1::Stage0Measurements,
 ) -> Vec<u8> {
-    let tag = String::from("Stage0");
+    let tag = String::from(STAGE0_TAG);
     let any = prost_types::Any::from_msg(&measurements);
     let event = oak_proto_rust::oak::attestation::v1::Event { tag, event: Some(any.unwrap()) };
     event.encode_to_vec()