DCAP attestation - bail on non-up-to-date TCB status#46
Open
ameba23 wants to merge 1 commit into
During DCAP attestation verification, TCB status can have the following possible values:
dcap-qvl's verify function will reject an attestation if the status is 'Revoked' and succeed otherwise, giving us the status information and possible advisory IDs in the VerifiedReport. Our current policy is to log a warning if the status is not 'UpToDate' and proceed with success anyway.
This PR changes that behavior to bail with an error if the status is not 'UpToDate'.
This is the most conservative approach, but it could possibly mean that configurations are rejected which are considered safe by the cloud provider.
A possible alternative approach to this would be to check TCB status in our PCCS implementation, so out of date
Note: It has been suggested to have a minimum time window for rejecting out of date TCB, so that providers have time to update before attestations are rejected. But I can't see a way we can get the date on which the TCB expired, without observing ourselves when attestations with the TCB are no longer accepted, which we could do as part of the PCCS implementation.
We do have access to various dates associated with collateral - but as far as I can see, none of these necessarily tell us when collateral became out of date:
- `tcbDate` - is the date associated with the TCB level, not the expiry date
- `issueDate` and `nextUpdate` - are the freshness window of the collateral document, not the TCB - so collateral with OutOfDate TCB status may still have a `nextUpdate` date in the future.
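As an added example (not code from this PR or from dcap-qvl), the policy choice described above in Rust: the previous warn-and-proceed behaviour, this PR's strict rejection, and the observation-based grace window the note considers. The `status` string and `advisory_ids` are assumed to be the values the VerifiedReport carries; `TcbPolicy` and `Decision` are names introduced here.

```rust
// Added example, not code from the PR or from dcap-qvl. `status` and
// `advisory_ids` are assumed to be the values the VerifiedReport carries.
use std::collections::HashMap;
use std::time::{Duration, SystemTime};

#[derive(Debug, PartialEq)]
pub enum Decision {
    Accept,
    AcceptWithWarning(String),
    Reject(String),
}

pub struct TcbPolicy {
    /// true: this PR's behaviour, any status other than UpToDate is an error.
    /// false: the previous behaviour, log a warning and proceed.
    pub strict: bool,
    /// Optional grace window for a non-UpToDate TCB, counted from when this
    /// verifier itself first observed the (status, advisories) combination,
    /// since tcbDate/issueDate/nextUpdate do not say when it went out of date.
    pub grace: Option<Duration>,
    first_seen: HashMap<String, SystemTime>,
}

impl TcbPolicy {
    pub fn new(strict: bool, grace: Option<Duration>) -> Self {
        TcbPolicy { strict, grace, first_seen: HashMap::new() }
    }

    pub fn evaluate(&mut self, status: &str, advisory_ids: &[String], now: SystemTime) -> Decision {
        let detail = format!("TCB status {}, advisories [{}]", status, advisory_ids.join(", "));
        match status {
            // dcap-qvl already rejects Revoked; repeated here so the policy is complete.
            "Revoked" => Decision::Reject(detail),
            "UpToDate" => Decision::Accept,
            _ if !self.strict => Decision::AcceptWithWarning(detail),
            _ => {
                // First sighting of this status/advisory combination starts the clock.
                let first = *self.first_seen.entry(detail.clone()).or_insert(now);
                let age = now.duration_since(first).unwrap_or_default();
                match self.grace {
                    Some(window) if age < window => Decision::AcceptWithWarning(detail),
                    _ => Decision::Reject(detail),
                }
            }
        }
    }
}
```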