podvm: truncate initdata digest to 32 bytes on az #2186
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mkulke
force-pushed
the
mkulke/fix-sha384-initdata-in-az
branch
from
8c10d90 to
864a014
Compare
mkulke
force-pushed
the
mkulke/fix-sha384-initdata-in-az
branch
2 times, most recently
from
4333a0c to
f106d5c
Compare
mkulke
force-pushed
the
mkulke/fix-sha384-initdata-in-az
branch
from
f106d5c to
a95db14
Compare
According to initdata spec the digest needs to be truncated/padded according to the requirements of the TEE. for az tpm we use the sha256 bank of TPM for initdata. This will fix a bug when a initdata body with alg=sha384+ was used and the PCR8 value in the TEE evidence will not be extended, since you cannot extend sha256 w/ a digest that's bigger than 32 bytes. An e2e test for azure was added to assert this behaviour. Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
mkulke
force-pushed
the
mkulke/fix-sha384-initdata-in-az
branch
from
a95db14 to
eb0e87b
Compare
There was a problem hiding this comment.
Copilot reviewed 2 out of 4 changed files in this pull request and generated no suggestions.
Files not reviewed (2)
- src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system/afterburn-checkin.service.d/10-override.conf: Language not supported
- src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system/process-user-data.service.d/10-override.conf: Language not supported
stevenhorsman
approved these changes
Dec 10, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
depends on #2187 to be merged firstAccording to initdata spec the digest needs to be truncated/padded according to the requirements of the TEE. for az tpm we use the sha256 bank of TPM for initdata.
This will fix a bug when a initdata body with alg=sha384+ was used and the PCR8 value in the TEE evidence will not be extended, since you cannot extend sha256 w/ a digest that's bigger than 32 bytes.
An e2e test for azure was added to assert this behaviour.