[release/6.x] Accept UVM endorsements with integer SVN (#7316) (#7318)

Author: achamayou

CHANGELOG.md

@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.0.14]
+
+[6.0.14]: https://github.com/microsoft/CCF/releases/tag/ccf-6.0.14
+
+### Added
+
+- Improved handling of socket errors in curlm callbacks (#7308)
+- Accept UVM endorsements with SVNs encoded as integers, and use integer comparison for UVM (#7316)
+
 ## [6.0.13]
 
 [6.0.13]: https://github.com/microsoft/CCF/releases/tag/ccf-6.0.13

python/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "ccf"
-version = "6.0.13"
+version = "6.0.14"
 authors = [
   { name="CCF Team", email="CCF-Sec@microsoft.com" },
 ]

src/node/uvm_endorsements.cpp

@@ -9,17 +9,35 @@ namespace ccf
     const pal::UVMEndorsements& endorsements,
     const std::vector<pal::UVMEndorsements>& uvm_roots_of_trust)
   {
-    for (const auto& uvm_root_of_trust : uvm_roots_of_trust)
-    {
-      if (
-        uvm_root_of_trust.did == endorsements.did &&
-        uvm_root_of_trust.feed == endorsements.feed &&
-        uvm_root_of_trust.svn <= endorsements.svn)
-      {
-        return true;
-      }
-    }
-    return false;
+    return std::ranges::any_of(
+      uvm_roots_of_trust, [&](const auto& uvm_root_of_trust) {
+        size_t root_of_trust_svn = 0;
+        auto result = std::from_chars(
+          uvm_root_of_trust.svn.data(),
+          uvm_root_of_trust.svn.data() + uvm_root_of_trust.svn.size(),
+          root_of_trust_svn);
+        if (result.ec != std::errc())
+        {
+          throw std::runtime_error(fmt::format(
+            "Unable to parse svn value {} to unsigned in UVM root of trust",
+            uvm_root_of_trust.svn));
+        }
+        size_t endorsement_svn = 0;
+        result = std::from_chars(
+          endorsements.svn.data(),
+          endorsements.svn.data() + endorsements.svn.size(),
+          endorsement_svn);
+        if (result.ec != std::errc())
+        {
+          throw std::runtime_error(fmt::format(
+            "Unable to parse svn value {} to unsigned in UVM endorsements",
+            endorsements.svn));
+        }
+
+        return uvm_root_of_trust.did == endorsements.did &&
+          uvm_root_of_trust.feed == endorsements.feed &&
+          root_of_trust_svn <= endorsement_svn;
+      });
   }
 
   namespace cose
@@ -263,25 +281,58 @@ namespace ccf
         cose::headers::CONTENT_TYPE_APPLICATION_JSON_VALUE));
     }
 
-    UVMEndorsementsPayload payload = nlohmann::json::parse(raw_payload);
-    if (payload.sevsnpvm_launch_measurement != uvm_measurement.hex_str())
+    auto payload = nlohmann::json::parse(raw_payload);
+    std::string sevsnpvm_launch_measurement =
+      payload["x-ms-sevsnpvm-launchmeasurement"].get<std::string>();
+    auto sevsnpvm_guest_svn_obj = payload["x-ms-sevsnpvm-guestsvn"];
+    std::string sevsnpvm_guest_svn;
+    if (sevsnpvm_guest_svn_obj.is_string())
+    {
+      sevsnpvm_guest_svn = sevsnpvm_guest_svn_obj.get<std::string>();
+      size_t uintval = 0;
+      auto result = std::from_chars(
+        sevsnpvm_guest_svn.data(),
+        sevsnpvm_guest_svn.data() + sevsnpvm_guest_svn.size(),
+        uintval);
+      if (result.ec != std::errc())
+      {
+        throw std::logic_error(fmt::format(
+          "Unable to parse sevsnpvm_guest_svn value {} to unsigned in UVM "
+          "endorsements "
+          "payload",
+          sevsnpvm_guest_svn));
+      }
+    }
+    else if (sevsnpvm_guest_svn_obj.is_number_unsigned())
+    {
+      sevsnpvm_guest_svn = std::to_string(sevsnpvm_guest_svn_obj.get<size_t>());
+    }
+    else
+    {
+      throw std::logic_error(fmt::format(
+        "Unexpected type {} for sevsnpvm_guest_svn in UVM endorsements "
+        "payload, expected string or unsigned integer",
+        sevsnpvm_guest_svn_obj.type_name()));
+    }
+
+    if (sevsnpvm_launch_measurement != uvm_measurement.hex_str())
     {
       throw std::logic_error(fmt::format(
         "Launch measurement in UVM endorsements payload {} is not equal "
         "to UVM attestation measurement {}",
-        payload.sevsnpvm_launch_measurement,
+        sevsnpvm_launch_measurement,
         uvm_measurement.hex_str()));
     }
 
     LOG_INFO_FMT(
       "Successfully verified endorsements for attested measurement {} against "
       "{}, feed {}, svn {}",
-      payload.sevsnpvm_launch_measurement,
+      sevsnpvm_launch_measurement,
       did,
       phdr.feed,
-      payload.sevsnpvm_guest_svn);
+      sevsnpvm_guest_svn);
 
-    pal::UVMEndorsements end{did, phdr.feed, payload.sevsnpvm_guest_svn};
+    pal::UVMEndorsements end{did, phdr.feed, sevsnpvm_guest_svn};
 
     if (
       enforce_uvm_roots_of_trust &&

src/node/uvm_endorsements.h

@@ -19,19 +19,6 @@
 
 namespace ccf
 {
-  struct UVMEndorsementsPayload
-  {
-    std::string sevsnpvm_guest_svn;
-    std::string sevsnpvm_launch_measurement;
-  };
-  DECLARE_JSON_TYPE(UVMEndorsementsPayload);
-  DECLARE_JSON_REQUIRED_FIELDS_WITH_RENAMES(
-    UVMEndorsementsPayload,
-    sevsnpvm_guest_svn,
-    "x-ms-sevsnpvm-guestsvn",
-    sevsnpvm_launch_measurement,
-    "x-ms-sevsnpvm-launchmeasurement");
-
   struct UvmEndorsementsProtectedHeader
   {
     int64_t alg;