edgelesssys · daniel-weisse · Oct 2, 2024 · Sep 26, 2024 · Sep 30, 2024 · Sep 30, 2024
diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml
@@ -11,7 +11,7 @@ on:
 
 jobs:
   vale:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

diff --git a/api/api.go b/api/api.go
@@ -101,6 +101,7 @@ func VerifyCoordinator(ctx context.Context, endpoint string, opts VerifyOptions)
 		Debug:               opts.Debug,
 		Nonce:               opts.Nonce,
 		AcceptedTCBStatuses: opts.AcceptedTCBStatuses,
+		AcceptedAdvisories:  opts.AcceptedAdvisories,
 	}); err != nil {
 		return nil, nil, nil, fmt.Errorf("verifying Coordinator quote: %w", err)
 	}
@@ -467,6 +468,10 @@ type VerifyOptions struct {
 	// If not set, defaults to ["UpToDate", "SWHardeningNeeded"].
 	// If the Coordinator returns a TCB status not listed, an [attestation.TCBStatusError] is returned.
 	AcceptedTCBStatuses []string `json:"AcceptedTCBStatuses"`
+	// AcceptedAdvisories is a list of Intel Security Advisories that are acceptable.
+	// If the Coordinator returns TCB status "SWHardeningNeeded", the list of advisories for that report must be a subset of this list.
+	// If not set, all advisories are accepted.
+	AcceptedAdvisories []string `json:"AcceptedAdvisories"`
 
 	// Nonce is an optional, user-defined nonce to be included in the Coordinator's attestation statement.
 	// If set, the Coordinator will generate an SGX quote over sha256(Coordinator_root_cert, Nonce).

diff --git a/api/attestation/attestation.go b/api/attestation/attestation.go
@@ -25,16 +25,27 @@ import (
 type TCBStatusError struct {
 	// TCBStatus is the TCB status of the Coordinator enclave.
 	TCBStatus tcbstatus.Status
+	// Advisories is a list of Intel Security Advisories if the TCB status is SWHardeningNeeded.
+	Advisories []string
 }
 
 // NewTCBStatusError creates a new TCBStatusError.
 func NewTCBStatusError(tcbStatus tcbstatus.Status) error {
 	return &TCBStatusError{TCBStatus: tcbStatus}
 }
 
+// NewTCBStatusErrorWithAdvisories creates a new TCBStatusError with a list of Intel Security Advisories.
+func NewTCBStatusErrorWithAdvisories(tcbStatus tcbstatus.Status, advisories []string) error {
+	return &TCBStatusError{TCBStatus: tcbStatus, Advisories: advisories}
+}
+
 // Error returns the error message.
 func (e *TCBStatusError) Error() string {
-	return fmt.Sprintf("invalid TCB status: %s", e.TCBStatus)
+	var advisoryMsg string
+	if len(e.Advisories) > 0 {
+		advisoryMsg = fmt.Sprintf(": advisories not accepted by configuration: %s", e.Advisories)
+	}
+	return fmt.Sprintf("invalid TCB status: %s%s", e.TCBStatus, advisoryMsg)
 }
 
 // Config is the expected attestation metadata of a MarbleRun Coordinator enclave.
@@ -48,6 +59,7 @@ type Config struct {
 	Debug               bool
 	Nonce               []byte
 	AcceptedTCBStatuses []string
+	AcceptedAdvisories  []string
 }
 
 // VerifyCertificate verifies the Coordinator's TLS certificate against the Coordinator's SGX quote.
@@ -73,6 +85,15 @@ func verifyCertificate(
 	if err != nil {
 		return NewTCBStatusError(report.TCBStatus)
 	}
+
+	notAccepted, err := tcb.CheckAdvisories(report, config.AcceptedAdvisories)
+	if err != nil {
+		return err
+	}
+	if len(notAccepted) > 0 {
+		return NewTCBStatusErrorWithAdvisories(report.TCBStatus, notAccepted)
+	}
+
 	switch validity {
 	case tcb.ValidityUnconditional:
 	case tcb.ValidityConditional:
@@ -83,7 +104,7 @@ func verifyCertificate(
 
 	if validity != tcb.ValidityUnconditional {
 		if report.TCBAdvisoriesErr != nil {
-			fmt.Fprintln(out, "Error: TCB Advisories:", err)
+			fmt.Fprintln(out, "Error: TCB Advisories:", report.TCBAdvisoriesErr)
 		} else {
 			fmt.Fprintln(out, "TCB Advisories:", report.TCBAdvisories)
 		}

diff --git a/api/attestation/attestation_test.go b/api/attestation/attestation_test.go
@@ -226,6 +226,78 @@ func TestVerifyCertificate(t *testing.T) {
 				}, attestation.ErrTCBLevelInvalid
 			},
 		},
+		"tcb error with advisories": {
+			config: defaultConfig,
+			verify: func([]byte) (attestation.Report, error) {
+				return attestation.Report{
+					Data:            quoteData[:],
+					SecurityVersion: 2,
+					ProductID:       []byte{0x03, 0x00},
+					SignerID:        []byte{0xAB, 0xCD},
+					TCBStatus:       tcbstatus.SWHardeningNeeded,
+					TCBAdvisories:   []string{"INTEL-SA-0001"},
+				}, attestation.ErrTCBLevelInvalid
+			},
+			wantErr:    true,
+			wantTCBErr: true,
+		},
+		"tcb error with advisories rejected": {
+			config: func() Config {
+				config := defaultConfig
+				config.AcceptedTCBStatuses = []string{"SWHardeningNeeded"}
+				config.AcceptedAdvisories = []string{"INTEL-SA-0002"}
+				return config
+			}(),
+			verify: func([]byte) (attestation.Report, error) {
+				return attestation.Report{
+					Data:            quoteData[:],
+					SecurityVersion: 2,
+					ProductID:       []byte{0x03, 0x00},
+					SignerID:        []byte{0xAB, 0xCD},
+					TCBStatus:       tcbstatus.SWHardeningNeeded,
+					TCBAdvisories:   []string{"INTEL-SA-0001"},
+				}, attestation.ErrTCBLevelInvalid
+			},
+			wantErr:    true,
+			wantTCBErr: true,
+		},
+		"tcb error with advisories accepted": {
+			config: func() Config {
+				config := defaultConfig
+				config.AcceptedTCBStatuses = []string{"SWHardeningNeeded"}
+				config.AcceptedAdvisories = []string{"INTEL-SA-0001"}
+				return config
+			}(),
+			verify: func([]byte) (attestation.Report, error) {
+				return attestation.Report{
+					Data:            quoteData[:],
+					SecurityVersion: 2,
+					ProductID:       []byte{0x03, 0x00},
+					SignerID:        []byte{0xAB, 0xCD},
+					TCBStatus:       tcbstatus.SWHardeningNeeded,
+					TCBAdvisories:   []string{"INTEL-SA-0001"},
+				}, attestation.ErrTCBLevelInvalid
+			},
+		},
+		"report contains tcb advisory parsing error": {
+			config: func() Config {
+				config := defaultConfig
+				config.AcceptedTCBStatuses = []string{"SWHardeningNeeded"}
+				config.AcceptedAdvisories = []string{"INTEL-SA-0001"}
+				return config
+			}(),
+			verify: func([]byte) (attestation.Report, error) {
+				return attestation.Report{
+					Data:             quoteData[:],
+					SecurityVersion:  2,
+					ProductID:        []byte{0x03, 0x00},
+					SignerID:         []byte{0xAB, 0xCD},
+					TCBStatus:        tcbstatus.SWHardeningNeeded,
+					TCBAdvisoriesErr: assert.AnError,
+				}, attestation.ErrTCBLevelInvalid
+			},
+			wantErr: true,
+		},
 	}
 
 	for name, tc := range testCases {

diff --git a/cli/cmd/root.go b/cli/cmd/root.go
@@ -68,6 +68,7 @@ To install and configure MarbleRun, run:
 	rootCmd.PersistentFlags().String("era-config", "", "Path to a remote-attestation config file in JSON format. If none is provided, the command attempts to use './coordinator-era.json'. If that does not exist, the command will attempt to load a matching config file from the MarbleRun GitHub repository")
 	rootCmd.PersistentFlags().BoolP("insecure", "i", false, "Set to skip quote verification, needed when running in simulation mode")
 	rootCmd.PersistentFlags().StringSlice("accepted-tcb-statuses", []string{"UpToDate", "SWHardeningNeeded"}, "Comma-separated list of user accepted TCB statuses")
+	rootCmd.PersistentFlags().StringSlice("accepted-advisories", nil, "Comma-separated list of user accepted Intel Security Advisories for SWHardeningNeeded TCB status. If empty, all advisories are accepted")
 	rootCmd.PersistentFlags().StringP("namespace", "n", helm.Namespace, "Kubernetes namespace of the MarbleRun installation")
 	rootCmd.PersistentFlags().String("nonce", "", "(Optional) nonce to use for quote verification. If set, the Coordinator will generate a quote over sha256(CoordinatorCert + nonce)")
 	rootCmd.PersistentFlags().String("save-sgx-quote", "", "If set, save the Coordinator's SGX quote to the specified file")

diff --git a/cli/internal/cmd/cmd.go b/cli/internal/cmd/cmd.go
@@ -46,6 +46,10 @@ func parseRestFlags(cmd *cobra.Command) (api.VerifyOptions, string, error) {
 	if err != nil {
 		return api.VerifyOptions{}, "", err
 	}
+	acceptedAdvisories, err := cmd.Flags().GetStringSlice("accepted-advisories")
+	if err != nil {
+		return api.VerifyOptions{}, "", err
+	}
 	k8sNamespace, err := cmd.Flags().GetString("namespace")
 	if err != nil {
 		return api.VerifyOptions{}, "", err
@@ -83,6 +87,7 @@ func parseRestFlags(cmd *cobra.Command) (api.VerifyOptions, string, error) {
 		}
 	}
 	verifyOptions.AcceptedTCBStatuses = acceptedTCBStatuses
+	verifyOptions.AcceptedAdvisories = acceptedAdvisories
 	verifyOptions.Nonce = []byte(nonce)
 
 	return verifyOptions, sgxQuotePath, nil

diff --git a/coordinator/clientapi/clientapi.go b/coordinator/clientapi/clientapi.go
@@ -556,19 +556,9 @@ func (a *ClientAPI) UpdateManifest(ctx context.Context, rawUpdateManifest []byte
 
 	// update manifest was valid, increase svn and regenerate secrets
 	for pkgName, pkg := range updateManifest.Packages {
-		if currentPackages[pkgName].SecurityVersion == nil {
-			currentPkg := currentPackages[pkgName]
-			currentPackages[pkgName] = quote.PackageProperties{
-				Debug:               currentPkg.Debug,
-				UniqueID:            currentPkg.UniqueID,
-				SecurityVersion:     pkg.SecurityVersion,
-				ProductID:           currentPkg.ProductID,
-				SignerID:            currentPkg.SignerID,
-				AcceptedTCBStatuses: currentPkg.AcceptedTCBStatuses,
-			}
-		} else {
-			*currentPackages[pkgName].SecurityVersion = *pkg.SecurityVersion
-		}
+		currentPkg := currentPackages[pkgName]
+		currentPkg.SecurityVersion = pkg.SecurityVersion
+		currentPackages[pkgName] = currentPkg
 	}
 
 	rootCert, err := txdata.GetCertificate(constants.SKCoordinatorRootCert)

diff --git a/coordinator/quote/ert.go b/coordinator/quote/ert.go
@@ -29,6 +29,10 @@ type PackageProperties struct {
 	SecurityVersion *uint
 	// AcceptedTCBStatuses is a list of TCB levels an enclave is allowed to have.
 	AcceptedTCBStatuses []string
+	// AcceptedAdvisories is a list of open Intel Security Advisories an enclave is allowed to run on,
+	// when it reports an SWHardeningNeeded TCB status.
+	// An empty list allows all advisories.
+	AcceptedAdvisories []string
 }
 
 // InfrastructureProperties contains the infrastructure-specific properties of a SGX DCAP quote.
@@ -107,6 +111,9 @@ func (p PackageProperties) String() string {
 	if len(p.AcceptedTCBStatuses) > 0 {
 		values = append(values, fmt.Sprintf("AcceptedTCBStatuses: %v", p.AcceptedTCBStatuses))
 	}
+	if len(p.AcceptedAdvisories) > 0 {
+		values = append(values, fmt.Sprintf("AcceptedAdvisories: %v", p.AcceptedAdvisories))
+	}
 	return fmt.Sprintf("{%s}", strings.Join(values, ", "))
 }
 

diff --git a/coordinator/quote/ertvalidator/ertvalidator.go b/coordinator/quote/ertvalidator/ertvalidator.go
@@ -47,6 +47,14 @@ func (v *ERTValidator) Validate(givenQuote []byte, cert []byte, pp quote.Package
 		v.log.Error("TCB Advisories", zap.Error(report.TCBAdvisoriesErr))
 	}
 
+	notAccepted, err := tcb.CheckAdvisories(report, pp.AcceptedAdvisories)
+	if err != nil {
+		return err
+	}
+	if len(notAccepted) > 0 {
+		return fmt.Errorf("TCB status %s contains advisories not accepted by configuration: %s", report.TCBStatus, notAccepted)
+	}
+
 	switch validity {
 	case tcb.ValidityUnconditional:
 	case tcb.ValidityConditional: