From 36d2fa20a3505dfd3ae86161e21f4f2961c73e9a Mon Sep 17 00:00:00 2001
From: Jiaqi Gao
Date: Tue, 26 Dec 2023 03:47:15 -0500
Subject: [PATCH] migtd: add error status for invalid policy

Signed-off-by: Jiaqi Gao
---
 src/migtd/src/migration/mod.rs | 33 ++++++++++++++++++++-------------
 src/migtd/src/ratls.rs | 11 +++++++++--
 2 files changed, 29 insertions(+), 15 deletions(-)

diff --git a/src/migtd/src/migration/mod.rs b/src/migtd/src/migration/mod.rs
index 64e8f6a9..6b65f5c7 100644
--- a/src/migtd/src/migration/mod.rs
+++ b/src/migtd/src/migration/mod.rs
@@ -8,8 +8,10 @@ pub mod event;
 pub mod session;

 use crate::ratls::RatlsError;
-use crate::ratls::MIG_POLICY_ERROR;
-use crate::ratls::MUTUAL_ATTESTATION_ERROR;
+use crate::ratls::{
+ INVALID_MIG_POLICY_ERROR, MIG_POLICY_UNSATISFIED_ERROR, MUTUAL_ATTESTATION_ERROR,
+};
+use alloc::string::ToString;
 use alloc::vec::Vec;
 use crypto::Error as CryptoError;
 use r_efi::efi::Guid;
@@ -137,7 +139,8 @@ pub enum MigrationResult {
 NetworkError = 5,
 SecureSessionError = 6,
 MutualAttestationError = 7,
- MigPolicyError = 8,
+ PolicyUnsatisfiedError = 8,
+ InvalidPolicyError = 9,
 }

 impl From for MigrationResult {
@@ -171,8 +174,10 @@ impl From for MigrationResult {
 fn from(e: CryptoError) -> Self {
 match e {
 CryptoError::TlsVerifyPeerCert(desc) => {
- if desc.as_str() == MIG_POLICY_ERROR {
- MigrationResult::MigPolicyError
+ if desc.as_str() == MIG_POLICY_UNSATISFIED_ERROR {
+ MigrationResult::PolicyUnsatisfiedError
+ } else if desc.as_str() == INVALID_MIG_POLICY_ERROR {
+ MigrationResult::InvalidPolicyError
 } else if desc.as_str() == MUTUAL_ATTESTATION_ERROR {
 MigrationResult::MutualAttestationError
 } else {
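Review bot: `PolicyUnsatisfiedError = 8` and `InvalidPolicyError = 9` are added to `MigrationResult` without doc comments, so the names alone have to tell whoever reads the status whether the peer failed the policy or the policy itself was rejected. Going by the `ratls.rs` change in this patch, `InvalidPolicyError` is produced only for `PolicyError::InvalidPolicy`, and every other `PolicyError` is reported as `PolicyUnsatisfiedError` through the `_ =>` arm. I would add `/// Peer evidence did not satisfy the migration policy; also reported for any PolicyError other than InvalidPolicy.` above the first and `/// The migration policy itself was rejected as invalid (PolicyError::InvalidPolicy).` above the second. If `PolicyError` has variants that describe something other than a mismatch (its definition is not shown here), listing them explicitly instead of `_` would keep a future variant from being silently reported as an unsatisfied policy. The enum's opening lines are outside this hunk.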
@@ -188,15 +193,17 @@ impl From for MigrationResult {
 fn from(e: io::Error) -> Self {
 match e.kind() {
 io::ErrorKind::InvalidData => {
- // let desc = e.to_string();
+ let desc = e.to_string();

- // if desc.contains(MIG_POLICY_ERROR) {
- // MigrationResult::MigPolicyError
- // } else if desc.contains(MUTUAL_ATTESTATION_ERROR) {
- // MigrationResult::MutualAttestationError
- // } else {
- MigrationResult::SecureSessionError
- // }
+ if desc.contains(MIG_POLICY_UNSATISFIED_ERROR) {
+ MigrationResult::PolicyUnsatisfiedError
+ } else if desc.contains(INVALID_MIG_POLICY_ERROR) {
+ MigrationResult::InvalidPolicyError
+ } else if desc.contains(MUTUAL_ATTESTATION_ERROR) {
+ MigrationResult::MutualAttestationError
+ } else {
+ MigrationResult::SecureSessionError
+ }
 }
 _ => MigrationResult::NetworkError,
 }
diff --git a/src/migtd/src/ratls.rs b/src/migtd/src/ratls.rs
index 7c074cdb..d150fe8e 100644
--- a/src/migtd/src/ratls.rs
+++ b/src/migtd/src/ratls.rs
@@ -3,6 +3,7 @@
 // SPDX-License-Identifier: BSD-2-Clause-Patent

 use alloc::{string::ToString, vec::Vec};
+use policy::PolicyError;
 use rust_std_stub::io::{Read, Write};
 use tdx_tdcall::TdCallError;

@@ -72,7 +73,8 @@ pub const SERVER_AUTH: ObjectIdentifier = ObjectIdentifier::new("1.3.6.1.5.5.7.3
 pub const CLIENT_AUTH: ObjectIdentifier = ObjectIdentifier::new("1.3.6.1.5.5.7.3.2");
 pub const ID_EC_SIG_OID: ObjectIdentifier = ObjectIdentifier::new("1.2.840.10045.4.3.3");

-pub const MIG_POLICY_ERROR: &str = "MigPolicyError";
+pub const MIG_POLICY_UNSATISFIED_ERROR: &str = "PolicyUnsatisfiedError";
+pub const INVALID_MIG_POLICY_ERROR: &str = "InvalidPolicyError";
 pub const MUTUAL_ATTESTATION_ERROR: &str = "MutualAttestationError";
 pub const MISMATCH_PUBLIC_KEY: &str = "MismatchPublicKeyError";
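Review bot: In the `io::ErrorKind::InvalidData` arm the failure class is recovered with `desc.contains(...)` on the rendered error text, whereas the `CryptoError` impl earlier in this file compares the whole description with `==`. Substring matching makes the reported status depend on how the TLS layer formats the message, and if any part of that text can originate from the peer (not visible in this patch) a marker appearing there would select the status. This block was commented out before and is re-enabled here, so I would add a comment stating where the marker ends up in the string, e.g. `// desc is the TLS error rendered by <layer>; it embeds the marker set in ratls::verify_peer_cert`. A unit test that pins each marker to its `MigrationResult` would catch drift between the two files. The `from` body closes outside the hunk.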
@@ -193,7 +195,12 @@ fn verify_peer_cert(
 verified_report_peer.as_slice(),
 event_log,
 )
- .map_err(|_| CryptoError::TlsVerifyPeerCert(MIG_POLICY_ERROR.to_string()));
+ .map_err(|e| match e {
+ PolicyError::InvalidPolicy => {
+ CryptoError::TlsVerifyPeerCert(INVALID_MIG_POLICY_ERROR.to_string())
+ }
+ _ => CryptoError::TlsVerifyPeerCert(MIG_POLICY_UNSATISFIED_ERROR.to_string()),
+ });
 }
 Err(CryptoError::TlsVerifyPeerCert(