policy: add crl evaluation for v2

Signed-off-by: Jiaqi Gao <[email protected]>

Author: gaojiaqi7

config/templates/policy_v2.json

@@ -58,7 +58,7 @@ mod v2 {
     use alloc::{string::String, string::ToString, vec::Vec};
     use attestation::verify_quote_with_collaterals;
     use chrono::DateTime;
-    use crypto::pem_cert_to_der;
+    use crypto::{crl::get_crl_number, pem_cert_to_der};
     use lazy_static::lazy_static;
     use policy::*;
     use spin::Once;
@@ -272,6 +272,10 @@ mod v2 {
             .get_engine_svn_by_report(&report_value);
 
         let migtd_tcb = migtd_svn.and_then(|svn| policy.servtd_identity.get_tcb_level_by_svn(svn));
+        let pck_crl_num = get_crl_number(collaterals.pck_crl.as_bytes())
+            .map_err(|_| PolicyError::InvalidCollateral)?;
+        let root_ca_crl_num = get_crl_number(collaterals.root_ca_crl.as_bytes())
+            .map_err(|_| PolicyError::InvalidCollateral)?;
 
         Ok(PolicyEvaluationInfo {
             tcb_date: Some(tcb_date.to_string()),
@@ -281,6 +285,8 @@ mod v2 {
             migtd_isvsvn: migtd_svn,
             migtd_tcb_date: migtd_tcb.map(|tcb| tcb.tcb_date.clone()),
             migtd_tcb_status: migtd_tcb.map(|tcb| tcb.tcb_status.clone()),
+            pck_crl_num: Some(pck_crl_num),
+            root_ca_crl_num: Some(root_ca_crl_num),
         })
     }
 

config/templates/policy_v2_signed.json

@@ -44,6 +44,7 @@ pub enum PolicyError {
     InvalidQuote,
     SvnMismatch,
     TcbEvaluation,
+    CrlEvaluation,
     HashCalculation,
     QuoteVerification,
     QuoteGeneration,

src/migtd/src/mig_policy.rs

@@ -97,6 +97,12 @@ pub struct PolicyEvaluationInfo {
 
     /// The date of the MigTD TCB in ISO-8601 format, e.g. "2023-06-19T00:00:00Z"
     pub migtd_tcb_date: Option<String>,
+
+    /// The minimal crl_num of pck_crl
+    pub pck_crl_num: Option<u32>,
+
+    /// The minimal crl_num of root_ca_crl
+    pub root_ca_crl_num: Option<u32>,
 }
 
 pub struct VerifiedPolicy<'a> {
@@ -295,6 +301,7 @@ enum PolicyTypes {
 struct GlobalPolicy {
     tcb: Option<TcbPolicy>,
     platform: Option<PlatformPolicy>,
+    crl: Option<CrlPolicy>,
 }
 
 impl GlobalPolicy {
@@ -311,6 +318,10 @@ impl GlobalPolicy {
             platform_policy.evaluate(value, relative_reference)?;
         }
 
+        if let Some(crl_policy) = &self.crl {
+            crl_policy.evaluate(value, relative_reference)?;
+        }
+
         Ok(())
     }
 }
@@ -399,6 +410,37 @@ impl PlatformPolicy {
     }
 }
 
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct CrlPolicy {
+    pck_crl_num: Option<PolicyProperty>,
+    root_ca_crl_num: Option<PolicyProperty>,
+}
+
+impl CrlPolicy {
+    fn evaluate(
+        &self,
+        value: &PolicyEvaluationInfo,
+        relative_reference: &PolicyEvaluationInfo,
+    ) -> Result<(), PolicyError> {
+        if let Some(property) = &self.pck_crl_num {
+            let pck_crl_num = value.pck_crl_num.ok_or(PolicyError::CrlEvaluation)?;
+            if !property.evaluate_integer(pck_crl_num, relative_reference.pck_crl_num)? {
+                return Err(PolicyError::CrlEvaluation);
+            }
+        }
+
+        if let Some(property) = &self.root_ca_crl_num {
+            let root_ca_crl_num = value.root_ca_crl_num.ok_or(PolicyError::CrlEvaluation)?;
+            if !property.evaluate_integer(root_ca_crl_num, relative_reference.root_ca_crl_num)? {
+                return Err(PolicyError::CrlEvaluation);
+            }
+        }
+
+        Ok(())
+    }
+}
+
 #[derive(Debug, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct ServtdPolicy {
@@ -691,6 +733,8 @@ mod test {
             migtd_tcb_status: None,
             migtd_tcb_date: None,
             migtd_isvsvn: None,
+            pck_crl_num: None,
+            root_ca_crl_num: None,
         };
         let relative_ref = PolicyEvaluationInfo::default();
         assert!(global_policy.evaluate(&value, &relative_ref).is_ok());