Allow explicit port in SNP endorsements config (#5858)

microsoft · Dec 8, 2023 · 5c11f47 · 5c11f47
1 parent d37224a
commit 5c11f47
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 27 deletions.
diff --git a/.snpcc_canary b/.snpcc_canary
@@ -1,4 +1,4 @@
   ___         ___    ___
  (. =)     Y (0 0)  (x X)    Y
    O     \     o      |    /
-/-xXx--//-----x=x--/-xXx--/---x---->>>
+/-xXx--//-----x=x--/-xXx--/---x---->>><
diff --git a/include/ccf/pal/attestation_sev_snp.h b/include/ccf/pal/attestation_sev_snp.h
@@ -157,6 +157,26 @@ QPHfbkH0CyPfhl1jWhJFZasCAwEAAQ==
   };
 #pragma pack(pop)
 
+  static HostPort get_endpoint_loc(
+    const EndorsementsServer& server, const HostPort& default_values)
+  {
+    if (server.url.has_value())
+    {
+      auto url = server.url.value();
+      auto pos = url.find(':');
+      if (pos == std::string::npos)
+      {
+        return {url, default_values.port};
+      }
+      else
+      {
+        return {url.substr(0, pos), url.substr(pos + 1)};
+      }
+    }
+
+    return default_values;
+  }
+
   static EndorsementEndpointsConfiguration
   make_endorsement_endpoint_configuration(
     const Attestation& quote,
@@ -171,7 +191,7 @@ QPHfbkH0CyPfhl1jWhJFZasCAwEAAQ==
     {
       // Default to Azure server if no servers are specified
       config.servers.emplace_back(make_azure_endorsements_server(
-        default_azure_endorsements_endpoint_host, chip_id_hex, reported_tcb));
+        default_azure_endorsements_endpoint, chip_id_hex, reported_tcb));
       return config;
     }
 
@@ -181,10 +201,10 @@ QPHfbkH0CyPfhl1jWhJFZasCAwEAAQ==
       {
         case EndorsementsEndpointType::Azure:
         {
-          auto url =
-            server.url.value_or(default_azure_endorsements_endpoint_host);
+          auto loc =
+            get_endpoint_loc(server, default_azure_endorsements_endpoint);
           config.servers.emplace_back(
-            make_azure_endorsements_server(url, chip_id_hex, reported_tcb));
+            make_azure_endorsements_server(loc, chip_id_hex, reported_tcb));
           break;
         }
         case EndorsementsEndpointType::AMD:
@@ -194,18 +214,18 @@ QPHfbkH0CyPfhl1jWhJFZasCAwEAAQ==
           auto snp = fmt::format("{}", quote.reported_tcb.snp);
           auto microcode = fmt::format("{}", quote.reported_tcb.microcode);
 
-          auto url =
-            server.url.value_or(default_azure_endorsements_endpoint_host);
+          auto loc =
+            get_endpoint_loc(server, default_amd_endorsements_endpoint);
           config.servers.emplace_back(make_amd_endorsements_server(
-            url, chip_id_hex, boot_loader, tee, snp, microcode));
+            loc, chip_id_hex, boot_loader, tee, snp, microcode));
           break;
         }
         case EndorsementsEndpointType::THIM:
         {
-          auto url =
-            server.url.value_or(default_thim_endorsements_endpoint_host);
+          auto loc =
+            get_endpoint_loc(server, default_thim_endorsements_endpoint);
           config.servers.emplace_back(
-            make_thim_endorsements_server(url, chip_id_hex, reported_tcb));
+            make_thim_endorsements_server(loc, chip_id_hex, reported_tcb));
           break;
         }
         default:

diff --git a/include/ccf/pal/attestation_sev_snp_endorsements.h b/include/ccf/pal/attestation_sev_snp_endorsements.h
@@ -80,30 +80,37 @@ namespace ccf::pal::snp
   DECLARE_JSON_OPTIONAL_FIELDS(EndorsementsServer, type, url);
   using EndorsementsServers = std::vector<EndorsementsServer>;
 
-  constexpr auto default_azure_endorsements_endpoint_host =
-    "global.acccache.azure.net";
+  struct HostPort
+  {
+    std::string host;
+    std::string port;
+  };
+
+  static HostPort default_azure_endorsements_endpoint = {
+    "global.acccache.azure.net", "443"};
 
   static EndorsementEndpointsConfiguration::Server
   make_azure_endorsements_server(
-    const std::string& endpoint,
+    const HostPort& endpoint,
     const std::string& chip_id_hex,
     const std::string& reported_tcb)
   {
     std::map<std::string, std::string> params;
     params["api-version"] = "2020-10-15-preview";
     return {
-      {endpoint,
-       "443",
+      {endpoint.host,
+       endpoint.port,
        fmt::format("/SevSnpVM/certificates/{}/{}", chip_id_hex, reported_tcb),
        params}};
   }
 
   // AMD endorsements endpoints. See
   // https://www.amd.com/system/files/TechDocs/57230.pdf
-  constexpr auto default_amd_endorsements_endpoint_host = "kdsintf.amd.com";
+  static HostPort default_amd_endorsements_endpoint = {
+    "kdsintf.amd.com", "443"};
 
   static EndorsementEndpointsConfiguration::Server make_amd_endorsements_server(
-    const std::string& endpoint,
+    const HostPort& endpoint,
     const std::string& chip_id_hex,
     const std::string& boot_loader,
     const std::string& tee,
@@ -118,35 +125,36 @@ namespace ccf::pal::snp
 
     EndorsementEndpointsConfiguration::Server server;
     server.push_back({
-      endpoint,
-      "443",
+      endpoint.host,
+      endpoint.port,
       fmt::format("/vcek/v1/{}/{}", product_name, chip_id_hex),
       params,
       true // DER
     });
     server.push_back(
-      {endpoint,
-       "443",
+      {endpoint.host,
+       endpoint.port,
        fmt::format("/vcek/v1/{}/cert_chain", product_name),
        {}});
 
     return server;
   }
 
-  constexpr auto default_thim_endorsements_endpoint_host = "169.254.169.254";
+  static HostPort default_thim_endorsements_endpoint = {
+    "169.254.169.254", "80"};
 
   static EndorsementEndpointsConfiguration::Server
   make_thim_endorsements_server(
-    const std::string& endpoint,
+    const HostPort& endpoint,
     const std::string& chip_id_hex,
     const std::string& reported_tcb)
   {
     std::map<std::string, std::string> params;
     params["tcbVersion"] = reported_tcb;
     params["platformId"] = chip_id_hex;
     return {
-      {endpoint,
-       "80",
+      {endpoint.host,
+       endpoint.port,
        "/metadata/THIM/amd/certification",
        params,
        false, // Not DER

diff --git a/tests/infra/remote.py b/tests/infra/remote.py
@@ -725,7 +725,7 @@ def __init__(
         snp_endorsements_servers_list = []
         for s in snp_endorsements_servers:
             try:
-                server_type, url = s.split(":")
+                server_type, url = s.split(":", 1)
             except ValueError as e:
                 raise ValueError(
                     "SNP endorsements servers should be in the format type:url"

diff --git a/tests/reconfiguration.py b/tests/reconfiguration.py
@@ -255,6 +255,7 @@ def test_add_node_endorsements_endpoints(network, args):
     args_copy = deepcopy(args)
     test_vectors = [
         (["Azure:global.acccache.azure.net"], True),
+        (["Azure:global.acccache.azure.net:443"], True),
         (["AMD:kdsintf.amd.com"], True),
         (["AMD:invalid.amd.com"], False),
         (["Azure:invalid.azure.com", "AMD:kdsintf.amd.com"], True),  # Fallback server