From c0e8d5f3c937012473884e285edaae73185b8467 Mon Sep 17 00:00:00 2001 From: Zeyu Zhang Date: Tue, 31 Mar 2026 14:40:44 +0800 Subject: [PATCH] Allow callers to configure acceptable TCB status levels --- proto/checkconfig.proto | 6 +++ proto/checkconfig/checkconfig.pb.go | 55 ++++++++++++++++--------- tools/check/check.go | 9 ++++ verify/verify.go | 64 ++++++++++++++++++----------- verify/verify_test.go | 19 +++++---- 5 files changed, 100 insertions(+), 53 deletions(-) diff --git a/proto/checkconfig.proto b/proto/checkconfig.proto index 547a7d0..6aba26f 100644 --- a/proto/checkconfig.proto +++ b/proto/checkconfig.proto @@ -75,6 +75,12 @@ message RootOfTrust { // If true, then check is not permitted to download necessary files for // verification. bool get_collateral = 4; + + // The set of acceptable TCB status values. If empty, only "UpToDate" is + // accepted. Possible values: "UpToDate", "SWHardeningNeeded", + // "ConfigurationNeeded", "ConfigurationAndSWHardeningNeeded", "OutOfDate", + // "OutOfDateConfigurationNeeded". + repeated string accepted_tcb_statuses = 5; } // Config is the overall message input for the check tool. This provides all diff --git a/proto/checkconfig/checkconfig.pb.go b/proto/checkconfig/checkconfig.pb.go index 6784813..166920a 100644 --- a/proto/checkconfig/checkconfig.pb.go +++ b/proto/checkconfig/checkconfig.pb.go @@ -14,7 +14,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.28.1 +// protoc-gen-go v1.34.2 // protoc v4.23.4 // source: checkconfig.proto @@ -332,6 +332,11 @@ type RootOfTrust struct { // If true, then check is not permitted to download necessary files for // verification. GetCollateral bool `protobuf:"varint,4,opt,name=get_collateral,json=getCollateral,proto3" json:"get_collateral,omitempty"` + // The set of acceptable TCB status values. If empty, only "UpToDate" is + // accepted. Possible values: "UpToDate", "SWHardeningNeeded", + // "ConfigurationNeeded", "ConfigurationAndSWHardeningNeeded", "OutOfDate", + // "OutOfDateConfigurationNeeded". + AcceptedTcbStatuses []string `protobuf:"bytes,5,rep,name=accepted_tcb_statuses,json=acceptedTcbStatuses,proto3" json:"accepted_tcb_statuses,omitempty"` } func (x *RootOfTrust) Reset() { @@ -394,6 +399,13 @@ func (x *RootOfTrust) GetGetCollateral() bool { return false } +func (x *RootOfTrust) GetAcceptedTcbStatuses() []string { + if x != nil { + return x.AcceptedTcbStatuses + } + return nil +} + // Config is the overall message input for the check tool. This provides all // the flags that configure the tool, including the validation policy. type Config struct { @@ -507,7 +519,7 @@ var file_checkconfig_proto_rawDesc = []byte{ 0x0c, 0x52, 0x11, 0x6d, 0x69, 0x6e, 0x69, 0x6d, 0x75, 0x6d, 0x54, 0x65, 0x65, 0x54, 0x63, 0x62, 0x53, 0x76, 0x6e, 0x32, 0x12, 0x22, 0x0a, 0x0d, 0x6d, 0x72, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x74, 0x64, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b, 0x6d, 0x72, 0x53, - 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x54, 0x64, 0x22, 0x96, 0x01, 0x0a, 0x0b, 0x52, 0x6f, 0x6f, + 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x54, 0x64, 0x22, 0xca, 0x01, 0x0a, 0x0b, 0x52, 0x6f, 0x6f, 0x74, 0x4f, 0x66, 0x54, 0x72, 0x75, 0x73, 0x74, 0x12, 0x25, 0x0a, 0x0e, 0x63, 0x61, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x63, 0x61, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x73, 0x12, @@ -517,18 +529,21 @@ var file_checkconfig_proto_rawDesc = []byte{ 0x52, 0x08, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x43, 0x72, 0x6c, 0x12, 0x25, 0x0a, 0x0e, 0x67, 0x65, 0x74, 0x5f, 0x63, 0x6f, 0x6c, 0x6c, 0x61, 0x74, 0x65, 0x72, 0x61, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x67, 0x65, 0x74, 0x43, 0x6f, 0x6c, 0x6c, 0x61, 0x74, 0x65, 0x72, 0x61, - 0x6c, 0x22, 0x73, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x2b, 0x0a, 0x06, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x68, - 0x65, 0x63, 0x6b, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x3c, 0x0a, 0x0d, 0x72, 0x6f, 0x6f, 0x74, - 0x5f, 0x6f, 0x66, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x18, 0x2e, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x52, 0x6f, - 0x6f, 0x74, 0x4f, 0x66, 0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x0b, 0x72, 0x6f, 0x6f, 0x74, 0x4f, - 0x66, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x32, 0x5a, 0x30, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x67, 0x6f, 0x2d, 0x74, - 0x64, 0x78, 0x2d, 0x67, 0x75, 0x65, 0x73, 0x74, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x63, - 0x68, 0x65, 0x63, 0x6b, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x33, + 0x6c, 0x12, 0x32, 0x0a, 0x15, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x65, 0x64, 0x5f, 0x74, 0x63, + 0x62, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, + 0x52, 0x13, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x65, 0x64, 0x54, 0x63, 0x62, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x65, 0x73, 0x22, 0x73, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, + 0x2b, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x13, 0x2e, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x50, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x3c, 0x0a, 0x0d, + 0x72, 0x6f, 0x6f, 0x74, 0x5f, 0x6f, 0x66, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x63, 0x6f, 0x6e, 0x66, 0x69, + 0x67, 0x2e, 0x52, 0x6f, 0x6f, 0x74, 0x4f, 0x66, 0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x0b, 0x72, + 0x6f, 0x6f, 0x74, 0x4f, 0x66, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x32, 0x5a, 0x30, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, + 0x67, 0x6f, 0x2d, 0x74, 0x64, 0x78, 0x2d, 0x67, 0x75, 0x65, 0x73, 0x74, 0x2f, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x2f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -544,7 +559,7 @@ func file_checkconfig_proto_rawDescGZIP() []byte { } var file_checkconfig_proto_msgTypes = make([]protoimpl.MessageInfo, 5) -var file_checkconfig_proto_goTypes = []interface{}{ +var file_checkconfig_proto_goTypes = []any{ (*Policy)(nil), // 0: checkconfig.Policy (*HeaderPolicy)(nil), // 1: checkconfig.HeaderPolicy (*TDQuoteBodyPolicy)(nil), // 2: checkconfig.TDQuoteBodyPolicy @@ -569,7 +584,7 @@ func file_checkconfig_proto_init() { return } if !protoimpl.UnsafeEnabled { - file_checkconfig_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + file_checkconfig_proto_msgTypes[0].Exporter = func(v any, i int) any { switch v := v.(*Policy); i { case 0: return &v.state @@ -581,7 +596,7 @@ func file_checkconfig_proto_init() { return nil } } - file_checkconfig_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + file_checkconfig_proto_msgTypes[1].Exporter = func(v any, i int) any { switch v := v.(*HeaderPolicy); i { case 0: return &v.state @@ -593,7 +608,7 @@ func file_checkconfig_proto_init() { return nil } } - file_checkconfig_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + file_checkconfig_proto_msgTypes[2].Exporter = func(v any, i int) any { switch v := v.(*TDQuoteBodyPolicy); i { case 0: return &v.state @@ -605,7 +620,7 @@ func file_checkconfig_proto_init() { return nil } } - file_checkconfig_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { + file_checkconfig_proto_msgTypes[3].Exporter = func(v any, i int) any { switch v := v.(*RootOfTrust); i { case 0: return &v.state @@ -617,7 +632,7 @@ func file_checkconfig_proto_init() { return nil } } - file_checkconfig_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { + file_checkconfig_proto_msgTypes[4].Exporter = func(v any, i int) any { switch v := v.(*Config); i { case 0: return &v.state diff --git a/tools/check/check.go b/tools/check/check.go index 403804a..673afd6 100644 --- a/tools/check/check.go +++ b/tools/check/check.go @@ -116,6 +116,8 @@ var ( maxRetryDelay = flag.Duration("max_retry_delay", defaultMaxRetryDelay, "Maximum Duration to wait between HTTP request retries.") testLocalGetter = flag.Bool("test_local_getter", false, "Use this flag only to test this CLI tool when network access is not available") + acceptedTcbStatuses = flag.String("accepted_tcb_statuses", "", "Comma-separated list of acceptable TCB statuses (e.g. UpToDate,SWHardeningNeeded,ConfigurationNeeded). If empty, only UpToDate is accepted.") + // Assign the values of the flags to the corresponding proto fields config = &ccpb.Config{ RootOfTrust: &ccpb.RootOfTrust{}, @@ -333,6 +335,13 @@ func populateRootOfTrust() error { if len(paths) > 0 { rot.CabundlePaths = paths } + if *acceptedTcbStatuses != "" { + statuses := strings.Split(*acceptedTcbStatuses, ",") + for i := range statuses { + statuses[i] = strings.TrimSpace(statuses[i]) + } + rot.AcceptedTcbStatuses = statuses + } return nil } diff --git a/verify/verify.go b/verify/verify.go index 5401199..601f777 100644 --- a/verify/verify.go +++ b/verify/verify.go @@ -190,6 +190,9 @@ type Options struct { // TrustedRoots specifies the root CertPool to trust when verifying PCK certificate chain. // If nil, embedded certificate will be used TrustedRoots *x509.CertPool + // AcceptedTCBStatuses is the set of TCB status values that the caller considers acceptable. + // If nil or empty, only "UpToDate" is accepted. + AcceptedTCBStatuses []pcs.TcbComponentStatus chain *PCKCertificateChain collateral *Collateral @@ -224,12 +227,14 @@ func DefaultOptions() *Options { } type tdQuoteBodyOptions struct { - tcbInfo pcs.TcbInfo - pckCertExtensions *pcs.PckExtensions + tcbInfo pcs.TcbInfo + pckCertExtensions *pcs.PckExtensions + acceptedTCBStatuses []pcs.TcbComponentStatus } type qeReportOptions struct { - qeIdentity *pcs.EnclaveIdentity + qeIdentity *pcs.EnclaveIdentity + acceptedTCBStatuses []pcs.TcbComponentStatus } // PCKCertificateChain contains certificate chains @@ -997,18 +1002,26 @@ func readQeTcbStatus(tcbLevels []pcs.TcbLevel, isvsvn uint32) (pcs.TcbLevel, err return pcs.TcbLevel{}, fmt.Errorf("no matching QE TCB level found") } -func checkQeTcbStatus(tcbLevels []pcs.TcbLevel, isvsvn uint32) error { +func isTcbStatusAccepted(status pcs.TcbComponentStatus, accepted []pcs.TcbComponentStatus) bool { + if len(accepted) == 0 { + return status == pcs.TcbComponentStatusUpToDate + } + for _, s := range accepted { + if s == status { + return true + } + } + return false +} + +func checkQeTcbStatus(tcbLevels []pcs.TcbLevel, isvsvn uint32, accepted []pcs.TcbComponentStatus) error { found, err := readQeTcbStatus(tcbLevels, isvsvn) if err != nil { return err } - if found.TcbStatus == pcs.TcbComponentStatusOutOfDate { - return ErrEnclaveTcbStatus - } - - if found.TcbStatus != pcs.TcbComponentStatusUpToDate { - return fmt.Errorf("QE TCB Status is not %q, found %q", pcs.TcbComponentStatusUpToDate, found.TcbStatus) + if !isTcbStatusAccepted(found.TcbStatus, accepted) { + return fmt.Errorf("QE TCB Status %q is not acceptable", found.TcbStatus) } return nil @@ -1052,18 +1065,14 @@ func readTcbInfoTcbStatus(tcbInfo pcs.TcbInfo, tdQuoteBody any, pckCertExtension return matchingTcbLevel, nil } -func checkTcbInfoTcbStatus(tcbInfo pcs.TcbInfo, tdQuoteBody any, pckCertExtensions *pcs.PckExtensions) error { +func checkTcbInfoTcbStatus(tcbInfo pcs.TcbInfo, tdQuoteBody any, pckCertExtensions *pcs.PckExtensions, accepted []pcs.TcbComponentStatus) error { found, err := readTcbInfoTcbStatus(tcbInfo, tdQuoteBody, pckCertExtensions) if err != nil { return err } - if found.TcbStatus == pcs.TcbComponentStatusOutOfDate { - return ErrTdxTcbStatus - } - - if found.TcbStatus != pcs.TcbComponentStatusUpToDate { - return fmt.Errorf("TDX TCB Status is not %q, found %q", pcs.TcbComponentStatusUpToDate, found.TcbStatus) + if !isTcbStatusAccepted(found.TcbStatus, accepted) { + return fmt.Errorf("TDX TCB Status %q is not acceptable", found.TcbStatus) } return nil @@ -1111,7 +1120,7 @@ func verifyTdQuoteBody(tdQuoteBody any, tdQuoteBodyOptions *tdQuoteBodyOptions) return fmt.Errorf("AttributesMask value(%q) is not equal to TdxModule.Attributes field in Intel PCS's reported TDX TCB info(%q)", hex.EncodeToString(attributesMask), hex.EncodeToString(tdQuoteBodyOptions.tcbInfo.TdxModule.Attributes.Bytes)) } - if err := checkTcbInfoTcbStatus(tdQuoteBodyOptions.tcbInfo, tdQuoteBody, tdQuoteBodyOptions.pckCertExtensions); err != nil { + if err := checkTcbInfoTcbStatus(tdQuoteBodyOptions.tcbInfo, tdQuoteBody, tdQuoteBodyOptions.pckCertExtensions, tdQuoteBodyOptions.acceptedTCBStatuses); err != nil { return fmt.Errorf("TDX TCB info reported by Intel PCS failed TCB status check: %v", err) } return nil @@ -1154,7 +1163,7 @@ func verifyQeReport(qeReport *pb.EnclaveReport, qeReportOptions *qeReportOptions return fmt.Errorf("ISV PRODID value(%v) in QE Report is not equal to ISV PRODID value(%v) in Intel PCS's reported QE Identity", qeReport.GetIsvProdId(), qeReportOptions.qeIdentity.IsvProdID) } - if err := checkQeTcbStatus(qeReportOptions.qeIdentity.TcbLevels, qeReport.GetIsvSvn()); err != nil { + if err := checkQeTcbStatus(qeReportOptions.qeIdentity.TcbLevels, qeReport.GetIsvSvn(), qeReportOptions.acceptedTCBStatuses); err != nil { return fmt.Errorf("QE Identity reported by Intel PCS failed TCB status check: %v", err) } return nil @@ -1242,7 +1251,7 @@ func verifyQuote(quote any, options *Options) error { if collateral != nil { logger.V(1).Info("Verifying TD Quote Body using TCB Info API response") var err error - quoteBodyOptions := tdQuoteBodyOptions{tcbInfo: collateral.TdxTcbInfo.TcbInfo, pckCertExtensions: pckCertExtensions} + quoteBodyOptions := tdQuoteBodyOptions{tcbInfo: collateral.TdxTcbInfo.TcbInfo, pckCertExtensions: pckCertExtensions, acceptedTCBStatuses: options.AcceptedTCBStatuses} switch q := quote.(type) { case *pb.QuoteV4: err = verifyTdQuoteBody(q.GetTdQuoteBody(), "eBodyOptions) @@ -1258,7 +1267,8 @@ func verifyQuote(quote any, options *Options) error { logger.V(1).Info("Verifying QE Report using QE Identity API response") if err := verifyQeReport(qeReportCertificationData.GetQeReport(), &qeReportOptions{ - qeIdentity: &collateral.QeIdentity.EnclaveIdentity, + qeIdentity: &collateral.QeIdentity.EnclaveIdentity, + acceptedTCBStatuses: options.AcceptedTCBStatuses, }); err != nil { return err } @@ -1605,10 +1615,16 @@ func RootOfTrustToOptions(rot *ccpb.RootOfTrust) (*Options, error) { return nil, err } + var accepted []pcs.TcbComponentStatus + for _, s := range rot.AcceptedTcbStatuses { + accepted = append(accepted, pcs.TcbComponentStatus(s)) + } + return &Options{ - CheckRevocations: rot.CheckCrl, - GetCollateral: rot.GetCollateral, - TrustedRoots: trustedRoots, + CheckRevocations: rot.CheckCrl, + GetCollateral: rot.GetCollateral, + TrustedRoots: trustedRoots, + AcceptedTCBStatuses: accepted, }, nil } diff --git a/verify/verify_test.go b/verify/verify_test.go index e2c23d2..cdd5768 100644 --- a/verify/verify_test.go +++ b/verify/verify_test.go @@ -18,7 +18,6 @@ import ( "context" "crypto/x509" "encoding/hex" - "errors" "os" "reflect" "strings" @@ -824,25 +823,26 @@ func TestNegativeTcbInfoTcbStatusV4(t *testing.T) { setTcbSvnValues(10, 0, &tcbInfo.TcbLevels[0].Tcb.TdxTcbcomponents, &tcbInfo.TcbLevels[0].Tcb.SgxTcbcomponents) wantErr := "no matching TCB level found" - if err := checkTcbInfoTcbStatus(tcbInfo, quote.GetTdQuoteBody(), ext); err == nil || err.Error() != wantErr { + if err := checkTcbInfoTcbStatus(tcbInfo, quote.GetTdQuoteBody(), ext, nil); err == nil || err.Error() != wantErr { t.Errorf("SgxTcbComponents values greater: checkTcbInfoTcbStatus() = %v. Want error %v", err, wantErr) } setTcbSvnValues(0, 10, &tcbInfo.TcbLevels[0].Tcb.TdxTcbcomponents, &tcbInfo.TcbLevels[0].Tcb.SgxTcbcomponents) - if err := checkTcbInfoTcbStatus(tcbInfo, quote.GetTdQuoteBody(), ext); err == nil || err.Error() != wantErr { + if err := checkTcbInfoTcbStatus(tcbInfo, quote.GetTdQuoteBody(), ext, nil); err == nil || err.Error() != wantErr { t.Errorf("TdxTcbComponents values greater: checkTcbInfoTcbStatus() = %v. Want error %v", err, wantErr) } tcbInfo.TcbLevels[0].Tcb.Pcesvn = 20 setTcbSvnValues(0, 0, &tcbInfo.TcbLevels[0].Tcb.TdxTcbcomponents, &tcbInfo.TcbLevels[0].Tcb.SgxTcbcomponents) - if err := checkTcbInfoTcbStatus(tcbInfo, quote.GetTdQuoteBody(), ext); err == nil || err.Error() != wantErr { + if err := checkTcbInfoTcbStatus(tcbInfo, quote.GetTdQuoteBody(), ext, nil); err == nil || err.Error() != wantErr { t.Errorf("PCESvn value greater: checkTcbInfoTcbStatus() = %v. Want error %v", err, wantErr) } tcbInfo.TcbLevels[0].Tcb.Pcesvn = 0 tcbInfo.TcbLevels[0].TcbStatus = "OutOfDate" - if gotErr, wantErr := checkTcbInfoTcbStatus(tcbInfo, quote.GetTdQuoteBody(), ext), ErrTdxTcbStatus; gotErr == nil || !errors.Is(gotErr, wantErr) { - t.Errorf("TCB status expired: checkTcbInfoTcbStatus() = %v. Want error %v", err, wantErr) + wantErrOutOfDate := `TDX TCB Status "OutOfDate" is not acceptable` + if err := checkTcbInfoTcbStatus(tcbInfo, quote.GetTdQuoteBody(), ext, nil); err == nil || err.Error() != wantErrOutOfDate { + t.Errorf("TCB status expired: checkTcbInfoTcbStatus() = %v. Want error %v", err, wantErrOutOfDate) } } @@ -867,14 +867,15 @@ func TestNegativeCheckQeStatusV4(t *testing.T) { qeIdentity.TcbLevels[0].Tcb.Isvsvn = 10 wantErr := "no matching QE TCB level found" - if err := checkQeTcbStatus(qeIdentity.TcbLevels, qeReport.GetIsvSvn()); err == nil || err.Error() != wantErr { + if err := checkQeTcbStatus(qeIdentity.TcbLevels, qeReport.GetIsvSvn(), nil); err == nil || err.Error() != wantErr { t.Errorf("No matching TCB level: verifyUsingQeIdentity() = %v. Want error %v", err, wantErr) } qeIdentity.TcbLevels[0].Tcb.Isvsvn = 0 qeIdentity.TcbLevels[0].TcbStatus = "OutOfDate" - if gotErr, wantErr := checkQeTcbStatus(qeIdentity.TcbLevels, qeReport.GetIsvSvn()), ErrEnclaveTcbStatus; gotErr == nil || !errors.Is(gotErr, wantErr) { - t.Errorf("TCB status expired: verifyUsingQeIdentity() = %v. Want error %v", err, wantErr) + wantErrOutOfDate := `QE TCB Status "OutOfDate" is not acceptable` + if err := checkQeTcbStatus(qeIdentity.TcbLevels, qeReport.GetIsvSvn(), nil); err == nil || err.Error() != wantErrOutOfDate { + t.Errorf("TCB status expired: verifyUsingQeIdentity() = %v. Want error %v", err, wantErrOutOfDate) } }