QE identity not checked in v2 policy

[haitaohuang]

I notice that the verify_qe_info is not implemented for v2 policy. Although the same QE identity information is available from the supplemental data returned by verify_quote_integrity_ex(), v2 policy ignores those. Is that intentional and the reason if so?

[gaojiaqi7]

Hi @haitaohuang , policy v2 defines the global policy, which includes combined tcbDate and tcbStatus verification incorporating both the platform and QE:

• The tcbDate and tcbStatus returned by QVL are combined with the QE's tcbDate and tcbStatus.
• The combined tcbDate and tcbStatus values are then verified against the global policy.

[jyao1]

@haitaohuang , if you think it is OK, please close the issue.

[haitaohuang]

• The tcbDate and tcbStatus returned by QVL are combined with the QE's tcbDate and tcbStatus.
• The combined tcbDate and tcbStatus values are then verified against the global policy.

hi @gaojiaqi7,
Could you point me to the code how they are combined?
I only see QVL returned them separately: https://github.com/intel/confidential-computing.tee.dcap/blob/87064ddf9a19baa345674d0f0cabb334531b29e8/QuoteVerification/QvE/Enclave/qve.cpp#L1070
And no QE's tcbDate/status, only ISVSVN returned.

Also only the tcbDate and tcbStatus at platform tcbDate and tcbStatus offset are used here in migtd policy evaluation data:
https://github.com/intel/MigTD/blob/main/src/migtd/src/mig_policy.rs#L300

Thanks

[hyjiang]

@haitaohuang I can update the attestation library to return the QE TCB status/date if needed.

I'm just curious: will the QE TCB status/date be used in the migration TD policy?

[jyao1]

I'm just curious: will the QE TCB status/date be used in the migration TD policy?

Yes, it will be defined in the policy. The consumer can choose to use it or not.

[haitaohuang]

@hyjiang @jyao1 thanks

[haitaohuang]

@jyao1 @gaojiaqi7 with changes in QVL, would you make corresponding changes to policy v2 to enforce the QE TCB date and status?