update fn pckcerts_with_fallback

New logic will get following PCK certs:
- PCKID CPUSVN
- CPUSVN all 1's
- For every CPUSVN we try where the late microcode
  value is higher than the early microcode value,
  the CPUSVN where the early microcode value is
  set to the late microcode value.

Author: Taowyoo

intel-sgx/dcap-artifact-retrieval/src/provisioning_client/mod.rs

@@ -5,7 +5,7 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
-use std::collections::HashMap;
+use std::collections::BTreeMap;
 use std::convert::{TryFrom, TryInto};
 use std::hash::{DefaultHasher, Hash, Hasher};
 use std::io::Read;
@@ -570,10 +570,17 @@ pub trait ProvisioningClient {
 
     /// Retrieve PCK certificates using `pckcerts()` and fallback to the
     /// following method if that's not supported:
-    /// - Call `pckcert()` to find the FMSPC.
-    /// - Using the FMSPC value, call `tcbinfo()` to get TCB info.
-    /// - For each TCB level in the result of previous call:
-    ///   - Call `pckcert()` to get the best available PCK cert for that TCB level.
+    /// 1. Call `pckcert()` with PCK ID to get best available PCK cert.
+    /// 2. Try to call `pckcert()` with PCK ID but with CPUSVN all 1's.
+    /// 3. Using the FMSPC value from PCK cert in step 1, call `tcbinfo()` to
+    ///    get TCB info.
+    /// 4. For each TCB level in the result of previous call:
+    ///     - Call `pckcert()` to get the best available PCK cert for that TCB
+    ///       level.
+    ///     - When late microcode value is higher than the early microcode
+    ///       value, also try to get PCK cert with TCB level where the early
+    ///       microcode value is set to the late microcode value.
+    /// 
     /// Note that PCK certs for some TCB levels may be missing.
     fn pckcerts_with_fallback(&self, pck_id: &PckID) -> Result<PckCerts, Error> {
         match self.pckcerts(&pck_id.enc_ppid, pck_id.pce_id) {
@@ -592,15 +599,35 @@ pub trait ProvisioningClient {
             pck_id.pce_isvsvn,
             Some(&pck_id.qe_id),
         )?;
+        // Use BTreeMap to have an ordered PckCerts at the end
+        let mut pckcerts_map = BTreeMap::new();
+        // Getting PCK cert using CPUSVN from PCKID
+        {
+            let ptcb = pck_cert.platform_tcb()?;
+            pckcerts_map.insert((ptcb.cpusvn, ptcb.tcb_components.pce_svn()), pck_cert.clone());
+        }
+        // Getting PCK cert using CPUSVN all 1's
+        {
+            if let Ok(pck_cert) = self.pckcert(
+                Some(&pck_id.enc_ppid),
+                &pck_id.pce_id,
+                &[u8::MAX; 16],
+                pck_id.pce_isvsvn,
+                Some(&pck_id.qe_id),
+            ){
+                let ptcb = pck_cert.platform_tcb()?;
+                pckcerts_map.insert((ptcb.cpusvn, ptcb.tcb_components.pce_svn()), pck_cert);
+            }
+        }
         let fmspc = pck_cert.sgx_extension()?.fmspc;
         let tcb_info = self.tcbinfo(&fmspc, None)?;
         let tcb_data = tcb_info.data()?;
-        let mut pcks = HashMap::new();
+        // For every CPUSVN we also try where the late microcode value is higher
+        // than the early microcode value, the CPUSVN where the early
+        // microcode value is set to the late microcode value
+        for (cpu_svn, pce_isvsvn) in tcb_data.iter_tcb_components()
+            .chain(tcb_data.iter_tcb_components_with_late_tcb_override_only())
         {
-            let ptcb = pck_cert.platform_tcb()?;
-            pcks.insert((ptcb.cpusvn, ptcb.tcb_components.pce_svn()), pck_cert);
-        }
-        for (cpu_svn, pce_isvsvn) in tcb_data.iter_tcb_components() {
             let p = match self.pckcert(
                 Some(&pck_id.enc_ppid),
                 &pck_id.pce_id,
@@ -614,10 +641,11 @@ pub trait ProvisioningClient {
                 Err(other) => return Err(other)
             };
             let ptcb = p.platform_tcb()?;
-            pcks.insert((ptcb.cpusvn, ptcb.tcb_components.pce_svn()), p);
+            pckcerts_map.insert((ptcb.cpusvn, ptcb.tcb_components.pce_svn()), p);
         }
-        let pcks: Vec<_> = pcks.into_iter().map(|(_, v)| v).collect();
-        pcks
+        // BTreeMap by default is Ascending
+        let pck_certs: Vec<_> = pckcerts_map.into_iter().rev().map(|(_, v)| v).collect();
+        pck_certs
             .try_into()
             .map_err(|e| Error::PCSDecodeError(format!("{}", e).into()))
     }

intel-sgx/pcs/src/pckcrt.rs

@@ -158,6 +158,50 @@ impl TcbComponents {
         }
         out
     }
+
+    /// Returns the CPUSVN with the "Early Microcode Update" SVN overridden by the
+    /// "SGX Late Microcode Update" SVN if the latter is higher.
+    /// We assume there is only at most one component of either type.
+    /// If there are multiple components of either type, only the first occurrence is used.
+    /// 
+    /// For example:
+    /// ```json
+    /// [
+    ///   ...
+    ///   {
+    ///     "svn": 7,
+    ///     "category": "BIOS",
+    ///     "type": "Early Microcode Update"
+    ///   },
+    ///   ...
+    ///   {
+    ///     "svn": 9,
+    ///     "category": "OS/VMM",
+    ///     "type": "SGX Late Microcode Update"
+    ///   },
+    ///   ...
+    /// ]
+    /// ```
+    /// Here 7 will be set to 9. Note: order is random.
+    pub fn cpu_svn_with_late_override_early(&self) -> CpuSvn {
+        let mut out: CpuSvn = self.cpu_svn();
+        let tcb_components = &self.0.sgxtcbcomponents;
+
+        // Find the first index of each relevant component type.
+        let early_idx = tcb_components
+            .iter()
+            .position(|comp| comp.comp_type == "Early Microcode Update");
+        let late_idx = tcb_components
+            .iter()
+            .position(|comp| comp.comp_type == "SGX Late Microcode Update");
+
+        if let (Some(early), Some(late)) = (early_idx, late_idx) {
+            if out[early] < out[late] {
+                out[early] = out[late];
+            }
+        }
+        out
+    }
 }
 
 impl PartialOrd for TcbComponents {

intel-sgx/pcs/src/tcb_info.rs

@@ -326,6 +326,21 @@ impl<V: VerificationType> TcbData<V> {
     pub fn iter_tcb_components(&self) -> impl Iterator<Item = (CpuSvn, PceIsvsvn)> + '_ {
         self.tcb_levels.iter().map(|tcb_level| (tcb_level.tcb.cpu_svn(), tcb_level.tcb.pce_svn()))
     }
+
+    /// For every CPUSVN where the late microcode value is higher
+    /// than the early microcode value, the CPUSVN where the early
+    /// microcode value is set to the late microcode value
+    pub fn iter_tcb_components_with_late_tcb_override_only(&self) -> impl Iterator<Item = (CpuSvn, PceIsvsvn)> + '_ {
+        self.tcb_levels.iter().filter_map(|tcb_level| {
+            let overridden_svn = tcb_level.tcb.cpu_svn_with_late_override_early();
+            let cpu_svn = tcb_level.tcb.cpu_svn();
+            if cpu_svn != overridden_svn {
+                Some((overridden_svn, tcb_level.tcb.pce_svn()))
+            } else {
+                None
+            }
+        })
+    }
 }
 
 #[derive(Clone, Serialize, Deserialize, Debug, Eq, PartialEq)]