fix(attestation): include Azure vTPM AK intermediates#49
Open
samlaf wants to merge 1 commit into
Open
Conversation
Fetch Azure vTPM AK issuer certificates from the leaf certificate's AIA CA Issuers URLs during attestation generation and serialize them into the Azure evidence document. During verification, treat evidence-supplied intermediates as untrusted chain material, combine them with the legacy bundled intermediate for backwards compatibility, and continue pinning Azure vTPM roots. Bound the number of serialized intermediates during deserialization and keep stripping TPM NV zero padding before WebPKI verification. Add offline AK-chain fixtures for the observed Azure Cloud Virtual TPM CA - 24 -> Azure Cloud Virtual TPM CA 2025 chain.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This fixes Azure TDX/vTPM attestation verification failures caused by newer Azure vTPM AK certificate chains that are not covered by the currently bundled
Global Virtual TPM CA - 03intermediate.On a current Azure TDX CVM, the AK leaf certificate chain can look like:
The TPM NV AK cert index on this VM contained only:
so parsing additional intermediates from the TPM AK cert payload is not sufficient for this chain.
This PR changes Azure attestation generation to fetch the AK issuer chain from the leaf certificate’s AIA
CA IssuersURLs and serialize those intermediates into the attestation evidence. Verification remains offline: the verifier treats these intermediates as untrusted chain material and still pins the Azure vTPM roots.Microsoft guidance indicates that AIA should be used to discover Azure vTPM intermediate CAs, since public docs can lag behind production intermediate rotation:
https://learn.microsoft.com/en-us/answers/questions/5897616/download-intermediate-ca-cert-for-azure-cloud-virt
Changes
Adds optional evidence field:
During Azure attestation generation:
CA IssuersURLs up to a bounded depth;During verification:
Keeps verification network-free/deterministic.
Keeps
#[serde(default)]on the new field so old evidence still deserializes.Adds offline fixture tests for the observed Azure chain:
Azure Cloud Virtual TPM CA - 24Azure Cloud Virtual TPM CA 2025Security notes
The fetched intermediates are not trusted anchors. They are serialized as untrusted evidence only. Verification still requires the AK certificate chain to terminate at a pinned Azure vTPM root.
The number of evidence-supplied intermediates is capped to avoid unbounded peer-controlled chain material.
Behavior change
Azure attestation generation now makes outbound HTTP(S) requests to Microsoft PKI/AIA endpoints in order to fetch issuer certificates.
Azure attestation verification does not make network requests.
Validation
Tested with this code on an Azure Standard_DC4eds_v6 TDX box on westus3. Before this change, verification failed with:
After this change:
The generated evidence includes two serialized AK intermediates:
This subsumes #48.
PR #48 improves handling for cases where the TPM AK cert payload contains concatenated DER intermediates. However, on the Azure TDX VM tested here, the TPM AK cert NV index contained only:
and no intermediate certificates. Therefore #48 does not fix the observed
UnknownIssuerfailure for this chain.This PR handles that case by following the AIA issuer URLs from the AK leaf certificate and including the resulting issuer chain in the evidence.