test: AMD SEV-SNP forged-quote / tampered-input coverage

Adversarial negative tests for the SEV-SNP verification path:

dstack-mr::sev (synthetic, deterministic):
- forged hardware MEASUREMENT and HOST_DATA are rejected
- every measured launch field (ovmf/kernel/initrd hashes, cmdline, hash-table
  offset, reset eip, section gpa, vcpus, vcpu_type, guest_features) is caught
  by the measurement-equality check
- substituting a different MrConfigV3 (app/compose/instance id) breaks the
  HOST_DATA binding
- an advertised top-level os_image_hash is ignored (derived value wins)
- booting a different image cannot present an allow-listed image's inputs
- missing sev_snp_measurement / mr_config fail closed
- documents that rootfs_hash is os_image_hash-only (bound via the measured
  cmdline), so tampering it changes the derived os_image_hash rather than
  failing the measurement check

dstack-attest (real fixture, offline):
- flipping any signed report field (report_data/measurement/host_data) or the
  signature invalidates VCEK verification; zeroed/truncated reports rejected
- wrong collateral (ASK-as-VCEK, malformed VCEK) rejected
- forged measurement/host_data, tampered launch inputs, substituted mr_config
  and bogus advertised os_image_hash all handled correctly against real data

Derive Debug on SevImageBinding for test ergonomics.

Author: kvinwang

dstack-attest/tests/sev_snp_verify.rs

@@ -10,7 +10,9 @@
 //! one built into `sev-snp-qvl`.
 
 use dstack_attest::attestation::{AttestationQuote, VersionedAttestation};
-use sev_snp_qvl::{verify_amd_snp_attestation, AmdSnpAttestationInput};
+use dstack_mr::sev::verify_sev_launch;
+use dstack_types::{mr_config::MrConfigV3, KeyProviderKind};
+use sev_snp_qvl::{verify_amd_snp_attestation, AmdSnpAttestationInput, VerifiedAmdSnpReport};
 
 /// Real SEV-SNP attestation captured from a dstack CVM (VersionedAttestation, SCALE V0).
 const SEV_ATTESTATION_BIN: &[u8] = include_bytes!("sev_snp_attestation.bin");
@@ -104,3 +106,225 @@ fn verify_sev_snp_attestation_bin() {
     );
     println!("os_image_hash: {}", hex::encode(&binding.os_image_hash));
 }
+
+// ---------------------------------------------------------------------------
+// Forged / tampered quote coverage (all offline, using the real fixture).
+// ---------------------------------------------------------------------------
+
+const OS_IMAGE_HASH: &str = "32b4767373ad7fa0f9c418925006194d5c3f5619529f309fe81156789fecd8bc";
+
+fn decoded_attestation() -> dstack_attest::attestation::Attestation {
+    let versioned =
+        VersionedAttestation::from_scale(SEV_ATTESTATION_BIN).expect("decode VersionedAttestation");
+    let VersionedAttestation::V0 { attestation } = versioned else {
+        panic!("expected V0 attestation");
+    };
+    attestation
+}
+
+fn fixture_report() -> Vec<u8> {
+    let attestation = decoded_attestation();
+    let AttestationQuote::DstackAmdSevSnp(quote) = &attestation.quote else {
+        panic!("expected an AMD SEV-SNP quote");
+    };
+    quote.report.clone()
+}
+
+fn fixture_config() -> String {
+    decoded_attestation().config
+}
+
+fn verified_fixture_report() -> VerifiedAmdSnpReport {
+    let report = fixture_report();
+    verify_amd_snp_attestation(&AmdSnpAttestationInput {
+        report: &report,
+        ask_pem: SEV_ASK_PEM,
+        vcek_pem: SEV_VCEK_PEM,
+    })
+    .expect("verify SEV-SNP attestation offline")
+}
+
+/// Rewrite one field inside the embedded `sev_snp_measurement` document.
+fn with_measurement_field(config: &str, f: impl FnOnce(&mut serde_json::Value)) -> String {
+    let mut value: serde_json::Value = serde_json::from_str(config).expect("config json");
+    let measurement_doc = value["sev_snp_measurement"]
+        .as_str()
+        .expect("sev_snp_measurement string")
+        .to_string();
+    let mut measurement: serde_json::Value =
+        serde_json::from_str(&measurement_doc).expect("measurement json");
+    f(&mut measurement);
+    value["sev_snp_measurement"] =
+        serde_json::Value::String(serde_json::to_string(&measurement).expect("reserialize"));
+    value.to_string()
+}
+
+/// Replace the embedded MrConfigV3 document with a different one.
+fn set_mr_config(config: &str, mr_config_doc: &str) -> String {
+    let mut value: serde_json::Value = serde_json::from_str(config).expect("config json");
+    value["mr_config"] = serde_json::Value::String(mr_config_doc.to_string());
+    value.to_string()
+}
+
+#[test]
+fn forged_report_bytes_fail_signature_verification() {
+    let report = fixture_report();
+    // Flip a byte in each signed field (and the signature itself); the VCEK
+    // signature over the report must no longer verify.
+    // SNP ATTESTATION_REPORT offsets: report_data 0x50, measurement 0x90,
+    // host_data 0xC0, signature 0x2A0.
+    for (name, offset) in [
+        ("report_data", 0x50usize),
+        ("measurement", 0x90),
+        ("host_data", 0xC0),
+        ("signature", 0x2A0),
+    ] {
+        let mut tampered = report.clone();
+        tampered[offset] ^= 0xff;
+        let result = verify_amd_snp_attestation(&AmdSnpAttestationInput {
+            report: &tampered,
+            ask_pem: SEV_ASK_PEM,
+            vcek_pem: SEV_VCEK_PEM,
+        });
+        assert!(
+            result.is_err(),
+            "tampering the {name} field must invalidate the report signature"
+        );
+    }
+
+    // A well-formed-length but zeroed report has no valid signature.
+    let zeroed = vec![0u8; 1184];
+    assert!(
+        verify_amd_snp_attestation(&AmdSnpAttestationInput {
+            report: &zeroed,
+            ask_pem: SEV_ASK_PEM,
+            vcek_pem: SEV_VCEK_PEM,
+        })
+        .is_err(),
+        "a zeroed report must not verify"
+    );
+
+    // A truncated report must be rejected, not parsed.
+    assert!(
+        verify_amd_snp_attestation(&AmdSnpAttestationInput {
+            report: &report[..200],
+            ask_pem: SEV_ASK_PEM,
+            vcek_pem: SEV_VCEK_PEM,
+        })
+        .is_err(),
+        "a truncated report must be rejected"
+    );
+}
+
+#[test]
+fn wrong_collateral_is_rejected() {
+    let report = fixture_report();
+    // The ASK presented as the VCEK leaf: the report signature won't verify
+    // against the intermediate key.
+    assert!(
+        verify_amd_snp_attestation(&AmdSnpAttestationInput {
+            report: &report,
+            ask_pem: SEV_ASK_PEM,
+            vcek_pem: SEV_ASK_PEM,
+        })
+        .is_err(),
+        "using the ASK as the VCEK must be rejected"
+    );
+
+    // Garbage VCEK PEM.
+    let junk = b"-----BEGIN CERTIFICATE-----\nbm90IGEgY2VydA==\n-----END CERTIFICATE-----\n";
+    assert!(
+        verify_amd_snp_attestation(&AmdSnpAttestationInput {
+            report: &report,
+            ask_pem: SEV_ASK_PEM,
+            vcek_pem: junk,
+        })
+        .is_err(),
+        "a malformed VCEK must be rejected"
+    );
+}
+
+#[test]
+fn forged_launch_measurement_is_rejected() {
+    let verified = verified_fixture_report();
+    let config = fixture_config();
+    let mut forged = verified.measurement;
+    forged[0] ^= 0xff;
+    let err = verify_sev_launch(&forged, &verified.host_data, &config)
+        .expect_err("a measurement that disagrees with the launch inputs must reject");
+    assert!(
+        err.to_string().contains("amd sev-snp measurement mismatch"),
+        "unexpected error: {err:?}"
+    );
+}
+
+#[test]
+fn forged_host_data_is_rejected() {
+    let verified = verified_fixture_report();
+    let config = fixture_config();
+    let mut forged = verified.host_data;
+    forged[0] ^= 0xff;
+    let err = verify_sev_launch(&verified.measurement, &forged, &config)
+        .expect_err("host_data that does not bind the mr_config must reject");
+    assert!(
+        err.to_string().contains("amd sev-snp host_data mismatch"),
+        "unexpected error: {err:?}"
+    );
+}
+
+#[test]
+fn tampered_launch_inputs_break_os_image_binding() {
+    // Swap in a different kernel hash in the advertised launch inputs: the
+    // recomputed measurement no longer equals the hardware MEASUREMENT, so the
+    // forged (allow-listed-looking) os_image_hash is never trusted.
+    let verified = verified_fixture_report();
+    let tampered = with_measurement_field(&fixture_config(), |m| {
+        m["kernel_hash"] = serde_json::Value::String("00".repeat(32));
+    });
+    let err = verify_sev_launch(&verified.measurement, &verified.host_data, &tampered)
+        .expect_err("tampered launch inputs must reject");
+    assert!(
+        err.to_string().contains("amd sev-snp measurement mismatch"),
+        "unexpected error: {err:?}"
+    );
+}
+
+#[test]
+fn substituted_mr_config_breaks_host_data_binding() {
+    // Present a well-formed but different-identity MrConfigV3 document. The
+    // hardware HOST_DATA still binds the original document, so this is rejected.
+    let verified = verified_fixture_report();
+    let evil = MrConfigV3::new(
+        vec![0xab; 20],
+        vec![0xcd; 32],
+        KeyProviderKind::None,
+        Vec::new(),
+        vec![0xef; 20],
+    );
+    let tampered = set_mr_config(&fixture_config(), &evil.to_canonical_json());
+    let err = verify_sev_launch(&verified.measurement, &verified.host_data, &tampered)
+        .expect_err("a substituted mr_config must reject");
+    assert!(
+        err.to_string().contains("amd sev-snp host_data mismatch"),
+        "unexpected error: {err:?}"
+    );
+}
+
+#[test]
+fn advertised_os_image_hash_is_ignored() {
+    // A forged top-level os_image_hash is ignored; the authoritative value is
+    // derived from the measurement-bound launch inputs.
+    let verified = verified_fixture_report();
+    let mut value: serde_json::Value =
+        serde_json::from_str(&fixture_config()).expect("config json");
+    value["os_image_hash"] = serde_json::Value::String("de".repeat(32));
+    let tampered = value.to_string();
+
+    let binding = verify_sev_launch(&verified.measurement, &verified.host_data, &tampered)
+        .expect("a bogus advertised os_image_hash is ignored, not fatal");
+    assert_eq!(
+        hex::encode(&binding.os_image_hash),
+        OS_IMAGE_HASH,
+        "derived os_image_hash must win over the advertised one"
+    );
+}