refactor(rebinding): use init_tdinfo in rebind handshake

Adapt rebinding handshake to use init_tdinfo instead of init_policy:
- rebinding.rs: rename params in pre_session_data_exchange functions
- server_client.rs: rename init_td_report -> init_tdinfo in RATLS cert
  creation/verification, update pre_session_data parsing with init_tdinfo
  naming, compare mrowner at TDINFO offset 112..160 directly instead of
  digest_sha384(init_policy)
- spdm_rsp.rs: rename pre_session_data parsing, compare mrowner directly

Co-authored-by: Grams, Stanislaw <stanislaw.grams@intel.com>

Author: MichalTarnacki

src/migtd/src/migration/rebinding.rs

@@ -235,7 +235,7 @@ impl<'a> MigtdDataEntry<'a> {
 
 pub(super) async fn rebinding_old_pre_session_data_exchange(
     transport: &mut TransportType,
-    init_policy: &[u8],
+    init_tdinfo: &[u8],
 ) -> Result<Vec<u8>, MigrationResult> {
     let version = exchange_hello_packet(transport).await.map_err(|e| {
         log::error!(
@@ -271,7 +271,7 @@ pub(super) async fn rebinding_old_pre_session_data_exchange(
             e
         })?;
 
-    send_pre_session_data_packet(init_policy, transport)
+    send_pre_session_data_packet(init_tdinfo, transport)
         .await
         .map_err(|e| {
             log::error!(
@@ -336,11 +336,11 @@ pub(super) async fn rebinding_new_pre_session_data_exchange(
             e
         })?;
 
-    let init_policy = receive_pre_session_data_packet(transport)
+    let init_tdinfo = receive_pre_session_data_packet(transport)
         .await
         .map_err(|e| {
             log::error!(
-                "pre_session_data_exchange: send_pre_session_data_packet error: {:?}\n",
+                "pre_session_data_exchange: receive init_tdinfo error: {:?}\n",
                 e
             );
             e
@@ -365,8 +365,8 @@ pub(super) async fn rebinding_new_pre_session_data_exchange(
     let mut policy_buffer = Vec::new();
     policy_buffer.extend_from_slice(&(remote_policy.len() as u32).to_le_bytes());
     policy_buffer.extend_from_slice(&remote_policy);
-    policy_buffer.extend_from_slice(&(init_policy.len() as u32).to_le_bytes());
-    policy_buffer.extend_from_slice(&init_policy);
+    policy_buffer.extend_from_slice(&(init_tdinfo.len() as u32).to_le_bytes());
+    policy_buffer.extend_from_slice(&init_tdinfo);
 
     Ok(policy_buffer)
 }

src/migtd/src/ratls/server_client.rs

@@ -184,7 +184,7 @@ pub fn client_rebinding<T: AsyncRead + AsyncWrite + Unpin>(
     stream: T,
     remote_policy: Vec<u8>,
     init_policy_hash: &[u8],
-    init_td_report: &[u8],
+    init_tdinfo: &[u8],
     init_event_log: &[u8],
     servtd_ext: &ServtdExt,
 ) -> Result<SecureChannel<T>> {
@@ -198,7 +198,7 @@ pub fn client_rebinding<T: AsyncRead + AsyncWrite + Unpin>(
     let certs = create_certificate_for_rebinding_old(
         &signing_key,
         init_policy_hash,
-        init_td_report,
+        init_tdinfo,
         init_event_log,
         servtd_ext,
     )
@@ -409,7 +409,7 @@ fn create_certificate_for_client(signing_key: &EcdsaPk) -> Result<(Vec<u8>, Vec<
 fn create_certificate_for_rebinding_old(
     signing_key: &EcdsaPk,
     init_policy_hash: &[u8],
-    init_tdreport: &[u8],
+    init_tdinfo: &[u8],
     init_event_log: &[u8],
     servtd_ext: &ServtdExt,
 ) -> Result<Vec<u8>> {
@@ -508,7 +508,7 @@ fn create_certificate_for_rebinding_old(
             Extension::new(
                 EXTNID_MIGTD_TDREPORT_INIT,
                 Some(false),
-                Some(&init_tdreport),
+                Some(&init_tdinfo),
             )
             .map_err(|e| {
                 log::error!(
@@ -992,16 +992,18 @@ mod verify {
                 log::error!("Failed to find expected policy hash extension.\n");
                 CryptoError::ParseCertificate
             })?;
-        let init_td_report =
+        // Per GHCI 1.5: init extension now carries TDINFO_STRUCT instead of full TDREPORT
+        let init_tdinfo =
             find_extension(extensions, &EXTNID_MIGTD_TDREPORT_INIT).ok_or_else(|| {
-                log::error!("Failed to find init tdreport extension.\n");
+                log::error!("Failed to find init tdinfo extension.\n");
                 CryptoError::ParseCertificate
             })?;
         let init_event_log =
             find_extension(extensions, &EXTNID_MIGTD_EVENT_LOG_INIT).ok_or_else(|| {
                 log::error!("Failed to find init event log extension.\n");
                 CryptoError::ParseCertificate
             })?;
+        // Per GHCI 1.5: init_policy_hash is now mrowner from the initial TDINFO_STRUCT
         let init_policy_hash = find_extension(extensions, &EXTNID_MIGTD_INIT_POLICY_HASH)
             .ok_or_else(|| {
                 log::error!("Failed to find init policy hash extension.\n");
@@ -1012,6 +1014,7 @@ mod verify {
             CryptoError::ParseCertificate
         })?;
 
+        // Parse pre_session_data: [remote_policy_size(4) | remote_policy | init_tdinfo_size(4) | init_tdinfo]
         let remote_policy_size = u32::from_le_bytes(
             pre_session_data
                 .get(..4)
@@ -1024,18 +1027,19 @@ mod verify {
         let remote_policy = pre_session_data.get(4..4 + remote_policy_size).ok_or(
             CryptoError::TlsVerifyPeerCert(INVALID_MIG_POLICY_ERROR.to_string()),
         )?;
-        let init_policy_offset = 4 + remote_policy_size;
-        let init_policy_size = u32::from_le_bytes(
+        // Per GHCI 1.5: second item is init_tdinfo (was init_policy)
+        let init_tdinfo_offset = 4 + remote_policy_size;
+        let init_tdinfo_size = u32::from_le_bytes(
             pre_session_data
-                .get(init_policy_offset..4 + init_policy_offset)
+                .get(init_tdinfo_offset..4 + init_tdinfo_offset)
                 .ok_or(CryptoError::TlsVerifyPeerCert(
                     INVALID_MIG_POLICY_ERROR.to_string(),
                 ))?
                 .try_into()
                 .unwrap(),
         ) as usize;
-        let init_policy = pre_session_data
-            .get(init_policy_offset + 4..init_policy_offset + 4 + init_policy_size)
+        let _init_tdinfo_from_pre_session = pre_session_data
+            .get(init_tdinfo_offset + 4..init_tdinfo_offset + 4 + init_tdinfo_size)
             .ok_or(CryptoError::TlsVerifyPeerCert(
                 INVALID_MIG_POLICY_ERROR.to_string(),
             ))?;
@@ -1046,9 +1050,10 @@ mod verify {
                 INVALID_MIG_POLICY_ERROR.to_string(),
             ));
         }
-        let exact_init_policy_hash = digest_sha384(init_policy)?;
-        if init_policy_hash != exact_init_policy_hash.as_slice() {
-            log::error!("Invalid init rebinding policy.\n");
+        // Per GHCI 1.5: init_policy_hash is mrowner from TDINFO — compare directly
+        // (no longer a hash of a policy blob)
+        if init_policy_hash != init_tdinfo.get(112..160).unwrap_or(&[]) {
+            log::error!("Invalid init policy hash (mrowner mismatch).\n");
             return Err(CryptoError::TlsVerifyPeerCert(
                 INVALID_MIG_POLICY_ERROR.to_string(),
             ));

src/migtd/src/spdm/spdm_rsp.rs

@@ -1052,16 +1052,17 @@ pub fn handle_exchange_rebind_attest_info_req(
         let remote_policy = pre_session_data
             .get(4..4 + remote_policy_size)
             .ok_or(MigrationResult::InvalidPolicyError)?;
-        let init_policy_offset = 4 + remote_policy_size;
-        let init_policy_size = u32::from_le_bytes(
+        // Per GHCI 1.5: second item in pre_session_data is init_tdinfo (was init_policy)
+        let init_tdinfo_offset = 4 + remote_policy_size;
+        let init_tdinfo_size = u32::from_le_bytes(
             pre_session_data
-                .get(init_policy_offset..4 + init_policy_offset)
+                .get(init_tdinfo_offset..4 + init_tdinfo_offset)
                 .ok_or(MigrationResult::InvalidPolicyError)?
                 .try_into()
                 .unwrap(),
         ) as usize;
-        let init_policy = pre_session_data
-            .get(init_policy_offset + 4..init_policy_offset + 4 + init_policy_size)
+        let _init_tdinfo_from_pre_session = pre_session_data
+            .get(init_tdinfo_offset + 4..init_tdinfo_offset + 4 + init_tdinfo_size)
             .ok_or(MigrationResult::InvalidPolicyError)?;
 
         let remote_policy_hash =
@@ -1073,11 +1074,11 @@ pub fn handle_exchange_rebind_attest_info_req(
             return Err(SPDM_STATUS_INVALID_MSG_FIELD);
         }
 
-        let mig_policy_init_hash =
-            digest_sha384(init_policy).map_err(|_| SPDM_STATUS_CRYPTO_ERROR)?;
-        if mig_policy_init_hash_src != mig_policy_init_hash.as_slice() {
+        // Per GHCI 1.5: init_policy_hash is mrowner from TDINFO — compare directly
+        let mrowner = td_report_init_vec.get(112..160).ok_or(SPDM_STATUS_INVALID_MSG_SIZE)?;
+        if mig_policy_init_hash_src != mrowner {
             error!(
-                "The received mig policy init hash does not match the expected init policy hash!\n"
+                "The received mig policy init hash does not match mrowner from init tdinfo!\n"
             );
             return Err(SPDM_STATUS_INVALID_MSG_FIELD);
         }