intel · sgrams · Jun 8, 2026
@@ -330,37 +330,29 @@ async fn rebinding_old_prepare(
 ) -> Result<(), MigrationResult> {
     let servtd_ext = read_servtd_ext(info.binding_handle, &info.target_td_uuid)?;
 
-    // Per GHCI 1.5: init policy key hash is in tdinfo.mrowner.
-    // Use mrowner directly as the init_policy_hash equivalent.
-    let init_policy_hash = init_migtd_data.mrowner().to_vec();
-
     // Per GHCI 1.5: init_tdinfo replaces the old init_report (full TDREPORT).
     // The TDINFO_STRUCT contains all the measurement fields needed for verification.
     let init_tdinfo = &init_migtd_data.init_tdinfo;
 
     // TLS client
-    let mut ratls_client = ratls::client_rebinding(
-        transport,
-        remote_policy,
-        &init_policy_hash,
-        init_tdinfo,
-        &servtd_ext,
-    )
-    .map_err(|_| {
-        #[cfg(feature = "vmcall-raw")]
-        data.extend_from_slice(
-            &format!(
-                "Error: rebinding_old(): Failed in ratls transport. Migration ID: {:x}\n",
-                info.mig_request_id,
-            )
-            .into_bytes(),
-        );
-        log::error!(
-            "rebinding_old(): Failed in ratls transport. Migration ID: {}\n",
-            info.mig_request_id
-        );
-        MigrationResult::SecureSessionError
-    })?;
+    let mut ratls_client =
+        ratls::client_rebinding(transport, remote_policy, init_tdinfo, &servtd_ext).map_err(
+            |_| {
+                #[cfg(feature = "vmcall-raw")]
+                data.extend_from_slice(
+                    &format!(
+                        "Error: rebinding_old(): Failed in ratls transport. Migration ID: {:x}\n",
+                        info.mig_request_id,
+                    )
+                    .into_bytes(),
+                );
+                log::error!(
+                    "rebinding_old(): Failed in ratls transport. Migration ID: {}\n",
+                    info.mig_request_id
+                );
+                MigrationResult::SecureSessionError
+            },
+        )?;
 
     let rebind_token = create_rebind_token()?;
     tls_send_rebind_token(&mut ratls_client, &rebind_token).await?;

@@ -63,8 +63,6 @@ pub const EXTNID_MIGTD_TDREPORT_INIT: ObjectIdentifier =
     ObjectIdentifier::new_unwrap("1.2.840.113741.1.5.5.1.7");
 pub const EXTNID_MIGTD_EVENT_LOG_INIT: ObjectIdentifier =
     ObjectIdentifier::new_unwrap("1.2.840.113741.1.5.5.1.8");
-pub const EXTNID_MIGTD_INIT_POLICY_HASH: ObjectIdentifier =
-    ObjectIdentifier::new_unwrap("1.2.840.113741.1.5.5.1.9");
 
 // As specified in https://datatracker.ietf.org/doc/html/rfc5480#appendix-A
 // id-ecPublicKey OBJECT IDENTIFIER ::= {

@@ -183,7 +183,6 @@ pub fn server_rebinding<T: AsyncRead + AsyncWrite + Unpin>(
 pub fn client_rebinding<T: AsyncRead + AsyncWrite + Unpin>(
     stream: T,
     remote_policy: Vec<u8>,
-    init_policy_hash: &[u8],
     init_tdinfo: &[u8],
     servtd_ext: &ServtdExt,
 ) -> Result<SecureChannel<T>> {
@@ -194,16 +193,11 @@ pub fn client_rebinding<T: AsyncRead + AsyncWrite + Unpin>(
         );
         e
     })?;
-    let certs = create_certificate_for_rebinding_old(
-        &signing_key,
-        init_policy_hash,
-        init_tdinfo,
-        servtd_ext,
-    )
-    .map_err(|e| {
-        log::error!("client rebinding gen_cert() failed with error {:?}\n", e);
-        e
-    })?;
+    let certs = create_certificate_for_rebinding_old(&signing_key, init_tdinfo, servtd_ext)
+        .map_err(|e| {
+            log::error!("client rebinding gen_cert() failed with error {:?}\n", e);
+            e
+        })?;
     let certs = vec![certs];
 
     let config = TlsConfig::new(certs, signing_key, verify_rebinding_new_cert, remote_policy)
@@ -413,7 +407,6 @@ fn create_certificate_for_client(signing_key: &EcdsaPk) -> Result<(Vec<u8>, Vec<
 #[cfg(feature = "policy_v2")]
 fn create_certificate_for_rebinding_old(
     signing_key: &EcdsaPk,
-    init_policy_hash: &[u8],
     init_tdinfo: &[u8],
     servtd_ext: &ServtdExt,
 ) -> Result<Vec<u8>> {
@@ -525,27 +518,6 @@ fn create_certificate_for_rebinding_old(
                 e
             );
             e
-        })?
-        .add_extension(
-            Extension::new(
-                EXTNID_MIGTD_INIT_POLICY_HASH,
-                Some(false),
-                Some(&init_policy_hash),
-            )
-            .map_err(|e| {
-                log::error!(
-                    "gen_cert policy_v2 add_extension failed with error {:?}.\n",
-                    e
-                );
-                e
-            })?,
-        )
-        .map_err(|e| {
-            log::error!(
-                "gen_cert policy_v2 add_extension for init policy hash failed with error {:?}.\n",
-                e
-            );
-            e
         })?;
 
     let x509_cert_der = sign_tls_tbs(x509_builder, &signing_key)?;
@@ -977,12 +949,6 @@ mod verify {
                 log::error!("Failed to find init tdinfo extension.\n");
                 CryptoError::ParseCertificate
             })?;
-        // Per GHCI 1.5: init_policy_hash is now mrowner from the initial TDINFO_STRUCT
-        let init_policy_hash = find_extension(extensions, &EXTNID_MIGTD_INIT_POLICY_HASH)
-            .ok_or_else(|| {
-                log::error!("Failed to find init policy hash extension.\n");
-                CryptoError::ParseCertificate
-            })?;
         let servtd_ext = find_extension(extensions, &EXTNID_MIGTD_SERVTD_EXT).ok_or_else(|| {
             log::error!("Failed to find servtd ext extension.\n");
             CryptoError::ParseCertificate
@@ -1024,14 +990,6 @@ mod verify {
                 INVALID_MIG_POLICY_ERROR.to_string(),
             ));
         }
-        // Per GHCI 1.5: init_policy_hash is mrowner from TDINFO — compare directly
-        // (no longer a hash of a policy blob)
-        if init_policy_hash != init_tdinfo.get(112..160).unwrap_or(&[]) {
-            log::error!("Invalid init policy hash (mrowner mismatch).\n");
-            return Err(CryptoError::TlsVerifyPeerCert(
-                INVALID_MIG_POLICY_ERROR.to_string(),
-            ));
-        }
 
         let policy_check_result = mig_policy::authenticate_rebinding_old(
             td_report,