Documentation ¶
Overview ¶
--------- WARNING! ---------
THIS PACKAGE DOES CURRENTLY NOT IMPLEMENT ANY SNP ATTESTATION. It exists to implement required interfaces while implementing other parts of the AWS SNP attestation variant within Constellation.
----------------------------
SNP ¶
Attestation based on TPMs and AMD SEV-SNP. The TPM is used to generate runtime measurements and sign them with an attestation key. The TPM currently runs outside the confidential context. This is a limitation imposed by the AWS implementation.
Issuer ¶
Generates a TPM attestation using an attestation key saved inside the TPM. Additionally loads the SEV-SNP attestation report and AMD VLEK certificate chain, and adds them to the attestation document. The SNP report includes a measurement of the initial firmware inside the CVM, which can be precalculated independently for verification. The report also includes the attestation key.
Validator ¶
Verifies the SNP report by verifying the VLEK certificate chain and the report's signature. This estabilishes trust in the attestation key and the CVM's initial firmware. However, since the TPM is outside the confidential context, it has to be trusted without verification. Thus, the hypervisor is still included in the trusted computing base.
Glossary ¶
This section explains abbreviations used in SNP implementation.
Attestation Key (AK)
AMD Root Key (ARK)
AMD Signing Key (ASK)
Versioned Chip Endorsement Key (VCEK)
Versioned Loaded Endorsement Key (VLEK) For more information see SNP WhitePaper
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Issuer ¶
Issuer for AWS SNP attestation.
func NewIssuer ¶
func NewIssuer(log attestation.Logger) *Issuer
NewIssuer creates a SEV-SNP based issuer for AWS.
type Validator ¶
type Validator struct { // Embed variant to identify the Validator using variant.OID(). variant.AWSSEVSNP // Embed validator to implement Validate method for aTLS handshake. *vtpm.Validator // contains filtered or unexported fields }
Validator for AWS TPM attestation.
func NewValidator ¶
func NewValidator(cfg *config.AWSSEVSNP, log attestation.Logger) *Validator
NewValidator create a new Validator structure and returns it.