es

package
v2.20.0

This package is not in the latest version of its module.
Published: Dec 3, 2024 License: AGPL-3.0 Imports: 8 Imported by: 0

Documentation

Overview

GCP SEV-ES attestation

Google offers confidential VMs, utilizing AMD SEV-ES to provide memory encryption.

AMD SEV-ES doesn't offer much in terms of remote attestation, and consequently the VMs don't offer much either; see Google's docs on how to validate a confidential VM for some insights. However, each VM comes with a virtual Trusted Platform Module (vTPM). This module can be used to generate VM-unique encryption keys or to attest the platform's boot chain. We can use the vTPM to verify that the VM is running on AMD SEV-ES enabled hardware, allowing us to bootstrap a Constellation cluster.

Issuer

Generates a TPM attestation key using a Google-provided attestation key. Additionally, the project ID, zone, and instance name are fetched from the metadata server and attached to the attestation document.

Validator

Verifies the TPM attestation using a public key provided by Google's API that corresponds to the (project ID, zone, instance name) tuple attached to the attestation document.
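The validator's trust decision described above, as an added Go example that is not Constellation's own code: the verification key comes only from a lookup keyed by the (project ID, zone, instance name) tuple, never from the document being checked. `Doc`, `Verify`, `Sample` and the `lookup` callback are hypothetical names, and a software ECDSA P-256 key stands in for the vTPM attestation key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// InstanceInfo is the tuple the issuer attaches to the attestation document.
type InstanceInfo struct{ ProjectID, Zone, InstanceName string }

// Doc is a simplified stand-in for the attestation document (assumption).
type Doc struct {
	Info       InstanceInfo
	Quote, Sig []byte // quoted data and its ASN.1 ECDSA signature
}

// Verify trusts only the key that lookup (a hypothetical stand-in for the
// query to Google's API) returns for the instance the document claims to be.
func Verify(d Doc, lookup func(InstanceInfo) (*ecdsa.PublicKey, error)) error {
	pub, err := lookup(d.Info)
	if err != nil {
		return fmt.Errorf("no trusted key for %+v: %w", d.Info, err)
	}
	digest := sha256.Sum256(d.Quote)
	if !ecdsa.VerifyASN1(pub, digest[:], d.Sig) {
		return errors.New("quote not signed by the key registered for this instance")
	}
	return nil
}

// Sample returns a constructed document signed by a fresh P-256 key.
func Sample(info InstanceInfo, quote []byte) (Doc, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Doc{}, nil, err
	}
	digest := sha256.Sum256(quote)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return Doc{Info: info, Quote: quote, Sig: sig}, &key.PublicKey, err
}

func main() {
	doc, pub, _ := Sample(InstanceInfo{"proj", "zone-a", "vm-1"}, []byte("pcrs|nonce"))
	fmt.Println(Verify(doc, func(InstanceInfo) (*ecdsa.PublicKey, error) { return pub, nil }))
}
```

Because the key is bound to the instance tuple by the lookup alone, a document that changes its claimed instance or is signed by any other key fails, but everything still rests on the lookup's answer being honest.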

Problems

  • SEV-ES is somewhat limited compared to the newer SEV-SNP

    A comparison of SEV, SEV-ES, and SEV-SNP can be found on page seven of AMD's SNP whitepaper

  • We have to trust Google

    Since the vTPM is provided by Google, and they could do whatever they want with it, we have no safe proof that the VMs are actually confidential.

  • The provided vTPM has no endorsement certificate for its attestation key

    Without a certificate vouching for the authenticity of any endorsement keys, we have no way of establishing a chain of trust. Instead, we have to rely on Google's API to provide us with the public key of the vTPM's endorsement key.

Types

type Issuer

type Issuer struct {
	variant.GCPSEVES
	*vtpm.Issuer
}

Issuer for GCP confidential VM attestation.

func NewIssuer

func NewIssuer(log attestation.Logger) *Issuer

NewIssuer initializes a new GCP Issuer.

type Validator

type Validator struct {
	variant.GCPSEVES
	*vtpm.Validator
}

Validator for GCP confidential VM attestation.

func NewValidator

func NewValidator(cfg *config.GCPSEVES, log attestation.Logger) (*Validator, error)

NewValidator initializes a new GCP validator with the provided PCR values specified in the config.
