snp

package
v2.20.0
Published: Dec 3, 2024 License: AGPL-3.0 Imports: 12 Imported by: 0

Documentation

Overview

Package SNP provides types shared by SNP-based attestation implementations. It ensures all issuers provide the same types to the verify command.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetExtendedReport added in v2.17.0

func GetExtendedReport(reportData [64]byte) (report, certChain []byte, err error)

GetExtendedReport retrieves the extended SNP report from the CVM.

func Product

func Product() *spb.SevProduct

Product returns the SEV product info currently supported by Constellation's SNP attestation.

Types

type AzureInstanceInfo

type AzureInstanceInfo struct {
	// RuntimeData is the Azure runtime data from the vTPM (NVRAM) of the CVM.
	RuntimeData []byte
	// MAAToken is the token of the MAA for the attestation report, used as a fallback
	// if the IDKeyDigest cannot be verified.
	MAAToken string
}

AzureInstanceInfo contains Azure specific information related to SNP attestation.

type CertificateChain

type CertificateChain struct {
	// contains filtered or unexported fields
}

CertificateChain stores an AMD signing key (ASK) and AMD root key (ARK) certificate.

func NewCertificateChain

func NewCertificateChain(ask, ark *x509.Certificate) CertificateChain

NewCertificateChain returns a new CertificateChain with the given ASK and ARK certificates.

type InstanceInfo

type InstanceInfo struct {
	// ReportSigner is the PEM-encoded certificate used to validate the attestation report's signature.
	ReportSigner []byte
	// CertChain is the PEM-encoded certificate chain for the attestation report (ASK+ARK).
	// Intermediate key that validates the ReportSigner and root key.
	CertChain []byte
	// AttestationReport is the attestation report from the vTPM (NVRAM) of the CVM.
	AttestationReport []byte
	Azure             *AzureInstanceInfo
	GCP               *attest.GCEInstanceInfo
}

InstanceInfo contains the necessary information to establish trust in a SNP CVM.

func (*InstanceInfo) AttestationWithCerts

func (a *InstanceInfo) AttestationWithCerts(getter trust.HTTPSGetter,
	fallbackCerts CertificateChain, logger attestation.Logger,
) (*spb.Attestation, error)

AttestationWithCerts returns a formatted version of the attestation report and its certificates from the instanceInfo. Certificates are retrieved in the following precedence:

1. ASK from the issuer. On Azure: THIM. On AWS: not prefilled (go to option 2). On GCP: prefilled.
2. ASK or ARK from fallbackCerts.
3. ASK or ARK from the AMD KDS.

func (*InstanceInfo) ParseCertChain

func (a *InstanceInfo) ParseCertChain() (ask, ark *x509.Certificate, retErr error)

ParseCertChain parses the certificate chain from the instanceInfo into x509-formatted ASK and ARK certificates. If fewer than 2 certificates are present, only the present certificate is returned. If more than 2 certificates are present, an error is returned.
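As an added illustration of the CertChain contract documented above (example code written for this page, not Constellation's own implementation), the following parser applies the same rules to a PEM bundle: ASK first, ARK second, a missing certificate comes back as nil, and a third certificate is rejected. selfSignedPEM is an assumed helper that builds constructed throwaway certificates standing in for the ASK/ARK so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ParseCertChain applies the documented CertChain contract: ASK first, ARK second;
// fewer than two certificates returns only what is present, more than two is an error.
func ParseCertChain(chain []byte) (ask, ark *x509.Certificate, err error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(chain); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // ignore unrelated PEM blocks (keys, parameters)
		}
		c, perr := x509.ParseCertificate(block.Bytes)
		if perr != nil {
			return nil, nil, fmt.Errorf("certificate %d: %w", len(certs)+1, perr)
		}
		certs = append(certs, c)
	}
	if len(certs) > 2 {
		return nil, nil, fmt.Errorf("expected at most 2 certificates (ASK, ARK), got %d", len(certs))
	}
	certs = append(certs, nil, nil) // pad so a missing ARK (or ASK) is returned as nil
	return certs[0], certs[1], nil
}

// selfSignedPEM builds a throwaway self-signed certificate (constructed test data, not a real AMD ASK/ARK).
func selfSignedPEM(serial int64) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: fmt.Sprintf("test-cert-%d", serial)},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```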

func (*InstanceInfo) ParseReportSigner

func (a *InstanceInfo) ParseReportSigner() (*x509.Certificate, error)

ParseReportSigner parses the VCEK/VLEK certificate from the instanceInfo into an x509-formatted certificate. If no certificate is present, nil is returned.
