GO-2024-2727: Constellation has pods exposed to peers in VPC in github.com/edgelesssys/constellation

snp

package

v2.7.0-pre Latest Latest Go to latest Published: Mar 7, 2023 License: AGPL-3.0 Imports: 22 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/edgelesssys/constellation

Documentation ¶

Overview ¶

SNP ¶

Attestation based on TPM and SEV-SNP attestation. The TPM is used to generate runtime measurements and signed by an attestation key that can be verified using the SEV-SNP attestation report.

Issuer ¶

Generates a TPM attestation using an attestation key saved in the TPM. Additionally loads the SEV-SNP attestation report and AMD VCEK certificate chain, and adds them to the attestation document.

Validator ¶

Verifies the attestation key used by first verifying the VCEK certificate chain and the SNP attestation report.

Glossary ¶

This section explains abbreviations used in SNP implementation.

Attestation Key (AK)
AMD Root Key (ARK)
AMD Signing Key (ASK)
Versioned Chip Endorsement Key (VCEK)
For more information see SNP WhitePaper
Host (Hardware?) Compatibility Layer (HCL)
No public information. Azure compute API has a field `isHostCompatibilityLayerVm`, with only a single sentence of documentation.

Index ¶

func GetIDKeyDigest(open vtpm.TPMOpenFunc) ([]byte, error)
type HCLAkValidator
type Issuer
- func NewIssuer(log vtpm.AttestationLogger) *Issuer
type Validator
- func NewValidator(pcrs measurements.M, idKeyDigests idkeydigest.IDKeyDigests, ...) *Validator

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func GetIDKeyDigest ¶

func GetIDKeyDigest(open vtpm.TPMOpenFunc) ([]byte, error)

GetIDKeyDigest reads the idkeydigest from the snp report saved in the TPM's non-volatile memory.

Types ¶

type HCLAkValidator ¶

type HCLAkValidator interface {
	// contains filtered or unexported methods
}

HCLAkValidator validates an attestation key issued by the Host Compatibility Layer (HCL). The HCL is written by Azure, and sits between the Hypervisor and CVM OS. The HCL runs in the protected context of the CVM.

type Issuer ¶

type Issuer struct {
	oid.AzureSEVSNP
	*vtpm.Issuer
}

Issuer for Azure TPM attestation.

func NewIssuer ¶

func NewIssuer(log vtpm.AttestationLogger) *Issuer

NewIssuer initializes a new Azure Issuer.

type Validator ¶

type Validator struct {
	oid.AzureSEVSNP
	*vtpm.Validator
}

Validator for Azure confidential VM attestation.

func NewValidator ¶

func NewValidator(pcrs measurements.M, idKeyDigests idkeydigest.IDKeyDigests, enforceIDKeyDigest bool, log vtpm.AttestationLogger) *Validator

NewValidator initializes a new Azure validator with the provided PCR values.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL