snp

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 4, 2024 License: AGPL-3.0 Imports: 22 Imported by: 0

Documentation

Overview

--------- WARNING! ---------

THIS PACKAGE DOES CURRENTLY NOT IMPLEMENT ANY SNP ATTESTATION. It exists to implement required interfaces while implementing other parts of the AWS SNP attestation variant within Constellation.

----------------------------

SNP

Attestation based on TPMs and AMD SEV-SNP. The TPM is used to generate runtime measurements and sign them with an attestation key. The TPM currently runs outside the confidential context. This is a limitation imposed by the AWS implementation.

Issuer

Generates a TPM attestation using an attestation key saved inside the TPM. Additionally loads the SEV-SNP attestation report and AMD VLEK certificate chain, and adds them to the attestation document. The SNP report includes a measurement of the initial firmware inside the CVM, which can be precalculated independently for verification. The report also includes the attestation key.

Validator

Verifies the SNP report by verifying the VLEK certificate chain and the report's signature. This estabilishes trust in the attestation key and the CVM's initial firmware. However, since the TPM is outside the confidential context, it has to be trusted without verification. Thus, the hypervisor is still included in the trusted computing base.

Glossary

This section explains abbreviations used in SNP implementation.

  • Attestation Key (AK)

  • AMD Root Key (ARK)

  • AMD Signing Key (ASK)

  • Versioned Chip Endorsement Key (VCEK)

  • Versioned Loaded Endorsement Key (VLEK) For more information see SNP WhitePaper

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Issuer

type Issuer struct {
	variant.AWSSEVSNP
	*vtpm.Issuer
}

Issuer for AWS SNP attestation.

func NewIssuer

func NewIssuer(log attestation.Logger) *Issuer

NewIssuer creates a SEV-SNP based issuer for AWS.

type Validator

type Validator struct {
	// Embed variant to identify the Validator using variant.OID().
	variant.AWSSEVSNP
	// Embed validator to implement Validate method for aTLS handshake.
	*vtpm.Validator
	// contains filtered or unexported fields
}

Validator for AWS TPM attestation.

func NewValidator

func NewValidator(cfg *config.AWSSEVSNP, log attestation.Logger) *Validator

NewValidator create a new Validator structure and returns it.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL