Documentation ¶
Overview ¶
Package verify includes logic and embedded AMD keys to check attestation report signatures.
Index ¶
- Variables
- func GetAttestationFromReport(report *spb.Report, options *Options) (*spb.Attestation, error)
- func GetCrlAndCheckRoot(r *trust.AMDRootCerts, opts *Options) (*x509.RevocationList, error)
- func RawSnpReport(rawReport []byte, options *Options) error
- func SnpAttestation(attestation *spb.Attestation, options *Options) error
- func SnpProtoReportSignature(report *spb.Report, vcek *x509.Certificate) error
- func SnpReport(report *spb.Report, options *Options) error
- func SnpReportSignature(report []byte, vcek *x509.Certificate) error
- func VcekNotRevoked(r *trust.AMDRootCerts, _ *x509.Certificate, options *Options) error
- type CRLUnavailableErr
- type Options
Constants ¶
This section is empty.
Variables ¶
var ( // ErrMissingVlek is returned when attempting to verify a VLEK-signed report that doesn't also // have its VLEK certificate attached. ErrMissingVlek = errors.New("report signed with VLEK, but VLEK certificate is missing") )
Functions ¶
func GetAttestationFromReport ¶ added in v0.2.4
GetAttestationFromReport uses AMD's Key Distribution Service (KDS) to download the certificate chain for the VCEK that supposedly signed the given report, and returns the Attestation representation of their combination. If getter is nil, uses Golang's http.Get.
func GetCrlAndCheckRoot ¶ added in v0.4.0
func GetCrlAndCheckRoot(r *trust.AMDRootCerts, opts *Options) (*x509.RevocationList, error)
GetCrlAndCheckRoot downloads the given cert's CRL from one of the distribution points and verifies that the CRL is valid and doesn't revoke an intermediate key.
func RawSnpReport ¶ added in v0.2.4
RawSnpReport verifies the raw bytes representation of an attestation report's signature based on the report's SignatureAlgo and uses the AMD Key Distribution Service to download the report's corresponding VCEK certificate.
func SnpAttestation ¶
func SnpAttestation(attestation *spb.Attestation, options *Options) error
SnpAttestation verifies the protobuf representation of an attestation report's signature based on the report's SignatureAlgo, provided the certificate chain is valid.
func SnpProtoReportSignature ¶
func SnpProtoReportSignature(report *spb.Report, vcek *x509.Certificate) error
SnpProtoReportSignature verifies the protobuf representation of an attestation report's signature based on the report's SignatureAlgo.
func SnpReport ¶ added in v0.2.4
SnpReport verifies the protobuf representation of an attestation report's signature based on the report's SignatureAlgo and uses the AMD Key Distribution Service to download the report's corresponding VCEK certificate.
func SnpReportSignature ¶
func SnpReportSignature(report []byte, vcek *x509.Certificate) error
SnpReportSignature verifies the attestation report's signature based on the report's SignatureAlgo.
func VcekNotRevoked ¶ added in v0.4.0
func VcekNotRevoked(r *trust.AMDRootCerts, _ *x509.Certificate, options *Options) error
VcekNotRevoked will consult the online CRL listed in the VCEK certificate for whether this cert has been revoked. Returns nil if not revoked, error on any problem.
Types ¶
type CRLUnavailableErr ¶
type CRLUnavailableErr struct {
// contains filtered or unexported fields
}
CRLUnavailableErr represents a problem with fetching the CRL from the network. This type is special to allow for easy "fail open" semantics for CRL unavailability. See Adam Langley's write-up on CRLs and network unreliability https://www.imperialviolet.org/2014/04/19/revchecking.html
type Options ¶
type Options struct { // CheckRevocations set to true if the verifier should retrieve the CRL from the network and check // if the VCEK or ASK have been revoked according to the ARK. CheckRevocations bool // DisableCertFetching set to true if SnpAttestation should not connect to the AMD KDS to fill in // any missing certificates in an attestation's certificate chain. Uses Getter if false. DisableCertFetching bool // Getter takes a URL and returns the body of its contents. By default uses http.Get and returns // the body. Getter trust.HTTPSGetter // Now is the time at which to verify the validity of certificates. If unset, uses time.Now(). Now time.Time // TrustedRoots specifies the ARK and ASK certificates to trust when checking the VCEK. If nil, // then verification will fall back on embedded AMD-published root certificates. // Maps the product name to an array of allowed roots. TrustedRoots map[string][]*trust.AMDRootCerts // Product is a forced value for the attestation product name when verifying or retrieving // VCEK certificates. An attestation should carry the product of the reporting // machine. Only used for v2 attestation reports. Product *spb.SevProduct }
Options represents verification options for an SEV-SNP attestation report.
func DefaultOptions ¶ added in v0.6.0
func DefaultOptions() *Options
DefaultOptions returns a useful default verification option setting
func RootOfTrustToOptions ¶ added in v0.3.0
func RootOfTrustToOptions(rot *cpb.RootOfTrust) (*Options, error)
RootOfTrustToOptions translates the RootOfTrust message into the Options type needed for driving an attestation verification.