Documentation ¶
Overview ¶
Package trust defines core trust types and values for attestation verification.
Index ¶
- Variables
- func ClearProductCertCache()
- func ParseCert(cert []byte) (*x509.Certificate, error)
- type AMDRootCerts
- func (r *AMDRootCerts) Decode(ask []byte, ark []byte) error
- func (r *AMDRootCerts) FromKDSCert(path string) error
- func (r *AMDRootCerts) FromKDSCertBytes(data []byte) error
- func (r *AMDRootCerts) GetProductLine() string
- func (r *AMDRootCerts) Unmarshal(data []byte) error
- func (r *AMDRootCerts) X509Options(now time.Time, key abi.ReportSigner) *x509.VerifyOptions
- type AttestationRecreationErr
- type HTTPSGetter
- type ProductCerts
- type RetryHTTPSGetter
- type SimpleHTTPSGetter
Constants ¶
This section is empty.
Variables ¶
var ( // DefaultRootCerts holds AMD's SEV API certificate format for ASK and ARK keys as published here // https://download.amd.com/developer/eula/sev/ask_ark_milan.cert DefaultRootCerts map[string]*AMDRootCerts // AskArkMilanVcekBytes is a CA bundle for Milan. // source: https://kdsintf.amd.com/vcek/v1/Milan/cert_chain //go:embed ask_ark_milan.pem AskArkMilanVcekBytes []byte // AskArkMilanVlekBytes is a CA bundle for VLEK certs on Milan. // source: https://kdsintf.amd.com/vlek/v1/Milan/cert_chain //go:embed ask_ark_milan_vlek.pem AskArkMilanVlekBytes []byte // AskArkGenoaVcekBytes is a CA bundle for Genoa. // source: https://kdsintf.amd.com/vcek/v1/Genoa/cert_chain //go:embed ask_ark_genoa.pem AskArkGenoaVcekBytes []byte // AskArkGenoaVlekBytes is a CA bundle for VLEK certs on Genoa. // source: https://kdsintf.amd.com/vlek/v1/Genoa/cert_chain //go:embed ask_ark_genoa_vlek.pem AskArkGenoaVlekBytes []byte // AskArkTurinVcekBytes is a CA bundle for VCEK certs on Turin. // source: https://kdsintf.amd.com/vcek/v1/Turin/cert_chain //go:embed ask_ark_turin_vcek.pem AskArkTurinVcekBytes []byte // AskArkTurinVlekBytes is a CA bundle for VLEK certs on Turin. // source: https://kdsintf.amd.com/vcek/v1/Turin/cert_chain //go:embed ask_ark_turin_vlek.pem AskArkTurinVlekBytes []byte )
Functions ¶
func ClearProductCertCache ¶ added in v0.5.0
func ClearProductCertCache()
ClearProductCertCache clears the product certificate cache. This is useful for testing with multiple roots of trust.
Types ¶
type AMDRootCerts ¶
type AMDRootCerts struct { // Product is the expected CPU product line, e.g., Milan, Turin, Genoa. // // Deprecated: Use ProductLine. Product string // Product is the expected CPU product line, e.g., Milan, Turin, Genoa. ProductLine string // ProductCerts contains the root key and signing key devoted to a given product line. ProductCerts *ProductCerts // AskSev is the AMD certificate representation of the AMD signing key that certifies // versioned chip endoresement keys. If present, the information must match AskX509. AskSev *abi.AskCert // ArkSev is the AMD certificate representation of the self-signed AMD root key that // certifies the AMD signing key. If present, the information must match ArkX509. ArkSev *abi.AskCert // Mu protects concurrent accesses to CRL. Mu sync.Mutex // CRL is the certificate revocation list for this AMD product. Populated once, only when a // revocation is checked. CRL *x509.RevocationList }
AMDRootCerts encapsulates the certificates that represent root of trust in AMD.
func AMDRootCertsProduct ¶ added in v0.11.1
func AMDRootCertsProduct(productLine string) *AMDRootCerts
AMDRootCertsProduct returns a new *AMDRootCerts for a given product line.
func (*AMDRootCerts) Decode ¶ added in v0.7.1
func (r *AMDRootCerts) Decode(ask []byte, ark []byte) error
Decode populates the AMDRootCerts from DER-formatted certificates for both the ASK and the ARK.
func (*AMDRootCerts) FromKDSCert ¶
func (r *AMDRootCerts) FromKDSCert(path string) error
FromKDSCert populates r's AskX509 and ArkX509 certificates from the certificate format AMD's Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain
func (*AMDRootCerts) FromKDSCertBytes ¶
func (r *AMDRootCerts) FromKDSCertBytes(data []byte) error
FromKDSCertBytes populates r's AskX509 and ArkX509 certificates from the two PEM-encoded certificates in data. This is the format the Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain
func (*AMDRootCerts) GetProductLine ¶ added in v0.11.1
func (r *AMDRootCerts) GetProductLine() string
GetProductLine returns the product line the certificate chain is associated with.
func (*AMDRootCerts) Unmarshal ¶
func (r *AMDRootCerts) Unmarshal(data []byte) error
Unmarshal populates ASK and ARK certificates from AMD SEV format certificates in data.
func (*AMDRootCerts) X509Options ¶
func (r *AMDRootCerts) X509Options(now time.Time, key abi.ReportSigner) *x509.VerifyOptions
X509Options returns the AS[V]K and ARK as the only intermediate and root certificates of an x509 verification options object, or nil if either key's x509 certificate is not present in r. Choice between ASK and ASVK is determined by key.
type AttestationRecreationErr ¶ added in v0.5.0
type AttestationRecreationErr struct {
Msg string
}
AttestationRecreationErr represents a problem with fetching or interpreting associated certificates for a given attestation report. This is typically due to network unreliability.
func (*AttestationRecreationErr) Error ¶ added in v0.5.0
func (e *AttestationRecreationErr) Error() string
type HTTPSGetter ¶
HTTPSGetter represents the ability to fetch data from the internet from an HTTP URL. Used particularly for fetching certificates.
func DefaultHTTPSGetter ¶ added in v0.4.1
func DefaultHTTPSGetter() HTTPSGetter
DefaultHTTPSGetter returns the library's default getter implementation. It will retry slowly due to the AMD KDS's rate limiting.
type ProductCerts ¶ added in v0.5.0
type ProductCerts struct { Ask *x509.Certificate Asvk *x509.Certificate Ark *x509.Certificate }
ProductCerts contains the root key and signing key devoted to a given product line.
func GetProductChain ¶ added in v0.5.0
func GetProductChain(productLine string, s abi.ReportSigner, getter HTTPSGetter) (*ProductCerts, error)
GetProductChain returns the ASK and ARK certificates of the given product line, either from getter or from a cache of the results from the last successful call.
func (*ProductCerts) Decode ¶ added in v0.7.1
func (r *ProductCerts) Decode(ask []byte, ark []byte) error
Decode populates the ProductCerts from DER-formatted certificates for both the AS[V]K and the ARK.
func (*ProductCerts) FromKDSCert ¶ added in v0.5.0
func (r *ProductCerts) FromKDSCert(path string) error
FromKDSCert populates r's AskX509 and ArkX509 certificates from the certificate format AMD's Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain
func (*ProductCerts) FromKDSCertBytes ¶ added in v0.5.0
func (r *ProductCerts) FromKDSCertBytes(data []byte) error
FromKDSCertBytes populates r's AskX509 and ArkX509 certificates from the two PEM-encoded certificates in data. This is the format the Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain
func (*ProductCerts) X509Options ¶ added in v0.5.0
func (r *ProductCerts) X509Options(now time.Time, key abi.ReportSigner) *x509.VerifyOptions
X509Options returns the AS[V]K and ARK as the only intermediate and root certificates of an x509 verification options object, or nil if either key's x509 certificate is not present in r. The choice between ASK and ASVK is determined bey key.
type RetryHTTPSGetter ¶ added in v0.4.1
type RetryHTTPSGetter struct { // Timeout is how long to retry before failure. Timeout time.Duration // MaxRetryDelay is the maximum amount of time to wait between retries. MaxRetryDelay time.Duration // Getter is the non-retrying way of getting a URL. Getter HTTPSGetter }
RetryHTTPSGetter is a meta-HTTPS getter that will retry on failure a given number of times.
type SimpleHTTPSGetter ¶ added in v0.4.1
type SimpleHTTPSGetter struct{}
SimpleHTTPSGetter implements the HTTPSGetter interface with http.Get.