Documentation ¶
Overview ¶
Package verify includes logic and embedded AMD keys to check attestation report signatures.
Index ¶
- Variables
- func SnpAttestation(attestation *spb.Attestation, options *Options) error
- func SnpProtoReportSignature(report *spb.Report, vcek *x509.Certificate) error
- func SnpReportSignature(report []byte, vcek *x509.Certificate) error
- func ValidateVcekCertSubject(subject pkix.Name) error
- func ValidateVcekExtensions(exts *kds.VcekExtensions) error
- type AMDRootCerts
- func VcekDER(vcek []byte, ask []byte, ark []byte, options *Options) (*x509.Certificate, *AMDRootCerts, error)
- func (r *AMDRootCerts) FromDER(ask []byte, ark []byte) error
- func (r *AMDRootCerts) FromKDSCert(path string) error
- func (r *AMDRootCerts) FromKDSCertBytes(data []byte) error
- func (r *AMDRootCerts) GetCrlAndCheckRoot(getter HTTPSGetter) (*x509.RevocationList, error)
- func (r *AMDRootCerts) Unmarshal(data []byte) error
- func (r *AMDRootCerts) ValidateArkSev() error
- func (r *AMDRootCerts) ValidateArkX509() error
- func (r *AMDRootCerts) ValidateAskSev() error
- func (r *AMDRootCerts) ValidateAskX509() error
- func (r *AMDRootCerts) ValidateVcekCertIssuer(issuer pkix.Name) error
- func (r *AMDRootCerts) ValidateX509() error
- func (r *AMDRootCerts) VcekNotRevoked(getter HTTPSGetter, cert *x509.Certificate) error
- func (r *AMDRootCerts) X509Options() *x509.VerifyOptions
- type CRLUnavailableErr
- type HTTPSGetter
- type Options
- type SimpleHTTPSGetter
Constants ¶
This section is empty.
Variables ¶
var DefaultRootCerts map[string]*AMDRootCerts
DefaultRootCerts maps a platform name (e.g., Milan) to the embedded ASK and ARK root certificates for that platform, in AMD's SEV API certificate format, as published at https://developer.amd.com/wp-content/resources/ask_ark_milan.cert
Functions ¶
func SnpAttestation ¶
func SnpAttestation(attestation *spb.Attestation, options *Options) error
SnpAttestation verifies the protobuf representation of an attestation report. It first checks that the attached VCEK certificate chains to the ASK and ARK selected by options (the embedded AMD roots when options.TrustedRoots is nil, with revocation checked when options.CheckRevocations is set), and only then verifies the report's signature according to the report's SignatureAlgo.
func SnpProtoReportSignature ¶
func SnpProtoReportSignature(report *spb.Report, vcek *x509.Certificate) error
SnpProtoReportSignature verifies the signature of the protobuf representation of an attestation report, using the algorithm named by the report's SignatureAlgo and the public key of the given VCEK certificate. It does not validate the VCEK's certificate chain.
func SnpReportSignature ¶
func SnpReportSignature(report []byte, vcek *x509.Certificate) error
SnpReportSignature verifies the signature of a raw (ABI-formatted) attestation report, using the algorithm named by the report's SignatureAlgo and the public key of the given VCEK certificate. It does not validate the VCEK's certificate chain.
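What a raw-report signature check of this kind has to do, as an added self-contained example that is not this package's code: the layout constants (a 0x4A0-byte report, SIGNATURE_ALGO as the little-endian uint32 at 0x34 with 1 meaning ECDSA P-384 with SHA-384, a signed region of bytes [0, 0x2A0), and R and S stored at 0x2A0 as 72-byte little-endian integers) are taken from the SEV-SNP ABI specification rather than from this page, and GenerateVcekKey produces a fresh P-384 key standing in for the chip's VCEK. SignReport exists only to build a constructed input; real reports are signed by firmware.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// Layout assumed from the SEV-SNP ABI, not stated on this page.
const (
	reportSize    = 0x4A0 // whole ATTESTATION_REPORT
	sigAlgoOffset = 0x34  // SIGNATURE_ALGO, little-endian uint32
	signedSize    = 0x2A0 // bytes [0, 0x2A0) are covered by the signature
	sigIntSize    = 72    // R and S are each 72-byte little-endian integers
	algoECDSAP384 = 1     // ECDSA P-384 with SHA-384
)

var ErrUnsupportedAlgo = errors.New("unsupported SIGNATURE_ALGO")

// GenerateVcekKey stands in for the chip's VCEK (constructed, not a real AMD key).
func GenerateVcekKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
}

// leToBig decodes a little-endian unsigned integer.
func leToBig(b []byte) *big.Int {
	be := make([]byte, len(b))
	for i, v := range b {
		be[len(b)-1-i] = v
	}
	return new(big.Int).SetBytes(be)
}

// bigToLE encodes n as a fixed-width little-endian integer (panics if it does not fit).
func bigToLE(n *big.Int, width int) []byte {
	be := n.FillBytes(make([]byte, width))
	le := make([]byte, width)
	for i, v := range be {
		le[width-1-i] = v
	}
	return le
}

// VerifyReportSignature checks the signed region of report against the VCEK public key
// using the algorithm the report names. The firmware's R||S layout is not ASN.1, so
// ecdsa.VerifyASN1 would reject every genuine report; the raw (r, s) form is needed.
func VerifyReportSignature(report []byte, vcek *ecdsa.PublicKey) error {
	if len(report) != reportSize {
		return fmt.Errorf("report is %d bytes, want %d", len(report), reportSize)
	}
	if algo := binary.LittleEndian.Uint32(report[sigAlgoOffset:]); algo != algoECDSAP384 {
		return fmt.Errorf("%w: %d", ErrUnsupportedAlgo, algo)
	}
	if vcek.Curve != elliptic.P384() {
		return errors.New("VCEK public key is not on P-384")
	}
	sig := report[signedSize:]
	r := leToBig(sig[:sigIntSize])
	s := leToBig(sig[sigIntSize : 2*sigIntSize])
	digest := sha512.Sum384(report[:signedSize])
	if !ecdsa.Verify(vcek, digest[:], r, s) {
		return errors.New("report signature does not verify under the VCEK")
	}
	return nil
}

// SignReport builds a constructed report from body, sets SIGNATURE_ALGO to algo and signs
// the signed region the way the firmware would. It exists only to produce test input.
func SignReport(body []byte, algo uint32, key *ecdsa.PrivateKey) ([]byte, error) {
	if len(body) > signedSize {
		return nil, errors.New("body exceeds the signed region")
	}
	report := make([]byte, reportSize)
	copy(report, body)
	binary.LittleEndian.PutUint32(report[sigAlgoOffset:], algo)
	digest := sha512.Sum384(report[:signedSize])
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	copy(report[signedSize:], bigToLE(r, sigIntSize))
	copy(report[signedSize+sigIntSize:], bigToLE(s, sigIntSize))
	return report, nil
}

func main() {
	vcek, _ := GenerateVcekKey()
	report, _ := SignReport([]byte("constructed report body"), algoECDSAP384, vcek)
	fmt.Println("genuine: ", VerifyReportSignature(report, &vcek.PublicKey))
	report[0x90] ^= 0x01 // flip one bit inside the signed region
	fmt.Println("tampered:", VerifyReportSignature(report, &vcek.PublicKey))
}
```

The algorithm check comes before any cryptography on purpose: a report that names an algorithm the verifier does not implement must be rejected rather than silently verified with whatever the verifier defaults to.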
func ValidateVcekCertSubject ¶
func ValidateVcekCertSubject(subject pkix.Name) error
ValidateVcekCertSubject checks that the subject fields of the VCEK certificate carry the values the KDS specification requires.
func ValidateVcekExtensions ¶
func ValidateVcekExtensions(exts *kds.VcekExtensions) error
ValidateVcekExtensions checks that the VCEK certificate's KDS-defined extensions meet the well-formedness expectations of the KDS specification.
Types ¶
type AMDRootCerts ¶
type AMDRootCerts struct {
	// Platform is the expected CPU platform name, e.g., Milan, Turin, Genoa.
	Platform string
	// AskX509 is an X.509 certificate for the AMD SEV signing key (ASK).
	AskX509 *x509.Certificate
	// ArkX509 is an X.509 certificate for the AMD root key (ARK).
	ArkX509 *x509.Certificate
	// AskSev is the AMD certificate representation of the AMD signing key that certifies
	// versioned chip endorsement keys. If present, the information must match AskX509.
	AskSev *abi.AskCert
	// ArkSev is the AMD certificate representation of the self-signed AMD root key that
	// certifies the AMD signing key. If present, the information must match ArkX509.
	ArkSev *abi.AskCert
	// CRL is the certificate revocation list for this AMD platform. Populated once, only when a
	// revocation is checked.
	CRL *x509.RevocationList
	// contains filtered or unexported fields
}
AMDRootCerts encapsulates the certificates that represent root of trust in AMD.
func VcekDER ¶
func VcekDER(vcek []byte, ask []byte, ark []byte, options *Options) (*x509.Certificate, *AMDRootCerts, error)
VcekDER parses the DER-encoded VCEK, checks that it matches the field expectations of the KDS specification, and verifies that its chain through the given DER-encoded ASK and ARK matches the trusted roots selected by options (the embedded AMD root certificates when options.TrustedRoots is nil). On success it returns the parsed VCEK together with the AMDRootCerts it was validated against.
func (*AMDRootCerts) FromDER ¶
func (r *AMDRootCerts) FromDER(ask []byte, ark []byte) error
FromDER populates the AMDRootCerts from DER-formatted certificates for both the ASK and the ARK.
func (*AMDRootCerts) FromKDSCert ¶
func (r *AMDRootCerts) FromKDSCert(path string) error
FromKDSCert populates r's AskX509 and ArkX509 certificates from the certificate format AMD's Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain
func (*AMDRootCerts) FromKDSCertBytes ¶
func (r *AMDRootCerts) FromKDSCertBytes(data []byte) error
FromKDSCertBytes populates r's AskX509 and ArkX509 certificates from the two PEM-encoded certificates in data. This is the format the Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain
func (*AMDRootCerts) GetCrlAndCheckRoot ¶
func (r *AMDRootCerts) GetCrlAndCheckRoot(getter HTTPSGetter) (*x509.RevocationList, error)
GetCrlAndCheckRoot downloads the CRL for r's ASK/ARK chain from one of its distribution points using getter, verifies that the CRL is valid, checks that it does not revoke the intermediate (ASK) key, and caches the result in r.CRL.
func (*AMDRootCerts) Unmarshal ¶
func (r *AMDRootCerts) Unmarshal(data []byte) error
Unmarshal populates ASK and ARK certificates from AMD SEV format certificates in data.
func (*AMDRootCerts) ValidateArkSev ¶
func (r *AMDRootCerts) ValidateArkSev() error
ValidateArkSev checks ARK SEV format certificate validity according to AMD SEV API Appendix B.3. This covers steps 5, 6, 9, and 11.
func (*AMDRootCerts) ValidateArkX509 ¶
func (r *AMDRootCerts) ValidateArkX509() error
ValidateArkX509 checks expected metadata about the ARK X.509 certificate. It does not verify the cryptographic signatures.
func (*AMDRootCerts) ValidateAskSev ¶
func (r *AMDRootCerts) ValidateAskSev() error
ValidateAskSev checks ASK SEV format certificate validity according to AMD SEV API Appendix B.3. This covers steps 1, 2, and 5.
func (*AMDRootCerts) ValidateAskX509 ¶
func (r *AMDRootCerts) ValidateAskX509() error
ValidateAskX509 checks expected metadata about the ASK X.509 certificate. It does not verify the cryptographic signatures.
func (*AMDRootCerts) ValidateVcekCertIssuer ¶
func (r *AMDRootCerts) ValidateVcekCertIssuer(issuer pkix.Name) error
ValidateVcekCertIssuer checks KDS-specified values of the issuer metadata of the AMD certificate.
func (*AMDRootCerts) ValidateX509 ¶
func (r *AMDRootCerts) ValidateX509() error
ValidateX509 validates the X.509 certificates of the ASK and ARK.
func (*AMDRootCerts) VcekNotRevoked ¶
func (r *AMDRootCerts) VcekNotRevoked(getter HTTPSGetter, cert *x509.Certificate) error
VcekNotRevoked consults the online CRL listed in the VCEK certificate, fetched via getter, to determine whether cert has been revoked. Returns nil if not revoked and an error on any problem, including a CRL that cannot be fetched (see CRLUnavailableErr).
func (*AMDRootCerts) X509Options ¶
func (r *AMDRootCerts) X509Options() *x509.VerifyOptions
X509Options returns the ASK and ARK as the only intermediate and root certificates of an x509 verification options object, or nil if either key's x509 certificate is not present in r.
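The chain check that FromKDSCertBytes, X509Options and VcekDER describe, as an added self-contained example rather than code from this package: it parses a two-PEM cert_chain (ASK first, then ARK), pins those two certificates as the only intermediate and root for verification, and verifies a DER-encoded VCEK against them, rejecting a VCEK whose issuers are a different ARK/ASK pair with the same names. The certificates are constructed in-process with ECDSA P-384 keys (AMD's real ARK and ASK are RSA keys, and a real VCEK carries KDS-specified subject, issuer and extension fields that this fixture does not model); the Roots type, the BuildChain fixture and all names are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Roots holds the ASK (intermediate) and ARK (root) parsed from a KDS-style cert_chain.
type Roots struct{ Ask, Ark *x509.Certificate }

// FromKDSCertBytes parses the cert_chain format: two PEM certificates, ASK first, then ARK.
func FromKDSCertBytes(data []byte) (*Roots, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) != 2 {
		return nil, fmt.Errorf("want ASK then ARK, got %d certificates", len(certs))
	}
	return &Roots{Ask: certs[0], Ark: certs[1]}, nil
}

// X509Options pins the ARK as the only trusted root and the ASK as the only intermediate,
// so nothing in the system trust store can vouch for a VCEK.
func (r *Roots) X509Options() x509.VerifyOptions {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(r.Ark)
	inter.AddCert(r.Ask)
	return x509.VerifyOptions{Roots: roots, Intermediates: inter}
}

// VerifyVcek parses a DER VCEK and checks it chains ARK -> ASK -> VCEK with valid signatures and dates.
func (r *Roots) VerifyVcek(vcekDER []byte) (*x509.Certificate, error) {
	vcek, err := x509.ParseCertificate(vcekDER)
	if err != nil {
		return nil, err
	}
	if _, err := vcek.Verify(r.X509Options()); err != nil {
		return nil, fmt.Errorf("VCEK does not chain to the trusted ARK: %w", err)
	}
	return vcek, nil
}

// BuildChain is a constructed fixture: an ECDSA P-384 ARK -> ASK -> VCEK chain for the given
// platform name, returned as KDS-style cert_chain PEM plus the VCEK DER. AMD's real ARK and
// ASK are RSA keys; ECDSA keeps key generation fast here.
func BuildChain(platform string) (chainPEM, vcekDER []byte) {
	now := time.Now()
	issue := func(serial int64, cn string, ca bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		key, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		}
		if ca {
			tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		}
		if parent == nil { // self-signed root
			parent, signer = tmpl, key
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
		if err != nil {
			panic(err)
		}
		cert, _ := x509.ParseCertificate(der)
		return cert, key
	}
	ark, arkKey := issue(1, "ARK-"+platform, true, nil, nil)
	ask, askKey := issue(2, "SEV-"+platform, true, ark, arkKey)
	vcek, _ := issue(3, "SEV-VCEK", false, ask, askKey)
	chainPEM = append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ask.Raw}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ark.Raw})...)
	return chainPEM, vcek.Raw
}

func main() {
	chain, vcek := BuildChain("Milan")
	roots, _ := FromKDSCertBytes(chain)
	_, err := roots.VerifyVcek(vcek)
	fmt.Println("VCEK under its own roots:", err)
	rogueChain, _ := BuildChain("Milan") // a second ARK/ASK pair with identical names
	rogue, _ := FromKDSCertBytes(rogueChain)
	_, err = rogue.VerifyVcek(vcek)
	fmt.Println("VCEK under rogue roots:  ", err)
}
```

The rogue case is the one that matters in practice: a VCEK whose issuer names look right but whose chain terminates in a key other than the pinned ARK must fail, which is why the verification options carry only the ARK and ASK and never fall back to the host's trust store.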
type CRLUnavailableErr ¶
type CRLUnavailableErr struct {
// contains filtered or unexported fields
}
CRLUnavailableErr represents a problem fetching the CRL from the network. It is a distinct error type so that callers can easily implement "fail open" semantics for CRL unavailability while still failing closed on an actual revocation. See Adam Langley's write-up on CRLs and network unreliability: https://www.imperialviolet.org/2014/04/19/revchecking.html
type HTTPSGetter ¶
HTTPSGetter represents the ability to fetch data from the internet from an HTTP URL.
type Options ¶
type Options struct {
	// CheckRevocations set to true if the verifier should retrieve the CRL from the network and check
	// if the VCEK or ASK have been revoked according to the ARK.
	CheckRevocations bool
	// Getter takes a URL and returns the body of its contents. By default uses http.Get and returns
	// the body.
	Getter HTTPSGetter
	// TrustedRoots specifies the ARK and ASK certificates to trust when checking the VCEK. If nil,
	// then verification will fall back on embedded AMD-published root certificates.
	// Maps the platform name to an array of allowed roots.
	TrustedRoots map[string][]*AMDRootCerts
}
Options represents verification options for an SEV-SNP attestation report.
type SimpleHTTPSGetter ¶
type SimpleHTTPSGetter struct{}
SimpleHTTPSGetter implements the HTTPSGetter interface with http.Get.
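A getter and a fail-open decision in the spirit of CRLUnavailableErr, Options.Getter and SimpleHTTPSGetter, as an added example that is not this package's code. It assumes HTTPSGetter has a single method Get(url string) ([]byte, error), bounds the HTTP request with a timeout and a body cap where plain http.Get has neither, and classifies only a failed fetch as CRLUnavailableErr, so that a verifier configured to fail open still rejects a reachable server that returns something other than a CRL. The URL and the GetterFunc adapter are constructed for the example.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"time"
)

// HTTPSGetter is the getter contract as this example assumes it: a URL in, the response body out.
type HTTPSGetter interface{ Get(url string) ([]byte, error) }

// BoundedGetter stands in for a plain http.Get-based getter but bounds the request: http.Get
// has no timeout, so a stalled or hostile CRL server could otherwise wedge the verifier.
type BoundedGetter struct{ Client *http.Client }

func NewBoundedGetter(timeout time.Duration) *BoundedGetter {
	return &BoundedGetter{Client: &http.Client{Timeout: timeout}}
}

func (g *BoundedGetter) Get(url string) ([]byte, error) {
	resp, err := g.Client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %s: %s", url, resp.Status)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // a CRL is far below 1 MiB
}

// CRLUnavailableErr reports that the CRL could not be fetched from the network at all.
type CRLUnavailableErr struct {
	URL string
	Err error
}

func (e *CRLUnavailableErr) Error() string { return "CRL unavailable from " + e.URL + ": " + e.Err.Error() }
func (e *CRLUnavailableErr) Unwrap() error { return e.Err }

// FetchCRL separates "could not reach the distribution point" (wrapped in *CRLUnavailableErr)
// from "reached it but got bytes that are not a CRL", which is never treated as unavailability.
func FetchCRL(getter HTTPSGetter, url string) (*x509.RevocationList, error) {
	body, err := getter.Get(url)
	if err != nil {
		return nil, &CRLUnavailableErr{URL: url, Err: err}
	}
	crl, err := x509.ParseRevocationList(body)
	if err != nil {
		return nil, fmt.Errorf("CRL from %s is malformed: %w", url, err)
	}
	return crl, nil
}

// Verdict turns a FetchCRL error into a policy decision: with failOpen set, only a network
// outage is forgiven; a malformed or otherwise bad CRL still fails the verification.
func Verdict(err error, failOpen bool) error {
	var unavailable *CRLUnavailableErr
	if err != nil && failOpen && errors.As(err, &unavailable) {
		return nil
	}
	return err
}

// GetterFunc adapts a function to HTTPSGetter, which lets the example run without a network.
type GetterFunc func(url string) ([]byte, error)

func (f GetterFunc) Get(url string) ([]byte, error) { return f(url) }

func main() {
	const url = "https://kds.example/vcek/v1/Milan/crl" // constructed URL, not AMD's endpoint
	down := GetterFunc(func(u string) ([]byte, error) { return nil, fmt.Errorf("dial %s: i/o timeout", u) })
	junk := GetterFunc(func(string) ([]byte, error) { return []byte("<html>captive portal</html>"), nil })
	_, err := FetchCRL(down, url)
	fmt.Println("outage, fail open:  ", Verdict(err, true))
	fmt.Println("outage, fail closed:", Verdict(err, false))
	_, err = FetchCRL(junk, url)
	fmt.Println("junk, fail open:    ", Verdict(err, true))
}
```

In a real verifier NewBoundedGetter(5*time.Second) would be what goes into Options.Getter; whether to fail open at all is a deployment decision, since an attacker who can block the CRL fetch gets exactly the bypass Langley's write-up describes.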