Package trust (v0.4.1)

Note: this package version is not in the latest version of its module.

Published: Dec 14, 2022 License: Apache-2.0 Imports: 11 Imported by: 10

Documentation

Overview

Package trust defines core trust types and values for attestation verification.

Index

Constants

This section is empty.

Variables

var (
	// DefaultRootCerts holds AMD's SEV API certificate format for the ASK and ARK keys as published at
	// https://developer.amd.com/wp-content/resources/ask_ark_milan.cert
	DefaultRootCerts map[string]*AMDRootCerts
)

Functions

This section is empty.

Types

type AMDRootCerts

type AMDRootCerts struct {
	// Product is the expected CPU product name, e.g., Milan, Turin, Genoa.
	Product string
	// AskX509 is an X.509 certificate for the AMD SEV signing key (ASK).
	AskX509 *x509.Certificate
	// ArkX509 is an X.509 certificate for the AMD root key (ARK).
	ArkX509 *x509.Certificate
	// AskSev is the AMD certificate representation of the AMD signing key that certifies
	// versioned chip endorsement keys. If present, the information must match AskX509.
	AskSev *abi.AskCert
	// ArkSev is the AMD certificate representation of the self-signed AMD root key that
	// certifies the AMD signing key. If present, the information must match ArkX509.
	ArkSev *abi.AskCert
	// Mu protects concurrent accesses to CRL.
	Mu sync.Mutex
	// CRL is the certificate revocation list for this AMD product. Populated once, only when a
	// revocation is checked.
	CRL *x509.RevocationList
}

AMDRootCerts encapsulates the certificates that represent the AMD root of trust for one product line.

func (*AMDRootCerts) FromDER

func (r *AMDRootCerts) FromDER(ask []byte, ark []byte) error

FromDER populates the AMDRootCerts from DER-formatted certificates for both the ASK and the ARK.

func (*AMDRootCerts) FromKDSCert

func (r *AMDRootCerts) FromKDSCert(path string) error

FromKDSCert populates r's AskX509 and ArkX509 certificates from the file at path, which must be in the certificate format AMD's Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain.

func (*AMDRootCerts) FromKDSCertBytes

func (r *AMDRootCerts) FromKDSCertBytes(data []byte) error

FromKDSCertBytes populates r's AskX509 and ArkX509 certificates from the two PEM-encoded certificates in data. This is the format the Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain.

func (*AMDRootCerts) Unmarshal

func (r *AMDRootCerts) Unmarshal(data []byte) error

Unmarshal populates ASK and ARK certificates from AMD SEV format certificates in data.

func (*AMDRootCerts) X509Options

func (r *AMDRootCerts) X509Options() *x509.VerifyOptions

X509Options returns an x509 verification options object in which the ASK is the only intermediate certificate and the ARK the only root certificate, or nil if either the ASK or the ARK X.509 certificate is not present in r.

type HTTPSGetter

type HTTPSGetter interface {
	Get(url string) ([]byte, error)
}

HTTPSGetter represents the ability to fetch data from the internet at an HTTP URL. It is used particularly for fetching certificates.

func DefaultHTTPSGetter added in v0.4.1

func DefaultHTTPSGetter() HTTPSGetter

DefaultHTTPSGetter returns the library's default getter implementation. It will retry slowly due to the AMD KDS's rate limiting.

type RetryHTTPSGetter added in v0.4.1

type RetryHTTPSGetter struct {
	// Retries is how many times to retry on failure.
	Retries int
	// RetryRate is how long to wait between tries.
	RetryRate time.Duration
	// Getter is the non-retrying way of getting a URL.
	Getter HTTPSGetter
}

RetryHTTPSGetter is a meta-HTTPS getter that will retry on failure a given number of times.

func (*RetryHTTPSGetter) Get added in v0.4.1

func (n *RetryHTTPSGetter) Get(url string) ([]byte, error)

Get fetches the body of the URL, retrying a given number of times on failure.

type SimpleHTTPSGetter added in v0.4.1

type SimpleHTTPSGetter struct{}

SimpleHTTPSGetter implements the HTTPSGetter interface with http.Get.

func (*SimpleHTTPSGetter) Get added in v0.4.1

func (n *SimpleHTTPSGetter) Get(url string) ([]byte, error)

Get uses http.Get to return the HTTPS response body as a byte slice.
