kds

package
v0.4.5
Warning

This package is not in the latest version of its module.

Published: Jan 26, 2023 License: Apache-2.0 Imports: 11 Imported by: 7

Documentation

Overview

Package kds defines values specified for the AMD Key Distribution Service.

Index

Constants

This section is empty.

Variables

// Object identifiers of the KDS-specified x509v3 extensions found in a VCEK
// certificate. All of them sit under the 1.3.6.1.4.1.3704.1 arc; the security
// patch level (SPL) entries share the .3 sub-arc. Compare them against an
// extension's Id with ObjectIdentifier.Equal rather than by string.
var (
	// OidStructVersion identifies the extension holding the VCEK certificate struct version.
	OidStructVersion = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3704, 1, 1}
	// OidProductName1 identifies the extension holding the VCEK certificate product name.
	OidProductName1 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3704, 1, 2}
	// OidBlSpl identifies the extension holding the bootloader security patch level.
	OidBlSpl = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3704, 1, 3, 1}
	// OidTeeSpl identifies the extension holding the TEE security patch level.
	OidTeeSpl = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3704, 1, 3, 2}
	// OidSnpSpl identifies the extension holding the SNP security patch level.
	OidSnpSpl = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3704, 1, 3, 3}
	// OidSpl4 identifies the extension holding a reserved security patch level.
	OidSpl4 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3704, 1, 3, 4}
	// OidSpl5 identifies the extension holding a reserved security patch level.
	OidSpl5 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3704, 1, 3, 5}
	// OidSpl6 identifies the extension holding a reserved security patch level.
	OidSpl6 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3704, 1, 3, 6}
	// OidSpl7 identifies the extension holding a reserved security patch level.
	OidSpl7 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3704, 1, 3, 7}
	// OidUcodeSpl identifies the extension holding the microcode security patch level.
	OidUcodeSpl = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3704, 1, 3, 8}
	// OidHwid identifies the extension holding the hardware identifier the certificate is bound to.
	OidHwid = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3704, 1, 4}
)

Functions

func ParseProductCertChain

func ParseProductCertChain(pems []byte) ([]byte, []byte, error)

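ParseProductCertChain parses the body of the KDS ProductCertChain (cert_chain) endpoint and returns the DER-formatted certificates it contains, ASK and ARK in that order. The results are raw DER bytes, so the caller still has to parse them and validate the chain before trusting either certificate.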

func ParseProductCertChainURL added in v0.4.0

func ParseProductCertChainURL(kdsurl string) (string, error)

ParseProductCertChainURL returns the product name for a KDS cert_chain URL, or an error if the input is not a KDS cert_chain URL.

func ProductCertChainURL

func ProductCertChainURL(product string) string

ProductCertChainURL returns the AMD KDS URL for retrieving the ARK and ASK certificates on the given product in PEM format.

func VCEKCertURL

func VCEKCertURL(product string, hwid []byte, tcb TCBVersion) string

VCEKCertURL returns the AMD KDS URL for retrieving the VCEK on a given product at a given TCB version. The hwid is the CHIP_ID field in an attestation report.

Types

type TCBParts

// TCBParts represents all TCB field values in a given uint64 representation
// of an AMD secure processor firmware TCB version. Each component is a single
// byte.
//
// A policy such as "at least this patch level" is a question about each
// component separately; comparing two packed TCBVersion values as integers
// does not answer it, so decompose first and compare field by field.
//
// NOTE(review): the field order presumably mirrors the byte order of the
// packed TCBVersion — confirm against DecomposeTCBVersion before relying on it.
type TCBParts struct {
	// BlSpl is the bootloader security patch level.
	BlSpl uint8
	// TeeSpl is the TEE security patch level.
	TeeSpl uint8
	// Spl4 is reserved.
	Spl4 uint8
	// Spl5 is reserved.
	Spl5 uint8
	// Spl6 is reserved.
	Spl6 uint8
	// Spl7 is reserved.
	Spl7 uint8
	// SnpSpl is the SNP security patch level.
	SnpSpl uint8
	// UcodeSpl is the microcode security patch level.
	UcodeSpl uint8
}

TCBParts represents all TCB field values in a given uint64 representation of an AMD secure processor firmware TCB version.

func DecomposeTCBVersion

func DecomposeTCBVersion(tcb TCBVersion) TCBParts

DecomposeTCBVersion interprets the byte components of the AMD representation of the platform security patch levels into a struct.

type TCBVersion

// TCBVersion is a 64-bit bitfield of different security patch levels of AMD
// firmware and microcode. Use DecomposeTCBVersion to read the individual
// components and ComposeTCBParts to pack them again.
type TCBVersion uint64

TCBVersion is a 64-bit bitfield of different security patch levels of AMD firmware and microcode.

func ComposeTCBParts

func ComposeTCBParts(parts TCBParts) (TCBVersion, error)

ComposeTCBParts returns an SEV-SNP TCB_VERSION from OID mapping values. The spl4-spl7 fields are reserved, but the KDS specification designates them as four fields of one byte each.

type VCEKCert added in v0.4.0

// VCEKCert represents the attestation report components represented in a KDS
// VCEK certificate request URL: the product name, the hardware identifier
// (the CHIP_ID field of an attestation report, per VCEKCertURL) and the TCB
// version. TCB is a plain uint64 here; convert it with TCBVersion(c.TCB)
// before passing it to DecomposeTCBVersion.
//
// The values are only what the URL string said, so they are as trustworthy as
// the source of that URL.
//
// NOTE(review): HWID is a variable-length slice, while VcekExtensions.HWID is
// a [64]byte array. Whether ParseVCEKCertURL enforces a length is not visible
// here — check len(HWID) before copying it into a fixed-size array.
type VCEKCert struct {
	Product string
	HWID    []byte
	TCB     uint64
}

VCEKCert represents the attestation report components represented in a KDS VCEK certificate request URL.

func ParseVCEKCertURL added in v0.4.0

func ParseVCEKCertURL(kdsurl string) (VCEKCert, error)

ParseVCEKCertURL returns the attestation report components represented in the given KDS VCEK certificate request URL.

type VcekExtensions

// VcekExtensions represents the information stored in the KDS-specified x509
// extensions of a VCEK certificate.
//
// Holding these values says nothing about whether the certificate itself is
// genuine. A verifier would normally validate the certificate chain separately
// and then compare HWID and TCBVersion with the CHIP_ID and TCB values of the
// attestation report being checked.
type VcekExtensions struct {
	// StructVersion is the certificate struct version (see OidStructVersion);
	// ProductName is the product name (see OidProductName1).
	StructVersion uint8
	ProductName   string
	// HWID is the hardware identifier the certificate is associated with (see
	// OidHwid); TCBVersion packs the security patch level extensions.
	// The host driver knows the difference between primary and secondary HWID.
	// Primary vs secondary is irrelevant to verification.
	HWID       [64]byte
	TCBVersion TCBVersion
}

VcekExtensions represents the information stored in the KDS-specified x509 extensions of a VCEK certificate.

func VcekCertificateExtensions

func VcekCertificateExtensions(cert *x509.Certificate) (*VcekExtensions, error)

VcekCertificateExtensions returns the x509v3 extensions from the KDS specification interpreted into a struct type.
