Documentation ¶
Overview ¶
Package trust defines core trust types and values for attestation verification.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( // DefaultRootCerts holds AMD's SEV API certificate format for ASK and ARK keys as published here // https://developer.amd.com/wp-content/resources/ask_ark_milan.cert DefaultRootCerts map[string]*AMDRootCerts )
Functions ¶
func ClearProductCertCache ¶ added in v0.5.0
func ClearProductCertCache()
ClearProductCertCache clears the product certificate cache. This is useful for testing with multiple roots of trust.
Types ¶
type AMDRootCerts ¶
type AMDRootCerts struct { // Product is the expected CPU product name, e.g., Milan, Turin, Genoa. Product string // ProductCerts contains the root key and signing key devoted to a given product line. ProductCerts *ProductCerts // AskSev is the AMD certificate representation of the AMD signing key that certifies // versioned chip endoresement keys. If present, the information must match AskX509. AskSev *abi.AskCert // ArkSev is the AMD certificate representation of the self-signed AMD root key that // certifies the AMD signing key. If present, the information must match ArkX509. ArkSev *abi.AskCert // Mu protects concurrent accesses to CRL. Mu sync.Mutex // CRL is the certificate revocation list for this AMD product. Populated once, only when a // revocation is checked. CRL *x509.RevocationList }
AMDRootCerts encapsulates the certificates that represent root of trust in AMD.
func (*AMDRootCerts) FromDER ¶
func (r *AMDRootCerts) FromDER(ask []byte, ark []byte) error
FromDER populates the AMDRootCerts from DER-formatted certificates for both the ASK and the ARK.
func (*AMDRootCerts) FromKDSCert ¶
func (r *AMDRootCerts) FromKDSCert(path string) error
FromKDSCert populates r's AskX509 and ArkX509 certificates from the certificate format AMD's Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain
func (*AMDRootCerts) FromKDSCertBytes ¶
func (r *AMDRootCerts) FromKDSCertBytes(data []byte) error
FromKDSCertBytes populates r's AskX509 and ArkX509 certificates from the two PEM-encoded certificates in data. This is the format the Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain
func (*AMDRootCerts) Unmarshal ¶
func (r *AMDRootCerts) Unmarshal(data []byte) error
Unmarshal populates ASK and ARK certificates from AMD SEV format certificates in data.
func (*AMDRootCerts) X509Options ¶
func (r *AMDRootCerts) X509Options(now time.Time) *x509.VerifyOptions
X509Options returns the ASK and ARK as the only intermediate and root certificates of an x509 verification options object, or nil if either key's x509 certificate is not present in r.
type AttestationRecreationErr ¶ added in v0.5.0
type AttestationRecreationErr struct {
Msg string
}
AttestationRecreationErr represents a problem with fetching or interpreting associated certificates for a given attestation report. This is typically due to network unreliability.
func (*AttestationRecreationErr) Error ¶ added in v0.5.0
func (e *AttestationRecreationErr) Error() string
type HTTPSGetter ¶
HTTPSGetter represents the ability to fetch data from the internet from an HTTP URL. Used particularly for fetching certificates.
func DefaultHTTPSGetter ¶ added in v0.4.1
func DefaultHTTPSGetter() HTTPSGetter
DefaultHTTPSGetter returns the library's default getter implementation. It will retry slowly due to the AMD KDS's rate limiting.
type ProductCerts ¶ added in v0.5.0
type ProductCerts struct { Ask *x509.Certificate Ark *x509.Certificate }
ProductCerts contains the root key and signing key devoted to a given product line.
func GetProductChain ¶ added in v0.5.0
func GetProductChain(product string, getter HTTPSGetter) (*ProductCerts, error)
GetProductChain returns the ASK and ARK certificates of the given product, either from getter or from a cache of the results from the last successful call.
func (*ProductCerts) FromDER ¶ added in v0.5.0
func (r *ProductCerts) FromDER(ask []byte, ark []byte) error
FromDER populates the ProductCerts from DER-formatted certificates for both the ASK and the ARK.
func (*ProductCerts) FromKDSCert ¶ added in v0.5.0
func (r *ProductCerts) FromKDSCert(path string) error
FromKDSCert populates r's AskX509 and ArkX509 certificates from the certificate format AMD's Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain
func (*ProductCerts) FromKDSCertBytes ¶ added in v0.5.0
func (r *ProductCerts) FromKDSCertBytes(data []byte) error
FromKDSCertBytes populates r's AskX509 and ArkX509 certificates from the two PEM-encoded certificates in data. This is the format the Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain
func (*ProductCerts) X509Options ¶ added in v0.5.0
func (r *ProductCerts) X509Options(now time.Time) *x509.VerifyOptions
X509Options returns the ASK and ARK as the only intermediate and root certificates of an x509 verification options object, or nil if either key's x509 certificate is not present in r.
type RetryHTTPSGetter ¶ added in v0.4.1
type RetryHTTPSGetter struct { // Timeout is how long to retry before failure. Timeout time.Duration // MaxRetryDelay is the maximum amount of time to wait between retries. MaxRetryDelay time.Duration // Getter is the non-retrying way of getting a URL. Getter HTTPSGetter }
RetryHTTPSGetter is a meta-HTTPS getter that will retry on failure a given number of times.
type SimpleHTTPSGetter ¶ added in v0.4.1
type SimpleHTTPSGetter struct{}
SimpleHTTPSGetter implements the HTTPSGetter interface with http.Get.